-
Securing name resolution in the IoT: DNS over CoAP
Authors:
Martine S. Lenders,
Christian Amsüss,
Cenk Gündogan,
Marcin Nawrocki,
Thomas C. Schmidt,
Matthias Wählisch
Abstract:
In this paper, we present the design, implementation, and analysis of DNS over CoAP (DoC), a new proposal for secure and privacy-friendly name resolution of constrained IoT devices. We implement different design choices of DoC in RIOT, an open-source operating system for the IoT, evaluate performance measures in a testbed, compare with DNS over UDP and DNS over DTLS, and validate our protocol desi…
▽ More
In this paper, we present the design, implementation, and analysis of DNS over CoAP (DoC), a new proposal for secure and privacy-friendly name resolution of constrained IoT devices. We implement different design choices of DoC in RIOT, an open-source operating system for the IoT, evaluate performance measures in a testbed, compare with DNS over UDP and DNS over DTLS, and validate our protocol design based on empirical DNS IoT data. Our findings indicate that plain DoC is on par with common DNS solutions for the constrained IoT but significantly outperforms when additional standard features of CoAP are used such as caching. With OSCORE, we can save more than 10 kBytes of code memory compared to DTLS, when a CoAP application is already present, and retain the end-to-end trust chain with intermediate proxies, while leveraging features such as group communication or encrypted en-route caching. We also discuss a compression scheme for very restricted links that reduces data by up to 70%.
△ Less
Submitted 27 July, 2023; v1 submitted 15 July, 2022;
originally announced July 2022.
-
Reliable Firmware Updates for the Information-Centric Internet of Things
Authors:
Cenk Gündoğan,
Christian Amsüss,
Thomas C. Schmidt,
Matthias Wählisch
Abstract:
Security in the Internet of Things (IoT) requires ways to regularly update firmware in the field. These demands ever increase with new, agile concepts such as security as code and should be considered a regular operation. Hosting massive firmware roll-outs present a crucial challenge for the constrained wireless environment. In this paper, we explore how information-centric networking can ease rel…
▽ More
Security in the Internet of Things (IoT) requires ways to regularly update firmware in the field. These demands ever increase with new, agile concepts such as security as code and should be considered a regular operation. Hosting massive firmware roll-outs present a crucial challenge for the constrained wireless environment. In this paper, we explore how information-centric networking can ease reliable firmware updates. We start from the recent standards developed by the IETF SUIT working group and contribute a system that allows for a timely discovery of new firmware versions by using cryptographically protected manifest files. Our design enables a cascading firmware roll-out from a gateway towards leaf nodes in a low-power multi-hop network. While a chunking mechanism prepares firmware images for typically low-sized maximum transmission units (MTUs), an early Denial-of-Service (DoS) detection prevents the distribution of tampered or malformed chunks. In experimental evaluations on a real-world IoT testbed, we demonstrate feasible strategies with adaptive bandwidth consumption and a high resilience to connectivity loss when replicating firmware images into the IoT edge.
△ Less
Submitted 21 August, 2021;
originally announced August 2021.
-
Networking Group Content: RESTful Multiparty Access to a Data-centric Web of Things
Authors:
Cenk Gündoğan,
Christian Amsüss,
Thomas C. Schmidt,
Matthias Wählisch
Abstract:
Content replication to many destinations is a common use case in the Internet of Things (IoT). The deployment of IP multicast has proven inefficient, though, due to its lack of layer-2 support by common IoT radio technologies and its synchronous end-to-end transmission, which is highly susceptible to interference. Information-centric networking (ICN) introduced hop-wise multi-party dissemination o…
▽ More
Content replication to many destinations is a common use case in the Internet of Things (IoT). The deployment of IP multicast has proven inefficient, though, due to its lack of layer-2 support by common IoT radio technologies and its synchronous end-to-end transmission, which is highly susceptible to interference. Information-centric networking (ICN) introduced hop-wise multi-party dissemination of cacheable content, which has proven valuable in particular for low-power lossy networking regimes. Even NDN, however, the most prominent ICN protocol, suffers from a lack of deployment.
In this paper, we explore how multiparty content distribution in an information-centric Web of Things (WoT) can be built on CoAP. We augment the CoAP proxy by request aggregation and response replication functions, which together with proxy caches enable asynchronous group communication. In a further step, we integrate content object security with OSCORE into the CoAP multicast proxy system, which enables ubiquitous caching of certified authentic content. In our evaluation, we compare NDN with different deployment models of CoAP, including our data-centric approach in realistic testbed experiments. Our findings indicate that multiparty content distribution based on CoAP proxies performs equally well as NDN, while remaining fully compatible with the established IoT protocol world of CoAP on the Internet.
