comcast ipv6 PTR

Matt Palmer mpalmer at hezmatt.org
Wed Oct 16 21:25:47 UTC 2013


On Thu, Oct 17, 2013 at 12:12:03AM +1100, Mark Andrews wrote:
> In message <199168.1381928361 at turing-police.cc.vt.edu>, Valdis.Kletnieks at vt.edu
>  writes:
> > On Wed, 16 Oct 2013 18:50:29 +1100, Mark Andrews said:
> > > * CPE generates a RSA key pair.  Stores this in non-volatile memory.
> > >   [needs to be coded, no protocol work required]
> > 
> > has proven to be a lot harder to do in the field than one might expect, due
> > to the very limited amount of entropy sources available to a CPE that Joe
> > Sixpack just pulled out of a Best Buy shopping bag.  Witness the truly huge
> > pile of CPE that generate horribly insecure weak self-signed certs for https.
> > ...
>  
> Which is easily solvable when you design the CPE device to have
> good sources of hardware randomness.  CPE devices are no longer
> just routers which shuffle packets.  There are lots of activities
> that CPE devices do that require good randomness and it only costs
> a couple of cents to add it to the devices.

I'm sure the NSA would be happy to chip in to ensure that the best[0]
possible source of randomness is available.

- Matt

[0] *Who* the decision is best for is left open to the imagination.

-- 
Generally the folk who love the environment in vague, frilly ways are at
odds with folk who love the environment next to the mashed potatoes.
		-- Anthony de Boer, in a place that does not exist
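The failure Valdis describes above (CPE boxes that generate RSA keys from a near-empty entropy pool) is detectable after the fact, because devices that draw the same prime end up with moduli that share a factor, and a single gcd then recovers both private keys. The following is an added example of the audit check a defender can run over a fleet's public keys; it is not code from the thread or from any vendor, the device names and the toy-sized primes are constructed, and real audits use Bernstein's batch GCD with a product tree rather than the direct product computed here.

```python
from math import gcd
from itertools import combinations

# Constructed sample moduli (toy-sized primes, not real 2048-bit RSA keys).
# Devices "cpe-A" and "cpe-B" share the prime P, modelling two boxes that
# booted with the same near-empty entropy pool and drew the same first prime;
# "cpe-C" and "cpe-D" generated independent primes.
P = 1000003
MODULI = {
    "cpe-A": P * 1000033,
    "cpe-B": P * 1000037,        # shares P with cpe-A -> both keys are weak
    "cpe-C": 1000039 * 1000081,
    "cpe-D": 1000099 * 1000117,
}


def pairwise_shared_factors(moduli):
    """Return [(name1, name2, common_factor)] for every pair of moduli whose gcd > 1.

    Simple O(n^2) form: fine for a few hundred keys, too slow for millions.
    """
    hits = []
    for (n1, m1), (n2, m2) in combinations(sorted(moduli.items()), 2):
        g = gcd(m1, m2)
        if g != 1:
            hits.append((n1, n2, g))
    return hits


def batch_shared_factors(moduli):
    """Flag each modulus that shares a factor with ANY other modulus.

    One gcd per key against the product of all the other keys; this is the
    core idea of batch GCD, without the product/remainder tree that makes it
    scale to millions of certificates.
    """
    total = 1
    for m in moduli.values():
        total *= m
    weak = {}
    for name, m in moduli.items():
        g = gcd(m, total // m)
        if g != 1:
            weak[name] = g
    return weak


def factor_weak_modulus(n, shared):
    """Given a modulus and a prime it is known to share, return both primes.

    Knowing p and q is equivalent to knowing the private key, which is why a
    shared factor means the device's certificate must be treated as compromised.
    """
    assert n % shared == 0, "shared value does not divide the modulus"
    return tuple(sorted((shared, n // shared)))


if __name__ == "__main__":
    for a, b, g in pairwise_shared_factors(MODULI):
        print(f"{a} and {b} share prime {g}; factors: {factor_weak_modulus(MODULI[a], g)}")
    print("devices needing re-keying:", batch_shared_factors(MODULI))
```

Running it lists cpe-A and cpe-B as sharing the prime 1000003 and recovers both factors of each; cpe-C and cpe-D are clean. In a real audit the moduli come from the fleet's HTTPS certificates, and a hit is the signal to force re-keying on the affected firmware, ideally after the device has been given a real hardware entropy source as Mark suggests.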
