Device Management with the OMA LwM2M Protocol - Arm … · Device Management with the OMA LwM2M...
Transcript of Device Management with the OMA LwM2M Protocol - Arm … · Device Management with the OMA LwM2M...
© ARM 2017
Device Management with the OMA LwM2M Protocol
Hannes Tschofenig
February 13, 2017
© ARM 2017 2
Agenda
� Device management and the LwM2M architecture
� Gentle introduction to LwM2M
� Securing LwM2M and bootstrapping
� Examples
� Outlook
� Summary
© ARM 2017 3
Agenda
� Device management and the LwM2M architecture
� Gentle introduction to LwM2M
� Securing LwM2M and bootstrapping
� Examples
� Outlook
� Summary
© ARM 2017 4
Mobile Device Management
Device Management
Bootstrapping(Security)
Firmware Update
Remote Management
Fault Management
� Service provisioning� Key management� Provisioning of access control lists
� Update application and system software� Apply bug fixes and add new features
� Changes to settings� Trigger actuators
� Report errors from devices� Query status of devices
InformationReporting
� Notify changes in sensor values� Retrieve configuration settings and device status
Diverse IoT deployments with common needs
© ARM 2017 5
LwM2M version1.0 architecture
Figure 1: Entities in the LwM2M Architecture. Figure 2: Protocol Stack
© ARM 2017 6
Architecture, cont.
Internet of Things designs follow a few, frequently re-used design patterns. For an introduction on the design patterns see at http://www.internetsociety.org/doc/iot-overview and https://tools.ietf.org/html/rfc7452.
LWM2M Device
LWM2MProtocol
LWM2M Service
RESTful API over HTTP / HTTPS
In scopeof the
LwM2Mtechnical
specification Outside the scopeof the LwM2M
Technical specification
Device-to-Cloud Pattern
Back-end data sharing pattern
ApplicationServer
© ARM 2017 7
LWM2M and
mbed OSLinuxMicrium...
IoT devices
Services
mbed Cloudmbed Client, ...
Protected by
mbed TLS
CoAP
with GET, PUT, POST,
and DELETE HTTPS
with GET, PUT, POST,
and DELETE
Your application
server
© ARM 2017 8
Agenda
� Device management and the LwM2M architecture
� Gentle introduction to LwM2M
� Securing LwM2M and bootstrapping
� Examples
� Outlook
� Summary
© ARM 2017 9
Weather station example
Design questions: � How to encode the request/response messages?
� How to access multiple sensors and actuators on the IoT device?
� How to access multiple instances of the same sensor/actuator?
� How to encode the response messages efficiently?
� How to secure the access?
LwM2M server
Endpoint1
IoT device
LwM2M clientendpoint1
Temperature Sensor
1. RequestCurrent temperature
2. ResponseTemperature is 50°C
Temperature Sensor
© ARM 2017 10
The LwM2M RESTful API
High-level message pattern hiding details of networking and security protocols
• Information reporting interface
– Publish/subscribe interaction for observing changes in resources.
• Bootstrap interface
– Configure servers info, credentials & ACLs
• Registration interface
– Informs server about “existence” and supported functionality (e.g., objects, transport bindings)
• Device management & service enablement interface
– Ability to access object instances and resources
© ARM 2017 11
Building blocks for LwM2M version 1.0
CoAP DTLS Object Model
© ARM 2017 12
Object model
� Objects/Resources are accessed with simple URIs:
/{Object ID}/{Object Instance}/{Resource ID}
Example:
© ARM 2017 13
Objects
The LwM2M technical specification itself defines eight objects; the repository contains many more contributed by IPSO alliance, oneM2M, and from vendors.
Object Name ID Description
LwM2M Security 0 Keying material of a LwM2M client to access a LwM2M server.
LwM2M Server 1 Data related to a LwM2M server.
Access Control 2 Information used to check whether a LwM2M server has access to object.
Device 3 Device related information, including device reboot and factory reset function.
Connectivity Monitoring 4 Parameters related to network connectivity.
Firmware 5 Capability to update firmware
Location 6 Device location information
Connectivity Statistics 7 Information like transmit and receive counters
© ARM 2017 14
Example: IPSO Temperature object Resource ID Operations Type Description
Sensor value 5700 R Float Last or current measured value from the sensor
Min measured value 5601 R Float The minimum value measured by the sensor since power ON or reset
Max measured value 5602 R Float The maximum value measured by the sensor since power ON or reset
Min range value 5603 R Float The minimum value that can be measured by the sensor
Min range value 5604 R Float The minimum value that can be measured by the sensor
Max range value 5604 R Float The maximum value that can be measured by the sensor
Sensor units 5701 R String Measurement units definition
Reset min and max measured values
5605 E String Reset the min and max measured values to current value
Data
Metadata
A detailed description of this object and many others can be found at the IPSO Github repository.
Actions
© ARM 2017 15
Defining new objects and resources
� Sharing object definitions used in IoT deployments with the community helps to increase interoperability and avoids duplicate efforts.
� Object IDs are registered with the OMA repository.
� Defining a new object is simple!
� Everyone can register an object.
� You don’t need to be an OMA member.
� You don’t need to work in a standards developing organization.
� The easiest way to create a new object is via a dedicated editor tool.
� Objects can be created from scratch or by re-using and modifying existing
objects.
©Sensinode 2013
© ARM 2017 16
Weather station example, cont.
� IoT device with various objects: � Temperature (3303)
� Humidity (3304)
� Barometer (3315)
+ various default objects
� Observe temperature object� GET /3303 observe
� Device reports changes to the temperature object every time it changes:
� Notify 14.5C
� Notify 13C
Simple observation Observation with attributes
� Notifications are not sent unless temperature goes below 5C or above 10C� lt= 5C, and
gt=10C
� Command: � PUT /3303/0/5700?lt=5>=10
© ARM 2017 17
Limiting notifications
� Publish/subscribe is great but think about bandwidth consumption.
� Information reporting interface offers features to limit the amount of reported information.
� Time-based limits with minimum period and maximum period:� Pmin – Minimum time to wait (in seconds) before sending a new notify
� Pmax – Maximum time in seconds between two consecutive notify
� Threshold-based limits with less than and greater than: � Lt – Low limit measurement notification, like low alarm
� Gt – High limit measurement notification, like a high alarm
� Limits based on rate of change:� St – Minimum delta change required to notify
© ARM 2017 18
Energy efficiency
� “Always-on” devices are easy to work with.
� Energy consumption may, however, be a concern for battery powered devices.
� Silicon partners offer microcontrollers with sophisticated low power modes.
� Many IoT devices sleep most of the time.
� LwM2M helps energy efficiency designs with the “queue mode” feature.
© ARM 2017 19
LWM2M server
LwM2M queue mode
Endpoint1
Temperature (3303)
0
Max value(5602)
Value(5700)
IoT device
LwM2M clientendpoint1
Temperature (3303)
0
Max value(5602)
Object ID
Object instance
Resource ID
89Resource value
Value(5700)
23
4. Request for endpoint 1
11. Response
Application server
1. Device registrationwith queue mode
7. Registration update
2. After some time without messages device enterssleep mode
3. LwM2M serverqueues messageswhile IoT device issleeping
6. Device wakesup before registration lifetime expires.
8. LwM2M server sends queued messages
9. Relayed request fromapplication server
5. Provisional ResponseDevice sleeping
10. Response
© ARM 2017 20
Agenda
� Device management and the LwM2M architecture
� Gentle introduction to LwM2M
� Securing LwM2M and bootstrapping
� Examples
� Outlook
� Summary
© ARM 2017 21
Securing LwM2M
� IoT devices may exchange sensitive information and need to be protected.
� IoT end points need to be authenticated and communication requires protection.
� LwM2M supports three credential types: 1. Pre-shared secrets,
2. Raw public keys, and
3. Certificates
� Recommended algorithms are AES-128 and ECC (for public key crypto)
� DTLS requires a random number generator.� The danger is that there is little (or no) randomness in embedded systems.
� Paul Bakker talks about “Entropy Requirements in IoT” on the ARM mbedYoutube channel.
© ARM 2017 22
Bootstrapping architecture
� LwM2M client needs credentials to securely communicate with the LwM2M server using DTLS. Configuration and access rights might change.
LwM2M clientLwM2M clientWhere does this informationcome from?
IoT Device
Device credentials
DTLS LwM2M serverLwM2M server
ACLs Config Device credentials
Several deployment choices:� Factory bootstrap
� Bootstrap from smartcard
� Client initiated bootstrap
� Server initiated bootstrap
© ARM 2017 23
Agenda
� Device management and the LwM2M architecture
� Gentle introduction to LwM2M
� Securing LwM2M and bootstrapping
� Examples
� Outlook
� Summary
© ARM 2017 24
LwM2M server
Device registration and discovery
Application server
IoT device
LwM2M clientendpoint1
Temperature (3303)
0
Max Value(5602)
Object ID
Object Instance
Resource ID
89Resource Value
Value(5700)
23
IoT device
LwM2M clientendpoint2
Temperature (3303)
0
Max value(5602)
Object ID
Object instance
Resource ID
321Resource value
Value(5700)
145
Endpoint1
Temperature (3303)
0
Max value(5602)
Value(5700)
1. Register
4. DiscoverGET /endpoints
2. NotifyPOST /notification”registrations” : [{”ep”: ”Endpoint1”,
”resources” : [{”path”: ”/3303/0/5700”,...}],...}]
5. Discover[{”name”: ”Endpoint1”, ...},{”name”: ”Endpoint2”, ...}]
An API documentation is available offering further examples.
