© ARM 2017

Device Management with the OMA LwM2M Protocol

Hannes Tschofenig

hannes.tschofenig@arm.com

February 13, 2017

© ARM 2017 2

Agenda

� Device management and the LwM2M architecture

� Gentle introduction to LwM2M

� Securing LwM2M and bootstrapping

� Examples

� Outlook

� Summary

© ARM 2017 3

Agenda

� Device management and the LwM2M architecture

� Gentle introduction to LwM2M

� Securing LwM2M and bootstrapping

� Examples

� Outlook

� Summary

© ARM 2017 4

Mobile Device Management

Device Management

Bootstrapping(Security)

Firmware Update

Remote Management

Fault Management

� Service provisioning� Key management� Provisioning of access control lists

� Update application and system software� Apply bug fixes and add new features

� Changes to settings� Trigger actuators

� Report errors from devices� Query status of devices

InformationReporting

� Notify changes in sensor values� Retrieve configuration settings and device status

Diverse IoT deployments with common needs

© ARM 2017 5

LwM2M version1.0 architecture

Figure 1: Entities in the LwM2M Architecture. Figure 2: Protocol Stack

© ARM 2017 6

Architecture, cont.

Internet of Things designs follow a few, frequently re-used design patterns. For an introduction on the design patterns see at http://www.internetsociety.org/doc/iot-overview and https://tools.ietf.org/html/rfc7452.

LWM2M Device

LWM2MProtocol

LWM2M Service

RESTful API over HTTP / HTTPS

In scopeof the

LwM2Mtechnical

specification Outside the scopeof the LwM2M

Technical specification

Device-to-Cloud Pattern

Back-end data sharing pattern

ApplicationServer

© ARM 2017 7

LWM2M and

mbed OSLinuxMicrium...

IoT devices

Services

mbed Cloudmbed Client, ...

Protected by

mbed TLS

CoAP

with GET, PUT, POST,

and DELETE HTTPS

with GET, PUT, POST,

and DELETE

Your application

server

© ARM 2017 8

Agenda

� Device management and the LwM2M architecture

� Gentle introduction to LwM2M

� Securing LwM2M and bootstrapping

� Examples

� Outlook

� Summary

© ARM 2017 9

Weather station example

Design questions: � How to encode the request/response messages?

� How to access multiple sensors and actuators on the IoT device?

� How to access multiple instances of the same sensor/actuator?

� How to encode the response messages efficiently?

� How to secure the access?

LwM2M server

Endpoint1

IoT device

LwM2M clientendpoint1

Temperature Sensor

1. RequestCurrent temperature

2. ResponseTemperature is 50°C

Temperature Sensor

© ARM 2017 10

The LwM2M RESTful API

High-level message pattern hiding details of networking and security protocols

• Information reporting interface

– Publish/subscribe interaction for observing changes in resources.

• Bootstrap interface

– Configure servers info, credentials & ACLs

• Registration interface

– Informs server about “existence” and supported functionality (e.g., objects, transport bindings)

• Device management & service enablement interface

– Ability to access object instances and resources

© ARM 2017 11

Building blocks for LwM2M version 1.0

CoAP DTLS Object Model

© ARM 2017 12

Object model

� Objects/Resources are accessed with simple URIs:

/{Object ID}/{Object Instance}/{Resource ID}

Example:

© ARM 2017 13

Objects

The LwM2M technical specification itself defines eight objects; the repository contains many more contributed by IPSO alliance, oneM2M, and from vendors.

Object Name ID Description

LwM2M Security 0 Keying material of a LwM2M client to access a LwM2M server.

LwM2M Server 1 Data related to a LwM2M server.

Access Control 2 Information used to check whether a LwM2M server has access to object.

Device 3 Device related information, including device reboot and factory reset function.

Connectivity Monitoring 4 Parameters related to network connectivity.

Firmware 5 Capability to update firmware

Location 6 Device location information

Connectivity Statistics 7 Information like transmit and receive counters

© ARM 2017 14

Example: IPSO Temperature object Resource ID Operations Type Description

Sensor value 5700 R Float Last or current measured value from the sensor

Min measured value 5601 R Float The minimum value measured by the sensor since power ON or reset

Max measured value 5602 R Float The maximum value measured by the sensor since power ON or reset

Min range value 5603 R Float The minimum value that can be measured by the sensor

Min range value 5604 R Float The minimum value that can be measured by the sensor

Max range value 5604 R Float The maximum value that can be measured by the sensor

Sensor units 5701 R String Measurement units definition

Reset min and max measured values

5605 E String Reset the min and max measured values to current value

Data

Metadata

A detailed description of this object and many others can be found at the IPSO Github repository.

