Concerns on the use of MUD for HttpsLocal DNS registration.
Situation: Access devices (e.g. cameras) on the local network from a browser (e.g. on a smartphone) without a rendezvous point on the Internet.
Target: Secure communication without modifying the browser's trust store.
Requirement: Certificates for the local devices need to be issued by a publicly trusted CA.
Approach: Those devices have a local address and an FQDN under the device vendor's domain namespace (so a global IP address is not needed for a publicly trusted EE certificate).
The assumed processing procedure is as follows.
- The camera sends a DHCP Discover packet.
- The packet includes OPTION_MUD_URL_V4 (161) and Host Name (12).
- The Host Name is a unique host name generated by the camera.
- The MUD Manager gets the MUD File from the MUD File Server.
- The MUD File has an extension field giving the domain for the Thing (e.g. nvr.example.com).
- The MUD Manager registers a new record on the local DNS server.
- The record is generated by combining the Host Name and the domain for the Thing.
* The method of importing certificates into devices is out of scope here.
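The procedure above, as an added example that is not part of the original note: a minimal MUD-manager step that parses a constructed DHCPDISCOVER, extracts OPTION_MUD_URL_V4 (161) and Host Name (12), reads the proposed "thing-dnsname" from a constructed (trimmed, unsigned) MUD file, and emits the local DNS record. The MUD URL, host names, zone, addresses and the in-memory MUD file table are illustrative assumptions. It also adds the two checks a manager needs before touching the DNS: the device-chosen Host Name is accepted only as a single DNS label, and the zone named in the MUD file must be one the local server actually has delegated to it.

```python
"""Added example (not the original note's code): MUD manager side of the
HttpsLocal DNS registration procedure.  All names, URLs and addresses are
illustrative assumptions."""
import json
import re

DHCP_OPT_HOSTNAME = 12
DHCP_OPT_MUD_URL_V4 = 161
DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2132 magic cookie after the 236-byte BOOTP header

# A single DNS label in RFC 1035 preferred syntax: no dots, 1-63 characters.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Constructed MUD file (trimmed): a real file would also carry the ACLs and a signature.
SAMPLE_MUD_FILES = {
    "https://mud.example.com/camera-mud-httpslocal": json.loads("""{
      "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": "https://mud.example.com/camera-mud-httpslocal",
        "thing-dnsname": "nvr.example.com"
      }
    }"""),
}


def fetch_mud_file(url: str) -> dict:
    """Stand-in for the HTTPS fetch of the MUD file (looks up the constructed table)."""
    return SAMPLE_MUD_FILES[url]


def build_discover(hostname: str, mud_url: str) -> bytes:
    """Construct a DHCPDISCOVER carrying options 53, 12 and 161 (test input, not a capture)."""
    header = bytearray(236)
    header[0], header[1], header[2] = 1, 1, 6      # op=BOOTREQUEST, htype=Ethernet, hlen=6
    header[4:8] = b"\x12\x34\x56\x78"               # xid
    opts = bytes([53, 1, 1])                         # DHCP message type = DISCOVER
    opts += bytes([DHCP_OPT_HOSTNAME, len(hostname)]) + hostname.encode("ascii")
    opts += bytes([DHCP_OPT_MUD_URL_V4, len(mud_url)]) + mud_url.encode("ascii")
    return bytes(header) + DHCP_MAGIC + opts + b"\xff"


def parse_dhcp_options(packet: bytes) -> dict:
    """Return {option code: raw value} from a DHCPv4 packet."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCPv4 packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                 # pad
            i += 1
            continue
        if code == 255:               # end
            break
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def local_dns_record(hostname: str, zone: str, local_ip: str, ttl: int = 300) -> str:
    """Combine the device's Host Name with the vendor zone into one A record (zone-file syntax)."""
    # The Host Name is chosen by the device and is untrusted: accept a single label only,
    # so a device cannot register "www.bank.example" or any name outside the vendor zone.
    if not LABEL_RE.match(hostname):
        raise ValueError(f"rejected host name {hostname!r}")
    return f"{hostname.lower()}.{zone}. {ttl} IN A {local_ip}"


def process_discover(packet: bytes, delegated_zones: set, local_ip: str,
                     fetch_mud=fetch_mud_file) -> str:
    """DHCP options -> MUD file -> local DNS record, with the checks a manager needs."""
    opts = parse_dhcp_options(packet)
    if DHCP_OPT_MUD_URL_V4 not in opts or DHCP_OPT_HOSTNAME not in opts:
        raise ValueError("DISCOVER lacks the MUD URL or Host Name option")
    mud_url = opts[DHCP_OPT_MUD_URL_V4].decode("ascii")
    if not mud_url.startswith("https://"):            # RFC 8520 requires an https MUD URL
        raise ValueError(f"MUD URL must use https: {mud_url}")
    # A real manager fetches the file here and verifies its signature (RFC 8520) before
    # trusting any field in it; this example reads it from the constructed table.
    mud = fetch_mud(mud_url)["ietf-mud:mud"]
    zone = mud["thing-dnsname"].rstrip(".").lower()
    # Only register names in zones the operator has actually had delegated to the local server.
    if zone not in delegated_zones:
        raise ValueError(f"local DNS server is not authoritative for {zone}")
    return local_dns_record(opts[DHCP_OPT_HOSTNAME].decode("ascii"), zone, local_ip)


if __name__ == "__main__":
    url = "https://mud.example.com/camera-mud-httpslocal"
    print(process_discover(build_discover("cam-7f3a9c", url), {"nvr.example.com"}, "192.168.1.50"))
    try:
        process_discover(build_discover("www.bank.example", url), {"nvr.example.com"}, "192.168.1.51")
    except ValueError as e:
        print("rejected:", e)
```

The record string is in zone-file syntax so it can be fed to whatever update path the local server offers (a dynamic update, or appending to the delegated zone); what the example does not show is the MUD file signature check, which is the only thing that stops a device from pointing the manager at an arbitrary "thing-dnsname".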
To serve names under nvr.example.com, the local DNS server needs to have nvr.example.com delegated to it by the zone's owner (the vendor).
Is that in scope for MUD?
This example contains a new field, described below.
- "thing-dnsname": the domain name that forms the suffix of the Thing's FQDN (the Host Name from DHCP is prepended to it). Note that RFC 8520 requires any extension used in a MUD file to be declared in the "extensions" leaf-list and defined in a YANG module that augments ietf-mud; the example below omits that declaration.
{
"ietf-mud:mud": {
"mud-version": 1,
"mud-url": "https://mud.example.com/camera-mud-httpslocal",
"last-update": "2019-11-16T10:10:10+02:00",
"cache-validity": 48,
"is-supported": true,
"systeminfo": "MUD-enabled Network Camera which can be accessed by browser",
"thing-dnsname": "nvr.example.com",
"from-device-policy": {
"access-lists": {
"access-list": [
{
"name": "mud-22111-v4fr"
}
]
}
},
"to-device-policy": {
"access-lists": {
"access-list": [
{
"name": "mud-22111-v4to"
}
]
}
}
},
"ietf-access-control-list:acls": {
"acl": [
{
"name": "mud-22111-v4to",
"type": "ipv4-acl-type",
"aces": {
"ace": [
{
"name": "cl0-todev",
"matches": {
"ipv4": {
"ietf-acldns:src-dnsname": "fw-update.example.com",
"protocol": 6
},
"tcp": {
"ietf-mud:direction-initiated": "from-device",
"source-port": {
"operator": "eq",
"port": 443
}
}
},
"actions": {
"forwarding": "accept"
}
},
{
"name": "myctl0-todev",
"matches": {
"ietf-mud:mud": {
"my-controller": [
null
]
},
"ipv4": {
"protocol": 6
},
"tcp": {
"source-port": {
"operator": "eq",
"port": 443
}
}
},
"actions": {
"forwarding": "accept"
}
}
]
}
},
{
"name": "mud-22111-v4fr",
"type": "ipv4-acl-type",
"aces": {
"ace": [
{
"name": "cl0-frdev",
"matches": {
"ipv4": {
"ietf-acldns:dst-dnsname": "fw-update.example.com",
"protocol": 6
},
"tcp": {
"ietf-mud:direction-initiated": "from-device",
"destination-port": {
"operator": "eq",
"port": 443
}
}
},
"actions": {
"forwarding": "accept"
}
},
{
"name": "myctl0-frdev",
"matches": {
"ietf-mud:mud": {
"my-controller": [
null
]
},
"ipv4": {
"protocol": 6
},
"tcp": {
"destination-port": {
"operator": "eq",
"port": 443
}
}
},
"actions": {
"forwarding": "accept"
}
}
]
}
}
]
}
}