Re: [Mud] Convening MUD calls, + next steps
"M. Ranganathan" <mranga@gmail.com> Tue, 14 May 2019 19:03 UTC
Return-Path: <mranga@gmail.com>
X-Original-To: mud@ietfa.amsl.com
Delivered-To: mud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F87A1200C4 for <mud@ietfa.amsl.com>; Tue, 14 May 2019 12:03:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ylwq_h45L4Fr for <mud@ietfa.amsl.com>; Tue, 14 May 2019 12:03:52 -0700 (PDT)
Received: from mail-it1-x130.google.com (mail-it1-x130.google.com [IPv6:2607:f8b0:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1967D120021 for <mud@ietf.org>; Tue, 14 May 2019 12:03:52 -0700 (PDT)
Received: by mail-it1-x130.google.com with SMTP id 9so563466itf.4 for <mud@ietf.org>; Tue, 14 May 2019 12:03:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LmEmScOfBsH4VjrpQDLLg6Yk+x4+aKimJ2SyiIk5Xfc=; b=tjSOBoc0VFjYKd+ftJievQYd7E0YEqOj1fxme1KR7MUsKhcUjbkFuyXnmBinbV2Dwi tsnaFpg29UAefbRWgXYCG4jLMmLIZugv1J4M8nXOi6ty8COTbl0PulJccxl/y5zPbZdK y7q2jRydLFkQz10NKyGF8OSqsrxBqdbfKjNJezFH/CX7eRZ/CmYkPThy12TbyU8lQKWR eMz7mKQcyPSXcDRWo8uvKfc8L9SmGgrI+cvOAdtGWZ4TiDMyzk1GhpAcFYwqiqTiWP8b Dji8dS+kANLNrNmPFLf64WF+azElFiqDdGl5mubgFd74lglo6XujXTG1YZZjv6VBkwoC EIrA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LmEmScOfBsH4VjrpQDLLg6Yk+x4+aKimJ2SyiIk5Xfc=; b=brsrf/Ig3/3ZfcIcPWVtwRoOm/a/tRXDahvIzo/1uTbLFq7sg3Ac1rPp3G69l1uL3u bYitocodTNGKSrKmen6FdKAIAcoOjli8YFkxnoVxnl0U7NoqbaQRZkMNXfIx2DKiy0je mfcTCkIRSlwjnvGCZdTtSAZMloQ0izEAtoeu3FBOUrEIejFQYO5fc0NNPQxa5DPgfKDu EFj4WsOmDZnt5OvFr+skqnS0dXFGZ4fvuaKjoikGPpbVlnYTUZEKHTd3szCSV2x5EuFA dXsRYErSMCIrZ8MT4XcxsgdQaUn3QUr1ouYV2DXgup6lUemT+/X6nwo2QP9VDmoCcQv5 aXlw==
X-Gm-Message-State: APjAAAULibsPDKbmJX4bLRubBUC1op2MhnQF0n8Y0sKb6nc6npfXqosF 6kr/CDRggH1e2WcG1gO9q8DmITCTzmmOSjl5+7g=
X-Google-Smtp-Source: APXvYqwcUfnxVUn3HP02pPFf+t2acI7RgzeypBbOsu4hfSn4MStBZibF6hciVMNjHv0gDUSHyyUvhS2xewleE8Sfha0=
X-Received: by 2002:a24:320c:: with SMTP id j12mr4424267ita.131.1557860631158; Tue, 14 May 2019 12:03:51 -0700 (PDT)
MIME-Version: 1.0
References: <5B10945F-EFE2-4021-9650-F010A737BA1D@isoc.org> <F9F696B9-1DAC-4070-B85F-780C841FCC62@cisco.com> <19433.1555006746@localhost> <ABA471C2-D547-4BA0-875C-CF1B7CD61722@cisco.com> <D0A4C670-E9A3-4DA8-8D57-C9D96B7D211F@nist.gov> <AFB482B9-D747-420B-879D-D20E5D9C8BC1@cisco.com> <CAHiu4JPjwuzHPhdDDzNahcngkkOOkSnerFwGx=QH9vbUJ1H8=g@mail.gmail.com> <10007.1555379966@localhost> <CAHiu4JO-iY1h02pKaJzP=eU4WvTn_9HpghnPdynrxEupwh8CPw@mail.gmail.com> <F72774E9-E630-4EC7-B6CA-78F963AEE444@cisco.com>
In-Reply-To: <F72774E9-E630-4EC7-B6CA-78F963AEE444@cisco.com>
From: "M. Ranganathan" <mranga@gmail.com>
Date: Tue, 14 May 2019 15:03:14 -0400
Message-ID: <CAHiu4JNs1D9S8kMMnH2n5VeyHensbjE4Dg_XttZjoGMuHwR+FQ@mail.gmail.com>
To: Eliot Lear <lear@cisco.com>
Cc: mud@ietf.org
Content-Type: multipart/alternative; boundary="00000000000087a72b0588ddb17c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/v8EwEVhbRE0tz7YO14yXd36fTiY>
Subject: Re: [Mud] Convening MUD calls, + next steps
X-BeenThere: mud@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of Manufacturer Ussage Descriptions <mud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mud>, <mailto:mud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mud/>
List-Post: <mailto:mud@ietf.org>
List-Help: <mailto:mud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mud>, <mailto:mud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 May 2019 19:03:55 -0000
Hello Eliot, On Tue, May 14, 2019 at 7:37 AM Eliot Lear <lear@cisco.com> wrote: > Hi Ranga, > > Following up on this message below, the ACL model has actions available. > One of the things we have spoken about was a means by which manufacturers > could collect intelligence about how the MUD file is being interpreted. > That is- if the implementation is dropping packets or would drop packets > based on the MUD file, provide some sort of aggregate feedback. We need a > draft on that alongside an implementation. > Defining the format of such feedback would be useful I think. > We talked a bit about this at one point, and the key is just making sure > to match the drop against a particular MUD rule. From an implementation > standpoint that means logging drops, for a specific device, matching that > device to a MUD URL, and then having some sort of contact information > available for this purpose. > Request some clarifications on the proposed behavior: MUD is a series of "ACCEPT" rules followed by an implicit DROP rule. So how can we know that a specific MUD rule caused a packet to be dropped? All we know when the packet is dropped (or marked for drop) is that NO mud rule allowed the packet to proceed. Thanks, Ranga > > That’s a draft right there. > > What I want to avoid is advising complex behaviors or behaviors that might > require substantial resources on the part of the MUD manager. An example > of that is logging, because it can be resource-intensive. If that is > something that an administrator wants, do it in your MUD manager > implementation. > > At least that’s my thinking. Am I wrong? > > Eliot > > On 16 Apr 2019, at 18:43, M. Ranganathan <mranga@gmail.com> wrote: > > > > On Mon, Apr 15, 2019 at 9:59 PM Michael Richardson <mcr+ietf@sandelman.ca> > wrote: > >> >> M. Ranganathan <mranga@gmail.com> wrote: >> > One could presumably add action hints in the ACE on what to do with >> access >> > violations (right now it is just "accept" or "deny" but one could >> be kinder >> > and gentler - e.g. add a "log" action - which is to be interpreted >> as "log >> > violations but allow"). For example: >> >> > "volations": { >> > "forwarding" : "accept-log" >> > } >> >> As another example, let's say that there is access needed to a large >> number >> of content servers. Simple examples would include firmware updates which >> are >> stored in non-deterministic CDNs, but also just consider a netflix model. >> >> Consider a rule that basically says, "device X" -> "all of AWS space". >> One the one hand, that's pretty drastic! The device could attack all >> sorts >> of things that live in AWS "Elastic IP" space. On the other hand, that >> space >> does not include root name servers, core ISP routers, university dorm >> computers, and a lot of other critical infrastructure. >> (Can we find out what is "all of AWS space"? I'm sure the list is long in >> v4, but in v6, it's probably not more than a few dozen prefixes) >> >> However, if we would mitigate such a "all of AWS space" rule to include >> the bandwidth limits often discussed, or better yet, number of >> simulatenous >> connections (or more precisely, number of unique SYN packets/hour), then >> that >> would seriously limit things, and would work very well for firmware >> updates, >> and yes, maybe even