Re: [Ace] draft-schmitt-two-way-authentication-for-iot-02
Likepeng <likepeng@huawei.com> Mon, 07 July 2014 03:52 UTC
Return-Path: <likepeng@huawei.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91F011A0AE2 for <ace@ietfa.amsl.com>; Sun, 6 Jul 2014 20:52:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.851
X-Spam-Level:
X-Spam-Status: No, score=-4.851 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.651, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vtm5VDW2rzTw for <ace@ietfa.amsl.com>; Sun, 6 Jul 2014 20:52:33 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FEDD1A0AE1 for <ace@ietf.org>; Sun, 6 Jul 2014 20:52:32 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml405-hub.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BGV91587; Mon, 07 Jul 2014 03:52:30 +0000 (GMT)
Received: from SZXEMA402-HUB.china.huawei.com (10.82.72.34) by lhreml405-hub.china.huawei.com (10.201.5.242) with Microsoft SMTP Server (TLS) id 14.3.158.1; Mon, 7 Jul 2014 04:52:27 +0100
Received: from SZXEMA501-MBS.china.huawei.com ([169.254.2.128]) by SZXEMA402-HUB.china.huawei.com ([10.82.72.34]) with mapi id 14.03.0158.001; Mon, 7 Jul 2014 11:52:22 +0800
From: Likepeng <likepeng@huawei.com>
To: Corinna Schmitt <schmitt@ifi.uzh.ch>, "ace@ietf.org" <ace@ietf.org>, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>
Thread-Topic: [Ace] draft-schmitt-two-way-authentication-for-iot-02
Thread-Index: AQHPlD3fAWxhjPHxj0q+0bPwAUrxB5uT+BAA
Date: Mon, 07 Jul 2014 03:52:22 +0000
Message-ID: <34966E97BE8AD64EAE9D3D6E4DEE36F25817518D@SZXEMA501-MBS.china.huawei.com>
References: <53086642.5050609@gmx.net> <53134E58.20608@ifi.uzh.ch> <531F6177.5040704@gmx.net> <53B1209C.5020200@ifi.uzh.ch>
In-Reply-To: <53B1209C.5020200@ifi.uzh.ch>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.66.167.122]
Content-Type: multipart/related; boundary="_004_34966E97BE8AD64EAE9D3D6E4DEE36F25817518DSZXEMA501MBSchi_"; type="multipart/alternative"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: http://mailarchive.ietf.org/arch/msg/ace/dPVRbLUmYn5UL-ETSBUFUefdMmI
Cc: Burkhard Stiller <stiller@ifi.uzh.ch>
Subject: Re: [Ace] draft-schmitt-two-way-authentication-for-iot-02
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Jul 2014 03:52:37 -0000
Hi Corinna, Please find my personal feedback to your draft: Section 2, Terminology: Currently, our charter and most of the other submitted drafts use “Client”, “Resource Server”, “Authorization Server”. To keep consistency, it is better to use these terminologies to replace “Publisher”, “Subscriber” and “Access Control Server”. Section 3, High Level Design Requirements: the objective of this section is quite similar to the “design considerations” draft. It is better to consolidate this section with the draft. http://datatracker.ietf.org/doc/draft-seitz-ace-design-considerations/ Section 4, It seems that that most of the design considerations (e.g. assumed network stack, handshake message flows) will also be applied for Class 1 devices. It is better to indicate the common design considerations first, then highlight what more we can achieve by Class 2 devices. Section 5.1, 5.2 and 6, Use cases and Requirements: Maybe it is better to consolidate these sections with the “Use cases and requirements” draft: http://datatracker.ietf.org/doc/draft-seitz-ace-usecases/ Section 5.3, Data Access Procedures: it seems that interactions between Gateway and Publisher are out of scope? Because from the flows, the Gateway is not involved in the data access flow any more. Also about the last two steps “Two-way authentication handshake between Subscriber and Publisher” and “Data exchange using DTLS secured channel”, in these two steps, is “Access Control Server” involved in the data access flow? Section 10, Formal Syntax: It is better to put this section as a sub-section of Section 2, to let readers better understand the meaning of the abbreviations. Thanks, Kind Regards Kepeng (Individual) 发件人: Ace [mailto:ace-bounces@ietf.org] 代表 Corinna Schmitt 发送时间: 2014年6月30日 16:32 收件人: ace@ietf.org; Hannes Tschofenig 抄送: Burkhard Stiller 主题: Re: [Ace] draft-schmitt-two-way-authentication-for-iot-02 Dear Hannes, based on the discussions of the pre-meeting in Stockholm we updated our draft and generalized it. Our old draft "draft-schmitt-two-way-authentication-for-iot" is now replaced by "draft-schmitt-ace-twowayauth-for-iot". The mentioned projects are only examples where we have the work integrated and where it runs already successful. So we believe the draft fits into ACE and also maps the requirements outlined in https://tools.ietf.org/html/draft-seitz-ace-usecases-00. See you in Toronto at IETF 90, Corinna Am 11.03.14 20:18, schrieb Hannes Tschofenig: Hi Corinna, thanks for the response. My suggestion would be to produce a write-up that is of generic use (independent from your specific implementation and your EU funded project). However, given the charter discussions and the BOF I have my doubts whether the work would meet many of the requirements outlined in https://tools.ietf.org/html/draft-seitz-ace-usecases-00. Ciao Hannes On 03/02/2014 04:29 PM, Dr. Corinna Schmitt wrote: Dear Hannes, Hi Corinna, Hi Burkhard, thanks for your document. I have read through it and I ran into a few questions. Your response would help me to better understand the proposed idea. Thanks for reading the draft and make comments to it to improve it. Some comments can be answered right away. 1) Why do you assume IEEE 802.15.4? Currently it seems that the 15.4 radio will mostly be used in specialized industry segments only. Is there anything in the document that would make the idea less suitable for other radio technologies, for example BTLE? Potentially the proposed solution can work on every stack you like. So you can do an implementation independently of IEEE 802.15.4. We put IEEE 802.15.4 there, because our used stack (BLIP) uses it. 2) The assumed network stack does not show 6lowpan. Was this intentional? Same as above. You can use the stack you want. So also 6lowpan can be used. It depends n you what you require and what you want to support. 