Something over on homenet prompted me to send the following. I do have the
same concern for BRSKI - what's the disaster recovery mechanism when all
vendor MASAs are unreachable but we must restart the network anyway?

   Brian

-------- Forwarded Message --------
Subject: Re: [homenet] write up of time without clocks
Date: Wed, 2 Nov 2016 08:38:04 +1300
From: Brian E Carpenter <[email protected]>
Organization: University of Auckland
To: [email protected]

On 02/11/2016 03:52, Philip Homburg wrote:
...
> Which brings me to the following: given that all code has security issues,
> maybe devices should check for updates and just shutdown if they can't
> verify that they are running the latest firmware?

That sounds absolutely dreadful for disaster recovery scenarios where
the Internet is badly broken (after a hurricane, earthquake, etc.)
and people need to restart essential systems (or they need to restart
themselves).

> So the device should have the vendor's long term TLS certificate. With possibly
> an option for the user to disable this kind of security if the device is
> not actually connected to the internet.

No, during disaster recovery the last thing you need is for ordinary people
to be faced with strange security alerts that they've never seen before.
(It's rather like advising people to go into the BIOS to change an option
while the fire alarm is ringing.)

Things need to just work during disaster recovery.

    Brian

_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima