Network Working Group                                            B. Weis
Internet-Draft                                             Cisco Systems
Intended status: Standards Track                        October 25, 2016
Expires: April 28, 2017


          RADIUS Extensions for Manufacturer Usage Description
                        draft-weis-radext-mud-00

Abstract

   A Manufacturer Usage Description (MUD) is a file describing the
   expected use of a class of devices, usually an Internet of Things
   class of devices.  It is prepared by a manufacturer and placed on a
   generally available web server, and is addressable via a Uniform
   Resource Identifier (URI).  The URI is often included in a discovery
   protocol (e.g., DNS, LLDP).  A Network Access Server (NAS) in the
   path of the discovery protocol can collect and forward the URI to a
   RADIUS server, which processes the URI.  This draft defines the
   RADIUS extension needed for the NAS to forward the URI to the RADIUS
   server.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 28, 2017.

Copyright Notice

   Copyright (c) 2016 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents



Weis                     Expires April 28, 2017                 [Page 1]


Internet-Draft                 RADIUS-MUD                   October 2016


   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements notation . . . . . . . . . . . . . . . . . .   3
     1.2.  Terminology . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Acronyms and Abbreviations  . . . . . . . . . . . . . . . . .   4
   3.  Extended Attribute for the MUD URI  . . . . . . . . . . . . .   4
   4.  MUD URI processing  . . . . . . . . . . . . . . . . . . . . .   5
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   6.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
   7.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .   6
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   6
   Author's Address  . . . . . . . . . . . . . . . . . . . . . . . .   7

1.  Introduction

   Enterprise networks often use Port-Based Network Access Control
   [IEEE802.1X], where the Authentication Server is a RADIUS server
   [RFC2865].  In some cases a device will authenticate itself to the
   network using IEEE 802.1X with a digital certificate (e.g., an IEEE
   802.1AR Secure Device ID [IEEE802.1AR]) that has been placed into the
   device by the manufacturer.  Manufacturer Usage Description (MUD)
   [I-D.ietf-opsawg-mud] has defined an optional extension for digital
   certificates, which consists of a Uniform Resource Identifier (URI)
   that identifies the MUD file.  A MUD file contains identification and
   network access information for a particular class of device.  This
   information can be used to generate authorization policy such as an
   Access Control List (ACL) describing required network access for the
   device.

   However, there are cases where a MUD URI is not included in a
   device's digital certificate, where the device does not support the
   use of digital certificates, or where it does not even support an
   IEEE 802.1X Supplicant.  This will often be the case with IoT
   devices, which are a primary use case for MUD.  In each of these
   situations, a device could benefit from distributing a MUD URI in a
   discovery message (e.g., a DHCP or LLDP message as defined in
   [I-D.ietf-opsawg-mud]), in the hope that a network element will
   receive and consume it.

   As shown in Figure 1, a Network Access Server (NAS) can observe the
   discovery message carrying the MUD URI and forward the URI to a
   RADIUS server.  This can be done as part of a MAC Authentication
   Bypass (MAB) exchange.  MAB is a common alternative approach to
   port-based network access control, used for devices that cannot
   support an IEEE 802.1X Supplicant.  The RADIUS server and an
   associated MUD Controller (defined in [I-D.ietf-opsawg-mud]) work
   together to resolve the URI and translate the resulting MUD file
   into authorization policy.  The RADIUS server then distributes
   authorization RADIUS attributes (e.g., an ACL describing the required
   network access) to the NAS, which applies them to messages received
   from the device.

                                                RADIUS Server &
            Device            NAS               MUD Controller
              +                +                       |
              | (DHCP or LLDP) |                       |
              |     MUD URI    |                       |
              |  +-----------> |      (RADIUS)         |
              |                |  MUD URI ATTRIBUTE    |
              |                | +------------------>  |
              |                |                       |
              |                |   FILTER ATTRIBUTES   |
              |                | <-------------------+ |
              +                +                       +

                       Figure 1: RADIUS Message Flow

   The only missing piece in this workflow is the ability for the NAS to
   relay the MUD URI to the RADIUS server.  This draft defines a new
   RADIUS attribute for this purpose.  The expectation is that the MUD
   URI will be passed in Access Request or Accounting messages.

1.1.  Requirements notation

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

1.2.  Terminology

   The following key terms are used throughout this document:

   MUD Controller  An entity that requests a MUD file from the MUD
         server, and processes the MUD file upon receipt.

   MUD file  A file containing a MUD YANG file definition, as defined in
         [I-D.ietf-opsawg-mud].

   MUD URI  A URI pointing to a MUD file, typically located on a web
         server.

