Re: [Iot-onboarding] OPC and BRSKI

"Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org> Tue, 06 August 2019 18:58 UTC

From: "Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org>
To: "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>
Thread-Topic: [Iot-onboarding] OPC and BRSKI
Thread-Index: AdVMZzs5EDHMP+c/QWCVcWuK34MU/QAGrJ8AAADfarA=
Date: Tue, 06 Aug 2019 18:58:15 +0000
Message-ID: <BYAPR08MB4903129ECDEADF61E681DE0BFAD50@BYAPR08MB4903.namprd08.prod.outlook.com>
References: <BYAPR08MB4903F02A37ED9AE092A59B8EFAD50@BYAPR08MB4903.namprd08.prod.outlook.com> <649C8221-5F33-4EC2-8E03-3EEAF4CAAB64@cisco.com>
In-Reply-To: <649C8221-5F33-4EC2-8E03-3EEAF4CAAB64@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/na1cjZ0nTi0e3uwwnIgVm-pUFcs>

I will start with the main trouble spots. Some of these may be already covered by BRSKI but I missed the implications of some of the text:

1) Low-end devices that only support OPC; this means no TLS client capabilities and no ability to initiate network communication (i.e. server only mode);

2) Machine builders that combine devices into a machine that is sold as a unit. These devices still have a unique network identity but the effective manufacturer has changed; How to deal with the DeviceID?

3) Devices may be reset to factory defaults and sold/transferred to another organization. This needs to be possible even if the MASA is no longer available (i.e. the original manufacturer has gone out of business).

4) Offline operation is the norm with pre-issued vouchers delivered out of band. The pre-issued vouchers will need to have reasonably long lifetime (i.e. years not hours).

The lifecycle of a device is shown in the following diagram. The expectation is we would need to add links to the MASA at each step in the lifetime.

[Inline image: device lifecycle diagram (not included in the archived message)]

Regards,

Randy
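A pledge-side check for the pre-issued, long-lived vouchers described in point 4 above, written as an added example for this thread rather than code from any OPC or BRSKI implementation. The leaf names and the nonce/expires-on rule follow the RFC 8366 voucher YANG module; the sample voucher, its serial number and the "no expires-on" policy are constructed assumptions, and the CMS signature around a real voucher is assumed to have been verified before the content is examined.

```python
import json
from datetime import datetime

# Constructed sample: a nonceless voucher as a MASA might pre-issue for an
# offline commissioning workflow, with a multi-year expires-on. The CMS
# signature around a real voucher is assumed to have been verified already.
SAMPLE_VOUCHER = json.dumps({"ietf-voucher:voucher": {
    "created-on": "2019-08-06T18:58:15Z",
    "expires-on": "2024-08-06T00:00:00Z",
    "assertion": "logged",
    "serial-number": "EXAMPLE-SN-0001",
    "pinned-domain-cert": "BASE64-DER-PLACEHOLDER",
}})


def _parse_time(value):
    # yang:date-and-time is an RFC 3339 timestamp; accept the 'Z' suffix.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_voucher(voucher_json, pledge_serial, now):
    """Return (ok, reasons, remaining_lifetime); 'now' is the pledge's
    trusted time (datetime or RFC 3339 text), or None without a trusted clock."""
    if isinstance(now, str):              # accept RFC 3339 text or datetime
        now = _parse_time(now)
    v = json.loads(voucher_json)["ietf-voucher:voucher"]
    reasons = []
    for leaf in ("created-on", "assertion", "serial-number"):
        if leaf not in v:                 # mandatory leaves in RFC 8366
            reasons.append(f"missing {leaf}")
    if v.get("assertion") not in ("verified", "logged", "proximity"):
        reasons.append("unknown assertion")
    if v.get("serial-number") != pledge_serial:
        reasons.append("serial-number does not match this pledge")
    has_nonce, has_expiry = "nonce" in v, "expires-on" in v
    if has_nonce and has_expiry:          # RFC 8366: mutually exclusive leaves
        reasons.append("nonce and expires-on both present")
    if not has_nonce and not has_expiry:  # this example's policy, not an RFC rule
        reasons.append("pre-issued voucher has no expires-on")
    remaining = None
    if has_expiry:
        expires = _parse_time(v["expires-on"])
        if now is None:                   # low-end pledge without a clock
            reasons.append("cannot enforce expires-on without a trusted clock")
        elif expires <= now:
            reasons.append("voucher expired")
        else:
            remaining = expires - now
    return (not reasons, reasons, remaining)
```

The returned remaining lifetime is what an operator would compare against the "years not hours" requirement before shipping a pre-issued voucher with the device.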

From: Eliot Lear <lear@cisco.com>
Sent: August 6, 2019 11:08 AM
To: Randy Armstrong (OPC) <randy.armstrong@opcfoundation.org>
Cc: iot-onboarding@ietf.org
Subject: Re: [Iot-onboarding] OPC and BRSKI

Yes it is, and it is timely.  I want to stress that what would help greatly would be a step through of the OPC UA use case.

In particular, one of the issues we want to solve for is when system integrators are in the flow.  The question for us, and this is particularly important as you evolve your TSN approaches, is how should ownership transfer or proof of knowledge occur along the path of SIs.  What is a day in the life of onboarding that you envision?  For a PLC or a POD, how hands free do you want to go?

Eliot




On 6 Aug 2019, at 16:57, Randy Armstrong (OPC) <randy.armstrong@opcfoundation.org> wrote:

Hello All,

I work with the OPC Foundation and we are currently trying to solve a problem similar to what BRSKI is trying to solve for industrial automation devices. However, there are a number of unique requirements in our space which appear to create impedance mismatches between what BRSKI assumes and what we need. I would like to start a discussion on those differences and see if they can be resolved in a way to allow OPC Specifications to incorporate BRSKI.

Is this the right forum for such discussions?

Regards,

Randy Armstrong
https://opcfoundation.org/

From: Iot-onboarding <iot-onboarding-bounces@ietf.org> On Behalf Of Owen Friel (ofriel)
Sent: August 6, 2019 7:38 AM
To: Owen Friel (ofriel) <ofriel@cisco.com>; Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>; anima@ietf.org; iot-onboarding@ietf.org
Subject: Re: [Iot-onboarding] Device Certificate Deployment Automation with ACME using BRSKI

FYI, It's up on github now:

https://github.com/upros/brski-cloud


From: Anima <anima-bounces@ietf.org> On Behalf Of Owen Friel (ofriel)
Sent: 06 August 2019 14:05
To: Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>; anima@ietf.org; iot-onboarding@ietf.org
Subject: Re: [Anima] [Iot-onboarding] Device Certificate Deployment Automation with ACME using BRSKI

Hi guys,

After the meeting and from corridor conversations with Toerless, I had actually already started on such a draft.

What I have started so far is attached. It's not on a public repo yet, but I will put it there. You are already named on it, Rifaat; happy to add you too, Michael, and you can help figure out some of the open redirect options outlined in it :)

My high level thoughts on this were to keep the ACME specifics out of the draft, and use the draft to define the cloud RA behaviour, and the pledge behaviour when interacting with the cloud RA, and the various cert, CA, TLS, redirect, etc. details. The fact that the RA (whether cloud or local) *may* use ACME to talk to the CA is transparent to the pledge.

I was thinking that the ACME specifics could be covered in a different draft based on merging draft-yusef-acme-3rd-party-device-attestation and draft-friel-acme-integrations, but leave the BRSKI clarifications/specifics in this one.

Thoughts?
Owen




From: Iot-onboarding <iot-onboarding-bounces@ietf.org> On Behalf Of Rifaat Shekh-Yusef
Sent: 02 August 2019 19:09
To: anima@ietf.org; iot-onboarding@ietf.org
Subject: [Iot-onboarding] Device Certificate Deployment Automation with ACME using BRSKI

All,

During the last IETF meeting in Montreal we had a side meeting to discuss the
deployment automation of ACME issued certificates to devices, and the potential
use of the BRSKI mechanism to help with this. It was clear from the discussion
that BRSKI can be used to help address this use case, and that further discussion is
needed to define the needed enhancements to BRSKI.

The current BRSKI mechanism only briefly discusses the Cloud Registrar option in
section 2.7, which could be used to help address this use case.

Michael Richardson and I had another meeting over lunch yesterday to further
discuss this and we decided to work on a new draft to describe the issue and
define a solution.

Because of vacations and other commitments, we will try to publish the first
version of the draft early October.

Regards,
 Rifaat & Michael