M2M,IoT, device management:one protocol to rule them all?

Julien Vermillard - Sierra Wireless

Who am I?

Software Engineer at Sierra Wireless, implementing various protocols for AirVantage cloud service

Apache member, Eclipse IoT committerCalifornium, Wakaama, Leshan open-source Lightweight M2M serverTinkerer: electronics, reversing, Linux

Photo Credit:https://www.flickr.com/photos/90514086@N00/952121271/ CC by-nc-sa

Agenda

M2M/IoT application protocols (XMPP, MQTT)

Web-of-things (CoAP)

IoT protocol security

Device management (TR-069, OMA-DM, OMA-LwM2M)

Impact on IoT architectures

Let’s start with..

QUESTIONS!

Questions

Know MQTT?

Questions

Use MQTT?

Questions

Know or use CoAP?

Questions

Device management: OMA-DM,Lightweight M2Mor TR-069?

Application protocols

XMPP

MQTT

CoAP

XMPP

Chat protocol based on XML recycled for IoT

XEP-0322 (PDF) Efficient XML Interchange (EXI) Format Standards - 2014-03-10

XEP-0323 (PDF) Internet of Things - Sensor Data - Experimental - 2014-04-07

XEP-0324 (PDF) Internet of Things - Provisioning - Experimental - 2014-05-21

XEP-0325 (PDF) Internet of Things - Control -Experimental 2014-04-07

XEP-0326 (PDF) Internet of Things - Concentrators - Experimental 2014-03-10

XMPP

<message from='device@clayster.com' to='client@clayster.com/amr'> <fields xmlns='urn:xmpp:iot:sensordata' seqnr='5'> <node nodeId='Device02'> <timestamp value='2013-03-07T19:31:15'> <numeric name='Temperature' momentary='true' automaticReadout='true' value='23.4' unit='°C'/> </timestamp> </node> </fields></message>

MQ Telemetry Transport

Killer protocol for M2M applications

Connect everything with a central broker

Content agnostic

Simplicity is MQTT feature #1

MQ Telemetry Transport- a sensor pushes telemetry values on topics greenhouse/42/temperature greenhouse/42/humidity greenhouse/42/luminosity

- actions are on another topic greenhouse/42/open-the-roof

- payload format is free (json,binary,whatever..)

MQTT security

- Username and password

- TLS on top of the TCP stream

MQ Telemetry Transport @ Eclipse IoT

Write your first MQTT application today :)

Mosquitto lightweight brokerMoquette Java based brokerPaho clients Java, C/C++, Go, Python, LuaPonte bridge MQTT, CoAP and HTTP Kura Java OSGi application framework

M2M: devices to a server

ServerServer

IoT: devices on Internet

Internet

Web of things

IP address for everything!

6LoWPAN on 802.15.4, Bluetooth LE

Small IPv6 stack in battery powered devices

Create mesh network with RPL (RFC 6550)

Web of things

REST for everything!

Sensor will live for decades

Applications will evolve

Things should expose dumb REST API, put the behaviour in mashup applications

Web of things

CoAPConstrained Application Protocol

Internet Eng. Task Force standard for IoT

Started around 2010!

Final RFC 7252 published

CoAPCo: Constrained

Simple to encode/decode: target 1$ 8bits MCU

100K Flash, 10K RAM

CoAPCo: Constrained

HTTP and TCP are not a good fit, use UDP

Low power networks

CoAPAP: Application Protocol

RESTful protocol designed from scratchTransparent mapping to HTTPAdditional features of M2M scenarios

GET, POST, PUT, DELETEURIs and media types

DeduplicationOptional retransmissionsObservation, SMS

CoAPProtocol structure

Binary protocol● Low parsing complexity

● Small message size

Options● Numbers with IANA registry

● Type-Length-Value

● Special option header marks payload if present

CoAPDiscoverability

Based on Web Linking (RFC5988)Extended to Core Link Format (RFC6690)

Decentralized discovery: Multicast DiscoveryInfrastructure-based: Resource Directories

</config/groups>;rt="core.gp";ct=39,</sensors/temp>;rt="ucum.Cel";ct="0 50";obs,</large>;rt="block";sz=1280;title="Large resource"

GET /.well-known/core

CoAPSecurity

Based on DTLS (TLS/SSL for Datagrams)

Focus on Elliptic Curve Cryptography (ECC)

ECDH, ECDSA, AES

Hardware acceleration for IoT devices

CaliforniumCoAP @ Eclipse IoT

Pure Java library

DTLS PSK/RPK/X509

Unconstrained: For large devices or cloud services

http://eclipse.org/californium

M2M/IoT Protocol security

IoT/M2M protocol security

TLS for TCP (RFC 5246)DTLS for UDP (RFC 6347)

Rolling your own is still not recommended :)

TLS/DTLS complexity?