Actions

© ARM 2017 15

Defining new objects and resources

� Sharing object definitions used in IoT deployments with the community helps to increase interoperability and avoids duplicate efforts.

� Object IDs are registered with the OMA repository.

� Defining a new object is simple!

� Everyone can register an object.

� You don’t need to be an OMA member.

� You don’t need to work in a standards developing organization.

� The easiest way to create a new object is via a dedicated editor tool.

� Objects can be created from scratch or by re-using and modifying existing

objects.

©Sensinode 2013

© ARM 2017 16

Weather station example, cont.

� IoT device with various objects: � Temperature (3303)

� Humidity (3304)

� Barometer (3315)

+ various default objects

� Observe temperature object� GET /3303 observe

� Device reports changes to the temperature object every time it changes:

� Notify 14.5C

� Notify 13C

Simple observation Observation with attributes

� Notifications are not sent unless temperature goes below 5C or above 10C� lt= 5C, and

gt=10C

� Command: � PUT /3303/0/5700?lt=5&gt=10

© ARM 2017 17

Limiting notifications

� Publish/subscribe is great but think about bandwidth consumption.

� Information reporting interface offers features to limit the amount of reported information.

� Time-based limits with minimum period and maximum period:� Pmin – Minimum time to wait (in seconds) before sending a new notify

� Pmax – Maximum time in seconds between two consecutive notify

� Threshold-based limits with less than and greater than: � Lt – Low limit measurement notification, like low alarm

� Gt – High limit measurement notification, like a high alarm

� Limits based on rate of change:� St – Minimum delta change required to notify

© ARM 2017 18

Energy efficiency

� “Always-on” devices are easy to work with.

� Energy consumption may, however, be a concern for battery powered devices.

� Silicon partners offer microcontrollers with sophisticated low power modes.

� Many IoT devices sleep most of the time.

� LwM2M helps energy efficiency designs with the “queue mode” feature.

© ARM 2017 19

LWM2M server

LwM2M queue mode

Endpoint1

Temperature (3303)

0

Max value(5602)

Value(5700)

IoT device

LwM2M clientendpoint1

Temperature (3303)

0

Max value(5602)

Object ID

Object instance

Resource ID

89Resource value

Value(5700)

23

4. Request for endpoint 1

11. Response

Application server

1. Device registrationwith queue mode

7. Registration update

2. After some time without messages device enterssleep mode

3. LwM2M serverqueues messageswhile IoT device issleeping

6. Device wakesup before registration lifetime expires.

8. LwM2M server sends queued messages

9. Relayed request fromapplication server

5. Provisional ResponseDevice sleeping

10. Response

© ARM 2017 20

Agenda

� Device management and the LwM2M architecture

� Gentle introduction to LwM2M

� Securing LwM2M and bootstrapping

� Examples

� Outlook

� Summary

© ARM 2017 21

Securing LwM2M

� IoT devices may exchange sensitive information and need to be protected.

� IoT end points need to be authenticated and communication requires protection.

� LwM2M supports three credential types: 1. Pre-shared secrets,

2. Raw public keys, and

3. Certificates

� Recommended algorithms are AES-128 and ECC (for public key crypto)

� DTLS requires a random number generator.� The danger is that there is little (or no) randomness in embedded systems.

� Paul Bakker talks about “Entropy Requirements in IoT” on the ARM mbedYoutube channel.

© ARM 2017 22

Bootstrapping architecture

� LwM2M client needs credentials to securely communicate with the LwM2M server using DTLS. Configuration and access rights might change.

LwM2M clientLwM2M clientWhere does this informationcome from?

IoT Device

Device credentials

DTLS LwM2M serverLwM2M server

ACLs Config Device credentials

Several deployment choices:� Factory bootstrap

� Bootstrap from smartcard

� Client initiated bootstrap

� Server initiated bootstrap

© ARM 2017 23

Agenda

� Device management and the LwM2M architecture

� Gentle introduction to LwM2M

� Securing LwM2M and bootstrapping

� Examples

� Outlook

� Summary

© ARM 2017 24

LwM2M server

Device registration and discovery

Application server

IoT device

LwM2M clientendpoint1

Temperature (3303)

0

Max Value(5602)

Object ID

Object Instance

Resource ID

89Resource Value

Value(5700)

23

IoT device

LwM2M clientendpoint2

Temperature (3303)

0

Max value(5602)

Object ID

Object instance

Resource ID

321Resource value

Value(5700)

145

Endpoint1

Temperature (3303)

0

Max value(5602)

Value(5700)

1. Register

4. DiscoverGET /endpoints

2. NotifyPOST /notification”registrations” : [{”ep”: ”Endpoint1”,

”resources” : [{”path”: ”/3303/0/5700”,...}],...}]

5. Discover[{”name”: ”Endpoint1”, ...},{”name”: ”Endpoint2”, ...}]

An API documentation is available offering further examples.

