Home / Blogs

To our readers: Does your company offer DNS or DNS Security services? CircleID has an opening for an exclusive sponsor for our DNS topic. Gain unparalleled results with our deep market integration. Get in touch: [email protected]

Evolving From an Internet Registry to IoT Registry

As the name indicates, the Internet of Things (IoT) should be an extension of the Internet. However, in reality, most IoT applications are Siloed infrastructures. We will analyse the main challenges in the IoT and explain how an Internet registry could be evolved to provide a secure and privacy integrated Identity and access management service for IoT.

Freedom: Tim Berners-Lee, best known as the inventor of the World Wide Web, mentioned the freedom in the Internet as—“I should be able to pick which applications I use for managing my life, I should be able to pick which content I look at, and I should be able to pick which device I use, which company I use for supplying my Internet, and I’d like those to be independent choices.” The freedom that Tim Berners-Lee expects is possible in the Internet, but not in IoT. Most IoT applications are Walled Gardens, restricting users to specific devices, technologies or applications. The freedom to choose has become more and more a necessity in IoT, and therefore there are efforts in the form of software suites or technologies to provide more choices to the consumers. IoT technologies like LoRaWAN (Long Range Wide Area Network) ensure freedom of choice by providing open specifications to make products available from multiple suppliers.

Interoperability: It is natural to expect interoperability between different applications to access a service in the Internet. For example, one can use any browser such as Chrome, Safari or Firefox to access a website. Similarly, one can send a mail to anyone using any e-mail application. Imagine a scenario where one with a Gmail account can only send mail to users’ with a Gmail account and not to Yahoo or Outlook users. The IoT consumer currently has the hassles of installing and using tens to hundreds of separate apps for accessing different IoT services (e.g., Alexa, Apple, Samsung, Smart lights at home, pet tracker, pacemaker etc.). For example, one cannot control a Philips bulb with Amazon’s Alexa or Apple’s Siri, limiting the interoperability between a product’s service to another, unlike in the Internet.

Number portability: enables users to retain their telephone number while switching from one mobile network carrier to another. In the Internet, with the domain names as persistent identifiers, it is possible to use the same domain name even when the IP address of the webserver is changed. According to BEREC report on IoT, switching connectivity service providers requires a hardware modification, such as replacing the connectivity module.

End-to-End Security: is mostly provided inside the IoT walled garden. When the need arises to securely communicate with the stakeholders outside the walled garden, some challenges need to be addressed. In the LoRaWAN, for example, Pre-Shared cryptographic Keys enable secure communication with multiple stakeholders. The downside is that the Pre-Shared Keys, as the name indicates, need to be shared prior to communication, mitigating the possibility of dynamic, secure communication like in the Internet.

Privacy: Beyond the content of messages exchanged by IoT devices, users’ privacy can be compromised by the metadata of the related communications. Identifiers exposed in network traffic are a source of privacy issues. For instance, identifying a medical appliance in a household could reveal a medical condition of one of the inhabitants, which is considered sensitive by the European regulation—GDPR.

Addressing the above challenges by a DNS based IoT Registry

We have two significant identifiers in the Internet - the IP addresses and domain names. The Domain Naming System (DNS) enables mapping the domain names to IP addresses. There are heterogeneous identifiers and registries in the IoT, scaling from local to global scope. If the different identifiers need to be visible and interoperable globally, a feasible option is to provision them in the Internet’s naming service, i.e., the DNS.

Bringing in the heterogeneous IoT namespaces to be delegated under the DNS solves two major issues: first, a particular company, industry or an alliance of companies could operate and manage their respective IoT namespaces independently. Second, it is possible to interoperate between these different IoT namespaces for identifier resolution and service discovery. Thus, providing the freedom of choice for IoT identity management and the possibility to interoperate between the IoT Walled gardens.

Number portability becomes possible when the IoT identifiers are provisioned and resolved via the DNS. Modifying the IoT identifier pointer to the new connectivity service in the DNS zone enables the IoT device to be discovered or resolved via the new connectivity operator without the need for replacing the IoT hardware. This is how it is done even for mobile number portability by using services such as GSMA PathFinder, which is based on DNS.

As discussed earlier, the security fabric in IoT involving multi-stakeholders using Pre-Shared Keys is challenging to scale dynamically. Asymmetric Keys using Public Key Infrastructure (PKI), have worked well for secure Internet communication and cannot be used in IoT due to the size of the certificates and the cost involved. It is impossible to send X.509 digital certificate (Around 2000 bytes) over a LoRaWAN Communication, whose maximum frame size could be 51 bytes. With its project partners (Figure 1), Afnic is experimenting IETF Standards to compress X.509 certificates with Concise Binary Object Representation (CBOR) for IoT end devices and use the DANE Transport Layer Security Authentication (TLSA) records that store a SHA 256 certificate fingerprint rather than the whole certificate.

Figure 1: Afnic’s R&D work with multiple partners on resolving different IoT challenges

Since Identifiers serve as the principal interface to access IoT data, they could expose personal information. Afnic with the PIVOT project partners is working on grouping named content into different content types to reflect application types and services. The objective is to use the DNS integrated PKI infrastructure for privacy-preserving IoT.

Figure 2: Evolution from Internet Registry to IoT registry using DNS as naming Service

The Role of Internet Registries in IoT

For all the IoT identifiers to be visible in the global Internet scope, the only operationally feasible way is to provision them in DNS. Therefore, the Internet naming registries, with their long experience in managing domain name registration, resolution, and DNS expertise, should also be able to play the role of a registry in the IoT domain.

Afnic has launched in this evolution journey with more than 12 years of R&D experience after influencing two standards (GS1, LoRa Alliance) to include DNS and working with multiple industrial and institutional partners in France and Germany. Our objective is to provide a complete IoT Registry package that facilitates IoT provisioning, resolution, security, and privacy.

By Sandoche Balakrichenan, Head of R&D Partnerships at AFNIC

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

Comment Title:

  Notify me of follow-up comments

We encourage you to post comments and engage in discussions that advance this post through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can report it using the link at the end of each comment. Views expressed in the comments do not represent those of CircleID. For more information on our comment policy, see Codes of Conduct.

Related

Topics

IPv4 Markets

Sponsored byIPv4.Global

Domain Names

Sponsored byVerisign

Brand Protection

Sponsored byCSC

Cybersecurity

Sponsored byVerisign

Threat Intelligence

Sponsored byWhoisXML API