It’s customizable:

X.509 certificate: certificate with chain of trust (CA & PKI)

Raw-Public-key: only private/public key

Pre-Shared-Key: symmetric keys without forward secrecy

TLS/DTLS complexity?

Arduino Uno can run CoAP/MQTT

But not in a secure way :(

ROM/RAM cost estimation for (D)TLS:http://www.ietf.org/id/draft-ietf-lwig-tls-minimal-01.txt

(D)TLS Pre-Shared-Key mode+----------------------+-----------------+| | DTLS || +--------+--------+| | ROM | RAM |+----------------------+--------+--------+| State Machine | 8.15 | 1.9 || Cryptography | 3.3 | 1.5 || DTLS Record Layer | 3.7 | 0.5 |+----------------------+--------+--------+| TOTAL | 15.15 | 3.9 |+----------------------+--------+--------+ Table 1: Memory Requirements in KB

(D)TLS Raw Public Key mode+----------------------------+---------------+| Cryptographic functions | Code size |+----------------------------+---------------+| MD5 | 4,856 bytes || SHA1 | 2,432 bytes || HMAC | 2,928 bytes || RSA | 3,984 bytes || Big Integer Implementation | 8,328 bytes || AES | 7,096 bytes || RC4 | 1,496 bytes || Random Number Generator | 4,840 bytes |+----------------------------+---------------+

(D)TLS Raw certificate mode

You need to add:

ASN.1 parserX509 certificate check codeRevocation?

TLS for embedded

It’s still a challenge on some platform

IETF DICE working group https://datatracker.ietf.org/wg/dice/

But weirdly TLS PSK is not used

Certificate revocation is also a mess for IoT

Open-source DTLS implementation

TinyDTLS: http://tinydtls.sourceforge.net

MIT licensed embedded friendlyLua binding: https://github.com/sbernard31/luadtls

Eclipse Californium Scandium:A Java implementation of DTLShttps://github.com/eclipse/californium.scandium

More security challenges ;)

Provisioning your key from the factory and pushing them on the server...

... for million of devices with different keys

… and with the capability of changing the keys over-the-air

Device Management

Device management

Monitor, configure, secure, and update your devices

All you need for operating a fleet of IoT devices

Not tied to your application

Interoperability is the key

You don't know yet what hardware will power your IoT projects on the field

but you MUST be able to do management in a consistent way

D.M. protocols

Usual suspects:

TR-069

OMA-DM

Lightweight M2M

TR-069

Bidirectional SOAP API for :broadband modems, gateway, set-top-boxes

Configure, monitor, firmware upgrades.

Yeah SOAP : HTTPS and XML :(

Not wireless friendly

OMA-DM

An Open Mobile Alliance standard for Device Management

Targets mobile phone terminals but can be used for M2M

Mean to be used by mobile network operators.

OMA-DM features

Read, write configuration or monitoring nodes.

Trigger remote commands (Exec)

FUMO: Firmware Update Management Object

SCOMO: Software Component Management Object

OMA-DM flaws

Phone oriented

HTTP+XML (or binary XML) not compact at all

OMA-DM flaws: Hello world :)

<?xml version="1.0" encoding="UTF-8"?><SyncML xmlns="SYNCML:SYNCML1.2"> <SyncHdr>

<VerDTD>1.2</VerDTD><VerProto>DM/1.2</VerProto><SessionID>D101</SessionID><MsgID>1</MsgID><Target>

<LocURI>http://na.airvantage.net</LocURI></Target><Source><LocURI>IMEI:1234567890</LocURI></Source><Meta>

<MaxMsgSize>20480</MaxMsgSize> <MaxObjSize>512000</MaxObjSize>

</Meta> </SyncHdr> <SyncBody>

<Alert> <CmdID>1</CmdID> <Data>1201</Data>

</Alert><Replace>

<CmdID>2</CmdID> <Item> <Source><LocURI>./DevInfo/DevId</LocURI></Source> <Data>IMEI:1234567890</Data> </Item>

