| Internet-Draft | More MUD | July 2026 |
| Lear | Expires 6 January 2027 | [Page] |
Manufacturer Usage Descriptions (MUD) provide a means to describe device network behavior. This memo clarifies some aspects that may improve both usability and interoperability. Some examples include how to handle IP-based access-lists, broadcasts and multicasts of various forms, and QoS. This memo updates RFC 8520.¶
This note is to be removed before publishing as an RFC.¶
The latest revision of this draft can be found at https://elear.github.io/draft-lear-mudextras/draft-lear-iotops-mudextras.html. Status information for this document may be found at https://datatracker.ietf.org/doc/draft-lear-iotops-mudextras/.¶
Discussion of this document takes place on the IOT Operations Working Group mailing list (mailto:iotops@ietf.org), which is archived at https://mailarchive.ietf.org/arch/browse/iotops/. Subscribe at https://www.ietf.org/mailman/listinfo/iotops/.¶
Source for this draft and an issue tracker can be found at https://github.com/elear/draft-lear-mudextras.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 6 January 2027.¶
Copyright (c) 2026 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Manufacturer Usage Descriptions (MUD) [RFC8520] provide a means to describe device network behavior. Operational experience has introduced a new use of MUD: to more clearly describe device network behavior and network access requirements in order for it to properly function. The MUD file itself can serve as a contract that is written by the device manufacturer and enacted and observed by both OT and IT services and organizations. This means that the descriptions should be as complete and accurate as possible.¶
Experience has shown that certain cases require clarification, and in some cases new extensions. For example:¶
Some devices make use of directed broadcasts, which are not supported in all networks. When they are, there is a need to understand each and every network segment to which such a device may be attached.¶
Some devices hardcode certain IP addresses. MUD itself augments [RFC8519], which specifies an access control list (ACL) schema in YANG. Within that context, therefore, it should be possible to employ ACLs that match that schema.¶
Some devices make use of multicast, and in some of those cases, multicast packets may need to be sent or received across network segments.¶
While one could argue whether or not either of these approaches should be used by device manufacturers, the reality is that they are used. Therefore, MUD should provide a means to describe them.¶
This memo updates [RFC8520] by clarifying that IP-based ACLs MAY be used in MUD files, and by providing a MUD extension to describe directed broadcasts. It also clarifies that all devices are assumed to both send and receive broadcasts, and provides an example of how to use ACLs to describe multicast behavior.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
As mentioned above, RFC 8519 specifies a YANG schema for ACLs. Nothing in the specification prevents the use of ACLs to describe the network behavior of devices in a MUD file. For example, the following is a valid MUD file that describes a device that is allowed to connect to a cloud service.¶
{
"ietf-mud:mud": {
"mud-version": 1,
"mud-url": "https://iot.example.com/modelX.json",
"mud-signature": "https://iot.example.com/modelX.p7s",
"last-update": "2022-01-05T13:30:31+00:00",
"cache-validity": 48,
"is-supported": true,
"systeminfo": "Sample IoT device",
"mfg-name": "Example, Inc.",
"documentation": "https://iot.example.com/doc/modelX",
"model-name": "modelX",
"from-device-policy": {
"access-lists": {
"access-list": [
{
"name": "mud-65443-v4fr"
}
]
}
},
"to-device-policy": {
"access-lists": {
"access-list": [
{
"name": "sample-ipv4-acl"
}
]
}
}
},
"ietf-access-control-list:acls": {
"acl": [
{
"name": "sample-ipv4-acl",
"type": "ipv4-acl-type",
"aces": {
"ace": [
{
"name": "permit-https-to-my-cloud-service",
"matches": {
"ipv4": {
"protocol": 6,
"destination-ipv4-network": "10.1.2.3/32"
},
"tcp": {
"destination-port": {
"operator": "eq",
"port": 443
}
}
},
"actions": {
"forwarding": "accept"
}
}
]
}
}
]
}
}
A few cautions about using native IP addresses in MUD files:¶
They should only ever refer to globally unique addresses that are coordinated by the device manufacturer.¶
Address changes will necessitate a new MUD file, which must be signed and retrieved by MUD managers.¶
Some device manufacturers will use hardcoded IP addresses to bootstrap functions like the domain name system (DNS). The use of anycast servers is not uncommon. Others simply do not want to introduce a dependency on DNS.¶
Some devices make use of directed broadcasts to communicate with devices either on the same subnet or on remote networks. Directed broadcasts require local topological knowledge, specifically the subnet mask of the network to which the device is attached. That information cannot be used across deployments, and so is inappropriate for MUD files.¶
To address this, we specify a MUD extension here that indicates that the device uses directed broadcasts.¶
Extension name: directed-broadcasts¶
A new object is added to the MUD file, called directed-broadcasts. It contains two boolean elements:¶
inbound: indicates whether the device must receive directed broadcasts.¶
outbound: indicates whether the device must send directed broadcasts.¶
The YANG tree for this extension is as follows:¶
module: ietf-mud-directed-broadcasts
augment /mud:mud:
+--rw directed-broadcasts
+--rw inbound? boolean
+--rw outbound? boolean
The YANG model for this extension is as follows:¶
module ietf-mud-directed-broadcasts {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-mud-directed-broadcasts";
prefix mud-directed-broadcasts;
import ietf-mud {
prefix mud;
reference "RFC 8520: Manufacturer Usage Description (MUD)";
}
organization
"IETF IOTOPS Working Group";
contact
"WG Web: <https://datatracker.ietf.org/wg/iotops/>
WG List: <mailto:iotops@ietf.org>
Author: Eliot Lear <mailto:lear@lear.ch>";
description
"
Copyright (c) 2026 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject to
the license terms contained in, the Revised BSD License set
forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX
(https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself
for full legal notices.
