[Mud] review of mDNS vs IoT DNS
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 27 March 2024 11:18 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: mud@ietfa.amsl.com
Delivered-To: mud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 30BC5C14F6A7 for <mud@ietfa.amsl.com>; Wed, 27 Mar 2024 04:18:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8S5yo3BKCbIr for <mud@ietfa.amsl.com>; Wed, 27 Mar 2024 04:18:55 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00:e000:2bb::1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E847FC14F614 for <mud@ietf.org>; Wed, 27 Mar 2024 04:18:54 -0700 (PDT)
Received: from dyas.sandelman.ca (60-240-91-174.static.tpgi.com.au [60.240.91.174]) by relay.sandelman.ca (Postfix) with ESMTPS id BA7DA1F448; Wed, 27 Mar 2024 11:18:45 +0000 (UTC)
Authentication-Results: relay.sandelman.ca; dkim=pass (2048-bit key; secure) header.d=sandelman.ca header.i=@sandelman.ca header.b="ie6FkAGk"; dkim-atps=neutral
Received: by dyas.sandelman.ca (Postfix, from userid 1000) id 314AAA191C; Wed, 27 Mar 2024 22:18:41 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=sandelman.ca; s=dyas; t=1711538321; bh=e7uxEk/NRhBfbBiIyqpwPTcsQhbnA+SoOnLYmHHTK90=; h=From:To:Subject:Date:From; b=ie6FkAGklXxYgm81+MIUR17icsGd0XZtD0s3jNXWgF/6ExQIrbjqqPRQFV9GKDsYS XLaQla133x+2BNoEkPQu6dttpM/93Ve+ftunydMm+PheBppp/vj8lRthGvjTFH2DoW JYXrJnzKKsAmbIY1Vumd4TZgqoPKfseQ9GkLrPhsX+t+sqoJ3uU2L8c6IIf3gW4dMJ R16AOyyV0YI+XNYgJm6TFoHrjwVYzWLqI1PAil62BlUUsGes/Beh8IqPFg8uVXMALJ Gq7JTFXBBQ0dgwxv0ORIRR73t6HEcfxL8apF3ddzFXzaXgwhsSyyrHumXyznMvnaSz S0CEoHuewSQiA==
Received: from dyas (localhost [127.0.0.1]) by dyas.sandelman.ca (Postfix) with ESMTP id 2F1E5A1918; Wed, 27 Mar 2024 22:18:41 +1100 (AEDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: mud@ietf.org, Ted Lemon <mellon@fugue.com>
X-Attribution: mcr
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Wed, 27 Mar 2024 22:18:41 +1100
Message-ID: <509926.1711538321@dyas>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/EkmzfDrL6JBsigXizdXL8nlYl-0>
Subject: [Mud] review of mDNS vs IoT DNS
X-BeenThere: mud@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of Manufacturer Ussage Descriptions <mud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mud>, <mailto:mud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mud/>
List-Post: <mailto:mud@ietf.org>
List-Help: <mailto:mud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mud>, <mailto:mud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Mar 2024 11:18:59 -0000
Éric Vyncke asked in his COMMENTS:
> ## Absence of mDNS
> Is mDNS used in the context of MUD ? If so, then it should be mentioned here.
I've tried to answer this as:
https://github.com/IETF-OPSAWG-WG/draft-ietf-opsawg-mud-iot-dns-considerations/pull/17
which I paste below, but if you have edits, do a github suggestion please.
Ted: I'd particularly like your opinion here.
I think that I a device could ask for printer.local and then receive some
internet address as an AAAA record, 2001:db8::1234, which would send the
device out there. I think that would only be the result of malware.
But... DNS-SD could well answer some
not-local-to-this-subnet-but-still-internal answer right?
Which might well pass through the MUD policy enforcement point ("firewall").
I think... tough... internal addresses need to be acceptlisted.
# Interactions with mDNS and DNSSD
Unicast DNS requests are not the only way to map names to IP addresses.
IoT devices might also use mDNS {{?RFC6762}}, both to be discovered by other
devices, and also to discover other devices.
mDNS replies include A and AAAA records, and it is conceivable that these
replies contain addresses which are not local to the link on which they are
made.
This could be the result of another device which contains malware.
An unsuspecting IoT device could be led to contact some external host as a result.
Protecting against such things is one of the benefits of MUD.
In the unlikely case that the external host has been listed as a legitimate
destination in a MUD file, then communication will continue as expected.
As an example of this, an IoT device might look for a name like
"update.local" in order to find a source of firmware updates.
It could be led to connect to some external host that was listed as
"update.example" in the MUD file.
This should work fine if the name "update.example" does not require any kind
of tailored reply.
In residential networks there has typically not been more than one network
(although this is changing through work like {{?I-D.ietf-snac-simple}}), but
on campus or enterprise networks, having more than one network is not
unusual.
In such networks, mDNS is being replaced with DNS-SD {{?RFC8882}}, and in
such a situation, connections could be initiated to other parts of the
network.
Such connections might traverse the MUD policy enforcement point (an
intra-department firewall), and could very well be rejected because the MUD
controller did not know about that interaction.
{{RFC8250}} includes a number of provisions for controlling internal
communications, including complex communications like same manufacturer ACLs.
To date, this aspect of MUD has been difficult to describe.
This document does not consider internal communications to be in scope.
--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =- *I*LIKE*TRAINS*
- [Mud] review of mDNS vs IoT DNS Michael Richardson
- Re: [Mud] review of mDNS vs IoT DNS Ted Lemon
- Re: [Mud] review of mDNS vs IoT DNS Michael Richardson