Re: [Iot-onboarding] some straw-man charter text for an IoT Operational Security WG

Mohit Sethi M <> Wed, 11 September 2019 19:26 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 72889120821; Wed, 11 Sep 2019 12:26:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id BX7kMliHedFg; Wed, 11 Sep 2019 12:26:55 -0700 (PDT)
Received: from ( [IPv6:2a01:111:f400:fe09::61e]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 0E994120834; Wed, 11 Sep 2019 12:26:54 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901;; cv=none; b=kpo8MWE4bVCXMImLh3mW098d67J+h8eJ14MPr3VU9rkKe9cmx0wApDYCKQgjQLkk/CTZcGv6GmkabMJz32DCyhrOeOSsqP7Xllc4L86d8gwFPP6rrZ/gMjw+SHjmuiCZLojOEzEV9Pmb+VQWxqsSt+udumseeS/ZaAZXROfCLdslL5J0HMiHYfU+iIwWhEU8agTZ8WWcD9319Q+mbzuBYa2EPj0Ecem7SDwx3kXdTqR1Tzv4ECpIjljdqmLmXvr5wWR0kRFygUPeN37Z5aIRHL+lbK3UbzCya5XgrTF7vap5G54gC9r9jGE43pz2OuzjQh2J57LYPD4z+Xzr9GKSTQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Ym5vx1FmTPP1JrnJpJnBZPsMaZDIyd4r+fM6UNTETzc=; b=IWWJNZao7KYZ2APirmLB9cmN+UHlTPdLsURQB81EcULKgDxUa+4TIRtETXq55HnlKgkpHTKnF2DJQcs6RG2h0Xtg6h+x/kRHmQifAkLm6+iegWJsN1mrZt6GaaH0zloCIGgY4uSCaZz4TQ4xowvqaPmeKJbDb5gPgmSMBgtxXojEQLpW4T4YFjEwAcNlPC92fOSFEQbOGFk09EUdNX7v7pfs6Q0YzEuu7gnbJONBRFON6pD5F/ygsIfsuxXFs85fNs9wrv1wWmGkdaU970oq4RvgAjTsqIrJ5tTjl4YSilN39eWINr48riBh4Fw+tAUAOpOWEAtKenKIO505u+yEUA==
ARC-Authentication-Results: i=1; 1; spf=pass; dmarc=pass action=none; dkim=pass; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=Ym5vx1FmTPP1JrnJpJnBZPsMaZDIyd4r+fM6UNTETzc=; b=Xb/cGO2YaYVLmhVqNzu6GIVQzlvVTEG033yHZ/CO2ek58St12/ugr9eiaZH7Uxm3laZ2kA0TJcceIGJ6rmfUw+ZLkOejTHWn2K/Zq0NC4NWskwN241mZIblSUwFN8B/uf0kobJiM39Ad9D1BS5EJyHDhTXx/ZtV0CRZmB4I9ATI=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2263.7; Wed, 11 Sep 2019 19:26:52 +0000
Received: from ([fe80::758a:12ec:c6d:e8a9]) by ([fe80::758a:12ec:c6d:e8a9%10]) with mapi id 15.20.2263.015; Wed, 11 Sep 2019 19:26:52 +0000
From: Mohit Sethi M <>
To: Kent Watsen <>, Michael Richardson <>
CC: "" <>, "" <>
Thread-Topic: [Iot-onboarding] some straw-man charter text for an IoT Operational Security WG
Thread-Index: AQHVaNbcpd2ivcpAw0yCVRFO+FMgJw==
Date: Wed, 11 Sep 2019 19:26:52 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3f1971aa-5f4b-47e8-f9db-08d736edfff5
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600166)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:HE1PR0701MB2604;
x-ms-traffictypediagnostic: HE1PR0701MB2604:
x-ms-exchange-purlcount: 2
x-microsoft-antispam-prvs: <>
x-ms-oob-tlc-oobclassifiers: OLM:7691;
x-forefront-prvs: 0157DEB61B
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(376002)(346002)(396003)(366004)(39860400002)(199004)(189003)(64756008)(66476007)(66446008)(66556008)(7736002)(26005)(606006)(478600001)(76116006)(14444005)(186003)(66574012)(66946007)(2906002)(256004)(3846002)(81156014)(81166006)(99286004)(8676002)(36756003)(6116002)(6246003)(65806001)(53936002)(66066001)(65956001)(446003)(6506007)(14454004)(316002)(86362001)(53546011)(8936002)(31696002)(4326008)(6512007)(31686004)(229853002)(15650500001)(5660300002)(76176011)(102836004)(25786009)(486006)(966005)(236005)(11346002)(54906003)(6436002)(110136005)(476003)(6486002)(54896002)(6306002)(71190400001)(71200400001)(58126008)(2616005); DIR:OUT; SFP:1101; SCL:1; SRVR:HE1PR0701MB2604;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: IiESqffBF2U+gaDzxG0eZxu/XOCAaL1SCspXGfUV3wCglUV2ppLOUD8y6RiFUxiyF4B6WF1B8NQ25kSobNL86KlBPdnLSu97EHpDSxBAb5dLnfqTk+olEd5lB4nd4jGNV0/8iMRwazt90psmnL1n+qU1BeZnh7OUQae9tyHSFVsRAGMP8qawTWIxCJzsLoUBYEYJ+ORqVOejx1znybYx0y72T9/PMJKytZyydFoGNqSiIasEeDzIXlsL7BD9oi/pdqHjd+x1S1X0AZfdKPbJHI29GwxaHajgj/IRZZkDKAg/Fd9Qlr36XitVCsoe0yZjujPPQSgw4D3kf7Lr3Qshb+MhpwxRtLIP4hyz1MBNWSL4p1OPeWWDf0mWAha7C4/WDJ5xEivlb+R+fpaCSP4JQoLTqSG+zQcbgba7G+5HBvE=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_bb757b7bdffc94944ae0a709d30445dfericssoncom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 3f1971aa-5f4b-47e8-f9db-08d736edfff5
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Sep 2019 19:26:52.4034 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: rQuSSS5ToVrVvNFXHHCzKFu4ynCFWOJe10QpmjaYog6ldkh1hqUG5M/NM8DL8hnXKu/F6K3Jmk6qpxT19eyhHruTUtpxv+wXDmfx/AUq3C8=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR0701MB2604
Archived-At: <>
Subject: Re: [Iot-onboarding] some straw-man charter text for an IoT Operational Security WG
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 11 Sep 2019 19:26:59 -0000

