Hi everyone,

I have given this document a fresh read, and I think there are a few points that need to be drawn out.
First, some of this has rather little to do with MUD. MUD is simply an example mechanism that scales the intent of the manufacturer of a device. One could just as easily read the documentation and establish a list of domain names that are supposed to be allowed access. My suggestion is to focus on the following fundamental aspect:
IoT devices generally require limited access to the Internet, and it is thus possible to enumerate that access. Cloud-based IoT makes use of DNS for many reasons: load distribution, geographical policy implementation, latency management, and others. Enumerating access to a cloud-based resource all but necessitates the use of the DNS in these circumstances. Thus the draft really should just focus on IoT, DNS, and the binding between the policy enforcement point and the domain names being used by a device.
Another point I would make would be around the use of proxied TLS. This is possible in ALL versions of TLS, but it is difficult to implement in an IoT device because a trust anchor has to be configured for it to work. It is that configuration aspect that is the problem. I'm not sure how ESNI comes into play here.
Eliot
OPSAWG mailing list: https://www.ietf.org/mailman/listinfo/opsawg
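The binding Eliot describes, between a policy enforcement point and the domain names a device is permitted to use, as an added example that is not part of his message or of the draft under discussion. It assumes (my assumptions, not the draft's) that the enforcement point can see the DNS answers returned to the device, that the allowed names have already been enumerated (from documentation or a MUD file), and that the allow-list of addresses should expire with the record TTL. The resolver answers fed in by `run_demo()` are constructed sample data, including a CNAME to a CDN host, which is the case a PEP that only matches the owner name of A records would get wrong.

```python
"""DNS-bound policy enforcement for an IoT device (added example, not from the
original message). Assumed model: the PEP observes the device's DNS answers,
turns answers for enumerated names into IP allow entries with the record TTL,
and follows CNAME chains so that cloud/CDN-fronted names still resolve to an
allowed address. All names and addresses below are constructed sample data."""
from dataclasses import dataclass, field
from ipaddress import ip_address
from typing import Dict, Optional, Set


@dataclass
class Entry:
    allowed_name: str   # the enumerated name this address/alias was learned for
    expires_at: float   # absolute time derived from the record TTL


@dataclass
class DnsBoundPep:
    """Policy enforcement point keyed on the device's enumerated domain names."""
    allowed_names: Set[str]                                   # e.g. from a MUD file
    ip_allow: Dict[str, Entry] = field(default_factory=dict)  # address -> entry
    aliases: Dict[str, Entry] = field(default_factory=dict)   # CNAME target -> entry

    @staticmethod
    def _norm(name: str) -> str:
        return name.rstrip(".").lower()

    def _allowed_name_for(self, owner: str, now: float) -> Optional[str]:
        """Map a record owner name back to the enumerated name it serves, if any."""
        owner = self._norm(owner)
        if owner in self.allowed_names:
            return owner
        alias = self.aliases.get(owner)
        if alias is not None and alias.expires_at > now:
            return alias.allowed_name
        return None

    def observe_answer(self, owner: str, rtype: str, rdata: str,
                       ttl: int, now: float) -> bool:
        """Feed one resource record from a DNS response the device received.
        Returns True if the record extended the allow-list, False otherwise."""
        name = self._allowed_name_for(owner, now)
        if name is None:
            return False  # answer for a name the device was never permitted to use
        expires = now + ttl
        if rtype == "CNAME":
            # Addresses later returned for the target belong to the allowed name.
            self.aliases[self._norm(rdata)] = Entry(name, expires)
            return True
        if rtype in ("A", "AAAA"):
            self.ip_allow[str(ip_address(rdata))] = Entry(name, expires)
            return True
        return False  # other record types carry no addresses to bind

    def permit(self, dst_ip: str, now: float) -> bool:
        """Decide whether a new flow from the device to dst_ip is allowed."""
        ip = str(ip_address(dst_ip))
        entry = self.ip_allow.get(ip)
        if entry is None:
            return False
        if entry.expires_at <= now:
            del self.ip_allow[ip]  # record aged out; the device must resolve again
            return False
        return True


def run_demo() -> Dict[str, bool]:
    """Constructed exchange: the allowed name is CNAMEd to a CDN host, an
    unrelated name is also resolved, and a flow is attempted after the TTL."""
    pep = DnsBoundPep(allowed_names={"iot.example.com"})
    t = 1000.0
    pep.observe_answer("iot.example.com.", "CNAME", "edge.cdn.example.net.", 300, t)
    pep.observe_answer("edge.cdn.example.net.", "A", "192.0.2.10", 60, t)
    pep.observe_answer("evil.example.org.", "A", "198.51.100.5", 60, t)  # not listed
    return {
        "cdn_ip_now": pep.permit("192.0.2.10", t + 30),        # allowed via CNAME
        "cdn_ip_after_ttl": pep.permit("192.0.2.10", t + 61),  # expired, must re-resolve
        "unlisted_ip": pep.permit("198.51.100.5", t),          # never bound
        "never_resolved": pep.permit("203.0.113.1", t),        # no DNS answer at all
    }


if __name__ == "__main__":
    for check, allowed in run_demo().items():
        print(f"{check}: {'permit' if allowed else 'deny'}")
```

The TTL handling is the part worth noting: once the A record ages out the address is dropped, so the device has to resolve the name again before a new flow is permitted, which keeps the PEP's view aligned with whatever load-balancing or geographic steering the cloud service is doing through DNS.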