netflix. >> >> -- >> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works >> -= IPv6 IoT consulting =- >> >> >> > After some thought, I realized I mis-stated my suggested enhancement > (possibly confusing) so let me try again but I'll keep it at a conceptual > level. > > A MUD file is essentially an if-then-else construct > > > if (ACE[0] is OK) then forward > else if (ACE[1] is OK) then forward > ... > else > DROP > > I think what we're agreed on is that the DROP is too harsh as a blanket > policy to apply. I am saying that we should be able to specify what to do > if no forward action is possible. > > That is, we could specify WHEN to drop, or WHEN we want to log and forward > using matches on various conditions: > > e.g. > > DROP if packet is from a local network from / to Thing (assuming we don't > want to tolerate East-west violations) > FORWARD and log if packet is from Thing to DNS named host (and inform the > Manufacturer). > > This is at the conceptual level. I am not sure how to work this neatly > into the MUD YANG model etc. Here is a very rough example > "ietf-mud:mud": { > "mud-version": 1, > "mud-url": "https://controllerclass-test.nist.local/super1", > "last-update": "2018-03-11T19:44:23+01:00", > "cache-validity": 48, > "is-supported": true, > "systeminfo": "https://mud.nist.local/toaster", > "from-device-policy": { > "access-lists": { > "access-list": [ > { > "name": "mud-38382-v4fr" > } > ] > } > }, > "to-device-policy": { > "access-lists": { > "access-list": [ > { > "name": "mud-38382-v4to" > } > ] > } > }, > "violations" : { > "local-networks" : "drop", > "dns-name" : "forward-log" > } > } > > (I added the last piece). Is there any way of stating this neatly? > > Thanks for reading. > > Regards, > > Ranga. > > > > > > > > > > >> >> -- >> You received this message because you are subscribed to the Google Groups >> "mud-discuss" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to mud-discuss+unsubscribe@googlegroups.com. >> To post to this group, send email to mud-discuss@googlegroups.com. >> To view this discussion on the web visit >> https://groups.google.com/d/msgid/mud-discuss/10007.1555379966%40localhost >> . >> For more options, visit https://groups.google.com/d/optout. >> > > > -- > M. Ranganathan > > > -- > You received this message because you are subscribed to the Google Groups > "mud-discuss" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to mud-discuss+unsubscribe@googlegroups.com. > To post to this group, send email to mud-discuss@googlegroups.com. > To view this discussion on the web visit > https://groups.google.com/d/msgid/mud-discuss/CAHiu4JO-iY1h02pKaJzP%3DeU4WvTn_9HpghnPdynrxEupwh8CPw%40mail.gmail.com > <https://groups.google.com/d/msgid/mud-discuss/CAHiu4JO-iY1h02pKaJzP%3DeU4WvTn_9HpghnPdynrxEupwh8CPw%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > For more options, visit https://groups.google.com/d/optout. > > > -- M. Ranganathan
- Re: [Mud] Convening MUD calls, + next steps Eliot Lear
- Re: [Mud] Convening MUD calls, + next steps M. Ranganathan
- Re: [Mud] Convening MUD calls, + next steps Eliot Lear
- Re: [Mud] Convening MUD calls, + next steps Michael Richardson
- Re: [Mud] Convening MUD calls, + next steps M. Ranganathan
- Re: [Mud] Convening MUD calls, + next steps M. Ranganathan
- Re: [Mud] Convening MUD calls, + next steps Michael Richardson
- Re: [Mud] Convening MUD calls, + next steps M. Ranganathan