IETF Logo Mail Archive

Re: [T2TRG] RESTful Design & Security

Hannes Tschofenig <hannes.tschofenig@gmx.net> Wed, 08 March 2017 14:14 UTC

Return-Path: <hannes.tschofenig@gmx.net>
X-Original-To: t2trg@ietfa.amsl.com
Delivered-To: t2trg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3EA23129472 for <t2trg@ietfa.amsl.com>; Wed, 8 Mar 2017 06:14:19 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 4wR4NWO5Ixv2 for <t2trg@ietfa.amsl.com>; Wed, 8 Mar 2017 06:14:12 -0800 (PST)
Received: from mout.gmx.net (mout.gmx.net [212.227.15.15]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70A701296A3 for <T2TRG@irtf.org>; Wed, 8 Mar 2017 06:14:11 -0800 (PST)
Received: from [192.168.91.177] ([80.92.114.23]) by mail.gmx.com (mrgmx003 [212.227.17.190]) with ESMTPSA (Nemesis) id 0MNq8p-1ct2CY1ZAh-007Sx3; Wed, 08 Mar 2017 15:13:21 +0100
To: Eliot Lear <lear@cisco.com>, "Kovatsch, Matthias" <matthias.kovatsch@siemens.com>, "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>
References: <c15a387f-9dd3-987e-2901-b86fd8f60108@gmx.net> <10144.1488908366@obiwan.sandelman.ca> <952c4a16-174f-2457-1f11-8f733e738f90@gmx.net> <4EBB3DDD0FBF694CA2A87838DF129B3C01AA2F98@DEFTHW99EL4MSX.ww902.siemens.net> <558bae1a-ff84-9fb3-c6bf-021f492e9a04@gmx.net> <4EBB3DDD0FBF694CA2A87838DF129B3C01AA313F@DEFTHW99EL4MSX.ww902.siemens.net> <c85cbfa5-083c-9159-3e01-001b353a3e35@cisco.com>
From: Hannes Tschofenig <hannes.tschofenig@gmx.net>
Openpgp: id=071A97A9ECBADCA8E31E678554D9CEEF4D776BC9
Message-ID: <f33f30cc-9a6d-513d-f20f-620ac4b611e1@gmx.net>
Date: Wed, 08 Mar 2017 15:13:17 +0100
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.7.0
MIME-Version: 1.0
In-Reply-To: <c85cbfa5-083c-9159-3e01-001b353a3e35@cisco.com>
Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="2A0iDmrRhaFIF2kTbkhPDtFKGbb6J2WlE"
X-Provags-ID: V03:K0:gveoeiRQ/5QnMEXmStI4fW9humUrBH9AlRaUdjoeIXA0iFn9Ep9 d0S7B0UMbNrIQExDDHB8ajfOlXxHENDwPW7BygA5lltcCj5cjWU2y+qpzz++UXAKzvatzR8 sFo4VnfWWRuMGmfR2ZXB5lSyArpnUC8s5UzX2tfxSmEe0lBHNg7fszP3XD1H4jCzXwxE1sO rJ1SWnJl4VJanVdnuFhQg==
X-UI-Out-Filterresults: notjunk:1;V01:K0:krhzPMV4e0w=:cno9Q3RH9QgRpUkEBOKu1a fntL3FYROpDtxLpiQlTGDjUZJ76TleC6uUK1jOin+vuCaiSNlrQ2tFbn3GK2A3PxqsmO1Um0C xN1O/WjYkak8UkwWzS0+tHzXMHgMWfe1sf3boUF0BHeLPl7cdW5Zg1GXnkiPlTeKykhOGVEyY Tt1tLXmjqmSfckrdn8uBz8eDXeJyRciIapU1olTPkHD3fgFtdTAS4tpSxY8puUPtfv8kdFTVy /sjhX1U3Al3imB6THWiQZWA92Kkj8akjbvBRdUNxjlI3faq1FkgHPdb89R3Fn4Cp6nWa4jULH 9LpplZrur6K1NQd1GZtm0Y8zMNEqSP2f9fttRJTyJYNbitEuQOMNqv7o7CG+dgp61ddW/+gEU i6jT3BIPGW5h1BMUpToL2Gwvg31BWMu1+U0IOIEv51Ge7lClRRRzMoeuqwFaH3ELelF05MhFj 1A4FCBE/Fx8Rfjj6A/R0uluL5ycxlxSxCVKPWckRTIOooRTLwyirvBN1IZqJn/RrJA9vaH5Vt YMBClOgbQgkZ2fyUxakxIOFpU0LURZB9gIT01EFckqn0nrsyogUkOTDGtnY69+qE9JtiUrqJt XCRsS3+ozXuK4MiK1f0alKbwXgrTjLu5aKmuDL9syyFn77oBDUAjSQm6KLpRf1sKYC6FRhYC5 8CbWcAVoBorLZmHhRuvjSog+1mRqV3Y3UPQDJbrcZjWwqXcGjBueRkuphlD2crmmfVHkCRfrD X4pf94jP653vQGP5NYDyF2/tR+RbpL+iwkU23/SX7nWrLI+zJCuOvbt5XsY=
Archived-At: <https://mailarchive.ietf.org/arch/msg/t2trg/wfr_0ToDZqOzVt_zPSIhKzzD5JY>
Cc: "T2TRG@irtf.org" <T2TRG@irtf.org>
Subject: Re: [T2TRG] RESTful Design & Security
X-BeenThere: t2trg@irtf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "IRTF Thing-to-Thing \(T2T\) Research-Group-in-creation" <t2trg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/t2trg>, <mailto:t2trg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/t2trg/>
List-Post: <mailto:t2trg@irtf.org>
List-Help: <mailto:t2trg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/t2trg>, <mailto:t2trg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Wed, 08 Mar 2017 14:14:19 -0000

Hi Eliot,

this would indeed be a good conversation to have. I have tried to
trigger it a couple of times in context of the IoT device classes but it
is very hard to get people to state what their minimum assumptions are.

