IETF Logo Mail Archive

Re: [Iot-onboarding] [Anima] EXTERNAL: Re: OPC and BRSKI

"Owen Friel (ofriel)" <ofriel@cisco.com> Tue, 13 August 2019 13:19 UTC

Return-Path: <ofriel@cisco.com>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7992D120130; Tue, 13 Aug 2019 06:19:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=lMsrE/Ns; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=WtpKa0d2
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S0uKQ0D0fVrW; Tue, 13 Aug 2019 06:19:19 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8C860120152; Tue, 13 Aug 2019 06:19:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6471; q=dns/txt; s=iport; t=1565702359; x=1566911959; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=ZetzCCH3Yw/1B1PuzSOLxdJWFXmyk013nvGXuXD//1E=; b=lMsrE/Ns9V/mhQ/WkjqyCf0q4nPpaC52iisykLwcUQa+/E+3IGgBUJQa 1lcRU3DX3FvTsFTC9ZE7t1lFsC2kztEV5FmMjJxaysRuzDcKzQt8+Sf+8 rYrn9vUsAM0pSem70vF/LYaOmerYDYUBtykkLpwub+4rkpfrfPVEfPGru g=;
IronPort-PHdr: 9a23:I7dwnxCe99Cjy3ywSaE8UyQJPHJ1sqjoPgMT9pssgq5PdaLm5Zn5IUjD/qg83kTRU9Dd7PRJw6rNvqbsVHZIwK7JsWtKMfkuHwQAld1QmgUhBMCfDkiuK/DwbiE+NM9DT1RiuXq8NBsdFQ==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ASAACEuFJd/5ldJa1mGQEBAQEBAQEBAQEBAQcBAQEBAQGBVQIBAQEBAQsBgUQkBScDbVUgBAsqCodbA4sOgluXYoEugSQDVAkBAQEMAQEYCwoCAQGBS4J0AoJ6IzYHDgEEAQEEAQEEAQpthScMhUoBAQEBAwEBECgGAQEsCwELBAIBCA4DBAEBAR4QJwsdCAIEAQ0FCBqCNUyBagMdAQ6hZgKBOIhggiWCegEBBYE3AoNEGIIUCYE0AYohgUMXgUA/gRFGgkw+gmEBAQIBgR0lHoM7giaMGAc9ngVtCQKCHYZjixiCUpg9jVWHX5AkAgQCBAUCDgEBBYFXAy6BWHAVO4JsCYI5DBeCe1SFFIU/cgEBgSeNLAGBIAEB
X-IronPort-AV: E=Sophos;i="5.64,381,1559520000"; d="scan'208";a="613296185"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by rcdn-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 13 Aug 2019 13:19:17 +0000
Received: from XCH-ALN-017.cisco.com (xch-aln-017.cisco.com [173.36.7.27]) by rcdn-core-2.cisco.com (8.15.2/8.15.2) with ESMTPS id x7DDJHvj006062 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 13 Aug 2019 13:19:17 GMT
Received: from xhs-aln-001.cisco.com (173.37.135.118) by XCH-ALN-017.cisco.com (173.36.7.27) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 13 Aug 2019 08:19:17 -0500
Received: from xhs-aln-003.cisco.com (173.37.135.120) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 13 Aug 2019 08:19:16 -0500
