< draft-ietf-ace-usecases-01.txt   draft-ietf-ace-usecases-02.txt >
ACE Working Group L. Seitz, Ed. ACE Working Group L. Seitz, Ed.
Internet-Draft SICS Swedish ICT AB Internet-Draft SICS Swedish ICT AB
Intended status: Informational S. Gerdes, Ed. Intended status: Informational S. Gerdes, Ed.
Expires: July 17, 2015 Universitaet Bremen TZI Expires: August 9, 2015 Universitaet Bremen TZI
G. Selander G. Selander
Ericsson Ericsson
M. Mani M. Mani
Itron Itron
S. Kumar S. Kumar
Philips Research Philips Research
January 13, 2015 February 05, 2015
ACE use cases ACE use cases
draft-ietf-ace-usecases-01 draft-ietf-ace-usecases-02
Abstract Abstract
Constrained devices are nodes with limited processing power, storage Constrained devices are nodes with limited processing power, storage
space and transmission capacities. These devices in many cases do space and transmission capacities. These devices in many cases do
not provide user interfaces and are often intended to interact not provide user interfaces and are often intended to interact
without human intervention. without human intervention.
This document comprises a collection of representative use cases for This document comprises a collection of representative use cases for
the application of authentication and authorization in constrained the application of authentication and authorization in constrained
skipping to change at page 2, line 10 skipping to change at page 2, line 7
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on July 17, 2015. This Internet-Draft will expire on August 9, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 40 skipping to change at page 2, line 37
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Container monitoring . . . . . . . . . . . . . . . . . . 4 2.1. Container monitoring . . . . . . . . . . . . . . . . . . 4
2.1.1. Bananas for Munich . . . . . . . . . . . . . . . . . 5 2.1.1. Bananas for Munich . . . . . . . . . . . . . . . . . 5
2.1.2. Authorization Problems Summary . . . . . . . . . . . 6 2.1.2. Authorization Problems Summary . . . . . . . . . . . 6
2.2. Home Automation . . . . . . . . . . . . . . . . . . . . . 6 2.2. Home Automation . . . . . . . . . . . . . . . . . . . . . 6
2.2.1. Controlling the Smart Home Infrastructure . . . . . . 7 2.2.1. Controlling the Smart Home Infrastructure . . . . . . 7
2.2.2. Seamless Authorization . . . . . . . . . . . . . . . 7 2.2.2. Seamless Authorization . . . . . . . . . . . . . . . 7
2.2.3. Remotely letting in a visitor . . . . . . . . . . . . 7 2.2.3. Remotely letting in a visitor . . . . . . . . . . . . 7
2.2.4. Authorization Problems Summary . . . . . . . . . . . 8 2.2.4. Authorization Problems Summary . . . . . . . . . . . 8
2.3. Personal Health Monitoring . . . . . . . . . . . . . . . 8 2.3. Personal Health Monitoring . . . . . . . . . . . . . . . 9
2.3.1. John and the heart rate monitor . . . . . . . . . . . 9 2.3.1. John and the heart rate monitor . . . . . . . . . . . 9
2.3.2. Authorization Problems Summary . . . . . . . . . . . 10 2.3.2. Authorization Problems Summary . . . . . . . . . . . 10
2.4. Building Automation . . . . . . . . . . . . . . . . . . . 11 2.4. Building Automation . . . . . . . . . . . . . . . . . . . 11
2.4.1. Device Lifecycle . . . . . . . . . . . . . . . . . . 11 2.4.1. Device Lifecycle . . . . . . . . . . . . . . . . . . 11
2.4.2. Authorization Problems Summary . . . . . . . . . . . 13 2.4.2. Authorization Problems Summary . . . . . . . . . . . 13
2.5. Smart Metering . . . . . . . . . . . . . . . . . . . . . 14 2.5. Smart Metering . . . . . . . . . . . . . . . . . . . . . 14
2.5.1. Drive-by metering . . . . . . . . . . . . . . . . . . 14 2.5.1. Drive-by metering . . . . . . . . . . . . . . . . . . 14
2.5.2. Meshed Topology . . . . . . . . . . . . . . . . . . . 15 2.5.2. Meshed Topology . . . . . . . . . . . . . . . . . . . 15
2.5.3. Advanced Metering Infrastructure . . . . . . . . . . 15 2.5.3. Advanced Metering Infrastructure . . . . . . . . . . 15
2.5.4. Authorization Problems Summary . . . . . . . . . . . 16 2.5.4. Authorization Problems Summary . . . . . . . . . . . 16
2.6. Sports and Entertainment . . . . . . . . . . . . . . . . 16 2.6. Sports and Entertainment . . . . . . . . . . . . . . . . 16
2.6.1. Dynamically Connecting Smart Sports Equipment . . . . 17 2.6.1. Dynamically Connecting Smart Sports Equipment . . . . 17
2.6.2. Authorization Problems Summary . . . . . . . . . . . 17 2.6.2. Authorization Problems Summary . . . . . . . . . . . 17
2.7. Industrial Control Systems . . . . . . . . . . . . . . . 17 2.7. Industrial Control Systems . . . . . . . . . . . . . . . 18
2.7.1. Oil Platform Control . . . . . . . . . . . . . . . . 18 2.7.1. Oil Platform Control . . . . . . . . . . . . . . . . 18
2.7.2. Authorization Problems Summary . . . . . . . . . . . 18 2.7.2. Authorization Problems Summary . . . . . . . . . . . 18
3. Security Considerations . . . . . . . . . . . . . . . . . . . 19 3. Security Considerations . . . . . . . . . . . . . . . . . . . 19
3.1. Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 19 3.1. Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.2. Configuration of Access Permissions . . . . . . . . . . . 20 3.2. Configuration of Access Permissions . . . . . . . . . . . 20
3.3. Design Considerations for Authorization Solutions . . . . 21 3.3. Design Considerations for Authorization Solutions . . . . 21
3.4. Proxies . . . . . . . . . . . . . . . . . . . . . . . . . 22 3.4. Proxies . . . . . . . . . . . . . . . . . . . . . . . . . 22
4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 22 4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 22
5. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 23 5. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 23
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 23
skipping to change at page 4, line 11 skipping to change at page 4, line 11
Where specific detail is necessary it is assumed that the devices Where specific detail is necessary it is assumed that the devices
communicate using CoAP [RFC7252], although most conclusions are communicate using CoAP [RFC7252], although most conclusions are
generic. generic.
1.1. Terminology 1.1. Terminology
Readers are required to be familiar with the terms defined in Readers are required to be familiar with the terms defined in
[RFC7228]. In addition, this document uses the following [RFC7228]. In addition, this document uses the following
terminology: terminology:
Resource: An item of interest. Resource: An item of interest.
Resource Server: The device which hosts resources the Client wants to Resource Server: The endpoint which hosts resources the Client wants
access. Resource Servers might be constrained devices. to access. Resource Servers might be located on constrained
devices.
Client: A device which wants to access a resource on the Resource Client: An endpoint which wants to access a resource on the Resource
Server. This could also be a constrained device. Server. This could also be located on a constrained device.
Resource Owner: The subject who owns the resource and controls its Resource Owner: The subject who controls the access permissions of a
access permissions. resource.
Device Owner: The subject who owns a certain device and controls its Client Owner: The subject who controls the access permissions of a
access permissions. client.
Principal: A subject who is either a resource owner or a device owner Principal: A subject who is either a resource owner or a client
or both. owner or both.
2. Use Cases 2. Use Cases
This section lists use cases involving constrained devices with This section lists use cases involving constrained devices with
certain authorization problems to be solved. Each use case first certain authorization problems to be solved. Each use case first
presents a general description of the application area, then one or presents a general description of the application area, then one or
more specific use cases, and finally a summary of the authorization- more specific use cases, and finally a summary of the authorization-
related problems principals need to be solved. related problems principals need to be solved.
There are various reasons for assigning a function (client or server) There are various reasons for assigning a function (client or server)
to a device, e.g. which device initiates the conversation, how do to a device, e.g. which device initiates the conversation, how do
devices find each other, etc. The definition of the function of a devices find each other, etc. The definition of the function of a
device in a certain use case is not in scope of this document. device in a certain use case is not in scope of this document.
Readers should be aware that there might be reasons for each setting Readers should be aware that there might be reasons for each setting
and that devices might even have different functions at different and that endpoints might even have different functions at different
times. times.
2.1. Container monitoring 2.1. Container monitoring
The ability of sensors to communicate environmental data wirelessly The ability of sensors to communicate environmental data wirelessly
opens up new application areas. The use of such sensor systems makes opens up new application areas. The use of such sensor systems makes
it possible to continuously track and transmit specific it possible to continuously track and transmit specific
characteristics such as temperature, humidity and gas content during characteristics such as temperature, humidity and gas content during
the transportation and storage of goods. the transportation and storage of goods.
skipping to change at page 5, line 20 skipping to change at page 5, line 20
During the shipment to their destination the goods often pass stops During the shipment to their destination the goods often pass stops
where they are transloaded to other means of transportation, e.g. where they are transloaded to other means of transportation, e.g.
from ship transport to road transport. from ship transport to road transport.
The transportation and storage of perishable goods is especially The transportation and storage of perishable goods is especially
challenging since they have to be stored at a constant temperature challenging since they have to be stored at a constant temperature
and with proper ventilation. Additionally, it is very important for and with proper ventilation. Additionally, it is very important for
the vendors to be informed about irregularities in the temperature the vendors to be informed about irregularities in the temperature
and ventilation of fruits to avoid the delivery of decomposed fruits and ventilation of fruits to avoid the delivery of decomposed fruits
to their customers. The need for a constant monitoring of perishable to their customers. The need for a constant monitoring of perishable
goods has led to projects such as The Intelligent Container (http:// goods has led to projects such as The Intelligent Container
www.intelligentcontainer.com). (http://www.intelligentcontainer.com).
2.1.1. Bananas for Munich 2.1.1. Bananas for Munich
A fruit vendor grows bananas in Costa Rica for the German market. It A fruit vendor grows bananas in Costa Rica for the German market. It
instructs a transport company to deliver the goods via ship to instructs a transport company to deliver the goods via ship to
Rotterdam where they are picked up by trucks and transported to a Rotterdam where they are picked up by trucks and transported to a
ripening facility. A Munich supermarket chain buys ripened bananas ripening facility. A Munich supermarket chain buys ripened bananas
from the fruit vendor and transports them from the ripening facility from the fruit vendor and transports them from the ripening facility
to the individual markets with their own company trucks. to the individual markets with their own company trucks.
skipping to change at page 6, line 23 skipping to change at page 6, line 23
system and to monitor the degree of ripeness of the bananas. Ripe system and to monitor the degree of ripeness of the bananas. Ripe
bananas need to be identified and sold before they spoil. bananas need to be identified and sold before they spoil.
The supermarket chain gains ownership of the banana boxes when the The supermarket chain gains ownership of the banana boxes when the
bananas have ripened and are ready to leave the ripening facility. bananas have ripened and are ready to leave the ripening facility.
2.1.2. Authorization Problems Summary 2.1.2. Authorization Problems Summary
o U1.1 Principals such as the fruit vendor, the transloading o U1.1 Principals such as the fruit vendor, the transloading
personnel or the container owners want to grant different access personnel or the container owners want to grant different access
rights for their resource to different parties and want to control rights for their resources to different parties and want to
which devices are allowed to present data to their devices. control which resource servers are allowed to present data to
their clients.
o U1.2 Principals want to grant different access rights for o U1.2 Principals want to grant different access rights for
different resources on a device. different resources on an endpoint.
o U1.3 The principals require the integrity of sensor data. o U1.3 The principals require the integrity of sensor data.
o U1.4 The principals require the confidentiality of sensor data. o U1.4 The principals require the confidentiality of sensor data.
o U1.5 The principals are not always present at the time of access o U1.5 The principals are not always present at the time of access
and cannot manually intervene in the authorization process. and cannot manually intervene in the authorization process.
o U1.6 The principals want to grant temporary access permissions to o U1.6 The principals want to grant temporary access permissions to
a party. a party.
skipping to change at page 7, line 21 skipping to change at page 7, line 21
use), the configuration must use secure default settings, and the use), the configuration must use secure default settings, and the
interface must be well adapted to novice users. interface must be well adapted to novice users.
2.2.1. Controlling the Smart Home Infrastructure 2.2.1. Controlling the Smart Home Infrastructure
Alice and her husband Bob own a flat which is equipped with home Alice and her husband Bob own a flat which is equipped with home
automation devices such as HVAC and shutter control, and they have a automation devices such as HVAC and shutter control, and they have a
motion sensor in the corridor which controls the light bulbs there. motion sensor in the corridor which controls the light bulbs there.
Alice and Bob can control the shutters and the temperature in each Alice and Bob can control the shutters and the temperature in each
room using either wall-mounted touch panels or with an internet room using either wall-mounted touch panels or an internet connected
connected device (e.g. a smartphone). Since Alice and Bob both have device (e.g. a smartphone). Since Alice and Bob both have a full-
a full-time job, they want to be able to change settings remotely, time job, they want to be able to change settings remotely, e.g. turn
e.g. turn up the heating on a cold day if they will be home earlier up the heating on a cold day if they will be home earlier than
than expected. expected.
The couple does not want people in radio range of their devices, e.g. The couple does not want people in radio range of their devices, e.g.
their neighbors, to be able to control them without authorization. their neighbors, to be able to control them without authorization.
Moreover, they don't want burglars to be able to deduce behavioral Moreover, they don't want burglars to be able to deduce behavioral
patterns from eavesdropping on the network. patterns from eavesdropping on the network.
2.2.2. Seamless Authorization 2.2.2. Seamless Authorization
Alice buys a new light bulb for the corridor and integrates it into Alice buys a new light bulb for the corridor and integrates it into
the home network, i.e. makes resources known to other devices in the the home network, i.e. makes resources known to other devices in the
skipping to change at page 7, line 50 skipping to change at page 7, line 50
the need for additional administration effort. She provides the the need for additional administration effort. She provides the
necessary configurations for that. necessary configurations for that.
2.2.3. Remotely letting in a visitor 2.2.3. Remotely letting in a visitor
Alice and Bob have equipped their home with automated connected door- Alice and Bob have equipped their home with automated connected door-
locks and an alarm system at the door and the windows. The couple locks and an alarm system at the door and the windows. The couple
can control this system remotely. can control this system remotely.
