IETF Logo Mail Archive

Re: [Anima] EXTERNAL: Re: [Iot-onboarding] OPC and BRSKI

Jack Visoky <jmvisoky@ra.rockwell.com> Fri, 09 August 2019 19:55 UTC

Return-Path: <jmvisoky@ra.rockwell.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B1022120180; Fri, 9 Aug 2019 12:55:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.001
X-Spam-Level:
X-Spam-Status: No, score=-2.001 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ra.rockwell.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 60Ue8mR7Y7_u; Fri, 9 Aug 2019 12:55:32 -0700 (PDT)
Received: from NAM02-BL2-obe.outbound.protection.outlook.com (mail-eopbgr750081.outbound.protection.outlook.com [40.107.75.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4722712018E; Fri, 9 Aug 2019 12:55:32 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Z4XM8rWhHHaXu3M8kGfF4Oafiz9S+fwT1MJsJQjRlTNP80g+tFwf5DaCz/FLHcz4CK0JYCHyBrSTi5JTBO7QC5xDirhH2OIaK8UJAWCR5PpTlwI9r/54ZBphi1vaFhymKSuBEzfE/gwXrQWnWmMescM84DXeuNsNG5n898Ww5xtT6GDCtd1nS3e8hlWPop4CS+msdGtP47b0/Ys5Stkzy1iUG9EAJXqsbbQw0YDflbkRCdq7JKPSnIdbacf3QQ6vzPfnWnYxsHjfC9/4K0apoJq+qeYth9U8c5Va9ivz9B8RfAhWlBNlP3L8ItLDFwfsw3aEGvVjC1iUoSRr/J26KQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jHEU8iPATovkVs5t1zAP59KNsiRdj+HcL6FUsEmRtaY=; b=ZHIJ+eWXZfqOSgQ1lKVSXFKUNTdgET2tXrEBG1H6UYkBVwkv+pHomSxzce6DHe07F4Wx8x80zwG8IiVL6vZvj12LLqQEIYSleW3yGyYPRrQEmNIIo9/YPe8FVOIcl4kAhFthq9kTd3cVZuFdvoRmxX3KsZYkdPLUHFe2cloaiuV7Ja9EyU5xmJI7Fo3ZEn8iTed59mibZKOz0KO2fs6vD+guiDmO5EWHoJ8sx0iZ4wCxVcmN8IHqtPs6WcbMV51zMCpxQrw0QkBRlG2xi48j1HqljXfOSwNINimWSvsVuLMch5EqLQAyzGrVxcKaX58ybe6UunEjW73yXt0QRa1w6g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ra.rockwell.com; dmarc=pass action=none header.from=ra.rockwell.com; dkim=pass header.d=ra.rockwell.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ra.rockwell.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=jHEU8iPATovkVs5t1zAP59KNsiRdj+HcL6FUsEmRtaY=; b=HK4+ghJYauN/UUjqq/7m/OmN5+KxK7i3awI5+AiFi83/RbVtcD+pMx6YbGeD/P3KQIAt7Y9XGMgJzmtBI5Vk+IspMu+Oqhdwo7W60+Yofyxps7s6svn7XS0HVw0l9lZM31Gr+UPRmiNIILlY9lLoTvh/1sPh91XJUMiVU9jeU9U=
Received: from DM5PR2201MB1340.namprd22.prod.outlook.com (10.172.46.145) by DM5PR2201MB1724.namprd22.prod.outlook.com (10.164.253.158) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2157.18; Fri, 9 Aug 2019 19:55:24 +0000
Received: from DM5PR2201MB1340.namprd22.prod.outlook.com ([fe80::ad07:c135:5d24:2d31]) by DM5PR2201MB1340.namprd22.prod.outlook.com ([fe80::ad07:c135:5d24:2d31%5]) with mapi id 15.20.2157.015; Fri, 9 Aug 2019 19:55:24 +0000
From: Jack Visoky <jmvisoky@ra.rockwell.com>
To: "Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org>, Michael Richardson <mcr+ietf@sandelman.ca>, "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>, "anima@ietf.org" <anima@ietf.org>
Thread-Topic: EXTERNAL: Re: [Anima] [Iot-onboarding] OPC and BRSKI
Thread-Index: AQHVTUS+OPIhCz2qG029dL1PCmEs9qbwawQAgAD7iACAABK3gIABwB5A
Date: Fri, 09 Aug 2019 19:55:24 +0000
Message-ID: <DM5PR2201MB1340BD83D6CF3F95E82518C299D60@DM5PR2201MB1340.namprd22.prod.outlook.com>
References: <BYAPR08MB4903F02A37ED9AE092A59B8EFAD50@BYAPR08MB4903.namprd08.prod.outlook.com> <649C8221-5F33-4EC2-8E03-3EEAF4CAAB64@cisco.com> <BYAPR08MB4903129ECDEADF61E681DE0BFAD50@BYAPR08MB4903.namprd08.prod.outlook.com> <46BF5F7B-5407-45A9-9C4F-EA553DF5814B@cisco.com> <11781.1565189957@localhost> <20190807172252.4sadxaiprm6hhmdy@faui48f.informatik.uni-erlangen.de> <BYAPR08MB490385B1BED4C665C79B1937FAD70@BYAPR08MB4903.namprd08.prod.outlook.com> <4671.1565279232@localhost> <BYAPR08MB49034F3B36F6979D59561FC3FAD70@BYAPR08MB4903.namprd08.prod.outlook.com>
In-Reply-To: <BYAPR08MB49034F3B36F6979D59561FC3FAD70@BYAPR08MB4903.namprd08.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=jmvisoky@ra.rockwell.com;
x-originating-ip: [205.175.250.244]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 7e41bbad-2f79-4f69-dbf4-08d71d0384bc
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(4618075)(2017052603328)(7193020); SRVR:DM5PR2201MB1724;
x-ms-traffictypediagnostic: DM5PR2201MB1724:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <DM5PR2201MB17249A86396CCC666F85BA7099D60@DM5PR2201MB1724.namprd22.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8273;
x-forefront-prvs: 01244308DF
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(376002)(346002)(39860400002)(396003)(366004)(53754006)(189003)(199004)(13464003)(966005)(229853002)(256004)(14454004)(14444005)(5024004)(99286004)(316002)(66476007)(66556008)(110136005)(66446008)(64756008)(2906002)(81166006)(81156014)(25786009)(6306002)(55016002)(9686003)(8676002)(478600001)(6436002)(74316002)(7736002)(8936002)(71200400001)(71190400001)(305945005)(3846002)(6116002)(6246003)(486006)(53936002)(33656002)(2501003)(186003)(76176011)(66946007)(86362001)(76116006)(7696005)(6506007)(53546011)(26005)(102836004)(446003)(5660300002)(66066001)(476003)(52536014)(11346002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR2201MB1724; H:DM5PR2201MB1340.namprd22.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: ra.rockwell.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: CyDrLUwbEm+k9c6jEMM14swikKTEgyFC0FFyFcFBWe/gcp+W0VcDSfdFeJgHUc1hevg/rO9UmLEtrZsNZGbraSL3hTtxgPljOArTwdv68XTLjhvB3XWsg0xkWnj4YPmjLAOTea0GeXlyju4bpcuEXiz8ZtvSEQUYJfMasCtWh8Dh+dUJO38wWFnyNq/SxVL3L496TI5bqhR5zY+blN7mRy/Tg6tbR9/TOmHZHpXIMoIuD7HdiP/p6DAqHJUVoNd++7zVFaYWMhOo/T3sF/SBTcZYO8iJdy/gAuZRdxPPSn5ZXb6NwnJlHPcdTLCr7f+KOwmrmihQJBAcHwRfbSXLQw+nHrw7uRCglgMCu5uk0ytKi3Cb3eTte+wcuaoiq0CzRjlI6QmcCmjqg/ezI3HwV7YDjpybS88ICZeR2aclCb0=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: ra.rockwell.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 7e41bbad-2f79-4f69-dbf4-08d71d0384bc
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Aug 2019 19:55:24.3172 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 855b093e-7340-45c7-9f0c-96150415893e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: y6dJt/5RQ4Hn8XKTsEO6NlYt3j9oMAekMOjWIf7FdQOevsRHeuEV9n6tjlYYSvaunqRtejFhLHTb5dKLdZ4I+11mse2ANaJ+oUJ8VocAyQI=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR2201MB1724
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/LdFXV_cuX9mW0DMuPcY8TAnh0Bg>
Subject: Re: [Anima] EXTERNAL: Re: [Iot-onboarding] OPC and BRSKI
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Aug 2019 19:55:49 -0000

