Operational Considerations for use of DNS in IoT devices
draft-ietf-opsawg-mud-iot-dns-considerations-01
OPSAWG Working Group M. Richardson
Internet-Draft Sandelman Software Works
Intended status: Best Current Practice 21 February 2021
Expires: 25 August 2021
Abstract
This document details concerns about how Internet of Things devices
use IP addresses and DNS names. The issue becomes acute as network
operators begin deploying RFC8520 Manufacturer Usage Description
(MUD) definitions to control device access.
This document explains the problem through a series of examples of
what can go wrong, and then provides some advice on how a device
manufacturer can best deal with these issues. The
recommendations have an impact upon device and network protocol
design.
{RFC-EDITOR, please remove. Markdown and issue tracker for this
document is at https://github.com/mcr/iot-mud-dns-considerations.git
}
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 25 August 2021.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
Richardson Expires 25 August 2021 [Page 1]
Internet-Draft mud-iot-dns February 2021
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Strategies to map names . . . . . . . . . . . . . . . . . . . 4
4. DNS and IP Anti-Patterns for IoT device Manufacturers . . . . 6
4.1. Use of IP address literals in-protocol . . . . . . . . . 6
4.2. Use of non-deterministic DNS names in-protocol . . . . . 7
4.3. Use of a too inclusive DNS name . . . . . . . . . . . . . 7
5. DNS privacy and outsourcing versus MUD controllers . . . . . 8
6. Recommendations to IoT device manufacturer on MUD and DNS usage . . 8
6.1. Consistently use DNS . . . . . . . . . . . . . . . . . . 9
6.2. Use primary DNS names controlled by the manufacturer . . 9
6.3. Use Content-Distribution Network with stable names . . . 9
6.4. Prefer DNS servers learnt from DHCP/Route Advertisements . . . . 9
7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 10
8. Security Considerations . . . . . . . . . . . . . . . . . . . 11
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 11
9.1. Normative References . . . . . . . . . . . . . . . . . . 11
9.2. Informative References . . . . . . . . . . . . . . . . . 13
Appendix A. Appendices . . . . . . . . . . . . . . . . . . . . . 14
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 14
1. Introduction
[RFC8520] provides a standardized way to describe how a specific-
purpose device makes use of Internet resources. Access Control Lists
(ACLs) can be defined in an RFC8520 Manufacturer Usage Description
(MUD) file that permit a device to access Internet resources by DNS
name.
Use of a DNS name rather than IP address in the ACL has many
advantages: not only does the layer of indirection permit the mapping
of name to IP address to be changed over time, it also generalizes
automatically to IPv4 and IPv6 addresses, as well as permitting
load balancing of traffic in many different common ways, including
by geography.
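To make the indirection concrete, the following added example (written for this page; it is not code from the draft or from any MUD implementation) shows what a MUD controller has to do with an ACL entry that names its destination by DNS name: expand the entry into one address-specific rule per A or AAAA answer, and recompute that expansion when a later lookup returns a different answer set. The ACL fragment is trimmed to the "aces" list and uses the ietf-acldns:dst-dnsname leaf that RFC 8520 defines; the host name, addresses and TTLs are constructed sample values, and the in-memory answer tables stand in for a real resolver so the code runs offline.

```python
import json
import ipaddress
from typing import List, Tuple

# Constructed MUD ACL fragment (trimmed to the ACE list). RFC 8520 places the
# ietf-acldns:dst-dnsname leaf inside the "ipv4" or "ipv6" match container,
# so one DNS name is referenced once per address family.
MUD_ACL_JSON = """
{
  "aces": { "ace": [
    {
      "name": "cloud-v4",
      "matches": {
        "ipv4": { "ietf-acldns:dst-dnsname": "updates.example.com", "protocol": 6 },
        "tcp":  { "destination-port": { "operator": "eq", "port": 443 } }
      },
      "actions": { "forwarding": "accept" }
    },
    {
      "name": "cloud-v6",
      "matches": {
        "ipv6": { "ietf-acldns:dst-dnsname": "updates.example.com", "protocol": 6 },
        "tcp":  { "destination-port": { "operator": "eq", "port": 443 } }
      },
      "actions": { "forwarding": "accept" }
    }
  ] }
}
"""

# Constructed DNS answers (not real records): name -> rrtype -> [(address, ttl)].
# A deployed MUD controller would query its resolver; this table lets the
# example run offline.
DNS_ANSWERS = {
    "updates.example.com": {
        "A":    [("192.0.2.10", 300), ("192.0.2.11", 300)],
        "AAAA": [("2001:db8::10", 300)],
    },
}

# Constructed answers seen on a later lookup: one IPv4 address has been
# swapped out, which is exactly the name-to-address change the text allows.
DNS_ANSWERS_LATER = {
    "updates.example.com": {
        "A":    [("192.0.2.10", 300), ("198.51.100.5", 60)],
        "AAAA": [("2001:db8::10", 300)],
    },
}


def expand_acl(acl_json: str, answers: dict) -> List[dict]:
    """Expand each DNS-named ACE into one address-specific rule per answer.

    The "ipv4" container is resolved with A records and "ipv6" with AAAA
    records, so the same name yields rules for both families.
    """
    acl = json.loads(acl_json)
    rules = []
    for ace in acl["aces"]["ace"]:
        matches = ace["matches"]
        for container, rrtype in (("ipv4", "A"), ("ipv6", "AAAA")):
            l3 = matches.get(container)
            if not l3 or "ietf-acldns:dst-dnsname" not in l3:
                continue
            name = l3["ietf-acldns:dst-dnsname"]
            port = matches.get("tcp", {}).get("destination-port", {}).get("port")
            for addr_text, ttl in answers.get(name, {}).get(rrtype, []):
                addr = ipaddress.ip_address(addr_text)
                # Guard against an answer of the wrong family for this container.
                assert (addr.version == 4) == (rrtype == "A")
                rules.append({
                    "ace": ace["name"],
                    "dst": str(addr),
                    "dport": port,
                    "action": ace["actions"]["forwarding"],
                    "ttl": ttl,
                })
    return rules


def rule_delta(old: List[dict], new: List[dict]) -> Tuple[set, set]:
    """Addresses to install and to remove after a re-resolution changes the
    answer set; the ACE text is unchanged, only its expansion moves."""
    old_dsts = {r["dst"] for r in old}
    new_dsts = {r["dst"] for r in new}
    return new_dsts - old_dsts, old_dsts - new_dsts


def min_ttl(rules: List[dict]) -> int:
    """Seconds until the expansion must be refreshed: the smallest TTL present."""
    return min(r["ttl"] for r in rules) if rules else 0


if __name__ == "__main__":
    first = expand_acl(MUD_ACL_JSON, DNS_ANSWERS)
    for rule in first:
        print(rule)
    later = expand_acl(MUD_ACL_JSON, DNS_ANSWERS_LATER)
    to_add, to_remove = rule_delta(first, later)
    print("install:", to_add, "remove:", to_remove, "refresh in:", min_ttl(later), "s")
```

The refresh interval follows the smallest TTL in the expansion, so a short TTL on one answer forces the whole name to be re-resolved that often; an enforcement point that kept the first expansion indefinitely would keep admitting an address the name no longer points at and block the one it now does.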