Bill Frantz <frantz@xxxxxxxxxxxxxx> writes:

>I would like to have a few more examples of "Can't be taken out of
>production".

Well as a bit of a generalisation anything running an RTOS is likely to be something that can't be taken out of production, and certainly wouldn't be taken out of production for something as minor as a security changeover. These are devices for which availability overrides all other concerns.

To give an actual example from earlier this year, a risk analysis for a set of devices included a discussion of how long and under what conditions you could keep operating a device after it had been compromised by an attacker, because the only thing worse than a device that was co-managed by an attacker would be a device that wasn't functioning at all. The presence of an attacker, while suboptimal, was still far better than not having it operational at all.

Some examples of reasons why devices can't be easily upgraded include one I mentioned a year or two back on this list for which the upgrade cycle, which required a site visit for each device, ran over about ten years and the next cycle was planned to complete in 2030 (but these things always take longer than planned, I don't think they've even started it), and for more exotic examples, "service calls to low earth orbit are expensive", "we can only replace the hardware when the reactors are shut down for refuelling", and "[suggested change] is a good idea but would involve renegotiating international treaties", which still rates as the most solid reason-we-can't-do-it I've ever heard.

Peter.

--
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call