Telling the network what type of device you are: emitting the MUD URL
Part of the challenge network administrators face is determining what any given device is, that is, classifying the device. The other part of the challenge is linking that classification to a policy. Manufacturer Usage Description (MUD) addresses both challenges: the MUD file describes what sort of network access a device needs, and the MUD URL points to that description.
Step 1: Know what MUD URL you are going to assign
The MUD URL points to the web server on which your MUD file will reside. RFC 8520 requires the URL to use the https scheme, so that a MUD manager can authenticate the server it fetches the file from, and it requires the file to be signed (a detached CMS signature, referenced from the file's mud-signature element) so that the manager can verify the file came from you. Serve the file with the application/mud+json media type. You can test that the MUD URL is correct by visiting it in a browser and confirming that the correct MUD file for your device appears; this means you must already have placed the MUD file there. (A browser only shows that the file is reachable; a MUD manager will also check the server's TLS certificate and the signature.) You can even drop the file on box.com, GitHub, or a similar service. Wherever you place it, devices using that MUD URL will look to that location for the rest of their lives, so choose a hostname you control and intend to keep.
Step 2: Decide how the local deployment should learn what the MUD URL for your device is.
There are four ways that deployments can learn of your device's MUD URL:
LLDP: IEEE 802.1AB, better known as LLDP, is a standard that devices use to periodically announce information about themselves and to learn about their neighbours. RFC 8520 specifies an organizationally specific LLDP TLV (IANA OUI 00-00-5E, subtype 1) that carries the MUD URL. To emit the MUD URL via LLDP on Linux, you can use lldpd's lldpcli command (or a simple script) to announce a given MUD URL. Use LLDP when your device supports neither DHCP nor certificate-based authentication.

DHCP: RFC 8520 specifies two new options that carry the MUD URL, option 161 for DHCPv4 and option 112 for DHCPv6. For Linux-based devices using ISC dhclient, add the following to dhclient.conf:

    option mudurl code 161 = text;
    send mudurl "https://www.example.com/yourmudfile.json";

For Linux-based devices using dhcpcd, specify the MUD URL in dhcpcd.conf as follows:

    mudurl "https://www.example.com/yourmudfile.json"

Device certificates: If you already install IEEE 802.1AR (IDevID) or similar certificates in your device for IEEE 802.1X authentication, no configuration changes on the device are necessary. Instead, the certificate itself carries the MUD URL in the X.509 extension that RFC 8520 defines, so the CA that issues your device certificates must include that extension.

Manual configuration: In this case the device does not emit the MUD URL at all; you list the URL in your documentation, and the administrator must import it into the MUD manager by hand.
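It helps to see what the first two carriers actually put on the wire. The Python below is an added example written for this page, not code from the original article or from any MUD implementation: it validates a MUD URL the way RFC 8520 requires (https only), encodes it as DHCPv4 option 161, DHCPv6 option 112 and the LLDP organizationally specific TLV (IANA OUI 00-00-5E, subtype 1), and parses it back out of constructed packets the way a MUD manager or an LLDP-aware switch would. The URL is the page's placeholder; the DHCP options field, the LLDPDU and the MAC address in it are constructed sample data, and the 255-octet length limit is the DHCPv4 option-length constraint applied to all three carriers as a simplification.

```python
"""MUD URL on the wire per RFC 8520: DHCPv4 option 161, DHCPv6 option 112, and the
IEEE 802.1AB org-specific LLDP TLV (IANA OUI 00-00-5E, subtype 1). Added example."""
import struct
from urllib.parse import urlsplit

OPTION_MUD_URL_V4 = 161       # RFC 8520 DHCPv4 option code
OPTION_MUD_URL_V6 = 112       # RFC 8520 DHCPv6 option code
LLDP_TLV_ORG_SPECIFIC = 127   # IEEE 802.1AB organizationally specific TLV type
IANA_OUI = b"\x00\x00\x5e"    # OUI RFC 8520 assigns to the MUD URL TLV
MUD_LLDP_SUBTYPE = 1
MUD_URL = "https://www.example.com/yourmudfile.json"   # placeholder URL from the page


def validate_mud_url(url: str) -> bytes:
    """ASCII bytes of the URL, or ValueError. RFC 8520 requires https; the 255-octet
    cap is the DHCPv4 one-octet option length, applied to every carrier here."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("MUD URL must be an absolute https URL: %r" % url)
    raw = url.encode("ascii")   # UnicodeEncodeError is a ValueError subclass
    if len(raw) > 255:
        raise ValueError("MUD URL longer than 255 octets")
    return raw


def dhcpv4_mud_option(url: str) -> bytes:
    """Option 161: one-octet code, one-octet length, URL octets."""
    raw = validate_mud_url(url)
    return bytes([OPTION_MUD_URL_V4, len(raw)]) + raw


def dhcpv6_mud_option(url: str) -> bytes:
    """Option 112: two-octet code, two-octet length, URL octets."""
    raw = validate_mud_url(url)
    return struct.pack("!HH", OPTION_MUD_URL_V6, len(raw)) + raw


def lldp_mud_tlv(url: str) -> bytes:
    """Org-specific TLV: 7-bit type and 9-bit length in one 16-bit header, then OUI,
    subtype and the URL."""
    raw = validate_mud_url(url)
    body = IANA_OUI + bytes([MUD_LLDP_SUBTYPE]) + raw
    return struct.pack("!H", (LLDP_TLV_ORG_SPECIFIC << 9) | len(body)) + body


def mud_url_from_dhcpv4_options(options: bytes):
    """Walk a DHCPv4 options field (after the magic cookie) and return the MUD URL or
    None. Pad (0) has no length octet; End (255) stops the walk."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 0:
            i += 1
            continue
        if code == 255 or i + 1 >= len(options):
            break
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if code == OPTION_MUD_URL_V4 and len(value) == length:
            return value.decode("ascii")
        i += 2 + length
    return None


def mud_url_from_lldp_tlvs(lldpdu: bytes):
    """Walk the TLVs of an LLDPDU and return the MUD URL, or None."""
    i = 0
    while i + 2 <= len(lldpdu):
        header, = struct.unpack_from("!H", lldpdu, i)
        tlv_type, length = header >> 9, header & 0x1FF
        if tlv_type == 0:   # End of LLDPDU
            break
        value = lldpdu[i + 2:i + 2 + length]
        if (tlv_type == LLDP_TLV_ORG_SPECIFIC and len(value) >= 4
                and value[:3] == IANA_OUI and value[3] == MUD_LLDP_SUBTYPE):
            return value[4:].decode("ascii")
        i += 2 + length
    return None


def sample_dhcpv4_options(url: str = MUD_URL) -> bytes:
    """Constructed options field: message type 53 (DHCPDISCOVER), two pads, MUD URL, End."""
    return bytes([53, 1, 1, 0, 0]) + dhcpv4_mud_option(url) + b"\xff"


def sample_lldpdu(url: str = MUD_URL) -> bytes:
    """Constructed LLDPDU: mandatory Chassis ID, Port ID and TTL TLVs, MUD TLV, End."""
    chassis = b"\x04" + bytes.fromhex("001122334455")   # subtype 4: MAC address (made up)
    port, ttl = b"\x05eth0", struct.pack("!H", 120)       # subtype 5: interface name
    return (struct.pack("!H", (1 << 9) | len(chassis)) + chassis
            + struct.pack("!H", (2 << 9) | len(port)) + port
            + struct.pack("!H", (3 << 9) | len(ttl)) + ttl
            + lldp_mud_tlv(url) + b"\x00\x00")


if __name__ == "__main__":
    print(dhcpv4_mud_option(MUD_URL).hex())
    print(mud_url_from_dhcpv4_options(sample_dhcpv4_options()))
    print(mud_url_from_lldp_tlvs(sample_lldpdu()))
```

Run as a script it prints the option 161 bytes and the two decoded URLs. The decoders are the useful part for a device maker: applied to the options field of a real DHCP capture or to a captured LLDPDU, they confirm that the device is actually emitting the URL, with the right option code and the IANA OUI, before you hand it to a MUD manager and start debugging the wrong end.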