Roman Danyliw via Datatracker <nore...@ietf.org> wrote:
    > ----------------------------------------------------------------------
    > DISCUSS:
    > ----------------------------------------------------------------------

    > ** Section 7.
    > The use of a publicly specified firmware update protocol would also
    > enhance privacy of IoT devices.  In such a system, the IoT device
    > would never contact the manufacturer for version information or for
    > firmware itself.

    > Why does the use of a “publicly specified firmware update protocol” necessarily
    > enhance privacy?  Do all such protocols have the properties described in the
    > second sentence?

Answering this directly now.
I don't know, because we, the IETF, have yet to specify one :-)
(This is a topic I want to bring to SUIT when it recharters)
I am making an assumption here about how such a protocol would work.

I have added this paragraph after the one you cite:

} While a vendor proprietary scheme to distribute firmware updates would
} satisfy some of these criteria, operators/Enterprises are less likely to
} install one of these for every single device.
} Home (residential) users are unlikely to install any system that did not
} provide service to all their devices, so only a system that was
} non-proprietary is likely to be present.

I also don't know of other such protocols; perhaps the latest MATTER spec
includes one.  OPC UA does not (AFAIK) specify one yet.

While there could be many privately specified firmware update protocols, and
maybe every single LG home appliance (for instance) uses the same one, using
such a privately specified protocol would tell everyone you have LG appliances.

If every single device that you have has to reach out to the vendor, on their
own, then an observer learns not just which kinds of devices one has, but how many
of them there are, and even possibly what their usage pattern is.
Consider a hospital with hundreds of diffusion pumps: assume that they do not
perform firmware updates while in use (unlike, it seems, Tesla cars).
Then, the moment they are put back in the closet, they look for updates online.
Thus the observer knows when they are returned to the closet.
If this Enterprise had multiple locations, and the locations did Internet
directly (via running everything through HQ via site-to-site VPN), then the
observer gets to see the distribution of devices to locations too.

I assume that Samsung and GE are unlikely to use LG's protocol, and that each
would have their own protocol, and as a result, it's unlikely that anyone
will deploy servers to accommodate all of these.  Particularly, nobody is
going to deploy a non-publicly specified protocol in the home.  In an
Enterprise, maybe a hospital would do this to save bandwidth for a device of
which they have hundreds.

A publicly specified firmware update protocol that all devices could use
would mean that some local system (SUIT sometimes calls this the Status
Tracker) would know which devices are present, and would proactively fetch a
single copy of a firmware update.  It would then make this update available
to all devices.
It could even afford to do things like oblivious HTTP if desired.

A MUD file for such devices could then omit any Internet firmware update
pathways.  (There are some enhancements we could consider to MUD to indicate
these uses.  I've previously tried to define some of that in
draft-richardson-shg-mud-quarantined-access, but had not pursued that
document recently.)
MUD does allow for definition of allowed local access, and it could specify
access to the update server.  That is not done by DNS exactly, and we
probably have work to do here.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

_______________________________________________
OPSAWG mailing list
OPSAWG@ietf.org
https://www.ietf.org/mailman/listinfo/opsawg