6tisch Working Group M. Richardson
Internet-Draft Sandelman Software Works
Intended status: Informational B. Damm
Expires: March 1, 2018 Silver Spring Networks
August 28, 2017
6tisch Zero-Touch Secure Join protocol
draft-ietf-6tisch-dtsecurity-zerotouch-join-00
Abstract
This document describes a zero-touch mechanism to enroll a new device
(the "pledge") into a IEEE802.15.4 TSCH network using the 6tisch
signaling mechanisms. The resulting device will obtain a domain
specific credential that can be used with either 802.15.9 per-host
pair keying protocols, or to obtain the network-wide key from a
coordinator. The mechanism describe her is an augmentation to the
one-touch mechanism described in [I-D.ietf-6tisch-minimal-security].
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 1, 2018.
Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Richardson & Damm Expires March 1, 2018 [Page 1]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 5
1.2. Other Bootstrapping Approaches . . . . . . . . . . . . . 6
1.3. Scope of solution . . . . . . . . . . . . . . . . . . . . 6
2. Architectural Overview . . . . . . . . . . . . . . . . . . . 6
2.1. Secure Imprinting using Vouchers . . . . . . . . . . . . 6
2.2. Initial Device Identifier . . . . . . . . . . . . . . . . 7
2.3. Protocol Flow . . . . . . . . . . . . . . . . . . . . . . 7
2.4. Lack of realtime clock . . . . . . . . . . . . . . . . . 9
2.5. Cloud Registrar . . . . . . . . . . . . . . . . . . . . . 9
3. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 9
3.1. Discovery . . . . . . . . . . . . . . . . . . . . . . . . 10
3.1.1. Proxy Discovery Protocol Details . . . . . . . . . . 10
3.1.2. Registrar Discovery Protocol Details . . . . . . . . 10
3.2. Pledge Requests Voucher from the Registrar . . . . . . . 10
3.3. Registrar Requests Voucher from MASA . . . . . . . . . . 13
3.4. Voucher Response . . . . . . . . . . . . . . . . . . . . 13
3.4.1. Completing authentication of Provisional TLS
connection . . . . . . . . . . . . . . . . . . . . . 13
3.5. Voucher Status Telemetry . . . . . . . . . . . . . . . . 13
3.6. MASA authorization log Request . . . . . . . . . . . . . 14
3.6.1. MASA authorization log Response . . . . . . . . . . . 14
3.7. EST Integration for PKI bootstrapping . . . . . . . . . . 14
3.7.1. EST Distribution of CA Certificates . . . . . . . . . 14
3.7.2. EST CSR Attributes . . . . . . . . . . . . . . . . . 14
3.7.3. EST Client Certificate Request . . . . . . . . . . . 14
3.7.4. Enrollment Status Telemetry . . . . . . . . . . . . . 14
3.7.5. EST over CoAP . . . . . . . . . . . . . . . . . . . . 14
4. Reduced security operational modes . . . . . . . . . . . . . 14
4.1. Trust Model . . . . . . . . . . . . . . . . . . . . . . . 14
4.2. Pledge security reductions . . . . . . . . . . . . . . . 14
4.3. Registrar security reductions . . . . . . . . . . . . . . 15
4.4. MASA security reductions . . . . . . . . . . . . . . . . 15
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
5.1. MIME-Type Registry . . . . . . . . . . . . . . . . . . . 15
6. Security Considerations . . . . . . . . . . . . . . . . . . . 15
6.1. Security of MASA voucher signing key(s) . . . . . . . . . 15
7. Privacy Considerations . . . . . . . . . . . . . . . . . . . 15
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 15
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 15
9.1. Normative References . . . . . . . . . . . . . . . . . . 15
9.2. Informative References . . . . . . . . . . . . . . . . . 19
Richardson & Damm Expires March 1, 2018 [Page 2]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
Appendix A. One-Touch Assumptions . . . . . . . . . . . . . . . 20
A.1. Factory provided credentials (if any) . . . . . . . . . . 20
A.1.1. Credentials to be introduced . . . . . . . . . . . . 21
A.2. Network Assumptions . . . . . . . . . . . . . . . . . . . 21
A.2.1. Security above and below IP . . . . . . . . . . . . . 21
A.2.2. Join network assumptions . . . . . . . . . . . . . . 22
A.2.3. Number and cost of round trips . . . . . . . . . . . 22
A.2.4. Size of packets, number of fragments . . . . . . . . 22
A.3. Target end-state for join process . . . . . . . . . . . . 22
Appendix B. Join Protocol . . . . . . . . . . . . . . . . . . . 23
B.1. Key Agreement process . . . . . . . . . . . . . . . . . . 23
B.2. Provisional Enrollment process . . . . . . . . . . . . . 24
B.3. Key Distribution Process . . . . . . . . . . . . . . . . 25
Appendix C. YANG model for BRSKI objects . . . . . . . . . . . . 25
C.1. Description of Pledge States in Join Process . . . . . . 26
Appendix D. Definition of managed objects for zero-touch
bootstrap . . . . . . . . . . . . . . . . . . . . . 26
Appendix E. Privacy Considerations . . . . . . . . . . . . . . . 27
E.1. Privacy Considerations for Production network . . . . . . 27
E.2. Privacy Considerations for New Pledges . . . . . . . . . 27
E.2.1. EUI-64 derived address for join time IID . . . . . . 28
E.3. Privacy Considerations for Join Assistant . . . . . . . . 28
Appendix F. Security Considerations . . . . . . . . . . . . . . 28
Appendix G. IANA Considerations . . . . . . . . . . . . . . . . 28
Appendix H. Protocol Definition . . . . . . . . . . . . . . . . 28
Appendix I. Acknowledgements . . . . . . . . . . . . . . . . . . 28
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28
1. Introduction
Enrollment of new nodes into LLNs present unique challenges. The
constrained nodes has no user interfaces, and even if they did,
configuring thousands of such nodes manually is undesireable from a
human resources issue, as well as the difficulty in getting
consistent results.
This document is about a standard way to introduce new nodes into a
6tisch network that does not involve any direct manipulation of the
nodes themselves. This act has been called "zero-touch"
provisioning, and it does not occur by chance, but requires
coordination between the manufacturer of the node, the service
operator running the LLN, and the installers actually taking the
devices out of the shipping boxes.
This document is a constrained profile of
[I-D.ietf-anima-bootstrapping-keyinfra]. The above document/protocol
is referred by by it's acronym: BRSKI. The pronounciation of which
Richardson & Damm Expires March 1, 2018 [Page 3]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
is "brew-ski", a common north american slang for beer with a pseudo-
polish ending.
This document follows the same structure as it's parent in order to
emphasize the similarities, but specializes a number of things to
constrained networks of constrained devices. Like ANIMA's BRSKI, the
networks which are in scope for this protocol are deployed by a
professional operator. The deterministic mechanisms which have been
designed into 6tisch have been created to satisfy the operational
needs of industrial settings.
This document builds upon the "one-touch" provisioning described in
[I-D.ietf-6tisch-minimal-security], reusing the OSCOAP Join Request
mechanism when appropriate. In addition, it uses the CoAP adaption
of EST defined in [I-D.vanderstok-ace-coap-est] in an identical way.
Otherwise, this document follows BRSKI with the following high-level
changes:
o HTTP is replaced with CoAP.
o TLS (HTTPS) is replaced with either DTLS+CoAP, or EDHOC/
OSCOAP+CoAP
o the domain-registrar anchor certificate is replaced with a Raw
Public Key (RPK) using [RFC7250].
o the PKCS7 signed JSON voucher format is replaced with CWT
o the GRASP discovery mechanism for the Proxy is replaced with an
announcement in the Enhanced Beacon
[I-D.richardson-6tisch-join-enhanced-beacon]
o the TCP circuit proxy mechanism is not used. The IPIP mechanism
if mandatory to implement when deployed with DTLS, while the CoAP
based stateless proxy mechanism is used for OSCOAP/EDHOC.
o real time clocks are assumed to be impossible, so expiry dates in
ownership vouchers are never used
o nonce-full vouchers are encouraged, but off-line nonce-less
operation is also supported
802.1AR Client certificates are retained, but optionally are
specified by reference rather than value.
It is expected that the back-end network operator infrastructure
would be able to bootstrap ANIMA BRSKI-type devices over ethernet,
Richardson & Damm Expires March 1, 2018 [Page 4]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
while also being able bootstrap 6tisch devices over 802.15.4 with few
changes.
1.1. Terminology
In this document, the key words "MUST", "MUST NOT", "REQUIRED",
"SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY",
and "OPTIONAL" are to be interpreted as described in BCP 14, RFC 2119
[RFC2119] and indicate requirement levels for compliant STuPiD
implementations.
The reader is expected to be familiar with the terms and concepts
defined in [I-D.ietf-6tisch-terminology], [RFC7252],
[I-D.ietf-core-object-security], and
[I-D.ietf-anima-bootstrapping-keyinfra]. The following terms are
imported: drop ship, imprint, enrollment, pledge, join proxy,
ownership voucher, join registrar/coordinator. The following terms
are repeated here for readability, but this document is not
authoritative for their definition:
pledge the prospective device, which has the identity provided to at
the factory. Neither the device nor the network knows if the
device yet knows if this device belongs with this network.
Joined Node the prospective device, after having completing the join
process, often just called a Node.
Join Proxy (JP): a stateless relay that provides connectivity
between the pledge and the join registrar/coordinator.
Join Registrar/Coordinator (JRC): central entity responsible for
authentication and authorization of joining nodes.
Audit Token A signed token from the manufacturer authorized signing
authority indicating that the bootstrapping event has been
successfully logged. This has been referred to as an
"authorization token" indicating that it authorizes bootstrapping
to proceed.
Ownership Voucher A signed voucher from the vendor vouching that a
specific domain "owns" the new entity as defined in
[I-D.ietf-anima-voucher].
MIC manufacturer installed certificate. An [ieee802-1AR] identity.
Not to be confused with a (cryptographic) "Message Integrity
Check"
Richardson & Damm Expires March 1, 2018 [Page 5]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
1.2. Other Bootstrapping Approaches
BRSKI describes a more general, more flexible approach for
bootstrapping devices into an ISP or Enterprise network.
[I-D.ietf-6tisch-minimal-security] provides an extremely streamlined
approach to enrolling from hundreds to thousands of devices into a
network, provided that a unique secret key can be installed in each
device.
1.3. Scope of solution
The solution described in this document is appropriate to enrolling
between hundreds to hundreds of thousands of diverse devices into a
network without any prior contact with the devices. The devices
could be shipped by the manufacturer directly to the customer site
without ever being seen by the operator of the network. As described
in BRSKI, in the audit-mode of operation the device will be claimed
by the first network that sees it. In the tracked owner mode of
operation, sales channel integration provides a strong connection
that the operator of the network is the legitimate owner of the
device.
2. Architectural Overview
Section 2 of BRSKI has a diagram with all of the components shown
together. There are no significant changes to the diagram.
The use of a circuit proxy is not mandated. Instead the IPIP
mechanism described in appendix C ("IPIP Join Proxy mechanism")
SHOULD be be used instead as it supports both DTLS, EDHOC and OSCOAP
protocols. The CoAP proxy mechanism MAY be implemented instead: the
decision depends upon the capabilities of the Registrar and the
proxy. A mechanism is included for the Registrar to announce it's
capabilities (XXX).
2.1. Secure Imprinting using Vouchers
As in BRSKI, the format and cryptographic mechansim of vouchers is
described in detail in [I-D.ietf-anima-voucher]. As described in
section YYY, the physical format for vouchers in this document
differs from that of BRSKI, in that it uses
[I-D.ietf-ace-cbor-web-token] to encode the voucher and to sign it.
Richardson & Damm Expires March 1, 2018 [Page 6]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
2.2. Initial Device Identifier
The essential component of the zero-touch operation is that the
pledge is provisioned with an 802.1AR (PKIX) certificate installed
during the manufacturing process.
It is expected that constrained devices will use a signature
algorithm corresponding to the hardware acceleration that they have,
if they have any. The anticipated algorithms are the ECDSA P-256
(secp256p1) as SHOULD-, while newer devices SHOLD+ begin to appear
using EdDSA curves using the 25519 curves. (EDNOTE details here)
There are a number of simplications detailed later on in this
document designed to eliminate the need for an ASN.1 parser in the
pledge.
The pledge should consider it's 802.1AR certificate to be an opaque
blob of bytes, to be inserted into protocols at appropriate places.
The pledge SHOULD have access to it's public and private keys in the
most useable native format for computation.
The pledge MUST have the public key of the MASA built in a
manufacturer time. This is a seemingly identical requirement as for
BRSKI, but rather than being an abstract trust anchor that can be
augmented with a certificate chain, the pledge MUST be provided with
the Raw Public Key that the MASA will use to sign vouchers for that
pledge.
There are a number of security concerns with use of a single MASA
signing key, and section Section 6.1 addresses some of them with some
operational suggestions.
BRSKI places some clear requirements upon the contents of the IDevID,
but leaves the exact origin of the voucher serial-number open. This
document restricts the process to being the hwSerialNum OCTET STRING.
As CWT can handle binary formats, no base64 encoding is necessary.
The use of the MASA-URL extension is encouraged if the certificate is
sent at all.
[[EDNOTE here belongs text about sending only a reference to the
IDevID rather than the entire certificate]]
2.3. Protocol Flow
The diagram from BRSKI is reproduced with some edits:
+--------+ +---------+ +------------+ +------------+
Richardson & Damm Expires March 1, 2018 [Page 7]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
| Pledge | | IPIP | | Domain | | Vendor |
| | | Proxy | | Registrar | | Service |
| | | | | | | (Internet |
+--------+ +---------+ +------------+ +------------+
| | | |
|<-RFC4862 IPv6 adr | | |
| | | |
|<--------------------| | |
| Enhanced Beacon | | |
| periodic broadcast| | |
| | | |
|<------------------->C<----------------->| |
| DTLS via the IPIP Proxy | |
|<--Registrar DTLS server authentication--| |
[PROVISIONAL accept of server cert] | |
P---X.509 client authentication---------->| |
P | | |
P---Voucher Request (include nonce)------>| |
P | | |
P | | |
P | [accept device?] |
P | [contact Vendor] |
P | |--Pledge ID-------->|
P | |--Domain ID-------->|
P | |--nonce------------>|
P | | [extract DomainID]
P | | |
P | | [update audit log]
P | | |
P | | |
P | | |
P | | |
P | | |
P | |<-device audit log--|
P | |<- voucher ---------|
P | | |
P | | |
P | [verify audit log and voucher] |
P | | |
P<------voucher---------------------------| |
[verify voucher ] | | |
[verify provisional cert| | |
| | | |
|<--------------------------------------->| |
| Continue with RFC7030 enrollment | |
| using now bidirectionally authenticated | |
| DTLS session. | | |
| | | |
Richardson & Damm Expires March 1, 2018 [Page 8]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
| | | |
| | | |
Noteable changes are:
1. no IPv4 support/options.
2. no mDNS steps, 6tisch only uses Enhanced Beacon
3. nonce-full option is always recommended
2.4. Lack of realtime clock
For the constrained situation it is assumed that devices have no real
time clock. These nodes do have access to a monotonically increasing
clock that will not go backwards in the form of the Absolute Sequence
Number. Synchronization to the ASN is required in order to transmit/
receive data and most nodes will maintain it in hardware.
The heuristic described in BRSKI under this section SHOULD be applied
if there are dates in the CWT format voucher.
Voucher requests SHOULD include a nonce. For devices intended for
off-line deployment, the vouchers will have been generated in advance
and no nonce-ful operation will not be possible.
2.5. Cloud Registrar
In 6tisch, the pledge never has network connectivity until it is
enrolled, so no alternate registrar is ever possible.
3. Protocol Details
BRSKI is specified to run over HTTPS. This document respecifies it
to run over CoAP with either DTLS or EDHOC-provided OSCOAP security.
There is an emerging (hybrid) possibility of DTLS-providing the
OSCOAP security, but such a specification does not yet exist.
[I-D.vanderstok-ace-coap-est] specifies that CoAP specifies the use
of CoAP Block-Wise Transfer ("Block") [RFC7959] to fragment EST
messages at the application layer.
BRSKI introduces the concept of a provisional state for EST. The
same situation must also be added to DTLS: a situation where the
connection is active but the identity of the Registar has not yet
been confirmed. The DTLS MUST validate that the exchange has been
signed by the Raw Public Key that is presented by the Server, even
though there is as yet no trust in that key. Such a key is often
Richardson & Damm Expires March 1, 2018 [Page 9]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
available through APIs that provide for channel binding, such as
described in [RFC5056].
