Re: [Mud] Using MUD to enforce network traffic policies

Luca Deri <deri@ntop.org> Wed, 11 September 2019 13:49 UTC

From: Luca Deri <deri@ntop.org>
In-Reply-To: <CAHiu4JMaQBvJs2Y8P-_xgPU7H4ivr2rjnr4FD5apR_BZGMhukg@mail.gmail.com>
Date: Wed, 11 Sep 2019 15:49:24 +0200
Cc: Mud@ietf.org
Message-Id: <DD94A243-C0F1-40A8-8EDB-F19B7A21A3DA@ntop.org>
References: <D4677646-39C6-43DD-AA98-5D22412D3C87@ntop.org> <CAHiu4JMaQBvJs2Y8P-_xgPU7H4ivr2rjnr4FD5apR_BZGMhukg@mail.gmail.com>
To: "M. Ranganathan" <mranga@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/bpl7ubq3Spb05yiVPrXSG4jW8Bg>

Hi
Thanks for your feedback. I have looked at your work and I think it fits with what I am trying to do. With some changes it can be used to report about traffic/match etc. stats. My main concerns are:
- as this format is pretty verbose, how can it cope with high or rich measurements (I am focusing on efficiency)?
- there are several other formats to report data. Yours has a simple yet effective structure, but on the other hand I am wondering (from the standardization standpoint) if this could be a problem to promote it to RFC, as this might overlap in scope with other monitoring standards/formats.

Finally I have seen that your text has a few English typos. Can you fix them or do you want me to send you a pull request?

Regards Luca

> On 10 Sep 2019, at 16:38, M. Ranganathan <mranga@gmail.com> wrote:
> 
> Hello,
> 
> interesting development.
> 
>> On Tue, Sep 10, 2019 at 3:09 AM Luca Deri <deri@ntop.org> wrote:
>> Hi all,
>> I am the developer of an open source network traffic monitoring application named ntopng (https://github.com/ntop/ntopng). I have started to use MUD to enhance ntopng, and have planned MUD enhancements to make it suitable not just for IoT devices but also for generic devices such as tablets and laptops. In my view MUD is a great starting point to create a “portable” device network behaviour that could be used in cybersecurity and traffic monitoring to spot unexpected traffic flows. I have written a short blog post https://www.ntop.org/ntopng/using-rfc8520-mud-to-enforce-hosts-traffic-policies-in-ntopng/ that explains this in detail and highlights the ongoing developments.
>> 
>> I would be glad to receive some feedback in particular related to MUD extensions that are IMHO necessary to make it more general than the original idea.
>> 
> 
> The following mud-reporter MUD extension could be of interest in your event reporting mechanism. 
> 
> https://github.com/iot-onboarding/mud-reporter/tree/master
> 
> It would be interesting to get some feedback from you on the applicability of this extension to your work. 
> 
>> Regards Luca
> 
>> -- 
>> Mud mailing list
>> Mud@ietf.org
>> https://www.ietf.org/mailman/listinfo/mud
> 
> 
> -- 
> M. Ranganathan 
>
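The check Luca describes above, matching flows observed by a monitor against a device's RFC 8520 MUD policy to spot unexpected traffic, as an added example that is not ntopng's or mud-reporter's code. The MUD file, the host names and the sample flows are constructed for the example; only the "eq" port operator and IPv4 ACLs are handled.

```python
import json
# Constructed RFC 8520 MUD file (not ntopng's or mud-reporter's own data): the
# device may only open TCP/443 to its update server and UDP/123 to an NTP server.
MUD_FILE = json.loads("""{
 "ietf-mud:mud": {"mud-version": 1, "mud-url": "https://mud.example.invalid/sensor.json",
   "last-update": "2019-09-11T00:00:00+00:00", "is-supported": true,
   "from-device-policy": {"access-lists": {"access-list": [{"name": "mud-1-v4fr"}]}}},
 "ietf-access-control-list:acls": {"acl": [
   {"name": "mud-1-v4fr", "type": "ipv4-acl-type", "aces": {"ace": [
     {"name": "upd0-frdev", "actions": {"forwarding": "accept"},
      "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "updates.example.invalid", "protocol": 6},
                  "tcp": {"ietf-mud:direction-initiated": "from-device",
                          "destination-port": {"operator": "eq", "port": 443}}}},
     {"name": "ntp0-frdev", "actions": {"forwarding": "accept"},
      "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "ntp.example.invalid", "protocol": 17},
                  "udp": {"destination-port": {"operator": "eq", "port": 123}}}}]}}]}}""")

def from_device_aces(mud):
    # ACEs of every ACL that the from-device-policy names (what the device may send).
    policy = mud["ietf-mud:mud"]["from-device-policy"]["access-lists"]["access-list"]
    names = {entry["name"] for entry in policy}
    for acl in mud["ietf-access-control-list:acls"]["acl"]:
        if acl["name"] in names:
            yield from acl["aces"]["ace"]

def ace_matches(ace, flow):
    # flow = {"dst_name", "proto", "dport"}; a clause absent from the ACE matches anything.
    l3 = ace["matches"].get("ipv4", {})
    if l3.get("ietf-acldns:dst-dnsname", flow["dst_name"]) != flow["dst_name"]:
        return False
    if l3.get("protocol", flow["proto"]) != flow["proto"]:
        return False
    l4 = ace["matches"].get("tcp") or ace["matches"].get("udp") or {}
    dport = l4.get("destination-port")
    # Only the "eq" operator form is handled; port ranges use lower-port/upper-port.
    return not dport or (dport.get("operator") == "eq" and dport["port"] == flow["dport"])

def classify(mud, flow):
    # MUD is default-deny: a flow is permitted only if an accepting ACE matches it.
    for ace in from_device_aces(mud):
        if ace_matches(ace, flow) and ace["actions"]["forwarding"] == "accept":
            return "permitted:" + ace["name"]
    return "unexpected"

# Constructed flows as ntopng might observe them (destination name already resolved).
SAMPLE_FLOWS = [{"dst_name": "updates.example.invalid", "proto": 6, "dport": 443},
                {"dst_name": "ntp.example.invalid", "proto": 17, "dport": 123},
                {"dst_name": "updates.example.invalid", "proto": 6, "dport": 22},
                {"dst_name": "other.example.invalid", "proto": 6, "dport": 443}]
def report(mud=MUD_FILE, flows=SAMPLE_FLOWS):
    return [classify(mud, f) for f in flows]
```

Every "unexpected" entry in the report is a flow the device's MUD profile does not describe, which is the kind of deviation a monitor would raise an alert for.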