IoT Protocol Standards — Landscape and...
Transcript of IoT Protocol Standards — Landscape and...
Prof.CarstenBormann,[email protected]
INRIAParis,2017-04-13
hBp://www.tzi.de/~cabo/current.pdf
IoTProtocolStandards—LandscapeandTrends
1
Prof.Dr.-Ing.CarstenBormann,[email protected]
CarstenBormann
UniversitätBremenTZIIETFCoREWGIRTFT2TRG
2
hBp://www.tzi.de/~cabo/current.pdf
3
RFC 2429
RFC 2509
RFC 2686
RFC 2687
RFC 2689
RFC 3095
RFC 3189
RFC 3190
RFC 3241
RFC 3320
RFC 3485
RFC 3544
RFC 3819
RFC 3940
RFC 3941
RFC 4629
RFC 5049
RFC 5401
RFC 5740
RFC 5856
RFC 5857
RFC 5858
RFC 6469
RFC 6606
RFC 6775
RFC 7049
RFC 7228
RFC 7252
RFC 7400
RFC 7959
RFC 8132
RFC 8138
Bringing the Internet to new applications
• “Application X will never run on the Internet”
• …
• …
• “How to we turn off the remaining parts of X that still aren’t on the Internet”?
4
http://6lowapp.net core@IETF80, 2011-03-28
10/100 vs. 50/250! There is not just a single class of “constrained node”
! Class 0: too small to securely run on the Internet " “too constrained”
! Class 1: ~10 KiB data, ~100 KiB code " “quite constrained”, “10/100”
! Class 2: ~50 KiB data, ~250 KiB code " “not so constrained”, “50/250”
! These classes are not clear-cut, but may structure the discussion and help avoid talking at cross-purposes
Constrained nodes: orders of magnitude
RFC 7228
9
Can you put a sofa on a motorcycle?
Yes, you can.
But do you want to?
Is sofa transport even a good criteria for vehicle selection?
http://www.bbc.com/news/world-africa-21769053
12
Twocamps
• IPistooexpensiveformymicrocontrollerapplicaPon(myhand-kniBedprotocolisbeBer)
vs.• IPalreadyworkswellasitis,justgoaheadanduseit
• Bothcanbetrue!
13
Movingtheboundaries
• EnableInternetTechnologiesformass-marketapplicaPons
Acceptable complexity, Energy/Power needs, Cost
Can use Internet TechnologiesCannot use
Internet Technologies
Can use Internet Technologies unchanged
Can use Linux
14
Movingtheboundaries
• EnableInternetTechnologiesformass-marketapplicaPons
Acceptable complexity, Energy/Power needs, Cost
Can use Internet TechnologiesCannot use
Internet Technologies
Can use Internet Technologies unchanged
Can use Linux
15
Hype-IoT Real IoT
IPv4, NATs IPv6
Device-to-Cloud Internet
Gateways, Silos Small Things Loosely Joined
Questionable Security Real Security
$40+ < $5
W mW, µW16
„
John Naughton, “The internet of things needs better-made things” (The Guardian, 2016-07-10)
… a properly networked world … could be safer, greener, more efficient and more productive … But in order for that to emerge, the system has to be designed in the way that the internet was designed in the 1970s – by engineers who know what they’re doing, setting the protocols and technical standards that will bring some kind of order and security into the chaos of a technological stampede.
