IoT Working Group Minutes - RIPE 81

Date: 29 October 2020
Scribe: Marco Hogewoning, RIPE NCC
Status: Final

Constanze Dietrich opened the meeting, introducing the chairs and the agenda. She announced a survey will be send to the working group mailing list, to solicit feedback about which activities the community would like to see. For examples what would the WG see as desired deliverables or, for instance, organising another hackathon.

RIPE NCC IoT Update

Marco Hogewoning, RIPE NCC

The presentation can be found here:
https://ripe81.ripe.net/archives/video/474

Marco stressed that although his presentation used examples from within the EU, many countries are considering similar regulatory approaches.

Michael Richardson (Sandelman Software) asked whether the intent of the Radio Equipment Directive was to implement EN 303 645 recommendations. Due to time constraints this question was answered offline.

Architectural Considerations for IoT Device Security in the Home: A Guide for ISPs Specifying CPE Devices

IoT BCOP Task Force

The presentation can be found here:
https://ripe81.ripe.net/archives/video/476/

Peter Steinhauser (Embedd) presented about the work of the IoT BCOP Task Force in preparing an output document for the working group, titled “Architectural Considerations for IoT Device Security in the Home”, which is intended to be published as a RIPE document.

During the presentation, a number of polls were raised with the participants:

Do you provide the CPE?

  • Yes: 27%
  • No: 72%

Do you allow customers to bring their own CPE?

  • Yes: 75%
  • No: 12%
  • I don’t know: 12% 

Do you provide IoT Security, or intend to?

  • Yes: 33%
  • No: 27%
  • I don’t know: 38%

Do you certify the CPE before allowing a customer?

  • Yes: 13%
  • No: 68%
  • I don’t know: 18%

(Note: The results were shared with the IoT WG mailing list) 

Patrick Tarpey (Ofcom, UK) asked about DOCSIS 3.1. He was answered by Phil Stanhope (Zoom Telephonics) who pointed out that DOCSIS has mechanisms to protect the integrity of the firmware, but that the real challenge for IoT security lies on the local area network (LAN) side of the CPE.

Eliot Lear (Cisco) clarified that the focus of DOCSIS is with the CPE itself and that the focus of the document is on how the CPE can protect the devices in the house.

Michael Richardson added that many service providers are worried that when there is a problem with an IoT device, they are likely to be the ones receiving a call.

Sandoche Balakrichenan announced some of the poll results.

Jan Zorz (6connect) added that while the document was presented as a BCOP, in reality there is only very little operational experience.

Michael Richardson answered that he had thought about the same and the document could be seen as advice on how to be prepared. 

Chris Bellman (Carleton University) asked how important it was to the task force strategy it was to ensure implementations remain the same and if there could be several avenues to achieve the same outcome.

Eliot answered that the document would be split, but also stressed the importance of having only a limited number of standards compared to everybody doing their own thing. He pointed out that he had started to observe some consolidation in this area. 

Anna-Maria Mandalari (Imperial College UK) asked about the difficulties of identifying good behavior from different usage of devices by different users.

Eliot answered that one way to do that is for the manufacturer to declare what the expected behaviour would be.

Constanze wrapped up the discussion and asked the task force about the next steps.

Eliot responded that the first step would be to decide what to call the document. He also mentioned that the plan was to continue to develop the document based on feedback from the working group.

Sandoche reminded everybody to send feedback to the mailing list. 

Constanze thanked the speakers and closed the session.

The end of the session

RIPE Forum

The RIPE Forum is an additional way to participate in RIPE community mailing list discussions using a web-based interface rather than an email client.

Check out the forum