On 10/20/17 2:47 AM, M. Ranganathan wrote:
>
> Scenario: Perhaps the manufacturer would like the IOT devices to use HIS name server - not necessarily what is returned by dhcp when the IOT device goes to get its IP address assigned. That is, the device gets a server address of the desired name server somehow when it connects to its controller. This would be a guard against DNS spoofing. The mud controller needs to be able to install ACLs that allow the device to talk to the DNS server - hence the idea of a URI mapping made sense because the entity that installs the ACLs (i.e. the Mud controller) should use the SAME name resolver to result in the same name resolution.

In this case, you can treat DNS as any other service and just use a DNS ACL with something like DoH.

> The draft also says - LAN local DHCP and DNS should always be allowed. These are allowed by default. The mechanism to communicate these to the MUD controller is not specified in the draft.

s/DHCP/NTP, and yes, it is stated that they are to be allowed by default. It is the responsibility of the controller to instantiate appropriate ACLs to allow for that.

Eliot
_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg