I am sure most of you would have heard by now that IIESoc have been working behind the scenes for "Connections 2018" - a Pre-IETF 103 forum in Bangalore on October 31st - November 1st 2018, to get protocol developers, academicians and network operators together on the same platform to discuss the latest problems facing the Internet and the solutions relevant to them. This is being done with a focus on India and Indian contributions to the Internet.
This blog is part of the speaker series that introduces the various amazing speakers that are part of the event. Next in the series is Mohit Sethi.
Bio: Mohit Sethi is an Experienced Researcher at Ericsson and a post-doctoral researcher at Aalto University. He has received a Doctor of Science (Tech) degree in Computer Science from Aalto University. He has previously completed his dual MSc. degree in security and mobile computing from Royal Institute of Technology (KTH), Sweden and Aalto University, Finland with full EU scholarship. Mohit actively contributes to IoT standardization at the IETF and is currently co-chairing the Light-Weight Implementation Guidance (LWIG) as well as the EAP Method Update (EMU) working groups of the IETF. He has received best paper awards at the ACM Ubicomp and IEEE IoT conferences and has more than 20 international patent applications.
Talk: IoT bootstrapping security and EAP-NOOB (Nimble out-of-band authentication for Extensible Authentication Protocol)
Secure bootstrapping is the process by which an IoT device gets the necessary configuration information and security credentials to become operational. Since bootstrapping is the first phase in the lifecycle of any IoT device, a security breach during bootstrapping would make the device vulnerable for the rest of its lifetime. Security, scalability and usability of bootstrapping have a great effect on how smoothly IoT devices can be deployed and redeployed wherever users want them. In this talk, we will look at the bootstrapping problem in detail and suggest some directions for a bootstrapping solution that is especially designed for cloud-connected IoT appliances. We will also look at EAP-NOOB, a protocol for bootstrapping all kinds of IoT appliances that have a minimal user interface and no pre-configured authentication credentials. We will show how off-the-shelf ubiquitous computing devices such as cameras, printers, displays and speakers can be securely connected to an online cloud service with EAP-NOOB.
Check out other talks at https://www.connections.iiesoc.in/abstract
We also asked Mohit a few questions regarding his IETF contributions and involvement.
1. How did you get involved in the IETF? Was there a particular issue that led to your involvement?
My IETF involvement started during my initial days at Ericsson, Finland. I was working on a project to show that public-key cryptography is even possible on the tiniest IoT devices that have 8-bit micro-processors. I presented the research results at the Smart Object Security workshop preceding the IETF in Paris in 2012. This document later became RFC 8387. It not only documented our research results from public-key cryptography, but also provided some important security recommendations. Although my first trip to the IETF was in 2012, I only started attending the meetings regularly in 2014. I am now involved in working groups such as Light Weight Implementation Guidance (LWIG), EAP Method Update (EMU), IPv6 over Networks of Resource-constrained Nodes (6Lo) and Thing-to-Thing Research Group (T2TRG).
2. What is your opinion on the importance of the IETF in the Internet eco-system?
IETF is responsible for specifying many of the core Internet protocols such as TCP, UDP, IPv4, IPv6, DNS and TLS. It is obvious that without IETF standards, we wouldn't have much of the Internet as we know it today. IETF is unique since:
- It is open to everyone without requiring corporate sponsorship. This encourages some of the best engineers and researchers to participate.
- RFCs produced by the IETF are published and available for free to everyone. This means that they often get significant peer review.
- Decision making on standards does not happen behind closed doors. Decisions such as whether a document should be published as an RFC are made on the online mailing lists. The mailing list subscription is open for everyone and they are archived permanently to improve transparency.
Because of the reasons listed above, some IETF protocols such as TLS see wide-spread deployment on the Internet and are also used by other standards organizations (such as 3GPP). The IETF therefore plays a very important role in the Internet ecosystem by providing openly accessible building blocks (protocols) for the Internet, and for services offered on top of the Internet.
3. What technical changes do you see coming in the next few years?
Rather than predicting the (somewhat obvious) changes that we will see in the next few years (such as 5G, IoT and SDN), I would rather focus on the changes that I would personally like to see:
1. Although IETF has taken many initiatives to become a more diverse group by having events such as newcomers meet and greet, a lot more remains to be done.
2. I feel that many working groups have taken up way too much work to keep everyone happy. This has often resulted in documents receiving much less review and oversight than they should. For example, I was told that IESG members review approximately 300 pages every 2 weeks. Perhaps it is time for us, as the IETF, to read more and write less.
3. Even though so many attacks and vulnerabilities have been discovered in security protocols (both at the IETF and outside), it seems we haven't learned our lessons. I still see new protocols being presented at the IETF without any thorough security and formal modeling. Going forward, I think the barrier for new security protocols needs to be higher and proper formal modeling proofs should be a MUST.
4. More written code. Although there has been a positive change in the IETF since I started participating, I still see a lot of documents being published with almost no implementation experience. A couple of Python scripts and hacked prototypes are simply not enough for thoroughly evaluating many of the major protocols that are being developed.
5. New protocols should also document what the deployment barriers are and what the incentives are for someone to take up this protocol.
4. What are some of the most interesting changes you have seen at the IETF?
One of the major non-technical changes that I have seen at the IETF over the last few years is the move towards the use of GitHub by working groups for editing drafts. This means that not only is the final RFC available for everyone to see, but the entire standards writing process itself is open to anyone willing to contribute. Another very positive development since I started participating is the hackathons. Having participated in many IETF hackathons, I think this is an excellent forum to meet new IETF people, write code, and run experiments for providing feedback to the working group.
5. What would be your advice for a new-comer from the sub-continent, on how to get involved?
READ, ASK AND COMMENT:
I find it sad that newcomers are often advised to write a new draft about their idea. I would rather advise folks to read a draft in their area of interest. If they don't understand something, ask questions on the mailing lists. Most draft authors would be happy to see that someone is reviewing their work. And as we have been taught time and again, there are NO stupid questions. If you have some technical suggestions on a draft, suggest them on the mailing list. This will eventually lead to collaborations and co-authorship of documents. Finally, if you are coming to an IETF meeting, do join the IETF hackathon. That's an excellent way to meet new people in a relaxed environment and get involved with work that you find interesting.
Don't miss this opportunity to join us for the event. The tickets for the event are available at https://www.connections.iiesoc.in/tickets