Re: [I2nsf] 答复: draft-qi-i2nsf-access-network-usecase-00
Hannes Tschofenig <hannes.tschofenig@gmx.net> Tue, 25 November 2014 16:01 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB9DD1A6FC9 for <i2nsf@ietfa.amsl.com>; Tue, 25 Nov 2014 08:01:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.61
X-Spam-Level:
X-Spam-Status: No, score=-1.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id z7lJxmLUzd7n for <i2nsf@ietfa.amsl.com>; Tue, 25 Nov 2014 08:01:14 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher DHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 936591AC3A5 for <i2nsf@ietf.org>; Tue, 25 Nov 2014 08:00:16 -0800 (PST)
Received: from [192.168.131.131] ([80.92.115.84]) by mail.gmx.com (mrgmx003) with ESMTPSA (Nemesis) id 0LgqQQ-1YEaL51S5O-00oCOS; Tue, 25 Nov 2014 17:00:13 +0100
Message-ID: <5474A78B.6020802@gmx.net>
Date: Tue, 25 Nov 2014 17:00:11 +0100
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
MIME-Version: 1.0
To: Minpeng Qi <qiminpeng@chinamobile.com>, i2nsf@ietf.org
References: <547395A0.3040105@gmx.net> <015c01d008c2$02bcf540$0836dfc0$@com>
In-Reply-To: <015c01d008c2$02bcf540$0836dfc0$@com>
OpenPGP: id=4D776BC9
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="N9dwV8Px1wiQihcrEh5PSFLsdOOXxEH72"
X-Provags-ID: V03:K0:ryc6IT4hK7gFHqrQoY4UY70H5Vcu2VKss0K1D/5QlEoadrB2Lyo lU1V6/dodF5enbgM8LW5RmQtsb/wpHaXQd+BQVOl78pkFFShzLAhW3kgxCQaeV4vRP6hOLZ /jIGPpABwsf5+ZR1BHWduljBdl+4hOwbFcAu3OBiklC4dHOwXreMuhIWV/lf23k/YXUc4gt BbQNQzXAIVATlV0ussg+Q==
X-UI-Out-Filterresults: notjunk:1;
Archived-At: http://mailarchive.ietf.org/arch/msg/i2nsf/0AtTLvhgpRYuLS7yANGYYfkjL34
Subject: Re: [I2nsf] 答复: draft-qi-i2nsf-access-network-usecase-00
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Nov 2014 16:01:17 -0000
Thanks for your quick response, Minpeng. Wouldn't it be an implementation / deployment issue to decide how to run the server-side infrastructure? (e.g., what virtualization technology to use) Currently, there are RESTful APIs defined to let these IoT devices (of different classes) interact with the server-side infrastructure (at least for the configuration management). Those APIs should be able to work fine with any virtualization technology out there. Is there anything else one would have to do? Ciao Hannes On 11/25/2014 04:10 PM, Minpeng Qi wrote: > Hi Hannes, > > Thanks for sharing so many information and give recommendations. > > 1. I'm not intended to involve too much details about access level procedure which usually could be seen transparently for upper layer protocol (e.g. DICE, CORE, etc.). And there is nothing wrong with current solution, but some operation issue. > > For better understanding, I can set a similar example here by using DICE and DTLS in IoT device: > Some assumption: First, let's suppose there are several kinds of IoT devices (e.g. class 1 type, class 2 type, and beyond class 2 type) which would occasionally connect to the network. Class 1 IoT devices can only run DICE for secure connection. Class 2 IoT devices can run DICE/DTLS for secure connection. Beyond class 2 IoT devices can run DTLS only for secure connection. Suppose there are ~4000 class 1 type devices, ~1000 class 2 type devices and ~5000 beyond class 2 type devices. > Secondly, on the network side, due to cost or deployment problem, server could provide either DTLS or DICE connection. And suppose one server could connect ~1000 IoT devices. > So if we want to connect 4000 devices, network should prepare EIGHT servers: 4 servers for DICE connection for the case all class 1 type devices connected and 4 servers for DTLS connections for the case all beyond class 2 devices connected. What is more, class 2 devices could not choose which solution it could use when they connected to specific server. > However, if we can use virtualized network server, only FOUR servers with different instantiation is enough. If 4000 class 1 devices connected, the 4 servers could all be DICE applicable instantiation, while if 4000 beyond class 2 devices connected, the 4 servers could all be DTLS applicable instantiation. And class 2 devices have more flexibility to select preferred DICE/DTLS solution to use. > > In short, it does not propose to enhance current solution, but willing to develop a solution for more flexible deployment. > > 2. The motivation about configuration provisioning is: clients and servers could negotiate configuration as well as selection specific solutions in order to reduce the negotiation/handshake inside this specific solution procedure. You are right this have some overlap with ACE working group use case, but the solutions are not same. We are fine to keep it out of mind if there is consensus to make no duplication between these two solutions. > > BRs, > Minpeng > > -----邮件原件----- > 发件人: I2nsf [mailto:i2nsf-bounces@ietf.org] 代表 Hannes Tschofenig > 发送时间: 2014年11月25日 4:31 > 收件人: i2nsf@ietf.org > 主题: [I2nsf] draft-qi-i2nsf-access-network-usecase-00 > > Following the presentation at the last IETF meeting I read draft-qi-i2nsf-access-network-usecase-00 with a focus on the mentioned Internet of Things use cases. > > The draft mentions Internet of Things in Section 3 as well but does not go into the details about the type of security (and configuration) provisioning. > > Since we have been working on various Internet of Things related scenarios in other working groups (DICE, CORE, LWIG, ACE, etc.) it would be good to go into more details. > > In particular, I would like to understand what is wrong with the currently developed solution. Maybe they do not provide the functionality needed or there are other use cases that have not been covered yet. > > I would also suggest to look at the OMA Lightweight Machine-to-Machine specification since it provides provisioning capabilities and makes use of the IETF CoAP protocol. It also offers a number of cellular operator-based scenarios. > > The specification can be found at: > http://openmobilealliance.org/about-oma/work-program/m2m-enablers/ > > At the last IETF meeting my co-worker Michael Koster gave an overview talk that explained how CoAP, OMA LWM2M, and the IPSO objects fit together. The slides can be found here: > http://www.slideshare.net/MichaelKoster/ietf91-ad-hoccoaplwm2mipso-41542196 > > Note also that this provisioning interface is rather generic and allows various parties to use it - not just network operators but also application providers. > > It might also be worthwhile to note that > > * when IoT devices execute network authentication then there is no user interaction (just a terminology issue since you are writing about users in your scenario), > > * the street lighting deployments I am aware of do not use cellular technology but rather a multi-hop mesh network based on sub-Ghz IEEE > 802.15.4 technology. For this reason it might be useful to go into more details with regard to the description of the scenario. > > * when you use cellular radio technology then you would have the shared secret for the AKA algorithm already on the smart card and the credential provisioning happens during the manufacturing time. > > * The story about configuring different key lengths is OK but we are currently working on a profile that tries to reduce the number of options as much as possible (at least when DTLS/TLS is used in the IoT context). This work happens in the IETF DICE working group. > > * There could potentially be an overlap with the use cases we are investigating in the ACE working group. Please take a look at the use case document, which you can find at > http://tools.ietf.org/html/draft-seitz-ace-usecases-02 > > Ciao > Hannes > > > > > > > _______________________________________________ > I2nsf mailing list > I2nsf@ietf.org > https://www.ietf.org/mailman/listinfo/i2nsf >
- [I2nsf] draft-qi-i2nsf-access-network-usecase-00 Hannes Tschofenig
- [I2nsf] 答复: draft-qi-i2nsf-access-network-usecase… Minpeng Qi
- Re: [I2nsf] 答复: draft-qi-i2nsf-access-network-use… Hannes Tschofenig