draft-ietf-opsawg-mud-10.txt vs. draft-ietf-opsawg-mud-11.txt (rfcdiff side-by-side output, flattened to one column; where the two drafts differ, the -11 text is shown and the -10 reading is noted in brackets)

Network Working Group                                        E. Lear
Internet-Draft                                          Cisco Systems
Intended status: Standards Track                             R. Droms
Expires: March 19, 2018 (-10) / March 24, 2018 (-11)
                                                         D. Romascanu
                      September 15, 2017 (-10) / September 20, 2017 (-11)

            Manufacturer Usage Description Specification
            draft-ietf-opsawg-mud-10 / draft-ietf-opsawg-mud-11
Abstract

   This memo specifies a component-based architecture for manufacturer
   usage descriptions (MUD).  The goal of MUD is to provide a means for
   Things to signal to the network what sort of access and network
   functionality they require to properly function.  The initial focus
   is on access control.  Later work can delve into other aspects.

   This memo specifies two YANG modules, IPv4 and IPv6 DHCP options, an

skipping to change at page 1, line 40

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 19, 2018 (-10) / March 24,
   2018 (-11).

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
skipping to change at page 2, line 23

   (Table of Contents; page numbers as in -11.  Section 2.1 is new in
   -11.)

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
     1.1.  What MUD doesn't do . . . . . . . . . . . . . . . . . . .   4
     1.2.  A Simple Example  . . . . . . . . . . . . . . . . . . . .   5
     1.3.  Determining Intended Use  . . . . . . . . . . . . . . . .   5
     1.4.  Finding A Policy: The MUD URL . . . . . . . . . . . . . .   5
     1.5.  Types of Policies . . . . . . . . . . . . . . . . . . . .   6
     1.6.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   8
     1.7.  The Manufacturer Usage Description Architecture . . . . .   8
     1.8.  Order of operations . . . . . . . . . . . . . . . . . . .  10
   2.  The MUD Model and Semantic Meaning  . . . . . . . . . . . . .  10
     2.1.  The IETF-MUD YANG Module  . . . . . . . . . . . . . . . .  11
   3.  Data Node Definitions . . . . . . . . . . . . . . . . . . . .  12
     3.1.  to-device-policy and from-device-policy containers  . . .  13
     3.2.  last-update . . . . . . . . . . . . . . . . . . . . . . .  13
     3.3.  cache-validity  . . . . . . . . . . . . . . . . . . . . .  13
     3.4.  masa-server . . . . . . . . . . . . . . . . . . . . . . .  13
     3.5.  is-supported  . . . . . . . . . . . . . . . . . . . . . .  13
     3.6.  systeminfo  . . . . . . . . . . . . . . . . . . . . . . .  14
     3.7.  extensions  . . . . . . . . . . . . . . . . . . . . . . .  14
     3.8.  manufacturer  . . . . . . . . . . . . . . . . . . . . . .  14
     3.9.  same-manufacturer . . . . . . . . . . . . . . . . . . . .  14
     3.10. model . . . . . . . . . . . . . . . . . . . . . . . . . .  14
     3.11. local-networks  . . . . . . . . . . . . . . . . . . . . .  15
     3.12. controller  . . . . . . . . . . . . . . . . . . . . . . .  15
     3.13. my-controller . . . . . . . . . . . . . . . . . . . . . .  15
     3.14. direction-initiated . . . . . . . . . . . . . . . . . . .  15
   4.  Processing of the MUD file  . . . . . . . . . . . . . . . . .  16
   5.  What does a MUD URL look like?  . . . . . . . . . . . . . . .  16
   6.  The MUD YANG Model  . . . . . . . . . . . . . . . . . . . . .  17
   7.  The Domain Name Extension to the ACL Model  . . . . . . . . .  22
     7.1.  source-dnsname  . . . . . . . . . . . . . . . . . . . . .  23
     7.2.  destination-dnsname . . . . . . . . . . . . . . . . . . .  23
     7.3.  The ietf-acldns Model . . . . . . . . . . . . . . . . . .  23
   8.  MUD File Example  . . . . . . . . . . . . . . . . . . . . . .  25
   9.  The MUD URL DHCP Option . . . . . . . . . . . . . . . . . . .  27
     9.1.  Client Behavior . . . . . . . . . . . . . . . . . . . . .  28
     9.2.  Server Behavior . . . . . . . . . . . . . . . . . . . . .  28

skipping to change at page 3, line 24 (-10) / page 3, line 25 (-11)

     16.4.  Well Known URI Suffix  . . . . . . . . . . . . . . . . .  37
     16.5.  MIME Media-type Registration for MUD files . . . . . . .  37
     16.6.  LLDP IANA TLV Subtype Registry . . . . . . . . . . . . .  38
     16.7.  The MUD Well Known Universal Resource Name (URNs)  . . .  39
     16.8.  Extensions Registry  . . . . . . . . . . . . . . . . . .  39
   17.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . .  39
   18.  References . . . . . . . . . . . . . . . . . . . . . . . . .  40
     18.1.  Normative References . . . . . . . . . . . . . . . . . .  40
     18.2.  Informative References . . . . . . . . . . . . . . . . .  42
   Appendix A.  Changes from Earlier Versions  . . . . . . . . . . .  43
   Appendix B.  Default MUD nodes  . . . . . . . . . . . . . . . . .  46
   Appendix C.  A Sample Extension: DETNET-indicator . . . . . . . .  50
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .  54
1.  Introduction

   The Internet has largely been constructed on general purpose
   computers; those devices that may be used for a purpose that is
   specified by those who buy the device.  [RFC1984] presumed that an
   end device would be most capable of protecting itself.  This made
   sense when the typical device was a workstation or a mainframe, and
   it continues to make sense for general purpose computing devices
   today, including laptops, smart phones, and tablets.

skipping to change at page 4, line 26 (-10) / page 4, line 27 (-11)

      increasing number of types of devices in the network.

   o  Provide a means to address at least some vulnerabilities in a way
      that is faster than it might take to update systems.  This will be
      particularly true for systems that are no longer supported by
      their manufacturer.

   o  Keep the cost of implementation of such a system to the bare
      minimum.

   MUD consists of three architectural building blocks:

   o  A classifier that a device emits that can be used to locate a
      description;

   o  The description itself, including how it is interpreted, and;

   o  A means for local network management systems to retrieve the
      description.

   [In -10 these three items were run together on one line with "*"
   markers; -11 renders them as a list.]

   In this specification we describe each of these building blocks and
   how they are intended to be used together.  However, they may also be
   used separately, independent of this specification, by local
   deployments for their own purposes.

1.1.  What MUD doesn't do

   MUD is not intended to address network authorization of general
   purpose computers, as their manufacturers cannot envision a specific
skipping to change at page 11, line 14

   o  ietf-access-control-list [I-D.ietf-netmod-acl-model]

   o  ietf-mud (this document)

   o  ietf-acldns (this document)

   Extensions may be used to add additional schema.  This is described
   further on.

   To provide the widest possible deployability, publishers of MUD files
   SHOULD make use of the abstractions in this memo and avoid the use of
   IP addresses.  The addressing of one side of an access list is
   implicit, based on whether it is applied as to-device-policy or from-
   device-policy.

   With the exceptions of "acl-name", "acl-type", "rule-name", and TCP
   and UDP source and destination port information, publishers of MUD
   files SHOULD limit the use of ACL model leaf nodes expressed to those
   found in this specification.  Absent any extensions, MUD files are
   assumed to implement only the following ACL model features:

   o  any-acl, mud-acl, icmp-acl, ipv4-acl, ipv6-acl, tcp-acl, and
      udp-acl

   [Differences from -10: the paragraph on using the memo's abstractions
   instead of IP addresses is new in -11, and the feature list in -10
   was icmp-acl, ipv4-acl, ipv6-acl, tcp-acl, and udp-acl only; the -11
   list as printed repeats "any-acl" and "ipv6-acl", collapsed here.]

   MUD controllers MAY ignore any particular component of a description
   or MAY ignore the description in its entirety, and SHOULD carefully
   inspect all MUD descriptions.  Publishers of MUD files MUST NOT
   include other nodes except as described in Section 3.7.  See that
   section for more information.
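   The constraints above (abstractions instead of IP addresses, a bounded
   set of ACL model features and leaf nodes, MUD controllers inspecting
   every description) can be checked mechanically before a MUD file is
   acted upon.  The following Python is an added example and is not code
   from the draft or from any MUD implementation.  Its allowed-node set
   is an assumption assembled from node names used in this document
   rather than derived from the YANG modules, and the sample MUD file,
   the "destination-ipv6-network" leaf used as the offending node, and
   the dangling policy reference are constructed for the example.

```python
"""Checks on the ACL content of a MUD file (added example, not from the
draft).  Reports match containers outside the allowed feature set, nodes this
memo does not name (an IP-prefix leaf, for instance), and policy/ACL
references that do not line up."""
import copy
import json

# ACL model features a MUD file may use absent extensions (Section 2).
ALLOWED_MATCH_CONTAINERS = {
    "any-acl", "ietf-mud:mud-acl", "icmp-acl", "ipv4-acl", "ipv6-acl",
    "tcp-acl", "udp-acl",
}

# Nodes permitted inside those containers.  Assumption: assembled from the
# node names this document uses, not derived from the YANG modules.
ALLOWED_NODES = {
    "protocol", "source-port-range", "destination-port-range",
    "lower-port", "upper-port",
    "ietf-acldns:src-dnsname", "ietf-acldns:dst-dnsname",
    "manufacturer", "same-manufacturer", "model", "local-networks",
    "controller", "my-controller", "ietf-mud:direction-initiated",
}


def _walk_nodes(node, path, findings):
    """Record every node name under a match container that is not allowed."""
    for key, value in node.items():
        here = path + "/" + key
        if key not in ALLOWED_NODES:
            findings.append("disallowed node " + here)
        if isinstance(value, dict):
            _walk_nodes(value, here, findings)


def check_mud_file(mud):
    """Return a list of findings; an empty list means the file passed."""
    findings = []
    defined = set()
    acls = mud.get("ietf-access-control-list:access-lists", {}).get("acl", [])
    for acl in acls:
        name = acl.get("acl-name", "<unnamed>")
        defined.add(name)
        # The draft's examples use both container names for the ACE list.
        entries = acl.get("aces") or acl.get("access-list-entries") or {}
        for ace in entries.get("ace", []):
            rule = name + "/" + ace.get("rule-name", "<unnamed>")
            for container, body in ace.get("matches", {}).items():
                if container not in ALLOWED_MATCH_CONTAINERS:
                    findings.append(rule + ": disallowed match container " + container)
                elif isinstance(body, dict):
                    _walk_nodes(body, rule + "/" + container, findings)
    # Every ACL a policy names must exist, and every ACL should be used.
    referenced = set()
    for policy in ("to-device-policy", "from-device-policy"):
        lists = mud.get("ietf-mud:mud", {}).get(policy, {}).get("access-lists", {})
        referenced.update(ref["acl-name"] for ref in lists.get("access-list", []))
    findings.extend("policy references undefined ACL " + n for n in sorted(referenced - defined))
    findings.extend("ACL " + n + " is defined but no policy references it" for n in sorted(defined - referenced))
    return findings


def _acl(name, rule, dns_leaf, port_range):
    """One ipv6-acl with a single TCP/443 ACE, in the shape of Section 8."""
    return {"acl-name": name, "acl-type": "ipv6-acl", "aces": {"ace": [{
        "rule-name": rule,
        "matches": {
            "ipv6-acl": {dns_leaf: "service.bms.example.com", "protocol": 6,
                         port_range: {"lower-port": 443, "upper-port": 443}},
            "tcp-acl": {"ietf-mud:direction-initiated": "from-device"},
        },
        "actions": {"permit": [None]},
    }]}}


# Constructed sample modelled on the Section 8 example.
SAMPLE_MUD = {
    "ietf-mud:mud": {
        "mud-url": "https://bms.example.com/.well-known/mud/v1/lightbulb",
        "from-device-policy": {"access-lists": {"access-list": [
            {"acl-name": "mud-54684-v6fr", "acl-type": "ietf-access-control-list:ipv6-acl"}]}},
        "to-device-policy": {"access-lists": {"access-list": [
            {"acl-name": "mud-54684-v6to", "acl-type": "ietf-access-control-list:ipv6-acl"}]}},
    },
    "ietf-access-control-list:access-lists": {"acl": [
        _acl("mud-54684-v6to", "cl0-todev", "ietf-acldns:src-dnsname", "source-port-range"),
        _acl("mud-54684-v6fr", "cl0-frdev", "ietf-acldns:dst-dnsname", "destination-port-range"),
    ]},
}


def bad_sample():
    """SAMPLE_MUD with two constructed defects: a literal IP-prefix leaf
    (hypothetical leaf name) and a policy naming an ACL that is never defined."""
    mud = copy.deepcopy(SAMPLE_MUD)
    frdev = mud["ietf-access-control-list:access-lists"]["acl"][1]
    frdev["aces"]["ace"][0]["matches"]["ipv6-acl"]["destination-ipv6-network"] = "2001:db8::/32"
    mud["ietf-mud:mud"]["to-device-policy"]["access-lists"]["access-list"][0]["acl-name"] = "mud-54684-v4to"
    return mud


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_MUD), ("bad", bad_sample())):
        print(label, json.dumps(check_mud_file(doc), indent=2))
```

   A real MUD controller would run such a check after fetching and
   verifying the file and would treat any finding as grounds to ignore
   the offending component, or the whole description, as the text above
   permits.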
2.1.  The IETF-MUD YANG Module

   [In -10 this heading was absent and a stray "=======" marker preceded
   the paragraph.]

   This module is structured into three parts:

   o  The first container "mud" holds information that is relevant to
      retrieval and validity of the MUD file itself, as well as policy
      intended to and from the Thing.

   o  The second component augments the matching container of the ACL
      model to add several nodes that are relevant to the MUD URL, or
      otherwise abstracted for use within a local environment.

   o  The third component augments the tcp-acl container of the ACL
skipping to change at page 25, line 14 (-10) / page 25, line 21 (-11)

           uses dns-matches;
         }
       }
   <CODE ENDS>

8.  MUD File Example

   This example contains two access lists that are intended to provide
   outbound access to a cloud service on TCP port 443.
   [Differences from -10: the MUD URL and systeminfo URL ended in
   "lightbulb2000", last-update was 2017-09-07T13:47:52+02:00, there was
   no "is-supported" leaf, the ACL names used the prefix "mud-83312",
   and "protocol" and the port-range containers sat beside the
   "ipv6-acl" container rather than inside it.]

   {
     "ietf-mud:mud": {
       "mud-url": "https://bms.example.com/.well-known/mud/v1/lightbulb",
       "last-update": "2017-09-20T15:49:18+02:00",
       "is-supported": true,
       "systeminfo": "https://bms.example.com/descriptions/lightbulb",
       "cache-validity": 48,
       "from-device-policy": {
         "access-lists": {
           "access-list": [
             {
               "acl-name": "mud-54684-v6fr",
               "acl-type": "ietf-access-control-list:ipv6-acl"
             }
           ]
         }
       },
       "to-device-policy": {
         "access-lists": {
           "access-list": [
             {
               "acl-name": "mud-54684-v6to",
               "acl-type": "ietf-access-control-list:ipv6-acl"
             }
           ]
         }
       }
     },
     "ietf-access-control-list:access-lists": {
       "acl": [
         {
           "acl-name": "mud-54684-v6to",
           "acl-type": "ipv6-acl",
           "access-list-entries": {
             "ace": [
               {
                 "rule-name": "cl0-todev",
                 "matches": {
                   "ipv6-acl": {
                     "ietf-acldns:src-dnsname": "service.bms.example.com",
                     "protocol": 6,
                     "source-port-range": {
                       "lower-port": 443,
                       "upper-port": 443
                     }
                   },
                   "tcp-acl": {
                     "ietf-mud:direction-initiated": "from-device"
                   }
                 },
                 "actions": {
                   "permit": [
                     null
                   ]
                 }
               }
             ]
           }
         },
         {
           "acl-name": "mud-54684-v6fr",
           "acl-type": "ipv6-acl",
           "access-list-entries": {
             "ace": [
               {
                 "rule-name": "cl0-frdev",
                 "matches": {
                   "ipv6-acl": {
                     "ietf-acldns:dst-dnsname": "service.bms.example.com",
                     "protocol": 6,
                     "destination-port-range": {
                       "lower-port": 443,
                       "upper-port": 443
                     }
                   },
                   "tcp-acl": {
                     "ietf-mud:direction-initiated": "from-device"
                   }
                 },
                 "actions": {
                   "permit": [
                     null
                   ]
                 }
               }
             ]
           }
         }
       ]
     }
   }
   In this example, two policies are declared, one from the Thing and
   the other to the Thing.  Each policy names an access list that
   applies to the Thing, and one that applies from it.  Within each
   access list, access is permitted to packets flowing to or from the
   Thing that can be mapped to the domain name "service.bms.example.com".
   For each access list, the enforcement point should expect that the
   Thing initiated the connection.

9.  The MUD URL DHCP Option
skipping to change at page 37, line 15

16.3.  PKIX Extensions

   IANA is kindly requested to make the following assignments for:

   o  The MUDURLExtnModule-2016 ASN.1 module in the "SMI Security for
      PKIX Module Identifier" registry (1.3.6.1.5.5.7.0).

   o  id-pe-mud-url object identifier from the "SMI Security for PKIX
      Certificate Extension" registry (1.3.6.1.5.5.7.1).

   The use of these values is specified in Section 10.

16.4.  Well Known URI Suffix

   The IANA has allocated the URL suffix of "mud" as follows:

   o  URI Suffix: "mud"

   o  Specification documents: this document

   o  Related information: n/a

16.5.  MIME Media-type Registration for MUD files
skipping to change at page 43, line 41
Appendix A.  Changes from Earlier Versions

   RFC Editor to remove this section prior to publication.

   Draft -10 to -11:  [new in -11]

   o  Example corrections

   o  Typo

   o  Fix two lists.

   o  Addition of 'any-acl' and 'mud-acl' in the list of allowed
      features.

   o  Clarification of what should be in a MUD file.

   Draft -09 to -10:

   o  AD input.

   o  Correct dates.

   o  Add compliance sentence as to which ACL module features are
      implemented.

   Draft -08 to -09:

skipping to change at page 45, line 42 (-10) / page 46, line 7 (-11)

      ... rewrite of X.509 text

   o  Include privacy considerations text

   o  Redo the URL limit.  Still 255 bytes, but now stated in the URL
      definition.

   o  Change URI registration to be under urn:ietf:params

   Draft -00 to -01:

   o  Fix cert trust text.

   o  change supportInformation to meta-info

   o  Add an informational element in.

   o  add urn registry and create first entry

   o  add default elements
Appendix B.  Default MUD nodes

   What follows is the portion of a MUD file that permits DNS traffic to
   a controller that is registered with the URN
   "urn:ietf:params:mud:dns" and NTP traffic to a controller that is
   registered with "urn:ietf:params:mud:ntp".  This is considered the
   default behavior and the ACEs are in effect appended to whatever
   other ACEs.  To block DNS or NTP one repeats the matching statement
   but replaces "permit" with "deny".  Because ACEs are processed in the
   order they are received, the defaults would not be reached.  A MUD
   controller might further decide to optimize by simply not including
   the defaults when they are overridden.

   [-10 described this as "a MUD file" rather than "the portion of a
   MUD file".]

   The access-list component of the MUD entry is included below.
   [Differences from -10: the ACL names used the prefix "mud-67390"; the
   "ietf-mud:mud-acl" key lacked its colon; "protocol" sat beside the
   "ietf-mud:mud-acl" container rather than inside an "ipv4-acl" or
   "ipv6-acl" container; and the NTP entries carried no port range.]

   {
     "ietf-access-control-list:access-lists": {
       "acl": [
         {
           "acl-name": "mud-85666-v4to",
           "acl-type": "ipv4-acl",
           "aces": {
             "ace": [
               {
                 "rule-name": "ent0-todev",
                 "matches": {
                   "ietf-mud:mud-acl": {
                     "controller": "urn:ietf:params:mud:dns"
                   },
                   "ipv4-acl": {
                     "protocol": 17,
                     "source-port-range": {
                       "lower-port": 53,
                       "upper-port": 53
                     }
                   }
                 },
                 "actions": {
                   "permit": [
                     null
                   ]
                 }
               },
               {
                 "rule-name": "ent1-todev",
                 "matches": {
                   "ietf-mud:mud-acl": {
                     "controller": "urn:ietf:params:mud:ntp"
                   },
                   "ipv4-acl": {
                     "protocol": 17,
                     "source-port-range": {
                       "lower-port": 123,
                       "upper-port": 123
                     }
                   }
                 },
                 "actions": {
                   "permit": [
                     null
                   ]
                 }
               }
             ]
           }
         },
         {
           "acl-name": "mud-85666-v4fr",
           "acl-type": "ipv4-acl",
           "aces": {
             "ace": [
               {
                 "rule-name": "ent0-frdev",
                 "matches": {
                   "ietf-mud:mud-acl": {
                     "controller": "urn:ietf:params:mud:dns"
                   },
                   "ipv4-acl": {
                     "protocol": 17,
                     "destination-port-range": {
                       "lower-port": 53,
                       "upper-port": 53
                     }
                   }
                 },
                 "actions": {
                   "permit": [
                     null
                   ]
                 }
               },
               {
                 "rule-name": "ent1-frdev",
                 "matches": {
                   "ietf-mud:mud-acl": {
                     "controller": "urn:ietf:params:mud:ntp"
                   },
                   "ipv4-acl": {
                     "protocol": 17,
                     "destination-port-range": {
                       "lower-port": 123,
                       "upper-port": 123
                     }
                   }
                 },
                 "actions": {
                   "permit": [
                     null
                   ]
                 }
               }
             ]
           }
         },
         {
           "acl-name": "mud-85666-v6to",
           "acl-type": "ipv6-acl",
           "access-list-entries": {
             "ace": [
               {
                 "rule-name": "ent0-todev",
                 "matches": {
                   "ietf-mud:mud-acl": {
                     "controller": "urn:ietf:params:mud:dns"
                   },
                   "ipv6-acl": {
                     "protocol": 17,
                     "source-port-range": {
                       "lower-port": 53,
                       "upper-port": 53
                     }
                   }
                 },
                 "actions": {
                   "permit": [
                     null
                   ]
                 }
               },
               {
                 "rule-name": "ent1-todev",
                 "matches": {
                   "ietf-mud:mud-acl": {
                     "controller": "urn:ietf:params:mud:ntp"
                   },
                   "ipv6-acl": {
                     "protocol": 17,
                     "source-port-range": {
                       "lower-port": 123,
                       "upper-port": 123
                     }
                   }
                 },
                 "actions": {
                   "permit": [
                     null
                   ]
                 }
               }
             ]
           }
         },
         {
           "acl-name": "mud-85666-v6fr",
           "acl-type": "ipv6-acl",
           "access-list-entries": {
             "ace": [
               {
                 "rule-name": "ent0-frdev",
                 "matches": {
                   "ietf-mud:mud-acl": {
                     "controller": "urn:ietf:params:mud:dns"
                   },
                   "ipv6-acl": {
                     "protocol": 17,
                     "destination-port-range": {
                       "lower-port": 53,
                       "upper-port": 53
                     }
                   }
                 },
                 "actions": {
                   "permit": [
                     null
                   ]
                 }
               },
               {
                 "rule-name": "ent1-frdev",
                 "matches": {
                   "ietf-mud:mud-acl": {
                     "controller": "urn:ietf:params:mud:ntp"
                   },
                   "ipv6-acl": {
                     "protocol": 17,
                     "destination-port-range": {
                       "lower-port": 123,
                       "upper-port": 123
                     }
                   }
                 },
                 "actions": {
                   "permit": [
                     null
                   ]
                 }
               }
             ]
           }
         }
       ]
     }
   }
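   The ordering rule stated above (defaults appended last, first match
   wins, so a repeated match with "deny" shadows the default) and the
   optimisation of leaving out shadowed defaults can be exercised
   directly.  The Python below is an added example, not code from the
   draft or from any MUD controller.  It assumes that a flow matching no
   ACE is denied, evaluates only the from-device direction, and the
   controller address mapping and the flows are constructed.

```python
"""First-match evaluation of MUD ACEs with the Appendix B defaults appended
(added example, not from the draft).  Shows why a manufacturer's "deny" that
precedes the defaults takes effect, and the optimisation of leaving out
defaults that an earlier ACE already decides."""

DNS_URN = "urn:ietf:params:mud:dns"
NTP_URN = "urn:ietf:params:mud:ntp"

# Constructed: how the local MUD controller resolved the two URNs.
CONTROLLERS = {DNS_URN: {"192.0.2.53"}, NTP_URN: {"192.0.2.123"}}


def make_ace(rule, urn, port, action="permit", family="ipv4-acl"):
    """A from-device ACE in the Appendix B shape: UDP to one port on a
    controller identified by URN."""
    return {
        "rule-name": rule,
        "matches": {
            "ietf-mud:mud-acl": {"controller": urn},
            family: {"protocol": 17,
                     "destination-port-range": {"lower-port": port, "upper-port": port}},
        },
        "actions": {action: [None]},
    }


# The default from-device ACEs of Appendix B (ent0-frdev, ent1-frdev).
DEFAULT_FRDEV_ACES = [make_ace("ent0-frdev", DNS_URN, 53),
                      make_ace("ent1-frdev", NTP_URN, 123)]

# A manufacturer override: the same match as the NTP default, but deny.
BLOCK_NTP = [make_ace("no-ntp", NTP_URN, 123, action="deny")]


def _l3(matches):
    """The address-family container of an ACE, whichever family it uses."""
    return matches.get("ipv4-acl") or matches.get("ipv6-acl") or {}


def ace_matches(ace, flow, controllers):
    """flow is (destination IP, IP protocol number, destination port)."""
    dst_ip, protocol, dst_port = flow
    matches = ace["matches"]
    urn = matches.get("ietf-mud:mud-acl", {}).get("controller")
    if urn is not None and dst_ip not in controllers.get(urn, set()):
        return False
    l3 = _l3(matches)
    if "protocol" in l3 and l3["protocol"] != protocol:
        return False
    rng = l3.get("destination-port-range")
    if rng and not (rng["lower-port"] <= dst_port <= rng["upper-port"]):
        return False
    return True


def evaluate(aces, flow, controllers=CONTROLLERS):
    """Action of the first ACE that matches; no match means deny (assumption)."""
    for ace in aces:
        if ace_matches(ace, flow, controllers):
            return next(iter(ace["actions"]))
    return "deny"


def with_defaults(manufacturer_aces, defaults=DEFAULT_FRDEV_ACES):
    """Defaults are appended after whatever the manufacturer supplied."""
    return list(manufacturer_aces) + list(defaults)


def _match_key(ace):
    matches = ace["matches"]
    rng = _l3(matches).get("destination-port-range", {})
    return (matches.get("ietf-mud:mud-acl", {}).get("controller"),
            _l3(matches).get("protocol"), rng.get("lower-port"), rng.get("upper-port"))


def prune_shadowed_defaults(manufacturer_aces, defaults=DEFAULT_FRDEV_ACES):
    """Leave out a default whose match an earlier ACE repeats: with first-match
    processing it could never be reached, whatever its action."""
    seen = {_match_key(a) for a in manufacturer_aces}
    kept = [d for d in defaults if _match_key(d) not in seen]
    return list(manufacturer_aces) + kept


# Constructed flows: DNS and NTP to the resolved controllers, and an
# unrelated TCP/443 flow that no ACE covers.
DNS_FLOW = ("192.0.2.53", 17, 53)
NTP_FLOW = ("192.0.2.123", 17, 123)
WEB_FLOW = ("198.51.100.7", 6, 443)

if __name__ == "__main__":
    for label, aces in (("defaults only", with_defaults([])),
                        ("manufacturer blocks NTP", with_defaults(BLOCK_NTP)),
                        ("pruned", prune_shadowed_defaults(BLOCK_NTP))):
        print(label, [a["rule-name"] for a in aces],
              {n: evaluate(aces, f) for n, f in (("dns", DNS_FLOW), ("ntp", NTP_FLOW), ("web", WEB_FLOW))})
```

   The pruning step only drops a default whose match fields are repeated
   exactly; a manufacturer ACE that is broader or narrower than the
   default does not shadow it and both are kept, so the first-match
   result is unchanged either way.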
skipping to change at page 51, line 4 (-10) / page 51, line 47 (-11)

             device.";
           leaf is-detnet-required {
             type boolean;
             description
               "This value will equal true if a device requires
                detnet to properly function";
           }
         }
       }
   <CODE ENDS>

   Using the previous example, we now show how the extension would be
   expressed:
   [Differences from -10: the MUD URL and systeminfo URL ended in
   "lightbulb2", last-update was 2017-08-30T15:48:42+02:00, there was no
   "is-supported" leaf, the ACL names used the prefix "mud-16595",
   to-device-policy referenced "mud-16595-v4to" although the ACL was
   defined as "mud-16595-v6to", the cl0-todev match container was
   "ipv4-acl" inside an ipv6-acl, "protocol" and the port ranges sat
   beside the address-family container rather than inside it, and both
   "direction-initiated" values were "to-device".]

   {
     "ietf-mud:mud": {
       "mud-url": "https://bms.example.com/.well-known/mud/v1/lightbulb",
       "last-update": "2017-09-20T15:49:18+02:00",
       "is-supported": true,
       "systeminfo": "https://bms.example.com/descriptions/lightbulb",
       "cache-validity": 48,
       "extensions": [
         "ietf-mud-detext-example"
       ],
       "ietf-mud-detext-example:is-detnet-required": false,
       "from-device-policy": {
         "access-lists": {
           "access-list": [
             {
               "acl-name": "mud-54684-v6fr",
               "acl-type": "ietf-access-control-list:ipv6-acl"
             }
           ]
         }
       },
       "to-device-policy": {
         "access-lists": {
           "access-list": [
             {
               "acl-name": "mud-54684-v6to",
               "acl-type": "ietf-access-control-list:ipv6-acl"
             }
           ]
         }
       }
     },
     "ietf-access-control-list:access-lists": {
       "acl": [
         {
           "acl-name": "mud-54684-v6to",
           "acl-type": "ipv6-acl",
           "access-list-entries": {
             "ace": [
               {
                 "rule-name": "cl0-todev",
                 "matches": {
                   "ipv6-acl": {
                     "ietf-acldns:src-dnsname": "service.bms.example.com",
                     "protocol": 6,
                     "source-port-range": {
                       "lower-port": 443,
                       "upper-port": 443
                     }
                   },
                   "tcp-acl": {
                     "ietf-mud:direction-initiated": "from-device"
                   }
                 },
                 "actions": {
                   "permit": [
                     null
                   ]
                 }
               }
             ]
           }
         },
         {
           "acl-name": "mud-54684-v6fr",
           "acl-type": "ipv6-acl",
           "access-list-entries": {
             "ace": [
               {
                 "rule-name": "cl0-frdev",
                 "matches": {
                   "ipv6-acl": {
                     "ietf-acldns:dst-dnsname": "service.bms.example.com",
                     "protocol": 6,
                     "destination-port-range": {
                       "lower-port": 443,
                       "upper-port": 443
                     }
                   },
                   "tcp-acl": {
                     "ietf-mud:direction-initiated": "from-device"
                   }
                 },
                 "actions": {
                   "permit": [
                     null
                   ]
                 }
               }
             ]
           }
         }
       ]
     }
   }
End of changes.  54 change blocks.  184 lines changed or deleted, 247 lines changed or added.  This html diff was produced by rfcdiff 1.45.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/