Re: [saag] draft-moore-iot-bcp-00 (Best Current Practices for Securing Internet of Things (IoT) Devices)
Loganaden Velvindron <logan@afrinic.net> Tue, 08 November 2016 07:43 UTC
Return-Path: <logan@afrinic.net>
X-Original-To: saag@ietfa.amsl.com
Delivered-To: saag@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C30B8129440 for <saag@ietfa.amsl.com>; Mon, 7 Nov 2016 23:43:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -8.398
X-Spam-Level:
X-Spam-Status: No, score=-8.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-1.497, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9PIgkfOc8VMI for <saag@ietfa.amsl.com>; Mon, 7 Nov 2016 23:43:02 -0800 (PST)
Received: from smtp.mu.afrinic.net (smtp.afrinic.net [IPv6:2001:43f8:90:606::169]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22EC31293D8 for <saag@ietf.org>; Mon, 7 Nov 2016 23:43:00 -0800 (PST)
Received: from [2001:43f8:90:250:5879:d0c1:5501:9e3f] (port=55956 helo=rnt-eng2.dhcp.mu.afrinic.net) by smtp.mu.afrinic.net with esmtpsa (UNKNOWN:AES128-SHA:128) (Exim 4.72) (envelope-from <logan@afrinic.net>) id 1c413X-000Bb5-Vj for saag@ietf.org; Tue, 08 Nov 2016 07:42:55 +0000
To: saag@ietf.org
References: <63ae04d9-9a31-498c-3333-2801a72338f0@network-heretics.com>
From: Loganaden Velvindron <logan@afrinic.net>
Message-ID: <99b43920-ee16-3cb2-731b-941718749cf5@afrinic.net>
Date: Tue, 08 Nov 2016 11:42:54 +0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:45.0) Gecko/20100101 Thunderbird/45.2.0
MIME-Version: 1.0
In-Reply-To: <63ae04d9-9a31-498c-3333-2801a72338f0@network-heretics.com>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/saag/IhJMBFbZ8OBPyjxkf4Z2x-5y8C8>
Subject: Re: [saag] draft-moore-iot-bcp-00 (Best Current Practices for Securing Internet of Things (IoT) Devices)
X-BeenThere: saag@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Security Area Advisory Group <saag.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/saag>, <mailto:saag-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/saag/>
List-Post: <mailto:saag@ietf.org>
List-Help: <mailto:saag-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/saag>, <mailto:saag-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Nov 2016 07:43:03 -0000
On 11/5/16 5:25 AM, Keith Moore wrote: > Stephen Farrell suggested I bring this draft to your attention. This > was a rush job as the authors just started talking about this last > Friday, but it was written in response to recent DDoS attacks that > utilized easily-compromised IoT devices. I'm sure there are missing > pieces (I've identified a few since -00) and sections that could be > stated better (like the title of section 2.3.2), but hopefully this is > a useful start. > > https://datatracker.ietf.org/doc/draft-moore-iot-security-bcp/ [Speaking for myself] That's a great start. Can you please consider adding section 2.6.3. Sandboxing techniques Device firmware SHOULD be designed to restrict processes attack surface by isolating them in sandboxing, in addition to privilege minization. In case of compromise, the attack surface is significantly reduced, particularly in the case of privilege minimization. [I'm thinking about OpenSSH and Linux seccomp-bpf sandbox, and also techniques like OpenBSD's pledge] > > Keith > > > _______________________________________________ > saag mailing list > saag@ietf.org > https://www.ietf.org/mailman/listinfo/saag
- [saag] draft-moore-iot-bcp-00 (Best Current Pract… Keith Moore
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Natasha Rooney
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Hannes Tschofenig
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Natasha Rooney
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Ira McDonald
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Ronald del Rosario
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Loganaden Velvindron
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Ari Keränen
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Watson Ladd
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Hannes Tschofenig
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Garcia Morchon O, Oscar
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Adam Montville
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Michael Richardson
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Garcia Morchon O, Oscar
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Ben Laurie
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Ben Laurie
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Peter Gutmann
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Adrian Hope-Bailie
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Eliot Lear
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Peter Gutmann
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Jeffrey Walton
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Jeffrey Walton
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Hannes Tschofenig
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Carsten Bormann
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… Peter Gutmann
- Re: [saag] draft-moore-iot-bcp-00 (Best Current P… kathleen.moriarty.ietf