Diese Präsentation wurde erfolgreich gemeldet.
Wir verwenden Ihre LinkedIn Profilangaben und Informationen zu Ihren Aktivitäten, um Anzeigen zu personalisieren und Ihnen relevantere Inhalte anzuzeigen. Sie können Ihre Anzeigeneinstellungen jederzeit ändern.
M2M,IoT, device management: 
one protocol to rule them all? 
Julien Vermillard - Sierra Wireless
Who am I? 
Software Engineer at Sierra Wireless, 
implementing various protocols for AirVantage 
cloud service 
Apache mem...
Photo Credit:https://www.flickr.com/photos/90514086@N00/952121271/ CC by-nc-sa
Agenda 
M2M/IoT application protocols (XMPP, MQTT) 
Web-of-things (CoAP) 
IoT protocol security 
Device management (TR-069...
Let’s start with.. 
QUESTIONS!
Questions 
Know MQTT?
Questions 
Use MQTT?
Questions 
Know or use 
CoAP?
Questions 
Device management: 
OMA-DM, 
Lightweight M2M 
or TR-069?
Application protocols 
XMPP 
MQTT 
CoAP
XMPP 
Chat protocol based on XML recycled for IoT 
XEP-0322 (PDF) Efficient XML Interchange (EXI) Format Standards - 2014-...
XMPP 
<message from='device@clayster.com' 
to='client@clayster.com/amr'> 
<fields xmlns='urn:xmpp:iot:sensordata' seqnr='5...
MQ Telemetry Transport 
Killer protocol for M2M applications 
Connect everything with a central broker 
Content agnostic 
...
MQ Telemetry Transport 
- a sensor pushes telemetry values on topics 
greenhouse/42/temperature 
greenhouse/42/humidity 
g...
MQTT security 
- Username and password 
- TLS on top of the TCP stream
MQ Telemetry Transport @ Eclipse IoT 
Write your first MQTT application today :) 
Mosquitto lightweight broker 
Moquette J...
M2M: devices to a server 
Server Server
IoT: devices on Internet 
Internet
Web of things 
IP address for everything! 
6LoWPAN on 802.15.4, Bluetooth LE 
Small IPv6 stack in battery powered devices ...
Web of things 
REST for everything! 
Sensor will live for decades 
Applications will evolve 
Things should expose dumb RES...
Web of things
CoAP 
Constrained Application Protocol 
Internet Eng. Task Force standard for IoT 
Started around 2010! 
Final RFC 7252 pu...
CoAP 
Co: Constrained 
Simple to encode/decode: target 1$ 8bits MCU 
100K Flash, 10K RAM
CoAP 
Co: Constrained 
HTTP and TCP are not a good fit, use UDP 
Low power networks
CoAP 
AP: Application Protocol 
RESTful protocol designed from scratch 
Transparent mapping to HTTP 
Additional features o...
CoAP 
Protocol structure 
Binary protocol 
● Low parsing complexity 
● Small message size 
Options 
● Numbers with IANA re...
CoAP 
Discoverability 
Based on Web Linking (RFC5988) 
Extended to Core Link Format (RFC6690) 
GET /.well-known/core 
</co...
CoAP 
Security 
Based on DTLS (TLS/SSL for Datagrams) 
Focus on Elliptic Curve Cryptography (ECC) 
ECDH, ECDSA, AES 
Hardw...
Californium 
CoAP @ Eclipse IoT 
Pure Java library 
DTLS PSK/RPK/X509 
Unconstrained: 
For large devices or cloud services...
M2M/IoT Protocol security
IoT/M2M protocol security 
TLS for TCP (RFC 5246) 
DTLS for UDP (RFC 6347) 
Rolling your own is still not recommended :)
TLS/DTLS complexity? 
It’s customizable: 
X.509 certificate: certificate with chain of trust (CA & PKI) 
Raw-Public-key: o...
TLS/DTLS complexity? 
Arduino Uno can run CoAP/MQTT 
But not in a secure way :( 
ROM/RAM cost estimation for (D)TLS: 
http...
(D)TLS Pre-Shared-Key mode 
+----------------------+-----------------+ 
| | DTLS | 
| +--------+--------+ 
| | ROM | RAM |...
(D)TLS Raw Public Key mode 
+----------------------------+---------------+ 
| Cryptographic functions | Code size | 
+----...
(D)TLS Raw certificate mode 
You need to add: 
ASN.1 parser 
X509 certificate check code 
Revocation?
TLS for embedded 
It’s still a challenge on some platform 
IETF DICE working group https://datatracker. 
ietf.org/wg/dice/...
Open-source DTLS implementation 
TinyDTLS: http://tinydtls.sourceforge.net 
MIT licensed embedded friendly 
Lua binding: h...
More security challenges ;) 
Provisioning your key from the factory and 
pushing them on the server... 
... for million of...
Device Management
Device management 
Monitor, configure, secure, and update your 
devices 
All you need for operating a fleet of IoT devices...
Interoperability is the key 
You don't know yet what hardware will power 
your IoT projects on the field 
but you MUST be ...
D.M. protocols 
Usual suspects: 
TR-069 
OMA-DM 
Lightweight M2M
TR-069 
Bidirectional SOAP API for : 
broadband modems, gateway, set-top-boxes 
Configure, monitor, firmware upgrades. 
Ye...
OMA-DM 
An Open Mobile Alliance standard for Device 
Management 
Targets mobile phone terminals but can be 
used for M2M 
...
OMA-DM features 
Read, write configuration or monitoring nodes. 
Trigger remote commands (Exec) 
FUMO: Firmware Update Man...
OMA-DM flaws 
Phone oriented 
HTTP+XML (or binary XML) not compact at all
OMA-DM flaws: Hello world :) 
<?xml version="1.0" encoding="UTF-8"?> 
<SyncML xmlns="SYNCML:SYNCML1.2"> 
<SyncHdr> 
<VerDT...
<MaxMsgSize>20480</MaxMsgSize> 
<MaxObjSize>512000</MaxObjSize> 
</Meta> 
</SyncHdr> 
<SyncBody> 
<Alert> 
<CmdID>1</CmdID...
<Item> 
<Source><LocURI>./DevInfo/Man</LocURI></Source> 
<Data>Sierra Wireless</Data> 
</Item> 
<Item> 
<Source><LocURI>./...
OMA-DM: Helloworld server reply 
<?xml version='1.0' encoding='UTF-8' standalone='no' ?> 
<SyncML xmlns="SYNCML:SYNCML1.2"...
OMA-DM security flaws 
Weak security (MD5-HMAC) on top of HTTP 
Use full HTTPS for higher grade security 
Complex to imple...
OMA-DM 
But works :) 
Your mobile phone is managed using OMA-DM
OMA Lightweight M2M 
A reboot of OMA-DM but for M2M 
Built on top of CoAP 
REST API for device management
Lightweight M2M: API 
Security 
Device 
Server 
Connectivity monitoring 
Connectivity statistics 
Location 
Firmware 
The ...
Lightweight M2M: URL 
/{object}/{instance}/{resource} 
Examples: 
"/6/0" the whole position object (binary 
record). 
"/6/...
Lightweight M2M: API 
You can define your custom objects 
Published or not 
Structure is discovered using the CoAP link 
o...
Lightweight M2M: bootstrap 
Initial keying and configuration 
Well defined security lifecycle 
How to update credential an...
Lightweight M2M: bootstrap 
Device can go out of factory with just BS 
credential 
When it goes live the BS server provisi...
Eclipse Wakaama 
http://eclipse.org/wakaama 
A C library for implementing LWM2M 
Embedded friendly 
Lua binding for Wakaam...
