MANUFACTURER USE OF LOCAL POSTURE INFORMATION TO INFORM LOCAL DEPLOYMENTS OF CONFIGURATION RECOMMENDATIONS

IP.com Disclosure Number: IPCOM000249727D
Publication Date: 2017-Mar-28
Document File: 6 page(s) / 462K

Publishing Venue

The IP.com Prior Art Database

Related People

Eliot Lear: AUTHOR [+3]

Abstract

A combined use of Manufacturing Usage Descriptions (MUD) and Network Endpoint Assessment (NEA) is provided such that a MUD controller retrieves finer grain access control information than otherwise would be provided. Manufacturers may thus inform their customers of appropriate network treatment for a specific model of device based on the posture of a given device, while at the same time scaling to large numbers (e.g., tens of millions) of devices. The process allows for the MUD Uniform Resource Identifier (URI) and other X.509 attributes to remain constant, while also providing for variance of software attributes, such as operating system and installed packages.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 33% of the total text.

Copyright 2017 Cisco Systems, Inc.

AUTHORS: Eliot Lear, Max Pritikin, Dan Wing

CISCO SYSTEMS, INC.

DETAILED DESCRIPTION

Network administrators deploying devices on a network need to apply appropriate policies that restrict the devices to the types and forms of network traffic that are reasonable for the device. For example, it is not reasonable for an IoT-enabled coffee machine to stream large quantities of breakroom audio data to Nigeria.

Manufacturing usage descriptions (MUD) offer a way for manufacturers to provide policy/configuration recommendations to enterprises with regard to specific models of devices. One scaling property of MUD is that those recommendations do not change based on the deployment. In its most secure form, the MUD Uniform Resource Identifier (URI) (e.g., Uniform Resource Locator (URL)) is entirely invariant as far as the client is concerned, and neither the operational network nor the manufacturer can discern state information on the device and adjust policy accordingly. As such, it is difficult to vary MUD recommendations while holding constant the MUD URL that the device provides to the network.

For example, newly enabled device functionality might automatically brew additional coffee based on ambient noise and cloud analytics that control predictive coffee brewing. The MUD recommendations may therefore be influenced by local conditions (e.g., the actual version of software/firmware that is running on a device).

As described herein, Internet Engineering Task Force (IETF) draft-ietf-opsawg-mud, which sets out a Yet Another Next Generation (YANG) access control list (ACL) model that typically provides MUD in the form of ACLs, is extended to include target posture for the devices. For example, the model may be extended to indicate that coffee machines with firmware version A are to have ACLs applied that do not allow communications back to cloud resources, but that devices with firmware version B (e.g., with voice control and ambient noise analytics) are allowed to communicate with specific cloud resources. Similarly, the appropriate behavior for devices that are running an unknown firmware version may be specified, for examp...
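The posture-conditional ACL selection described above (firmware A, firmware B, unknown firmware), as an added example that is not part of the disclosure or of any IETF schema: a minimal Python MUD-controller routine that picks ACL names from a constructed MUD file using a hypothetical `posture-policy` extension and the firmware version reported for the device over NEA. The extension name, its field names, the ACL names and the `DEFAULT_DENY` fallback are assumptions; the MUD URL stays constant and only the ACL choice varies with posture.

```python
import json

# Constructed sample MUD file. The "posture-policy" list is a hypothetical
# extension standing in for the posture-aware YANG extension the disclosure
# proposes; it is not part of the published MUD schema. Each entry names the
# firmware versions it covers and the ACLs the controller should install.
MUD_FILE = json.loads("""
{
  "ietf-mud:mud": {
    "mud-url": "https://example.com/coffee-machine.json",
    "posture-policy": [
      {"firmware": ["A"], "access-lists": ["deny-cloud"]},
      {"firmware": ["B"], "access-lists": ["allow-voice-cloud", "deny-cloud"]},
      {"firmware": "unknown", "access-lists": ["quarantine"]}
    ]
  }
}
""")

# Assumed controller default when the manufacturer specifies no "unknown"
# policy: a device whose posture cannot be classified gets no network access.
DEFAULT_DENY = ["deny-all"]


def select_acls(mud, posture):
    """Return the ACL names to install for one device.

    `posture` is the attribute set reported for the device over NEA, e.g.
    {"firmware-version": "B"}. The MUD URL itself is never consulted here:
    it stays constant across all postures, and only the ACL choice varies.
    """
    policies = mud["ietf-mud:mud"].get("posture-policy", [])
    version = posture.get("firmware-version")
    fallback = DEFAULT_DENY
    for policy in policies:
        match = policy["firmware"]
        if match == "unknown":
            fallback = policy["access-lists"]  # manufacturer-specified fallback
        elif version is not None and version in match:
            return list(policy["access-lists"])
    # Unreported or unrecognised firmware: fallback, never a permissive default.
    return list(fallback)


if __name__ == "__main__":
    for reported in ({"firmware-version": "A"}, {"firmware-version": "B"},
                     {"firmware-version": "Z"}, {}):
        print(reported, "->", select_acls(MUD_FILE, reported))
```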