Ondřej,

At 2016-11-17 01:02:10 +0100
Ondřej Surý <ondrej.s...@nic.cz> wrote:

> > Given the low margin, my suspicion is that most CPE manufacturers would NOT
> > want to add in any additional components to solve what for them would be an
> > edge case in terms of volume.
>
> This is the main problem. Most CPE manufacturers don't give a damn
> about their devices when they are able to sell them successfully
> to unsuspecting people. So I would suspect that if you bought
> a low-end device supporting DNSSEC early next year and let it
> collect dust for a single year, there's a high chance it won't
> work either, because there would be no way to update either
> the firmware or the trust anchors. And even with the usual 2
> year warranty most people would just not bother to return a faulty
> device to the seller, because $20 is not worth it. And that's
> exactly the reason why those vendors are able to do it. Most
> people just don't care...
>
> And I am not convinced that we should design protocols to cater
> to the device vendors' irresponsible behavior toward their products.

While you're not wrong, I think the characterization is slightly unfair to CPE vendors. For most electronics equipment (pre-IoT) once you sold it your job as a manufacturer was basically done. You don't have to issue security patches for the keyboard or firmware upgrades to the monitor because the meaning of the wires in the VGA standard has changed out from under it.

With anything connected to the Internet it seems the only thing that we can do is constantly be patching and fighting against the latest exploits of our protocols and implementations. Unless we are going to throw away all practical engineering and only use systems that are provably correct in a mathematics sense(*), that's probably how it is going to stay.

I infer that you agree that the reason that CPE equipment sucks is because the business model is wrong. The traditional vendor approach of selling a thing and then being done with the business is broken. This is one of the many reasons that IoT equipment sucks and is going to continue to suck, until the costs and profits of managing systems long-term align.

But not only *vendors* like this approach, *consumers* like this approach. (Me too, for the record. I would not be thrilled if I got a bill for $1 every year to keep my mouse up to date.)

There are several possible models that would be better: subscription, open systems (so a 3rd party can sell improvements & upgrades), and so on.

Unfortunately nobody seems to care about these issues, since the vendors are making money by the fistful (a few pennies at a time) and policy makers take that as a sign that everything is fine.

Cheers,

--
Shane

(*) Noting of course that systems that express things in precise mathematics are often incomprehensible to experts, much less non-experts in a given subject area. Or rather, "be careful what you ask for, you might get it". ;)

_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop