On Mon, Oct 24, 2016 at 6:22 AM, Eliot Lear <lear@cisco.com> wrote:
Hi,
On 10/24/16 3:06 PM, Ca By wrote:
Assuming MUD is successful in the IETF, the CPE lifecycle is 10 years before the needle moves, at which point the target will have morphed to something else. Also, nobody is going to pay for that feature. Just like the early days of IPv6, the economics were misaligned.
We know of those who are planning to build, so maybe not so much. The function doesn't NEED to be in CPE, but it helps. And again, the CPE market is changing right now, so be careful about your assumptions.
Please elaborate on concrete evidence to support your claim that the CPE market is changing.
In 10 years, the CPE will also be running PCP, where the bot tells the CPE to ignore all of MUD and open any arbitrary port it wants.
One of the hidden villains in these attacks, by the way, is UPnP. The point is not for the device to self-assert, but for the manufacturer to assert. Apart from that, PCP actually solves a slightly different problem. MUD can tackle interior connectivity, which PCP doesn't really address. And really that's what we need to address reflection attacks.
Eliot