<html> <head> <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> </head> <body bgcolor="#FFFFFF" text="#000000"> Hi Gordon, I think we are looking at this through different lenses. You are considering the risks of inhibiting permissionless innovation, and mine is the inability of the consumer to actually manage access. Here's a little graphic I like to use in this context... <img src="cid:part1.6CC030B7.9A1DAB28@ofcourseimright.com" alt="" height="228" width="486"> It is inline with a presentation Andrew Sullivan gave in November at the IETF over what happened with Mirai. My goal is to thread the needle in the middle. We need to give consumers a meaningful way to address security considerably more holistically than has been done in the past. Certainly CPE gear today don't begin to cover the gap. And consider this- DDOS attacks we are now seeing are beginning to be dominated not by PCs and servers, but by Things. In answer to your question, “What is a thing?” everyone has their own definition, but as an engineer let me give you mine, and my logic: a Thing is a device that has a single or small number of uses and has a transceiver. The Internet of Things is the collection of those Things that have some form of Internet access. My logic is simple: if we include general purpose computing, the problem is entirely unconstrained. If we use a definition such as mine, then we can say that because a Thing has a single or small number of uses, those uses are easy (easier?) to authorize. This doesn't harm permissionless innovation so long as the designer of the Thing can communicate to the network its intentions. To put a cherry on the Sundae, however, the consumer needs to remain the ultimate arbiter of what is allowed or not allowed. The challenge is that the consumer must be presented with decisions that he or she can comprehend. Asking the consumer about which ports to open on a firewall isn't helpful. “A port? What's a port?” THAT is where I believe the SP has a role. But just because *I* believe it doesn't mean any SP believes it. And making my view of the future reality would require a lot of service providers to really Step Up. Finally, let me add one regulatory thought. Consumers might rightly be concerned about trusting a service provider to handle all of this. Consumers might want choices to handle all of this. Service providers must earn that trust, and an appropriate regulatory framework can help. That doesn't mean NO regulation, nor does it mean lot's of regulation. But the goal should be to instill trust. Cooperative security, which this is, hinges on that. Eliot <div class="moz-cite-prefix">On 4/19/17 11:02 AM, Gordon Lennox wrote: </div> <blockquote cite="mid:03AF2CE5-4FB8-4421-9996-03B167E31007@gmail.com" type="cite"> <pre wrap=""> Item: <a class="moz-txt-link-freetext" href="https://www.theregister.co.uk/2017/04/13/aga_oven_iot_insecurity/">https://www.theregister.co.uk/2017/04/13/aga_oven_iot_insecurity/</a> Miscreants can remotely turn off and on posh Aga ovens via unauthenticated text messages, security researchers have warned. Going back to Eliot’s original questions: ** What about the role of the service provider? Can the service provider take a more direct part in assisting the consumer in protecting themselves, and if so, what help is needed from manufacturers, CPE vendors, and yes, companies like mine (Cisco)? Upfront I ought to say that I am still not clear if everybody agrees on what a “thing” is in this context. And what is not a “thing”? I am not even clear that everybody is referring to the same internet when they are talking about the IoT. And what is the “problem” we are trying to solve? Is it that “things” are participating in dDoS attacks elsewhere? Is it that a DoS attack on a domestic network would now have significant bad effects given the increasing reliance we have on our “things"? Is it that our “things" are being used to breach privacy? Are there safety issues? I am though making the presumption that Eliot is talking about access providers and not about those who manufacture or sell “things” or provide services related to specific things. The basic problems seem clear. We don’t produce quality software, quality systems, not even when it concerns safety and security. And the Economist seemed to suggest recently we never will. We don’t even do life-cycle management that well, if at all. There seem to be two modes of operation: "ship and patch" or "ship and forget”. And given the increasing inter-relationships within and between systems it is not clear which is preferable in general. I must be far from the only person who put off and put off and put off upgrading - migrating? - to the latest version of macOS, despite being nagged and nagged by Apple, because GPG was not compatible with it. We do know however that “things” have been connected to the Internet since like forever - which is why some very experienced people in our community prefer talking about the “so-called IoT”? We also know however that the number of network connected devices is increasing. And that the number of services / apps involved with any particular device is often increasing. And the interactions between different devices/services/apps is increasing. And the number of organisations and individuals “inventing” new stuff is increasing. And of course the number of users is certainly increasing. But do the issues vary between a health/fitness app on my phone and me wearing a device providing similar functions that connects to my phone? My phone listens to me and tracks me. And my TV both listens to me and watches me. Of course my content and information suppliers - what were newspapers, books, tv and cinema - know what I look at and when, no matter what device I use. And my next watch may log where I go on public transport while hopefully also telling me the local time. And the building security system watches me come and go. And my camera already talks WiFi. And somehow my headphones just needed a software update. And my next car may have multiple SIM cards which will track me in detail and yet