From: Sebastian Moeller
To: Mikael Abrahamsson
Cc: Dave Täht, cerowrt-devel
Date: Mon, 26 Nov 2018 23:13:14 +0100
Subject: Re: [Cerowrt-devel] security guidelines for home routers
Message-Id: <05A88D6B-51BC-4CC5-98D9-E85AE11D96AC@gmx.de>
References: <6F8CDBFF-8B8A-4B6B-BCE9-918A69354626@gmx.de>
List-Id: Development issues regarding the cerowrt test router project

Hi Mikael,

> On Nov 26, 2018, at 19:35, Mikael Abrahamsson wrote:
>
> On Mon, 26 Nov 2018, Sebastian Moeller wrote:
>
>> And 2) basically is a complaint that there is a weak MAY clause for
>> guaranteeing that 3rd party firmware like openwrt is installable. I
>> think this was weakened on purpose by the DOCSIS-ISPs which seem to have
>> zero interest for 3rd party firmwares for cable-modems/routers. (I would
>> not be amazed if cable labs would actually rule something like this out
>> per contract, but I have zero evidence for that hypothesis).
>
> 2 is interesting from a security point of view. With secure boot
> special provisions have to be put into the router to turn off secure
> boot to be able to install anything on it. Question is how this would be
> done in a way that is both secure and somewhat user friendly.

I guess that most cheap routers do not actually do "secure boot" but
rather make it hard to flash not-approved firmware binaries from the
GUI, and for the intents and purposes of the BSI document that level of
security, in spite of the talk about firmware authentication by digital
signatures, seems sufficient.
So no need to secure the JTAG interface,
or even a tftp update method that can be initiated by pressing a button
on the router or similar.

> 2 also implies sharing drivers etc, and it's unclear how this would be
> done.

Why? In my reading 2 basically just turns the "The router MAY
allow the installation of unsigned firmware (i.e. custom firmware)" into
a "The router MUST allow " it does not rule that the manufacturer needs
to actively help to develop said custom firmware IMHO. Now it would be a
great idea to do so, but certainly not required.

> I believe Germany is too small to drive this requirement, we'd need at
> least US or EU size market to really succeed with this.

Yes, I agree, this is one of the issues where one of the
heavy-weights needs to get involved. My bet is on the EU picking
something like this up first though. ATM I do not see much appetite for
such regulatory actions in the US.

>
> --
> Mikael Abrahamsson email: swmike@swm.pp.se