some suggestions on "work items" for the WG
Here are a few random thoughts about the sorts of things the WG might do. I hope these will spark some discussion. Please note I’m not saying the WG will or won’t adopt any of these suggestions. Or that these are the only topics of interest. This is just an attempt to get everyone to think about the WG’s activities and come forward with their own suggestions.
1) Interaction with SDOs and industry fora
How could/should the WG engage with these? Do we want updates from (say) AIOTI, IETF, ETSI and so on? Are any members of the WG involved in the IoT work at these sorts of organisations?
2) Liaison with government/regulators
What is and isn’t appropriate here?
3) Advice/support to the NCC
The NCC gets asked about IoT. They are going to want the WG to provide advice or present the consensus view (if any) of the RIPE community.
4) Academia
We had a few IoT themed presentations at RIPE75 from academics. Does the WG want more (or less) of that sort of thing? What’s the best way to collaborate with academia and what does the WG want to get from that?
5) Training & Documentation
Should the WG try to develop training materials/tutorials on IoT, white papers, use cases, best practices and so on? [Probably yes.] If so, what should these focus on and are there any volunteers to help produce these?
6) IP(v6) Addressing Issues
What are the main issues around IP(v6) addressing/subnetting schemes for IoT devices and networks?
7) Security
Anyone interested in the security aspects of IoT, both in terms of the edge devices and their potential role in DDoS attacks like Mirai? Could the WG develop some recommendations or advice?
8) Policy Making
What sort of policies (and on what) could the WG develop for the NCC to implement?
9) Tools and toys
Does anyone have new/interesting tools for playing with IoT devices or have useful development environments for them, say for writing/debugging code on a Raspberry Pi or even cheaper chipsets?
10) Anything else?
Er....
Let’s hear what you all have to say about the above. Or other things I’ve either overlooked or forgotten about. Over to you...
Hello Jim, thanks for starting the discussion! Let me comment on two points....
On 29. Nov 2017, at 15:01, Jim Reid <jim@rfc1035.com> wrote:
4) Academia
We had a few IoT themed presentations at RIPE75 from academics. Does the WG want more (or less) of that sort of thing?
In addition to Academia I would like to see presentations from vendors who actually produce "things" on topics like (but not limited to)
- quality assurance (in terms of software, security, networking)
- security in general
- robustness (in terms of networking)
- etc...
So if anyone in this group has industry connections, please reach out and encourage them to submit presentations for Marseilles....
9) Tools and toys
Does anyone have new/interesting tools for playing with IoT devices or have useful development environments for them, say for writing/debugging code on a Raspberry Pi or even cheaper chipsets?
I play around with ESP8266 as a hobby.... nice chip with IPv4 stack and Wifi built in... for development you can use the Arduino environment...
best regards
Wolfgang
--
Wolfgang Tremmel
Phone +49 69 1730902 26 | Fax +49 69 4056 2716 | Mobile +49 171 8600 816 | wolfgang.tremmel@de-cix.net
Geschaeftsfuehrer Harald A. Summa | Registergericht AG Köln HRB 51135
DE-CIX Management GmbH | Lindleystrasse 12 | 60314 Frankfurt am Main | Germany | www.de-cix.net
On Wed, Nov 29, 2017 at 02:01:14PM +0000, Jim Reid wrote:
7) Security
Anyone interested in the security aspects of IoT, both in terms of the edge devices and their potential role in DDoS attacks like Mirai? Could the WG develop some recommendations or advice?
Count me in, though I have just a single idea: make sure updates are available in a timely manner.
I would be very interested, too.
Alexei Colisnicenco
+49 172 5202391
alcolisn@me.com
Am 29.11.2017 um 21:23 schrieb Alex Smirnoff <ark@eltex.net>:
On Wed, Nov 29, 2017 at 02:01:14PM +0000, Jim Reid wrote:
7) Security
Anyone interested in the security aspects of IoT, both in terms of the edge devices and their potential role in DDoS attacks like Mirai? Could the WG develop some recommendations or advice?
