[Dtls-iot] Current dtls-iot charter text - discuss...
Stephen Farrell <stephen.farrell@cs.tcd.ie> Mon, 03 June 2013 21:30 UTC
Return-Path: <stephen.farrell@cs.tcd.ie>
X-Original-To: dtls-iot@ietfa.amsl.com
Delivered-To: dtls-iot@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AAD5111E80FC for <dtls-iot@ietfa.amsl.com>; Mon, 3 Jun 2013 14:30:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.669
X-Spam-Level:
X-Spam-Status: No, score=-101.669 tagged_above=-999 required=5 tests=[AWL=-0.930, BAYES_20=-0.74, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gJf881P9P2Gt for <dtls-iot@ietfa.amsl.com>; Mon, 3 Jun 2013 14:29:57 -0700 (PDT)
Received: from mercury.scss.tcd.ie (mercury.scss.tcd.ie [134.226.56.6]) by ietfa.amsl.com (Postfix) with ESMTP id 6E38921E809F for <dtls-iot@ietf.org>; Mon, 3 Jun 2013 14:23:49 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mercury.scss.tcd.ie (Postfix) with ESMTP id 7CCB5BE54 for <dtls-iot@ietf.org>; Mon, 3 Jun 2013 22:23:27 +0100 (IST)
X-Virus-Scanned: Debian amavisd-new at scss.tcd.ie
Received: from mercury.scss.tcd.ie ([127.0.0.1]) by localhost (mercury.scss.tcd.ie [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 50DmJR9-YEaU for <dtls-iot@ietf.org>; Mon, 3 Jun 2013 22:23:22 +0100 (IST)
Received: from [10.87.48.12] (unknown [86.41.53.2]) by mercury.scss.tcd.ie (Postfix) with ESMTPSA id 0AB74BE39 for <dtls-iot@ietf.org>; Mon, 3 Jun 2013 22:23:22 +0100 (IST)
Message-ID: <51AD0949.50806@cs.tcd.ie>
Date: Mon, 03 Jun 2013 22:23:21 +0100
From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130510 Thunderbird/17.0.6
MIME-Version: 1.0
To: dtls-iot@ietf.org
X-Enigmail-Version: 1.5.1
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: 8bit
Subject: [Dtls-iot] Current dtls-iot charter text - discuss...
X-BeenThere: dtls-iot@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DTLS for IoT discussion list <dtls-iot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dtls-iot>
List-Post: <mailto:dtls-iot@ietf.org>
List-Help: <mailto:dtls-iot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jun 2013 21:30:12 -0000
Hi all, The text below is from [1]. Is it perfect? What'd you change? Please discuss this on the list between now and the proposed Berlin meeting. Some I-Ds on relevant topics being published before June 20 would also be useful in deciding whether or not to approve the BoF slot, but so is charter discussion. Thanks, Stephen. [1] https://docs.google.com/document/d/1Gw00WXRgjJJQJMv9seVpuXuLtIDYKhHE-7pX4eDo3g8/edit?pli=1# DTLS for IoT Group The purpose of this document is to organize interest in a group to standardize a set of optimizations to DTLS for use with constrained devices and networks. Possible goals for this activity could be: A minimal configuration profile of DTLS for IoT Multicast record layer support for DTLS Implementation and deployment guidance (-> LWIG) Optimization of the DTLS handshake and record layer (-> TLS WG after profiling) Use of DTLS for security bootstrapping and key management (-> own activity) Action Points Write a draft of DTLS implementation and deployment guidance to LWIG. [Hannes, Sandeep] Write a straw-man draft (maybe updating the current one) on multicast record-layer support for DTLS [Sye Loong] Write a straw-man draft on the TLS over CoAP handshake and profiling [Sye Loong] Submit the BOF request for Berlin [Sye Loong, Zach] Mailing List https://www.ietf.org/mailman/listinfo/dtls-iot Existing work http://www.ietf.org/id/draft-hartke-core-codtls-02.txt http://www.ietf.org/id/draft-tschofenig-lwig-tls-minimal-02.txt http://www.ietf.org/id/draft-keoh-lwig-dtls-iot-01.txt http://www.ietf.org/id/draft-keoh-tls-multicast-security-00.txt http://www.ietf.org/id/draft-ietf-tls-oob-pubkey-07.txt http://www.ietf.org/id/draft-jennings-core-transitive-trust-enrollment-01.txt Draft Charter – DTLS for the Internet of Things (DIoT?) There is an increased use of wireless control networks in city infrastructure, environmental monitoring, industrial automation, and building management systems. These wireless control networks comprise many electronic devices, sensors and actuators that are connected to each other, and in most cases Internet connected, thus creating a trend towards Internet of Things (IoT). The CoRE working group has defined a framework for resource-oriented applications intended to run on Constrained Node Networks (CNN) (see I-D-ietf-lwig-terminology). A CNN connects devices which are constrained by power, limited amount of code size and memory in a network with severe limits on throughput. The Constrained Application Protocol (CoAP) can be used to manipulate resources on a device in a CNN. Group communication is an important feature in CNNs as it can be effectively used to convey messages to a group of devices without requiring the sender to perform multiple time- and energy-consuming unicast transmissions, one for each group member. For example, in a building control management system, Heating, Ventilation and Air-Conditioning (HVAC) and lighting devices can be grouped according to the layout of the building, and control commands can be issued to a group of devices. Unsecured group communication for CNNs is enabled by using CoAP on top of IP-multicast. However, it must be secured as it is vulnerable to the usual attacks (eavesdropping, tampering, message forgery, replay, etc). Datagram Transport Layer Security (DTLS) has been chosen by CoRE to protect CoAP unicast communications, and it would be beneficial if the same security protocol, i.e., DTLS can be used to protect CoAP group communication as well. The current design of DTLS leads to fragmentation of DTLS handshake messages over the wireless link, in particular when Raw Public-key and Certificate modes are used. From the various implementation experiences reported in the LWIG working group, the complexity of re-transmission and re-ordering of DTLS handshake messages in CNNs has resulted in a significantly increased code size and RAM. Additional reliability mechanisms for transporting DTLS handshake messages are required as they will ensure that handling of re-ordered messages needs to be done in a single place in the stack only. This WG combines expertise from both the IETF Application and Security areas in order to work out the appropriate security solutions for the Internet of Things. The scope of this WG is to define the following: Document the problems with the DTLS handshake for IoT, and define a suitable profile of DTLS for an IoT architecture and use case that minimizes the complexity and overhead of DTLS for constrained devices. The use of DTLS Record Layer in combination with the (derived) multicast key to protect the CoAP group communication without source authentication. The DTLS Record Layer should not be modified/altered. Goals and Milestones Oct 2013 WG document for DTLS for IoT profile Nov 2013 WG document for secure multicast group communication in CNNs Feb 2014 DTLS for IoT profile specification submitted to the IESG Mar 2014 Secure Multicast group communication specification submitted to the IESG Initial brainstorming A minimal configuration profile of DTLS [Klaus: Implementations in a deployment need to agree on cipher suite, etc. for interop. Maybe it’s possible to define minimal profiles for a number of typical scenarios?] [Sandeep: when selecting the minimal profiles for different typical scenarios it would be nice to select a common underlying cipher (like AES) to reduce implementation costs, so using AES-CMAC for authentication and AES-CCM for additional confidentiality Zach: Common Ciphers are already defined in the CoAP specification. ] What defines a “profile”? Maybe what we really need from a profile is to explain the (D)TLS features actually needed for a set of IoT applications that we commonly come across. The purpose of this profile would be to limit the number of options and flexibility in especially the (D)TLS handshake. What are the features actually needed for use with CoAP? Applicability Communication model Threat model Security requirements Class of devices ... Cipher suites Extensions Signature Algorithms Server Name Indication Maximum Fragment Length Supported Elliptic Curves Supported Point Formats Application Layer Protocol Heartbeat Cached Info Session Resumption ... Timer values ... [Note RS: it would be good to define technical requirements first here. -security services (authenticated key agreement, authenticated key transport, entity authentication, secured data transport (unicast, multicast, broadcast; source authentication, etc.), replay protection, timeliness, etc. Authorization (identity-based, role based), privacy, etc. -communication services: in-order delivery, fragmentation/defragmentation support, etc. -support for initial provisioning, configuration -scalability, adaptability towards change of role/trust models, device replacement, merging and partitioning of networks, flexible authorization policy management, etc. - how to deal with typical network aspects, including sleepy nodes, crappy links, no online availability trusted third party -how to make sure human involvement is virtually absent -support for existing/legacy implementation pieces (e.g., AES in hardware; RNG, etc., device id) -support for memory-starved devices, with harldy any buffering capability, etc. Zach: Well, we have already been through the main requirements when we chose DTLS as the solution for CoAP in general. Much of this is also captured in the main CoAP ID. However for the purpose of optimizing DTLS, I agree we should capture the security requirements in relation to what we want to achieve. The goal here however is NOT to reconsider CoAP’s choice of security protocol, model, cipher suites etc. The goal here is to make the choice we already made more efficient, and to support multicast. ] Implementation and deployment guidance Recommendations on handshake fragmentation to minimize retransmissions timer values to avoid spurious retransmissions when to perform handshake (on device startup, on demand, ...) when to close connections (when idle, …) DTLS version negotiation epochs >= 2 session resumption Dealing with resource exhaustion (eviction strategy for connections, ...) Implementation techniques for implementing CoAP over DTLS ... [Zach: This should be done in LWIG. Someone could already start writing this document up there?] Optimization of the DTLS handshake and record layer DTLS is written as a diff to TLS. The diff changes the transport to an unreliable datagram-based transport, adds reliability to the handshake layer and makes a few modifications to the record layer to cater for message reordering, etc. DTLS was clearly not designed with constrained devices and lossy networks in mind. It should be possible to investigate alternate reliability mechanisms and message formats that are more suitable for constrained environments but do not touch TLS itself. This means basically reinventing the “D” in “DTLS”, to a greater or smaller extent. Ideas floating around: Transport the handshake messages in CoAP requests and responses, using draft-ietf-core-block to transport messages that do not fit in a single datagram. Transport the DTLS records in CoAP messages. For experimentation, I have added a tiny (5 bits) fragmentation indication to the CoAP messaging layer. The result can be used to transport the DTLS messages of a handshake flight in the same simple lock-step fashion as we already do in CoAP, instead of transmitting all messages at once and retransmitting all fragment when a single fragment is lost. Retransmit all fragments when a single fragment is lost and focus on reducing the number of fragments to be sent. Retransmitting all fragments actually performs better(!) than sending one acknowledgement per fragment in lossy environments in terms of transmission count. [Note RS: it is not a priori clear that DTLS fits the bill here: first discuss requirements, instead of reverse engineering those from dreamt up solution that may be incomplete at best (I am not saying it is, but it could Zach: This group is not about re-thinking security from scratch. We already chose (D)TLS as our security binding for CoAP. Based on experience using it so far, there is some obvious optimization that can be done, as well as an important feature missing. ] Multicast record layer support for DTLS The current DTLS record layer header can be used to support/protect a single sender-multiple receivers group communication scenario. The sequence number field in the record layer header is probably sufficient to detect replay attacks. This is based on the assumption that authorized devices in a multicast group are trusted to behave correctly. The question then is whether this assumption is reasonable and do we need additional measures to prevent insider attacks? There was also a question whether source authentication is necessarily for multicast? In our opinion, this can be an optional feature in that for some important use cases, e.g., switching off all lights in the building, source authentication is required. Providing source authentication with a group key is not feasible, an alternative is to provide source authentication at the CoAP level using public-key cryptography? A single security protocol for IoT To strive for a single security protocol (e.g., the optimized “D”TLS) that can provide the required security functionalities such as network access, key management (distribution of unicast, multicast keys) and secure group communication such that we can optimize the use of memory on the constrained devices. Define the workflow in to perform network access using DTLS Define ways of distributing and renewing application, network, and multicast keys over the DTLS secure channel, i.e., using CoAP messages to encapsulate keying materials. Define the key derivation methods, re-using the security components in DTLS, e.g., PRF functions, AES.
- [Dtls-iot] Current dtls-iot charter text - discus… Stephen Farrell
- Re: [Dtls-iot] Current dtls-iot charter text - di… Zach Shelby
- Re: [Dtls-iot] Current dtls-iot charter text - di… Keoh, Sye Loong
- Re: [Dtls-iot] Current dtls-iot charter text - di… Bert Greevenbosch
- Re: [Dtls-iot] Current dtls-iot charter text - di… Keoh, Sye Loong
- Re: [Dtls-iot] Current dtls-iot charter text - di… Paul Duffy
- Re: [Dtls-iot] Current dtls-iot charter text - di… Don Sturek
- Re: [Dtls-iot] Current dtls-iot charter text - di… Keoh, Sye Loong
- Re: [Dtls-iot] Current dtls-iot charter text - di… Zach Shelby
- Re: [Dtls-iot] Current dtls-iot charter text - di… Don Sturek
- Re: [Dtls-iot] Current dtls-iot charter text - di… Bert Greevenbosch
- Re: [Dtls-iot] Current dtls-iot charter text - di… Kumar, Sandeep
- Re: [Dtls-iot] Current dtls-iot charter text - di… Bert Greevenbosch
- Re: [Dtls-iot] Current dtls-iot charter text - di… Kemp, David P.
- Re: [Dtls-iot] Current dtls-iot charter text - di… Kumar, Sandeep
- Re: [Dtls-iot] Current dtls-iot charter text - di… Keoh, Sye Loong
- Re: [Dtls-iot] Current dtls-iot charter text - di… Zach Shelby
- Re: [Dtls-iot] Current dtls-iot charter text - di… Don Sturek
- Re: [Dtls-iot] Current dtls-iot charter text - di… Kemp, David P.
- Re: [Dtls-iot] Current dtls-iot charter text - di… Rene Struik