Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC

"de Brün, Markus" <markus.debruen@bsi.bund.de> Mon, 18 November 2013 10:37 UTC

From: "de Brün, Markus" <markus.debruen@bsi.bund.de>
Organization: BSI Bonn
To: v6ops@ietf.org, Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
Date: Mon, 18 Nov 2013 11:37:21 +0100
References: <201311101900.rAAJ0AR6025350@irp-view13.cisco.com> <CAB0C4xM_eN7x-4G6YYku+t=X_w3c7LiEU6AR1EDvhT6Kea_hqw@mail.gmail.com> <1384583413.2103.YahooMailNeo@web142501.mail.bf1.yahoo.com>
In-Reply-To: <1384583413.2103.YahooMailNeo@web142501.mail.bf1.yahoo.com>
Message-ID: <201311181137.21672.markus.debruen@bsi.bund.de>
Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC

> >[...], but does this mean accessible from anywhere on the Internet ?

> Actually, I think you're probably going to want your refrigerator to be
> able to access the Internet, [...]

"Access to the internet" and "accessible from the internet" are two separate 
things. Perhaps I want my fridge to access the internet but not the other way 
around.

There was a vulnerability in some heating systems a few months ago [1]. An 
attacker could remotely shut down the heating. This is the kind of thing one 
does not want to happen.

Regards,
Markus

[1] http://www.heise.de/security/meldung/Vaillant-Heizungen-mit-Sicherheits-Leck-1840919.html



__________ original message __________

From:		Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
Date:		Saturday, 16 November 2013, 07:30:13
To:		Marc Lampo <marc.lampo.ietf@gmail.com>, Mikael Abrahamsson 
<swmike@swm.pp.se>
Cc:		"v6ops@ietf.org WG" <v6ops@ietf.org>
Subject:	Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC

> >________________________________
> > From: Marc Lampo <marc.lampo.ietf@gmail.com>
> >To: Mikael Abrahamsson <swmike@swm.pp.se>
> >Cc: "v6ops@ietf.org WG" <v6ops@ietf.org>
> >Sent: Thursday, 14 November 2013 9:50 PM
> >Subject: Re: [v6ops] draft-ietf-v6ops-balanced-ipv6-security WGLC
> >
> >
> >
> >I realise now that "unsolicited" is a word allowing multiple
> > interpretations (but also used in RFC 6092).  But we seem to have got it
> > right.
> >
> >Anyway, the fact that some service, on an internal device, is willing to
> > accept connections on port XYZ, does not, in my opinion, imply that those
> > connections may also come from the outside Internet. Back to the example
> > with the refrigerator:
> >suppose it has a service (port XYZ) that allows it to be queried for its
> > contents.
> >
> >Probably great when one is at home, but does this mean accessible from
> > anywhere on the Internet ?
> >
> >In my opinion: not before the owner has explicitly instructed his CPE to
> > allow incoming connections (RFC 6092, REC-48).
>
> Actually, I think you're probably going to want your refrigerator to be
> able to access the Internet, as well as your toaster, answering machine,
> rice cooker, washing machine etc.
>
> I think appliances, if they aren't already, are going to become computers,
> with as much done via software/firmware as possible, instead of hardware,
> because hardware is much harder and more expensive to change, both during
> development and after it is sold to the customer.
>
> However, software/firmware is still hard to change if the customer has to
> either take it back to the manufacturer, or plug a PC or USB stick into it
> to update the software/firmware. Having the device be able to update itself
> over the Internet will be both much more user/customer friendly and much
> cheaper for the manufacturer. 
>
> So manufacturers have an incentive to make their appliances be able to
> attach to the Internet, and their customers have an incentive to attach
> them. As with tablets and smartphones, the manufacturer won't be able to
> vouch for the existence of any upstream network "firewalls", nor will they
> successfully be able to ask the customer of their existence, so the
> manufacturer will have to assume the worst, and therefore harden the
> appliance against publicly addressed unfettered Internet access.
>
> Regards,
> Mark.
>
> _______________________________________________
> v6ops mailing list
> v6ops@ietf.org
> https://www.ietf.org/mailman/listinfo/v6ops
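The distinction the thread turns on ("access to the internet" versus "accessible from the internet", with inbound connections only after the owner explicitly opens them on the CPE) is easiest to see as a stateful forwarding filter. The Python model below is an added example written for this page; it is not code from the thread, from any CPE vendor or from RFC 6092. The prefixes, the fridge and update-server addresses, the fridge's port 8080 and the `SimpleSecurityFilter` API are all constructed for illustration.

```python
"""Model of a residential CPE's default IPv6 forwarding policy: hosts inside
may open connections outward, replies to those connections are let back in,
and any other inbound connection is dropped unless the owner has configured
an explicit pinhole. Addresses and ports are constructed for the example."""
from dataclasses import dataclass
from ipaddress import IPv6Address, IPv6Network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


class SimpleSecurityFilter:
    """Hypothetical stateful filter sitting on the CPE's forwarding path."""

    def __init__(self, inside: str, pinholes=()):
        self.inside = IPv6Network(inside)
        # Owner-configured exceptions: (inside address, proto, port).
        self.pinholes = set(pinholes)
        # Connection state learned from outbound packets, keyed by 5-tuple.
        # A real implementation also expires these entries; omitted here.
        self.flows = set()

    def _is_inside(self, addr: str) -> bool:
        return IPv6Address(addr) in self.inside

    def add_pinhole(self, addr: str, proto: str, port: int) -> None:
        """The owner explicitly allows unsolicited inbound traffic to one service."""
        self.pinholes.add((addr, proto, port))

    def forward(self, pkt: Packet) -> str:
        src_in, dst_in = self._is_inside(pkt.src), self._is_inside(pkt.dst)
        if src_in and not dst_in:
            # Outbound: the device is accessing the internet; remember the flow.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return "ACCEPT"
        if dst_in and not src_in:
            # Inbound: only exact replies to a known outbound flow pass ...
            reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
            if reverse in self.flows:
                return "ACCEPT"
            # ... or traffic to a service the owner has explicitly opened.
            if (pkt.dst, pkt.proto, pkt.dport) in self.pinholes:
                return "ACCEPT"
            return "DROP"
        # Inside-to-inside or outside-to-outside traffic is not this filter's job.
        return "DROP"


# Constructed addresses: the home prefix, the fridge, its vendor's update
# server and an unrelated host on the internet.
HOME_PREFIX = "2001:db8:1::/64"
FRIDGE = "2001:db8:1::10"
UPDATE_SERVER = "2001:db8:ffff::1"
STRANGER = "2001:db8:bad::1"


def demo() -> dict:
    """Walk through the cases from the thread and return the verdict for each."""
    fw = SimpleSecurityFilter(HOME_PREFIX)
    results = {}
    # The fridge fetches a firmware update: outbound, allowed.
    results["fridge_out"] = fw.forward(Packet(FRIDGE, UPDATE_SERVER, "tcp", 51000, 443))
    # The update server's reply matches the recorded flow: allowed.
    results["reply_in"] = fw.forward(Packet(UPDATE_SERVER, FRIDGE, "tcp", 443, 51000))
    # A stranger sending from port 443 does not match the flow's source: dropped.
    results["spoofed_reply"] = fw.forward(Packet(STRANGER, FRIDGE, "tcp", 443, 51000))
    # The fridge's "query my contents" service (port 8080) is reachable at home,
    # but an unsolicited connection from the internet is dropped ...
    results["unsolicited"] = fw.forward(Packet(STRANGER, FRIDGE, "tcp", 40000, 8080))
    # ... until the owner explicitly opens that one service.
    fw.add_pinhole(FRIDGE, "tcp", 8080)
    results["after_pinhole"] = fw.forward(Packet(STRANGER, FRIDGE, "tcp", 40000, 8080))
    # The pinhole is per service; a neighbouring port stays closed.
    results["other_port"] = fw.forward(Packet(STRANGER, FRIDGE, "tcp", 40000, 8081))
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15s} {verdict}")
```

The model covers only TCP and UDP; a real CPE filter must additionally pass the ICMPv6 messages that IPv6 depends on (Packet Too Big for path MTU discovery, for instance, per RFC 4890), or the fridge's own outbound connections will break in ways that look like network faults rather than policy.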