Re: [6tisch-security] [6lo] Comments needed for Security Bootstrapping of IEEE 802.15.4 based Internet of Things
Tero Kivinen <kivinen@iki.fi> Tue, 03 February 2015 11:59 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: 6tisch-security@ietfa.amsl.com
Delivered-To: 6tisch-security@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AB8A1A00F9; Tue, 3 Feb 2015 03:59:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.131
X-Spam-Level:
X-Spam-Status: No, score=-3.131 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, SPF_NEUTRAL=0.779, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2hnmQlKun9c6; Tue, 3 Feb 2015 03:59:45 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D7BC1A8987; Tue, 3 Feb 2015 03:59:44 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.8) with ESMTP id t13BwSLI009787 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 3 Feb 2015 13:58:28 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.8/Submit) id t13BwRf0006160; Tue, 3 Feb 2015 13:58:27 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21712.47075.522836.495543@fireball.kivinen.iki.fi>
Date: Tue, 03 Feb 2015 13:58:27 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: "Hedanping (Ana)" <ana.hedanping@huawei.com>
In-Reply-To: <77FA386512F0D748BC7C02C36EB1106D92CC62@szxeml557-mbs.china.huawei.com>
References: <77FA386512F0D748BC7C02C36EB1106D921776@szxeml557-mbs.china.huawei.com> <6426.1422664463@sandelman.ca> <77FA386512F0D748BC7C02C36EB1106D92CC62@szxeml557-mbs.china.huawei.com>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 9 min
X-Total-Time: 9 min
Archived-At: <http://mailarchive.ietf.org/arch/msg/6tisch-security/p7OIoSWSJ3ZXD5cFM2ieCq-ZH3o>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, "anima@ietf.org" <anima@ietf.org>, "6tisch-security@ietf.org" <6tisch-security@ietf.org>, "6lo@ietf.org" <6lo@ietf.org>
Subject: Re: [6tisch-security] [6lo] Comments needed for Security Bootstrapping of IEEE 802.15.4 based Internet of Things
X-BeenThere: 6tisch-security@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Extended Design Team for 6TiSCH security architecture <6tisch-security.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch-security>, <mailto:6tisch-security-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/6tisch-security/>
List-Post: <mailto:6tisch-security@ietf.org>
List-Help: <mailto:6tisch-security-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch-security>, <mailto:6tisch-security-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Feb 2015 11:59:47 -0000
Hedanping (Ana) writes: > > Because IEEE 802.15.4 maximum payload size is 128 Bytes, > > a standard security bootstrapping protocol should be > > light-weight with low complexity. The protocol must allow > > for commissioning of devices I was surprised that the > > draft then suggested EAP with PANA as a transport: If EAP > > is used, PANA can be used to relay the authentication > > message from configured FFDs to 6LBR. If the validation > > is successful, the IP address and network key are > > generated and delivered to the FFD. But, EAP-TLS with > > PANA is exactly what the Zigbee IP specification has > > specified. Do you envision any changes from that > > specification? > > Zigbee IP specification was developed to enable IP address for > Zigbee application, thus the protocol stack are built on IETF's > standards, including EAP-TLS. > As discussed in many working groups, TLS might result in a > significant amount of retransmissions due to unreliable > communication capability of the network and device, thus energy will > be consumed fast. > I think EAP over DTLS /profiled DTLS could be a good option. There is work going on in the IEEE 802.15.9 task group which specifies the key management for 802.15.4, or more specifically it will specify a way to transport existing key management protocols over the 802.15.4 frames. This would allow running for example IKEv2 + EAP over the 802.15.4 and generate keys for 802.15.4 security and then protect all messages between the two nodes. In normal case this would be run even before the IEEE 802.15.4 assocation is done, i.e. immediately after the beacon