Eliot Lear <[email protected]> wrote:
    >> On 23 Sep 2020, at 20:27, Michael Richardson <[email protected]> wrote:
    >>
    >> Yes, the CPE could look at the DNS queries the device is using, and then
    >> cache them.   Or, when it loads the MUD file, it could do a DNS lookup on all
    >> the names, and cache them.  Then, when the device asks, it is already cached,
    >> and one can be sure that a known IP/name combination is returned.
    >> If it does this DNS lookup on a regular basis (updating the MUD ACLs
    >> implemented in the forwarding plane), then the cache stays warm, and the
    >> rules are accurate.
    >>
    >> This is how our implementation worked.

    > Either this, or there should be a relationship between the resolver and
    > the AP/switch/firewall/CPE in which appropriate query responses are
    > shared. That might be the better long term approach.

So you are imagining some channel from the recursive DNS resolver(s) which
basically just stream all name->IP pairs being cached.
An MQTT channel or encrypted multicast or CoAP Observe.

The policy enforcement point(s) would then be in charge of updating the ACLs
that were installed with names.
One could even hash the names into some number of channels if the update rate
was otherwise too busy.

    > What is key- in
    > order for protection to work, the infrastructure needs to know (1) what
    > names are authorized and (b) their associated addresses.  As important,
    > its understanding must be the same as that of the device that makes the
    > query.

Yes.  The common understanding of the mapping is key.

--
Michael Richardson <[email protected]>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
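
A small simulation of the enforcement point discussed above (an added illustration, not code from either implementation mentioned in the thread): ACL entries are installed by name from the MUD file, name->IP pairs streamed from the resolver bind addresses to those names until their TTL expires, the device is answered from the same cache so both sides share one view of the mapping, and `channel_for` shows the hash-into-channels idea. All names, addresses, TTLs and timestamps are constructed values.

```python
"""Simulated MUD policy enforcement point (PEP) kept in sync with a resolver.
Added illustration; names, addresses and TTLs below are constructed."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class NameAcl:
    """One name-based ACL entry plus the addresses currently bound to it."""
    name: str
    addrs: dict = field(default_factory=dict)  # ip -> expiry timestamp


class Pep:
    def __init__(self, authorized_names):
        # Only names listed in the MUD file's ACLs ever become rules.
        self.acl = {n: NameAcl(n) for n in authorized_names}

    def on_resolver_answer(self, name, ip, ttl, now):
        """Consume one name->IP pair streamed from the recursive resolver.
        Answers for names the MUD file does not authorize are dropped."""
        entry = self.acl.get(name)
        if entry is None:
            return False
        entry.addrs[ip] = now + ttl  # rule lives only as long as the DNS TTL
        return True

    def expire(self, now):
        """Drop bindings whose TTL has run out, so stale IPs are not allowed."""
        for entry in self.acl.values():
            entry.addrs = {ip: exp for ip, exp in entry.addrs.items() if exp > now}

    def permitted(self, dst_ip, now):
        """Forwarding-plane check: destination allowed only while it is bound
        to an authorized name under a still-valid TTL."""
        self.expire(now)
        return any(dst_ip in e.addrs for e in self.acl.values())

    def answer_device_query(self, name, now):
        """Answer the device from the same cache the ACL was built from, so the
        device and the PEP hold the same understanding of the mapping."""
        self.expire(now)
        entry = self.acl.get(name)
        return sorted(entry.addrs) if entry else []


def channel_for(name, n_channels):
    """Shard names over n_channels pub/sub channels by hashing the name."""
    digest = hashlib.sha256(name.lower().encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_channels
```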

_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg