Hello Michael,

Is the following understanding correct? The difference between the "one-touch" and the "zero-touch" methods is whether the key or certificate is provisioned by the manufacturer or by the operator at the deployment site. As long as the key/IDevID/certificate is provisioned before the device leaves the factory, i.e., the operator doesn't have to provision/touch it on site to get it to securely join the network, it can be considered "zero-touch".

Even though the pledge ID is given privately by the manufacturer, and not as per 802.1AR, can the dtsecurity-zerotouch-join method be implemented by using the MASA provided by the manufacturer? Is the dtsecurity-zerotouch-join method aimed at a scenario in which a certificate can't be provisioned a priori?

Many thanks.

Remy

-----Original Message-----
From: Michael Richardson [mailto:[email protected]]
Sent: May 20, 2020 23:10
To: Liubing (Remy) <[email protected]>; [email protected]; Carles Gomez Montenegro <[email protected]>
Subject: Re: Reply: [6lo] FW: I-D Action: draft-ietf-6lo-plc-03.txt

Liubing (Remy) <[email protected]> wrote:
> Thank you for mentioning 6tisch-minimal-security. There is also a
> BRSKI-like 6tisch mechanism that uses IDevID.
> [Remy] I think you must be talking about [draft-ietf-6tisch-dtsecurity-zerotouch-join].
> The minimal security is considered to be one-touch since the PSK has to be
> configured a priori. And this document provides a zero-touch method, in
> which the IDevID (provided by the manufacturer) in 802.1AR is used as
> the credential for authentication. The authentication is done with the
> help of the MASA. Am I understanding it correctly? I think the method
> simplifies the provisioning procedure. However, the PLC standards have
> not supported 802.1AR yet, thus this zero-touch method couldn't be used
> in the implementation at this moment.

Whether or not the *PLC* documents specify 802.1AR is not really relevant. They also don't specify any useful secure join mechanism at all. The device either has a manufacturer-provided keypair, or it has to be provisioned with a key by the operator.

> Is it the case that the PLC devices can have no L2 security as an
> option? I believe that you may wish to outlaw that situation.
> [Remy] All the PLC standards we mentioned in this document have L2
> security mechanisms, such as encryption, data integrity, and
> anti-replay.
> Since this document is focused on the adaptation layer and
> above, the L2 security is considered to be applied by default.

Then you can use dtsecurity-zerotouch-join or 6tisch-minimal-security.

--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-

_______________________________________________
6lo mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/6lo
