IETF Logo Mail Archive

Re: [Mud] Convening MUD calls, + next steps

Eliot Lear <lear@cisco.com> Tue, 14 May 2019 11:38 UTC

Return-Path: <lear@cisco.com>
X-Original-To: mud@ietfa.amsl.com
Delivered-To: mud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 826421201D7 for <mud@ietfa.amsl.com>; Tue, 14 May 2019 04:38:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.509
X-Spam-Level:
X-Spam-Status: No, score=-14.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EgF_5enW7ZpE for <mud@ietfa.amsl.com>; Tue, 14 May 2019 04:37:59 -0700 (PDT)
Received: from aer-iport-1.cisco.com (aer-iport-1.cisco.com [173.38.203.51]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 754EA1200A4 for <mud@ietf.org>; Tue, 14 May 2019 04:37:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=20488; q=dns/txt; s=iport; t=1557833878; x=1559043478; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=1q/5g7uQPNEa2pWa29tQzDTbNBIlIBnh02d5Qg6bQyc=; b=avBaZGRXn3EoO+s79A2pQhn5wv//38PoLyYDH+gh6FeByiTnLbgZ9dYe mnfCGpndHhXPV+s/G4NJnHKgz9wyTFPeB/j5GlZSmM8r+IiYHpJRpfY5U ooUUGVW0rf/U2FDPke9l9qZ6cZaILpxCBtm5sgjw7ZhFV/BfTggi2lxu9 0=;
X-Files: signature.asc : 195
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BDAADSp9pc/xbLJq1kGQEBAQEBAQEBAQEBAQcBAQEBAQGBZYJ6USESKIQKB4h7jCSJP4kZhg+BEANUAgcBAQEJAwEBGAEFEQEBgUuCdQKCPDgTAQMBAQQBAQIBBG0cDIVKAQEBAwEjBCcrBQsLGCcDAgIhEBURBggHBAEcBIMBAYFqAw4PD61/fDOEMgGBFII8DYITCgaBM4FPhzeCYIF/gREnH4JMPoIaRwICFQOBFAEMBgGDKTKCJgSKfTqHGFKHHow1LDkJgguCCYECgxaBK4c8g1YbghSKGolAjVaFNoFPiTowgnkCBAYFAhWBZiE2MHEzGggbFTsqAYJBEyuBWINoilU9AzABAQ6ODg4XgiwBAQ
X-IronPort-AV: E=Sophos;i="5.60,468,1549929600"; d="asc'?scan'208,217";a="12081366"
Received: from aer-iport-nat.cisco.com (HELO aer-core-3.cisco.com) ([173.38.203.22]) by aer-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 14 May 2019 11:37:56 +0000
Received: from [10.61.193.41] ([10.61.193.41]) by aer-core-3.cisco.com (8.15.2/8.15.2) with ESMTPS id x4EBbtGO028427 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 14 May 2019 11:37:55 GMT
From: Eliot Lear <lear@cisco.com>
Message-Id: <F72774E9-E630-4EC7-B6CA-78F963AEE444@cisco.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_90693DE8-893C-47C0-9CE7-138A63C13737"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.8\))
Date: Tue, 14 May 2019 13:37:54 +0200
In-Reply-To: <CAHiu4JO-iY1h02pKaJzP=eU4WvTn_9HpghnPdynrxEupwh8CPw@mail.gmail.com>
Cc: mud@ietf.org
To: "M. Ranganathan" <mranga@gmail.com>
References: <5B10945F-EFE2-4021-9650-F010A737BA1D@isoc.org> <F9F696B9-1DAC-4070-B85F-780C841FCC62@cisco.com> <19433.1555006746@localhost> <ABA471C2-D547-4BA0-875C-CF1B7CD61722@cisco.com> <D0A4C670-E9A3-4DA8-8D57-C9D96B7D211F@nist.gov> <AFB482B9-D747-420B-879D-D20E5D9C8BC1@cisco.com> <CAHiu4JPjwuzHPhdDDzNahcngkkOOkSnerFwGx=QH9vbUJ1H8=g@mail.gmail.com> <10007.1555379966@localhost> <CAHiu4JO-iY1h02pKaJzP=eU4WvTn_9HpghnPdynrxEupwh8CPw@mail.gmail.com>
X-Mailer: Apple Mail (2.3445.104.8)
X-Outbound-SMTP-Client: 10.61.193.41, [10.61.193.41]
X-Outbound-Node: aer-core-3.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/dyWrFZQN0hDg0EOMdu4iXxHKiy0>
Subject: Re: [Mud] Convening MUD calls, + next steps
X-BeenThere: mud@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of Manufacturer Ussage Descriptions <mud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mud>, <mailto:mud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mud/>
List-Post: <mailto:mud@ietf.org>
List-Help: <mailto:mud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mud>, <mailto:mud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 May 2019 11:38:02 -0000

Hi Ranga,

Following up on this message below, the ACL model has actions available.  One of the things we have spoken about was a means by which manufacturers could collect intelligence about how the MUD file is being interpreted.  That is- if the implementation is dropping packets or would drop packets based on the MUD file, provide some sort of aggregate feedback.  We need a draft on that alongside an implementation.

We talked a bit about this at one point, and the key is just making sure to match the drop against a particular MUD rule.  From an implementation standpoint that means logging drops, for a specific device, matching that device to a MUD URL, and then having some sort of contact information available for this purpose.

That’s a draft right there.

What I want to avoid is advising complex behaviors or behaviors that might require substantial resources on the part of the MUD manager.  An example of that is logging, because it can be resource-intensive.  If that is something that an administrator wants, do it in your MUD manager implementation.

