nanog mailing list archives

Re: comcast ipv6 PTR

From: Mark Andrews <marka () isc org>
Date: Thu, 17 Oct 2013 10:03:42 +1100


In message <20131016212547.GC31165 () hezmatt org>, Matt Palmer writes:

On Thu, Oct 17, 2013 at 12:12:03AM +1100, Mark Andrews wrote:

In message <199168.1381928361 () turing-police cc vt edu>, Valdis.Kletnieks@vt

.edu

 writes:

On Wed, 16 Oct 2013 18:50:29 +1100, Mark Andrews said:

* CPE generates a RSA key pair.  Stores this in non-volatile memory.
  [needs to be coded, no protocol work required]


has proven to be a lot harder to do in the field than one might expect, d

ue

to the very limited amount of entropy sources available to a CPE that Joe
Sixpack just pulled out of a Best Buy shopping bag.  Witness the truly hu

ge

pile of CPE that generate horribly insecure weak self-signed certs for ht

tps.

...

 
Which is easily solvable when you design the CPE device to have
good sources of hardware randomness.  CPE devices are no longer
just routers which shuffle packets.  There are lots of activities
that CPE deviced do that require good randomness and it only costs
a couple of cents to add it the devices.


I'm sure the NSA would be happy to chip in to ensure that the best[0]
possible source of randomness is available.

- Matt

[0] *Who* the decision is best for is left open to the imagination.


CPE devices need both battery backed time of day clocks and sources
of hardware randomness.

Modern Intel CPU's provide hardware based random numbers.  It is
not like other cpu manufactures can't do the same thing.  This
doesn't increase the chip count or pcb real estate used.

It's time CPE Router vendors did a re-think.

Mark

-- 
Generally the folk who love the environment in vague, frilly ways are at
odds with folk who love the environment next to the mashed potatoes.
              -- Anthony de Boer, in a place that does not exist

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org

Current thread:

Re: comcast ipv6 PTR, (continued)
- - - Re: comcast ipv6 PTR joel jaeggli (Oct 15)
    - Re: comcast ipv6 PTR Mark Andrews (Oct 15)
    - Re: comcast ipv6 PTR Bjørn Mork (Oct 15)
    - Re: comcast ipv6 PTR Joe Abley (Oct 15)
    - Re: comcast ipv6 PTR Bjørn Mork (Oct 15)
    - Re: comcast ipv6 PTR Brielle Bruns (Oct 15)
    - Re: comcast ipv6 PTR Mark Andrews (Oct 16)
    - Re: comcast ipv6 PTR Valdis . Kletnieks (Oct 16)
    - Re: comcast ipv6 PTR Mark Andrews (Oct 16)
    - Re: comcast ipv6 PTR Matt Palmer (Oct 16)
    - Re: comcast ipv6 PTR Mark Andrews (Oct 16)
    - Re: comcast ipv6 PTR Lyndon Nerenberg (Oct 16)
    - Re: comcast ipv6 PTR Mark Andrews (Oct 16)
    - Re: comcast ipv6 PTR Eugen Leitl (Oct 17)
    - Re: comcast ipv6 PTR Mark Andrews (Oct 15)
    - Re: comcast ipv6 PTR Bjørn Mork (Oct 16)
    - Re: comcast ipv6 PTR Mark Andrews (Oct 16)
    - Re: comcast ipv6 PTR Barry Shein (Oct 15)
    - Re: comcast ipv6 PTR Doug Barton (Oct 15)
    - Re: comcast ipv6 PTR Bjørn Mork (Oct 15)
    - Re: comcast ipv6 PTR Brielle Bruns (Oct 15)

(Thread continues...)