Re: [dhcwg] DHCP and DHCPv6 options for LWM2M services

Srinivasa Rao Nalluri <srinivasa.rao.nalluri@ericsson.com> Fri, 13 January 2017 06:46 UTC

From: Srinivasa Rao Nalluri <srinivasa.rao.nalluri@ericsson.com>
To: Ted Lemon <mellon@fugue.com>
Thread-Topic: [dhcwg] DHCP and DHCPv6 options for LWM2M services
Thread-Index: AdJqRXTE4zv4sumCQiCdFGjUYw4CPAAPiYsAABwroFAAnNwysA==
Date: Fri, 13 Jan 2017 06:45:55 +0000
Message-ID: <HE1PR0701MB19142F6D9362309DFD0084B0DE780@HE1PR0701MB1914.eurprd07.prod.outlook.com>
References: <HE1PR0701MB191453938CCDD842F97014F3DE640@HE1PR0701MB1914.eurprd07.prod.outlook.com> <0827A698-2AF7-4D16-87BE-A86BC8E44C63@fugue.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dhcwg/GxGyRZMJxT5YuIxpfBVSGLVgAuo>
Cc: Amit Gupta X <amit.x.gupta@ericsson.com>, "dhcwg@ietf.org" <dhcwg@ietf.org>, Ari Keränen <ari.keranen@ericsson.com>, Jaime Jiménez <jaime.jimenez@ericsson.com>, Jan Melen <jan.melen@ericsson.com>
Subject: Re: [dhcwg] DHCP and DHCPv6 options for LWM2M services

Hi,

To add more on certificate validation...

The idea is to trust your DHCP server to give a valid certificate. Otherwise we have risk.
In the TLS/PKI framework there is no way to validate a root certificate. That remains the same with our proposal.

In TLS, root certificates are generally not exchanged using any protocol, so the risk is less.

Our proposal is a trade-off between flexibility and risk.

With regards
Srinivasa Rao Nalluri


From: Srinivasa Rao Nalluri
Sent: Tuesday, January 10, 2017 9:28 AM
To: 'Ted Lemon'
Cc: dhcwg@ietf.org; Ari Keränen; Jan Melen; Jaime Jiménez; Amit Gupta X
Subject: RE: [dhcwg] DHCP and DHCPv6 options for LWM2M services

Hello Ted Lemon,

If I understand correctly, you are asking how the certificate supplied through the DHCP option is validated.

The certificate supplied through the DHCP option is not validated, but it can be used to validate the certificate offered by the LWM2M server during the LWM2M bootstrapping phase.

Instead of the manufacturer hardcoding the root certificate in the device, we are proposing to obtain the same through a DHCP option.

In case I misunderstood your question, please elaborate on it.

With Regards
Srinivas

From: Ted Lemon [mailto:mellon@fugue.com]
Sent: Monday, January 09, 2017 7:51 PM
To: Srinivasa Rao Nalluri
Cc: dhcwg@ietf.org; Ari Keränen; Jan Melen; Jaime Jiménez; Amit Gupta X
Subject: Re: [dhcwg] DHCP and DHCPv6 options for LWM2M services

How would this be validated?

On Jan 9, 2017, at 2:00 AM, Srinivasa Rao Nalluri <srinivasa.rao.nalluri@ericsson.com> wrote:

Hi,

Considering the growing popularity of the Internet of Things and relevant protocols like LWM2M/CoAP/MQTT, we at Ericsson see a need for new DHCP options to make LWM2M service deployment easy and flexible.

The Lightweight Machine to Machine (LWM2M) protocol is used to manage the end-device life cycle in machine-to-machine communication scenarios.
LWM2M device bootstrap is an optional life-cycle phase in which devices get the information they need when starting up for the first time. Information gathered during bootstrapping might include management server details and security certificates required to establish connectivity with the management server. Information required to connect with the bootstrap server might be hard coded during the device manufacturing phase.

Hard coding configuration by the device manufacturer forces the device operator to use the same configuration as hard coded. It is possible that the hard-coded reachability information of the bootstrap server is outdated and bootstrap server reachability fails during first use of the device. In such cases connectivity with the bootstrap server is possible only through a device software upgrade.

So, we see a need to introduce two options to support the LWM2M server URL and the LWM2M server certificate that validates the public key provided by the LWM2M server. Thus bootstrap-related information can be gathered by the LWM2M client during the DHCP/DHCPv6 negotiation phase. The draft available at the link below describes the details.

https://www.ietf.org/internet-drafts/draft-nalluri-dhc-dhcpv6-lwm2m-bootstrap-options-01.txt

This draft considers options for both DHCP and DHCPv6.

I would like this draft to be considered by the DHC working group as a work item. Please contact me for any further details.


With Regards
Srinivasa Rao Nalluri
Ericsson
India
_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www.ietf.org/mailman/listinfo/dhcwg
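The exchange above turns on one point: the root delivered in the DHCP option is not itself validated, so the LWM2M server check at bootstrap is only as trustworthy as the DHCP server that handed over the anchor. The Go program below is an added illustration of that point; it is not code from the draft, from Ericsson, or from any DHCP or LWM2M implementation. It constructs two roots in memory, a "manufacturer" root and a second root that arrives via the DHCP option, issues a bootstrap server certificate under the second root, and shows that the very same server certificate fails against the built-in anchor and passes against the DHCP-delivered one. The `acceptDHCPAnchor` fingerprint pin is a hypothetical mitigation assumed here for the demonstration, not something the draft proposes; the host name and certificate subject names are constructed placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// makeCert generates a P-256 key and a certificate from tmpl. With parent == nil
// the certificate is self-signed (a root); otherwise it is signed by parentKey.
// Every certificate here is constructed for the demonstration; none is a real anchor.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

func caTemplate(name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
}

func serverTemplate(host string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// validateServer is the check the LWM2M client performs at bootstrap: the server
// certificate must chain to the given anchor and carry the expected host name.
func validateServer(server, anchor *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// fingerprint returns the SHA-256 of the DER-encoded certificate as lowercase hex.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// acceptDHCPAnchor is a hypothetical mitigation (assumed here, not in the draft):
// the manufacturer provisions only fingerprints of acceptable roots, and a root
// delivered over DHCP becomes a trust anchor only if it matches one of them.
func acceptDHCPAnchor(supplied *x509.Certificate, pinned []string) bool {
	fp := fingerprint(supplied)
	for _, p := range pinned {
		if p == fp {
			return true
		}
	}
	return false
}

// Outcome records what the client concludes under each trust policy.
type Outcome struct {
	ValidWithManufacturerRoot bool // server cert checked against the built-in root
	ValidWithDHCPRoot         bool // server cert checked against the DHCP-delivered root
	DHCPRootPinned            bool // DHCP-delivered root matches a provisioned pin
	GenuineRootPinned         bool // the manufacturer root passes the same pin check
}

// Scenario models a network whose DHCP server hands out a root the manufacturer
// never issued, with the bootstrap server certificate chained to that root.
func Scenario() (Outcome, error) {
	var o Outcome
	mfrRoot, _, err := makeCert(caTemplate("Manufacturer Root (constructed)"), nil, nil)
	if err != nil {
		return o, err
	}
	dhcpRoot, dhcpKey, err := makeCert(caTemplate("Root delivered via DHCP option (constructed)"), nil, nil)
	if err != nil {
		return o, err
	}
	const host = "lwm2m-bootstrap.example.net" // placeholder host name
	server, _, err := makeCert(serverTemplate(host), dhcpRoot, dhcpKey)
	if err != nil {
		return o, err
	}
	pins := []string{fingerprint(mfrRoot)} // what the manufacturer would provision
	o.ValidWithManufacturerRoot = validateServer(server, mfrRoot, host) == nil
	o.ValidWithDHCPRoot = validateServer(server, dhcpRoot, host) == nil
	o.DHCPRootPinned = acceptDHCPAnchor(dhcpRoot, pins)
	o.GenuineRootPinned = acceptDHCPAnchor(mfrRoot, pins)
	return o, nil
}

func main() {
	o, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", o)
}
```

Running it prints `ValidWithManufacturerRoot:false ValidWithDHCPRoot:true DHCPRootPinned:false GenuineRootPinned:true`: chain validation itself works exactly as expected in both cases, so the security of the scheme rests entirely on where the anchor came from. Whatever a deployment decides about the trade-off, the client should at least log which anchor it used and treat a DHCP-delivered root that matches no provisioned pin as a policy decision rather than a silent default.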