before doing the association, and would allow protecting the association process too. For this uses the IKEv2 + EAP would be most likely quite good, i.e. the IKEv2 frames would be exchange between the peer joining the network and its next hop router, and inside those IKEv2 frames there would be EAP messages, which are then relayed to the AAA server (trust center TC in draft-he-iot-security-bootstrapping-00) for actual authentication. The 802.15.9 is now in letter ballot phase in IEEE, meaning we should be finished quite soon. One issue there is that, during the 802.15.9 work we noticed some issues with 802.15.4 base specifciation which have been worked on in the 802.15.4 maintenance revision process, and we need to wait for it to finish before 802.15.9 can finish... Most likely both of those will finish before the end of year. -- kivinen@iki.fi
- Re: [6tisch-security] [Anima] [6lo] Comments need… Behcet Sarikaya
- Re: [6tisch-security] [Anima] [6lo] Comments need… Tero Kivinen
- Re: [6tisch-security] [6lo] Comments needed for S… Michael Richardson
- Re: [6tisch-security] [6lo] Comments needed for S… Hedanping (Ana)
- Re: [6tisch-security] [6lo] Comments needed for S… Tero Kivinen
- Re: [6tisch-security] [6lo] Comments needed for S… Robert Cragie
- Re: [6tisch-security] [6lo] Comments needed for S… Hannes Tschofenig
- Re: [6tisch-security] [Anima] [6lo] Comments need… Brian E Carpenter
- Re: [6tisch-security] [6lo] Comments needed for S… Behcet Sarikaya
- Re: [6tisch-security] [Anima] [6lo] Comments need… Brian E Carpenter
- Re: [6tisch-security] [Anima] [6lo] Comments need… Brian E Carpenter
- Re: [6tisch-security] [Anima] [6lo] Comments need… peter van der Stok
- Re: [6tisch-security] [Anima] [6lo] Comments need… Hannes Tschofenig
- Re: [6tisch-security] [6lo] [Anima] Comments need… peter van der Stok
- Re: [6tisch-security] [6lo] [Anima] Comments need… Brian E Carpenter
- Re: [6tisch-security] [6lo] [Anima] Comments need… Behcet Sarikaya
- Re: [6tisch-security] [Anima] [6lo] Comments need… Kent Watsen
- Re: [6tisch-security] [Anima] [6lo] Comments need… Hannes Tschofenig
- Re: [6tisch-security] [Anima] [6lo] Comments need… Brian E Carpenter
- Re: [6tisch-security] [6lo] Comments needed for S… Hedanping (Ana)
- [6tisch-security] Device vs network bootstrapping… Brian E Carpenter
- Re: [6tisch-security] [6lo] [Anima] Comments need… Behcet Sarikaya
- [6tisch-security] Thread [Comments needed for Sec… Brian E Carpenter
- Re: [6tisch-security] [6lo] Device vs network boo… Hedanping (Ana)
- Re: [6tisch-security] [6lo] [Anima] Comments need… Hedanping (Ana)
- Re: [6tisch-security] [6lo] [Anima] Comments need… Paul Duffy
- Re: [6tisch-security] [6lo] Device vs network boo… Brian E Carpenter
- Re: [6tisch-security] [Anima] [6lo] Device vs net… Kent Watsen
- Re: [6tisch-security] [6lo] Device vs network boo… Kris Pister
- Re: [6tisch-security] [6lo] [Anima] Comments need… Thomas Watteyne
- Re: [6tisch-security] [6lo] Device vs network boo… Brian E Carpenter
- Re: [6tisch-security] [6lo] Thread [Comments need… Ralph Droms
- Re: [6tisch-security] [6lo] Thread [Comments need… Brian E Carpenter
- Re: [6tisch-security] [6lo] [Anima] Comments need… peter van der Stok
- Re: [6tisch-security] [Anima] Thread [Comments ne… Hannes Tschofenig
- Re: [6tisch-security] [6lo] [Anima] Thread [Comme… Ralph Droms
- Re: [6tisch-security] [Anima] Thread [Comments ne… Brian E Carpenter
- [6tisch-security] (Fair) competition in pursuing … Rene Struik
- Re: [6tisch-security] (Fair) competition in pursu… Brian E Carpenter
- Re: [6tisch-security] [Anima] (Fair) competition … Sheng Jiang
- Re: [6tisch-security] [Anima] Thread [Comments ne… Hannes Tschofenig
- Re: [6tisch-security] [Anima] (Fair) competition … Rene Struik
- Re: [6tisch-security] [Anima] (Fair) competition … Sheng Jiang
- Re: [6tisch-security] [Anima] (Fair) competition … Hannes Tschofenig
- Re: [6tisch-security] [Anima] (Fair) competition … Robert Cragie
- Re: [6tisch-security] [Anima] [6lo] Thread [Comme… Alper Yegin
- Re: [6tisch-security] [Anima] [6lo] Thread [Comme… Carsten Bormann
- Re: [6tisch-security] [6lo] [Anima] Thread [Comme… Oliver Hahm