Post on 15-Jan-2015
description
M2M,IoT, device management:one protocol to rule them all?
Julien Vermillard - Sierra Wireless
Who am I?
Software Engineer at Sierra Wireless, implementing various protocols for AirVantage cloud service
Apache member, Eclipse IoT committerCalifornium, Wakaama, Leshan open-source Lightweight M2M serverTinkerer: electronics, reversing, Linux
Photo Credit:https://www.flickr.com/photos/90514086@N00/952121271/ CC by-nc-sa
Agenda
M2M/IoT application protocols (XMPP, MQTT)
Web-of-things (CoAP)
IoT protocol security
Device management (TR-069, OMA-DM, OMA-LwM2M)
Impact on IoT architectures
Let’s start with..
QUESTIONS!
Questions
Know MQTT?
Questions
Use MQTT?
Questions
Know or use CoAP?
Questions
Device management: OMA-DM,Lightweight M2Mor TR-069?
Application protocols
XMPP
MQTT
CoAP
XMPP
Chat protocol based on XML recycled for IoT
XEP-0322 (PDF) Efficient XML Interchange (EXI) Format Standards - 2014-03-10
XEP-0323 (PDF) Internet of Things - Sensor Data - Experimental - 2014-04-07
XEP-0324 (PDF) Internet of Things - Provisioning - Experimental - 2014-05-21
XEP-0325 (PDF) Internet of Things - Control -Experimental 2014-04-07
XEP-0326 (PDF) Internet of Things - Concentrators - Experimental 2014-03-10
XMPP
<message from='device@clayster.com' to='client@clayster.com/amr'> <fields xmlns='urn:xmpp:iot:sensordata' seqnr='5'> <node nodeId='Device02'> <timestamp value='2013-03-07T19:31:15'> <numeric name='Temperature' momentary='true' automaticReadout='true' value='23.4' unit='°C'/> </timestamp> </node> </fields></message>
MQ Telemetry Transport
Killer protocol for M2M applications
Connect everything with a central broker
Content agnostic
Simplicity is MQTT feature #1
MQ Telemetry Transport- a sensor pushes telemetry values on topics greenhouse/42/temperature greenhouse/42/humidity greenhouse/42/luminosity
- actions are on another topic greenhouse/42/open-the-roof
- payload format is free (json,binary,whatever..)
MQTT security
- Username and password
- TLS on top of the TCP stream
MQ Telemetry Transport @ Eclipse IoT
Write your first MQTT application today :)
Mosquitto lightweight brokerMoquette Java based brokerPaho clients Java, C/C++, Go, Python, LuaPonte bridge MQTT, CoAP and HTTP Kura Java OSGi application framework
M2M: devices to a server
ServerServer
IoT: devices on Internet
Internet
Web of things
IP address for everything!
6LoWPAN on 802.15.4, Bluetooth LE
Small IPv6 stack in battery powered devices
Create mesh network with RPL (RFC 6550)
Web of things
REST for everything!
Sensor will live for decades
Applications will evolve
Things should expose dumb REST API, put the behaviour in mashup applications
Web of things
CoAPConstrained Application Protocol
Internet Eng. Task Force standard for IoT
Started around 2010!
Final RFC 7252 published
CoAPCo: Constrained
Simple to encode/decode: target 1$ 8bits MCU
100K Flash, 10K RAM
CoAPCo: Constrained
HTTP and TCP are not a good fit, use UDP
Low power networks
CoAPAP: Application Protocol
RESTful protocol designed from scratchTransparent mapping to HTTPAdditional features of M2M scenarios
GET, POST, PUT, DELETEURIs and media types
DeduplicationOptional retransmissionsObservation, SMS
CoAPProtocol structure
Binary protocol● Low parsing complexity
● Small message size
Options● Numbers with IANA registry
● Type-Length-Value
● Special option header marks payload if present
CoAPDiscoverability
Based on Web Linking (RFC5988)Extended to Core Link Format (RFC6690)
Decentralized discovery: Multicast DiscoveryInfrastructure-based: Resource Directories
</config/groups>;rt="core.gp";ct=39,</sensors/temp>;rt="ucum.Cel";ct="0 50";obs,</large>;rt="block";sz=1280;title="Large resource"
GET /.well-known/core
CoAPSecurity
Based on DTLS (TLS/SSL for Datagrams)
Focus on Elliptic Curve Cryptography (ECC)
ECDH, ECDSA, AES
Hardware acceleration for IoT devices
CaliforniumCoAP @ Eclipse IoT
Pure Java library
DTLS PSK/RPK/X509
Unconstrained: For large devices or cloud services
http://eclipse.org/californium
M2M/IoT Protocol security
IoT/M2M protocol security
TLS for TCP (RFC 5246)DTLS for UDP (RFC 6347)
Rolling your own is still not recommended :)
TLS/DTLS complexity?
It’s customizable:
X.509 certificate: certificate with chain of trust (CA & PKI)
Raw-Public-key: only private/public key
Pre-Shared-Key: symmetric keys without forward secrecy
TLS/DTLS complexity?
Arduino Uno can run CoAP/MQTT
But not in a secure way :(
ROM/RAM cost estimation for (D)TLS:http://www.ietf.org/id/draft-ietf-lwig-tls-minimal-01.txt
(D)TLS Pre-Shared-Key mode+----------------------+-----------------+| | DTLS || +--------+--------+| | ROM | RAM |+----------------------+--------+--------+| State Machine | 8.15 | 1.9 || Cryptography | 3.3 | 1.5 || DTLS Record Layer | 3.7 | 0.5 |+----------------------+--------+--------+| TOTAL | 15.15 | 3.9 |+----------------------+--------+--------+ Table 1: Memory Requirements in KB
(D)TLS Raw Public Key mode+----------------------------+---------------+| Cryptographic functions | Code size |+----------------------------+---------------+| MD5 | 4,856 bytes || SHA1 | 2,432 bytes || HMAC | 2,928 bytes || RSA | 3,984 bytes || Big Integer Implementation | 8,328 bytes || AES | 7,096 bytes || RC4 | 1,496 bytes || Random Number Generator | 4,840 bytes |+----------------------------+---------------+
(D)TLS Raw certificate mode
You need to add:
ASN.1 parserX509 certificate check codeRevocation?
TLS for embedded
It’s still a challenge on some platform
IETF DICE working group https://datatracker.ietf.org/wg/dice/
But weirdly TLS PSK is not used
Certificate revocation is also a mess for IoT
Open-source DTLS implementation
TinyDTLS: http://tinydtls.sourceforge.net
MIT licensed embedded friendlyLua binding: https://github.com/sbernard31/luadtls
Eclipse Californium Scandium:A Java implementation of DTLShttps://github.com/eclipse/californium.scandium
More security challenges ;)
Provisioning your key from the factory and pushing them on the server...
... for million of devices with different keys
… and with the capability of changing the keys over-the-air
Device Management
Device management
Monitor, configure, secure, and update your devices
All you need for operating a fleet of IoT devices
Not tied to your application
Interoperability is the key
You don't know yet what hardware will power your IoT projects on the field
but you MUST be able to do management in a consistent way
D.M. protocols
Usual suspects:
TR-069
OMA-DM
Lightweight M2M
TR-069
Bidirectional SOAP API for :broadband modems, gateway, set-top-boxes
Configure, monitor, firmware upgrades.
Yeah SOAP : HTTPS and XML :(
Not wireless friendly
OMA-DM
An Open Mobile Alliance standard for Device Management
Targets mobile phone terminals but can be used for M2M
Mean to be used by mobile network operators.
OMA-DM features
Read, write configuration or monitoring nodes.
Trigger remote commands (Exec)
FUMO: Firmware Update Management Object
SCOMO: Software Component Management Object
OMA-DM flaws
Phone oriented
HTTP+XML (or binary XML) not compact at all
OMA-DM flaws: Hello world :)
<?xml version="1.0" encoding="UTF-8"?><SyncML xmlns="SYNCML:SYNCML1.2"> <SyncHdr>
<VerDTD>1.2</VerDTD><VerProto>DM/1.2</VerProto><SessionID>D101</SessionID><MsgID>1</MsgID><Target>
<LocURI>http://na.airvantage.net</LocURI></Target><Source><LocURI>IMEI:1234567890</LocURI></Source><Meta>
<MaxMsgSize>20480</MaxMsgSize> <MaxObjSize>512000</MaxObjSize>
</Meta> </SyncHdr> <SyncBody>
<Alert> <CmdID>1</CmdID> <Data>1201</Data>
</Alert><Replace>
<CmdID>2</CmdID> <Item> <Source><LocURI>./DevInfo/DevId</LocURI></Source> <Data>IMEI:1234567890</Data> </Item>
<Item> <Source><LocURI>./DevInfo/Man</LocURI></Source> <Data>Sierra Wireless</Data> </Item> <Item> <Source><LocURI>./DevInfo/Mod</LocURI></Source> <Data>SL6087</Data> </Item> <Item> <Source><LocURI>./DevInfo/DmV</LocURI></Source> <Data>Sierra Wireless OMC v2.0</Data> </Item> <Item> <Source><LocURI>./DevInfo/Lang</LocURI></Source><Data>en</Data> </Item>
</Replace><Final />
</SyncBody></SyncML>
OMA-DM: Helloworld server reply<?xml version='1.0' encoding='UTF-8' standalone='no' ?><SyncML xmlns="SYNCML:SYNCML1.2"> <SyncHdr><VerDTD>1.2</VerDTD><VerProto>DM/1.2</VerProto><SessionID>D101</SessionID>
<MsgID>1</MsgID><Target><LocURI>IMEI:1234567890</LocURI></Target><Source><LocURI>http://na.airvantage.net</LocURI>
<LocName>AIRVANTAGE-SERVER</LocName></Source>
</SyncHdr> <SyncBody>
<Status> <CmdID>5</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd> <Chal><Meta> <Format xmlns="syncml:metinf">b64</Format> <Type xmlns="syncml:metinf">syncml:auth-MAC</Type> XML QUOTA EXCEEDED..
OMA-DM security flaws
Weak security (MD5-HMAC) on top of HTTPUse full HTTPS for higher grade security
Complex to implement correctly, no streaming due to HMAC
Unnecessary complex protocols is the safest way to security holes
OMA-DM
But works :)
Your mobile phone is managed using OMA-DM
OMA Lightweight M2M
A reboot of OMA-DM but for M2M
Built on top of CoAP
REST API for device management
Lightweight M2M: API
SecurityDeviceServerConnectivity monitoringConnectivity statisticsLocationFirmwareThe objects have a numerical identifier.
Lightweight M2M: URL
/{object}/{instance}/{resource}
Examples:
"/6/0" the whole position object (binary record).
"/6/0/2" only the altitude.
Lightweight M2M: API
You can define your custom objects
Published or not
Structure is discovered using the CoAP link object format (RFC 6690)
Lightweight M2M: bootstrap
Initial keying and configuration
Well defined security lifecycle
How to update credential and security scheme
Keying from factory, smartcard, or over-the-air
Lightweight M2M: bootstrap
Device can go out of factory with just BS credential
When it goes live the BS server provisions the DM keys
Future proof, and the BS server can be really robust
Eclipse Wakaama
http://eclipse.org/wakaama
A C library for implementing LWM2M
Embedded friendly
Lua binding for Wakaama:https://github.com/sbernard31/lualwm2m
More Lightweight M2M open source
Leshan A Java implementation of LWM2M
Server library based on Eclipse CaliforniumServer UI
http://github.com/jvermillard/leshan
LWM2M Demo
SHOWTIME!
Protocol convergence
M2M/IoT is not a simple problem
Security and provisioning are really the hardest ones
Try hard to reduce the number of protocols to make your life easier!
Burning in IoT hell: Mixing protocols
Cloud servers
Radio module
2G/3G/LTE
ZigBee/6LowPan
WiFi, etc..
App1
App2
App3
Supervisor
Low powerApp
OMA-DM
MQTT/CoAP
OMA-DM
Ad-hoc
Linux O/S
TR-069
NetworkOperator
LWM2M + CoAP
LWM2M provide device management and security workflow for CoAP application using the same protocol!
Huge simplicity and security win!
Break silos: embrace the web-of-things
Think security first, it’s your biggest challenge
Use standards for device management and keying
CoAP + LWM2M for your next IoT application!
Key takeaways
Thanks!Twitter: @vrmvrm
E-mail: jvermillard@sierrawireless.com
Creative Commons – Attribution (CC BY 3.0) Microchip designed by Nicolò Bertoncin from the Noun ProjectCloud designed by James Fenton from the Noun ProjectSecure by Charlene Chen from The Noun ProjectChat by Icomatic from The Noun Project Microchip designed by Mario Verduzco from the Noun ProjectCertificate designed by Charlene Chen from the Noun Project