draft-ietf-opsawg-mud-09.txt   draft-ietf-opsawg-mud-10.txt 
Network Working Group E. Lear Network Working Group E. Lear
Internet-Draft Cisco Systems Internet-Draft Cisco Systems
Intended status: Standards Track R. Droms Intended status: Standards Track R. Droms
Expires: March 15, 2018 Expires: March 19, 2018
D. Romascanu D. Romascanu
September 11, 2017 September 15, 2017
Manufacturer Usage Description Specification Manufacturer Usage Description Specification
draft-ietf-opsawg-mud-09 draft-ietf-opsawg-mud-10
Abstract Abstract
This memo specifies a component-based architecture for manufacturer This memo specifies a component-based architecture for manufacturer
usage descriptions (MUD). The goal of MUD is to provide a means for usage descriptions (MUD). The goal of MUD is to provide a means for
Things to signal to the network what sort of access and network Things to signal to the network what sort of access and network
functionality they require to properly function. The initial focus functionality they require to properly function. The initial focus
is on access control. Later work can delve into other aspects. is on access control. Later work can delve into other aspects.
This memo specifies two YANG modules, IPv4 and IPv6 DHCP options, an This memo specifies two YANG modules, IPv4 and IPv6 DHCP options, an
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 15, 2018. This Internet-Draft will expire on March 19, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 26 skipping to change at page 3, line 26
16.6. LLDP IANA TLV Subtype Registry . . . . . . . . . . . . . 38 16.6. LLDP IANA TLV Subtype Registry . . . . . . . . . . . . . 38
16.7. The MUD Well Known Universal Resource Name (URNs) . . . 39 16.7. The MUD Well Known Universal Resource Name (URNs) . . . 39
16.8. Extensions Registry . . . . . . . . . . . . . . . . . . 39 16.8. Extensions Registry . . . . . . . . . . . . . . . . . . 39
17. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 39 17. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 39
18. References . . . . . . . . . . . . . . . . . . . . . . . . . 40 18. References . . . . . . . . . . . . . . . . . . . . . . . . . 40
18.1. Normative References . . . . . . . . . . . . . . . . . . 40 18.1. Normative References . . . . . . . . . . . . . . . . . . 40
18.2. Informative References . . . . . . . . . . . . . . . . . 42 18.2. Informative References . . . . . . . . . . . . . . . . . 42
Appendix A. Changes from Earlier Versions . . . . . . . . . . . 43 Appendix A. Changes from Earlier Versions . . . . . . . . . . . 43
Appendix B. Default MUD nodes . . . . . . . . . . . . . . . . . 45 Appendix B. Default MUD nodes . . . . . . . . . . . . . . . . . 45
Appendix C. A Sample Extension: DETNET-indicator . . . . . . . . 49 Appendix C. A Sample Extension: DETNET-indicator . . . . . . . . 49
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 52 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 53
1. Introduction 1. Introduction
The Internet has largely been constructed on general purpose The Internet has largely been constructed on general purpose
computers; those devices that may be used for a purpose that is computers; those devices that may be used for a purpose that is
specified by those who buy the device. [RFC1984] presumed that an specified by those who buy the device. [RFC1984] presumed that an
end device would be most capable of protecting itself. This made end device would be most capable of protecting itself. This made
sense when the typical device was a workstation or a mainframe, and sense when the typical device was a workstation or a mainframe, and
it continues to make sense for general purpose computing devices it continues to make sense for general purpose computing devices
today, including laptops, smart phones, and tablets. today, including laptops, smart phones, and tablets.
skipping to change at page 11, line 18 skipping to change at page 11, line 18
o ietf-acldns (this document) o ietf-acldns (this document)
Extensions may be used to add additional schema. This is described Extensions may be used to add additional schema. This is described
further on. further on.
To provide the widest possible deployability, with the exceptions of To provide the widest possible deployability, with the exceptions of
"acl-name", "acl-type", "rule-name", and TCP and UDP source and "acl-name", "acl-type", "rule-name", and TCP and UDP source and
destination port information, publishers of MUD files SHOULD limit destination port information, publishers of MUD files SHOULD limit
the use of ACL model leaf nodes expressed to those found in this the use of ACL model leaf nodes expressed to those found in this
specification.

   draft-ietf-opsawg-mud-09 continues:

   MUD controllers MAY ignore any particular component
   of a description or MAY ignore the description in its entirety, and
   SHOULD carefully inspect all MUD descriptions. Publishers of MUD
   files MUST NOT include other nodes except as described in
   Section 3.7. See that section for more information.

   draft-ietf-opsawg-mud-10 continues:

   Absent any extensions, MUD files are assumed to
   implement only the following ACL model features:

   o icmp-acl, ipv6-acl, tcp-acl, udp-acl, and ipv4-acl

   MUD controllers MAY ignore any particular component of a description
   or MAY ignore the description in its entirety, and SHOULD carefully
   inspect all MUD descriptions. Publishers of MUD files MUST NOT
   include other nodes except as described in Section 3.7. See that
   section for more information.
======= This module is structured into three parts: ======= This module is structured into three parts:
o The first container "mud" holds information that is relevant to o The first container "mud" holds information that is relevant to
retrieval and validity of the MUD file itself, as well as policy retrieval and validity of the MUD file itself, as well as policy
intended to and from the Thing. intended to and from the Thing.
o The second component augments the matching container of the ACL o The second component augments the matching container of the ACL
model to add several nodes that are relevant to the MUD URL, or model to add several nodes that are relevant to the MUD URL, or
otherwise abstracted for use within a local environment. otherwise abstracted for use within a local environment.
skipping to change at page 17, line 7 skipping to change at page 17, line 7
URL occurs as specified in [RFC2818] and [RFC3986]. URL occurs as specified in [RFC2818] and [RFC3986].
"extras" is intended for use by the MUD controller to provide "extras" is intended for use by the MUD controller to provide
additional information such as posture about the Thing to the MUD additional information such as posture about the Thing to the MUD
file server. This field MUST NOT be configured on the Thing itself file server. This field MUST NOT be configured on the Thing itself
by a manufacturer - that is what "modelinfo" is for. It is left as by a manufacturer - that is what "modelinfo" is for. It is left as
future work to define the full semantics of this field. future work to define the full semantics of this field.
6. The MUD YANG Model 6. The MUD YANG Model
<CODE BEGINS>file "ietf-mud@2017-09-07.yang" <CODE BEGINS>file "ietf-mud@2017-09-15.yang"
module ietf-mud { module ietf-mud {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-mud"; namespace "urn:ietf:params:xml:ns:yang:ietf-mud";
prefix ietf-mud; prefix ietf-mud;
import ietf-access-control-list { import ietf-access-control-list {
prefix acl; prefix acl;
} }
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
skipping to change at page 18, line 8 skipping to change at page 18, line 8
identified as the document authors. All rights reserved. identified as the document authors. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's Legal License set forth in Section 4.c of the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2017-09-05 { revision 2017-09-15 {
description description
"Initial proposed standard."; "Initial proposed standard.";
reference reference
"RFC XXXX: Manufacturer Usage Description "RFC XXXX: Manufacturer Usage Description
Specification"; Specification";
} }
typedef direction { typedef direction {
type enumeration { type enumeration {
enum "to-device" { enum "to-device" {
skipping to change at page 23, line 39 skipping to change at page 23, line 39
by Things to properly operate. by Things to properly operate.
7.2. destination-dnsname 7.2. destination-dnsname
The argument corresponds to a domain name of a destination as The argument corresponds to a domain name of a destination as
specified by inet:host. See the previous section relating to specified by inet:host. See the previous section relating to
resolution. resolution.
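The two passages above, the restriction on ACL leaf nodes together with the controller's option to ignore a component or the whole description (Section 3 of the draft), and the resolution of src-dnsname / dst-dnsname by the MUD controller rather than by the Thing (Sections 7.1 and 7.2), are illustrated by the following added Python example. It is not part of the draft and not the code of any MUD implementation. It applies an allowlist of match leaves to a constructed MUD file, drops and reports every rule that uses other leaves or references an ACL that does not exist, and then expands the surviving DNS-name rules into concrete addresses from a constructed resolver table, choosing the remote side from the direction of the policy that references the ACL. Only the leaf names acl-name, acl-type, rule-name, src-dnsname and dst-dnsname come from the draft; the JSON layout, the container names ietf-mud:mud, from-device-policy and to-device-policy, the protocol and port-range leaf names, the DNS table and every value in the sample file are assumptions made for this example.

```python
"""Toy MUD-controller checks: an added example, not code from the draft.

Assumptions (nothing here is from the page except the leaf names acl-name,
acl-type, rule-name, src-dnsname and dst-dnsname): the JSON layout of the
MUD file, the container names "ietf-mud:mud", "from-device-policy" and
"to-device-policy", the "protocol" leaf, the port-range leaf names, and
the resolver answers in DNS_TABLE.
"""
import json

# Match leaves a publisher may use without an extension: the draft's named
# exceptions (TCP/UDP source and destination ports) plus the ietf-acldns
# leaves. "protocol" is an assumption so the example can pick TCP or UDP.
ALLOWED_MATCH_LEAVES = {
    "ietf-acldns:src-dnsname", "ietf-acldns:dst-dnsname",
    "protocol", "source-port-range", "destination-port-range",
}

# Constructed resolver answers; a real controller resolves names itself.
DNS_TABLE = {
    "cloud.example.com": ["203.0.113.10", "203.0.113.11"],
    "ntp.example.net": ["198.51.100.5"],
}

# Constructed MUD file (assumed layout). The "anywhere" rule uses a leaf
# outside the allowlist, and "to-nowhere" names an ACL that does not exist.
SAMPLE_MUD = json.loads("""
{"ietf-mud:mud": {
   "mud-url": "https://example.com/mud/thermostat.json",
   "from-device-policy": {"access-lists": {"access-list": [{"acl-name": "from-thermo"}]}},
   "to-device-policy": {"access-lists": {"access-list": [{"acl-name": "to-thermo"},
                                                         {"acl-name": "to-nowhere"}]}}},
 "ietf-access-control-list:access-lists": {"acl": [
   {"acl-name": "from-thermo", "acl-type": "ipv4-acl", "aces": {"ace": [
     {"rule-name": "cloud-https",
      "matches": {"ipv4": {"protocol": 6, "ietf-acldns:dst-dnsname": "cloud.example.com"},
                  "tcp": {"destination-port-range": {"lower-port": 443, "upper-port": 443}}},
      "actions": {"forwarding": "accept"}},
     {"rule-name": "anywhere",
      "matches": {"ipv4": {"destination-ipv4-network": "0.0.0.0/0"}},
      "actions": {"forwarding": "accept"}}]}},
   {"acl-name": "to-thermo", "acl-type": "ipv4-acl", "aces": {"ace": [
     {"rule-name": "ntp-reply",
      "matches": {"ipv4": {"protocol": 17, "ietf-acldns:src-dnsname": "ntp.example.net"},
                  "udp": {"source-port-range": {"lower-port": 123, "upper-port": 123}}},
      "actions": {"forwarding": "accept"}}]}}]}}
""")


def inspect_mud(doc):
    """Return (usable, problems) after the inspection the draft asks for.

    usable: (direction, acl-name, rule-name, matches) for rules whose matches
    use only ALLOWED_MATCH_LEAVES; direction comes from the policy that
    references the ACL. problems: why each dropped item was dropped. Dropping
    a rule is the draft's "ignore any particular component" option; a caller
    wanting "ignore the description in its entirety" rejects the file when
    problems is non-empty.
    """
    acls = {a["acl-name"]: a for a in doc["ietf-access-control-list:access-lists"]["acl"]}
    usable, problems = [], []
    for policy, direction in (("from-device-policy", "from-device"),
                              ("to-device-policy", "to-device")):
        refs = doc["ietf-mud:mud"].get(policy, {}).get("access-lists", {}).get("access-list", [])
        for ref in refs:
            acl = acls.get(ref["acl-name"])
            if acl is None:
                problems.append(f"{policy} references missing ACL {ref['acl-name']!r}")
                continue
            for ace in acl["aces"]["ace"]:
                leaves = {leaf for container in ace["matches"].values() for leaf in container}
                bad = sorted(leaves - ALLOWED_MATCH_LEAVES)
                if bad:
                    problems.append(f"{acl['acl-name']}/{ace['rule-name']}: unsupported leaves {bad}")
                    continue
                usable.append((direction, acl["acl-name"], ace["rule-name"], ace["matches"]))
    return usable, problems


def expand(usable, dns_table):
    """Resolve DNS-name rules into (direction, protocol, remote_addr, remote_port).

    The controller, not the Thing, resolves names. For from-device rules the
    remote side is the destination; for to-device rules it is the source. A
    name with no answer yields no rule, never a wildcard (fail closed).
    """
    rules = []
    for direction, _acl, _rule, matches in usable:
        l3 = matches.get("ipv4") or matches.get("ipv6") or {}
        proto = l3.get("protocol")
        l4 = {6: matches.get("tcp"), 17: matches.get("udp")}.get(proto) or {}
        if direction == "from-device":
            host, prange = l3.get("ietf-acldns:dst-dnsname"), l4.get("destination-port-range", {})
        else:
            host, prange = l3.get("ietf-acldns:src-dnsname"), l4.get("source-port-range", {})
        for addr in dns_table.get(host, []):
            rules.append((direction, proto, addr, prange.get("lower-port")))
    return rules


if __name__ == "__main__":
    ok, dropped = inspect_mud(SAMPLE_MUD)
    for reason in dropped:
        print("dropped:", reason)
    for rule in expand(ok, DNS_TABLE):
        print("install:", rule)
```

Run as a script, the sample yields two dropped items (the rule with destination-ipv4-network and the dangling to-nowhere reference) and three installable tuples, two for the cloud host and one for the NTP source. The split between inspect_mud and expand mirrors the draft's division of labour: the controller validates the description before it resolves anything, and the Thing never supplies addresses of its own.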
7.3. The ietf-acldns Model 7.3. The ietf-acldns Model
<CODE BEGINS>file "ietf-acldns@2016-09-07.yang" <CODE BEGINS>file "ietf-acldns@2017-09-15.yang"
module ietf-acldns { module ietf-acldns {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-acldns"; namespace "urn:ietf:params:xml:ns:yang:ietf-acldns";
prefix "ietf-acldns"; prefix "ietf-acldns";
import ietf-access-control-list { import ietf-access-control-list {
prefix "acl"; prefix "acl";
} }
import ietf-inet-types { import ietf-inet-types {
skipping to change at page 24, line 23 skipping to change at page 24, line 23
rdroms@gmail.com rdroms@gmail.com
Author: Dan Romascanu Author: Dan Romascanu
dromasca@gmail.com dromasca@gmail.com
"; ";
description description
"This YANG module defines a component that augments the "This YANG module defines a component that augments the
IETF description of an access list to allow dns names IETF description of an access list to allow dns names
as matching criteria."; as matching criteria.";
revision "2016-07-20" { revision "2017-09-15" {
description "Base version of dnsname extension of ACL model"; description "Base version of dnsname extension of ACL model";
reference "RFC XXXX: Manufacturer Usage Description reference "RFC XXXX: Manufacturer Usage Description
Specification"; Specification";
} }
grouping dns-matches { grouping dns-matches {
description "Domain names for matching."; description "Domain names for matching.";
leaf src-dnsname { leaf src-dnsname {
type inet:host; type inet:host;
skipping to change at page 40, line 18 skipping to change at page 40, line 18
[I-D.ietf-anima-bootstrapping-keyinfra] [I-D.ietf-anima-bootstrapping-keyinfra]
Pritikin, M., Richardson, M., Behringer, M., Bjarnason, Pritikin, M., Richardson, M., Behringer, M., Bjarnason,
S., and K. Watsen, "Bootstrapping Remote Secure Key S., and K. Watsen, "Bootstrapping Remote Secure Key
Infrastructures (BRSKI)", draft-ietf-anima-bootstrapping- Infrastructures (BRSKI)", draft-ietf-anima-bootstrapping-
keyinfra-07 (work in progress), July 2017. keyinfra-07 (work in progress), July 2017.
[I-D.ietf-netmod-acl-model] [I-D.ietf-netmod-acl-model]
Jethanandani, M., Huang, L., Agarwal, S., and D. Blair, Jethanandani, M., Huang, L., Agarwal, S., and D. Blair,
"Network Access Control List (ACL) YANG Data Model", "Network Access Control List (ACL) YANG Data Model",
draft-ietf-netmod-acl-model-12 (work in progress), draft-ietf-netmod-acl-model-13 (work in progress),
September 2017. September 2017.
[IEEE8021AB] [IEEE8021AB]
Institute for Electrical and Electronics Engineers, "IEEE Institute for Electrical and Electronics Engineers, "IEEE
Standard for Local and Metropolitan Area Networks-- Standard for Local and Metropolitan Area Networks--
Station and Media Access Control Connectivity Discovery", Station and Media Access Control Connectivity Discovery",
n.d.. n.d..
[RFC1123] Braden, R., Ed., "Requirements for Internet Hosts - [RFC1123] Braden, R., Ed., "Requirements for Internet Hosts -
Application and Support", STD 3, RFC 1123, Application and Support", STD 3, RFC 1123,
skipping to change at page 43, line 41 skipping to change at page 43, line 41
[RFC7488] Boucadair, M., Penno, R., Wing, D., Patil, P., and T. [RFC7488] Boucadair, M., Penno, R., Wing, D., Patil, P., and T.
Reddy, "Port Control Protocol (PCP) Server Selection", Reddy, "Port Control Protocol (PCP) Server Selection",
RFC 7488, DOI 10.17487/RFC7488, March 2015, RFC 7488, DOI 10.17487/RFC7488, March 2015,
<https://www.rfc-editor.org/info/rfc7488>. <https://www.rfc-editor.org/info/rfc7488>.
Appendix A. Changes from Earlier Versions Appendix A. Changes from Earlier Versions
RFC Editor to remove this section prior to publication. RFC Editor to remove this section prior to publication.
   draft-ietf-opsawg-mud-09 reads:

   Draft -08 to -09: * Resolution of Security Area review, IoT
   directorate review, GenART review, YANG doctors review. * change of
   YANG structure to address mandatory nodes. * Terminology cleanup. *
   specify out extra portion of MUD-URL. * consistency changes. *
   improved YANG descriptions. * Remove extra revisions. * Track ACL
   model changes. * Additional cautions on use of ACL model; further
   clarifications on extensions.

   draft-ietf-opsawg-mud-10 reads:

   Draft -09 to -10:

   o AD input.

   o Correct dates.

   o Add compliance sentence as to which ACL module features are
     implemented.

   Draft -08 to -09:

   o Resolution of Security Area review, IoT directorate review, GenART
     review, YANG doctors review.

   o change of YANG structure to address mandatory nodes.

   o Terminology cleanup.

   o specify out extra portion of MUD-URL.

   o consistency changes.

   o improved YANG descriptions.

   o Remove extra revisions.

   o Track ACL model changes.

   o Additional cautions on use of ACL model; further clarifications on
     extensions.
Draft -07 to -08: Draft -07 to -08:
o a number of editorials corrected. o a number of editorials corrected.
o definition of MUD file tweaked. o definition of MUD file tweaked.
Draft -06 to -07: Draft -06 to -07:
o Examples updated. o Examples updated.
End of changes. 12 change blocks. 22 lines changed or deleted, 50 lines changed or added.

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/