[I2nsf] 答复: draft-qi-i2nsf-access-network-usecase-00
"Minpeng Qi" <qiminpeng@chinamobile.com> Tue, 25 November 2014 15:11 UTC
Return-Path: <qiminpeng@chinamobile.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD7121A879A for <i2nsf@ietfa.amsl.com>; Tue, 25 Nov 2014 07:11:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.611
X-Spam-Level:
X-Spam-Status: No, score=0.611 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RELAY_IS_221=2.222, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Q_ftm4n6Q0yB for <i2nsf@ietfa.amsl.com>; Tue, 25 Nov 2014 07:11:27 -0800 (PST)
Received: from cmccmta3.chinamobile.com (cmccmta3.chinamobile.com [221.176.66.81]) by ietfa.amsl.com (Postfix) with SMTP id 322A71A6FC6 for <i2nsf@ietf.org>; Tue, 25 Nov 2014 07:10:56 -0800 (PST)
Received: from spf.mail.chinamobile.com (unknown[172.16.121.19]) by rmmx-syy-dmz-app10-12010 (RichMail) with SMTP id 2eea54749bff653-e3b47; Tue, 25 Nov 2014 23:10:56 +0800 (CST)
X-RM-TRANSID: 2eea54749bff653-e3b47
X-RM-SPAM-FLAG: 00000000
Received: from RonpuzzlePC (unknown[14.110.186.109]) by rmsmtp-syy-appsvr10-12010 (RichMail) with SMTP id 2eea54749bfd73d-0f007; Tue, 25 Nov 2014 23:10:56 +0800 (CST)
X-RM-TRANSID: 2eea54749bfd73d-0f007
From: Minpeng Qi <qiminpeng@chinamobile.com>
To: 'Hannes Tschofenig' <hannes.tschofenig@gmx.net>, i2nsf@ietf.org
References: <547395A0.3040105@gmx.net>
In-Reply-To: <547395A0.3040105@gmx.net>
Date: Tue, 25 Nov 2014 23:10:54 +0800
Message-ID: <015c01d008c2$02bcf540$0836dfc0$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AdAIJaR5oEZHO6ySSGS4nqaseyw0dQAbBTJA
Content-Language: zh-cn
Archived-At: http://mailarchive.ietf.org/arch/msg/i2nsf/0S4c9f_qfrlh4sZyl7MrhZOkxgU
Subject: [I2nsf] 答复: draft-qi-i2nsf-access-network-usecase-00
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Nov 2014 15:11:29 -0000
Hi Hannes, Thanks for sharing so many information and give recommendations. 1. I'm not intended to involve too much details about access level procedure which usually could be seen transparently for upper layer protocol (e.g. DICE, CORE, etc.). And there is nothing wrong with current solution, but some operation issue. For better understanding, I can set a similar example here by using DICE and DTLS in IoT device: Some assumption: First, let's suppose there are several kinds of IoT devices (e.g. class 1 type, class 2 type, and beyond class 2 type) which would occasionally connect to the network. Class 1 IoT devices can only run DICE for secure connection. Class 2 IoT devices can run DICE/DTLS for secure connection. Beyond class 2 IoT devices can run DTLS only for secure connection. Suppose there are ~4000 class 1 type devices, ~1000 class 2 type devices and ~5000 beyond class 2 type devices. Secondly, on the network side, due to cost or deployment problem, server could provide either DTLS or DICE connection. And suppose one server could connect ~1000 IoT devices. So if we want to connect 4000 devices, network should prepare EIGHT servers: 4 servers for DICE connection for the case all class 1 type devices connected and 4 servers for DTLS connections for the case all beyond class 2 devices connected. What is more, class 2 devices could not choose which solution it could use when they connected to specific server. However, if we can use virtualized network server, only FOUR servers with different instantiation is enough. If 4000 class 1 devices connected, the 4 servers could all be DICE applicable instantiation, while if 4000 beyond class 2 devices connected, the 4 servers could all be DTLS applicable instantiation. And class 2 devices have more flexibility to select preferred DICE/DTLS solution to use. In short, it does not propose to enhance current solution, but willing to develop a solution for more flexible deployment. 2. The motivation about configuration provisioning is: clients and servers could negotiate configuration as well as selection specific solutions in order to reduce the negotiation/handshake inside this specific solution procedure. You are right this have some overlap with ACE working group use case, but the solutions are not same. We are fine to keep it out of mind if there is consensus to make no duplication between these two solutions. BRs, Minpeng -----邮件原件----- 发件人: I2nsf [mailto:i2nsf-bounces@ietf.org] 代表 Hannes Tschofenig 发送时间: 2014年11月25日 4:31 收件人: i2nsf@ietf.org 主题: [I2nsf] draft-qi-i2nsf-access-network-usecase-00 Following the presentation at the last IETF meeting I read draft-qi-i2nsf-access-network-usecase-00 with a focus on the mentioned Internet of Things use cases. The draft mentions Internet of Things in Section 3 as well but does not go into the details about the type of security (and configuration) provisioning. Since we have been working on various Internet of Things related scenarios in other working groups (DICE, CORE, LWIG, ACE, etc.) it would be good to go into more details. In particular, I would like to understand what is wrong with the currently developed solution. Maybe they do not provide the functionality needed or there are other use cases that have not been covered yet. I would also suggest to look at the OMA Lightweight Machine-to-Machine specification since it provides provisioning capabilities and makes use of the IETF CoAP protocol. It also offers a number of cellular operator-based scenarios. The specification can be found at: http://openmobilealliance.org/about-oma/work-program/m2m-enablers/ At the last IETF meeting my co-worker Michael Koster gave an overview talk that explained how CoAP, OMA LWM2M, and the IPSO objects fit together. The slides can be found here: http://www.slideshare.net/MichaelKoster/ietf91-ad-hoccoaplwm2mipso-41542196 Note also that this provisioning interface is rather generic and allows various parties to use it - not just network operators but also application providers. It might also be worthwhile to note that * when IoT devices execute network authentication then there is no user interaction (just a terminology issue since you are writing about users in your scenario), * the street lighting deployments I am aware of do not use cellular technology but rather a multi-hop mesh network based on sub-Ghz IEEE 802.15.4 technology. For this reason it might be useful to go into more details with regard to the description of the scenario. * when you use cellular radio technology then you would have the shared secret for the AKA algorithm already on the smart card and the credential provisioning happens during the manufacturing time. * The story about configuring different key lengths is OK but we are currently working on a profile that tries to reduce the number of options as much as possible (at least when DTLS/TLS is used in the IoT context). This work happens in the IETF DICE working group. * There could potentially be an overlap with the use cases we are investigating in the ACE working group. Please take a look at the use case document, which you can find at http://tools.ietf.org/html/draft-seitz-ace-usecases-02 Ciao Hannes
- [I2nsf] draft-qi-i2nsf-access-network-usecase-00 Hannes Tschofenig
- [I2nsf] 答复: draft-qi-i2nsf-access-network-usecase… Minpeng Qi
- Re: [I2nsf] 答复: draft-qi-i2nsf-access-network-use… Hannes Tschofenig