On Mon, Feb 6, 2017 at 7:14 PM, joel jaeggli <joelja@bogus.com> wrote:
On 2/6/17 2:31 PM, William Herrin wrote:
This afternoon's panel about IoT's lack of security got me thinking...
Hi Joel, For clarification I was referring to this: http://nanog.org/meetings/abstract?id=3051 The long and short of the panel was: as an industry (device vendors and service providers both) it behooves us to voluntarily get on top of the IoT security problem before some catastrophic event requires the government to dictate the precise manner in which we will get on top of the problem.
What about some kind of requirement or convention that upon boot and successful attachment to the network (and maybe once a month thereafter), any IoT device must _by default_ emit a UDP packet to an anycast address reserved for the purpose which identifies the device model and software build.
Self-identification is privacy-hostile and tantamount to indicating a willingness to be subverted (this is why we disable LLDP on external interfaces), even if it would otherwise be rather useful. The use of modified EUI-64 addresses as part of v6 address selection has basically gone away for similar reasons.
I'm not sure how we get on top of the problem without offering an effective network kill switch to the nearest security-competent person. I think I'd prefer a user-disableable kill switch used on a single piece of equipment to a kill switch for my entire Internet connection.

The IPv6 SLAAC address suffers a rather worse case of the privacy problem since it allows the entire Internet to track your hardware, not just your local ISP.

In any case, I thought "how do we fix this long term" could stand discussion on the list. Because yes, the IoT device vendors mostly produce trash and if (to borrow a phrase) it saves them a buck at retail they will keep producing trash. But we're the ones letting that trash cause nation-scale problems and when the regulatory hammer crashes down it's gonna hit us all.

On Mon, Feb 6, 2017 at 7:10 PM, Michael Thomas <mike@mtcc.com> wrote:
Uh, yuck at many levels. Do you leak your cisco ios versions to the internet?
Hi Michael,

I'm not aware of any Cisco IOS devices that qualify as IoT. Some lighter weight Cisco gear, yes. And no, I do not want to broadcast my information. But I'm a professional who customizes my gear when I plug it in. I don't run with the defaults.
Do you really want the responsibility for the remote kill switch for IoT S&M gear?
I already have the kill switch for the customer's entire S&M transit link. I'd prefer to also have a smaller hammer whose use won't net me a furious call from Sales.
And of course, you're depending on RFC 3514, right?
Nope. I'll decide what's evil and what's not (more likely I'll pay a service to provide me a regularly updated database) and I depend only on a high enough percentage of the devices offering themselves up for that decision that it becomes impractical to construct another Mirai.

Regards,
Bill Herrin

--
William Herrin ................ herrin@dirtside.com bill@herrin.us
Owner, Dirtside Systems ......... Web: <http://www.dirtside.com/>
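The SLAAC tracking concern raised in the thread (a modified EUI-64 interface identifier embeds the hardware MAC, so anyone who sees the address can recover the MAC and its vendor OUI) is easy to demonstrate. The following is an added example, not code from the thread or from any of its participants; the prefix and MAC it uses are constructed for illustration, and the derivation follows RFC 4291 Appendix A.

```python
"""Modified EUI-64 interface identifiers: derivation and recovery.

Added example (not from the mailing-list thread). It shows why a SLAAC
address built from the hardware MAC (RFC 4291, Appendix A) lets any remote
observer recover the device's MAC, and with it the vendor OUI. The sample
MAC and prefix used at the bottom are constructed, not real devices.
"""
import ipaddress


def mac_to_modified_eui64(mac: str) -> bytes:
    """Build the 8-byte modified EUI-64 interface ID from a 48-bit MAC.

    RFC 4291 Appendix A: split the MAC in two, insert 0xFFFE between the
    halves, and flip the universal/local bit (0x02) of the first octet.
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    first = octets[0] ^ 0x02
    return bytes([first]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Combine a /64 prefix with the EUI-64-derived interface identifier."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 needs a /64 prefix")
    iid = int.from_bytes(mac_to_modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def recover_mac(addr: str):
    """Return the embedded MAC as 'aa:bb:cc:dd:ee:ff' if addr carries a
    modified EUI-64 identifier, otherwise None.

    The 0xFFFE marker in octets 3-4 of the interface identifier is the
    tell; a random (RFC 4941) or hashed (RFC 7217) identifier will only
    rarely carry it by chance.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join(f"{b:02x}" for b in octets)


def oui(mac: str) -> str:
    """The first three octets of a MAC are the IEEE-assigned vendor OUI."""
    return mac.upper()[:8]


if __name__ == "__main__":
    # Constructed sample values for illustration only.
    prefix = "2001:db8:1234:5678::/64"
    mac = "00:1c:42:aa:bb:cc"
    addr = slaac_address(prefix, mac)
    print(addr)                                  # 2001:db8:1234:5678:21c:42ff:feaa:bbcc
    print(recover_mac(str(addr)))                # 00:1c:42:aa:bb:cc
    print(oui(recover_mac(str(addr))))           # 00:1C:42
    # A privacy-extension style identifier gives the observer nothing:
    print(recover_mac("2001:db8:1234:5678:8d1f:3a7c:9e02:4b6d"))  # None
```

Run it as a script to see the derived address, the recovered MAC, and the `None` for an identifier without the `ff:fe` marker. The check in `recover_mac` is exactly the one a passive observer (or a scanner building a device inventory) would apply; it is why hosts moved to RFC 4941 temporary addresses and RFC 7217 stable-but-opaque identifiers, the shift Joel alludes to.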