Re: [Ace] [Anima] Certification Authority renewal/rollover and intra-device communication
Brian E Carpenter wrote:
>> Brian E Carpenter wrote:
>> > I *really* don't understand this stuff, but how long could the rollover
>> > take, for a reasonably large IoT network (presumably thousands of
>> > devices)? Are we talking about a few seconds when no new sessions could
>> > start, or what?
>>
>> For sleepy IoT devices that wake up once a day, and run on a slow
network?
>> Could be a few weeks, easily.
>>
>> But, on such networks, the devices mostly don't talk to each other at
all.
> What, no networks of cooperating sensors ("I've detected smoke, did you
> detect smoke too?")
yeah, but since both sensors are sleeping, the coordination would be in the
central point.
>> Industrial situations like factories aren't doing a lot of device2device
>> communication (i.e. without involving the control system), but if they
did,
>> then they'd want to schedule the certificate renewal/rollover at a
specific time.
> Agreed, that would be normal procedure in control systems of all kinds.
> It's less clear in what are euphemistically called tactical networks; a
> certificate rollover on a battlefield could be a big deal.
the scene is the back of a truck (or sparse fuselage: think Edge of
Tomorrow), with 10 soldiers on each side: "Marines! Drop in five. Synchronize
your trust anchors!"
>> I think that we could do this by issuing new certificates with a
notBefore
>> date in the future, but to date, I don't think we have a clear
specification
>> that says this.
> Ack.
--
Michael Richardson. o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
signature.asc
Description: PGP signature
___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
Re: [Ace] [Anima] Certification Authority renewal/rollover and intra-device communication
On 06-Oct-21 05:24, Michael Richardson wrote:
>
> Brian E Carpenter wrote:
> > I *really* don't understand this stuff, but how long could the rollover
> > take, for a reasonably large IoT network (presumably thousands of
> > devices)? Are we talking about a few seconds when no new sessions could
> > start, or what?
>
> For sleepy IoT devices that wake up once a day, and run on a slow network?
> Could be a few weeks, easily.
>
> But, on such networks, the devices mostly don't talk to each other at all.
What, no networks of cooperating sensors ("I've detected smoke, did you
detect smoke too?")
> Industrial situations like factories aren't doing a lot of device2device
> communication (i.e. without involving the control system), but if they did,
> then they'd want to schedule the certificate renewal/rollover at a specific
> time.
Agreed, that would be normal procedure in control systems of all kinds.
It's less clear in what are euphemistically called tactical networks; a
certificate rollover on a battlefield could be a big deal.
> I think that we could do this by issuing new certificates with a notBefore
> date in the future, but to date, I don't think we have a clear specification
> that says this.
Ack.
Brian
___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
Re: [Ace] [Anima] Certification Authority renewal/rollover and intra-device communication
Brian E Carpenter wrote: > I *really* don't understand this stuff, but how long could the rollover > take, for a reasonably large IoT network (presumably thousands of > devices)? Are we talking about a few seconds when no new sessions could > start, or what? For sleepy IoT devices that wake up once a day, and run on a slow network? Could be a few weeks, easily. But, on such networks, the devices mostly don't talk to each other at all. Industrial situations like factories aren't doing a lot of device2device communication (i.e. without involving the control system), but if they did, then they'd want to schedule the certificate renewal/rollover at a specific time. I think that we could do this by issuing new certificates with a notBefore date in the future, but to date, I don't think we have a clear specification that says this. -- Michael Richardson. o O ( IPv6 IøT consulting ) Sandelman Software Works Inc, Ottawa and Worldwide signature.asc Description: PGP signature ___ Ace mailing list Ace@ietf.org https://www.ietf.org/mailman/listinfo/ace
Re: [Ace] [Anima] Certification Authority renewal/rollover and intra-device communication
I *really* don't understand this stuff, but how long could the rollover
take, for a reasonably large IoT network (presumably thousands of
devices)? Are we talking about a few seconds when no new sessions could
start, or what?
That said, I don't see that you have much choice.
Regards
Brian
On 03-Oct-21 13:36, Michael Richardson wrote:
>
> In:
> https://github.com/anima-wg/constrained-voucher/pull/177/files
>
> We make a compromise on the CA rollover protocol defined RFC4210.
>
> Specifically, during the period when devices are renewing their certificates,
> we do not support communication between devices with different certificates.
> For instance two devices creating a new DTLS session between them, or even
> IKEv2 or EDHOC using certificates.
>
> Existing connections could continue, including rekeying, but new ones would
> not be possible to create if the devices are in different states.
>
> It's not clear to the design team how RFC7030 would have supported this
> anyway: when would the OldWithNew and NewWithOld certificates have been
> transfered, and at what point would devices learn that they no longer need to
> include those in the certificate chains that are exchanged inband.
>
> Given IoT networks that are primarily M2MP, we think that it *is* reasonable
> that a non-constrained data collection system could have all the right
> certificates (OldWithNew, NewWithOld) to operate. But, we don't know how
> that system got them.
>
> {You might argue that this is really ace-est-coaps^WRFC9148 matter, and
> probably you'd be right. But that document is past AUTH48, waiting for DTLS13}
>
> --
> Michael Richardson. o O ( IPv6 IøT consulting )
>Sandelman Software Works Inc, Ottawa and Worldwide
>
>
>
>
>
> ___
> Anima mailing list
> an...@ietf.org
> https://www.ietf.org/mailman/listinfo/anima
>
___
Ace mailing list
Ace@ietf.org
https://www.ietf.org/mailman/listinfo/ace
