IETF Logo Mail Archive

Re: [T2TRG] RESTful Design & Security

"Kovatsch, Matthias" <matthias.kovatsch@siemens.com> Tue, 07 March 2017 20:02 UTC

Return-Path: <matthias.kovatsch@siemens.com>
X-Original-To: t2trg@ietfa.amsl.com
Delivered-To: t2trg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D7D1B129569 for <t2trg@ietfa.amsl.com>; Tue, 7 Mar 2017 12:02:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.929
X-Spam-Level:
X-Spam-Status: No, score=-4.929 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RHDkhG6G--Q2 for <t2trg@ietfa.amsl.com>; Tue, 7 Mar 2017 12:02:33 -0800 (PST)
Received: from david.siemens.de (david.siemens.de [192.35.17.14]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 20F49129531 for <T2TRG@irtf.org>; Tue, 7 Mar 2017 12:02:32 -0800 (PST)
Received: from mail2.sbs.de (mail2.sbs.de [192.129.41.66]) by david.siemens.de (8.15.2/8.15.2) with ESMTPS id v27K2Qb6030624 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Tue, 7 Mar 2017 21:02:26 +0100
Received: from DEFTHW99ERGMSX.ww902.siemens.net (defthw99ergmsx.ww902.siemens.net [139.22.70.132]) by mail2.sbs.de (8.15.2/8.15.2) with ESMTPS id v27K2Pfx027112 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Tue, 7 Mar 2017 21:02:25 +0100
Received: from DENBGAT9ERRMSX.ww902.siemens.net (139.22.70.197) by DEFTHW99ERGMSX.ww902.siemens.net (139.22.70.132) with Microsoft SMTP Server (TLS) id 14.3.339.0; Tue, 7 Mar 2017 21:02:25 +0100
Received: from DEFTHW99EL4MSX.ww902.siemens.net ([169.254.5.206]) by DENBGAT9ERRMSX.ww902.siemens.net ([139.22.70.197]) with mapi id 14.03.0339.000; Tue, 7 Mar 2017 21:02:25 +0100
From: "Kovatsch, Matthias" <matthias.kovatsch@siemens.com>
To: "hannes.tschofenig@gmx.net" <hannes.tschofenig@gmx.net>, "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>, "robby.simpson@ge.com" <robby.simpson@ge.com>
Thread-Topic: [T2TRG] RESTful Design & Security
Thread-Index: AQHSlpshLU+67EadNU+/wTUKb0HGTaGJlY0AgAAQwgCAABJb3v//9luAgAAYCfz///IoAIAAFQ0g
Date: Tue, 07 Mar 2017 20:02:24 +0000
Message-ID: <4EBB3DDD0FBF694CA2A87838DF129B3C01AA3219@DEFTHW99EL4MSX.ww902.siemens.net>
References: <c15a387f-9dd3-987e-2901-b86fd8f60108@gmx.net> <10144.1488908366@obiwan.sandelman.ca> <952c4a16-174f-2457-1f11-8f733e738f90@gmx.net> <4EBB3DDD0FBF694CA2A87838DF129B3C01AA2F98@DEFTHW99EL4MSX.ww902.siemens.net> <558bae1a-ff84-9fb3-c6bf-021f492e9a04@gmx.net> <4EBB3DDD0FBF694CA2A87838DF129B3C01AA313F@DEFTHW99EL4MSX.ww902.siemens.net>, <0216378E-8976-4D4E-A307-AEE5FD00BDA6@GE.com>
In-Reply-To: <0216378E-8976-4D4E-A307-AEE5FD00BDA6@GE.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: multipart/alternative; boundary="_000_4EBB3DDD0FBF694CA2A87838DF129B3C01AA3219DEFTHW99EL4MSXw_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/t2trg/i9NXR8Kbo7S1zYtKb4Zmk3lJUxI>
Cc: "T2TRG@irtf.org" <T2TRG@irtf.org>
Subject: Re: [T2TRG] RESTful Design & Security
X-BeenThere: t2trg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IRTF Thing-to-Thing \(T2T\) Research-Group-in-creation" <t2trg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/t2trg>, <mailto:t2trg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/t2trg/>
List-Post: <mailto:t2trg@irtf.org>
List-Help: <mailto:t2trg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/t2trg>, <mailto:t2trg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 20:02:36 -0000

Yes, that sounds very reasonable. It does include changing the (end-)devices to support this new approach.

In the W3C Web of Things, we have the idea to retrofit information such as encoding and security aspects through interface descriptions that can be used across multiple IoT protocols (WoT Thing Description). Still it requires to upgrade what is accepted and served by the devices within the protocol used...

Ciao
Matthias


Sent from my phone, limitations might apply.

