Re: [OPSAWG] (Also Ben Campbell's and Alexey's) Re: Spencer Dawkins' Yes on draft-ietf-opsawg-mud-20: (with COMMENT)
Eliot Lear <lear@cisco.com> Tue, 17 April 2018 12:56 UTC
Return-Path: <lear@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A495312EB35; Tue, 17 Apr 2018 05:56:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.509
X-Spam-Level:
X-Spam-Status: No, score=-14.509 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tsMx_SJlP3cm; Tue, 17 Apr 2018 05:56:52 -0700 (PDT)
Received: from aer-iport-2.cisco.com (aer-iport-2.cisco.com [173.38.203.52]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B02F112EB27; Tue, 17 Apr 2018 05:56:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=41032; q=dns/txt; s=iport; t=1523969812; x=1525179412; h=subject:to:cc:references:from:message-id:date: mime-version:in-reply-to; bh=v7AJ0YKSl/La7uOJ/eYm8NwMYGJA74hRqNdwW0wCn7A=; b=WEc7y7R8F9qVvnFcKbjvI70kicJvNlhaVPRSGpsswDb8FIiw5eFjOVHs ATvVf8hiSlsh7pamzcudxjo8IkYJHsel6QBMEZQ8ILgsqaQ3lcNVuxGwl XQBCXF9/17446HdE/94JzQ7/0EtzgbW7EEP1Z5NlAoSG1npd0xv9ag4PO I=;
X-Files: signature.asc : 488
X-IronPort-AV: E=Sophos;i="5.48,463,1517875200"; d="asc'?scan'208,217";a="3237579"
Received: from aer-iport-nat.cisco.com (HELO aer-core-1.cisco.com) ([173.38.203.22]) by aer-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 Apr 2018 12:56:49 +0000
Received: from [10.61.91.30] (ams3-vpn-dhcp6943.cisco.com [10.61.91.30]) by aer-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id w3HCumXQ020694; Tue, 17 Apr 2018 12:56:48 GMT
To: Spencer Dawkins at IETF <spencerdawkins.ietf@gmail.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-opsawg-mud@ietf.org, Joe Clarke <jclarke@cisco.com>, opsawg-chairs@ietf.org, opsawg@ietf.org
References: <152390575517.19640.3919526636067910532.idtracker@ietfa.amsl.com> <4218241e-f2d6-ad81-34df-0e538510c70b@cisco.com> <CAKKJt-djcZtbYozqTK9wRdGSqcDGPbdzbKEDSJLwzLethuotWA@mail.gmail.com>
From: Eliot Lear <lear@cisco.com>
Openpgp: preference=signencrypt
Autocrypt: addr=lear@cisco.com; prefer-encrypt=mutual; keydata= xsBNBFMe1UQBCADdYOS5APDpIpF2ohAxB+nxg1GpAYr8iKwGIb86Wp9NkK5+QwbW9H035clT lpVLciExtN8E3MCTPOIm7aITPlruixAVwlBY3g7U9eRppSw9O2H/7bie2GOnYxqmsw4v1yNZ 9NcMLlD8raY0UcQ5r698c8JD4xUTLqybZXaK2sPeJkxzT+IwupRSQ+vXEvFFGhERQ88zo5Ca Sa1Gw/Rv54oH0Dq2XYkO41rhxQ60BKZLZuQK1d9+1y3I+An3AJeD3AA31fJZD3H8YRKOBgqe ILPILbw1mM7gCtCjfvFCt6AFCwEsjITGx55ceoQ+t5B5XGYJEppMWsIFrwZsfbL+gP31ABEB AAHNJUVsaW90IExlYXIgPGxlYXJAb2Zjb3Vyc2VpbXJpZ2h0LmNvbT7CwHsEEwECACUCGwMG CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheABQJTHtXCAhkBAAoJEIe2a0bZ0nozBNoH/j0Mdnyg CgNNmI4DyL9mGfTJ/+XiTxWXMK4TTszwwn/tsXjyPQWjoO6nYqz5i96ItmSpkelSGVpzU+LK LQxSjFeUvKw23bp1rVecfGR+OENSE1m6KfFj3vtzQOZ2/FgK210MWnlYNNyAHX6Pf6hKInTP v6LbZiAQMCmf0aPvRbk/aPSNJAuIKrLrrCgAlwelrTavFsSwnKI3dhSG8DJ9+z/uiXDiHYra Ub3BKp5K/x71Zd8hUsWm2simnE/6HvZaZz7CC29JSZ/5gGtNB3OMNKLzLWUbQacF3IKxpW66 ZFYFYnlBV4jRnKlmb40YcEXWVJkkVC8g+/J9Qo6R8BdmSTXOwE0EUx7VRAEIALRZXth1u/3n FgY+G2FN0KEEik+2Xsk8JX9zr/eISa+Ol8a4U1orgxpyP2V7bQQDkDUEfs+Asagc6I8zrk3K xGln3pFFVfdM18uaEYwWvmE84Y12r7FwYdW62bA9X1Ttsp5Q1GI8XHdh0SQTF12pXYTwWW1P THYVIp7bGzM88cHqBW0xyRflu4j2nUrd9tWFd28SRxhj+MHQkQkbKFLloRty3lwdS8MCRPzX 9gUrkl+DxFHC7WrW3Vi4glI5YBlD0n2hSyDoP1GkKVT60gUGh7eJOnUBR8lzKm5wYqAtgq2m 79rKBylA40diRhbnTTeY+ytqMWFF5UXm97Jwxsezi7kAEQEAAcLAXwQYAQIACQUCUx7VRAIb DAAKCRCHtmtG2dJ6M5K5CADbunatgHsqHbR3KbpXxzralakEcdODGv/fbN6/EdKJeXrG9QKD lPxZTB9STw6+ANwESsr9uUMAxdDNKDeynjnQmFHxGdcdcXlnPZPThfseeUhUkbB/YKOfDIQA kKozNoKYj6Dcia+D/wvifIEW+GUUcO/6Qi8yK6PLJyM8C7vHEqmUGzX8gTCYOgAyOd4WZrC9 95CfB0yFIorw+MpK7MZTm5SbGPcYF9Gq9MzSqmaEw8U6YOElKYfnkcsCTLYyWaolhck+3/0R 9ISEWK5rUzqAuK40S4+Sn7yNycdCoqvQh4e3xSpzAu3aYZ8jKXQVV0X2G9Y+M1HMZuCqhPUO LTdF
Message-ID: <a710d417-e3d6-8214-6840-9a038799a11d@cisco.com>
Date: Tue, 17 Apr 2018 14:56:47 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:52.0) Gecko/20100101 Thunderbird/52.7.0
MIME-Version: 1.0
In-Reply-To: <CAKKJt-djcZtbYozqTK9wRdGSqcDGPbdzbKEDSJLwzLethuotWA@mail.gmail.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="LMgp3wXGSQth9gISkUjEeEzqXc9jvjKmi"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/D4Gp7j9wLV2IcN0Lqy7-YzmNEX4>
Subject: Re: [OPSAWG] (Also Ben Campbell's and Alexey's) Re: Spencer Dawkins' Yes on draft-ietf-opsawg-mud-20: (with COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Apr 2018 12:56:58 -0000
On 17.04.18 14:44, Spencer Dawkins at IETF wrote: > Hi, Eliot, > > On Tue, Apr 17, 2018 at 1:43 AM, Eliot Lear <lear@cisco.com > <mailto:lear@cisco.com>> wrote: > > Responding to Spencer, Ben, and Alexy (in order). > > > On 16.04.18 21:09, Spencer Dawkins wrote: >> Spencer Dawkins has entered the following ballot position for >> draft-ietf-opsawg-mud-20: Yes >> >> When responding, please keep the subject line intact and reply to all >> email addresses included in the To and CC lines. (Feel free to cut this >> introductory paragraph, however.) >> >> >> Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html >> <https://www.ietf.org/iesg/statement/discuss-criteria.html> >> for more information about IESG DISCUSS and COMMENT positions. >> >> >> The document, along with other ballot positions, can be found here: >> https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud/ >> <https://datatracker.ietf.org/doc/draft-ietf-opsawg-mud/> >> >> >> >> ---------------------------------------------------------------------- >> COMMENT: >> ---------------------------------------------------------------------- >> >> I'm a Yes who's watching Discussions with other ADs, but that's still a Yes. >> Thanks for doing this work. >> >> I do have some questions and comments. >> >> I don't think this requires any changes to the current document, but I note that >> >> 3.15. direction-initiated >> >> When applied this matches packets when the flow was initiated in the >> corresponding direction. [RFC6092] specifies IPv6 guidance best >> practices. While that document is scoped specifically to IPv6, its >> contents are applicable for IPv4 as well. When this flag is set, and >> the system has no reason to believe a flow has been initiated it MUST >> drop the packet. This node may be implemented in its simplest form >> by looking at naked SYN bits, but may also be implemented through >> more stateful mechanisms. >> >> it's not clear that "looking at naked SYN bits" will have an analogy in HTTP/2 >> over QUIC, and I'm a bit suspicious of "may also be implemented through more >> stateful mechanisms" in 2018. Do the right thing, of course. > > I proposed a clarification: direction initiated is a TCP element. > > > That is a clarification. > > I guess what I'm thinking, on reflection, is that direction is likely > to be helpful for TCP-based communication, is not likely to be helpful > for UDP-based communication without stateful inspection (so, my camera > probably does need to act as a DNS client, but probably doesn't need > to act as a DNS server), and is likely to be increasingly unhelpful if > we really do see things using encrypted, UDP-based transports like QUIC. > > This does poke the "how are network managers going to manage networks > running encrypted, UDP-based transport" bear, but that's way bigger > than this document. Say as much as you think is helpful, and then move > on, I think. Well indeed. I think the key here is to recognize that all MUD can do is invoke network management capabilities already present in the infrastructure. "Picture if you will", however, a MUD extension that modifies the meaning of "direction-initiated" to say, please do stateful to allow stuff outbound, and re-adds the element in the UDP context. Absolutely possible. I think it's a matter of whether the underlying infrastructure broadly supports such a capability. >> Does >> >> 3.5. is-supported >> >> This boolean is an indication from the manufacturer to the network >> administrator as to whether or not the Thing is supported. In this >> context a Thing is said to not be supported if the manufacturer >> intends never to issue an update to the Thing or never update the MUD >> file. A MUD controller MAY still periodically check for updates. >> >> ever mean anything except "is-updated"? > > Mostly that what it means, but the implication is that there's no > support, and enterprise administrators in particular might want to > know that (usually they do- because those devices represent a > particular risk). > > > Here, I must apologize, because I've been thinking of MUD as the > other side of a coin that also has SUIT, TEEP, and similar tools - If > your Thing is just being installed and forgotten until it's an attack > platform, you need MUD descriptions, but if your Thing is going to be > updated, you should be looking at SUIT, TEEP, and whatever else seems > helpful. > > I had not been thinking of using both MUD and SUIT/TEEP/whatever, and > that's a lack of imagination on my part, but the most relevant side > effect of that, is that if you know what your printer needs to do, to > be a network printer, and you get a MUD description for it, and the > printer isn't going to be updated, that MUD description should be > fine, forever. > I've been thinking about this as well. Had MUD been completed later, I would have wanted to leave a reference to the work, along the lines of "MUD is part of a nutritious breakfast, along with SUIT, TEEP, etc". By the time we do v2, I expect us to do just that. Regards, Eliot > I'm still connecting dots. > >> "Supported" covers a lot of ground … >> >> If a manufacturer sells off one product line (so, flobbidy.example.com <http://flobbidy.example.com> covered >> multiple product lines, but now flobbidy.example.com/mark1/lightbulb >> <http://flobbidy.example.com/mark1/lightbulb> will be >> maintained by a manufacturer that isn't flobbidy.example.com <http://flobbidy.example.com>), is there a good >> plan for what comes next? I'm not sure what happens to is-supported, for >> instance. > > The intent is that the entity providing the MUD file (probably the > manufacturer) will not be issuing software/firmware updates or MUD > file updates. But your point is more about device lifecycle, and > that's a more interesting question than just "is-supported". > Steve Rich and Thorsten Dahm have begun to delve in that > direction. There are at least a few possibilities, such as the > use of redirects, or even domain names that are used for > particular classes of devices, or even common repos. More work > needed. > > > Yeah, and I didn't mean to slow MUD down waiting for that work. Just > to be clear (hence, Yes). > > > >> I'm sensitive to Eliot's "walk before trying to run" comment on another ballot >> thread, but I'm thinking that >> >> 3.11. model >> >> This string matches the entire MUD URL, thus covering the model that >> is unique within the context of the authority. It may contain not >> only model information, but versioning information as well, and