Re: [T2TRG] RESTful Design & Security
Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 08 March 2017 14:14 UTC
Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: t2trg@ietfa.amsl.com
Delivered-To: t2trg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EA23129472 for <t2trg@ietfa.amsl.com>; Wed, 8 Mar 2017 06:14:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4wR4NWO5Ixv2 for <t2trg@ietfa.amsl.com>; Wed, 8 Mar 2017 06:14:12 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70A701296A3 for <T2TRG@irtf.org>; Wed, 8 Mar 2017 06:14:11 -0800 (PST)
Received: from [192.168.91.177] ([80.92.114.23]) by mail.gmx.com (mrgmx003 [212.227.17.190]) with ESMTPSA (Nemesis) id 0MNq8p-1ct2CY1ZAh-007Sx3; Wed, 08 Mar 2017 15:13:21 +0100
To: Eliot Lear <lear@cisco.com>, "Kovatsch, Matthias" <matthias.kovatsch@siemens.com>, "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>
References: <c15a387f-9dd3-987e-2901-b86fd8f60108@gmx.net> <10144.1488908366@obiwan.sandelman.ca> <952c4a16-174f-2457-1f11-8f733e738f90@gmx.net> <4EBB3DDD0FBF694CA2A87838DF129B3C01AA2F98@DEFTHW99EL4MSX.ww902.siemens.net> <558bae1a-ff84-9fb3-c6bf-021f492e9a04@gmx.net> <4EBB3DDD0FBF694CA2A87838DF129B3C01AA313F@DEFTHW99EL4MSX.ww902.siemens.net> <c85cbfa5-083c-9159-3e01-001b353a3e35@cisco.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <f33f30cc-9a6d-513d-f20f-620ac4b611e1@gmx.net>
Date: Wed, 08 Mar 2017 15:13:17 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <c85cbfa5-083c-9159-3e01-001b353a3e35@cisco.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="2A0iDmrRhaFIF2kTbkhPDtFKGbb6J2WlE"
X-Provags-ID: V03:K0:gveoeiRQ/5QnMEXmStI4fW9humUrBH9AlRaUdjoeIXA0iFn9Ep9 d0S7B0UMbNrIQExDDHB8ajfOlXxHENDwPW7BygA5lltcCj5cjWU2y+qpzz++UXAKzvatzR8 sFo4VnfWWRuMGmfR2ZXB5lSyArpnUC8s5UzX2tfxSmEe0lBHNg7fszP3XD1H4jCzXwxE1sO rJ1SWnJl4VJanVdnuFhQg==
X-UI-Out-Filterresults: notjunk:1;V01:K0:krhzPMV4e0w=:cno9Q3RH9QgRpUkEBOKu1a fntL3FYROpDtxLpiQlTGDjUZJ76TleC6uUK1jOin+vuCaiSNlrQ2tFbn3GK2A3PxqsmO1Um0C xN1O/WjYkak8UkwWzS0+tHzXMHgMWfe1sf3boUF0BHeLPl7cdW5Zg1GXnkiPlTeKykhOGVEyY Tt1tLXmjqmSfckrdn8uBz8eDXeJyRciIapU1olTPkHD3fgFtdTAS4tpSxY8puUPtfv8kdFTVy /sjhX1U3Al3imB6THWiQZWA92Kkj8akjbvBRdUNxjlI3faq1FkgHPdb89R3Fn4Cp6nWa4jULH 9LpplZrur6K1NQd1GZtm0Y8zMNEqSP2f9fttRJTyJYNbitEuQOMNqv7o7CG+dgp61ddW/+gEU i6jT3BIPGW5h1BMUpToL2Gwvg31BWMu1+U0IOIEv51Ge7lClRRRzMoeuqwFaH3ELelF05MhFj 1A4FCBE/Fx8Rfjj6A/R0uluL5ycxlxSxCVKPWckRTIOooRTLwyirvBN1IZqJn/RrJA9vaH5Vt YMBClOgbQgkZ2fyUxakxIOFpU0LURZB9gIT01EFckqn0nrsyogUkOTDGtnY69+qE9JtiUrqJt XCRsS3+ozXuK4MiK1f0alKbwXgrTjLu5aKmuDL9syyFn77oBDUAjSQm6KLpRf1sKYC6FRhYC5 8CbWcAVoBorLZmHhRuvjSog+1mRqV3Y3UPQDJbrcZjWwqXcGjBueRkuphlD2crmmfVHkCRfrD X4pf94jP653vQGP5NYDyF2/tR+RbpL+iwkU23/SX7nWrLI+zJCuOvbt5XsY=
Archived-At: <https://mailarchive.ietf.org/arch/msg/t2trg/wfr_0ToDZqOzVt_zPSIhKzzD5JY>
Cc: "T2TRG@irtf.org" <T2TRG@irtf.org>
Subject: Re: [T2TRG] RESTful Design & Security
X-BeenThere: t2trg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IRTF Thing-to-Thing \(T2T\) Research-Group-in-creation" <t2trg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/t2trg>, <mailto:t2trg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/t2trg/>
List-Post: <mailto:t2trg@irtf.org>
List-Help: <mailto:t2trg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/t2trg>, <mailto:t2trg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Mar 2017 14:14:19 -0000
Hi Eliot, this would indeed be a good conversation to have. I have tried to trigger it a couple of times in context of the IoT device classes but it is very hard to get people to state what their minimum assumptions are. I believe it has to do with the type of standardization approach we are exercising today and this gives us a hard time to describe the big picture of how the various building blocks are supposed to work together. In fact, the picture becomes extremely complex and fragmented since there are just so many options while at the same time we envision super constrained devices. The T2TRG security document (draft-irtf-t2trg-iot-seccons-01) confirms this and happily talks about normal IPsec/IKE, diet IPsec, HIP, MIKEY, OSCOAP, JOSE, COSE, etc. etc. Ciao Hannes On 03/08/2017 11:02 AM, Eliot Lear wrote: > Matthias, > > I think the key question that everyone seems to be dancing around is this: > > What is an Internet host in the context of IoT? What are the minimum > qualities it must possess? I don't mean this to be a vote, but more of > a law of physics sort of thing. For instance, does a host have a secure > unique identity? What capabilities must it have? I would expect them > to be very few, but there are assuredly some... > > Eliot > > > On 3/7/17 8:36 PM, Kovatsch, Matthias wrote: >> Fair enough. >> >> Yes, I am on this IoT Directorate. I would say a large fraction of the >> T2TRG participants has been arguing that the Internet of Gateways is >> not a good approach. Your security-related summary proves this point. >> >> I personally don't see end-to-end security happening if we keep mixing >> application protocols, keep using black-magic middleboxes, and keep >> using proprietary interfaces at the device level. We need something >> end-to-end (or T2T) for end-to-end security. >> >> Best wishes >> Matthias >> >> >> >> Sent from my phone, limitations might apply. >> >> -----Original Message----- >> *From:* Hannes Tschofenig [hannes.tschofenig@gmx.net] >> *Received:* Tuesday, 07 Mar 2017, 20:10 >> *To:* Kovatsch, Matthias (CT RDA NEC EMB-DE) >> [matthias.kovatsch@siemens.com]; mcr+ietf@sandelman.ca >> [mcr+ietf@sandelman.ca] >> *CC:* T2TRG@irtf.org [T2TRG@irtf.org] >> *Subject:* Re: [T2TRG] RESTful Design & Security >> >> Hi Matthias, >> >> I know that this is a research group and everyone can create whatever >> they want. >> >> We briefly talked about security at the IoT directorate conference call >> and I would be interesting to hear what works and what does not work for >> others. >> >> Ciao >> Hannes >> >> >> On 03/07/2017 07:45 PM, Kovatsch, Matthias wrote: >> > On big propaganda tour? :P >> > >> > Regards >> > Matthias >> > >> > >> > Sent from my phone, limitations might apply. >> > >> > -----Original Message----- >> > *From:* Hannes Tschofenig [hannes.tschofenig@gmx.net] >> > *Received:* Tuesday, 