IETF Logo Mail Archive

Re: [OPSAWG] [Mud] Declaring something to be a controller in MUD

"M. Ranganathan" <mranga@gmail.com> Mon, 01 July 2019 18:51 UTC

Return-Path: <mranga@gmail.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B01B812016E; Mon, 1 Jul 2019 11:51:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kQ5OW1y_3JgU; Mon, 1 Jul 2019 11:51:44 -0700 (PDT)
Received: from mail-io1-xd31.google.com (mail-io1-xd31.google.com [IPv6:2607:f8b0:4864:20::d31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F9C612016C; Mon, 1 Jul 2019 11:51:44 -0700 (PDT)
Received: by mail-io1-xd31.google.com with SMTP id s7so31106803iob.11; Mon, 01 Jul 2019 11:51:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=UpKSfeZjex6alpCiDT3fuS1vDZstpiy1I4FwgAKQZs4=; b=mU8tv3Z5nrii6LutaPVspjRCVL106LdDe90EWRBUcQs8xys/j6tyrTzRhp10Vkmyps GVJAtSrAW8SPab8Pz5KYzxwOmRxtJ2EPb8DJAerfiSSxYHlxVt1ECY3m6EeEQ+kflLjS rLd8GGNcpd1DjPlEDzy73zBWeQzpc89++62vpGBPyOb0P1Odn2womIBxJ96Fi/PIAoXf OoHUACZbP6FdGAaRiXD6hsIKCP832YF+PwoWqHZPea3J6VNLR1lXXJJ+NDT2dKZk7mNk zeqhbDEahi79zlq/stvhaWv1AjCXwmOFmEls5zH4+B1SJAC0WjUy/del5ZSCBt9CbOac rE2w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=UpKSfeZjex6alpCiDT3fuS1vDZstpiy1I4FwgAKQZs4=; b=jBDXqPxBLkedGOaCfPRFuSHm4XtOd2GyEJhmxGRShywntqUJLaF7UPe6sVd5gKiX7X 0kZSgcLYBjxcK+yFTAuGOlYJOm71pcjGwH4cvaN4Ji/GNjXlN5l2KBR/ky0A7C77hZSI pnlnVp1ES2iChrkemwn+/O+gP5njBIXWCFLWGOYLgMTQ4u8Upe5KsxE9nC1ZrUAPeBf+ Y/syr7C/nKgP+Igp/WUjYahwGHKiEfOMiqNXemyjCEXRBH9Nf4qVnorP3wZ6bHZ9ajMx G1ZSGDivqLbRIhQqFyNJTqqKq3gY61zUDB5EhpEzse9S3JhX4AEqjTyHIUEib6OKmaho p48A==
X-Gm-Message-State: APjAAAUqm8udKN+x/u1210wnX1NmUm0L4NqbNeadr3NwM66AbKAfCh4D nG6SqTWSDBdowH7EW693m/ztM2G3/RbiHtFhpp0=
X-Google-Smtp-Source: APXvYqzeR+4f7bavjlpAUKDG8THbyVj+wWyLb89WS0butQiF/ct/GiLfXR0dqDS0MnjjfYH4Fwc+D3tPmkCpmuIWMtw=
X-Received: by 2002:a02:3308:: with SMTP id c8mr30073263jae.103.1562007103098; Mon, 01 Jul 2019 11:51:43 -0700 (PDT)
MIME-Version: 1.0
References: <B8F9A780D330094D99AF023C5877DABAA49BC8F3@nkgeml513-mbx.china.huawei.com> <230EB786-36AB-4E79-A6DD-20278E895763@cisco.com>
In-Reply-To: <230EB786-36AB-4E79-A6DD-20278E895763@cisco.com>
From: "M. Ranganathan" <mranga@gmail.com>
Date: Mon, 01 Jul 2019 14:51:06 -0400
Message-ID: <CAHiu4JNMrZMX8upAnwEU1qvGie5WTONSsnWU8LfOfYO2Yh+CFg@mail.gmail.com>
To: Eliot Lear <lear@cisco.com>
Cc: Qin Wu <bill.wu@huawei.com>, "opsawg@ietf.org" <opsawg@ietf.org>, "mud@ietf.org" <mud@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000845370058ca31e5c"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/oCA5uD65A6wsDBeWLJCM1IQfdbg>
Subject: Re: [OPSAWG] [Mud] Declaring something to be a controller in MUD
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Jul 2019 18:51:47 -0000

On Mon, Jul 1, 2019 at 6:26 AM Eliot Lear <lear@cisco.com> wrote:

> Qin and others:
>
> Just to get the ball rolling, I’ve posted today
> draft-lear-opsawg-mud-controller-candidates-00.
>
> I think this should help the discussion.
>
> Eliot
>

Hello Eliot,

In a similar vein to the question Qin is asking, I have a question (we
could discuss during the upcoming IETF side meeting if you don't have time
to respond now).

What is the essential difference between a device declaring itself to be a
"controller" for another class and the situation where the device (being
controlled) just uses the "model" abstraction in an ACE?

