Hi Michael,

This is a very useful and essential draft, I think. The DNS resolving issue may be an important obstacle for deploying a MUD solution successfully.
The simplest successful strategy for translating names is for a MUD controller to do a DNS lookup on the name (a forward lookup), and then use the resulting IP addresses to populate the physical ACLs. This strategy is simple, but I doubt it can be called 'successful', as it won't work all the time. You already listed some failure scenarios. Beyond the considerations in the draft, another method I imagine is to deploy a DNS proxy (but I don't know whether it's practical).

In the residential scenario, the CPE device is usually the MUD controller and the policy enforcement point, and it can also act as a DNS proxy. When the IoT device sends a DNS query, it will send it to the CPE. The CPE can first filter unexpected DNS queries by comparing the DNS names with the ones defined in the MUD file, then the CPE will query the actual DNS server. When the CPE gets the answers from the actual DNS server, it can respond to the IoT device with the answers and generate the corresponding ACLs, as it now knows the IP addresses.

In the enterprise scenario, the MUD controller, the policy enforcement point, and the DNS proxy may be three different devices. The MUD controller gets the MUD file of the IoT device and dispatches the file to the DNS proxy. When the IoT device sends the DNS query to the DNS proxy, the DNS proxy can filter the DNS query as well and then get the answers by querying the real DNS server. After that, the DNS proxy will tell the MUD controller the IP addresses of the DNS names, and the MUD controller can generate the ACLs and configure the policy enforcement point.

I'm not a DNS expert, and this is just a little thought; please don't mind if it's useless.

Regards & Thanks!
Wei Pan

> -----Original Message-----
> From: I-D-Announce [mailto:[email protected]] On Behalf Of [email protected]
> Sent: Wednesday, September 23, 2020 9:30 AM
> To: [email protected]
> Subject: I-D Action: draft-richardson-opsawg-mud-iot-dns-considerations-03.txt
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>
> Title : Operational Considerations for use of DNS in IoT devices
> Author : Michael Richardson
> Filename : draft-richardson-opsawg-mud-iot-dns-considerations-03.txt
> Pages : 13
> Date : 2020-09-22
>
> Abstract:
> This document details concerns about how Internet of Things devices use IP addresses and DNS names. The issue becomes acute as network operators begin deploying RFC8520 Manufacturer Usage Description (MUD) definitions to control device access.
>
> This document explains the problem through a series of examples of what can go wrong, and then provides some advice on how a device manufacturer can best deal with these issues. The recommendations have an impact upon device and network protocol design.
>
> {RFC-EDITOR, please remove. Markdown and issue tracker for this document is at https://github.com/mcr/iot-mud-dns-considerations.git }
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-richardson-opsawg-mud-iot-dns-considerations/
>
> There is also an HTML version available at:
> https://www.ietf.org/id/draft-richardson-opsawg-mud-iot-dns-considerations-03.html
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-richardson-opsawg-mud-iot-dns-considerations-03
>
> Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
> _______________________________________________
> I-D-Announce mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/i-d-announce
> Internet-Draft directories: http://www.ietf.org/shadow.html or ftp://ftp.ietf.org/ietf/1shadow-sites.txt

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg
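The two proxy steps Wei describes above (drop queries for names the MUD file never lists, then turn the forwarded answers into ACL entries) as an added example; this is not code from the thread or from the draft. It assumes the RFC 8520 `ietf-acldns:dst-dnsname` match field, a constructed MUD fragment, constructed A/CNAME answers, and a caller-supplied clock so the ACL entry can expire with the record's TTL.

```python
import json
import ipaddress

# Constructed MUD file fragment in the RFC 8520 shape (not a real vendor's MUD file).
MUD_FILE = json.loads("""
{
  "ietf-access-control-list:acls": {"acl": [
    {"name": "from-dev", "type": "ipv4-acl-type", "aces": {"ace": [
      {"name": "cloud", "matches": {
         "ipv4": {"ietf-acldns:dst-dnsname": "cloud.example.com", "protocol": 6},
         "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
       "actions": {"forwarding": "accept"}}
    ]}}
  ]}
}
""")

def allowed_names(mud):
    """Map each dst-dnsname in the MUD file to the (protocol, port) it permits."""
    names = {}
    for acl in mud["ietf-access-control-list:acls"]["acl"]:
        if acl["type"] != "ipv4-acl-type":
            continue  # this example only handles IPv4 ACLs / A records
        for ace in acl["aces"]["ace"]:
            m = ace["matches"]
            name = m.get("ipv4", {}).get("ietf-acldns:dst-dnsname")
            if not name:
                continue  # literal-IP ACEs need no DNS step
            port = m.get("tcp", {}).get("destination-port", {}).get("port")
            names[name.lower().rstrip(".")] = (m["ipv4"].get("protocol"), port)
    return names

def query_allowed(names, qname):
    """Proxy step 1: only forward queries for names the MUD file mentions."""
    return qname.lower().rstrip(".") in names

def acls_from_answer(names, device_ip, qname, rrset, now):
    """Proxy step 2: forwarded A answers become (src, dst, proto, port, expires)."""
    key = qname.lower().rstrip(".")
    if key not in names:
        return []
    proto, port = names[key]
    entries = []
    for rtype, rdata, ttl in rrset:
        if rtype != "A":
            continue  # CNAME/AAAA records carry no IPv4 target to permit
        ipaddress.IPv4Address(rdata)  # reject malformed rdata before it reaches an ACL
        entries.append((device_ip, rdata, proto, port, now + ttl))  # re-resolve at expiry
    return entries
```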
