Re: [Emu] Secdir early review of draft-ietf-emu-eap-noob-01

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 29 June 2020 01:43 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Steve Hanna <steve@hannas.com>, emu@ietf.org
cc: secdir@ietf.org, draft-ietf-emu-eap-noob.all@ietf.org
In-Reply-To: <159338848381.14481.6078519980317282415@ietfa.amsl.com>
References: <159338848381.14481.6078519980317282415@ietfa.amsl.com>
Date: Sun, 28 Jun 2020 21:43:34 -0400
Message-ID: <25427.1593395014@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/emu/RZrCe-SbMRhM-87evBdZsw-OeoQ>
Subject: Re: [Emu] Secdir early review of draft-ietf-emu-eap-noob-01

Steve Hanna via Datatracker <noreply@ietf.org> wrote:
    > Reviewer: Steve Hanna
    > Review result: Not Ready

Steve thanks for the great review!
I wanted to respond as an IoT onboarding expert and EMU WG member.

    > * Bootstrapping an IoT device involves many tasks that extend far beyond what
    > is accomplished by EAP-NOOB: configuring the services that the device
    > can/should employ within its new context (including how to reach and

Hi, so your comments are well taken, but it's really an unreasonably high
standard.  While it is really important to get the configuration mechanisms
in place, they are even more diverse than onboarding.
That's an entire ocean of disagreement here.
I would certainly love to get a handle on this.
When it comes to standardization, we really have to be very selective about how
big a thing to bite off.  I think that we can incrementally get to this, but
first we need some success with getting even one onboarding spec working.

So I don't think it's reasonable to evaluate EAP-NOOB (or BRSKI-TEEP) by this criteria.

    > * IoT device provisioning is not a new problem. In fact, it has been solved
    > hundreds of times. Most of those solutions are proprietary but some standards
    > efforts are ongoing now: IoTopia, FIDO IoT, Connected Home over IP, IP-BLiS,
    > etc. Why ignore these? Why not reach out and try to help them?

Well, of those groups, many of them are completely pay-to-play fora, and do
all of their work behind closed doors. In many cases, they look to the IETF
for components, such as EAP-NOOB, BRSKI, etc. that they can incorporate into
their designs.  Some are actively hostile towards an actual written
standard, preferring that everyone license a particular software stack instead.
I think that EAP-NOOB has benefited greatly from academic and industrial review.

    > * This proposal assumes that the IoT device has a user interface (camera,
    > screen, etc.). What about those that don’t?

Yup. Some don't, and you need to do something else.
But, a lot of devices *do* have displays.
Think about any industrial or hospital instrument.
They all go "ping", and have a cool display to put a graph on :-)

    > * Won’t this protocol apply to a relatively small subset of the networks that
    > IoT devices will need to connect to? Few IoT networks run EAP.

EAP is very popular in industrial and enterprise situations.
EAP can be easily introduced into a home network, with the Authentication
Server running locally.  Many have done this, and it is supported in OpenWrt today.

    > * How will the device know which network to connect to, in the first
    > place?

This is a good question, and I can offer no answer for the EAP-NOOB case, and
I leave it to the authors to respond to your other comments.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-