MUD (Manufacturer Usage Description, RFC 8520)
What is MUD (Manufacturer Usage Description, RFC 8520)?
An IETF standard for IoT devices to publish a machine-readable description of their intended network behavior, which routers and switches can use to automatically constrain the device to its expected communication patterns.
Manufacturer Usage Description (MUD, RFC 8520), published by the IETF in 2019, is a framework for IoT devices to advertise to the network exactly what communication they need. A MUD-aware device sends a MUD URL during DHCP, LLDP, or 802.1X — pointing to a small JSON file (the 'MUD file') hosted by the manufacturer. The MUD file describes intended endpoints (controller cloud services, NTP servers, etc.), allowed protocols, and allowed peer roles in a structured policy language. A MUD-aware switch, router, or NAC translates that description into per-device ACLs or microsegmentation rules, denying everything outside the manufacturer's declared behavior. The intent is to make 'one camera-vendor's botnet' impossible — a compromised IP camera cannot scan or pivot to other internal hosts because the network refuses anything outside the device's declared profile. NIST SP 1800-15 documents a reference architecture, and Cisco, Aruba, and several IoT-security vendors implement MUD or MUD-like profiles. Adoption is limited because it requires manufacturer participation, but MUD remains the most concrete IETF answer to the 2016 Mirai-class IoT worm threat.
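As an added illustration (not code from RFC 8520, NIST SP 1800-15, or any vendor), the Python below reads a constructed MUD file in the RFC's JSON layout for a hypothetical IP camera and compiles it into the default-deny, per-device rules the paragraph describes; the vendor host names, the MUD URL and the name-to-address map are placeholders.

```python
import json

# Constructed MUD file for a hypothetical IP camera in the RFC 8520 layout: an "ietf-mud:mud"
# container referencing ACLs in "ietf-access-control-list:acls". Names and URL are placeholders.
MUD_FILE = json.dumps({
    "ietf-mud:mud": {
        "mud-version": 1, "mud-url": "https://mud.vendor.example/cam.json", "is-supported": True,
        "from-device-policy": {"access-lists": {"access-list": [{"name": "cam-from"}]}},
        "to-device-policy": {"access-lists": {"access-list": [{"name": "cam-to"}]}}},
    "ietf-access-control-list:acls": {"acl": [
        {"name": "cam-from", "type": "ipv4-acl-type", "aces": {"ace": [
            {"name": "cloud", "actions": {"forwarding": "accept"}, "matches": {
                "ipv4": {"ietf-acldns:dst-dnsname": "api.vendor.example", "protocol": 6},
                "tcp": {"ietf-mud:direction-initiated": "from-device",
                        "destination-port": {"operator": "eq", "port": 443}}}},
            {"name": "ntp", "actions": {"forwarding": "accept"}, "matches": {
                "ipv4": {"ietf-acldns:dst-dnsname": "time.vendor.example", "protocol": 17},
                "udp": {"destination-port": {"operator": "eq", "port": 123}}}}]}},
        {"name": "cam-to", "type": "ipv4-acl-type", "aces": {"ace": [
            {"name": "cloud-reply", "actions": {"forwarding": "accept"}, "matches": {
                "ipv4": {"ietf-acldns:src-dnsname": "api.vendor.example", "protocol": 6},
                "tcp": {"ietf-mud:direction-initiated": "from-device",
                        "source-port": {"operator": "eq", "port": 443}}}}]}}]}})

# Constructed name-to-address map standing in for the enforcer's DNS resolver.
RESOLVER = {"api.vendor.example": "203.0.113.10", "time.vendor.example": "203.0.113.20"}

def compile_rules(mud_json, resolve):
    """Translate a MUD file into per-device allow tuples (direction, proto, peer_ip, port)."""
    doc = json.loads(mud_json)
    mud = doc["ietf-mud:mud"]
    acls = {a["name"]: a for a in doc["ietf-access-control-list:acls"]["acl"]}
    rules = []
    for direction, policy in (("from-device", "from-device-policy"), ("to-device", "to-device-policy")):
        for ref in mud.get(policy, {}).get("access-lists", {}).get("access-list", []):
            for ace in acls[ref["name"]]["aces"]["ace"]:
                m = ace["matches"]
                l3 = m.get("ipv4") or m.get("ipv6")
                # The peer is the destination when the device sends and the source when it receives.
                outbound = direction == "from-device"
                peer = l3.get("ietf-acldns:dst-dnsname" if outbound else "ietf-acldns:src-dnsname")
                l4 = m.get("tcp") or m.get("udp") or {}
                port = l4.get("destination-port" if outbound else "source-port", {}).get("port")
                if ace["actions"]["forwarding"] == "accept":
                    rules.append((direction, l3["protocol"], resolve(peer), port))
    return rules

def permitted(rules, direction, proto, peer_ip, port):
    """Default deny: a flow passes only if it matches a rule the manufacturer declared."""
    return (direction, proto, peer_ip, port) in rules
```

Anything the camera tries toward an internal host, such as TCP/23 to another device on the LAN, matches no compiled rule and is refused, which is the containment effect described above.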
● Examples
- 01
A MUD-aware switch receives a MUD URL from a new IP camera, fetches its profile, and applies an ACL that allows traffic only to the vendor's cloud endpoint and NTP — blocking all peer-to-peer attempts.
- 02
NIST SP 1800-15 demonstrates MUD enforcement constraining a compromised IoT device so it cannot participate in a Mirai-style scanning botnet.
● Frequently asked questions
What is MUD (Manufacturer Usage Description, RFC 8520)?
An IETF standard for IoT devices to publish a machine-readable description of their intended network behavior, which routers and switches can use to automatically constrain the device to its expected communication patterns. It belongs to the OT / ICS / IoT category of cybersecurity.
● Related terms
- IoT Security (ot-iot № 615)
The discipline of protecting Internet-of-Things devices, gateways, networks, and cloud services from compromise, given their scale, constrained resources, and long lifetimes.
- IoT Botnet (ot-iot № 614)
A network of compromised Internet-of-Things devices remotely controlled to launch attacks such as DDoS, credential stuffing, click fraud, or cryptomining.
- Mirai Botnet (ot-iot № 758)
An IoT malware family first seen in 2016 that recruits routers, cameras, and DVRs through default credentials and was used in the Dyn DNS DDoS that broke much of the U.S. internet.
- Network Access Control (NAC) (network-security № 805)
A set of policies and technologies that authenticate devices and users before granting them network access and continually enforce posture requirements.
- Microsegmentation (network-security № 752)
A fine-grained form of segmentation that applies allow-list policies between individual workloads or applications, often via host or hypervisor enforcement.
- Network Segmentation (network-security № 809)
The practice of splitting a network into multiple zones with controlled traffic between them to contain breaches and enforce least privilege.