IoT Operational Issues
draft-walther-iotops-iot-ops-00

Document Type: Active Internet-Draft (individual)
Authors: Karsten Walther, Carsten Bormann
Last updated: 2024-03-19
IOT Operations                                                K. Walther
Internet-Draft                                              Perinet GmbH
Intended status: Informational                                C. Bormann
Expires: 21 September 2024                        Universität Bremen TZI
                                                           20 March 2024

                         IoT Operational Issues
                    draft-walther-iotops-iot-ops-00

Abstract

   This I-D is based on a presentation at IETF 119 in the IOTOPS WG.

About This Document

   This note is to be removed before publishing as an RFC.

   Status information for this document may be found at
   https://datatracker.ietf.org/doc/draft-walther-iotops-iot-ops/.

   Discussion of this document takes place on the IOTOPS Working Group
   mailing list (mailto:iotops@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/iotops/.  Subscribe at
   https://www.ietf.org/mailman/listinfo/iotops/.

   Source for this draft and an issue tracker can be found at
   https://github.com/cabo/iot-ops.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 21 September 2024.

Walther & Bormann       Expires 21 September 2024               [Page 1]
Internet-Draft           IoT Operational Issues               March 2024

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
     1.1.  Conventions and Definitions
   2.  Background
   3.  Problems
     3.1.  Problem 1: misleading mDNS name resolution
     3.2.  Problem 2: .local request sent to nameservers
     3.3.  Problem 3: IPv6 LL zone ID
     3.4.  Problem 4: Support for offline environments
     3.5.  Problem 5: Short certificate lifetime
     3.6.  Problem 6: No standard simple role based access model
     3.7.  Problem 7: Browsers disrespect Web server constraints
     3.8.  Problem 8: Virtualization environments act as routers
     3.9.  What next?
   4.  Security Considerations
   5.  IANA Considerations
   Acknowledgments
   Authors' Addresses

1.  Introduction

   [See abstract]

1.1.  Conventions and Definitions

2.  Background

   *  Simple networkable things: light, sensor, power-switch

      -  in our case Single Pair Ethernet is used

      -  no user interface, except a web page and a label

   *  devices, virtual devices and local services (on containers)

      -  act autonomously together during normal operation

      -  users occasionally use a browser for interaction

   *  Typical Applications: Operations level in industry, building and
      agriculture

      -  often no Internet connection, name server, or DHCP available

   *  Typical User: _Technician_ without IT knowledge

      -  previously configured a PLC

      -  has no administration rights on their computer

      -  minimizes contact with network administrators

   ➔ must support ad-hoc connection by technician
   ➔ Zeroconf is a base requirement

   Example Hardware For Web Server and MQTT Client:

   *  Cortex R4 250MHz

   *  ~ 200KB RAM (for code and data)

3.  Problems

3.1.  Problem 1: misleading mDNS name resolution

   *  mDNS resolves a name to multiple addresses: global (GA), ULA, and
      link-local (LL)

      -  often the requester cannot use all of them and has to select one

         o  opaque to the user, because the selection happens inside the
            software stack

         o  no way for the user to control it (the browser address field
            offers none)

         o  non-deterministic

   *  the problem is unnecessary, since the requester specifies a domain

      -  .local

      -  .my-intranet

      -  .tld

      -  ➔ just reply with the addresses that match the domain

3.2.  Problem 2: .local request sent to nameservers

   *  local nameservers may silently ignore .local requests

      -  ➔ timeout
         ➔ requested web server inaccessible from the browser

      -  strange workarounds in the field (e.g., fritz.box)

         o  how should an IoT device know what is a local scope?

   *  some name servers reply with a special address for unknown host
      names

      -  the actual device will never use this address and is therefore
         inaccessible
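
   The following is an added example, written for this page and not part
   of the draft or of Perinet's software.  It shows in Go the selection
   rule Problems 1 and 2 ask for: a requester classifies the addresses an
   mDNS answer carries by scope (link-local, ULA, global), keeps only the
   scope implied by the queried domain, and routes ".local" queries to
   mDNS only, so they never reach a unicast nameserver.  The candidate
   addresses, the name "sensor-7" and the ".my-intranet" site suffix are
   constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
	"strings"
)

// scope is the reachability class of a candidate address.
type scope int

const (
	scopeLL  scope = iota // link-local: IPv6 fe80::/10, IPv4 169.254.0.0/16
	scopeULA              // site-local: IPv6 fc00::/7, IPv4 RFC 1918 ranges
	scopeGA               // global address: anything else
)

// classify maps one address to its scope class.
func classify(a netip.Addr) scope {
	a = a.Unmap() // treat ::ffff:192.168.1.20 like 192.168.1.20
	switch {
	case a.IsLinkLocalUnicast():
		return scopeLL
	case a.IsPrivate():
		return scopeULA
	default:
		return scopeGA
	}
}

// isLocalName reports whether a name is in the ".local" domain that
// RFC 6762 reserves for mDNS.
func isLocalName(name string) bool {
	n := strings.ToLower(strings.TrimSuffix(name, "."))
	return n == "local" || strings.HasSuffix(n, ".local")
}

// scopesFor turns the queried name into an ordered scope preference: a
// ".local" name is link-scoped, a name under one of the site's own
// suffixes (".my-intranet" in the draft) is site-scoped, anything else is
// treated as globally reachable.
func scopesFor(name string, siteSuffixes []string) []scope {
	if isLocalName(name) {
		return []scope{scopeLL, scopeULA, scopeGA}
	}
	n := strings.ToLower(strings.TrimSuffix(name, "."))
	for _, s := range siteSuffixes {
		s = strings.ToLower(strings.Trim(s, "."))
		if n == s || strings.HasSuffix(n, "."+s) {
			return []scope{scopeULA, scopeGA}
		}
	}
	return []scope{scopeGA}
}

// selectAddresses keeps only the candidates whose scope matches the
// queried domain, sorted so the choice is deterministic.  If nothing has
// the preferred scope the next wider scope is tried, so an IPv4-only
// device with a DHCP lease (hence no 169.254.x.x address) still resolves
// under ".local".
func selectAddresses(name string, candidates []netip.Addr, siteSuffixes []string) []netip.Addr {
	for _, want := range scopesFor(name, siteSuffixes) {
		var out []netip.Addr
		for _, c := range candidates {
			if classify(c) == want {
				out = append(out, c)
			}
		}
		if len(out) > 0 {
			sort.Slice(out, func(i, j int) bool { return out[i].Less(out[j]) })
			return out
		}
	}
	return nil
}

// transportFor routes a query: ".local" goes to mDNS and is never sent to
// the configured unicast nameserver, so neither the silent drop nor the
// substitute-address answer of Problem 2 can occur.
func transportFor(name string) string {
	if isLocalName(name) {
		return "mdns"
	}
	return "dns"
}

func main() {
	// Constructed: a device's mDNS answers with GA, ULA and LL addresses on both IP versions.
	cands := []netip.Addr{netip.MustParseAddr("2001:db8::1"), netip.MustParseAddr("fd12:3456::1"),
		netip.MustParseAddr("fe80::1"), netip.MustParseAddr("192.168.1.20"), netip.MustParseAddr("169.254.10.5")}
	for _, q := range []string{"sensor-7.local", "sensor-7.my-intranet", "sensor-7.example"} {
		fmt.Printf("%-22s via %-4s -> %v\n", q, transportFor(q), selectAddresses(q, cands, []string{"my-intranet"}))
	}
}
```

   Scope classification uses the standard library's net/netip predicates.
   The fall-through to the next wider scope is what keeps an IPv4-only
   device resolvable under .local when DHCP gave it a 192.168.x.x address
   and it therefore has no link-local one.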

3.3.  Problem 3: IPv6 LL zone ID

   *  makes URIs unusable: the information in the URL is only locally
      valid

      -  Setup: Client (Browser), Management HTTP Service (on Edge
         Device), and IoT Web service (on the networked sensor) are
         connected at L2

      -  the Management Web page cannot provide an IPv6 LL address as a
         link to the networked sensor

      -  the same applies in various other situations

   *  not supported by many popular libraries (e.g., Node.js)
      ➔ "non-working experience" for users

   *  IMHO zone ID is unnecessary:
      it creates more problems now than it solves later
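
   An added example (Go, written for this page and not taken from the
   draft) of how the zone ID shows up in URIs and why the management page
   in the setup above cannot hand out a link-local link.  It renders and
   parses the RFC 6874 form "[fe80::1%25eth0]", requires a zone for a URL
   used on the local host, refuses IPv6 link-local addresses in a URL
   meant for another host, and falls back to the device's mDNS name
   instead.  The addresses, the interface name eth0 and the name
   sensor-7.local are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// ErrZoneNotPortable is returned when an IPv6 link-local address would be
// put into a URL meant for another host.  The zone ID that makes such an
// address usable names an interface of the host that resolves the URL,
// so the zone the edge device knows is meaningless in the technician's
// browser, and without a zone the browser cannot choose the link.
var ErrZoneNotPortable = errors.New("IPv6 link-local address is only valid with a host-specific zone ID")

// ErrZoneRequired is returned when a link-local address is to be used on
// the local host without saying which interface it belongs to.
var ErrZoneRequired = errors.New("IPv6 link-local address needs a zone ID on this host")

// uriHost renders an address as a URI host: IPv6 literals are bracketed
// (RFC 3986) and a zone ID is appended as "%25<zone>" (RFC 6874), i.e.
// the separating "%" is itself percent-encoded.
func uriHost(a netip.Addr) string {
	if a.Is4() {
		return a.String()
	}
	host := "[" + a.WithZone("").String()
	if z := a.Zone(); z != "" {
		host += "%25" + url.PathEscape(z)
	}
	return host + "]"
}

// parseURIHost is the inverse of uriHost.
func parseURIHost(h string) (netip.Addr, error) {
	if strings.HasPrefix(h, "[") && strings.HasSuffix(h, "]") {
		inner := h[1 : len(h)-1]
		if i := strings.Index(inner, "%25"); i >= 0 {
			zone, err := url.PathUnescape(inner[i+3:])
			if err != nil {
				return netip.Addr{}, err
			}
			inner = inner[:i] + "%" + zone
		}
		return netip.ParseAddr(inner)
	}
	return netip.ParseAddr(h)
}

// localURL builds a URL for use on this host only (e.g. typed into the
// local browser).  A link-local address is accepted, but only with a zone.
func localURL(a netip.Addr, path string) (string, error) {
	if a.Is6() && a.IsLinkLocalUnicast() && a.Zone() == "" {
		return "", ErrZoneRequired
	}
	return "http://" + uriHost(a) + path, nil
}

// sharedURL builds a URL that will be followed from another host, as the
// management page on the edge device does for a sensor.  IPv6 link-local
// addresses are refused: with or without a zone they do not survive the
// trip to the browser.
func sharedURL(a netip.Addr, path string) (string, error) {
	if a.Is6() && a.IsLinkLocalUnicast() {
		return "", ErrZoneNotPortable
	}
	return "http://" + uriHost(a.WithZone("")) + path, nil
}

// deviceLink is what the management page can actually emit: the literal
// address when it is portable, otherwise the device's mDNS name, which the
// browser's host resolves itself (and picks its own zone for).
func deviceLink(a netip.Addr, mdnsName, path string) string {
	if u, err := sharedURL(a, path); err == nil {
		return u
	}
	return "http://" + strings.TrimSuffix(mdnsName, ".") + path
}

func main() {
	// Constructed addresses: the sensor as seen from the edge device.
	ll := netip.MustParseAddr("fe80::1%eth0")
	ula := netip.MustParseAddr("fd12:3456::1")
	for _, a := range []netip.Addr{ll, ula} {
		loc, lerr := localURL(a, "/")
		shr, serr := sharedURL(a, "/")
		fmt.Printf("%-16s local=%q (%v)  shared=%q (%v)  page link=%s\n",
			a, loc, lerr, shr, serr, deviceLink(a, "sensor-7.local", "/"))
	}
}
```

   The name-based fallback is the only portable option for a link-local
   device: the browser's own mDNS query yields an address that is valid
   on its own link, with a zone its own stack can choose.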

3.4.  Problem 4: Support for offline environments

   *  Example Situation: Sensors on a plow attached to different pulling
      machines (or not at all during servicing)

   *  the Web page cannot be accessed by the user for various reasons

      -  some browsers deactivate IPv6 completely (including Link Local)
         when there is no Internet connectivity
      -  Windows deactivates mDNS for unknown networks by default

      -  the user cannot type IPv6 addresses with a zone ID into the
         address bar

      -  browsers don't support looking up local web servers via mDNS
         the way the printer dialogue does, and the local device may be
         muddy or under covers, so the user has no address information

3.5.  Problem 5: Short certificate lifetime

   *  the Web PKI is moving to ever shorter certificate lifetimes

   *  devices are in many cases not online and cannot be updated
      automatically with new certificates

      -  during shelf storage

      -  attached to non-powered machinery, on different networks, or
         without Internet connectivity for months

      -  after a factory reset the device must fall back to its initial
         certificate

3.6.  Problem 6: No standard simple role based access model

   *  Authorization is granted via a client certificate

   *  User levels are typically simple

      -  normal authenticated users can read values or control actuators

      -  privileged users: e.g., setting calibration values

      -  application admins (technicians) can do everything:
         updates, connection settings, security

   *  so far we use an extension field in certificates in a proprietary
      way

      -  works very well, but we would like to have a standard

      -  support by standard PKI tools is required in the mid term
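
   An added example for Problems 5 and 6 (Go, standard library only;
   written for this page, not the draft's or Perinet's code).  A factory
   CA issues a 90-day client certificate that carries a role in a private
   extension; the device verifies the chain at its own clock, so a
   certificate that expired while the device sat on a shelf is refused
   even though the device is offline; the role gates the requested
   action; and pickServerCert falls back to the long-lived factory
   certificate when no renewed one is valid.  The extension OID is an
   assumption, since the draft does not name one, and the dates and
   names are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// roleOID is an ASSUMED identifier for the proprietary role extension; the
// draft names none.  1.3.6.1.4.1 is the IANA private-enterprise arc, but
// 99999 is a placeholder, not a registered enterprise number.
var roleOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// issue mints a P-256 certificate valid for lifetime from notBefore: a
// self-signed factory CA when ca == nil, otherwise a leaf for client and
// server authentication that carries role (if non-empty) as a UTF8String.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, notBefore time.Time, lifetime time.Duration, role string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // rand.Reader health already checked above
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notBefore.Add(lifetime), BasicConstraintsValid: true}
	parent, signer := tmpl, key
	if ca == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		parent, signer = ca, caKey
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth}
	}
	if role != "" {
		v, err := asn1.MarshalWithParams(role, "utf8")
		if err != nil {
			return nil, nil, err
		}
		tmpl.ExtraExtensions = []pkix.Extension{{Id: roleOID, Value: v}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// pickServerCert implements the fall-back the draft asks for: present the
// newest certificate that is valid at the device's own clock; if none is
// (months on a shelf, no way to renew) use the long-lived factory one.
func pickServerCert(now time.Time, factory *x509.Certificate, renewed []*x509.Certificate) *x509.Certificate {
	best := factory
	for _, c := range renewed {
		if !now.Before(c.NotBefore) && !now.After(c.NotAfter) && (best == factory || c.NotBefore.After(best.NotBefore)) {
			best = c
		}
	}
	return best
}

// rank orders the draft's three levels; required is the minimum level per
// action.  Unknown roles and unknown actions are denied.
var rank = map[string]int{"user": 1, "privileged": 2, "admin": 3}
var required = map[string]int{"read": 1, "actuate": 1, "calibrate": 2, "update": 3, "network": 3, "security": 3}

// authorize verifies the client chain against the factory CA at the
// device's clock (an expired 90-day certificate is rejected even offline),
// reads the role extension (absent: ordinary user) and checks the action.
func authorize(client *x509.Certificate, roots *x509.CertPool, now time.Time, action string) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := client.Verify(opts); err != nil {
		return err
	}
	role := "user"
	for _, e := range client.Extensions {
		if e.Id.Equal(roleOID) {
			if _, err := asn1.UnmarshalWithParams(e.Value, &role, "utf8"); err != nil {
				return err
			}
		}
	}
	if need, ok := required[action]; !ok || rank[role] < need {
		return fmt.Errorf("role %q may not %q", role, action)
	}
	return nil
}

func main() {
	t0 := time.Date(2024, 3, 20, 0, 0, 0, 0, time.UTC) // constructed timeline
	ca, caKey, _ := issue(nil, nil, "Factory CA", t0, 20*365*24*time.Hour, "")
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	tech, _, _ := issue(ca, caKey, "technician", t0, 90*24*time.Hour, "admin")
	fmt.Println("update after 30 days: ", authorize(tech, roots, t0.Add(30*24*time.Hour), "update"))
	fmt.Println("update after 200 days:", authorize(tech, roots, t0.Add(200*24*time.Hour), "update"))
}
```

   Verifying with an explicit CurrentTime is what makes the lifetime
   problem visible on the device itself: the check depends only on the
   device's clock and the stored CA, not on reaching any online service.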

3.7.  Problem 7: Browsers disrespect Web server constraints

   *  our device tells the client its maximum packet size and number of
      connections

      -  ≤ 6 connections

      -  memory restrictions ➔ no Jumbo Frames

   *  this is ignored by some browsers or web libraries

      -  especially in browsers the device then looks stalled, even
         though MQTT and mDNS still work
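
   An added example (Go, written for this page, not from the draft) of
   enforcing the advertised limits on the server side.  Since clients
   ignore them, the device caps accepted connections itself, lets excess
   clients wait in the kernel's accept backlog instead of allocating
   buffers for them, reaps idle keep-alive connections so a browser
   holding six idle sockets frees them for the next request, and bounds
   header size and header-read time.  The six-connection cap is the
   draft's; the timeout and header-size values are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"sync"
	"time"
)

// limitedListener caps the number of simultaneously accepted connections.
// Excess clients wait in the kernel's accept backlog, which costs the
// device nothing, instead of each getting buffers on a 200 KB device.
type limitedListener struct {
	net.Listener
	slots chan struct{}
}

func newLimitedListener(inner net.Listener, limit int) *limitedListener {
	return &limitedListener{Listener: inner, slots: make(chan struct{}, limit)}
}

// Accept blocks until a slot is free, then hands out a connection that
// returns the slot when closed.
func (ll *limitedListener) Accept() (net.Conn, error) {
	ll.slots <- struct{}{}
	c, err := ll.Listener.Accept()
	if err != nil {
		<-ll.slots
		return nil, err
	}
	return &slotConn{Conn: c, slots: ll.slots}, nil
}

// inUse reports how many accepted connections currently hold a slot.
func (ll *limitedListener) inUse() int { return len(ll.slots) }

type slotConn struct {
	net.Conn
	slots chan struct{}
	once  sync.Once
}

// Close releases the slot exactly once, however often Close is called.
func (c *slotConn) Close() error {
	c.once.Do(func() { <-c.slots })
	return c.Conn.Close()
}

// newServer configures the HTTP server so that a client which ignores the
// advertised limits cannot pin the device: keep-alive connections idle
// longer than idle are closed (returning their slot), slow or absent
// request headers time out, and oversized headers are rejected.
func newServer(h http.Handler, idle time.Duration) *http.Server {
	return &http.Server{
		Handler:           h,
		ReadHeaderTimeout: 5 * time.Second, // assumed value
		IdleTimeout:       idle,
		MaxHeaderBytes:    4 << 10, // assumed value: ample for a browser request
	}
}

// serve runs h on addr with at most maxConns concurrently accepted connections.
func serve(addr string, h http.Handler, maxConns int) error {
	inner, err := net.Listen("tcp", addr)
	if err != nil {
		return err
	}
	return newServer(h, 2*time.Second).Serve(newLimitedListener(inner, maxConns))
}

func main() {
	h := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "sensor ok")
	})
	// Six connections, as the draft's device advertises.
	if err := serve("127.0.0.1:8080", h, 6); err != nil {
		fmt.Println(err)
	}
}
```

   golang.org/x/net/netutil.LimitListener is the production version of
   this wrapper and also unblocks Accept when the listener is closed
   while waiting for a slot.  The short IdleTimeout is the part that
   matters against browsers: they keep connections open after a page
   load, and without it six idle sockets exhaust the device.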

3.8.  Problem 8: Virtualization environments act as routers

   *  IoT heavily relies on Zeroconf mechanisms like mDNS

      -  e.g., a sensor has to find the responsible MQTT broker, which
         runs in a container

      -  users need to access the user interface in a browser

   *  Virtualization environments (Docker, snap, ...) act as routers

      -  IPv6 LL and mDNS cannot be used

      -  breaks the fundamentals of local IoT
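
   An added example (Docker Compose, written for this page, not from the
   draft) of the routing problem and the two usual ways around it.  On
   the default bridge network the container sits behind a routed, NATed
   hop: mDNS multicast from the sensors and the physical link's
   link-local scope never reach the broker.  Sharing the host's network
   namespace or giving the container its own MAC on the plant link via
   macvlan puts it back on L2.  Mosquitto as the broker, the interface
   name eth0, and the subnets are assumptions.

```yaml
services:
  broker-routed:              # default: container behind the routed/NATed docker0 bridge
    image: eclipse-mosquitto  # assumed broker image
    ports:
      - "1883:1883"           # reachable only via the host's address; mDNS
                              # multicast and the LAN's fe80::/10 scope stop at
                              # the bridge, so sensors cannot discover it

  broker-hostnet:             # fix 1: share the host's network namespace
    image: eclipse-mosquitto
    network_mode: host        # sees the physical link directly: IPv6 LL and mDNS
                              # work as on bare metal; an mDNS responder must
                              # run on the host or inside the image

  broker-macvlan:             # fix 2: own L2 identity on the plant network
    image: eclipse-mosquitto
    networks:
      - plantlan

networks:
  plantlan:
    driver: macvlan
    driver_opts:
      parent: eth0            # assumed physical interface on the edge device
    enable_ipv6: true         # needed so the container gets its own fe80:: address
    ipam:
      config:
        - subnet: 192.168.10.0/24   # assumed site subnet
        - subnet: fd00:10::/64      # assumed ULA prefix
```

   Both fixes have a cost: network_mode: host shares the host's port
   space and removes the namespace isolation, and with macvlan the host
   itself cannot reach the container over the parent interface without
   an extra macvlan sub-interface on the host.  For a single-purpose
   edge device that only needs to be discoverable, host networking is
   the simpler choice.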

3.9.  What next?

   *  Where can standardization help?

      -  Help me to identify the right working groups

      -  or link me to relevant groups outside of IETF

   *  Are there simpler ways than updating/making standards?

4.  Security Considerations

   TODO Security

5.  IANA Considerations

   This document has no IANA actions.

Acknowledgments

   TODO acknowledge.

Authors' Addresses

   Karsten Walther
   Perinet GmbH

   Email: karsten.walther@perinet.io

   Carsten Bormann
   Universität Bremen TZI
   Postfach 330440
   D-28359 Bremen
   Germany
   Phone: +49-421-218-63921
   Email: cabo@tzi.org
