[192361] in North American Network Operators' Group
Re: Spitballing IoT Security
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Wed Oct 26 18:24:20 2016
X-Original-To: nanog@nanog.org
To: "Ronald F. Guilmette" <rfg@tristatelogic.com>
From: Valdis.Kletnieks@vt.edu
In-Reply-To: <11878.1477519366@segfault.tristatelogic.com>
Date: Wed, 26 Oct 2016 18:24:16 -0400
Cc: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org
On Wed, 26 Oct 2016 15:02:46 -0700, "Ronald F. Guilmette" said:
> i.e. a multitude of wall plates in every room, each one bristling with a
> multitude of RJ11 sockets into which all manner of shiny new IoT things
> will be directly plugged, thence to be issued their own IPv6 addresses
> directly via DHCP from the local provider.

Actually, it seems to be going to wireless/Bluetooth, and DHCP from the
household router. Note that although a minor difference, it's one that
can be leveraged. If we can change the dynamic from "plug it in and it
Just Works" to "plug it in, and click the pop-up from your router confirming
that you just added a device, and it Just Works after that", the battle is
3/4 won. The other 1/4 is the device initially telling the router what sort
of device it is - and we already know how to do that for USB and Bluetooth...

> Given that, and given that "OpenWRT and kin" often provide the end-user
> with readily accessible dials and knobs via which the user can force the
> device to *exceed* legal/FCC limits on power output, I am not persuaded
> that open source WiFi router firmware actually represents a shining
> example of a methodology to prevent inexpensive devices from behaving badly.

Given that out of the box, the default config is in bounds, and it requires
actual user interaction to exceed the limits, and that we don't see a very
large problem out in the wild, I think we have prior art for the concept
that "shipped with default and clued user can reconfigure" is a workable design.