Session Date/Time: 25 Jul 2024 22:00
iotops
Summary
The IoT Operations (iotops) working group meeting covered the motivation for the "Security Requirements Mapping" draft, a revision of RFC 7228 concerning terminology for constrained node networks, and a status update on the TEAS draft. There was also discussion of potential new work items, including configuration backup/restore and the relevance of web proxy auto-discovery in IoT environments.
Key Discussion Points
- Security Requirements Mapping (Brenton):
  - Motivation: To provide guidance to IoT device implementers on which IETF standards address specific security requirements from baseline documents like those from ENISA, ETSI, and NIST.
  - The draft maps requirements to standards, not libraries, assuming implementers can find libraries implementing relevant RFCs.
  - Discussion on the classification of requirements (procedural vs. architectural) and whether more justification is needed for excluding certain requirements.
  - Next steps: Address review comments and consider Working Group Last Call after a draft revision.
- RFC 7228bis (Karsten):
  - Revision of an aging RFC on terminology for constrained node networks. Significant updates are needed to reflect changes in technology and network architectures over the past decade.
  - Discussion around:
    - Defining classes for power and energy constraints, as well as new terminology for MTU constraints, asymmetry, and mobility.
    - Updating device classes (Class 0, 1, 2) to reflect current microcontroller and general-purpose platform capabilities.
    - New terminology for firmware/software upgradeability, isolation functionality, and security shielding.
    - Considering timing capabilities related to power events.
  - Plan: Initiate focused discussions on specific topics, solicit reviews, and aim for a Working Group Last Call ready document by the end of the year or early next year.
- TEAS (Carson):
  - Updated the changes between the two draft versions.
  - Working Group Last Call has ended with positive comments from Marco and Thomas.
  - Next steps include updating the document based on the comments and considering adding an additional reference for the TLS extension.
- New Work Item Suggestions:
  - Configuration Backup/Restore (Michael Richardson): A need for a device-agnostic way to collect and restore configurations during device replacement, upgrades, or security wipes.
  - SUIT Report Management (Michael Richardson/Brendan): Standardizing how SUIT reports are collected and tracked to improve privacy and allow for standardized evaluation of security compliance.
  - Web Proxy Auto-Discovery (Josh Cohen): Assessing the relevance of web proxy auto-discovery in IoT, especially considering the limited support for proxies in current devices. The working group seems less optimistic that this would have value due to the move to object-level security.
Decisions and Action Items
- Security Requirements Mapping: Brenton to address AJ's review comments and update the draft, then determine readiness for Working Group Last Call.
- RFC 7228bis: Karsten to initiate focused discussions on key terminology areas (e.g., isolation, timing), solicit reviews, and create a new draft. He will also look into comments from hardware experts. iotops to post this categorization scheme for expert review or entities.
- TEAS: Carson will revise the document, consider adding an additional reference for the TLS extension, and put the document on hold until cTLS is done.
- New Work Items: Chairs to consider expanding the charter to allow for new work items.
Next Steps
- Brenton to address review comments on the Security Requirements Mapping draft.
- Karsten to begin focused discussions on terminology for RFC 7228bis.
- Authors continue development based on the comments on the existing draft.
- Chairs to consider potential charter expansion.