also also have safety implications. Happily my fridge still tends mostly towards cold beer. What I see around me is that people are having significant problems keeping track of their multiple devices, including their multiple logins and services which work on one network and not another, and how various devices and services interact. But the idea of using Facebook to provide the unique authenticated ID seems scary. And then we share or sell or pass on devices to others. Anyway I am very wary of giving more control to access providers, of allowing them to take more control, for a number of reasons. Both individuals and increasingly households have multiple access providers. People with their crossover phones - are they still phones? - are continually moving between networks - WiFi, 3G, 4G - at home, at work, while commuting, travelling, roaming and so on. Sometimes they are on more than one network at the same time. For the domestic environment see the HomeNet presentation by Mark Townsley previously mentioned. And of course the workspace is similar. Except I would presume there that many organisations have long accepted that, given the nomadic nature of user devices, relying only on a corporate firewall is a touch naive. However even just the traffic associated with one device going through one access provider to, as the user sees it, one service is more complex than many people realise. See the little paper that Patrik and I produced and we did not delve too deep. So we have increasing local complexity and external complexity. But if we ignore that for the moment we will obviously see the usual candidate solutions. At the device level we have been through a lot of the arguments. See Hush-a-Phone, the Carterfone and more for old US history. And in the EU we had the Terminal Equipment Directive. Until the incumbents started to impose their “Box's”? And now more recently the discussions on Network Neutrality. The idea that you have to ask permission from your access provider to use a networked device seems very old school. In addition it now takes me a bit of effort - not yet too much? - to identify all the networked devices in my home. And then of course we have the Raspberry Pi community! We still believe in "permission-free innovation” don’t we? So I don’t see how we could expect users to notify their multiple access providers of their devices. But I also don't expect access providers to be allowed to keep track of those devices. Even if that, without SIMs, was to some extent possible it would now be seen as just too damn intrusive. We seem not entirely happy accepting this kind of thing for terrorism: I don’t see us doing it for rogue refrigerators. Indeed the IETF has identified significant surveillance as an attack. I find it difficult to see how we can now try and reclassify that kind of “attack” just because we cannot code air-conditioning systems properly. Going up a level we have the notion of blocking certain IP addresses or port numbers or domain names. Again we have been there before. It has worked when, for well-known reasons, there has been enough of a consensus and acceptable alternatives. I am thinking of course of port 25. But when it has been a question of trying to restrict access to certain content - whether copyrighted material or content related to child abuse - blocking, filtering or redirecting has not been the panacea that some legislators expected. If the issue is that a domestic network is “participating” in some kind of more widespread network-related problem then blocking all traffic from that network - all traffic to that network? - may have been a solution. But given that some form of connectivity is now seen as so important - essential for normal participation in society, if not a human right - then that may tend to be seen as too extreme. Rate limiting or throttling plus a clear indication being sent for the motive may still be seen as acceptable. If the access provider can, with the minimum of intrusion, identify when traffic is abnormal? But given that applications and services will more and more have health and safety implications then serious care is needed. If we are though in the area of blocking, redirecting or rate capping then there still has to be a reasonable way for an access provider to communicate with the user. We seem to be in a process whereby we have to give more and more information to do stuff. To read a newspaper we need to give an email address. To manage an email account we need to give a phone number. Increasing the number of players who need more and more information may not be the way to go. And yet how can we be sure the message gets through? When my access provider had a problem a while back I lost not only internet connectivity through them but also my TV connection and my fixed telephone service. Of course I had alternative ways of finding out what was happening and reporting the problem. I am not sure all my neighbours were the same. I hope that many of them do not spend as much time as I do with a screen and a keyboard. Going up another layer we might envisage blocking certain applications or services, for security reasons or safety reasons. But I think we know where that tends to lead. All in all, given the richness and complexity of connected activities, surveillance and interference of domestic traffic by access providers is not going to be well regarded in general - and it may simply be illegal. Nor is it liable to be that effective? Even if it was ever going to be feasible? The more we take surveillance as a “bad thing” the more we will encrypt, with the resulting loss of transparency in the core. Maybe the IP layer is just not where we should be looking for the solution to specific problems. ** What role does/should the government play? Governments, here, there, everywhere, will do whatever. And is this really one of the better moments to talk about governments given that we will now have a series of elections in major EU countries? I accept there are contradictions in what governments do. See “The Organization of Hypocrisy” by Nils