I think that Michael's suggestion of an informal group, invite only,
Chatham House rules is excellent.
Within the DNS community this existed for many years (I wasn't a direct
participant). It was led by folks like Andrew Sullivan (now Internet
Society CEO) and others.
"Inside Baseball" is what they termed it ... because they'd use IETF meetings or
NANOG meetings to then get to the closest baseball game, have a series of
meetings, etc.
Always Chatham House rules.
I know similar groups exist in the DDoS fighters space -- with some overlap
to the DNS operators because of amplification attacks, etc.
Always discussing sensitive matters, so Chatham House rules definitely
apply.
I'm certain that there are those at RIPE now (or previously) who could
provide guidance on how comms were established, etc. I know I was in the
room with folks who brokered contacts with other key players during the
Oct 2016 Dyn attack as an example.
-phil
On Thu, Jul 7, 2022 at 6:00 AM <iot-wg-request(a)ripe.net> wrote:
>
> Today's Topics:
>
> 1. Re: the vague IoT/RIPE-NCC training question (Michael Richardson)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 06 Jul 2022 13:10:59 -0400
> From: Michael Richardson <mcr+ietf(a)sandelman.ca>
> To: Peter Steinhäuser <ps(a)embedd.com>, IoT WG RIPE <iot-wg(a)ripe.net>
> Subject: Re: [iot-wg] the vague IoT/RIPE-NCC training question
> Message-ID: <27027.1657127459@localhost>
> Content-Type: text/plain; charset="utf-8"
>
>
> {did we sort out who are the new co-chairs?}
>
> Peter Steinhäuser <ps(a)embedd.com> wrote:
> > Regarding your initial topic about the NCC training offerings I tend
> > to stand on Jim's side. Nevertheless I think this WG could:
>
> > 1) Identify IoT aspects that affect ISPs from the broad field of
> > topics, as you already mentioned a bit further below. @Daniel: I salute
> > your comment, I think that's what we should focus on.
>
> > 2) Work on RIPE documents, i.e. like the BCOP document we were working
> > on. Such documents could then form a base for trainings; whether done by
> > the RIPE NCC or third parties remains to be seen.
>
> Any other thoughts?
>
> > Getting engagement from the ISPs seems a tricky matter. Inside prpl
> > currently IoT is not a relevant topic, at least none of the major ISPs
> > seems to have brought it up, yet. Talking to IXPs as well could give us
> > a broader view. Although they have no direct control over the end
> > user's CPEs, they can get seriously affected by DDoS attacks and should
> > have a good interest in prevention.
>
> This concern is what originally motivated CIRA to engage in the SHG
> project.
> What we really have is a major, industry-wide, tragedy of the commons
> https://en.wikipedia.org/wiki/Tragedy_of_the_commons situation.
> The entities most affected by poor security and resulting DDoS attacks are
> not the entities able to effect change. The ones who could effect change
> do not have the resources and/or motivation to do so.
>
> >> So, what would I like to see:
> >>
> >> 1) increase connection with RIPE NCC with organizations like
> >> iotsecurityfoundation.org. IoTSF is among the few places I've found which
> >> are not about hype or marketing, who seem to have real connections to both
> >> places/people technical and people/places regulatory. Like the IETF,
> >> though, we need more participation of operators.... not just the
> >> airy-fairy senior security architects from various ISPs, but actual
> >> people in the trenches.
>
> Let me ask a question here.
> Is there a means by which the RIPE NCC can be (or already is) in the loop
> for reports about DDoS attacks on ISPs and critical (European)
> infrastructure?
> I don't mean *me*, or the IOT-WG. I understand that this kind of thing is
> often confidential. I am asking if the RIPE NCC can act as an air-gap
> firewall, exfiltrating important aspects of the incidents.
> We can only fix things that we can measure!
> Also: _tell me how you will measure me, and I'll tell you how I will act_
>
> >> Is there an opportunity to collect wisdom together?
> >> Maybe some kind of symposium of operators and openwrt developers could
> >> happen. OpenWRT has had conferences, although often not that well
> >> advertised in advance. prpl Foundation sometimes has conferences I think.
> >> The WBAlliance does stuff, but alas, 90% of what I see is total marketing.
>
> One approach might be a small colloquium of operators/developers meeting
> under Chatham House rules. I'm sure that I could get IoTSF to host such a
> thing in London, but there may be better times/places at which the right
> people are already there. Note that for the conversation to be genuine it
> couldn't be open to the public, but a report would be generated.