Hi Kent,

Could you explain the high-level differences between BRSKI and SZTP for those like me who are not extremely familiar.

I know there are probably many differences. For example, I see that the SZTP spec says that devices can receive initial bootstrap information over DNS or from a bootstrap server.

What I am trying to understand is what does a device start from (shared-secret/ephemeral key pair/manufacturer certificate), and what does it end with? Do we need both SZTP and BRSKI?


On 9/4/19 4:47 PM, Kent Watsen wrote:
I'm still not 100% sure if this working group is needed but, if such a working group is to be formed, I object to it being BRSKI-oriented, as already there is ANIMA for that.  I appreciate that the first paragraph enumerates a number of efforts (BTW, it should be just "SZTP", without the NETCONF qualifier), and later the text says that it's "not limited to just that protocol" (being BRSKI), but the general tone, and specifically the Milestones, are very BRSKI-specific.  To be clear, if such a working group were formed, I would like to submit a document entitled something like "SZTP for IoT and other Constrained Devices".  In this document I could show how SZTP could be extended to use DTLS, CBOR, and CoAP and further, that it achieves bootstrap state with fewer message exchanges and greater flexibility, not to mention that it already supports the offline/cloudless use-case and a peusdo-NOOB approach (already implemented by Juniper).  SZTP-TEAP could also be provided for.


On Sep 4, 2019, at 3:45 AM, Michael Richardson <<>> wrote:

I wrote this last week, and passed it around for obvious objections.
You can use the crayon/edit button on github to suggest changes, or email.

