|
I recently came across an interesting piece about the use of IP addresses in the Tesla model S. The part that caught my attention and led to this post is that the car uses the private IPv4 address subnet 192.168.90.0/24 to address different nodes e.g. the centre console is 192.168.90.100 and the dashboard/navigation screen is 192.168.90.101.
Put your geek hat on for a moment as you ponder that! – anything in the car that you want to be able to communicate with individually can now have its own IP address. Here are some scenarios that are not too far-fetched.
An interesting question for the industry is whether this address space be private or public? If it remains private as is apparently currently the case, it will mean that every Tesla dashboard has the exact same IP address 192.168.90.101. (I don’t know the internals of how Tesla architect this but I suspect that if they do run remote diagnostics on the car like they do, they are probably using a different private subnet for each car) . Public address space will mean that every dashboard in every car that is IP-enabled will have its own unique way of globally addressing. The globally unique public options is both exciting and terrifying. Exciting because the increase in the number of addressable devices in the global network (and thus the value of that network) will increase. Terrifying because that global addressability could be abused with consequences ranging from privacy violations (will an employee of the car company be able to access the feeds from the in-car video camera?), through potential for remote car-jacking to pervasive surveillance. Don’t forget that the same capability that will let the car manufacturer run diagnostics and fix your car remotely or get it to report its location when stolen is the same one that big brothers every where love.
Of course the public addressing option is only feasible in an IPv6 world. I also think it is a perfect opportunity, IP on such a scale in cars is pretty greenfield and users don’t yet have too many expectations, so starting with IPv6 will be perfect ... as it will define THE IP-in-cars experience and set the baseline. Ultimately though, I expect to see private addressing maintained some components (those that will only ever need to communicate with other subsystem in the car) and public addressing for other components.
Going for a moment with the premises that each car needs to have some publicly addressable space, the interesting question comes up—how will each car get this globally unique address space? Here are the possibilities for this addressing:
So how much address space should one car get? The answer, whatever it is , is most certainly not a /64. Because some some systems will need to have auto-provisioning (SLAAC or DHCPv6 .... the article indicates the dashboard runs off of Ubuntu), each car needs to have at least one /64 available. And just like the small home user, I see at least a /60 per car (yes I love my nibble boundaries).
Statistics from the International Organisation of Motor Vehicle Manufacturers of annual car production numbers from 1999 till date indicate that on average, the world produces about 48 million cars annually (This doesn’t include heavy trucks and light 2 wheeled vehicles). So if we plan to have a /60 for each of those cars, then that’s one /34 for all cars in the world. Which is quite small if you consider that RIRs give at least a /32 to an LIR.
And as the IP network of the car of the future becomes more complex, we might need to deploy more of the same IP technologies we plan to deploy for the home network of the future. Because unlike smartphones and tables where one would expect the users to be more technologically sophisticated, users of such cars will likely not want to configure stuff or even be able to hence the need for complete auto-configuration. In any case, exciting times ahead and this will be an interesting development to watch.
Sponsored byVerisign
Sponsored byRadix
Sponsored byIPv4.Global
Sponsored byDNIB.com
Sponsored byCSC
Sponsored byWhoisXML API
Sponsored byVerisign
Do we really have to explain why it’s a terrible idea to allow random devices to connect to a car’s internal network? See, for example
http://www.forbes.com/sites/andygreenberg/2013/07/24/hackers-reveal-nasty-new-car-attacks-with-me-behind-the-wheel-video/
Hi John, I don't advocate random devices connecting. Such in-car WiFi will be subject to the same kind of security controls on any other WiFi (at least WPA keys). Secondly, I advocate for multiple subnets - the network to which things like passenger's devices connect will be blocked from accessing the network that controls critical systems.
So if the car has its own private network, firewalled from the rest of the world, what difference does it make what its internal numbering is?
Fun fact: GM’s Onstar service that puts a cell phone in each car uses lots of phone numbers in the 5XX area codes to make each car addressable.
Let me re-state what I meant John SubnetA: Critical Systems SubnetB: In-car wifi So you'd block all traffic from SubnetB to SubnetA However you still want subnetA to have a public space so that the manufacturer for example could run remote diagnostics (I think Tesla does this --- not sure). If there's no need for remote access to SubnetA, then you still need it separate from SubnetB but then accessible via some specialised wired port.
On the equipment I use, e.g. my home router, there’s a single public address of a bastion host that provides limited access to the inside. Why would you want more than that? We really don’t want random outside access to systems where bugs and malware can kill people.
Also, if you assume that every car in the world has its own /64, how would you route the traffic?
If we agree that the car company has a requirement to access nodes on some critical subnet e.g for remote diagnostics, then it is quite possible the use some kind of similar bastion host. But since there are likely going to be more than one node on that critical subnet, each one of them needs to have its own address, hence the need for more than one IP address.
Of course another alternative would be to not make those elements IP-enabled but they use some kind of communications protocol to talk to the bastion host which then talks to the car manufacturer.
Don’t forget that we are talking about cars - I’m sure 95% of those who buy these cars have no clue what a bastion host is, hence the need for automation. Which is why I think the technologies being developed in the Homenet IETF working group may be adaptable to this situation.
As for the routing issue (I think a /64 is too small for a car), an auto-config type protocol that detects what the control subnet prefix is and routes it using the 3G or 4G router that is in the car already exists. Apparently today, Tesla already can remotely access each of its cars and today it gives each of then a /24 subne.
The components in the car need separate addresses on the internal RFC1918 network, and you set up single the bastion host to provide a controlled gateway to whichever of the internal hosts need access. This is an entirely normal way to set up a network, easy to do with any $29.95 home router. Surely you’re familiar with it. It sounds like that’s what Tesla is doing.
Also, do you understand why it’s not practical to route a separate static /64 to every car in the world? The routing tables would explode.
I’m not advocating for the routing of a single /64 - at least not if that single /64 comes from some central space controlled by the car manufacturer. However, if the /64 comes from the local connectivity provider’s space - then no problem. It’s what they already do for their mobile (non-tethering) clients anyway.
Also, if the manufacturer uses ULA, they’d use the same methods they use today to access those hosts - the bastion host with a public IP gotten from the local provider of connectivity is one valid way. Nothing changes. That is the scenario in option (b) of the article.
Where I think we diverge is that - you being a geek see a simple problem to be solved with a $29 home router. I think of the non-geeks and think the solution must be fully automated and transparent to the user of the car. If the car manufacturer (probably working in conjunction with a connectivity provider in different countries) can figure how to do that, then it is a fitting solution.