[192344] in North American Network Operators' Group
Re: Spitballing IoT Security
daemon@ATHENA.MIT.EDU (Eric S. Raymond)
Wed Oct 26 08:31:18 2016
X-Original-To: nanog@nanog.org
Date: Wed, 26 Oct 2016 08:30:43 -0400
From: "Eric S. Raymond" <esr@thyrsus.com>
To: Rich Kulawiec <rsk@gsp.org>
In-Reply-To: <20161026120634.GA20735@gsp.org>
Reply-To: esr@thyrsus.com
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
Rich Kulawiec <rsk@gsp.org>:
> I think our working assumption should be that there will be zero cooperation
> from the IoT vendors. (Yeah, once in a while one might actually step up,
> but that will merely be a happy anomaly.)
I agree.
There is, however, a chokepoint we have more hope of getting decent software
deployed to. I refer to home and small-business routers. OpenWRT and kin
are already minor but significant players here. And there's an NRE-minimization
argument we can make for router manufacturers to use rebranded versions
rather than rolling their own crappy firmware.
I think the anti-IoT-flood strategy that makes the most sense is:
1. Push open-source firmware that doesn't suck to the vendors with a
cost- and risk-minimization pitch.
2. Ship it with egress filters. (And telnet blocked.)
It wouldn't be technically very difficult to make the firmware
rate-limit outbound connections. Cute trick: if we unlimit any
local IP address that is a port-forwarding target, most users
will never notice because their browser sessions won't be affected.
--
Eric S. Raymond  http://www.catb.org/~esr/
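The egress policy sketched in the message (block outbound telnet, rate-limit new outbound connections per LAN host, and exempt hosts that are port-forwarding targets) can be modelled in a few lines. What follows is an added example written for this archive page; it is not Eric Raymond's code and not OpenWrt's firewall implementation. It simulates in Python what a router firewall meter would do to a constructed stream of new outbound connections, so the effect of the exemption can be seen without a router: the host addresses, rate, burst and port numbers are all hypothetical sample values.

```python
from collections import Counter

TELNET_PORT = 23  # outbound telnet is dropped outright, per the proposal


class EgressPolicy:
    """Per-LAN-host token bucket over *new* outbound connections.

    Hypothetical stand-in for a router firewall meter (nftables 'limit rate'
    or iptables hashlimit keyed on source address). Hosts listed as
    port-forwarding targets are exempt, mirroring the message's suggestion.
    """

    def __init__(self, rate_per_sec, burst, port_forward_targets):
        self.rate_per_sec = float(rate_per_sec)   # sustained connections/second
        self.burst = int(burst)                   # bucket capacity
        self.port_forward_targets = set(port_forward_targets)
        self._buckets = {}                        # src -> (tokens, last_ts)

    def decide(self, src, dport, ts):
        """Return the verdict for one new outbound connection attempt."""
        if dport == TELNET_PORT:
            return "drop-telnet"
        if src in self.port_forward_targets:
            return "accept-exempt"
        tokens, last = self._buckets.get(src, (self.burst, ts))
        # Refill proportionally to elapsed time, capped at the burst size.
        tokens = min(self.burst, tokens + (ts - last) * self.rate_per_sec)
        if tokens >= 1:
            self._buckets[src] = (tokens - 1, ts)
            return "accept"
        self._buckets[src] = (tokens, ts)
        return "drop-ratelimit"


# Constructed sample of new outbound connections: (timestamp, LAN source, dst port).
SAMPLE_EVENTS = (
    # 192.168.1.20: a compromised device opening 20 connections at once
    [(0.0, "192.168.1.20", 443)] * 20
    # 192.168.1.50: a port-forwarding target (e.g. a home server), same burst
    + [(0.0, "192.168.1.50", 443)] * 20
    # 192.168.1.30: a camera trying to reach telnet on the Internet
    + [(0.5, "192.168.1.30", TELNET_PORT)]
    # 192.168.1.40: a laptop browsing normally, one connection per second
    + [(1.0, "192.168.1.40", 443), (2.0, "192.168.1.40", 80), (3.0, "192.168.1.40", 443)]
    # the flooding device tries again 10 s later, after the bucket has refilled
    + [(10.0, "192.168.1.20", 443)]
)


def apply_policy(events, policy):
    """Run events through the policy in timestamp order; return (event, verdict) pairs."""
    return [(ev, policy.decide(ev[1], ev[2], ev[0]))
            for ev in sorted(events, key=lambda e: e[0])]


def summarize(decisions):
    """Count verdicts, e.g. to compare how much a flood is cut versus normal traffic."""
    return Counter(verdict for _, verdict in decisions)


def run_sample(rate_per_sec=1.0, burst=5, port_forward_targets=("192.168.1.50",)):
    """Fresh policy over SAMPLE_EVENTS; returns the verdict counts."""
    policy = EgressPolicy(rate_per_sec, burst, port_forward_targets)
    return summarize(apply_policy(SAMPLE_EVENTS, policy))


if __name__ == "__main__":
    for verdict, n in sorted(run_sample().items()):
        print(f"{verdict:16s} {n}")
```

With a hypothetical budget of one new connection per second and a burst of five, the flooding device gets five connections through and loses the other fifteen, then succeeds again once the bucket refills; the laptop's pace never touches the limit, which is the "users won't notice" property. The exempt host passes everything, so a port-forwarded server that is itself compromised would be invisible to this control, and the same per-host counters are worth exporting as logs so a host that keeps hitting the limit can be spotted.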