PLATFORM FOR THE INTERNET OF THINGS Using ... - IoT Week

croutonsgruesome | Networks and Communications | 16 Feb 2014

PLATFORM FOR THE INTERNET OF THINGS

Using P2P technology for ultra scalable, secure, robust and autonomous IoT device management


NABTO - SHORTLY

We sell a platform for device vendors.

Our customers are normally:
- Big
- Consumer and prosumer products
- High volume
- Very cost focused
- Large customer deployments in the 10k-100k range (we don't have +1m yet, but getting there)


INTERNET OF THINGS: CUSTOMER CHALLENGES

- Complexity
  - Internet technology complicates embedded designs by a factor 5-10
  - Nobody wants complexity on embedded
- Security
  - Standard embedded designs normally don't address (internet) security
- End-customer ease-of-use
  - IP addresses, firewalls, identification, remote access
- Cost
  - Increased complexity => increased costs
  - Hardware
  - R&D + support
  - Operation: NO RECURRING COST PLEASE
- Time-to-market


PROBLEM 1: FIREWALLS

- Outbound initiated traffic: OK
- Inbound initiated traffic: not OK

(The diagram shows the same rule at both ends of the connection, so neither side can accept a connection initiated by the other.)

PROBLEM 2: RESOURCES

Server/PC side:
- CPU: GHz
- RAM: GB
- Storage: GB/TB

Embedded device side:
- CPU: MHz
- RAM: kB
- Storage: kB/MB

PROBLEM 3: SECURITY

Current "state-of-the-art":
- HTTP basic authentication
- HTTPS/SSL

NAIVE SOLUTION

Diagram: Device --HTTPS data-push--> Cloud service (database + web interface + data capture) <-- Client

- All data is relayed through the cloud service
- Footprint on cloud service = <number of devices> x <device storage>
- No internet = no interface and no access
- All HMI computing is central
- Latency is suboptimal
- Privacy? Who can access my data? (besides PRISM ;-)

GOOD LUCK RUNNING MULTIPLE MILLIONS OF DEVICES

SCALABILITY WITH P2P

PEER-TO-PEER SOLUTION - INTERNET

Diagram:
- IoT device: System On Chip with UDP stack and P2P uServer
- Basestation / Super Node: located in the cloud
- Client: P2P Client API on PC, tablet, smartphone, etc.
- Messages via the basestation: Connect Request, Identification, Data-push, Awareness, Connect accept; afterwards a direct interactive P2P connection between client and device
- Data model & GUI transformation definition: download & cache on the client

AUTONOMOUS LAN OPERATION

Diagram:
- IoT device: System On Chip with UDP stack and P2P uDevice
- Client: P2P Client API on PC, tablet, smartphone, etc.
- Local discovery, then a P2P connection on the LAN
- Data model & GUI definition: located in the cloud or on media; install & cache on the client

WHY: RESOURCE DISTRIBUTION

Cloud service responsibility:
- Keep track of devices => receive "I'm alive" data, update the in-memory device table
- Mediate connection requests between client and device

Device responsibility:
- Send (encrypted) simple data

Client responsibility:
- Compute = transform raw device data to higher level output

Pros:
- We have 100% control of the security mechanism
- Highly scalable
- Resource footprint of devices is minimized
- Resource footprint of cloud services is minimized
- Connectivity is latency optimized
- Since client & device can act autonomously, the system works without internet connectivity
- Privacy: data is only shared between device and user
- Simulation shows that even on "smallish" server settings we can accommodate millions of devices (with 100% connect per day)
- System is IPv6 or IPv4 agnostic

SOME INTERESTING NUMBERS

- Our C++ server performance on an 8-core Intel server is ~250k memory-state-based network operations per second
- Average idle firewall timeout is ~1.5 min.
- Device average idle network footprint is ~3kb
- Generally we can do direct P2P connections in +80% of cases... we are increasing this number every day
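The two slides above describe the cloud side's only state: an in-memory device table refreshed by "I'm alive" messages, whose usefulness is bounded by the ~1.5 minute idle firewall timeout (a device whose last message is older than that most likely no longer has an open pinhole). The following is an added example, not Nabto's code, of such a table with expiry. The table size, the 90-second timeout constant, the keepalive interval and the field names are assumptions for illustration; the sample device and address are constructed.

```c
/* Added example (not Nabto code): an in-memory device table of the kind the
 * "cloud service responsibility" slide describes, with expiry tied to the
 * ~1.5 minute idle firewall timeout quoted on the numbers slide.
 * Names, sizes and the 90-second timeout are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TABLE_SIZE 8                 /* assumed: small fixed table for the example */
#define IDLE_TIMEOUT_SEC 90          /* ~1.5 min idle firewall timeout from the slide */
#define KEEPALIVE_INTERVAL_SEC 60    /* assumed: devices must report in below IDLE_TIMEOUT_SEC */

typedef struct {
    uint32_t device_id;      /* numeric id, e.g. 49924 for 49924.nabto.net */
    uint32_t nat_ip;         /* public address seen on the "I'm alive" packet */
    uint16_t nat_port;
    uint32_t last_seen;      /* seconds on a monotonic clock supplied by the caller */
    int      in_use;
} device_entry_t;

typedef struct {
    device_entry_t entries[TABLE_SIZE];
} device_table_t;

void table_init(device_table_t *t) { memset(t, 0, sizeof(*t)); }

/* Find the entry for a device id, or NULL if the device is not in the table. */
device_entry_t *table_lookup(device_table_t *t, uint32_t device_id) {
    for (int i = 0; i < TABLE_SIZE; i++)
        if (t->entries[i].in_use && t->entries[i].device_id == device_id)
            return &t->entries[i];
    return NULL;
}

/* Record an "I'm alive" message: refresh an existing entry or claim a free slot.
 * Returns 0 on success, -1 if the table is full. */
int table_mark_alive(device_table_t *t, uint32_t device_id, uint32_t nat_ip,
                     uint16_t nat_port, uint32_t now) {
    device_entry_t *e = table_lookup(t, device_id);
    if (!e) {
        for (int i = 0; i < TABLE_SIZE && !e; i++)
            if (!t->entries[i].in_use) e = &t->entries[i];
        if (!e) return -1;
        e->in_use = 1;
        e->device_id = device_id;
    }
    /* The NAT mapping may change between keepalives, so always refresh it. */
    e->nat_ip = nat_ip;
    e->nat_port = nat_port;
    e->last_seen = now;
    return 0;
}

/* Drop devices whose firewall pinhole has most likely closed.
 * Returns the number of entries removed. */
int table_expire(device_table_t *t, uint32_t now) {
    int removed = 0;
    for (int i = 0; i < TABLE_SIZE; i++) {
        device_entry_t *e = &t->entries[i];
        if (e->in_use && now - e->last_seen > IDLE_TIMEOUT_SEC) {
            e->in_use = 0;
            removed++;
        }
    }
    return removed;
}

/* Is the device reachable, i.e. known and with an unexpired mapping? */
int table_is_reachable(device_table_t *t, uint32_t device_id, uint32_t now) {
    device_entry_t *e = table_lookup(t, device_id);
    return e != NULL && now - e->last_seen <= IDLE_TIMEOUT_SEC;
}

int main(void) {
    device_table_t t;
    table_init(&t);
    /* constructed sample: device 49924 reports in from 203.0.113.7:40000 at t=0 */
    table_mark_alive(&t, 49924, 0xCB007107u, 40000, 0);
    printf("reachable at t=60: %d\n", table_is_reachable(&t, 49924, 60));
    printf("expired at t=100: %d\n", table_expire(&t, 100));
    printf("reachable at t=100: %d\n", table_is_reachable(&t, 49924, 100));
    return 0;
}
```

The point of the two time constants is the ordering KEEPALIVE_INTERVAL_SEC < IDLE_TIMEOUT_SEC: a connection request mediated for a device whose entry has expired would be sent to a mapping the firewall has already dropped, so the basestation should refuse to mediate rather than hand the client a dead address.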


DECENTRALIZED GUI-COMPUTATION

SCALABLE IDENTIFICATION AND MANAGEMENT

Diagram: P2P uDevice <-> Basestation / Super Node <-> P2P Client

- Device is identified by a unique DNS address, e.g. 49924.nabto.net
- Device DNS IDs resolve to the IP addresses of the supporting basestations
- Locating a basestation is a DNS resolve
- Supporting basestations can be easily managed by adjusting DNS
- Basestations are stateless = easy management

Example: 49924.nabto.net = base1, base2, ..., base N (each a Basestation / Super Node)

P2P CONNECTION: STUN (RFC 5389, 3489)

Diagram: a Nabto peer behind NAT talks to two STUN servers
- Nabto: local UDP socket IP1,Port1
- NAT: the same socket seen from the outside as UDP socket IP-FW,Port-FW
- STUN servers: UDP socket IPS1,PortS1 and UDP socket IPS2,PortS2
- Same for IPS1 and IPS2? (does the NAT report the same public address to both servers)

Bind a local UDP socket, and examine its public internet IP and port.

UDP HOLEPUNCHING

Diagram:
- Nabto Client behind NAT, MYADDRESS: UDP socket IP-FW1,Port-FW1
- Nabto Enabled Device behind NAT, MYADDRESS: UDP socket IP-FW2,Port-FW2
- Basestation in between

Transmit this information via the basestation to/from both peers.
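The STUN step on the previous slide ("bind a local UDP socket, and examine its public internet IP and port") and the "same for IPS1 and IPS2?" question are the parts of the exchange that can be shown without a network. The code below is an added example, not Nabto's code: it builds an RFC 5389 Binding Request, parses a Binding Response carrying XOR-MAPPED-ADDRESS (or the older RFC 3489 MAPPED-ADDRESS), and compares the mappings two servers report. The response bytes are constructed by hand for 203.0.113.7:40000; the transaction-id check is what keeps a stray or spoofed packet from being accepted as the answer.

```c
/* Added example (not Nabto's code): build a STUN Binding Request and parse a
 * Binding Response (RFC 5389 framing, plus the RFC 3489 MAPPED-ADDRESS form)
 * to learn the public IP:port of a local UDP socket, then compare the
 * mappings two different STUN servers report. The response bytes below are
 * constructed by hand; no socket is opened, so the code runs offline. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define STUN_MAGIC_COOKIE 0x2112A442u
#define STUN_BINDING_REQUEST 0x0001
#define STUN_BINDING_SUCCESS 0x0101
#define STUN_ATTR_MAPPED_ADDRESS 0x0001      /* RFC 3489 */
#define STUN_ATTR_XOR_MAPPED_ADDRESS 0x0020  /* RFC 5389 */
#define STUN_HEADER_LEN 20

typedef struct { uint32_t ip; uint16_t port; } stun_mapping_t;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Write a 20-byte Binding Request with no attributes. Returns bytes written. */
size_t stun_build_binding_request(uint8_t out[STUN_HEADER_LEN], const uint8_t txid[12]) {
    out[0] = 0x00; out[1] = STUN_BINDING_REQUEST;   /* message type */
    out[2] = 0x00; out[3] = 0x00;                   /* message length: no attributes */
    out[4] = 0x21; out[5] = 0x12; out[6] = 0xA4; out[7] = 0x42;   /* magic cookie */
    memcpy(out + 8, txid, 12);                      /* caller-chosen random transaction id */
    return STUN_HEADER_LEN;
}

/* Parse a Binding Response into *m. Returns 0 on success, -1 on any
 * malformed, foreign or unexpected packet. Every length is checked against
 * the buffer before it is used. */
int stun_parse_binding_response(const uint8_t *buf, size_t len,
                                const uint8_t txid[12], stun_mapping_t *m) {
    if (len < STUN_HEADER_LEN) return -1;
    if (rd16(buf) != STUN_BINDING_SUCCESS) return -1;
    if (rd32(buf + 4) != STUN_MAGIC_COOKIE) return -1;
    if (memcmp(buf + 8, txid, 12) != 0) return -1;     /* not the reply to our request */
    size_t body_len = rd16(buf + 2);
    if (body_len > len - STUN_HEADER_LEN) return -1;   /* truncated packet */

    size_t off = STUN_HEADER_LEN, end = STUN_HEADER_LEN + body_len;
    while (off + 4 <= end) {
        uint16_t type = rd16(buf + off), alen = rd16(buf + off + 2);
        const uint8_t *val = buf + off + 4;
        if (off + 4 + alen > end) return -1;          /* attribute overruns the body */
        if ((type == STUN_ATTR_XOR_MAPPED_ADDRESS || type == STUN_ATTR_MAPPED_ADDRESS)
            && alen == 8 && val[1] == 0x01) {         /* family 0x01 = IPv4 */
            m->port = rd16(val + 2);
            m->ip = rd32(val + 4);
            if (type == STUN_ATTR_XOR_MAPPED_ADDRESS) {   /* undo the XOR with the cookie */
                m->port ^= (uint16_t)(STUN_MAGIC_COOKIE >> 16);
                m->ip ^= STUN_MAGIC_COOKIE;
            }
            return 0;
        }
        off += 4 + ((alen + 3) & ~(size_t)3);         /* attributes are 32-bit aligned */
    }
    return -1;                                         /* no usable address attribute */
}

/* If two servers report the same mapping, the NAT reuses one external
 * IP:port for the socket regardless of destination, which is the case
 * where a direct hole-punched P2P connection is likely to succeed. */
int stun_same_mapping(const stun_mapping_t *a, const stun_mapping_t *b) {
    return a->ip == b->ip && a->port == b->port;
}

/* Constructed sample response: success, 12 bytes of attributes, transaction id
 * 0x01..0x0c, XOR-MAPPED-ADDRESS for 203.0.113.7:40000. */
static const uint8_t SAMPLE_TXID[12] = {1,2,3,4,5,6,7,8,9,10,11,12};
static const uint8_t SAMPLE_RESPONSE[32] = {
    0x01,0x01, 0x00,0x0C, 0x21,0x12,0xA4,0x42,
    1,2,3,4,5,6,7,8,9,10,11,12,
    0x00,0x20, 0x00,0x08, 0x00,0x01, 0xBD,0x52, 0xEA,0x12,0xD5,0x45
};

int main(void) {
    uint8_t req[STUN_HEADER_LEN];
    stun_mapping_t m;
    stun_build_binding_request(req, SAMPLE_TXID);
    if (stun_parse_binding_response(SAMPLE_RESPONSE, sizeof SAMPLE_RESPONSE, SAMPLE_TXID, &m) == 0)
        printf("public endpoint %u.%u.%u.%u:%u\n", m.ip >> 24, (m.ip >> 16) & 0xFF,
               (m.ip >> 8) & 0xFF, m.ip & 0xFF, m.port);
    return 0;
}
```

In a real client the request would be sent from the socket that will later carry the P2P traffic, once to each of the two servers, and the two parsed mappings compared with stun_same_mapping(); only the mapping the NAT actually assigned to that socket is worth forwarding through the basestation.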

ACCESS WITHOUT INTERNET

Diagram:
- PC: Browser + Nabto Browser Plugin
- Nabto device: Nabto Framework + Embedded Logic

1. Broadcast: are you on LAN?
2. I'm here: IP address
3. nabto:// connection

NB: LAN can be just a net-cable from laptop to device.

INTERFACING TO OTHER SYSTEMS

Diagram: P2P uDevice <-> Basestation / Super Node <-> Translator Gateway (CoAP, HTTP, webservice) <-> IoT system


EXAMPLE: MAPPING

Query definition for the decentralized GUI-computation: a named query is mapped to a numeric query id and typed request/response parameters.

```xml
<query name="getTemperature" id="0x0a">
  <request>
    <parameter name="sensorId" type="uint16"/>
    <parameter name="filter" type="uint8" default="0"/>
  </request>
  <response format="json">
    <parameter name="temperature" type="uint16"/>
  </response>
</query>
```

EXAMPLE: EVENT HANDLER

```c
application_event_result_t application_event(application_request_t* req,
                                             buffer_read_t* ibuf,
                                             buffer_write_t* obuf) {
    switch (req->query_id) {
    case 0x0a: {                        /* getTemperature, id from the XML mapping */
        uint16_t sensor_id;
        uint8_t filter;
        uint16_t temperature;
        /* Parameters arrive in the order declared in the <request> element.
         * The results of the read calls are not checked here, so a request
         * shorter than three bytes leaves sensor_id or filter uninitialized. */
        buffer_read_uint16(ibuf, &sensor_id);
        buffer_read_uint8(ibuf, &filter);
        temperature = readTemperature(sensor_id, filter);
        buffer_write_uint16(obuf, temperature);   /* the single <response> parameter */
        return AER_REQ_RESPONSE_READY;
    }
    }
    return AER_REQ_INV_QUERY_ID;            /* unknown query id */
}
```

EXAMPLE: SIMPLE MAIN LOOP

```c
#include <stdbool.h>

int main() {
    nabto_main_context_t nmc;
    nabto_init_default_values(&(nmc.nms));   /* fill the settings struct with defaults */
    nmc.nms.id = "foo.u.nabto.net";         /* the device's DNS identity */
    nabto_main_init(&nmc);
    while (true) {
        nabto_main_tick(&nmc);               /* drive the framework one step: network I/O and events */
        sleep_ms(10);
    }
    nabto_main_close(&nmc);                  /* only reached if the loop is given an exit condition */
    return 0;
}
```

LIGHTWEIGHT VERSION

Diagram (request path): Browser (user input via a nice menu) -> Nabto Browser Plugin -> Nabto Framework -> Embedded Logic on the internet aware device

URL: nabto://foo.u.nabto.net/getTemperature?sensorId=3

Request buffer: 0x0a | 0x00 0x03 | 0x00
- Buf[0]: getTemperature request identifier
- Buf[1,2]: sensor identification
- Buf[3]: filter identification
(see former slide for XML definition)

C call: application_event(0x0a, &Buf[1], 3)

LIGHTWEIGHT VERSION

Diagram (response path): Embedded Logic -> Nabto Framework (internet aware device) -> Nabto Client API -> Browser; the user GUI shows "The temperature is: 22,5"

Response buffer: 0x16 0x80

- The application_event() function returns the response buffer
- Response in JSON format
- Handled by JavaScript:

```javascript
function queryDevice(request) {
  jQuery.getJSON(request, null, function(response) {
    // the device's values sit under the "response" key of the JSON reply
    var data = response["response"];
    $("button").val(data["temperature"]);
  });
}
```
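The event-handler slide and the two lightweight-version slides together define a small wire format: Buf[0] carries the query id, the remaining bytes carry the request parameters in declaration order (big-endian uint16 sensor id, uint8 filter), and the response is the single uint16 from the XML mapping. The code below is an added example, not Nabto's code: a self-contained model of that request/response handling with the length checks the slide's handler leaves implicit (a short request or a full response buffer is reported instead of reading or writing past the end). The buffer types, the result-code names, the read_temperature() stub and the reading of 0x16 0x80 as 8.8 fixed point (22 + 128/256 = 22.5, which matches the slide's "22,5") are assumptions for this example.

```c
/* Added example, not Nabto's code: a self-contained model of the request and
 * response buffers on the "lightweight version" slides, with the length
 * checks the slide's handler leaves implicit. The buffer types, the
 * read_temperature() stub, the result-code names and the 8.8 fixed-point
 * reading of the response (0x16 0x80 = 22.5) are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal cursors over a byte buffer; reads and writes fail instead of overrunning. */
typedef struct { const uint8_t *data; size_t len, pos; } rbuf_t;
typedef struct { uint8_t *data; size_t cap, pos; } wbuf_t;

int rbuf_read_u8(rbuf_t *b, uint8_t *v) {
    if (b->pos + 1 > b->len) return 0;
    *v = b->data[b->pos++];
    return 1;
}
int rbuf_read_u16(rbuf_t *b, uint16_t *v) {          /* big-endian, as on the slide */
    if (b->pos + 2 > b->len) return 0;
    *v = (uint16_t)((b->data[b->pos] << 8) | b->data[b->pos + 1]);
    b->pos += 2;
    return 1;
}
int wbuf_write_u16(wbuf_t *b, uint16_t v) {
    if (b->pos + 2 > b->cap) return 0;
    b->data[b->pos++] = (uint8_t)(v >> 8);
    b->data[b->pos++] = (uint8_t)(v & 0xFF);
    return 1;
}

/* Result codes modelled on the slide's handler; the names are assumptions. */
typedef enum { EV_RESPONSE_READY, EV_INVALID_QUERY, EV_REQUEST_TOO_SMALL,
               EV_RESPONSE_TOO_LARGE } event_result_t;

/* Stand-in for the device's sensor read: returns the temperature in 8.8 fixed point. */
uint16_t read_temperature(uint16_t sensor_id, uint8_t filter) {
    (void)filter;
    return sensor_id == 3 ? 0x1680 : 0x0000;       /* constructed: sensor 3 reads 22.5 */
}

/* Handle one query, reading parameters from req and writing the response to rsp. */
event_result_t handle_event(uint8_t query_id, rbuf_t *req, wbuf_t *rsp) {
    switch (query_id) {
    case 0x0a: {                                   /* getTemperature */
        uint16_t sensor_id, temperature;
        uint8_t filter;
        if (!rbuf_read_u16(req, &sensor_id)) return EV_REQUEST_TOO_SMALL;
        if (!rbuf_read_u8(req, &filter)) return EV_REQUEST_TOO_SMALL;
        temperature = read_temperature(sensor_id, filter);
        if (!wbuf_write_u16(rsp, temperature)) return EV_RESPONSE_TOO_LARGE;
        return EV_RESPONSE_READY;
    }
    }
    return EV_INVALID_QUERY;
}

/* Dispatch a whole request buffer: Buf[0] is the query id, the rest the parameters.
 * Mirrors the slide's "application_event(0x0a, &Buf[1], 3)" call. */
event_result_t dispatch(const uint8_t *buf, size_t len, uint8_t *out, size_t cap, size_t *out_len) {
    if (len < 1) return EV_REQUEST_TOO_SMALL;
    rbuf_t req = { buf + 1, len - 1, 0 };
    wbuf_t rsp = { out, cap, 0 };
    event_result_t r = handle_event(buf[0], &req, &rsp);
    *out_len = rsp.pos;
    return r;
}

/* Convert the uint16 response to the value the GUI displays (8.8 fixed point). */
double temperature_to_celsius(uint16_t raw) { return raw / 256.0; }

int main(void) {
    const uint8_t request[4] = { 0x0a, 0x00, 0x03, 0x00 };   /* the slide's request buffer */
    uint8_t response[2];
    size_t n = 0;
    event_result_t r = dispatch(request, sizeof request, response, sizeof response, &n);
    if (r == EV_RESPONSE_READY)
        printf("response %02x %02x -> %.1f\n", response[0], response[1],
               temperature_to_celsius((uint16_t)((response[0] << 8) | response[1])));
    return 0;
}
```

The request buffer comes straight from the network, so the two failure codes are the handler's only protection against a truncated or oversized query; on a device with kilobytes of RAM there is no memory protection to catch an overrun later.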

SECURITY - GENERAL SOLUTION

Diagram: P2P uServer <-> Basestation / Super Node <-> P2P Client; both the uServer and the client hold a public/private key + certificates

- Challenge response via public key authentication
- Symmetric session key establishment
- Basically 3-way SSL
- Exchanged via the basestation: public key + certificate + challenge response + answer + part of session crypto key

Notice: NO direct connection before authentication. Essentially the basestation can be an untrusted 3rd party.

SECURITY OPTIMIZED FOR SMALL DEVICES

Diagram:
- IoT device: System On Chip with UDP stack and P2P uServer; preshared key based on device identification
- Client: P2P Client API on PC, tablet, smartphone, etc.; public/private key + certificates
- Basestation / Super Node: preshared key for device key calculation; device domain certificate
- Direct interactive P2P connection between client and device

SECURITY

- Public key infrastructure to identify clients, possibly devices
- No passwords shipped to devices
- For small devices, a trust relationship between cloud and device. Authenticity of the user is handled on the cloud => negotiated encryption keys are shipped to the device.