
On 22.10.2018 at 23:49, Michael Richardson <mcr@sandelman.ca> wrote:
nevertheless a MUD file could be used to describe service classes of a TV, like "TV Streaming", "Social Media" etc. to give the end user simple choices and at least some control over what the device should be allowed to do.
Such a multi-functional device (in particular, any game console) might need to take on a multitude of identities for its different personalities, with appropriate MUD files for each personality. (And possibly, parental MUD file overrides, including number of packets/bytes allowed to be transmitted per day, and even perhaps elapsed duration between first transmitted packet and last one, to enforce "screen-time" limits.)
I see the point, that would get pretty complex...
We currently implement filtering by L2 address (MAC). That works for most Things, and it also lets us cleanly implement the quarantine function in a way that isn't *trivially* side-stepped by changing L3 address. To meaningfully prevent changing L2 address, a group of students at Algonquin College, in collaboration with Telus, have been working on making sure that there is a unique WPA key per MAC address, and that it's easy to set up. That means that changing your MAC address would mean losing access to the (wireless) network.
I think current MAC whitelisting would be sufficient (?) Assigning individual WPA keys for each IoT device sounds impractical to me.
This brings up the default policy for new devices: it needs to be restrictive. But this is going to be a pain in quite a number of situations, so it needs a really intuitive user interface.
Absolutely!
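The policy sketched in the exchange above (filter on the L2 address, quarantine unknown devices by default, and bind a per-MAC WPA key so that spoofing an enrolled MAC forfeits network access) as a small worked model. This is an added illustration, not code from the thread or from any of its participants or the Algonquin/Telus project; the service classes, MAC addresses, keys, quarantine port set and the HMAC stand-in for WPA's per-station key binding are all constructed assumptions:

```python
"""Added example, not from the mailing-list thread: a toy gateway policy
engine modelling MAC-based allowlisting, default quarantine for unknown
devices, and a per-MAC key binding. All names, keys and ports are made up."""
import hmac
import hashlib
from dataclasses import dataclass, field

# Assumed MUD-style service classes for a TV, mapped to the (proto, port)
# pairs each one needs. Constructed for the example.
SERVICE_CLASSES = {
    "tv_streaming": {("tcp", 443), ("udp", 443)},
    "social_media": {("tcp", 443)},
    "local_control": {("tcp", 8008)},
}

# Restrictive default for devices nobody has enrolled yet: DHCP and DNS only,
# so the device can be discovered and shown to the user, nothing more.
QUARANTINE_ALLOWED = {("udp", 53), ("udp", 67)}


@dataclass
class Device:
    mac: str
    psk: bytes                      # per-MAC WPA key (assumption: one key per station)
    classes: set = field(default_factory=set)


@dataclass
class Frame:
    src_mac: str
    src_ip: str
    proto: str
    dst_port: int
    auth_tag: bytes = b""           # stand-in for "this frame came from the station holding the key"


def frame_tag(psk: bytes, frame: Frame) -> bytes:
    """Models the per-station key binding of a WPA association: only a sender
    that holds the PSK enrolled for src_mac can produce a valid tag. (HMAC is
    a simplification; real 802.11 uses per-association pairwise keys.)"""
    msg = f"{frame.src_mac}|{frame.proto}|{frame.dst_port}".encode()
    return hmac.new(psk, msg, hashlib.sha256).digest()


class Gateway:
    def __init__(self, per_mac_keys=True):
        self.devices = {}           # MAC -> Device; the policy is keyed on L2 only
        self.per_mac_keys = per_mac_keys

    def enroll(self, device):
        self.devices[device.mac] = device

    def allowed_ports(self, device):
        return set().union(*(SERVICE_CLASSES[c] for c in device.classes))

    def decide(self, frame):
        dev = self.devices.get(frame.src_mac)
        if dev is None:
            # Unknown MAC: default-restrictive quarantine, independent of src_ip.
            ok = (frame.proto, frame.dst_port) in QUARANTINE_ALLOWED
            return "quarantine-allow" if ok else "quarantine-deny"
        if self.per_mac_keys and not hmac.compare_digest(frame_tag(dev.psk, frame), frame.auth_tag):
            return "drop"           # claims an enrolled MAC but cannot prove the matching key
        ok = (frame.proto, frame.dst_port) in self.allowed_ports(dev)
        return "allow" if ok else "deny"


def run_scenarios():
    """Exercise the policy with constructed devices and frames."""
    tv = Device("aa:bb:cc:00:00:01", b"tv-secret", {"tv_streaming"})
    gw = Gateway()
    gw.enroll(tv)

    def send(gateway, mac, ip, proto, port, psk=None):
        f = Frame(mac, ip, proto, port)
        if psk is not None:
            f.auth_tag = frame_tag(psk, f)
        return gateway.decide(f)

    # Same gateway without the per-MAC key binding, to show what it buys.
    gw_no_keys = Gateway(per_mac_keys=False)
    gw_no_keys.enroll(tv)

    return {
        "tv_stream": send(gw, tv.mac, "192.168.1.20", "tcp", 443, tv.psk),
        "tv_control": send(gw, tv.mac, "192.168.1.20", "tcp", 8008, tv.psk),
        "tv_new_ip": send(gw, tv.mac, "192.168.1.99", "tcp", 443, tv.psk),
        "unknown_dns": send(gw, "de:ad:be:ef:00:01", "192.168.1.50", "udp", 53),
        "unknown_https": send(gw, "de:ad:be:ef:00:01", "192.168.1.50", "tcp", 443),
        "unknown_takes_tv_ip": send(gw, "de:ad:be:ef:00:01", "192.168.1.20", "tcp", 443),
        "spoofed_mac": send(gw, tv.mac, "192.168.1.50", "tcp", 443, b"wrong-key"),
        "spoofed_mac_no_keys": send(gw_no_keys, tv.mac, "192.168.1.50", "tcp", 443, b"wrong-key"),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:22s} -> {verdict}")
```

The interesting rows are the last few: changing the L3 address (whether the TV moving or a quarantined device grabbing the TV's IP) changes nothing because the lookup is on the MAC, but with `per_mac_keys=False` a spoofed MAC inherits the TV's full allowlist, which is exactly the gap the per-MAC WPA key is meant to close.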