Alice and Bob have invited Alice's parents over for dinner, but are Alice and Bob have invited Alice's parents over for dinner, but are
stuck in traffic and can not arrive in time, while Alice's parents stuck in traffic and cannot arrive in time, while Alice's parents who
who use the subway will arrive punctually. Alice calls her parents use the subway will arrive punctually. Alice calls her parents and
and offers to let them in remotely, so they can make themselves offers to let them in remotely, so they can make themselves
comfortable while waiting. Then Alice sets temporary permissions comfortable while waiting. Then Alice sets temporary permissions
that allow them to open the door, and shut down the alarm. She wants that allow them to open the door, and shut down the alarm. She wants
these permissions to be only valid for the evening since she does not these permissions to be only valid for the evening since she does not
like it if her parents are able to enter the house as they see fit. like it if her parents are able to enter the house as they see fit.
When Alice's parents arrive at Alice's and Bob's home, they use their When Alice's parents arrive at Alice's and Bob's home, they use their
smartphone to communicate with the door-lock and alarm system. smartphone to communicate with the door-lock and alarm system.
2.2.4. Authorization Problems Summary 2.2.4. Authorization Problems Summary
skipping to change at page 9, line 38 skipping to change at page 9, line 41
changes of battery are unacceptable. changes of battery are unacceptable.
2.3.1. John and the heart rate monitor 2.3.1. John and the heart rate monitor
John has a heart condition, that can result in sudden cardiac John has a heart condition, that can result in sudden cardiac
arrests. He therefore uses a device called HeartGuard that monitors arrests. He therefore uses a device called HeartGuard that monitors
his heart rate and his position. In case of a cardiac arrest it his heart rate and his position. In case of a cardiac arrest it
automatically sends an alarm to an emergency service, transmitting automatically sends an alarm to an emergency service, transmitting
John's current location. This requires the device to be close to a John's current location. This requires the device to be close to a
wireless access point, in order to be able to get an Internet wireless access point, in order to be able to get an Internet
connection (e.g. John's smartphone). connection (e.g. John's smartphone).
The device includes some authentication mechanism, in order to The device includes some authentication mechanism, in order to
prevent other persons who get physical access to it from acting as prevent other persons who get physical access to it from acting as
the owner and messing up the access control and security settings. the owner and messing up the access control and security settings.
John can configure additional persons that get notified in an John can configure additional persons that get notified in an
emergency, for example his daughter Jill. Furthermore the device emergency, for example his daughter Jill. Furthermore the device
stores data on John's heart rate, which can later be accessed by a stores data on John's heart rate, which can later be accessed by a
physician to assess the condition of John's heart. physician to assess the condition of John's heart.
However John is a privacy conscious person, and is worried that Jill However John is a privacy conscious person, and is worried that Jill
might use HeartGuard to monitor his location while there is no might use HeartGuard to monitor his location while there is no
emergency. Furthermore he doesn't want his health insurance to get emergency. Furthermore he doesn't want his health insurance to get
access to the HeartGuard data, or even to the fact that he is wearing access to the HeartGuard data, or even to the fact that he is wearing
a HeartGuard, since they might refuse to renew his insurance if they a HeartGuard, since they might refuse to renew his insurance if they
decided he was too big a risk for them. decided he was too big a risk for them.
Finally John, while being comfortable with modern technology and able Finally John, while being comfortable with modern technology, and
to operate it reasonably well, is not trained in computer security. able to operate it reasonably well, is not trained in computer
He therefore need an interface for the configuration of the security. He therefore needs an interface for the configuration of
HeartGuard security that is easy to understand and use. If John does the HeartGuard security that is easy to understand and use. If John
not understand the meaning of some setting, he tends to leave it does not understand the meaning of a setting, he tends to leave it
alone, assuming that the manufacturer has initialized the device to alone, assuming that the manufacturer has initialized the device to
secure settings. secure settings.
NOTE: Monitoring of some state parameter (e.g. an alarm button) and NOTE: Monitoring of some state parameter (e.g. an alarm button) and
the position of a person also fits well into an elderly care service. the position of a person also fits well into an elderly care service.
This is particularly useful for people suffering from dementia, where This is particularly useful for people suffering from dementia, where
the relatives or caregivers need to be notified of the whereabouts of the relatives or caregivers need to be notified of the whereabouts of
the person under certain conditions. In this case it is not the the person under certain conditions. In this case it is not the
patient that decides about access. patient that decides about access.
skipping to change at page 12, line 39 skipping to change at page 12, line 39
shares some of the common spaces with company A. On a really hot day shares some of the common spaces with company A. On a really hot day
James who works for company A turns on the air condition in his James who works for company A turns on the air condition in his
office. Lucy who works for company B wants to make tea using an office. Lucy who works for company B wants to make tea using an
electric kettle. After she turned it on she goes outside to talk to electric kettle. After she turned it on she goes outside to talk to
a colleague until the water is boiling. Unfortunately, her kettle a colleague until the water is boiling. Unfortunately, her kettle
has a malfunction which causes overheating and results in a has a malfunction which causes overheating and results in a
smoldering fire of the kettle's plastic case. smoldering fire of the kettle's plastic case.
Due to the smoke coming from the kettle the fire alarm is triggered. Due to the smoke coming from the kettle the fire alarm is triggered.
Alarm sirens throughout the building are switched on simultaneously Alarm sirens throughout the building are switched on simultaneously
(using a broadcast or multicast) to alert the staff of both (using a broadcastor multicast) to alert the staff of both companies.
companies. Additionally, the ventilation system of the whole Additionally, the ventilation system of the whole building is closed
building is closed off to prevent the smoke from spreading and to off to prevent the smoke from spreading and to withdraw oxygen from
withdraw oxygen from the fire. The smoke cannot get into James' the fire. The smoke cannot get into James' office although he turned
office although he turned on his air condition because the fire alarm on his air condition because the fire alarm overrides the manual
overrides the manual setting by sending commands (broadcast or setting by sending commands (broadcast or multicast) to switch off
multicast) to switch off all the air conditioning. all the air conditioning.
The fire department is notified of the fire automatically and arrives The fire department is notified of the fire automatically and arrives
within a short time. After inspecting the damage and extinguishing within a short time. After inspecting the damage and extinguishing
the smoldering fire a fire fighter resets the fire alarm because only the smoldering fire a fire fighter resets the fire alarm because only
the fire department is authorized to do that. the fire department is authorized to do that.
2.4.1.3. Maintenance 2.4.1.3. Maintenance
Company A's staff are annoyed that the lights switch off too often in Company A's staff are annoyed that the lights switch off too often in
their rooms if they work silently in front of their computer. their rooms if they work silently in front of their computer.
skipping to change at page 13, line 48 skipping to change at page 13, line 48
o U4.2 Principals want to be able to integrate a device that o U4.2 Principals want to be able to integrate a device that
formerly belonged to a different administrative domain to their formerly belonged to a different administrative domain to their
own administrative domain (handover). own administrative domain (handover).
o U4.3 Principal want to be able to remove a device from their o U4.3 Principal want to be able to remove a device from their
administrative domain (decomissioning). administrative domain (decomissioning).
o U4.4 Principals want to be able to delegate selected o U4.4 Principals want to be able to delegate selected
administration tasks for their devices to others. administration tasks for their devices to others.
o U4.5 The device owner wants to be able to define context-based o U4.5 The principal wants to be able to define context-based
Authorization rules. Authorization rules.
o U4.6 The device owner wants to be able to revoke granted o U4.6 The principal wants to be able to revoke granted permissions
permissions and delegations. and delegations.
o U4.7 The device owner wants to allow only authorized access to o U4.7 The principal wants to allow authorized entities to send data
device resources (default deny). to their endpoints (default deny).
o U4.8 The device owner wants to be able to authorize a device to o U4.8 The principal wants to be able to authorize a device to
control several devices at the same time using a multicast control several devices at the same time using a multicast
protocol. protocol.
o U4.9 Principals want to be able to interconnect their own o U4.9 Principals want to be able to interconnect their own
subsystems with those from a different operational domain while subsystems with those from a different operational domain while
keeping the control over the authorizations (e.g. granting and keeping the control over the authorizations (e.g. granting and
revoking permissions) for their devices. revoking permissions) for their endpoints and devices.
2.5. Smart Metering 2.5. Smart Metering
Automated measuring of customer consumption is an established Automated measuring of customer consumption is an established
technology for electricity, water, and gas providers. Increasingly technology for electricity, water, and gas providers. Increasingly
these systems also feature networking capability to allow for remote these systems also feature networking capability to allow for remote
management. Such systems are in use for commercial, industrial and management. Such systems are in use for commercial, industrial and
residential customers and require a certain level of security, in residential customers and require a certain level of security, in
order to avoid economic loss to the providers, vulnerability of the order to avoid economic loss to the providers, vulnerability of the
distribution system, as well as disruption of services for the distribution system, as well as disruption of services for the
skipping to change at page 16, line 15 skipping to change at page 16, line 15
during the last 72 hours". during the last 72 hours".
2.5.4. Authorization Problems Summary 2.5.4. Authorization Problems Summary
o U5.1 Devices are installed in hostile environments where they are o U5.1 Devices are installed in hostile environments where they are
physically accessible by attackers. Principals want to make sure physically accessible by attackers. Principals want to make sure
that an attacker cannot use a captured device to attack other that an attacker cannot use a captured device to attack other
parts of their infrastructure. parts of their infrastructure.
o U5.2 Principals want to restrict which entities are allowed to o U5.2 Principals want to restrict which entities are allowed to
write data to the devices and thus ensure the integrity of the send data to their resources and endpoints and thus ensure the
data on their devices. integrity of the data on their endpoints.
o U5.3 The principal wants to control which entities are allowed to o U5.3 The principal wants to control which entities are allowed to
read data on the devices and protect such data in transfer. read data on their resources and protect such data in transfer.
o U5.4 The devices may have intermittent Internet connectivity. o U5.4 The devices may have intermittent Internet connectivity.
o U5.5 The principal is not always present at the time of access and o U5.5 The principal is not always present at the time of access and
cannot manually intervene in the authorization process. cannot manually intervene in the authorization process.
o U5.6 When authorization policies are updated it is impossible, or o U5.6 When authorization policies are updated it is impossible, or
at least very inefficient to contact all affected devices at least very inefficient to contact all affected endpoints
directly. directly.
o U5.7 Messages between a client and the device may need to be o U5.7 Messages between a client and a resource server may need to
stored and forwarded over multiple nodes. be stored and forwarded over multiple nodes.
2.6. Sports and Entertainment 2.6. Sports and Entertainment
In the area of leisure time activities, applications can benefit from In the area of leisure time activities, applications can benefit from
the small size and weight of constrained devices. Sensors and the small size and weight of constrained devices. Sensors and
actuators with various functionalities can be integrated into fitness actuators with various functionalities can be integrated into fitness
equipment, games and even clothes. Principals can carry their equipment, games and even clothes. Principals can carry their
devices around with them at all times. devices around with them at all times.
Usability is especially important in this area since principals will Usability is especially important in this area since principals will
skipping to change at page 17, line 39 skipping to change at page 17, line 39
2.6.2. Authorization Problems Summary 2.6.2. Authorization Problems Summary
o U6.1 The principal wants to be able to grant access rights o U6.1 The principal wants to be able to grant access rights
dynamically when needed. dynamically when needed.
o U6.2 The principle wants the configuration of access rights to o U6.2 The principle wants the configuration of access rights to
work with very little effort. work with very little effort.
o U6.3 The principal wants to be able to preconfigure access o U6.3 The principal wants to be able to preconfigure access
policies that grant certain access permissions to devices with policies that grant certain access permissions to endpoints with
certain attributes (e.g. devices of a certain user) without certain attributes (e.g. endpoints of a certain user) without
additional configuration effort at the time of access. additional configuration effort at the time of access.
o U6.4 Principals wants to protect the confidentiality of their data o U6.4 Principals wants to protect the confidentiality of their data
for privacy reasons. for privacy reasons.
o U6.5 Devices might not have an Internet connection at the time of o U6.5 Devices might not have an Internet connection at the time of
access. access.
2.7. Industrial Control Systems 2.7. Industrial Control Systems
skipping to change at page 18, line 19 skipping to change at page 18, line 24
general public how vulnerable this kind of systems are, especially general public how vulnerable this kind of systems are, especially
when connected to the Internet. The severity of these when connected to the Internet. The severity of these
vulnerabilities are exacerbated by the fact that many ICS are used to vulnerabilities are exacerbated by the fact that many ICS are used to
control critical public infrastructure, such as power, water control critical public infrastructure, such as power, water
treatment of traffic control. Nevertheless the economical advantages treatment of traffic control. Nevertheless the economical advantages
of connecting such systems to the Internet can be significant if of connecting such systems to the Internet can be significant if
appropriate security measures are put in place. appropriate security measures are put in place.
2.7.1. Oil Platform Control 2.7.1. Oil Platform Control
An oil platform uses an industrial control system to monitor data and An oil platform uses an industrical control system to monitor data
control equipment. The purpose of this system is to gather and and control equipment. The purpose of this system is to gather and
process data from a large number of sensors, and control actuators process data from a large number of sensors, and control actuators
such as valves and switches to steer the oil extraction process on such as valves and switches to steer the oil extraction process on
the platform. Raw data, alarms, reports and other information are the platform. Raw data, alarms, reports and other information are
also available to the operators, who can intervene with manual also available to the operators, who can intervene with manual
commands. Many of the sensors are connected to the controlling units commands. Many of the sensors are connected to the controlling units
by direct wire, but the operator is slowly replacing these units by by direct wire, but the operator is slowly replacing these units by
wireless ones, since this makes maintenance easier. wireless ones, since this makes maintenance easier.
The controlling units are connected to the Internet, to allow for The controlling units are connected to the Internet, to allow for
remote administration, since it is expensive and inconvenient to fly remote administration, since it is expensive and inconvenient to fly
skipping to change at page 19, line 5 skipping to change at page 19, line 10
2.7.2. Authorization Problems Summary 2.7.2. Authorization Problems Summary
o U7.1 The principal wants to ensure that only authorized clients o U7.1 The principal wants to ensure that only authorized clients
can read data from sensors and sent commands to actuators. can read data from sensors and sent commands to actuators.
o U7.2 The principal wants to ensure that data coming from sensors o U7.2 The principal wants to ensure that data coming from sensors
and commands sent to actuators are authentic. and commands sent to actuators are authentic.
o U7.3 Some devices do not have direct Internet connection. o U7.3 Some devices do not have direct Internet connection.
o U7.4 Some devices have wired connection while other use wireless. o U7.4 Some devices have wired connection while others use wireless.
o U7.5 The execution of unauthorized commands in an ICS can lead to o U7.5 The execution of unauthorized commands in an ICS can lead to
significant financial damage, and threaten the availability of significant financial damage, and threaten the availability of
critical infrastructure services. Accordingly, the principal critical infrastructure services. Accordingly, the principal
wants a security solution that provides a very high level of wants a security solution that provides a very high level of
security. security.
