IETF Logo Mail Archive

Re: [Iot-onboarding] OPC and BRSKI

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 06 August 2019 21:10 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 91912120047 for <iot-onboarding@ietfa.amsl.com>; Tue, 6 Aug 2019 14:10:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z065Q3zopX-p for <iot-onboarding@ietfa.amsl.com>; Tue, 6 Aug 2019 14:10:56 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 35667120033 for <iot-onboarding@ietf.org>; Tue, 6 Aug 2019 14:10:55 -0700 (PDT)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:56b2:3ff:fe0b:d84]) by tuna.sandelman.ca (Postfix) with ESMTP id 66BEE3818D; Tue, 6 Aug 2019 17:10:18 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id D0E65A01; Tue, 6 Aug 2019 17:10:53 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org>
cc: "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>
In-Reply-To: <BYAPR08MB4903129ECDEADF61E681DE0BFAD50@BYAPR08MB4903.namprd08.prod.outlook.com>
References: <BYAPR08MB4903F02A37ED9AE092A59B8EFAD50@BYAPR08MB4903.namprd08.prod.outlook.com> <649C8221-5F33-4EC2-8E03-3EEAF4CAAB64@cisco.com> <BYAPR08MB4903129ECDEADF61E681DE0BFAD50@BYAPR08MB4903.namprd08.prod.outlook.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Tue, 06 Aug 2019 17:10:53 -0400
Message-ID: <27052.1565125853@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/CG3_siFhijNnnhwLKCdkQ6N6bp4>
Subject: Re: [Iot-onboarding] OPC and BRSKI
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Aug 2019 21:10:58 -0000

Randy Armstrong (OPC) <randy.armstrong@opcfoundation.org> wrote:
    > I will start with the main trouble spots. Some of these may be already
    > covered by BRKSI but I missed the implications of some of the text:

    > 1) Low end devices that only support OPC; this means no TLS client
    > capabilities and no ability to initiate network communication
    > (i.e. server only mode);

What is "OPC", from a transport and security point of view?
When I looked through the web site, I'm afraid I came up empty.

BRSKI can be made to work when the pledge is a responder, but there are
details that need to be worked out for specific use cases.

You may prefer https://datatracker.ietf.org/doc/rfc8572/
Secure Zero-Touch Provisioning, which uses the same format vouchers,
but has different flows.

    > 2) Machine builders that combine devices into a machine that is sold as
    > a unit. These device still have a unique network identity but the
    > effective manufacturer has changed; How to deal with the DeviceID?

What an appropriate answer is depends upon who will be responsible for
the components.  Is it the manufacturer of the aggregate or the manufacturer
of the devices. One way to think of this as an initial sale to the
aggregator, and then to replace the trust anchors for a second sale.

Another way is to think of this is that the aggregator runs a mini-registrar,
onboards the devices into the aggregate, and then takes care of the devices
itself.

    > 3) Devices may be reset to factory defaults and sold/transferred to
    > another organization. This needs to be possible even if the MASA is no
    > longer available (i.e. the original manufacturer has gone out of
    > business).

There are a number of different ways to do this; every single one of them
requires some advance planning (coding) by the device manufacturer.

    > 4) Offline operation is the norm with pre-issued vouchers delivered out
    > of band. The pre-issued vouchers will need to have reasonably long
    > lifetime (i..e. years not hours).

This has already been taken into account.
The question is whether the end-owner is known at time of voucher issue or
not.

If not, then you either need a bearer voucher (which RFC8366 declined to
define, as it's so powerful, we were afraid of the security considerations),
or you need to pin to a temporary key which is turned over the operator.
But, that is effectively a bearer voucher with multiple components.

    > The lifecycle of a device is shown in the following diagram. The
    > expectation is we would need to add links to the MASA at each step in
    > the lifetime.

I don't think you need a connection to the MASA until provisioning box, nor
after that either.

I think that the hardest part is (1), and then it's just an applicability statement.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email