[192351] in North American Network Operators' Group


Re: Spitballing IoT Security

daemon@ATHENA.MIT.EDU (Jean-Francois Mezei)
Wed Oct 26 15:53:02 2016

X-Original-To: nanog@nanog.org
To: nanog@nanog.org
From: Jean-Francois Mezei <jfmezei_nanog@vaxination.ca>
Date: Wed, 26 Oct 2016 15:52:58 -0400
In-Reply-To: <CAJL_ZMP=OR53q9W=YWMGjm==kM_A1FJ_OBWwwWbuP_CK5rMbbw@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org

re: having gadgets certified (aka UL/CSA for electric stuff).

Devil is in the details. Who would certify it? And who would set the
standards for certification?

How fast would those standards change? Updated with each new attack?
Would standards update require agreement of multiple parties who rarely
agree?

Consider vendor X who starts to develop product based on standards
available in Oct 2016, but by the time he gets to market, standards have
changed and his device no longer conforms?

One of the beauties of the Internet is the freedom to innovate while
keeping to the core basic IP packet delivery. Start to regulate it or
add red tape and you start to hinder innovation.

Perhaps the RFC mechanism to define best practices for standalone "IoT"
devices might be a better mechanism.  Those who build IP stacks to be
used wholesale by gadget manufacturers could adhere to that RFC so that
end products end up using a proper IP stack that doesn't easily allow the
device to be "upgraded" to serve Dr Evil's botnet designed to take over
the world.