3. Security Considerations 3. Security Considerations
As the use cases listed in this document demonstrate, constrained As the use cases listed in this document demonstrate, constrained
devices are used in various application areas. The appeal of these devices are used in various application areas. The appeal of these
devices is that they are small and inexpensive. That makes it easy devices is that they are small and inexpensive. That makes it easy
to integrate them into many aspects of everyday life. Therefore, the to integrate them into many aspects of everyday life. Therefore, the
devices will be entrusted with vast amounts of valuable data or even devices will be entrusted with vast amounts of valuable data or even
control functions, that need to be protected from unauthorized control functions, that need to be protected from unauthorized
access. access. Moreover, the aggregation of data must be considered:
Moreover, the aggregation of data must be considered: attackers might attackers might not only collect data from a single device but from
not only collect data from a single device but from many devices, many devices, thus increasing the potential damage.
thus increasing the potential damage.
Not only the data on the constrained devices themselves is Not only the data on the constrained devices themselves is
threatened, the devices might also be abused as an intrusion point to threatened, the devices might also be abused as an intrusion point to
infiltrate a network. Once an attacker gained control over the infiltrate a network. Once an attacker gained control over the
device, it can be used to attack other devices as well. Due to their device, it can be used to attack other devices as well. Due to their
limited capabilities, constrained devices appear as the weakest link limited capabilities, constrained devices appear as the weakest link
in the network and hence pose an attractive target for attackers. in the network and hence pose an attractive target for attackers.
This section summarizes the security problems highlighted by the use This section summarizes the security problems highlighted by the use
cases above and provides guidelines for the design of protocols for cases above and provides guidelines for the design of protocols for
skipping to change at page 20, line 7 skipping to change at page 20, line 13
[RFC7258] attacks. [RFC7258] attacks.
As some of the use cases indicate, constrained devices may be As some of the use cases indicate, constrained devices may be
installed in hostile environments where they are physically installed in hostile environments where they are physically
accessible (see Section 2.5). Protection from physical attacks is accessible (see Section 2.5). Protection from physical attacks is
not in the scope of ACE, but should be kept in mind by developers of not in the scope of ACE, but should be kept in mind by developers of
authorization solutions. authorization solutions.
Denial of service (DoS) attacks threaten the availability of services Denial of service (DoS) attacks threaten the availability of services
a device provides. E.g., an attacker can induce a device to perform a device provides. E.g., an attacker can induce a device to perform
steps of a heavy weight security protocol (e.g. Datagram Transport steps of a heavy weight security protocol (e.g. Datagram Transport
Layer Security (DTLS) [RFC6347]) before authentication and Layer Security (DTLS) [RFC6347]) before authentication and
authorization can be verified, thus exhausting the device's system authorization can be verified, thus exhausting the device's system
resources. This leads to a temporary or - e.g. if the batteries are resources. This leads to a temporary or - e.g. if the batteries are
drained - permanent failure of the service. For some services of drained - permanent failure of the service. For some services of
constrained devices, availability is especially important (see constrained devices, availability is especially important (see
Section 2.3). Because of their limitations, constrained devices are Section 2.3). Because of their limitations, constrained devices are
especially vulnerable to denial of service attacks. Solution especially vulnerable to denial of service attacks. Solution
designers must be particularly careful to consider these limitations designers must be particularly careful to consider these limitations
in every part of the protocol. This includes: in every part of the protocol. This includes:
skipping to change at page 20, line 35 skipping to change at page 20, line 41
o Size of code required to run the protocol o Size of code required to run the protocol
o Size of RAM memory and stack required to run the protocol o Size of RAM memory and stack required to run the protocol
Another category of attacks that needs to be considered by solution Another category of attacks that needs to be considered by solution
developers is session interception and hijacking. developers is session interception and hijacking.
3.2. Configuration of Access Permissions 3.2. Configuration of Access Permissions
o The access control policies of the principals need to be enforced o The access control policies of the principals need to be enforced
(all use cases): The access control policies set by the Principals (all use cases): The information that is needed to implement the
need to be provisioned to the device that enforces the access control policies of the Principals need to be provided to
authorization and applied to every incoming request. the device that enforces the authorization and applied to every
incoming request.
o A single resource might have different access rights for different o A single resource might have different access rights for different
requesting entities (all use cases). requesting entities (all use cases).