3) You show RPL in the stack and I was wondering whether you assume it being mandatory to implement for your assumed architecture? It does not seem to show up elsewhere in the document. It appears to be irrelevant for your design. RPL was just mentioned due to our other publications. Currently our plan is to change to RPL (CoAP) in the future. 4) Subscriber identity: You write -- " The identity of a default subscriber is usually preconfigured on a publisher before it is deployed. " Could you explain more what you assume is pre-configured and where it is preconfigured? Here pre-configures means that our devices are equipped with the certification during compiling and programming them before deployment. This is due to the application scenario we support at the moment. Before deploying the device you have to run to steps: First creation of certificate, and second compiling code and play it on the device. I would also suggest to avoid the term subscriber since it has two other meanings that might confuse: a) The term subscriber is often used in context of telecommunication as the user who has a contract with a telecommunication operator. b) The second use is in context of protocols that use asynchronous communication (like XMPP). I believe your notion of subscriber does not relate to those two existing uses. I guess you are more using the term subscriber to refer to a device that wants some data from a sensor. Is this correct? Thanks for the hint. Yes you are right. The subscriber should be a device that wants data from the sensor. Usually this is one outside of the WSN. Do you have a suggestion for new name? 5) Roles in your architecture. It seems that you assume that the IoT devices are publishers and that there are subscribers who talk to these publishers. In some other cases I have seen architectures where the IoT devices (sensors) upload the data to some servers without having to act as servers themselves. In your architecture it feels like the sensor nodes implement the server-side functionality That was not our intention. Our network has push characteristics up to the server. Data publishing runs over server, because it has more resources and, therefore, can handle requests better. It is the gate to the world. Pull is only performed if you require data (measurements) at a time that is not pre-defined. In Section 4.2.2 you write that you recommend an OpenSSL implementation on the server side but the server-side would be the IoT device. While it would be inappropriate to recommend a specific implementation in an IETF draft/RFC it also raises the questions about the expectations on the server-side. Thanks for the hint. We use OpenSSL on the server but not within the WSN. OpenSSL is used especially for managing rights, requests, and certificates. 6. Certificate content In Section 4.2.2 you describe the content of a certificate and you indicate that the commonName is set to "localhost". It seems to be useless to include this in the certificate since a CA would not be able to verify this identity information nor would any party verifying it be able to use it in a meaningful way. Localhost in our case is a special IP address (here: sink). You are right, we should rename it and make clear that it is an IP address. So you can set is like you want. It also seems to be in violation of what you write in Section 5.2 where you state that "every publisher in the network MUST have an unique identity.". You also indicated more complete information for inclusion in the certificate but it is not clear to me what purpose it serves. Could you explain? Will do it asap. 7. Privacy In Section 5 you indicate some privacy related aspects and you hint to " access regulations based on legal and regulative implications". Could you briefly explain what those requirements are? This part we put in due to the deployment and project relations we are running at the moment. Here it means that not every device can be able to access the data, for example, due to legal issues in the region (EU, CH, US rights). This has to be stored central in the network and it has to be checked before giving access and creating the corresponding access ticket. Here we refer to the following publications: Radhika Garg, Corinna Schmitt, Burkhard Stiller: /Investigating Regulative Implications for User-generated Content and a Design Proposal/; Degruyter, PIK-Praxis der Informationsverarbeitung und Kommunikation, Vol. 36, No. 4, December 2013, ISSN 0930-5157, pp 1–11. doi:10.1515/pik-2013-0042 <http://dx.doi.org/10.1515/pik-2013-0042><http://dx.doi.org/10.1515/pik-2013-0042> URL: http://www.degruyter.com/view/j/piko.ahead-of-print/pik-2013-0042/pik-2013-0042.xml Radhika Garg, Christos Tsiaras, Burkhard Stiller, Corinna Schmitt, Daniel Dönni: /Deliverable D7.1 - Basics, Requirements, Scenarios, and Architecture: In FLAMINGO/; Radhika Garg (Edt.), Zürich, Switzerland, October 2013 8. Use Cases. I suggest to omit the use cases from the document since the description is too brief to be useful. A small remark: From my work in the emergency services environment I had gotten the impression that there are no plans to take sensor input directly when initiating alerts. In fact, sensor alerts do rarely even get directly to the emergency services authorities but are rather pre-processed by an intermediate organization (by humans). Maybe you have spoken with other people, who have different plans. Where did you got your information from? This section is based on discussion with our project partners within SmartenIT (www.smartenit.eu<http://www.smartenit.eu>) and Flamingo ( http://www.fp7-flamingo.eu). <http://www.fp7-flamingo.eu><http://www.fp7-flamingo.eu> 9. Architecture Figure 3 shows the architecture but it is a bit confusing since it is not clear what the boxes and the lines mean. The publisher is a box separate from the sensors and from the earlier description I thought that the sensors are actually the publishers. Furthermore, the gateway was not discussed as a role up to that point in the document. The gateway shows up in Section 5.3 and its role confuses me. You write: " A sensor node has published its data, which is transmitted in direction to the global sink (cf. Figure 3 where global sink is located in the gateway component). " Does the sensor publish the data at the gateway? From the earlier sections I thought that the subscriber talks to the publisher instead. Is the gateway the subscriber? Why doesn't the sensor uploads the data to some server instead (which is frequently done in today's IoT deployments). Lots of comments. I will address and clarify them asap. Furthermore, I will add a legend to the Figure and perhaps modify it based on you aforementioned comments. Why do you call the entire document "two-way authentication" when the the two way authentication is just one small part of the overall authentication procedure. In fact the two-way authentication is used between the subscriber and the access control server (as shown in Figure 4), and between the publisher and the gateway. Furthermore, there has to be some authentication between the subscriber and the publisher as well (at least I hope so). What is the purpose of the access ticket? It shows up in Section 5.3 and I wonder why there is a need for an access ticket when the two parties (subscriber and publisher) already have a certificate. Why cannot you use the certificate for authentication with the publisher right away? Where do you see the access control server being deployed? Is this an entity in the local network or something you would have on the Internet? Why does the publisher have to authenticate to the gateway? From Figure 4 it is not clear whether the gateway is just an optional component or an integral part of the architecture. The document does not explain what the access token is and how it is exchanged between the subscriber and the publisher. Btw, the term CA standards for Certification Authority rather than Certificate Authority. Will be addressed soon. 10. Hardware requirements. Hardware requirements typically are not appropriate for IETF documents. While you make the argument that an RSA-based public key cryptosystem is good enough from a performance point of view the currently mandatory ciphersuites used in CoAP are based on ECC (for those that rely on asymmetric crypto). While having hardware support for key storage is a great idea I was wondering how much your architecture actually relies on it. My impression that it would work fine just without a TPM chip. But you might have more hardware experience than I have. Could you point me to some hardware that you have in mind using? We put this section for completeness and to show that an implementation exists. Concerning sensor nodes and TPM we are using OPAL from CSIRO. Trusting Computing becomes relevant nowadays when thinking about securing data. Drawback is that if the TPM chip is broken or you change something during booting everything is lost. Advantage is that the storage root key is stored safely and only derivates are used for your applications. Hope to answer most important questions or comments now. Others will be addressed soon. You can also talk to me during IETF in London. Regards, Corinna _______________________________________________ Ace mailing list Ace@ietf.org<mailto:Ace@ietf.org> https://www.ietf.org/mailman/listinfo/ace _______________________________________________ Ace mailing list Ace@ietf.org<mailto:Ace@ietf.org> https://www.ietf.org/mailman/listinfo/ace -- [cid:image001.png@01CF99D4.176EFD60]
- [Ace] draft-schmitt-two-way-authentication-for-io… Hannes Tschofenig
- Re: [Ace] draft-schmitt-two-way-authentication-fo… Dr. Corinna Schmitt
- Re: [Ace] draft-schmitt-two-way-authentication-fo… Hannes Tschofenig
- Re: [Ace] draft-schmitt-two-way-authentication-fo… Corinna Schmitt
- Re: [Ace] draft-schmitt-two-way-authentication-fo… Likepeng
- Re: [Ace] draft-schmitt-two-way-authentication-fo… Dr. Corinna Schmitt