-----Original Message-----
From: Simpson, Robby (GE Energy Connections) [robby.simpson@ge.com]
Received: Tuesday, 07 Mar 2017, 20:47
To: Kovatsch, Matthias (CT RDA NEC EMB-DE) [matthias.kovatsch@siemens.com]; hannes.tschofenig@gmx.net [hannes.tschofenig@gmx.net]; mcr+ietf@sandelman.ca [mcr+ietf@sandelman.ca]
CC: T2TRG@irtf.org [T2TRG@irtf.org]
Subject: Re: [T2TRG] RESTful Design & Security

Personally, I’m a big fan of end-to-end and think that is the correct approach.

However, pragmatically, I realize this is not always possible.

I haven’t followed it for a while, but there was some activity in httpbis at one point for resource/object-level security (https://tools.ietf.org/wg/httpbis/draft-ietf-httpbis-encryption-encoding/).  If we limit the discussion to protocols that support content codings (e.g., HTTP and CoAP), then I would think defining a coding that specifies the resource-level security aspects would achieve quite a lot and would be able to preserve aspects through protocol conversion.

- Robby


Robby Simpson, PhD
System Architect
GE
Grid Solutions
M: +1 404 219 1851
Robby.Simpson@GE.com


From: T2TRG <t2trg-bounces@irtf.org> on behalf of "Kovatsch, Matthias" <matthias.kovatsch@siemens.com>
Date: Tuesday, March 7, 2017 at 2:36 PM
To: "hannes.tschofenig@gmx.net" <hannes.tschofenig@gmx.net>, "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>
Cc: "T2TRG@irtf.org" <T2TRG@irtf.org>
Subject: EXT: Re: [T2TRG] RESTful Design & Security

Fair enough.

Yes, I am on this IoT Directorate. I would say a large fraction of the T2TRG participants has been arguing that the Internet of Gateways is not a good approach. Your security-related summary proves this point.

I personally don't see end-to-end security happening if we keep mixing application protocols, keep using black-magic middleboxes, and keep using proprietary interfaces at the device level. We need something end-to-end (or T2T) for end-to-end security.

Best wishes
Matthias



Sent from my phone, limitations might apply.

-----Original Message-----
From: Hannes Tschofenig [hannes.tschofenig@gmx.net]
Received: Tuesday, 07 Mar 2017, 20:10
To: Kovatsch, Matthias (CT RDA NEC EMB-DE) [matthias.kovatsch@siemens.com]; mcr+ietf@sandelman.ca [mcr+ietf@sandelman.ca]
CC: T2TRG@irtf.org [T2TRG@irtf.org]
Subject: Re: [T2TRG] RESTful Design & Security
Hi Matthias,

I know that this is a research group and everyone can create whatever
they want.

We briefly talked about security at the IoT directorate conference call
and I would be interesting to hear what works and what does not work for
others.

Ciao
Hannes


On 03/07/2017 07:45 PM, Kovatsch, Matthias wrote:
> On big propaganda tour? :P
>
> Regards
> Matthias
>
>
> Sent from my phone, limitations might apply.
>
> -----Original Message-----
> *From:* Hannes Tschofenig [hannes.tschofenig@gmx.net]
> *Received:* Tuesday, 07 Mar 2017, 19:39
> *To:* Michael Richardson [mcr+ietf@sandelman.ca]
> *CC:* t2trg@irtf.org [T2TRG@irtf.org]
> *Subject:* Re: [T2TRG] RESTful Design & Security
>
> OSCOAP does not work when
>
> * you mix protocols,
> * use a middlebox for some processing interactions (such as data
> aggregation), and
> * when one of the protocols is a non-RESTful protocol, such as BLE or MQTT.
>
> Unfortunately, these the use cases we are facing in current IoT
> deployments. For similar reasons we cannot use RFC 8075 either.
>
> Maybe you are seeing different deployment environments.
>
> Ciao
> Hannes
>
> On 03/07/2017 06:39 PM, Michael Richardson wrote:
>>
>> Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>>     > Needless to say that these challenges have also been observed in other
>>     > protocols as well, such as HTTP and even SIP.
>>
>>     > What is the story for providing application layer security?
>>
>> OSCOAP seems to be end-to-end to me.
>>
>> --
>> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>>  -= IPv6 IoT consulting =-
>>
>>
>>
>
>
>
> _______________________________________________
> T2TRG mailing list
> T2TRG@irtf.org
> https://www.irtf.org/mailman/listinfo/t2trg<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.irtf.org_mailman_listinfo_t2trg&d=DwMF-g&c=IV_clAzoPDE253xZdHuilRgztyh_RiV3wUrLrDQYWSI&r=4w13vdCVEUj_vaCSQNdKRf25O0P4iaVn04ElXLrB_ak&m=k7IqC4lOSBeG5yZT3lwAYgfq7isPTJ1x7lhosU4sI0U&s=6FyGiDTW-U31FpvuMwpkVdhppH4XLcvlAPPiMqvTUIo&e=>
>

v2.23.0 | Report a Bug | By Email