Received: from NAM05-BY2-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Tue, 13 Aug 2019 08:19:16 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WXNDrwoF7pmVTJQFHow1Z+xfA/uEHDmofzrSL0bpzSvGj+4sXQWGQkTeQOnVzroKYh3EVFHC88NJnCuKvN4djf33SWu3EBS1YH9N5tuf/QiUGqVJFbizmpk8fTWntGZaKI1lOSKjlJBSsJNtmwYTIDGw43fS5C8l7kDisxj2c3G5YVZSmysC2qkJqWxs4Cliz5AcWvZgLpvM3eoUs6TpuJ8K3SQ4p+lNBtH8VQNG3mLHEOklCUA4rz2iO2idhe5/FeTxz+TC5E5ynXhw85d+2M1+wx9HNnCpHo2IN/nbN18Mg30NsyqZBeGOdsuHsd6Twn/w4Z7EzaQYhhLR9q7lng==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=hocd6+wFQWw+EbpiLNBAHM0T5ocNlqJhIaSaZUtT13w=; b=Rylkk88IYBpZRvDnNH57Bw7eQ16/PjIAyBM1/lUYjZIxaTnpWh0cYYEDr5xD4M/xpteP7+W4jmxQaiXz2Iv4p8J6k7+gNXUAFdG9O5vyO/BGFquPEeQiBzXl41w1vcXPmrL5nRXvGG6a7wMU8mmbbZMOK3thwohZGZipy/pL2wk9s0OkA8yp540mDTAzv0pchxdXo14NPTWPzzPLYKtlzI00KxfbLb88ExeS3+jhG3DPs4EjB/EMaua7hm7eIViKVWiGyqMPLnMgy1bgFIb8EVAyIekYS5Qb8j/4iLqlFiG/ssuD35gOertbybdIOBd0iZNGFBVodHZZd9X3loBA6A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=hocd6+wFQWw+EbpiLNBAHM0T5ocNlqJhIaSaZUtT13w=; b=WtpKa0d2RRvgKbkoYDEXsn/1xDvOKx09HWJWMT+00iI75RSYoHDpfXcEbGGuDZQwHOrFUCnkH/jYLhwdFD4IfLmur0w/syzmOaVjp4Ls58vaFLt/FQxCX2Y7ILhoLZkxiLMxXTFmrijx5ZL/gywlfKYDzTybXPXEog4US6wYD0I=
Received: from CY4PR1101MB2278.namprd11.prod.outlook.com (10.172.76.13) by CY4PR1101MB2245.namprd11.prod.outlook.com (10.172.79.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2157.16; Tue, 13 Aug 2019 13:19:15 +0000
Received: from CY4PR1101MB2278.namprd11.prod.outlook.com ([fe80::c060:dedd:1c7e:cf11]) by CY4PR1101MB2278.namprd11.prod.outlook.com ([fe80::c060:dedd:1c7e:cf11%12]) with mapi id 15.20.2157.022; Tue, 13 Aug 2019 13:19:15 +0000
From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Toerless Eckert <tte@cs.fau.de>, Jack Visoky <jmvisoky=40ra.rockwell.com@dmarc.ietf.org>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, "Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org>, "anima@ietf.org" <anima@ietf.org>, "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>
Thread-Topic: [Iot-onboarding] [Anima] EXTERNAL: Re: OPC and BRSKI
Thread-Index: AQHVUVxfgQd3rVTIeESwtoKXZYIhOKb5ECEA
Date: Tue, 13 Aug 2019 13:19:14 +0000
Message-ID: <CY4PR1101MB227858FC480A81B98505DC8ADBD20@CY4PR1101MB2278.namprd11.prod.outlook.com>
References: <BYAPR08MB4903129ECDEADF61E681DE0BFAD50@BYAPR08MB4903.namprd08.prod.outlook.com> <46BF5F7B-5407-45A9-9C4F-EA553DF5814B@cisco.com> <11781.1565189957@localhost> <20190807172252.4sadxaiprm6hhmdy@faui48f.informatik.uni-erlangen.de> <BYAPR08MB490385B1BED4C665C79B1937FAD70@BYAPR08MB4903.namprd08.prod.outlook.com> <4671.1565279232@localhost> <BYAPR08MB49034F3B36F6979D59561FC3FAD70@BYAPR08MB4903.namprd08.prod.outlook.com> <DM5PR2201MB1340BD83D6CF3F95E82518C299D60@DM5PR2201MB1340.namprd22.prod.outlook.com> <19592.1565471757@localhost> <DM5PR2201MB1340616CB8E90FFEB486531999D00@DM5PR2201MB1340.namprd22.prod.outlook.com> <20190812185020.za2rtuo6bduhsu7i@faui48f.informatik.uni-erlangen.de>
In-Reply-To: <20190812185020.za2rtuo6bduhsu7i@faui48f.informatik.uni-erlangen.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ofriel@cisco.com;
x-originating-ip: [64.103.40.17]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2fe26672-de5b-4295-76b6-08d71ff0d6e9
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:CY4PR1101MB2245;
x-ms-traffictypediagnostic: CY4PR1101MB2245:
x-ms-exchange-purlcount: 4
x-microsoft-antispam-prvs: <CY4PR1101MB22452AB28C71FD8ACDBBE862DBD20@CY4PR1101MB2245.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 01283822F8
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(366004)(39860400002)(376002)(346002)(396003)(189003)(199004)(13464003)(8676002)(4326008)(26005)(2906002)(6116002)(446003)(11346002)(14454004)(14444005)(256004)(476003)(81166006)(81156014)(99286004)(316002)(76176011)(7696005)(3846002)(6246003)(5660300002)(8936002)(110136005)(25786009)(64756008)(66946007)(71190400001)(74316002)(66066001)(305945005)(7736002)(66446008)(66476007)(478600001)(33656002)(186003)(966005)(71200400001)(53936002)(486006)(53546011)(6506007)(6306002)(6436002)(102836004)(55016002)(76116006)(52536014)(9686003)(86362001)(229853002)(66556008)(54906003); DIR:OUT; SFP:1101; SCL:1; SRVR:CY4PR1101MB2245; H:CY4PR1101MB2278.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: WWQOdivRCmjF2gPU7PGogkA8VkC+9n2zZnK+KHnt4C5DqZRT6Smk7r3h/Y21Pi41aoPXJ50EYcMN2Wh75doHXczFSV42sK7trvUTCelHtXfWpCsT7Q0Vw6Q5uROV/qtfdxdVJVKtsF6eBgFYd+KmfZJBM1LlcEIJAe0Xf8rdVhulSRiQkbWFPxR9TWMhUuCQ0SmLJlhK55fQqXSksz6fSjz5oMVTeimku7I1eH24NbRDCdRjn/vIYf61sA0Hxi1AiWNOKXnu/JomkwiRe/KoFfQjzohXMQHHG6AvsFMuq7vGqbl+hJSXV43EzpL/8gkrdSO3qNZM7X1CUOUHca7zd4WqffV3GxwBJgaY+tU2ZeMIILzU6VNkcyLCy9xAhDGnUsVbmeVyn++RwRMN39zY5CZcbkYxFzc+uZJBrrhBAOk=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 2fe26672-de5b-4295-76b6-08d71ff0d6e9
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Aug 2019 13:19:15.1512 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: SXTQsG014vtQLBOwySD9jAeK45lqOT5CPZ49dtSBWQyedUHqtLCjJyk+SMrsB2m4znp5/GfexBwgTSxEkWy7DA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1101MB2245
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.27, xch-aln-017.cisco.com
X-Outbound-Node: rcdn-core-2.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/lYpEv-2P22IyHnGcmLAdKWNha8A>
Subject: Re: [Iot-onboarding] [Anima] EXTERNAL: Re: OPC and BRSKI
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Aug 2019 13:19:22 -0000


-----Original Message-----
From: Iot-onboarding <iot-onboarding-bounces@ietf.org> On Behalf Of Toerless Eckert
Sent: 12 August 2019 19:50
To: Jack Visoky <jmvisoky=40ra.rockwell.com@dmarc.ietf.org>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>; Randy Armstrong (OPC) <randy.armstrong@opcfoundation.org>; anima@ietf.org; iot-onboarding@ietf.org
Subject: Re: [Iot-onboarding] [Anima] EXTERNAL: Re: OPC and BRSKI

Agreeing to what Michael and you said, but also wanted to point out that TLS as defined by IETF is on a trajectory which may or may not be desirable for e.g.: industrial automation (where OPC is used) or other regulated/ critical environments.

For example the total elimination of any non-encryption option in the
TLS1.3 profile and the removal of the ability for passive observers to see the certificates exchanged impeeds severely on the ability to do passive diagnostics.

I at least think there are good reasons to also have a strong and independent reviewed authentication scheme without encryption that can well be diagnosed by passive observers.

Aspects like these are easily fixed IMHO by creating different profiles of TLS. Whether or not one could get such profiles through the TLS WG in the IETF is of course a different question given what seems to be a highly contentuous nature of the topic.

There also seems to be a desire of areas of industrial automation to avoid the overhead of a perceived to be redundant network layer. This was a thing back in the days of OSI where TP4 was often run in factories without CLNS, and given how IP hasn't really improved on simplified, automated address management vs. L2 switched ethernet, this still seems to be a thing. Aka: Someone would need to define TLS on top of just ethernet instead of IP/IPv6. And there may be other similar L2 "transport" technologies where its not clear if simple ethernet mappings would suffice (bluetooth, wifi,...).

Last but not least, QUIC is on a path to replace TLS and that too puts a dent into the belief that TLS as it stands would be a long term stable most-widely used protocol.

[ofriel] Its more accurate to say that QUIC is going to replace TCP. QUIC will be secured using TLS: https://tools.ietf.org/html/draft-ietf-quic-tls-22


Finally: There is something said to not simply trust a design like TLS which you do not really understand just because  its widely used, and thus hopefully well reviewed, but rather make sure you have a design based on solid understanding of the cryptographic principles employed and a well defined review/control process of implementations.  Incidents like with OpenSSL show how badly reviewed even the most widely deployed crypto mechanisms can be.

Cheers
    Toerless



On Sun, Aug 11, 2019 at 09:31:22PM +0000, Jack Visoky wrote:
> > but there are significant benefits to not maintaining your own protocols, and significant benefits to getting the extensive review that TLS gets.
> 
> I could not agree more with this statement.
> 
> Thanks,
> 
> --Jack
> 
> 
> -----Original Message-----
> From: Michael Richardson <mcr+ietf@sandelman.ca>
> Sent: Saturday, August 10, 2019 5:16 PM
> To: Jack Visoky <jmvisoky@ra.rockwell.com>; Randy Armstrong (OPC) 
> <randy.armstrong@opcfoundation.org>; iot-onboarding@ietf.org; 
> anima@ietf.org
> Subject: Re: EXTERNAL: Re: [Anima] [Iot-onboarding] OPC and BRSKI
> 
> 
> Jack Visoky <jmvisoky@ra.rockwell.com> wrote:
>     > I am also involved with OPC-UA and would like to provide my/my
>     > company's perspective.  One of the major drivers of this engagement
>     > with the ANIMA group was a contentious point around whether or not TLS
>     > and EST are required for support of BRSKI.  Some of us had taken the
>     > position that these technologies are an integral part of BRSKI and
>     > shouldn't be replaced with OPC specific methods, especially given the
>     > benefit of using highly adopted security technologies, as well as the
>     > tight coupling of BRSKI to these.  So, I think the idea that OPC should
>     > just use these technologies is very much a viable answer.
> 
> If the device is powered or has enough battery to do 802.11, then it probably has enough power and code space to do TLS (particularly mbedtls from ARM).
> If it's on a very low duty cycle on battery, and/or it does 802.15.4, 
> then the question is still open.  The IETF may start work on a 
> 802.15.4 specific AKE, (see lake@ietf.org).  We believe we need these 
> for 6tisch (TSCH mode of 802.15.4 for deterministic industrial 
> networks)
> 
> It appears that the OPC UA methods provide enough security to do BRSKI, but there are significant benefits to not maintaining your own protocols, and significant benefits to getting the extensive review that TLS gets.
> 
>     > Also, I would strongly push back on any claims that low end OPC devices
>     > cannot support TLS.  Other industrial protocols have already added TLS
>     > support and are shipping products, including those with TLS client
>     > functionality.  TLS is no more heavy-weight than existing, OPC-specific
>     > security mechanisms.
> 
> The OPC-specific mechanism appears to avoid a DH operation and therefore lacks PFS.  I understand it uses RSA, which means that it's significantly more expensive than TLS with ECDSA (and ECDH) would be, and most SOCs have hardware acceleration for ECDSA's secp256v1, fewer have RSA acceleration.
> 
>     > In any event I will be sure to join the call that has been set up for
>     > later in August.
> 
> Awesome.
> 
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
> 
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  
> -= IPv6 IoT consulting =-
> 
> 
> 
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima

--
---
tte@cs.fau.de

--
Iot-onboarding mailing list
Iot-onboarding@ietf.org
https://www.ietf.org/mailman/listinfo/iot-onboarding

v2.23.0 | Report a Bug | By Email