[iot-wg] the vague IoT/RIPE-NCC training question

Hi Michael,

was travelling the last days with busy schedule, my apologizes for my delayed response…

Regarding your initial topic about the NCC training offerings I tend to stand on Jim’s 
side. Nevertheless I think this WG could:

1) Identify IoT aspects that affect ISPs from the broad field of topcis, as you already 
    mentioned a bit further below. @Daniel: I salute your comment, I think that’s we
    should focus on.

2) Work on RIPE documents, i.e. like the BCOP document we were working on. Such
    documents then could found a base for trainings, if done by the RIPE NCC or third
    parties tends to be seen.

@1) I agree that most manufacturers only react when there’s market pressure. 
If the ISPs set clear requirements how IoT devices need to behave that’s a
better leverage IMO. Nevertheless, here the question would be what could
be consequence for non-conforming IoT devices. Would denying internet
(or network access in general) be legal? This might also be interesting in the
context of devices not receiving updates any more etc.

@3) That’s an interesting approach, this could be a good project for further research
and also standardisation of the honeypot setup. The information collected could also
be shared between operators and even globally to identify threats much faster.

@4) Definitely. OpenWrt would be ideal for a reference implementation since it’s
de-facto inudstry standard and used by the major chipset makers for their SDKs.
I do not think if we should work on a full fledged reference secure CPE - but on the 
IoT relevant services and configuration. This could result in a specific OpenWrt feed
that could be simply consumed by mid sized operators.

Getting engagement from the ISPs seems a tricky matter. Inside prpl currently IoT is
not a relevant topic, at least none of the major ISPs seems to have brought it up, yet.
Talking to IXPs as well could give us broader view. Although they have not direct control
about the end user’s CPEs they can get seriously affected by DDoS attacks and 
should have a good interest in prevention.

I think you brought up several very valueable topics!

Thank you,
Peter

> Am 30.05.2022 um 21:40 schrieb Michael Richardson <mcr+ietf at sandelman.ca>:
> 
> 
> At RIPE84, recorded at https://ripe84.ripe.net/archives/video/782/
> Jad El Cham asks about training from the RIPE NCC on "IoT".
> I watched this today from the archives.   I wasn't able to be at the IOT-WG
> meeting in person (yes, you saw me there on Monday), because I was at the IoT
> Security Foundation's ManySecured WG meetings in London.
> Perhaps that makes me more qualified to answer the question?
> 
> First, some nitpicks about this presentation.  I couldn't hear Jad El Cham's
> name very well, and the lack of slides meant I had to watch the video three
> times to understand his question.
> https://ripe84.ripe.net/programme/meeting-plan/iot-wg/
> has his name correctly, but:
> https://ripe84.ripe.net/archives/#wednesday does *NOT*
> 
> If there were three slides with the questions and thoughts on them, then I
> could far better respond to the question.
> (Still not sure if the clapping for Marco leaving RIPE was ... "thanks for
> all the work", or "thank god you escaped with your sanity...)
> 
> Second, while I share some of Jim's concern about scope creep, in fact there
> are many things that the RIPE NCC is uniquely positioned to help with that
> would benefit the community, and which probably *does* need a subsidy to get
> done correctly.   Profit motives being forever next-quarter, 90% of the IoT
> security problems (as explained in the previous presentation, the slides at:
> https://ripe84.ripe.net/presentations/87-HVIKT-IoT-encounters-ripe.pdf
> include his missing slides...) are the result of next quarter thinking
> combined with very poor operational controls.
> 
> If we are going to get a handle on the security issues with networks of
> devices (routers are the Internet of Internet things) then we need more data
> and more sharing of experiences.  Back in RIPE79, (Rotterdam), I tried to
> start discussion about how ISPs can collaborate better on dealing with
> security issues, particularly DDoS caused by distributed malware.
> 
> So, what would I like to see:
> 
> 1) increase connection with RIPE NCC with organizations like
> iotsecurityfoundation.org.  IoTSF is among the few places I've found which
> are not about hype or marketing, who seem to have real connections to both
> places/people technical and people/places regulatory.  Like the IETF, though,
> we need more participation of operators.... not just the airy-fairy senior
> security architects from various ISPs, but actual people in the trenches.
> 
> There are dozens of interesting bits of research being done via RIPE Atlas,
> telling more IoT types about the results would be a good thing.  That could
> be in the form of some RIPE (NCC?) person talking about research, or perhaps
> for RIPE NCC sponsoring the researcher to present their stuff at a few
> conferences, such as the IoTSF conference in October,  but also IETF
> meetings, RSA(*), Industrial Internet Consortium, The Thing Conference, ...
> 
> btw: I did two training courses in 2020 for IoTSF on default passwords and
>    software updates.  *Manufacturers* are *really* hard to reach.
>    Educating *operators* about what to *ask for*, and which regulation the
>    supplier is not-complliant with when they fail, would also be very good.
> 
> 2) RIPE NCC involvement with specifications like:
> https://datatracker.ietf.org/wg/mile/about/
> ROLIE   RFC 8322
>   good intro:https://www.redhat.com/en/blog/red-hat-adopts-rolie-protocol-automated-exchange-security-compliance-assets
>   GOLIE   https://github.com/rolieup/golie
> 
> For instance, how many ISPs how how to set this up?
> I have no personal experience.
> Would I come to a day-long workshop (Saturday before or after RIPE?)... YES.
> This is training content that RIPE NCC could develop, and could provide in
> multiple venues for free or for low cost.   This is much akin to MANRS, RPKI
> training, and I think there has been IX training occur as well.
> 
> ROLIE is not loved by everyone, btw, and there are some alternatives which my
> slides from 79 went into, but actually I'm not, alas, qualified at this time
> to say much, because I know little myself.
> 
> 3) RIPE (NCC) involvement with regulators on the topic of *privacy* and
>   *liability* around vulnerability disclosures.
> 
> Some operators, for instance, have told me that in order to avoid
> violating the privacy of their customers when it comes to detecting
> malware infestations on *their* networks, set up honeypots of (somewhat?)
> vulnerable devices and wait for them to get p0wned.
> 
> That's an interesting training course on its own.
> 
> 4) a RIPE reference secure CPE device...?
> 
> I could probably go on for days here with things that could be done.
> 
> Many medium-sized operators have decided they don't like what's available to
> them, and have went out to specify/build their own devices.   Most bigger
> operators have been doing this for more than a decade, but my observation is
> that the bigger the operator, the less secure their default device is.
> (For instance, we know how many and how poorly some of these devices support IPv6)
> 
> Is there an opportunity to collect wisdom together?
> Maybe some kind of symposium of operators and openwrt developers could
> happen.  OpenWRT has had conferences, although often not that well advertised
> in advance.  pprlFoundation sometimes has conferences I think.   The
> WBAlliance does stuff, but alas, 90% of what I see is total marketing.
> 
> 5) I could come with a fifth, but his email is already too long.
> :-)
> 
> 
> 
> 
> 
> --
> Michael Richardson <mcr+IETF at sandelman.ca>   . o O ( IPv6 IøT consulting )
>           Sandelman Software Works Inc, Ottawa and Worldwide
> 
> 
> 
> 
> _______________________________________________
> iot-wg mailing list
> iot-wg at ripe.net
> https://mailman.ripe.net/
> 
> To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://mailman.ripe.net/



Peter Steinhäuser, CEO
embeDD GmbH · Alter Postplatz 2 · 6370 Stans · Switzerland
Phone: +41 (41) 784 95 85 · Fax: +41 (41) 784 95 64
 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/iot-wg/attachments/20220603/0928d1b7/attachment.html>