<Item> <Source><LocURI>./DevInfo/Man</LocURI></Source> <Data>Sierra Wireless</Data> </Item> <Item> <Source><LocURI>./DevInfo/Mod</LocURI></Source> <Data>SL6087</Data> </Item> <Item> <Source><LocURI>./DevInfo/DmV</LocURI></Source> <Data>Sierra Wireless OMC v2.0</Data> </Item> <Item> <Source><LocURI>./DevInfo/Lang</LocURI></Source><Data>en</Data> </Item>

</Replace><Final />

</SyncBody></SyncML>

OMA-DM: Helloworld server reply<?xml version='1.0' encoding='UTF-8' standalone='no' ?><SyncML xmlns="SYNCML:SYNCML1.2"> <SyncHdr><VerDTD>1.2</VerDTD><VerProto>DM/1.2</VerProto><SessionID>D101</SessionID>

<MsgID>1</MsgID><Target><LocURI>IMEI:1234567890</LocURI></Target><Source><LocURI>http://na.airvantage.net</LocURI>

<LocName>AIRVANTAGE-SERVER</LocName></Source>

</SyncHdr> <SyncBody>

<Status> <CmdID>5</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd> <Chal><Meta> <Format xmlns="syncml:metinf">b64</Format> <Type xmlns="syncml:metinf">syncml:auth-MAC</Type> XML QUOTA EXCEEDED..

OMA-DM security flaws

Weak security (MD5-HMAC) on top of HTTPUse full HTTPS for higher grade security

Complex to implement correctly, no streaming due to HMAC

Unnecessary complex protocols is the safest way to security holes

OMA-DM

But works :)

Your mobile phone is managed using OMA-DM

OMA Lightweight M2M

A reboot of OMA-DM but for M2M

Built on top of CoAP

REST API for device management

Lightweight M2M: API

SecurityDeviceServerConnectivity monitoringConnectivity statisticsLocationFirmwareThe objects have a numerical identifier.

Lightweight M2M: URL

/{object}/{instance}/{resource}

Examples:

"/6/0" the whole position object (binary record).

"/6/0/2" only the altitude.

Lightweight M2M: API

You can define your custom objects

Published or not

Structure is discovered using the CoAP link object format (RFC 6690)

Lightweight M2M: bootstrap

Initial keying and configuration

Well defined security lifecycle

How to update credential and security scheme

Keying from factory, smartcard, or over-the-air

Lightweight M2M: bootstrap

Device can go out of factory with just BS credential

When it goes live the BS server provisions the DM keys

Future proof, and the BS server can be really robust

Eclipse Wakaama

http://eclipse.org/wakaama

A C library for implementing LWM2M

Embedded friendly

Lua binding for Wakaama:https://github.com/sbernard31/lualwm2m

More Lightweight M2M open source

Leshan A Java implementation of LWM2M

Server library based on Eclipse CaliforniumServer UI

http://github.com/jvermillard/leshan

LWM2M Demo

SHOWTIME!

Protocol convergence

M2M/IoT is not a simple problem

Security and provisioning are really the hardest ones

Try hard to reduce the number of protocols to make your life easier!

Burning in IoT hell: Mixing protocols

Cloud servers

Radio module

2G/3G/LTE

ZigBee/6LowPan

WiFi, etc..

App1

App2

App3

Supervisor

Low powerApp

OMA-DM

MQTT/CoAP

OMA-DM

Ad-hoc

Linux O/S

TR-069

NetworkOperator

LWM2M + CoAP

LWM2M provide device management and security workflow for CoAP application using the same protocol!

Huge simplicity and security win!

Break silos: embrace the web-of-things

Think security first, it’s your biggest challenge

Use standards for device management and keying

CoAP + LWM2M for your next IoT application!

Key takeaways

Thanks!Twitter: @vrmvrm

E-mail: jvermillard@sierrawireless.com

Creative Commons – Attribution (CC BY 3.0) Microchip designed by Nicolò Bertoncin from the Noun ProjectCloud designed by James Fenton from the Noun ProjectSecure by Charlene Chen from The Noun ProjectChat by Icomatic from The Noun Project Microchip designed by Mario Verduzco from the Noun ProjectCertificate designed by Charlene Chen from the Noun Project