IETF Logo Mail Archive

Re: [Mud] Convening MUD calls, + next steps

"M. Ranganathan" <mranga@gmail.com> Tue, 14 May 2019 19:03 UTC

Return-Path: <mranga@gmail.com>
X-Original-To: mud@ietfa.amsl.com
Delivered-To: mud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F87A1200C4 for <mud@ietfa.amsl.com>; Tue, 14 May 2019 12:03:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ylwq_h45L4Fr for <mud@ietfa.amsl.com>; Tue, 14 May 2019 12:03:52 -0700 (PDT)
Received: from mail-it1-x130.google.com (mail-it1-x130.google.com [IPv6:2607:f8b0:4864:20::130]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1967D120021 for <mud@ietf.org>; Tue, 14 May 2019 12:03:52 -0700 (PDT)
Received: by mail-it1-x130.google.com with SMTP id 9so563466itf.4 for <mud@ietf.org>; Tue, 14 May 2019 12:03:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=LmEmScOfBsH4VjrpQDLLg6Yk+x4+aKimJ2SyiIk5Xfc=; b=tjSOBoc0VFjYKd+ftJievQYd7E0YEqOj1fxme1KR7MUsKhcUjbkFuyXnmBinbV2Dwi tsnaFpg29UAefbRWgXYCG4jLMmLIZugv1J4M8nXOi6ty8COTbl0PulJccxl/y5zPbZdK y7q2jRydLFkQz10NKyGF8OSqsrxBqdbfKjNJezFH/CX7eRZ/CmYkPThy12TbyU8lQKWR eMz7mKQcyPSXcDRWo8uvKfc8L9SmGgrI+cvOAdtGWZ4TiDMyzk1GhpAcFYwqiqTiWP8b Dji8dS+kANLNrNmPFLf64WF+azElFiqDdGl5mubgFd74lglo6XujXTG1YZZjv6VBkwoC EIrA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=LmEmScOfBsH4VjrpQDLLg6Yk+x4+aKimJ2SyiIk5Xfc=; b=brsrf/Ig3/3ZfcIcPWVtwRoOm/a/tRXDahvIzo/1uTbLFq7sg3Ac1rPp3G69l1uL3u bYitocodTNGKSrKmen6FdKAIAcoOjli8YFkxnoVxnl0U7NoqbaQRZkMNXfIx2DKiy0je mfcTCkIRSlwjnvGCZdTtSAZMloQ0izEAtoeu3FBOUrEIejFQYO5fc0NNPQxa5DPgfKDu EFj4WsOmDZnt5OvFr+skqnS0dXFGZ4fvuaKjoikGPpbVlnYTUZEKHTd3szCSV2x5EuFA dXsRYErSMCIrZ8MT4XcxsgdQaUn3QUr1ouYV2DXgup6lUemT+/X6nwo2QP9VDmoCcQv5 aXlw==
X-Gm-Message-State: APjAAAULibsPDKbmJX4bLRubBUC1op2MhnQF0n8Y0sKb6nc6npfXqosF 6kr/CDRggH1e2WcG1gO9q8DmITCTzmmOSjl5+7g=
X-Google-Smtp-Source: APXvYqwcUfnxVUn3HP02pPFf+t2acI7RgzeypBbOsu4hfSn4MStBZibF6hciVMNjHv0gDUSHyyUvhS2xewleE8Sfha0=
X-Received: by 2002:a24:320c:: with SMTP id j12mr4424267ita.131.1557860631158; Tue, 14 May 2019 12:03:51 -0700 (PDT)
MIME-Version: 1.0
References: <5B10945F-EFE2-4021-9650-F010A737BA1D@isoc.org> <F9F696B9-1DAC-4070-B85F-780C841FCC62@cisco.com> <19433.1555006746@localhost> <ABA471C2-D547-4BA0-875C-CF1B7CD61722@cisco.com> <D0A4C670-E9A3-4DA8-8D57-C9D96B7D211F@nist.gov> <AFB482B9-D747-420B-879D-D20E5D9C8BC1@cisco.com> <CAHiu4JPjwuzHPhdDDzNahcngkkOOkSnerFwGx=QH9vbUJ1H8=g@mail.gmail.com> <10007.1555379966@localhost> <CAHiu4JO-iY1h02pKaJzP=eU4WvTn_9HpghnPdynrxEupwh8CPw@mail.gmail.com> <F72774E9-E630-4EC7-B6CA-78F963AEE444@cisco.com>
In-Reply-To: <F72774E9-E630-4EC7-B6CA-78F963AEE444@cisco.com>
From: "M. Ranganathan" <mranga@gmail.com>
Date: Tue, 14 May 2019 15:03:14 -0400
Message-ID: <CAHiu4JNs1D9S8kMMnH2n5VeyHensbjE4Dg_XttZjoGMuHwR+FQ@mail.gmail.com>
To: Eliot Lear <lear@cisco.com>
Cc: mud@ietf.org
Content-Type: multipart/alternative; boundary="00000000000087a72b0588ddb17c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/v8EwEVhbRE0tz7YO14yXd36fTiY>
Subject: Re: [Mud] Convening MUD calls, + next steps
X-BeenThere: mud@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of Manufacturer Ussage Descriptions <mud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mud>, <mailto:mud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mud/>
List-Post: <mailto:mud@ietf.org>
List-Help: <mailto:mud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mud>, <mailto:mud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 May 2019 19:03:55 -0000

