On 15.07.21 23:02, Michael Richardson wrote:
Eliot Lear <l...@lear.ch> wrote:
> What is and is not a good idea is highly contextual in this case. The
> network CAN provide a level of protection to limit attacks on devices, but it
> can only do so if it knows who that device wants to talk to. There is no
> magic here. Either the bindings can be established or they can't.

Right.
So the advice boils down to:

Dear IoT device Manufacturer, if you want your device protected, then avoid playing DNS games that can not be described easily in MUD.

----

Maybe the document would go better as a song?
https://www.youtube.com/watch?v=0NnzChrd0S4

my new lyrics:

A lonely MUD controller gazing out of the window
Staring at a IoT device that she just can't touch
If at any time, he's in a IoT attack, she'll be by his side
But he doesn't realize he hurts the Internet so much
But all the DNS-filtering just ain't helping at all
'Cause he can't seem to keep hisself out of 8.8.8.8
So he goes out and he connects to the cloud the best way he knows how
Another TLS connection laying cold in the IDS
Listen to me

[Chorus: TLC]
Don't go chasing DNS flows
Please stick to the servers and the stub resolvers that you're used to
I know that you're gonna have it your way or nothing at all
But I think you're moving too fast

--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] m...@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg