About the DiNS project
This project, resulting from our response to the Agence Nationale de la Recherche’s 2019 generic call for projects, brings together industry and academic players in France: the Grenoble Computer Science Laboratory (LIG) (project coordinator), Acklio, Bouygues Telecom, IMT Atlantique and Afnic. The objective is to break down the silos between Internet of Things (IoT) networks and enable interoperability based on the DNS infrastructure and its recent developments.
To this end, the consortium has identified four pathways and segmented its work around them:
- using the DNS database and its protocol extensions as a basic functionality for identifying and naming objects;
- designing a secure, resilient authentication mechanism based on DNS, and therefore distributed and accessible worldwide;
- defining semantic names for things;
- validating the proposed design and hypotheses in one of the most constrained IoT networks: LoRaWAN.
This document constitutes a mid-term progress report on the different pathways and details the contributions made by Afnic in association with the DiNS consortium partners.
An identification and naming architecture to leverage the connectivity of objects on heterogeneous IoT networks
The experimental platform based on LoRaWAN networks has fragmented coverage involving multiple stakeholders. It consists of country-wide networks termed ‘Public Networks’, private networks whose coverage is limited to a specific area, such as within an organisation, and ‘Community Networks’. Afnic, a member of the LoRa Alliance, has contributed to defining the architecture that allows roaming based on the DNS infrastructure. The main challenge is how to take the identifiers of the IoT devices into account so that uniform resolution of the names becomes possible, irrespective of the type of network.
IoTRoam: an open, unified, roaming infrastructure for the IoT
The flagship themes on which Afnic is working in the context of the IoT are unity, interoperability and security. These naturally play an essential part in the DiNS project. Afnic researchers and engineers made a major contribution in the form of the design, implementation, testing and performance analysis of a unified IoT roaming infrastructure based on the DNS.
This design concept, called IoTRoam, provides a transparent and secure roaming service across different IoT networks. The infrastructure designed relies on the DNS and its security extensions (DNSSEC and DANE). We have thus been able to show that the DNS allows safe and effective access to the parameters enabling an object to connect to the visited network. We have succeeded in showing that the DNS, a distributed, robust and scalable service, is entirely suited to this mediation role between different LoRaWAN networks.
Roaming employs certificates for mutually authenticating the parties. We are currently working on integrating DANE (DNS-Based Authentication of Named Entities) with DNSSEC on the IoTRoam platform. The objective is to be able to store in the DNS the data associated with the certificate (its fingerprint) of an entity using IoTRoam. This allows each IoT network to communicate securely with other networks by using self-signed certificates, since the DNSSEC-signed record, rather than a certificate authority, vouches for the certificate. We also presented this work to the technical community at the IETF 113 meeting and carried out a demonstration on the occasion of the IETF hackathon.
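As an added illustration of the DANE step described above (example code written for this summary, not code from the IoTRoam project), the following Python shows how a network would publish a TLSA record pinning its self-signed certificate and how a peer network checks a presented certificate against that record; the certificate bytes, host name and port are constructed assumptions.

```python
import hashlib
import hmac

# Constructed stand-in for the DER-encoded self-signed certificate of a
# LoRaWAN network server (not a real certificate; any byte string works
# for the hashing shown here).
NETWORK_A_CERT_DER = b"-- constructed DER placeholder for network A --"

# TLSA field values (RFC 6698): usage 3 = DANE-EE, i.e. pin the end-entity
# certificate itself so no certificate authority is involved; selector 0 =
# the full certificate; matching types 1/2 = SHA-256/SHA-512 of that data.
DANE_EE, FULL_CERT = 3, 0
SHA256, SHA512 = 1, 2
HASHES = {SHA256: hashlib.sha256, SHA512: hashlib.sha512}


def tlsa_owner_name(host, port=443, proto="tcp"):
    """Owner name of the TLSA record, e.g. _443._tcp.ns.network-a.example.
    Port 443/tcp is an assumption for an HTTPS-based roaming interface."""
    return f"_{port}._{proto}.{host}"


def tlsa_rdata(cert_der, mtype=SHA256):
    """RDATA a network publishes in its zone for its self-signed certificate."""
    if mtype not in HASHES:
        raise ValueError("unsupported matching type")
    digest = HASHES[mtype](cert_der).hexdigest()
    return f"{DANE_EE} {FULL_CERT} {mtype} {digest}"


def parse_tlsa(rdata):
    """Split presentation-format RDATA '3 0 1 <hex>' into its four fields."""
    usage, selector, mtype, data = rdata.split()
    return int(usage), int(selector), int(mtype), data.lower()


def dane_match(presented_der, tlsa_records, dnssec_validated):
    """Accept a peer's certificate only if a DNSSEC-validated TLSA record pins it.
    dnssec_validated stands for the AD flag returned by a validating resolver."""
    if not dnssec_validated:
        return False  # an unsigned TLSA answer could have been forged in transit
    for rdata in tlsa_records:
        usage, selector, mtype, data = parse_tlsa(rdata)
        if usage != DANE_EE or selector != FULL_CERT or mtype not in HASHES:
            continue  # only the field combination this example supports
        digest = HASHES[mtype](presented_der).hexdigest()
        if hmac.compare_digest(digest, data):
            return True
    return False
```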
We believe this development constitutes a useful and necessary contribution to an interoperable and secure approach to IoT networks. Projections of the global deployment of objects and networks (“massive IoT”) lead us to believe that it is necessary to implement appropriate solutions so as to be in a position to let connected objects communicate on several thousand different networks, public and private, which do not “know” each other in advance (as is currently the case with the Internet).
Accordingly, Afnic has designed, developed and made available an open project containing all the basic elements necessary for running it: a software application, a user interface, documentation and a video tutorial.
These resources are available here: https://github.com/AFNIC/IoTRoam-Tutorial
Launch of an experimental technical architecture based on object identifiers to simplify the recovery of data from objects on public networks
The state of the art was based on solutions standardised by the IETF and the LoRa Alliance. Improved roaming integration requires us to anticipate how these standards will evolve to offer new functionalities. In particular, account must be taken of the life cycles and configuration of the objects concerned. For example, an object may change owner, and reconfiguring it may prove complex. A DNS zone can be used to identify the owner, and a change of owner then leads the object to change zone.
Based on our work, a modified IoTRoam architecture was defined by IMT Atlantique. It minimises the protocol impact and redefines two roles:
- owners of objects, who publish the parameters of their objects in their own DNS;
- network operators:
  - who, subject to law, can interrogate the DNS of the object owners in order to authorise the objects to connect to their network;
  - who play a third-party intermediary role in grouping together the information on owners and managing the authentication certificates.
The exchanges rely on intensive use of the DNS and the DoH (DNS over HTTPS) protocol. The notion of a private DNS was also introduced in order to provide security checks that allow exchanges to be blocked at DNS resolution time. Lastly, from a performance perspective, the use of a private DNS reduces the latency of exchanges between the object and the network to which it is connected, while at the same time limiting the number of DNS queries on the network.
A joint experiment with IMT is currently in the start-up phase to study a number of use cases and to take complementary measurements on a more significant volume of resources.
You can find all the DiNS publications on the project website: dins.fr