IETF Logo Mail Archive

Re: [Secdispatch] DANE IOT proposed outcome

"Panwei (William)" <william.panwei@huawei.com> Mon, 16 November 2020 15:51 UTC

Return-Path: <william.panwei@huawei.com>
X-Original-To: secdispatch@ietfa.amsl.com
Delivered-To: secdispatch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DD4CC3A1219; Mon, 16 Nov 2020 07:51:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cKP_cG8BecJH; Mon, 16 Nov 2020 07:51:40 -0800 (PST)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57D9C3A1218; Mon, 16 Nov 2020 07:51:40 -0800 (PST)
Received: from fraeml706-chm.china.huawei.com (unknown [172.18.147.201]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4CZYRg6S7Rz67DmZ; Mon, 16 Nov 2020 23:49:51 +0800 (CST)
Received: from nkgeml707-chm.china.huawei.com (10.98.57.157) by fraeml706-chm.china.huawei.com (10.206.15.55) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1913.5; Mon, 16 Nov 2020 16:51:37 +0100
Received: from nkgeml705-chm.china.huawei.com (10.98.57.154) by nkgeml707-chm.china.huawei.com (10.98.57.157) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Mon, 16 Nov 2020 23:51:35 +0800
Received: from nkgeml705-chm.china.huawei.com ([10.98.57.154]) by nkgeml705-chm.china.huawei.com ([10.98.57.154]) with mapi id 15.01.1913.007; Mon, 16 Nov 2020 23:51:35 +0800
From: "Panwei (William)" <william.panwei@huawei.com>
To: Shumon Huque <shuque@gmail.com>
CC: Eliot Lear <lear=40cisco.com@dmarc.ietf.org>, "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>, "secdispatch@ietf.org" <secdispatch@ietf.org>
Thread-Topic: [Secdispatch] DANE IOT proposed outcome
Thread-Index: AQHWvAcDj5ATxnClv0CbH9AVFrI7YanKopzg//+284CAAI17oA==
Date: Mon, 16 Nov 2020 15:51:34 +0000
Message-ID: <eb52017315ba45279dc686dbb610045e@huawei.com>
References: <2786E31F-2A4F-4901-8ECC-7AEF4B4D81E2@cisco.com> <b178d5066d6b4371a59ffe59bb6d6447@huawei.com> <CAHPuVdXo1o0d_WzLqTZ5s9+JNG=3kbNdTO1BrS7BdEBDd2F1Lw@mail.gmail.com>
In-Reply-To: <CAHPuVdXo1o0d_WzLqTZ5s9+JNG=3kbNdTO1BrS7BdEBDd2F1Lw@mail.gmail.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.52.234.111]
Content-Type: multipart/alternative; boundary="_000_eb52017315ba45279dc686dbb610045ehuaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdispatch/jMiIUqj79caDd7J4cmRFyWR5piw>
Subject: Re: [Secdispatch] DANE IOT proposed outcome
X-BeenThere: secdispatch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Dispatch <secdispatch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdispatch/>
List-Post: <mailto:secdispatch@ietf.org>
List-Help: <mailto:secdispatch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdispatch>, <mailto:secdispatch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Nov 2020 15:51:43 -0000

Hi Shumon,

Thanks.

I was not so clear about how to use DANE before, mostly not clear about how to bind the device’s identity to the DNS domain name securely and automatically.
After Eliot’s explanation, I understand there are two parts: the device onboarding part and the DNS domain name provisioning part. And these two parts can be integrated, for example, when using BRSKI, the allocated DNS domain name can be bound to the LDevID.

Regards & Thanks!
Wei Pan

From: Shumon Huque [mailto:shuque@gmail.com]
Sent: Monday, November 16, 2020 11:19 PM
To: Panwei (William) <william.panwei@huawei.com>
Cc: Eliot Lear <lear=40cisco.com@dmarc.ietf.org>; iot-onboarding@ietf.org; secdispatch@ietf.org
Subject: Re: [Secdispatch] DANE IOT proposed outcome

Hi Wei Pan,

I'll ask Ash (who is more plugged into the IOT ecosystem than I am) to confirm .. but yes, our use case expects devices to have IDevID or some other preconfigured unique value, so it should be possible to work with BRSKI. For the DNS record format naming, we were initially looking at the formats defined in draft-friel-pki-for-devices, specifically the LDevID organization managed form, but have a slightly simpler form currently specified in the draft.

Shumon.

On Mon, Nov 16, 2020 at 7:02 AM Panwei (William) <william.panwei@huawei.com<mailto:william.panwei@huawei.com>> wrote:
Thanks to Eliot for summarizing these.

I think the core concept of using DANE in IoT scenario is to get rid of certificates and PKIX. The solution of how to securely onboard the IoT devices and allocate the DNS domain name, both with and without initial certificates, is the key part to figure out.
If the IoT devices have no initial certificates, such as 802.1AR IDevID certificate, as their initial identity, then the BRSKI mechanism won’t be appropriate for these devices because BRSKI has a requirement of IDevID.
If the IoT devices have an IDevID certificate, I think it can still use BRSKI to onboard, but it won’t use EST to request a certificate any more, instead, it will apply for a DNS domain name by using some protocols.

That’s my preliminary thoughts, maybe not right.

Regards & Thanks!
Wei Pan

From: Secdispatch [mailto:secdispatch-bounces@ietf.org<mailto:secdispatch-bounces@ietf.org>] On Behalf Of Eliot Lear
Sent: Monday, November 16, 2020 6:55 PM
To: secdispatch@ietf.org<mailto:secdispatch@ietf.org>
Subject: [Secdispatch] DANE IOT proposed outcome

Thanks to Shumon for presenting the DANE use case for IOT.

We discussed taking this to the iot-onboarding@ietf.org<mailto:iot-onboarding@ietf.org> list as there were a number of rather big open issues that people wanted to discuss.

We also discussed a non-WG forming BOF to look at, as Ted put it, the broader context for onboarding.  To give people a feel for the sort of related work that is available, here are a list of related activities:


  *   draft-ietf-anima-bootstrapping-keyinfra (BRSKI) is a request/response mechanism that uses RFC 8366 vouchers to introduce devices and network infrastructure.
  *   Intel’s SDO provides an application level introduction using vouchers as well.  This work has been taken up by the FIDO alliance.
  *   The Wifi Alliance has Device Provisioning Protocol (DPP) which does not attach to a global name space prior to provisioning having occurred, but does represent a minimum case (just public keys).
  *   draft-friel-eap-tls-eap-dpp borrows from DPP, intended mostly for wired use, where DPP is focused on 802.11 networks.
  *   There are a number of BRSKI related drafts by Owen as well, relating to cloud-based registrars.
  *   There is also work by Michael Richardson and Peter Van Der Stock on constrained vouchers.  That work is taking place in ACE.

Understanding the landscape might help us understand where DANE fits in.

Regards,

Eliot
_______________________________________________
Secdispatch mailing list
Secdispatch@ietf.org<mailto:Secdispatch@ietf.org>
https://www.ietf.org/mailman/listinfo/secdispatch

v2.23.0 | Report a Bug | By Email