While I agree that this is beyond the scope of the initial MUD draft, I’m not 
sure I agree that this is beyond the scope of MUD in the longer term.

If a manufacturer can define behavior in this way, why wouldn’t it possibly be 
a new policy type that can be an extension/augmentation to the MUD YANG module?

But I do also agree that things like rate limits are, and should continue to be, 
at the discretion of the network administrator. For example, if the 
administrator determines that her policy is “20 connection attempts per 
second”, a MUD policy saying a device type might be “30 connection attempts per 
second” would just be taken as an advisory, not something that needs to be 
embodied in policy. However, if a manufacturer defines an expected rate lower 
than they would normally allow, that can potentially be an input to, for 
example, IDS configs.

Cheers,

Einar
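The precedence rule sketched in the reply above (the administrator's limit is what gets enforced, a higher manufacturer rate is advisory only, a lower one becomes a detection threshold), as an added illustration that is not part of the thread and not MUD's own data model; the function names, the one-second sliding window and the sample timestamps are assumptions.

```python
from collections import deque


def effective_policy(admin_limit, mud_expected):
    """Combine the administrator's rate limit (attempts/s) with the rate a
    manufacturer advertises for the device type.

    Returns (enforce_limit, ids_threshold, advisory_only): the admin limit is
    always enforced; a manufacturer rate at or above it is advisory only; a
    lower manufacturer rate becomes an extra IDS threshold, not an enforcement
    rule.  Hypothetical helper, not a MUD-defined function.
    """
    if mud_expected is None:
        return admin_limit, None, False
    if mud_expected >= admin_limit:
        return admin_limit, None, True
    return admin_limit, mud_expected, False


class ConnectionRateMonitor:
    """Sliding-window counter of connection attempts from one device."""

    def __init__(self, enforce_limit, ids_threshold=None, window=1.0):
        self.enforce_limit = enforce_limit
        self.ids_threshold = ids_threshold
        self.window = window          # seconds (assumed: one-second window)
        self.attempts = deque()       # timestamps inside the current window

    def observe(self, ts):
        """Record an attempt at time ts (seconds) and classify it:
        'drop' above the admin limit, 'alert' above only the manufacturer's
        expected rate (IDS signal), otherwise 'allow'."""
        self.attempts.append(ts)
        while self.attempts and ts - self.attempts[0] >= self.window:
            self.attempts.popleft()   # evict attempts older than the window
        count = len(self.attempts)
        if count > self.enforce_limit:
            return "drop"
        if self.ids_threshold is not None and count > self.ids_threshold:
            return "alert"
        return "allow"


def run(admin_limit, mud_expected, timestamps):
    """Apply the combined policy to a list of attempt timestamps."""
    enforce, ids_thr, _advisory = effective_policy(admin_limit, mud_expected)
    mon = ConnectionRateMonitor(enforce, ids_thr)
    return [mon.observe(t) for t in timestamps]


# Constructed sample: 25 attempts 10 ms apart, all inside one window.
SAMPLE_TIMESTAMPS = [i * 0.01 for i in range(25)]
```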

On 11 Sep 2017, at 16:28, Thorsten Dahm <thorstend...@google.com> wrote:

Hi Ranga,

I think this would go beyond the job of MUD and would be at the discretion of 
the network administrator to enforce rate limits probably at the same network 
devices that are also responsible for implementing the packet filters and such.

cheers,
Thorsten

On 8 September 2017 at 19:54, M. Ranganathan <mra...@gmail.com> wrote:
Hello!

MUD currently does not enforce restrictions on temporal behavior. For example, 
I cannot specify how many times per second a device is allowed to connect to a 
remote IP address and port.

Would this be worth considering?

Use case:

DDOS attack mitigation (?)


Ranga

--
M. Ranganathan

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg




--
Thorsten Dahm

Network Engineer
Google Ireland Ltd.
The Gasworks, Barrow Street
Dublin 4,  Ireland

Registered in Dublin, Ireland
Registration Number: 368047