Re: [Iot-onboarding] OPC and BRSKI

"Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org> Thu, 08 August 2019 00:01 UTC

From: "Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>
Date: Thu, 08 Aug 2019 00:01:38 +0000
Message-ID: <BYAPR08MB490307308F990A823578AC8EFAD70@BYAPR08MB4903.namprd08.prod.outlook.com>
References: <BYAPR08MB4903F02A37ED9AE092A59B8EFAD50@BYAPR08MB4903.namprd08.prod.outlook.com> <649C8221-5F33-4EC2-8E03-3EEAF4CAAB64@cisco.com> <BYAPR08MB4903129ECDEADF61E681DE0BFAD50@BYAPR08MB4903.namprd08.prod.outlook.com> <717f4770-23d1-e584-d0e8-c10a05109370@sandelman.ca>
In-Reply-To: <717f4770-23d1-e584-d0e8-c10a05109370@sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/-h86IH-HHR2bsu3JCZHVjABwqMY>
Subject: Re: [Iot-onboarding] OPC and BRSKI
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>

Hi Michael,

UA CP includes a complete security handshake which provides end-to-end message security over any transport:
https://opcfoundation.github.io/UA-TypeRepository/Core/docs/Part6/6.1/

UA TCP is UA CP over a raw TCP socket. 
When UA CP runs over HTTPS you have the option of using UA CP security in addition to TLS which is useful if you are going through untrusted HTTPS proxies.

For low end devices the only transport will be UA TCP.

Regards,

Randy

Note: the links to the specifications are from a website under development so missing/dead links will show up. The URLs will also change when we go to release.

-----Original Message-----
From: Michael Richardson <mcr+ietf@sandelman.ca> 
Sent: August 7, 2019 4:41 PM
To: Randy Armstrong (OPC) <randy.armstrong@opcfoundation.org>; iot-onboarding@ietf.org
Subject: Re: [Iot-onboarding] OPC and BRSKI

On 2019-08-06 2:58 p.m., Randy Armstrong (OPC) wrote:
> I will start with the main trouble spots. Some of these may be already 
> covered by BRSKI but I missed the implications of some of the text:
> 
> 1) Low end devices that only support OPC; this means no TLS client 
> capabilities and no ability to initiate network communication (i.e.
> server only mode);

Thanks for the link to the WIP at: 
https://opcfoundation.github.io/UA-TypeRepository/Core/docs/Part2/3.1/

I looked through this document looking for what you are using that isn't TLS.  TLS is clearly mentioned in the document. Section 4 of that document at https://opcfoundation.github.io/UA-TypeRepository/Core/docs/Part2/4.5.2/
refers to a Secure Channel, and references which led me to:

https://opcfoundation.github.io/UA-TypeRepository/Core/docs/Part4/6.1.4/
I can't see anything there that says it is TLS, nor can I see anything that is at odds with it being TLS.

https://opcfoundation.github.io/UA-TypeRepository/Core/docs/Part6/4/
says:"that is built on an existing Layer 5, 6 or 7 protocol such as TCP/IP, TLS or HTTP. "

At
https://opcfoundation.github.io/UA-TypeRepository/Core/docs/Part6/6.5.1/
  I see that Kerberos is mentioned, and then JWT, and OAUTH2.

Now, at: 
https://opcfoundation.github.io/UA-TypeRepository/Core/docs/Part6/7.1.1/
  I see your UAPC protocol, finally! And UAPC can run over: TCP, SOAP/HTTP (deprecated), HTTPS, WebSockets (HTTP and HTTPS).

So as far as I can see, in the TCP and WebSockets-over-HTTP, there is no security at all. In all other cases, there is TLS (or HTTPS).
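The point of disagreement above is whether a raw UA TCP connection carries any security at all. The security Randy refers to lives in the UA CP handshake itself: the OpenSecureChannel (OPN) chunk begins with an asymmetric security header naming the security policy and carrying the sender's certificate, independent of TLS. The Python below is an added example, not code from the OPC Foundation, from the UA specifications' website, or from either participant in this thread; it builds and parses the UA TCP Hello chunk and the OPN chunk's security header and classifies whether the channel being opened has UA CP protection. The framing follows OPC UA Part 6 as the author of this example understands it (3-byte message type, one-byte chunk type, little-endian UInt32 total size, Int32-length-prefixed strings and byte strings); the sample chunks, the certificate and thumbprint bytes, and the endpoint URL are constructed placeholders rather than captured traffic.

```python
import struct

# Security policy URIs (OPC UA Part 7). "None" means the secure channel
# neither signs nor encrypts, so over raw UA TCP the session is cleartext.
POLICY_NONE = "http://opcfoundation.org/UA/SecurityPolicy#None"
POLICY_B256 = "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"


def ua_string(value):
    """Encode an OPC UA String/ByteString: Int32 length (-1 for null) + bytes."""
    if value is None:
        return struct.pack("<i", -1)
    raw = value.encode("utf-8") if isinstance(value, str) else bytes(value)
    return struct.pack("<i", len(raw)) + raw


def read_string(buf, off):
    """Decode a String/ByteString at offset off; returns (bytes_or_None, new_off)."""
    (length,) = struct.unpack_from("<i", buf, off)
    off += 4
    if length < 0:
        return None, off
    if off + length > len(buf):
        raise ValueError("length field runs past end of message")
    return bytes(buf[off:off + length]), off + length


def build_message(msg_type, payload):
    """Prepend the 8-byte UA TCP header: 3-byte type, 'F' (final chunk), UInt32 size."""
    return msg_type + b"F" + struct.pack("<I", 8 + len(payload)) + payload


def build_hello(endpoint_url):
    # ProtocolVersion, ReceiveBufferSize, SendBufferSize, MaxMessageSize, MaxChunkCount
    return build_message(b"HEL", struct.pack("<5I", 0, 65536, 65536, 0, 0) + ua_string(endpoint_url))


def build_open(channel_id, policy, sender_cert, receiver_thumbprint, body=b""):
    """OPN chunk: SecureChannelId, asymmetric security header, sequence header, body."""
    payload = (struct.pack("<I", channel_id)
               + ua_string(policy) + ua_string(sender_cert) + ua_string(receiver_thumbprint)
               + struct.pack("<II", 1, 1)  # SequenceNumber, RequestId
               + body)
    return build_message(b"OPN", payload)


def parse_header(buf):
    """Return (message_type, chunk_type); reject chunks whose size field lies."""
    if len(buf) < 8:
        raise ValueError("short header")
    msg_type = bytes(buf[0:3])
    chunk_type = chr(buf[3])
    (size,) = struct.unpack_from("<I", buf, 4)
    if size != len(buf):
        raise ValueError("MessageSize %d does not match %d bytes on the wire" % (size, len(buf)))
    return msg_type, chunk_type


def parse_open(buf):
    """Pull the security policy, sender certificate and sequence header out of an OPN chunk."""
    msg_type, _ = parse_header(buf)
    if msg_type != b"OPN":
        raise ValueError("not an OpenSecureChannel chunk")
    (channel_id,) = struct.unpack_from("<I", buf, 8)
    policy, off = read_string(buf, 12)
    sender_cert, off = read_string(buf, off)
    thumbprint, off = read_string(buf, off)
    seq_no, req_id = struct.unpack_from("<II", buf, off)
    return {"channel_id": channel_id,
            "policy": policy.decode("utf-8") if policy else None,
            "sender_cert": sender_cert, "receiver_thumbprint": thumbprint,
            "sequence_number": seq_no, "request_id": req_id}


def channel_protected(info):
    """True only if a non-None policy was chosen and the sender presented a certificate."""
    return info["policy"] not in (None, POLICY_NONE) and bool(info["sender_cert"])


# Constructed sample chunks (assumption: not captured traffic). The certificate
# bytes only mimic the start of a DER SEQUENCE; they are not a real X.509 blob.
OPN_NONE = build_open(0, POLICY_NONE, None, None)
OPN_B256 = build_open(0, POLICY_B256, b"\x30\x82\x01\x00" + b"\x00" * 252, b"\xab" * 20)

if __name__ == "__main__":
    for name, chunk in (("None", OPN_NONE), ("Basic256Sha256", OPN_B256)):
        info = parse_open(chunk)
        print(name, "protected" if channel_protected(info) else "CLEARTEXT", info["policy"])
```

A passive monitor on the UA TCP port can apply channel_protected() to the first OPN chunk of each connection: a policy of None over raw UA TCP is the "no security at all" case, while any other policy together with a sender certificate means UA CP itself is supplying the signing and encryption with no TLS involved. One caveat: the MessageSecurityMode (Sign versus SignAndEncrypt) is carried in the OpenSecureChannelRequest body, not in this header, so a non-None policy tells you the channel is authenticated but not by itself whether subsequent MSG chunks are encrypted.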