Endpoint2
Temperature (3303)
0
Max value(5602)
Value(5700)
2. Register
3. Notify
© ARM 2017 25
LwM2M server
Information retrieval
Endpoint1
Temperature (3303)
0
Max value(5602)
Value(5700)
IoT device
LwM2M clientendpoint1
Temperature (3303)
0
Max value(5602)
Object ID
Object instance
Resource ID
89Resource value
Value(5700)
23
Endpoint2
Temperature (3303)
0
Max value(5602)
Value(5700)
1. RequestGET /Endpoint1/3303/0/5602
2. Response{ ”async-id”: ”1232”, ...}
Application server5. Notify
POST /notification”async-responses” : [{ ”id: ”1232”, ”payload” : ”base64(89)”, ...}]
3. GET/3303/0/5602
4. Response89
© ARM 2017 26
LwM2M Server
Information reporting
Endpoint1
Temperature (3303)
0
Max value(5602)
Value(5700)
IoT device
LwM2M clientendpoint1
Temperature (3303)
0
Max value(5602)
Object ID
Object instance
Resource ID
89Resource value
Value(5700)
20
Endpoint2
Temperature (3303)
0
Max value(5602)
Value(5700)
1. RequestPUT/subscription/Endpoint1/3303/0/5700
2. Response{ ”async-id”: ”1232”, ...}
Application server5. Notify
POST /notification”async-responses” : [{ ”id: ”1232”, ”status” : 200, ...}]
7. NotifyPOST /notification”notifications” : [{”ep”: ”Endpoint1”, ”path” : ”/3303/0/5700”,”payload”: ”base64(23)”, ...}]
3.Observe/3303/0/5700
4.Success
6.Notify/3303/0/570023
23
© ARM 2017 27
Agenda
� Device management and the LwM2M architecture
� Gentle introduction to LwM2M
� Securing LwM2M and bootstrapping
� Examples
� Outlook
� Summary
© ARM 2017 28
Outlook
� LwM2M version 1.0 is finalized.
� Implementation and deployment feedback lead to desire to cover additional use cases.
� Envisioned additions: � Support for CoAP over TCP/TLS
� Protocol gateway support
� Support for other transports, such as HTTP/2.
� Additional security features
� Enhanced support for low power WANs
� Feature list still in discussion till mid April.
© ARM 2017 29
Agenda
� Device management and the LwM2M architecture
� Gentle introduction to LwM2M
� Securing LwM2M and bootstrapping
� Examples
� Outlook
� Summary
© ARM 2017 30
1. LwM2M version 1.0 is a big step in standardization that will simplify secure IoT device management.
2. It re-uses proven internet security technologies.
3. You can get involved in standardization and play with the code.
Summary
© ARM 2017 31
More background information?
OMA LwM2M version 1.0 specification.http://openmobilealliance.org/release/LightweightM2M/V1_0-20170208-A/
ARM whitepaper about device management.
https://developer.mbed.org/blog/entry/Whitepaper-Managing-Internet-of-Things/
© ARM 2017 32
LWM2M: How to Participate?� I want to contribute to the technical specification
� Submit new objects definitions to the OMA operated repository.
� File issues with the public OMA LWM2M Github issue tracker.
� Become OMA member and participate in the standardization process.
� Participate in the IETF for foundational standards (such as CoAP, DTLS/TLS, HTTP, etc.)
� I want to write code� Several open source projects are happy to receive your contributions.
� Examples: ARM mbed client, Leshan / Wakaama, AVSystems
� I want to test my implementation� Join an interoperability test event (PlugFest, TestFest). Info about upcoming events can be found
at the OMA testfest website. The next event takes place 17th – 19th May in Pittsburgh/US.
� Use one of the available open source implementations to test against.
The trademarks featured in this presentation are registered and/or unregistered trademarks of ARM Limited (or its subsidiaries) in the EU and/or elsewhere. All rights reserved. All other marks featured may be trademarks of their respective owners.
Copyright © 2016 ARM Limited
© ARM 2016
Questions?