Re: [Mud] CoAP and MUD
Jaime Jiménez <jaime@iki.fi> Thu, 28 November 2019 09:14 UTC
Return-Path: <jaime@iki.fi>
X-Original-To: mud@ietfa.amsl.com
Delivered-To: mud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63F41120088; Thu, 28 Nov 2019 01:14:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.82
X-Spam-Level:
X-Spam-Status: No, score=-1.82 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_NEUTRAL=0.779, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=messagingengine.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id i_qMdtG2i_RV; Thu, 28 Nov 2019 01:14:50 -0800 (PST)
Received: from wout5-smtp.messagingengine.com (wout5-smtp.messagingengine.com [64.147.123.21]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EB3D1120018; Thu, 28 Nov 2019 01:14:49 -0800 (PST)
Received: from compute6.internal (compute6.nyi.internal [10.202.2.46]) by mailout.west.internal (Postfix) with ESMTP id 4D523712; Thu, 28 Nov 2019 04:14:49 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162]) by compute6.internal (MEProxy); Thu, 28 Nov 2019 04:14:49 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=ZP7195R1UbcwpQ/FPMEh8/tLwrTeilClX7SrQBmxa Kw=; b=OiVRCq184mqtXfWp8poDP2U/aXiod1qGBMW0UJS/80H4F+nxk1sw8M4OV BJL6s7ejtGU7IO5+jzgNFomXC974UTrh0WF3+BDdReBl4RWUZ5xXZeiTDgBnQgo7 rNxOuDBCBSaMGIDVZNr0GHzSFkXHetWNBFDqizFXgChg5i9uDahbLKmtXvAqGf/Q bv0es5A4kwCnZdnDG3tMYOHg9jpW0pIVSTCHgFmJavxb6ZlprEeBbQQUjA8vH1Mi iCJgeaqT6CcQJfi2VFs6SGhKyL8hxg6v5jNNP3bMUhAM3sJMz7BgWvf88wzhJ2YE gx7b0+e/jzsiEgXk6VOn7ULQLhxtA==
X-ME-Sender: <xms:B5DfXUc4dMot672xxCAzKa0VGPBBC_qsbwdBh-Txcivx9onpwdgnQw>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedufedrudeijecutefuodetggdotefrodftvfcurf hrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecuuegr ihhlohhuthemuceftddtnecunecujfgurhepfffhvffukfhfgggtugfgjgesthekredttd dtudenucfhrhhomheplfgrihhmvgculfhimhornhgviicuoehjrghimhgvsehikhhirdhf iheqnecuffhomhgrihhnpehjrghimhgvrdifihhnpdhhthhtphhrfhgtkeehjeeirdhith enucfkphepkeelrdduieeirdegledrvdegfeenucfrrghrrghmpehmrghilhhfrhhomhep jhgrihhmvgesihhkihdrfhhinecuvehluhhsthgvrhfuihiivgeptd
X-ME-Proxy: <xmx:B5DfXe4N74NXxDapqSk5QF_66Fjm1qM4T9Vh4ixM9-3G_94WvOuzyA> <xmx:B5DfXVdXOiIKTUARhFNsDnaH5GouwKRLzWjxR-z_uJOatlUN6JYbSQ> <xmx:B5DfXWdS5cCgpwV4dUxkzko8vQ8LJ9gJ9Dv87qpvSAn9_rto328J8Q> <xmx:CJDfXRW-eh3A1sYlgygVPcXT33eHQbDxE0_WMzYKwdFQm-zmOf1aBA>
Received: from EMB-918HFH01 (89-166-49-243.co.dnainternet.fi [89.166.49.243]) by mail.messagingengine.com (Postfix) with ESMTPA id 073D38005C; Thu, 28 Nov 2019 04:14:45 -0500 (EST)
Date: Thu, 28 Nov 2019 11:14:44 +0200
From: Jaime Jiménez <jaime@iki.fi>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: mud@ietf.org, opsawg@ietf.org
Message-ID: <20191128091444.6uwuzh7m4pi6if7a@EMB-918HFH01>
References: <20191122015716.mvcwq7g4hnwopjue@EMB-918HFH01> <21818.1574931947@dooku.sandelman.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <21818.1574931947@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/g5FXqNyDeD8rooeHH7ldX_ZbWk4>
Subject: Re: [Mud] CoAP and MUD
X-BeenThere: mud@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of Manufacturer Ussage Descriptions <mud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mud>, <mailto:mud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mud/>
List-Post: <mailto:mud@ietf.org>
List-Help: <mailto:mud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mud>, <mailto:mud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Nov 2019 09:14:53 -0000
On Thu, Nov 28, 2019 at 10:05:47AM +0100, Michael Richardson wrote: > > Jaime Jiménez <jaime@iki.fi> wrote: > > here is the draft in case you wanna have a look, it's just 8 pages. > > https://jaime.win/draft-coap-mud/ > > Thank you for pointing me at it. > I'm replying to the opsawg list. Thanks, the draft is still work in progress and I have not yet submitted it to T2TRG, which is its final intended destination. As per the feedback I have gotten so far, it seems like an interesting topic but might require a bit more "cooking". Specially the justification as to why this is needed, the motives I explain so far do not seem to be sufficiently convincing. > > > Overall a MUD is emitted as a URL using DHCP, LLDP or through 802.1X, then > > a Switch or Router will send the URI to some IoT Controlling Entity. That > > Entity will fetch the MUD file from a Server on the Internet over HTTP > > [RFC8576]. > > It might be worth adding that it can be emitted in an IDevID using BRSKI. > That uses the same certificate extension as in 802.1X. > draft-ietf-anima-constrained-voucher/draft-ietf-6tisch-dtsecurity-zerotouch > is more likely to have been used if we are getting to CoAP. Yes, that is something that should be considered. I was also discussing with others on how Neighbor Discovery (ND) would apply, as it is more common than DHCP in the very constrained space. > > There is an open question in the MUD space as to whether the MUD signature > URL is absolute or if it can be relative. This affects how the signature > file will be found when using a self-hosted MUD file as you have described. > > The signature should NOT be signed by the Thing itself, as that provides no > security against malware. So that also gets in the way of the device > providing any kind of dynamic capability by changing it's MUD. > The device *could* select from a palate of MUD files which the manufacturer > has signed. That would be very interesting. The whole security part is very raw at the moment, I have not thought in detail how that would work in practice. > > 4.1. Serialization > TBD write about SenML/CBOR MUDs. > > Are you thinking that we could serialize the YANG to CBOR instead of JSON? > I'm mostly for that, but I think that in general, since the ACLs will get > enforced by a non-constrained device, and we can host the MUD files on a > manufacturer resource, that it might be enough that it's JSON+CMS. on the > other hand... CMS. Ick. I am just assuming that the device will serialize everything in SenML/CBOR and not use YANG at all. > > Also using udf:// URLs from mathmesh would mean that the MUD file could be > found via any cachable mechanism, with the communication with the > manufacturer only if no other way is fine. This also authenticates the file, > but not quite in the same way that the signature does. Very interesitng, I am not familiar with udf:// either, I guess it does still require an IP address to be usable, right? > > > > -- > Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works > -= IPv6 IoT consulting =- > > >
- Re: [Mud] CoAP and MUD Michael Richardson
- Re: [Mud] CoAP and MUD Jaime Jiménez