Re: [Mud] Convening MUD calls, + next steps
Michael Richardson <mcr+ietf@sandelman.ca> Tue, 14 May 2019 22:13 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: mud@ietfa.amsl.com
Delivered-To: mud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEA271200E6 for <mud@ietfa.amsl.com>; Tue, 14 May 2019 15:13:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WvufwKVP_iWX for <mud@ietfa.amsl.com>; Tue, 14 May 2019 15:13:45 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0349312003F for <mud@ietf.org>; Tue, 14 May 2019 15:13:44 -0700 (PDT)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:56b2:3ff:fe0b:d84]) by tuna.sandelman.ca (Postfix) with ESMTP id 7DE8C3826E; Tue, 14 May 2019 18:12:59 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 3BBDC1008; Tue, 14 May 2019 18:13:42 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 3A4F1B3D; Tue, 14 May 2019 18:13:42 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: mud@ietf.org
cc: "M. Ranganathan" <mranga@gmail.com>, Eliot Lear <lear@cisco.com>
In-Reply-To: <11306A54-162F-4EA3-803B-FC2D1BB7D4E6@cisco.com>
References: <5B10945F-EFE2-4021-9650-F010A737BA1D@isoc.org> <F9F696B9-1DAC-4070-B85F-780C841FCC62@cisco.com> <19433.1555006746@localhost> <ABA471C2-D547-4BA0-875C-CF1B7CD61722@cisco.com> <D0A4C670-E9A3-4DA8-8D57-C9D96B7D211F@nist.gov> <AFB482B9-D747-420B-879D-D20E5D9C8BC1@cisco.com> <CAHiu4JPjwuzHPhdDDzNahcngkkOOkSnerFwGx=QH9vbUJ1H8=g@mail.gmail.com> <10007.1555379966@localhost> <CAHiu4JO-iY1h02pKaJzP=eU4WvTn_9HpghnPdynrxEupwh8CPw@mail.gmail.com> <F72774E9-E630-4EC7-B6CA-78F963AEE444@cisco.com> <CAHiu4JNs1D9S8kMMnH2n5VeyHensbjE4Dg_XttZjoGMuHwR+FQ@mail.gmail.com> <11306A54-162F-4EA3-803B-FC2D1BB7D4E6@cisco.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Tue, 14 May 2019 18:13:42 -0400
Message-ID: <30445.1557872022@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/xB2ua_7cq8Y04IDyB4Ygqwn_NrI>
Subject: Re: [Mud] Convening MUD calls, + next steps
X-BeenThere: mud@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of Manufacturer Ussage Descriptions <mud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mud>, <mailto:mud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mud/>
List-Post: <mailto:mud@ietf.org>
List-Help: <mailto:mud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mud>, <mailto:mud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 May 2019 22:13:47 -0000
Eliot Lear <lear@cisco.com> wrote: mr> MUD is a series of "ACCEPT" rules followed by an implicit DROP rule. So mr> how can we know that a specific MUD rule caused a packet to be dropped? mr> All we know when the packet is dropped (or marked for drop) is that NO mr> mud rule allowed the packet to proceed. > On the whole this is generally true. The fact that the packet was dropped > means that NONE of the accept rules were met, and that’s a lot of information > right there. ie, my-controller, same-manufacturer etc didn’t match, or they > matched a reject rule. Do others have thoughts there? But the rules aren't actually fully specific. They get instantiated: 1) source is the device (by... L2? L3? depends upon implementation) 2) destination is an IP, but rule is by name, so how did DNS resolve? It would be ideal if one could identify packets that would have matched if only the source was different, or the destination was resolved differently. This requires a bit of fuzzy matching against the drop-log. That probably accounts for 9 out 10 situations where packets were dropped that were not really malicious. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- Re: [Mud] Convening MUD calls, + next steps Eliot Lear
- Re: [Mud] Convening MUD calls, + next steps M. Ranganathan
- Re: [Mud] Convening MUD calls, + next steps Eliot Lear
- Re: [Mud] Convening MUD calls, + next steps Michael Richardson
- Re: [Mud] Convening MUD calls, + next steps M. Ranganathan
- Re: [Mud] Convening MUD calls, + next steps M. Ranganathan
- Re: [Mud] Convening MUD calls, + next steps Michael Richardson
- Re: [Mud] Convening MUD calls, + next steps M. Ranganathan