Device specifications and groups
The network ACLs generated by the MUD files can be referenced inside device_specs.json files. These files can be included in the device_specs configuration entry inside system.conf to specify a mapping for individual devices, creating communication groups and flow restrictions. If this file is not specified, as in all the previous tutorials, no flow restrictions are enforced.
A few example device specification files are located in the misc folder. Let's list them:

```
ls misc/device_specs*
misc/device_specs_bacnet_disabled.json misc/device_specs_bacnet.json misc/device_specs.json
misc/device_specs_bacnet_frdev.json misc/device_specs_bacnet_todev.json
```
Now show the content of the misc/device_specs_bacnet.json file:

```
cat misc/device_specs_bacnet.json
```

The output is this:
```json
{
  "macAddrs": {
    "9a:02:57:1e:8f:01": {
      "type": "bacnet",
      "group": "testing",
      "controllers": {
        "bacnet": {
          "controlees": {
            "bacnet": {
              "mac_addrs": {
                "9a:02:57:1e:8f:02": {
                }
              }
            }
          }
        }
      }
    },
    "9a:02:57:1e:8f:02": {
      "type": "bacnet",
      "group": "testing",
      "controllers": {
        "bacnet": {
          "controlees": {
            "bacnet": {
              "mac_addrs": {
                "9a:02:57:1e:8f:01": {
                }
              }
            }
          }
        }
      }
    }
  }
}
```
The basic structure of the device_specs file includes the "macAddrs" object, which contains the list of MAC addresses of the devices.
For each MAC address, it is possible to specify a "type" and a "group".
The "type" is the name of the MUD file describing the network policy associated with the device. If no type is specified, then it defaults to the mud_files/default.json MUD file, meaning that the device will not be able to communicate or be accessed.
By specifying the same "group" for two or more devices, it is possible to achieve a functionality equivalent to a named subnet. If no group is specified, then it defaults to an isolated group based on the device's MAC address. Devices in the same group will have network reachability (sans MUD restrictions) with a shared DHCP server, while devices in separate groups will be completely sequestered.
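As an added example (not part of DAQ or this tutorial), the following Python applies the defaults described above to a constructed device_specs document modelled on misc/device_specs_bacnet.json, plus a third device with neither "type" nor "group". The isolated-group naming, the mud_files/<type>.json path pattern and the undeclared-controlee check are assumptions made for illustration.

```python
import json

# Constructed sample, modelled on misc/device_specs_bacnet.json, with a third
# device that omits "type" and "group" to exercise the documented defaults.
DEVICE_SPECS = json.loads("""
{
  "macAddrs": {
    "9a:02:57:1e:8f:01": {"type": "bacnet", "group": "testing",
      "controllers": {"bacnet": {"controlees": {"bacnet": {
        "mac_addrs": {"9a:02:57:1e:8f:02": {}}}}}}},
    "9a:02:57:1e:8f:02": {"type": "bacnet", "group": "testing",
      "controllers": {"bacnet": {"controlees": {"bacnet": {
        "mac_addrs": {"9a:02:57:1e:8f:01": {}}}}}}},
    "9a:02:57:1e:8f:03": {}
  }
}
""")

def controlees_of(spec):
    """Flatten controllers -> <ctrl type> -> controlees -> <type> -> mac_addrs
    into a set of (controller_type, controlee_mac) pairs."""
    pairs = set()
    for ctrl_type, ctrl in spec.get("controllers", {}).items():
        for sub in ctrl.get("controlees", {}).values():
            for mac in sub.get("mac_addrs", {}):
                pairs.add((ctrl_type, mac))
    return pairs

def resolve_specs(specs):
    """Apply the tutorial's defaults: no "type" means mud_files/default.json,
    no "group" means an isolated group keyed on the device's own MAC (assumed name)."""
    resolved = {}
    for mac, spec in specs["macAddrs"].items():
        mud_type = spec.get("type", "default")   # mud_files/<type>.json is assumed
        resolved[mac] = {
            "mud_file": f"mud_files/{mud_type}.json",
            "group": spec.get("group", f"isolated-{mac}"),
            "controlees": controlees_of(spec),
        }
    return resolved

def same_group(resolved, mac_a, mac_b):
    """True when two devices share a group and are therefore reachable (MUD rules still apply)."""
    return resolved[mac_a]["group"] == resolved[mac_b]["group"]

def lint(specs):
    """Report controlee MACs that are not declared anywhere in macAddrs."""
    known = set(specs["macAddrs"])
    return sorted(m for s in specs["macAddrs"].values()
                  for _, m in controlees_of(s) if m not in known)
```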
TODO: add controllers and controlees.
For the first test, let's put two devices using the bacnet.json MUD file in the same group.
TODO
1. Find MAC addresses of devices
2. Write device specs file
3. Activate network with cmd/run -n
4. Test that devices can communicate only over BACnet
TODO
TODO
Go to the next tutorial > BACnet communication testing