IETF Logo Mail Archive

Re: [Iot-onboarding] OPC and BRSKI

"Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org> Tue, 06 August 2019 22:51 UTC

Return-Path: <randy.armstrong@opcfoundation.org>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 149B812008C for <iot-onboarding@ietfa.amsl.com>; Tue, 6 Aug 2019 15:51:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=opcfoundation.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kbRzQU5eaJ-C for <iot-onboarding@ietfa.amsl.com>; Tue, 6 Aug 2019 15:51:16 -0700 (PDT)
Received: from NAM05-DM3-obe.outbound.protection.outlook.com (mail-eopbgr730045.outbound.protection.outlook.com [40.107.73.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9C5AD12006E for <iot-onboarding@ietf.org>; Tue, 6 Aug 2019 15:51:16 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=U1LMxZMgH7DzVoU/CHCGpzWNPJQ9MmIe7i/tRPP2fwV42s7TZ22ljnk+VZoOQYwesOhBHVddPbybxurYgJK2MoRCGsKcvlDKefuybmBK90b6tFYF3VGcGLv/Ccdec/wlzx/jgJtXkUcP0UlraH2U1Lg+j0g3WZOP0x65LnVmDLAZLL4EyXZL6w6zFa86AyXijaQDiLaLQy0TzZasI5lfYVCVP2GbQ5zGQf7DDZUpaIeQENPEjaThjX1RvmSx86Q8nAH/WxW7Km9pzsduAZ8ocwwpdVpRY7xPPvFSqOg6SH+iSCHWzv3RnlvYjapq3pR0Z2y9ujWfaBGfV//9MuABeg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8z3vxpyEIw7Nv7eOFYUdHrHr4Z5u3/hn7b4jzsek4pM=; b=GYCcT+LSULHRtkQZQNrYmaBZdOkLQU3gI+F/JH7jg9XB0WHkN5DNNfJjMFyAFW1hg0hcG1jaSUYSI41IiPd8d14rev58xMyj6QHPVIrZU1qyWM/vttyliM/xH/HkJFUi3YtXU5nyIZIx2b+2GvNR619kNKJaH/93i7erD1oKtP2ajDl5EObQLY81wh6C/j3sCwxmzgf4GJUhJ644ya77Z/2Ri7VAXAuzQq92g36g414/PP8wGM0ieMvS0crMQ8QjNw76LSyRcx19d9l8h32S1EgMV0FrO9rON/gmhWQjLbDGr/nx8DMmN89mOzoL+46F3mPGedk+l77NQYV0tuolzw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1;spf=pass smtp.mailfrom=opcfoundation.org;dmarc=pass action=none header.from=opcfoundation.org;dkim=pass header.d=opcfoundation.org;arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=opcfoundation.onmicrosoft.com; s=selector1-opcfoundation-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8z3vxpyEIw7Nv7eOFYUdHrHr4Z5u3/hn7b4jzsek4pM=; b=Qt2OYmN1z5HQygNggUQMGZ0LQJMKoyiS76+NzGcFvjnk2GtS+4qg9W64RSQp5VB27eFj1PP+d+aG7KyHjgvNNjphZgKpV+ydIpW3UZgDrwTkt6uuoGRSoQjdow+LzuPTd3I2s1myxeSH7/raG6bYbXeohzZIKL3nwo2e/jcHFsk=
Received: from BYAPR08MB4903.namprd08.prod.outlook.com (20.176.255.96) by BYAPR08MB5719.namprd08.prod.outlook.com (20.179.61.214) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2136.17; Tue, 6 Aug 2019 22:51:13 +0000
Received: from BYAPR08MB4903.namprd08.prod.outlook.com ([fe80::149d:d834:7df3:fc53]) by BYAPR08MB4903.namprd08.prod.outlook.com ([fe80::149d:d834:7df3:fc53%4]) with mapi id 15.20.2094.017; Tue, 6 Aug 2019 22:51:13 +0000
From: "Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>
Thread-Topic: [Iot-onboarding] OPC and BRSKI
Thread-Index: AdVMZzs5EDHMP+c/QWCVcWuK34MU/QAGrJ8AAADfarAABYC2gAAAxI7A
Date: Tue, 06 Aug 2019 22:51:12 +0000
Message-ID: <BYAPR08MB4903053E68A056CC9A471B51FAD50@BYAPR08MB4903.namprd08.prod.outlook.com>
References: <BYAPR08MB4903F02A37ED9AE092A59B8EFAD50@BYAPR08MB4903.namprd08.prod.outlook.com> <649C8221-5F33-4EC2-8E03-3EEAF4CAAB64@cisco.com> <BYAPR08MB4903129ECDEADF61E681DE0BFAD50@BYAPR08MB4903.namprd08.prod.outlook.com> <27052.1565125853@localhost>
In-Reply-To: <27052.1565125853@localhost>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=randy.armstrong@opcfoundation.org;
x-originating-ip: [24.80.80.10]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 656b3d81-03e7-4df6-2223-08d71ac094ed
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(7021145)(8989299)(4534185)(7022145)(4603075)(4627221)(201702281549075)(8990200)(7048125)(7024125)(7027125)(7023125)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:BYAPR08MB5719;
x-ms-traffictypediagnostic: BYAPR08MB5719:
x-ms-exchange-purlcount: 4
x-microsoft-antispam-prvs: <BYAPR08MB57192F3404F1AACF541E7588FAD50@BYAPR08MB5719.namprd08.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0121F24F22
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(136003)(376002)(39840400004)(346002)(366004)(199004)(51444003)(189003)(13464003)(66946007)(66476007)(256004)(68736007)(14444005)(66556008)(66446008)(64756008)(71200400001)(66066001)(76116006)(5660300002)(86362001)(229853002)(14454004)(7696005)(6116002)(33656002)(53546011)(6506007)(71190400001)(76176011)(316002)(99286004)(3846002)(2906002)(102836004)(186003)(52536014)(74316002)(7736002)(4326008)(6306002)(55016002)(26005)(508600001)(25786009)(446003)(54896002)(6436002)(790700001)(81166006)(486006)(9326002)(966005)(81156014)(9686003)(8676002)(53936002)(476003)(11346002)(6246003)(8936002); DIR:OUT; SFP:1101; SCL:1; SRVR:BYAPR08MB5719; H:BYAPR08MB4903.namprd08.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: opcfoundation.org does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: o1Pismbnggl252d5MTy/qeXbiISKL0PSt3J9TU093dgKcEtsop6SwavDx0E1+v8qPRy21CDBmdPZFotL/b5fAEFu3q8UTUWjVujSnk1LCUtAaRCkFonAi9ZkEIdgfyiD8FQcr5Bo5OG6ooL8mPbZvj2Gww0XWGBSWOxtS9Pc0o39x1LbgITuGHFsq8iUmKi1NSCKmaxf01On0uxcZz4qAft4pdF2aPZ6kM+Co6if/Gc6v0KQHdipj/F07qILSytViOspju7QRxBuUEe4IRQx8+S1Cf9WEyBVA3QXiJJRQ5HJSSRvPQG80DDPPFnP7n/LHw3eQZh8wr38U4GC0V7Ncef9e7kPZ9XyoWAhDzYl4uCxGgsPdkUbXvX2ABussShUvps+6Gp8OyJHfZry+AKOgwToe/4xeZ1KfGbmvhFr2mE=
Content-Type: multipart/alternative; boundary="_000_BYAPR08MB4903053E68A056CC9A471B51FAD50BYAPR08MB4903namp_"
MIME-Version: 1.0
X-OriginatorOrg: opcfoundation.org
X-MS-Exchange-CrossTenant-Network-Message-Id: 656b3d81-03e7-4df6-2223-08d71ac094ed
X-MS-Exchange-CrossTenant-originalarrivaltime: 06 Aug 2019 22:51:12.9067 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 2d8ef4e4-d41c-489c-8004-bb99304b60fe
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: randy.armstrong@opcfoundation.org
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR08MB5719
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/S-QfJkFpig2iFOZaEjOLmycNkwU>
Subject: Re: [Iot-onboarding] OPC and BRSKI
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 Aug 2019 22:51:20 -0000

Hi Michael,



1) What is "OPC", from a transport and security point of view?



