Hi Eliot,

Thanks for the response. My comments inline:

On 07/06/2019 09:29, Eliot Lear wrote:

Hi Ad & Sandoche,

Good that SSAC has published something.  There really are some big challenges here for IoT.  In the area of DNS, one challenge is that in order to limit attacks, you really do want the network to limit access to services, and that means knowing which domains the device should be speaking to.

The SPIN project from SIDN (https://www.sidnlabs.nl/en/news-and-blogs/redesigning-spin-to-a-reference-platform-for-secure-and-privacy-enabled-iot-home-networks) seems to be a possible solution.

Also, there is another plugin from Princeton that lets one inspect IoT traffic in your home network right from the browser:
https://iot-inspector.princeton.edu/blog/post/getting-started/

https://iot-inspector.princeton.edu/blog/


That creates some challenges.  That means some sort of consistency with regard to DNS query responses to the device and to the enforcement point.  The ultimate approach to that is coordination between the resolver and the enforcement point, but snooping has worked in the past.  And so you can see some DoH challenges if IoT devices implement that capability prematurely.


==> Is this a topic that our group can focus on and maybe prepare a RIPE BCP (Best Current Practice) or BCOP (Best Current Operation Practice) document like the document prepared by ICANN SSAC for the RIPE community?

Please send your views.

Sandoche.
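
The snooping approach discussed in this message, as an added example that is not part of the original thread or of any project it mentions: an enforcement point pins destination addresses from cleartext DNS answers for the domains a device is allowed to reach, and denies every other flow. The class name, event format, domains and addresses are assumptions constructed for illustration; the last two flows show where the device's view and the enforcement point's view diverge (a stale TTL, and an address resolved over DoH that was never snooped).

```python
def norm(name):
    return name.lower().rstrip(".")

class SnoopingEnforcer:
    def __init__(self, allowed_domains):
        self.allowed = {norm(d) for d in allowed_domains}
        self.pinned = {}  # dst ip -> (allowed qname, expiry time)

    def observe_response(self, now, qname, answers):
        """answers: (owner, rtype, rdata, ttl) tuples from a cleartext response, in wire order."""
        qname = norm(qname)
        if qname not in self.allowed:
            return
        names = {qname}
        for owner, rtype, rdata, ttl in answers:
            if norm(owner) not in names:
                continue  # record not tied to the allowed name; ignore it
            if rtype == "CNAME":
                names.add(norm(rdata))  # follow the alias to its target
            elif rtype in ("A", "AAAA"):
                self.pinned[rdata] = (qname, now + ttl)

    def decide(self, now, dst_ip):
        entry = self.pinned.get(dst_ip)
        return "allow" if entry and now <= entry[1] else "deny"

def replay(enforcer, events):
    """Feed constructed events through the enforcer; return (ip, verdict) per flow."""
    verdicts = []
    for ev in events:
        if ev[0] == "dns":
            enforcer.observe_response(ev[1], ev[2], ev[3])
        else:
            verdicts.append((ev[2], enforcer.decide(ev[1], ev[2])))
    return verdicts

# Constructed sample data (example domains, documentation address ranges).
EVENTS = [
    ("dns", 0, "updates.vendor.example.", [
        ("updates.vendor.example.", "CNAME", "edge.cdn.example.", 300),
        ("edge.cdn.example.", "A", "192.0.2.10", 60)]),
    ("dns", 1, "tracker.example.", [("tracker.example.", "A", "203.0.113.9", 60)]),
    ("flow", 5, "192.0.2.10"),      # snooped answer, still within its TTL
    ("flow", 6, "203.0.113.9"),     # domain is not on the device's allowlist
    ("flow", 90, "192.0.2.10"),     # device reuses an address the enforcer has expired
    ("flow", 100, "198.51.100.7"),  # address learned over DoH; never snooped
]

if __name__ == "__main__":
    print(replay(SnoopingEnforcer(["updates.vendor.example"]), EVENTS))
```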