Does an IoT device need an IP address?

In an earlier post I had a a look at the different options for Cellular IoT (NB-IoT) when it comes to connectivity. One of the options is to use the cellular control plane to forward the raw data without wrapping it into IP data packets (NIDD, Non-IP data delivery). At the time I wondered a bit whether that would be a good idea. But perhaps it actually is!?

Two things have made me reconsider this recently:

One is a recent massive distributed denial of service attack on Brian Krebs’ website that was done with millions of ‘Internet of Things’ devices such as webcams that are connected to the Internet. Bad default security, no maintenance and a lack of security updates create a dangerous situation. As device manufacturers don’t care and owners of those devices usually don’t have the knowledge to keep these devices secure it’s unlikely to change in the future. I agree with Bruce Schneier that the market has failed and will fail to righten the situation and government intervention will be necessary. So perhaps it is better for Internet of Things devices not to have an IP address!? What can’t be addressed from the Internet and what can’t talk to the Internet directly is at least no threat to others if a security loophole is massively exploited.

The second thing that made me think about whether an IP address for many IoT devices is actually needed is this video of Paul Egan of Neul giving a talk at the 2014 Cambridge Internet of Things seminar. The video is interesting in many respects especially if you’ve been following the IoT discussion and progress in 3GPP since that video was made (clean slate, anyone…) and particularly on this topic because he makes you wonder if that soap dispenser that only reports its fill level in a byte or two occasionally really needs an IP address.