On Fri, 11 Sep 2020 at 16:11, Nick Lamb <[email protected]> wrote:

> On Fri, 11 Sep 2020 12:32:03 +0530
> tirumal reddy <[email protected]> wrote:
>
> > The MUD URL is encrypted and shared only with the authorized
> > components in the network. An attacker cannot read the MUD URL and
> > identify the IoT device. Otherwise, it provides the attacker with
> > guidance on what vulnerabilities may be present on the IoT device.
>
> RFC 8520 envisions that the MUD URL is broadcast as a DHCP option and
> over LLDP without - so far as I was able to see - any mechanism by which
> it should be meaningfully "encrypted" as to prevent an attacker on your
> network from reading it.
>

RFC 8520 allows other means (see sections 1.5 and 1.8) like 802.1X (for
example, TEAP, which does not allow TLS cipher suites without encryption).
The client identity (certificate carrying the MUD URL) is encrypted and not
visible to eavesdroppers. Further, RFC 8520 discusses that IoT devices may
not even omit the URL. It recommends using a proxy to retrieve the MUD file
for privacy reasons.

-Tiru


>
> Nick.
>
_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