Brunsson or "Why Leaders Lie” by John Meersheimer or so many more. I accept that it can get complicated. Anyone for some new free trade negotiations? But governments are still just about people, people who are not always that much brighter than you, people who in any case tend to lack magical powers. They can help. But they cannot easily help with a problem that we as stakeholders - horrible term - have not begun to properly define. I sometimes think about it as going to see your general practitioner. Go with an ill-defined “feeling” and you may be in for some "tests” - too many tests? Go with some signs and symptoms and be ready for a conversation and you might come out cured. I was invited though to talk at EuroIX some years back about the “government” in Brussels. I said there were three things that they did. *** Policy. Talk about stuff. See if there is a consensus. Try and develop a consensus. Push certain ideas. Fund groups. Organise meetings. Not to be underestimated. But it takes time, effort, resources to get really involved. There are very many specialists, lobbyists, in Brussels. And in the end of course you can disagree with government policy. *** Make rules. Regulate and legislate. It takes time - and what goes into the sausage-making machine often does not resemble what come out: you may not like that sausage, a sausage you are now expected to eat. And once rules are agreed it can take a long time to change them. The resources to fully enforce the “rules” though may simply not always be there. But ignoring the rules tends not to be an option for most folk. *** And funding... There is a continuum between policy and rules and funding. Policy helps define the rules to be agreed and policy helps decide how strongly rules will be enforced or not. But funding, in one form or another, tends to be what makes it happen. So what should we expect from governments? I would rather ask what we could or should ask from governments, how can we and should we engage. I think we could engage in any policy discussions. Primarily to bring in some reality? Stop them killing the internet? I would so much hope we can avoid things like the Y2K disaster games. I still have the scars. There is a downside of course in that by just being there you may bring credibility to the issue. NCC and ISOC were there and so obviously they agree with the importance of the issues and endorse the outcome? We should also be wary of the “problem” being punted off to some organisation. The choice of organisation - ITU, ETSI, ENISA, ICANN and not the IETF or the RIRs - sort of defines the answers we might expect in so many ways. When it come to wanting rules. Be careful. Be very careful. Not least because if we get it wrong it will stay wrong for a while! - - - And responding to Patrik’s bullets - because I have too! ;-) A. Sort the quality problem. Yes please. But how come big resource-rich companies - make your own list - are patching and patching and then patching again. Until end-of-life? I am not clear what we ought to be able to expect from the rest. B. Stickers, seals, logos, MoUs have been popular for a long time. One more? Some more? C. I don’t think the Parliament is going to be that happy recommending that an access provider can cut off a domestic customer suddenly and completely. An awful lot of safeguards would be required. And even then. D. Public procurement? It would be nice if that was done better from an internet engineering perspective. But public procurement is political. The big battles have tended to be around local preference rather than IPv6. Looking back though we have tried to make the technical rules clearer, both in terms of interconnection and security. GOSIP? Common Criteria? And much more. And we have had national successes which were both good and bad - good for a time and then bad? But if you want to enforce rules then you need a body to make those rules. Sorry Patrik but just asking you is not an option. ;-) So who? ETSI? CENELEC? And I feel not the IETF. RFCs provide “advice to consenting engineers": they are not always ideal procurement specs. - - - The IoT, for any soft definition of IoT, is going to pervasive and ubiquitous. The devil is though going to be in the detail. Potentially in every line of code? I don’t think there will be a single solution, a single set of rules. I am not even sure if yet another set of principles - maybe however some OECD guidelines? - would be useful at this stage. But maybe. And if not that then one problem at a time? I am still not clear where the human rights activities in the IRTF may go. I say that while thinking human rights are important - apparently some people, some states do not? I say that though having watched how the IETF security directorate worked over the years. And protocol security clearly involves more engineering considerations? But the evolving IoT will involve human rights considerations. Privacy, the new surveillance, safety and so on. But if I had a wish from industry it would be for some clarity on what the IoT toys we buy are doing. I don’t buy some stuff because I don’t know enough about what is happening. I have stopped using stuff because I felt that the device was being too intrusive. When asked for advice I have found myself doing some kind of reverse engineering to try and figure out what might be going on. (They sprinkled Golden Crypto Dust on it. So everything is OK? Well maybe not…!) And of course I don’t always have an indication that something has gone wrong. And alongside that maybe some tools that I could use on my network that would help me understand what my network is doing? But that is probably too much to ask right now. Pause… See you at 74. :-) Gordon @ TDRS _______________________________________________ iot-discussion mailing list <a class="moz-txt-link-abbreviated" href="mailto:iot-discussion@ripe.net">iot-discussion@ripe.net</a> <a class="moz-txt-link-freetext" href="https://lists.ripe.net/mailman/listinfo/iot-discussion">https://lists.ripe.net/mailman/listinfo/iot-discussion</a> </pre> </blockquote> </body> </html>