draft-ietf-ace-usecases-04.txt vs draft-ietf-ace-usecases-05.txt

ACE Working Group                                          L. Seitz, Ed.
Internet-Draft                                      SICS Swedish ICT AB
Intended status: Informational                          S. Gerdes, Ed.
Expires: March 4, 2016                           Universitaet Bremen TZI
                                                             G. Selander
                                                                Ericsson
                                                                 M. Mani
                                                                   Itron
                                                                S. Kumar
                                                        Philips Research
                                                      September 01, 2015

                              ACE use cases
                        draft-ietf-ace-usecases-05

(The previous version, draft-ietf-ace-usecases-04, is dated June 04,
2015 and expires December 6, 2015.)
Abstract

Constrained devices are nodes with limited processing power, storage
space and transmission capacities. These devices in many cases do
not provide user interfaces and are often intended to interact
without human intervention.

This document comprises a collection of representative use cases for
the application of authentication and authorization in constrained

[skipping to page 2, line 10]
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on March 4, 2016.

Copyright Notice

Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents

[skipping to page 2, line 35]

described in the Simplified BSD License.
Table of Contents

1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4
2. Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . 4
2.1. Container monitoring . . . . . . . . . . . . . . . . . . 4
2.1.1. Bananas for Munich . . . . . . . . . . . . . . . . . 5
2.1.2. Authorization Problems Summary . . . . . . . . . . . 6
2.2. Home Automation . . . . . . . . . . . . . . . . . . . . . 7
2.2.1. Controlling the Smart Home Infrastructure . . . . . . 7
2.2.2. Seamless Authorization . . . . . . . . . . . . . . . 8
2.2.3. Remotely letting in a visitor . . . . . . . . . . . . 8
2.2.4. Selling the house . . . . . . . . . . . . . . . . . . 8
2.2.5. Authorization Problems Summary . . . . . . . . . . . 8
2.3. Personal Health Monitoring . . . . . . . . . . . . . . . 10
2.3.1. John and the heart rate monitor . . . . . . . . . . . 10
2.3.2. Authorization Problems Summary . . . . . . . . . . . 11
2.4. Building Automation . . . . . . . . . . . . . . . . . . . 12
2.4.1. Device Lifecycle . . . . . . . . . . . . . . . . . . 12
2.4.2. Public Safety . . . . . . . . . . . . . . . . . . . . 14
2.4.3. Authorization Problems Summary . . . . . . . . . . . 15
2.5. Smart Metering . . . . . . . . . . . . . . . . . . . . . 16
2.5.1. Drive-by metering . . . . . . . . . . . . . . . . . . 16
2.5.2. Meshed Topology . . . . . . . . . . . . . . . . . . . 17
2.5.3. Advanced Metering Infrastructure . . . . . . . . . . 17
2.5.4. Authorization Problems Summary . . . . . . . . . . . 18
2.6. Sports and Entertainment . . . . . . . . . . . . . . . . 19
2.6.1. Dynamically Connecting Smart Sports Equipment . . . . 19
2.6.2. Authorization Problems Summary . . . . . . . . . . . 20
2.7. Industrial Control Systems . . . . . . . . . . . . . . . 20
2.7.1. Oil Platform Control . . . . . . . . . . . . . . . . 21
2.7.2. Authorization Problems Summary . . . . . . . . . . . 21
3. Security Considerations . . . . . . . . . . . . . . . . . . . 21
3.1. Attacks . . . . . . . . . . . . . . . . . . . . . . . . . 22
3.2. Configuration of Access Permissions . . . . . . . . . . . 23
3.3. Authorization Considerations . . . . . . . . . . . . . . 23
3.4. Proxies . . . . . . . . . . . . . . . . . . . . . . . . . 24
4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 25
5. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 25
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25
7. Informative References . . . . . . . . . . . . . . . . . . . 26
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 26
1. Introduction

Constrained devices [RFC7228] are nodes with limited processing
power, storage space and transmission capacities. These devices are
often battery-powered and in many cases do not provide user
interfaces.

Constrained devices benefit from being interconnected using Internet
protocols. However, due to the devices' limitations, commonly used

[skipping to page 5, line 4]
During the shipment to their destination the goods often pass stops
where they are transloaded to other means of transportation, e.g.
from ship transport to road transport.

The transportation and storage of perishable goods is especially
challenging since they have to be stored at a constant temperature
and with proper ventilation. Additionally, it is very important for
the vendors to be informed about irregularities in the temperature
and ventilation of fruits to avoid the delivery of decomposed fruits
to their customers. Real-time information on the state of the goods
is needed by the transporter in order to prioritize goods that will
expire soon.

Furthermore, the vendor also wants this type of information in real
time, in order to be able to react when goods are spoiled and to be
able to still fulfill delivery obligations.

The need for constant monitoring of perishable goods has led to
projects such as The Intelligent Container
(http://www.intelligentcontainer.com).
2.1.1. Bananas for Munich

A fruit vendor grows bananas in Costa Rica for the German market. It
instructs a transport company to deliver the goods via ship to
Rotterdam where they are picked up by trucks and transported to a
ripening facility. A Munich supermarket chain buys ripened bananas
from the fruit vendor and transports them from the ripening facility
to the individual markets with their own company trucks.

[skipping to page 6, line 9]
to the condition of the goods to other companies and therefore wants
to assure the confidentiality of this data (U1.4). Thus, the
transloading personnel is only allowed to access logistic information
(U1.1). Moreover, the transloading personnel is only allowed to
access the data for the time of the transloading (U1.8).

Due to the high water content of the fruits, the propagation of radio
waves is hindered, thus often inhibiting direct communication between
nodes [Jedermann14]. Instead, messages are forwarded over multiple
hops (U1.9). The sensors in the banana boxes cannot always reach the
Internet during the journey (U1.10). Sensors may need to use relay
stations owned by the transport company to connect to endpoints in
the Internet.

In the ripening facility bananas are stored until they are ready for
selling. The banana box sensors are used to control the ventilation
system and to monitor the degree of ripeness of the bananas. Ripe
bananas need to be identified and sold before they spoil (U1.2,
U1.8).

The supermarket chain gains ownership of the banana boxes when the
bananas have ripened and are ready to leave the ripening facility.
2.1.2. Authorization Problems Summary

o U1.1 Fruit vendors, transloading personnel and container owners
want to grant different authorizations for their resources and/or
endpoints to different parties.

o U1.2 The fruit vendor requires the integrity and authenticity of
the sensor data that pertains to the state of the goods for climate
control and to ensure the quality of the monitored recordings.

o U1.3 The container owner requires the integrity and authenticity
of the sensor data that is used for climate control.

o U1.4 The fruit vendor requires the confidentiality of the sensor
data that pertains to the state of the goods and the confidentiality
of location data, e.g., to protect them from targeted attacks from
competitors.

o U1.5 The fruit vendor may have several types of data that may be
controlled by the same endpoint, e.g., sensor data and the data
used for logistics.

o U1.6 The fruit vendor and the transloading personnel require the
authenticity and integrity of the data that is used to locate the
goods, in order to ensure that the goods are correctly treated and
delivered.

o U1.7 The container owner and the fruit vendor may not be present
at the time of access and cannot manually intervene in the
authorization process.

o U1.8 The fruit vendor, container owner and transloading company
want to grant temporary access permissions to a party, in order to
avoid giving permanent access to parties that are no longer
involved in processing the bananas.

o U1.9 The fruit vendor, container owner and transloading company
want their security objectives to be achieved, even if the
messages between the endpoints need to be forwarded over multiple
hops.

o U1.10 The constrained devices might not always be able to reach
the Internet but still need to enact the authorization policies of
their principals.

o U1.11 Fruit vendors and container owners want to be able to revoke
authorization on a malfunctioning sensor.
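As an added illustration of U1.1, U1.8, U1.9, U1.10 and U1.11 (example code written for this page, not part of the draft and not a mechanism the draft specifies): an authorization server issues a scoped, time-limited token protected by a MAC under a symmetric key that the sensor received at provisioning, so the sensor can enforce its principal's policy with no Internet connectivity and regardless of how many relays forwarded the message. The key, claim names, party names and the revocation set are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed example: the authorization server (AS) and each constrained
# resource server (RS, e.g. a banana box sensor) share a symmetric key that
# was installed at provisioning time, so the RS can verify tokens offline.


def issue_token(as_key: bytes, subject: str, audience: str, scopes,
                lifetime_s: int, now: int, token_id: str) -> str:
    """AS side: bind a party (subject) to an RS (audience), a set of
    permitted resources (scopes) and a validity window [nbf, exp)."""
    claims = {
        "sub": subject,
        "aud": audience,
        "scope": sorted(scopes),
        "nbf": now,
        "exp": now + lifetime_s,
        "jti": token_id,          # identifier used for revocation (U1.11)
    }
    body = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(as_key, body, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(body).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def verify_token(as_key: bytes, token: str, audience: str, now: int,
                 revoked=frozenset()):
    """RS side: return the granted scopes, or None if the token is rejected.
    Nothing here needs network access, and the MAC check makes the result
    independent of the relays that forwarded the token (U1.9)."""
    try:
        b64_body, b64_tag = token.split(".")
        body = base64.urlsafe_b64decode(b64_body)
        tag = base64.urlsafe_b64decode(b64_tag)
    except ValueError:
        return None
    expected = hmac.new(as_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None                      # forged or modified in transit
    claims = json.loads(body)
    if claims.get("aud") != audience:
        return None                      # token meant for another RS
    if not (claims["nbf"] <= now < claims["exp"]):
        return None                      # outside its validity window (U1.8)
    if claims["jti"] in revoked:
        return None                      # explicitly revoked (U1.11)
    return set(claims["scope"])


def is_allowed(as_key: bytes, token: str, audience: str, resource: str,
               now: int, revoked=frozenset()) -> bool:
    """Access decision for one resource on the RS (U1.1: different parties
    get different scopes, e.g. transloaders see logistics data only)."""
    scopes = verify_token(as_key, token, audience, now, revoked)
    return scopes is not None and resource in scopes


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"
    t0 = 1_000_000
    tok = issue_token(key, "transloader", "box-sensor-17", ["logistics"],
                      lifetime_s=3600, now=t0, token_id="tok-1")
    print(is_allowed(key, tok, "box-sensor-17", "logistics", t0 + 10))    # True
    print(is_allowed(key, tok, "box-sensor-17", "climate", t0 + 10))      # False
    print(is_allowed(key, tok, "box-sensor-17", "logistics", t0 + 3600))  # False
```

The revocation set only helps while the sensor can still receive updates; for a sensor that is cut off from the Internet (U1.10) the short `exp` is what bounds the damage from a token that should no longer be honoured, which is why the lifetime should match the expected duration of the transloading rather than the whole journey.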
2.2. Home Automation

Automation of the home has the potential to become a big future
market for the Internet of Things. One function of a home automation
system can be to connect devices in a house to the Internet and thus
make them accessible and manageable remotely. Such devices might
control for example heating, ventilation, lighting, home
entertainment or home security.

[skipping to page 8, line 45]
as they see fit (U2.3, U2.4).

When Alice's parents arrive at Alice's and Bob's home, they use their
smartphone to communicate with the door-lock and alarm system (U2.5,
U2.9).

2.2.4. Selling the house

Alice and Bob have to move because Alice is starting a new job. They
therefore decide to sell the house, and transfer control of all
automated services to the new owners (U2.11). Before doing that they
want to erase privacy relevant data from the logs of the automated
systems, while the new owner is interested to keep some historic data
e.g. pertaining to the behavior of the heating system (U2.12).
2.2.5. Authorization Problems Summary

o U2.1 A home owner (Alice and Bob in the example above) wants to
spontaneously provision authorization means to visitors.

o U2.2 A home owner wants to spontaneously change the home's access
control policies.

o U2.3 A home owner wants to apply different access rights for
different users.

o U2.4 The home owners want to grant access permissions to a party
for a specified time frame.

o U2.5 The smart home devices need to be able to communicate with
different control devices (e.g. wall-mounted touch panels,
smartphones, electronic key fobs).

o U2.6 The home owner wants to be able to configure authorization
policies remotely.

o U2.7 Authorized Users want to be able to obtain access with little
effort.

[skipping to page 10, line 13]

important operational data.
2.3. Personal Health Monitoring

The use of wearable health monitoring technology is expected to grow
strongly, as a multitude of novel devices are developed and marketed.
The need for open industry standards to ensure interoperability
between products has led to initiatives such as Continua Alliance
(continuaalliance.org) and Personal Connected Health Alliance
(pchalliance.org). Personal health devices are typically battery
driven, and located physically on, or in, the user. They monitor
some bodily function, such as e.g. temperature, blood pressure, or
pulse. They are connected to the Internet through an intermediary
base-station, using wireless technologies. Through this connection
they report the monitored data to some entity, which may either be
the user herself, or some medical personnel in charge of the user.

Medical data has always been considered as very sensitive, and
therefore requires good protection against unauthorized disclosure.
A frequent, conflicting requirement is the capability for medical
personnel to gain emergency access, even if no specific access rights
exist. As a result, the importance of secure audit logs increases in
such scenarios.

Since the users are not typically trained in security (or even
computer use), the configuration must use secure default settings,
and the interface must be well adapted to novice users. Parts of the
system must operate with minimal maintenance. Especially frequent
changes of battery are unacceptable.
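The combination of emergency access without pre-existing rights and a secure audit log described above, as an added example that is not taken from the draft: a break-glass decision path that grants medical personnel access in a declared emergency and records every decision in a hash-chained log, so that later editing, reordering or deleting an entry is detectable. The policy table, principals, roles and the emergency flag are constructed for the example; how an emergency is declared and authenticated is outside it.

```python
import hashlib
import json

GENESIS = "0" * 64


class AuditLog:
    """Append-only log where each record commits to the previous record's
    hash; editing or removing one entry breaks the chain from that point on."""

    def __init__(self):
        self.entries = []        # list of (record, record_hash)
        self.head = GENESIS

    @staticmethod
    def _digest(record) -> str:
        blob = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(blob).hexdigest()

    def append(self, event: dict) -> str:
        record = {"prev": self.head, "event": event}
        self.head = self._digest(record)
        self.entries.append((record, self.head))
        return self.head

    def verify(self) -> bool:
        """Recompute the chain; any modified, dropped or reordered entry,
        or a truncated tail, makes this return False."""
        prev = GENESIS
        for record, stored_hash in self.entries:
            if record["prev"] != prev or self._digest(record) != stored_hash:
                return False
            prev = stored_hash
        return prev == self.head


# Constructed policy: data class -> principals allowed in normal operation.
POLICY = {
    "heart_rate": {"john", "dr_smith"},
    "location": {"john"},
}
EMERGENCY_ROLE = "medical"   # role whose members may break the glass


def request_access(log: AuditLog, principal: str, role: str, data_class: str,
                   emergency: bool, now: int) -> bool:
    """Return True if access is granted. Every outcome is logged, and a
    break-glass grant is logged as such so it can be reviewed afterwards."""
    if principal in POLICY.get(data_class, set()):
        mode, granted = "normal", True
    elif emergency and role == EMERGENCY_ROLE:
        mode, granted = "break-glass", True
    else:
        mode, granted = "denied", False
    log.append({"t": now, "who": principal, "role": role,
                "data": data_class, "mode": mode, "granted": granted})
    return granted
```

The chain makes tampering detectable, not impossible: the device (or the base-station holding the log) should periodically hand the current `head` to a party the wearer trusts, since an attacker who controls the whole log can rewrite every hash consistently.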
2.3.1. John and the heart rate monitor

John has a heart condition that can result in sudden cardiac
arrests. He therefore uses a device called HeartGuard that monitors
his heart rate and his location (U3.7). In case of a cardiac arrest
it automatically sends an alarm to an emergency service, transmitting
John's current location (U3.1). This requires the device to be close
to a wireless access point, in order to be able to get an Internet
connection (e.g. John's smartphone). To ensure John's safety, the
device is expected to be in constant operation (U3.3, U3.6).

The device includes some authentication mechanism, in order to
prevent other persons who get physical access to it from acting as
the owner and messing up the access control and security settings
(U3.8).

[skipping to page 11, line 39]
o U3.1 The wearer of an eHealth device (John in the example above)
wants to pre-configure special access rights in the context of an
emergency.

o U3.2 The wearer of an eHealth device wants to selectively allow
different persons or groups access to medical data.

o U3.3 The security measures could affect battery lifetime of the
device and changing the battery is very inconvenient.

o U3.4 Devices are often used with default access control settings
which might threaten the security objectives of the device's
users.

o U3.5 Wearers of eHealth devices are often not trained in computer
use, and especially computer security.

o U3.6 Security mechanisms themselves could provide opportunities
for denial of service attacks, especially on the constrained
devices.

o U3.7 The device provides a service that can be fatal for the
wearer if it fails. Accordingly, the wearer wants the device to
have a high degree of resistance against attacks that may cause
the device to fail to operate partially or completely.

o U3.8 The wearer of an eHealth device requires the integrity and
confidentiality of the data measured by the device.

2.4. Building Automation

[skipping to page 13, line 35]
BLMS. Additionally employees are allowed to manually override the
lighting brightness and color in their office by using the switches
or handheld controllers. Such changes are allowed only if the
authorization rules exist in the BLMS. For example lighting in the
corridors may not be manually adjustable.

At the end of the day, lighting is dimmed down or switched off if no
occupancy is detected even if manually overridden during the day.

On a later date company B also moves into the same building, and
shares some of the common spaces with company A (U4.2, U4.9).
2.4.1.3. Maintenance
Company A's staff are annoyed that the lights switch off too often in
their rooms if they work silently in front of their computer.
Company A notifies the commissioning Company C about the issue and
asks them to increase the delay before lights switch off (U4.4).
Company C again gets the necessary authorization from the service
company to interact with the BLMS. The commissioner's tool gets the
skipping to change at page 14, line 22
it would be better to completely remove handheld controllers and asks
Company C to decommission them from the lighting system (U4.4).
Company C again gets the necessary authorization from the service
company to interact with the BLMS. The commissioner now deletes any
rules that authorized handheld controllers to control the lighting
(U4.3, U4.6). Additionally the commissioner instructs the BLMS to push
the new rule set, so that rules cached at the end devices can no
longer be used.
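The decommissioning step above relies on two things: deleting the rules at the BLMS, and pushing the change so that rule sets cached at the luminaires stop granting access. The following is an added example (not part of the draft) that models this with a policy epoch: the BLMS increments the epoch on revocation and pushes the new rule set, and a luminaire decides locally from its cache (it may have no connection to the BLMS at request time) but ignores any pushed policy older than the one it holds, so a replayed earlier policy cannot reinstate the handheld rules. The device names, the rule tuples and the epoch mechanism are assumptions of the example; the draft specifies no rule format.

```python
"""Revoking cached authorization rules with a pushed policy epoch.

Added example, not from the draft. Rules are (subject_type, resource,
action) tuples; the epoch mechanism is an assumption of this example.
"""


class BLMS:
    """Authorization server of the lighting system: holds the rules and
    pushes them, with a monotonically increasing epoch, to the luminaires."""

    def __init__(self):
        self.rules = set()
        self.epoch = 0
        self.devices = []

    def register(self, device):
        self.devices.append(device)
        device.receive_policy(self.epoch, frozenset(self.rules))

    def add_rule(self, rule):
        self.rules.add(rule)

    def revoke(self, predicate):
        """Delete matching rules and start a new epoch. Devices keep their
        old cache until push() is called."""
        removed = {r for r in self.rules if predicate(r)}
        self.rules -= removed
        self.epoch += 1
        return removed

    def push(self):
        for d in self.devices:
            d.receive_policy(self.epoch, frozenset(self.rules))


class Luminaire:
    """Constrained end device: decides from its cached rule set only."""

    def __init__(self, name):
        self.name = name
        self.epoch = -1
        self.cached = frozenset()

    def receive_policy(self, epoch, rules):
        # A replayed older policy must not reinstate revoked rules.
        if epoch < self.epoch:
            return False
        self.epoch, self.cached = epoch, rules
        return True

    def authorize(self, subject_type, resource, action):
        # Default deny: only an explicitly cached rule grants access.
        return (subject_type, resource, action) in self.cached


def decommission_handhelds():
    """Returns (before, stale, after, wallswitch, replay_accepted)."""
    blms = BLMS()
    blms.add_rule(("handheld", "light/state", "PUT"))
    blms.add_rule(("wallswitch", "light/state", "PUT"))
    lum = Luminaire("room-101")
    blms.register(lum)
    old_policy = (lum.epoch, lum.cached)          # what an attacker could replay

    before = lum.authorize("handheld", "light/state", "PUT")
    blms.revoke(lambda r: r[0] == "handheld")
    stale = lum.authorize("handheld", "light/state", "PUT")  # cache still grants
    blms.push()
    after = lum.authorize("handheld", "light/state", "PUT")
    wallswitch = lum.authorize("wallswitch", "light/state", "PUT")
    replay_accepted = lum.receive_policy(*old_policy)        # older epoch, ignored
    return before, stale, after, wallswitch, replay_accepted


if __name__ == "__main__":
    print(decommission_handhelds())  # (True, True, False, True, False)
```

The second return value is the point of the push: between revocation at the BLMS and the push, the luminaire still honours the handheld rule from its cache. The epoch check is what makes the push effective against a captured earlier policy message, not just against stale memory.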
2.4.2. Public Safety
The fire department requires, as part of the building safety code,
that the building have sensors that sense the level of smoke, heat,
etc., when a fire breaks out. These sensors report metrics which are
then used by a back-end server to map safe areas and unsafe areas
within a building and also possibly the structural integrity of the
building before fire-fighters may enter it.
Sensors may also be used to track where human/animal activity is
within the building. This will allow people stuck within the
building to be guided to safer areas and suggest possible actions
that they may take (e.g. using a client application on their phones,
or loudspeaker directions) in order to bring them to safety. In
certain cases, other organizations such as the Police, Ambulance, and
federal organizations are also involved and therefore the
coordination of tasks between the various entities has to be carried
out using efficient messaging and authorization mechanisms.
2.4.2.1. A fire breaks out
On a really hot day James, who works for company A, turns on the air
conditioning in his office. Lucy, who works for company B, wants to
make tea using an electric kettle. After turning it on she goes
outside to talk to a colleague until the water is boiling.
Unfortunately, her kettle has a malfunction which causes overheating
and results in a smoldering fire of the kettle's plastic case.
Due to the smoke coming from the kettle the fire alarm is triggered.
Alarm sirens throughout the building are switched on simultaneously
(using a group communication scheme) to alert the staff of both
companies (U4.8). Additionally, the ventilation system of the whole
building is closed off to prevent the smoke from spreading and to
withdraw oxygen from the fire. The smoke cannot get into James'
office although he turned on his air conditioning, because the fire
alarm overrides the manual setting by sending commands (using group
communication) to switch off all the air conditioning (U4.10).
The fire department is notified of the fire automatically and arrives
within a short time. After inspecting the damage and extinguishing
the smoldering fire a firefighter resets the fire alarm, because only
the fire department is authorized to do that (U4.4, U4.5, U4.11).
2.4.3. Authorization Problems Summary
o U4.1 The building owner and the companies want to be able to add
new devices to their administrative domain (commissioning).
o U4.2 The building owner and the companies want to be able to
integrate a device that formerly belonged to a different
administrative domain to their own administrative domain
(handover).
o U4.3 The building owner and the companies want to be able to
skipping to change at page 15, line 45
define context-based authorization rules.
o U4.6 The building owner and the companies want to be able to
revoke granted permissions and delegations.
o U4.7 The building owner and the companies want to allow only
authorized entities to send data to their endpoints (default deny).
o U4.8 The building owner and the companies want to be able to
authorize a device to control several devices at the same time
using a group communication scheme.
o U4.9 The companies want to be able to interconnect their own
subsystems with those from a different operational domain while
keeping the control over the authorizations (e.g. granting and
revoking permissions) for their endpoints and devices.
o U4.10 The authorization mechanisms must be able to cope with
extremely time-sensitive operations which have to be carried out
quickly.
o U4.11 The building owner and the public authorities want to be
able to perform data origin authentication on messages sent and
received by some of the systems in the building.
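U4.8 and U4.11 pull in different directions. A single key shared by the whole multicast group is cheap and lets the alarm reach every unit in one message, but a MAC under that key only proves that the message came from some group member. The added example below (not from the draft) shows a handheld controller, itself a member of the group, forging the fire alarm's "ac/off" command under a group-key MAC, and shows that a per-sender signature, which only the alarm can produce, gives the data origin authentication U4.11 asks for. A Lamport one-time signature over SHA-256 is used only because it needs nothing beyond Python's standard library; it stands in for whatever signature scheme a deployment would choose. Device names, the command bytes and all keys are constructed for the example.

```python
"""Group-key MAC versus per-sender signature for multicast commands.

Added example, not from the draft. Device names, the command bytes and
all keys are constructed here; the Lamport scheme is a stand-in for a
real signature algorithm.
"""
import hashlib
import hmac
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# (1) MAC under a key shared by every group member (alarm, handhelds,
#     air-conditioning units). It proves membership, not which member sent it.
def group_mac(group_key: bytes, sender: str, command: bytes) -> bytes:
    return hmac.new(group_key, sender.encode() + b"|" + command, "sha256").digest()


def verify_group_mac(group_key: bytes, sender: str, command: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(group_mac(group_key, sender, command), tag)


# (2) Lamport one-time signature: 256 pairs of 32-byte secrets; the public
#     key is the hash of each secret. Receivers hold only the public key.
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk


def _message_bits(msg: bytes):
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes):
    # For each digest bit, reveal the secret of the matching half of the pair.
    return [sk[i][bit] for i, bit in enumerate(_message_bits(msg))]


def lamport_verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    bits = _message_bits(msg)
    return all(H(s) == pk[i][bits[i]] for i, s in enumerate(sig))


def fire_alarm_override():
    """Returns (mac_ok, mac_forged_ok, sig_ok, sig_forged_ok, sig_tampered_ok)."""
    group_key = os.urandom(32)
    cmd = b"ac/off"

    # Genuine alarm command under the group key: accepted.
    tag = group_mac(group_key, "firealarm", cmd)
    mac_ok = verify_group_mac(group_key, "firealarm", cmd, tag)

    # A handheld controller holds the same group key and forges the alarm:
    # also accepted, because the MAC cannot tell the two apart.
    forged_tag = group_mac(group_key, "firealarm", cmd)
    mac_forged_ok = verify_group_mac(group_key, "firealarm", cmd, forged_tag)

    # Per-sender signature: only the alarm holds alarm_sk, units hold alarm_pk.
    alarm_sk, alarm_pk = lamport_keygen()
    sig = lamport_sign(alarm_sk, cmd)
    sig_ok = lamport_verify(alarm_pk, cmd, sig)

    handheld_sk, _ = lamport_keygen()
    sig_forged_ok = lamport_verify(alarm_pk, cmd, lamport_sign(handheld_sk, cmd))

    # Replaying the alarm's signature on a different command fails too.
    sig_tampered_ok = lamport_verify(alarm_pk, b"ac/on", sig)

    return mac_ok, mac_forged_ok, sig_ok, sig_forged_ok, sig_tampered_ok


if __name__ == "__main__":
    print(fire_alarm_override())  # (True, True, True, False, False)
```

Two costs of the signature side matter on constrained links and for the time-sensitivity in U4.10: a Lamport signature is 8 KiB and a public key 16 KiB, and each key pair may sign only one message (signing a second, different message reveals the other secret of every differing bit position). A deployment would pick a compact many-time scheme; the example is about the property, not the algorithm.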
2.5. Smart Metering
Automated measuring of customer consumption is an established
technology for electricity, water, and gas providers. Increasingly
these systems also feature networking capability to allow for remote
management. Such systems are in use for commercial, industrial and
residential customers and require a certain level of security, in
order to avoid economic loss to the providers, vulnerability of the
distribution system, as well as disruption of services for the
customers.
skipping to change at page 16, line 37
and only wake up every minute/hour to check for incoming
instructions. Furthermore they wake up a few times a day (based on
their configuration) to upload their measured metering data.
Different networking topologies exist for smart metering solutions.
Based on environment, regulatory rules and expected cost, one or a
mixture of these topologies may be deployed to collect the metering
information. Drive-by metering is one of the most common solutions
currently deployed for collecting data from gas and water meters.
Various stakeholders have a claim on the metering data. Utility
companies need the data for accounting, the metering equipment may be
operated by a third party Service Operator who needs to maintain it,
and the equipment is installed in the premises of the consumers,
measuring their consumption, which entails privacy questions.
2.5.1. Drive-by metering
A service operator offers smart metering infrastructures and related
services to various utility companies. Among these is a water
provider, who in turn supplies several residential complexes in a
city. The smart meters are installed in the end customers' homes to
measure water consumption and thus generate billing data for the
utility company; they can also be used to shut off the water if the
bills are not paid (U5.1, U5.3). The meters do so by sending and
receiving data to and from a base station (U5.2). Several base
skipping to change at page 17, line 34
A utility company is updating its old utility distribution network
with advanced meters and new communication systems, known as an
Advanced Metering Infrastructure (AMI). AMI refers to a system that
measures, collects and analyzes usage, and interacts with metering
devices such as electricity meters, gas meters, heat meters, and
water meters, through various communication media either on request
(on-demand) or on pre-defined schedules. Based on this technology,
new services make it possible for consumers to control their utility
consumption (U5.2, U5.6) and reduce costs by supporting new tariff
models from utility companies, and more accurate and timely billing.
However, the fine-grained measurement of consumption data may raise
privacy concerns for the end-customers, since it may allow others to
create behavioral profiles (U5.9).
The technical solution is based on levels of data aggregation between
smart meters located at the consumer premises and the Meter Data
Management (MDM) system located at the utility company (U5.8). For
reasons of efficiency and cost, end-to-end connectivity is not always
feasible, so metering data is stored and aggregated in various
intermediate devices before being forwarded to the utility company,
and in turn accessed by the MDM. The intermediate devices may be
operated by a third party service operator on behalf of the utility
company (U5.6). One responsibility of the service operator is to
skipping to change at page 19, line 5
always present at the time of access and cannot manually intervene
in the authorization process.
o U5.7 When authorization policies are updated it is impossible, or
at least very inefficient, to contact all affected endpoints
directly.
o U5.8 Messages between endpoints may need to be stored and
forwarded over multiple nodes.
o U5.9 Consumers may not want the Service Operator, the Utility
company or others to have access to a fine-grained level of
consumption data that allows the creation of behavioral profiles.
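U5.8 and U5.9 are what the added example below (not from the draft) puts together. Readings are tagged at the meter under a key it shares only with the utility's MDM, so the aggregator operated by the third-party service operator can store, batch and forward them, but cannot alter a reading without the MDM rejecting it. Separately, the meter coarsens the series to the granularity the consumer's policy allows before anything leaves the premises, so neither the operator nor the utility receives the fine-grained data. The meter id, the key, the readings, the JSON encoding and the granularity policy are constructed assumptions of the example.

```python
"""Store-and-forward metering data with end-to-end integrity and
meter-side coarsening.

Added example, not from the draft. All identifiers, keys and readings
are constructed; the JSON encoding is an assumption.
"""
import hmac
import json


def tag_reading(meter_key: bytes, meter_id: str, ts: int, value: int) -> dict:
    """Meter side: bind meter id, timestamp and value under the meter/MDM key."""
    body = {"meter": meter_id, "ts": ts, "value": value}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    body["tag"] = hmac.new(meter_key, canonical, "sha256").hexdigest()
    return body


def coarsen(readings, window: int):
    """Sum (ts, value) readings into buckets of `window` seconds."""
    buckets = {}
    for ts, value in readings:
        start = ts - ts % window
        buckets[start] = buckets.get(start, 0) + value
    return sorted(buckets.items())


def meter_export(meter_key: bytes, meter_id: str, readings, min_interval: int):
    """Apply the consumer's granularity policy before anything leaves the meter,
    then tag what is exported."""
    return [tag_reading(meter_key, meter_id, ts, v)
            for ts, v in coarsen(readings, min_interval)]


class Aggregator:
    """Intermediate node run by the service operator: stores and forwards,
    holds no meter key."""

    def __init__(self):
        self.store = []

    def receive(self, batch):
        self.store.extend(batch)

    def forward(self):
        batch, self.store = self.store, []
        return batch


def mdm_verify(keys: dict, batch):
    """Utility MDM: accept only readings whose tag verifies under the meter's key."""
    accepted, rejected = [], []
    for r in batch:
        key = keys.get(r.get("meter"))
        ok = False
        if key is not None:
            expected = tag_reading(key, r["meter"], r["ts"], r["value"])["tag"]
            ok = hmac.compare_digest(expected, r.get("tag", ""))
        (accepted if ok else rejected).append(r)
    return accepted, rejected


def scenario():
    """Returns (exported_fine, exported_hourly, accepted, rejected) counts."""
    meter_key = bytes(range(32))                  # constructed; provisioned at install
    keys = {"m-42": meter_key}                    # MDM's key table
    # constructed: eight quarter-hour readings (litres), ts in seconds
    readings = [(900 * i, 10 + (i % 4)) for i in range(8)]

    fine = meter_export(meter_key, "m-42", readings, 900)     # policy: 15-minute data
    hourly = meter_export(meter_key, "m-42", readings, 3600)  # policy: hourly only

    agg = Aggregator()
    agg.receive(hourly)
    batch = agg.forward()
    # The operator alters one stored reading before forwarding it.
    batch[0] = dict(batch[0], value=batch[0]["value"] * 10)
    accepted, rejected = mdm_verify(keys, batch)
    return len(fine), len(hourly), len(accepted), len(rejected)


if __name__ == "__main__":
    print(scenario())  # (8, 2, 1, 1)
```

The tag gives integrity and origin only. If the readings themselves must be hidden from the operator they would additionally be encrypted under a key the aggregator does not hold; the example leaves that out, since coarsening at the meter already keeps the fine-grained series off the path.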
2.6. Sports and Entertainment
In the area of leisure time activities, applications can benefit from
the small size and weight of constrained devices. Sensors and
actuators with various functions can be integrated into fitness
equipment, games and even clothes. Users can carry their devices
around with them at all times.
Usability is especially important in this area since users will often
want to spontaneously interconnect their devices with others.
skipping to change at page 20, line 32
rights dynamically when needed.
o U6.2 Sports equipment owners want the configuration of access
rights to work with very little effort.
o U6.3 Sports equipment owners want to be able to pre-configure
access policies that grant certain access permissions to endpoints
with certain attributes (e.g. endpoints of a certain user) without
additional configuration effort at the time of access.
o U6.4 Sports equipment owners want to protect the confidentiality
of their data for privacy reasons.
2.7. Industrial Control Systems
Industrial control systems (ICS) and especially supervisory control
and data acquisition systems (SCADA) use a multitude of sensors and
actuators in order to monitor and control industrial processes in the
physical world. Example processes include manufacturing, power
generation, and refining of raw materials.
Since the advent of the Stuxnet worm it has become obvious to the
skipping to change at page 23, line 43
o A device might host several resources where each resource has its
own access control policy (all use cases).
o The device that makes the policy decisions should be able to
evaluate context-based permissions such as location or time of
access (see e.g. Section 2.2, Section 2.3, Section 2.4). Access
may depend on local conditions, e.g. access to health data in an
emergency. The device that makes the policy decisions should be
able to take such conditions into account.
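The bullet above asks for decisions that depend on context evaluated at the device itself. As an added example (not from the draft), each rule below carries a condition over the request context which the device evaluates locally with default deny: cleaning staff may switch lights only during working hours, the fire department may reset the alarm only while on site, and a clinician may read health data only while an emergency is declared. The subjects, resources, context keys and conditions are assumptions chosen to mirror the scenarios in Section 2.

```python
"""Context-based permission evaluation on the device, default deny.

Added example, not from the draft. Subjects, resources, context keys
and the conditions are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List

Context = Dict[str, Any]


@dataclass(frozen=True)
class Rule:
    subject: str
    resource: str
    action: str
    condition: Callable[[Context], bool]


def during_working_hours(ctx: Context) -> bool:
    return 8 <= ctx.get("hour", -1) < 18


def on_site(ctx: Context) -> bool:
    return ctx.get("location") == "building-A"


def in_emergency(ctx: Context) -> bool:
    # The flag would be set locally by the fire alarm, not by the requester.
    return ctx.get("emergency", False) is True


RULES: List[Rule] = [
    Rule("cleaning", "light/state", "PUT", during_working_hours),
    Rule("fire-department", "alarm/state", "PUT", on_site),
    Rule("clinician", "patient/vitals", "GET", in_emergency),
]


def decide(rules: List[Rule], subject: str, resource: str, action: str, ctx: Context) -> bool:
    """Permit only if some rule matches the request and its condition holds."""
    for r in rules:
        if (r.subject, r.resource, r.action) == (subject, resource, action) and r.condition(ctx):
            return True
    return False


def examples():
    """A few decisions the device would make; returns a tuple of booleans."""
    return (
        decide(RULES, "cleaning", "light/state", "PUT", {"hour": 10}),            # True
        decide(RULES, "cleaning", "light/state", "PUT", {"hour": 22}),            # False
        decide(RULES, "fire-department", "alarm/state", "PUT", {"location": "building-A"}),  # True
        decide(RULES, "fire-department", "alarm/state", "PUT", {"location": "remote"}),      # False
        decide(RULES, "clinician", "patient/vitals", "GET", {"emergency": True}),  # True
        decide(RULES, "clinician", "patient/vitals", "GET", {}),                  # False
        decide(RULES, "handheld", "light/state", "PUT", {"hour": 10}),            # False: no rule
    )


if __name__ == "__main__":
    print(examples())
```

Which context values the device may trust is the design question this leaves open: the hour and the emergency flag come from the device's own clock and the alarm system, while a requester-supplied location would need to be attested before a rule like `on_site` is worth anything.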
3.3. Authorization Considerations
o Devices need to be enabled to enforce authorization policies
without human intervention at the time of the access request (see
e.g. Section 2.1, Section 2.2, Section 2.4, Section 2.5).
o Authorization solutions need to consider that constrained devices
might not have internet access at the time of the access request
(see e.g. Section 2.1, Section 2.3, Section 2.5, Section 2.6).
o It should be possible to update access control policies without
skipping to change at page 25, line 41
solution provides means for audit logs, it must consider the impact
of logged data on the privacy of all parties involved. Suitable
measures for protecting and purging the logs must be taken during
operation, maintenance and decommissioning of the device.
5. Acknowledgments
The authors would like to thank Olaf Bergmann, Sumit Singhal, John
Mattson, Mohit Sethi, Carsten Bormann, Martin Murillo, Corinna
Schmitt, Hannes Tschofenig, Erik Wahlstroem, Andreas Baeckman, Samuel
Erdtman, Steve Moore, Thomas Hardjono, Kepeng Li and Jim Schaad for
reviewing and/or contributing to the document. Also, thanks to
Markus Becker, Thomas Poetsch and Koojana Kuladinithi for their input
on the container monitoring use case. Furthermore the authors thank
Akbar Rahman, Chonggang Wang, and Vinod Choyi who contributed the
public safety scenario in the building automation use case.
Ludwig Seitz and Goeran Selander worked on this document as part of
EIT-ICT Labs activity PST-14056.
6. IANA Considerations
This document has no IANA actions.
7. Informative References
[Jedermann14]
Jedermann, R., Poetsch, T., and C. LLoyd, "Communication
techniques and challenges for wireless food quality
monitoring", Philosophical Transactions of the Royal
Society A Mathematical, Physical and Engineering Sciences,
May 2014.
[RFC6347] Rescorla, E. and N. Modadugu, "Datagram Transport Layer
Security Version 1.2", RFC 6347, DOI 10.17487/RFC6347,
January 2012, <http://www.rfc-editor.org/info/rfc6347>.
[RFC7228] Bormann, C., Ersue, M., and A. Keranen, "Terminology for
Constrained-Node Networks", RFC 7228, DOI 10.17487/RFC7228,
May 2014, <http://www.rfc-editor.org/info/rfc7228>.
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
Application Protocol (CoAP)", RFC 7252, DOI 10.17487/RFC7252,
June 2014, <http://www.rfc-editor.org/info/rfc7252>.
[RFC7258] Farrell, S. and H. Tschofenig, "Pervasive Monitoring Is an
Attack", BCP 188, RFC 7258, DOI 10.17487/RFC7258, May 2014,
<http://www.rfc-editor.org/info/rfc7258>.
Authors' Addresses
Ludwig Seitz (editor)
SICS Swedish ICT AB
Scheelevaegen 17
Lund 223 70
Sweden
Email: ludwig@sics.se
 End of changes. 38 change blocks. 
94 lines changed or deleted 164 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/