Rationale: In some cases different types of users need different Rationale: In some cases different types of users need different
access rights, as opposed to a binary approach where the same access rights, as opposed to a binary approach where the same
access permissions are granted to all authenticated users. access permissions are granted to all authenticated users.
o A device might host several resources where each resource has its o A device might host several resources where each resource has its
own access control policy (all use cases). own access control policy (all use cases).
o The device that makes the policy decisions should be able to o The device that makes the policy decisions should be able to
evaluate context-based permissions such as location or time of evaluate context-based permissions such as location or time of
access (see e.g. Section 2.2, Section 2.3, Section 2.4). Access access (see e.g. Section 2.2, Section 2.3, Section 2.4). Access
may depend on local conditions, e.g. access to health data in an may depend on local conditions, e.g. access to health data in an
emergency. The device that makes the policy decisions should be emergency. The device that makes the policy decisions should be
able to take such conditions into account. able to take such conditions into account.
3.3. Design Considerations for Authorization Solutions 3.3. Design Considerations for Authorization Solutions
o Devices need to be enabled to enforce the principal's o Devices need to be enabled to enforce the principal's
authorization policies without the principal's intervention at the authorization policies without the principal's intervention at the
time of the access request (see e.g. Section 2.1, Section 2.2, time of the access request (see e.g. Section 2.1, Section 2.2,
Section 2.4, Section 2.5). Section 2.4, Section 2.5).
o Authorization solutions need to consider that constrained devices o Authorization solutions need to consider that constrained devices
might not have internet access at the time of the access request might not have internet access at the time of the access request
(see e.g. Section 2.1, Section 2.3, Section 2.5, Section 2.6). (see e.g. Section 2.1, Section 2.3, Section 2.5, Section 2.6).
o It should be possible to update access control policies without o It should be possible to update access control policies without
manually re-provisioning individual devices (see e.g. Section 2.2, manually re-provisioning individual devices (see e.g.
Section 2.3, Section 2.5, Section 2.6). Section 2.2, Section 2.3, Section 2.5, Section 2.6).
Rationale: Peers can change rapidly which makes manual re- Rationale: Peers can change rapidly which makes manual re-
provisioning unreasonably expensive. provisioning unreasonably expensive.
o Principals might define authorization policies for a large number o Principals might define authorization policies for a large number
of devices that might only have intermittent connectivity. of devices that might only have intermittent connectivity.
Distributing policy updates to every device for every update might Distributing policy updates to every device for every update might
not be a feasible solution. not be a feasible solution (see e.g. Section 2.5).
o It must be possible to dynamically revoke authorizations (see e.g. o It must be possible to dynamically revoke authorizations (see e.g.
Section 2.4). Section 2.4).
o The authentication and access control protocol can put undue o The authentication and access control protocol can put undue
burden on the constrained resources of a device participating in burden on the constrained system resources of a device
the protocol. An authorization solutions must take the participating in the protocol. An authorization solutions must
limitations of the constrained devices into account (see also take the limitations of the constrained devices into account (all
Section 3.1). use cases, see also Section 3.1).
o Secure default settings are needed for the initial state of the o Secure default settings are needed for the initial state of the
authentication and authorization protocols (all use cases). authentication and authorization protocols (all use cases).
Rationale: Many attacks exploit insecure default settings, and Rationale: Many attacks exploit insecure default settings, and
experience shows that default settings are frequently left experience shows that default settings are frequently left
unchanged by the end users. unchanged by the end users.
o Access to resources on other devices should only be permitted if a o Access to resources on other devices should only be permitted if a
rule exists that explicitly allows this access (default deny). rule exists that explicitly allows this access (default deny) (see
e.g. Section 2.4).
o Usability is important for all use cases. The configuration of o Usability is important for all use cases. The configuration of
authorization policies as well as the gaining access to devices authorization policies as well as the gaining access to devices
must be simple for the users of the devices. Special care needs must be simple for the users of the devices. Special care needs
to be taken for home scenarios where access control policies have to be taken for home scenarios where access control policies have
to be configured by users that are typically not trained in to be configured by users that are typically not trained in
security (see Section 2.2, Section 2.6). security (see Section 2.2, Section 2.3, Section 2.6).
3.4. Proxies 3.4. Proxies
In some cases, the traffic between Client and Resource Server might In some cases, the traffic between Client and Resource Server might
go through intermediary nodes (e.g. proxies, gateways). This might go through intermediary nodes (e.g. proxies, gateways). This might
affect the function or the security model of authentication and affect the function or the security model of authentication and
access control protocols e.g. end-to-end security between Client and access control protocols e.g. end-to-end security between Client and
Resource Server with DTLS might not be possible (see Section 2.5). Resource Server with DTLS might not be possible (see Section 2.5).
4. Privacy Considerations 4. Privacy Considerations
 End of changes. 44 change blocks. 
82 lines changed or deleted 85 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/