Closed elear closed 5 years ago
elear
commented
5 years ago I'm thinking about solving this in a sort of dumb way, which would be good enough for small deployments. Create a daemon that subscribes to DNS names, and then just look them up periodically. You could have multiple of these daemons report their results back into the MUD Manager, who then is responsible for managing the necessary SOAs.
iggy2028
commented
5 years ago Do you expect that IoT device manager mappings to vary frequently? I can't imagine that their DNS mappings will change as frequently as large web properties that might regularly change the pool of IP addresses. Resolving the names at the time of on boarding instead might be sufficient. It's likely that the RADIUS server will be forwarding another Accounting-Request for this device from time to time, or frequently pass the MUD URL in accounting messages which could cause a re-evalution. Perhaps it might not be necessary to re-evaluate the mapping every time a device asks for an ACL with an address that has been mapped, so there could be a cache timeout to reduce constantly resolving the same name.
iggy2028
commented
5 years ago If the daemon approach is taken, then the MUD manager needs to find all of the references in MUD files to that DNS name and send a CoA to each NAS for each device that it has associated with each MUD URL. The basic infrastructure is there to do this, but it would be quite a lot of work.
elear
commented
5 years ago The thing is, I expect these addresses to occasionally vary based on many factors, including networking conditions. But you're right: it's not a small amount of code. It might even be too much for 2.0.
elear
commented
5 years ago PR #25 provides DNS lookups. This means that the DNS doesn't have to be in the config, but can be still for testing purposes.
Right now DNS src/dst names are in the config. Either resolve these names at time of onboarding or have a process that updates the mapping.