Count me in, though I have just a single idea: make sure updates are available in a timely manner.
_______________________________________________ iot-wg mailing list iot-wg@ripe.net https://lists.ripe.net/mailman/listinfo/iot-wg
On Nov 29, 2017, at 22:23, Alex Smirnoff <ark@eltex.net> wrote:
On Wed, Nov 29, 2017 at 02:01:14PM +0000, Jim Reid wrote:
7) Security
Anyone interested in the security aspects of IoT, both in terms of the edge devices and their potential role in DDoS attacks like Mirai? Could the WG develop some recommendations or advice?
Count me in, though I have just a single idea: make sure updates are available in a timely manner.
Besides availability of updates there also should be easy and clear way to update any device.
-- Best regards Taras Heichenko tasic@hostmaster.ua
On 29 Nov 2017, at 20:46, Taras Heichenko <tasic@hostmaster.ua> wrote:
On Nov 29, 2017, at 22:23, Alex Smirnoff <ark@eltex.net> wrote:
Count me in, though I have just a single idea: make sure updates are available in a timely manner.
Besides availability of updates there also should be easy and clear way to update any device.
OK Taras and Alex - thanks. Would you like to develop your ideas further? Perhaps this could be worked up and then turned into a RIPE document by the WG?
Ok, I see four basic requirements here:
1) IoT device should receive regular security updates
2) security status of the device should be manageable (get patchlevel, update OTA) for every active device
3) updates should be digitally signed (unless user is allowed to bypass this restriction under certain conditions)
4) the "non IoT" counterpart of the infrastructure, whatever it be, including development and release process, should be reasonably protected.
Did I miss anything?
On Thu, Nov 30, 2017 at 01:21:43PM +0000, Jim Reid wrote:
On 29 Nov 2017, at 20:46, Taras Heichenko <tasic@hostmaster.ua> wrote:
On Nov 29, 2017, at 22:23, Alex Smirnoff <ark@eltex.net> wrote:
Count me in, though I have just a single idea: make sure updates are available in a timely manner.
Besides availability of updates there also should be easy and clear way to update any device.
OK Taras and Alex - thanks. Would you like to develop your ideas further? Perhaps this could be worked up and then turned into a RIPE document by the WG?
On 2017-11-30 17:31, Alex Smirnoff wrote:
Ok, I see four basic requirements here:
1) IoT device should receive regular security updates
2) security status of the device should be manageable (get patchlevel, update OTA) for every active device
3) updates should be digitally signed (unless user is allowed to bypass this restriction under certain conditions)
4) the "non IoT" counterpart of the infrastructure, whatever it be, including development and release process, should be reasonably protected.
Did I miss anything?
I think it's useful to point to related work in the IETF circles (e.g. https://tools.ietf.org/html/draft-moore-iot-security-bcp-01) that has a much broader set of requirements with good explanations. Cheers, Robert
On Dec 1, 2017, at 12:03, Robert Kisteleki <robert@ripe.net> wrote:
On 2017-11-30 17:31, Alex Smirnoff wrote:
Ok, I see four basic requirements here:
1) IoT device should receive regular security updates
2) security status of the device should be manageable (get patchlevel, update OTA) for every active device
3) updates should be digitally signed (unless user is allowed to bypass this restriction under certain conditions)
4) the "non IoT" counterpart of the infrastructure, whatever it be, including development and release process, should be reasonably protected.
Did I miss anything?
I think it's useful to point to related work in the IETF circles (e.g. https://tools.ietf.org/html/draft-moore-iot-security-bcp-01) that has a much broader set of requirements with good explanations.
Good point. Of course we can try to do some kind of the same job. Maybe we will find something new, but more likely we will just repeat the same. So what are the aims of this WG? Maybe we will not repeat but collect what was done till now and look at what can be done on this basis?
