On 2022-03-07 11:47, Ben Schwartz wrote:
> I reviewed [1] this draft at version 01, but my concerns largely stand with
> the current version.
> The fundamental issue here, in my view, is that the urn:ietf:params:mud:dns
> permission is not compatible with the desired threat model. A correct
> solution would be to recommend against this permission, and introduce a new
> one that provides explicit coupling between DNS resolution, transport
> setup, and the MUD gateway (e.g. using a SOCKS5 proxy).
I have been struggling to find a way to deal with your comments.
https://github.com/mcr/iot-mud-dns-considerations/pull/2 is the
beginnings of a recommendation to use SOCKS5 if it is present on
networks. I don't think that we have a way to do that.
Perhaps there is some discovery of SOCKS5 in some vendor DHCP option,
but I haven't found that yet.
_______________________________________________
OPSAWG mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/opsawg