At least that’s my thinking.  Am I wrong?

Eliot

> On 16 Apr 2019, at 18:43, M. Ranganathan <mranga@gmail.com> wrote:
> 
> 
> 
> On Mon, Apr 15, 2019 at 9:59 PM Michael Richardson <mcr+ietf@sandelman.ca <mailto:mcr%2Bietf@sandelman.ca>> wrote:
> 
> M. Ranganathan <mranga@gmail.com <mailto:mranga@gmail.com>> wrote:
>     > One could presumably add action hints in the ACE on what to do with access
>     > violations (right now it is just "accept" or "deny" but one could be kinder
>     > and gentler - e.g. add a "log" action - which is to be interpreted as "log
>     > violations but allow"). For example:
> 
>     > "volations": {
>     > "forwarding" : "accept-log"
>     > }
> 
> As another example, let's say that there is access needed to a large number
> of content servers.  Simple examples would include firmware updates which are
> stored in non-deterministic CDNs, but also just consider a netflix model.
> 
> Consider a rule that basically says, "device X" -> "all of AWS space".
> One the one hand, that's pretty drastic!  The device could attack all sorts
> of things that live in AWS "Elastic IP" space.  On the other hand, that space
> does not include root name servers, core ISP routers, university dorm
> computers, and a lot of other critical infrastructure.
> (Can we find out what is "all of AWS space"?  I'm sure the list is long in
> v4, but in v6, it's probably not more than a few dozen prefixes)
> 
> However, if we would mitigate such a "all of AWS space" rule to include
> the bandwidth limits often discussed, or better yet, number of simulatenous
> connections (or more precisely, number of unique SYN packets/hour), then that
> would seriously limit things, and would work very well for firmware updates,
> and yes, maybe even netflix.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca <mailto:mcr%2BIETF@sandelman.ca>>, Sandelman Software Works
>  -= IPv6 IoT consulting =-
> 
> 
> 
> After some thought, I realized I mis-stated my suggested enhancement (possibly confusing) so let me try again but I'll keep it at a conceptual level.
> 
> A MUD file is essentially an if-then-else construct
> 
> 
> if (ACE[0] is OK) then forward
> else if (ACE[1] is OK) then forward
> ...
> else
>      DROP
> 
> I think what we're agreed on is that the DROP is too harsh as a blanket policy to apply. I am saying that we should be able to specify what to do if no forward action is possible.
> 
> That is, we could specify WHEN to drop, or WHEN we want to log and forward using matches on various conditions:
> 
> e.g.
> 
> DROP if packet is from a local network from / to Thing (assuming we don't want to tolerate East-west violations)
> FORWARD and log if packet is from Thing to DNS named host (and inform the Manufacturer).
> 
> This is at the conceptual level. I am not sure how to work this neatly into the MUD YANG model etc. Here is a very rough example
>  "ietf-mud:mud": {
>     "mud-version": 1,
>     "mud-url": "https://controllerclass-test.nist.local/super1 <https://controllerclass-test.nist.local/super1>",
>     "last-update": "2018-03-11T19:44:23+01:00",
>     "cache-validity": 48,
>     "is-supported": true,
>     "systeminfo": "https://mud.nist.local/toaster <https://mud.nist.local/toaster>",
>     "from-device-policy": {
>       "access-lists": {
>         "access-list": [
>           {
>             "name": "mud-38382-v4fr"
>           }
>         ]
>       }
>     },
>     "to-device-policy": {
>       "access-lists": {
>         "access-list": [
>           {
>             "name": "mud-38382-v4to"
>           }
>         ]
>       }
>     },
>     "violations" : {
>             "local-networks" : "drop",
>             "dns-name" : "forward-log"
>     }
>   }
> 
> (I added the last piece). Is there any way of stating this neatly?
> 
> Thanks for reading.
> 
> Regards,
> 
> Ranga.
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> --
> You received this message because you are subscribed to the Google Groups "mud-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to mud-discuss+unsubscribe@googlegroups.com <mailto:mud-discuss%2Bunsubscribe@googlegroups.com>.
> To post to this group, send email to mud-discuss@googlegroups.com <mailto:mud-discuss@googlegroups.com>.
> To view this discussion on the web visit https://groups.google.com/d/msgid/mud-discuss/10007.1555379966%40localhost <https://groups.google.com/d/msgid/mud-discuss/10007.1555379966%40localhost>.
> For more options, visit https://groups.google.com/d/optout <https://groups.google.com/d/optout>.
> 
> 
> --
> M. Ranganathan
> 
> 
> --
> You received this message because you are subscribed to the Google Groups "mud-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to mud-discuss+unsubscribe@googlegroups.com <mailto:mud-discuss+unsubscribe@googlegroups.com>.
> To post to this group, send email to mud-discuss@googlegroups.com <mailto:mud-discuss@googlegroups.com>.
> To view this discussion on the web visit https://groups.google.com/d/msgid/mud-discuss/CAHiu4JO-iY1h02pKaJzP%3DeU4WvTn_9HpghnPdynrxEupwh8CPw%40mail.gmail.com <https://groups.google.com/d/msgid/mud-discuss/CAHiu4JO-iY1h02pKaJzP%3DeU4WvTn_9HpghnPdynrxEupwh8CPw%40mail.gmail.com?utm_medium=email&utm_source=footer>.
> For more options, visit https://groups.google.com/d/optout <https://groups.google.com/d/optout>.

v2.23.0 | Report a Bug | By Email