As in [I-D.vanderstok-ace-coap-est], support for Observe CoAP options
[RFC7641] with BRSKI is not supported in the current BRSKI/EST
message flows. Observe options could be used by the server to notify
clients about a change in the cacerts or csr attributes (resources)
and might be an area of future work.
Redirection as described in [RFC7030] section 3.2.1 is NOT supported.
3.1. Discovery
Only IPv6 operations using Link-Local addresses are supported. Use
of a temporary address is NOT encouraged as the critial resource on
the Proxy device is the number of Neighbour Cache Entries that can be
used for untrusted pledge entries.
3.1.1. Proxy Discovery Protocol Details
The Proxy is discovered using the enhanced beacon defined in
[I-D.richardson-6tisch-join-enhanced-beacon].
3.1.2. Registrar Discovery Protocol Details
The Registrar is not discovered by the Proxy. Any device that is
expected to be able to operate as a Registrar MAY be told the address
of the Registrar when that device joins the network. The address MAY
be included in the [I-D.ietf-6tisch-minimal-security] Join Response.
If the address is NOT included, then Proxy may assume that the
Registrar can be found at the DODAG root, which is well known in the
6tisch's use of the RPL protocol.
3.2. Pledge Requests Voucher from the Registrar
The voucher request and response as defined by BRSKI is modified
slightly. In order to simplify the pledge, the use of a certificate
(and chain) for the Registrar is not supported. Instead the newly
defined pinned-domain-subject-public-key-info must contain the (raw)
public key info for the Registrar. It MUST be byte for byte
identical to that which is transmitted by the Registrar during the
TLS ServerCertificate handshake.
BRSKI permits the voucher request to be signed or unsigned. This
document defines the voucher request to be unsigned.
/* -*- c -*- */
module ietf-cwt-voucher {
Richardson & Damm Expires March 1, 2018 [Page 10]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:ietf-cwt-voucher";
prefix "vcwt";
import ietf-restconf {
prefix rc;
description
"This import statement is only present to access
the yang-data extension defined in RFC 8040.";
reference "RFC 8040: RESTCONF Protocol";
}
import ietf-voucher {
prefix "v";
}
organization
"IETF 6tisch Working Group";
contact
"WG Web:
WG List:
Author: Michael Richardson
";
description
"This module defines the format for a voucher, which is produced by
a pledge's manufacturer or delegate (MASA) to securely assign one
or more pledges to an 'owner', so that the pledges may establish a
secure connection to the owner's network infrastructure.
This version provides a very restricted subset appropriate
for very constrained devices.
In particular, it assumes that nonce-ful operation is
always required, that expiration dates are rather weak, as no
clocks can be assumed, and that the Registrar is identified
by a pinned Raw Public Key.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT',
'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in
the module text are to be interpreted as described in RFC 2119.";
revision "YYYY-MM-DD" {
description
"Initial version";
reference
Richardson & Damm Expires March 1, 2018 [Page 11]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
"RFC XXXX: Voucher Profile for Constrained Devices";
}
// Grouping defined for future usage
grouping voucher-cwt-grouping {
description
"Grouping to allow reuse/extensions in future work.";
uses v:voucher-artifact-grouping {
augment "voucher" {
description "Base the CWT voucher upon the regular one";
leaf pinned-domain-subject-public-key-info {
type binary;
description
"The pinned-domain-subject replaces the
pinned-domain-certificate in constrained uses of
the voucher. The pinned-domain-public-key-info is the
Raw Public Key of the Registrar. This field is encoded
as specified in RFC7250, section 3.
The ECDSA algorithm MUST be supported.
The EdDSA algorithm as specified in
draft-ietf-tls-rfc4492bis-17 SHOULD be supported.
Support for the DSA algorithm is not recommended.
Support for the RSA algorithm is a MAY.";
}
}
}
}
}
This definition, translated via the rules in
[I-D.ietf-core-yang-cbor] produces the following CDDL for an unsigned
voucher (request):
Richardson & Damm Expires March 1, 2018 [Page 12]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
This is a PLACEHOLDER for a CDDL definition derived from the YANG model.
SID experimental base 60100 is used.
dictionary keys are:
60100 ietf-cwt-voucher
60101 assertion
60102 created-on
60103 domain-cert-revocation-checks
60104 expires-on
60105 idevid-issuer
60106 last-renewal-date
60107 nonce
60108 pinned-domain-cert
60109 pinned-domain-subject-public-key-info
60110 prior-signed-voucher
60111 serial-number
3.3. Registrar Requests Voucher from MASA
There are no change from BRSKI, as this step is between two non-
constrained devices. The format of the voucher is CWT, which implies
changes to both the Registrar and the MASA, but semantically the
content is the same.
The manufacturer will know what algorithms are supported by the
pledge, and will issue a 406 (Conflict) error to the Registrar if the
Registar's public key format is not supported by the pledge.
3.4. Voucher Response
The voucher response MUST have an additional header called: "pinned-
domain-rpk".
3.4.1. Completing authentication of Provisional TLS connection
In order to simplify the pledge as much as possible, the voucher
response
3.5. Voucher Status Telemetry
XXX
Richardson & Damm Expires March 1, 2018 [Page 13]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
3.6. MASA authorization log Request
XXX
3.6.1. MASA authorization log Response
XXX
3.7. EST Integration for PKI bootstrapping
XXX
3.7.1. EST Distribution of CA Certificates
XXX
3.7.2. EST CSR Attributes
XXX
3.7.3. EST Client Certificate Request
XXX
3.7.4. Enrollment Status Telemetry
XXX
3.7.5. EST over CoAP
XXX
4. Reduced security operational modes
XXX
4.1. Trust Model
XXX
4.2. Pledge security reductions
XXX
Richardson & Damm Expires March 1, 2018 [Page 14]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
4.3. Registrar security reductions
XXX
4.4. MASA security reductions
XXX
5. IANA Considerations
XXX
5.1. MIME-Type Registry
XXX
6. Security Considerations
6.1. Security of MASA voucher signing key(s)
7. Privacy Considerations
XXX
8. Acknowledgements
9. References
9.1. Normative References
[cullenCiscoPhoneDeploy]
Jennings, C., "Transitive Trust Enrollment for Constrained
Devices", 2012, .
[I-D.ietf-6lo-privacy-considerations]
Thaler, D., "Privacy Considerations for IPv6 Adaptation
Layer Mechanisms", draft-ietf-6lo-privacy-
considerations-04 (work in progress), October 2016.
[I-D.ietf-6tisch-minimal]
Vilajosana, X., Pister, K., and T. Watteyne, "Minimal
6TiSCH Configuration", draft-ietf-6tisch-minimal-21 (work
in progress), February 2017.
Richardson & Damm Expires March 1, 2018 [Page 15]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
[I-D.ietf-6tisch-minimal-security]
Vucinic, M., Simon, J., Pister, K., and M. Richardson,
"Minimal Security Framework for 6TiSCH", draft-ietf-
6tisch-minimal-security-03 (work in progress), June 2017.
[I-D.ietf-6tisch-terminology]
Palattella, M., Thubert, P., Watteyne, T., and Q. Wang,
"Terminology in IPv6 over the TSCH mode of IEEE
802.15.4e", draft-ietf-6tisch-terminology-09 (work in
progress), June 2017.
[I-D.ietf-ace-cbor-web-token]
Jones, M., Wahlstroem, E., Erdtman, S., and H. Tschofenig,
"CBOR Web Token (CWT)", draft-ietf-ace-cbor-web-token-08
(work in progress), August 2017.
[I-D.ietf-anima-bootstrapping-keyinfra]
Pritikin, M., Richardson, M., Behringer, M., Bjarnason,
S., and K. Watsen, "Bootstrapping Remote Secure Key
Infrastructures (BRSKI)", draft-ietf-anima-bootstrapping-
keyinfra-07 (work in progress), July 2017.
[I-D.ietf-anima-grasp]
Bormann, C., Carpenter, B., and B. Liu, "A Generic
Autonomic Signaling Protocol (GRASP)", draft-ietf-anima-
grasp-15 (work in progress), July 2017.
[I-D.ietf-anima-voucher]
Watsen, K., Richardson, M., Pritikin, M., and T. Eckert,
"Voucher Profile for Bootstrapping Protocols", draft-ietf-
anima-voucher-05 (work in progress), August 2017.
[I-D.ietf-core-comi]
Veillette, M., Stok, P., Pelov, A., and A. Bierman, "CoAP
Management Interface", draft-ietf-core-comi-01 (work in
progress), July 2017.
[I-D.ietf-core-object-security]
Selander, G., Mattsson, J., Palombini, F., and L. Seitz,
"Object Security of CoAP (OSCOAP)", draft-ietf-core-
object-security-04 (work in progress), July 2017.
[I-D.ietf-core-yang-cbor]
Veillette, M., Pelov, A., Somaraju, A., Turner, R., and A.
Minaburo, "CBOR Encoding of Data Modeled with YANG",
draft-ietf-core-yang-cbor-05 (work in progress), August
2017.
Richardson & Damm Expires March 1, 2018 [Page 16]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
[I-D.ietf-netconf-keystore]
Watsen, K., "Keystore Model", draft-ietf-netconf-
keystore-02 (work in progress), June 2017.
[I-D.richardson-6tisch-join-enhanced-beacon]
Dujovne, D. and M. Richardson, "IEEE802.15.4 Informational
Element encapsulation of 6tisch Join Information", draft-
richardson-6tisch-join-enhanced-beacon-02 (work in
progress), July 2017.
[I-D.richardson-6tisch-minimal-rekey]
Richardson, M., "Minimal Security rekeying mechanism for
6TiSCH", draft-richardson-6tisch-minimal-rekey-02 (work in
progress), August 2017.
[I-D.richardson-anima-6join-discovery]
Richardson, M., "GRASP discovery of Registrar by Join
Assistant", draft-richardson-anima-6join-discovery-00
(work in progress), October 2016.
[I-D.selander-ace-cose-ecdhe]
Selander, G., Mattsson, J., and F. Palombini, "Ephemeral
Diffie-Hellman Over COSE (EDHOC)", draft-selander-ace-
cose-ecdhe-07 (work in progress), July 2017.
[I-D.vanderstok-ace-coap-est]
Kumar, S., Stok, P., Kampanakis, P., Furuhed, M., and S.
Raza, "EST over secure CoAP (EST-coaps)", draft-
vanderstok-ace-coap-est-02 (work in progress), June 2017.
[iec62591]
IEC, ., "62591:2016 Industrial networks - Wireless
communication network and communication profiles -
WirelessHART", 2016, .
[ieee802-1AR]
IEEE Standard, ., "IEEE 802.1AR Secure Device Identifier",
2009, .
[ieee802154]
IEEE Standard, ., "802.15.4-2015 - IEEE Standard for Low-
Rate Wireless Personal Area Networks (WPANs)", 2015,
.
