IETF Logo Mail Archive

Re: [Anima] [6tisch-security] [6lo] Comments needed for Security Bootstrapping of IEEE 802.15.4 based Internet of Things

Tero Kivinen <kivinen@iki.fi> Tue, 03 February 2015 11:59 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7AB8A1A00F9; Tue, 3 Feb 2015 03:59:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.131
X-Spam-Level:
X-Spam-Status: No, score=-3.131 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, GB_I_LETTER=-2, SPF_NEUTRAL=0.779, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2hnmQlKun9c6; Tue, 3 Feb 2015 03:59:45 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D7BC1A8987; Tue, 3 Feb 2015 03:59:44 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.8) with ESMTP id t13BwSLI009787 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 3 Feb 2015 13:58:28 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.8/Submit) id t13BwRf0006160; Tue, 3 Feb 2015 13:58:27 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21712.47075.522836.495543@fireball.kivinen.iki.fi>
Date: Tue, 03 Feb 2015 13:58:27 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: "Hedanping (Ana)" <ana.hedanping@huawei.com>
In-Reply-To: <77FA386512F0D748BC7C02C36EB1106D92CC62@szxeml557-mbs.china.huawei.com>
References: <77FA386512F0D748BC7C02C36EB1106D921776@szxeml557-mbs.china.huawei.com> <6426.1422664463@sandelman.ca> <77FA386512F0D748BC7C02C36EB1106D92CC62@szxeml557-mbs.china.huawei.com>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 9 min
X-Total-Time: 9 min
Archived-At: <http://mailarchive.ietf.org/arch/msg/anima/rxGWh-e2tiy3tiw2h6tsLkCCIAY>
X-Mailman-Approved-At: Tue, 03 Feb 2015 15:49:37 -0800
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, "anima@ietf.org" <anima@ietf.org>, "6tisch-security@ietf.org" <6tisch-security@ietf.org>, "6lo@ietf.org" <6lo@ietf.org>
Subject: Re: [Anima] [6tisch-security] [6lo] Comments needed for Security Bootstrapping of IEEE 802.15.4 based Internet of Things
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Feb 2015 11:59:47 -0000

Hedanping (Ana) writes:
> 	>    Because IEEE 802.15.4 maximum payload size is 128 Bytes,
> 	>    a standard security bootstrapping protocol should be
> 	>    light-weight with low complexity. The protocol must allow
> 	>    for commissioning of devices I was surprised that the
> 	>    draft then suggested EAP with PANA as a transport: If EAP
> 	>    is used, PANA can be used to relay the authentication
> 	>    message from configured FFDs to 6LBR. If the validation
> 	>    is successful, the IP address and network key are
> 	>    generated and delivered to the FFD. But, EAP-TLS with
> 	>    PANA is exactly what the Zigbee IP specification has
> 	>    specified. Do you envision any changes from that
> 	>    specification?
> 
> Zigbee IP specification was developed to enable IP address for
> Zigbee application, thus the protocol stack are built on IETF's
> standards, including EAP-TLS.  
> As discussed in many working groups, TLS might result in a
> significant amount of retransmissions due to unreliable
> communication capability of the network and device, thus energy will
> be consumed fast. 
> I think EAP over DTLS /profiled DTLS could be a good option.

There is work going on in the IEEE 802.15.9 task group which specifies
the key management for 802.15.4, or more specifically it will specify
a way to transport existing key management protocols over the
802.15.4 frames. This would allow running for example IKEv2 + EAP over
the 802.15.4 and generate keys for 802.15.4 security and then protect
all messages between the two nodes.

In normal case this would be run even before the IEEE 802.15.4
assocation is done, i.e. immediately after the beacon before doing the
association, and would allow protecting the association process too.

For this uses the IKEv2 + EAP would be most likely quite good, i.e.
the IKEv2 frames would be exchange between the peer joining the
network and its next hop router, and inside those IKEv2 frames there
would be EAP messages, which are then relayed to the AAA server (trust
center TC in draft-he-iot-security-bootstrapping-00) for actual
authentication.

The 802.15.9 is now in letter ballot phase in IEEE, meaning we should
be finished quite soon. One issue there is that, during the 802.15.9
work we noticed some issues with 802.15.4 base specifciation which
have been worked on in the 802.15.4 maintenance revision process, and
we need to wait for it to finish before 802.15.9 can finish...

Most likely both of those will finish before the end of year.
-- 
kivinen@iki.fi

v2.23.0 | Report a Bug | By Email