Hi Michael,
"/1) .../"
For onboarding a new device, where there is no connectivity after
authentication, you propose to use 802.1X, which is an EAP lower layer.
EAP over CoAP is in fact a proposal for an application-level EAP lower
layer that overcomes the limitation that 802.1X works on an inferior
layer, hence giving the possibility to perform the network
authentication through nodes.
This idea is not new, in fact, you have PANA, another EAP lower layer
that works on top of UDP.
As you comment, draft-ietf-6tisch-minimal-security offers minimal
security and has several deficiencies that can be solved by using EAP
and AAA infrastructures.
Regarding your second point:
"2) If it is for application authentication, then you need to use EAP to
setup MSK for later use by a context. We do this in IKEv2, (D)TLS already."
Our proposal is to define an EAP lower layer that is specifically
designed for constrained devices and networks. The setup of the MSK for
later use is what the EAP KMF does, and this key material is used to
run a security association protocol, which could be DTLS or OSCORE. That
is why it is not an afterthought as you say. I wrote "could" because it is
one of the possibilities. That is another benefit of using EAP.
With respect to doing this with IKEv2, EAP already has an EAP method for
IKE. Why limit the options when EAP gives you more? What will you do if
the specific network does not support running IKEv2 due to severe
constraints in the network or any other reason?
That is why I believe the flexibility EAP gives you is worth considering.
Best Regards,
Dan.
On 9/12/20 19:55, Michael Richardson wrote:
Dan Garcia <dan.gar...@um.es> wrote:
> EAP can be used in the context of IoT for authentication.
But, to what end?
1) If it is onboarding a new device, then there is no connectivity until after
authentication.
so you can't use CoAP, you have to use 802.1x, or some equivalent, or
create a system such as draft-ietf-6tisch-minimal-security.
Which does use CoAP and OSCORE already.
2) If it is for application authentication, then you need to use EAP to setup
MSK for later use by a context.
We do this in IKEv2, (D)TLS already.
So the only one left would be OSCORE, yet you write "could", as if it was an
afterthought.
Tell me what is your application? What will be impossible if we don't do
this work?
--
Michael Richardson <mcr+i...@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu