IETF Logo Mail Archive

Re: [Secdispatch] [Iot-onboarding] DANE IOT proposed outcome

"Panwei (William)" <william.panwei@huawei.com> Tue, 17 November 2020 01:55 UTC

Return-Path: <william.panwei@huawei.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F20243A182D; Mon, 16 Nov 2020 17:55:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jB_J1lf2kkCZ; Mon, 16 Nov 2020 17:54:59 -0800 (PST)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0299B3A1868; Mon, 16 Nov 2020 17:54:59 -0800 (PST)
Received: from fraeml712-chm.china.huawei.com (unknown [172.18.147.226]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4CZpqn4rZpz67DjB; Tue, 17 Nov 2020 09:53:09 +0800 (CST)
Received: from nkgeml705-chm.china.huawei.com (10.98.57.154) by fraeml712-chm.china.huawei.com (10.206.15.61) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Tue, 17 Nov 2020 02:54:56 +0100
Received: from nkgeml705-chm.china.huawei.com (10.98.57.154) by nkgeml705-chm.china.huawei.com (10.98.57.154) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Tue, 17 Nov 2020 09:54:54 +0800
Received: from nkgeml705-chm.china.huawei.com ([10.98.57.154]) by nkgeml705-chm.china.huawei.com ([10.98.57.154]) with mapi id 15.01.1913.007; Tue, 17 Nov 2020 09:54:54 +0800
From: "Panwei (William)" <william.panwei@huawei.com>
To: Ash Wilson <ash.wilson@valimail.com>, Shumon Huque <shuque@gmail.com>
CC: "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>, "secdispatch@ietf.org" <secdispatch@ietf.org>, Eliot Lear <lear=40cisco.com@dmarc.ietf.org>
Thread-Topic: [Iot-onboarding] [Secdispatch] DANE IOT proposed outcome
Thread-Index: AQHWvAcDj5ATxnClv0CbH9AVFrI7YanKopzg//+284CAAEFMgIAA9RJw
Date: Tue, 17 Nov 2020 01:54:54 +0000
Message-ID: <b9bded62178e44f8a57c850d0102259e@huawei.com>
References: <2786E31F-2A4F-4901-8ECC-7AEF4B4D81E2@cisco.com> <b178d5066d6b4371a59ffe59bb6d6447@huawei.com> <CAHPuVdXo1o0d_WzLqTZ5s9+JNG=3kbNdTO1BrS7BdEBDd2F1Lw@mail.gmail.com> <CAEfM=vRotGf-SuYz8PKNop8zdCCA_-x+3xU81rMS6Le6EUOOFw@mail.gmail.com>
In-Reply-To: <CAEfM=vRotGf-SuYz8PKNop8zdCCA_-x+3xU81rMS6Le6EUOOFw@mail.gmail.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.136.99.125]
Content-Type: multipart/related; boundary="_004_b9bded62178e44f8a57c850d0102259ehuaweicom_"; type="multipart/alternative"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/iH_TZNnS7EEBhJYDsIKApSpmk0I>
Subject: Re: [Secdispatch] [Iot-onboarding] DANE IOT proposed outcome
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Nov 2020 01:55:02 -0000

Hi Ash,

Thanks for your clarifying. It’s clear to me now. Using DANE doesn’t conflict with other existing bootstrapping processes, but I feel some extensions may be needed to integrate.

Regards & Thanks!
Wei Pan

From: Ash Wilson [mailto:ash.wilson@valimail.com]
Sent: Tuesday, November 17, 2020 3:13 AM
To: Shumon Huque <shuque@gmail.com>
Cc: Panwei (William) <william.panwei@huawei.com>; iot-onboarding@ietf.org; secdispatch@ietf.org; Eliot Lear <lear=40cisco.com@dmarc.ietf.org>
Subject: Re: [Iot-onboarding] [Secdispatch] DANE IOT proposed outcome

Hi Wei Pan,
The process of bootstrapping the device's identity is outside the scope of our drafts, but I completely agree that getting the bootstrapping process right is important. We think that using DANE like this doesn't conflict with other bootstrapping processes; it just adds a DNS-discoverable public key to the identity of the device when it is provisioned.

One of the processes we are seeking to simplify is that of establishing trust directly between devices in the field, both of which may have only a keypair, and not the benefit of PKI that chains to a publicly trusted CA. Supporting x.509 certificates is in the interest of providing broad protocol compatibility (including the support of other adjacent standards like MUD: https://tools.ietf.org/id/draft-ietf-opsawg-mud-22.html#mudx509). By using TLSA for client auth, we allow devices with only a raw public key in DNS, as well as devices with metadata-rich x.509 certificates, to mutually authenticate without requiring the distribution of CA certificates, just based on knowledge of the communicating peer's DNS name.

SIM/UICC identity providers may provision public keys in DNS, and leave a record of the device's DNS name in the SIM card (likely to be found in the certificate). This gives the device that receives the SIM card the ability to do all the things that the PKI ecosystem supports now, with the additional benefit of being able to mutually authenticate without the other side of the handshake needing to possess and trust the CA certificate used to sign the certificate that ships with the SIM card. Naming collisions are prevented by binding the public key to the DNS name- only the possessor of the private key corresponding to the TLSA record is the 'real' identity holder.

In a similar fashion, device manufacturers may provision a DANE identity for devices before they ship. These device identities may reside in a DNS zone under the manufacturer's control, or the implementer may present the device certificates in a DNS zone under the implementer's control. This allows the identity to more naturally indicate the party responsible for the device's behavior, and can make the mitigation of some types of network abuse a little more straightforward.


On Mon, Nov 16, 2020 at 8:04 AM Shumon Huque <shuque@gmail.com<mailto:shuque@gmail.com>> wrote:
Hi Wei Pan,

I'll ask Ash (who is more plugged into the IOT ecosystem than I am) to confirm .. but yes, our use case expects devices to have IDevID or some other preconfigured unique value, so it should be possible to work with BRSKI. For the DNS record format naming, we were initially looking at the formats defined in draft-friel-pki-for-devices, specifically the LDevID organization managed form, but have a slightly simpler form currently specified in the draft.

Shumon.

On Mon, Nov 16, 2020 at 7:02 AM Panwei (William) <william.panwei@huawei.com<mailto:william.panwei@huawei.com>> wrote:
Thanks to Eliot for summarizing these.

I think the core concept of using DANE in IoT scenario is to get rid of certificates and PKIX. The solution of how to securely onboard the IoT devices and allocate the DNS domain name, both with and without initial certificates, is the key part to figure out.
If the IoT devices have no initial certificates, such as 802.1AR IDevID certificate, as their initial identity, then the BRSKI mechanism won’t be appropriate for these devices because BRSKI has a requirement of IDevID.
If the IoT devices have an IDevID certificate, I think it can still use BRSKI to onboard, but it won’t use EST to request a certificate any more, instead, it will apply for a DNS domain name by using some protocols.

That’s my preliminary thoughts, maybe not right.

Regards & Thanks!
Wei Pan

From: Secdispatch [mailto:secdispatch-bounces@ietf.org<mailto:secdispatch-bounces@ietf.org>] On Behalf Of Eliot Lear
Sent: Monday, November 16, 2020 6:55 PM
To: secdispatch@ietf.org<mailto:secdispatch@ietf.org>
Subject: [Secdispatch] DANE IOT proposed outcome

Thanks to Shumon for presenting the DANE use case for IOT.

We discussed taking this to the iot-onboarding@ietf.org<mailto:iot-onboarding@ietf.org> list as there were a number of rather big open issues that people wanted to discuss.

We also discussed a non-WG forming BOF to look at, as Ted put it, the broader context for onboarding.  To give people a feel for the sort of related work that is available, here are a list of related activities:


  *   draft-ietf-anima-bootstrapping-keyinfra (BRSKI) is a request/response mechanism that uses RFC 8366 vouchers to introduce devices and network infrastructure.
  *   Intel’s SDO provides an application level introduction using vouchers as well.  This work has been taken up by the FIDO alliance.
  *   The Wifi Alliance has Device Provisioning Protocol (DPP) which does not attach to a global name space prior to provisioning having occurred, but does represent a minimum case (just public keys).
  *   draft-friel-eap-tls-eap-dpp borrows from DPP, intended mostly for wired use, where DPP is focused on 802.11 networks.
  *   There are a number of BRSKI related drafts by Owen as well, relating to cloud-based registrars.
  *   There is also work by Michael Richardson and Peter Van Der Stock on constrained vouchers.  That work is taking place in ACE.

Understanding the landscape might help us understand where DANE fits in.

Regards,

Eliot
_______________________________________________
Secdispatch mailing list
Secdispatch@ietf.org<mailto:Secdispatch@ietf.org>
https://www.ietf.org/mailman/listinfo/secdispatch
--
Iot-onboarding mailing list
Iot-onboarding@ietf.org<mailto:Iot-onboarding@ietf.org>
https://www.ietf.org/mailman/listinfo/iot-onboarding


--
Ash Wilson | Technical Director
e: ash.wilson@valimail.com<mailto:ash.wilson@valimail.com>

[图像已被发件人删除。]



This email and all data transmitted with it contains confidential and/or proprietary information intended solely for the use of individual(s) authorized to receive it. If you are not an intended and authorized recipient you are hereby notified of any use, disclosure, copying or distribution of the information included in this transmission is prohibited and may be unlawful. Please immediately notify the sender by replying to this email and then delete it from your system.

v2.23.0 | Report a Bug | By Email