-
Notifications
You must be signed in to change notification settings - Fork 2
Research Agenda
This wiki attempts to capture a research agenda for the T2TRG.
There is no attempt to make this capture either complete or fully correct; no promises are being made.
Its main use will be as a project backlog for interested researchers,
and as a proposal to structure our work within the RG.
In general, we like to touch the following aspects:
- Background, terminology (if needed)
- Research questions
- existing documents to refer to
- existing groups, venues out there to involve
- Next steps for RG
See https://github.com/t2trg/wishi/blob/master/slides/wishi-modeling-mjk-20190612.pdf
An overall overview is provided by: https://github.com/t2trg/2017-07-wishi/blob/master/submissions/27-Hypermedia-for-Long-Term-Semantic-Interoperability.txt
Next steps: write up results from, e.g.
- the 2018/2019 IoT hypermedia teleconference calls
- the 2019-04-02/-03 Munich WoT/CoRE/RG editors team meeting
- Hypermedia for IoT, Thing Descriptions, CoRAL, RDF...
- resource model view vs. link model view
(Contribution by Matthias Kovatsch)
Roughly, Edge Computing denotes computing concepts and strategies that are placed close to devices that produce data or require control commands. The edge resembles the first hop from application devices toward more processing power, storage capabilities, etc. ultimately ending in the cloud; a multi-tier architecture of such compute layers is often referred to as fog computing. Edge Computing aims at dynamic, scalable, and easy to manage solutions, and hence also adopts solutions from data centers and carrier networks.
-
Research questions
- Ad-hoc application patterns (e.g., storage near me, GPU near me, etc.)
- Discovery mechanism for application devices finding edge computing nodes
- Negotiation mechanisms to select appropriate edge computing nodes
- Trust and attestation
- Identify natural edge computing nodes in different application domains (e.g., home router, industrial switches, NFV hosts, ...)
- Differences and commonalities across application domains
-
existing documents to refer to
-
existing groups, venues out there to involve
- COINRG
- IIC - Edge Computing Task Force
- ETSI Multi-Access Edge Computing, MEC
- EdgeX Foundry
-
Next steps for RG
- Pull in and improve draft-hong-iot-edge-computing
- Possible split out domain-specific research topics in their own drafts (e.g., consumer, industrial, carrier networks)
(Contribution by Mohit Sethi)
With publication of RFC 8576, the Thing-to-Thing Research Group (T2TRG) documented the current IoT security initiatives at the IETF (and elsewhere). It also discussed some important security challenges that remain. One of the key challenges identified in the document was how the things in IoT networks can be securely configured before they are functional. This step is especially challenging as the number of these things may be large and they often have very limited user interfaces. The initial configuration of things may involve several sub-steps that must be completed before the thing is fully operational. Each of these sub-steps can be viewed in terms of authorization chains that need to be established. In the next phase of its research work, T2TRG will work on the following security items:
-
Documenting the various terminology related to this initial configuration step: A wide variety of terms such as bootstrapping, onboarding, commissioning, and initialization have been used in this context. The research group will try to understand how these terms are related with each other.
-
As noted in the secure bootstrapping draft, a variety of different methods exist for secure configuration of devices. The research group will identify common design assumptions, architectural components and underlying protocols that many of these device configuration methods use. This knowledge will likely produce some important take-aways for the ongoing standardization work in this area in various IETF working groups (such as EMU and ANIMA).
-
Extensible Authentication Protocol (EAP) is often one of the basic building blocks for the initial configuration of devices/things. Using EAP can provide many benefits such as setting up and using per-device credentials. While EAP has been widely deployed in enterprise environments for network access authentication, its use in smaller home networks is limited because of the usability challenges of setting up a AAA server. Therefore home networks have often resorted to either using network-wide shared secrets or relying on proprietary vendor protocols that limit the choice of devices/things for users/owners. T2TRG will work on a document highlighting the benefits of using EAP for thing configuration and investigate if and how the usability challenges can be addressed even in small non-expert deployments.
On a more general level, we would like to discuss both Semantics for Security and Privacy, and Security and Privacy for Semantics.
Traditionally, security protocols have focused on authentication (and authenticated key establishment so a single authentication exchange can be used to secure multiple further exchanges), often leaving the semantics of such a successful authentication implicit. Generally, these semantics can be expressed in terms of authorization. IoT products today often rely on simplistic binary systems (i.e., everybody who can authenticate is authorized to do everything), which then need to revoke authentication in order to reduce authorization.
In more capable systems, not only is there usually authorization information that can be derived from the identities used for authentication, there is also information about the quality of the authentication (e.g., what trust anchors were involved) that can modulate the authorization that is actually applicable. There is a long tradition for the semantics of such authorization information, often in the form of access control lists and/or capability lists/entitlements. What semantic categories are appropriate for IoT?
More generally, also data itself may need to be shipped around with authorization information (who can use it for what) attached, even if the enforcement of these semantics cannot always be secured. Privacy considerations may make this very authorization data sensitive, so it may actually be more important to protect the authorization information from unintended disclosure than to enforce all of its details (beyond, e.g., simply "trusting" an intended recipient). The multi-stakeholder nature of many IoT systems, combined with the potentially long life of the data generated makes this subject highly relevant for IoT.
The RG will collect common terminology (as already touched on above) and attempt to disseminate this in favor of existing, often poorly defined terms.
The RG will collect a structured bibliography with relevant work for its research agenda.