Existing Manufacturer Usage Description (MUD) standards struggle to support low-power IoT devices operating under the Thread protocol, particularly lacking scalable access control mechanisms in large-scale networks with multiple heterogeneous border routers. This work proposes the first MUD-based access control framework for Thread networks that accommodates arbitrary topologies and multi-border-router environments. By extending the Mesh Link Establishment (MLE) protocol, the framework reliably propagates MUD information from constrained devices to any border router, enabling network-wide policy enforcement through integration with Software-Defined Networking (SDN). Experimental evaluation on real hardware demonstrates that the proposed solution achieves strong security guarantees, linear scalability, and minimal runtime overhead, significantly outperforming existing approaches.

The IETF standard Manufacturer Usage Description (MUD) enables manufacturers to equip IoT devices with certified URLs that provide traffic profiles for those devices, helping administrators enforce network access control. However, MUD assumes devices operate on full IP stacks and therefore does not account for constrained IoT devices running Thread--the dominant low-power mesh networking standard--which lacks complete TCP/IP functionality. While prior work proposes extensions to support MUD in Thread environments, these approaches are limited to simple topologies with a single border router and do not scale to realistic deployments with multiple, heterogeneous border routers. We introduce MeshGuard, a framework enabling MUD-based access control in complex Thread networks, with any number of border routers. MeshGuard extends the Mesh Link Establishment (MLE) protocol to deliver MUD information from constrained devices to border routers regardless of network topology. Moreover, MeshGuard leverages Software-Defined Networking (SDN) to synchronize access control lists across all routers. Experiments on our proof-of-concept with real devices (nRF5340, nRF52833, Raspberry-Pi 3) demonstrate enhanced security, minimal overhead, and linear scalability compared to state-of-the-art approaches.