What is MUD?

MUD stands for Manufacturer Usage Descriptions, a standard manufacturers can use to describe what sort of network access their devices need.

  • MUD provides customers information they can use to understand how devices access the network.
  •  MUD optionally uses existing device mechanisms to communicate those needs to the network.
  •  MUD can be used to keep your devices safe from other compromised devices on the network.
  •  MUD is an open standard.  Anyone can implement it.
Thermostat

Knowing your device

The first step is documenting what access your device needs.  At a minimum, this means knowing which UDP and TCP ports a device will use.  MUD provides manufacturers a way to specify network access policies for devices without having to know what every customer deployment topology is.  Also, don't worry about DNS or NTP, as you get those services by default.

MUD Maker Tool

Building your MUD file

Each MUD file contains access control lists that use various classes.  When you click on the checkboxes in MUD maker, additional information will appear below that you will need to fill out.  Just choose which classes are appropriate for your devices.  If you need more entries per class, hit the + button.

MUD signature
Once you've built your MUD file, you should sign it.
MUD architecture

Pointing to the MUD file with a URL

Once you've developed your MUD file, plop it on a server somewhere.  Then have your device announce a URL pointing to that file.  This can be done with LLDP, DHCP, or in a certificate.

MUD Protected Network

Trying it out with a MUD Manager

Once you have created a MUD file and a MUD URL, you can test it out. Here are a few MUD managers to try:

MUD

The Standard

RFC 8520 - Manufacturer Usage Descriptions

Thanks for the artwork

Bouchecl - Own work, CC BY-SA 3.0

Tooling by Eliot Lear and Vafa Andalibi