Presentation is loading. Please wait.

Presentation is loading. Please wait.

22 April 2016 Webex IPv6 over the TSCH mode of IEEE e Chairs:

Published byJustin Dawson Modified over 6 years ago

Similar presentations

Presentation on theme: "22 April 2016 Webex IPv6 over the TSCH mode of IEEE e Chairs:"— Presentation transcript:

1 22 April 2016 Webex IPv6 over the TSCH mode of IEEE 802.15.4e Chairs:
Pascal Thubert Thomas Watteyne Etherpad for minutes:

2 Note Well This summary is only meant to point you in the right direction, and doesn't have all the nuances. The IETF's IPR Policy is set forth in BCP 79; please read it carefully. The brief summary: By participating with the IETF, you agree to follow IETF processes. If you are aware that a contribution of yours (something you write, say, or discuss in any IETF context) is covered by patents or patent applications, you need to disclose that fact. You understand that meetings might be recorded, broadcast, and publicly archived. For further information, talk to a chair, ask an Area Director, or review the following: BCP 9 (on the Internet Standards Process) BCP 25 (on the Working Group processes) BCP 78 (on the IETF Trust) BCP 79 (on Intellectual Property Rights in the IETF) 2 2

3 Reminder: Minutes are taken. This meeting is recorded
Reminder: Minutes are taken * This meeting is recorded ** Presence is logged *** * Scribe; please contribute online to the minutes at ** Recordings and Minutes are public and may be subject to discovery in the event of litigation. *** From the Webex login 3 3 3 3

4 Agenda [40mn] Administrivia [3min] Pending WG doc Adoptions [5min]
Agenda bashing Approval minutes IETF 95 Pending WG doc Adoptions [5min] Security Bootstrap (Michael Richardson) [10min] OSCOAP (Goran Selander) [40min] AOB [2min] 4 4 4 4 4

5 Administrivia

6 Admin is trivia Approval Agenda Approval minutes IETF 95 6 6 6 6

7 Status drafts

8 Draft news Minimal: Final Int Area review 6LoRH, 6LoCD
Waiting for Charlie’s feedback 6LoRH, 6LoCD Continued last call, 6LoRH advancing 6LoAP (address Protection) 8 8 8 8

9 Join Process status / ReBoot
Michael Richardson

10 Object Security of CoAP (OSCOAP) John Mattsson, Ericsson
IETF 95 Object Security of CoAP (OSCOAP) John Mattsson, Ericsson CoRE WG

11 OSCOAP in one slide Client Proxy Server
IETF 95 OSCOAP in one slide OSCOAP is a security protocol protecting CoAP messages using COSE objects and the CoAP option “Object-Security” Independent of how CoAP is transported (UDP, TCP, foo…) Low footprint, small messages May be used as replacement for DTLS OSCOAP protects CoAP end-to-end across intermediary nodes Co-exists with untrusted proxies Allows legitimate proxy operations Detects illegitimate proxy operations draft-selander-ace-object-security Client Proxy Server DTLS DTLS GET /status GET /status 2.05 “on” 2.05 “on” OSCOAP CoRE WG

12 How does it work? IETF 95 1. Take a plain CoAP message
How does it work? 1. Take a plain CoAP message Protect CoAP payload, almost all options, and some headers in a COSE object (draft-ietf-cose-msg) Put the COSE object in a new “protected” CoAP message including the Object-Security option Send the protected CoAP message The receiver detects with the Object-Security option that it has received a protected CoAP message and reverses the steps above verifies and decrypts the COSE object recreates the original CoAP message This applies both to CoAP request and response CoAP Header Options Payload COSE 2. 3. CoAP Header Object- Security 4. COSE CoRE WG

13 Figure 1: Sketch of OSCOAP
IETF 95 Example Client Server | request: | | GET example.com | | [Header, Token, Options:{..., | | Object-Security:COSE object}] | >| | response: | | (Content) | | Object-Security:-}, Payload:COSE object] | |< | | Figure 1: Sketch of OSCOAP CoRE WG

14 Constrainedness aspects
IETF 95 Constrainedness aspects Low footprint, requires only COSE and an update to CoAP CPU/RAM negligable compared to symmetric crypto Low message overhead Example of message OH addition to plain CoAP: NOTE: This is NOT the minimum size, see draft | Tid | Tag | COSE OH | Message OH | | 5 bytes | 8 bytes | 9 bytes | 22 bytes | Figure 9: Message overhead for a 5-byte Tid and 8-byte Tag. CoRE WG

15 IETF 95 Security properties Addresses security requirements in scenarios 1 and 2 of draft-hartke-core-e2e-security-reqs In particular: End-to-end security through untrusted intermediaries Confidentiality and integrity protection using COSE with AEAD cipher Replay protection using sequence numbers Challenge-response: binding of response to request CoRE WG

16 How do I use OSCOAP? You need three things: An implementation of COSE
IETF 95 How do I use OSCOAP? You need three things: An implementation of COSE A CoAP library supporting the Object-Security option A security context in place Then just indicate the use of the Object-Security option with the CoAP message CoRE WG

17 Security Context OSCOAP assumes an established security context
IETF 95 Security Context OSCOAP assumes an established security context .---Cid = Cid Cid = Cid1---. | context: | | context: | | Alg, | | Alg, | | Client Write, | | Client Write, | | Server Write | | Server Write | ' ' ' ' Client Server | | Retrieve context for | request: | target resource | [Token = Token1, | Protect request with | Cid = Cid1, ...] | Client Write >| Retrieve context with | | Cid = Cid1 | | Verify request with Retrieve context with | response: | Client Write Token = Token | [Token = Token1, ...]| Protect response with Verify request with |< Server Write Server Write | | Figure 3: Retrieval and use of the Security Context CoRE WG

18 Establishing Security Context
IETF 95 Establishing Security Context One example of how to establish security context Ephemeral Diffie-Hellman over COSE (EDHOC, draft-selander-ace-cose-ecdhe) Mutual authentication based on pre-shared secret keys or raw public keys Example of message sizes with PSK: bytes, with RPK: bytes NOTE: This is NOT minimum sizes, see draft Security context derived from DH-shared secret With COSE in place, EDHOC comes at almost no footprint May be implemented as CoAP POST Client Server POST /edhoc COSE(g^x) 2.04 (Changed) COSE(g^y) g^(xy) g^(xy) security context security context Common denominator between EDHOC and OSCOAP: Both can be implementated as COSE objects sent in CoAP messages CoRE WG

19 Alignment with existing work
IETF 95 Alignment with existing work Security Context - TLS 1.3 (use of AEAD ciphers, key derivation, nonce construction…) (draft-ietf-tls-tls13-12) Protected CoAP message data – COSE object (draft-ietf-cose-msg-11) CoRE WG

20 What’s next Support for Blockwise Support for CoAP over TCP
IETF 95 What’s next Support for Blockwise Support for CoAP over TCP Support for security context for reverse messaging (same devices implements CoAP client and server) Crypto agility (to include e.g. CCM*) Re-submit to CoRE, ask for adoption in Berlin New implementations in progress Release as open source OSCOAP profile for ACE (separate slide) Certificate support in EDHOC CoRE WG

21 OSCOAP for 6tisch (naïvely)
IETF 95 OSCOAP for 6tisch (naïvely) Join Coordi- nation Entity Joining Node Join Assistant [Inter- mediate] POST /join OSCOAP / EDHOC JOIN REQUEST / ACK 2.04 (Changed) POST /6top/… CONFIG K2 / ACK OSCOAP 2.04 (Changed) Join: Configuration management: Rate limitation: First note in draft-richardsson there is a pre-history before the JOIN REQUEST. The assumption is that during this phase information about the JCE is obtained by the JN. In that information exchange could also the URI of an intermediate forward proxy be provided. By only allowing CoAP requests to JCE to go via that forward proxy, it could have a rate limiting function towards JCE. There may be multiple intermediate forward proxies in the network for load balancing – different JAs could advertise different forward proxies. This is a very simple application layer load balancing function, but e2e security is provided either with OSCOAP or plain COSE. Mutual authentication of JN and JCE based on pre-established node credentials Establishment of security context (optional) Secure provisioning of network credentials Secure configuration of K2 on JN Rate limitation for DoS mitigation (e.g. CoAP forward proxy) CoRE WG

22 Thank you! Comments/questions?
IETF 95 Thank you! Comments/questions? CoRE WG

23 OSCOAP profile for ACE The ACE solution is based on OAuth 2.0 (draft-ietf-ace-oauth-authz) Profiling the /token and /introspect endpoints May be used for authorization of Joining Node (C=JN; RS=JCE) or for authorization of other node-node interactions /token /introspect AS AS 2. POST /introspect 1. POST /token 2.access token, RS key 3. authz info, C key 3. access token 1. access token C RS RS C 4. access request 4. access request

24 IETF 95 OSCOAP Table of Contents 1. Introduction 1.1. Terminology 2. The Object-Security Option 3. The Security Context 4. Protected CoAP Message Fields 5. The COSE Object 5.1. Plaintext 5.2. Additional Authenticated Data 6. Protecting CoAP Messages 6.1. Replay and Freshness Protection 6.2. Protecting the Request 6.3. Verifying the Request 6.4. Protecting the Response 6.5. Verifying the Response 7. Security Considerations ... 4 main parts: The CoAP Object-Security option The security context The COSE object The OSCOAP protocol Appendices: Message size expansion Examples CoRE WG

25 What options are protected?
IETF 95 What options are protected? All except those intended to be changed by forward proxy | No.| C | U | N | R | Name | Format | Length | E | I | D | | 1 | x | | | x | If-Match | opaque | | x | x | | | 3 | x | x | - | | Uri-Host | string | | | | | | 4 | | | | x | ETag | opaque | | x | x | | | 5 | x | | | | If-None-Match | empty | | x | x | | | 6 | | x | - | | Observe | uint | | x | x | x | | 7 | x | x | - | | Uri-Port | uint | | | | | | 8 | | | | x | Location-Path | string | | x | x | | | 11 | x | x | - | x | Uri-Path | string | | x | x | | | 12 | | | | | Content-Format | uint | | x | x | | | 14 | | x | - | | Max-Age | uint | | x | x | x | | 15 | x | x | - | x | Uri-Query | string | | x | x | | | 17 | x | | | | Accept | uint | | x | x | | | 20 | | | | x | Location-Query | string | | x | x | | | 35 | x | x | - | | Proxy-Uri | string | | | | | | 39 | x | x | - | | Proxy-Scheme | string | | | | | | 60 | | | x | | Size | uint | | x | x | | C=Critical, U=Unsafe, N=NoCacheKey, R=Repeatable, E=Encrypt, I=Integrity Protect, D=Duplicate. Figure 4: Protected CoAP Options CoRE WG

26 IETF 95 References draft-hartke-core-e2e-security-reqs draft-selander-ace-object-security draft-ietf-cose-msg draft-selander-ace-cose-ecdhe draft-ietf-ace-oauth-authz CoRE WG

27 AOB ?

28 Thank you!

Download ppt "22 April 2016 Webex IPv6 over the TSCH mode of IEEE e Chairs:"

Similar presentations

Adapted Multimedia Internet KEYing (AMIKEY): An extension of Multimedia Internet KEYing (MIKEY) Methods for Generic LLN Environments draft-alexander-roll-mikey-lln-key-mgmt-01.txt.

Adapted Multimedia Internet KEYing (AMIKEY): An extension of Multimedia Internet KEYing (MIKEY) Methods for Generic LLN Environments draft-alexander-roll-mikey-lln-key-mgmt-01.txt.
SACM IETF-92 Meeting March 23 and 27, 2015 Dan Romascanu Adam Montville.

SACM IETF-92 Meeting March 23 and 27, 2015 Dan Romascanu Adam Montville.
DDoS Open Threat Signaling BOF (DOTS) IETF 92, Dallas, Texas

DDoS Open Threat Signaling BOF (DOTS) IETF 92, Dallas, Texas
CCAMP Working Group Online Agenda and Slides at: ccamp Data tracker:

CCAMP Working Group Online Agenda and Slides at: ccamp Data tracker:
ACE BOF, IETF-89 London Authentication and Authorization for Constrained Environments (ACE) BOF Wed 09:00-11:30, Balmoral BOF Chairs: Kepeng Li, Hannes.

ACE BOF, IETF-89 London Authentication and Authorization for Constrained Environments (ACE) BOF Wed 09:00-11:30, Balmoral BOF Chairs: Kepeng Li, Hannes.
Audio/Video Transport Extensions (AVTEXT). Administrivia Notetakers? Jabber scribe? Jabber Chat Room

Audio/Video Transport Extensions (AVTEXT). Administrivia Notetakers? Jabber scribe? Jabber Chat Room
Network Virtualization Overlays (NVO3) NVO3 Meeting, IETF 88, Vancouver Benson Schliesser Matthew Bocci

Network Virtualization Overlays (NVO3) NVO3 Meeting, IETF 88, Vancouver Benson Schliesser Matthew Bocci
CCAMP Working Group Online Agenda and Slides at: https://datatracker.ietf.org/meeting/90/agenda/ccamp/ Data tracker:

CCAMP Working Group Online Agenda and Slides at: Data tracker:
LMAP WG IETF 89, London, UK Dan Romascanu Jason Weil.

LMAP WG IETF 89, London, UK Dan Romascanu Jason Weil.
Dnssd WG Chairs: Tim Chown Ralph Droms IETF 89, London, 3 rd March 2014.

Dnssd WG Chairs: Tim Chown Ralph Droms IETF 89, London, 3 rd March 2014.
Wed 31 Jul & Fri 2 Aug 2013SIDR IETF 87 Berlin, German1 SIDR Working Group IETF 87 Berlin, Germany Wednesday, 31 Jul 2013 Friday, 2 Aug 2013.

Wed 31 Jul & Fri 2 Aug 2013SIDR IETF 87 Berlin, German1 SIDR Working Group IETF 87 Berlin, Germany Wednesday, 31 Jul 2013 Friday, 2 Aug 2013.
CCAMP Working Group Online Agenda and Slides at: Data tracker:

CCAMP Working Group Online Agenda and Slides at: Data tracker:
ForCES WG Status Forwarding and Control Element Separation (IETF88 Vancouver, CA 2013) Chair: Jamal Hadi Salim Damascene.

ForCES WG Status Forwarding and Control Element Separation (IETF88 Vancouver, CA 2013) Chair: Jamal Hadi Salim Damascene.
SACM IETF-91Meeting November 10 and 14, 2014 Dan Romascanu Adam Montville.

SACM IETF-91Meeting November 10 and 14, 2014 Dan Romascanu Adam Montville.
RADEXT WG IETF 93 Agenda July 20, 2015 1850-1950 Please join the Jabber room:

RADEXT WG IETF 93 Agenda July 20, Please join the Jabber room:
1 TCP Maintenance and Minor Extensions (TCPM) Working Group Pasi Sarolahti Michael Scharf Yoshifumi Nishida IETF 90 – Toronto, Canada July 2014.

1 TCP Maintenance and Minor Extensions (TCPM) Working Group Pasi Sarolahti Michael Scharf Yoshifumi Nishida IETF 90 – Toronto, Canada July 2014.
1 Benchmarking Methodology WG (bmwg) 86th IETF Tuesday, July 30, 2013 (1520-1650 Berlin Local Time, GMT+2:00) Chairs: –Al Morton (acmorton(at)att.com)

1 Benchmarking Methodology WG (bmwg) 86th IETF Tuesday, July 30, 2013 ( Berlin Local Time, GMT+2:00) Chairs: –Al Morton (acmorton(at)att.com)
Wed 31 Jul & Fri 2 Aug 2013SIDR IETF 87 Berlin, German1 SIDR Working Group IETF 87 Berlin, Germany Wednesday, 31 Jul 2013 Friday, 2 Aug 2013.

Wed 31 Jul & Fri 2 Aug 2013SIDR IETF 87 Berlin, German1 SIDR Working Group IETF 87 Berlin, Germany Wednesday, 31 Jul 2013 Friday, 2 Aug 2013.
LMAP WG INTERIM DUBLIN, IRELAND Jason Weil Dan Romascanu - remote.

LMAP WG INTERIM DUBLIN, IRELAND Jason Weil Dan Romascanu - remote.
Virtualized Network Function (VNF) Pool BoF IETF 90 th, Toronto, Canada. BoF Chairs: Ning Zong Melinda Shore

Virtualized Network Function (VNF) Pool BoF IETF 90 th, Toronto, Canada. BoF Chairs: Ning Zong Melinda Shore

Similar presentations

Ads by Google