Moving from an Internet Registry to an IoT Registry

As the name suggests, the Internet of Things (IoT) should be an extension of the Internet. However, in reality, most IoT applications are Siled infrastructures. We will analyze the main challenges in the IoT and explain how an internet ledger could be developed to provide a integrated security and privacy Identity and access management a service for IoT.

Freedom: Tim Berners-Lee, best known as the inventor of the World Wide Web, referred to internet freedom as—“I should be able to choose the apps I use to manage my life, I should be able to choose the content I watch, and I should be able to choose the device I use, the company I use to provide my internet, and I would like them to be independent choices. The freedom that Tim Berners-Lee expects is possible on the Internet, but not in the IoT. Most IoT applications are Enclosed gardens, limiting users to specific devices, technologies or applications. The freedom to choose has increasingly become a necessity in the IoT, and hence, efforts are being made in the form of software suites or technologies to provide more choice to consumers. IoT technologies like LoRaWAN (Long Range Wide Area Network) guarantees freedom of choice by providing open specifications to make products available from multiple vendors.

Interoperability: It is natural to expect interoperability between different applications to access a service on the Internet. For example, one can use any browser such as Chrome, Safari or Firefox to access a website. Similarly, one can send an email to anyone using any messaging application. Imagine a scenario where someone with a Gmail account can only send mail to users with a Gmail account and not to Yahoo or Outlook users. The IoT consumer currently has the hassle of installing and using dozens to hundreds of separate apps to access different IoT services (e.g. Alexa, Apple, Samsung, Smart lights at home, pet tracker, pacemaker etc. ). For example, you cannot control a Philips bulb with Amazon’s Alexa or Apple’s Siri, limiting interoperability between services from one product to another, unlike the Internet.

Number portability: allows users to keep their phone number when switching between mobile network operators. On the Internet, with domain names as persistent identifiers, it is possible to use the same domain name even when the web server’s IP address changes. According to BEREC report on the IoT, switching connectivity service providers requires a hardware change, such as replacing the connectivity module.

End-to-end security: is mainly provided inside the IoT walled garden. When the need arises to communicate securely with stakeholders outside the walled garden, certain challenges must be met. In LoRaWAN, for example, pre-shared cryptographic keys enable secure communication with multiple stakeholders. The downside is that pre-shared keys, as the name suggests, must be shared before communication, which reduces the possibility of dynamic and secure communication like on the Internet.

Privacy: Beyond the content of messages exchanged by IoT devices, user privacy can be compromised by the associated communications metadata. Credentials exposed in network traffic are a source of privacy concerns. For example, the identification of a medical device in a household could reveal a medical condition of one of the inhabitants, considered sensitive by the European GDPR regulation.

Addressing the above challenges by a DNS-based IoT registry

We have two important identifiers on the Internet – IP addresses and domain names. The Domain Naming System (DNS) maps domain names to IP addresses. There are heterogeneous identifiers and registries in the IoT, ranging from local scope to global scope. If the different identifiers are to be globally visible and interoperable, one option is to provide them in the Internet’s naming service, ie DNS.

Integrating heterogeneous IoT namespaces to be delegated under DNS solves two major issues: firsta particular company, industry, or alliance of companies could independently operate and manage their respective IoT namespaces. Second, it is possible to interoperate between these different IoT namespaces for credential resolution and service discovery. Thus, providing the freedom of choice for IoT identity management and the ability to interoperate between IoT walled gardens.

Number portability becomes possible when IoT identifiers are provisioned and resolved via DNS. Changing the IoT identifier pointer to the new connectivity service in the DNS zone allows the IoT device to be discovered or resolved through the new connectivity carrier without the need to replace the IoT hardware. This is how it is done even for mobile number portability using services such as GSMA Research Toolwhich is DNS-based.

As discussed previously, the Security The fabric in IoT involving multiple stakeholders using pre-shared keys is difficult to scale dynamically. Asymmetric keys using public key infrastructure (PKI) have worked well for secure internet communication and cannot be used in the IoT due to the size of certificates and the cost involved. It is not possible to send an X.509 digital certificate (about 2000 bytes) over a LoRaWAN communication, whose maximum frame size could be 51 bytes. With its project partners (Figure 1), Afnic is experimenting with IETF standards to compress X.509 certificates with Concise representation of binary objects (CBOR) for IoT devices and use the DANE Transport Layer Security Authentication (TLSA) records that store an SHA 256 certificate fingerprint rather than the entire certificate.

Figure 1: Afnic R&D work with multiple partners to solve different IoT challenges

Since credentials serve as the primary interface for accessing IoT data, they can expose personal information. Afnic with the PIVOT project partners is working on grouping named content into different content types to reflect application types and services. The objective is to use the DNS integrated PKI infrastructure to privacy-preserving the IoT.

Figure 2: Evolution from Internet Registry to IoT Registry using DNS as Naming Service

The Role of Internet Registries in the IoT

For all IoT credentials to be visible within the global Internet perimeter, the only operationally feasible way is to provision them in DNS. Therefore, Internet naming registries, with their long experience in domain name registration management, DNS resolution and expertise, should also be able to play the role of a registry in the IoT domain. .

Afnic embarked on this evolutionary journey with more than 12 years of R&D experience after having influenced two standards (GS1, LoRa Alliance) to include the DNS and worked with multiple industrial and institutional partners in France and in Germany. Our goal is to provide a comprehensive IoT registry package that facilitates IoT provisioning, remediation, security and privacy.

Comments are closed.