[Iot-onboarding] UX concerns with BRSKI
Michael Richardson <mcr@sandelman.ca> Sun, 01 September 2019 17:07 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8314B12002F for <iot-onboarding@ietfa.amsl.com>; Sun, 1 Sep 2019 10:07:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ra12fmcP5fKl for <iot-onboarding@ietfa.amsl.com>; Sun, 1 Sep 2019 10:07:48 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [176.58.120.209]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0F00C120025 for <iot-onboarding@ietf.org>; Sun, 1 Sep 2019 10:07:47 -0700 (PDT)
Received: from dooku.sandelman.ca (unknown [142.169.78.159]) by relay.sandelman.ca (Postfix) with ESMTPS id 8DCE61F45A for <iot-onboarding@ietf.org>; Sun, 1 Sep 2019 17:07:43 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 1ABA2AF3; Sun, 1 Sep 2019 13:08:14 -0400 (EDT)
To: iot-onboarding@ietf.org
X-Attribution: mcr
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
From: Michael Richardson <mcr@sandelman.ca>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Sun, 01 Sep 2019 13:08:14 -0400
Message-ID: <18791.1567357694@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/m9beeg6Sn-qHpH9I-0meEfnNsTE>
Subject: [Iot-onboarding] UX concerns with BRSKI
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 01 Sep 2019 17:07:50 -0000
Hi, I have been discussing UX issues with BRSKI and various IoT onboarding schemes with Scott Jenson of Google's Android IoT team. He is now on this list, and I wanted to share his notions. He wrote: sj> I'm going to assume that my aspirations line up with ANIMA/BRSKI but not sj> completely. My goal is to figure out how to build the following flow: sj> - You install a large number of devices in a location sj> - They power up, auto connect to WiFi (or your favorite wireless transport) sj> - They are validated and secure endpoints are set up sj> - The devices are NOT allowed on the network yet (for Wifi, they could be on a subnet) sj> - Each device points to a schema so it's clear what each wants to do (light, switch etc) sj> - The user is informed of these devices en masse sj> - The user can see who they are from and that they have been validated sj> - With a button push, they are allowed on the network sj> - (further discussion about auto configuring the lights to be controlled by the switches) I think that this goal was well within what many others want to do. There are some details that need sorting out. sj> Thanks for that. Without more market research, it would be foolish to say sj> anything too strong but both cases seem likely to have UX problems sj> - Sales channel integration: potentially lots of logistical challenges sj> (e.g. inventory, last minute router changes, etc) sj> - No sales channel integration: 'first one wins' (this one seems the sj> most problematic) sj> What I'm trying to solve is the "HomeDepot" use case where you buy your 30 sj> switches from HomeDepot and it 'just works' when you turn them on. sj> Obviously this has no sales channel integration. This is indeed a common case. And the lack of sales channel integration makes it difficult Eliot has a presentation which is linked from: https://www.connections.iiesoc.in/2018-abstract sj> You're actually asking quite a bit of the device makers to support BRSKI sj> (which I support btw) I wonder if it's time to make the ROUTERS actually sj> have some additional smarts. I agree that a BRSKI client is additional functionality, and that in some cases this is an issue of code space in some devices. For any device built around the Google Android IoT platform (which is an RPI scale device) that's just an issue. The issue if time-to-market, and this is where reference libraries come into play. I expect to finish a reference client library in RUST this fall, with the goal of fitting into RIOT-OS scale platforms. Whether it wil have DTLS or just EDHOC remains to be seen. sj> Would it be possible to have these smart sj> devices somehow tell the router who they are before they turn on? Here are sj> some thoughts: sj> - All devices have an NFC in the packaging Many of us have significant problems with NFC. (or BTLE). It's just pushing the onboarding problem to a different layer! Some years ago (2012!) the conversation we had at one workshop about what would happen if someone walked through HomeDepot and collected the NFC from all devices. There was a bit of a gap of onboarding understanding, but the attack was what if attacker collects control information on hundreds of thousands of lightbulbs... consider if most of the lightbulbs were smart bulbs which were purchased by people who didn't have smart lighting systems, because cost of making smart lightbulbs was not more than dumb bulbs (after marketing and distribution, etc. costs), so the attacker somehow retained control over the bulbs. {Then attacker turned them *ALL* on at the same time, and then 2 minutes later, turned them all off. Wait five minutes, and turn them back all on and off again. Apparently, this can break the electrical grid as turbines turned on, and then had nowhere to send the power.} So, summary is that I'm skeptical about the NFC solution. The security proposes of "near" seem to fail given an equipped attacker. sj> - You tap this on the router. For the next X minutes, any device of that sj> type is captured and an exchange with each device allows this sj> cert/code/etc .. or you tap it with your phone, which has an API into the router. sj> - This works for families of devices so you only need to tap 1 of the 30 sj> switches you bought this is a problem if you have some devices, and your neighbour has some devices. It sounds like a nice idea, but without sales channel integration to know which of the 29 devices are also on the same sales receipt, it's gonna fail. An annoyance, I agree. sj> - There is nothing stopping this from being an app for that router, that sj> way your phone taps the box, not the router :-) sj> - Your same exchange with the MASA occurs, this just makes sure the sj> right Router wins sj> - If you're willing to make this only use a phone tied to the router, a sj> QRCode could work as well. Yes, I prefer this, and this is the direction WiFi Alliance's DPP has gone. sj> - This implies things could work without internet initially, you just sj> need the router to be powered on many would like this. sj> - This same app could show the 'families of devices' that are available sj> and waiting for confirmation. This is a good prompt for what you should be sj> scanning.(or what you've forgotten) I think it is reasonable for the router to get a list of devices that are trying to connect, and then you can have a list on the phone devices to "find". It's like the egg hunt on Easter Morning. sj> - The only downside is that you might see nearby devices that aren't sj> yours. However with the coming RTT spec in Wifi 802.11az there is a good sj> change to order them so the neighbors are clearly further away. That's a good idea, but given that the upstairs apartment can be closer than the third bedroom of my apartment, not always going to work. sj> What do you think? Is it asking too much to change the routers? I assume sj> they have to change already to support the BRSKI protocol. I'm just sj> throwing out an NFC reader and/or an app to act as one. (both are more sj> expensive clearly) APP wins. -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Iot-onboarding] UX concerns with BRSKI Michael Richardson
- Re: [Iot-onboarding] UX concerns with BRSKI Ted Lemon
- Re: [Iot-onboarding] UX concerns with BRSKI Eliot Lear
- Re: [Iot-onboarding] UX concerns with BRSKI Michael Richardson