Re: [smartpower-interest] Smart Grid Architecture Committee meeting 17 February
"Davis, Terry L" <terry.l.davis@boeing.com> Tue, 23 February 2010 19:03 UTC
From: "Davis, Terry L" <terry.l.davis@boeing.com>
To: "'Russ Housley'" <housley@vigilsec.com>, Fred Baker <fred@cisco.com>
Date: Tue, 23 Feb 2010 11:05:10 -0800
Message-ID: <0267B5481DCC474D8088BF4A25C7F1DF551547BB4C@XCH-NW-05V.nw.nos.boeing.com>
References: <55FA0F33-F37F-4429-92D0-9E99162BA496@cisco.com>
<4B7ECA70.1060909@vigilsec.com>
In-Reply-To: <4B7ECA70.1060909@vigilsec.com>
Cc: "smartpower-interest@ietf.org" <smartpower-interest@ietf.org>
Subject: Re: [smartpower-interest] Smart Grid Architecture Committee meeting 17 February
Russ, I agree with you 100% on both the v6 and the security solution; we looked at a similar concept for keying that I liked very much. I don't think it was on the smartpower lists but on one of the others...

The North American grid system includes 300 million electric meters (just the meters, not counting anything else). That's at least 20 NAT zones to translate between if you use 10 space just for the meters.

I also might suggest that Suite B - circa 2011 be the target, as it will have several major changes from NIST.

It might also be of value to actually start working on true vendor-to-vendor interoperability. SmartGrid, like aviation, will likely find that it will have to write into the proposals that simple-to-implement vendor-to-vendor IPsec/IKEv2 interoperability be provided.

They might also want to take a look at ATA Spec 42, which is working on standardizing certificate formats.

Take care
Terry

> -----Original Message-----
> From: smartpower-interest-bounces@ietf.org [mailto:smartpower-interest-bounces@ietf.org] On Behalf Of Russ Housley
> Sent: Friday, February 19, 2010 9:29 AM
> To: Fred Baker
> Cc: smartpower-interest@ietf.org
> Subject: Re: [smartpower-interest] Smart Grid Architecture Committee meeting 17 February
>
> Fred:
>
> I have a few comments about IPv6 and security.
>
> > I am forwarding in case you folks have not seen this. It is the proposed IP architecture from NERC, which is a US regulatory body.
> >
> > One important statement it makes is:
> >
> >> A final note is that this document will not make the distinction between IP version 4 or version 6 for the purpose of analysis or standardization. The point is simply to support IP with the version number left to be an implementation detail determined by the utility or service provider that would install the AMI network. That being said, any competent network planner can easily do the math - many investor-owned utilities have literally millions of electric meters installed (a distinct challenge in a version 4 environment), with this "volume problem" being compounded by the presence of other devices including some quantity of electric vehicles as potential roaming users in the future. That means the utility would either have to use IPv4 very judiciously and replicate private IP space over and over again, or move to IPv6 and address a greater number of devices uniquely.
> >
> > This is not as strong a statement re IPv6 as the IETF and ARIN have proposed, but is at least a sensible one in the near term.
>
> This allows NAT upon NAT. I would prefer NERC to more strongly advocate IPv6. NERC does not even say that IPv6 is the long-term solution. I wish they had gone that far.
>
> > The architecture doesn't say a lot about security, but does say this:
> >
> >> The C12.22 protocol also includes AES-128 security mechanisms. Additional IP transport security protocols may be provided to enhance and preserve the upper layer security provisions but not as a substitute of such.
> >
> > Personally, I think that's an inadequate statement. The key issues are in identification, authentication, authorization, and confidentiality where appropriate.
>
> I agree that these are the right security services to include as long as you consider access control to be part of authorization.
>
> > It would be nice if [...] the architecture could specify the use of "suite b cryptographic standards". For those that don't know what that means, it refers to the use of elliptic curve public key cryptography without the IPR considerations that have crippled the industry's ability to use it.
>
> Suite B is composed of algorithms that are publicly specified, and it is defined here: http://www.nsa.gov/ia/programs/suiteb_cryptography.
>
> Suite B includes:
>
> Encryption: AES with 128- and 256-bit keys
>
> Key Exchange: Elliptic Curve One-Pass Diffie Hellman (called ECDH) using the curves with 256- and 384-bit prime moduli
>
> Digital Signature: Elliptic Curve Digital Signature Algorithm (called ECDSA) using the curves with 256- and 384-bit prime moduli
>
> Hashing: SHA-256 and SHA-384
>
> The smaller size in each of these choices seems quite reasonable for Smart Grid.
>
> There are intellectual property issues with Elliptic Curve Cryptography (ECC), but McGrew seems to have found at least one way to implement these algorithms that avoids the known patents. See: http://tools.ietf.org/html/draft-mcgrew-fundamental-ecc-01
>
> > [...] The lack of a key management infrastructure is a problem, which I would entertain useful proposals for.
>
> As a starting point for this discussion, can we leverage the work done by CableLabs and the WiMAX Forum. Devices that follow the specifications from these groups ship with an embedded private key and a certificate. This is not the complete answer, but it allows anyone to authenticate the device. At some point prior to installation, the device still needs to be told some things about the network that it will be connected to. This might be as simple as the insertion of some configuration data that includes a trust anchor to validate certificates from the utility.
>
> Russ
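The provisioning model Russ sketches (a certificate and private key embedded at manufacture, a utility trust anchor inserted before installation, Suite B algorithms at the smaller sizes) and the IPsec/IKEv2 interoperability Terry asks for are worked through below as an added example. This Go code is not from the thread, NERC, CableLabs, the WiMAX Forum or any IKEv2 implementation; it uses only the Go standard library. The vendor and utility names, the `Identity` and `Session` helpers, and the use of SHA-256 over the ECDH shared secret as the key derivation are assumptions made for the example (Suite B key agreement uses the SP 800-56A KDF, and IKEv2 carries nonces, identities and more in what it signs). What it shows: a vendor CA issues each meter an ECDSA P-256 certificate; the meter is provisioned with the utility's root as its trust anchor and the utility head-end with the vendor root; each side then validates the peer's certificate against the anchor it holds, checks the peer's signature over an ephemeral P-256 ECDH public key, and derives an AES-128 key.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Identity pairs a long-term ECDSA P-256 key with its certificate (assumed helper type).
type Identity struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// newIdentity issues an ECDSA P-256 / SHA-256 certificate signed by parent,
// or self-signed when parent is nil. Hypothetical helper for this example.
func newIdentity(cn string, isCA bool, parent *Identity) *Identity {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		SignatureAlgorithm:    x509.ECDSAWithSHA256,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parentCert, signer := tmpl, key // self-signed root
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return &Identity{Key: key, Cert: cert}
}

// Session is one side of the exchange: an ephemeral P-256 ECDH key whose public
// value is signed by the long-term key, binding the exchange to the certified identity.
type Session struct {
	eph *ecdh.PrivateKey
	Pub []byte // ephemeral public key, uncompressed point
	Sig []byte // ECDSA/SHA-256 signature over Pub by the identity key
}

func newSession(id *Identity) *Session {
	eph, err := ecdh.P256().GenerateKey(rand.Reader)
	must(err)
	pub := eph.PublicKey().Bytes()
	digest := sha256.Sum256(pub)
	sig, err := ecdsa.SignASN1(rand.Reader, id.Key, digest[:])
	must(err)
	return &Session{eph: eph, Pub: pub, Sig: sig}
}

// sessionKey authenticates the peer and derives a 128-bit AES key: the peer's
// certificate must chain to the provisioned trust anchor and its signature over
// the ephemeral key must verify before ECDH runs. SHA-256 over the shared secret
// stands in for the SP 800-56A KDF (a simplification assumed for this example).
func (s *Session) sessionKey(peerPub, peerSig []byte, peerCert, anchor *x509.Certificate) ([]byte, error) {
	roots := x509.NewCertPool()
	roots.AddCert(anchor)
	if _, err := peerCert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return nil, err
	}
	pk, _ := peerCert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(peerPub)
	if pk == nil || !ecdsa.VerifyASN1(pk, digest[:], peerSig) {
		return nil, errors.New("ephemeral key is not signed by the certified key")
	}
	remote, err := ecdh.P256().NewPublicKey(peerPub) // rejects off-curve points
	if err != nil {
		return nil, err
	}
	shared, err := s.eph.ECDH(remote)
	if err != nil {
		return nil, err
	}
	k := sha256.Sum256(shared)
	return k[:16], nil // AES-128 key
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}
```

The point worth noticing is that each side needs only one root: the meter ships with its vendor certificate and is told the utility root at installation, while the head-end needs the vendor root to authenticate meters it has never seen. Key separation is deliberate: the certified ECDSA key only signs, and a fresh ECDH key is used per session, so a compromised session key does not expose past traffic. A real deployment would also pin a key derivation function and include both parties' identities and nonces under the signature, as IKEv2 does.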