Hi Michael,

This work may belong with the EIA/Modbus or ITU etc., we will consider these options as well...

MODBUS is an application layer protocol, currently standardized with layer 2 serial links (such as EIA RS-485, 232 etc.) and Ethernet. The Modbus TCP protocol has adopted TLS-based security standards for Ethernet; however, as an application layer protocol, despite its widespread application, the absence of encryption and authentication in the Modbus protocol via serial links exposes plaintext data to risks such as MIM interception, modification under attacks such as side-channel analysis etc., particularly in long-distance or bridged network scenarios. Enhancing Modbus serial link security requires introducing proper encryption and authentication methods tailored to varied deployment environments, considering the characteristics of serial links such as bandwidth etc. The draft proposed a security guide that outlines lightweight encryption and authentication mechanisms to improve confidentiality and integrity while maintaining compatibility with existing Modbus devices via serial link, offering a practical upgrade path for secure industrial control systems.

BR
Pengui Liu

> -----Original Message-----
> From: "Michael Richardson" <[email protected]>
> Sent: 2025-12-24 04:31:49 (Wednesday)
> To: [email protected]
> Cc: "IOTOPS Working Group" <[email protected]>, [email protected],
>     "[email protected]" <[email protected]>
> Subject: Re: [Iotops] TR: I-D Action:
>     draft-liu-iotops-modbus-seriallink-sec-spec-05.txt
>
> Editorial: I think the abstract is too big. The Introduction fails to
> connect why the increased lengths possible for MODBUS/485 are of concern. I
> think it is because, the longer the wire is, the more opportunities there are
> for unauthorized taps in places nobody can see.
>
> 1. This work, as is, seems to belong with the EIA/Modbus.
> 2. There seems to be a huge uplift in functionality required to establish L2
>    security. If doing such a huge uplift, then:
>
> 3. Why not just run RFC8163? I understand that MS/TP is *not* MODBUS, as
>    MODBUS includes many layers. Replace the lowest layer.
> 4. then run diet-esp (with SCHC and IKEv2) if the TLS part of MODBUS TCP
>    isn't enough.
>
> 5. If MODBUS is being bridged over other transports, then those "VPN"
>    transports should provide security for that part.
>
> This document seems to invent another AKE. Pick one of IKEv2, TLS, cTLS or
> EDHOC.
>
> --
> Michael Richardson <[email protected]> . o O ( IPv6 IøT consulting )
> Sandelman Software Works Inc, Ottawa and Worldwide