Hello Eliot,

On Tue, May 14, 2019 at 7:37 AM Eliot Lear <lear@cisco.com> wrote:

> Hi Ranga,
>
> Following up on this message below, the ACL model has actions available.
> One of the things we have spoken about was a means by which manufacturers
> could collect intelligence about how the MUD file is being interpreted.
> That is- if the implementation is dropping packets or would drop packets
> based on the MUD file, provide some sort of aggregate feedback.  We need a
> draft on that alongside an implementation.
>

Defining the format of such feedback would be useful I think.


> We talked a bit about this at one point, and the key is just making sure
> to match the drop against a particular MUD rule.  From an implementation
> standpoint that means logging drops, for a specific device, matching that
> device to a MUD URL, and then having some sort of contact information
> available for this purpose.
>

Request some clarifications on the proposed behavior:

MUD is a series of "ACCEPT" rules followed by an implicit DROP rule. So how
can we know that a specific MUD rule caused a packet to be dropped? All we
know when the packet is dropped (or marked for drop) is that NO mud rule
allowed the packet to proceed.

Thanks,

Ranga




>
> That’s a draft right there.
>

> What I want to avoid is advising complex behaviors or behaviors that might
> require substantial resources on the part of the MUD manager.  An example
> of that is logging, because it can be resource-intensive.  If that is
> something that an administrator wants, do it in your MUD manager
> implementation.
>
> At least that’s my thinking.  Am I wrong?
>
> Eliot
>
> On 16 Apr 2019, at 18:43, M. Ranganathan <mranga@gmail.com> wrote:
>
>
>
> On Mon, Apr 15, 2019 at 9:59 PM Michael Richardson <mcr+ietf@sandelman.ca>
> wrote:
>
>>
>> M. Ranganathan <mranga@gmail.com> wrote:
>>     > One could presumably add action hints in the ACE on what to do with
>> access
>>     > violations (right now it is just "accept" or "deny" but one could
>> be kinder
>>     > and gentler - e.g. add a "log" action - which is to be interpreted
>> as "log
>>     > violations but allow"). For example:
>>
>>     > "volations": {
>>     > "forwarding" : "accept-log"
>>     > }
>>
>> As another example, let's say that there is access needed to a large
>> number
>> of content servers.  Simple examples would include firmware updates which
>> are
>> stored in non-deterministic CDNs, but also just consider a netflix model.
>>
>> Consider a rule that basically says, "device X" -> "all of AWS space".
>> One the one hand, that's pretty drastic!  The device could attack all
>> sorts
>> of things that live in AWS "Elastic IP" space.  On the other hand, that
>> space
>> does not include root name servers, core ISP routers, university dorm
>> computers, and a lot of other critical infrastructure.
>> (Can we find out what is "all of AWS space"?  I'm sure the list is long in
>> v4, but in v6, it's probably not more than a few dozen prefixes)
>>
>> However, if we would mitigate such a "all of AWS space" rule to include
>> the bandwidth limits often discussed, or better yet, number of
>> simulatenous
