Thank you Eliot and Michael for this thoughtful discussion and sharing the draft. I agree with you regarding the security issue with shared cloud infrastructure and DNS. However, on the IoT device side, do you think a hardware-based authentication (e.g., quantum tunnelling - https://www.cryptoquantique.com/solution ) may solve some of these issues?

Best regards,
Poonam

On Thu, Mar 19, 2020 at 5:47 PM Michael Richardson <mcr+ietf@sandelman.ca> wrote:
Eliot Lear <lear@lear.ch> wrote:
> Thanks. The concern here is that the device could choose to identify as something else through a set of false communications. It is indeed an interesting area of research. I am not saying there is nothing to be done, but it is something that requires careful consideration as we aim toward automating policy. I fear in particular that the cloud makes this quite a bit harder, and IoT manufacturer use of their own DNS infrastructure will make it yet more difficult, because we are all using the same cloud infra.
Manufacturers SHOULD avoid using their own DNS infrastructure in my opinion.
Operational Considerations for use of DNS in IoT devices
draft-richardson-opsawg-mud-iot-dns-considerations-01
Abstract
This document details concerns about how Internet of Things devices use IP addresses and DNS names. The issue becomes acute as network operators begin deploying RFC8520 Manufacturer Usage Description (MUD) definitions to control device access.
This document explains the problem through a series of examples of what can go wrong, and then provides some advice on how a device manufacturer can best deal with these issues. The recommendations have an impact upon device and network protocol design.
...co-authors, reviews, pull-requests and comments sought.
{I'm annoyed that the DNSOP group declined to define "QuadX" as a term in ietf-dnsop-terminology-ter. Actually, I don't care what it's called, as long as I have a term for such public recursive services}
-- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
_______________________________________________
iot-wg mailing list
iot-wg@ripe.net
https://lists.ripe.net/mailman/listinfo/iot-wg
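To make the concern in the thread concrete (MUD policy written in terms of DNS names, endpoints on shared cloud infrastructure, and the manufacturer's own DNS answering differently from the network's public recursive resolver), here is an added example that is not from the thread or the draft. It builds an abbreviated RFC 8520-style MUD ACL using the `ietf-acldns:dst-dnsname` match, expands it to addresses the way a MUD controller would, and shows the two failure modes; the vendor names, resolver answers and RFC 5737 addresses are constructed for the example.

```python
import ipaddress


def mud_with_dnsname_aces(dnsnames):
    """Build a minimal, abbreviated MUD ACL (constructed) that permits TCP/443
    to each destination DNS name; real MUD files carry more than this."""
    aces = [{"name": f"to-{n}",
             "matches": {"ipv4": {"ietf-acldns:dst-dnsname": n, "protocol": 6},
                         "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
             "actions": {"forwarding": "accept"}} for n in dnsnames]
    return {"ietf-access-control-list:acls": {"acl": [
        {"name": "v4to", "type": "ipv4-acl-type", "aces": {"ace": aces}}]}}


def dnsnames_in(mud):
    """Yield every destination DNS name referenced by the ACL's ACEs."""
    for acl in mud["ietf-access-control-list:acls"]["acl"]:
        for ace in acl["aces"]["ace"]:
            name = ace["matches"].get("ipv4", {}).get("ietf-acldns:dst-dnsname")
            if name:
                yield name


def expand(mud, resolver):
    """Addresses a MUD controller would program for the ACL, given the answers
    its resolver returns (a name -> list-of-address map here)."""
    return {str(ipaddress.ip_address(a))
            for n in dnsnames_in(mud) for a in resolver.get(n, ())}


def shared_with(mud_a, mud_b, resolver):
    """Addresses permitted for device A that also front device B's vendor:
    an IP-level rule derived for A silently admits B's cloud endpoint too."""
    return expand(mud_a, resolver) & expand(mud_b, resolver)


def not_covered(mud, controller_view, device_view):
    """Addresses the device will actually contact (its own resolver's answer)
    that the controller never installed (its resolver's answer)."""
    return expand(mud, device_view) - expand(mud, controller_view)


# Constructed resolver views. CONTROLLER_DNS is what the network's public
# recursive resolver returns; VENDOR_A_DNS is what vendor A's own DNS hands
# the device, e.g. a different CDN node chosen by geography.
CONTROLLER_DNS = {"api.vendor-a.test": ["198.51.100.10", "203.0.113.5"],
                  "api.vendor-b.test": ["198.51.100.10"]}   # same shared front door as A
VENDOR_A_DNS = {"api.vendor-a.test": ["198.51.100.11"]}

DEVICE_A = mud_with_dnsname_aces(["api.vendor-a.test"])
DEVICE_B = mud_with_dnsname_aces(["api.vendor-b.test"])
```

`shared_with(DEVICE_A, DEVICE_B, CONTROLLER_DNS)` isolates the shared-cloud address, and `not_covered(DEVICE_A, CONTROLLER_DNS, VENDOR_A_DNS)` isolates the address the device reaches but the controller never allowed, which is the case the draft argues manufacturers should avoid creating.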