Hi Fred, I'm ok with it.
Regards, Mark. On Tue, 19 Oct 2010 11:40:07 -0700 Fred Baker <f...@cisco.com> wrote: > > On Oct 15, 2010, at 3:40 PM, Brian E Carpenter wrote: > > >> I'd think that recommending having an option that disables unattended > >> automatic update would address this concern. Managed service providers, > >> since they'd be controlling the CPE, could go in and disable unattended > >> automatic updates (if they so desire). > > > > I think the discussion has shown that we (the IETF) don't have consensus > > and that legal and commercial requirements will vary enormously in the > > real world. To me there's only one possible conclusion: the IETF can't > > "legislate" on this. So again here is my suggestion: > > > > REC-13: > > Residential Internet Gateways SHOULD provide a convenient means to > > securely update their firmware, for the installation of security patches > > and other manufacturer-recommended changes. > > I have been following this discussion with a view to figuring out what > recommendations SHOULD be made :-) A key concern I have here, as I said last > week, is the difference between a residential gateway and a laptop; A > laptop's owner at least knows whether an irritating icon is jumping up and > down or has the opportunity to see a dialog box; I don't see that happening > with the router in my equipment closet under the stairs. > > It seems that we agree that there are at least two options that need support: > - automated software update > - manually initiated software update > > One could go into other mechanisms such as having the user download the new > image to a laptop and then TFTP it to a router. Some things are best left > unsuggested, for fear that the vendor might say "hey, that's a great idea!". > > In both cases, the update has to be initiated by the residential CPE, for > scale and reliability, and if automated should be randomized in time for > reasons discussed in RFC 3439. Having the ISP or the vendor manage a list of > the IP addresses of deployed routers is (ahem) problematic. > > In both cases, we need a way to specify the URL and certificate of the > download site. I should imagine the vendor would preconfigure them, and an > ISP running managed services could configure a different URL+certificate in > routers it deploys. There is of course the question of what happens should > the parameter memory get zapped; I would leave that to the vendor. There is > also the question of how the device knows whether it has already downloaded > the image; I for one would do that by having the URL change itself, so that > the client system ca always get access to an older image as a recovery path > and so it can tell whether the image it is requesting is in fact new. > > In preceding recommendations, the format of the document is to state a > recommendation and follow it with an explanatory note. > > Which brings me to this suggestion: > > /* > * suggestion > */ > REC-13: > Residential Internet Gateways SHOULD provide a convenient means to securely > update their firmware, for the installation of security patches and other > manufacturer-recommended changes. > > Vendors can expect users and operators to have differing viewpoints on the > maintenance of patches, with some preferring automated update and some > preferring manual initiation, and those preferring automated update wanting > to download from a vendor site or one managed by the network operator. To > handle the disparity, vendors are well advised if they provide manual and > automated options. In the automated case, they would do well to facilitate > pre-configuration of the download URL and a means of validating the software > image such as a certificate. > /* > * end of suggestion > */ > > Opinions? > _______________________________________________ > v6ops mailing list > v6...@ietf.org > https://www.ietf.org/mailman/listinfo/v6ops -------------------------------------------------------------------- IETF IPv6 working group mailing list ipv6@ietf.org Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6 --------------------------------------------------------------------
