IETF Logo Mail Archive

Re: [Mud] Convening MUD calls, + next steps

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 14 May 2019 22:13 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: mud@ietfa.amsl.com
Delivered-To: mud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CEA271200E6 for <mud@ietfa.amsl.com>; Tue, 14 May 2019 15:13:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WvufwKVP_iWX for <mud@ietfa.amsl.com>; Tue, 14 May 2019 15:13:45 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0349312003F for <mud@ietf.org>; Tue, 14 May 2019 15:13:44 -0700 (PDT)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:56b2:3ff:fe0b:d84]) by tuna.sandelman.ca (Postfix) with ESMTP id 7DE8C3826E; Tue, 14 May 2019 18:12:59 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 3BBDC1008; Tue, 14 May 2019 18:13:42 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 3A4F1B3D; Tue, 14 May 2019 18:13:42 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: mud@ietf.org
cc: "M. Ranganathan" <mranga@gmail.com>, Eliot Lear <lear@cisco.com>
In-Reply-To: <11306A54-162F-4EA3-803B-FC2D1BB7D4E6@cisco.com>
References: <5B10945F-EFE2-4021-9650-F010A737BA1D@isoc.org> <F9F696B9-1DAC-4070-B85F-780C841FCC62@cisco.com> <19433.1555006746@localhost> <ABA471C2-D547-4BA0-875C-CF1B7CD61722@cisco.com> <D0A4C670-E9A3-4DA8-8D57-C9D96B7D211F@nist.gov> <AFB482B9-D747-420B-879D-D20E5D9C8BC1@cisco.com> <CAHiu4JPjwuzHPhdDDzNahcngkkOOkSnerFwGx=QH9vbUJ1H8=g@mail.gmail.com> <10007.1555379966@localhost> <CAHiu4JO-iY1h02pKaJzP=eU4WvTn_9HpghnPdynrxEupwh8CPw@mail.gmail.com> <F72774E9-E630-4EC7-B6CA-78F963AEE444@cisco.com> <CAHiu4JNs1D9S8kMMnH2n5VeyHensbjE4Dg_XttZjoGMuHwR+FQ@mail.gmail.com> <11306A54-162F-4EA3-803B-FC2D1BB7D4E6@cisco.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Tue, 14 May 2019 18:13:42 -0400
Message-ID: <30445.1557872022@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/xB2ua_7cq8Y04IDyB4Ygqwn_NrI>
Subject: Re: [Mud] Convening MUD calls, + next steps
X-BeenThere: mud@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of Manufacturer Ussage Descriptions <mud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mud>, <mailto:mud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mud/>
List-Post: <mailto:mud@ietf.org>
List-Help: <mailto:mud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mud>, <mailto:mud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 May 2019 22:13:47 -0000

Eliot Lear <lear@cisco.com> wrote:
    mr> MUD is a series of "ACCEPT" rules followed by an implicit DROP rule. So
    mr> how can we know that a specific MUD rule caused a packet to be dropped?
    mr> All we know when the packet is dropped (or marked for drop) is that NO
    mr> mud rule allowed the packet to proceed.

    > On the whole this is generally true. The fact that the packet was dropped
    > means that NONE of the accept rules were met, and that’s a lot of information
    > right there. ie, my-controller, same-manufacturer etc didn’t match, or they
    > matched a reject rule. Do others have thoughts there?

But the rules aren't actually fully specific.
They get instantiated:
  1) source is the device (by... L2? L3? depends upon implementation)
  2) destination is an IP, but rule is by name, so how did DNS resolve?

It would be ideal if one could identify packets that would have matched if
only the source was different, or the destination was resolved differently.
This requires a bit of fuzzy matching against the drop-log.

That probably accounts for 9 out 10 situations where packets were dropped
that were not really malicious.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email