Re: [OPSAWG] [Mud] Declaring something to be a controller in MUD
"M. Ranganathan" <mranga@gmail.com> Mon, 01 July 2019 18:51 UTC
From: "M. Ranganathan" <mranga@gmail.com>
Date: Mon, 01 Jul 2019 14:51:06 -0400
To: Eliot Lear <lear@cisco.com>
Cc: Qin Wu <bill.wu@huawei.com>, "opsawg@ietf.org" <opsawg@ietf.org>, "mud@ietf.org" <mud@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/oCA5uD65A6wsDBeWLJCM1IQfdbg>
On Mon, Jul 1, 2019 at 6:26 AM Eliot Lear <lear@cisco.com> wrote:

> Qin and others:
>
> Just to get the ball rolling, I've posted today
> draft-lear-opsawg-mud-controller-candidates-00.
>
> I think this should help the discussion.
>
> Eliot

Hello Eliot,

In a similar vein to the question Qin is asking, I have a question (we could
discuss during the upcoming IETF side meeting if you don't have time to
respond now).

What is the essential difference between a device declaring itself to be a
"controller" for another class and the situation where the device (being
controlled) just uses the "model" abstraction in an ACE?

If a device with MUD URL https://toothbrush.nist.local/super1 is a controller
for device coffeemaker.nist.local, then simply declare an ACE in the
coffeemaker MUD file, with a Model abstraction naming toothbrush.nist.local:

    {
      "name": "man0-todev",
      "matches": {
        "ietf-mud:mud": {
          "model": "https://toothbrush.nist.local/super1"
        },
        "ipv4": {
          "protocol": 17
        },
        "udp": {
          "source-port": {
            "operator": "eq",
            "port": 8008
          }
        }
      }
    }

(similarly in the "frdev")

What is the difference (in behavior) between this and the new mechanism
proposed in the draft?

Thanks,

Ranga

>
> On 1 Jul 2019, at 10:23, Qin Wu <bill.wu@huawei.com> wrote:
>
> *From:* Eliot Lear [mailto:lear@cisco.com]
> *Sent:* 1 July 2019 15:52
> *To:* Qin Wu <bill.wu@huawei.com>
> *Cc:* opsawg@ietf.org; mud@ietf.org
> *Subject:* Re: [OPSAWG] Declaring something to be a controller in MUD
>
> On 1 Jul 2019, at 09:20, Qin Wu <bill.wu@huawei.com> wrote:
>
> *From:* OPSAWG [mailto:opsawg-bounces@ietf.org] *On Behalf Of* Eliot Lear
> *Sent:* 24 June 2019 17:48
> *To:* opsawg@ietf.org; mud@ietf.org
> *Subject:* [OPSAWG] Declaring something to be a controller in MUD
>
> Hi everyone,
>
> A few of us are just trying to put out an initial draft that addresses one
> gap in MUD (there are several).
> In a MUD file one can say that one wants to access a controller in two
> ways: either "my-controller", meaning a controller that services devices of
> a particular MUD URL, or a "controller" class that services devices based
> on a particular class name of controller.
>
> In either case, right now the administrator has to manually know and
> populate information, to say - some device 1.2.3.4 is a controller, either
> for MUD URL https://example.com/mud or a class
> http://example.com/mudclass1. That can be laborious. To assist, we are
> examining ways to have a controller declare itself as a candidate
> controller.
>
> [Qin]: Since MUD in RFC8520 has already specified a DNS extension and a
> DHCP extension, why not configure the MUD manager with the controller's
> declaration? So the RESTful interface can be defined between NMS and
> controller, if my understanding is correct.
> I believe this is a network-initiated solution; you might have a
> client-initiated solution, but probably more complicated than the
> network-initiated solution.
>
> Can you say a few more words? I'm not sure I'm quite following you.
>
> [Qin]: What I am suggesting is that the NMS preconfigures the MUD manager
> with the controller's declaration information; during the DHCP process or
> DNS process, the controller's declaration can be returned to the router or
> switch between the thing and the MUD manager, or returned to the thing, so
> the router or the thing can access the controller through the controller
> declaration.
>
> If the MUD manager also needs to be advertised to the thing, DHCP Discovery
> or the DNS process can be leveraged. In this case, the NMS needs to
> preconfigure the DHCP server with MUD manager information.
>
> Eliot
>
> That at least provides a hint to the administrator that this particular
> device is capable of serving in a particular role.
>
> To make that declaration, the device must-
>
> - Form the declaration;
> - Find the MUD manager; and
> - Send it.
>
> Forming the declaration is easy: we can make this a YANG grouping and then
> place it in various spots.
>
> Finding the MUD manager depends on one question:
>
> - Was the device built to be a controller or is it a general purpose
> device that has an app that is intended to be a controller?
>
> If the device was built to be a controller, we can simply cram the
> declaration into that device's own MUD file as an extension. If the device
> is a general purpose computer, things get a bit more interesting. In this
> case we have two choices:
>
> - Either create a MUD file that points somewhere internally - this
> doesn't seem very plug and play.
> - Make the declaration directly to the MUD manager.
>
> I'm going to focus on the latter for the moment. It is easy enough to
> create a RESTful interface for this purpose, but it requires a mechanism to
> discover the MUD manager, which up until now has been an internal part of
> the network infrastructure.
>
> Let me call this out plainly: letting the app itself directly call the MUD
> manager requires that the MUD manager itself become exposed to the user
> infrastructure, which is a change.
>
> One possibility to address this is to incorporate the new RESTful endpoint
> into an ANIMA BRSKI join registrar, which may already be exposed. But that
> requires that ANIMA BRSKI be in play, which it may not.
>
> My thinking is that we do this work in two stages. First handle the easy
> case, which is the MUD file extension, and then figure out how to do the
> app version of this.
>
> Thoughts?
>
> Eliot
>
> --
> Mud mailing list
> Mud@ietf.org
> https://www.ietf.org/mailman/listinfo/mud

--
M. Ranganathan
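The following is an added example illustrating the abstractions compared in the message above; it is not code from this thread, from draft-lear-opsawg-mud-controller-candidates, or from any MUD manager implementation. It sketches how a MUD manager turns the "ietf-mud:mud" match node of an ACE into concrete addresses before an ACL can be installed, following the definitions in RFC 8520 section 3: "model" names a MUD URL and so matches every device the manager has already seen emit that URL, while "controller" and "my-controller" resolve only through bindings an administrator has typed in (which is the gap the draft targets). The device inventory, the administrator bindings, all IP addresses, the coffee maker's MUD URL, and the second and third ACEs are constructed for the example; the first ACE is the one from the message.

```python
"""Resolve RFC 8520 MUD peer abstractions to concrete addresses as a MUD manager would.

Added example for this thread; not code from any MUD manager or from the draft.
All inventory data, bindings and addresses below are constructed.
"""
import json


class Unresolved(Exception):
    """The abstraction needs a binding the MUD manager does not have."""


# Constructed: MUD URLs the manager has already seen devices emit (DHCP option,
# LLDP TLV or 802.1AR certificate per RFC 8520), mapped to those devices' addresses.
OBSERVED = {
    "https://toothbrush.nist.local/super1": ["10.0.0.21", "10.0.0.22"],
    "https://coffeemaker.nist.local/model1": ["10.0.0.30"],
}

# Constructed: bindings an administrator entered by hand. The "controller" class
# and "my-controller" abstractions resolve from here and nowhere else.
ADMIN_CLASSES = {"http://example.com/mudclass1": ["10.0.0.5"]}
ADMIN_MY_CONTROLLER = {}  # nothing configured for the coffee maker yet


def resolve_peer(mud_match, this_mud_url, observed=OBSERVED,
                 classes=ADMIN_CLASSES, my_controller=ADMIN_MY_CONTROLLER):
    """Return (addresses, provenance) for one 'ietf-mud:mud' match node."""
    if "model" in mud_match:
        # Every device with this MUD URL, learned from what the manager has
        # observed on the network; no administrator action is needed.
        return list(observed.get(mud_match["model"], [])), "learned"
    if "controller" in mud_match:
        cls = mud_match["controller"]
        if cls not in classes:
            raise Unresolved(f"no binding for controller class {cls}")
        return list(classes[cls]), "administrator"
    if "my-controller" in mud_match:
        if this_mud_url not in my_controller:
            raise Unresolved(f"no controller bound to {this_mud_url}")
        return list(my_controller[this_mud_url]), "administrator"
    raise ValueError(f"unsupported ietf-mud:mud match: {sorted(mud_match)}")


def ace_to_rules(ace, this_mud_url, device_ip, **tables):
    """Expand one to-device ACE into (proto, src, sport, dst, dport) tuples."""
    matches = ace["matches"]
    proto = matches.get("ipv4", {}).get("protocol")
    l4 = matches.get("udp") or matches.get("tcp") or {}
    sport = l4.get("source-port", {}).get("port", "any")
    dport = l4.get("destination-port", {}).get("port", "any")
    peers, provenance = resolve_peer(matches["ietf-mud:mud"], this_mud_url, **tables)
    # To-device ACE: the peer is the source, the constrained Thing the destination.
    return [(proto, p, sport, device_ip, dport) for p in peers], provenance


# The ACE from the message (a "model" match on the toothbrush MUD URL) beside two
# constructed equivalents written against administrator-defined controllers.
MODEL_ACE = json.loads("""{
  "name": "man0-todev",
  "matches": {
    "ietf-mud:mud": {"model": "https://toothbrush.nist.local/super1"},
    "ipv4": {"protocol": 17},
    "udp": {"source-port": {"operator": "eq", "port": 8008}}
  }
}""")
CLASS_ACE = json.loads("""{
  "name": "man1-todev",
  "matches": {
    "ietf-mud:mud": {"controller": "http://example.com/mudclass1"},
    "ipv4": {"protocol": 17},
    "udp": {"source-port": {"operator": "eq", "port": 8008}}
  }
}""")
MY_CTRL_ACE = {"name": "man2-todev", "matches": {
    "ietf-mud:mud": {"my-controller": [None]}, "ipv4": {"protocol": 17}}}

COFFEEMAKER_URL = "https://coffeemaker.nist.local/model1"  # constructed
COFFEEMAKER_IP = "10.0.0.30"                               # constructed


def expand(ace):
    """Rules for the coffee maker, or an empty list and the reason resolution failed."""
    try:
        return ace_to_rules(ace, COFFEEMAKER_URL, COFFEEMAKER_IP)
    except Unresolved as exc:
        return [], f"unresolved: {exc}"


if __name__ == "__main__":
    for ace in (MODEL_ACE, CLASS_ACE, MY_CTRL_ACE):
        rules, how = expand(ace)
        print(ace["name"], how, rules)
```

Running it shows the behavioural difference in one screen: the "model" ACE expands to a rule per toothbrush the manager has seen, the "controller" class ACE expands only because an administrator bound the class to 10.0.0.5, and the "my-controller" ACE cannot be installed at all until someone supplies that binding, by hand or via a declaration of the kind the draft proposes.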