rfc9726v4.txt | rfc9726.txt | |||
---|---|---|---|---|
skipping to change at line 317 ¶ | skipping to change at line 317 ¶ | |||
addresses that might be returned by the update server. This can be | addresses that might be returned by the update server. This can be | |||
done with IP address literals in the MUD file, but this may require | done with IP address literals in the MUD file, but this may require | |||
continuing updates to the MUD file if the addresses change | continuing updates to the MUD file if the addresses change | |||
frequently. A DNS name in the MUD could resolve to the set of all | frequently. A DNS name in the MUD could resolve to the set of all | |||
possible IPv4 and IPv6 addresses that would be used, with DNS | possible IPv4 and IPv6 addresses that would be used, with DNS | |||
providing a level of indirection that obviates the need to update the | providing a level of indirection that obviates the need to update the | |||
MUD file itself. | MUD file itself. | |||
A third problem involves the use of HTTPS. It is often more | A third problem involves the use of HTTPS. It is often more | |||
difficult to get TLS certificates for an IP address, and so it is | difficult to get TLS certificates for an IP address, and so it is | |||
less likely that the firmware download will be protected by TLS. An | less likely that the firmware download will be protected by TLS. | |||
IP address literal in the TLS ServerNameIndicator [RFC6066] might not | Even if an IP address literal was placedin the TLS | |||
provide enough context for a web server to distinguish which of the | ServerNameIndicator [RFC6066], against the advice of that document, | |||
(potentially many) tenants the client wishes to reach. This drives | it still would not provide enough context for a web server to | |||
the use of an IP address per tenant, and for IPv4 (at least), this is | distinguish which of the (potentially many) tenants the client wishes | |||
no longer a sustainable use of IP addresses. | to reach. This drives the use of an IP address per tenant, and for | |||
IPv4 (at least), this is no longer a sustainable use of IP addresses. | ||||
Finally, it is common in some CDNs to use multiple layers of DNS | Finally, it is common in some CDNs to use multiple layers of DNS | |||
CNAMEs in order to isolate the content owner's naming system from | CNAMEs in order to isolate the content owner's naming system from | |||
changes in how the distribution network is organized. | changes in how the distribution network is organized. | |||
When a name or address is returned within an update protocol for | When a name or address is returned within an update protocol for | |||
which a MUD rule cannot be written, then the MUD controller is unable | which a MUD rule cannot be written, then the MUD controller is unable | |||
to authorize the connection. In order for the connection to be | to authorize the connection. In order for the connection to be | |||
authorized, the set of names returned within the update protocol | authorized, the set of names returned within the update protocol | |||
needs to be known ahead of time and must be from a finite set of | needs to be known ahead of time and must be from a finite set of | |||
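Review bot: the sentence added in the right column ("Even if an IP address literal was placedin the TLS ServerNameIndicator [RFC6066], against the advice of that document, ...") has a missing space in "placedin", and "against the advice of that document" understates RFC 6066, whose Section 3 states that literal IPv4 and IPv6 addresses are not permitted in the HostName of the server_name extension; wording such as "which RFC 6066 does not permit" would make clear that an IP literal in SNI is outside the extension's grammar rather than merely discouraged, which strengthens the point that an address-only update server cannot be multi-tenant behind TLS. Both columns also call the extension "ServerNameIndicator"; RFC 6066 names it Server Name Indication (the server_name extension), and the new text is a natural place to correct that.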
End of changes. 1 change blocks. | ||||
6 lines changed or deleted | 7 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. |