Cheers, Robert
-- Best regards Taras Heichenko tasic@hostmaster.ua
My comments inline:
On 29/11/2017 15:01, Jim Reid wrote:
Here are a few random thoughts about the sorts of things the WG might do. I hope these will spark some discussion. Please note I’m not saying the WG will or won’t adopt any of these suggestions. Or that these are the only topics of interest. This is just an attempt to get everyone to think about the WG’s activities and come forward with their own suggestions.
1) Interaction with SDOs and industry fora
How could/should the WG engage with these? Do we want updates from (say) AIOTI, IETF, ETSI and so on? Are any members of the WG involved in the IoT work at these sorts of organisations?
==> I follow different IoT WGs at the IETF in general, focusing particularly on the LPWAN WG (https://datatracker.ietf.org/wg/lpwan/about/)
2) Liaison with government/regulators
What is and isn’t appropriate here?
==> Even though the market forces will define regulation, IMHO, the focus for RIPE should be on IoT identification related to data privacy.
3) Advice/support to the NCC
The NCC gets asked about IoT. They are going to want the WG to provide advice or present the consensus view (if any) of the RIPE community.
4) Academia
We had a few IoT themed presentations at RIPE75 from academics. Does the WG want more (or less) of that sort of thing? What’s the best way to collaborate with academia and what does the WG want to get from that?
5) Training & Documentation
Should the WG try to develop training materials/tutorials on IoT, white papers, use cases, best practices and so on? [Probably yes.] If so, what should these focus on and are there any volunteers to help produce these?
==> I volunteer to write an introduction draft on role of identification and addressing in IoT
Sandoche.
On 29 Nov 2017, at 21:19, sandoche Balakrichenan <sandoche.balakrichenan@afnic.fr> wrote:
I volunteer to write an introduction draft on role of identification and addressing in IoT
Excellent! Many thanks Sandoche. This would be a very useful document to produce and have the WG discuss.
On 30/11/2017 14:15, Jim Reid wrote:
On 29 Nov 2017, at 21:19, sandoche Balakrichenan <sandoche.balakrichenan@afnic.fr> wrote:
I volunteer to write an introduction draft on role of identification and addressing in IoT
Excellent! Many thanks Sandoche. This would be a very useful document to produce and have the WG discuss.
As promised, please find the initial draft here: https://github.com/sandoche2k/ripe-iot/blob/master/document.md
Thanks for your feedback: https://github.com/sandoche2k/ripe-iot/blob/master/README.md
Sandoche.
Dear Jim,
Thank you for sharing your suggestions. I think:
1) Interaction with SDOs and industry fora
How could/should the WG engage with these? Do we want updates from (say) AIOTI, IETF, ETSI and so on? Are any members of the WG involved in the IoT work at these sorts of organisations?
===>> It is necessary to collaborate with the other WGs in the other Institutes and Organizations. I volunteer to do this, if no one exists.
2) Liaison with government/regulators
What is and isn’t appropriate here?
===>> I agree. I can establish and pursue the necessary communication with the Ministry of Communications and Information Technology of Iran and the regulator and also ICT Guild Organization (consisting of more than 10000 companies in the field of ICT) in Iran to receive their needs and determine the points of interest for cooperating with this kind of working groups.
4) Academia
We had a few IoT themed presentations at RIPE75 from academics. Does the WG want more (or less) of that sort of thing? What’s the best way to collaborate with academia and what does the WG want to get from that?
===>> It is very important, I think. The best way to collaborate with academia and universities is proposing the IoT research topics required by the RIPE Community to them and supporting the presentation of the results of joint research in international scientific communities as well as RACI in the RIPE NCC Meetings. I'm a Faculty Member in ICT Research Institute of IRAN and also Chairman of Iran IoT Academy. So, I can do it in Iran for RIPE. Also I volunteer to do this worldwide (we have international collaboration in IoT Academy)
5) Training & Documentation
Should the WG try to develop training materials/tutorials on IoT, white papers, use cases, best practices and so on? [Probably yes.] If so, what should these focus on and are there any volunteers to help produce these?
===>> It is necessary. One of our main activities in IoT Academy of Iran is doing this. I volunteer to do this, also.
8) Policy Making
What sort of policies (and on what) could the WG develop for the NCC to implement?