Richardson & Damm Expires March 1, 2018 [Page 17]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
[ieee802159]
IEEE Standard, ., "802.15.9-2016 - IEEE Approved Draft
Recommended Practice for Transport of Key Management
Protocol (KMP) Datagrams", 2016,
.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, .
[RFC6775] Shelby, Z., Ed., Chakrabarti, S., Nordmark, E., and C.
Bormann, "Neighbor Discovery Optimization for IPv6 over
Low-Power Wireless Personal Area Networks (6LoWPANs)",
RFC 6775, DOI 10.17487/RFC6775, November 2012,
.
[RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed.,
"Enrollment over Secure Transport", RFC 7030,
DOI 10.17487/RFC7030, October 2013, .
[RFC7217] Gont, F., "A Method for Generating Semantically Opaque
Interface Identifiers with IPv6 Stateless Address
Autoconfiguration (SLAAC)", RFC 7217,
DOI 10.17487/RFC7217, April 2014, .
[RFC7228] Bormann, C., Ersue, M., and A. Keranen, "Terminology for
Constrained-Node Networks", RFC 7228,
DOI 10.17487/RFC7228, May 2014, .
[RFC7250] Wouters, P., Ed., Tschofenig, H., Ed., Gilmore, J.,
Weiler, S., and T. Kivinen, "Using Raw Public Keys in
Transport Layer Security (TLS) and Datagram Transport
Layer Security (DTLS)", RFC 7250, DOI 10.17487/RFC7250,
June 2014, .
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
Application Protocol (CoAP)", RFC 7252,
DOI 10.17487/RFC7252, June 2014, .
Richardson & Damm Expires March 1, 2018 [Page 18]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
[RFC7959] Bormann, C. and Z. Shelby, Ed., "Block-Wise Transfers in
the Constrained Application Protocol (CoAP)", RFC 7959,
DOI 10.17487/RFC7959, August 2016, .
9.2. Informative References
[duckling]
Stajano, F. and R. Anderson, "The resurrecting duckling:
security issues for ad-hoc wireless networks", 1999,
.
[I-D.ietf-ace-actors]
Gerdes, S., Seitz, L., Selander, G., and C. Bormann, "An
architecture for authorization in constrained
environments", draft-ietf-ace-actors-05 (work in
progress), March 2017.
[I-D.ietf-core-sid]
Veillette, M., Pelov, A., Turner, R., Minaburo, A., and A.
Somaraju, "YANG Schema Item iDentifier (SID)", draft-ietf-
core-sid-01 (work in progress), May 2017.
[I-D.ietf-roll-useofrplinfo]
Robles, I., Richardson, M., and P. Thubert, "When to use
RFC 6553, 6554 and IPv6-in-IPv6", draft-ietf-roll-
useofrplinfo-16 (work in progress), July 2017.
[ISA100] "The Technology Behind the ISA100.11a Standard", June
2010, .
[PFS] Wikipedia, ., "Forward Secrecy", August 2016,
.
[pledge] Dictionary.com, ., "Dictionary.com Unabridged", 2015,
.
[RFC4191] Draves, R. and D. Thaler, "Default Router Preferences and
More-Specific Routes", RFC 4191, DOI 10.17487/RFC4191,
November 2005, .
[RFC4655] Farrel, A., Vasseur, J., and J. Ash, "A Path Computation
Element (PCE)-Based Architecture", RFC 4655,
DOI 10.17487/RFC4655, August 2006, .
Richardson & Damm Expires March 1, 2018 [Page 19]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
[RFC5056] Williams, N., "On the Use of Channel Bindings to Secure
Channels", RFC 5056, DOI 10.17487/RFC5056, November 2007,
.
[RFC7554] Watteyne, T., Ed., Palattella, M., and L. Grieco, "Using
IEEE 802.15.4e Time-Slotted Channel Hopping (TSCH) in the
Internet of Things (IoT): Problem Statement", RFC 7554,
DOI 10.17487/RFC7554, May 2015, .
[RFC7641] Hartke, K., "Observing Resources in the Constrained
Application Protocol (CoAP)", RFC 7641,
DOI 10.17487/RFC7641, September 2015, .
[RFC7731] Hui, J. and R. Kelsey, "Multicast Protocol for Low-Power
and Lossy Networks (MPL)", RFC 7731, DOI 10.17487/RFC7731,
February 2016, .
9.3. URIs
[2] mailto:6tisch@ietf.org
[3] mailto:mcr+ietf@sandelman.ca
Appendix A. One-Touch Assumptions
This document interacts with the one-touch solution described in
[I-D.ietf-6tisch-minimal-security].
A.1. Factory provided credentials (if any)
When a manufacturer installed certificate is provided as the IDevID,
it SHOULD contain a number of fields.
[I-D.ietf-anima-bootstrapping-keyinfra] provides a detailed set of
requirements.
A manufacturer unique serial number MUST be provided in the
serialNumber SubjectAltName extension, and MAY be repeated in the
Common Name. There are no sequential or numeric requirements on the
serialNumber, it may be any unique value that the manufacturer wants
to use. The serialNumber SHOULD be printed on the packaging and/or
on the device in a discrete way so that failures can be physically
traced to the relevant device.
Richardson & Damm Expires March 1, 2018 [Page 20]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
A.1.1. Credentials to be introduced
The goal of the bootstrap process is to introduce one or more new
locally relevant credentials:
1. a certificate signed by a local certificate authority/registrar.
This is the LDevID of [ieee802-1AR].
2. alternatively, a network-wide key to be used to secure L2
traffic.
3. alternatively, a network-wide key to be used to authenticate per-
peer keying of L2 traffic using a mechanism such as provided by
[ieee802159].