This module defines a MUD extension for directed broadcasts.";
revision 2026-07-05 {
description
"Initial revision.";
reference
"RFC XXXX: Some MUD Extensions and Clarifications";
}
grouping directed-broadcasts-group {
description
"Indicates whether the device uses directed broadcasts.";
container directed-broadcasts {
description
"Indicates whether the device uses directed broadcasts.";
leaf inbound {
type boolean;
description
"Indicates whether the device must receive directed broadcasts.";
}
leaf outbound {
type boolean;
description
"Indicates whether the device must send directed broadcasts.";
}
}
}
augment "/mud:mud" {
description
"Augments the MUD model with directed-broadcasts.";
uses directed-broadcasts-group;
}
}
The following is an example of a MUD file that indicates that the device uses directed broadcasts in both directions.¶
{
"ietf-mud:mud": {
"mud-version": 1,
"mud-url": "https://iot.example.com/modelX.json",
"mud-signature": "https://iot.example.com/modelX.p7s",
"last-update": "2022-01-05T13:30:31+00:00",
"extensions": [
"directed-broadcasts"
],
"cache-validity": 48,
"is-supported": true,
"systeminfo": "Sample IoT device",
"mfg-name": "Example, Inc.",
"documentation": "https://iot.example.com/doc/modelX",
"model-name": "modelX",
"directed-broadcasts": {
"inbound": true,
"outbound": true
}
}
}
Note that in all likelihood there would also be ACLs in the MUD file, but they are omitted here for brevity.¶
Directed broadcasts have well known security issues (see [RFC2644]). However, they are used in circumstances where a limited amount of configuration is considered acceptable, and where other mechanisms such as multicast cannot be expected to be available in all deployments. The purpose of this extension is not to encourage the use of directed broadcasts, but rather to provide a means to describe them in MUD files when they are used.¶
[RFC8520] does not specify how multicast should be handled. Use of multicast for discovery is relatively common. However, support for multicast beyond the local link is by no means guaranteed.¶
Unlike directed broadcasts, however, multicast addresses are not typically tied to a local network topology. For this reason, MUD files MAY contain multicast addresses in ACLs.¶
The following ACL fragment can be used by either the to-device or from-device ACL to permit multicast:¶
{
"ace": [
{
"name": "permit-multicast",
"matches": {
"ipv4": {
"protocol": 17,
"destination-ipv4-network": "224.0.0.0/4"
}
},
"actions": {
"forwarding": "accept"
}
}
]
}
While this example demonstrates how a device may send or receive multicast traffic, it doesn't specify whether those packets may need to be transmitted across network segments.¶
Whether a manufacturer intends for multicast packets to go beyond a local segment is something that can be expressed in the MUD file with the following extension:¶
Extension name: multicast-across-segments¶
This extension does not extend the MUD YANG model; its presence in a MUD file simply signals to the network operator that multicast may be required to traverse network segments.¶
This will be useful when multicast is intended for purposes other than local discovery. On its own it doesn't specify which multicast groups the device may need to join. An ACL that permits multicast traffic is still required.¶
Examples might include the following:¶
A controller that requires consistent behavior across a set of devices in a timely fashion. It may use multicast to communicate with all of them.¶
A smoke detector that is part of a building-wide alarm system. If one smoke detector detects smoke, it may multicast a message to audible and visual alarms throughout the building to sound the alarm.¶
On-hold music is a historical example, where music is distributed via multicast.¶
Note that operational issues associated with multicast, such as the scope of a multicast group, are outside the scope of this document. Here we are merely documenting the device's behavior and network requirements.¶
[RFC8520] does not specify how broadcast should be handled. Devices may make use of broadcast for many reasons, including discovery, fast failover, expedited processing, and so on. There are a sufficient number of reasons to use broadcasts, that simply identifying that a device uses broadcasts seems as useful as saying that a device uses IP. Therefore, in the context of MUD, all devices are assumed to both send and receive broadcasts.¶
The YANG module specified in this document defines a schema for data that is designed to be accessed via network management protocols such as NETCONF [RFC6241] or RESTCONF [RFC8040]. The lowest NETCONF layer is the secure transport layer, and the mandatory-to-implement secure transport is Secure Shell (SSH) [RFC6242]. The lowest RESTCONF layer is HTTPS, and the mandatory-to-implement secure transport is TLS [RFC8446].¶
The NETCONF access control model [RFC8341] provides the means to restrict access for particular NETCONF or RESTCONF users to a preconfigured subset of all available NETCONF or RESTCONF protocol operations and content.¶
MUD files are intended to be retrieved from a web server, and so the security considerations of [RFC8520] apply. In addition, see Section 2.2.3 for a discussion of the security implications of directed broadcasts.¶
IANA is requested to make the following additions to the "Manufacturer Usage Description (MUD) Extensions" registry:¶
Name: directed-broadcasts Reference: [RFCXXXX] (this document)¶
Name: multicast-across-segments Reference: [RFCXXXX] (this document)¶
The following YANG namespace is registered for the directed-broadcasts MUD extension:¶
TODO acknowledge.¶