17
IETF: Constrained Node Network WG Cluster
INT LWIG GuidanceINT 6LoWPAN IP over 802.15.4INT 6Lo IP-over-fooINT 6TiSCH IP over TSCHINT LPWAN Low-Power WAN
NetworksRTG ROLL Routing (RPL)APP CoRE REST (CoAP) + OpsAPP CBOR CBOR & CDDLSEC DICE Improving DTLSSEC ACE Constrained AASEC COSE Object Security
✔
✔19
♨
♨
✔
Protocol Stack
30
UDP TCP
IPv6
Resource Model
DTLS TLS
L2 Connectivity (Wi-Fi)
Encoding (CBOR)
CoAP
EncodingJSON or XML/EXI can be negotiated
IP Versionv6 (v4 supported forlegacy devices)
Application Alternatives
Project B OIC Stack[Source: OCF] 20
2005-03-03: 6LoWPAN• “IPv6 over Low-Power WPANs”: IP over X for 802.15.4
• Encapsulation ➔ RFC 4944 (2007)
• Header Compression redone ➔ RFC 6282 (2011)
• Network Architecture and ND ➔ RFC 6775 (2012)
• (Informationals: RFC 4919, RFC 6568, RFC 6606)
22
Technology TraitsIEEE 802.15.4 (“ZigBee”) Many SoCs, 0.9 or 2.4 GHz,
6TiSCH upcoming
BlueTooth Smart On every PhoneDECT ULE Dedicated Spectrum,
In every home gateway
ITU-T G.9959 (“Z-Wave”) Popular @home802.11ah (“HaLow”) Low power “WiFi”
NFC Proximity6lobac Wired (RS485)
IEEE 1901.2 (LF PLC) Reuses mains power linesEthernet + PoE Wired, supplies 12–60 WWiFi, LTE, … Power?
2.4 GH
z0.9 G
Hz
1.8 GHz
13.56 MHz6Lo25
2008-02-11: ROLL• “Routing Over Low power and Lossy networks”
• Tree-based routing “RPL” ➔ RFC 6550–2 (2012)
• with Trickle ➔ RFC 6206 (2011)
• with MRHOF ➔ RFC 6719
• Experimentals: P2P-RPL (RFC 6997), Measuring (RFC 6998)
• MPL (Semi-Reliable Multicast Flooding) ➔ RFC 7731..7733
• (Lots of Informationals: RFC 5548 5673 5826 5867 7102 7416)
26
RPL: Routing for CN/N! RFC 6550: Specialized routing protocol RPL
– Rooted DAGs (directed acyclic graphs)
Root
33 2
5 35 4
7
4
6
7
1 Root
33 2
5 35 4
7
4
6
7
1
• redundancies in the tree help cope with churn
• “rank”: loop avoidance
• Storing Mode: Every router has map of subtree
• Non-Storing Mode: Only root has map of tree
Metrics: e.g., ETX
2012
27
2010-03-09: CoRE• “Constrained Restful Environments”
• CoAP ➔ RFC 7252 (20132014)
• Observe: RFC 7641, Block: RFC 7959 • HTTP mapping: RFC 8075
• Experimentals: RFC 7390 group communications
• Discovery (»Link-Format«) ➔ RFC 6690
28
The elements of success of the Web! HTML
! uniform representation of documents ! (now moving forward to HTML5 with CSS, JavaScript)
! URIs ! uniform referents to data and services on the Web
! HTTP ! universal transfer protocol ! enables a distribution system of proxies and reverse proxies
29
✔
Translating this to M2M
! HTML ! uniform representation of documents ! (now moving forward to HTML5 with CSS, JavaScript)
! URIs ! uniform referents to data and services on the Web
! HTTP ! universal transfer protocol ! enables a distribution system of proxies and reverse proxies
New data formats:
M2M semantics instead of
presentation semantics
30
The Constrained Application Protocol
! implements HTTP’s REST model ! GET, PUT, DELETE, POST; media type model
! while avoiding most of the complexities of HTTP
! Simple protocol, datagram only (UDP, DTLS) ! 4-byte header, compact yet simple options encoding
! adds “observe”, a lean notification architecture
CoAP
32
CoRE breakthroughs• RFC 7252: embrace REST
• but get rid of HTTP baggage
• and extend REST with Observe
• RFC 6690: Web Linking for discovery: /.well-known/core
• building resource-directory on top of that
34
Security is not optional!