If a device with mud URL  https://toothbrush.nist.local/super1 is a
controller for device coffemaker.nist.local, then simply declare an ACE in
the coffeemaker MUD file, with a Model abstraction naming
toothbursh.nist.local :

       {
              "name": "man0-todev",
              "matches": {
                "ietf-mud:mud": {
              "model": "https://toothbrush.nist.local/super1"
                },
                "ipv4": {
                  "protocol": 17
                },
                "udp": {
                  "source-port": {
                    "operator": "eq",
                    "port": 8008
                  }
                }
              }

(similarly in the "frdev")


What is the difference (in behavior) between this and the new mechanism
proposed in the draft?

Thanks, Ranga


>
> On 1 Jul 2019, at 10:23, Qin Wu <bill.wu@huawei.com> wrote:
>
> *发件人:* Eliot Lear [mailto:lear@cisco.com <lear@cisco.com>]
> *发送时间:* 2019年7月1日 15:52
> *收件人:* Qin Wu <bill.wu@huawei.com>
> *抄送:* opsawg@ietf.org; mud@ietf.org
> *主题:* Re: [OPSAWG] Declaring something to be a controller in MUD
>
>
>
>
> On 1 Jul 2019, at 09:20, Qin Wu <bill.wu@huawei.com> wrote:
>
> *发件人:* OPSAWG [mailto:opsawg-bounces@ietf.org <opsawg-bounces@ietf.org>]
> *代表 *Eliot Lear
> *发送时间:* 2019年6月24日 17:48
> *收件人:* opsawg@ietf.org; mud@ietf.org
> *主题:* [OPSAWG] Declaring something to be a controller in MUD
>
> Hi everyone,
>
> A few of us are just trying to put out an initial draft that addresses one
> gap in MUD (there are several).  In a MUD file one can say that one wants
> to access a controller in two ways: either "my-controller” meaning a
> controller that services devices of a particular MUD URL or a “controller”
>  class that services devices based on a particular class name of
> controller.
>
> In either case, right now the administrator has to manually know and
> populate information, to say - some device 1.2.3.4 is a controller, either
> for MUD URL https://example.com/mud or a class
> http://example.com/mudclass1.  That can be laborious.  To assist, we are
> examining ways to have a controller declare itself as a candidate
> controller.
>
> [Qin]: Since MUD in RFC8520 has already specify DNS extension and DHCP
> extension, why not configure MUD manager with controller’s declaration? So
> the RESTFUL interface can be defined between NMS and controller, if my
> understanding is correct.
> I believe this is network initiated solution, you might have client
> initiated solution, but probably more complicated than network initiated
> solution.
>
>
> Can you say a few more words?  I’m not sure I’m quite following you.
> [Qin]: What I am suggesting is NMS preconfigures the MUD manager with
> controller’s declaration information, during DHCP process or DNS process,
> the controller’s declaration can be returned
> To the router or switch between the thing and MUD manager or return to the
> thing, the router or the thing can access controller through controller
> delclartion.
>
> If the MUD manager also needs to be advertised to the thing, DHCP
> Discovery or DNS process can be leveraged. In this case, NMS needs to
> preconfigure DHCP server with MUD manager information.
>
> Eliot
>
>
>  That at least provides a hint to the administrator that this particular
> device is capable of serving in a particular role.
>
> To make that declaration, the device must-
>
>    - Form the declaration;
>    - Find the MUD manager; and
>    - Send it.
>
>
> Forming the declaration is easy: we can make this a YANG grouping and then
> place it in various spots.
>
> Finding the MUD manager depends on one question:
>
>    - Was the device built to be a controller or is it a general purpose
>    device that has an app that is intended to be a controller?
>
>
> If the device was built to be a controller, we can simply cram the
> declaration into that devices own MUD file as an extension.  If the device
> is a general purpose computer, things get a bit more interesting.  In this
> case we have two choices:
>
>
>    - Either create a MUD file that points somewhere internally - this
>    doesn’t seem very plug and play.
>    - Make the declaration directly to the MUD manager.
>
>
> I’m going to focus on the latter for the moment.  It is easy enough to
> create a RESTful interface for this purpose, but it requires a mechanism to
> discovered the MUD manager, which up until now has been an internal part of
> the network infrastructure.
>
> Let me call this out plainly: letting the app itself directly call the MUD
> manager requires that the MUD manager itself become exposed to the user
> infrastructure, which is a change.
>
> One possibility to address this is to incorporate the new RESTful endpoint
> into an ANIMA BRSKI join registrar, which may already be exposed.  But that
> requires that ANIMA BRSKI be in play, which it may not.
>
> My thinking is that we do this work in two stages.  First handle the easy
> case, which is the MUD file extension, and then figure out how to do the
> app version of this.
>
> Thoughts?
>
> Eliot
>
>
>
>
> --
> Mud mailing list
> Mud@ietf.org
> https://www.ietf.org/mailman/listinfo/mud
>


-- 
M. Ranganathan

v2.23.0 | Report a Bug | By Email