Roman Danyliw via Datatracker <nore...@ietf.org> wrote:
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> ** Section 7.
>    The use of a publicly specified firmware update protocol would also
>    enhance privacy of IoT devices. In such a system, the IoT device
>    would never contact the manufacturer for version information or for
>    firmware itself.
>
> Why does the use of a “publicly specified firmware update protocol” necessarily
> enhance privacy? Do all such protocols have the properties described in the
> second sentence?

answering this directly now.

I don't know, because we, the IETF, have yet to specify one :-)
(This is a topic I want to bring to SUIT when it recharters)

I am making an assumption here about how such a protocol would work.
I have added this paragraph after the one you cite:

} While a vendor proprietary scheme to distribute firmware updates would
} satisfy some of these criteria, operators/Enterprises are less likely to
} install one of these for every single device.
} Home (residential) users are unlikely to install any system that did not
} provide service to all their devices, so only a system that was
} non-proprietary is likely to be present.

I also don't know of other such protocols; perhaps the latest MATTER spec
includes one. OPC UA does not (AFAIK) specify one yet.

While there could be many privately specified firmware update protocols, and
maybe every single LG home appliance (for instance) uses the same one, using
such a privately specified protocol would tell everyone you have LG appliances.

If every single device that you have has to reach out to the vendor, on their
own, then an observer learns not just which kind of devices one has, but how
many of them there are, and even possibly what their usage pattern is.

Consider a hospital with hundreds of diffusion pumps: assume that they do not
perform firmware updates while in use (unlike, it seems, Tesla cars). Then, the
moment they are put back in the closet, they look for updates online. Thus the
observer knows when they are returned to the closet.

If this Enterprise had multiple locations, and the locations did Internet
directly (via running everything through HQ via site-to-site VPN), then the
observer gets to see the distribution of devices to locations too.

I assume that Samsung and GE are unlikely to use LG's protocol, and that each
would have their own protocol, and as a result, it's unlikely that anyone will
deploy servers to accommodate all of these. Particularly, nobody is going to
deploy a non-publicly specified protocol in the home. In an Enterprise, maybe
a hospital would do this to save bandwidth for a device for which they have
hundreds of devices.

A publicly specified firmware update protocol that all devices could use would
mean that some local system (SUIT sometimes calls this the Status Tracker)
would know which devices are present, and would proactively fetch a single
copy of a firmware update. It would then make this update available to all
devices. It could even afford to do things like oblivious HTTP if desired.

A MUD file for such devices could then omit any Internet firmware update
pathways. (There are some enhancements we could consider to MUD to indicate
these uses. I've previously tried to define some of that in
draft-richardson-shg-mud-quarantined-access, but had not pursued that document
recently)

MUD does allow for definition of allowed local access, and it could specify
access to the update server. That is not done by DNS exactly, and we probably
have work to do here.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide
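An added illustration of the last two paragraphs of the message above (example code, not part of the thread or of any MUD draft): two constructed, trimmed RFC 8520 MUD files for the same device, one whose from-device ACL lets it fetch firmware from a vendor host on the Internet, the other that only names a local status tracker through MUD's "controller" match, plus a small check a MUD manager could run to list which Internet hosts a device is still allowed to reach on its own. The mud-url, ACL names, the vendor host and the tracker URI are made up.

```python
from typing import Any, Dict, List


def mud_skeleton(ace: Dict[str, Any]) -> Dict[str, Any]:
    """Wrap one from-device ACE in the RFC 8520 MUD/ACL layout (trimmed to
    what matters here; the mud-url and ACL names are made up)."""
    return {
        "ietf-mud:mud": {
            "mud-version": 1,
            "mud-url": "https://mud.example/pump.json",
            "from-device-policy": {
                "access-lists": {"access-list": [{"name": "fr-v4"}]}}},
        "ietf-access-control-list:acls": {"acl": [{
            "name": "fr-v4", "type": "ipv4-acl-type",
            "aces": {"ace": [ace]}}]}}


TCP_443 = {"ietf-mud:direction-initiated": "from-device",
           "destination-port": {"operator": "eq", "port": 443}}

# Per-vendor scheme: every device phones home, so an observer sees the vendor.
VENDOR_PULL_MUD = mud_skeleton({
    "name": "fw-vendor", "actions": {"forwarding": "accept"},
    "matches": {"ipv4": {"ietf-acldns:dst-dnsname": "firmware.vendor.example",
                         "protocol": 6}, "tcp": TCP_443}})

# Local status tracker named through MUD's "controller" match class: the
# device never leaves the site; the tracker fetches one copy for everyone.
LOCAL_TRACKER_MUD = mud_skeleton({
    "name": "fw-local", "actions": {"forwarding": "accept"},
    "matches": {"ietf-mud:mud": {"controller": "https://mud.example/tracker"},
                "ipv4": {"protocol": 6}, "tcp": TCP_443}})


def internet_update_hosts(mud: Dict[str, Any]) -> List[str]:
    """DNS names the device may initiate connections to, per its from-device
    ACLs. An empty list means no direct Internet update pathway."""
    wanted = {a["name"] for a in mud["ietf-mud:mud"]["from-device-policy"]
              ["access-lists"]["access-list"]}
    hosts: List[str] = []
    for acl in mud["ietf-access-control-list:acls"]["acl"]:
        for ace in acl["aces"]["ace"] if acl["name"] in wanted else []:
            if ace["actions"]["forwarding"] != "accept":
                continue
            for fam in ("ipv4", "ipv6"):
                name = ace["matches"].get(fam, {}).get("ietf-acldns:dst-dnsname")
                if name:
                    hosts.append(name)
    return hosts
```

The check only looks at dst-dnsname matches; an ACE that uses a raw destination address or one of the other MUD match classes is not reported, which is the gap the message points at when it says this "is not done by DNS exactly".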