Re: [OPSAWG] CoAP and MUD
Michael Richardson <mcr+ietf@sandelman.ca> Thu, 28 November 2019 09:05 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8E4BC120018; Thu, 28 Nov 2019 01:05:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WOL-aljwTHu1; Thu, 28 Nov 2019 01:05:46 -0800 (PST)
Received: from relay.sandelman.ca (relay.cooperix.net [176.58.120.209]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DE2712008C; Thu, 28 Nov 2019 01:05:46 -0800 (PST)
Received: from dooku.sandelman.ca (unknown [185.201.63.254]) by relay.sandelman.ca (Postfix) with ESMTPS id 6DE1B1F47D; Thu, 28 Nov 2019 09:05:44 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id C3876E3B; Thu, 28 Nov 2019 17:05:47 +0800 (+08)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: =?utf-8?Q?Jaime=20Jim=C3=A9nez?= <jaime@iki.fi>, mud@ietf.org, opsawg@ietf.org
In-reply-to: <20191122015716.mvcwq7g4hnwopjue@EMB-918HFH01>
References: <20191122015716.mvcwq7g4hnwopjue@EMB-918HFH01>
Comments: In-reply-to =?utf-8?Q?Jaime=20Jim=C3=A9nez?= <jaime@iki.fi> message dated "Fri, 22 Nov 2019 09:57:16 +0800."
X-Mailer: MH-E 8.6; nmh 1.6; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Thu, 28 Nov 2019 10:05:47 +0100
Message-ID: <21818.1574931947@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/FhMIX88DPApysJMuZj5T6ejtcuw>
Subject: Re: [OPSAWG] CoAP and MUD
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Nov 2019 09:05:48 -0000
Jaime Jiménez <jaime@iki.fi> wrote: > here is the draft in case you wanna have a look, it's just 8 pages. > https://jaime.win/draft-coap-mud/ Thank you for pointing me at it. I'm replying to the opsawg list. > Overall a MUD is emitted as a URL using DHCP, LLDP or through 802.1X, then > a Switch or Router will send the URI to some IoT Controlling Entity. That > Entity will fetch the MUD file from a Server on the Internet over HTTP > [RFC8576]. It might be worth adding that it can be emitted in an IDevID using BRSKI. That uses the same certificate extension as in 802.1X. draft-ietf-anima-constrained-voucher/draft-ietf-6tisch-dtsecurity-zerotouch is more likely to have been used if we are getting to CoAP. There is an open question in the MUD space as to whether the MUD signature URL is absolute or if it can be relative. This affects how the signature file will be found when using a self-hosted MUD file as you have described. The signature should NOT be signed by the Thing itself, as that provides no security against malware. So that also gets in the way of the device providing any kind of dynamic capability by changing it's MUD. The device *could* select from a palate of MUD files which the manufacturer has signed. That would be very interesting. 4.1. Serialization TBD write about SenML/CBOR MUDs. Are you thinking that we could serialize the YANG to CBOR instead of JSON? I'm mostly for that, but I think that in general, since the ACLs will get enforced by a non-constrained device, and we can host the MUD files on a manufacturer resource, that it might be enough that it's JSON+CMS. on the other hand... CMS. Ick. Also using udf:// URLs from mathmesh would mean that the MUD file could be found via any cachable mechanism, with the communication with the manufacturer only if no other way is fine. This also authenticates the file, but not quite in the same way that the signature does. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- Re: [OPSAWG] CoAP and MUD Michael Richardson
- Re: [OPSAWG] CoAP and MUD Jaime Jiménez