Re: [iot-wg] New on RIPE Labs: Visualisations of Periodic IoT Traffic
Hi Poonam,
Thanks. The concern here is that the device could choose to identify as something else through a set of false communications. It is indeed an interesting area of research. I am not saying there is nothing to be done, but it is something that requires careful consideration as we aim toward automating policy. I fear in particular that the cloud makes this quite a bit harder, and IoT manufacturer use of their own DNS infrastructure will make it yet more difficult, because we are all using the same cloud infra.
Eliot
On 19.03.20 15:42, Poonam Yadav wrote:
Dear Eliot,
Thank you for your very important question. In the current setting, our router verifies packets using devices' MAC addresses, which means the router has a list of the MAC addresses of all IoT devices. For another piece of work, we used certificate-based authentication between the router and the device MUD server, something similar to this: https://docs.microsoft.com/en-us/azure/iot-edge/how-to-authenticate-downstre...
We used off-the-shelf IoT devices, so it's not easy to integrate many TEE-based solutions.
Best regards,
Poonam
On Thu, Mar 19, 2020 at 12:47 PM Eliot Lear <lear@ofcourseimright.com <mailto:lear@ofcourseimright.com>> wrote:
Very interesting work!
A cautionary question:
If I wanted to pretend to be one of these devices on your network, how hard would it be?
Eliot
On 19.03.20 12:56, Poonam Yadav wrote:
Thanks for sharing!
We have analysed similar patterns in many IoT devices and presented the periodicity in IoT traffic as an FFT (fig. 4 of the IoTDI paper, attached for reference). Some initial results are in this report: https://www.repository.cam.ac.uk/handle/1810/284092 and the full paper is here: https://dl.acm.org/doi/10.1145/3302505.3310082
Best regards,
On Thu, Mar 19, 2020 at 10:31 AM Mirjam Kuehne <mir@ripe.net <mailto:mir@ripe.net>> wrote:
Dear colleagues,
IoT devices often perform activities on a periodic basis. Thymen Wabeke of SIDN Labs shares his analysis of periodic network traffic from IoT lightbulbs. Read it on RIPE Labs at:
https://labs.ripe.net/Members/thymen_wabeke/visualisations-of-periodic-iot-t...
Kind regards, Mirjam Kühne RIPE NCC
_______________________________________________ iot-wg mailing list iot-wg@ripe.net <mailto:iot-wg@ripe.net> https://lists.ripe.net/mailman/listinfo/iot-wg
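The periodicity analysis this thread is about (the RIPE Labs post visualises it; the IoTDI paper presents it as an FFT of the traffic timeline) is worked below as an added Python example. It is not code from the post, the paper or any of the participants. The packet timestamps are constructed: a hypothetical device that sends a keep-alive every 60 seconds for 15 minutes plus four one-off packets; the pure-Python DFT stands in for numpy's FFT so the script runs with the standard library only.

```python
"""Periodic-traffic fingerprint of an IoT device via a discrete Fourier
transform (DFT).

Added example, not code from the RIPE Labs post or the IoTDI paper. The
timestamps are constructed: a hypothetical device sending a keep-alive at
0.3 s past every minute for 15 minutes, plus four unrelated packets.
"""
import cmath
import math

DURATION_S = 900.0
KEEPALIVE_PERIOD_S = 60.0

# Constructed capture (seconds since start of capture): 15 keep-alives and
# four one-off packets (a DNS lookup, an NTP exchange, ...) at fixed times.
CONSTRUCTED_TIMESTAMPS = (
    [i * KEEPALIVE_PERIOD_S + 0.3 for i in range(15)]
    + [7.1, 133.8, 402.5, 611.9]
)


def bin_timestamps(timestamps, duration, bin_width=1.0):
    """Turn packet timestamps into a packets-per-bin signal x[n]."""
    n_bins = int(math.ceil(duration / bin_width))
    signal = [0.0] * n_bins
    for t in timestamps:
        idx = int(t // bin_width)
        if 0 <= idx < n_bins:
            signal[idx] += 1.0
    return signal


def dft_magnitudes(signal):
    """|X[k]| for k = 1 .. N//2, keyed by k.

    The DC term k = 0 is left out: a constant offset says nothing about
    periodicity. Only non-zero bins are summed, which keeps the O(N^2)
    loop cheap for the sparse signal a packet capture produces.
    """
    n = len(signal)
    nonzero = [(t, v) for t, v in enumerate(signal) if v]
    mags = {}
    for k in range(1, n // 2 + 1):
        acc = 0j
        for t, v in nonzero:
            acc += v * cmath.exp(-2j * math.pi * k * t / n)
        mags[k] = abs(acc)
    return mags


def fundamental_period(timestamps, duration, bin_width=1.0, rel_threshold=0.5):
    """Period in seconds of the dominant periodic component.

    A strictly periodic impulse train puts equal energy into every
    harmonic, so simply taking the tallest spectral line can land on a
    harmonic. Instead take the lowest frequency whose magnitude is within
    rel_threshold of the maximum: that is the fundamental.
    """
    signal = bin_timestamps(timestamps, duration, bin_width)
    mags = dft_magnitudes(signal)
    peak = max(mags.values())
    k_fund = min(k for k, m in mags.items() if m >= rel_threshold * peak)
    return len(signal) * bin_width / k_fund


def main():
    period = fundamental_period(CONSTRUCTED_TIMESTAMPS, DURATION_S)
    print(f"dominant period: {period:.1f} s")


if __name__ == "__main__":
    main()
```

The spectrum shows a clean line at 1/60 Hz (and its harmonics) with the four stray packets contributing only low-level noise; that behavioural signature is what one would compare against a device's claimed identity, since a MAC address is a field the sender chooses.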
Eliot Lear <lear@lear.ch> wrote:
> Thanks. The concern here is that the device could choose to identify as something else through a set of false communications. It is indeed an interesting area of research. I am not saying there is nothing to be done, but it is something that requires careful consideration as we aim toward automating policy. I fear in particular that the cloud makes this quite a bit harder, and IoT manufacturer use of their own DNS infrastructure will make it yet more difficult, because we are all using the same cloud infra.

Manufacturers SHOULD avoid using their own DNS infrastructure in my opinion.

Operational Considerations for use of DNS in IoT devices
draft-richardson-opsawg-mud-iot-dns-considerations-01

Abstract

This document details concerns about how Internet of Things devices use IP addresses and DNS names. The issue becomes acute as network operators begin deploying RFC8520 Manufacturer Usage Description (MUD) definitions to control device access.

This document explains the problem through a series of examples of what can go wrong, and then provides some advice on how a device manufacturer can best deal with these issues. The recommendations have an impact upon device and network protocol design.

...co-authors, reviews, pull-requests and comments sought.

{I'm annoyed that the DNSOP group declined to define "QuadX" as a term in ietf-dnsop-terminology-ter. Actually, I don't care what it's called, as long as I have a term for such public recursive services}

-- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
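The failure mode the draft abstract refers to, a MUD policy keyed on DNS names when the device and the network resolve those names differently, worked as an added Python example. This is not code from the draft, from RFC 8520 or from any MUD controller: the MUD fragment, the name api.vendor.example, both resolvers and their answers are constructed, and the ACE is trimmed to the fields the script uses (it follows the shape of an ietf-access-control-list entry carrying the RFC 8520 ietf-acldns:dst-dnsname match).

```python
"""Why MUD ACLs built from DNS names break when the device and the router
resolve the name differently.

Added example, not code from draft-richardson-opsawg-mud-iot-dns-
considerations or any MUD controller. The MUD fragment, the resolver
answers and the hostname are all constructed.
"""
import ipaddress

# Constructed MUD fragment: the device may speak TLS to its vendor API.
MUD_ACES = [
    {
        "name": "cl0-frdev",
        "matches": {
            "ietf-acldns:dst-dnsname": "api.vendor.example",
            "tcp": {"destination-port": {"operator": "eq", "port": 443}},
        },
        "actions": {"forwarding": "accept"},
    }
]

# Constructed resolver answers. The network's resolver sees one answer;
# the vendor's own resolver (or a public "QuadX" service the device is
# hard-wired to use) hands the device a different, geo-steered address
# for the same name.
NETWORK_RESOLVER = {"api.vendor.example": ["203.0.113.10", "203.0.113.11"]}
VENDOR_RESOLVER = {"api.vendor.example": ["198.51.100.7"]}


def expand_aces(aces, resolver):
    """Turn dnsname ACEs into concrete (dst_ip, dst_port, action) rules
    using whatever the given resolver answers at enforcement time."""
    rules = []
    for ace in aces:
        m = ace["matches"]
        name = m.get("ietf-acldns:dst-dnsname")
        port = m.get("tcp", {}).get("destination-port", {}).get("port")
        action = ace["actions"]["forwarding"]
        for addr in resolver.get(name, []):
            rules.append((ipaddress.ip_address(addr), port, action))
    return rules


def decide(rules, dst_ip, dst_port):
    """First-match evaluation; anything a MUD ACL does not allow is dropped."""
    dst = ipaddress.ip_address(dst_ip)
    for ip, port, action in rules:
        if ip == dst and (port is None or port == dst_port):
            return action
    return "drop"


def device_connects_to(device_resolver, name="api.vendor.example"):
    """Address the device will actually open a connection to, per the
    resolver it uses itself."""
    return device_resolver[name][0]


def demo():
    # The router expands the policy from its own resolver's view.
    rules = expand_aces(MUD_ACES, NETWORK_RESOLVER)
    # Device uses the vendor's resolver: the answers diverge, traffic dropped.
    vendor_dns = decide(rules, device_connects_to(VENDOR_RESOLVER), 443)
    # Device uses the network-supplied resolver: same answer, traffic accepted.
    network_dns = decide(rules, device_connects_to(NETWORK_RESOLVER), 443)
    return {"vendor_dns": vendor_dns, "network_dns": network_dns}


if __name__ == "__main__":
    print(demo())
```

In this toy the divergence disappears once the device uses the resolver the network hands it, which is the practical content of "manufacturers SHOULD avoid using their own DNS infrastructure": the enforcement point and the device must see the same answer, or the policy blocks legitimate traffic and a name-based ACL cannot be trusted.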
Thank you Eliot and Michael for this thoughtful discussion and for sharing the draft. I agree with you regarding the security issue with shared cloud infrastructure and DNS. However, on the IoT device side, do you think a hardware-based authentication (e.g., quantum tunnelling - https://www.cryptoquantique.com/solution ) may solve some of these issues?
Best regards,
Poonam
participants (3)
- Eliot Lear
- Michael Richardson
- Poonam Yadav