Re: [OPSAWG] [Mud] Declaring something to be a controller in MUD

Eliot Lear <> Wed, 26 June 2019 15:43 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A6F33120100; Wed, 26 Jun 2019 08:43:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mtmIJ2Ts9NWE; Wed, 26 Jun 2019 08:43:05 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1FC7612003E; Wed, 26 Jun 2019 08:43:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=5110; q=dns/txt; s=iport; t=1561563785; x=1562773385; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=ZQRBKeQzTVT9jnz3njd9giCaN/RSYI5YJxdHdpZmWLs=; b=dDcyXLryMRPmIAGQxK94OnRO6yU5jgLp6URJGltNVDMWtv8mVBnmBPgv xsxiZk/62V+5UkBy97KpaCDsjNCfyCss2yYsApwdAgBRbZnSqLXifP0ho SikUPWMAgwHNXu6yd+OFyimGWOF7ch/Sb3kacXKbko6ipAJetAeMGsnre g=;
X-Files: signature.asc : 195
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0BWAAC4kRNd/xbLJq1kGgEBAQEBAgE?= =?us-ascii?q?BAQEHAgEBAQGBZ4MBUQEyIQeEFYh7i18lmmcCBwEBAQkDAQEjDAEBgUuCdQK?= =?us-ascii?q?DIDgTAQMBAQQBAQIBBW2KNwyFSgEBAQMBI1EFBQsLGCoCAlcGE4MiAYF7Dwg?= =?us-ascii?q?HpWSBMYVHhF0QgTSBUYokgX+BOAwTgh4uPoJWhHgygiYEjAGHb1qVUAmCGII?= =?us-ascii?q?egQqDKI0fG4MWlD6UCFiBd4JTiA2DCQIEBgUCFYFnIYFYMxoIGxU7KgGCQQk?= =?us-ascii?q?1ggqDFVSKVT0DMI8rAQE?=
X-IronPort-AV: E=Sophos;i="5.63,420,1557187200"; d="asc'?scan'208";a="13557855"
Received: from (HELO ([]) by with ESMTP/TLS/DHE-RSA-SEED-SHA; 26 Jun 2019 15:43:02 +0000
Received: from ( []) by (8.15.2/8.15.2) with ESMTPS id x5QFh1PG003375 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Wed, 26 Jun 2019 15:43:02 GMT
From: Eliot Lear <>
Message-Id: <>
Content-Type: multipart/signed; boundary="Apple-Mail=_555F9A05-FBC8-4287-8E2B-E270949473E2"; protocol="application/pgp-signature"; micalg=pgp-sha1
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Wed, 26 Jun 2019 17:43:00 +0200
In-Reply-To: <11505.1561563275@localhost>
To: Michael Richardson <>
References: <> <1547.1561492346@localhost> <> <11505.1561563275@localhost>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <>
Subject: Re: [OPSAWG] [Mud] Declaring something to be a controller in MUD
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 26 Jun 2019 15:43:08 -0000

> On 26 Jun 2019, at 17:34, Michael Richardson <> wrote:
> Signed PGP part
> Eliot Lear <> wrote:
>>>> In either case, right now the administrator has to manually know and
>>>> populate information, to say - some device is a controller,
>>>> either for MUD URL <> or
>>>> a class <>.
>>>> That can be laborious.  To assist, we are examining ways to have a
>>>> controller declare itself as a candidate controller.  That at least
>>>> provides a hint to the administrator that this particular device is
>>>> capable of serving in a particular role.
>>> I think that anything that requires administrator activity to be a fail for
>>> residential use.  It's too complex.
>> There will ALWAYS be a need for an administrator in the enterprise
>> case.  But maybe with the options above we can ease the consumer burden
>> over time.  In the consumer case, you might want an app for initial
>> device admission control anyway, no?  Can we not rely on that
>> interaction as an approval step in this instance?
> I think we'd all like to have a generic app (with an RFC standard API) that
> can onboard any device and can do admission control for any controller.
> I think this is what you are saying as well.

Yes, but I was saying a bit more.  Do you expect to fully automate the inclusion of a controller into a controller class in the home?  How do you envision the full flow looking like?

>>>> One possibility to address this is to incorporate the new RESTful
>>>> endpoint into an ANIMA BRSKI join registrar, which may already be
>>>> exposed.  But that requires that ANIMA BRSKI be in play, which it may
>>>> not.
>>> It is, however, a really good idea for the case where it is in play.
>>>> My thinking is that we do this work in two stages.  First handle the
>>>> easy case, which is the MUD file extension, and then figure out how to
>>>> do the app version of this.
>>>> Thoughts?
>>> yes.
>> Was that “yes” to the two stage approach?
> "Yes"   :-)

> Eliot Lear <> wrote:
>>> 1) insist that to user the my-controller connections that the two devices
>>> have to be signed by the "same" entity.  ["same" could mean literal the
>>> same key, the same certificate Issuer/DN,  or something more complex]
>>> 2) we could have devices declare in an MUD extension the
>>> DN/certificate/entity which must sign their controller device.
>>> 3) (2) above, but with some level of indirection through some URL.
>> Another thought here:
>> We could provide a level of dereference for authorized controllers in
>> the device’s MUD file, in the form of a URL list that would look
>> something like:
>> {  [
>> “controller” : “controller-name"
>> “mud-urls” : [ some mud urls of valid controllers here ]
>> “include” : “” that points to a file that contains a JSON serialization of this grouping
>> }
> yes, this is exactly what I was thinking about.
> Would "mud-urls" / "include" be mutually exclusive?

I don’t see why it would have to be.  But now let’s back up, just to make sure we’re not digging too deep a hole for the application case that Ranga wants to get to.  If the MUD protected device is declaring MUD URLs for MUD controllers and that is what all of this would boil down to, then the app case is really a completely separate mechanism, because apps don’t have MUD-URLs.

If we do a two-stage, then we need a completely separate draft for apps anyway, but I was hoping for some commonality.


> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
> ]        |   ruby on rails    [
> --
> Michael Richardson <>ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-