Network Working Group B. Weis Internet-Draft Cisco Systems Intended status: Standards Track October 25, 2016 Expires: April 28, 2017 RADIUS Extensions for Manufacturer Usage Description draft-weis-radext-mud-00 Abstract A Manufacturer Usage Description (MUD) is a file describing the expected use of a class of devices, usually an Internet of Things class of devices. It is prepared by a manufacturer and placed on a generally available web server, and is addressable via a Uniform Resource Identifier (URI). The URI is often included in a discovery protocol (e.g., DNS, LLDP). A Network Access Server (NAS) in the path of the discovery protocol can collect and forward the URI to a RADIUS server, which processes the URI. This draft defines the RADIUS extension needed for the NAS to forward the URI to the RADIUS server. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on April 28, 2017. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents Weis Expires April 28, 2017 [Page 1] Internet-Draft RADIUS-MUD October 2016 carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements notation . . . . . . . . . . . . . . . . . . 3 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 2. Acronyms and Abbreviations . . . . . . . . . . . . . . . . . 4 3. Extended Attribute for the MUD URI . . . . . . . . . . . . . 4 4. MUD URI processing . . . . . . . . . . . . . . . . . . . . . 5 5. Security Considerations . . . . . . . . . . . . . . . . . . . 5 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 5 7. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 8.1. Normative References . . . . . . . . . . . . . . . . . . 6 8.2. Informative Reference . . . . . . . . . . . . . . . . . . 6 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 7 1. Introduction Enterprise networks often use Port-Based Network Access Control [IEEE802.1X], where the Authentication Server is a RADIUS server [RFC2865]. In some cases a device will authenticate itself to the network using IEEE 802.1X with a digital certificate (e.g., an IEEE 802.1AR Secure Device ID [IEEE802.1AR]) that has been placed into the device by the manufacturer. Manufacturer Usage Description (MUD) [I-D.ietf-opsawg-mud] has defined an optional extension for digital certificates, which consists of a Uniform Resource Identifier (URI) that identifies the MUD file. A MUD file contains identification and network access information for a particular class of device. This information can be used to generate authorization policy such as an Access Control List (ACL) describing required network access for the device. However, there are cases where a MUD URI is not included in a device's digital certificate, or it does not support the use of digital certificates, or may not even support an IEEE 802.1X Supplicant. This will often be the case with IoT devices, which is a primary use case for the use of MUD. In each of these situations, a device could benefit from distributing a MUD URI in a discovery message (e.g., a DHCP or LLDP message as defined in [I-D.ietf-opsawg-mud]), in hopes that a network element device will receive and consume it. Weis Expires April 28, 2017 [Page 2] Internet-Draft RADIUS-MUD October 2016 As shown in Figure 1, a Network Access Server (NAS) can observe the discovery message with the MUD URI and forward it to a RADIUS server. This can be done as part of a MAC Authentication Bypass (MAB) message. MAB is a common alternative approach of port-based network access control used for devices that cannot support a IEEE 802.1X Supplicant. The RADIUS server and an associated MUD Controller (defined in [I-D.ietf-opsawg-mud]) will work together to resolve the URI and translate the resulting MUD file into authorization policy. The RADIUS server distributes to the NAS authorization RADIUS attributes (e.g., an ACL describing required network access) to apply to messages received from the device. RADIUS Server & Device NAS MUD Controller + + | | (DHCP or LLDP) | | | MUD URI | | | +-----------> | (RADIUS) | | | MUD URI ATTRIBUTE | | | +------------------> | | | | | | FILTER ATTRIBUTES | | | <-------------------+ | + + + Figure 1: RADIUS Message Flow The only missing piece in this workflow is the ability for the NAS to relay the MUD URI to the RADIUS server. This draft defines a new RADIUS attribute for this purpose. The expectation is that the MUD URI will be passed in Access Request or Accounting messages. 