Thing-to-Thing Research Group (T2TRG)
Eliot Lear and Mohit Sethi
The Thing-to-Thing research group (T2TRG), under the Internet Research Task Force (IRTF), investigates open research issues towards turning the promise of IoT into reality. The research group reported on its recent activities during its session in Prague and held a further working meeting to follow up.
Earlier this year, the seminal document on IoT security considerations from T2TRG cleared its last milestone and was approved for publication as an informational RFC by the Internet Engineering Steering Group (IESG). T2TRG is also discussing two new pieces of work:
- Constrained Internationalized Resource Identifiers describes a mechanism to encode URI components in Concise Binary Object Representation (CBOR) instead of the typical string of ASCII characters. This can simplify parsing and comparison of URIs in resource-constrained environments.
- Constrained RESTful Application Language (CoRAL) defines a data and interaction model that can allow software agents (automated scripts) to navigate a Web application based on a standardized vocabulary of links and forms and relation types.
IoT bootstrapping work is also underway in the IETF. Many small office and home (SOHO) IoT devices re-use the existing Wi-Fi infrastructure for connecting to the Internet. These deployments typically rely on a network-wide shared secret for joining the network, commonly referred to as WPA2-PSK mode. However, the security of a shared passphrase becomes highly questionable when large numbers of physical devices, from toys to bathroom scales to doorbells to thermostats, are connected to the network. The per-device credentials provided by 802.1X will be necessary to prevent one insecure device from compromising the security of others on the same wireless network. The community is currently discussing how IETF standards such as EAP (Extensible Authentication Protocol) can be employed for this purpose.
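To make the contrast above concrete, here is an added hostapd example (not from the T2TRG report or any IETF draft it mentions) showing the network-wide WPA2-PSK setting beside a configuration in which each device authenticates individually over 802.1X/EAP against an external RADIUS server; the two are separate hostapd.conf files, and the interface, SSID, passphrase, addresses and secrets are placeholders.

```ini
# ===== File 1 (weak): one passphrase shared by every device on the SSID =====
# Whoever extracts this value from a single compromised toy or scale holds
# the joining credential of every other device on the network.
interface=wlan0
ssid=ExampleHome
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# placeholder passphrase; identical on all devices
wpa_passphrase=CHANGE-ME-shared-passphrase

# ===== File 2 (per-device): 802.1X with EAP handled by a RADIUS server =====
# Each device presents its own credential (for example a client certificate
# with EAP-TLS); revoking one device does not require re-keying the others.
interface=wlan0
ssid=ExampleHome
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
# hand EAP off to the RADIUS server rather than hostapd's built-in EAP server
eap_server=0
# placeholder access-point address, sent as NAS-IP-Address (TEST-NET-1 range)
own_ip_addr=192.0.2.1
# placeholder RADIUS authentication server and shared secret
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-radius-secret
```

The RADIUS server, not hostapd, holds the per-device identities and decides which credentials are still valid, so that is where an individual device is revoked.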
Full details and the latest information about T2TRG activities can be found on GitHub.
Large organizations obviously also require centralized management, both in terms of how devices get credentials and in establishing accountability for those devices. When hundreds of devices of the same type are connected, automation is a requirement. On the other hand, such a trusted introduction also creates additional, potentially lasting dependencies on additional parties. The IETF is currently working on mechanisms such as Bootstrapping Remote Secure Key Infrastructure (BRSKI), which are being adopted by others.
After the IETF 103 meeting, a mailing list was also formed to discuss these topics, and participants have begun to catalog the mechanisms that are available. Discussions at IETF 104 were used to refine that work.