Re: [Mud] Convening MUD calls, + next steps
"M. Ranganathan" <mranga@gmail.com> Tue, 21 May 2019 17:27 UTC
Return-Path: <mranga@gmail.com>
X-Original-To: mud@ietfa.amsl.com
Delivered-To: mud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C3977120181 for <mud@ietfa.amsl.com>; Tue, 21 May 2019 10:27:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N-cBqDBrAaQM for <mud@ietfa.amsl.com>; Tue, 21 May 2019 10:27:13 -0700 (PDT)
Received: from mail-io1-xd35.google.com (mail-io1-xd35.google.com [IPv6:2607:f8b0:4864:20::d35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7E30912016C for <mud@ietf.org>; Tue, 21 May 2019 10:27:03 -0700 (PDT)
Received: by mail-io1-xd35.google.com with SMTP id p2so14616316iol.2 for <mud@ietf.org>; Tue, 21 May 2019 10:27:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=hwF6PKCvsd5BWNwcLQWD44/RS5BMTQbmuVUJn0SbLIE=; b=jkwglJALrYTytzqB72WFL6hgJPjLPBuk4sT6Hva2LkWpvB5Z3lTH+54Wd+dKcMbDxb m2QgVzvlTiDp06IXRGLUMI2uP4MeTvHHHXWsjtacbnrOL/5B7UVp9wxbsBnzRhpARSKN FFC+qKlkpapgW4qy58tZqJb0uXB4MiGomeqAy9DxcycdBYuvnJJcn27q95J3HiyB2Zxw I7wwneIZ4SFDIaUCVIzm2Lqf3PrPTY7Y1Oh18LbWW8OFvNGBR6ESr9XFC5P7DUKkIevI ZYPTCMbUqJHIvOONGt5xRDT/ky8M8yUfJ2kPXD8Bfe7pMMnlIa3930zHXxrzdi4FnCg7 075g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=hwF6PKCvsd5BWNwcLQWD44/RS5BMTQbmuVUJn0SbLIE=; b=tOdOP/H5QBWRTNkCUYjgqLF1t5CByaAHwDP4YsWICp72aVaN7HblhUeGwf+Z6Os5mN FaocsKfqfMugrqqft2agNv60r4FknYLkdeSFGS5wuPLzkHnfQK6vHcgsTBWgaWx0cwHO RFL1TTDeeUfwV3Qg1+/XBFTk2jHGLF0X1uobrNgHwt7TMz8s4A79Cyu4MX7JEhSV28YU E/0uu47JQE2yl4IQvlqZhSfpmD0uz2hoFEFTpmeijjXSvhvK3g3+pzndDv3kVgVzB38q X06DQ8S+3yyQWnJyhJ2SsL4tK3nIkTtD/BiCSfsdoQQLlSvygAqWSaw54tGsgpUPAmlC CGag==
X-Gm-Message-State: APjAAAVq50zN3blcnquv3TA2cgaWyrSFZTgNhq1emdKjIwBk9OHBO+wp /1ffgaw/vFnaaqCwARXQngPjYNOdh59pDfGbtLxosg==
X-Google-Smtp-Source: APXvYqxlFcm9tAtGxlNfUxlxL14imKBIiXO4spPVJgTiYB+6j0jJiLTy5ehTz0hkH7Y0gp+PPO9eeUH5dEAChD2pc9o=
X-Received: by 2002:a5e:db08:: with SMTP id q8mr28143813iop.64.1558459622443; Tue, 21 May 2019 10:27:02 -0700 (PDT)
MIME-Version: 1.0
References: <5B10945F-EFE2-4021-9650-F010A737BA1D@isoc.org> <F9F696B9-1DAC-4070-B85F-780C841FCC62@cisco.com> <19433.1555006746@localhost> <ABA471C2-D547-4BA0-875C-CF1B7CD61722@cisco.com> <D0A4C670-E9A3-4DA8-8D57-C9D96B7D211F@nist.gov> <AFB482B9-D747-420B-879D-D20E5D9C8BC1@cisco.com> <CAHiu4JPjwuzHPhdDDzNahcngkkOOkSnerFwGx=QH9vbUJ1H8=g@mail.gmail.com> <10007.1555379966@localhost> <CAHiu4JO-iY1h02pKaJzP=eU4WvTn_9HpghnPdynrxEupwh8CPw@mail.gmail.com> <F72774E9-E630-4EC7-B6CA-78F963AEE444@cisco.com> <CAHiu4JNs1D9S8kMMnH2n5VeyHensbjE4Dg_XttZjoGMuHwR+FQ@mail.gmail.com> <11306A54-162F-4EA3-803B-FC2D1BB7D4E6@cisco.com> <30445.1557872022@localhost> <CAHiu4JM9swU=HeG4kgQUiXFXUSQMZwh_yzOFqmp1dR_sCTunow@mail.gmail.com> <CAHiu4JO=2m6HZ6Ep5hp_JhBE+uPCiEDCj7AfGygf-70aWasLtA@mail.gmail.com> <15681.1558454988@localhost>
In-Reply-To: <15681.1558454988@localhost>
From: "M. Ranganathan" <mranga@gmail.com>
Date: Tue, 21 May 2019 13:26:25 -0400
Message-ID: <CAHiu4JMAPS+A4CgS5sZuTE3=SomBGuhPrErRBhPh=BYeZ=A+wg@mail.gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: mud@ietf.org
Content-Type: multipart/alternative; boundary="0000000000003150e005896928b6"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/1OsioGgVSEAwoNs3hNF8B5u_Tpo>
Subject: Re: [Mud] Convening MUD calls, + next steps
X-BeenThere: mud@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of Manufacturer Ussage Descriptions <mud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mud>, <mailto:mud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mud/>
List-Post: <mailto:mud@ietf.org>
List-Help: <mailto:mud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mud>, <mailto:mud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 May 2019 17:27:16 -0000
On Tue, May 21, 2019 at 12:09 PM Michael Richardson <mcr+ietf@sandelman.ca> wrote: > > M. Ranganathan <mranga@gmail.com> wrote: > > Are there any standard logging formats to report "misbehavior"? > Maybe just > > use syslog (RFC 3164)? > > It's a good question! > From the gateway to... ? what's the place we should report to? > The reporting URL could be specified as a MUD extension (?). Maybe report back to manufacturer so he can have additional information to fix the problem. > Probably the ISP for aggregation. It would be nice if the DHCPv6 included > an attribute as to what that was. > - ROLIE/MILE > - INCH/IODEF > > I've tried to capture some options in the un-quarantine slides at: > > https://github.com/CIRALabs/shg-un-quarantine/blob/master/presentations/RIPE-IoT-Unquarantine-expanded.pdf > slide 34. > > To share details of the event, though, the list includes: > - SCAPv2 (rolie) > - MISP > - TAXI (rolie), STIIX > This is interesting but beyond the scope of what I had in mind. I think to start, a simple event notification mechanism (along with a standardized format for the events) should be a good starting point. (WDYT?) > > What should the tuning parameters be? I was thinking, frequency of > sampling > > and packet rate estimation. > > what do you mean here? > Scenario : A device misbehaves. It is put into quarantine (can only access quarantine ACEs). While it is under quarantine, "Administrator" would like to know statistics about what the device is actually doing under quarantine. How often should this state be reported back to the administrator. One could report back this information periodically. If so, at what frequency. > > I came across the following which looked interesting: > > > > https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/monitor_nsel.html#wp1111174%0A > > So this uses Netflow, or this uses Syslog? (or some combination) > I didn't understand it that well. > I don't understand NSEL that well either (have not played with it -- perhaps Eliot has some insights). In particular, it would not directly apply because there are no DENY ACEs in MUD except for the one if it does not match any previous rule and the TCP direction (which is an implicity deny rule). We would have to suitably modify the semantics. I was thinking we could modify it to carry information about the class of packet based on the source that was dropped. Thanks, > -- > Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works > -= IPv6 IoT consulting =- > > > > -- M. Ranganathan
- Re: [Mud] Convening MUD calls, + next steps Eliot Lear
- Re: [Mud] Convening MUD calls, + next steps M. Ranganathan
- Re: [Mud] Convening MUD calls, + next steps Eliot Lear
- Re: [Mud] Convening MUD calls, + next steps Michael Richardson
- Re: [Mud] Convening MUD calls, + next steps M. Ranganathan
- Re: [Mud] Convening MUD calls, + next steps M. Ranganathan
- Re: [Mud] Convening MUD calls, + next steps Michael Richardson
- Re: [Mud] Convening MUD calls, + next steps M. Ranganathan