6tisch Working Group                                       M. Richardson
Internet-Draft                                  Sandelman Software Works
Intended status: Informational                                 J. Latour
Expires: September 12, 2019                                    CIRA Labs
                                                                 F. Khan
                                                      Twelve Dot Systems
                                                          March 11, 2019


     MUD processing and extensions for Secure Home Gateway Project
            draft-richardson-opsawg-securehomegateway-mud-01

Abstract

   This document details the mechanism used by the CIRA Secure Home
   Gateway and CIRA MUD integration server to return MUD artifacts to
   participating gateway systems.

   The work in [I-D.ietf-opsawg-mud] creates a relationship between a
   device's manufacturer and a border gateway that may need to enforce
   policy.  This document ads an additional relationship to a service
   provider, trusted by the border gateway to enhance or modify the
   stated security policy.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on September 12, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents



Richardson, et al.     Expires September 12, 2019               [Page 1]

Internet-Draft                   SHG-MUD                      March 2019


   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  Requirements Language . . . . . . . . . . . . . . . . . . . .   3
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   3
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   3
   6.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   3
   7.  Normative References  . . . . . . . . . . . . . . . . . . . .   3
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   3

1.  Introduction

   This document details how the CIRALabs Secure Home Gateway uses MUD
   files.

   [I-D.richardson-shg-mud-quarantined-access] details an extension to
   mark certain ACLs as providing firmware update access.

   The second issue addressed by the document is the question of whether
   and when the MUD file should be specific to a specific version of the
   device firmware.

   The third issue is that an intermediary (ISP, or third-party security
   service) may want to extend or amend a MUD file received from a
   manufacturer.  In order to maintain an audit trail of changes, a way
   to encode the previous MUD URL and signature file (and status) is
   provided.

2.  Terminology

   The major new term, compared to the MUD document is the term

   quaranteed:  a device which has shown behaviour forbidden by a MUD
      file ACL, and has subsequently been denied further access to the
      network.







Richardson, et al.     Expires September 12, 2019               [Page 2]

Internet-Draft                   SHG-MUD                      March 2019


3.  Requirements Language

   In this document, the key words "MUST", "MUST NOT", "REQUIRED",
   "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
   and "OPTIONAL" are to be interpreted as described in BCP 14, RFC 2119
   [RFC2119] and indicate requirement levels for compliant STuPiD
   implementations.

4.  Security Considerations

   TBD.

5.  IANA Considerations

   TBD.

6.  Acknowledgements

   This work was supported by the Canadian Internet Registration
   Authority (cira.ca).

7.  Normative References

   [I-D.ietf-opsawg-mud]
              Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage
              Description Specification", draft-ietf-opsawg-mud-25 (work
              in progress), June 2018.

   [I-D.richardson-shg-mud-quarantined-access]
              Richardson, M., "Manufacturer Usuage Description for
              quarantined access to firmware", draft-richardson-shg-mud-
              quarantined-access-00 (work in progress), January 2019.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

Authors' Addresses

   Michael Richardson
   Sandelman Software Works

   Email: mcr+ietf@sandelman.ca







Richardson, et al.     Expires September 12, 2019               [Page 3]

Internet-Draft                   SHG-MUD                      March 2019


   Jacques Latour
   CIRA Labs

   Email: Jacques.Latour@cira.ca


   Faud Khan
   Twelve Dot Systems

   Email: faud.khan@twelvedot.com









































Richardson, et al.     Expires September 12, 2019               [Page 4]