Re: [T2TRG] [saag] New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt

Peter Gutmann <pgut001@cs.auckland.ac.nz> Wed, 05 April 2017 06:44 UTC

From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
To: Barry Raveendran Greene <bgreene@senki.org>, Eliot Lear <lear@cisco.com>
CC: Mohit Sethi <mohit.m.sethi@ericsson.com>, "T2TRG@irtf.org" <T2TRG@irtf.org>, "saag@ietf.org" <saag@ietf.org>, "Kumar, Sandeep" <sandeep.kumar@philips.com>
Thread-Topic: [saag] [T2TRG] New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt
Date: Wed, 05 Apr 2017 06:44:27 +0000
Message-ID: <1491374652157.84909@cs.auckland.ac.nz>
References: <149096223256.21673.7096150636636687245.idtracker@ietfa.amsl.com> <1546ba0e65e946b681ccec46f2abcd8c@DB5PR9001MB0165.MGDPHG.emi.philips.com> <483ad18f-5ded-96e0-3008-1d0eb38f5566@cisco.com>, <0DC0BAC2-C6BA-4D15-9343-60642BBD93C7@senki.org>
In-Reply-To: <0DC0BAC2-C6BA-4D15-9343-60642BBD93C7@senki.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/t2trg/e9KJ3cbNW2fYeSyh6gFq36elfbM>
Subject: Re: [T2TRG] [saag] New Version Notification for draft-irtf-t2trg-iot-seccons-02.txt

Barry Raveendran Greene <bgreene@senki.org> writes:

>A survey of all the IoT Security “standards” and “guidelines” assumes we can
>remediate the violated IoT device. I put forward for the IETF that we cannot
>assume remediation. We have to assume that we cannot remediate. Hence, we
>need other tools in the network to mitigate the risk.

That's always struck me as a bit odd as well when I read some standard for
secure firmware update: for IoT devices like the Raspberry Pi and similar
Linux-based/like devices the update process is already sorted (apt-get update),
and for SCADA/embedded or whatever running some RTOS it can't be updated;
whatever you ship today will be used in that form for the next ten to twenty
years (or more, I've seen fifty-year-old ladder logic controllers still in
active use).  So the diagram in Figure 1 is replaced after "application
running" with a dotted line leading up to the present day: there's no updates,
no reconfiguration, no maintenance and re-bootstrapping, it just keeps running
once put into service.

I don't want to start nitpicking individual bits of the draft, but I think it
would help if it laid out what's meant by "IoT", are we talking Android phones
(mentioned in one place), fridges, PLCs, routers, what?  Or perhaps come up
with a few sample device profiles and provide specific advice for each case.
At the moment it's so generic that it seems to be one-size-fits-nothing...
it's like trying to write safe-driving instructions that have to cover cars,
buses, trucks, motorbikes, locomotives, boats, oil tankers, jet skis, jet
aircraft, jet bikes, scooters, and submarines.

Peter.