! HTTP can use TLS (“SSL”) ! CoAP: Use DTLS 1.2
! Add 6LoWPAN-GHC for efficiency ! Crypto: Move to ECC
! P-256 curve ! SHA-256 ! AES-128
! To do: ! Commissioning models (Mother/Duckling, Mothership, …) ! Authorization format and workflow ! Performance fixes (DICE)
128-bit security
(~ RSA 3072-bit)
35
IoT “Security” today
• Thin perimeter protection
• WiFi password = keys to the kingdom
• Once you are “in”, you can do everything
• No authorization
• Doesn’t even work for a three-member family…
36
2014-05-05: ACE
• “Authentication and Authorization for Constrained Environments”
• currently applying OAuth framework to IoT
38
2013-09-13: CBOR• “Concise Binary Object Representation”:
JSON equivalent for constrained nodes
• start from JSON data model (no schema needed)
• add binary data, extensibility (“tags”)
• concise binary encoding (byte-oriented, counting objects)
• add diagnostic notation
• Started AD-sponsored, turned into a WG on 2017-01-09
40
2015-06-03: COSE• CBOR Object Signing and Encryption:
Object Security for the IoT
• Based on JOSE: JSON Web Token, JWS, JWE, … • Data structures for signatures, integrity, encryption… • Derived from on OAuth JWT • Encoded in JSON, can encrypt/sign other data
• COSE: use CBOR instead of JSON• Can directly use binary encoding (no base64) • Optimized for constrained devices
41
Prof.Dr.-Ing.CarstenBormann,[email protected]
ApplicaPonLayerTechnologies
! TheWebofThings:CoAPandHTTP" UsingCoAPformanagement:OMALWM2M,COMI" TimeSeriesData:CoAP-Pubsub(andXMPP,MQTT)
! DataFormats:CBORandJSON" Dataobjects:OMALWM2M,IPSOSmartObjects" Sensordata:SenML(inuseinOMALWM2M)
! RealSecurity" CommunicaPons:DTLSandTLS" ObjectSecurity:COSEandJOSE" AuthenPcatedAuthorizaPon:ACE
42
IETF: Constrained Node Network WG Cluster
INT LWIG GuidanceINT 6LoWPAN IP over 802.15.4INT 6Lo IP-over-fooINT 6TiSCH IP over TSCHINT LPWAN Low-Power WAN
NetworksRTG ROLL Routing (RPL)APP CoRE REST (CoAP) + OpsAPP CBOR CBOR & CDDLSEC DICE Improving DTLSSEC ACE Constrained AASEC COSE Object Security
✔
✔43
♨
♨
✔
IRTF: Internet Research Task Force (sister of IETF)• IRTF complements IETF with
longer-term Research Groups
• New: Thing-to-Thing Research Group (T2TRG)
• Investigate open research issues in:
• turning a true “Internet of Things” into reality,
• an Internet where low-resource nodes (“Things”, “Constrained Nodes”) can communicate among themselves and with the wider Internet, in order to partake in permissionless innovation.
44
RESEARCH
How to use REST in IoT?
• Ignore it, build a SOAP on top
• Use it half-heartedly and reap some of the benefits
• Use it right
• But what are the best practices that work well in the IoT?
45
From “REST-as-we-use-it” to Design Patterns 2|Matthias Kovatschhttp://people.inf.ethz.ch/mkovatsc
Cloud-to-Cloud (with Things) Thing-to-Thing(may include cloud services)
REST for Thing-to-Thing Communication
46
How? Client
Resource Directory
Thing A
Auth-Server
Thing B
Thing C
Follow links
Submit forms
Dynamically extend process flow
Entry URI Action Result
Thing C
Choice & redundancy
17
[Source: Kovatsch/Hartke]47
DAG root
Multicast
Listener
Multicast
Sender
multicast data
DAG parent
Bloom filter
✔
✔
Send Bloom Filter with packet, match OIF
50
Four legs
I Every endpoint has its own AMI CAM is controlled by COP, SAM is controlled by ROPI CAM helps authenticating S for C and provides authorization
information about S to CI SAM helps authenticating C for S and provides authorization
information about C to S11 / 18
52
Evaluation (DCAF-DTLS)
Reference implementation of DCAF-DTLS adds
I about 440 Bytes CodeI 54 Bytes data for ticket faceI 722 Bytes parser for CBOR payload
to existing CoAP/DTLS server (ARM Cortex M3) representing S.
13 / 1853
Prof.CarstenBormann,[email protected]
Manufacturer’sUsageDescripPon(MUD)
! Protectthenetworkandotherunrelatedusers againstanIoTDevicethatmaybeinsecure
! Idea:Documentexpectedbehavior inanacPonableway
! MUDasstandardizedtoday:CanbeusedforfirewallconfiguraPon" Pokefirewallholesfordesirabletraffic" DetectwhentheIoTDevicehasbeencompromised
! Wherecanwetakethisidea?
58
Software Updates are needed
• Bugs are being found
• Environments change
➔ Update or discard!
• Traditional: manual upgrade by connecting a special upgrader device (e.g., PC with upgrader app)
• Too expensive; device might be hard to reach
• Needed: Over-the-air Upgrade
59
Software Updates change the end system
• Need to be authorized
• An authentic upgrade is not enough
• Applicable to device’s configuration, application?
• Qualified in lab testing?
60
Contextual aspects
• Is this a good time for an upgrade?
• airplane in the air or in the hangar
• Holy grail: hitless upgrades
• but upgrades also can go wrong
61
Information Model Data Model Serialization
Ontology
Abstract SyntaxConcrete Syntax
④
Marshaling Scheme
Message Transport Format
Encoding
Taxonomy
Vocabulary
Semantic Level
Meaning
67
COSE: CBOR Object Signing and Encryption
• Do for CBOR what has been done for JSON
• Much easier: no base64
• Now draft-ietf-cose-msg, in RFC editor queue
• Main Customer: Internet of Things/Web of Things
• but used in many other environments
68
CWT: CBOR Web Token• JWT: JSON Web Token (RFC 7519)
• Package Claim Set into JSON
• Apply JOSE for Signing and Encryption
• CWT: Use CBOR and COSE instead of JSON and JOSE
• CWT can replace unstructured misuse of certificates for Claim Sets
• Being completed in IETF ACE WG
69
70
DM2
IM,DM,andSerialization
SWID
SWIDCBORData
DefinitionDM1
IM
DM3 DMn
Serialization1.1 Serialization3.1
…
…Serialization2.1 Serializationn.1SWIDCBORInstance
SWIDXMLInstance
SWIDXMLSchema
SoftwareInstance
IETF95- April2016 10
COSWID: Software-ID tags for constrained devices
TUDA: Time-based unidirectional attestation
• Remote Attestation: attempt to describe the integrity and trustworthiness of a host or device
• Measurements of components (e.g., hash values)
• Protocols for RA typically bidirectional
• Challenge for freshness
• TUDA: Time-based unidirectional attestation
71
22
CoRAL
Forms
[68, 1 (create-item), [Method 1, 2 (POST),Accept 2, 60 (application/cbor),Href.Path 12, "items"]]
flags form relation type
option number option value
73
tinydtlshttps://projects.eclipse.org/projects/iot.tinydtls
I Eclipse IoT projectI implements RFC 6347 (DTLS)
using cipher suites recommended by RFC 7252I POSIX and Contiki, RIOTI used as blueprint and interop testing tool for many other
DTLS implementations (e. g. ContikiDTLS, Scandium)I Ported for Eclipse Wakaama LWM2M library
Bergmann: Technology Transfer Projects 6 / 776
http://6lowapp.net core@IETF83, 2012-03-23 78
ETSI Plugtests, the IPSO Alliance and theFP7 Probe‐IT project are pleased to invite you to par"cipate in the first Internet of Things CoAP Plugtest, takingplace from 24‐25th March 2011 in Paris,France.The event is co‐located with the 83rd IETFheld March 26‐30th.
IoT CoAP Plugtests24‐25 March 2012, Paris
Registra"on Deadline: 9 March 2012Website: h!p://www.etsi.org/plugtests
22.5°C
/temperature
SERVER
CLIENT
GET/temperature200 OK
applica"on/text22.5°C
FLYER IOT_Mise en page 1 12/10/11 10:12 Page1
Prof.CarstenBormann,[email protected]
ETSIPlugtests
! COAP1:2012-03,Paris! COAP2:2012-11,Sophia-AnPpolis! COAP3:2013-11,LasVegas(colocatedwithOMALWM2M)! COAP4:2014-03,London
! 6LoWPAN1:2013-07,Berlin! 6Lo1:2015-11,Yokohama
! TestdescripPonsprovidedbyTZIOpen-sourcedevelopmentongithub.com
79
http://cbor.io
82
Implementations• Parsing/generating CBOR
easier than interfacing with application
• Minimal implementation: 822 bytes of ARM code
• Different integration models, different languages
• > 25 implementations (after first two years)
34 http://cbor.io