Eric Vyncke (evyncke) <evyn...@cisco.com> wrote:

> The comment is indeed about using DNS names in layer-3 ACL of
> firewalls, which is common (at least for one firewall that I know), it
> makes life easier for security people to write ACL (notably when
> handling IPv6-only or dual-stack nodes).
I think that using DNS names for layer-3 ACLs, with attention to TTLs and updating the firewall as the layer-3 ACL changes, is a good thing. I can see someone writing down some BCP on using DNS in such a situation, and there are sections of this document that could apply.

The applicability is significantly wider than for MUD, and this is where the connection falls apart.

* for MUD the ACLs are being written by the vendor of the device,
  => vs an operator at a third party. As the operator of a firewall I can't know how example.com is going to operate their DNS, and to what extent there might be tailored replies ("geofenced").

* the set of names that could be used by a device is limited.
  => MUD applies to limited capability devices, and so the set of names is also limited, while a firewall operator can essentially pick anything.

* many popular names are significantly overloaded.
  => for instance, people who try to restrict access to youtube discover that the IP addresses involved often are also used for other google services, and wind up killing gmail or search, etc. Firewalls don't get access to the URL or name, just the L3 header.

This is why Ben Schwartz suggested that IoT devices with MUD ought to all use SOCKS.

--
Michael Richardson <mcr+i...@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
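A defender-side sketch of the TTL and overloading points raised above, as an added example that is not part of the thread: it expands ACL names to addresses, re-resolves a name only once its TTL has lapsed (so the firewall rule can be refreshed when the answer changes), and reports addresses an allow rule would open that also serve names outside the rule. The resolver table, names and addresses are constructed for the example.

```python
"""TTL-aware bookkeeping for a DNS-name-based layer-3 ACL (added example, not code
from the thread). Resolver answers are a constructed in-memory table using RFC
5737/3849 documentation addresses, so it runs offline with no DNS queries."""
from dataclasses import dataclass

# Constructed stand-in for resolver answers: name -> (ttl_seconds, addresses).
ANSWERS = {
    "update.example.com": (300, {"192.0.2.10", "2001:db8::10"}),
    "video.example.net": (60, {"198.51.100.7"}),
    "mail.example.net": (60, {"198.51.100.7"}),  # shares an edge with video
}

def resolver(name):
    """Look up a name in the constructed table; returns a copy of the address set."""
    ttl, addrs = ANSWERS[name]
    return ttl, set(addrs)

@dataclass
class Entry:
    addrs: set
    expires_at: float

class NameAcl:
    """Expands ACL names to addresses, re-resolving a name once its TTL has lapsed."""
    def __init__(self, resolve=resolver):
        self.resolve = resolve
        self.cache = {}

    def addresses(self, name, now):
        entry = self.cache.get(name)
        if entry is None or now >= entry.expires_at:
            ttl, addrs = self.resolve(name)
            entry = Entry(addrs, now + ttl)
            self.cache[name] = entry
        return entry.addrs

    def permit(self, names, now):
        """Address set the firewall rule should hold at time `now` (seconds)."""
        return set().union(*(self.addresses(n, now) for n in names))

def shared_addresses(acl, allowed, others, now):
    """Addresses opened for `allowed` that also serve names in `others`: the
    firewall only sees the L3 header, so those other services ride along."""
    opened = acl.permit(allowed, now)
    hits = {}
    for other in others:
        for addr in acl.addresses(other, now) & opened:
            hits.setdefault(addr, set()).add(other)
    return hits
```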
_______________________________________________ OPSAWG mailing list -- opsawg@ietf.org To unsubscribe send an email to opsawg-le...@ietf.org