Prof.CarstenBormann,cabo@tzi.org

INRIAParis,2017-04-13

hBp://www.tzi.de/~cabo/current.pdf

IoTProtocolStandards—LandscapeandTrends

1

Prof.Dr.-Ing.CarstenBormann,cabo@tzi.org

CarstenBormann

UniversitätBremenTZIIETFCoREWGIRTFT2TRG

2

hBp://www.tzi.de/~cabo/current.pdf

3

RFC 2429

RFC 2509

RFC 2686

RFC 2687

RFC 2689

RFC 3095

RFC 3189

RFC 3190

RFC 3241

RFC 3320

RFC 3485

RFC 3544

RFC 3819

RFC 3940

RFC 3941

RFC 4629

RFC 5049

RFC 5401

RFC 5740

RFC 5856

RFC 5857

RFC 5858

RFC 6469

RFC 6606

RFC 6775

RFC 7049

RFC 7228

RFC 7252

RFC 7400

RFC 7959

RFC 8132

RFC 8138

Bringing the Internet to new applications

• “Application X will never run on the Internet”

• …

• …

• “How to we turn off the remaining parts of X that still aren’t on the Internet”?

4

Scale up:Number of nodes (50 billion by 2020)

5

Scale down:node

6

Scale down:cost complexity

7

cent kilobyte

megahertz8

http://6lowapp.net core@IETF80, 2011-03-28

10/100 vs. 50/250! There is not just a single class of “constrained node”

! Class 0: too small to securely run on the Internet " “too constrained”

! Class 1: ~10 KiB data, ~100 KiB code " “quite constrained”, “10/100”

! Class 2: ~50 KiB data, ~250 KiB code " “not so constrained”, “50/250”

! These classes are not clear-cut, but may structure the discussion and help avoid talking at cross-purposes

Constrained nodes: orders of magnitude

RFC 7228

9

“IP is important” IP = Integration Protocol

10

But do we need all of the baggage?

Or, just because we can move it, do we still want it?

11

Can you put a sofa on a motorcycle?

Yes, you can.

But do you want to?

Is sofa transport even a good criteria for vehicle selection?

http://www.bbc.com/news/world-africa-21769053

12

Twocamps

• IPistooexpensiveformymicrocontrollerapplicaPon(myhand-kniBedprotocolisbeBer)

vs.• IPalreadyworkswellasitis,justgoaheadanduseit

• Bothcanbetrue!

13

Movingtheboundaries

• EnableInternetTechnologiesformass-marketapplicaPons

Acceptable complexity, Energy/Power needs, Cost

Can use Internet TechnologiesCannot use

Internet Technologies

Can use Internet Technologies unchanged

Can use Linux

14

Movingtheboundaries

• EnableInternetTechnologiesformass-marketapplicaPons

Acceptable complexity, Energy/Power needs, Cost

Can use Internet TechnologiesCannot use

Internet Technologies

Can use Internet Technologies unchanged

Can use Linux

15

Hype-IoT Real IoT

IPv4, NATs IPv6

Device-to-Cloud Internet

Gateways, Silos Small Things Loosely Joined

Questionable Security Real Security

$40+ < $5

W mW, µW16

„

John Naughton, “The internet of things needs better-made things” (The Guardian, 2016-07-10)

… a properly networked world … could be safer, greener, more efficient and more productive … But in order for that to emerge, the system has to be designed in the way that the internet was designed in the 1970s – by engineers who know what they’re doing, setting the protocols and technical standards that will bring some kind of order and security into the chaos of a technological stampede.

17

We make the net work18

IETF: Constrained Node Network WG Cluster

INT LWIG GuidanceINT 6LoWPAN IP over 802.15.4INT 6Lo IP-over-fooINT 6TiSCH IP over TSCHINT LPWAN Low-Power WAN

NetworksRTG ROLL Routing (RPL)APP CoRE REST (CoAP) + OpsAPP CBOR CBOR & CDDLSEC DICE Improving DTLSSEC ACE Constrained AASEC COSE Object Security

✔

✔19

♨

♨

✔

Protocol Stack

30

UDP TCP

IPv6

Resource Model

DTLS TLS

L2 Connectivity (Wi-Fi)

Encoding (CBOR)

CoAP

EncodingJSON or XML/EXI can be negotiated

IP Versionv6 (v4 supported forlegacy devices)

Application Alternatives

Project B OIC Stack[Source: OCF] 20

OMA LWM2M: CoAP + DTLS

21

2005-03-03: 6LoWPAN• “IPv6 over Low-Power WPANs”: IP over X for 802.15.4

• Encapsulation ➔ RFC 4944 (2007)

• Header Compression redone ➔ RFC 6282 (2011)

• Network Architecture and ND ➔ RFC 6775 (2012)

• (Informationals: RFC 4919, RFC 6568, RFC 6606)

22

6LoWPAN =

RFC4944 – HC1/HC2 + RFC6282 (6LoWPAN-HC) + RFC6775 (6LoWPAN-ND)

✔23

6LoWPAN = IPv6 over IEEE 802.15.4

6Lo =6LoWPAN Technologies

for other radios

24

Technology TraitsIEEE 802.15.4 (“ZigBee”) Many SoCs, 0.9 or 2.4 GHz,

6TiSCH upcoming

BlueTooth Smart On every PhoneDECT ULE Dedicated Spectrum,

In every home gateway

ITU-T G.9959 (“Z-Wave”) Popular @home802.11ah (“HaLow”) Low power “WiFi”

NFC Proximity6lobac Wired (RS485)

IEEE 1901.2 (LF PLC) Reuses mains power linesEthernet + PoE Wired, supplies 12–60 WWiFi, LTE, … Power?

2.4 GH

z0.9 G

Hz

1.8 GHz

13.56 MHz6Lo25

2008-02-11: ROLL• “Routing Over Low power and Lossy networks”

• Tree-based routing “RPL” ➔ RFC 6550–2 (2012)

• with Trickle ➔ RFC 6206 (2011)

• with MRHOF ➔ RFC 6719

• Experimentals: P2P-RPL (RFC 6997), Measuring (RFC 6998)

• MPL (Semi-Reliable Multicast Flooding) ➔ RFC 7731..7733

• (Lots of Informationals: RFC 5548 5673 5826 5867 7102 7416)

26

RPL: Routing for CN/N! RFC 6550: Specialized routing protocol RPL

– Rooted DAGs (directed acyclic graphs)

Root

33 2

5 35 4

7

4

6

7

1 Root

33 2

5 35 4

7

4

6

7

1

• redundancies in the tree help cope with churn

• “rank”: loop avoidance

• Storing Mode: Every router has map of subtree

• Non-Storing Mode: Only root has map of tree

Metrics: e.g., ETX

2012

27

2010-03-09: CoRE• “Constrained Restful Environments”

• CoAP ➔ RFC 7252 (20132014)

• Observe: RFC 7641, Block: RFC 7959 • HTTP mapping: RFC 8075

• Experimentals: RFC 7390 group communications

• Discovery (»Link-Format«) ➔ RFC 6690

28

The elements of success of the Web! HTML

! uniform representation of documents ! (now moving forward to HTML5 with CSS, JavaScript)

! URIs ! uniform referents to data and services on the Web

! HTTP ! universal transfer protocol ! enables a distribution system of proxies and reverse proxies

29

✔

Translating this to M2M

! HTML ! uniform representation of documents ! (now moving forward to HTML5 with CSS, JavaScript)

! URIs ! uniform referents to data and services on the Web

! HTTP ! universal transfer protocol ! enables a distribution system of proxies and reverse proxies

New data formats:

M2M semantics instead of

presentation semantics

30

„Make things as simple as possible, but not simpler.Attributed to Albert Einstein

31

The Constrained Application Protocol

! implements HTTP’s REST model ! GET, PUT, DELETE, POST; media type model

! while avoiding most of the complexities of HTTP

! Simple protocol, datagram only (UDP, DTLS) ! 4-byte header, compact yet simple options encoding

! adds “observe”, a lean notification architecture

CoAP

32

Proxying and caching

Source: 6lowpan.net 33

CoRE breakthroughs• RFC 7252: embrace REST

• but get rid of HTTP baggage

• and extend REST with Observe

• RFC 6690: Web Linking for discovery: /.well-known/core

• building resource-directory on top of that

34

Security is not optional!

! HTTP can use TLS (“SSL”) ! CoAP: Use DTLS 1.2

! Add 6LoWPAN-GHC for efficiency ! Crypto: Move to ECC

! P-256 curve ! SHA-256 ! AES-128

! To do: ! Commissioning models (Mother/Duckling, Mothership, …) ! Authorization format and workflow ! Performance fixes (DICE)

128-bit security

(~ RSA 3072-bit)

35

IoT “Security” today

• Thin perimeter protection

• WiFi password = keys to the kingdom

• Once you are “in”, you can do everything

• No authorization

• Doesn’t even work for a three-member family…

36

If it is not usably secure,it’s not

the Internet of Things

37

2014-05-05: ACE

• “Authentication and Authorization for Constrained Environments”

• currently applying OAuth framework to IoT

38

39

2013-09-13: CBOR• “Concise Binary Object Representation”:

JSON equivalent for constrained nodes

• start from JSON data model (no schema needed)

• add binary data, extensibility (“tags”)

• concise binary encoding (byte-oriented, counting objects)

• add diagnostic notation

• Started AD-sponsored, turned into a WG on 2017-01-09

40

2015-06-03: COSE• CBOR Object Signing and Encryption:

Object Security for the IoT

• Based on JOSE: JSON Web Token, JWS, JWE, … • Data structures for signatures, integrity, encryption… • Derived from on OAuth JWT • Encoded in JSON, can encrypt/sign other data

• COSE: use CBOR instead of JSON• Can directly use binary encoding (no base64) • Optimized for constrained devices

41

Prof.Dr.-Ing.CarstenBormann,cabo@tzi.org

ApplicaPonLayerTechnologies

! TheWebofThings:CoAPandHTTP" UsingCoAPformanagement:OMALWM2M,COMI" TimeSeriesData:CoAP-Pubsub(andXMPP,MQTT)

! DataFormats:CBORandJSON" Dataobjects:OMALWM2M,IPSOSmartObjects" Sensordata:SenML(inuseinOMALWM2M)

! RealSecurity" CommunicaPons:DTLSandTLS" ObjectSecurity:COSEandJOSE" AuthenPcatedAuthorizaPon:ACE

42

IETF: Constrained Node Network WG Cluster

INT LWIG GuidanceINT 6LoWPAN IP over 802.15.4INT 6Lo IP-over-fooINT 6TiSCH IP over TSCHINT LPWAN Low-Power WAN

NetworksRTG ROLL Routing (RPL)APP CoRE REST (CoAP) + OpsAPP CBOR CBOR & CDDLSEC DICE Improving DTLSSEC ACE Constrained AASEC COSE Object Security

✔

✔43

♨

♨

✔

IRTF: Internet Research Task Force (sister of IETF)• IRTF complements IETF with

longer-term Research Groups

• New: Thing-to-Thing Research Group (T2TRG)

• Investigate open research issues in:

• turning a true “Internet of Things” into reality,

• an Internet where low-resource nodes (“Things”, “Constrained Nodes”) can communicate among themselves and with the wider Internet, in order to partake in permissionless innovation.

44

RESEARCH

How to use REST in IoT?

• Ignore it, build a SOAP on top

• Use it half-heartedly and reap some of the benefits

• Use it right

• But what are the best practices that work well in the IoT?

45

From “REST-as-we-use-it” to Design Patterns 2|Matthias Kovatschhttp://people.inf.ethz.ch/mkovatsc

Cloud-to-Cloud (with Things) Thing-to-Thing(may include cloud services)

REST for Thing-to-Thing Communication

46

How? Client

Resource Directory

Thing A

Auth-Server

Thing B

Thing C

Follow links

Submit forms

Dynamically extend process flow

Entry URI Action Result

Thing C

Choice & redundancy

17

[Source: Kovatsch/Hartke]47

We make the net work48

Constrained cast and network simulation

Olaf Bergmann

49

DAG root

Multicast

Listener

Multicast

Sender

multicast data

DAG parent

Bloom filter

✔

✔

Send Bloom Filter with packet, match OIF

50

IoT Security An overview

Stefanie Gerdes

51

Four legs

I Every endpoint has its own AMI CAM is controlled by COP, SAM is controlled by ROPI CAM helps authenticating S for C and provides authorization

information about S to CI SAM helps authenticating C for S and provides authorization

information about C to S11 / 18

52

Evaluation (DCAF-DTLS)

Reference implementation of DCAF-DTLS adds

I about 440 Bytes CodeI 54 Bytes data for ticket faceI 722 Bytes parser for CBOR payload

to existing CoAP/DTLS server (ARM Cortex M3) representing S.

13 / 1853

IoT Devices as an attack platform

54

55

56

57

Prof.CarstenBormann,cabo@tzi.org

Manufacturer’sUsageDescripPon(MUD)

! Protectthenetworkandotherunrelatedusers againstanIoTDevicethatmaybeinsecure

! Idea:Documentexpectedbehavior inanacPonableway

! MUDasstandardizedtoday:CanbeusedforfirewallconfiguraPon" Pokefirewallholesfordesirabletraffic" DetectwhentheIoTDevicehasbeencompromised

! Wherecanwetakethisidea?

58

Software Updates are needed

• Bugs are being found

• Environments change

➔ Update or discard!

