Re: [T2TRG] Report from breakout on using application credentials to enable network access

Hannes Tschofenig <hannes.tschofenig@gmx.net> Fri, 14 April 2017 11:56 UTC

To: Mohit Sethi <mohit.m.sethi@ericsson.com>, "t2trg@irtf.org" <T2TRG@irtf.org>
References: <3e12961e-0ba7-f580-2837-1971e47e0840@ericsson.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <5a23e759-e152-932f-c720-f6dbc20a0dc4@gmx.net>
Date: Fri, 14 Apr 2017 13:55:58 +0200
In-Reply-To: <3e12961e-0ba7-f580-2837-1971e47e0840@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/t2trg/PGY_JIwWL5f_SGcmEttOEmWEUmU>

Hi Mohit,

thanks for the writeup.

A few remarks inline:

On 04/13/2017 10:41 AM, Mohit Sethi wrote:
> Topic: Use of application credentials for enabling network access (and
> vice-versa).
> 
> Participants (15 active): Erik Nordmark (note taker), Mohit Sethi
> (breakout leader), Thorsten Dahm, Donald Eastlake, Behcet Sarikaya,
> Demir Rakanovic, Phillip Hallam-Baker, Grace Lewis, Ludwig Seitz,
> Muhhamad Sajjad, Jari Arkko, Laurent Toutain, Hitoshi Asaeda, Francesca
> Palombini, Stephen Kraiman.
> 
> Summary and Conclusions from breakout:
> 
> 1. It can be useful to enable network access for IoT devices using
> application credentials: This leads to less configuration work for the
> user of a new IoT device which is especially beneficial since the
> devices often have limited UI. Think of a new IoT toothbrush that you
> have just purchased. You bring it home and register it with the
> manufacturer (by reading a serial number/public key/scanning QR code
> etc.). It would be nice if the manufacturer can then tell the Access
> Point (AP) at the user's home to enable limited Internet connectivity for
> the device.

While this would be nice, it is almost impossible to deploy.
Since OEMs, device vendors and network operators all have to do their
deployment at the same time to make this happen, it is an uphill battle.

Furthermore, neither home users, enterprises, nor industrial IoT
deployments will allow external parties to configure their network.

> 
> 2. Interesting to investigate if we can reverse the direction of
> enabling network-access: Instead of adding software and hardware
> complexity in the devices themselves, it would make sense to simply put the
> dumb IoT devices at the desired location and then enable access from a
> server which is more resourceful.

Where would this server be?

Note that the story for network access varies hugely between different
connectivity technologies.

> 
> 3. Isolation: It would also be smart to put the IoT devices in separate
> VLANs. When the device is authenticated as an IoT device it should be
> put in its separate VLAN so that it has limited connectivity to only a
> couple of services (such as calling home for software update etc).

Sounds useful but would require some management overhead, which is most
likely only justified in an enterprise network. I can hardly imagine how
home users would configure such isolation, or what benefits it would give
them (since their networks are rather small).

> 
> 4. Scaling this to 1000s or 10k devices can be a challenge. This also
> relates to the fact that enterprise scenarios are very different from
> the home scenarios. Enterprises may not want to delegate network access
> authentication to an external third party (such as the IoT device
> manufacturer).

When you say "this" what do you refer to?

> 
> 5. Revoking network access should be secure and simple. For example, if
> one of the IoT devices is lost or sold, it shouldn't require you to
> change the network-access credentials for all the devices.

This is not necessarily a technology challenge since we have all the
necessary mechanisms in place. Unfortunately, many home networks use a
somewhat simplistic credential configuration mechanism with class keys.

> 
> 
> Possible Research work: Can we use existing protocols
> (802.1x/RADIUS/DIAMETER) for enabling such network access based on
> application credentials?

I am sure we could work it out but I am less sure there is interest to
deploy it (from an incentive, business model, security, etc. point of
view).

Ciao
Hannes

> 
> --Mohit
> 
> PS: Participants from the breakout are welcome to correct if there are
> errors or there is something I missed. Comments from the group are welcome.
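As an added illustration, not part of the original thread or the breakout report, the following Python sketch models the two credential arrangements that points 3 and 5 above revolve around: a single "class key" that every device presents (the simplistic home-network case), and a per-device credential verified by an authentication server that also chooses the VLAN for the authenticated device. The device names, the VLAN numbers and the HMAC challenge-response exchange are assumptions of this example, not anything the breakout or an actual 802.1X/RADIUS deployment specified; the point it makes concrete is that revoking one device costs nothing for the others only when each device holds its own credential.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# VLAN numbers are constructed for this example; a real deployment picks its own.
TRUSTED_VLAN = 10
IOT_VLAN = 20


@dataclass
class Decision:
    accepted: bool
    vlan: Optional[int] = None
    reason: str = ""


class SharedKeyNetwork:
    """Model of the 'class key' case: every device presents the same pre-shared key."""

    def __init__(self) -> None:
        self.psk = secrets.token_bytes(32)
        self.devices: Set[str] = set()

    def join(self, device_id: str) -> bytes:
        self.devices.add(device_id)
        return self.psk  # every device receives an identical secret

    def authenticate(self, presented: bytes) -> Decision:
        if hmac.compare_digest(presented, self.psk):
            return Decision(True, vlan=TRUSTED_VLAN)  # no per-device identity, so no per-device VLAN
        return Decision(False, reason="bad key")

    def revoke(self, device_id: str) -> int:
        """Locking out one device forces a key rotation; returns how many other devices must be reconfigured."""
        self.devices.discard(device_id)
        self.psk = secrets.token_bytes(32)
        return len(self.devices)


class PerDeviceAuthServer:
    """Model of an authentication server (RADIUS-style backend) holding one credential per device."""

    def __init__(self) -> None:
        self._creds: Dict[str, Tuple[bytes, str]] = {}  # device_id -> (secret, device class)
        self._revoked: Set[str] = set()
        self._outstanding: Set[bytes] = set()  # challenges issued but not yet answered

    def enroll(self, device_id: str, device_class: str) -> bytes:
        secret = secrets.token_bytes(32)  # unique secret per device
        self._creds[device_id] = (secret, device_class)
        return secret

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def authenticate(self, device_id: str, nonce: bytes, response: bytes) -> Decision:
        if nonce not in self._outstanding:
            return Decision(False, reason="unknown or replayed challenge")
        self._outstanding.discard(nonce)  # each challenge is single-use
        if device_id in self._revoked:
            return Decision(False, reason="revoked")
        entry = self._creds.get(device_id)
        if entry is None:
            return Decision(False, reason="unknown device")
        secret, device_class = entry
        if not hmac.compare_digest(device_response(secret, device_id, nonce), response):
            return Decision(False, reason="bad response")
        # The authenticated identity decides VLAN placement (breakout point 3).
        return Decision(True, vlan=IOT_VLAN if device_class == "iot" else TRUSTED_VLAN)

    def revoke(self, device_id: str) -> int:
        """Revoke one device; no other device is touched, so 0 devices need reconfiguration."""
        self._revoked.add(device_id)
        return 0


def device_response(secret: bytes, device_id: str, nonce: bytes) -> bytes:
    """What the device computes from its own secret and the server's challenge."""
    return hmac.new(secret, device_id.encode() + nonce, hashlib.sha256).digest()


def run_scenario() -> dict:
    """Enroll a toothbrush and a laptop, revoke the toothbrush, compare both models."""
    shared = SharedKeyNetwork()
    for dev in ("toothbrush", "laptop", "tv"):
        shared.join(dev)
    shared_reconfig = shared.revoke("toothbrush")  # the other two devices need the new key

    server = PerDeviceAuthServer()
    brush_secret = server.enroll("toothbrush", "iot")
    laptop_secret = server.enroll("laptop", "trusted")

    n = server.challenge()
    brush_before = server.authenticate("toothbrush", n, device_response(brush_secret, "toothbrush", n))
    replay = server.authenticate("toothbrush", n, device_response(brush_secret, "toothbrush", n))

    per_device_reconfig = server.revoke("toothbrush")
    n = server.challenge()
    brush_after = server.authenticate("toothbrush", n, device_response(brush_secret, "toothbrush", n))
    n = server.challenge()
    laptop_after = server.authenticate("laptop", n, device_response(laptop_secret, "laptop", n))

    return {
        "shared_key_devices_to_reconfigure": shared_reconfig,
        "per_device_devices_to_reconfigure": per_device_reconfig,
        "brush_vlan_before_revocation": brush_before.vlan,
        "replay_rejected": not replay.accepted,
        "brush_after_revocation": brush_after.reason,
        "laptop_vlan_after_revocation": laptop_after.vlan,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the script shows the asymmetry directly: with the shared key, revoking the toothbrush leaves two devices to reconfigure, while the per-device server revokes it with zero reconfiguration and keeps the laptop on its trusted VLAN with its unchanged secret. The single-use challenge set is there because an authentication server that accepts a recorded response would make the per-device credential no better than a shared one.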