I believe it has to do with the type of standardization approach we are
exercising today and this gives us a hard time to describe the big
picture of how the various building blocks are supposed to work
together. In fact, the picture becomes extremely complex and fragmented
since there are just so many options while at the same time we envision
super constrained devices. The T2TRG security document
(draft-irtf-t2trg-iot-seccons-01) confirms this and happily talks about
normal IPsec/IKE, diet IPsec, HIP, MIKEY, OSCOAP, JOSE, COSE, etc. etc.

Ciao
Hannes

On 03/08/2017 11:02 AM, Eliot Lear wrote:
> Matthias,
> 
> I think the key question that everyone seems to be dancing around is this:
> 
> What is an Internet host in the context of IoT?  What are the minimum
> qualities it must possess?  I don't mean this to be a vote, but more of
> a law of physics sort of thing.  For instance, does a host have a secure
> unique identity?  What capabilities must it have?  I would expect them
> to be very few, but there are assuredly some...
> 
> Eliot
> 
> 
> On 3/7/17 8:36 PM, Kovatsch, Matthias wrote:
>> Fair enough.
>>
>> Yes, I am on this IoT Directorate. I would say a large fraction of the
>> T2TRG participants has been arguing that the Internet of Gateways is
>> not a good approach. Your security-related summary proves this point.
>>
>> I personally don't see end-to-end security happening if we keep mixing
>> application protocols, keep using black-magic middleboxes, and keep
>> using proprietary interfaces at the device level. We need something
>> end-to-end (or T2T) for end-to-end security.
>>
>> Best wishes
>> Matthias
>>
>>
>>
>> Sent from my phone, limitations might apply.
>>
>> -----Original Message-----
>> *From:* Hannes Tschofenig [hannes.tschofenig@gmx.net]
>> *Received:* Tuesday, 07 Mar 2017, 20:10
>> *To:* Kovatsch, Matthias (CT RDA NEC EMB-DE)
>> [matthias.kovatsch@siemens.com]; mcr+ietf@sandelman.ca
>> [mcr+ietf@sandelman.ca]
>> *CC:* T2TRG@irtf.org [T2TRG@irtf.org]
>> *Subject:* Re: [T2TRG] RESTful Design & Security
>>
>> Hi Matthias,
>>
>> I know that this is a research group and everyone can create whatever
>> they want.
>>
>> We briefly talked about security at the IoT directorate conference call
>> and I would be interesting to hear what works and what does not work for
>> others.
>>
>> Ciao
>> Hannes
>>
>>
>> On 03/07/2017 07:45 PM, Kovatsch, Matthias wrote:
>> > On big propaganda tour? :P
>> >
>> > Regards
>> > Matthias
>> >
>> >
>> > Sent from my phone, limitations might apply.
>> >
>> > -----Original Message-----
>> > *From:* Hannes Tschofenig [hannes.tschofenig@gmx.net]
>> > *Received:* Tuesday, 07 Mar 2017, 19:39
>> > *To:* Michael Richardson [mcr+ietf@sandelman.ca]
>> > *CC:* t2trg@irtf.org [T2TRG@irtf.org]
>> > *Subject:* Re: [T2TRG] RESTful Design & Security
>> >
>> > OSCOAP does not work when
>> >
>> > * you mix protocols,
>> > * use a middlebox for some processing interactions (such as data
>> > aggregation), and
>> > * when one of the protocols is a non-RESTful protocol, such as BLE
>> or MQTT.
>> >
>> > Unfortunately, these the use cases we are facing in current IoT
>> > deployments. For similar reasons we cannot use RFC 8075 either.
>> >
>> > Maybe you are seeing different deployment environments.
>> >
>> > Ciao
>> > Hannes
>> >
>> > On 03/07/2017 06:39 PM, Michael Richardson wrote:
>> >>
>> >> Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>> >>     > Needless to say that these challenges have also been observed
>> in other
>> >>     > protocols as well, such as HTTP and even SIP.
>> >>
>> >>     > What is the story for providing application layer security?
>> >>
>> >> OSCOAP seems to be end-to-end to me.
>> >>
>> >> --
>> >> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>> >>  -= IPv6 IoT consulting =-
>> >>
>> >>
>> >>
>> >
>> >
>> >
>> > _______________________________________________
>> > T2TRG mailing list
>> > T2TRG@irtf.org
>> > https://www.irtf.org/mailman/listinfo/t2trg
>> >
>>
>>
>>
>> _______________________________________________
>> T2TRG mailing list
>> T2TRG@irtf.org
>> https://www.irtf.org/mailman/listinfo/t2trg
>

v2.23.0 | Report a Bug | By Email