Charter for Working Group

The words "Internet of Things" or IoT have come to mean anything and
everything to a wide group of technology players. The IETF has been working
on a wide variety of protocols for use by machine to machine
communication. This include CoAP, CBOR, 6TISCH, ROLL, SUIT, NETCONF SZTP,
T2TRG, ANIMA's BRSKI onboarding protocol, and most recently RFC8520, the
Manufacturer Usage Description.

The IETF has tried to focus on categories of what limited things can do, and
this has resulted in a number of useful documents from the Light-Weight
Implementation Guide (LWIG). RFC7228 is a key product, having provided
terminology and scaling understanding to the entire industry. All of this has
been about scaling the Internet technologies to small devices and constrained
networks. In aggregate, these devices on small networks present a significant
operational risk to the Internet as a whole, and even to individual
Enterprise, simply due to their numbers, and lack of opportunity for regular
human supervision.

IoT devices already exist today in vast numbers. Most devices that people are
personally familiar with are in the BlueTooth Connected devices, or
Web-Connected devices that use WiFi to reach servers on the Internet ("the
Cloud"). Increasingly, the IETF view of machine to machine communications are
colinizing new greenfield situations. The IETF notion of autonomous networks
of devices is still a minority view compared to the market IoT industry of
cloud-only connected devices, but the transition is occuring.

RFC8520 was created to bridge the gap between devices wholly controlled by a
local operator (such as Enterprise IT), and devices which can not assume any
infrastructure at all, and must rely entirely on cloud communications for
command and control.

This working group concerns itself with Operational Security of IoT systems.

This includes:

* factory provisioning of devices
* onboarding of devices
* access control of devices to network resources
* administrative control of devices
* asset management of devices, as it pertains to software/firmware versions
* isolation/quarantine of devices
* remediation of broken devices
* end of life management of devices

The WG is chartered explicitely to work on MUD (RFC8520) and extensions to it.

The WG is chartered to work on onboarding protocols, specifically including
derivaties of BRSKI (RFC-tbd), but not limited to just that protocol.

The WG is not expected to pick a winner, and is encouraged to work on a
multitude of use-case specific protocols: better to get one use case right,
than to be too-complex jack of all trades.

The WG is expected to articulate clear applicability statements for each
protocol. The WG is expected to produce concise Roadmap documents that
explain how a variety of IETF (and other) protocols can work together to
satisfy the Operational needs of specific IoT areas. These roadmap documents
needn’t result in RFCs.

Neither the WG nor the IETF has exclusivity here, and an ideal document would
be one that the WG helps to start, but a specific industry alliance becomes
the lead editor for.

There will be coordination with many other WGs beyond the list above, and
this WG may accept applicability statement work from other WGs about specific
ways to deploy their protocols.

The WG will operate through a series of virtual interim meetings. This is
driven by a need to interact regularly with other industry grouops, and due
to the variety of topics which will not always be able to get quorum as a
committee of the whole.

{unusual, maybe not charter appropriate, but rather saag-like}
During in-person meetings, the WG will deal with typical status and document
progress issues during one hour (or less) of the time, and during another
hour, will be open to slideware presentations and tutorials on current IETF
or other-SDO IoT efforts. The goal of these presentations is to quickly
communicate current IoT systems state to the rest of the IETF.

It is acknowledged that part of the value is in YouTube content, and some
content should be done at IAB tech plenaries rather than at the WG.

The initial set of work items is included below as milestones, which only
require AD approval.


* adopt the constrained-voucher/constrained-BRSKI work from ANIMA.
* adopt the dtsecurity-zero-touch work from 6tisch, which can not finish before a LAKE finishes.
* create a list of a series of MUD extensions, and revise this milestone
* adopt a cloud-less (MASA-less, AAA-less) onboarding mechanism (possibly a version of EAP-NOOB), that can be used at the retail level.
* negotiate with EMU WG on how to proceed with TEAP-BRSKI, and revise this milestone.
* adopt a cloud-driven onboarding mechanism that can be used in completely offline situations without requiring renewals (perhaps revising RFC8366).

Michael Richardson <<>>, Sandelman Software Works
-= IPv6 IoT consulting =-

Iot-onboarding mailing list<>