draft-ietf-opsawg-mud-17.txt   draft-ietf-opsawg-mud-18.txt 
Network Working Group E. Lear Network Working Group E. Lear
Internet-Draft Cisco Systems Internet-Draft Cisco Systems
Intended status: Standards Track R. Droms Intended status: Standards Track R. Droms
Expires: August 25, 2018 Expires: September 3, 2018
D. Romascanu D. Romascanu
February 21, 2018 March 02, 2018
Manufacturer Usage Description Specification Manufacturer Usage Description Specification
draft-ietf-opsawg-mud-17 draft-ietf-opsawg-mud-18
Abstract Abstract
This memo specifies a component-based architecture for manufacturer This memo specifies a component-based architecture for manufacturer
usage descriptions (MUD). The goal of MUD is to provide a means for usage descriptions (MUD). The goal of MUD is to provide a means for
Things to signal to the network what sort of access and network Things to signal to the network what sort of access and network
functionality they require to properly function. The initial focus functionality they require to properly function. The initial focus
is on access control. Later work can delve into other aspects. is on access control. Later work can delve into other aspects.
This memo specifies two YANG modules, IPv4 and IPv6 DHCP options, an This memo specifies two YANG modules, IPv4 and IPv6 DHCP options, an
skipping to change at page 1, line 40 skipping to change at page 1, line 40
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 25, 2018. This Internet-Draft will expire on September 3, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 14, line 35 skipping to change at page 14, line 35
+--rw access-list* [name] +--rw access-list* [name]
+--rw name -> /acl:access-lists/acl/name +--rw name -> /acl:access-lists/acl/name
augment /acl:access-lists/acl:acl/acl:aces/acl:ace/acl:matches: augment /acl:access-lists/acl:acl/acl:aces/acl:ace/acl:matches:
+--rw mud +--rw mud
+--rw manufacturer? inet:host +--rw manufacturer? inet:host
+--rw same-manufacturer? empty +--rw same-manufacturer? empty
+--rw model? inet:uri +--rw model? inet:uri
+--rw local-networks? empty +--rw local-networks? empty
+--rw controller? inet:uri +--rw controller? inet:uri
+--rw my-controller? empty +--rw my-controller? empty
augment /acl:access-lists/acl:acl/acl:aces/acl:ace/acl: augment /acl:access-lists/acl:acl/acl:aces/acl:ace
matches/acl:l4/acl:tcp: /acl:matches/acl:l4/acl:tcp/acl:tcp:
+--rw direction-initiated? direction +--rw direction-initiated? direction
3. Data Node Definitions 3. Data Node Definitions
Note that in this section, when we use the term "match" we are Note that in this section, when we use the term "match" we are
referring to the ACL model "matches" node. referring to the ACL model "matches" node.
The following nodes are defined. The following nodes are defined.
3.1. mud-version 3.1. mud-version
skipping to change at page 19, line 9 skipping to change at page 19, line 9
file servers MUST ignore query parameters that they do not file servers MUST ignore query parameters that they do not
understand. understand.
Note that if the MUD URL contains a fragment identifier (e.g., Note that if the MUD URL contains a fragment identifier (e.g.,
"#foo"), that information will not be sent to the MUD file server in "#foo"), that information will not be sent to the MUD file server in
the HTTP request. However, it will still be considered a separate the HTTP request. However, it will still be considered a separate
MUD URL by the controller. MUD URL by the controller.
6. The MUD YANG Model 6. The MUD YANG Model
<CODE BEGINS>file "ietf-mud@2018-02-20.yang" <CODE BEGINS>file "ietf-mud@2018-03-01.yang"
module ietf-mud { module ietf-mud {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-mud"; namespace "urn:ietf:params:xml:ns:yang:ietf-mud";
prefix ietf-mud; prefix ietf-mud;
import ietf-access-control-list { import ietf-access-control-list {
prefix acl; prefix acl;
} }
import ietf-yang-types { import ietf-yang-types {
prefix yang; prefix yang;
skipping to change at page 20, line 11 skipping to change at page 20, line 11
identified as the document authors. All rights reserved. identified as the document authors. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD to the license terms contained in, the Simplified BSD
License set forth in Section 4.c of the IETF Trust's Legal License set forth in Section 4.c of the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2018-02-20 { revision 2018-03-01 {
description description
"Initial proposed standard."; "Initial proposed standard.";
reference reference
"RFC XXXX: Manufacturer Usage Description "RFC XXXX: Manufacturer Usage Description
Specification"; Specification";
} }
typedef direction { typedef direction {
type enumeration { type enumeration {
enum "to-device" { enum "to-device" {
skipping to change at page 25, line 7 skipping to change at page 25, line 7
type empty; type empty;
description description
"This node matches one or more network elements that "This node matches one or more network elements that
have been configured to be the controller for this have been configured to be the controller for this
Thing, based on its MUD URL."; Thing, based on its MUD URL.";
} }
} }
} }
augment "/acl:access-lists/acl:acl/acl:aces/" + augment "/acl:access-lists/acl:acl/acl:aces/" +
"acl:ace/acl:matches/acl:l4/acl:tcp" { "acl:ace/acl:matches/acl:l4/acl:tcp/acl:tcp" {
description description
"add direction-initiated"; "add direction-initiated";
leaf direction-initiated { leaf direction-initiated {
type direction; type direction;
description description
"This node matches based on which direction a "This node matches based on which direction a
connection was initiated. The means by which that connection was initiated. The means by which that
is determined is discussed in this document."; is determined is discussed in this document.";
} }
} }
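Review bot: the corrected augment target "acl:ace/acl:matches/acl:l4/acl:tcp/acl:tcp" now names both the choice node (l4) and its case node (tcp) before the second "acl:tcp" container, which is what the tree diagram at the top of this diff also shows; the old target stopped at the choice and would not have resolved against the ACL model's schema tree. The description "add direction-initiated" is terse for a schema node; consider a sentence such as "Augment the TCP match with the direction in which the connection was initiated" so that tooling which surfaces augment descriptions gives the reader something useful.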
skipping to change at page 25, line 34 skipping to change at page 25, line 34
This module specifies an extension to IETF-ACL model such that domain This module specifies an extension to IETF-ACL model such that domain
names may be referenced by augmenting the "matches" node. Different names may be referenced by augmenting the "matches" node. Different
implementations may deploy differing methods to maintain the mapping implementations may deploy differing methods to maintain the mapping
between IP address and domain name, if indeed any are needed. between IP address and domain name, if indeed any are needed.
However, the intent is that resources that are referred to using a However, the intent is that resources that are referred to using a
name should be authorized (or not) within an access list. name should be authorized (or not) within an access list.
The structure of the change is as follows: The structure of the change is as follows:
module: ietf-acldns module: ietf-acldns
augment /acl:access-lists/acl:acl/acl:aces/acl:ace/acl:matches augment /acl:access-lists/acl:acl/acl:aces/acl:ace/
/acl:l3/acl:ipv4: acl:matches/acl:l3/acl:ipv4/acl:ipv4:
+--rw src-dnsname? inet:host +--rw src-dnsname? inet:host
+--rw dst-dnsname? inet:host +--rw dst-dnsname? inet:host
augment /acl:access-lists/acl:acl/acl:aces/acl:ace/acl:matches augment /acl:access-lists/acl:acl/acl:aces/acl:ace/
/acl:l3/acl:ipv6: acl:matches/acl:l3/acl:ipv6/acl:ipv6:
+--rw src-dnsname? inet:host +--rw src-dnsname? inet:host
+--rw dst-dnsname? inet:host +--rw dst-dnsname? inet:host
The choice of these particular points in the access-list model is The choice of these particular points in the access-list model is
based on the assumption that we are in some way referring to IP- based on the assumption that we are in some way referring to IP-
related resources, as that is what the DNS returns. A domain name in related resources, as that is what the DNS returns. A domain name in
our context is defined in [RFC6991]. The augmentations are our context is defined in [RFC6991]. The augmentations are
replicated across IPv4 and IPv6 to allow MUD file authors the ability replicated across IPv4 and IPv6 to allow MUD file authors the ability
to control the IP version that the Thing may utilize. to control the IP version that the Thing may utilize.
skipping to change at page 26, line 25 skipping to change at page 26, line 25
specified by inet:host See the previous section relating to specified by inet:host See the previous section relating to
resolution. resolution.
Note when using either of these with a MUD file, because access is Note when using either of these with a MUD file, because access is
associated with a particular Thing, MUD files MUST not contain either associated with a particular Thing, MUD files MUST not contain either
a src-dnsname in an ACL associated with from-device-policy or a dst- a src-dnsname in an ACL associated with from-device-policy or a dst-
dnsname associated with to-device-policy. dnsname associated with to-device-policy.
7.3. The ietf-acldns Model 7.3. The ietf-acldns Model
<CODE BEGINS>file "ietf-acldns@2018-02-20.yang" <CODE BEGINS>file "ietf-acldns@2018-03-01.yang"
module ietf-acldns { module ietf-acldns {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-acldns"; namespace "urn:ietf:params:xml:ns:yang:ietf-acldns";
prefix "ietf-acldns"; prefix "ietf-acldns";
import ietf-access-control-list { import ietf-access-control-list {
prefix "acl"; prefix "acl";
} }
import ietf-inet-types { import ietf-inet-types {
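Review bot: the unchanged context above this hunk carries two editorial problems worth fixing in this revision. "specified by inet:host See the previous section relating to resolution" is missing the period after "inet:host". More importantly, "MUD files MUST not contain either a src-dnsname ..." uses a lowercase "not" after an RFC 2119 keyword; the normative form is "MUST NOT" in capitals, otherwise the requirement reads as non-normative prose.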
skipping to change at page 27, line 10 skipping to change at page 27, line 10
rdroms@gmail.com rdroms@gmail.com
Author: Dan Romascanu Author: Dan Romascanu
dromasca@gmail.com dromasca@gmail.com
"; ";
description description
"This YANG module defines a component that augments the "This YANG module defines a component that augments the
IETF description of an access list to allow dns names IETF description of an access list to allow dns names
as matching criteria."; as matching criteria.";
revision "2018-02-20" { revision 2018-03-01 {
description "Base version of dnsname extension of ACL model"; description "Base version of dnsname extension of ACL model";
reference "RFC XXXX: Manufacturer Usage Description reference "RFC XXXX: Manufacturer Usage Description
Specification"; Specification";
} }
grouping dns-matches { grouping dns-matches {
description "Domain names for matching."; description "Domain names for matching.";
leaf src-dnsname { leaf src-dnsname {
type inet:host; type inet:host;
description "domain name to be matched against"; description "domain name to be matched against";
} }
leaf dst-dnsname { leaf dst-dnsname {
type inet:host; type inet:host;
description "domain name to be matched against"; description "domain name to be matched against";
} }
} }
augment "/acl:access-lists/acl:acl/acl:aces/acl:ace/" + augment "/acl:access-lists/acl:acl/acl:aces/acl:ace/" +
"acl:matches/acl:l3/acl:ipv4" { "acl:matches/acl:l3/acl:ipv4/acl:ipv4" {
description "Adding domain names to matching"; description "Adding domain names to matching";
uses dns-matches; uses dns-matches;
} }
augment "/acl:access-lists/acl:acl/" + augment "/acl:access-lists/acl:acl/" +
"acl:aces/acl:ace/" + "acl:aces/acl:ace/" +
"acl:matches/acl:l3/acl:ipv6" { "acl:matches/acl:l3/acl:ipv6/acl:ipv6" {
description "Adding domain names to matching"; description "Adding domain names to matching";
uses dns-matches; uses dns-matches;
} }
} }
<CODE ENDS> <CODE ENDS>
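Review bot: dropping the quotes in "revision 2018-03-01" brings this module in line with the ietf-mud module's style, and the two augment targets now end in "acl:ipv4/acl:ipv4" and "acl:ipv6/acl:ipv6" (choice, then case), matching the ietf-acldns tree diagram earlier in the diff. The remaining quoted arguments in this module, "prefix \"ietf-acldns\"" and "prefix \"acl\"", are still written unquoted in ietf-mud; both forms are valid YANG, but one style across the two modules would be tidier.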
8. MUD File Example 8. MUD File Example
This example contains two access lists that are intended to provide This example contains two access lists that are intended to provide
outbound access to a cloud service on TCP port 443. outbound access to a cloud service on TCP port 443.
{ {
"ietf-mud:mud": { "ietf-mud:mud": {
"mud-version": 1, "mud-version": 1,
"mud-url": "https://lighting.example.com/lightbulb2000", "mud-url": "https://lighting.example.com/lightbulb2000",
"last-update": "2018-02-08T14:39:15+01:00", "last-update": "2018-03-02T11:20:51+01:00",
"cache-validity": 48, "cache-validity": 48,
"is-supported": true, "is-supported": true,
"systeminfo": "The BMS Example Lightbulb", "systeminfo": "The BMS Example Lightbulb",
"from-device-policy": { "from-device-policy": {
"access-lists": { "access-lists": {
"access-list": [ "access-list": [
{
"name": "mud-94934-v6fr"
}
]
}
},
"to-device-policy": {
"access-lists": {
"access-list": [
{
"name": "mud-94934-v6to"
}
]
}
}
},
"ietf-access-control-list:access-lists": {
"acl": [
{
"name": "mud-94934-v6to",
"type": "ipv6-acl-type",
"aces": {
"ace": [
{ {
"name": "cl0-todev", "name": "mud-76100-v6fr"
"matches": {
"ipv6": {
"ietf-acldns:src-dnsname": "service.bms.example.com",
"protocol": 6
},
"tcp": {
"ietf-mud:direction-initiated": "from-device",
"source-port-range-or-operator": {
"operator": "eq",
"port": 443
}
}
},
"actions": {
"forwarding": "accept"
}
} }
] ]
} }
}, },
{ "to-device-policy": {
"name": "mud-94934-v6fr", "access-lists": {
"type": "ipv6-acl-type", "access-list": [
"aces": {
"ace": [
{ {
"name": "cl0-frdev", "name": "mud-76100-v6to"
"matches": { }
"ipv6": { ]
"ietf-acldns:dst-dnsname": "service.bms.example.com", }
"protocol": 6 }
},
"ietf-access-control-list:access-lists": {
"acl": [
{
"name": "mud-76100-v6to",
"type": "ipv6-acl-type",
"aces": {
"ace": [
{
"name": "cl0-todev",
"matches": {
"ipv6": {
"ietf-acldns:src-dnsname": "test.com",
"protocol": 6
},
"tcp": {
"ietf-mud:direction-initiated": "from-device",
"source-port": {
"operator": "eq",
"port": 443
}
}
}, },
"tcp": { "actions": {
"ietf-mud:direction-initiated": "from-device", "forwarding": "accept"
"destination-port-range-or-operator": {
"operator": "eq", }
"port": 443 }
]
}
},
{
"name": "mud-76100-v6fr",
"type": "ipv6-acl-type",
"aces": {
"ace": [
{
"name": "cl0-frdev",
"matches": {
"ipv6": {
"ietf-acldns:dst-dnsname": "test.com",
"protocol": 6
},
"tcp": {
"ietf-mud:direction-initiated": "from-device",
"destination-port": {
"operator": "eq",
"port": 443
}
} }
},
"actions": {
"forwarding": "accept"
} }
},
"actions": {
"forwarding": "accept"
} }
} ]
] }
} }
} ]
] }
} }
}
In this example, two policies are declared, one from the Thing and In this example, two policies are declared, one from the Thing and
the other to the Thing. Each policy names an access list that the other to the Thing. Each policy names an access list that
applies to the Thing, and one that applies from. Within each access applies to the Thing, and one that applies from. Within each access
list, access is permitted to packets flowing to or from the Thing list, access is permitted to packets flowing to or from the Thing
that can be mapped to the domain name of "service.bms.example.com". that can be mapped to the domain name of "service.bms.example.com".
For each access list, the enforcement point should expect that the For each access list, the enforcement point should expect that the
Thing initiated the connection. Thing initiated the connection.
9. The MUD URL DHCP Option 9. The MUD URL DHCP Option
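Review bot: the example now matches "test.com" in both ACEs, but the unchanged paragraph that follows the JSON still says access is permitted to packets "that can be mapped to the domain name of \"service.bms.example.com\""; one of the two must change. The earlier name is the better choice, because test.com is a real registered domain while RFC 2606 reserves .example names for documentation. The rename of the ACLs from mud-94934-* to mud-76100-* is applied consistently in all four places, and the port match keys "source-port" and "destination-port" replace "source-port-range-or-operator" and "destination-port-range-or-operator", which is the ACL model change recorded under Draft -18 in Appendix A.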
skipping to change at page 47, line 19 skipping to change at page 47, line 19
[RFC7488] Boucadair, M., Penno, R., Wing, D., Patil, P., and T. [RFC7488] Boucadair, M., Penno, R., Wing, D., Patil, P., and T.
Reddy, "Port Control Protocol (PCP) Server Selection", Reddy, "Port Control Protocol (PCP) Server Selection",
RFC 7488, DOI 10.17487/RFC7488, March 2015, RFC 7488, DOI 10.17487/RFC7488, March 2015,
<https://www.rfc-editor.org/info/rfc7488>. <https://www.rfc-editor.org/info/rfc7488>.
Appendix A. Changes from Earlier Versions Appendix A. Changes from Earlier Versions
RFC Editor to remove this section prior to publication. RFC Editor to remove this section prior to publication.
Draft -16: Draft -18: * Correct an error in the augment statement * Changes to
the ACL model re ports.
Draft -17:
o One editorial. o One editorial.
Draft -16 Draft -16
o add mud-signature element based on review comments o add mud-signature element based on review comments
o redo mud-url o redo mud-url
o make clear that systeminfo uses UTF8 o make clear that systeminfo uses UTF8
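Review bot: the new "Draft -18:" entry is run onto a single line with "*" bullets, while every other entry in this appendix lists one change per line with "o" bullets; please reformat it as "Draft -18:" followed by "o Correct an error in the augment statement" and "o Changes to the ACL model re ports". The relabelling of the duplicated "Draft -16:" heading from the previous version to "Draft -17:" is correct.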
skipping to change at page 55, line 32 skipping to change at page 55, line 32
This extension augments the MUD model to include a single node, using This extension augments the MUD model to include a single node, using
the following sample module that has the following tree structure: the following sample module that has the following tree structure:
module: ietf-mud-detext-example module: ietf-mud-detext-example
augment /ietf-mud:mud: augment /ietf-mud:mud:
+--rw is-detnet-required? boolean +--rw is-detnet-required? boolean
The model is defined as follows: The model is defined as follows:
<CODE BEGINS>file "ietf-mud-detext-example@2018-02-20.yang" <CODE BEGINS>file "ietf-mud-detext-example@2018-03-01.yang"
module ietf-mud-detext-example { module ietf-mud-detext-example {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-mud-detext-example"; namespace "urn:ietf:params:xml:ns:yang:ietf-mud-detext-example";
prefix ietf-mud-detext-example; prefix ietf-mud-detext-example;
import ietf-mud { import ietf-mud {
prefix ietf-mud; prefix ietf-mud;
} }
organization organization
skipping to change at page 56, line 13 skipping to change at page 56, line 14
Author: Ralph Droms Author: Ralph Droms
rdroms@gmail.com rdroms@gmail.com
Author: Dan Romascanu Author: Dan Romascanu
dromasca@gmail.com dromasca@gmail.com
"; ";
description description
"Sample extension to a MUD module to indicate a need "Sample extension to a MUD module to indicate a need
for DETNET support."; for DETNET support.";
revision 2018-02-20 { revision 2018-03-01 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: Manufacturer Usage Description "RFC XXXX: Manufacturer Usage Description
Specification"; Specification";
} }
augment "/ietf-mud:mud" { augment "/ietf-mud:mud" {
description description
"This adds a simple extension for a manufacturer "This adds a simple extension for a manufacturer
skipping to change at page 56, line 39 skipping to change at page 56, line 40
"This value will equal true if a device requires "This value will equal true if a device requires
detnet to properly function"; detnet to properly function";
} }
} }
} }
<CODE ENDS> <CODE ENDS>
Using the previous example, we now show how the extension would be Using the previous example, we now show how the extension would be
expressed: expressed:
{ {
"ietf-mud:mud": { "ietf-mud:mud": {
"mud-version": 1, "mud-version": 1,
"mud-url": "https://lighting.example.com/lightbulb2000", "mud-url": "https://lighting.example.com/lightbulb2000",
"last-update": "2018-02-08T14:39:15+01:00", "last-update": "2018-03-02T11:20:51+01:00",
"cache-validity": 48, "cache-validity": 48,
"is-supported": true, "extensions": [
"systeminfo": "The BMS Example Lightbulb", "ietf-mud-detext-example"
"extensions": [ ],
"ietf-mud-detext-example" "ietf-mud-detext-example:is-detnet-required": "false",
], "is-supported": true,
"ietf-mud-detext-example:is-detnet-required": "false", "systeminfo": "The BMS Example Lightbulb",
"from-device-policy": { "from-device-policy": {
"access-lists": { "access-lists": {
"access-list": [ "access-list": [
{
"name": "mud-94934-v6fr"
}
]
}
},
"to-device-policy": {
"access-lists": {
"access-list": [
{
"name": "mud-94934-v6to"
}
]
}
}
},
"ietf-access-control-list:access-lists": {
"acl": [
{
"name": "mud-94934-v6to",
"type": "ipv6-acl-type",
"aces": {
"ace": [
{ {
"name": "cl0-todev", "name": "mud-76100-v6fr"
"matches": {
"ipv6": {
"ietf-acldns:src-dnsname": "service.bms.example.com",
"protocol": 6
},
"tcp": {
"ietf-mud:direction-initiated": "from-device",
"source-port-range-or-operator": {
"operator": "eq",
"port": 443
}
}
},
"actions": {
"forwarding": "accept"
}
} }
] ]
} }
}, },
{ "to-device-policy": {
"name": "mud-94934-v6fr", "access-lists": {
"type": "ipv6-acl-type", "access-list": [
"aces": {
"ace": [
{ {
"name": "cl0-frdev", "name": "mud-76100-v6to"
"matches": { }
"ipv6": { ]
"ietf-acldns:dst-dnsname": "service.bms.example.com", }
"protocol": 6 }
},
"ietf-access-control-list:access-lists": {
"acl": [
{
"name": "mud-76100-v6to",
"type": "ipv6-acl-type",
"aces": {
"ace": [
{
"name": "cl0-todev",
"matches": {
"ipv6": {
"ietf-acldns:src-dnsname": "test.com",
"protocol": 6
},
"tcp": {
"ietf-mud:direction-initiated": "from-device",
"source-port": {
"operator": "eq",
"port": 443
}
}
}, },
"tcp": { "actions": {
"ietf-mud:direction-initiated": "from-device", "forwarding": "accept"
"destination-port-range-or-operator": { }
"operator": "eq", }
"port": 443 ]
}
},
{
"name": "mud-76100-v6fr",
"type": "ipv6-acl-type",
"aces": {
"ace": [
{
"name": "cl0-frdev",
"matches": {
"ipv6": {
"ietf-acldns:dst-dnsname": "test.com",
"protocol": 6
},
"tcp": {
"ietf-mud:direction-initiated": "from-device",
"destination-port": {
"operator": "eq",
"port": 443
}
} }
},
"actions": {
"forwarding": "accept"
} }
},
"actions": {
"forwarding": "accept"
} }
} ]
] }
} }
} ]
] }
} }
}
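Review bot: "ietf-mud-detext-example:is-detnet-required": "false" encodes the value as a JSON string, but the tree diagram for this extension declares the leaf as boolean, and the JSON encoding of YANG data (RFC 7951) represents booleans as the bare literals true and false; the value should be false without quotes, as "is-supported": true already is. This hunk also inherits the "test.com" name from the previous example, and the same RFC 2606 concern applies. Moving "extensions" ahead of "is-supported" is harmless, since JSON object member order carries no meaning here.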
Authors' Addresses Authors' Addresses
Eliot Lear Eliot Lear
Cisco Systems Cisco Systems
Richtistrasse 7 Richtistrasse 7
Wallisellen CH-8304 Wallisellen CH-8304
Switzerland Switzerland
Phone: +41 44 878 9200 Phone: +41 44 878 9200
 End of changes. 37 change blocks. 
173 lines changed or deleted 176 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/