Objectives

The project aims at achieving the following four key objectives:

O1. Design an Extendable Scalable IoT Naming Architecture. The first objective is to design a system architecture for scalable IoT naming and resolution based on open IETF standards and minimal extensions. It needs to take into account heterogeneous identifiers of IoT devices and resolve names in a uniform way for various types of networks.

The resolution scheme will build on the DNS infrastructure and extend its functions using existing IETF standards to fit the requirements of IoT networks. In particular, it needs to take into account device constraints in terms of limited memory, energy, and bandwidth, and scale up to a billion devices. To take advantage of IPv6 addresses in LPWAN, we plan to extend the architecture to include Static Context Header Compression (SCHC) proposed by the IETF LPWAN WG.

In this objective, we will consider the object lifecycle and identify the impact on the DNS architecture in terms of device ownership and provisioning through DNS.

We also need to find means for assigning compact identifiers and names to IoT devices that would enable their reuse in different kinds of networks and allow expressing a rich set of device features. We plan to validate this architecture initially on LoRa and extend it for NB-IoT and future 5G MTC (Machine Type Communications) networks. If we can validate the architecture on LoRa, which does not natively provide IP connectivity to end devices, we will work on the premise that it also fits other legacy and new IoT networks.

Architecture for secure IoT naming and resolution schemes

O2. Design a Lightweight Authentication and Authorization Framework for IoT Devices. For authentication and authorization in a constrained environment, an IoT device needs to store a compressed X.509 certificate. Towards this goal, we propose to explore compressing X.509 certificates with Concise Binary Object Representation (CBOR) using CBOR Object Signing and Encryption (COSE). In the Internet, DANE Transport Layer Security Authentication (TLSA) records enable storing a SHA-256 certificate fingerprint rather than the whole X.509 certificate and take advantage of DNSSEC to guarantee data integrity. Thus, entities in IoT constrained networks and in the Internet can share the same variant of an X.509 certificate.

When an IoT device with a compressed X.509 certificate initiates a TLS handshake, the certificate is trusted based on the DANE TLSA record stored in DNS and, because DNSSEC guarantees data integrity, the PKI trust chain for the certificate can be validated.
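The fingerprint check described above can be sketched as follows. This is an added example, not code from the project: it assumes the resolver has already validated the TLSA answer with DNSSEC, that the record is given in the standard presentation format (usage, selector, matching type, hex data), and it uses constructed byte strings in place of real DER-encoded certificate data.

```python
import hashlib
import hmac

def parse_tlsa(rdata: str):
    """Split TLSA presentation format: usage selector matching-type hex-data."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA rdata needs usage, selector, matching type, data")
    usage, selector, mtype = (int(x) for x in fields[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1):
        raise ValueError("unsupported certificate usage or selector")
    return usage, selector, mtype, bytes.fromhex("".join(fields[3:]))

def tlsa_matches(rdata: str, cert_der: bytes, spki_der: bytes) -> bool:
    """Compare the presented certificate with a DNSSEC-validated TLSA record."""
    _usage, selector, mtype, data = parse_tlsa(rdata)
    # Selector 0 covers the full certificate, selector 1 only its public key.
    selected = cert_der if selector == 0 else spki_der
    if mtype == 0:        # exact match on the selected bytes
        candidate = selected
    elif mtype == 1:      # SHA-256 fingerprint, the case the text describes
        candidate = hashlib.sha256(selected).digest()
    elif mtype == 2:      # SHA-512 fingerprint
        candidate = hashlib.sha512(selected).digest()
    else:
        raise ValueError("unknown matching type")
    return hmac.compare_digest(candidate, data)  # constant-time comparison

# Constructed stand-ins for the DER bytes sent in the TLS handshake.
CERT_DER = b"constructed stand-in for the DER bytes of a device certificate"
SPKI_DER = b"constructed stand-in for its SubjectPublicKeyInfo"
# Record as it would be published for the device name: usage 3, selector 0, SHA-256.
RECORD = "3 0 1 " + hashlib.sha256(CERT_DER).hexdigest()

if __name__ == "__main__":
    print(tlsa_matches(RECORD, CERT_DER, SPKI_DER))            # matching certificate
    print(tlsa_matches(RECORD, CERT_DER + b"\x00", SPKI_DER))  # altered certificate
```

The comparison only carries trust if the TLSA answer itself was DNSSEC-validated; an unvalidated answer must be treated as if no record existed.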

We will apply the PKI framework to roaming IoT devices: we propose to explore the idea of IoTRoam, a federation of DNS servers for IoT similar to EduRoam (the network that enables authentication of users in university Wi-Fi hotspots). An IoT device can be authenticated in networks belonging to different operators or owners based on its name. This type of open federated infrastructure is useful for research and public IoT networks. It will enable seamless roaming of IoT devices between multiple IoT networks. We propose to study this implementation initially on LoRa networks based on DNS and OpenID, OAuth 2.0, and the Authentication and Authorization for Constrained Environments (ACE) framework. The framework will include recent advances in DNS privacy to limit the scope of the name resolution to some well-defined actors and consider randomized low-level identifiers to avoid tracking personal information.

O3. Define Semantic Naming, Resolution, and Discovery for IoT Devices. We propose to construct a unique semantic identifier (USI) for an IoT device representing its various features such as type of sensors, data encoding, data units, frequency of measurements, type of statistical processing, quality of transmission, and others defined by specific applications. We assume that features are predicates, i.e., statements that may be true or false. The USI will be a Bloom filter on a set of features so that, knowing the USI, we can retrieve the set of features, thus enabling IoT discovery of devices and data sources.
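A minimal sketch of a USI built as a Bloom filter over feature predicates, added here as an illustration and not taken from the project. The filter size, the number of hash functions, the SHA-256 double-hashing scheme, the feature labels, and the idea of recovering features by testing a known vocabulary are all assumptions of this example.

```python
import hashlib

M_BITS = 128   # assumed USI length in bits (the page does not fix one)
K_HASHES = 4   # assumed number of hash functions

def bit_positions(feature: str) -> list[int]:
    """K_HASHES positions per feature, derived from SHA-256 by double hashing."""
    digest = hashlib.sha256(feature.encode("utf-8")).digest()
    h1 = int.from_bytes(digest[:8], "big")
    h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step keeps positions distinct
    return [(h1 + i * h2) % M_BITS for i in range(K_HASHES)]

def make_usi(features) -> int:
    """Set the bits of every feature predicate that is true for the device."""
    usi = 0
    for feature in features:
        for pos in bit_positions(feature):
            usi |= 1 << pos
    return usi

def has_feature(usi: int, feature: str) -> bool:
    """False means certainly absent; True means present or a false positive."""
    return all((usi >> pos) & 1 for pos in bit_positions(feature))

def recover_features(usi: int, vocabulary) -> list[str]:
    """Retrieve features by testing each predicate of a known vocabulary."""
    return sorted(f for f in vocabulary if has_feature(usi, f))

def matches_query(usi: int, required) -> bool:
    """Discovery: does the device USI contain all bits of the queried features?"""
    query = make_usi(required)
    return (usi & query) == query

def false_positive_rate(usi: int) -> float:
    """Chance that an absent feature still tests True, given the bits set."""
    return (bin(usi).count("1") / M_BITS) ** K_HASHES

# Constructed feature predicates for one device (labels are made up here).
DEVICE = ["sensor=temperature", "unit=celsius", "encoding=cbor", "period=600s"]
VOCABULARY = DEVICE + ["sensor=humidity", "unit=kelvin", "encoding=json"]

if __name__ == "__main__":
    usi = make_usi(DEVICE)
    print(f"USI = {usi:032x}")
    print(recover_features(usi, VOCABULARY))
    print(matches_query(usi, ["sensor=temperature", "encoding=cbor"]))
    print(f"false-positive rate ~ {false_positive_rate(usi):.6f}")
```

A Bloom filter never misses a feature that was inserted but can report one that was not, so a USI match is suitable for narrowing discovery results and should not be the sole basis for an authorization decision.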

Finally, we also plan to design a scheme for expressing the geographic location of IoT devices in USI or in a DNS name, and enable queries on geographic regions. Such geo-queries can take advantage of a recursive quadtree partitioning of the 2D world map and the definition of geo-prefixes, compact representations of GPS area coordinates.
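The recursive quadtree partitioning and geo-prefixes can be illustrated as below. This is an added example, not the project's encoding: the digit assignment (0 = north-west, 1 = north-east, 2 = south-west, 3 = south-east), the function names, the device names, and the coordinates are assumptions made for the sketch.

```python
def geo_prefix(lat: float, lon: float, depth: int) -> str:
    """Quadtree path of the cell containing (lat, lon), one digit per level."""
    if not (-90 <= lat <= 90 and -180 <= lon <= 180):
        raise ValueError("coordinates out of range")
    south, north, west, east = -90.0, 90.0, -180.0, 180.0
    digits = []
    for _ in range(depth):
        mid_lat, mid_lon = (south + north) / 2, (west + east) / 2
        upper, right = lat >= mid_lat, lon >= mid_lon
        digits.append(str((0 if upper else 2) + (1 if right else 0)))
        # Descend into the chosen quadrant for the next level.
        south, north = (mid_lat, north) if upper else (south, mid_lat)
        west, east = (mid_lon, east) if right else (west, mid_lon)
    return "".join(digits)

def cell_bounds(prefix: str):
    """(south, west, north, east) of the area a geo-prefix stands for."""
    south, north, west, east = -90.0, 90.0, -180.0, 180.0
    for digit in prefix:
        quadrant = int(digit)
        if quadrant not in (0, 1, 2, 3):
            raise ValueError("geo-prefix digits must be 0-3")
        mid_lat, mid_lon = (south + north) / 2, (west + east) / 2
        south, north = (mid_lat, north) if quadrant < 2 else (south, mid_lat)
        west, east = (mid_lon, east) if quadrant % 2 else (west, mid_lon)
    return south, west, north, east

def devices_in_region(index: dict, region: str) -> list:
    """Geo-query: a device lies in a region iff its prefix extends the region's."""
    return sorted(name for name, p in index.items() if p.startswith(region))

# Constructed device index; names and coordinates are illustrative only.
INDEX = {
    "node-a.example": geo_prefix(45.19, 5.72, 6),
    "node-b.example": geo_prefix(48.85, 2.35, 6),
    "node-c.example": geo_prefix(40.71, -74.00, 6),
}

if __name__ == "__main__":
    print(INDEX)
    print(cell_bounds("1022"))
    print(devices_in_region(INDEX, "10222"))
```

Prefix length sets the precision that a name or USI discloses: each additional digit quarters the area, so publishing a shorter geo-prefix reveals a coarser device location.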

In the name resolution process, users may resolve a name as a two-step operation: i) the first resolution from DNS returns a server able to provide more information related to the name, and ii) subsequent discovery resolution on that server finds all IoT devices related to the name. For instance, when a name encodes some IoT device features, the server will provide the features corresponding to the name.

We will explore the means for supporting rich queries on various features of IoT devices in the name resolution scheme: geographic location, type of generated data, etc.

Proposed scheme for identifiers, addresses, and names supporting authentication and authorization

O4. Validate and Experiment on Real-World Networks.
In the initial phase, the project will experiment with the proposed naming and resolution schemes and the authentication and authorization framework in the context of LoRa networks (already deployed in 90 different countries with around 50 million connected devices), which present interesting challenges: the need for several device/application identifiers and keys (DevAddr, DevEUI, AppEUI, AppKey), interoperability between several operators, and discovery of relevant devices by users or applications. One reason for experimenting on LoRa networks is that the LoRa back-end specification already uses DNS for identifier resolution. Moreover, the constraints of LoRa end devices, which operate on duty cycles and go to sleep for long periods of time, present an interesting challenge requiring experimental validation of the proposed name resolution scheme. DiNS will also test the SCHC header compression scheme in the context of identification and naming in LoRa networks.

The project will develop early operational prototypes and validate their functionalities in experiments on LoRa networks. The prototypes will provide support for LoRa device registration, activation, and roaming based on the information stored in DNS. Once tested on LoRa, we could extend the schemes to other technologies such as cellular NB-IoT or future 5G MTC.