You're right, I got this confused with another thread.

Lee

On 11/4/16, 11:29 AM, "JORDI PALET MARTINEZ" <jordi.pa...@consulintel.es> wrote:

> I think we are talking about different issues here, the point is security requirement to avoid the CPEs to be easily “controlled” for attacks …
>
> Regards,
> Jordi
>
> -----Original message-----
> From: homenet <homenet-boun...@ietf.org> on behalf of "Howard, Lee L" <lee.how...@charter.com>
> Reply-To: <lee.how...@charter.com>
> Date: Friday, 4 November 2016, 15:42
> To: JORDI PALET MARTINEZ <jordi.pa...@consulintel.es>, Tim Chown <tim.ch...@jisc.ac.uk>, "homenet@ietf.org" <homenet@ietf.org>
> CC: "hannes.tschofe...@gmx.net" <hannes.tschofe...@gmx.net>, Keith Moore <mo...@network-heretics.com>, "rbar...@mozilla.com" <rbar...@mozilla.com>
> Subject: Re: [homenet] write up of time without clocks
>
> > On 11/4/16, 8:11 AM, "homenet on behalf of JORDI PALET MARTINEZ" <homenet-boun...@ietf.org on behalf of jordi.pa...@consulintel.es> wrote:
> >
> > > I guess the problem is that this document is NOT targeted to CPEs:
> > >
> > >     In principle these requirements apply to all hosts that connect to
> > >     the Internet, but this list of requirements is specifically
> > >     targeted at devices that are constrained in their capabilities,
> > >     more than general-purpose programmable hosts (PCs, servers,
> > >     laptops, tablets, etc.), routers, middleboxes, etc. While this is
> > >     a fuzzy boundary, it reflects the current understanding of IoT. A
> > >     more detailed treatment of some of the constraints of IoT devices
> > >     can be found in [RFC7228].
> > >
> > > Not sure if we want a separate document, as it seems to me that the requirements are very close or we may need to reword a bit the text above to make it more clear, etc.
> >
> > We already have a separate document: https://tools.ietf.org/html/rfc7084
> > "IPv6 CE Router Requirements"
> >
> > It says CPE router SHOULD support 6rd and SHOULD support DS-Lite.
> >
> > Lee
> >
> > > Also is BCP the way if we want authorities to mandate it?
> > >
> > > Regards,
> > > Jordi
> > >
> > > -----Original message-----
> > > From: homenet <homenet-boun...@ietf.org> on behalf of Tim Chown <tim.ch...@jisc.ac.uk>
> > > Reply-To: <tim.ch...@jisc.ac.uk>
> > > Date: Friday, 4 November 2016, 12:43
> > > To: "homenet@ietf.org" <homenet@ietf.org>
> > > CC: "hannes.tschofe...@gmx.net" <hannes.tschofe...@gmx.net>, Keith Moore <mo...@network-heretics.com>, "rbar...@mozilla.com" <rbar...@mozilla.com>
> > > Subject: Re: [homenet] write up of time without clocks
> > >
> > > > Hi,
> > > >
> > > > On 4 Nov 2016, at 08:34, JORDI PALET MARTINEZ <jordi.pa...@consulintel.es> wrote:
> > > >
> > > > > Exactly. Same as we have regulations like UL, FCC, EC, etc., the same certifications must care about a minimum set of security, upgradeability, etc., features.
> > > > >
> > > > > So the extra cost for the vendors is almost zero if we are talking about the same certifications entities, just new tests added to the actual sets.
> > > > >
> > > > > If you don’t comply with the certification, your products will not be accepted in customs from a very high number of countries, so you will be somehow forced to follow them.
> > > > >
> > > > > The question here, is homenet the right venue for creating those minimum requirements?
> > > >
> > > > Perhaps contribute to draft-moore-iot-security-bcp-00?
> > > >
> > > > See https://tools.ietf.org/html/draft-moore-iot-security-bcp-00
> > > >
> > > > This was submitted at the Seoul deadline. Authors copied.
> > > >
> > > > Tim
> > > >
> > > > > Regards,
> > > > > Jordi
> > > > >
> > > > > -----Original message-----
> > > > > From: homenet <homenet-boun...@ietf.org> on behalf of "STARK, BARBARA H" <bs7...@att.com>
> > > > > Reply-To: <bs7...@att.com>
> > > > > Date: Thursday, 3 November 2016, 21:19
> > > > > To: Markus Stenberg <markus.stenb...@iki.fi>, Brian E Carpenter <brian.e.carpen...@gmail.com>
> > > > > CC: Philip Homburg <pch-homene...@u-1.phicoh.com>, "homenet@ietf.org" <homenet@ietf.org>, Juliusz Chroboczek <j...@pps.univ-paris-diderot.fr>
> > > > > Subject: Re: [homenet] write up of time without clocks
> > > > >
> > > > > > Yes, I agree it's possible to do better, but what's the incentive for a bottom-feeding vendor of cheap devices to bother?
> > > > > >
> > > > > > I hate to say this, but how about legal solutions?
> > > > > >
> > > > > > My reading of the tea leaves: either the industry creates its own certification plan, or the regulators will do it for us.
> > > > > > Here is a data point:
> > > > > > https://www.euractiv.com/section/innovation-industry/news/commission-plans-cybersecurity-rules-for-internet-connected-machines/
> > > > > > In the US, both the FCC and FTC are showing keen interest.
> > > > > > I'd rather the industry get there first.
> > > > > > And, BTW, it's also been suggested that devices list their "end of life" date when they're sold. After which no updates may be provided. And remotely-triggered "kill switch" may be used if a bad vulnerability is discovered after that date.
> > > > > >
> > > > > > Another recommendation is default passwords be unique per device, and not easily determined from MAC address, firmware revision, etc., and be changeable.
> > > > > >
> > > > > > That is, it's not just about upgradability. It is also passwords, encryption, and messaging/promises/guarantees that are made.
> > > > > > Just like cars now have seatbelts, front and side airbags, crumple zones, and lemon laws.
> > > > > > There are a number of industry whitepapers coming out on this topic, and conferences/meetings being held. It's all the rage right now.
> > > > > >
> > > > > > Barbara
> > > > > > _______________________________________________
> > > > > > homenet mailing list
> > > > > > homenet@ietf.org
> > > > > > https://www.ietf.org/mailman/listinfo/homenet
> > > > >
> > > > > **********************************************
> > > > > IPv4 is over
> > > > > Are you ready for the new Internet ?
> > > > > http://www.consulintel.es
> > > > > The IPv6 Company
> > > > >
> > > > > This electronic message contains information which may be privileged or confidential. The information is intended to be for the use of the individual(s) named above. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, including attached files, is prohibited.