An overview of how LWM2M and DNS-SD/DNSSEC can be used together to provide secure communication, remote management and provisioning of constrained devices in the Internet of Things, using the open source components Leshan and Tiaki created in the Eclipse IoT community.
Securing Millions of Devices
1. Securing Millions of Devices
Régis Piccand Verisign, Inc.
Kai Hudalla Bosch Software Innovations GmbH
2. What is the Problem?
Photon by particle.io
● very little RAM
● limited power supply
● few MHz only
● low bandwidth
● must be cheap
● out in the field (≠ LAN)
Industrial scale IoT solutions require cheap, small & power efficient sensors & connectivity but still require strong security (authentication, confidentiality, integrity).
[Diagram: Cloud/Data Center; cardinalities 1..[mb]illions and 0..n]
Securely connecting a dozen of these in your lab is easy. Connecting & managing [mb]illions of these via internet is a challenge.
3. Lightweight M2M
.. is a protocol (stack) from the Open Mobile Alliance specifically designed for managing constrained devices.
● UDP / SMS: Connectionless communication suitable for low power/bandwidth environments
● DTLS: Datagram TLS for confidentiality and integrity (RFC 6347)
● CoAP: REST like web transfer protocol targeted at constrained environments with small bandwidth (10s of kbit/s) (RFC 7252)
● LW-M2M: Device management operations/interactions: bootstrap & register device, read/write/execute/observe resource(s)
● Resources: Management objects (pre-defined & custom): Device, LWM2M Server, Firmware Update, Location, Connectivity Monitoring etc.
4. Example Object & Request
The Device object (ID: 3) provides metadata about the device and is mandatory for all LWM2M Clients to implement.
URI format: /{ObjectID}/{InstanceID}/{ResourceID}
LWM2M Server (Cloud/Data Center) ↔ LWM2M Client (Photon by particle.io)
GET /3/0/0 (Device, Manufacturer) → “Particle”
GET /3/0/1 (Device, Model Number) → “Photon”
Device: single instance only
5. Your Solution
Eclipse Leshan
… provides libraries that help people develop their own Lightweight M2M server and client.
● Scandium: Pure Java implementation of Datagram TLS supporting PSK, X.509 & RawPublicKey based authentication, ECDHE based key exchange
● Californium: Pure Java implementation of CoAP over UDP, easy to use API for accessing & implementing resources
● Leshan: Pure Java implementation of LWM2M:
  - set of JARs (easily embeddable)
  - fat JAR for running standalone (test) server
  - OSGi Managed Service implementation
  - Standard LWM2M Objects + (some) IPSO Smart Objects supported out-of-the-box
  - Custom Objects supported by means of API & XML files
Projects are being developed within the context of the Eclipse IoT Working Group. For more information go to:
6. The Provisioning Problem
● Devices must know where they should be connecting to (bootstrap server, message broker, cloud service, etc.)
● Hard-coding the configuration is limiting: not every device should connect to the same services, and service endpoints can change over time…
● LWM2M provides 4 bootstrapping modes
○ 2 hard-coded options, either in flash or smartcard
○ 2 dynamic options:
■ either client or server initiates bootstrap process
■ bootstrap server writes config data to the device
● How does a device reliably and securely determine the correct endpoint?
7. Tiaki To The Rescue
● Tiaki is a Secure Service Discovery SDK
● Tiaki allows clients to look up service details (endpoint, port, priority, weight, type) and configuration securely from DNS
● Tiaki is based on the DNS Service Discovery (DNS-SD) and DNS Security Extensions (DNSSEC) IETF Standards
● Tiaki validates signatures to authenticate the origin and integrity of data
● Tiaki is available for C, Java and as a command-line interface
10. How To Use Tiaki
Command line
$ java -jar iot-discovery-jcli-1.0.jar -i -s mqtt -d example.com
iot.eclipse.org:1883 "server=Mosquitto" "version=1.3.1"
Java SDK
DnsServicesDiscovery discoverer = new DnsServicesDiscovery();
Fqdn fullyQualifiedDomainName = new Fqdn("example.com");
CompoundLabel serviceType = new CompoundLabel("mqtt");
Set<ServiceInstance> discoveryResult = discoverer.listServiceInstances(fullyQualifiedDomainName, serviceType);
for (ServiceInstance instance : discoveryResult) {
    System.out.println(instance);
}
https://projects.eclipse.org/projects/iot.tiaki
https://github.com/verisign/iot-discovery-jcli | https://github.com/verisign/iot-discovery-services
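How a provisioning client might act on discovery results, as an added example that is not part of the original slides and not Tiaki's API: it uses only DNSSEC-validated SRV answers, picks by priority and weight (RFC 2782), and fails closed when nothing validated is left. The `Srv` record, its `validated` flag and all host names except the slide's `iot.eclipse.org:1883` are constructed for illustration.

```java
import java.util.*;

public class SecureSrvSelection {
    // Constructed stand-in for one DNS-SD SRV answer. "validated" models the result of
    // DNSSEC signature validation for that record set (hypothetical field, not Tiaki's API).
    record Srv(String host, int port, int priority, int weight, boolean validated) {}

    // RFC 2782 selection: lowest priority wins; within that tier, pick at random in
    // proportion to weight. Unvalidated answers are never used, even as a last resort.
    // Simplification: a weight-0 record is chosen only when the whole tier has weight 0.
    static Optional<Srv> select(List<Srv> answers, Random rng) {
        List<Srv> trusted = answers.stream().filter(Srv::validated).toList();
        if (trusted.isEmpty()) return Optional.empty();
        int best = trusted.stream().mapToInt(Srv::priority).min().getAsInt();
        List<Srv> tier = trusted.stream().filter(s -> s.priority() == best).toList();
        int total = tier.stream().mapToInt(Srv::weight).sum();
        if (total == 0) return Optional.of(tier.get(rng.nextInt(tier.size())));
        int ticket = rng.nextInt(total); // uniform in 0 .. total-1
        for (Srv s : tier) {
            ticket -= s.weight();
            if (ticket < 0) return Optional.of(s);
        }
        throw new IllegalStateException("weights changed during selection");
    }

    public static void main(String[] args) {
        List<Srv> answers = List.of( // constructed sample answers
            new Srv("iot.eclipse.org", 1883, 10, 60, true),
            new Srv("backup.example.com", 1883, 10, 40, true),
            new Srv("fallback.example.com", 1883, 20, 0, true),
            // Most attractive priority, but its signatures did not validate.
            new Srv("rogue.example.net", 1883, 0, 100, false));
        Random rng = new Random(42);

        // Tally which endpoint 1000 simulated devices would connect to.
        Map<String, Integer> hits = new TreeMap<>();
        for (int i = 0; i < 1000; i++)
            hits.merge(select(answers, rng).orElseThrow().host(), 1, Integer::sum);
        System.out.println(hits);

        // When only unvalidated data comes back, the device must not connect anywhere.
        List<Srv> unvalidatedOnly = List.of(new Srv("rogue.example.net", 1883, 0, 100, false));
        System.out.println(select(unvalidatedOnly, rng).isPresent()
            ? "connect" : "no validated endpoint: stay unprovisioned and retry later");
    }
}
```

Records and `Stream.toList()` need Java 16 or later.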
11. What you should take away
★ LWM2M is great for managing constrained devices!
★ Californium 1.0 release expected for Nov 2015
★ Leshan 1.0 release to follow up shortly after
★ Tiaki helps with initial provisioning of devices (e.g. LWM2M clients) thanks to SECURE Service Discovery
★ Initial Contribution being processed
Tiaki not (yet) targeted at constrained devices, your help is needed to make that happen!
12. Try it, get in touch :-)
rpiccand@verisign.com
kai.hudalla@bosch-si.com