IoT

The Software Updates for Internet of Things (SUIT) Working Group is tackling one of the most pressing challenges in IoT security: reliable, secure, and interoperable firmware updates for constrained devices.

Today IoT deployments often depend on proprietary update mechanisms that are fragmented and difficult to audit. As vulnerabilities continue to emerge, security experts, researchers, and regulators agree: every IoT device should have a robust and standardized way to update firmware securely.

The SUIT WG is designing a comprehensive solution, focusing on devices with very limited resources, those with as little as ~10 KiB of RAM and ~100 KiB of flash storage, while also supporting more capable systems.

Key components of the SUIT approach include:

• A manifest, providing metadata about firmware packages, their dependencies, and cryptographic protections.
• Use of CBOR (Concise Binary Object Representation) for compact encoding, along with COSE cryptographic mechanisms to secure manifests.
• Extensions to support encryption, trust domains, update management, and integration with other IoT frameworks like MUD (Manufacturer Usage Description).
• Mechanisms for devices to report update status securely, enabling visibility and compliance across IoT fleets.

The group collaborates closely with the Remote ATtestation Procedures (RATS) WG to define claims that can attest to firmware update status, strengthening supply chain transparency and trust.

The SUIT WG is also committed to working with silicon vendors, OEMs, and the broader IoT ecosystem to drive real-world implementations, including participation in IETF Hackathons to validate and improve specifications.

Link to the WG: https://datatracker.ietf.org/group/suit/about/
Link to the WG Documents: https://datatracker.ietf.org/group/suit/documents/

The IoTops (IoT Operations) WG at the IETF has a document called Terminology for Constrained-Node Networks, whose abstract is as follows:

"The Internet Protocol Suite is increasingly used on small devices with severe constraints on power, memory, and processing resources, creating constrained-node networks. This document provides a number of basic terms that have been useful in the standardization work for constrained-node networks." A new version of this document is dated 7 July 2025.

Link to the document: https://datatracker.ietf.org/doc/draft-ietf-iotops-7228bis/

IoTops WG: https://datatracker.ietf.org/wg/iotops/documents/

The IRTF draft titled "Guidance on RESTful Design for Internet of Things Systems"(https://datatracker.ietf.org/doc/draft-irtf-t2trg-rest-iot/) provides recommendations for applying REST (Representational State Transfer) principles to the design of IoT systems. REST is a well-known architectural style for building scalable and interoperable web services. This draft explores how those same principles can be adapted to the unique constraints and characteristics of the Internet of Things, where devices often have limited resources and operate in constrained networks.

One of the central ideas is that RESTful approaches can help create machine-understandable interfaces that reduce the need for human intervention and make integration between systems easier. To support this, the draft emphasizes the use of lightweight protocols like CoAP (Constrained Application Protocol) and compact data formats suited for constrained environments. It also recommends designing interactions that are resource-based and stateless whenever possible.

The document acknowledges that IoT devices may act both as clients and servers and provides guidance for managing these roles within a RESTful framework. Additionally, because IoT deployments are long-lived and widely distributed, the draft encourages designs that support extensibility and gradual evolution over time, without requiring simultaneous updates to all nodes.

By promoting RESTful design principles tailored for IoT, the draft aims to improve interoperability among devices and systems from different vendors. This reduces integration complexity and fosters a more robust and adaptable IoT ecosystem.

We introduced LoRa mesh networks at in the GAIA WG meeting at IETF 122. Different to LoRaWAN, LoRa mesh networks are not standardized. The current proprietary solutions and open source solutions are not interoperable. The lack of standardization is a difficulty for a quicker adoption of LoRa mesh network technology.

The Internet-Draft titled "Comparison of CoAP Security Protocols" analyzes and compares the message sizes of key exchange processes and per-packet overheads associated with various security protocols used to secure the Constrained Application Protocol (CoAP). Minimizing message sizes is crucial in constrained radio networks, such as Low-Power Wide Area Networks (LPWANs), to reduce energy consumption, latency, and completion times.

The security protocols evaluated in this document include:

• Datagram Transport Layer Security (DTLS) 1.2 and 1.3
• Transport Layer Security (TLS) 1.2 and 1.3
• Compact TLS (cTLS)
• Ephemeral Diffie-Hellman Over COSE (EDHOC)
• Object Security for Constrained RESTful Environments (OSCORE)
• Group OSCORE

The analysis considers the DTLS and TLS record layers with and without 6LoWPAN-GHC compression and examines DTLS both with and without Connection ID.

Find in here https://datatracker.ietf.org/meeting/118/proceedings/ the proceedings of IETF 118, where you can check IoT Working Group work such as ROLL, 6Lo, IoTOps, etc. Minutes, Slides and Video Recording are available.

The IRTF Thing-to-Thing Research Group is working on a document that describes the IoT Edge Challenges and Functions. 

Link: https://datatracker.ietf.org/doc/draft-irtf-t2trg-iot-edge/

From Charter: "The Supply Chain Integrity, Transparency, and Trust (SCITT) WG will define a set of interoperable building blocks that will allow implementers to build integrity and accountability into software supply chain systems to help assure trustworthy operation. For example, a public computer interface system could report its software composition that can then be compared against known software compositions or certifications for such a device thereby giving confidence that the system is running the software expected and has not been modified, either by attack or accident, in the supply chain." 

Source: https://datatracker.ietf.org/wg/scitt/about/

To Subscribe: 

https://www.ietf.org/mailman/listinfo/scitt