
mud's Introduction

Welcome to Manufacturer Usage Descriptions (MUD)

MUD is a form of IoT security that looks at ways by which manufacturers explain to network deployments what L3/L4 communication patterns they designed their devices to use.

The basic concept makes use of a URL that is put out by a device using one of several mechanisms, such as DHCP, LLDP, or as part of an 802.1AR certificate in an EAP-TLS/802.1X authentication. The network then resolves that URL to fetch a JSON-encoded, YANG-based policy.

What do you get for that?

The goal of MUD is to reduce the threat surface on a device to just that of those specific services on specific systems that are expected to communicate with a Thing.

The Good News

  • We're reusing DHCP, EAP-TLS, LLDP, 802.1AR, and HTTPS to do all of this.
  • All of this configures the network and so no new device agents are anticipated.
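The URL-emission step described above, as an added example that is not part of the MUD repository: a small parser that pulls the MUD URL out of a DHCPv4 option stream (option code 161, OPTION_MUD_URL_V4 per RFC 8520) and checks that it is an absolute https URL before anything is fetched. The option bytes are constructed here; the URL value is the one from the issue's sample MUD file.

```python
from urllib.parse import urlsplit

MUD_URL_OPTION = 161  # OPTION_MUD_URL_V4, RFC 8520 section 10.1
DHCP_OPT_PAD, DHCP_OPT_END = 0, 255


def parse_dhcp_options(blob: bytes) -> dict:
    """Parse a DHCPv4 option TLV stream into {code: raw_value}.

    Truncated option headers or values raise ValueError instead of
    silently yielding a partial URL.
    """
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == DHCP_OPT_END:
            break
        if code == DHCP_OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2 : i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def extract_mud_url(blob: bytes):
    """Return the MUD URL carried in the options, or None if absent.

    RFC 8520 requires the https scheme, so anything else is rejected
    here rather than handed to the policy fetcher.
    """
    raw = parse_dhcp_options(blob).get(MUD_URL_OPTION)
    if raw is None:
        return None
    url = raw.decode("utf-8")  # non-UTF-8 bytes raise UnicodeDecodeError
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"MUD URL must be an absolute https URL: {url!r}")
    return url


def build_sample_options(url: str) -> bytes:
    """Constructed DHCPv4 options: message type (53), MUD URL (161), end."""
    u = url.encode("utf-8")
    return bytes([53, 1, 1, MUD_URL_OPTION, len(u)]) + u + bytes([DHCP_OPT_END])
```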

mud's People

Contributors

dependabot[bot], einarnn, elear, lstn, mnot, rashshah, vafa-andalibi


mud's Issues

Mudmaker allows empty manufacturer name

I entered a null (no value) for the manufacturer when generating a MUD file. I got the following MUD file:

{
  "ietf-mud:mud": {
    "mud-version": 1,
    "mud-url": "https://sensor.nist.local/foo",
    "last-update": "2019-07-18T18:01:06+00:00",
    "cache-validity": 48,
    "is-supported": true,
    "systeminfo": "test device",
    "mfg-name": "NIST",
    "documentation": "https://www.nist.local",
    "model-name": "foo",
    "from-device-policy": {
      "access-lists": {
        "access-list": [
          {
            "name": "mud-63570-v4fr"
          }
        ]
      }
    },
    "to-device-policy": {
      "access-lists": {
        "access-list": [
          {
            "name": "mud-63570-v4to"
          }
        ]
      }
    }
  },
  "ietf-access-control-list:acls": {
    "acl": [
      {
        "name": "mud-63570-v4to",
        "type": "ipv4-acl-type",
        "aces": {
          "ace": [
          ]
        }
      },
      {
        "name": "mud-63570-v4fr",
        "type": "ipv4-acl-type",
        "aces": {
          "ace": [
          ]
        }
      }
    ]
  }
}

Demo code no longer working due to changes to mudmaker

It looks like the parsing in mud_controller.py (from your demo code) for the JSON files generated by mudmaker no longer works due to updates. Looks like there were also mixed whitespace errors.

It would be good to indicate that the demo code is out of date.

Mudmaker not generating ACEs.

A device may communicate with another device iff there is a FROM-DEVICE rule AND a TO-DEVICE rule allowing communication.

Based on this assumption (theorem ?) I think MUDMAKER is missing some ACEs. Consider a same-manufacturer rule. Device made by Manufacturer A can only talk to other devices made by A on port 80 TCP.

Here is the generated rule in the to-dev section

{
  "name": "myman0-todev",
  "matches": {
    "ietf-mud:mud": { "same-manufacturer": [ null ] },
    "ipv4": { "protocol": 6 },
    "tcp": { "source-port": { "operator": "eq", "port": 80 } }
  },
  "actions": { "forwarding": "accept" }
}

Here is the FROM-DEV ACE

{
  "name": "myman0-frdev",
  "matches": {
    "ietf-mud:mud": { "same-manufacturer": [ null ] },
    "ipv4": { "protocol": 6 },
    "tcp": { "destination-port": { "operator": "eq", "port": 80 } }
  },
  "actions": { "forwarding": "accept" }
}

Consider a device made by manufacturer A that wants to talk to another instance of itself. It uses source port 888 and destination port 80, TCP protocol.

The From-dev rule will match but there is no to-dev rule that will match! The packet is therefore dropped.

Solution:

An ACE has to be added in both From-dev and To-dev sections. Here is the revised to-dev

[
  {
    "name": "myman0-todev",
    "matches": {
      "ietf-mud:mud": { "same-manufacturer": [ null ] },
      "ipv4": { "protocol": 6 },
      "tcp": { "source-port": { "operator": "eq", "port": 80 } }
    },
    "actions": { "forwarding": "accept" }
  },
  {
    "name": "myman0-todev1",
    "matches": {
      "ietf-mud:mud": { "same-manufacturer": [ null ] },
      "ipv4": { "protocol": 6 },
      "tcp": { "destination-port": { "operator": "eq", "port": 80 } }
    },
    "actions": { "forwarding": "accept" }
  }
]

Thanks
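The both-directions rule this issue relies on, as an added example that is not part of the mud repository or of mudmaker: a small evaluator that replays the issue's flow (same manufacturer, TCP, source port 888, destination port 80) against the from-device ACL and the original versus revised to-device ACLs. The ACEs are constructed here to mirror the ones quoted above; only the "eq" port operator the issue uses is implemented.

```python
def same_mfg_tcp_ace(name, port_key, port):
    """Build an ACE shaped like the ones mudmaker emits for a same-manufacturer rule."""
    return {
        "name": name,
        "matches": {
            "ietf-mud:mud": {"same-manufacturer": [None]},
            "ipv4": {"protocol": 6},
            "tcp": {port_key: {"operator": "eq", "port": port}},
        },
        "actions": {"forwarding": "accept"},
    }


# Constructed ACLs mirroring the issue: from-dev matches dst 80, the original
# to-dev matches only src 80, the revised to-dev adds a dst-80 ACE.
ACL_FRDEV = [same_mfg_tcp_ace("myman0-frdev", "destination-port", 80)]
ACL_TODEV_ORIGINAL = [same_mfg_tcp_ace("myman0-todev", "source-port", 80)]
ACL_TODEV_REVISED = ACL_TODEV_ORIGINAL + [same_mfg_tcp_ace("myman0-todev1", "destination-port", 80)]


def ace_matches(ace, flow):
    """True if every match clause in the ACE agrees with the flow."""
    m = ace["matches"]
    if "same-manufacturer" in m.get("ietf-mud:mud", {}) and not flow["same_manufacturer"]:
        return False
    if "protocol" in m.get("ipv4", {}) and m["ipv4"]["protocol"] != flow["protocol"]:
        return False
    for key, flow_key in (("source-port", "src_port"), ("destination-port", "dst_port")):
        pm = m.get("tcp", {}).get(key)
        if pm is None:
            continue
        if pm["operator"] != "eq":
            raise ValueError(f"unsupported port operator {pm['operator']!r}")
        if pm["port"] != flow[flow_key]:
            return False
    return True


def acl_permits(aces, flow):
    """First-match evaluation with the implicit deny MUD ACLs end in."""
    for ace in aces:
        if ace_matches(ace, flow):
            return ace["actions"]["forwarding"] == "accept"
    return False


def flow_allowed(from_aces, to_aces, flow):
    """The issue's rule: the sender's from-dev ACL AND the receiver's to-dev ACL must accept."""
    return acl_permits(from_aces, flow) and acl_permits(to_aces, flow)
```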
