Minutes IETF97: t2trg
minutes-97-t2trg-00

T2TRG Summary meeting at IETF 97
Seoul, South Korea

Wednesday, November 16, 2016, 15:20-16:20
Chairs: Carsten Bormann & Ari Keranen

Note takers: Francesca Palombini, Christian Groves, Ari Keranen
Git repo for this meeting at: https://github.com/t2trg/2016-ietf97

15:20  RG Status Update (Chairs)
slides:
https://github.com/t2trg/2016-ietf97/blob/master/slides/10-T2TRG-2016-ietf97-summary-chair-material.pdf

Carsten gave overview of T2TRG scope & goals. RG meetings: with W3C in Nice and
Lisbon, San Jose IAB IoTSI WS, Buenos Aires and Berlin, RIOT summit in Berlin,
Implementors' meeting in Ludwigsburg, joint meeting with ICNRG in Seoul. 2017
calendar open TBD. Joint meeting with ICNRG and T2TRG on Sunday before the IETF
97.

15:30  W3C WoT Update (Matthias Kovatsch)
slides:
https://www.ietf.org/proceedings/97/slides/slides-97-t2trg-wot-update-00.pdf

* W3C WoT mission: not to create another standard. Building blocks of semantic
metadata for interoperability. How to develop portable IoT applications. WoT
Building blocks: WoT scripting API, thing descriptions (TD), protocol mappings,
security and privacy. TD is the central building block. * WoT interest group in
W3C since April 2015. Rechartered in August 2016. 210 participants. 7
face-2-face meetings thus far (4 in 2016). * Proposed new WoT Working Group:
can do normative standards work. The interest group is more like the T2TRG.
There is a proposed charter. See slide for links. Review in September 2016. 49
support as is. 6 comments on RDF dependency/semantic complexity, scope, and
security. Working on priority of deliverables. TD has the priority as it has
the greatest interest to members. Security consideration: more emphasis that we
have to run checks and running code. Comments from browser vendors. * see slide
8 for links to Resources

[Dinh] Can I participate in W3C as an individual member?
[Matthias] University isn't member of W3C but WoT mailing list and Github are
public.

15:40  Security considerations (Mohit Sethi)
slides:
https://www.ietf.org/proceedings/97/slides/slides-97-t2trg-security-considerations-for-the-iot-01.pdf

* Draft originally submitted to CoRE WG several years ago. Decided to address
this in the T2TRG. Draft to act as a repository of security issues for other
drafts dealing with IoT. * Draft discusses the thing life cycle from
manufacturing through to de-comissioning and possible re-purposing. * It also
contains a threat analysis: cloning of things, substitution,
eavesdropping/MiTM, privacy, denial-of-service, firmware replacement, routing
attacks. * It lists challenges in securing against these threats: heterogeneity
of devices, protocol translation vs. e2e security (translation but also
aggregators), software update, verifying device behavior, end of life,
penetration testing, quantum resistance. Got comment from Stepehen Farrell
which led to new challenges being documented. * Several sections discussing
profiles/ architecture / state of the art. Different environments: home/
managed home/ industrial, tradeoffs. Depending on the scenario you may have
different requirements. * What has been changed: there has been a section
reordering, added challenges, bootstrapping has been removed and placed into a
separate draft. * Next Steps: Think it will take a few more iterations to get
the draft finalized. Draft too long, structure should be made more consistent.
Suggest a uniform structure according to security pillars: Security
Architecture, Security model of a thing, security bootstrapping, network
security, application security. Threats: possibly restructure and classify
Security profiles: further detail. State of the art: Is outdated, classify
according to pillars

[Mike St Johns] Frustrated. Document concentrates on threats to things rather
than threats from things. Need to think of IoT of things and that we don't have
the same model of control over them. Cyberphysical threats and DDOS need to be
considered.

[Mohit] Point taken, but we don't think we can go into solutions in the draft.

[Mike] Can we afford profiles with little security?

[Dan York] Agree with Mike. Practical question: how do you want the feedback?
Github?

[Mohit] Github or email

[Ari] Preferable to email the RG list. Github good to keep track of the issues.

[Jason Livingood] There's a document coming out of the BTAG going through many
relevant issues.

[Mohit] Many forums writing guidelines in this space. We don't think we can
take all of them into account.

[Lee Howard] Can prevent threats from by dealing with threats to.

[Niels Ten Over] It would be useful to link to the other guidelines.

[Mohit] Good point.

15:55  RESTful Design and Hypermedia (Ari Keränen)
slides:
https://www.ietf.org/proceedings/97/slides/slides-97-t2trg-restful-iot-work-00.pdf

* Many documents included in this presentation: guidance, hypermedia language
for IoT, Hypermedia apps. (see slide 2 for full list) * RESTful Design
document: collection of basic information, been around for a long time. Lots of
terminology. Idea to be able to give a draft to a new person and for them to be
able to understand RESTful design for IoT. Focused on the constrained devices
and networks. A lot of issues in the issue tracker that we are planning to
adress. * CoRE Application Description: how can you describe APIs of
constrained RESTful applications * Hypermedia Language for IoT: "HTML for IoT"
more focused on control. Related work going on in W3C WoT. * CoRAL Language:
hypermedia representation format for links and forms based on CBOR. 2 different
drafts related to this. * HSML: combined CoRE link format + SenML, using JSON
and CBOR. * Comparing CoRAL to HSML: Why have different approaches? Because its
a research group. Need to understand the similarities and differences. *
Ongoing work: experimentation and evaluation through prototyping. Idea is to
converge into a single solution but right now we are exploring both. *
Hypermedia Applications: Core Lighting from Klaus Hartke (needs update) and
Thing-to-Thing Data Hub. T2T Data Hub tries to have more dynamic resources
following REST principles.

Please read the documents and come back to us if you are interested in any of
those.

No mic comments.

16:10  CoMI/YANG interaction model for IoT (Alexander Pelov)
slides:
https://www.ietf.org/proceedings/97/slides/slides-97-t2trg-yang-interaction-model-for-iot-00.pdf

* Question how many know YANG? Most people put up their hand.
* Current scope of YANG large amount of modules for (routers) less for IoT
(small stuff). CoMI in the middle. In the future there will be more YANG
modules for IoT devices. * Allows a richer vocabulary between devices. * Talked
about interaction model description. How do you determine methods, URI data
syntax and data values? The semantics. * Example with REST. Showing that
content formats may be used to describe the data. How to handle a large number
of possible content types? Use HATEOAS or CoMI/YANG. * Alternative to REST:
CoMI / YANG. In this case much richer set of interactions. Medium term solution
that gives a lot of power at a level below the fully RESTful communication
(long term).

[Carsten] People can always propose topics to be discussed in summary meetings
in the research group.