A.2. Network Assumptions
This document is about enrollment of constrained devices [RFC7228] to
a constrained network. Constrained networks is such as [ieee802154],
and in particular the time-slotted, channel hopping (tsch) mode,
feature low bandwidths, and limited opportunities to transmit. A key
feature of these networks is that receivers are only listening at
certain times.
A.2.1. Security above and below IP
802.15.4 networks have three kinds of layer-2 security:
o a network key that is shared with all nodes and is used for
unicast and multicast. The key may be used for privacy, and it
may be used in some cases for authentication only (in the case of
enhanced beacons).
o a series of network keys that are shared (agreed to) between pairs
of nodes (the per-peer key)
o a network key that is shared with all nodes (through a group key
management system), and is used for multicast traffic only, while
a per-pair key is used for unicast traffic
Setting up the credentials to bootstrap one of these kinds of
security, (or directly configuring the key itself for the first case)
is required. This is the security below the IP layer.
Security is required above the IP layer: there are three aspects
which the credentials in the previous section are to be used.
Richardson & Damm Expires March 1, 2018 [Page 21]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
o to provide for secure connection with a Path Computation Element
[RFC4655], or other LLC (see ({RFC7554}} section 3).
o to initiate a connection between a Resource Server (RS) and an
application layer Authorization Server (AS and CAS from
[I-D.ietf-ace-actors]).
A.2.1.1. Perfect Forward Secrecy
Perfert Forward Secrecy (PFS) is the property of a protocol such that
complete knowledge of the crypto state (for instance, via a memory
dump) at time X does not imply that data from a disjoint time Y can
also be recovered. ([PFS]).
PFS is important for two reasons: one is that it offers protection
against the compromise of a node. It does this by changing the keys
in a non-deterministic way. This second property also makes it much
easier to remove a node from the network, as any node which has not
participated in the key changing process will find itself no longer
connected.
A.2.2. Join network assumptions
The network which the new pledge will connect to will have to have
the following properties:
o a known PANID. The PANID 0xXXXX where XXXX is the assigned RFC#
for this document is suggested.
o a minimal schedule with some Aloha time. This is usually in the
same slotframe as the Enhanced Beacon, but a pledge MUST listen
for an unencrypted Enhanced Beacon to so that it can synchronize.
A.2.3. Number and cost of round trips
TBD.
A.2.4. Size of packets, number of fragments
A.3. Target end-state for join process
At the end of the zero-touch join process there will be a symmetric
key protected channel between the Join Registrar/Coordinator and the
pledge, now known as a Joined Node. This channel may be rekeyed via
new exchange of asymmetric exponents (ECDH for instance),
authenticated using the domain specific credentials created during
the join process.
Richardson & Damm Expires March 1, 2018 [Page 22]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
This channel is in the form of an OSCOAP protected connection with
[I-D.ietf-core-comi] encoded objects. This document includes
definition of a [I-D.ietf-netconf-keystore] compatible objects for
encoding of the relevant [I-D.ietf-anima-bootstrapping-keyinfra]
objects.
Appendix B. Join Protocol
The pledge join protocol state machine is described in
[I-D.ietf-6tisch-minimal-security], in section XYZ. The pledge
recognizes that it is in zero-touch configuration by the following
situation:
o no PSK has been configured for the network in which it has joined.
o the pledge has no locally defined certificate (no LDevID), only an
IDevID.
o the network asserts an identity that the pledge does not
recognize.
All of these conditions MUST be true. If any of these are not true,
then the pledge has either been connected to the wrong network, or it
has already been bootstrapped into a different network, and it should
wait until it finds that network.
The zero-touch process consists of three stages:
1. the key agreement process
2. the provisional enrollment process
3. the key distribution process
B.1. Key Agreement process
The key agreement process is identical to
[I-D.ietf-6tisch-minimal-security]. The process uses EDHOC with
certificates.
The pledge will have to trust the JRC provisionally, as described in
[I-D.ietf-anima-bootstrapping-keyinfra], section 3.1.2, and in
section 4.1.1 of [RFC7030].
The JRC will be able to validate the IDevID of the pledge using the
manufacturer's CA.
Richardson & Damm Expires March 1, 2018 [Page 23]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
The pledge may not know if it is in a zero-touch or one-touch
situation: the pledge may be able to verify the JRC based upon trust
anchors that were installed at manufacturing time. In that case, the
pledge runs the simplified one-touch process.
The pledge signals in the EDHOC message_2 if it has accepted the JRC
certificate. The JRC will in general, not trust the pledge with the
network keys until it has provided the pledge with a voucher. The
pledge will notice the absence of the provisioning keys.
XXX - there could be some disconnect here. May need additional
signals here.
B.2. Provisional Enrollment process
When the pledge determines that it can not verify the certificate of
the JRC using built-in trust anchors, then it enters a provisional
state. In this state, it keeps the channel created by EDHOC open.
A new EDHOC key derivation is done by the JRC and pledge using a new
label, "6tisch-provisional".
The pledge runs as a passive CoMI server, leaving the JRC to drive
the enrollment process. The JRC can interrogate the pledge in a
variety of fashions as shown below: the process terminates when the
JRC provides the pledge with an ownership voucher and the pledge
leaves the provisional state.
A typical interaction involves the following requests:
Richardson & Damm Expires March 1, 2018 [Page 24]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
+-----------+ +----------+ +-----------+ +----------+
| | | | | Circuit | | New |
| Vendor | | Registrar| | Proxy | | Entity |
| (MASA) | | | | | | |
++----------+ +--+-------+ +-----------+ +----------+
| | GET request voucher |
| |-------------------------------->
| <----------voucher-token---------|
|/requestvoucher| |
<---------------+ |
+---------------> |
|/requestlog | |
<---------------+ |
+---------------> |
| | POST voucher |
| |-------------------------------->
| <------------2.05 OK ------------+
| | |
| | POST csr attributes |
| |-------------------------------->
| <------------2.05 OK ------------+
| | |
| | GET cert request |
| |-------------------------------->
| ???? <------------2.05 OK ------------+
|<--------------| CSR |
|-------------->| |
| | POST certificate |
| |-------------------------------->
| <------------2.05 OK ------------+
| | |
B.3. Key Distribution Process
The key distribution process utilizes the protocol described
[I-D.richardson-6tisch-minimal-rekey]. The process starts with the
initial key, rather than an actual rekey.
This protocol remains active for subsequent rekey operations.
Appendix C. YANG model for BRSKI objects
module ietf-6tisch-brski { yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:6tisch-brski"; prefix
"ietf6brski";
Richardson & Damm Expires March 1, 2018 [Page 25]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
//import ietf-yang-types { prefix yang; } //import ietf-inet-types {
prefix inet; }
organization "IETF 6tisch Working Group";
contact "WG Web: http://tools.ietf.org/wg/6tisch/ WG List:
6tisch@ietf.org [2] Author: Michael Richardson mcr+ietf@sandelman.ca
[3]";
description "This module defines an interface to set and retrieve
BRSKI objects using CoMI. This interface is used as part of an
enrollment process for constrained nodes and networks.";
revision "2017-03-01" { description "Initial version"; reference "RFC
XXXX: 6tisch zero-touch bootstrap"; }
// top-level container container ietf6brski { leaf requestnonce {
type binary; length XX; // how big can/should it be? mandatory true;
description "Request Nonce."; } leaf voucher { type binary;
description "The voucher as a serialized COSE object"; }
leaf csrattributes {
type binary;
description "A list of attributes that MUST be in the CSR";
}
leaf certificaterequest {
type binary;
description "A PKIX format Certificate Request";
}
leaf certificate {
type binary;
description "The LDevID certificate";
} } }
C.1. Description of Pledge States in Join Process
TBD
Appendix D. Definition of managed objects for zero-touch bootstrap
The following is relevant YANG for use in the bootstrap protocol.
The objects identified are identical in format to the named objects
from [I-D.ietf-anima-bootstrapping-keyinfra].
Richardson & Damm Expires March 1, 2018 [Page 26]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
Appendix E. Privacy Considerations
[I-D.ietf-6lo-privacy-considerations] details a number of privacy
considerations important in Resource Constrained nodes. There are
two networks and three sets of constrained nodes to consider. They
are: 1. the production nodes on the production network. 2. the new
pledges, which have yet to enroll, and which are on a join network.
3. the production nodes which are also acting as proxy nodes.
E.1. Privacy Considerations for Production network
The details of this are out of scope for this document.
E.2. Privacy Considerations for New Pledges
New Pledges do not yet receive Router Advertisements with PIO
options, and so configure link-local addresses only based upon
layer-2 addresses using the normal SLAAC mechanisms described in
[RFC4191].
These link-local addresses are visible to any on-link eavesdropper
(who is synchronized to the same Join Assistant), so regardless of
what is chosen they can be seen. This link-layer traffic is
encapsulated by the Join Assistant into IPIP packets and carried to
the JCE. The traffic SHOULD never leave the operator's network, and
no outside traffic should enter, so it should not be possible to do
any ICMP scanning as described in
[I-D.ietf-6lo-privacy-considerations].
The join process described herein requires that some identifier
meaningful to the network operator be communicated to the JCE via the
Neighbor Advertisement's ARO option. This need not be a manufacturer
created EUI-64 as assigned by IEEE; it could be another value with
higher entropy and less interesting vendor/device information.
Regardless of what is chosen, it can be used to track where the
device attaches.
For most constrained device, network attachment occurs very
infrequently, often only once in their lifetime, so tracking
opportunities may be rare.
Further, during the enrollment process, a DTLS connection connection
will be created. Unless TLS1.3 is used, the device identity will be
visible to passive observers in the 802.11AR IDevID certificate that
is sent. Even when TLS1.3 is used, an active attacker could collect
the information by simply connecting to the device; it would not have
to successful complete the negotiation either, or even attempt to
Man-In-The-Middle the device.
Richardson & Damm Expires March 1, 2018 [Page 27]
�
Internet-Draft 6tisch Zero-Touch Secure Join protocol August 2017
There is, at the same time, significant value in avoiding a link-
local DAD process by using an IEEE assigned EUI-64, and there is also
significant advantage to the operator being able to see what the
vendor of the new device is.
E.2.1. EUI-64 derived address for join time IID
It is therefore suggested that the IID used in the link-local address
used during the join process be a vendor assigned EUI-64. After the
join process has concluded, the device SHOULD be assigned a unique
randomly generated long address, and a unique short address (not
based upon the vendor EUI-64) for use at link-layer. At that point,
all layer-3 content is encrypted by the layer-2 key.
E.3. Privacy Considerations for Join Assistant
Appendix F. Security Considerations
Appendix G. IANA Considerations
This document allocates one value from the subregistry "Address
Registration Option Status Values": ND_NS_JOIN_DECLINED Join
Assistant, JOIN DECLINED (TBD-AA)
Appendix H. Protocol Definition
Appendix I. Acknowledgements
Kristofer Pister helped with many non-IETF references.
Authors' Addresses
Michael Richardson
Sandelman Software Works
Email: mcr+ietf@sandelman.ca
Benjamin Damm
Silver Spring Networks
Email: bdamm@ssni.com
Richardson & Damm Expires March 1, 2018 [Page 28]