My initial post was terse because I was not sure it was the right group.

The complete set of specifications are here: https://opcfoundation.org/developer-tools/specifications-unified-architecture

Part 2 provides the overview of the security architecture.

Part 6 defines the layered transport model.



However, it is a lot of text to get through.



2) Secure Zero-Touch Provisioning, which uses the same format vouchers, but has different flows.



Interesting. One solution that works for us is to allow the registrar to use OPC UA instead of TLS which would allow use to define that flows that address all of the OPC requirements. The registrar would then follow BRSKI for interactions with the MASA.



2) What an appropriate answer is depends upon who will be responsible for the components.  Is it the manufacturer of the aggregate or the manufacturer of the devices. One way to think of this as an initial sale to the aggregator, and then to replace the trust anchors for a second sale.



Ok, so the device certificate can be replaced by a machine builder? If that is OK then it would address this concern.



4) If not, then you either need a bearer voucher (which RFC8366 declined to define, as it's so powerful, we were afraid of the security considerations), If not, then you either need a bearer voucher (which RFC8366 declined to define, as it's so powerful, we were afraid of the security considerations),



We will need bearer vouchers. The registrar is the entity that should decide if a given device belongs on a network as long as the bearer vouchers allow the registrar to verify the origin of the device (i.e. only bearer vouchers issued by a trusted source would be accepted).



Regards,



Randy





-----Original Message-----

From: Iot-onboarding <iot-onboarding-bounces@ietf.org> On Behalf Of Michael Richardson

Sent: August 6, 2019 2:11 PM

To: Randy Armstrong (OPC) <randy.armstrong@opcfoundation.org>

Cc: iot-onboarding@ietf.org

Subject: Re: [Iot-onboarding] OPC and BRSKI





Randy Armstrong (OPC) <randy.armstrong@opcfoundation.org> wrote:

    > I will start with the main trouble spots. Some of these may be already

    > covered by BRKSI but I missed the implications of some of the text:



    > 1) Low end devices that only support OPC; this means no TLS client

    > capabilities and no ability to initiate network communication

    > (i.e. server only mode);



What is "OPC", from a transport and security point of view?

When I looked through the web site, I'm afraid I came up empty.



BRSKI can be made to work when the pledge is a responder, but there are details that need to be worked out for specific use cases.



You may prefer https://datatracker.ietf.org/doc/rfc8572/

Secure Zero-Touch Provisioning, which uses the same format vouchers, but has different flows.



    > 2) Machine builders that combine devices into a machine that is sold as

    > a unit. These device still have a unique network identity but the

    > effective manufacturer has changed; How to deal with the DeviceID?



What an appropriate answer is depends upon who will be responsible for the components.  Is it the manufacturer of the aggregate or the manufacturer of the devices. One way to think of this as an initial sale to the aggregator, and then to replace the trust anchors for a second sale.



Another way is to think of this is that the aggregator runs a mini-registrar, onboards the devices into the aggregate, and then takes care of the devices itself.



    > 3) Devices may be reset to factory defaults and sold/transferred to

    > another organization. This needs to be possible even if the MASA is no

    > longer available (i.e. the original manufacturer has gone out of

    > business).



There are a number of different ways to do this; every single one of them requires some advance planning (coding) by the device manufacturer.



    > 4) Offline operation is the norm with pre-issued vouchers delivered out

    > of band. The pre-issued vouchers will need to have reasonably long

    > lifetime (i..e. years not hours).



This has already been taken into account.

The question is whether the end-owner is known at time of voucher issue or not.



If not, then you either need a bearer voucher (which RFC8366 declined to define, as it's so powerful, we were afraid of the security considerations), or you need to pin to a temporary key which is turned over the operator.

But, that is effectively a bearer voucher with multiple components.



    > The lifecycle of a device is shown in the following diagram. The

    > expectation is we would need to add links to the MASA at each step in

    > the lifetime.



I don't think you need a connection to the MASA until provisioning box, nor after that either.



I think that the hardest part is (1), and then it's just an applicability statement.



--

Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email