For Internet of things (IoT)/M2M the number of devices that need to be managed will be very large, which makes the usability of the management solution an important factor. A natural solution is to have a centralized point from which the devices are managed. One such approach is to have a management web portal to which devices register and from which they are managed, instead of managing each device directly.
Capillary networks comprise constrained machine devices connected to the public network through a CGW, which in many cases uses 3rd generation partnership project (3GPP) access technologies towards the public network and low power radio towards the capillary devices. The constrained devices in the capillary networks have limited, and varying, computational and power resources. In addition, in an IoT scenario, the number of capillary devices that will be deployed is huge, which makes ease of use and deployment a key factor for the success of the IoT. This also means that the amount of manual configuration needed to deploy such devices should be minimized. Furthermore, to provide the best possible service, the CGW should restrict the devices accessing through it to authorized devices only, as unauthorized devices would otherwise consume the resources of the CGW, possibly lessening the quality of service for authorized devices.
Constrained devices are often deployed to be connected to the public network through a CGW. Some of these CGWs may have to provide connectivity to other devices connecting to them, similar to a public wireless local area network (WLAN) hot spot.
However, for reasons of bandwidth allocation, network isolation and/or security, the CGW operator or owner may wish to limit the service to devices and/or device owners with which the CGW operator has a business agreement. Since the number of deployments is huge in IoT, manually configuring the connectivity for each device separately is not attractive.
Presently, one way of implementing authentication of a device to a CGW is by using a shared secret or a client side certificate. A shared secret, essentially a username/password pair, requires manual work during deployment and requires the CGW to have an interface for adding new credentials/devices. This by itself does not remove the burden of having to prove who owns the device. Effectively identifying the owner relies on trusting that whoever uses the interface can assure a linkage between the device and its owner. Moreover, when a device is moving and connects to different CGWs over time, every CGW to which the device may connect would have to be configured to accept the device.
Furthermore, all new interfaces should be treated as potential hazards and will require their own security solution.
Client side certificates, on the other hand, require a trusted third party to act as a certificate authority, and the CGW would have to trust that authority. This would not be a problem if the authority is one of the established authorities. However, this solution suffers from the same problem as the shared secret does: the client certificate only authenticates the device, not its owner.
It would be infeasible to also provide the name of the owner in the client certificate, because such information would become outdated when the device changes hands on second hand markets.
3GPP Generic bootstrapping architecture (GBA), as defined in technical specification (TS) 33.220, vers. 12.2.0, defines a mechanism for setting up a shared secret between a User equipment (UE) and an application server, referred to as a Network application function (NAF). GBA is one possible way of authenticating a device to a service. Other options include, but are not limited to, public key certificates and username/password based authentication.
By bootstrapping an IoT device to a management portal, typically performed during a bootstrapping procedure of the device, remote management of the device is enabled.
However, there is a need for a procedure with which a machine device can be bound to a subscription in the CGW for network connectivity, with minimal user interaction and minimal requirements on the machine device.