IETF Logo Mail Archive

Re: [T2TRG] RESTful Design & Security

"Simpson, Robby (GE Energy Connections)" <robby.simpson@ge.com> Tue, 07 March 2017 19:47 UTC

Return-Path: <robby.simpson@ge.com>
X-Original-To: t2trg@ietfa.amsl.com
Delivered-To: t2trg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E240A12943D for <t2trg@ietfa.amsl.com>; Tue, 7 Mar 2017 11:47:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.47
X-Spam-Level:
X-Spam-Status: No, score=0.47 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, KHOP_DYNAMIC=1.08, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Wd7ST06CT66G for <t2trg@ietfa.amsl.com>; Tue, 7 Mar 2017 11:47:19 -0800 (PST)
Received: from mx0a-00176a03.pphosted.com (mx0b-00176a03.pphosted.com [67.231.157.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94E00129426 for <T2TRG@irtf.org>; Tue, 7 Mar 2017 11:47:19 -0800 (PST)
Received: from pps.filterd (m0048206.ppops.net [127.0.0.1]) by m0048206.ppops.net-00176a03. (8.16.0.20/8.16.0.20) with SMTP id v27JhNWA037651 for <T2TRG@irtf.org>; Tue, 7 Mar 2017 14:47:16 -0500
From: "Simpson, Robby (GE Energy Connections)" <robby.simpson@ge.com>
To: "Kovatsch, Matthias" <matthias.kovatsch@siemens.com>, "hannes.tschofenig@gmx.net" <hannes.tschofenig@gmx.net>, "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>
Thread-Topic: [T2TRG] RESTful Design & Security
Thread-Index: AQHSl3orfKb6ZYt5XUa+CpMeNeBpv6GJdGmA
Date: Tue, 07 Mar 2017 19:47:04 +0000
Message-ID: <0216378E-8976-4D4E-A307-AEE5FD00BDA6@GE.com>
References: <c15a387f-9dd3-987e-2901-b86fd8f60108@gmx.net> <10144.1488908366@obiwan.sandelman.ca> <952c4a16-174f-2457-1f11-8f733e738f90@gmx.net> <4EBB3DDD0FBF694CA2A87838DF129B3C01AA2F98@DEFTHW99EL4MSX.ww902.siemens.net> <558bae1a-ff84-9fb3-c6bf-021f492e9a04@gmx.net> <4EBB3DDD0FBF694CA2A87838DF129B3C01AA313F@DEFTHW99EL4MSX.ww902.siemens.net>
In-Reply-To: <4EBB3DDD0FBF694CA2A87838DF129B3C01AA313F@DEFTHW99EL4MSX.ww902.siemens.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.1f.0.170216
authentication-results: siemens.com; dkim=none (message not signed) header.d=none;siemens.com; dmarc=none action=none header.from=ge.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [205.173.88.26]
x-ms-office365-filtering-correlation-id: 2e57d109-8ff0-48d6-8dbe-08d46592bb4a
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:(22001);SRVR:DM3P101MB0089;
x-microsoft-exchange-diagnostics: 1; DM3P101MB0089; 7:uSWM5lCsCpllDiJkTH47XnAANZAER7LZgsnC9h1rweg/Bwx6HI+7eXb8uwWdlrMKIdKJJI4vb91gC5M9o6HE9E+YEDwYVXR08ns3P1GGIN526DIYHOmknhoAZazBZPl7qAYiNhb180PDAHbBlAGubP5kD4ic940Th80I/8dIS97ob8XhPFLaowjYeY3pypy4Mgw2U/YJBBRqYba7Dy1/X1GiRgTmGVRv8aLEoXRXsjOilMUG5GU2+K386K/5V6yA3CNsdaVaQSjPVG+nwLVSMJt7ZxwzlVFWF37TkOh5yUVK0I5oCHphxG1IgxWhLfW04EL8JDZI2yGqURnppGu8mQ==
x-microsoft-antispam-prvs: <DM3P101MB008985B2EB38EEC21A659ABE882F0@DM3P101MB0089.NAMP101.PROD.OUTLOOK.COM>
x-exchange-antispam-report-test: UriScan:(10436049006162)(192374486261705)(248736688235697)(106981052589767)(126837547833334)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6041248)(20161123564025)(20161123558025)(20161123560025)(20161123555025)(20161123562025)(6072148); SRVR:DM3P101MB0089; BCL:0; PCL:0; RULEID:; SRVR:DM3P101MB0089;
x-forefront-prvs: 0239D46DB6
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39450400003)(39830400002)(39410400002)(377454003)(24454002)(13464003)(6512007)(66066001)(7736002)(236005)(54896002)(53936002)(2950100002)(6306002)(38730400002)(6246003)(3846002)(5660300001)(6116002)(102836003)(33656002)(2906002)(15650500001)(229853002)(122556002)(8676002)(83716003)(8936002)(3280700002)(6506006)(606005)(82746002)(6436002)(6486002)(83506001)(50986999)(54356999)(2501003)(76176999)(36756003)(93886004)(4001350100001)(2900100001)(3660700001)(86362001)(53546006)(106116001)(4326008)(189998001)(7110500001)(2420400007)(7906003); DIR:OUT; SFP:1102; SCL:1; SRVR:DM3P101MB0089; H:DM3P101MB0089.NAMP101.PROD.OUTLOOK.COM; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_0216378E89764D4EA307AEE5FD00BDA6GEcom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Mar 2017 19:47:04.5438 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 15ccb6d1-d335-4996-b6f9-7b6925f08121
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM3P101MB0089
X-OriginatorOrg: ge.com
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2017-03-07_15:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 suspectscore=0 malwarescore=0 phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1702020001 definitions=main-1703070155
Archived-At: <https://mailarchive.ietf.org/arch/msg/t2trg/MWpURkWckSSs_WF7C1pDauv3wYU>
Cc: "T2TRG@irtf.org" <T2TRG@irtf.org>
Subject: Re: [T2TRG] RESTful Design & Security
X-BeenThere: t2trg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IRTF Thing-to-Thing \(T2T\) Research-Group-in-creation" <t2trg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/t2trg>, <mailto:t2trg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/t2trg/>
List-Post: <mailto:t2trg@irtf.org>
List-Help: <mailto:t2trg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/t2trg>, <mailto:t2trg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 19:47:21 -0000

Personally, I’m a big fan of end-to-end and think that is the correct approach.

However, pragmatically, I realize this is not always possible.

I haven’t followed it for a while, but there was some activity in httpbis at one point for resource/object-level security (https://tools.ietf.org/wg/httpbis/draft-ietf-httpbis-encryption-encoding/).  If we limit the discussion to protocols that support content codings (e.g., HTTP and CoAP), then I would think defining a coding that specifies the resource-level security aspects would achieve quite a lot and would be able to preserve aspects through protocol conversion.

- Robby


Robby Simpson, PhD
System Architect
GE
Grid Solutions
M: +1 404 219 1851
Robby.Simpson@GE.com


From: T2TRG <t2trg-bounces@irtf.org> on behalf of "Kovatsch, Matthias" <matthias.kovatsch@siemens.com>
Date: Tuesday, March 7, 2017 at 2:36 PM
To: "hannes.tschofenig@gmx.net" <hannes.tschofenig@gmx.net>, "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>
Cc: "T2TRG@irtf.org" <T2TRG@irtf.org>
Subject: EXT: Re: [T2TRG] RESTful Design & Security

Fair enough.

Yes, I am on this IoT Directorate. I would say a large fraction of the T2TRG participants has been arguing that the Internet of Gateways is not a good approach. Your security-related summary proves this point.

I personally don't see end-to-end security happening if we keep mixing application protocols, keep using black-magic middleboxes, and keep using proprietary interfaces at the device level. We need something end-to-end (or T2T) for end-to-end security.

Best wishes
Matthias



Sent from my phone, limitations might apply.

-----Original Message-----
From: Hannes Tschofenig [hannes.tschofenig@gmx.net]
Received: Tuesday, 07 Mar 2017, 20:10
To: Kovatsch, Matthias (CT RDA NEC EMB-DE) [matthias.kovatsch@siemens.com]; mcr+ietf@sandelman.ca [mcr+ietf@sandelman.ca]
CC: T2TRG@irtf.org [T2TRG@irtf.org]
Subject: Re: [T2TRG] RESTful Design & Security
Hi Matthias,

I know that this is a research group and everyone can create whatever
they want.

We briefly talked about security at the IoT directorate conference call
and I would be interesting to hear what works and what does not work for
others.

Ciao
Hannes


On 03/07/2017 07:45 PM, Kovatsch, Matthias wrote:
> On big propaganda tour? :P
>
> Regards
> Matthias
>
>
> Sent from my phone, limitations might apply.
>
> -----Original Message-----
> *From:* Hannes Tschofenig [hannes.tschofenig@gmx.net]
> *Received:* Tuesday, 07 Mar 2017, 19:39
> *To:* Michael Richardson [mcr+ietf@sandelman.ca]
> *CC:* t2trg@irtf.org [T2TRG@irtf.org]
> *Subject:* Re: [T2TRG] RESTful Design & Security
>
> OSCOAP does not work when
>
> * you mix protocols,
> * use a middlebox for some processing interactions (such as data
> aggregation), and
> * when one of the protocols is a non-RESTful protocol, such as BLE or MQTT.
>
> Unfortunately, these the use cases we are facing in current IoT
> deployments. For similar reasons we cannot use RFC 8075 either.
>
> Maybe you are seeing different deployment environments.
>
> Ciao
> Hannes
>
> On 03/07/2017 06:39 PM, Michael Richardson wrote:
>>
>> Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>     > Needless to say that these challenges have also been observed in other
>>     > protocols as well, such as HTTP and even SIP.
>>
>>     > What is the story for providing application layer security?
>>
>> OSCOAP seems to be end-to-end to me.
>>
>> --
>> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>>  -= IPv6 IoT consulting =-
>>
>>
>>
>
>
>
> _______________________________________________
> T2TRG mailing list
> T2TRG@irtf.org
> https://www.irtf.org/mailman/listinfo/t2trg<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.irtf.org_mailman_listinfo_t2trg&d=DwMF-g&c=IV_clAzoPDE253xZdHuilRgztyh_RiV3wUrLrDQYWSI&r=4w13vdCVEUj_vaCSQNdKRf25O0P4iaVn04ElXLrB_ak&m=k7IqC4lOSBeG5yZT3lwAYgfq7isPTJ1x7lhosU4sI0U&s=6FyGiDTW-U31FpvuMwpkVdhppH4XLcvlAPPiMqvTUIo&e=>
>

v2.23.0 | Report a Bug | By Email