While I agree that this is beyond the scope of the initial MUD draft, I’m not sure I agree that this is beyond the scope of MUD in the longer term.
If a manufacturer can define behavior in this way, why wouldn't it possibly be a new policy type that can be an extension/augmentation to the MUD YANG module? But I do also agree that things like rate limits are, and should continue to be, at the discretion of the network administrator. For example, if the administrator determines that her policy is "20 connection attempts per second", a MUD policy saying a device type might be "30 connection attempts per second" would just be taken as advisory, not something that needs to be embodied in policy. However, if a manufacturer defines an expected rate lower than they would normally allow, that can potentially be an input to, for example, IDS configs.

Cheers,
Einar

On 11 Sep 2017, at 16:28, Thorsten Dahm <[email protected]> wrote:

Hi Ranga,

I think this would go beyond the job of MUD and would be at the discretion of the network administrator to enforce rate limits, probably at the same network devices that are also responsible for implementing the packet filters and such.

cheers,
Thorsten

On 8 September 2017 at 19:54, M. Ranganathan <[email protected]> wrote:

Hello!

MUD currently does not enforce restrictions on temporal behavior. For example, I cannot specify how many times per second a device is allowed to connect to a remote IP address and port. Would this be worth considering?

Use case: DDOS attack mitigation (?)

Ranga

--
M. Ranganathan

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg

--
Thorsten Dahm
Network Engineer
Google Ireland Ltd.
The Gasworks, Barrow Street
Dublin 4, Ireland
Registered in Dublin, Ireland
Registration Number: 368047
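Added illustration of the reconciliation rule Einar sketches above (a manufacturer rate hint that is higher than the administrator's limit is advisory only; one that is lower becomes a detection threshold). This is example code written for this page, not code from the thread, the MUD draft, or any MUD controller. The MUD file is constructed, and the leaf named `example-mud-rate:max-new-connections-per-second` is a hypothetical augmentation invented for the example; no such node exists in the MUD YANG module.

```python
import json

# Hypothetical augmentation leaf. It is NOT part of the MUD YANG module; it is
# invented here to show what a per-ACE rate hint could look like if added later.
RATE_LEAF = "example-mud-rate:max-new-connections-per-second"

# Constructed MUD file (JSON), laid out like an ietf-mud document with one
# from-device ACL. Hostnames and the rate values are made up for the example.
MUD_FILE = json.dumps({
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": "https://example.com/mud/lightbulb.json",
        "from-device-policy": {
            "access-lists": {"access-list": [{"name": "mud-from-lightbulb"}]}
        },
    },
    "ietf-access-control-list:acls": {"acl": [{
        "name": "mud-from-lightbulb",
        "type": "ipv4-acl-type",
        "aces": {"ace": [
            {   # manufacturer says: a couple of new sessions per second at most
                "name": "cloud-https",
                "matches": {
                    "ipv4": {"protocol": 6, "ietf-acldns:dst-dnsname": "cloud.example.com"},
                    "tcp": {"destination-port": {"operator": "eq", "port": 443}},
                },
                "actions": {"forwarding": "accept"},
                RATE_LEAF: 2,
            },
            {   # manufacturer claims a rate above what this admin would allow
                "name": "ntp",
                "matches": {
                    "ipv4": {"protocol": 17, "ietf-acldns:dst-dnsname": "ntp.example.com"},
                    "udp": {"destination-port": {"operator": "eq", "port": 123}},
                },
                "actions": {"forwarding": "accept"},
                RATE_LEAF: 30,
            },
            {   # no rate hint at all: what MUD files carry today
                "name": "firmware-update",
                "matches": {
                    "ipv4": {"protocol": 6, "ietf-acldns:dst-dnsname": "update.example.com"},
                    "tcp": {"destination-port": {"operator": "eq", "port": 443}},
                },
                "actions": {"forwarding": "accept"},
            },
        ]},
    }]},
})


def manufacturer_rate_hints(mud_json):
    """Map ACE name -> hinted rate for every ACE that carries RATE_LEAF."""
    doc = json.loads(mud_json)
    hints = {}
    for acl in doc["ietf-access-control-list:acls"]["acl"]:
        for ace in acl["aces"]["ace"]:
            if RATE_LEAF in ace:
                hints[ace["name"]] = ace[RATE_LEAF]
    return hints


def reconcile(mud_rate, admin_rate):
    """Apply the rule from the thread to one ACE.

    The administrator's limit is always what the network enforces. A
    manufacturer value at or above it is advisory only; a lower value is
    kept as a detection threshold (for example an IDS alert level), since
    traffic above it is abnormal for the device even though it is allowed.
    """
    if mud_rate is None:
        return {"enforced": admin_rate, "ids_threshold": None, "advisory_only": False}
    if mud_rate >= admin_rate:
        return {"enforced": admin_rate, "ids_threshold": None, "advisory_only": True}
    return {"enforced": admin_rate, "ids_threshold": mud_rate, "advisory_only": False}


def build_rate_policy(mud_json, admin_rate):
    """Per-ACE result of reconciling the MUD hints with the admin's limit."""
    doc = json.loads(mud_json)
    hints = manufacturer_rate_hints(mud_json)
    policy = {}
    for acl in doc["ietf-access-control-list:acls"]["acl"]:
        for ace in acl["aces"]["ace"]:
            policy[ace["name"]] = reconcile(hints.get(ace["name"]), admin_rate)
    return policy


if __name__ == "__main__":
    # Administrator policy of 20 new connections per second, as in the thread.
    for name, result in build_rate_policy(MUD_FILE, admin_rate=20).items():
        print(name, result)
```

With the administrator's 20/s limit, the "ntp" hint of 30/s is flagged as advisory only and nothing changes on the enforcement side, while the "cloud-https" hint of 2/s is kept as an IDS threshold; the enforced limit stays at the administrator's 20/s in every case, which is the point Einar and Thorsten agree on.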
