Internet Draft                                              B. Srinivas
Document: draft-srinivas-access-na-00.txt                       T. Chan
Expires: July 2002                                                Nokia
                                                          February 2002

                Access Control for Networked Appliances

Status of this Memo

   This document is an Internet-Draft and is in full conformance with
   all provisions of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as
   Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

Abstract

   The use of the SIP protocol for controlling Networked Appliances
   (NAs) has been proposed in several recent IETF drafts including [1]
   and [2].  The issue of controlling access to NAs from a remote
   device is paramount, especially in the context of NAs in the home.
   This draft investigates where the access rules must be stored and
   executed to control access to an NA.  The use of proxy gateways
   within the home domain and their resultant impact on communication
   pathways between the remote device and the NAs have been studied.

Table of Contents

   Status of this Memo................................................1
   Abstract...........................................................1
   1. Introduction....................................................2
   2. Conventions used in this document...............................2
   3. Access Control..................................................2
   3.1. Introduction..................................................2
   3.2. Access Control Rules..........................................4
   3.3. Distributed Access Control....................................4
   3.4. Centralized Access Control....................................6
   3.5. Proxy based Access Control....................................6
   3.6. Failure Scenarios.............................................8
   4. Security Considerations.........................................9
   5. Acknowledgements................................................9
   References........................................................10
   Authors' Addresses................................................10

Srinivas and Chan           Expires July 2002                  [Page 1]

Internet Draft    Access Control for Networked Appliances  February 2002

1. Introduction

   Networked Appliances (NAs), defined as dedicated function consumer
   devices containing at least one networked processor [1], need to
   communicate amongst themselves as well as with an access device.
   Examples of NAs include lamps, coffee makers and alarm clocks, while
   the access device can be a personal computer, a personal digital
   assistant, a smart phone, or any other device.

   Various protocols including X.10, OSGi, HAVi, VHN, and UPnP
   currently exist to control and communicate with networked appliances
   within the home domain.  SIP [RFC2543] appears to be the most
   promising protocol for supporting wide area communications and
   interworking of NAs [1] [2].  Chief among the attractive features of
   SIP are the ability to use abstract names (for the NAs), the
   provisioning of end-to-end security and the carrying of a flexible
   payload.  Modifications to SIP including a new URL, a new method and
   support for sessionless communications have been proposed in the
   recent past [1].  The ability to convey device specific payloads
   within a SIP message via a new MIME type, Device Messaging Protocol
   (DMP) [4], which is an XML-based specification, has further enhanced
   the suitability of SIP as a protocol for NA systems.
   Furthermore, the security features and numerous other traits make
   SIP the ideal protocol for wide area access and interworking of NAs.
   Using SIP for NAs allows re-use of the infrastructure built for SIP
   in a whole new domain.

   In order to be able to control an NA from an access device, the user
   must comply with the access rules which are defined for each NA.
   The access rules may be stored and checked for compliance at various
   locations in the NA system.  This document explores the alternatives
   and their consequences.

2. Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119 [6].

3. Access Control

3.1. Introduction

   Access control constitutes a major component of an NA system.
   Different users may have different levels of rights in accessing
   various NAs.  The owners will probably have administrative rights to
   access all the NAs, and to change the rules that govern other users'
   access rights.  Other users may be given limited rights to access
   different NAs.  For instance, the children may be allowed to access
   the entertainment system only within certain time periods.  Also,
   they should not be allowed to change the light and temperature
   settings of their parents' room.

   Another scenario is that of a guest being given temporary and
   limited access rights to use certain NAs in the house.  For example,
   Bob, the owner of a house, may let his friend, Richard, use his VCR
   to record a football match.  This, in turn, implies that Richard
   should be given access rights to the VCR for the specified time
   period.  However, he should not be able to access any other NAs in
   Bob's house.

   Besides users, different NAs may need to access other NAs.  Access
   rights for each NA to gain access control over other NAs need to be
   defined as well.  Failure to verify access rights can result in a
   misbehaving NA (due to manufacturing defects, software problems, or
   being compromised by attackers) causing great harm to the whole
   system.

   Access control of NAs is closely related to authentication and
   authorization.  We consider two levels of authorization here.  SIP
   messages sent by a user using an access device typically go through
   the authentication and authorization procedure defined in the SIP
   standard.  This process may involve an AAA server which holds the
   user profile and is responsible for authenticating the user's
   identity.  The level of authorization provided here will typically
   just be the determination of whether a user, with an external (to
   the home) access device, has the right to access the Residential
   Gateway (RGW).  Only authenticated and authorized messages will be
   further handled by the RGW.

   A detailed level of authorization, including the identity of the
   user with the right to access a particular NA, the identity of the
   NA to be accessed, the time period of access, and the nature of a
   user's rights, should be handled separately.  To allay privacy and
   security concerns, such an access control system SHOULD be
   implemented inside the house (instead of at the service provider).
   A way to implement the access control system is by means of access
   control rules, which will be discussed in Section 3.2.  Sections 3.3
   to 3.5 describe three different ways of locating the access control
   rules within the house.  Considering secure access to NAs as the
   guiding principle, both extra-home and intra-home access device
   scenarios have been considered.

   Though the concept of an NA system is mostly focused on home
   networking and home automation, it is also applicable to a business
   environment.  The scale of the system, however, is much larger in
   the latter than that of a typical household.
   In the case of an office building, the building management company
   may have access control of the centralized air conditioning systems,
   the lighting, and the security systems.  The tenants will have
   access control of these systems within their offices, as well as
   over all the devices owned by them.  Issues associated with NAs
   within a business environment require further investigation.

3.2. Access Control Rules

   Having outlined the reasons for which access rights for an entity's
   control of an NA are needed, these rights can be defined by a
   rule-based system.  Each rule specifies the rights of a certain
   entity (user or NA) or group of entities to access a certain NA (or
   group of NAs).  There are many aspects to the rules governing access
   to the NAs.  Some of the most prominent of these are listed below:

   1. Subject - entity or group of entities whose rights are specified.

   2. Target - NA, or group of NAs, to which the access rights apply.

   3. Time - the time period to which this rule applies.  The rule may
      apply for all time, or only for one day starting today, or
      weekdays from 5 PM to 9 PM, and so on.

   4. Rights - the particular access rights.  Access rights can range
      from coarse grained to fine grained.  An owner may have all
      access rights to his/her VCR, while a guest is only assigned the
      rights related to recording.  The rights also depend on the
      functionalities of a particular NA.  For instance, a lamp can
      only be turned on and off, while a VCR has a much richer set of
      functionalities.

   5. Priority - different entities may have different priorities.  In
      case of a conflict between two entities seeking to exercise
      control over the same NA, the system will attempt to comply with
      the access rule for the entity having the higher priority first.

   Several service creation tools including CPL and CGI can be used to
   create access control rules [8].
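   The five rule aspects listed above can be exercised directly.  The
   following Python program is an added example; it is not part of this
   draft and is not an implementation from any NA system or tool the
   draft cites.  The household names (Bob, Alice, Tom, Richard), the
   group memberships, the NA identifiers and the time windows are all
   constructed for illustration.  It builds rules with a subject, a
   target, a time window, a rights set and a priority, evaluates a
   request against them with a default-deny outcome, and arbitrates
   between two entities contending for the same NA by priority, as item
   5 describes.

```python
"""Rule-based access control for Networked Appliances (NAs).

Added example, not from the draft: an evaluator for the five rule
aspects of Section 3.2 (subject, target, time, rights, priority).
All entity names, groups, NA identifiers and time windows below are
constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed group memberships.  A subject may be a user or another NA;
# a target may be a single NA or a group of NAs.
GROUPS = {
    "owners": {"bob"},
    "children": {"alice", "tom"},
    "living-room": {"vcr", "tv", "lamp-lr"},
}


@dataclass(frozen=True)
class TimeWindow:
    """When a rule applies; a None field places no restriction."""
    days: Optional[FrozenSet[int]] = None      # 0 = Monday .. 6 = Sunday
    hours: Optional[Tuple[int, int]] = None    # [start, end) on a 24h clock
    valid_from: Optional[date] = None          # inclusive calendar bounds
    valid_to: Optional[date] = None

    def contains(self, when: datetime) -> bool:
        if self.days is not None and when.weekday() not in self.days:
            return False
        if self.hours is not None and not (self.hours[0] <= when.hour < self.hours[1]):
            return False
        if self.valid_from is not None and when.date() < self.valid_from:
            return False
        if self.valid_to is not None and when.date() > self.valid_to:
            return False
        return True


@dataclass(frozen=True)
class Rule:
    subject: str                  # entity id or group name (aspect 1)
    target: str                   # NA id or group name (aspect 2)
    rights: FrozenSet[str]        # operations granted or denied (aspect 4)
    priority: int = 0             # higher wins on conflict (aspect 5)
    time: TimeWindow = field(default_factory=TimeWindow)  # aspect 3
    allow: bool = True            # explicit deny rules are also supported


def _member(name_or_group: str, entity: str) -> bool:
    return entity == name_or_group or entity in GROUPS.get(name_or_group, set())


def applicable(rules: List[Rule], subject: str, target: str,
               right: str, when: datetime) -> List[Rule]:
    """Rules whose subject, target, right and time window all match."""
    return [r for r in rules
            if _member(r.subject, subject) and _member(r.target, target)
            and right in r.rights and r.time.contains(when)]


def decide(rules: List[Rule], subject: str, target: str,
           right: str, when: datetime) -> bool:
    """Default deny.  Among matching rules the highest priority decides;
    an allow and a deny at the same priority resolve to deny."""
    matches = applicable(rules, subject, target, right, when)
    if not matches:
        return False
    top = max(r.priority for r in matches)
    return all(r.allow for r in matches if r.priority == top)


def arbitrate(rules: List[Rule], contenders: List[str], target: str,
              right: str, when: datetime) -> Optional[str]:
    """Two entities want the same NA at once (aspect 5): return the one
    that is permitted and holds the higher-priority rule, or None."""
    ranked = []
    for who in contenders:
        if decide(rules, who, target, right, when):
            prio = max(r.priority for r in applicable(rules, who, target, right, when))
            ranked.append((prio, who))
    return max(ranked)[1] if ranked else None


# Constructed household policy following the scenarios of Section 3.1.
HOUSE_RULES = [
    # Owner: full rights over the living-room NAs, at all times.
    Rule("owners", "living-room",
         frozenset({"on", "off", "play", "record", "admin"}), priority=100),
    # Children: the TV on weekdays between 5 PM and 9 PM only.
    Rule("children", "tv", frozenset({"on", "off", "play"}), priority=10,
         time=TimeWindow(days=frozenset(range(0, 5)), hours=(17, 21))),
    # Children must never change the parents' room thermostat.
    Rule("children", "thermostat-parents", frozenset({"set"}),
         priority=50, allow=False),
    # Guest Richard: record on the VCR, on one day only (constructed date).
    Rule("richard", "vcr", frozenset({"record"}), priority=5,
         time=TimeWindow(valid_from=date(2002, 2, 9), valid_to=date(2002, 2, 9))),
]


def demo() -> Dict[str, object]:
    """Worked requests against HOUSE_RULES, returned so callers can check them."""
    wed_evening = datetime(2002, 2, 13, 18, 0)   # constructed Wednesday, 6 PM
    match_day = datetime(2002, 2, 9, 15, 0)      # constructed Saturday of the match
    return {
        "richard_records_on_match_day": decide(HOUSE_RULES, "richard", "vcr", "record", match_day),
        "richard_records_next_day": decide(HOUSE_RULES, "richard", "vcr", "record", datetime(2002, 2, 10, 15, 0)),
        "richard_turns_on_lamp": decide(HOUSE_RULES, "richard", "lamp-lr", "on", match_day),
        "alice_tv_wed_18": decide(HOUSE_RULES, "alice", "tv", "play", wed_evening),
        "alice_tv_wed_22": decide(HOUSE_RULES, "alice", "tv", "play", datetime(2002, 2, 13, 22, 0)),
        "alice_tv_sat_18": decide(HOUSE_RULES, "alice", "tv", "play", datetime(2002, 2, 9, 18, 0)),
        "tom_sets_parents_thermostat": decide(HOUSE_RULES, "tom", "thermostat-parents", "set", wed_evening),
        "tv_conflict_alice_vs_bob": arbitrate(HOUSE_RULES, ["alice", "bob"], "tv", "play", wed_evening),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

   The explicit deny rule and the rule that a tie between allow and
   deny resolves to deny are design choices of this example, not
   something the draft specifies; the draft only requires that the
   higher-priority entity's rule be honoured first.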
   Whatever the technique used to implement an access control system,
   it can be located and implemented in one of three alternative ways:
   distributed, centralized, and proxy based.

3.3. Distributed Access Control

   In this method of access control, the rules associated with an NA
   are downloaded to and executed in the NA itself.  On a command being
   sent to an NA, based on the access rules located in-situ (as
   indicated by the symbol AR (Access Rules) in each NA), the NA will
   execute the appropriate access rule and decide for itself whether to
   comply with the command or not.  This is the approach adopted by
   HAVi [7].  The advantage of such an approach is that there is no
   single point of failure for intra-home communications.

   As seen in Figure 1, when the RGW is down, the communication
   pathways between an external access device and the NAs will be
   disrupted.  However, when the access device is within the house, the
   pathways do not traverse the RGW, assuming that the authentication
   and authorization of the user is done at each individual NA rather
   than at the RGW.  In this situation, despite the failure of the RGW,
   the communication pathways between the access device and the NAs
   are still available.  Furthermore, when an NA within the house needs
   the service of another (or a group of) NA(s) located within the
   house, the distributed approach ensures that communication is
   maintained even though the RGW is down.

   The drawback of distributed access control is the added requirement
   on each NA to store and execute these rules.  The consequent
   increase in complexity and cost of each NA is an obvious
   disadvantage.
   [Figure 1 is an ASCII diagram that did not survive extraction.
   Recoverable labels: an Access Device in the Wide Area Domain
   connected through the RGW to the Home Domain, where NA1-AR, NA2-AR,
   NA3-AR and NA4-AR each hold their own access rules (AR).]

                  Figure 1: Distributed Access Control

3.4. Centralized Access Control

   For the centralized approach, all rules are centrally warehoused at
   the RGW, where the access rights of all requests will be checked
   (see Figure 2).  Therefore, requests originating from outside the
   house, as well as those originating from within the house, will go
   through the RGW where they are checked for authorization.  The
   advantage of this scheme is its simplicity and uniformity, while the
   drawback is that, for both intra- and extra-home communications, it
   becomes a single point of failure.  Furthermore, even intra-home
   communications need to traverse an additional hop.

   [Figure 2 is an ASCII diagram that did not survive extraction.
   Recoverable labels: an Access Device in the Wide Area Domain
   connected to the Home Domain through RGW-AR, the RGW holding all
   the access rules, which in turn reaches NA1, NA2, NA3 and NA4.]

                  Figure 2: Centralized Access Control

3.5. Proxy based Access Control

   It is desirable to reduce the chances of a single failure causing
   denial of access to all the NAs, especially in the case of remote
   access to all the NAs, whether in a residential or commercial
   setting.  This approach suggests a mechanism to improve the
   robustness of a set of NAs at the cost of a few additional proxy
   gateways within the house (in addition to the RGW).  The proxy based
   access control mechanism for controlling access to a multiplicity of
   NAs eliminates the single point of failure without the associated
   drawback of requiring every NA to store and execute the access
   rules.

   The strategy adopted is as follows (see Figure 3).  While the RGW
   serves as the access gateway in a traditional system, in this
   control system it serves as a simple switching device which routes
   incoming/outgoing messages from/to the remote access device to the
   appropriate proxy gateway.  Several (but fewer than the number of
   NAs in the house) SIP proxy gateways (P in Figure 3) are added which
   will serve as stores and execution platforms for the NA access
   rules.  Each such proxy gateway will control access to a subset of
   the NAs, thus eliminating the danger of there being a single point
   of failure as in a centralized system.  For each proxy gateway that
   fails, only the subset of NAs controlled by that proxy is affected.

   This approach scores over the distributed approach by eliminating
   the requirement for individual NAs to store and execute the access
   rules.  Additionally, for extra-home communications, while the RGW
   is a single point of failure even for distributed access control
   (when authentication and authorization at the RGW fail), the proxy
   gateways serve in making the system more robust by causing only a
   subset of the NAs to be inaccessible due to the failure of each
   proxy gateway.
   It improves on the centralized approach by increasing the number of
   failures which must occur before every NA is inaccessible.  By
   offloading the access control tasks, including those of
   authentication and authorization, from the RGW (as in a centralized
   approach) to the proxy gateways, the likelihood of the RGW failing
   is reduced, limiting the possibility of disruption of the
   communication pathways between an external access device and the
   NAs.

   [Figure 3 is an ASCII diagram that did not survive extraction.
   Recoverable labels: an Access Device in the Wide Area Domain
   connected through the RGW to the Home Domain, where two proxy
   gateways (P-AR), each holding the access rules for a subset of NA1,
   NA2, NA3 and NA4, sit between the RGW and the NAs.]

                  Figure 3: Proxy based Access Control

   Having discussed the three different approaches to implementing
   rule-based access control systems, it should be noted that one
   approach is not necessarily superior to another.  In practice,
   different consumers will have different requirements and
   considerations when choosing a particular architecture.  For
   example, a home owner may decide that the centralized approach is
   more cost-effective, since there are not many NAs in the house, and
   he/she may not be too concerned if the system fails once in a while.
   However, for a large office building, the proxy based approach is
   likely to be the most appropriate choice, with each subsystem
   handled by a separate proxy gateway (or even further partitioned
   according to geographical location).
3.6. Failure Scenarios

   The following discussion focuses on the impact of a failed RGW on
   the communication pathways in an NA system.  All three access
   control scenarios are discussed, including the need for, and the
   consequence of the absence of, a backup RGW.

   If the primary RGW fails, the system will be handed off, if present,
   to the backup RGW.  This ensures that full operation of the system
   can be maintained, including wide-area access from remote locations,
   intra-home communications (access device within the house, or
   access between NAs within the house), as well as all the access
   control features.

   Where there is no backup RGW, possibly due to cost considerations,
   if the primary RGW fails, different levels of service will be
   maintained depending on the particular implementation of the access
   control system in the house.

   In the distributed system, the access control rules are stored in
   the NAs themselves.  Intra-home communications between NAs do not
   need to go through the RGW.  Hence, even if the RGW fails, all
   intra-home features of the NA system can be maintained.  Extra-home
   communications (access device outside the house), however, will not
   be possible since all such communication pathways go through the
   RGW.

   For the centralized system, since all the access control rules are
   stored in the RGW, all the communication pathways go through the
   RGW.  In the event of a failure in the RGW, both extra- and
   intra-home communications will be halted.  Consequently, the need
   for a backup RGW is felt more acutely in this case.

   Finally, for the proxy gateway based access control system, the
   likelihood of the RGW failing is reduced owing to the reduced
   processing load placed on the RGW (straightforward switching alone).
   The individual proxy gateways can be protected with backup proxies
   according to the severity of the loss of access to each NA
   controlled by the corresponding proxy.
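   The reachability consequences described in Sections 3.3 through 3.6
   can be checked with a small model.  The following Python program is
   an added example and is not from this draft; the four NAs, the two
   proxy gateways, the NA-to-proxy assignment and the backup RGW name
   are constructed.  It records which gateways a request traverses in
   each layout (the RGW for every remote request, RGW-AR for every
   centralized request, one proxy gateway per NA in the proxy layout)
   and computes which NAs stay reachable after a given set of gateway
   failures, with and without the backup-RGW handoff.  One assumption
   beyond the draft: intra-home requests in the proxy layout are taken
   to reach the responsible proxy without passing through the RGW,
   which the draft does not state explicitly.

```python
"""Reachability of NAs under gateway failure for the three access control
layouts of Sections 3.3-3.6.

Added example, not from the draft.  The NAs, the two proxy gateways, the
NA-to-proxy assignment and the backup RGW name are all constructed.
"""
from itertools import combinations
from typing import Dict, List, Optional, Set

NAS = ["na1", "na2", "na3", "na4"]

# Proxy layout (Section 3.5): each proxy gateway (P-AR) stores and executes
# the rules for a subset of the NAs; fewer proxies than NAs.  Constructed.
PROXY_OF: Dict[str, str] = {"na1": "p1", "na2": "p1", "na3": "p2", "na4": "p2"}

# Backup RGW handoff (Section 3.6): a gateway counts as down only when it
# and its backup have both failed.  Constructed backup name.
WITH_BACKUP_RGW: Dict[str, str] = {"rgw": "rgw-backup"}


def path(layout: str, origin: str, target: str) -> List[str]:
    """Gateways a request traverses before reaching the target NA.

    origin is "wan" (remote access device, which always enters via the
    RGW) or "home" (access device or NA inside the house).  The last
    gateway listed is where the access rules (AR) are executed, except
    in the distributed layout, where the NA itself executes them.
    """
    via_rgw = ["rgw"] if origin == "wan" else []
    if layout == "distributed":      # Section 3.3: rules live in the NA
        return via_rgw
    if layout == "centralized":      # Section 3.4: RGW-AR checks every request
        return ["rgw"]
    if layout == "proxy":            # Section 3.5: RGW only switches
        # Assumption: an intra-home request goes straight to the proxy.
        return via_rgw + [PROXY_OF[target]]
    raise ValueError(f"unknown layout {layout!r}")


def _down(node: str, failed: Set[str], backups: Dict[str, str]) -> bool:
    # A node whose backup is still alive has been handed off, so it is up.
    return node in failed and backups.get(node, node) in failed


def reachable(layout: str, origin: str, failed: Set[str],
              backups: Optional[Dict[str, str]] = None) -> Set[str]:
    """NAs still reachable from origin after the given gateways failed."""
    backups = backups or {}
    return {na for na in NAS
            if not any(_down(g, failed, backups) for g in path(layout, origin, na))}


def failures_to_blackout(layout: str, origin: str,
                         backups: Optional[Dict[str, str]] = None) -> Optional[int]:
    """Smallest number of gateway failures that leaves no NA reachable,
    or None if no combination of gateway failures can cut off every NA."""
    backups = backups or {}
    gateways = {g for na in NAS for g in path(layout, origin, na)}
    gateways |= {backups[g] for g in gateways if g in backups}
    ordered = sorted(gateways)
    for k in range(len(ordered) + 1):
        for subset in combinations(ordered, k):
            if not reachable(layout, origin, set(subset), backups):
                return k
    return None


if __name__ == "__main__":
    for layout in ("distributed", "centralized", "proxy"):
        for origin in ("wan", "home"):
            print(f"{layout:12s} {origin:4s} RGW down -> reachable "
                  f"{sorted(reachable(layout, origin, {'rgw'}))}; "
                  f"failures to blackout: {failures_to_blackout(layout, origin)}; "
                  f"with backup RGW: {failures_to_blackout(layout, origin, WITH_BACKUP_RGW)}")
```

   Running it reproduces the draft's conclusions: with the RGW down,
   the distributed layout keeps all intra-home access and loses all
   remote access, the centralized layout loses both, and the proxy
   layout loses remote access while a single proxy failure removes only
   that proxy's subset of NAs.  A backup RGW raises the number of
   failures needed for a centralized blackout from one to two.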
4. Security Considerations

   Security in the form of authentication and authorization has been
   discussed in various sections of this document, including Sections
   3.3 and 3.5.  In general, SIP messages will be handled securely by
   means of the security features provided by the SIP framework, which
   include authentication, message integrity, and message privacy.

5. Acknowledgements

   The authors would like to acknowledge Senthil Sengodan for
   interesting discussions on the subject.

References

   [1] Moyer, S., et al., "Framework Draft for Networked Appliances
       using the Session Initiation Protocol",
       draft-moyer-sip-appliances-framework-02.txt, Internet Draft,
       June 2001.

   [2] Tsang, S., et al., "SIP Extensions for Communicating with
       Networked Appliances", draft-tsang-sip-appliances-do-00.txt,
       Internet Draft, November 2000.

   [3] Norman, D., "The Invisible Computer", MIT Press, Oct. 1999.

   [4] Handley, M., Schulzrinne, H., Schooler, E., Rosenberg, J., "SIP:
       Session Initiation Protocol", RFC 2543, March 1999.

   [5] Chan, T. and Sengodan, S., "On Applying SIP Security to
       Networked Appliances," Proceedings of the 4th International
       Workshop on Networked Appliances, Jan. 15-16, 2002, pp. 31-40.

   [6] Bradner, S., "Key words for use in RFCs to Indicate Requirement
       Levels", BCP 14, RFC 2119, March 1997.

   [7] HAVi, www.havi.org

   [8] Moyer, S. and Marples, D., "The Internet Alarm Clock - A
       Networked Appliance Case Study,"
       http://www.research.telcordia.com/iapp/ac-whitepaper.pdf.

Authors' Addresses

   Bindignavile Srinivas
   Nokia Research Center
   5 Wayside Road
   Boston, MA 01803
   USA
   Phone: 781-993-3786
   Email: bindignavile.srinivas@nokia.com

   Tat Chan
   Nokia Research Center
   5 Wayside Road
   Boston, MA 01803
   USA
   Phone: 781-993-5776
   Email: tat.chan@nokia.com