IoT Working Group

[iot-wg] The DNS and the Internet of Things: Opportunities, Risks, and Challenges

Ad Bresser

2019-06-05 15:26:01 CET

Hi,



For the ones that are interested.



The ICANN SSAC (Security and Stability Advisory Committee), published:

SAC105 The DNS and the Internet of Things: Opportunities, Risks, and
Challenges

https://www.icann.org/en/system/files/files/sac-105-en.pdf



Kind regards,



Ad Bresser
Sandoche BALAKRICHENAN

2019-06-05 20:20:27 CET

Thanks for sending the report.

The intention of the report is to "trigger and facilitate dialogue in 
the broader ICANN community".  Could we take any topics from this report 
for discussion for the RIPE community? Some of the topics I find 
relevant to us from section 5 of this report are:

1. IoT measurements

2. Security and transparency libraries for IoT devices

3. Dissemination and training

4. Proactively mitigating IoT attacks (e.g., envision security systems in 
edge networks such as using MUD (Manufacturer Usage Description))

Sandoche.

On 05/06/2019 15:26, Ad Bresser wrote:
>
> Hi,
>
> For the ones that are interested.
>
> The ICANN SSAC (Security and Stability Advisory Committee), published:
>
> SAC105 The DNS and the Internet of Things: Opportunities, Risks, and 
> Challenges
>
> https://www.icann.org/en/system/files/files/sac-105-en.pdf
>
> Kind regards,
>
> Ad Bresser
>
>

Sandoche BALAKRICHENAN

2019-06-07 14:33:50 CET

Hi Eliot,

Thanks for the response. My comments inline:

On 07/06/2019 09:29, Eliot Lear wrote:
>
> Hi Ad & Sandoche,
>
> Good that SSAC has published something.  There really are some big 
> challenges here for IoT.  In the area of DNS, one challenge is that 
> in order to limit attacks, you really do want the network to limit 
> access to services, and that means knowing which domains the device 
> should be speaking to.
>
The SPIN project from SIDN 
(https://www.sidnlabs.nl/en/news-and-blogs/redesigning-spin-to-a-reference-platform-for-secure-and-privacy-enabled-iot-home-networks) 
seems to be a possible solution.

Also, there is another plugin from Princeton that lets one inspect 
IoT traffic in your home network right from the browser:
https://iot-inspector.princeton.edu/blog/post/getting-started/

https://iot-inspector.princeton.edu/blog/


>   That creates some challenges.  That means some sort of consistency 
> with regard to DNS query responses to the device and to the 
> enforcement point.  The ultimate approach to that is coordination 
> between the resolver and the enforcement point, but snooping has 
> worked in the past.  And so you can see some DoH challenges if IoT 
> devices implement that capability prematurely.
>
>
==> Is this a topic that our group can focus on and maybe prepare a RIPE 
BCP (Best Current Practice) or BCOP (Best Current Operation Practice) 
document like the document prepared by ICANN SSAC for the RIPE community?

Please send your views.

Sandoche.
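
The point quoted in the message above, that a domain-based allow-list only works when the enforcement point sees the same DNS answers as the device, shown as an added example that is not part of the original thread or of any project mentioned in it. The `EnforcementPoint` class, device name, domain names and addresses are constructed for illustration; the allow-list stands in for what a MUD profile would supply.

```python
# Added illustration: a per-device domain allow-list enforced by DNS snooping.
from dataclasses import dataclass, field

@dataclass
class EnforcementPoint:
    allowed_domains: set                            # names the device may reach
    bindings: dict = field(default_factory=dict)    # (device, ip) -> expiry time

    def snoop_dns_answer(self, device, qname, ip, ttl, now):
        """Record an address answer seen on the wire if the name is allow-listed."""
        name = qname.rstrip(".").lower()
        if name in self.allowed_domains:
            key = (device, ip)
            self.bindings[key] = max(self.bindings.get(key, 0), now + ttl)

    def permits(self, device, dst_ip, now):
        """Allow a flow only if a live snooped binding covers the destination."""
        return self.bindings.get((device, dst_ip), 0) > now

def run_scenario():
    # Constructed sample data: example names and documentation-range addresses.
    ep = EnforcementPoint(allowed_domains={"updates.vendor.example"})
    cam = "camera-1"
    results = {}
    # 1. Device queries the local resolver in the clear; the answer is snooped.
    ep.snoop_dns_answer(cam, "Updates.Vendor.Example.", "192.0.2.10", ttl=60, now=0)
    results["snooped"] = ep.permits(cam, "192.0.2.10", now=5)
    # 2. An answer for a name that is not allow-listed is never learned.
    ep.snoop_dns_answer(cam, "tracker.other.example", "203.0.113.7", ttl=60, now=0)
    results["not_listed"] = ep.permits(cam, "203.0.113.7", now=5)
    # 3. The binding expires with the TTL, so a stale address stops matching.
    results["expired"] = ep.permits(cam, "192.0.2.10", now=61)
    # 4. Device resolves the same allow-listed name over DoH and receives a
    #    different address. Nothing was snooped, so the legitimate flow is
    #    denied: device and enforcement point hold inconsistent views.
    results["doh_unseen"] = ep.permits(cam, "198.51.100.20", now=5)
    return results

if __name__ == "__main__":
    for case, allowed in run_scenario().items():
        print(f"{case:12s} -> {'allow' if allowed else 'deny'}")
```

Case 4 is why snooping alone stops being sufficient once devices resolve names over an encrypted channel the enforcement point cannot observe, and why coordination between resolver and enforcement point is the more robust design.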

Sandoche BALAKRICHENAN

2019-06-07 17:05:25 CET

On 07/06/2019 15:52, Eliot Lear wrote:
>
>
>
>> ==> Is this a topic that our group can focus on and maybe prepare a 
>> RIPE BCP (Best Current Practice) or BCOP (Best Current Operation 
>> Practice) document like the document prepared by ICANN SSAC for the 
>> RIPE community?
>>
>
> I think there is room for at least documenting the issues. Where that 
> happens to me is less important than that it happens ;-)
>
>
>
==> I know that you have been involved in a similar effort on IoT device 
onboarding: https://github.com/iot-onboarding/catalog

Maybe we could start something similar on GitHub or a similar place 
where everyone can contribute.

Just want to know the views of others in the group, if any.

Sandoche.