Hi Saswat,

On 26.01.18 20:17, Saswat Praharaj (saspraha) wrote:
> Hi Eliot,
>
> Adding device information (manufacturer/device-type etc.) in the MUD
> file provides visibility in the network, in addition to policy.
> If visibility is not that important for MUD, we could have it as optional
> parameters.
>
> IMHO, it's important because MUD will not be the only policy for the
> device, and if the admin has to apply other policies, he/she needs to
> know what the device is.
> The device manufacturer is the most reliable source to provide
> information about the device.
>
> Based on your comment
>
>> Yes, there is. If the MUD-URL is "burned in" via 802.1AR and the
>> software can be updated, then one oughtn't provide software
>> information for the simple reason that it would be most likely
>> wrong. Hardware info? Sure. Software when using DHCP or LLDP?
>> Sure. But otherwise no.
>
> For this, it's important that we have a version number in the MUD URL –
> either as v1, v2 or <software version> itself.
> Device description and access policy may change when software is
> upgraded. A newly released device with a different software version may
> have a different access pattern compared to an older version of the device.

That's not quite what the version did, and hardcoding the MUD-URL is the
fundamental issue.  Remember, it's a GOOD thing to hardcode that URL
into a cert because then it is the manufacturer making the assertion and
not the device itself.  But there are some attendant drawbacks, which is
why we have the other mechanisms.

Eliot


_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg
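The rule Eliot quotes above (hardware description is a manufacturer assertion and can be kept regardless of how the MUD-URL arrived; software version fields are only meaningful when the running software itself conveyed the URL over DHCP or LLDP, not when the URL is burned into an 802.1AR certificate) is easy to state and easy to get wrong in a MUD manager. The following is an added example, written for this page and not code from the thread, the OPSAWG draft or any MUD implementation. It assumes the field names the later-published MUD YANG module (RFC 8520) uses for this information (`mfg-name`, `model-name`, `firmware-rev`, `software-rev`); the thread predates that, so that mapping is the editor's assumption, as are the URL-source labels `cert`, `dhcp` and `lldp` and the sample MUD file, which is constructed.

```python
"""Apply the thread's trust rule to device-description fields in a MUD file.

Hardware fields (manufacturer/model) are kept whatever the MUD-URL source.
Software fields are kept only when the URL came over DHCP or LLDP, i.e. from
the software currently running; a URL burned into an 802.1AR cert cannot
track updates, so software fields reached that way are dropped and reported.
"""
import json
from dataclasses import dataclass, field

# Field names follow the ietf-mud module of RFC 8520 (editor's assumption;
# the thread predates the RFC).
HARDWARE_FIELDS = ("mfg-name", "model-name")
SOFTWARE_FIELDS = ("firmware-rev", "software-rev")

# How the MUD-URL reached the network (labels are this example's own).
KNOWN_SOURCES = frozenset({"cert", "dhcp", "lldp"})
SOFTWARE_TRUSTED_SOURCES = frozenset({"dhcp", "lldp"})


@dataclass
class DeviceInfo:
    hardware: dict            # fields an admin may rely on for other policy
    software: dict            # version fields, only when trustworthy
    dropped: list = field(default_factory=list)   # fields discarded and why


def extract_device_info(mud_json: str, url_source: str) -> DeviceInfo:
    """Return the device description a policy engine may trust.

    url_source is one of 'cert' (802.1AR), 'dhcp' or 'lldp'. Anything else
    is refused rather than guessed, so an unknown transport never leaks
    software fields through.
    """
    if url_source not in KNOWN_SOURCES:
        raise ValueError(f"unknown MUD-URL source: {url_source!r}")
    doc = json.loads(mud_json)
    mud = doc["ietf-mud:mud"]      # KeyError if this is not a MUD file
    hardware = {k: mud[k] for k in HARDWARE_FIELDS if k in mud}
    software, dropped = {}, []
    for k in SOFTWARE_FIELDS:
        if k not in mud:
            continue
        if url_source in SOFTWARE_TRUSTED_SOURCES:
            software[k] = mud[k]
        else:
            dropped.append(k)
    return DeviceInfo(hardware, software, dropped)


# Constructed sample MUD file (not a real manufacturer's file).
SAMPLE_MUD = json.dumps({
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": "https://mud.example.com/sensor/v2.json",
        "last-update": "2018-01-26T20:17:00+00:00",
        "is-supported": True,
        "mfg-name": "Example Corp",
        "model-name": "Sensor-200",
        "firmware-rev": "2.0.1",
        "software-rev": "fw-2.0.1-build17",
    }
})


if __name__ == "__main__":
    for source in ("cert", "dhcp", "lldp"):
        info = extract_device_info(SAMPLE_MUD, source)
        print(source, info.hardware, info.software, "dropped:", info.dropped)
```

Running the script shows the same hardware description for all three sources, but the firmware and software revisions survive only for `dhcp` and `lldp`; for `cert` they are listed under `dropped` so the operator can see that the information existed and why it was not used.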
