[T2TRG] Report from breakout on using application credentials to enable network access
Mohit Sethi <mohit.m.sethi@ericsson.com> Thu, 13 April 2017 08:41 UTC
Topic: Use of application credentials for enabling network access (and vice versa).

Participants (15 active): Erik Nordmark (note taker), Mohit Sethi (breakout leader), Thorsten Dahm, Donald Eastlake, Behcet Sarikaya, Demir Rakanovic, Phillip Hallam-Baker, Grace Lewis, Ludwig Seitz, Muhhamad Sajjad, Jari Arkko, Laurent Toutain, Hitoshi Asaeda, Francesca Palombini, Stephen Kraiman.

Summary and Conclusions from breakout:

1. It can be useful to enable network access for IoT devices using application credentials: This leads to less configuration work for the user of a new IoT device, which is especially beneficial since the devices often have limited UI. Think of a new IoT toothbrush that you have just purchased. You bring it home and register it with the manufacturer (by reading a serial number/public key/scanning a QR code, etc.). It would be nice if the manufacturer could then tell the Access Point (AP) at the user's home to enable limited Internet connectivity for the device.

2. Interesting to investigate if we can reverse the direction of enabling network access: Instead of adding software and hardware complexity in the devices themselves, it would make sense to simply put the dumb IoT devices at the desired location and then enable access from a server which is more resourceful.

3. Isolation: It would also be smart to put the IoT devices in separate VLANs. When the device is authenticated as an IoT device, it should be put in its separate VLAN so that it has limited connectivity to only a couple of services (such as calling home for software updates, etc.).

4. Scaling this to 1000s or 10k devices can be a challenge. This also relates to the fact that enterprise scenarios are very different from the home scenarios. Enterprises may not want to delegate network access authentication to an external third party (such as the IoT device manufacturer).

5. Revoking network access should be secure and simple. For example, if one of the IoT devices is lost or sold, it shouldn't require you to change the network-access credentials for all the devices.

Possible Research work: Can we use existing protocols (802.1X/RADIUS/DIAMETER) for enabling such network access based on application credentials?

--Mohit

PS: Participants from the breakout are welcome to correct if there are errors or there is something I missed. Comments from the group are welcome.
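The following is an added, constructed model of points 1, 2, 3 and 5 above (not code from the breakout, and not 802.1X/RADIUS): a manufacturer server that the user registered the device with issues a signed, per-device access grant, and the home AP verifies it, drops the device into the isolated IoT VLAN with a short allow-list, and can revoke one device without touching the others. The shared HMAC key between server and AP, the grant format, the VLAN number and the allowed service are all assumptions made for this example.

```python
import hashlib
import hmac
import json
import time

# Assumptions for this constructed example: the AP and the manufacturer's
# server share a pre-provisioned HMAC key, IoT devices land in VLAN 20, and
# the only permitted service is the manufacturer's update endpoint.
SHARED_KEY = b"constructed-ap-manufacturer-key"   # assumed pre-provisioned
IOT_VLAN = 20                                     # isolated IoT VLAN (assumed)
ALLOWED_SERVICES = ["update.example.com:443"]     # "call home" only (assumed)


def issue_grant(device_id, registered_devices, ttl=3600, now=None):
    """Manufacturer side: sign a grant only for a device the user registered."""
    if device_id not in registered_devices:
        raise KeyError("device not registered with manufacturer")
    now = time.time() if now is None else now
    payload = {"dev": device_id, "vlan": IOT_VLAN,
               "allow": ALLOWED_SERVICES, "exp": now + ttl}
    # Canonical JSON so the AP recomputes the tag over identical bytes.
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def ap_admit(grant, revoked, now=None):
    """AP side: verify the grant; reject forged, expired or revoked devices.

    Returns the enforcement policy (VLAN + allow-list) or None to deny."""
    body = grant["body"].encode()
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, grant["tag"]):
        return None                      # forged or altered grant
    payload = json.loads(body)
    now = time.time() if now is None else now
    if payload["exp"] <= now or payload["dev"] in revoked:
        return None                      # expired, or this one device revoked
    return {"vlan": payload["vlan"], "allow": payload["allow"]}
```

Revocation is a per-device entry on the AP, so a lost toothbrush is denied while every other registered device keeps its existing grant, which is the property point 5 asks for.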