IETF Logo Mail Archive

Re: [Iot-onboarding] OPC and BRSKI

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 07 August 2019 14:59 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4416312031C for <iot-onboarding@ietfa.amsl.com>; Wed, 7 Aug 2019 07:59:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rXq84hEzyM5y for <iot-onboarding@ietfa.amsl.com>; Wed, 7 Aug 2019 07:59:26 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1217812030C for <iot-onboarding@ietf.org>; Wed, 7 Aug 2019 07:59:19 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 115473818D; Wed, 7 Aug 2019 10:58:42 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 956D9912; Wed, 7 Aug 2019 10:59:17 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Eliot Lear <lear@cisco.com>, "Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org>, "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>
In-Reply-To: <46BF5F7B-5407-45A9-9C4F-EA553DF5814B@cisco.com>
References: <BYAPR08MB4903F02A37ED9AE092A59B8EFAD50@BYAPR08MB4903.namprd08.prod.outlook.com> <649C8221-5F33-4EC2-8E03-3EEAF4CAAB64@cisco.com> <BYAPR08MB4903129ECDEADF61E681DE0BFAD50@BYAPR08MB4903.namprd08.prod.outlook.com> <46BF5F7B-5407-45A9-9C4F-EA553DF5814B@cisco.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Wed, 07 Aug 2019 10:59:17 -0400
Message-ID: <11781.1565189957@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/Qp9F2sknB8BQw6umC8MIY5Bkvms>
Subject: Re: [Iot-onboarding] OPC and BRSKI
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 07 Aug 2019 14:59:37 -0000

Eliot Lear <lear@cisco.com> wrote:
    >> 1) Low end devices that only support OPC; this means no TLS client
    >> capabilities and no ability to initiate network communication
    >> (i.e. server only mode);
    >>

    > How does OPC handle such devices?  I think this is also coming up
    > elsewhere.  One question is whether TLS is required.  Without TLS one
    > does lose confidentiality, but so long as the client can sign the
    > request, maybe that’s all you use.

The TLS encryption provides confidentiality, yes, and I agree that it
is not critical to onboarding.  The TLS Client and ServerCertificate and
resulting channel is critical though as it provides the cryptographic
hook on which the voucher is attached.

    >> 4) Offline operation is the norm with pre-issued vouchers delivered
    >> out of band. The pre-issued vouchers will need to have reasonably long
    >> lifetime (i.e. years not hours).
    >>
    >> The lifecycle of a device is shown in the following diagram. The
    >> expectation is we would need to add links to the MASA at each step in
    >> the lifetime

    > Thank you for that.  For wired it seems to me that a permissive MASA
    > model (logging only) could provide you a way forward.  For wireless,
    > this is not an option because proper network selection needs to occur.
    > Another question is whether we need another mechanism is necessary to
    > validate the voucher (aka, a PSK w/ proof of knowledge, or DPP, etc).

    > Can you say more about what mechanisms OPC is interested in pursuing?

+1


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email