△ Less
Submitted 4 April, 2021;
originally announced April 2021.
-
NERD: Neural Network for Edict of Risky Data Streams
Authors:
Sandro Passarelli,
Cem Gündogan,
Lars Stiemert,
Matthias Schopp,
Peter Hillmann
Abstract:
Cyber incidents can have a wide range of cause from a simple connection loss to an insistent attack. Once a potential cyber security incidents and system failures have been identified, deciding how to proceed is often complex. Especially, if the real cause is not directly in detail determinable. Therefore, we developed the concept of a Cyber Incident Handling Support System. The developed system i…
▽ More
Cyber incidents can have a wide range of cause from a simple connection loss to an insistent attack. Once a potential cyber security incidents and system failures have been identified, deciding how to proceed is often complex. Especially, if the real cause is not directly in detail determinable. Therefore, we developed the concept of a Cyber Incident Handling Support System. The developed system is enriched with information by multiple sources such as intrusion detection systems and monitoring tools. It uses over twenty key attributes like sync-package ratio to identify potential security incidents and to classify the data into different priority categories. Afterwards, the system uses artificial intelligence to support the further decision-making process and to generate corresponding reports to brief the Board of Directors. Originating from this information, appropriate and detailed suggestions are made regarding the causes and troubleshooting measures. Feedback from users regarding the problem solutions are included into future decision-making by using labelled flow data as input for the learning process. The prototype shows that the decision making can be sustainably improved and the Cyber Incident Handling process becomes much more effective.
△ Less
Submitted 8 July, 2020;
originally announced July 2020.
-
IoT Content Object Security with OSCORE and NDN: A First Experimental Comparison
Authors:
Cenk Gündoğan,
Christian Amsüss,
Thomas C. Schmidt,
Matthias Wählisch
Abstract:
The emerging Internet of Things (IoT) challenges the end-to-end transport of the Internet by low power lossy links and gateways that perform protocol translations. Protocols such as CoAP or MQTT-SN are degraded by the overhead of DTLS sessions, which in common deployment protect content transfer only up to the gateway. To preserve content security end-to-end via gateways and proxies, the IETF rece…
▽ More
The emerging Internet of Things (IoT) challenges the end-to-end transport of the Internet by low power lossy links and gateways that perform protocol translations. Protocols such as CoAP or MQTT-SN are degraded by the overhead of DTLS sessions, which in common deployment protect content transfer only up to the gateway. To preserve content security end-to-end via gateways and proxies, the IETF recently developed Object Security for Constrained RESTful Environments (OSCORE), which extends CoAP with content object security features commonly known from Information Centric Networks (ICN).
This paper presents a comparative analysis of protocol stacks that protect request-response transactions. We measure protocol performances of CoAP over DTLS, OSCORE, and the information-centric Named Data Networking (NDN) protocol on a large-scale IoT testbed in single- and multi-hop scenarios. Our findings indicate that (a) OSCORE improves on CoAP over DTLS in error-prone wireless regimes due to omitting the overhead of maintaining security sessions at endpoints, and (b) NDN attains superior robustness and reliability due to its intrinsic network caches and hop-wise retransmissions.
△ Less
Submitted 16 June, 2020; v1 submitted 22 January, 2020;
originally announced January 2020.
-
Bluetooth Mesh under the Microscope: How much ICN is Inside?
Authors:
Hauke Petersen,
Peter Kietzmann,
Cenk Gündoğan,
Thomas C. Schmidt,
Matthias Wählisch
Abstract:
Bluetooth (BT) mesh is a new mode of BT operation for low-energy devices that offers group-based publish-subscribe as a network service with additional caching capabilities. These features resemble concepts of information-centric networking (ICN), and the analogy to ICN has been repeatedly drawn in the BT community. In this paper, we compare BT mesh with ICN both conceptually and in real-world exp…
▽ More
Bluetooth (BT) mesh is a new mode of BT operation for low-energy devices that offers group-based publish-subscribe as a network service with additional caching capabilities. These features resemble concepts of information-centric networking (ICN), and the analogy to ICN has been repeatedly drawn in the BT community. In this paper, we compare BT mesh with ICN both conceptually and in real-world experiments. We contrast both architectures and their design decisions in detail. Experiments are performed on an IoT testbed using NDN/CCNx and BT mesh on constrained RIOT nodes. Our findings indicate significant differences both in concepts and in real-world performance. Supported by new insights, we identify synergies and sketch a design of a BT-ICN that benefits from both worlds.
△ Less
Submitted 26 August, 2019;
originally announced August 2019.