1.1. Requirements notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 1.2. Terminology The following key terms are used throughout this document: MUD Controller An entity that requests a MUD file from the MUD server, and processes the MUD file upon receipt. MUD file A file containing a MUD Yang file definition, as defined in [I-D.ietf-opsawg-mud] Weis Expires April 28, 2017 [Page 3] Internet-Draft RADIUS-MUD October 2016 MUD URI A URI pointing to a MUD file, typically located on a web server. 2. Acronyms and Abbreviations The following acronyms and abbreviations are used throughout this document DHCP Dynamic Host Configuration Protocol IoT Internet of Things LLDP Link Layer Discovery Protocol MAB MAC Authentication Bypass MUD Manufacturer Usage Description NAS Network Access Server 3. Extended Attribute for the MUD URI This attribute is of type "TLV" as defined in the RADIUS Protocol Extensions [RFC6929]. It is named the MUD-URI Attribute, and is defined in Figure 2. 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type | Length | Extended-Type | Value ... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 2: MUD TLV format Type TBD1 Length This field indicates the total length in bytes of all fields of this attribute, including the Type, Length, Extended-Type, and the entire length of the Value. Extended-Type TBD2 Weis Expires April 28, 2017 [Page 4] Internet-Draft RADIUS-MUD October 2016 Value A MUD URI as defined in [I-D.ietf-opsawg-mud], and MUST conform to the syntax defined a URI [RFC3986]. 4. MUD URI processing When a NAS receives a MUD URI, it forwards it to a RADIUS server using the Extended Attribute described in Section 3. When a RADIUS server receives a MUD URI, it works in conjunction with a MUD Controller to retrieve the MUD file and processes it as described in [I-D.ietf-opsawg-mud]. They determine filter policies based on the MUD file, and the RADIUS server passes these filter policies to the NAS using commonly used RADIUS filter attributes. Finally, the NAS receives the RADIUS filter attributes and applies them to the network traffic associated with the new device. 5. Security Considerations This document defines a RADIUS attribute, which does not affect the security considerations of the RADIUS protocol [RFC2865]. Security considerations regarding the integrity of the MUD URI are outside the scope of this document, but it may be helpful to consider how a network using MAB might use a MUD URI. When retrieved from an authenticated device a NAS does not absolutely know if this MUD file is correct for the device that proffers the MUD URI, but it can use the MUD file as a hint as to the type of device. A NAS may be able to correlate the claimed device type with other policy for this device using other mechanisms. It should also be noted that the intent of a MUD policy description is to severely limit the network access of the device (e.g., using filters), rather than grant wide access to a device. Therefore, the action of proffering a MUD URI indicates a willingness to have its network access restricted rather than opened. 6. IANA Considerations TBD1: One of the RADIUS Types that indicates an Extended Type TBD2: A RADIUS Extended Type value. Weis Expires April 28, 2017 [Page 5] Internet-Draft RADIUS-MUD October 2016 7. Acknowledgements The author thanks Nancy Cam-Winget for her thoughtful review, which resulted in substantial improvements to the memo. 8. References 8.1. Normative References [I-D.ietf-opsawg-mud] Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage Description Specification", draft-ietf-opsawg-mud-01 (work in progress), September 2016. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC2865] Rigney, C., Willens, S., Rubens, A., and W. Simpson, "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, DOI 10.17487/RFC2865, June 2000, . [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform Resource Identifier (URI): Generic Syntax", STD 66, RFC 3986, DOI 10.17487/RFC3986, January 2005, . 8.2. Informative Reference [IEEE802.1AR] IEEE Computer Society, "802.1AR-2009 - IEEE Standard for Local and metropolitan area networks--Secure Device Identity", February 2010, . [IEEE802.1X] IEEE Computer Society, "802.1X-2010 - IEEE Standard for Local and metropolitan area networks--Port-Based Network Access Control", February 2010, . Weis Expires April 28, 2017 [Page 6] Internet-Draft RADIUS-MUD October 2016 [RFC6929] DeKok, A. and A. Lior, "Remote Authentication Dial In User Service (RADIUS) Protocol Extensions", RFC 6929, DOI 10.17487/RFC6929, April 2013, . Author's Address Brian Weis Cisco Systems 170 W. Tasman Drive San Jose, California 95134-1706 USA Phone: +1 408 526 4796 Email: bew@cisco.com Weis Expires April 28, 2017 [Page 7]