MUD files and ACLs
DAQ uses MUD files to enforce network policies at port level.
The following tutorial explains where MUD files are located and how to generate network access control lists that are compatible with Faucet.
MUD files are located inside the `mud_files` directory. To show the content of this folder, type the following command in the terminal:

```sh
ls mud_files/
```

This will show the available MUD files and it will look similar to this:

```
bacnet_frdev.json bacnet.json bacnet_todev.json controller.json default.json lightbulb.json telnet.json
```
Several MUD files are provided for initial testing. When assigned to a device, they restrict the device to communicating on a specific port and in a specific direction. For instance:

- The `default.json` MUD file is the smallest example; it does not allow the device to communicate at all.

  ```json
  {
    "ietf-mud:mud": {
      "mud-version": 1,
      "last-update": "2018-03-02T11:20:51+01:00",
      "cache-validity": 48,
      "is-supported": true
    }
  }
  ```
- The `bacnet.json` MUD file is a minimalistic example that allows only communication over port 47808 in both inbound and outbound directions. Port 47808 (BAC0 in base 16) is the port used by the BACnet protocol.

  ```json
  {
    "ietf-mud:mud": {
      "mud-version": 1,
      "mud-url": "https://digital-building.org/mud/bacnet",
      "last-update": "2018-09-23T20:43:36+02:00",
      "cache-validity": 48,
      "is-supported": true,
      "systeminfo": "Generic BACnet device",
      "from-device-policy": {
        "access-lists": {
          "access-list": [
            {
              "name": "mud-58064-v4fr"
            }
          ]
        }
      },
      "to-device-policy": {
        "access-lists": {
          "access-list": [
            {
              "name": "mud-58064-v4to"
            }
          ]
        }
      }
    },
    "ietf-access-control-list:acls": {
      "acl": [
        {
          "name": "mud-58064-v4to",
          "type": "ipv4-acl-type",
          "aces": {
            "ace": [
              {
                "name": "bacnet-todev",
                "matches": {
                  "ietf-mud:mud": {
                    "controller": "bacnet"
                  },
                  "ipv4": {
                    "protocol": 17
                  },
                  "udp": {
                    "source-port": {
                      "operator": "eq",
                      "port": 47808
                    },
                    "destination-port": {
                      "operator": "eq",
                      "port": 47808
                    }
                  }
                },
                "actions": {
                  "forwarding": "accept"
                }
              }
            ]
          }
        },
        {
          "name": "mud-58064-v4fr",
          "type": "ipv4-acl-type",
          "aces": {
            "ace": [
              {
                "name": "bacnet-frdev",
                "matches": {
                  "ietf-mud:mud": {
                    "controller": "bacnet"
                  },
                  "ipv4": {
                    "protocol": 17
                  },
                  "udp": {
                    "destination-port": {
                      "operator": "eq",
                      "port": 47808
                    },
                    "source-port": {
                      "operator": "eq",
                      "port": 47808
                    }
                  }
                },
                "actions": {
                  "forwarding": "accept"
                }
              }
            ]
          }
        }
      ]
    }
  }
  ```
Invoke the `mudacl` command to generate the ACLs:

```sh
bin/mudacl
```
The output of the first run will look similar to this (the Gradle dependency downloads happen only the first time):

```
Starting a Gradle Daemon.
Download https://plugins.gradle.org/m2/com/github/jengelman/gradle/plugins/shadow/4.0.1/shadow-4.0.1.pom
Download https://plugins.gradle.org/m2/org/jdom/jdom2/2.0.6/jdom2-2.0.6.pom
Download https://plugins.gradle.org/m2/org/ow2/asm/asm/6.2.1/asm-6.2.1.pom
Download https://plugins.gradle.org/m2/org/ow2/asm/asm-commons/6.2.1/asm-commons-6.2.1.pom
Download https://plugins.gradle.org/m2/org/ow2/ow2/1.5/ow2-1.5.pom
Download https://plugins.gradle.org/m2/commons-io/commons-io/2.5/commons-io-2.5.pom
Download https://plugins.gradle.org/m2/org/apache/ant/ant/1.9.7/ant-1.9.7.pom
Download https://plugins.gradle.org/m2/org/apache/commons/commons-parent/39/commons-parent-39.pom
Download https://plugins.gradle.org/m2/org/apache/apache/16/apache-16.pom
Download https://plugins.gradle.org/m2/org/apache/ant/ant-parent/1.9.7/ant-parent-1.9.7.pom
Download https://plugins.gradle.org/m2/org/codehaus/plexus/plexus-utils/3.0.24/plexus-utils-3.0.24.pom
Download https://plugins.gradle.org/m2/org/apache/logging/log4j/log4j-core/2.11.0/log4j-core-2.11.0.pom
Download https://plugins.gradle.org/m2/org/codehaus/plexus/plexus/4.0/plexus-4.0.pom
Download https://plugins.gradle.org/m2/org/sonatype/forge/forge-parent/10/forge-parent-10.pom
Download https://plugins.gradle.org/m2/org/apache/logging/log4j/log4j/2.11.0/log4j-2.11.0.pom
Download https://plugins.gradle.org/m2/org/apache/logging/logging-parent/1/logging-parent-1.pom
Download https://plugins.gradle.org/m2/org/apache/apache/18/apache-18.pom
Download https://plugins.gradle.org/m2/org/vafer/jdependency/1.3/jdependency-1.3.pom
Download https://plugins.gradle.org/m2/org/ow2/asm/asm-analysis/6.2.1/asm-analysis-6.2.1.pom
Download https://plugins.gradle.org/m2/org/ow2/asm/asm-tree/6.2.1/asm-tree-6.2.1.pom
Download https://plugins.gradle.org/m2/org/apache/ant/ant-launcher/1.9.7/ant-launcher-1.9.7.pom
Download https://plugins.gradle.org/m2/org/apache/logging/log4j/log4j-api/2.11.0/log4j-api-2.11.0.pom
Download https://plugins.gradle.org/m2/org/ow2/asm/asm-util/6.0/asm-util-6.0.pom
Download https://plugins.gradle.org/m2/org/ow2/asm/asm-parent/6.0/asm-parent-6.0.pom
Download https://plugins.gradle.org/m2/org/ow2/ow2/1.3/ow2-1.3.pom
Download https://plugins.gradle.org/m2/commons-io/commons-io/2.6/commons-io-2.6.pom
Download https://plugins.gradle.org/m2/org/apache/commons/commons-parent/42/commons-parent-42.pom
Download https://plugins.gradle.org/m2/org/jdom/jdom2/2.0.6/jdom2-2.0.6.jar
Download https://plugins.gradle.org/m2/com/github/jengelman/gradle/plugins/shadow/4.0.1/shadow-4.0.1.jar
Download https://plugins.gradle.org/m2/org/vafer/jdependency/1.3/jdependency-1.3.jar
Download https://plugins.gradle.org/m2/org/ow2/asm/asm-commons/6.2.1/asm-commons-6.2.1.jar
Download https://plugins.gradle.org/m2/org/ow2/asm/asm-util/6.0/asm-util-6.0.jar
Download https://plugins.gradle.org/m2/org/ow2/asm/asm-analysis/6.2.1/asm-analysis-6.2.1.jar
Download https://plugins.gradle.org/m2/org/ow2/asm/asm-tree/6.2.1/asm-tree-6.2.1.jar
Download https://plugins.gradle.org/m2/commons-io/commons-io/2.6/commons-io-2.6.jar
Download https://plugins.gradle.org/m2/org/ow2/asm/asm/6.2.1/asm-6.2.1.jar
Download https://plugins.gradle.org/m2/org/apache/ant/ant/1.9.7/ant-1.9.7.jar
Download https://plugins.gradle.org/m2/org/codehaus/plexus/plexus-utils/3.0.24/plexus-utils-3.0.24.jar
Download https://plugins.gradle.org/m2/org/apache/ant/ant-launcher/1.9.7/ant-launcher-1.9.7.jar
Download https://plugins.gradle.org/m2/org/apache/logging/log4j/log4j-core/2.11.0/log4j-core-2.11.0.jar
Download https://plugins.gradle.org/m2/org/apache/logging/log4j/log4j-api/2.11.0/log4j-api-2.11.0.jar
BUILD SUCCESSFUL in 24s
2 actionable tasks: 2 executed
Running regression test.
Writing output files to /opt/daq/mudacl/out/acl_templates
Writing output files to /opt/daq/mudacl/out/port_acls
Compare out/acl_templates/ with setup/acl_templates/...
Compare out/port_acls/ with setup/port_acls/...
Loading config from local/system.conf
BUILD SUCCESSFUL in 1s
2 actionable tasks: 2 up-to-date
Executing mudacl generator on mud_files/...
Writing output files to /opt/daq/inst/acl_templates
inst/acl_templates:
total 36
-rw-r--r-- 1 root root 540 Dec 21 17:01 template_bacnet_acl.yaml
-rw-r--r-- 1 root root 332 Dec 21 17:01 template_bacnet_frdev_acl.yaml
-rw-r--r-- 1 root root 332 Dec 21 17:01 template_bacnet_todev_acl.yaml
-rw-r--r-- 1 root root 768 Dec 21 17:01 template_baseline_acl.yaml
-rw-r--r-- 1 root root 1452 Dec 21 17:01 template_controller_acl.yaml
-rw-r--r-- 1 root root 78 Dec 21 17:01 template_default_acl.yaml
-rw-r--r-- 1 root root 1442 Dec 21 17:01 template_lightbulb_acl.yaml
-rw-r--r-- 1 root root 258 Dec 21 17:01 template_raw_acl.yaml
-rw-r--r-- 1 root root 496 Dec 21 17:01 template_telnet_acl.yaml
inst/port_acls:
total 0
```
This means that the initial build process has gone well and that `bin/mudacl` has created the respective ACL files inside the `inst/acl_templates` directory.

For example, the `bacnet.json` MUD file has been converted to the following ACL YAML file:

```sh
cat inst/acl_templates/template_bacnet_acl.yaml
```
```yaml
---
acls:
  '@from:template_bacnet_acl':
  - rule:
      description: "type bacnet rule bacnet-frdev"
      dl_type: "0x0800"
      dl_src: "@mac:bacnet"
      nw_proto: 17
      nw_dst: "@ctrl:bacnet"
      udp_src: 47808
      udp_dst: 47808
      actions:
        allow: 1
  '@to:template_bacnet_acl':
  - rule:
      description: "type bacnet rule bacnet-todev"
      dl_type: "0x0800"
      dl_dst: "@mac:bacnet"
      nw_proto: 17
      nw_src: "@ctrl:bacnet"
      udp_src: 47808
      udp_dst: 47808
      actions:
        allow: 1
```
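To make the MUD-to-Faucet mapping above concrete, here is an added Python example that re-implements the translation visible on this page (`bacnet.json` in, the `template_bacnet_acl.yaml` structure out). It is not DAQ's `mudacl` tool and is not taken from the DAQ project; the `mud_to_faucet` and `_ace_to_rule` names, the handling of `tcp` matches and of `drop` as `allow: 0`, and the idea that `@mac:` / `@ctrl:` are placeholders filled in later are assumptions, since the page only shows the UDP/accept case. The sample MUD documents are constructed from the two JSON files shown above.

```python
"""Added example (not DAQ's mudacl): the MUD -> Faucet ACL template mapping
visible in this tutorial, re-implemented in Python. Assumptions are marked."""
import json

# Constructed input: the bacnet.json shown above, as a Python dict (fields the
# converter does not read, such as mud-url and last-update, are omitted).
BACNET_MUD = {
    "ietf-mud:mud": {
        "mud-version": 1, "systeminfo": "Generic BACnet device",
        "from-device-policy": {"access-lists": {"access-list": [{"name": "mud-58064-v4fr"}]}},
        "to-device-policy": {"access-lists": {"access-list": [{"name": "mud-58064-v4to"}]}},
    },
    "ietf-access-control-list:acls": {"acl": [
        {"name": "mud-58064-v4to", "type": "ipv4-acl-type", "aces": {"ace": [{
            "name": "bacnet-todev",
            "matches": {"ietf-mud:mud": {"controller": "bacnet"}, "ipv4": {"protocol": 17},
                        "udp": {"source-port": {"operator": "eq", "port": 47808},
                                "destination-port": {"operator": "eq", "port": 47808}}},
            "actions": {"forwarding": "accept"}}]}},
        {"name": "mud-58064-v4fr", "type": "ipv4-acl-type", "aces": {"ace": [{
            "name": "bacnet-frdev",
            "matches": {"ietf-mud:mud": {"controller": "bacnet"}, "ipv4": {"protocol": 17},
                        "udp": {"destination-port": {"operator": "eq", "port": 47808},
                                "source-port": {"operator": "eq", "port": 47808}}},
            "actions": {"forwarding": "accept"}}]}},
    ]},
}

# Constructed input: default.json from the tutorial (no policies at all).
DEFAULT_MUD = {"ietf-mud:mud": {"mud-version": 1, "cache-validity": 48, "is-supported": True}}

# How each MUD policy direction maps onto Faucet match keys, as seen in the
# generated template: from-device rules match the device as L2 source and the
# controller as L3 destination; to-device rules are the mirror image.
DIRECTIONS = {
    "from-device-policy": ("@from", "dl_src", "nw_dst"),
    "to-device-policy": ("@to", "dl_dst", "nw_src"),
}


def _policy_acl_names(mud, policy_key):
    """Names of the ACLs referenced by one policy direction (empty if absent)."""
    policy = mud["ietf-mud:mud"].get(policy_key, {})
    return [ref["name"] for ref in policy.get("access-lists", {}).get("access-list", [])]


def _ace_to_rule(ace, device, mac_key, ctrl_key):
    """Translate one MUD ACE into one Faucet rule dict (key order matches the template)."""
    m = ace["matches"]
    rule = {"description": f"type {device} rule {ace['name']}",
            "dl_type": "0x0800",            # ipv4-acl-type -> EtherType IPv4
            mac_key: f"@mac:{device}"}      # placeholder DAQ fills in per device (assumption)
    if "protocol" in m.get("ipv4", {}):
        rule["nw_proto"] = m["ipv4"]["protocol"]
    controller = m.get("ietf-mud:mud", {}).get("controller")
    if controller:
        rule[ctrl_key] = f"@ctrl:{controller}"  # placeholder for the controller's address
    for l4 in ("udp", "tcp"):               # tcp handling is an assumption; the page shows udp only
        for mud_key, faucet_key in (("source-port", f"{l4}_src"), ("destination-port", f"{l4}_dst")):
            spec = m.get(l4, {}).get(mud_key)
            if spec is None:
                continue
            if spec.get("operator") != "eq":   # range operators do not map to a single Faucet match
                raise ValueError(f"unsupported port operator in ACE {ace['name']}: {spec.get('operator')}")
            rule[faucet_key] = spec["port"]
    forwarding = ace["actions"]["forwarding"]
    if forwarding not in ("accept", "drop"):
        raise ValueError(f"unsupported forwarding action in ACE {ace['name']}: {forwarding}")
    rule["actions"] = {"allow": 1 if forwarding == "accept" else 0}  # drop -> allow: 0 is an assumption
    return {"rule": rule}


def mud_to_faucet(mud, device):
    """Build the Faucet 'acls' structure for one device, keyed like DAQ's template file.

    A MUD file with no policies (default.json) yields two empty rule lists, so the
    device gets no allow rules at all, which is the behaviour the tutorial describes.
    """
    acl_index = {acl["name"]: acl for acl in mud.get("ietf-access-control-list:acls", {}).get("acl", [])}
    acls = {}
    for policy_key, (prefix, mac_key, ctrl_key) in DIRECTIONS.items():
        rules = []
        for acl_name in _policy_acl_names(mud, policy_key):
            acl = acl_index[acl_name]       # KeyError here means the MUD file references a missing ACL
            if acl["type"] != "ipv4-acl-type":
                raise ValueError(f"only ipv4-acl-type is handled, got {acl['type']} in {acl_name}")
            rules.extend(_ace_to_rule(ace, device, mac_key, ctrl_key) for ace in acl["aces"]["ace"])
        acls[f"{prefix}:template_{device}_acl"] = rules
    return {"acls": acls}


if __name__ == "__main__":
    # Shown as JSON; DAQ writes the equivalent structure as YAML.
    print(json.dumps(mud_to_faucet(BACNET_MUD, "bacnet"), indent=2))
```

Running the script prints the same two rules as `template_bacnet_acl.yaml` above, in the same key order. The converter deliberately refuses anything the page does not show a mapping for (non-IPv4 ACL types, port operators other than `eq`, forwarding actions other than accept/drop) rather than silently emitting a rule that is looser than the MUD file intended; a failed conversion is preferable to a permissive ACL on a device port.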
Go to the next tutorial > Device specifications and groups