>> connections (or more precisely, number of unique SYN packets/hour), then
>> that
>> would seriously limit things, and would work very well for firmware
>> updates,
>> and yes, maybe even netflix.
>>
>> --
>> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>>  -= IPv6 IoT consulting =-
>>
>>
>>
> After some thought, I realized I mis-stated my suggested enhancement
> (possibly confusing) so let me try again but I'll keep it at a conceptual
> level.
>
> A MUD file is essentially an if-then-else construct
>
>
> if (ACE[0] is OK) then forward
> else if (ACE[1] is OK) then forward
> ...
> else
>      DROP
>
> I think what we're agreed on is that the DROP is too harsh as a blanket
> policy to apply. I am saying that we should be able to specify what to do
> if no forward action is possible.
>
> That is, we could specify WHEN to drop, or WHEN we want to log and forward
> using matches on various conditions:
>
> e.g.
>
> DROP if packet is from a local network from / to Thing (assuming we don't
> want to tolerate East-west violations)
> FORWARD and log if packet is from Thing to DNS named host (and inform the
> Manufacturer).
>
> This is at the conceptual level. I am not sure how to work this neatly
> into the MUD YANG model etc. Here is a very rough example
>  "ietf-mud:mud": {
>     "mud-version": 1,
>     "mud-url": "https://controllerclass-test.nist.local/super1",
>     "last-update": "2018-03-11T19:44:23+01:00",
>     "cache-validity": 48,
>     "is-supported": true,
>     "systeminfo": "https://mud.nist.local/toaster",
>     "from-device-policy": {
>       "access-lists": {
>         "access-list": [
>           {
>             "name": "mud-38382-v4fr"
>           }
>         ]
>       }
>     },
>     "to-device-policy": {
>       "access-lists": {
>         "access-list": [
>           {
>             "name": "mud-38382-v4to"
>           }
>         ]
>       }
>     },
>     "violations" : {
>             "local-networks" : "drop",
>             "dns-name" : "forward-log"
>     }
>   }
>
> (I added the last piece). Is there any way of stating this neatly?
>
> Thanks for reading.
>
> Regards,
>
> Ranga.
>
>
>
>
>
>
>
>
>
>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "mud-discuss" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to mud-discuss+unsubscribe@googlegroups.com.
>> To post to this group, send email to mud-discuss@googlegroups.com.
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/mud-discuss/10007.1555379966%40localhost
>> .
>> For more options, visit https://groups.google.com/d/optout.
>>
>
>
> --
> M. Ranganathan
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "mud-discuss" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to mud-discuss+unsubscribe@googlegroups.com.
> To post to this group, send email to mud-discuss@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/mud-discuss/CAHiu4JO-iY1h02pKaJzP%3DeU4WvTn_9HpghnPdynrxEupwh8CPw%40mail.gmail.com
> <https://groups.google.com/d/msgid/mud-discuss/CAHiu4JO-iY1h02pKaJzP%3DeU4WvTn_9HpghnPdynrxEupwh8CPw%40mail.gmail.com?utm_medium=email&utm_source=footer>
> .
> For more options, visit https://groups.google.com/d/optout.
>
>
>

-- 
M. Ranganathan

v2.23.0 | Report a Bug | By Email