What if you have a wired and wireless network that are separate? If you only get link-local addresses, you can't see the device from the other network.
If you do get an address other than the link-local address, you will be exposed to the entire Internet unless you have a border router blocking you.
The days of unrestricted end-to-end traffic are gone, and won't be back.
The most that we can hope for is that end-to-end traffic is an option controlled by the local router/firewall administrator, rather than the current situation where many/most ISPs block the access.
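The comment above turns on which scope a device's IPv6 addresses have: link-local addresses are invisible from another network, while a global address is reachable from the whole Internet unless a border router filters it. The following script is an added illustration (not code from the thread or from LWN) that audits a device's per-interface addresses and reports the widest audience that can reach it; the interface names and addresses are constructed, and 2001:db8::/32 is the documentation prefix standing in for an ISP-delegated global prefix.

```python
import ipaddress
from typing import Dict, List

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")    # valid on one link only
UNIQUE_LOCAL = ipaddress.IPv6Network("fc00::/7")   # ULA: routable within the site, not on the Internet
GLOBAL_UNICAST = ipaddress.IPv6Network("2000::/3") # routable on the Internet

# Constructed sample: a device with a wired and a separate wireless interface.
# The wired side only has link-local and ULA addresses; the wireless side got a
# global address (2001:db8::/32 is the documentation prefix, used as a stand-in).
SAMPLE_INTERFACES: Dict[str, List[str]] = {
    "eth0": ["fe80::1a2b:3c4d:5e6f:7a8b", "fd12:3456:789a::10"],
    "wlan0": ["fe80::aabb:ccdd:eeff:1", "2001:db8:1234::10"],
}

# Scopes ordered from narrowest to widest reachability.
SCOPE_ORDER = ["loopback", "link-local", "unique-local", "global"]


def scope(addr: str) -> str:
    """Classify one IPv6 address by how far away a peer can be and still reach it."""
    ip = ipaddress.IPv6Address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip in LINK_LOCAL:
        return "link-local"      # only hosts on the same link can see it
    if ip in UNIQUE_LOCAL:
        return "unique-local"    # internal routers forward it; the Internet does not
    if ip in GLOBAL_UNICAST:
        return "global"          # exposed to the Internet unless a border router filters
    return "other"               # multicast, unspecified, etc.: not a unicast exposure


def exposure(interfaces: Dict[str, List[str]], border_filter: bool) -> Dict[str, str]:
    """For each interface, the widest scope among its addresses.

    border_filter=True models a border router/firewall that blocks unsolicited
    inbound traffic, which is the only thing standing between a global address
    and the whole Internet.
    """
    report: Dict[str, str] = {}
    for name, addrs in interfaces.items():
        scopes = [scope(a) for a in addrs if scope(a) in SCOPE_ORDER]
        widest = max(scopes, key=SCOPE_ORDER.index, default="none")
        if widest == "global" and border_filter:
            widest = "global (filtered at border)"
        report[name] = widest
    return report
```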
Schaller: The long journey towards good free video conferencing
Posted Oct 15, 2012 19:09 UTC (Mon) by dlang (✭ supporter ✭, #313)
for some strange reason, people think that a smart fridge needs to show you the local weather report, so it 'needs' to talk to the Internet.
your TV has an actual need to be able to find out what programs are airing and when they get rescheduled, so it will be talking to the Internet.
So these devices are not going to be limited to the local network.
Posted Oct 15, 2012 22:41 UTC (Mon) by tpo (subscriber, #25713)
Once we get serious about saving energy, the fridge will possibly want to know whether it needs to fill up its coldness reservoir in advance, because tomorrow will be a warm day and it won't be able to rely on cold outside air to help it cool its contents :-)
Posted Oct 15, 2012 21:36 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)
I absolutely loathe the model of "soft center, hard perimeter" - it's broken beyond belief right now, so in lots of cases right now the relation "being accessible" is equal to "being authorized to use".
We should probably evolve towards "no perimeter, everything is hardened" model. For example, by using IPSec to create authenticated overlays over the IPv6 network.
Posted Oct 15, 2012 21:44 UTC (Mon) by dlang (✭ supporter ✭, #313)
defining how to set up IPv6 IPSec on your TV, DVR, Washing Machine, Fridge, etc is not trivial (for that matter, setting it up securely on your full blown computers is not trivial, even for experienced admins)
As long as devices can be shipped and 'just work' without some complicated setup, manufacturers will continue to have that as the default.
Any completely automated IPSec setup process is not going to be any more secure, as the rogue equipment will be able to automate joining the network just like any legitimate equipment.
Now that you have a 'soft center', the only remaining question is if you opt to expose this out to the Internet, or if you try to get some protection by putting a 'hard shell' around it.
and arguments for ubiquitous IPSec or SSL can actually reduce the overall security if they make it impossible for the devices at the edge of the network to protect devices inside the network.
Posted Oct 15, 2012 21:57 UTC (Mon) by Cyberax (✭ supporter ✭, #52523)
>Any completely automated IPSec setup process is not going to be any more secure, as the rogue equipment will be able to automate joining the network just like any legitimate equipment.
Right now IPSec is impossible to use, but that's because nobody has yet started to "humanize" it.
Posted Oct 15, 2012 22:05 UTC (Mon) by raven667 (subscriber, #5198)
True and unfortunate. There should be no need for SSL because IPSec should cover that use case but Opportunistic Encryption just didn't work well enough in the real world and ESP doesn't work well with NAT. IPSec represents the bad kind of multi-vendor consensus design that tries to be everything and ends up being nothing.
Posted Oct 15, 2012 22:29 UTC (Mon) by dlang (✭ supporter ✭, #313)
right now nothing 'works' (for some definition of 'works')
Every large organization that has tried to get rid of the hard shell and harden everything has been broken into. But at the same time, every large organization that has tried to have a 'hard shell' and a free-for-all inside has also been broken into.
'hard shell' by itself only works if you can control the communication out of the network
'harden everything' only works if you actually control every device on your network and have a sane way of administering the result.
The 'current' model of allowing everyone to have their own personally owned equipment that the company has no control over, and letting them connect it to the network (either directly, or via USB to the company computers) is a situation that gives you no control over your external communication, and no control over anything running inside.
Posted Oct 16, 2012 22:31 UTC (Tue) by sorpigal (subscriber, #36106)
My prediction is that security through "the thieves haven't broken in to my house YET" will be the rule of the day. We're almost there now, but it will just get worse. Those users who notice that their toasters have been rooted, are stealing credit card numbers and forwarding them overseas will simply throw the toasters out and buy new ones, not attempt to secure them.
Posted Oct 16, 2012 23:38 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)
Posted Oct 16, 2012 23:51 UTC (Tue) by dlang (✭ supporter ✭, #313)
even assuming that someone takes the time to engineer your solution, and all the different manufacturers manage to agree on a common spec for how it would work, and going even further, manage to implement it in a compatible way.
Posted Oct 17, 2012 0:20 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)
And most of the components are already here. NFC is available on most phones and NFC readers are dirt-cheap.
Posted Oct 17, 2012 0:22 UTC (Wed) by dlang (✭ supporter ✭, #313)
with the notable exception of Apple devices. How many companies are going to make a fridge that cannot be configured by any Apple customers?
Posted Oct 17, 2012 0:28 UTC (Wed) by Cyberax (✭ supporter ✭, #52523)
Posted Oct 17, 2012 15:33 UTC (Wed) by sorpigal (subscriber, #36106)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds