Re: [Dtls-iot] IP Addresses in Certificates

Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 11 August 2015 11:24 UTC

Message-ID: <55C9DB23.1040308@gmx.net>
Date: Tue, 11 Aug 2015 13:23:15 +0200
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
To: Stephen Farrell <stephen.farrell@cs.tcd.ie>, Michael StJohns <msj@nthpermutation.com>
References: <55A63EEF.7010608@gmx.net> <55A641EC.4030203@cs.tcd.ie> <D1D3F9D5.31B15%thomas.fossati@alcatel-lucent.com> <trinity-5e418e2e-726a-4c31-8498-634e598fb57e-1438786484782@3capp-gmx-bs46> <55C23E1B.5050300@cs.tcd.ie> <55C2687F.8050004@nthpermutation.com> <55C4BEE5.5080107@gmx.net> <55C7F80B.5020501@cs.tcd.ie> <55C9D1BC.70500@gmx.net> <55C9D35D.60307@cs.tcd.ie>
In-Reply-To: <55C9D35D.60307@cs.tcd.ie>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dtls-iot/pSZfmLJyB4L-_0mKN9y_r4nYAJo>
Cc: dtls-iot@ietf.org
Subject: Re: [Dtls-iot] IP Addresses in Certificates

Hi Stephen,


On 08/11/2015 12:50 PM, Stephen Farrell wrote:
> 
> 
> On 11/08/15 11:43, Hannes Tschofenig wrote:
>> Hi Stephen,
>>
>>> OTOH, there will be devices whose only visible identifier is an IP
>>> address, right? If so, and if certificates/DTLS are to be of use with
>>> such devices... then what? I do think some variety of "we" ought try
>>> to address this problem.
>>
>> I don't think that there are devices that have no other identifiers than
>> IP addresses. For example, if a device has a network interface it will
>> also have a MAC address. 
> 
> My hope is that 802 move more and more towards non-static or random
> MAC addresses.

Me too, but then we (in the IETF) just replace it with something static
at the IP layer (as we managed to remove the randomized IPv6 interface
generation via 6lo...).

> 
>> There will also be an application sitting on
>> top of the stack that might introduce identifiers.
> 
> Sure, they "might" :-) And if they do, then for sure there shouldn't
> be any reason to put an IP address for such a device in a certificate.
> 
> My point is that there will be devices where the IP address is the
> only reliably-present publicly (maybe public==on-LAN here) visible
> identifier and where we'd like to use (D)TLS to talk to that device.
> And we have no guidance for that case, and we do have a bunch of
> gotchas and pitfalls.

Here are the additional challenges:
1) When are the certificates generated?
2) When does the IP address assignment happen?

If the certificates are generated during manufacturing, then the
IP address cannot be known. So, what IP address are you going to put in
there?

May I assume that the certificate enrolment request is done using some
protocol during deployment (such as EST), and that the IoT device then
provides the currently assigned IP address to the enrolment server to
get the certificate back?

Would this mean that every time the IoT device gets a new IP address it
has to request a new certificate?

If not, would we just assume that the IP address in the certificate has
no relationship to what is contained in the certificate?

If we talk about IPv6 addresses why wouldn't we just put the IID into
the certificate rather than the full IP address (assuming that the IID
does not change for certain deployments)?

Ciao
Hannes
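[Editor's note, added to this archived message and not part of the original thread: the questions above turn on how an iPAddress entry in a SubjectAltName is matched. Per RFC 5280 the iPAddress GeneralName is the raw 4 or 16 address octets, so a strict check only succeeds if the peer's current address appears verbatim, which is why a renumbered device would need a new certificate. The example below hand-rolls just enough DER to encode and decode such a SAN, applies the strict check, and beside it the relaxed "match only the 64-bit IID" check the last paragraph floats. The addresses are constructed from the 192.0.2.0/24 and 2001:db8::/32 documentation ranges; the function names are this example's own, not from any library.]

```python
"""Encode and decode the iPAddress form of SubjectAltName (RFC 5280) and
check it against the peer's actual address, strictly (full address) and in
the relaxed IID-only form for IPv6. Pure standard library; the DER handling
covers only the tags this example needs."""
import ipaddress
from typing import List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# GeneralName ::= CHOICE { ..., iPAddress [7] OCTET STRING, ... }
# Context-specific, primitive, tag number 7 -> 0x87. In a SAN the octet
# string is the bare 4- or 16-byte address (no prefix length; that form
# exists only in NameConstraints).
TAG_IPADDRESS = 0x87
TAG_SEQUENCE = 0x30


def _der_len(n: int) -> bytes:
    """DER length, short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_len(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, position of first content byte)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    nbytes = first & 0x7F
    return int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes


def encode_san(addresses: List[str]) -> bytes:
    """DER value of a SubjectAltName holding only iPAddress names."""
    names = b""
    for text in addresses:
        raw = ipaddress.ip_address(text).packed
        names += bytes([TAG_IPADDRESS]) + _der_len(len(raw)) + raw
    return bytes([TAG_SEQUENCE]) + _der_len(len(names)) + names


def decode_san(der: bytes) -> List[IPAddr]:
    """Parse the iPAddress entries back out, rejecting malformed lengths."""
    if not der or der[0] != TAG_SEQUENCE:
        raise ValueError("not a GeneralNames SEQUENCE")
    total, pos = _read_len(der, 1)
    end = pos + total
    if end != len(der):
        raise ValueError("SEQUENCE length does not match buffer")
    out: List[IPAddr] = []
    while pos < end:
        tag = der[pos]
        length, pos = _read_len(der, pos + 1)
        value, pos = der[pos:pos + length], pos + length
        if tag != TAG_IPADDRESS:
            continue  # dNSName and other forms are skipped in this example
        if length not in (4, 16):
            raise ValueError("iPAddress must be 4 or 16 octets, got %d" % length)
        out.append(ipaddress.ip_address(value))
    return out


def san_matches(der: bytes, peer: str) -> bool:
    """Strict check: the peer's current address must appear verbatim.
    A device that was renumbered after enrolment fails this check."""
    return ipaddress.ip_address(peer) in decode_san(der)


def iid_matches(der: bytes, peer: str) -> bool:
    """Relaxed check in the spirit of the IID suggestion: for IPv6 compare
    only the low 64 bits, so a changed prefix still matches. IPv4 falls
    back to the strict check since it has no IID."""
    peer_ip = ipaddress.ip_address(peer)
    if peer_ip.version != 6:
        return san_matches(der, peer)
    mask = (1 << 64) - 1
    return any(a.version == 6 and (int(a) & mask) == (int(peer_ip) & mask)
               for a in decode_san(der))


if __name__ == "__main__":
    # Constructed sample: a certificate issued while the device held
    # 192.0.2.10 and 2001:db8:1::1; later the IPv6 prefix was renumbered.
    san = encode_san(["192.0.2.10", "2001:db8:1::1"])
    print("SAN DER:", san.hex())
    print("strict, same address:", san_matches(san, "2001:db8:1::1"))
    print("strict, renumbered:  ", san_matches(san, "2001:db8:2::1"))
    print("IID-only, renumbered:", iid_matches(san, "2001:db8:2::1"))
```

The IID-only variant binds the certificate to nothing more than the interface identifier, so it is only as strong as the assumption in the message that the IID is stable and unique within the deployment; a host that can choose its own IID (or that uses RFC 7217 or temporary addresses) defeats it, and a verifier must decide explicitly which of the two checks it applies rather than falling back silently.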