More Lightweight M2M open source 
Leshan A Java implementation of LWM2M 
Server library based on Eclipse Californium 
Serv...
LWM2M Demo 
SHOWTIME!
Protocol convergence 
M2M/IoT is not a simple problem 
Security and provisioning are really the hardest 
ones 
Try hard to...
Burning in IoT hell: Mixing protocols 
Cloud servers 
OMA-DM 
Radio module 
2G/3G/LTE 
ZigBee/6LowPan 
WiFi, etc.. 
App1 
...
LWM2M + CoAP 
LWM2M provide device management and 
security workflow for CoAP application using 
the same protocol! 
Huge ...
Key takeaways 
Break silos: embrace the web-of-things 
Think security first, it’s your biggest challenge 
Use standards fo...
Thanks! 
Twitter: @vrmvrm 
E-mail: jvermillard@sierrawireless.com 
Creative Commons – Attribution (CC BY 3.0) 
Microchip d...
Nächste SlideShare
Wird geladen in …5
×

Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?

9.354 Aufrufe

Veröffentlicht am

M2M/IoT is rapidly growing and since its early days different “standard” protocols have emerged (e.g. OMA-DM, TR-069, MQTT, …) or are emerging (e.g. CoAP or Lightweight M2M). Understanding which protocol to use for which application can be intimidating, therefore we propose to give an overview of these protocols to help you understand their goals and characteristics. We’ll present common M2M use cases and why they usually require more than just one protocol ; we will also see whether CoAP associated with Lightweight M2M allows to forge “one protocol to rule them all”.

Veröffentlicht in: Internet
  • Hey guys! Who wants to chat with me? More photos with me here 👉 http://www.bit.ly/katekoxx
       Antworten 
    Sind Sie sicher, dass Sie …  Ja  Nein
    Ihre Nachricht erscheint hier

Iot Conference Berlin M2M,IoT, device management: one protocol to rule them all?

  1. 1. M2M,IoT, device management: one protocol to rule them all? Julien Vermillard - Sierra Wireless
  2. 2. Who am I? Software Engineer at Sierra Wireless, implementing various protocols for AirVantage cloud service Apache member, Eclipse IoT committer Californium, Wakaama, Leshan open-source Lightweight M2M server Tinkerer: electronics, reversing, Linux
  3. 3. Photo Credit:https://www.flickr.com/photos/90514086@N00/952121271/ CC by-nc-sa
  4. 4. Agenda M2M/IoT application protocols (XMPP, MQTT) Web-of-things (CoAP) IoT protocol security Device management (TR-069, OMA-DM, OMA-LwM2M) Impact on IoT architectures
  5. 5. Let’s start with.. QUESTIONS!
  6. 6. Questions Know MQTT?
  7. 7. Questions Use MQTT?
  8. 8. Questions Know or use CoAP?
  9. 9. Questions Device management: OMA-DM, Lightweight M2M or TR-069?
  10. 10. Application protocols XMPP MQTT CoAP
  11. 11. XMPP Chat protocol based on XML recycled for IoT XEP-0322 (PDF) Efficient XML Interchange (EXI) Format Standards - 2014-03-10 XEP-0323 (PDF) Internet of Things - Sensor Data - Experimental - 2014-04-07 XEP-0324 (PDF) Internet of Things - Provisioning - Experimental - 2014-05-21 XEP-0325 (PDF) Internet of Things - Control -Experimental 2014-04-07 XEP-0326 (PDF) Internet of Things - Concentrators - Experimental 2014-03-10
  12. 12. XMPP <message from='device@clayster.com' to='client@clayster.com/amr'> <fields xmlns='urn:xmpp:iot:sensordata' seqnr='5'> <node nodeId='Device02'> <timestamp value='2013-03-07T19:31:15'> <numeric name='Temperature' momentary='true' automaticReadout='true' value='23.4' unit='°C'/> </timestamp> </node> </fields> </message>
  13. 13. MQ Telemetry Transport Killer protocol for M2M applications Connect everything with a central broker Content agnostic Simplicity is MQTT feature #1
  14. 14. MQ Telemetry Transport - a sensor pushes telemetry values on topics greenhouse/42/temperature greenhouse/42/humidity greenhouse/42/luminosity - actions are on another topic greenhouse/42/open-the-roof - payload format is free (json,binary,whatever..)