>
> --
> Michael Richardson <mcr+IETF(a)sandelman.ca> . o O ( IPv6 IøT consulting )
> Sandelman Software Works Inc, Ottawa and Worldwide
At RIPE84, recorded at https://ripe84.ripe.net/archives/video/782/
Jad El Cham asks about training from the RIPE NCC on "IoT".
I watched this today from the archives. I wasn't able to be at the IOT-WG
meeting in person (yes, you saw me there on Monday), because I was at the IoT
Security Foundation's ManySecured WG meetings in London.
Perhaps that makes me more qualified to answer the question?
First, some nitpicks about this presentation. I couldn't hear Jad El Cham's
name very well, and the lack of slides meant I had to watch the video three
times to understand his question.
https://ripe84.ripe.net/programme/meeting-plan/iot-wg/
has his name correctly, but:
https://ripe84.ripe.net/archives/#wednesday does *NOT*
If there were three slides with the questions and thoughts on them, then I
could far better respond to the question.
(Still not sure if the clapping for Marco leaving RIPE was ... "thanks for
all the work", or "thank god you escaped with your sanity...")
Second, while I share some of Jim's concern about scope creep, in fact there
are many things that the RIPE NCC is uniquely positioned to help with that
would benefit the community, and which probably *do* need a subsidy to get
done correctly. Profit motives being forever next-quarter, 90% of the IoT
security problems (as explained in the previous presentation, the slides at:
https://ripe84.ripe.net/presentations/87-HVIKT-IoT-encounters-ripe.pdf
include his missing slides...) are the result of next-quarter thinking
combined with very poor operational controls.
If we are going to get a handle on the security issues with networks of
devices (routers are the Internet of Internet things) then we need more data
and more sharing of experiences. Back in RIPE79, (Rotterdam), I tried to
start discussion about how ISPs can collaborate better on dealing with
security issues, particularly DDoS caused by distributed malware.
So, what would I like to see:
1) increase connection with RIPE NCC with organizations like
iotsecurityfoundation.org. IoTSF is among the few places I've found which
are not about hype or marketing, who seem to have real connections to both
places/people technical and people/places regulatory. Like the IETF, though,
we need more participation of operators.... not just the airy-fairy senior
security architects from various ISPs, but actual people in the trenches.
There are dozens of interesting bits of research being done via RIPE Atlas;
telling more IoT types about the results would be a good thing. That could
be in the form of some RIPE (NCC?) person talking about research, or perhaps
for RIPE NCC sponsoring the researcher to present their stuff at a few
conferences, such as the IoTSF conference in October, but also IETF
meetings, RSA(*), Industrial Internet Consortium, The Thing Conference, ...
btw: I did two training courses in 2020 for IoTSF on default passwords and
software updates. *Manufacturers* are *really* hard to reach.
Educating *operators* about what to *ask for*, and which regulation the
supplier is non-compliant with when they fail, would also be very good.
2) RIPE NCC involvement with specifications like:
https://datatracker.ietf.org/wg/mile/about/
ROLIE RFC 8322
good intro: https://www.redhat.com/en/blog/red-hat-adopts-rolie-protocol-automate…
GOLIE https://github.com/rolieup/golie
For instance, how many ISPs know how to set this up?
I have no personal experience.
Would I come to a day-long workshop (Saturday before or after RIPE?)... YES.
This is training content that RIPE NCC could develop, and could provide in
multiple venues for free or for low cost. This is much akin to MANRS, RPKI
training, and I think there has been IX training occur as well.
ROLIE is not loved by everyone, btw, and there are some alternatives which my
slides from 79 went into, but actually I'm not, alas, qualified at this time
to say much, because I know little myself.
3) RIPE (NCC) involvement with regulators on the topic of *privacy* and
*liability* around vulnerability disclosures.
Some operators, for instance, have told me that in order to avoid
violating the privacy of their customers when it comes to detecting
malware infestations on *their* networks, they set up honeypots of (somewhat?)
vulnerable devices and wait for them to get p0wned.
That's an interesting training course on its own.
4) a RIPE reference secure CPE device...?
I could probably go on for days here with things that could be done.
Many medium-sized operators have decided they don't like what's available to
them, and have gone out to specify/build their own devices. Most bigger
operators have been doing this for more than a decade, but my observation is
that the bigger the operator, the less secure their default device is.
(For instance, we know how many and how poorly some of these devices support IPv6)
Is there an opportunity to collect wisdom together?
Maybe some kind of symposium of operators and openwrt developers could
happen. OpenWRT has had conferences, although often not that well advertised
in advance. prpl Foundation sometimes has conferences I think. The
WBAlliance does stuff, but alas, 90% of what I see is total marketing.
5) I could come with a fifth, but this email is already too long.
:-)
--
Michael Richardson <mcr+IETF(a)sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide