From nobody Sun Dec 1 12:16:20 2019 Return-Path: X-Original-To: mud@ietfa.amsl.com Delivered-To: mud@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1F954120108; Sun, 1 Dec 2019 12:16:18 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.2 X-Spam-Level: X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lpO5Z5Gvfa5E; Sun, 1 Dec 2019 12:16:16 -0800 (PST) Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0FF7312010C; Sun, 1 Dec 2019 12:16:15 -0800 (PST) Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id A68A63897B; Sun, 1 Dec 2019 15:12:41 -0500 (EST) Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 9AB24726; Sun, 1 Dec 2019 15:16:14 -0500 (EST) From: Michael Richardson To: Ted Lemon , ADD Mailing list CC: mud@ietf.org In-Reply-To: <44754CB6-1CED-4ADF-9521-1361DF4F75A6@fugue.com> References: <99B3F484-0C0B-40F0-9E97-E7807AC61FA5@fl1ger.de> <44754CB6-1CED-4ADF-9521-1361DF4F75A6@fugue.com> X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1 X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m Archived-At: Subject: [Mud] DNS filtering and IoT device security X-BeenThere: mud@ietf.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Discussion of Manufacturer Ussage Descriptions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 01 Dec 2019 20:16:18 -0000 --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Ralf Weber wrote: >> While this is possible for well behaved clients, it=E2=80=99s hardly= possible >> for devices that attack my network, like hacked IoT devices. We have >> to give the network some means to defend against this. To achieve th= is >> the proper behaviour of well defined client must be predictable and >> follow what the network offers. If attack and regular traffic look t= he >> same defending against attack traffic gets much harder. Ted Lemon wrote: > Your IoT devices should not be able to communicate freely with all > other devices on your network (or off). They should be firewalled > automatically using MUD. This is a much more effective strategy than > filtering their DNS queries, because it is a list of permitted > connections rather than a list of excluded connections. The permission > list permits only those destinations the IoT device should be talking > to. An exclusion list allows the IoT device to talk to all unknown > adversaries, and only blocks communication with known adversaries. So > it=E2=80=99s perhaps marginally better than nothing, but still mostly= useless. I agree completely with Ted: DNS is a really poor way to keep your devices safe. It's unfortunately, often the only controls we have to date, and when the only tool you have is a hammer... I posted draft-richardson-opsawg-mud-iot-dns-considerations-01 just before the deadline. Contributions and thoughts welcome. Fundamentally, the MUD controller needs to be able to get the same DNS answers as the IoT devices. To the extent that off-site Do53/DoH/DoT screws up geo-DNS and other load balancing mechanisms they are a problem. That's not a mark against DoX, but against *off-site*. That's also not a statement against browsers doing X or Y, but rather that controllers needs to know where devices are asking questions to. Local makes it easier to manage, but that's not the only answer. =2D- Michael Richardson , Sandelman Software Works -=3D IPv6 IoT consulting =3D- --=-=-= Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEbsyLEzg/qUTA43uogItw+93Q3WUFAl3kH44ACgkQgItw+93Q 3WVIuggApqqpk5eAQZt3j1KnM4WHb/QgQOWphzflIQxTdjQ728dZ/1Wk7/9VHsbZ UrvkO8sDODXd829d3NQSVzygF5gUg6O766DreEJyMkTqy+GjANt1wnssgAdvD0qq Rj7i0y194XyKurgFsAvJ6Zj/oEVH58TdFeDoHWr9tZYEgj+Qw6uSDHtVa9YwlT/f QI4YVhu3XvgMcOAAmGzvLbvgdhlQ0ynv5OsOZ0evMLnvTLguXWGsXexYOCmV/p/I ee8oFconn3WEzvcrj4WCNq79bgF+CgBLjp371O/EDE/sZ/ee8OKh02O78fQVvlp0 cKnyd9YaJC/PsuL46k5iW1o1KJO+TA== =StYG -----END PGP SIGNATURE----- --=-=-=--