  15. 15. MQTT security - Username and password - TLS on top of the TCP stream
  16. 16. MQ Telemetry Transport @ Eclipse IoT Write your first MQTT application today :) Mosquitto lightweight broker Moquette Java based broker Paho clients Java, C/C++, Go, Python, Lua Ponte bridge MQTT, CoAP and HTTP Kura Java OSGi application framework
  17. 17. M2M: devices to a server Server Server
  18. 18. IoT: devices on Internet Internet
  19. 19. Web of things IP address for everything! 6LoWPAN on 802.15.4, Bluetooth LE Small IPv6 stack in battery powered devices Create mesh network with RPL (RFC 6550)
  20. 20. Web of things REST for everything! Sensor will live for decades Applications will evolve Things should expose dumb REST API, put the behaviour in mashup applications
  21. 21. Web of things
  22. 22. CoAP Constrained Application Protocol Internet Eng. Task Force standard for IoT Started around 2010! Final RFC 7252 published
  23. 23. CoAP Co: Constrained Simple to encode/decode: target 1$ 8bits MCU 100K Flash, 10K RAM
  24. 24. CoAP Co: Constrained HTTP and TCP are not a good fit, use UDP Low power networks
  25. 25. CoAP AP: Application Protocol RESTful protocol designed from scratch Transparent mapping to HTTP Additional features of M2M scenarios GET, POST, PUT, DELETE URIs and media types Deduplication Optional retransmissions Observation, SMS
  26. 26. CoAP Protocol structure Binary protocol ● Low parsing complexity ● Small message size Options ● Numbers with IANA registry ● Type-Length-Value ● Special option header marks payload if present
  27. 27. CoAP Discoverability Based on Web Linking (RFC5988) Extended to Core Link Format (RFC6690) GET /.well-known/core </config/groups>;rt="core.gp";ct=39, </sensors/temp>;rt="ucum.Cel";ct="0 50";obs, </large>;rt="block";sz=1280 ;title="Large resource" Decentralized discovery: Multicast Discovery Infrastructure-based: Resource Directories
  28. 28. CoAP Security Based on DTLS (TLS/SSL for Datagrams) Focus on Elliptic Curve Cryptography (ECC) ECDH, ECDSA, AES Hardware acceleration for IoT devices
  29. 29. Californium CoAP @ Eclipse IoT Pure Java library DTLS PSK/RPK/X509 Unconstrained: For large devices or cloud services http://eclipse.org/californium
  30. 30. M2M/IoT Protocol security
  31. 31. IoT/M2M protocol security TLS for TCP (RFC 5246) DTLS for UDP (RFC 6347) Rolling your own is still not recommended :)
  32. 32. TLS/DTLS complexity? It’s customizable: X.509 certificate: certificate with chain of trust (CA & PKI) Raw-Public-key: only private/public key Pre-Shared-Key: symmetric keys without forward secrecy
  33. 33. TLS/DTLS complexity? Arduino Uno can run CoAP/MQTT But not in a secure way :( ROM/RAM cost estimation for (D)TLS: http://www.ietf.org/id/draft-ietf-lwig-tls-minimal-01.txt
  34. 34. (D)TLS Pre-Shared-Key mode +----------------------+-----------------+ | | DTLS | | +--------+--------+ | | ROM | RAM | +----------------------+--------+--------+ | State Machine | 8.15 | 1.9 | | Cryptography | 3.3 | 1.5 | | DTLS Record Layer | 3.7 | 0.5 | +----------------------+--------+--------+ | TOTAL | 15.15 | 3.9 | +----------------------+--------+--------+ Table 1: Memory Requirements in KB
  35. 35. (D)TLS Raw Public Key mode +----------------------------+---------------+ | Cryptographic functions | Code size | +----------------------------+---------------+ | MD5 | 4,856 bytes | | SHA1 | 2,432 bytes | | HMAC | 2,928 bytes | | RSA | 3,984 bytes | | Big Integer Implementation | 8,328 bytes | | AES | 7,096 bytes | | RC4 | 1,496 bytes | | Random Number Generator | 4,840 bytes | +----------------------------+---------------+
  36. 36. (D)TLS Raw certificate mode You need to add: ASN.1 parser X509 certificate check code Revocation?
