IETF Logo Mail Archive

[Iot-onboarding] Confusing terminology was Re: [Secdispatch] DANE IOT proposed outcome

Mohit Sethi M <mohit.m.sethi@ericsson.com> Wed, 18 November 2020 12:10 UTC

Return-Path: <mohit.m.sethi@ericsson.com>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A5233A17F4; Wed, 18 Nov 2020 04:10:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.1
X-Spam-Level:
X-Spam-Status: No, score=-2.1 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1HQO8FX0cJcP; Wed, 18 Nov 2020 04:10:12 -0800 (PST)
Received: from EUR05-DB8-obe.outbound.protection.outlook.com (mail-db8eur05on2081.outbound.protection.outlook.com [40.107.20.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D05443A17F7; Wed, 18 Nov 2020 04:10:11 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=BklwiU5nNgI50ITi6Vv1IRLETcN7ESs8ahJsDBq0LZFgRNpJR1nFrgyQIkvp1F/6M6UyRWI04hj9BNSULDo2qEunDYUkObW0dODtrHQUcDl7R4Z7zzVCCiS3UGatszsXs9p1lh7G8X4OOt/7XX4mSpwBTy8isS08ST3+X2v4+mxtxmj70Wbh8uGA60UOwBG6wfbaEcm2YhaUxoY4nD+VptQKd8ozGhIZubBg4ibVEY+XIG8HtaW4fk/oZ1Z9PpA1kzT2Eqm1h/h8d93hVvYDV8ynQHpACDBYmwp7ZXL8vZRyry7CY3Y6qT8i00GFkP6FMmx/YVF+45eINOGBSm0ZqQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=l40g54ZaRUZUPh68GWsg2zo8jzAMYMAD5vGIaX4I1ls=; b=U8uwKTXX8J8MzxXYhlyMlnkiok61gvMn4t/NUTvC9gD5JIGqrkKYohcm3YGfjgmOlOnylGkiYYYmpLnInknEHVWhNyc+Yt6fp/BECrfdtjjvs9TCDGzisjHHksnaaKUKIZC4aONZ7nUrykkXTOizMqE3mkzOwutasaK7EF2GMZOSfXxX9Uq+NYk4um3dUIoUr8eAgv3RE1PWuLmRzooRc1mZKNOc51SmFUuHCP+csBfh5sU/ItzFVJfI6BUfVtItNvHfoDY7LShjnN1x9fQXSARvPTS0WWj7+1/pvZJd06UQxyCU/aMgChXfr1Pkezom5E41M87ne1h/Rtz2jDB8hA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=ericsson.com; dmarc=pass action=none header.from=ericsson.com; dkim=pass header.d=ericsson.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=l40g54ZaRUZUPh68GWsg2zo8jzAMYMAD5vGIaX4I1ls=; b=NSOEG8liTGQDchBgnzkfKaVgyg1Ts15iqjhfGo+l7lSYC4fudNS/tBYhONq6esxetntoDYM4XLrtWnzA+nvzAA8uWxvCElBKhOM+HHCuL6xl5L4wwX7kh94GxTL6C5eLDrqTH8eBsxvlkMRqoYQGZ+ZfrTNt+or1L3/G4yfuA2o=
Received: from VI1PR07MB3215.eurprd07.prod.outlook.com (2603:10a6:802:1c::21) by VI1PR07MB3920.eurprd07.prod.outlook.com (2603:10a6:803:37::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3611.9; Wed, 18 Nov 2020 12:10:09 +0000
Received: from VI1PR07MB3215.eurprd07.prod.outlook.com ([fe80::a926:3f37:978b:e40e]) by VI1PR07MB3215.eurprd07.prod.outlook.com ([fe80::a926:3f37:978b:e40e%6]) with mapi id 15.20.3589.017; Wed, 18 Nov 2020 12:10:08 +0000
From: Mohit Sethi M <mohit.m.sethi@ericsson.com>
To: Eliot Lear <lear=40cisco.com@dmarc.ietf.org>, "Panwei (William)" <william.panwei@huawei.com>
CC: "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>, "secdispatch@ietf.org" <secdispatch@ietf.org>
Thread-Topic: Confusing terminology was Re: [Secdispatch] [Iot-onboarding] DANE IOT proposed outcome
Thread-Index: AQHWvaPBBV8WGcj//kmCE55OUJIhJw==
Date: Wed, 18 Nov 2020 12:10:08 +0000
Message-ID: <184ad9b2-fcee-ad01-5fe2-338ad3dcd65a@ericsson.com>
References: <2786E31F-2A4F-4901-8ECC-7AEF4B4D81E2@cisco.com> <b178d5066d6b4371a59ffe59bb6d6447@huawei.com> <A8214369-216E-440B-8757-172416CDF02B@cisco.com>
In-Reply-To: <A8214369-216E-440B-8757-172416CDF02B@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
authentication-results: dmarc.ietf.org; dkim=none (message not signed) header.d=none;dmarc.ietf.org; dmarc=none action=none header.from=ericsson.com;
x-originating-ip: [2001:14bb:150:569:3e8c:ae9:d0ae:34c]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b51742f8-e4a8-47dc-ab8f-08d88bbae4a2
x-ms-traffictypediagnostic: VI1PR07MB3920:
x-microsoft-antispam-prvs: <VI1PR07MB39205AB5ECDCE7BFC82D1E2BD0E10@VI1PR07MB3920.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 0nrGG2+n8+TZ1zdiA1SAgQUm3d6KkWB+7EDLekcv3t6Ir6IlyU09Aeu8BpbdMJLLkoQKiq6WTXK+iEHo0iq6UCJTij4QqnuXk98K0rQ/aUsbt1Tms20rSKk08Fkf8l0K1bxnVWQJj8V3ZdiuUaCz8AqyiE6je5NKvaBHRfdSAanx5JS/LK8aYDmks/hJNrRyxgmsqt2T1ymI6rG5k5M4zLgPiAGEVzoHazUrTxQag5cUne340J1t1lmRRqUYGZ8pZC16empdRVoYqbNnSUx0B0ezOR9iR+qVfEFv5XTOWTrpuQ6p1SQWLvn7IzMbLWeMI9UxuDTrZOCyR5R6AomHlZuBx0/Wkm10c46bZMbJHysAsxLF0zmnQS79DofF5BRW5Q0U3AcwT9eX/H5FJYTioEhoQ6ed++Wq+g91JJSE6ahEWre6C41nZYJLuf0lgF01XkOGZRh2UnAkOw4A04xiBA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:VI1PR07MB3215.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(4636009)(136003)(376002)(346002)(366004)(39860400002)(396003)(8676002)(31686004)(31696002)(71200400001)(166002)(8936002)(54906003)(110136005)(6506007)(53546011)(2616005)(186003)(316002)(5660300002)(83380400001)(6512007)(36756003)(966005)(478600001)(6486002)(91956017)(66946007)(76116006)(4326008)(66476007)(66556008)(64756008)(86362001)(2906002)(66446008)(43740500002); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: yYLdcCo4R590VAci17WyKMzYQjPTM0vy7+W7YnozfVGmXZD4BMqzZ9KVHlgfrOl1A/qTMO9raXNGTZSwoWcRmrruNVOOJ3NHLDEEXUX7vl5/t4rNH4A0UjmAQT6uvDcR08DH+BW/xuqqk0Wa0KU/WMhospNDLasU/thy/9EqVMgEz1YF5bvqeb12czNpjChYSBuF4F8vlV0NroY7Uk39edi62zOJ9a3hfvuwqGybUW6ajhsUFSzMix0tqTGaUTfwsOFKVhAiMlsqquA0dPY6a6Ykc7DNX2xpYatXUFY2ShVXVSm4UgbAxixB01+Vsb4yId/udr4yyg/a2hZFrBRlsybaSf3JmcjErmaNklDc2s89Lkbszrg4O45vFrSHJxw90HC3/lnImfFzXC0NsEKw+IdvfahkiBJ89vI5BWpWuwHsQuVz5anFJVT83J4QMkBCYamiczfY0V27Url2lqf2C72RgHuOGX+3iI82NLaY7fTmx0RmhOBJiaz6WKy8tcUHf1fxoyJEXgxJhq2ENcQzgComjMsqX4Fe2g1wPjU70L713mWT1Ikte2m5/u1FOkt88fqr3AufC00UdFIa+JQZJdQrQbGuPAS+BI4pXAHxZ9MCc4EMMe02U8OC9J9NHIGX0fPlRbmjdUbAFoIwmyMmV71q5jk3Z6yheHEL40LMtk+eklx2UvLmI7eUiHf0WOtq6YF7YcSdlPhdCX+XJhWe0obiZDtTbJApvCvg51VYaLNOPuwlJiPbiNFiHCYDd8RbnYOofVHd0ze6M3MfyTszT3lf97dMuhdtnHukkefLoVZQkV6FVDm5Axknl7mnTcX31F26j/Tq/pIp+N+vTBwQgCYwxAWlh0LJ2N8PEhNP5POBinaZ3wi9VpcuY2gg4ulpH3YMEI3NzEddAOvZGnoHM+3Kyv2v7hBVu5HwrEovLN3Le0KAxJRnKUB/0/yK36cXsuMpM/xwlF6pRJ10ESbPeg==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_184ad9b2fceead015fe2338ad3dcd65aericssoncom_"
MIME-Version: 1.0
X-OriginatorOrg: ericsson.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: VI1PR07MB3215.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b51742f8-e4a8-47dc-ab8f-08d88bbae4a2
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Nov 2020 12:10:08.8409 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: +kV2md9AjvcYbCWCjS8aqljuh4I77zBZzewOvklseDiegimt+iBO5Alm2dMDe5d0tnCxE4Gb3z0f1gVLbgDzF0Np9Zj37GIh0Zfw0x3HnWM=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR07MB3920
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/_doappwrNbPlLQut7AgHvG9MsNs>
Subject: [Iot-onboarding] Confusing terminology was Re: [Secdispatch] DANE IOT proposed outcome
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Nov 2020 12:10:17 -0000

Hi Eliot,

I find your use of the term peer confusing. Let me explain what I mean with this table on various terms for an EAP-TLS implementation:

   +-------------+---------------+-----------------+-------------------+
   |             | Device        | Gateway         | Server            |
   +-------------+---------------+-----------------+-------------------+
   | TLS         | Client        |                 | Server            |
   |             |               |                 |                   |
   | EAP/AAA     | Peer          | Authenticator   | EAP server/backend|
   |             |               |                 | auth server       |
   |             |               |                 |                   |
   | 802.1x      | Supplicant    | Authenticator   | Authentication    |
   |             |               |                 | server (AS)       |
   |             |               |                 |                   |
   | RADIUS      |               | Network access  | RADIUS server     |
   |             |               | server (NAS)    |                   |
   |             |               |                 |                   |
   | 802.11      | Station       | Access Point    |                   |
   +-------------+---------------+-----------------+-------------------+

Assuming email clients are able to render this ascii table correctly, I hope you understand that in some contexts, the device is the peer. When you say proving peer to device, and device to peer, I am unsure if you are referring to a server or a smartphone that acts as a companion device during bootstrapping.

I don't want to be the terminology police here asking people to be more cautious with the usage of terms. I also understand the reality that companies are often forced to do branding to look cool and perhaps improve chances of adoption.

Maybe as protocol engineers we can do somewhat better? I thought we already had too many terms for device: station/peer/client/supplicant. And then I saw the term pledge. Good luck trying to teach network security to new folks. No wonder many students I encounter now want to do AI or javascript but not low-level protocols. I am similarly not enthusiastic with usage of loose terms such as onboarding. At least in my study of several different systems including bluetooth/wi-fi/LWM2M: they principally follow the same terminology pattern: bootstrapping and authentication followed by provisioning/configuration. You could point me to OCF which uses onboarding but we don't have to make the same mistakes as another SDO.

--Mohit

On 11/16/20 2:50 PM, Eliot Lear wrote:
Hi Wei Pan,

I agree with you that there is a need for something that doesn’t require devices to have a full PKI built in.  But there needs to be something unique about the device that it can express and prove.  Also, we should separate out two problems:


  *   Proving the peer to the device
  *   Providing the device to the peer

Each has slightly different characteristics, especially when it comes to certificates.  Nobody should expect a huge cert store to be on a light weight client.  As was said in the chat, that is one thing that BRSKI solves.  But DPP/POK also solves it without certificates, but still requires at least a public/private key pair. Less than that I do not know how to work the problem.

Eliot

On 16 Nov 2020, at 13:02, Panwei (William) <william.panwei@huawei.com<mailto:william.panwei@huawei.com>> wrote:

Thanks to Eliot for summarizing these.

I think the core concept of using DANE in IoT scenario is to get rid of certificates and PKIX. The solution of how to securely onboard the IoT devices and allocate the DNS domain name, both with and without initial certificates, is the key part to figure out.
If the IoT devices have no initial certificates, such as 802.1AR IDevID certificate, as their initial identity, then the BRSKI mechanism won’t be appropriate for these devices because BRSKI has a requirement of IDevID.
If the IoT devices have an IDevID certificate, I think it can still use BRSKI to onboard, but it won’t use EST to request a certificate any more, instead, it will apply for a DNS domain name by using some protocols.

That’s my preliminary thoughts, maybe not right.

Regards & Thanks!
Wei Pan

From: Secdispatch [mailto:secdispatch-bounces@ietf.org] On Behalf Of Eliot Lear
Sent: Monday, November 16, 2020 6:55 PM
To: secdispatch@ietf.org<mailto:secdispatch@ietf.org>
Subject: [Secdispatch] DANE IOT proposed outcome

Thanks to Shumon for presenting the DANE use case for IOT.

We discussed taking this to the iot-onboarding@ietf.org<mailto:iot-onboarding@ietf.org> list as there were a number of rather big open issues that people wanted to discuss.

We also discussed a non-WG forming BOF to look at, as Ted put it, the broader context for onboarding.  To give people a feel for the sort of related work that is available, here are a list of related activities:


  *   draft-ietf-anima-bootstrapping-keyinfra (BRSKI) is a request/response mechanism that uses RFC 8366 vouchers to introduce devices and network infrastructure.
  *   Intel’s SDO provides an application level introduction using vouchers as well.  This work has been taken up by the FIDO alliance.
  *   The Wifi Alliance has Device Provisioning Protocol (DPP) which does not attach to a global name space prior to provisioning having occurred, but does represent a minimum case (just public keys).
  *   draft-friel-eap-tls-eap-dpp borrows from DPP, intended mostly for wired use, where DPP is focused on 802.11 networks.
  *   There are a number of BRSKI related drafts by Owen as well, relating to cloud-based registrars.
  *   There is also work by Michael Richardson and Peter Van Der Stock on constrained vouchers.  That work is taking place in ACE.


Understanding the landscape might help us understand where DANE fits in.

Regards,

Eliot
--
Iot-onboarding mailing list
Iot-onboarding@ietf.org<mailto:Iot-onboarding@ietf.org>
https://www.ietf.org/mailman/listinfo/iot-onboarding




_______________________________________________
Secdispatch mailing list
Secdispatch@ietf.org<mailto:Secdispatch@ietf.org>
https://www.ietf.org/mailman/listinfo/secdispatch

v2.23.0 | Report a Bug | By Email