Endpoint2

Temperature (3303)

0

Max value(5602)

Value(5700)

2. Register

3. Notify

© ARM 2017 25

LwM2M server

Information retrieval

Endpoint1

Temperature (3303)

0

Max value(5602)

Value(5700)

IoT device

LwM2M clientendpoint1

Temperature (3303)

0

Max value(5602)

Object ID

Object instance

Resource ID

89Resource value

Value(5700)

23

Endpoint2

Temperature (3303)

0

Max value(5602)

Value(5700)

1. RequestGET /Endpoint1/3303/0/5602

2. Response{ ”async-id”: ”1232”, ...}

Application server5. Notify

POST /notification”async-responses” : [{ ”id: ”1232”, ”payload” : ”base64(89)”, ...}]

3. GET/3303/0/5602

4. Response89

© ARM 2017 26

LwM2M Server

Information reporting

Endpoint1

Temperature (3303)

0

Max value(5602)

Value(5700)

IoT device

LwM2M clientendpoint1

Temperature (3303)

0

Max value(5602)

Object ID

Object instance

Resource ID

89Resource value

Value(5700)

20

Endpoint2

Temperature (3303)

0

Max value(5602)

Value(5700)

1. RequestPUT/subscription/Endpoint1/3303/0/5700

2. Response{ ”async-id”: ”1232”, ...}

Application server5. Notify

POST /notification”async-responses” : [{ ”id: ”1232”, ”status” : 200, ...}]

7. NotifyPOST /notification”notifications” : [{”ep”: ”Endpoint1”, ”path” : ”/3303/0/5700”,”payload”: ”base64(23)”, ...}]

3.Observe/3303/0/5700

4.Success

6.Notify/3303/0/570023

23

© ARM 2017 27

Agenda

� Device management and the LwM2M architecture

� Gentle introduction to LwM2M

� Securing LwM2M and bootstrapping

� Examples

� Outlook

� Summary

© ARM 2017 28

Outlook

� LwM2M version 1.0 is finalized.

� Implementation and deployment feedback lead to desire to cover additional use cases.

� Envisioned additions: � Support for CoAP over TCP/TLS

� Protocol gateway support

� Support for other transports, such as HTTP/2.

� Additional security features

� Enhanced support for low power WANs

� Feature list still in discussion till mid April.

© ARM 2017 29

Agenda

� Device management and the LwM2M architecture

� Gentle introduction to LwM2M

� Securing LwM2M and bootstrapping

� Examples

� Outlook

� Summary

© ARM 2017 30

1. LwM2M version 1.0 is a big step in standardization that will simplify secure IoT device management.

2. It re-uses proven internet security technologies.

3. You can get involved in standardization and play with the code.

Summary

© ARM 2017 31

More background information?

OMA LwM2M version 1.0 specification.http://openmobilealliance.org/release/LightweightM2M/V1_0-20170208-A/

ARM whitepaper about device management.

https://developer.mbed.org/blog/entry/Whitepaper-Managing-Internet-of-Things/

© ARM 2017 32

LWM2M: How to Participate?� I want to contribute to the technical specification

� Submit new objects definitions to the OMA operated repository.

� File issues with the public OMA LWM2M Github issue tracker.

� Become OMA member and participate in the standardization process.

� Participate in the IETF for foundational standards (such as CoAP, DTLS/TLS, HTTP, etc.)

� I want to write code� Several open source projects are happy to receive your contributions.

� Examples: ARM mbed client, Leshan / Wakaama, AVSystems

� I want to test my implementation� Join an interoperability test event (PlugFest, TestFest). Info about upcoming events can be found

at the OMA testfest website. The next event takes place 17th – 19th May in Pittsburgh/US.

� Use one of the available open source implementations to test against.

The trademarks featured in this presentation are registered and/or unregistered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective owners.

Copyright © 2016 ARM Limited

© ARM 2016

Questions?