[ru999gol]

If Boeing decides to cut costs by using a single network for their entertainment, communications and flight control, who is there gonna be to tell them no? You would assume there is some oversight by independent security researchers who review these planes security, but this assumption seems unsubstantiated.

In reality, how is this separation of critical networks looking like exactly? MAC address filters? Are they air-gapped? I would venture to guess, nobody that isn't bound by an NDA knows.

[p_l]

Boeing actually attempted that on 787,with some VLAN trickery.

FAA caught it and forced them to redesign the setup.

As for actual AFDX networks - they have hardcoded forwarding tables and no MAC learning, and separation between networks tends to use data diodes

[solotronics]

As a network engineer it is terrifying that they would try this. Also, even if you have no MAC learning its trivial to sniff the MAC on an endpoint and then spoof it. You would really need pubkey based encryption where the key is stored in secure chips on every endpoint to know for sure what each device is connected to.

[kerng]

Companies do these things all the time and in other industries they get away with it. It would be nice if other industries would have similar strict audits and requirements.

[p_l]

the difference is that AFDX is a "closed" network. If you attached anything to it directly, you're already past the security boundary, as timing and reliability is more important than verifying identities in it.

[jakeogh]

tends?