By: Steve Olshansky
Date: October 30, 2018
Not surprisingly it has been a busy 4 months in IoT, and IoT-related work in IETF has been buzzing right along. This post is intended to highlight some of these activities, and to provide a guide to relevant sessions scheduled during the upcoming IETF 103 meeting in Bangkok. Also check out the IETF Journal IoT Category, the IETF IoT page, the IETF IoT Directorate, the Internet Society’s IoT page, or the Online Trust Alliance IoT page for more details about many of these topics.
The IETF Hackathon, held on the weekend preceding the main IETF meeting (November 3-4, 2018), includes several projects directly related to IoT, with the possibility of more being added. Remote participation is available. More information is on the Hackathon wiki. Projects of interest (at the time of this writing) include those relating to:
- LPWAN CoAP/UDP/IPv6 SCHC compression and fragmentation
- ST-COAPS (ACE WG) + ANIMA BRSK
- WISHI (Work on IoT Semantic / Hypermedia Interoperability)
- Trusted Execution Environment Provisioning (TEEP)
The Thing-to-Thing Research Group (T2TRG), under the Internet Research Task Force (IRTF), investigates open research issues towards turning the promise of IoT into reality. The research group will be meeting on Tuesday afternoon, 6 Nov 2018, 16:10-18:10 (GMT+7) in Bangkok to report on its recent activities. In addition, it will hold a working meeting on Friday 9 November from 09:00 to 13:20 (GMT+7). The agenda for the Friday work meeting can be found here. As in the past, full details and the latest info on their activities can be found in GitHub.
Two recently chartered IoT-related working groups are working on very serious problems, and are making good progress:
- Trusted Execution Environment Provisioning (TEEP), working on standardizing protocols for provisioning applications into secure areas of computer processors. They have recently uploaded a new draft version of the TEEP architecture document. There are, however, a few more open issues, and the chairs are actively seeking feedback on the direction the document is heading.
- Software Updates for Internet of Things (SUIT), working on mechanisms for securely updating the firmware in IoT devices. The latest versions of the draft architecture and information model are on the agenda for the WG meeting, as is the manifest format.
I would like to draw your attention to some recently started activities of note:
- Application Transport LAyer Security (ATLAS) – relating to the re-use of TLS handshaking protocols at the application layer for establishing keying material to protect application data. Although there will not be a BoF at this IETF meeting, there may be an informal side meeting convened. If you are interested, keep an eye on the mailing list either by subscribing to it or by reviewing the archive. This message from the mailing list provides a good overview of current ATLAS-related drafts.
- Remote ATtestation ProcedureS (RATS) and Entity Attestation Token (EAT) are two related activities which address a similar problem space but use different mechanisms, and which appear to be converging into one workstream. This recent blog post includes a good update. There is a RATS (aka simply Attestation) BoF scheduled for Tuesday 6 Nov 2018 13:50-15:50 (GMT+7) in Chitlada 2 Meeting Room (2nd Floor), and the RATS draft charter is in GitHub. If you are interested, keep an eye on the EAT and RATS mailing lists.
In other contributed updates of interest:
The Lightweight Implementation Guidance (LWIG) working group is providing useful implementation guidance to IoT developers. At IETF 103, the group will have discussions to finalize the draft on lightweight TCP implementations and Efficient Neighbor Management policies for 6LoWPAN networks. The group will also discuss a draft which defines how various standard elliptic curves such as NIST P-256, Curve25519 and Ed25519 can efficiently re-use the same underlying implementation. The session is Tuesday 7 Nov 2018 11:20-12:20 (GMT+7).
Another interesting draft titled Enabling Network Access for IoT devices from the Cloud in the Thing-to-Thing Research Group (T2TRG) investigates how to overcome the perennial problem of secure bootstrapping of IoT devices. Rather than inventing another protocol, the draft describes how IoT devices can securely join a network with existing standard protocols such as EAP (RFC 3748) and RADIUS (RFC 2865). The draft received significant positive media coverage by The Register. In the latest update, the draft presents how to deal with the tricky problem of manufacturer obsolescence. It also defines new deployment modes for devices which have no identities or keys using existing EAP methods such as EAP-PSK (RFC 4764) and new EAP methods such as EAP-NOOB (Nimble out-of-band authentication for EAP).
Thanks to Mohit Sethi, Ericsson (Co-Chairing EAP Method Update (EMU) and Lightweight Implementation Guidance (LWIG))
A lot of work is going on to figure out how to help a device with no user interface onboard to the correct network in a secure way. The basis for some of this work is the Bootstrapping Remote Secure Key Infrastructure draft (BRSKI). This work is built atop HTTP. Several other activities are now looking at how to provide the voucher that is used in BRSKI and defined in RFC 8366 for other circumstances, like 802.11 networks and for further constrained devices. There are at LEAST three drafts on this subject, that will be mentioned in the OPS Area WG (OPSAWG) meeting, as well as at the EAP Method Update (EMU) WG session. There will also be a side meeting on Tuesday night at 18:00 local time for those who are interested in Apartment 3 on the 9th floor.
Thanks to Eliot Lear, Cisco
ANIMA's Bootstrapping Remote Secure Key Infrastructure (BRSKI) draft protocol has passed WGLC, and by IETF 103 may be through IESG review and into the RFC Editor queue. Since IETF 101, ANIMA has adopted a constrained version of RFC 8366 + BRSKI, and ACE has adopted a constrained version of RFC 7030 (Enrollment over Secure Transport, EST). Expect serious activity on these protocols at IETF 103, as these variations are approaching WGLC. A variety of interoperability events are being planned around these protocols, and there may be reports on those that have been done. Interest is growing in how to do secure device enrolment over WiFi. The draft BRSKI over IEEE 802.11 gives a review of many different ideas, and the Wi-Fi Alliance has recently released the Device Provisioning Protocol (DPP) Specification (requires registration).
Thanks to Michael Richardson, Sandelman Software Works
The IETF motto about running code is being applied to the opsawg's MUD internet draft. CIRALabs has been working over the summer to bring to life a MUD-driven IoT firewall called the "SecureHomeGateway." The system uses a smartphone, an off-the-shelf OpenWRT home gateway, and a QR code to apply the MUD internet draft to common devices. The team is taking the work up to ISPs at RIPE and to ccTLD operators at ICANN, and has been keeping the HOMENET and ANIMA WGs apprised of developments. The CIRALabs team expects to make some extensions to MUD (MUD processing and extensions for Secure Home Gateway Project) to better support some operational requirements that might come out of SUIT and ANIMA. The team also has some ideas on how to bootstrap the initial trust between mobile phone and home gateway (BRSKI enrollment for Smart Pledges). The MUD authors are now also looking at ways to expand the use of MUD to bandwidth profiling, so that administrators can provision based on the devices' needs and observe when a device is behaving outside that profile. The initial draft can be found at https://datatracker.ietf.org/doc/draft-lear-opsawg-mud-bw-profile/.
Thanks to Michael Richardson, Sandelman Software Works, and Eliot Lear, Cisco
While we are on the subject of "Manufacturer Usage Description Specification" (MUD), I am pleased to see that it is gaining some serious traction. Last June, the Internet Engineering Steering Group (IESG) approved it as a proposed standard.
From the abstract: This memo specifies a component-based architecture for manufacturer usage descriptions (MUD). The goal of MUD is to provide a means for end devices to signal to the network what sort of access and network functionality they require to properly function. The initial focus is on access control. Later work can delve into other aspects.
For more on MUD, Eliot Lear, one of the MUD authors, wrote a great article about it for the IETF Journal: Managing the Internet of Things – It’s All About Scaling.
As I have noted in previous IoT Rough Guides, MUD also plays a significant role in the project – Mitigating IoT-Based Automated Distributed Threats – being developed by the US National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE). NCCoE has also taken on a proof of concept project. You can find out more about that at https://www.nccoe.nist.gov/projects/building-blocks/mitigating-iot-based-ddos.
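To make the MUD idea concrete, here is an added Python example (written for this post; it is not code from the MUD draft, from CIRALabs' SecureHomeGateway, or from the NCCoE project). It reads a constructed MUD file, turns the device's from-device and to-device access lists into an allow-list, and reports observed flows that fall outside that profile, which is the check a MUD-driven gateway performs. The JSON layout is modelled on how the MUD YANG model serialises, but the field set, the host names and the flow records are assumptions made for the example; a real gateway would first fetch the file from the device's MUD URL, verify its signature, and resolve the DNS names before installing rules.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Constructed sample MUD file (assumed layout, not a real manufacturer's file):
# a "smart lamp" that only needs HTTPS to its cloud service and NTP.
SAMPLE_MUD = {
    "ietf-mud:mud": {
        "mud-version": 1,
        "mud-url": "https://mud.example.invalid/lamp.json",
        "cache-validity": 48,
        "is-supported": True,
        "systeminfo": "Constructed example: a smart lamp",
        "from-device-policy": {"access-lists": {"access-list": [{"name": "lamp-v4fr"}]}},
        "to-device-policy": {"access-lists": {"access-list": [{"name": "lamp-v4to"}]}},
    },
    "ietf-access-control-list:acls": {
        "acl": [
            {"name": "lamp-v4fr", "type": "ipv4-acl-type", "aces": {"ace": [
                {"name": "cloud-https", "matches": {
                    "ipv4": {"ietf-acldns:dst-dnsname": "cloud.example.invalid", "protocol": 6},
                    "tcp": {"destination-port": {"operator": "eq", "port": 443}}},
                 "actions": {"forwarding": "accept"}},
                {"name": "ntp", "matches": {
                    "ipv4": {"ietf-acldns:dst-dnsname": "ntp.example.invalid", "protocol": 17},
                    "udp": {"destination-port": {"operator": "eq", "port": 123}}},
                 "actions": {"forwarding": "accept"}},
            ]}},
            {"name": "lamp-v4to", "type": "ipv4-acl-type", "aces": {"ace": [
                {"name": "cloud-https-reply", "matches": {
                    "ipv4": {"ietf-acldns:src-dnsname": "cloud.example.invalid", "protocol": 6},
                    "tcp": {"source-port": {"operator": "eq", "port": 443}}},
                 "actions": {"forwarding": "accept"}},
            ]}},
        ]
    },
}


@dataclass(frozen=True)
class Rule:
    direction: str              # "from-device" or "to-device"
    protocol: Optional[int]     # IP protocol number; None matches any
    remote_host: Optional[str]  # DNS name of the far end; None matches any
    remote_port: Optional[int]  # far-end port; None matches any
    action: str                 # "accept" or "drop"


def _ace_to_rule(direction: str, ace: dict) -> Rule:
    """Flatten one access-control entry into a Rule for the given direction."""
    matches = ace["matches"]
    ip = matches.get("ipv4") or matches.get("ipv6") or {}
    # Traffic leaving the device is matched on its destination, traffic
    # arriving at the device on its source (assumed mirror of the MUD examples).
    host_key, port_key = (("ietf-acldns:dst-dnsname", "destination-port")
                          if direction == "from-device"
                          else ("ietf-acldns:src-dnsname", "source-port"))
    l4 = matches.get("tcp") or matches.get("udp") or {}
    port_spec = l4.get(port_key)
    port = None
    if port_spec is not None:
        if port_spec.get("operator", "eq") != "eq":
            raise ValueError(f"unsupported port operator in ace {ace['name']!r}")
        port = int(port_spec["port"])
    return Rule(direction, ip.get("protocol"), ip.get(host_key), port,
                ace["actions"]["forwarding"])


def rules_from_mud(doc: dict) -> list:
    """Resolve the policy's ACL references into an ordered list of Rules."""
    mud = doc["ietf-mud:mud"]
    if mud.get("mud-version") != 1:
        raise ValueError("unsupported mud-version")
    acls = {a["name"]: a for a in doc["ietf-access-control-list:acls"]["acl"]}
    rules = []
    for direction, policy in (("from-device", "from-device-policy"),
                              ("to-device", "to-device-policy")):
        for ref in mud.get(policy, {}).get("access-lists", {}).get("access-list", []):
            if ref["name"] not in acls:      # dangling reference: reject the file
                raise ValueError(f"policy references unknown ACL {ref['name']!r}")
            for ace in acls[ref["name"]]["aces"]["ace"]:
                rules.append(_ace_to_rule(direction, ace))
    return rules


def rules_from_mud_text(text: str) -> list:
    return rules_from_mud(json.loads(text))


def flow_allowed(rules: list, direction: str, protocol: int, host: str, port: int) -> bool:
    """First matching rule decides; anything the MUD file does not describe is denied."""
    for r in rules:
        if r.direction != direction:
            continue
        if r.protocol is not None and r.protocol != protocol:
            continue
        if r.remote_host is not None and r.remote_host != host:
            continue
        if r.remote_port is not None and r.remote_port != port:
            continue
        return r.action == "accept"
    return False


def outside_profile(rules: list, flows: list) -> list:
    """Return the observed (direction, protocol, host, port) flows the MUD profile does not permit."""
    return [f for f in flows if not flow_allowed(rules, *f)]


# Constructed flow records, as a gateway might summarise them from its connection log.
OBSERVED_FLOWS = [
    ("from-device", 6, "cloud.example.invalid", 443),    # in profile
    ("from-device", 17, "ntp.example.invalid", 123),     # in profile
    ("from-device", 6, "cloud.example.invalid", 80),     # wrong port
    ("from-device", 6, "unknown.example.invalid", 22),   # destination not in profile
    ("to-device", 6, "cloud.example.invalid", 443),      # in profile
    ("to-device", 6, "anyone.example.invalid", 23),      # unsolicited inbound
]

if __name__ == "__main__":
    rules = rules_from_mud(SAMPLE_MUD)
    for flow in outside_profile(rules, OBSERVED_FLOWS):
        print("outside MUD profile:", flow)
```

The two design choices worth noting are the default of deny for anything the file does not mention, which is what makes MUD an allow-list rather than a blocklist, and the refusal to install anything from a file whose policy references an ACL that is not present, since a partially applied profile would silently widen what the device may reach.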
Ongoing work includes:
- The Constrained RESTful Environments (core) WG aims to extend the Web architecture to most constrained networks and embedded devices. This is one of the most active IoT working groups.
- The IPv6 over Networks of Resource-constrained Nodes (6lo) WG will be meeting on Tuesday afternoon, and focuses on the work that facilitates IPv6 connectivity over constrained node networks.
- The IPv6 over the TSCH mode of IEEE 802.15.4e (6tisch) WG was chartered in 2014 to enable IPv6 for the Time-Slotted Channel Hopping (TSCH) mode that was recently added to IEEE 802.15.4 networks.
- The Home Networking (homenet) WG focuses on the evolving networking technology within and among relatively small “residential home” networks. For example, an obvious trend in home networking is the proliferation of networking technology in an increasingly broad range and number of devices.
- The IPv6 over Low Power Wide-Area Networks (lpwan) WG – typical LPWANs provide low-rate connectivity to vast numbers of battery-powered devices over distances that may span tens of miles, using license-exempt bands.
- The IP Wireless Access in Vehicular Environments (ipwave) WG has as its primary deliverable a specification for mechanisms to transmit IPv6 datagrams over IEEE 802.11-OCB mode.
- The Authentication and Authorization for Constrained Environments (ace) WG, as its name suggests, is concerned with authentication and authorization mechanisms in constrained environments, where network nodes are limited in CPU, memory and power. This is a critical issue for IoT, for obvious reasons.
- Routing for IoT is tackled by the Routing Over Low power and Lossy networks (roll) WG, which focuses on routing protocols for constrained-node networks.
- In addition to the new protocols and other mechanisms developed by IETF working groups, IoT developers often benefit from additional guidance for efficient implementation techniques and other considerations. The Lightweight Implementation Guidance (lwig) WG is developing such documents.
Schedule and locations subject to change. Please refer to the online agenda to confirm.
If you have an interest in how the IoT is developing and being standardized in the IETF, I hope to see you in person or online at some of these meetings during IETF 103. (Note that if you know you will be unable to travel to the meeting and would like to participate remotely, you must register as a remote participant. There is currently no fee to be a remote participant at an IETF meeting, but registration is required. If you do not want to register, you may opt to listen to the live audio stream of the sessions instead. The links for each session are posted in each session description in the agenda.)
** All times ICT — Indochina Time (GMT+7)
core (Constrained RESTful Environments) WG
Monday, 5 Nov 2018, 13:50-15:50
Boromphimarn 1/2 Meeting Room (3rd Floor)
Thursday, 8 Nov 2018, 11:20-12:20
Chitlada 1 Meeting Room (2nd Floor)
It will be a busy week in Bangkok, and whether you plan to be there or join remotely, there’s much to monitor. Read the full series of Rough Guide to IETF 103 posts, and follow us on the Internet Society blog, Twitter, or Facebook using #IETF103 to keep up with the latest news.