[Mud] DNS filtering and IoT device security
Michael Richardson <mcr+ietf@sandelman.ca> Sun, 01 December 2019 20:16 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: mud@ietfa.amsl.com
Delivered-To: mud@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F954120108; Sun, 1 Dec 2019 12:16:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lpO5Z5Gvfa5E; Sun, 1 Dec 2019 12:16:16 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FF7312010C; Sun, 1 Dec 2019 12:16:15 -0800 (PST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id A68A63897B; Sun, 1 Dec 2019 15:12:41 -0500 (EST)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 9AB24726; Sun, 1 Dec 2019 15:16:14 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Ted Lemon <mellon@fugue.com>, ADD Mailing list <add@ietf.org>
CC: mud@ietf.org
In-Reply-To: <44754CB6-1CED-4ADF-9521-1361DF4F75A6@fugue.com>
References: <99B3F484-0C0B-40F0-9E97-E7807AC61FA5@fl1ger.de> <44754CB6-1CED-4ADF-9521-1361DF4F75A6@fugue.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Sun, 01 Dec 2019 15:16:14 -0500
Message-ID: <892.1575231374@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/mud/yu9J395cgI5Nd8GOiSkyCxR6vMM>
Subject: [Mud] DNS filtering and IoT device security
X-BeenThere: mud@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of Manufacturer Ussage Descriptions <mud.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/mud>, <mailto:mud-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/mud/>
List-Post: <mailto:mud@ietf.org>
List-Help: <mailto:mud-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/mud>, <mailto:mud-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Dec 2019 20:16:18 -0000
Ralf Weber <dns@fl1ger.de> wrote: >> While this is possible for well behaved clients, it’s hardly possible >> for devices that attack my network, like hacked IoT devices. We have >> to give the network some means to defend against this. To achieve this >> the proper behaviour of well defined client must be predictable and >> follow what the network offers. If attack and regular traffic look the >> same defending against attack traffic gets much harder. Ted Lemon <mellon@fugue.com> wrote: > Your IoT devices should not be able to communicate freely with all > other devices on your network (or off). They should be firewalled > automatically using MUD. This is a much more effective strategy than > filtering their DNS queries, because it is a list of permitted > connections rather than a list of excluded connections. The permission > list permits only those destinations the IoT device should be talking > to. An exclusion list allows the IoT device to talk to all unknown > adversaries, and only blocks communication with known adversaries. So > it’s perhaps marginally better than nothing, but still mostly useless. I agree completely with Ted: DNS is a really poor way to keep your devices safe. It's unfortunately, often the only controls we have to date, and when the only tool you have is a hammer... I posted draft-richardson-opsawg-mud-iot-dns-considerations-01 just before the deadline. Contributions and thoughts welcome. Fundamentally, the MUD controller needs to be able to get the same DNS answers as the IoT devices. To the extent that off-site Do53/DoH/DoT screws up geo-DNS and other load balancing mechanisms they are a problem. That's not a mark against DoX, but against *off-site*. That's also not a statement against browsers doing X or Y, but rather that controllers needs to know where devices are asking questions to. Local makes it easier to manage, but that's not the only answer. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Mud] DNS filtering and IoT device security Michael Richardson