Re: TLS on disconnected/intermittently connected networks

[Keith Moore <moore@network-heretics.com>]

On 3/4/21 5:02 PM, Sam Hartman wrote:

>      Keith> I've written code for a variety of environments like these
>      Keith> for the last 13 years or so: gas pipeline monitoring,
>      Keith> broadcast television operations, traffic signal
>      Keith> monitoring/control, factory monitoring/automation, avionics,
>      Keith> cryogenic dewar monitoring for various kinds of environments,
>      Keith> and some others that don't come to mind immediately.   For
>      Keith> the environments I've worked with, any of that kind of stuff
>      Keith> would be a non-starter.     DNS is rightly seen as yet
>      Keith> another reason for things to fail, and factories, gas
>      Keith> pipelines, etc. are intolerant of lines being shut down
>      Keith> because some IT guy wanted to use a name rather than an IP
>      Keith> address. Static IPs work just fine for these situations.
>
> We're not really in agreement here.
> I suspect that was true 20 years ago.
> I suspect that was believed to be true 10 years ago, and was possibly
> true in important cases.
I can only report what I've seen in my own experience, from circa 2007 
up to and including 2020.
> But over time we've gotten better at providing redundant automated
> infrastructure for things like naming etc.
>
> I think we've reached a point now where the advantages of having naming
> outweigh the disadvantages.

I'd love to hear you make that argument to some of the customers I've 
talked to and see what their responses are.   Maybe they'll eventually 
come around, but different communities have developed different ideas of 
what makes for good operational practice, based on their own 
requirements and experiences.   Meanwhile, trying to tell customers that 
they should do things differently than they "know", that your experience 
from a different environment trumps their experience with their own 
environment, seems like a pretty ineffective way to sell product and a 
pretty good way to market for your competitors.

>      Keith>     Keith> External connections are also regarded as security
>      Keith>     Keith> threats
>
> I'm disappointed to see  you bringing a red herring like this into the
> conversation. We were both explicitly talking about disconnected/intermittantly
> connected networks.  Appealing to external connections would clearly not be the answer there.

Glad we agree on that.  I only wrote it because lots of IETF people who 
might respond to this thread seem to insist that part of the right 
solution is for all of these networks to connect to the public Internet, 
perhaps through a firewall, so that they can query the public DNS, and 
get firmware updates and root cert updates along with those, perhaps 
CRLs also.

I do get your point that we're better at providing reliable 
infrastructure than we used to be, and maybe someone will figure out how 
to package this really cleanly so that it doesn't require a lot of 
expensive hardware to support in the field.   But I'm not sure how much 
that would address these customers' concerns.   It's pretty hard for IP 
address lookup to fail if you start with the IP address.   And they're 
not renumbering their hosts so they don't need DNS or similar service to 
have stable endpoint names.

Keith