[Iotops] draft-hsothers-iotsens-ps-03 (was: RE: Request for slides for IOTOPS)

Esko Dijk <esko.dijk@iotconsultancy.nl> Sun, 13 November 2022 10:12 UTC

From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: "Dirk.von-Hugo@telekom.de" <Dirk.von-Hugo@telekom.de>, "iotops@ietf.org" <iotops@ietf.org>
Date: Sun, 13 Nov 2022 10:12:08 +0000
Message-ID: <DU0P190MB1978D690C327AE3892CCC7B3FD029@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
References: <A55B2F54-9750-49D5-8352-5B690040DE30@isode.com> <BE1P281MB2854C1A00660F2B61C4A60D8D13F9@BE1P281MB2854.DEUP281.PROD.OUTLOOK.COM>
In-Reply-To: <BE1P281MB2854C1A00660F2B61C4A60D8D13F9@BE1P281MB2854.DEUP281.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/wRP_p5EAy2w0jtmGfh_L0NhwKvM>
Subject: [Iotops] draft-hsothers-iotsens-ps-03 (was: RE: Request for slides for IOTOPS)

Hi Dirk,

Thanks for drawing our attention to the draft!

In the ANIMA WG we are working on Constrained BRSKI (https://datatracker.ietf.org/doc/html/draft-ietf-anima-constrained-voucher) which aims to deliver BRSKI bootstrapping while meeting constrained / IoT device and network requirements, such as those highlighted in your draft and in RFC 8576.  This can work without any user interaction and doesn't require an additional OOB channel, nor a secure channel. Standard operation uses X.509 certs (roughly 0.5 KB each) but for more constrained cases it can also work with raw public key (RPK) for operational device identity.

So it does provide secure authentication of an IoT device and also further things like "rebootstrap" into a new domain or renewal of identity within a domain. Some potential gaps I still do see, i.e. what Constrained BRSKI is not providing:

1. A standardized way to (securely) tell an IoT device "do factory-reset", i.e. "forget your operational identity (LDevID) and go back to bootstrap mode".

2. Configuring a new device at application level - e.g. if a broken light bulb is replaced, the new bulb is automatically configured in a replacement role, taking over all the configuration/responsibilities that the old bulb had.  This aspect is also mentioned in your draft in 5.2. Still to be determined is what part of this can be defined in IETF, and what part is up to the application ecosystem (e.g. Matter, OCF, KNX, etc.).

3. Bootstrapping without network infrastructure available (notably the "Registrar" and "MASA" hosts are required for BRSKI). For this BRSKI-PRM is being defined (https://datatracker.ietf.org/doc/html/draft-ietf-anima-brski-prm-05), but it doesn't have a constrained equivalent yet.

4. Make use of environmental / sensed signals to help in secure authentication of IoT devices: BRSKI doesn't depend on this currently. Could these signals help in some way? Your draft hints at doing this, but it could perhaps use some more details on how to do this. As an example: only autoconfigure a light bulb as "living room light" if its radio can sense other living room devices and vice versa. If that's not the case, a human user can still manually configure it - overriding any autosuggested configuration for the new device. A bunch of use cases like this could clarify what you would like to do with such environmental signals.

5. How the operational identity / key is used to gain access to the secured IoT network (e.g. wireless or wired, 6LoWPAN, ... ). This is currently left to the specific technology to be defined. Some (6TiSCH) are defined in IETF scope while others may be defined outside IETF.

Regards
Esko

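One way to express the mutual-sensing gate from item 4 as a policy check: a role is only autosuggested when enough room devices hear the new device and are heard by it, and a manual configuration always overrides the suggestion. This is an added illustration, not code from the draft or from Constrained BRSKI; the device names, the sensed-neighbour map, the room membership and the min_mutual threshold are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: which devices each radio can currently hear.
# Names and data model are assumptions for this illustration only.
SENSED = {
    "bulb-new":       {"lr-switch", "lr-thermostat"},
    "lr-switch":      {"bulb-new", "lr-thermostat"},
    "lr-thermostat":  {"lr-switch"},            # does not hear the new bulb
    "bedroom-switch": {"bedroom-lamp"},
    "bedroom-lamp":   {"bedroom-switch"},
}
ROOMS = {
    "living room": {"lr-switch", "lr-thermostat"},
    "bedroom":     {"bedroom-switch", "bedroom-lamp"},
}


@dataclass
class Decision:
    role: Optional[str]
    source: str                      # "auto", "manual" or "none"
    evidence: dict = field(default_factory=dict)


def corroborated(new_dev, members, sensed, min_mutual=2):
    """Room devices the new device hears AND that hear it back ("vice versa")."""
    mutual = {d for d in members
              if d in sensed.get(new_dev, set()) and new_dev in sensed.get(d, set())}
    return mutual, len(mutual) >= min_mutual


def propose_role(new_dev, sensed, rooms, min_mutual=2):
    """Suggest '<room> light' only when exactly one room is mutually corroborated."""
    candidates = {}
    for room, members in rooms.items():
        mutual, ok = corroborated(new_dev, members, sensed, min_mutual)
        if ok:
            candidates[room] = mutual
    if len(candidates) == 1:
        room, mutual = next(iter(candidates.items()))
        return Decision(f"{room} light", "auto", {"mutual": sorted(mutual)})
    # No room, or an ambiguous set of rooms: leave it to the human user.
    return Decision(None, "none", {"candidates": sorted(candidates)})


def configure(new_dev, sensed, rooms, manual_role=None, min_mutual=2):
    """A manual configuration by the user always overrides any suggestion."""
    if manual_role is not None:
        return Decision(manual_role, "manual")
    return propose_role(new_dev, sensed, rooms, min_mutual)
```

With the sample map only lr-switch corroborates in both directions, so the default threshold of two yields no suggestion and the user must configure the bulb; lowering the threshold to one autosuggests "living room light".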
-----Original Message-----
From: Iotops <iotops-bounces@ietf.org> On Behalf Of Dirk.von-Hugo@telekom.de
Sent: Tuesday, November 8, 2022 16:17
To: iotops@ietf.org
Cc: iotops-chairs@ietf.org; alexey.melnikov@isode.com; henk.birkholz@sit.fraunhofer.de
Subject: Re: [Iotops] Request for slides for IOTOPS

Dear all,
Thanks to the lively discussion during the session today, covering topics of onboarding, securing and controlling access, and authenticating IoT devices, there was no time left for AOB, where we would have pointed to our recently updated draft on "Need for New Authentication Methods for Internet of Things", discussing the problem statement and potential IETF work for technology-agnostic authentication of 'dumb' devices:
https://www.ietf.org/archive/id/draft-hsothers-iotsens-ps-03.txt

Thanks for reading and reviewing - next time we will apply for a slot in time!
Best regards
Behcet and Dirk

-----Original Message-----
From: Iotops <iotops-bounces@ietf.org> On Behalf Of Alexey Melnikov
Sent: Monday, 7 November 2022 15:42
To: iotops@ietf.org
Cc: iotops-chairs@ietf.org
Subject: [Iotops] Request for slides for IOTOPS

Dear presenters,

Please send your slides for the IOTOPS @ IETF 115 session by the end of Monday, November 7th.

Thank you,
Alexey
-- 
Iotops mailing list
Iotops@ietf.org
https://www.ietf.org/mailman/listinfo/iotops