07 Mar 2017, 19:39 >> > *To:* Michael Richardson [mcr+ietf@sandelman.ca] >> > *CC:* t2trg@irtf.org [T2TRG@irtf.org] >> > *Subject:* Re: [T2TRG] RESTful Design & Security >> > >> > OSCOAP does not work when >> > >> > * you mix protocols, >> > * use a middlebox for some processing interactions (such as data >> > aggregation), and >> > * when one of the protocols is a non-RESTful protocol, such as BLE >> or MQTT. >> > >> > Unfortunately, these the use cases we are facing in current IoT >> > deployments. For similar reasons we cannot use RFC 8075 either. >> > >> > Maybe you are seeing different deployment environments. >> > >> > Ciao >> > Hannes >> > >> > On 03/07/2017 06:39 PM, Michael Richardson wrote: >> >> >> >> Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote: >> >> > Needless to say that these challenges have also been observed >> in other >> >> > protocols as well, such as HTTP and even SIP. >> >> >> >> > What is the story for providing application layer security? >> >> >> >> OSCOAP seems to be end-to-end to me. >> >> >> >> -- >> >> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works >> >> -= IPv6 IoT consulting =- >> >> >> >> >> >> >> > >> > >> > >> > _______________________________________________ >> > T2TRG mailing list >> > T2TRG@irtf.org >> > https://www.irtf.org/mailman/listinfo/t2trg >> > >> >> >> >> _______________________________________________ >> T2TRG mailing list >> T2TRG@irtf.org >> https://www.irtf.org/mailman/listinfo/t2trg >
- [T2TRG] RESTful Design & Security Hannes Tschofenig
- Re: [T2TRG] RESTful Design & Security Ari Keränen
- Re: [T2TRG] RESTful Design & Security Michael Richardson
- Re: [T2TRG] RESTful Design & Security Hannes Tschofenig
- Re: [T2TRG] RESTful Design & Security Kovatsch, Matthias
- Re: [T2TRG] RESTful Design & Security Hannes Tschofenig
- Re: [T2TRG] RESTful Design & Security Kovatsch, Matthias
- Re: [T2TRG] RESTful Design & Security Simpson, Robby (GE Energy Connections)
- Re: [T2TRG] RESTful Design & Security Kovatsch, Matthias
- Re: [T2TRG] RESTful Design & Security Göran Selander
- Re: [T2TRG] RESTful Design & Security Hannes Tschofenig
- Re: [T2TRG] RESTful Design & Security Carsten Bormann
- Re: [T2TRG] RESTful Design & Security Carsten Bormann
- Re: [T2TRG] RESTful Design & Security Eliot Lear
- Re: [T2TRG] RESTful Design & Security Carsten Bormann
- Re: [T2TRG] RESTful Design & Security Hannes Tschofenig
- Re: [T2TRG] RESTful Design & Security Göran Selander
- Re: [T2TRG] RESTful Design & Security Hannes Tschofenig
- Re: [T2TRG] RESTful Design & Security Hannes Tschofenig
- [T2TRG] The Many Headed Hydra Nightingale, J. Stephen (Fed)
- Re: [T2TRG] The Many Headed Hydra Carsten Bormann
- Re: [T2TRG] RESTful Design & Security Garcia-Morchon O, Oscar
- Re: [T2TRG] RESTful Design & Security Eliot Lear
- Re: [T2TRG] RESTful Design & Security Hannes Tschofenig
- Re: [T2TRG] RESTful Design & Security Mohit Sethi
- Re: [T2TRG] RESTful Design & Security Garcia-Morchon O, Oscar
- Re: [T2TRG] RESTful Design & Security Hasan Derhamy
- Re: [T2TRG] RESTful Design & Security Eliot Lear