Re: [Mud] MUD server discovery?

"M. Ranganathan" <mranga@gmail.com> Wed, 15 January 2020 16:32 UTC

Return-Path: <mranga@gmail.com>
X-Original-To: mud@ietfa.amsl.com
Delivered-To: mud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E852112004A for <mud@ietfa.amsl.com>; Wed, 15 Jan 2020 08:32:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kkP4pZYk-XPD for <mud@ietfa.amsl.com>; Wed, 15 Jan 2020 08:32:12 -0800 (PST)
Received: from mail-io1-xd2d.google.com (mail-io1-xd2d.google.com [IPv6:2607:f8b0:4864:20::d2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70F8A12085B for <mud@ietf.org>; Wed, 15 Jan 2020 08:32:12 -0800 (PST)
Received: by mail-io1-xd2d.google.com with SMTP id b10so18397531iof.11 for <mud@ietf.org>; Wed, 15 Jan 2020 08:32:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3m0CgN6YfaEaLay1LVdXpRh1PrwjenO1UnSGEJeG/pM=; b=AFxiVjVWyTy6ZhAWohNOiIxVlQivu9FCPby1FiQXhKr0axNQXIL8KcXyleq/w9YYpd 4ivl0eeld3fOw6/7Wxn0yRlglYuXjNdc/949FRrab53OBzZcg9pq6JL025fai8/1NSlf wbhMSAGrEIlbGAUNVBXY8mymLMRYhlcM7UTNZUBJKcyDdEvmNMR52u8qZijlegaYHern cKWWbRuGahMUTL2/ftslwXsUXUoDzHTBzzdAuOffphJom6TZdS2l/klPg+1YdIvG4hTJ Qal8fi5zVEn/W4uysdZEcOlG+Fe8RNuyCefL3AmnLd7FlcoiRw9HShxKnMsw3qabnIiq WG9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3m0CgN6YfaEaLay1LVdXpRh1PrwjenO1UnSGEJeG/pM=; b=ZxAzGdLUB2zoxoI+uECftVnhBYTfK1lHOom4hgLCv8vHYI3+EFW1J5TBX7xBsT82Wc FHO2jlqcOkHNus4ShWsLB/EWy9FIBMq8hel1kW25Kp8ud+UqBwjhsqiCgZaxg3661dUL QlJ+vaQ+W9KStoe/3IyxOdSbj7RN0qeTOEl/SO65xNI86jdTqeQdxbxHjYdwajUBGMwF 5NZUv4esKzjp7l/m4LhfdYZqFPobYeVmYqQw7kC79eIbF9nKO/OXD0DPn1CfWgyILkJI H8NIpFEsioOkrxMu0FeZjK0Il56lpQo73HstELQ+yGLTf+VVC1HZgQl2kYPlbX/02xnp Hfpw==
X-Gm-Message-State: APjAAAX/ABjt3vLBPBlTawoZIpwTCHqROS+U71Ii1bVP4uP7q8Ee3zOP KG2Igq7l7b+LxlLKDuqA80PeMZxzHXKXT7abnuwwcUTRwKI=
X-Google-Smtp-Source: APXvYqxD6WSl2ojZ8jIRPrBRSx3b793I6qIS4LOyUMFQdeY2DhyBt/Fg0VC9kcjW+170dhpak7uvRel5sGm4LQsjOQA=
X-Received: by 2002:a5e:924c:: with SMTP id z12mr22678087iop.296.1579105931481; Wed, 15 Jan 2020 08:32:11 -0800 (PST)
MIME-Version: 1.0
References: <CAHiu4JNBJ2YrO8a6usMvS1ku1iGkgZCD5zwFrvVEF4AAn8jc4w@mail.gmail.com> <24846.1579038765@localhost>
In-Reply-To: <24846.1579038765@localhost>
From: "M. Ranganathan" <mranga@gmail.com>
Date: Wed, 15 Jan 2020 11:31:35 -0500
Message-ID: <CAHiu4JO4JhDHGRJMVspBnu+Y1fAFkG_FKzwK=62F+4fs+Xdkxg@mail.gmail.com>
To: Michael Richardson <mcr@sandelman.ca>
Cc: mud@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/YR3nuJIEEufH7e4DKhHLVgp3CAY>
Subject: Re: [Mud] MUD server discovery?
X-BeenThere: mud@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of Manufacturer Ussage Descriptions <mud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mud>, <mailto:mud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mud/>
List-Post: <mailto:mud@ietf.org>
List-Help: <mailto:mud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mud>, <mailto:mud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jan 2020 16:32:18 -0000

On Tue, Jan 14, 2020 at 4:52 PM Michael Richardson <mcr@sandelman.ca> wrote:
>
>
> M. Ranganathan <mranga@gmail.com> wrote:
>     > There are a couple of situations I can think of where a trusted agent
>     > may need to communicate with a MUD server:
>
>     > 1. Controller Application: A Controller application may need to "tell"
>     > the MUD server when it joins the network and that it is a controller
>     > for a device. Perhaps it presents a signed certificate to assert its
>     > identity to the MUD server.

Not sure how this fits into the Captive portal model. What we need is
some way to assert the app identity to the MUD server so it can be
trusted to be a device controller. If the app is trusted and bundled
with a private key and certificate, then it should be relatively simple
using a TLS handshake.

>
>     > 2. Onboarding using a third party app (e.g. DPP). The onboarding
>     > application may need to communicate the identity (Device certificate)
>     > to the MUD server.
>
> My opinion is that this should be an extension in the CAPPORT API.
> MUD controllers need the CAPPORT API to indicate if they have quarantined a
> device.
>


The trusted onboarding application is assumed to have a connection to
the MUD server via the CAPPORT API (how?). The onboarding app sends
the device certificate to the MUD server via the CAPPORT API
extension. The device sends a signed MUD URL in the DHCP request
(until which time it is effectively quarantined from the local
network). The MUD server receives the signed MUD URL (sent via DHCP)
and verifies the signature using the device certificate that was
previously sent to it by the onboarding application.

How will unconstrained devices (e.g. a laptop) on the network fit into
this model?


> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
>
>


-- 
M. Ranganathan
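The exchange sketched in the message above (onboarding app registers the device certificate with the MUD server, device sends a signed MUD URL in its DHCP request, MUD server verifies the signature against the registered certificate and keeps the device quarantined until that succeeds), as an added example in Go. This is illustration code written for this page, not code from the thread, from any MUD controller, or from RFC 8520. Everything about the encoding is assumed, because the e-mail does not specify it: the server indexes registered certificates by the device MAC address it also sees in the DHCP request, the "signed MUD URL" is an ECDSA P-256 signature over SHA-256 of the URL bytes, the CAPPORT API extension is modelled as a direct call to a hypothetical `RegisterDevice`, and `NewDeviceCert` mints a self-signed certificate only so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"sync"
	"time"
)

// MudServer holds the device certificates a trusted onboarding app has
// registered, keyed by MAC address (assumption: the e-mail does not say
// which identity the server uses to pair a DHCP request with a cert).
type MudServer struct {
	mu    sync.Mutex
	certs map[string]*x509.Certificate
}

func NewMudServer() *MudServer {
	return &MudServer{certs: make(map[string]*x509.Certificate)}
}

// RegisterDevice stands in for the hypothetical CAPPORT API extension:
// the onboarding app hands over the DER certificate of the device it
// just onboarded. Only ECDSA certificates are accepted in this example.
func (s *MudServer) RegisterDevice(mac string, certDER []byte) error {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return fmt.Errorf("register %s: %w", mac, err)
	}
	if _, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok {
		return fmt.Errorf("register %s: certificate key is not ECDSA", mac)
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	s.certs[strings.ToLower(mac)] = cert
	return nil
}

// SignedMudURL is the payload the device places in its DHCP request
// (assumed format: URL plus ASN.1 DER ECDSA signature over SHA-256(URL)).
type SignedMudURL struct {
	URL       string
	Signature []byte
}

// SignMudURL runs on the device with the private key matching the
// certificate the onboarding app registered for it.
func SignMudURL(key *ecdsa.PrivateKey, url string) (SignedMudURL, error) {
	digest := sha256.Sum256([]byte(url))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return SignedMudURL{}, err
	}
	return SignedMudURL{URL: url, Signature: sig}, nil
}

// VerifyMudURL is the MUD server side: find the certificate registered
// for this MAC, check it is valid at `now`, require https (RFC 8520 does),
// and verify the signature. Any failure means the device stays quarantined.
func (s *MudServer) VerifyMudURL(mac string, msg SignedMudURL, now time.Time) (string, error) {
	s.mu.Lock()
	cert, ok := s.certs[strings.ToLower(mac)]
	s.mu.Unlock()
	if !ok {
		return "", fmt.Errorf("%s: not onboarded, no certificate registered", mac)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return "", fmt.Errorf("%s: registered certificate not valid at %s", mac, now.UTC())
	}
	if !strings.HasPrefix(msg.URL, "https://") {
		return "", fmt.Errorf("%s: MUD URL must use https", mac)
	}
	pub := cert.PublicKey.(*ecdsa.PublicKey) // type checked at registration
	digest := sha256.Sum256([]byte(msg.URL))
	if !ecdsa.VerifyASN1(pub, digest[:], msg.Signature) {
		return "", fmt.Errorf("%s: signature over MUD URL does not verify", mac)
	}
	return msg.URL, nil
}

// NewDeviceCert mints a self-signed P-256 device certificate so the
// example runs offline; a real device cert would come from the vendor PKI.
func NewDeviceCert(cn string, notAfter time.Time) (*ecdsa.PrivateKey, []byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return key, der, err
}

func main() {
	srv := NewMudServer()
	key, der, err := NewDeviceCert("iot-sensor-0001", time.Now().Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	const mac = "aa:bb:cc:dd:ee:01" // constructed sample identity
	if err := srv.RegisterDevice(mac, der); err != nil {
		panic(err)
	}
	msg, _ := SignMudURL(key, "https://manufacturer.example/mud/sensor.json")
	url, err := srv.VerifyMudURL(mac, msg, time.Now())
	fmt.Println("genuine:", url, err)
	forged := msg // same signature, attacker-chosen URL
	forged.URL = "https://attacker.example/mud/open-everything.json"
	_, err = srv.VerifyMudURL(mac, forged, time.Now())
	fmt.Println("forged:", err)
}
```

Two caveats a practitioner would raise about this flow as described. First, the signature binds the URL to the registered key but not to the sender: DHCP is broadcast and unauthenticated, so anyone on the segment who captured the request can replay the same signed URL with the same spoofed MAC, and nothing in the payload gives the server freshness. Second, this is a different object from what RFC 8520 signs: RFC 8520 attaches a CMS signature to the MUD file fetched from the URL, not to the URL carried in DHCP, so a deployment doing both would have two independent signature checks with two different trust anchors.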