[Mud] MUD for (Virtual) RFC8995 Registrar Appliances -- register a port number?
Michael Richardson <mcr+ietf@sandelman.ca> Thu, 01 September 2022 21:49 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: mud@ietfa.amsl.com
Delivered-To: mud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6CF49C1522D5; Thu, 1 Sep 2022 14:49:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.706
X-Spam-Level:
X-Spam-Status: No, score=-1.706 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_INVALID=0.1, DKIM_SIGNED=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=fail (2048-bit key) reason="fail (bad RSA signature)" header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JctO4mZ50H5v; Thu, 1 Sep 2022 14:49:26 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FF2BC1522AE; Thu, 1 Sep 2022 14:49:25 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id EC1B71813B; Thu, 1 Sep 2022 18:09:56 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id qhM4MiPJdTW2; Thu, 1 Sep 2022 18:09:52 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 484F518138; Thu, 1 Sep 2022 18:09:52 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sandelman.ca; s=mail; t=1662070192; bh=TKd759XL9rn4FSw2bVarV+7eFFtYqmLRiHkAdFrD9Tg=; h=From:To:cc:Subject:Date:From; b=FqpwZwtNj5RBNHIYjJlS3KkTB6YdNp0XAxEuB/2BfVcUr5ZbG+cTy2Sp4R5bwL7O+ 99vJVEZJrbg96bSjEPriVUmaN1g5uZ50Y8cfDqrOuZXJvjhiHk/8I23Cx70Pow799T uQi++UGvkdaT5OI7AdM1Pdho4J4VMphfpGX87EGNiY/aoXcIln++s19LYy90vC0J1V S5TTXy1OA8qehQnOrqmJHTJckxCS0jyJKS8yMKxLGtXptyj56tjN50EtUsyIAdXrZV eN36mUM3Jxan/fcIG4GGvXI9iHFNea/vtAmliKC8FFBGP7x35N3PWQVJa1v4rvCFjO 5xrUP8rjBHPKg==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 0B6D4551; Thu, 1 Sep 2022 17:49:20 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: mud@ietf.org
cc: anima@ietf.org
X-Attribution: mcr
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Thu, 01 Sep 2022 17:49:20 -0400
Message-ID: <24349.1662068960@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/saShEOhGmlqNw4MDSikiYwMoVRI>
Subject: [Mud] MUD for (Virtual) RFC8995 Registrar Appliances -- register a port number?
X-BeenThere: mud@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Discussion of Manufacturer Ussage Descriptions <mud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mud>, <mailto:mud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mud/>
List-Post: <mailto:mud@ietf.org>
List-Help: <mailto:mud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mud>, <mailto:mud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Sep 2022 21:49:30 -0000
I have begun shipping virtual appliances for RFC8995(BRSKI) Registrars to Enterprises. I anticipate shipping SBOM information with the virtual appliance, and it would be relatively easy to do that via DHCP/LLDP MUD file. I have been thinking about how to write up this MUD file. Most of the MUD ACLs are easy: 1) https access to update server 2) inbound ssh access for maintenance/diagnostics from a known place 3) inbound port-8443 access for BRSKI-EST connection 4) outbound GRASP announcements (3) and (4) may well fall below the level of most MUD controllers, since that will be enterprise internal (NOC) traffic. And I'm not sure that multicast destinations will realy fit well into what a MUD Controller might expect ACLs, but ... Then we get to: (5) outbound connections using HTTPS on undetermined ports to undetermined destinations for the BRSKI-MASA connections. The specific port that is connected to is determined by the MASA URL extension in the IDevID certificate. In writing RFC8995, we figured that we were removing a hassle to deployment by not requiring a specific port number. In particular, not using port-443. Eventually, the ACLs could be part of a supply chain integration, but for now, this is a problem for Enterprises that are hesitant to open port numbers. ** Now I think that we should have registered a port number for the BRSKI-MASA ** connection, which would have let us at least write a somewhat restrictive ** ACL. I'm unclear if it's possible to write a MUD ACL that permits connection to any host on a particular port. My reading of RFC8519 is that yes, one can have a l4.tcp ACL without having an l3 ACL. So, to make that workable, we'd at least need a registered port. -- Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide
- [Mud] MUD for (Virtual) RFC8995 Registrar Applian… Michael Richardson