===>> It is very important to have an IoT Strategy Plan for RIPE NCC.
9) Tools and toys
Does anyone have new/interesting tools for playing with IoT devices or have useful development environments for them, say for writing/debugging code on a Raspberry Pi or even cheaper chipsets?
===>> In IoT Academy of IRAN we use Raspberry Pi, Banana Pi, Edison, Arduino, ... Boards.
Best Regards,
Farzad
--
Farzad Ebrahimi
Chairman & Founder
IoT Academy of Iran
Address: Unit 25, Floor 5, No.49, Abshar Complex, Daman Afshar St., Dafine St., Mirdamad Blvd, Tehran, Iran.
Postal Code: 1969765183
Tel: (+9821) 86081025
Fax: (+9821) 88872445
Cell: (+98912) 3707085
http://www.IoTAcademy.ir
On 29/11/2017 15:01, Jim Reid wrote:
7) Security
Anyone interested in the security aspects of IoT, both in terms of the edge devices and their potential role in DDoS attacks like Mirai? Could the WG develop some recommendations or advice?
I would definitely suggest security to be one of the working items of the WG. There is a recent NIST Draft "Report on Status of International Cybersecurity Standardization for the Internet of Things (IoT)", see https://csrc.nist.gov/News/2018/Report-International-IoT-Cybersecurity-Stand...
This report can be an input for discussion on IoT security wrt. international activities, standardisation, etc. Similar to the document suggested by Robert earlier on this list (draft-moore-iot-security-bcp).
Cheers,
-- Benno
--
Benno J. Overeinder
NLnet Labs
https://www.nlnetlabs.nl/
On 16/02/2018 16:39, Benno Overeinder wrote:
On 29/11/2017 15:01, Jim Reid wrote:
7) Security Anyone interested in the security aspects of IoT, both in terms of the edge devices and their potential role in DDoS attacks like Mirai? Could the WG develop some recommendations or advice?
I would definitely suggest security to be one of the working items of the WG.
Same here. The potential role of IoT devices in DDoS attacks like Mirai is something we have been looking at for some time. We envision more functionality in CPEs to better deal with the risks of compromised IoT devices in the homenet. This is part of our SPIN-project (Security and Privacy for In-home Networks) [1]. So yes, definitely interested.
[1] https://www.sidnlabs.nl/a/weblog/redesigning-spin-to-a-reference-platform-fo...
--
Marco
On 16 Feb 2018, at 16:58, Marco Davids (SIDN) <marco.davids@sidn.nl> wrote:
We envision more functionality in CPEs to better deal with the risks of compromised IoT devices in the homenet.
This particular point was also discussed at the IoT Roundtable event in September last year, quoting from the meeting report:
"A key discussion point was whether providers have an ethical obligation to protect users. A presentation by Enno Rey from ENRW introduced the idea of using CPE as a shield to protect customers' devices at home. He noted that, by default, many ports are open that people will never need or use – so providers should consider closing some of these (e.g. Telnet). This approach would have prevented the Mirai attack. It was noted, however, that providers should be wary of creating an “assisted Internet experience” that disempowers users in the name of protecting them. It was added that manufacturers had a responsibility for devices that couldn't be addressed by blocking ports."
(https://www.ripe.net/participate/meetings/roundtable/september-2017/ripe-iot...)
Apart from the CPE, I also see a bit of a trend in dedicated gateway devices, such as SENSE, being announced or actually shipped for the purpose of securing home IoT networks. Certainly an interesting area that I would encourage people to discuss further, also in relation to the talks regarding duty of care that appear in various Internet governance venues.
MarcoH
RIPE NCC
participants (12)
- Alex Smirnoff
- Alexei Colisnicenco
- Benno Overeinder
- Farzad Ebrahimi
- Jim Reid
- Marco Davids (SIDN)
- Marco Hogewoning
- Robert Kisteleki
- sandoche Balakrichenan
- Sandoche Balakrichenan
- Taras Heichenko
- Wolfgang Tremmel