  37. 37. TLS for embedded It’s still a challenge on some platform IETF DICE working group https://datatracker. ietf.org/wg/dice/ But weirdly TLS PSK is not used Certificate revocation is also a mess for IoT
  38. 38. Open-source DTLS implementation TinyDTLS: http://tinydtls.sourceforge.net MIT licensed embedded friendly Lua binding: https://github.com/sbernard31/luadtls Eclipse Californium Scandium: A Java implementation of DTLS https://github.com/eclipse/californium.scandium
  39. 39. More security challenges ;) Provisioning your key from the factory and pushing them on the server... ... for million of devices with different keys … and with the capability of changing the keys over-the-air
  40. 40. Device Management
  41. 41. Device management Monitor, configure, secure, and update your devices All you need for operating a fleet of IoT devices Not tied to your application
  42. 42. Interoperability is the key You don't know yet what hardware will power your IoT projects on the field but you MUST be able to do management in a consistent way
  43. 43. D.M. protocols Usual suspects: TR-069 OMA-DM Lightweight M2M
  44. 44. TR-069 Bidirectional SOAP API for : broadband modems, gateway, set-top-boxes Configure, monitor, firmware upgrades. Yeah SOAP : HTTPS and XML :( Not wireless friendly
  45. 45. OMA-DM An Open Mobile Alliance standard for Device Management Targets mobile phone terminals but can be used for M2M Mean to be used by mobile network operators.
  46. 46. OMA-DM features Read, write configuration or monitoring nodes. Trigger remote commands (Exec) FUMO: Firmware Update Management Object SCOMO: Software Component Management Object
  47. 47. OMA-DM flaws Phone oriented HTTP+XML (or binary XML) not compact at all
  48. 48. OMA-DM flaws: Hello world :) <?xml version="1.0" encoding="UTF-8"?> <SyncML xmlns="SYNCML:SYNCML1.2"> <SyncHdr> <VerDTD>1.2</VerDTD> <VerProto>DM/1.2</VerProto> <SessionID>D101</SessionID> <MsgID>1</MsgID> <Target> <LocURI>http://na.airvantage.net</LocURI> </Target> <Source><LocURI>IMEI:1234567890</LocURI></Source> <Meta>
  49. 49. <MaxMsgSize>20480</MaxMsgSize> <MaxObjSize>512000</MaxObjSize> </Meta> </SyncHdr> <SyncBody> <Alert> <CmdID>1</CmdID> <Data>1201</Data> </Alert> <Replace> <CmdID>2</CmdID> <Item> <Source><LocURI>./DevInfo/DevId</LocURI></Source> <Data>IMEI:1234567890</Data> </Item>
  50. 50. <Item> <Source><LocURI>./DevInfo/Man</LocURI></Source> <Data>Sierra Wireless</Data> </Item> <Item> <Source><LocURI>./DevInfo/Mod</LocURI></Source> <Data>SL6087</Data> </Item> <Item> <Source><LocURI>./DevInfo/DmV</LocURI></Source> <Data>Sierra Wireless OMC v2.0</Data> </Item> <Item> <Source><LocURI>./DevInfo/Lang</LocURI></Source><Data>en</Data> </Item> </Replace> <Final /> </SyncBody> </SyncML>
  51. 51. OMA-DM: Helloworld server reply <?xml version='1.0' encoding='UTF-8' standalone='no' ?> <SyncML xmlns="SYNCML:SYNCML1.2"> <SyncHdr><VerDTD>1.2</VerDTD><VerProto>DM/1.2</VerProto><SessionID>D101</SessionID> <MsgID>1</MsgID> <Target><LocURI>IMEI:1234567890</LocURI></Target> <Source><LocURI>http://na.airvantage.net</LocURI> <LocName>AIRVANTAGE-SERVER</LocName> </Source> </SyncHdr> <SyncBody> <Status> <CmdID>5</CmdID><MsgRef>1</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd> <Chal><Meta> <Format xmlns="syncml:metinf">b64</Format> <Type xmlns="syncml:metinf">syncml:auth-MAC</Type> XML QUOTA EXCEEDED..
  52. 52. OMA-DM security flaws Weak security (MD5-HMAC) on top of HTTP Use full HTTPS for higher grade security Complex to implement correctly, no streaming due to HMAC Unnecessary complex protocols is the safest way to security holes
  53. 53. OMA-DM But works :) Your mobile phone is managed using OMA-DM
  54. 54. OMA Lightweight M2M A reboot of OMA-DM but for M2M Built on top of CoAP REST API for device management
  55. 55. Lightweight M2M: API Security Device Server Connectivity monitoring Connectivity statistics Location Firmware The objects have a numerical identifier.
  56. 56. Lightweight M2M: URL /{object}/{instance}/{resource} Examples: "/6/0" the whole position object (binary record). "/6/0/2" only the altitude.
  57. 57. Lightweight M2M: API You can define your custom objects Published or not Structure is discovered using the CoAP link object format (RFC 6690)
  58. 58. Lightweight M2M: bootstrap Initial keying and configuration Well defined security lifecycle How to update credential and security scheme Keying from factory, smartcard, or over-the-air
  59. 59. Lightweight M2M: bootstrap Device can go out of factory with just BS credential When it goes live the BS server provisions the DM keys Future proof, and the BS server can be really robust
  60. 60. Eclipse Wakaama http://eclipse.org/wakaama A C library for implementing LWM2M Embedded friendly Lua binding for Wakaama: https://github.com/sbernard31/lualwm2m
  61. 61. More Lightweight M2M open source Leshan A Java implementation of LWM2M Server library based on Eclipse Californium Server UI http://github.com/jvermillard/leshan
  62. 62. LWM2M Demo SHOWTIME!
  63. 63. Protocol convergence M2M/IoT is not a simple problem Security and provisioning are really the hardest ones Try hard to reduce the number of protocols to make your life easier!
  64. 64. Burning in IoT hell: Mixing protocols Cloud servers OMA-DM Radio module 2G/3G/LTE ZigBee/6LowPan WiFi, etc.. App1 Linux O/S Supervisor App2 App3 Low power App OMA-DM MQTT/CoAP Ad-hoc TR-069 Network Operator
  65. 65. LWM2M + CoAP LWM2M provide device management and security workflow for CoAP application using the same protocol! Huge simplicity and security win!
  66. 66. Key takeaways Break silos: embrace the web-of-things Think security first, it’s your biggest challenge Use standards for device management and keying CoAP + LWM2M for your next IoT application!
  67. 67. Thanks! Twitter: @vrmvrm E-mail: jvermillard@sierrawireless.com Creative Commons – Attribution (CC BY 3.0) Microchip designed by Nicolò Bertoncin from the Noun Project Cloud designed by James Fenton from the Noun Project Secure by Charlene Chen from The Noun Project Chat by Icomatic from The Noun Project Microchip designed by Mario Verduzco from the Noun Project Certificate designed by Charlene Chen from the Noun Project

×