ACE of Spades in the IoT Security Game: A Flexible IPsec Security Profile for Access Control
Santiago Aragon, Marco Tiloca, Max Maass, Matthias Hollick, Shahid Raza

TL;DR
This paper introduces a novel ACE IPsec profile for IoT security, enabling resource-constrained devices to establish secure IPsec channels for access control, with an open-source implementation and performance validation on IoT hardware.
Contribution
It presents the first open-source ACE IPsec profile for IoT, integrating IPsec with ACE for secure access control on constrained devices.
Findings
The ACE IPsec profile is feasible on resource-limited IoT devices.
The implementation supports both direct provisioning and IKEv2.
Performance tests show the profile is practical for constrained environments.
Abstract
The Authentication and Authorization for Constrained Environments (ACE) framework provides fine-grained access control in the Internet of Things, where devices are resource-constrained and have limited connectivity. The ACE framework defines separate profiles to specify how exactly entities interact and what security and communication protocols to use. This paper presents the novel ACE IPsec profile, which specifies how a client establishes a secure IPsec channel with a resource server, contextually using the ACE framework to enforce authorized access to remote resources. The profile makes it possible to establish IPsec Security Associations, either through their direct provisioning or through the standard IKEv2 protocol. We provide the first Open Source implementation of the ACE IPsec profile for the Contiki OS and test it on the resource-constrained Zolertia Firefly platform. Our…