2.  Acronyms and Abbreviations

   The following acronyms and abbreviations are used throughout this
   document.

   DHCP  Dynamic Host Configuration Protocol

   IoT   Internet of Things

   LLDP  Link Layer Discovery Protocol

   MAB   MAC Authentication Bypass

   MUD   Manufacturer Usage Description

   NAS   Network Access Server

3.  Extended Attribute for the MUD URI

   This attribute is of type "TLV" as defined in the RADIUS Protocol
   Extensions [RFC6929].  It is named the MUD-URI Attribute, and is
   defined in Figure 2.

   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      Type     |     Length    | Extended-Type |    Value ...
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

                         Figure 2: MUD TLV format

   Type

      TBD1

   Length

      This field indicates the total length in octets of all fields of
      this attribute, including the Type, Length, and Extended-Type
      octets and the entire length of the Value.

   Extended-Type

      TBD2

   Value

      A MUD URI as defined in [I-D.ietf-opsawg-mud].  It MUST conform to
      the URI syntax defined in [RFC3986].

4.  MUD URI processing

   When a NAS receives a MUD URI, it forwards it to a RADIUS server
   using the Extended Attribute described in Section 3.

   When a RADIUS server receives a MUD URI, it works in conjunction with
   a MUD Controller to retrieve the MUD file and process it as described
   in [I-D.ietf-opsawg-mud].  Together they determine filter policies
   based on the MUD file, and the RADIUS server passes these filter
   policies to the NAS using commonly used RADIUS filter attributes.

   Finally, the NAS receives the RADIUS filter attributes and applies
   them to the network traffic associated with the new device.

5.  Security Considerations

   This document defines a RADIUS attribute, which does not affect the
   security considerations of the RADIUS protocol [RFC2865].

   Security considerations regarding the integrity of the MUD URI are
   outside the scope of this document, but it may be helpful to consider
   how a network using MAB might use a MUD URI.  Even when the MUD URI
   is received from an authenticated device, a NAS cannot be certain
   that the MUD file is correct for the device that proffers the URI,
   but it can use the MUD file as a hint as to the type of device.  A
   NAS may be able to correlate the claimed device type with other
   policy for this device obtained through other mechanisms.  It should
   also be noted that the intent of a MUD policy description is to
   severely limit the network access of the device (e.g., using
   filters), rather than to grant it wide access.  Therefore, proffering
   a MUD URI indicates a device's willingness to have its network access
   restricted rather than opened.

6.  IANA Considerations

   TBD1: One of the RADIUS Types that indicates an Extended Type

   TBD2: A RADIUS Extended Type value.

7.  Acknowledgements

   The author thanks Nancy Cam-Winget for her thoughtful review, which
   resulted in substantial improvements to the memo.

8.  References

8.1.  Normative References

   [I-D.ietf-opsawg-mud]
              Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage
              Description Specification", draft-ietf-opsawg-mud-01 (work
              in progress), September 2016.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <http://www.rfc-editor.org/info/rfc2119>.

   [RFC2865]  Rigney, C., Willens, S., Rubens, A., and W. Simpson,
              "Remote Authentication Dial In User Service (RADIUS)",
              RFC 2865, DOI 10.17487/RFC2865, June 2000,
              <http://www.rfc-editor.org/info/rfc2865>.

   [RFC3986]  Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
              Resource Identifier (URI): Generic Syntax", STD 66,
              RFC 3986, DOI 10.17487/RFC3986, January 2005,
              <http://www.rfc-editor.org/info/rfc3986>.

8.2.  Informative References

   [IEEE802.1AR]
              IEEE Computer Society, "802.1AR-2009 - IEEE Standard for
              Local and metropolitan area networks--Secure Device
              Identity", February 2010,
              <https://standards.ieee.org/findstds/standard/802.1AR-
              2009.html>.

   [IEEE802.1X]
              IEEE Computer Society, "802.1X-2010 - IEEE Standard for
              Local and metropolitan area networks--Port-Based Network
              Access Control", February 2010,
              <https://standards.ieee.org/findstds/standard/802.1X-
              2010.html>.

   [RFC6929]  DeKok, A. and A. Lior, "Remote Authentication Dial In User
              Service (RADIUS) Protocol Extensions", RFC 6929,
              DOI 10.17487/RFC6929, April 2013,
              <http://www.rfc-editor.org/info/rfc6929>.

Author's Address

   Brian Weis
   Cisco Systems
   170 W. Tasman Drive
   San Jose, California  95134-1706
   USA

   Phone: +1 408 526 4796
   Email: bew@cisco.com