Re: [Mud] MUD server discovery?
"M. Ranganathan" <mranga@gmail.com> Wed, 15 January 2020 17:07 UTC
Return-Path: <mranga@gmail.com>
X-Original-To: mud@ietfa.amsl.com
Delivered-To: mud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 086881208A0 for <mud@ietfa.amsl.com>; Wed, 15 Jan 2020 09:07:56 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BgN-VQrzjNpB for <mud@ietfa.amsl.com>; Wed, 15 Jan 2020 09:07:50 -0800 (PST)
Received: from mail-io1-xd2d.google.com (mail-io1-xd2d.google.com [IPv6:2607:f8b0:4864:20::d2d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4A602120886 for <mud@ietf.org>; Wed, 15 Jan 2020 09:07:50 -0800 (PST)
Received: by mail-io1-xd2d.google.com with SMTP id n21so18546148ioo.10 for <mud@ietf.org>; Wed, 15 Jan 2020 09:07:50 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=vXtnHe6O5KZ75Ii3BSaZx660zUR2Rseg7bkj5sE8YMc=; b=YBZ1aEYDPzNViTs6KPLD1+Ne/bGfGRzTDszP8m+5rPBQ7kp4XKSBYZ30TuPVoXiTam csYIYfNH/kyxEAIjt/uz+iqX02ihnt6v71GY+qe2p9+DNysQ4jUVoIzzmNcULikSkxh3 idArEnbCOyfT1Xe9BOqOpF+V/YIKjtbyE47z8Mulq/z62q13mXLq2K0E1atNBuXy22rk S2LIPlIcOJhGdygDtnVUdjYh56TALunSLROkmBifRsTDoyyk/8+A2f7Fc/UKFk3ddh9O jYzvnSjWct8ibhC0h6RCEPGd0sHY4uMEuBZt5xXlAoXGbe5LhyNaNCuh+4u5dBl6QBuT /iDg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=vXtnHe6O5KZ75Ii3BSaZx660zUR2Rseg7bkj5sE8YMc=; b=BolWe1J9hR20SVZqEybbRUUxF76z8feBoROOuUSsbYDLerTUG+8IX3UjdFjC3O/u0z Tmnx8TBB+hChCBOkufI3NM7rHhU/RhslUyTqr9emgnUxD4CH/Gj7JadM8a6D653q9gXF vc+aPRoaVULxJuGip2VLBNrqpBeBYEGj2hInGXzQLIwZNKo44Va+Zw2FUX8zo+zaKAOc XuFWL3QxUsSPLA/PZp8p/Bk1HXNKX/adK0CFV7GMQ5htJfJaquM10488Qc7ncTg+MzOX A1KswiF2D8UQh3LGrAHOJKDy7w+P/lOaSpIYJmmTRoN2a95gniUncHSL4AnUT+SnIdPL bEiQ==
X-Gm-Message-State: APjAAAXzC7UA9FQ6hFv3cgRygPf7vdCMNxK7kSmEvaMf6PGtuU3iDr5N 9srmNB6EfEdF6LwvW3zcDYydloNQvIP95PJ0zYBcK6KUaoM=
X-Google-Smtp-Source: APXvYqxp5KmNsouAVTxf+updEVS7lImxPAL+g5KUosjzKDiv5faWxhqnk2p7TlmdGbkJ8m/LhHPPk8SSCTKmX8o8ExA=
X-Received: by 2002:a05:6638:301:: with SMTP id w1mr25470758jap.63.1579108069288; Wed, 15 Jan 2020 09:07:49 -0800 (PST)
MIME-Version: 1.0
References: <CAHiu4JNBJ2YrO8a6usMvS1ku1iGkgZCD5zwFrvVEF4AAn8jc4w@mail.gmail.com> <24846.1579038765@localhost> <CAHiu4JO4JhDHGRJMVspBnu+Y1fAFkG_FKzwK=62F+4fs+Xdkxg@mail.gmail.com>
In-Reply-To: <CAHiu4JO4JhDHGRJMVspBnu+Y1fAFkG_FKzwK=62F+4fs+Xdkxg@mail.gmail.com>
From: "M. Ranganathan" <mranga@gmail.com>
Date: Wed, 15 Jan 2020 12:07:13 -0500
Message-ID: <CAHiu4JO9dhs0N97k2Y38BtLw+x4wfG=p=karebFjCCcN1iy1ug@mail.gmail.com>
To: Michael Richardson <mcr@sandelman.ca>
Cc: mud@ietf.org
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/sKJDVwXD9fHwqu-E4-yw-jf4WGA>
Subject: Re: [Mud] MUD server discovery?
X-BeenThere: mud@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of Manufacturer Ussage Descriptions <mud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mud>, <mailto:mud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mud/>
List-Post: <mailto:mud@ietf.org>
List-Help: <mailto:mud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mud>, <mailto:mud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Jan 2020 17:07:56 -0000
On Wed, Jan 15, 2020 at 11:31 AM M. Ranganathan <mranga@gmail.com> wrote: > > On Tue, Jan 14, 2020 at 4:52 PM Michael Richardson <mcr@sandelman.ca> wrote: > > > > > > M. Ranganathan <mranga@gmail.com> wrote: > > > There are a couple of situations I can think of where a trusted agent > > > may need to communicate with a MUD server: > > > > > 1. Controller Application: A Controller application may need to "tell" > > > the MUD server when it joins the network and that it is a controller > > > for a device. Perhaps it presents a signed certificate to assert its > > > identity to the MUD server. > > Not sure how this fits into the Captive portal model. What we need is > some way to assert the app identity to the MUD server so it can be > trusted to be a device controller. If the APP is trusted and bundled > with a private key and certificate then it should be relatively simple > using TLS handshake. > > > > > > 2. Onboarding using a third party app (e.g. DPP). The onboarding > > > application may need to communicate the identity (Device certificate) > > > to the MUD server. > > > > My opinion is that the this should be an extension in the CAPPORT API. > > MUD controllers need the CAPPORT API to indicate if they have quarantined a > > device. > > > > > The trusted onboarding application is assumed to have a connection to > the MUD server via the CAPPORT API (how?). The onboarding app sends > the device certificate to the MUD server via the CAPPORT API > extension. The device sends a signed MUD URL in the DHCP request > (until which time it is effectively quarantined from the local > network). The MUD server receives the signed MUD URL (sent via DHCP) > and verifies the signature using the device certificate that was > previously sent to it by the onboarding application. > > How will unconstrained devices (e.g. a laptop) on the network fit into > this model? On second thoughts, indeed the onboarding application could send the MUD URL of the device to the MUD server. It would be part of the device certificate. DHCP based mechanism would be redundant. One could use RFC 7710 to transmit the captive portal URL. So yes this scheme makes sense. > > > > -- > > ] Never tell me the odds! | ipv6 mesh networks [ > > ] Michael Richardson, Sandelman Software Works | IoT architect [ > > ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [ > > > > > > > -- > M. Ranganathan -- M. Ranganathan
- [Mud] MUD server discovery? M. Ranganathan
- Re: [Mud] MUD server discovery? Michael Richardson
- Re: [Mud] MUD server discovery? M. Ranganathan
- Re: [Mud] MUD server discovery? M. Ranganathan