[T2TRG] Fwd: [OPSAWG] Here's MUD in your eye!
Carsten Bormann <cabo@tzi.org> Fri, 05 February 2016 07:45 UTC
Return-Path: <cabo@tzi.org>
X-Original-To: t2trg@ietfa.amsl.com
Delivered-To: t2trg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3D1EB1A00B4 for <t2trg@ietfa.amsl.com>; Thu, 4 Feb 2016 23:45:58 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ePeSYVyJgJFq for <t2trg@ietfa.amsl.com>; Thu, 4 Feb 2016 23:45:56 -0800 (PST)
Received: from relay4-d.mail.gandi.net (relay4-d.mail.gandi.net [217.70.183.196]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EFCC31A00B2 for <t2trg@irtf.org>; Thu, 4 Feb 2016 23:45:55 -0800 (PST)
Received: from mfilter10-d.gandi.net (mfilter10-d.gandi.net [217.70.178.139]) by relay4-d.mail.gandi.net (Postfix) with ESMTP id 59D781720C5; Fri, 5 Feb 2016 08:45:54 +0100 (CET)
X-Virus-Scanned: Debian amavisd-new at mfilter10-d.gandi.net
Received: from relay4-d.mail.gandi.net ([IPv6:::ffff:217.70.183.196]) by mfilter10-d.gandi.net (mfilter10-d.gandi.net [::ffff:10.0.15.180]) (amavisd-new, port 10024) with ESMTP id E7or6gyHVQ8Y; Fri, 5 Feb 2016 08:45:52 +0100 (CET)
X-Originating-IP: 93.199.254.229
Received: from nar.local (p5DC7FEE5.dip0.t-ipconnect.de [93.199.254.229]) (Authenticated sender: cabo@cabo.im) by relay4-d.mail.gandi.net (Postfix) with ESMTPSA id A261E1720A1; Fri, 5 Feb 2016 08:45:52 +0100 (CET)
Message-ID: <56B4532E.3060903@tzi.org>
Date: Fri, 05 Feb 2016 08:45:50 +0100
From: Carsten Bormann <cabo@tzi.org>
User-Agent: Postbox 4.0.8 (Macintosh/20151105)
MIME-Version: 1.0
To: "t2trg@irtf.org" <t2trg@irtf.org>
References: <56B44E3A.9020501@cisco.com>
In-Reply-To: <56B44E3A.9020501@cisco.com>
X-Enigmail-Version: 1.2.3
Content-Type: multipart/mixed; boundary="------------000808050203000009080001"
Archived-At: <http://mailarchive.ietf.org/arch/msg/t2trg/_RR6Wwb5uIQscsR5D7jaEvG7ekE>
Subject: [T2TRG] Fwd: [OPSAWG] Here's MUD in your eye!
X-BeenThere: t2trg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "IRTF Thing-to-Thing \(T2T\) Research-Group-in-creation" <t2trg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/t2trg>, <mailto:t2trg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/t2trg/>
List-Post: <mailto:t2trg@irtf.org>
List-Help: <mailto:t2trg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/t2trg>, <mailto:t2trg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Feb 2016 07:45:58 -0000
Interesting use case for a "thing description". Grüße, Carsten -------- Original Message -------- Subject: [OPSAWG] Here's MUD in your eye! Date: Fri, 5 Feb 2016 08:24:42 +0100 From: Eliot Lear <lear@cisco.com> To: opsawg@ietf.org Hi everyone, For the last few months I've been working on a little effort which I call MUD. It stands for Manufacturer Usage Descriptions, and it focuses on the security of Things. There are already quite a lot things and more on the way (Cisco estimates 50 billion by 2020, and others say more). And there will be many developers/manufacturers of these things. It will be impossible for anyone to really keep track of all of these Things on their own. Developers/manufacturers will be in a good position to tell network administrators what sort of network access these Things require, and as importantly, what sort of network access these things are not intended to have. Consider this simple example : a networked rheostat is unlikely to want to browse CNN. That same rheostat may have a bug. It's also possible for the network to limit who can attack it, so long as the rheostat manufacturer has a means to tell the network what access is needed and what is not. So... what's necessary for all of this to work? 1. A standard way to indicate where a description is stored; 2. A way for the thing to tell the network what it is in such a way that the network can retrieve a description; 3. A schema for the description itself; and optionally 4. Some abstractions that can permit/deny access to certain classes of devices. As an entrée, I've specified a URI as a means to indicate where the desription is (1), IEEE 802.1AR certificates with 802.1X as well as DHCP for getting it from the device (2), and YANG-based XML for (3) and (4). In IETFeze that translates to the following drafts: * draft-lear-mud-framework (a few more lines of text describing the above) * draft-lear-ietf-netmod-mud (the YANG model and the URI specification) * draft-lear-ietf-pkix-mud-extension (a non-critical constraint for the MUD URI); and * draft-lear-ietf-dhc-mud-option (a way to communicate the URI via DHCP) I think you'll find one or two open issues with these drafts (to say the very least), but hopefully you might like the concept. I'm seeking feedback, discussion, collaborators, and perhaps some co-authors on this work. At the very least, I'm sure some people can contribute a humorous pun or two. And please! No mud slinging! ;-) Eliot
- [T2TRG] Fwd: [OPSAWG] Here's MUD in your eye! Carsten Bormann