Re: [OPSAWG] I-D Action: draft-richardson-opsawg-mud-iot-dns-considerations-03.txt

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 23 September 2020 18:27 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 562CC3A1365; Wed, 23 Sep 2020 11:27:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9no4t7CWrcpz; Wed, 23 Sep 2020 11:27:46 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2D96E3A1363; Wed, 23 Sep 2020 11:27:45 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 1C52E389BD; Wed, 23 Sep 2020 14:06:20 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id JyCgsccQm_x5; Wed, 23 Sep 2020 14:06:19 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id C679838993; Wed, 23 Sep 2020 14:06:18 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id B3E32373; Wed, 23 Sep 2020 14:27:41 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Panwei \(William\)" <william.panwei@huawei.com>, opsawg <opsawg@ietf.org>, "mud\@ietf.org" <mud@ietf.org>
In-Reply-To: <f61a62eba99f4e17a96d222e384f4c8a@huawei.com>
References: <160082461405.2339.249127609152770744@ietfa.amsl.com> <f61a62eba99f4e17a96d222e384f4c8a@huawei.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature"
Date: Wed, 23 Sep 2020 14:27:41 -0400
Message-ID: <16821.1600885661@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/P3MAp5wOSdZh4b4xlR_3qgTAfy0>
Subject: Re: [OPSAWG] I-D Action: draft-richardson-opsawg-mud-iot-dns-considerations-03.txt
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 23 Sep 2020 18:27:48 -0000

Panwei (William) <william.panwei@huawei.com> wrote:
    > This is an very useful and essential draft, I think. The DNS resolving
    > issue may be an important obstacle for deploying MUD solution
    > successfully.

Thank you.

    mcr> The simplest successful strategy for translating names is for a MUD
    mcr> controller to take is to do a DNS lookup on the name (a forward
    mcr> lookup), and then use the resulting IP addresses to populate the
    mcr> physical ACLs.

    > This strategy is simple, but I doubt it can't be called 'successful' as
    > it won't work all the time. You already listed some failure scenarios.

Okay, so maybe my words are not perfect.  Please suggest some better ones here.

The naive method of using the reverse map never works :-)
(Some people read RFC1034/35 and think that DNS inverse queries are still a thing)

This method is the simplest that can be made to work.
The rest of the document is really about making this method work.

    > Beyond the considerations in the draft, another method I imagine is to
    > deploy a DNS proxy (but I don't know whether it's practical).

I am not sure what you call a DNS proxy.
A recursive DNS server accessed by Do53 effectively proxies and caches all requests.

    > In the residential scenario, the CPE device is usually the MUD
    > controller and the policy enforcement point, and it can also act as a
    > DNS proxy.

    > When the IoT device sends a DNS query it will send to the
    > CPE. And CPE can first filter the unexpected DNS query by comparing the
    > DNS names with the ones defined in the MUD file, then CPE will query
    > the actual DNS server.

Yes, the CPE could look at the DNS queries the device is using, and then
cache them.   Or, when it loads the MUD file, it could do a DNS lookup on all
the names, and cache them.  Then, when the device asks, it is already cached,
and one can be sure that a known IP/name combination is returned.
If it does this DNS lookup on a regular basis (updating the MUD ACLs
implemented in the forwarding plane), then the cache stays warm, and the
rules are accurate.

This is how our implementation worked.

    > When the CPE gets the answers from the actual
    > DNS server, it can respond to the IoT devices with the answers and
    > generate the corresponding ACLs as it knows the IP addresses now.

If you can generate the ACL on demand fast enough, it can work.
Many IoT devices, if DNS seems slow, will switch to 8.8.8.8.
Google Chromecast for instance, always sends to both local and 8.8.8.8 from
what I've read, and uses which ever is faster.

    > In the enterprise scenario, the MUD controller, the policy enforcement
    > point, and the DNS proxy may be three different devices. The MUD
    > controller gets the MUD file of the IoT device and dispatch the file to
    > the DNS proxy. When the IoT device sends the DNS query to the DNS
    > proxy, the DNS proxy can filter the DNS query as well and then get the
    > answers by querying the real DNS server. After that, the DNS proxy will
    > tell the IP addresses of the DNS names to the MUD controller, and the
    > MUD controller can generate the ACLs and configure the policy
    > enforcement point.

Sure, that's essentially correct.
The DNS proxy is just the local recursive resolver.
What counts is that the MUD controller and the IoT device use the same
recursive resolver, and see the same cache.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide