Re: [Iot-onboarding] administrative control of devices --- thinking again about an IoT security WG

Qin Wu <bill.wu@huawei.com> Thu, 24 September 2020 10:51 UTC

From: Qin Wu <bill.wu@huawei.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "mud@ietf.org" <mud@ietf.org>, "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>
Date: Thu, 24 Sep 2020 10:51:46 +0000
Message-ID: <B8F9A780D330094D99AF023C5877DABAADA0A12F@dggeml511-mbs.china.huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/_ubn1dW0y-8jHaykylZwFttveUY>
Subject: Re: [Iot-onboarding] administrative control of devices --- thinking again about an IoT security WG

Have we considered managing the onboarding of multiple devices at one time?
These devices might be placed behind the same gateway device. In some cases, there is no DNS infrastructure or DHCP.

-Qin
-----Original Message-----
From: Iot-onboarding [mailto:iot-onboarding-bounces@ietf.org] on behalf of Michael Richardson
Sent: 19 September 2020 5:58
To: mud@ietf.org; iot-onboarding@ietf.org
Subject: [Iot-onboarding] administrative control of devices --- thinking again about an IoT security WG


Michael Richardson <mcr+ietf@sandelman.ca> wrote:
    > This includes:
    > * administrative control of devices

Some have asked how big this effort would be.
I think that it might be rather small, and it does not have to be a single solution either.  90% of the challenge in building administrative interfaces is the authorization side.  This is something that can be handled during onboarding.

A RESTCONF interface might be enough.
  1) https://datatracker.ietf.org/doc/draft-ietf-netconf-keystore/ provides
     a way to update a WPA-PSK key for network access.

  2) https://datatracker.ietf.org/doc/rfc8341/ and/or
     https://datatracker.ietf.org/doc/draft-ietf-netconf-trust-anchors/
     provides a way to update who can manage the device.  

  3) I looked for a way to statically configure DNS server IPs into a device,
     should one not be willing to use the Do53 ones from DHCP.  There isn't
     such a thing, but I'll bet ADD WG would comment on such a document.
     I was actually looking for some network configuration ("MIB") YANG module, which
     I'm sure exists, but I'm not YANG expert.
     
  4) https://datatracker.ietf.org/doc/draft-kwatsen-netconf-sztp-csr/
     can be used to renew management interface certificates.  Or the
     onboarding system might have an LDevID renewal process.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
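As an added illustration of item 2 in the quoted message (handing management of a device to a named set of administrators with RFC 8341 NACM over a RESTCONF interface), the following is example code written for this page, not code from the thread's author or from the IETF drafts. It builds the JSON body (RFC 7951 encoding) for a RESTCONF PUT that replaces the whole `ietf-netconf-acm:nacm` container, and then audits a configuration for the settings that would leave management open to anyone who merely authenticates. The device host name, the `/restconf` root path (in practice discovered via `/.well-known/host-meta`), the group name and the user names are assumptions; the request is described rather than sent so the example runs offline.

```python
"""Added example: RFC 8341 (NACM) configuration as sent over RESTCONF (RFC 8040)
to give a named admin group control of a freshly onboarded device.

Not code from the IETF drafts or from the thread's author.  The host, the
/restconf root, the group and the user names below are made up."""
import json

# Assumed device and RESTCONF root; RFC 8040 says the root is discovered via
# /.well-known/host-meta, "/restconf" is merely the common choice.
NACM_URL = "https://device.example/restconf/data/ietf-netconf-acm:nacm"


def nacm_config(admin_users, group="device-admins"):
    """Return the JSON body for a PUT that replaces the nacm container:
    deny-by-default, one admin group, one rule-list letting that group do
    everything.  Leaf and list names follow ietf-netconf-acm (RFC 8341)."""
    return {
        "ietf-netconf-acm:nacm": {
            "enable-nacm": True,
            # RFC 8341 defaults are read=permit, write=deny, exec=permit;
            # tighten all three so anything not matched by a rule is refused.
            "read-default": "deny",
            "write-default": "deny",
            "exec-default": "deny",
            "groups": {"group": [{"name": group, "user-name": list(admin_users)}]},
            "rule-list": [{
                "name": f"{group}-full-access",
                "group": [group],
                "rule": [{
                    "name": "permit-all",
                    "module-name": "*",          # every YANG module
                    "access-operations": "*",    # create/read/update/delete/exec
                    "action": "permit",
                }],
            }],
        }
    }


def restconf_put(url, body):
    """Describe the RESTCONF request instead of sending it, so this runs offline.
    In real use, hand these fields to requests.put(...) over mutually
    authenticated TLS."""
    return {
        "method": "PUT",
        "url": url,
        "headers": {
            "Content-Type": "application/yang-data+json",
            "Accept": "application/yang-data+json",
        },
        "body": json.dumps(body),
    }


def audit(config):
    """Flag NACM settings that leave management open to any authenticated user:
    NACM disabled, permissive defaults, or a permit rule bound to the
    wildcard group '*'.  Absent leaves are read with their RFC 8341 defaults."""
    nacm = config["ietf-netconf-acm:nacm"]
    findings = []
    if not nacm.get("enable-nacm", True):
        findings.append("enable-nacm is false: no access control at all")
    for leaf, default in (("read-default", "permit"),
                          ("write-default", "deny"),
                          ("exec-default", "permit")):
        if nacm.get(leaf, default) == "permit":
            op = leaf.split("-")[0]
            findings.append(f"{leaf} is permit: users matched by no rule can still {op}")
    for rule_list in nacm.get("rule-list", []):
        if "*" in rule_list.get("group", []):
            for rule in rule_list.get("rule", []):
                if rule.get("action") == "permit":
                    findings.append(
                        f"rule-list {rule_list['name']!r}: rule {rule['name']!r} "
                        "grants access to every group")
    return findings


if __name__ == "__main__":
    hardened = nacm_config(["alice", "bob"])
    print(json.dumps(restconf_put(NACM_URL, hardened), indent=2))
    print("audit of hardened config:", audit(hardened))
```

The audit is the part worth keeping around: a device shipped with NACM at its RFC 8341 defaults already grants read and exec to any authenticated user, so an onboarding step that only adds an admin group without also setting the three `*-default` leaves has not actually taken administrative control of the device.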