any >> other information that the manufacturer wishes to add. The intended >> use is for devices of this precise class to match, to permit or deny >> communication between one another. >> >> might usefully result in a BCP about naming models, after the community has >> some experience with MUD. So, that's not intended to affect the current draft >> text, only the working group that produced it ;-) >> >> And, double ;-) ;-) but I wrote that before I saw this text in Section 14: >> >> A caution about some of the classes: admission of a Thing into the >> "manufacturer" and "same-manufacturer" class may have impact on >> access of other Things. Put another way, the admission may grow the >> access-list on switches connected to other Things, depending on how >> access is managed. Some care should be given on managing that >> access-list growth. Alternative methods such as additional network >> segmentation can be used to keep that growth within reason. >> >> So, when people know enough to describe best practices, I hope they do. >> > > Thanks, Spencer. We're just getting going. > > > And I'm darned glad to see that happening. > > Thanks for the quick responses. > > Spencer > > > Now to Ben: > >> §1.6, 2nd paragraph: Why is the SHOULD not a MUST? > > Because at this stage there is only one encoding and no source of > confusion as to what is returned, and the people implementing this > stuff are getting their feet wet. If they're using a service that > simply doesn't include the right Accept: header, and the right > thing can still happen, let's let that happen. > >> §1.8, 4th paragraph: "The web server is typically run by or on behalf of the >> manufacturer. >> Its domain name is that of the authority found in the MUD URL. " >> >> These URLS are likely to be hardcoded, correct? This seems to point to >> operational considerations, especially around Thing lifecycle and ownership. > > Indeed. It's captured in Security Considerations, but we can > place a forward pointer there. > >> Editorial/Nits: >> >> Abstract: I'm not sure the use of the term "Things" will be obvious to a reader >> of the abstract in isolation from the rest of the document. (Abstracts should >> be able to stand alone.) > > EKR beat you to it. Change proposed. >> §1.1 : first paragraph: The idea that a Thing might have highly restricted >> communication patterns seems core to the document. It would be helpful to >> mention that earlier in §1. > > I think EKR beat you to this one as well ;-). Change proposed. > >> §1.3, definition of "Manufacturer": The definition says that "Manufacturer" may >> not necessarily be the entity that constructed the Thing. But that's the plain >> English meaning of the word "manufacturer". If you don't want it to mean that, >> please consider choosing a different term. ( for example, "authority") > > This one's harder to change, and authority has its own ambiguities. > >> §1.4: "... we assume that a device has so few >> capabilities that it will implement the least necessary capabilities >> to function properly." >> >> That's a bit circular. Perhaps one of the two instances of "capabilities" >> should have been "requirements"? > > How about: >> In seeking a general >> solution, however, we assume that a device will implement >> functionality necessary to fulfill its limited purpose. > > >> §1.8 4th paragraph: The 2nd (and last) sentence is a comma splice, and >> otherwise difficult to parse. > > That is a mouthful. Propose: >> The web server is typically run by or on behalf of the >> manufacturer. >> Its domain name is that of the authority found in the MUD >> URL. For >> legacy cases where Things cannot emit a URL, if the switch is >> able to >> determine the appropriate URL, it may proxy it. In the >> trivial case >> it may hardcode MUD-URL on a switch port or a map from some >> available identifier such as an L2 address or certificate hash >> to a >> MUD-URL. > > >> §1.9, list item 7: are we talking about transient disconnect or permanent >> removal? > > Could be either. The only difference between the two is that at > some point someone has to CRUD the thing out of a database somewhere. >> §2: "A MUD file consists of a YANG model ..." >> A model instance, right? That is, not the model itself? > > Indeed. >> §3.8, 2nd sentence: Consider reformulating this as a construction of MUST. > > I think that's fair, and propose to change it to the following: > >> Note that MUD extensions MUST NOT be used in a MUD file without >> the extensions being declared. Implementations MUST ignore any node >> in this file that they do not understand. > >> §4: The idea of a "default" in bullet 2 seems in tension with the idea of >> "Anything not explicitly permitted is forbidden" in bullet 1. > > Maybe so, but the intent here is that a great many devices are > going to be making use of DNS and NTP, and that not listing them > in a MUD file is more likely to lead to mistakes, rather than > accidentally listing them. > >> §14: Please define the concept of "east-west infection". >> > > Propose "lateral infection" with a parenthetical definition. > > On to Alexey: >> 16.4. MIME Media-type Registration for MUD files >> >> The following media-type is defined for transfer of MUD file: >> >> o Type name: application >> o Subtype name: mud+json >> o Required parameters: n/a >> o Optional parameters: n/a >> o Encoding considerations: 8bit; application/mud+json values >> are represented as a JSON object; UTF-8 encoding SHOULD be >> employed. >> >> I am tempted to say "MUST be UTF-8 encoded". > > In this day and age I think that sounds correct. I personally > have no objections. > >> o Security considerations: See Security Considerations >> of this document. >> o Interoperability considerations: n/a >> o Published specification: this document >> >> Nit: IANA Media Type registration templates need to have fully qualified >> references. Use "[RFCXXXX]" instead of "this document" here, so that when the >> RFC is published, the registration template can be posted to IANA website and >> will have correct reference. > Ok >> o Applications that use this media type: MUD controllers as >> specified by this document. >> >> As above. > Ok >> o Fragment identifier considerations: n/a >> o Additional information: >> >> Magic number(s): n/a >> File extension(s): n/a >> Macintosh file type code(s): n/a >> >> o Person & email address to contact for further information: >> Eliot Lear <lear@cisco.com> <mailto:lear@cisco.com>, Ralph Droms <rdroms@cisco.com> <mailto:rdroms@cisco.com> >> >> I think Ralph's address is wrong in 2 places. > > Corrected. >> o Intended usage: COMMON >> o Restrictions on usage: none >> o Author: >> Eliot Lear <lear@cisco.com> <mailto:lear@cisco.com> >> Ralph Droms <rdroms@cisco.com> <mailto:rdroms@cisco.com> >> o Change controller: IESG >> o Provisional registration? (standards tree only): No. >> >> UTF-8 needs to be a Normative reference (RFC 3629). >> > Ok. > > Thanks, all. > > Eliot > >
- [OPSAWG] Spencer Dawkins' Yes on draft-ietf-opsaw… Spencer Dawkins
- [OPSAWG] (Also Ben Campbell's and Alexey's) Re: S… Eliot Lear
- Re: [OPSAWG] (Also Ben Campbell's and Alexey's) R… Spencer Dawkins at IETF
- Re: [OPSAWG] (Also Ben Campbell's and Alexey's) R… Eliot Lear