Internet Engineering Task Force                             B. Wang, Ed.
Internet-Draft                                               S. Liu, Ed.
Intended status: Standards Track                             L. Wan, Ed.
Expires: 17 September 2021                                  X. Wang, Ed.
                                                               Hikvision
                                                           16 March 2021


  Technical Requirements for Secure Access and Management of IoT Smart
                               Terminals
              draft-wang-secure-access-of-iot-terminals-00

Abstract

   It is difficult to supervise the large number of widely distributed
   Internet of Things (IoT) smart terminals.  Furthermore, a large
   number of smart terminals (such as IP cameras, access control
   terminals, traffic cameras, etc.) running on the network carry high
   security risks in access control.  This draft introduces the
   technical requirements for access management and control of IoT smart
   terminals, which are used to solve the problems of impersonation and
   illegal connection in the access process, and enable users to
   strengthen the control of devices and discover offline devices in
   time, so as to ensure the safety and stability of smart terminals in
   the access process.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 17 September 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.




Wang, et al.            Expires 17 September 2021               [Page 1]

Internet-Draft    Secure Access of IoT Smart Terminals        March 2021


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  The Network Structure of IoT system . . . . . . . . . . . . .   3
   3.  Security Threats and Challenges . . . . . . . . . . . . . . .   5
   4.  Current Technology Level  . . . . . . . . . . . . . . . . . .   5
   5.  Secure Access and Management of IoT Smart Terminals . . . . .   6
     5.1.  Framework of Secure Access Management . . . . . . . . . .   6
       5.1.1.  Sensing & Controlling Domain  . . . . . . . . . . . .   8
       5.1.2.  Access & Management Domain  . . . . . . . . . . . . .   8
       5.1.3.  Application & Service Domain  . . . . . . . . . . . .   9
       5.1.4.  User Domain . . . . . . . . . . . . . . . . . . . . .   9
     5.2.  Requirements for Equipment Access . . . . . . . . . . . .   9
       5.2.1.  Requirements for devices access authentication identity
               information . . . . . . . . . . . . . . . . . . . . .   9
       5.2.2.  Requirements for Access Status of Devices . . . . . .   9
       5.2.3.  Recommendation of Access Policy . . . . . . . . . . .  10
     5.3.  Requirements for Equipment Management . . . . . . . . . .  10
     5.4.  Requirements for Access Log Audit . . . . . . . . . . . .  11
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .  12
   7.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  12
   8.  Informative References  . . . . . . . . . . . . . . . . . . .  12
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  13

1.  Introduction

   With the rapid development of the IoT and IP-based communication
   systems, a large number of devices have been interconnected through
   the network.  Because of the large number of branches of an IoT
   network, the scattered geographical locations of smart terminals,
   the difficulty of human supervision, etc., how to ensure the full
   control and full-time availability of the IoT is a brand new problem
   faced by the industry.  A large number of smart terminals (such as IP
   cameras, access control terminals, traffic cameras and other dumb
   terminals) running in the network carry a large risk in terms of
   security access control.  With the further convergence of IoT systems
   and information networks, once an IoT smart terminal is taken over by
   hackers, it is very easy for them to penetrate the whole network
   through that terminal, causing core business systems to stop and a
   large amount of confidential information to leak, which will bring
   significant losses.  Therefore, the establishment of a sound access
   control mechanism and application control mechanism for smart
   terminals is an important element of the IoT security system.

   This draft outlines the technical requirements for secure access and
   management of smart terminals in the IoT to address the security
   threats and challenges that exist in the access process of terminals.
   We discuss the networking structure of common IoT smart terminals in
   Section 2; we discuss the security threats and challenges faced in
   the access process of IoT smart terminals in Section 3; in Section 4,
   we review the guidelines and regulations related to the access of IoT
   devices; in Section 5 we present the requirements for secure access
   and management of IoT smart terminals and describe their details; in
   Section 6 we conclude the whole draft.  This draft provides a
   reference for IoT security access and management.

2.  The Network Structure of IoT system

   IoT smart terminals are generally connected to the network through an
   IoT gateway, and the data of the terminals is then reported to the
   application center through the IoT gateway, thus completing the
   network building.

   A diagram of an IoT system is shown in the figure below.  In the
   perception layer, there are four different types of IoT smart
   terminals that form four different subsystems, which are video
   monitoring subsystem, access control subsystem, alarm subsystem and
   intercom subsystem.  The smart terminals in each subsystem are
   different.  In the video monitoring subsystem, the main terminals are
   IP cameras and intelligent cameras for collecting video and image
   data.  In the access control subsystem, the main terminals are
   turnstiles and vehicle access control hosts for collecting vehicle
   information.  In the alarm subsystem, the main terminals are alarm
   hosts, alarm keyboards and wireless alarm hosts, which are used to
   set alarm policies, issue alarm warnings and report alarm events,
   etc.  In the intercom subsystem, its main terminals are intercom
   hosts and individual equipment, which are used to collect voice data.
   The figure shows that in the IoT system, smart terminals are
   heterogeneous and complex, and their data are aggregated into the
   application layer through the transport layer, which greatly
   increases the difficulty for the application layer of controlling the
   terminals in the perception layer.









+----------------------------------------------------------------------+
|                                                                      |
| Application                                           +------------+ |
|   Layer                   +--------+                  | Video      | |
|              +--------+   | Storage|    +-------+     | integrated | |
|              |  HOST  |   | system |    |  DVI  +-----+ platform   | |
|              +---+----+   +---+----+    +---+---+     +------+-----+ |
|                  |            |             |                |       |
|                  |            |             |                |       |
+------------------+------------+--+----------+----------------+-------+
|                                  |                                   |
|                                  |                                   |
| Transport                  +-----+----+                              |
|   Layer                    |  router  |                              |
|                            +-----+----+                              |
|                                  |                                   |
|             +------------------+-+------------+----------------+     |
|             |                  |              |                |     |
|           +-+-------+     +----+----+    +----+----+     +-----+---+ |
|           | gateway |     | gateway |    | gateway |     | gateway | |
|           +-+-------+     +----+----+    +----+----+     +-----+---+ |
|             |                  |              |                |     |
|             |                  |              |                |     |
+----------------------------------------------------------------------+
|             |                  |              |                |     |
+-------------+--+ +-------------+--+  +--------+-----+ +--------+-----+
|     Video      | |     Access     |  |    Alarm     | |   Intercom   |
|   surveillance | |     control    |  |  subsystem   | |   subsystem  |
|    subsystem   | |    subsystem   |  | +----------+ | |              |
| +------------+ | | +------------+ |  | |Alarm host| | | +----------+ |
| | IP camera  | | | |  Turnstile | |  | +----------+ | | |Intercom  | |
| +------------+ | | +------------+ |  | |   Alarm  | | | |  host    | |
| | IP Camera  | | | |   Vehicle  | |  | | keyboard | | | +----------+ |
| +------------+ | | |   access   | |  | +----------+ | | |Individual| |
| |Smart Camera| | | |control host| |  | | Wireless | | | |equipment | |
| +------------+ | | +------------+ |  | |alarm host| | | |          | |
+----------------+ +----------------+  | +----------+ | | +----------+ |
|                                      +--------------+ +--------------+
|   Perception                                                         |
|     Layer                                                            |
|                                                                      |
+----------------------------------------------------------------------+

           Figure 1: The Network Structure of an IoT System









3.  Security Threats and Challenges

   The main security threats and challenges in the process of accessing
   IoT smart terminals are as follows:

   1.  Illegal connection of devices.  On the side of IoT smart
       terminals, illegal devices and illegal hosts access the network
       for probing attacks.  The application layer network may be
       invaded through the network of smart terminals, and the sensitive
       data of the application layer network illegally stolen, thus
       causing great damage to the security of IoT.

   2.  Counterfeit connection of devices.  With the wide distribution of
       IoT smart terminals and the public deployment environment, it is
       easy for malicious devices to illegally impersonate and replace
       legitimate devices and upload fake data, which leads to abnormal
       function of the devices and causes great damage to the security
       of IoT.

   3.  Devices offline.  The number of IoT smart terminals is huge and
       they are very vulnerable to physical attacks, network anomalies,
       power supply anomalies, and the aging of the device itself, which
       causes them to go offline.  Offline devices are difficult to
       discover, so some of the normal functions of the IoT are lost.

   4.  Devices management.  There are many kinds of IoT smart terminals,
       and it is often not clear how many IoT smart terminals are owned
       in the whole IoT network and how many IoT smart terminals have
       security problems, which leads to problems such as inability to
       control IoT smart terminals and inability to sort out device
       assets.

4.  Current Technology Level

   1.  On the access control of IoT, there already exist many control
       protocols applied to IoT smart terminals, such as Zigbee [ZB],
       DALI [DALI], BACNET [BACNET], which do not contribute to the
       secure access of IoT devices.  The UPnP [ISOIEC23941] access
       protocol defines the access to IoT smart terminals, but does not
       consider the issue of secure access.

   2.  There are many specialized and generic security protocols being
       used in current IP-based deployments of IoT smart device
       applications, for example IPsec [RFC7296], TLS [RFC8446], DTLS
       [RFC6347], HIP [RFC7401], Kerberos [RFC4120], SASL [RFC4422], and
       EAP [RFC3748].  These also do not protect against the illegal
       connection of devices, counterfeit connection of devices, and
       device offline problems encountered during device access.

   3.  A number of groups are also currently focusing on IoT device
       security.  For example, the Cloud Security Alliance (CSA) is
       recommending that enterprises building the IoT consider
       strengthening IoT smart device authentication/authorization
       [CSA]; the Global System for Mobile communications Association
       (GSMA) has published a security guide for IoT systems [GSMA] to
       bring a set of security guidelines to the research of IoT
       security products; and the United States Department of Homeland
       Security (DHS) has proposed six IoT security strategic principles
       [DHS] to guide IoT developers, manufacturers, service providers,
       and consumers in considering security issues.  These teams give
       good advice on building security for the IoT, but there is no
       introduction or description of secure access to the IoT.

   4.  In the existing security standards on IoT, such as [RFC8576], the
       security issues and solutions existing in IoT are introduced, but
       there is no mention of the problems and solutions existing in the
       access process of smart terminals.

   5.  In other related device access standards, there are 802.1x
       [ISO88021X] based device access and portal-based authentication,
       but because IoT smart terminals exist mainly in the form of dumb
       terminals, they are not suitable for authentication access
       through 802.1x or portal, and the two authentication methods
       cannot be used to solve the illegal connection of devices and
       counterfeit connection of devices.

5.  Secure Access and Management of IoT Smart Terminals

5.1.  Framework of Secure Access Management

   Compared with the three-layer framework of IoT, the framework of
   secure access management adds an access and management layer between
   the transport layer and the application layer.  The framework of
   secure access management for IoT smart terminals is shown in the
   following figure.  In this framework, the access process of IoT is
   divided into four parts: the sensing & controlling domain, the
   access & management domain, the application & service domain and the
   user domain.  Among them, the access & management domain is the
   specific implementation of the secure access and management
   technical requirements, ensuring secure access of smart terminals in
   terms of smart terminal management, access control, access policy
   management and access log audit.

+-------------------------------------------------------User Domain----+
|      Application & Service Domain                                    |
| +------------------+    +------------------+   +-------------------+ |
| |Business System 1 |    |Business System 2 |   |Business System... | |
| +------------------+    +------------------+   +-------------------+ |
+----------------------------------------------------------------------+
           ^                ^                ^
           |                |                |
+----------+----------------+----------------+----------User Domain----+
|                     Access & Management Domain                       |
| +-----------------+-----------------+----------------+-------------+ |
| |      Device     |  Device Access  |  Access Policy |  Log Audit  | |
| |    Management   | +-------------+ |   Management   |             | |
| |                 | |  Unique id  | |                |             | |
| |                 | | information | |                |             | |
| | +-----+-------+ | +-------------+ | +------------+ |             | |
| | | IP  | Port& | | |  Trusted    | | |   IP&MAC   | | +---------+ | |
| | |     |Service| | |communication| | +------------+ | |Exception| | |
| | +-------------+ | |  protocol   | | |IP&MAC&Brand| | +---------+ | |
| | |Type | Brand | | +-------------+ | +------------+ | |Behavior | | |
| | +-------------+ | | Certificate | | |IP&MAC&Brand| | +---------+ | |
| | |Model|  MAC  | | |   access    | | |   &Model   | | |Operation| | |
| | +-------------+ | +-------------+ | +------------+ | +---------+ | |
| +------------------------------------------------------------------+ |
+----------------------------------------------------------------------+
                    Indirect  ^             ^           ^ Direct
                    connection|             |           | connection
+----------------------------------------------------------------------+
| Sensing &                 +-----------+   |           |              |
| Controlling               |IoT Gateway|   |           |              |
|   Domain                  +------^----+   |           |              |
|                                  |        |           |              |
| +------------------------------------------------------------------+ |
| | +---------+   +---------+   +--------+  |  +------+ |   +------+ | |
| | |RS-485   |   |Zigbee   |   |IP/WIFI/|  |  |Video | |   |Smart | | |
| | |RS232    |   |Lora and |   |5G/4G   |  |  |and   | |   |IP    | | |
| | |and other|   |other    |   |smart   +--+  |Audio +-+   |Camera| | |
| | |wired    |   |wireless |   |device  |     |device|     +------+ | |
| | |terminals|   |terminals|   +--------+     |RFID  |              | |
| | +---------+   +---------+                  +------+              | |
| +------------------------------------------------------------------+ |
+----------------------------------------------------------------------+

 Figure 2: Framework of Secure Access Management for Smart Terminals





5.1.1.  Sensing & Controlling Domain

   Smart Terminals: including terminals connected through RS-485, RS-232
   and other wired interfaces; Zigbee, Lora and other wireless terminal
   equipment; smart terminal equipment that accesses the network through
   IP, WiFi, 5G or 4G; audio and video equipment; RFID equipment; and
   intelligent camera equipment, etc.

   IoT Gateway: an entity used to connect smart terminals and terminals
   of the upper layer.

   Among them, smart terminals can be directly connected with the
   access & management domain, or indirectly connected with the
   access & management domain through the IoT gateway.

5.1.2.  Access & Management Domain

   The access & management domain is the core.  It is used to manage and
   control the access of smart terminals, and includes four parts:
   device management, device access, access policy management and log
   audit.

   The contents of each part are clarified as follows:

   Device Management: Mainly manages equipment asset information,
   including the IP address, MAC address, device type, brand, model,
   open ports and services of smart terminal equipment.

   Device Access: Refers to the device access modes supported by smart
   terminals, including access based on the unique identification
   information of the smart terminal (the unique identification
   information of a device can be composed of one or more sets of the
   device asset information managed by device management), access based
   on the trusted communication protocol of the smart terminal, and
   access based on certificate authentication.

   Access Policy Management: Refers to access policy management based
   on the unique identification information of smart terminals,
   including: IP, MAC access policy; IP, MAC, manufacturer access
   policy; IP, MAC, manufacturer, model access policy.

   Log Audit: Used to record, store and audit the log information
   generated in the access process of smart terminals, including
   exception log audit, behavior log audit and operation log audit.

5.1.3.  Application & Service Domain

   The application & service domain is the core business system, which
   provides informational application services for information
   collecting, exchanging and processing.  The information provided by
   the smart terminals is verified by the access & management domain to
   ensure the security and stability of the system.

5.1.4.  User Domain

   The user domain consists of the users of smart terminals.  They can
   directly access the core business system in the application & service
   domain, and the access & management domain to view the access
   condition of smart terminals and manage them.

5.2.  Requirements for Equipment Access

5.2.1.  Requirements for devices access authentication identity
        information

   The identity information used for device access authentication should
   include one or more of the following characteristics:

   1.  IP address

   2.  MAC address

   3.  brand

   4.  type

   5.  model

   6.  firmware version

5.2.2.  Requirements for Access Status of Devices

   There should be at least four types of access status:

   1.  Online: The device has passed authentication and is working well.

   2.  Offline: The device has passed authentication but is not working.

   3.  Counterfeit: The device fails authentication, and its
       authentication identity information is the same as that of a
       previously authenticated device.

   4.  Illegal connection: The device fails authentication, and its
       authentication identity information is completely different from
       the identity information of any device that has passed
       authentication.

5.2.3.  Recommendation of Access Policy

   1.  The device access policy can take at least five combinations:

       1.  IP + MAC

       2.  IP + MAC + manufacturer

       3.  IP + MAC + manufacturer + model

       4.  IP + MAC + manufacturer + model + type

       5.  IP + MAC + manufacturer + model + type + firmware version

   2.  Counterfeit and illegal connections should be discovered
       quickly, and illegal control of devices prevented.

   3.  The configuration of access policy can be done manually and
       automatically.

   4.  Device access policy can be customized as any combination of the
       recommended access policies shown in requirement 3.
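
   One way to combine the access states of Section 5.2.2 with the policy
   combinations above, as an added example that is not part of this
   draft.  Assumptions: a 90-second heartbeat timeout, reuse of a
   registered IP or MAC with other policy fields mismatching counts as
   "counterfeit", and all device records are constructed (documentation
   address ranges, hypothetical vendor names); AccessManager, Identity
   and POLICY_FIELDS are names introduced here.

```python
from dataclasses import dataclass, fields
from enum import Enum

# Policy levels of Section 5.2.3, item 1: each level adds one identity field.
POLICY_FIELDS = {
    1: ("ip", "mac"),
    2: ("ip", "mac", "manufacturer"),
    3: ("ip", "mac", "manufacturer", "model"),
    4: ("ip", "mac", "manufacturer", "model", "dev_type"),
    5: ("ip", "mac", "manufacturer", "model", "dev_type", "firmware"),
}


class Status(Enum):  # the four access states of Section 5.2.2
    ONLINE = "online"
    OFFLINE = "offline"
    COUNTERFEIT = "counterfeit"
    ILLEGAL = "illegal connection"


@dataclass(frozen=True)
class Identity:  # identity characteristics of Section 5.2.1
    ip: str
    mac: str
    manufacturer: str = ""
    model: str = ""
    dev_type: str = ""
    firmware: str = ""

    def normalized(self):
        """Canonical form, so 'AA-BB-..' and 'aa:bb:..' compare equal."""
        mac = "".join(c for c in self.mac.lower() if c in "0123456789abcdef")
        rest = {f.name: getattr(self, f.name).strip().lower()
                for f in fields(self) if f.name != "mac"}
        return Identity(mac=mac, **rest)


class AccessManager:
    def __init__(self, level, registered, heartbeat_timeout=90.0):
        self.policy = POLICY_FIELDS[level]
        self.registered = [r.normalized() for r in registered]
        self.timeout = heartbeat_timeout  # assumption: seconds of silence
        self.last_seen = {}               # policy key -> last valid access

    def _key(self, ident):
        return tuple(getattr(ident, f) for f in self.policy)

    def access(self, claimed, now):
        """Classify one access attempt observed at time `now` (seconds)."""
        ident = claimed.normalized()
        key = self._key(ident)
        if any(self._key(r) == key for r in self.registered):
            self.last_seen[key] = now
            return Status.ONLINE
        # Authentication failed.  Assumption: presenting a registered IP or
        # MAC while other policy fields differ is an impersonation attempt.
        if any(ident.ip == r.ip or ident.mac == r.mac for r in self.registered):
            return Status.COUNTERFEIT
        return Status.ILLEGAL

    def inventory(self, now):
        """Online/offline state of every registered device at time `now`.
        A registered device that was never seen is reported as offline."""
        report = {}
        for r in self.registered:
            seen = self.last_seen.get(self._key(r))
            alive = seen is not None and now - seen <= self.timeout
            report[r.ip] = Status.ONLINE if alive else Status.OFFLINE
        return report


# Constructed sample records (not from the draft).
CAMERA = Identity("192.0.2.10", "00:00:5E:00:53:0A",
                  "ExampleCam", "EC-200", "ip camera", "1.4.2")
TURNSTILE = Identity("192.0.2.20", "00:00:5E:00:53:14",
                     "ExampleGate", "EG-7", "turnstile", "3.0.0")
REGISTERED = [CAMERA, TURNSTILE]
# Presents CAMERA's IP and MAC, but a different product sits behind them.
CLONE = Identity("192.0.2.10", "00-00-5e-00-53-0a",
                 "OtherVendor", "X1", "host", "0.9")
# Shares nothing with any registered device.
STRANGER = Identity("192.0.2.99", "00:00:5E:00:53:63",
                    "OtherVendor", "X1", "host", "0.9")


def demo():
    """Run the same three access attempts under policy levels 1 and 3."""
    results = {}
    for level in (1, 3):
        mgr = AccessManager(level, REGISTERED)
        results[level] = {
            "camera": mgr.access(CAMERA, now=0),
            "clone": mgr.access(CLONE, now=10),
            "stranger": mgr.access(STRANGER, now=20),
            "inventory": mgr.inventory(now=60),
            "inventory_later": mgr.inventory(now=200),
        }
    return results


if __name__ == "__main__":
    for level, result in demo().items():
        print("policy level", level, result)
```

   At policy level 1 the record presenting the camera's IP + MAC pair is
   accepted as online; at level 3 the same record is classified as
   counterfeit because its manufacturer and model differ.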

5.3.  Requirements for Equipment Management

   Device management requires the ability to monitor device status in
   real time, to profile devices, to identify and manage applications
   running on terminals, to identify and manage device asset information
   of terminals, and to manage IP addresses of terminals.

   1.  Requirements for equipment condition monitoring and management

       1.  It should be able to monitor the offline and online status
           of smart terminals in real time.

       2.  It should be able to discover whether a smart terminal has
           weak password information.

       3.  It should be able to discover the risky ports of smart
           terminals.

       4.  It should be able to raise alerts for offline devices,
           devices with weak passwords and risky ports.

   2.  Requirements for the management of terminal profiling

       1.  It should be able to visualize device information of smart
           terminals, including device type, IP address, open ports,
           etc.

   3.  Requirements for the management of identifying applications

       1.  It should be able to automatically identify and manage the
           device's open services and service ports.

       2.  It should be able to automatically discover and identify
           the application systems of B/S or C/S architecture running
           in the network where the IoT smart terminal is located,
           including: service IP, service port, application name.

   4.  Requirements for the management of identifying asset information
       of the device

       1.  It should be able to manage the IP address, MAC address,
           device manufacturer, device model, device type, device
           firmware version number, device open ports, and device
           online time of smart terminals.

       2.  It should be able to manage the communication protocol
           information of smart terminals and the geographic location
           information of devices.
5.4.  Requirements for Access Log Audit

   Access log audit requires the ability to audit all types of
   operations as well as abnormal and malicious behavior of access
   devices.

   1.  It should be able to record abnormal behavior log information
       of access devices in real time and to provide analysis and audit
       functions.

   2.  It should be able to record malicious behavior log information
       of access devices in real time and to provide analysis and audit
       functions.

   3.  It should be able to record the management, access and
       blocking of access devices and other types of operations in real
       time, and to provide analysis and audit functions.

6.  Security Considerations

   This entire memo deals with security issues.

7.  IANA Considerations

   This document has no IANA actions.

8.  Informative References

   [BACNET]   American Society of Heating, Refrigerating and Air-
              Conditioning Engineers (ASHRAE), "BACnet",
              <http://www.bacnet.org>.

   [CSA]      "Security Guidance for Early Adopters of the Internet of
              Things (IoT)", 2015,
              <https://downloads.cloudsecurityalliance.org/whitepapers/S
              ecurity_Guidance_for_Early_Adopters_of_the_Internet_of_Thi
              ngs.pdf>.

   [DALI]     "DALI Explained", <http://www.dalibydesign.us/dali.html>.

   [DHS]      "Strategic Principles For Securing the Internet of Things
              (IoT)", 2016,
              <https://www.dhs.gov/sites/default/files/publications/
              Strategic_Principles_for_Securing_the_Internet_of_Things-
              2016-1115-FINAL....pdf>.

   [GSMA]     "GSMA IoT Security Guidelines and Assessment",
              <http://www.gsma.com/connectedliving/future-iot-networks/
              iot-security-guidelines>.

   [ISO88021X]
              ISO/IEC/IEEE, "Telecommunications and exchange between
              information technology systems - Requirements for local
              and metropolitan area networks - Part 1X: Port-based
              network access control".

   [ISOIEC23941]
              ISO/IEC, "IoT management and control device control
              protocol".

   [RFC3748]  Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H.
              Levkowetz, Ed., "Extensible Authentication Protocol
              (EAP)", DOI 10.17487/RFC3748, June 2004,
              <https://www.rfc-editor.org/info/rfc3748>.







   [RFC4120]  Neuman, C., Yu, T., Hartman, S., and K. Raeburn, "The
              Kerberos Network Authentication Service (V5)",
              DOI 10.17487/RFC4120, July 2005,
              <https://www.rfc-editor.org/info/rfc4120>.

   [RFC4422]  Melnikov, A., Ed. and K. Zeilenga, Ed., "Simple
              Authentication and Security Layer (SASL)",
              DOI 10.17487/RFC4422, June 2006,
              <https://www.rfc-editor.org/info/rfc4422>.

   [RFC6347]  Rescorla, E. and N. Modadugu, "Datagram Transport Layer
              Security Version 1.2", DOI 10.17487/RFC6347, January 2012,
              <https://www.rfc-editor.org/info/rfc6347>.

   [RFC7296]  Kaufman, C., Hoffman, P., Nir, Y., Eronen, P., and T.
              Kivinen, "Internet Key Exchange Protocol Version 2
              (IKEv2)", DOI 10.17487/RFC7296, October 2014,
              <https://www.rfc-editor.org/info/rfc7296>.

   [RFC7401]  Moskowitz, R., Ed., Heer, T., Jokela, P., and T.
              Henderson, "Host Identity Protocol Version 2 (HIPv2)",
              DOI 10.17487/RFC7401, April 2015,
              <https://www.rfc-editor.org/info/rfc7401>.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS) Protocol
              Version 1.3", DOI 10.17487/RFC8446, August 2018,
              <https://www.rfc-editor.org/info/rfc8446>.

   [RFC8576]  Garcia-Morchon, O., Kumar, S., and M. Sethi, "Internet of
              Things (IoT) Security: State of the Art and Challenges",
              DOI 10.17487/RFC8576, April 2019,
              <https://www.rfc-editor.org/info/rfc8576>.

   [ZB]       "Zigbee Alliance", 2020, <http://www.zigbee.org/>.

Authors' Addresses

   Bin Wang (editor)
   Hikvision
   555 Qianmo Road, Binjiang District
   Hangzhou
   310051
   China

   Phone: +86 571 8847 3644
   Email: wbin2006@gmail.com







   Song Liu (editor)
   Hikvision
   555 Qianmo Road, Binjiang District
   Hangzhou
   310051
   China

   Phone: +86 571 8847 3644
   Email: achelics@gmail.com


   Li Wan (editor)
   Hikvision
   555 Qianmo Road, Binjiang District
   Hangzhou
   310051
   China

   Phone: +86 571 8847 3644
   Email: dzwanli@126.com


   Xing Wang (editor)
   Hikvision
   555 Qianmo Road, Binjiang District
   Hangzhou
   310051
   China

   Phone: +86 571 8847 3644
   Email: xing.wang.email@gmail.com



















