Re: [T2TRG] Report from breakout on using application credentials to enable network access

Dan García Carrillo <dan.garcia@um.es> Thu, 13 April 2017 22:45 UTC

From: Dan García Carrillo <dan.garcia@um.es>
In-Reply-To: <E2FA0FF2-57F4-489C-AC7A-5B9763DF655E@um.es>
Date: Fri, 14 Apr 2017 00:45:28 +0200
Cc: Dan García Carrillo <dan.garcia@um.es>
Message-Id: <CBF2A279-A163-4B0C-9F53-6EDD21511A7B@um.es>
References: <3e12961e-0ba7-f580-2837-1971e47e0840@ericsson.com> <E2FA0FF2-57F4-489C-AC7A-5B9763DF655E@um.es>
To: t2trg@irtf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/t2trg/JhiZkOO1Cx3fIMEgRQWHBdZQPGA>
Subject: Re: [T2TRG] Report from breakout on using application credentials to enable network access

Dear all: 

Regarding the topic of network access for IoT devices: we are currently working on that, using RADIUS and EAP. Concretely, we are using CoAP to transport EAP messages. The proposal is in draft-marin-ace-wg-coap-eap.

We have a functional prototype of the protocol for Contiki OS, and we have performed some tests comparing its performance to PANATIKI's implementation of the PANA protocol for Contiki OS, as shown in this article: http://www.mdpi.com/1424-8220/16/3/358

We are currently working on the concept of CoAP relay and proxy for network access authentication. 

Questions are welcome.
Best Regards,
Dan.
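Added example (not code from draft-marin-ace-wg-coap-eap or from the Contiki prototype described above): the framing step that "using CoAP to transport EAP messages" implies, in Python. An EAP-Request/Identity travels as the payload of a CoAP POST and the EAP-Response/Identity comes back in the piggybacked 2.04 ACK, and each side checks the RFC 7252 and RFC 3748 format rules before acting on what it received. The resource name /auth, the choice of the authenticator as the CoAP client, and the device identity string are assumptions made for this example, not the draft's design.

```python
# Added example (not code from draft-marin-ace-wg-coap-eap or the Contiki prototype): EAP packets
# (RFC 3748) carried as CoAP payloads (RFC 7252). Assumed here only: the EAP authenticator is the
# CoAP client and POSTs to a hypothetical "/auth" resource; the device answers in a piggybacked ACK.
import struct

EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
COAP_VERSION, COAP_CON, COAP_ACK = 1, 0, 2
COAP_POST, COAP_CHANGED = 0x02, 0x44          # codes 0.02 and 2.04
OPT_URI_PATH, OPT_CONTENT_FORMAT = 11, 12
CF_OCTET_STREAM = 42

def build_eap(code, identifier, type_=None, data=b""):
    """Code, Identifier, Length (whole packet); Type and Type-Data only on Request/Response."""
    body = b"" if type_ is None else bytes([type_]) + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def parse_eap(pkt):
    """Parse an EAP packet; a Length that does not fit the buffer means discard (RFC 3748 s4.1)."""
    if len(pkt) < 4:
        raise ValueError("EAP packet shorter than header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt) or code not in (1, 2, 3, 4) or (code <= 2 and length < 5):
        raise ValueError("bad EAP Code or Length")
    out = {"code": code, "identifier": ident, "type": None, "data": b""}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        out["type"], out["data"] = pkt[4], pkt[5:length]
    return out

def _opt_field(value):
    """Option delta/length nibble plus 1-byte extension (RFC 7252 s3.1); bytes() rejects values > 268."""
    return (value, b"") if value < 13 else (13, bytes([value - 13]))

def _ext(nib, msg, pos):
    """Resolve a delta/length nibble plus its 0, 1 or 2 extension bytes; returns (value, new_pos)."""
    n = {13: 1, 14: 2}.get(nib, 0)
    if nib == 15 or pos + n > len(msg):
        raise ValueError("reserved option nibble or truncated option header")
    return (nib if n == 0 else int.from_bytes(msg[pos:pos + n], "big") + (13, 269)[n - 1]), pos + n

def build_coap(msg_type, code, msg_id, token, options, payload):
    if len(token) > 8:
        raise ValueError("token longer than 8 bytes")
    out = bytearray(struct.pack("!BBH", (COAP_VERSION << 6) | (msg_type << 4) | len(token), code, msg_id)) + token
    last = 0
    for number, value in sorted(options):             # delta-encoded: emit in option-number order
        d, d_ext = _opt_field(number - last)
        l, l_ext = _opt_field(len(value))
        out += bytes([(d << 4) | l]) + d_ext + l_ext + value
        last = number
    if payload:
        out += b"\xff" + payload                       # marker only when a payload follows
    return bytes(out)

def parse_coap(msg):
    """Parse a CoAP message; the RFC 7252 s3 'message format error' cases raise ValueError."""
    if len(msg) < 4:
        raise ValueError("CoAP message shorter than header")
    b0, code, msg_id = struct.unpack("!BBH", msg[:4])
    tkl = b0 & 0x0F
    if b0 >> 6 != COAP_VERSION or tkl > 8 or len(msg) < 4 + tkl:
        raise ValueError("bad version, reserved TKL or truncated token")
    token, pos, number, options = msg[4:4 + tkl], 4 + tkl, 0, []
    while pos < len(msg) and msg[pos] != 0xFF:
        first = msg[pos]
        delta, pos = _ext(first >> 4, msg, pos + 1)
        length, pos = _ext(first & 0x0F, msg, pos)
        number += delta
        if pos + length > len(msg):
            raise ValueError("option value runs past end of message")
        options.append((number, msg[pos:pos + length]))
        pos += length
    if pos == len(msg) - 1:
        raise ValueError("payload marker followed by no payload")
    payload = msg[pos + 1:] if pos < len(msg) else b""
    return {"type": (b0 >> 4) & 3, "code": code, "msg_id": msg_id, "token": token,
            "options": options, "payload": payload}

def eap_identity_exchange(msg_id=0x1234, token=b"\x7a\x01", identity=b"toothbrush-0001@example"):
    """One EAP Identity round trip over CoAP, with the checks each side makes on receipt."""
    fmt = [(OPT_CONTENT_FORMAT, bytes([CF_OCTET_STREAM]))]
    # Authenticator -> device: CON POST /auth carrying EAP-Request/Identity, Identifier 1
    coap_req = build_coap(COAP_CON, COAP_POST, msg_id, token, [(OPT_URI_PATH, b"auth")] + fmt,
                          build_eap(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
    # Device: accept only a POST to the EAP resource, then echo the Identifier in its Response
    req = parse_coap(coap_req)
    if req["code"] != COAP_POST or (OPT_URI_PATH, b"auth") not in req["options"]:
        raise ValueError("not an EAP lower-layer request")
    inner = parse_eap(req["payload"])
    if (inner["code"], inner["type"]) != (EAP_REQUEST, EAP_TYPE_IDENTITY):
        raise ValueError("expected EAP-Request/Identity")
    coap_resp = build_coap(COAP_ACK, COAP_CHANGED, req["msg_id"], req["token"], fmt,
                           build_eap(EAP_RESPONSE, inner["identifier"], EAP_TYPE_IDENTITY, identity))
    # Authenticator: bind the ACK to the outstanding request before trusting the EAP Response
    resp = parse_coap(coap_resp)
    if (resp["type"], resp["msg_id"], resp["token"]) != (COAP_ACK, msg_id, token):
        raise ValueError("response does not match outstanding request")
    answer = parse_eap(resp["payload"])
    if (answer["code"], answer["identifier"]) != (EAP_RESPONSE, inner["identifier"]):
        raise ValueError("EAP Response must echo the Request Identifier (RFC 3748 s4.1)")
    return {"request_wire": coap_req, "response_wire": coap_resp, "eap_request": inner, "eap_response": answer}
```

The two parsers turn every case RFC 7252 calls a message format error (reserved token length, reserved option nibble 15, an option value running past the message, a payload marker with nothing after it) and the RFC 3748 rule that a Length not fitting the buffer means discard into a ValueError, so a lower layer built on them never hands a truncated or oversized EAP packet to the EAP state machine. The authenticator also matches Message ID and token before it parses the EAP Response, which keeps a stray or replayed ACK from being taken as the answer to a different request.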


>> From: Mohit Sethi <mohit.m.sethi@ericsson.com>
>> Date: 13 April 2017, 10:41:16 CEST
>> To: "t2trg@irtf.org" <T2TRG@irtf.org>
>> Subject: [T2TRG] Report from breakout on using application credentials to enable network access
>> 
>> Topic: Use of application credentials for enabling network access (and vice-versa).
>> 
>> Participants (15 active): Erik Nordmark (note taker), Mohit Sethi (breakout leader), Thorsten Dahm, Donald Eastlake, Behcet Sarikaya, Demir Rakanovic, Phillip Hallam-Baker, Grace Lewis, Ludwig Seitz, Muhhamad Sajjad, Jari Arkko, Laurent Toutain, Hitoshi Asaeda, Francesca Palombini, Stephen Kraiman.
>> 
>> Summary and Conclusions from breakout:
>> 
>> 1. It can be useful to enable network access for IoT devices using application credentials: This leads to less configuration work for the user of a new IoT device, which is especially beneficial since the devices often have limited UI. Think of a new IoT toothbrush that you have just purchased. You bring it home and register it with the manufacturer (by reading a serial number or public key, scanning a QR code, etc.). It would be nice if the manufacturer could then tell the Access Point (AP) at the user's home to enable limited Internet connectivity for the device.
>> 
>> 2. Interesting to investigate if we can reverse the direction of enabling network access: Instead of adding software and hardware complexity in the devices themselves, it would make sense to simply put the dumb IoT devices at the desired location and then enable access from a server which is more resourceful.
>> 
>> 3. Isolation: It would also be smart to put the IoT devices in separate VLANs. When the device is authenticated as an IoT device it should be put in its separate VLAN so that it has limited connectivity to only a couple of services (such as calling home for software updates, etc.).
>> 
>> 4. Scaling this to 1000s or 10k devices can be a challenge. This also relates to the fact that enterprise scenarios are very different from the home scenarios. Enterprises may not want to delegate network access authentication to an external third party (such as the IoT device manufacturer).
>> 
>> 5. Revoking network access should be secure and simple. For example, if one of the IoT devices is lost or sold, it shouldn't require you to change the network-access credentials for all the devices.
>> 
>> 
>> Possible Research work: Can we use existing protocols (802.1X/RADIUS/Diameter) for enabling such network access based on application credentials?
>> 
>> --Mohit
>> 
>> PS: Participants from the breakout are welcome to correct if there are errors or there is something I missed. Comments from the group are welcome.
>> 
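Point 3 of the breakout (a separate VLAN with connectivity to only a couple of services) and the closing research question (reusing 802.1X/RADIUS) meet in a handful of standard RADIUS attributes. The following is an added example, not code from the breakout or from any participant: it builds the Access-Accept a RADIUS server would return for an authenticated IoT device, carrying the RFC 3580 VLAN-assignment tunnel attributes and a Filter-Id, protected by the RFC 3579 Message-Authenticator and the RFC 2865 Response Authenticator, and then the NAS-side verification a switch or AP must pass before acting on those attributes. The shared secret, VLAN number 20 and the ACL name iot-restricted are constructed for this example.

```python
# Added example (not from the breakout or any product): the RADIUS Access-Accept a server returns for
# an authenticated IoT device, assigning it a VLAN (RFC 3580 s3.31 tunnel attributes, RFC 2868 format)
# and a NAS-local filter, authenticated per RFC 2865 s3 and RFC 3579 s3.2. The secret, VLAN 20 and the
# Filter-Id name "iot-restricted" are constructed for this example.
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_FILTER_ID, ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE = 11, 64, 65
ATTR_MESSAGE_AUTHENTICATOR, ATTR_TUNNEL_PRIVATE_GROUP_ID = 80, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE802 = 13, 6

def attr(type_, value):
    """Type, Length (header included), Value (RFC 2865 s5); Value is at most 253 bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return bytes([type_, 2 + len(value)]) + value

def tagged_attr(type_, tag, value):
    """RFC 2868 tagged attribute: a one-byte Tag (0..31, 0 meaning untagged) precedes the value."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    return attr(type_, bytes([tag]) + value)

def vlan_attributes(vlan_id, tag=0):
    """The three attributes a NAS needs to put the port or association into a VLAN (RFC 3580 s3.31)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID outside 802.1Q range")
    return [tagged_attr(ATTR_TUNNEL_TYPE, tag, struct.pack("!I", TUNNEL_TYPE_VLAN)[1:]),        # 3-byte integer
            tagged_attr(ATTR_TUNNEL_MEDIUM_TYPE, tag, struct.pack("!I", TUNNEL_MEDIUM_IEEE802)[1:]),
            tagged_attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode())]          # VLAN ID as text

def build_access_accept(identifier, request_auth, secret, attributes):
    """Server side: add Message-Authenticator, then compute the Response Authenticator over the result."""
    if len(request_auth) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = b"".join(attributes) + attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    if 20 + len(attrs) > 4096:
        raise ValueError("RADIUS packet too long")
    hdr = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # RFC 3579 s3.2: HMAC-MD5 over Code|ID|Length|RequestAuth|Attributes with the MAC field zeroed
    mac = hmac.new(secret, hdr + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    # RFC 2865 s3: ResponseAuth = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)
    return hdr + hashlib.md5(hdr + request_auth + attrs + secret).digest() + attrs

def verify_access_accept(pkt, request_auth, secret):
    """NAS side: authenticate the packet first; only then read the VLAN and filter it carries."""
    if len(pkt) < 20:
        raise ValueError("RADIUS packet shorter than header")
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_ACCEPT or length != len(pkt):
        raise ValueError("not an Access-Accept, or Length does not match the datagram")
    attrs = pkt[20:]
    expected = hashlib.md5(pkt[:4] + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(pkt[4:20], expected):
        raise ValueError("Response Authenticator mismatch: wrong secret or forged packet")
    parsed, pos, mac_pos = {}, 0, None
    while pos < len(attrs):
        if pos + 2 > len(attrs) or attrs[pos + 1] < 2 or pos + attrs[pos + 1] > len(attrs):
            raise ValueError("malformed attribute")
        t, l = attrs[pos], attrs[pos + 1]
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            mac_pos = pos + 2
        parsed[t] = attrs[pos + 2:pos + l]
        pos += l
    if mac_pos is None or len(parsed[ATTR_MESSAGE_AUTHENTICATOR]) != 16:
        raise ValueError("Message-Authenticator missing or malformed (required with EAP, RFC 3579)")
    zeroed = attrs[:mac_pos] + bytes(16) + attrs[mac_pos + 16:]
    mac = hmac.new(secret, pkt[:4] + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, attrs[mac_pos:mac_pos + 16]):
        raise ValueError("Message-Authenticator mismatch")
    # All three tunnel attributes must be present and share a tag (RFC 3580 s3.31)
    tt, tm, tg = (parsed.get(k) for k in (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID))
    if None in (tt, tm, tg) or not (tt[0] == tm[0] == tg[0] <= 0x1F):
        raise ValueError("incomplete or inconsistently tagged VLAN assignment")
    if tt[1:] != b"\x00\x00\x0d" or tm[1:] != b"\x00\x00\x06":
        raise ValueError("tunnel attributes do not describe an IEEE 802 VLAN")
    vlan = int(tg[1:].decode("ascii"))
    if not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID outside 802.1Q range")
    filter_id = parsed.get(ATTR_FILTER_ID)
    return {"vlan": vlan, "filter_id": filter_id.decode("utf-8") if filter_id else None}
```

The verifier checks the Response Authenticator before it walks a single attribute, so a forged or replayed Accept never reaches the VLAN-assignment logic, and it refuses an Accept that lacks the Message-Authenticator, which RFC 3579 makes mandatory whenever EAP is in play because the Response Authenticator alone is only an MD5 over the shared secret. Per-device credentials on the server side are what make point 5 of the breakout cheap: revoking one lost or sold device is a matter of the server no longer issuing this Accept for it, with no change to any other device.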