Re: [Iot-onboarding] OPC and BRSKI

"Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org> Wed, 07 August 2019 21:30 UTC

From: "Randy Armstrong (OPC)" <randy.armstrong@opcfoundation.org>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>, "anima@ietf.org" <anima@ietf.org>
Thread-Topic: [Iot-onboarding] OPC and BRSKI
Date: Wed, 07 Aug 2019 21:30:21 +0000
Message-ID: <BYAPR08MB4903ABC4E4BD5C158F77C78BFAD40@BYAPR08MB4903.namprd08.prod.outlook.com>
In-Reply-To: <1669.1565212526@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/3JALyCeVonQIa1Zkb6Y2FcnABj0>

> If the MASA goes away or is compromised, then all the devices
> from that manufacturer can not be proved to not be counterfeit.

If each Device has a manufacturer-issued Certificate with the private key in secure storage like a TPM, then the verification of a Device can happen as long as the Operator has a copy of the Manufacturer CA.
This was our original model until someone raised BRSKI.

> That would lead to the conclusion that it is okay for the operator in the
> next suite (or next cabinet in a DC, or adjacent distillation tower in a
> refiner), to use the device in my suite/cabinet/tower.

The Operator decides what Devices go on the networks the Operator controls.
As long as a system is in place to allow the Operator (not the Manufacturer or MASA) to block access to a network then the network is secure.
The one risk which exists is theft, i.e. a thief can't be prevented from using a stolen device.
I can see this being a high priority requirement for mobile phones but not for PLCs.

-----Original Message-----
From: Iot-onboarding <iot-onboarding-bounces@ietf.org> On Behalf Of Michael Richardson
Sent: August 7, 2019 2:15 PM
To: iot-onboarding@ietf.org; anima@ietf.org
Subject: Re: [Iot-onboarding] OPC and BRSKI


Randy Armstrong (OPC) <randy.armstrong@opcfoundation.org> wrote:
    > Counterfeit devices are a huge issue in industrial automation. We need
    > this infrastructure so the Operators can assure themselves that the
    > Devices they plug into their network are genuine.

So, just to inject some existential angst:
   If the MASA goes away or is compromised, then all the devices
   from that manufacturer can not be proved to not be counterfeit.

Note that the MASA going away is not the same as the Manufacturer going away.

    > OTOH, Operators don’t need to prove their right to use a Device. If an
    > Operator has a Device they are entitled to use it (i.e. Devices can be
    > sold/transferred without approval from the manufacturer).

I'm not sure you really mean to say it this way :-)
  That would lead to the conclusion that it is okay for the operator in the
  next suite (or next cabinet in a DC, or adjacent distillation tower in a
  refiner), to use the device in my suite/cabinet/tower.

The key problem is the verb "has" needs to be made very clear.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -= IPv6 IoT consulting =-
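As an added example (not code from this thread, OPC or any BRSKI implementation), here is the verification model Randy describes above: the Operator holds only a copy of the Manufacturer CA, checks that a Device certificate chains to it, and then challenges the Device to sign a fresh nonce with the certified private key, which on a real Device would sit in a TPM; no MASA is contacted. It uses only Go's standard library, Ed25519 stands in for whatever algorithm a given TPM supports, and the function names issue, VerifyDevice and Scenario plus the CA and device names are my own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for pub; a nil parent yields a self-signed CA root (the hypothetical Manufacturer CA).
func issue(cn string, serial int64, pub ed25519.PublicKey, parent *x509.Certificate, signer ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true}
	if parent == nil { tmpl.IsCA, tmpl.KeyUsage, parent = true, x509.KeyUsageCertSign, tmpl } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// VerifyDevice is the operator-side check: the device certificate must chain to the operator's own copy of the
// Manufacturer CA, and the device must sign the operator's fresh nonce with the certified (TPM-held) key. No MASA involved.
func VerifyDevice(dev, mfrCA *x509.Certificate, nonce, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(mfrCA)
	if _, err := dev.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return err // not issued under the Manufacturer CA: reject as counterfeit
	}
	if pub, ok := dev.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, nonce, sig) {
		return fmt.Errorf("proof of possession failed: certificate presented without its private key")
	}
	return nil
}

// Scenario: a genuine device, then a counterfeit replaying a copy of the genuine certificate without its TPM-held key.
func Scenario() (genuineErr, counterfeitErr error) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	devPub, devKey, _ := ed25519.GenerateKey(rand.Reader)
	_, fakeKey, _ := ed25519.GenerateKey(rand.Reader)
	ca := issue("Example Manufacturer CA", 1, caPub, nil, caKey)
	dev := issue("PLC-0001", 2, devPub, ca, caKey)
	nonce := []byte("constructed challenge; draw a random one per session in practice")
	return VerifyDevice(dev, ca, nonce, ed25519.Sign(devKey, nonce)), VerifyDevice(dev, ca, nonce, ed25519.Sign(fakeKey, nonce))
}

func main() { fmt.Println(Scenario()) }
```

A certificate issued under some other CA fails at the chain step instead, so both ways of faking a Device are caught by the Operator without any manufacturer service being reachable.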