[OPSAWG] My comments about : draft-richardson-opsawg-mud-acceptable-urls-01

"Yangjie (Jay, IP Standard)" <jay.yang@huawei.com> Mon, 29 June 2020 12:47 UTC

From: "Yangjie (Jay, IP Standard)" <jay.yang@huawei.com>
To: Michael Richardson <mcr@sandelman.ca>
CC: "opsawg@ietf.org" <opsawg@ietf.org>
Date: Mon, 29 Jun 2020 12:46:51 +0000
Message-ID: <3921d68321f84d2b9d3e01f1448f272b@huawei.com>
Subject: [OPSAWG] My comments about : draft-richardson-opsawg-mud-acceptable-urls-01
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/vtex6wcEUhJbRIn1Z8nlmICojJc>

Hi, Michael,

Introducing a root MUD URL is a good way to do authorized updating, and it is what is initially placed inside devices, which can then fetch the version-0 MUD file.

But perhaps in some scenarios, such as the MUD server being moved for follow-up maintenance, the current acceptable URL will change.
So can we clearly specify the fixed and variable parts of the root URL in the generation rule from the start? I think this solution would be more general.
Here, the fixed part can be what is to the right of the last "/" in the root URL, as your draft describes, or it can be some invariable attributes such as manufacturer and device, which can be converted into parts of a standard URL. This fixed part can be built into the initial certificate and used as the trust basis for the final valid URL.
The variable part can be obtained from device storage, or from some file on the device. I think this MUD URL updating mechanism is more flexible.

By the way, the introduction on ACLs and DNS at the beginning of this draft may not be needed.


Best Regards,
Jay.
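An added example, not from the draft or from Jay's message, showing the two checks discussed above in working code: first, the draft's rule as I read it (a new MUD URL is acceptable when it keeps the root URL's scheme, host and path up to and including the last "/"), and second, Jay's proposal of composing the URL from certificate-anchored fixed attributes plus a variable part read from device storage. The host layout `mud.<manufacturer>.example` and the helper names are hypothetical; the sample URLs are constructed for the example.

```python
"""Added example: is an updated MUD URL still inside the root URL's trust basis?"""
import posixpath
import re
from urllib.parse import urlsplit


def _normalized(url):
    """Split a URL and return (parts, path) with '.', '..' and duplicate
    slashes resolved, so a candidate cannot escape the prefix by path games."""
    parts = urlsplit(url)
    path = parts.path or "/"
    norm = posixpath.normpath(path)
    while norm.startswith("//"):          # normpath keeps a leading '//' on POSIX
        norm = norm[1:]
    if path.endswith("/") and not norm.endswith("/"):
        norm += "/"
    return parts, norm


def root_prefix(root_url):
    """Fixed part of a root MUD URL, as I read the draft (assumption):
    scheme, host, and the path up to and including the last '/'."""
    parts, path = _normalized(root_url)
    return parts.scheme.lower(), parts.netloc.lower(), path[: path.rfind("/") + 1]


def is_acceptable_update(root_url, new_url):
    """True if new_url may replace root_url: same https origin and a path that
    starts with the root's fixed prefix (subdirectories are allowed)."""
    scheme, host, directory = root_prefix(root_url)
    parts, path = _normalized(new_url)
    if scheme != "https" or parts.scheme.lower() != "https":
        return False                      # MUD files are fetched over TLS only
    if parts.netloc.lower() != host:
        return False                      # another host is another trust basis
    return path.startswith(directory)


# Jay's proposal, as I read it: fixed attributes anchored in the device's
# initial certificate, plus a variable part from device storage.
# The host layout 'mud.<manufacturer>.example' is hypothetical.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
_SEGMENT = re.compile(r"^[A-Za-z0-9._~-]+$")


def variable_part_ok(variable):
    """The variable part may only add path segments below the fixed prefix."""
    segments = [s for s in variable.split("/") if s]
    return all(_SEGMENT.match(s) and s not in (".", "..") for s in segments)


def mud_url_from_parts(fixed, variable):
    """Compose the MUD URL from fixed attributes (manufacturer, model) and the
    variable part; refuse inputs that could alter the fixed portion."""
    manufacturer, model = fixed["manufacturer"], fixed["model"]
    if not (_LABEL.match(manufacturer) and _LABEL.match(model)):
        raise ValueError("fixed attributes must be DNS-label safe")
    if not variable_part_ok(variable):
        raise ValueError("variable part may not contain '.', '..' or odd characters")
    segments = [s for s in variable.split("/") if s]
    return f"https://mud.{manufacturer}.example/{model}/" + "/".join(segments)


def matches_fixed_parts(url, fixed):
    """Does a URL found in device storage still sit under the certified fixed parts?"""
    return is_acceptable_update(mud_url_from_parts(fixed, ""), url)


if __name__ == "__main__":
    # Constructed sample inputs.
    root = "https://example.com/mud/cam-200/v0.json"
    for candidate in (
        "https://example.com/mud/cam-200/v1.json",            # same directory
        "https://example.com/mud/cam-200/2021/v2.json",       # subdirectory
        "https://example.com/mud/cam-300/v1.json",            # sibling model
        "https://example.com/mud/cam-200/../cam-300/v1.json", # traversal attempt
        "http://example.com/mud/cam-200/v1.json",             # plaintext
        "https://evil.example/mud/cam-200/v1.json",           # other host
    ):
        print(is_acceptable_update(root, candidate), candidate)

    fixed = {"manufacturer": "acme", "model": "cam-200"}
    print(mud_url_from_parts(fixed, "2020/06/v3.json"))
    print(matches_fixed_parts("https://mud.acme.example/cam-300/v4.json", fixed))
```

Both checks compare only after path normalisation, which is the step that makes the "fixed part as trust basis" idea hold up: without it, a variable part such as `../cam-300/v1.json` read from device storage would silently move the device onto another model's MUD file while still starting with the certified prefix.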