Hi Everyone,

I am also involved with OPC-UA and would like to provide my/my company's perspective.  One of the major drivers of this engagement with the ANIMA group was a contentious point around whether or not TLS and EST are required for support of BRSKI.  Some of us had taken the position that these technologies are an integral part of BRSKI and shouldn't be replaced with OPC specific methods, especially given the benefit of using highly adopted security technologies, as well as the tight coupling of BRSKI to these.  So, I think the idea that OPC should just use these technologies is very much a viable answer.

Also, I would strongly push back on any claims that low end OPC devices cannot support TLS.  Other industrial protocols have already added TLS support and are shipping products, including those with TLS client functionality.  TLS is no more heavy-weight than existing, OPC-specific security mechanisms.

In any event I will be sure to join the call that has been set up for later in August.

Thanks and Best Regards,

--Jack Visoky


-----Original Message-----
From: Anima <anima-bounces@ietf.org> On Behalf Of Randy Armstrong (OPC)
Sent: Thursday, August 8, 2019 12:54 PM
To: Michael Richardson <mcr+ietf@sandelman.ca>; iot-onboarding@ietf.org; anima@ietf.org
Subject: EXTERNAL: Re: [Anima] [Iot-onboarding] OPC and BRSKI

[Use caution with links & attachments]



Hi Michael,

OPC UA uses SecurityProfiles to specify the exact algorithms. The based RSA profiles do not have PFS but the ECC profiles do.
We expect the ECC profiles (not released yet) to be most interesting to low end device makers.
https://opcfoundation.github.io/UA-TypeRepository/Core/docs/Part7/6.6.164/

It is not clear which tls-unique attribute you are interested in.
Do you need a unique identifier for the negotiated keys?
If so the SecureChannelId + TokenId would provide that.
https://opcfoundation.github.io/UA-TypeRepository/Core/docs/Part6/6.7.2/#Table43

Regards,

Randy


-----Original Message-----
From: Michael Richardson <mcr+ietf@sandelman.ca>
Sent: August 8, 2019 8:47 AM
To: Randy Armstrong (OPC) <randy.armstrong@opcfoundation.org>; iot-onboarding@ietf.org; anima@ietf.org
Subject: Re: [Iot-onboarding] OPC and BRSKI


Randy Armstrong (OPC) <randy.armstrong@opcfoundation.org> wrote:
    >> Thats what i referred to in my prior email: We would need to understand how to most easily duplicate the mutual authentication with certificates during TLS connection setup with OPC TCP UA messages.:

    > OPC UA CP requires mutual authentication with Certificates bound to the
    > application rather than the machine. It provides everything that you
    > get from TLS.

Based upon my reading of the diagram, it is not obvious that it provides PFS, but I don't think PFS is particularly important for BRSKI.  It seems to support client certificates and server certificates, and that's enough.
We need an equivalent to tls-unique in order to properly bind the EST channel to the UA CP SecureChannel, but that's all I think.

    > So when the Pledge Device connects to the Registrar or the Certificate
    > Manager using UA the Device proves it has possession of the Device
    > private key.

    > That said, the KeyPair used for communication does not need to be the
    > same as the KeyPair used to authenticate.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -= IPv6 IoT consulting =-



_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima

v2.23.0 | Report a Bug | By Email