Internet-Draft IoT Operational Issues March 2024
Walther & Bormann Expires 21 September 2024 [Page]
IOT Operations
Intended Status:
K. Walther
Perinet GmbH
C. Bormann
Universität Bremen TZI

IoT Operational Issues


This I-D is based on a presentation at IETF 119 in the IOTOPS WG.

About This Document

This note is to be removed before publishing as an RFC.

Status information for this document may be found at

Discussion of this document takes place on the IOTOPS Working Group mailing list (, which is archived at Subscribe at

Source for this draft and an issue tracker can be found at

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 21 September 2024.

Table of Contents

1. Introduction

[See abstract]

2. Background

➔ must support ad-hoc connection by technician
➔ Zeroconf is a base requirement

Example Hardware For Web Server and MQTT Client:

3. Problems

3.1. Problem 1: misleading mDNS name resolution

  • mDNS resolves to multiple addresses GA, ULA and LL

    • often the requester cannot use all of them and has to select

      • intransparent to the user because hidden in the SW stack

      • no control possibility by the user (browser address field)

      • non deterministic

  • the problem is unnecessary, since requester defines a domain

    • .local

    • .my-intranet

    • .tld

    • ➔ just reply addresses matching to the domain

3.2. Problem 2: .local request sent to nameservers

  • local nameserves may silently ignore .local requests

    • ➔ timeout
      ➔ requested web server inaccessible by browser

    • strange workarounds in the field (e.g.,

      • how should an IoT device know what is a local scope?

  • some name servers reply a special address for unknown host names

    • the actual device never will use this and is therefore inaccessible

3.3. Problem 3: IPv6 LL zone ID

  • makes URIs unusable: information in the URL is locally valid only

    • Setup: Client (Browser), Management HTTP Service (on Edge Device), and IoT Web service (on the networked sensor) are connected in L2

    • Management Web page cannot provide an IPv6 LL address as link to the networked sensor

    • same applies in various other situations

  • no support by many popular libraries (e.g., nodejs)
    ➔ "non-working-experience" for users

  • IMHO zone ID is unnecessary:
    it creates more problems now than it solves later

3.4. Problem 4: Support for offline environments

  • Example Situation: Sensors on a plow attached to different pulling machines (or not at all during servicing)

  • Webpage cannot be accessed by the user due to various reasons

    • some browsers deactivate IPv6 completely (also Link Local), when there is no Internet connectivity

    • Windows deactivates MDNS for unknown networks by default

    • user cannot type IPv6 addresses with zone ID in the address bar

    • browsers don't support local web server lookup via mdns, as printer dialogue does, and local device may be muddy or below covers, thus the user will have no address information

3.5. Problem 5: Short certificate lifetime

  • Web PKI is moving to ever smaller certificate lifetimes

  • devices are not online in many cases and cannot be updated automatically with certificates

    • during shelf storage

    • attached to non-powered machinery, different networks or no internet connectivity for months

    • required fall back after factory reset to initial certificate

3.6. Problem 6: No standard simple role based access model

  • Authorization is granted via a client certificate

  • User levels are typically simple

    • normal authenticated users can read values or control actuators

    • privileged users: e.g., setting calibration values

    • application admins (technicians) can do everything:
      updates, connection settings, security

  • so far we use an extension field in certificates in a proprietary way

    • works very well, but we would like to have a standard

    • support by standard PKI tools required in the mid term

3.7. Problem 7: Browsers disrespect Web server constraints

  • our device tells the client the maximum packet size and number of connections

    • ≤ 6 connections

    • memory restrictions ➔ no Jumbo Frames

  • is ignored by some browsers or web libraries

    • especially in browsers it looks like a stalled device, with MQTT, MDNS still working

3.8. Problem 8: Virtualization environments act as routers

  • IoT heavily relies on ZeroConf mechanisms like MDNS

    • e.g. a sensor has to find the responsible MQTT broker, which runs in a container

    • user need to access user interface in browser

  • Virtualization environments (docker, snap...) act as routers

    • IPv6 LL and mdns cannot be used

    • breaks fundamentals of local IoT

3.9. What next?

  • Where can standardization help?

    • Help me to identify the right working groups

    • or link me to relevant groups outside of IETF

  • Are there simpler ways than updating/making standards?

4. Security Considerations

TODO Security

5. IANA Considerations

This document has no IANA actions.


TODO acknowledge.

Authors' Addresses

Karsten Walther
Perinet GmbH
Carsten Bormann
Universität Bremen TZI
Postfach 330440
D-28359 Bremen