This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/iot-wg@ripe.net/
[iot-discussion] What role does the SP play in protecting consumers re IoT?
Patrik Fältström
paf at frobbit.se
Wed Apr 12 13:29:11 CEST 2017
On 12 Apr 2017, at 12:55, Eliot Lear wrote:

>> B. An agreement from manufacturers that their gear is to do the right thing. Like a gentleman's agreement. Will not help at all, but still a good thing. Enable and make it easy for companies to be signatories of things like MANRS. ISOC?
>
> I think we could do this. I think it would be a good idea. But it cannot be onerous to manufacturers, onerous being, of course, in the eye of the beholder. To me that means, by the way, using only the code you need, maintaining it through updates, advertising the support lifetime of the device, providing for secure onboarding, and explaining how the device is supposed to behave on the network.

It must be a simple easy self-certification. But it must because of this be based on simple rules. "I hereby promise that my gear follows these rules".

What are the rules?

1. No default passwords admin/admin
2. Default no open ports (on upstream interface)
3. If forwarding packets, BCP38
4. Automatic software updates
5. ...

>> C. Make it much more clear in the various pan-European legislations that an ISP does have the ability to cut off customers from which bad packets come. Today ISPs should forward packets but also protect the network (handwaving, handwaving). I do not see ISPs being afraid of cutting customers off, and the main reason for not doing it has to do with increased support cost (why would an ISP invest money in helping a customer they already do not make money on configuring their toothbrush correctly?).
>
> That's why I asked my first question as I did: what can ISPs do to facilitate the RIGHT thing happening? Cutting people off is the most extreme form of answer. Surely there is more that can be done before that point.

Well, they can do BCP38 and other things in MANRS. They can do DNSSEC validation in whatever recursive resolver service they include in the internet access service. They can also ship gear (if something is included) that supports the simple rules above.

But not much more. I would be very nervous if the ISP becomes responsible for content of IP packets of customers.

Most attacks I see today also do not come from ISPs (i.e. traditional eyeball providers) but PHP-based web sites with unpatched WordPress and what not.

Which leads back to the need for more stable and secure software packages that people can use.

Patrik