-
Gain More for Less: The Surprising Benefits of QoS Management in Constrained NDN Networks
Authors:
Cenk Gündoğan,
Jakob Pfender,
Michael Frey,
Thomas C. Schmidt,
Felix Shzu-Juraschek,
Matthias Wählisch
Abstract:
Quality of Service (QoS) in the IP world mainly manages forwarding resources, i.e., link capacities and buffer spaces. In addition, Information Centric Networking (ICN) offers resource dimensions such as in-network caches and forwarding state. In constrained wireless networks, these resources are scarce with a potentially high impact due to lossy radio transmission. In this paper, we explore the t…
▽ More
Quality of Service (QoS) in the IP world mainly manages forwarding resources, i.e., link capacities and buffer spaces. In addition, Information Centric Networking (ICN) offers resource dimensions such as in-network caches and forwarding state. In constrained wireless networks, these resources are scarce with a potentially high impact due to lossy radio transmission. In this paper, we explore the two basic service qualities (i) prompt and (ii) reliable traffic forwarding for the case of NDN. The resources we take into account are forwarding and queuing priorities, as well as the utilization of caches and of forwarding state space. We treat QoS resources not only in isolation, but correlate their use on local nodes and between network members. Network-wide coordination is based on simple, predefined QoS code points. Our findings indicate that coordinated QoS management in ICN is more than the sum of its parts and exceeds the impact QoS can have in the IP world.
△ Less
Submitted 20 August, 2019;
originally announced August 2019.
-
ICNLoWPAN -- Named-Data Networking for Low Power IoT Networks
Authors:
Cenk Gündoğan,
Peter Kietzmann,
Thomas C. Schmidt,
Matthias Wählisch
Abstract:
Information Centric Networking is considered a promising communication technology for the constrained IoT, but NDN was designed only for standard network infrastructure.
In this paper, we design and evaluate an NDN convergence layer for low power lossy links that (1) augments the NDN stateful forwarding with a highly efficient name eliding, (2) devises stateless compression schemes for standard…
▽ More
Information Centric Networking is considered a promising communication technology for the constrained IoT, but NDN was designed only for standard network infrastructure.
In this paper, we design and evaluate an NDN convergence layer for low power lossy links that (1) augments the NDN stateful forwarding with a highly efficient name eliding, (2) devises stateless compression schemes for standard NDN use cases, (3) adapts NDN packets to the small MTU size of IEEE 802.15.4, and (4) generates compatibility with 6LoWPAN so that IPv6 and NDN can coexist on the same LoWPAN links. Our findings indicate that stateful compression can reduce the size of NDN data packets by more than 70% in realistic examples. Our experiments show that for common use cases ICNLoWPAN saves 33% of transmission resources over NDN, and about 20% over 6LoWPAN.
△ Less
Submitted 17 December, 2018;
originally announced December 2018.
-
Security for the Industrial IoT: The Case for Information-Centric Networking
Authors:
Michael Frey,
Cenk Gündoğan,
Peter Kietzmann,
Martine Lenders,
Hauke Petersen,
Thomas C. Schmidt,
Felix Shzu-Juraschek,
Matthias Wählisch
Abstract:
Industrial production plants traditionally include sensors for monitoring or documenting processes, and actuators for enabling corrective actions in cases of misconfigurations, failures, or dangerous events. With the advent of the IoT, embedded controllers link these `things' to local networks that often are of low power wireless kind, and are interconnected via gateways to some cloud from the glo…
▽ More
Industrial production plants traditionally include sensors for monitoring or documenting processes, and actuators for enabling corrective actions in cases of misconfigurations, failures, or dangerous events. With the advent of the IoT, embedded controllers link these `things' to local networks that often are of low power wireless kind, and are interconnected via gateways to some cloud from the global Internet. Inter-networked sensors and actuators in the industrial IoT form a critical subsystem while frequently operating under harsh conditions. It is currently under debate how to approach inter-networking of critical industrial components in a safe and secure manner.
In this paper, we analyze the potentials of ICN for providing a secure and robust networking solution for constrained controllers in industrial safety systems. We showcase hazardous gas sensing in widespread industrial environments, such as refineries, and compare with IP-based approaches such as CoAP and MQTT. Our findings indicate that the content-centric security model, as well as enhanced DoS resistance are important arguments for deploying Information Centric Networking in a safety-critical industrial IoT. Evaluation of the crypto efforts on the RIOT operating system for content security reveal its feasibility for common deployment scenarios.
△ Less
Submitted 5 March, 2019; v1 submitted 10 October, 2018;
originally announced October 2018.
-
NDN, CoAP, and MQTT: A Comparative Measurement Study in the IoT
Authors:
Cenk Gündoğan,
Peter Kietzmann,
Martine Lenders,
Hauke Petersen,
Thomas C. Schmidt,
Matthias Wählisch
Abstract:
This paper takes a comprehensive view on the protocol stacks that are under debate for a future Internet of Things (IoT). It addresses the holistic question of which solution is beneficial for common IoT use cases. We deploy NDN and the two popular IP-based application protocols, CoAP and MQTT, in its different variants on a large-scale IoT testbed in single- and multi-hop scenarios. We analyze th…
▽ More
This paper takes a comprehensive view on the protocol stacks that are under debate for a future Internet of Things (IoT). It addresses the holistic question of which solution is beneficial for common IoT use cases. We deploy NDN and the two popular IP-based application protocols, CoAP and MQTT, in its different variants on a large-scale IoT testbed in single- and multi-hop scenarios. We analyze the use cases of scheduled periodic and unscheduled traffic under varying loads. Our findings indicate that (a) NDN admits the most resource-friendly deployment on nodes, and (b) shows superior robustness and resilience in multi-hop scenarios, while (c) the IP protocols operate at less overhead and higher speed in single-hop deployments. Most strikingly we find that NDN-based protocols are in significantly better flow balance than the UDP-based IP protocols and require less corrective actions.
△ Less
Submitted 27 September, 2018; v1 submitted 4 June, 2018;
originally announced June 2018.
-
HoPP: Robust and Resilient Publish-Subscribe for an Information-Centric Internet of Things
Authors:
Cenk Gündoğan,
Peter Kietzmann,
Thomas C. Schmidt,
Matthias Wählisch
Abstract:
This paper revisits NDN deployment in the IoT with a special focus on the interaction of sensors and actuators. Such scenarios require high responsiveness and limited control state at the constrained nodes. We argue that the NDN request-response pattern which prevents data push is vital for IoT networks. We contribute HoP-and-Pull (HoPP), a robust publish-subscribe scheme for typical IoT scenarios…
▽ More
This paper revisits NDN deployment in the IoT with a special focus on the interaction of sensors and actuators. Such scenarios require high responsiveness and limited control state at the constrained nodes. We argue that the NDN request-response pattern which prevents data push is vital for IoT networks. We contribute HoP-and-Pull (HoPP), a robust publish-subscribe scheme for typical IoT scenarios that targets IoT networks consisting of hundreds of resource constrained devices at intermittent connectivity. Our approach limits the FIB tables to a minimum and naturally supports mobility, temporary network partitioning, data aggregation and near real-time reactivity. We experimentally evaluate the protocol in a real-world deployment using the IoT-Lab testbed with varying numbers of constrained devices, each wirelessly interconnected via IEEE 802.15.4 LowPANs. Implementations are built on CCN-lite with RIOT and support experiments using various single- and multi-hop scenarios.
△ Less
Submitted 11 January, 2018;
originally announced January 2018.
-
Connecting the World of Embedded Mobiles: The RIOT Approach to Ubiquitous Networking for the Internet of Things
Authors:
Martine Lenders,
Peter Kietzmann,
Oliver Hahm,
Hauke Petersen,
Cenk Gündoğan,
Emmanuel Baccelli,
Kaspar Schleiser,
Thomas C. Schmidt,
Matthias Wählisch
Abstract:
The Internet of Things (IoT) is rapidly evolving based on low-power compliant protocol standards that extend the Internet into the embedded world. Pioneering implementations have proven it is feasible to inter-network very constrained devices, but had to rely on peculiar cross-layered designs and offer a minimalistic set of features. In the long run, however, professional use and massive deploymen…
▽ More
The Internet of Things (IoT) is rapidly evolving based on low-power compliant protocol standards that extend the Internet into the embedded world. Pioneering implementations have proven it is feasible to inter-network very constrained devices, but had to rely on peculiar cross-layered designs and offer a minimalistic set of features. In the long run, however, professional use and massive deployment of IoT devices require full-featured, cleanly composed, and flexible network stacks.
This paper introduces the networking architecture that turns RIOT into a powerful IoT system, to enable low-power wireless scenarios. RIOT networking offers (i) a modular architecture with generic interfaces for plugging in drivers, protocols, or entire stacks, (ii) support for multiple heterogeneous interfaces and stacks that can concurrently operate, and (iii) GNRC, its cleanly layered, recursively composed default network stack. We contribute an in-depth analysis of the communication performance and resource efficiency of RIOT, both on a micro-benchmarking level as well as by comparing IoT communication across different platforms. Our findings show that, though it is based on significantly different design trade-offs, the networking subsystem of RIOT achieves a performance equivalent to that of Contiki and TinyOS, the two operating systems which pioneered IoT software platforms.
△ Less
Submitted 9 January, 2018;
originally announced January 2018.