• Traditional: manual upgrade by connecting a special upgrader device (e.g., PC with upgrader app)

• Too expensive; device might be hard to reach

• Needed: Over-the-air Upgrade

59

Software Updates change the end system

• Need to be authorized

• An authentic upgrade is not enough

• Applicable to device’s configuration, application?

• Qualified in lab testing?

60

Contextual aspects

• Is this a good time for an upgrade?

• airplane in the air or in the hangar

• Holy grail: hitless upgrades

• but upgrades also can go wrong

61

62

63

IoT Data Formats

… and data modeling

64

n2 – n

65

2n

66

Information Model Data Model Serialization

Ontology

Abstract SyntaxConcrete Syntax

④

Marshaling Scheme

Message Transport Format

Encoding

Taxonomy

Vocabulary

Semantic Level

Meaning

67

COSE: CBOR Object Signing and Encryption

• Do for CBOR what has been done for JSON

• Much easier: no base64

• Now draft-ietf-cose-msg, in RFC editor queue

• Main Customer: Internet of Things/Web of Things

• but used in many other environments

68

CWT: CBOR Web Token• JWT: JSON Web Token (RFC 7519)

• Package Claim Set into JSON

• Apply JOSE for Signing and Encryption

• CWT: Use CBOR and COSE instead of JSON and JOSE

• CWT can replace unstructured misuse of certificates for Claim Sets

• Being completed in IETF ACE WG

69

70

DM2

IM,DM,andSerialization

SWID

SWIDCBORData

DefinitionDM1

IM

DM3 DMn

Serialization1.1 Serialization3.1

…

…Serialization2.1 Serializationn.1SWIDCBORInstance

SWIDXMLInstance

SWIDXMLSchema

SoftwareInstance

IETF95- April2016 10

COSWID: Software-ID tags for constrained devices

TUDA: Time-based unidirectional attestation

• Remote Attestation: attempt to describe the integrity and trustworthiness of a host or device

• Measurements of components (e.g., hash values)

• Protocols for RA typically bidirectional

• Challenge for freshness

• TUDA: Time-based unidirectional attestation

71

Evolving REST for a Web of Things

Klaus Hartke

72

22

CoRAL

Forms

[68, 1 (create-item), [Method 1, 2 (POST),Accept 2, 60 (application/cbor),Href.Path 12, "items"]]

flags form relation type

option number option value

73

Open source projects for IoT

Olaf Bergmann

74

libcoap is One of The Major CoAP-Implementations

Bergmann: Technology Transfer Projects 5 / 775

tinydtlshttps://projects.eclipse.org/projects/iot.tinydtls

I Eclipse IoT projectI implements RFC 6347 (DTLS)

using cipher suites recommended by RFC 7252I POSIX and Contiki, RIOTI used as blueprint and interop testing tool for many other

DTLS implementations (e. g. ContikiDTLS, Scandium)I Ported for Eclipse Wakaama LWM2M library

Bergmann: Technology Transfer Projects 6 / 776

Interoperability

… and playgrounds

77

http://6lowapp.net core@IETF83, 2012-03-23 78

ETSI Plugtests, the IPSO Alliance and theFP7 Probe‐IT project are pleased to invite you to par"cipate in the first Internet of Things CoAP Plugtest, takingplace from 24‐25th March 2011 in Paris,France.The event is co‐located with the 83rd IETFheld March 26‐30th.

IoT CoAP Plugtests24‐25 March 2012, Paris

Registra"on Deadline: 9 March 2012Website: h!p://www.etsi.org/plugtests

22.5°C

/temperature

SERVER

CLIENT

GET/temperature200 OK

applica"on/text22.5°C

FLYER IOT_Mise en page 1 12/10/11 10:12 Page1

Prof.CarstenBormann,cabo@tzi.org

ETSIPlugtests

! COAP1:2012-03,Paris! COAP2:2012-11,Sophia-AnPpolis! COAP3:2013-11,LasVegas(colocatedwithOMALWM2M)! COAP4:2014-03,London

! 6LoWPAN1:2013-07,Berlin! 6Lo1:2015-11,Yokohama

! TestdescripPonsprovidedbyTZIOpen-sourcedevelopmentongithub.com

79

80

81

http://coap.technology

http://cbor.io

82

Implementations• Parsing/generating CBOR

easier than interfacing with application

• Minimal implementation: 822 bytes of ARM code

• Different integration models, different languages

• > 25 implementations (after first two years)

34 http://cbor.io

http://cbor.me: CBOR playground

• Convert back and forth between diagnostic notation (~JSON) and binary encoding

83