Colleagues, here are the draft minutes from the WG meeting in Marseille. My thanks to Amanda for taking such excellent notes. Please let me know if there are any corrections or ommissions. IoT Working Group Minutes - RIPE 76 17 May 2018, 14:00 - 15:30 WG Chair: Jim Reid Scribe: Mirjam Kühne Status: draft The presentation is available at: https://ripe76.ripe.net/archives/video/124 1. Administrivia Jim Reid opened the meeting and explained that the WG chair selection process is still ongoing. He will pick this up on the mailing list again. It is expected to conclude this within the next few months so that the WG will have selected chairs at the next RIPE meeting. 2. Report on RIPE NCC IoT Activities Marco Hogewoning, RIPE NCC The presentation is available at: https://ripe76.ripe.net/archives/video/125 Jim expressed his personal thanks to Marco for helping to get the IoT WG off the ground. There were no further questions. 3. Privacy Implications of Sewage Testing for Illicit Drugs Elif Sert, Istanbul Bilgi University The presentation is available at: https://ripe76.ripe.net/archives/video/127 Jim asked if there are any indications that this data might be cross-referenced with other types of data to get closer granularity (i.e. the bus network)? Elif responded that this sounds indeed very possible. This particular research data was for instance merged with geographical and mobile phone data, but it was not clear what the results were. The goal was definitely to get more accurate results (on groups and individuals). Hugo Vincent, ARM Research, reported that they have seen quite a lot of progress in the last couple of years in regulating privacy for individuals. He wondered if there were any groups or organisations that were making progress around trying to define how to regulate group privacy? Elif said that there is some research on this and that some books have been published on this topic. She added that at the moment they have a very individual way to look at privacy, and that they might have to lift it up to the group level in order to better protect people. 3. RIOT: Networking from the Friendly OS Perspective Matthias Waehlisch, FU Berlin The presentation is available at: https://ripe76.ripe.net/archives/video/128 Jim asked what the next big thing would be for RIOT. Matthias explained that one thing there were working on were automatic updates for the devices, preferably over the air and secure. Another thing was an easy system to share applications, working on an app store. 4. SPIN: Security and Privacy for In-Home Networks Jelte Jansen, SIDN The presentation is available at: https://ripe76.ripe.net/archives/video/130 Matthias Waehlisch asked if Jelte was aware of the people from Princeton (referring to the IoT inspector). Jelte said that he was aware of them, but that he had no contact yet. Jim said he was fascinated to hear that Jelte’s TV was actually talking to Facebook and wondered if it wouldn’t be a useful service for end users to have some kind of a Little Snitch sitting on the home router reporting what weird things a TV, fridge, kettle etc., werere doing in the background. He asked Jelte if he has considered such a service. Jelte answered that he would like to actually visualise that. However, this could only be done in real time. Looking into the actual data would cause a whole new set of privacy problems. He clarified that one of the reasons this was a research project is that they wanted to look into how they could efficiently report what kind of things people's devices were doing. Niels Bakker asked on the chat channel what Jelte’s ISP was that kept disconnecting him. Jelte didn’t want to mention the name, but said it was a helpdesk service by Ziggo that was responsible for the building he lives in and he didn’t have a choice. Someone else mentioned on the chat channel that there were products on the market that do per-device 'parental controls', like FRITZ!Box, that any end user can use to easily isolate their IoT devices, wired or wireless. Jelte said that he was aware of this, but they were usually restricted to things like parental control. 5. Securing IoT Devices - Closing the Gaps Hugo Vincent, ARM Security The presentation is available at: https://ripe76.ripe.net/archives/video/132 Alain Durand, ICANN, asked what would happen if these devices were to live for 25 years. How does one manage trust anchors if devices are powered down for many years? Hugo said that this was obviously a big challenge. One needs to have strong hardware identity to be able to make sure that this is still the same device later on. Alain added that he thinks authentication has to go both ways. Hugo agreed. Vesna Manojlovic, RIPE NCC, suggested that since Hugo was considering very long terms, to also look at sustainability. Where will the material come from and what about recycling and waste? Hugo said that this was a fantastic question and that he was definitely interested in overall global efficiency. He said ARM wanted to make the device as sustainable as possible and that they were looking at extremely low power usage. They’re doing work with plastic semi-conductors for example to reduce the energy input into the device compared to silicon. He agreed that this was a very important question. Vesna asked if Hugo would be willing to present about this topic at the next RIPE Meeting. Hugo answered that one of his colleagues could definitely do that. Petr Špaček, CZ.NIC, asked to let him know when they found a way to solve the trust anchor issue, because the domain name community has been struggling with that problem for years already. Jim commented that ARM was in a very interesting position in this particular marketplace and that there was a lot of good things they could do to encourage their partners to have a security framework for the live updates of IoT devices. He also suggested to consider open sourcing some of that work. Hugo responded that a lot of their IoT stack was already open source. He agreed that they don’t only have the opportunity but the responsibility to improve security of IoT devices. 6. Role for the Name and Numbering Community in the IoT Domain Sandoche Balakrichenan, AFNIC The presentation is available at: https://ripe76.ripe.net/archives/video/134 Marco Hogewoning clarified that from the RIPE NCC’s perspective, IPv6 addresses are not good for identification. A lot of people want both: a fixed identifier and at the same time an identifier to deliver traffic to the device where ever it is. This can be solved. But as the RIPE NCC we would like some guidance from the community how to handle this. Jim added that it would be good if the speaker could help to do some outreach into these other communities in the area of IoT. He recommended to find out what the problem statements and approaches are and to encourage them to come to the meetings and participate. Victoria Risk, ISC, asked if the speaker had considered using MAC addresses as identifiers. Sandoche responded that in LowRa they are using UI64 (which is a bit like a MAC address). He said that for locating communication in a computers, one could use a MAC type UI64 address and for the communication between the protocols on the Internet, one could use IPv6. But they will still have to see if this would work. 7. AOB Jim Reid closed the meeting and encouraged everyone to participate in the IoT/IPv6 discussion taking place in the IPv6 WG later that afternoon.