Some thoughts on IoT
HKNOG, 2017-07-03
Geoff Huston
Chief Scientist, APNIC
Technology
Does technology change society, or do we develop and adopt technology to address society's changes?
When Meng Tian invented the camel hair paintbrush in 250 BCE he did not invent calligraphy. He responded to a need in ancient Chinese society for more and higher quality written documents that could be produced faster.
The most profound technologies are those that disappear. They weave themselves into the fabric of everyday life until they are indistinguishable from it...
- Mark Weiser, 1991
Technology
So how should we look at the Internet of Things?
Is this merely a temporary consumer fad, destined to be replaced by the next cool technology item?
Or is this an instance of a profound technology change that answers a basic need in our society, one that will bed down to be a part of our everyday life for many years to come?
To try and answer this, let's try and put this question into the broader context of the evolution of the computer and communications enterprise.
The Computing Evolutionary Path
Computers were esoteric high frontier research projects
1946 – Eniac – a numeric calculator
Then they became a "must have" business tool
1964 – IBM 360 – commercial computing
Extravagant statements of technopower
1976 – CRAY-1 – "super" computing
But there was also the hobbyist market
1976 – Apple-1 – "personal" computing
Consumer computers as a statement of design style
1984 – Mac
From style to mass marketed luxury item
2007 – Apple's iPhone
With desktop devices the Internet of computers was a dedicated activity:
dedicated chair
lighting
wired bandwidth
large view screens
privacy
dedicated worktop
reliable power
The Internet is now anywhere and everywhere
It's trivial, commonplace and blends into all our activities:
radio connectivity
battery power
hand sized
thumb operated
Maybe it's about the demise of the "traditional" computer
As dedicated "things" are replacing it
Connecting "things" to the Internet is nothing new
Simon Hackett's Internet Remote Radio of 1990
John Romkey's Internet Toaster – Let them eat Toast!
This new IoT is just the old IoT
The use of microprocessors to undertake simple tasks is about as old as the Intel 4004 and the Zilog Z80 processor chips
This new IoT is just the old IoT (with new lipstick!)
And we are already living in a processing-dense world
A modern car has around 150 – 200 microprocessor-controlled systems, from the windscreen wipers, to the entry system, to engine control and all things in between
Many/most consumer appliances have all turned to microprocessor control
Industrial processes, logistics and inventory control, environmental monitoring all use various forms of embedded processing
So why is IoT a hot topic today?
The Hype
• Gartner Predictions
• CES shows
• Home Apps
• Car Apps
IoT is...?
• It is a generic term that encompasses a huge variety of applications that have little in common other than a propensity to operate in an unmanaged environment
• It's hard to talk about the IoT in anything other than highly generic terms
Why now?
• Low power, high capability silicon now dominates chip fabrication plants
• Saturation of the smart device market
• Full stream silicon production volumes require some form of consumption model
• Radio technology: RFID, Bluetooth, WiFi, LTE
• Improvements in AD convertors are providing range and bandwidth to radio systems
• Protocol development provides "seamless" connectivity, i.e. passports and clothing tags, Apple earbuds, home controllers and similar
• Actors seeking new markets
• 5G for SIMs and wide area mobility
• Smartphone platform providers seeking to enter the car, home and work environments
• Industrial and process automation seeking to expand market reach
Why now?
• Because we have saturated our traditional markets for technology and the production capacity is being redirected to new opportunities
• PC sales volumes plummeting
• Smartphone sales are now peaking
• The computer technology industry is seeking to use its existing capability to provide new product to high volume markets
• Which means looking at low unit margin, very high volume opportunities by adding "smart" network centric interfaces and controllers to existing devices and functions
The opportunities
• "smart" lighting - e.g. Philips
• "smart" home appliances and networks - e.g. Miele
• "smart" power management
• "smart" labels for retail
• "smart" traffic control
• "smart" image analysis
• "smart" video surveillance
• Almost anything else that uses the word "smart"
The Variety of Life
It's a set of discrete applications that have highly divergent requirements:
• Radius of connectivity varies from mm to kilometers
• Bandwidth varies from bits to gigabits per second
• Data volumes vary from bytes to petabytes
• Connectivity models may be push or pull
• Connectivity may be ad-hoc relays to dedicated wired
• Transactions may be unicast, multicast or anycast in nature
• Applications include sensing and reporting, command and control, adaptation and interfacing
There is little that these environments have in common, except maybe a common underlying gene pool!
The IoT Gene Pool
Unix
• It's small, it's ubiquitous, it's well understood, it's cheap, it's open source without onerous IPR constraints, it has a massive set of application libraries
• Customised microkernels are risky, expensive and rarely necessary
IP
• It's small, it's ubiquitous, it scales, it's well understood, it's cheap, it's open source without onerous IPR constraints, and everyone speaks it!
• But which IP?
IPv4 and IoT
• The "conservative" option for IP in this environment
• Ubiquitous support across the entire deployed Internet
• Well understood protocol behaviour
• Widely available APIs
Of course it should also be useful to factor in NATs in IPv4:
• Push model where the "thing" pushes data to a rendezvous point rather than a constant pollable model of "pull" access
• "pull" and "feeder" models work behind NATs using relays and/or ALGs: split the primary feed from the propagation of the data
IPv6 and IoT
• It's the "killer app" for IPv6
• But the numbers suggest otherwise:
• 7B connected "devices" on today's IPv4 Internet, plus a further 7B conventional PC and smart devices
• 2.8B announced IPv4 addresses
• 1.3B "used" IPv4 addresses
• We can probably push this model harder!
"Thing" Behaviour
Pull:
• Device is always connected and interrogated by external agents
• A model of polling or feed subscription where the device maintains information that can be polled by an external agent
• This requires a public IP address + port
• It also requires a highly robust core implementation that is resistant to attack
• It also requires some considerable thought on the authorization model
• Device is configured to authorize users and/or
• Device uses a third party auth server
• Commonly seen in webcams and other continuous monitoring applications (though it's not necessarily required)
Pull vs Push
Push:
• Intermittently connected and interrogated via external agents
• Device pushes data to some data collection agent
• Limited connection requirement
• This behaviour is NAT "friendly", as the device is the client and the collection point is the server
• External access via the data collection agent, not the device
• Does not require dedicated addressing outside of the local context
• This limited access model facilitates defensive measures, including encrypted communications to the device's agents and preventing all third party connections
• And such devices probably should be behind a NAT in any case! (e.g. cameras)
Security
Seen at NANOG 69...
Interesting ...
“At last count I have about 43 devices on my LAN, with less than a third running an OS that I can actually interact with. The rest are embedded systems that get updated (hah!) by the vendors at their whim. Easily two-thirds would 'phone home' to somewhere at various times. About 7 have external access without explicitly setting port-forwarding.
Of course, my router monitors and reports on all outbound traffic - but do I actively look at it? I should. But I don’t. And of course everything we value on our LAN we protect and encrypt end-to-end and at-rest as the LAN is actually occupied by foreign devices with unknown network capability... sure we encrypt absolutely everything...”
An Internet of Stupid Things
We keep on seeing the same stupidity again and again:
• Devices with the telnet port open
• Devices with open DNS resolvers on the WAN side
• Devices with open NTP/SNMP/chargen etc
• Devices with the same preset root password
• Devices using vulnerable libraries that are susceptible to rootkit exploitation
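As an added illustration (not part of the slides), here is a small audit that a network operator could run over a device inventory to flag the exposures listed above, and the pull-model devices that the Pull vs Push slides say belong behind a NAT pushing to an agent. The inventory, the port list and the preset-password set are constructed for this example.

```python
from dataclasses import dataclass, field

# Services the deck lists as needlessly exposed, keyed by well-known port.
RISKY_WAN_SERVICES = {19: "chargen", 23: "telnet", 53: "DNS resolver",
                      123: "NTP", 161: "SNMP"}

# Constructed placeholder set of factory-preset credentials; a real audit
# would load the vendor defaults it actually knows about.
PRESET_ROOT_PASSWORDS = {"admin", "root", "12345", "password"}


@dataclass
class Device:
    name: str
    model: str                                   # "push" or "pull"
    wan_ports: set = field(default_factory=set)  # ports reachable from the WAN
    root_password: str = ""


def audit(devices):
    """Return (device name, finding) pairs for every exposure found."""
    findings = []
    for d in devices:
        for port in sorted(d.wan_ports):
            if port in RISKY_WAN_SERVICES:
                findings.append((d.name, f"{RISKY_WAN_SERVICES[port]} open on WAN (port {port})"))
        if d.root_password in PRESET_ROOT_PASSWORDS:
            findings.append((d.name, "preset root password"))
        # A pull-model device reachable from outside needs a public address+port
        # and a hardened core; a push-model device is the client and needs no
        # inbound exposure, so it can sit behind NAT with no open WAN ports.
        if d.model == "pull" and d.wan_ports:
            findings.append((d.name, "pull model exposed directly; place behind NAT and push to an agent"))
    return findings


# Constructed sample inventory (not a real scan).
SAMPLE_INVENTORY = [
    Device("webcam-1", "pull", {80, 23}, "admin"),
    Device("thermostat", "push", set(), "Xy7!pQ2m"),
    Device("router-cpe", "pull", {53, 161}, "k9#Qv4Lr"),
]

if __name__ == "__main__":
    for name, issue in audit(SAMPLE_INVENTORY):
        print(f"{name}: {issue}")
```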
The Internet of Stupid Things
• How do you perform field upgrades of otherwise neglected and unmanaged devices?
• What's the economics of incenting field upgrades from the manufacturer?
• Who is responsible for broken "things"?
The Internet of Stupid Things
Is this stupidity even avoidable?
• The bleak picture is maybe not!
• In a price sensitive market where system robustness and quality is largely intangible, where is the motive to maintain high quality code?
• How can a consumer tell the difference in the quality of the software, in terms of its robustness and security of operation?
high clock speed industry + commodity components + low margin = market failure for IoT security
Privacy
Some things you can count on...
• The volumes are already huge, and they're growing
• "Things" already outnumber everything else on the Internet
• Security is an unachievable word!
• Privacy is now an historical concept
• Digital pollution is pervasive and we now have an internet that is a largely chaotic and hostile environment
And some things we can't tell
• Will we standardize this area or will it be a diverse set of mutually incompatible devices?
• Will the market consolidate to be dominated by a small number of providers and their pseudo-open proprietary architectures?
• When will the IoT embrace IPv6?
• Will the IoT market ever discriminate on quality and robustness?
• How do we manage the risk of coercion of these devices?
• How bad can it get?
It's a tough problem...
"The market can't fix this because neither the buyer nor the seller cares.
The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks.
The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features.
There is no market solution, because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."
https://www.schneier.com/blog/archives/2017/02/security_and_th.html
Thanks!