MJV

Reputation: 1882

Using endpoint client name and/or keys in LwM2M bootstrap interface

I've been reading the LwM2M spec (version 1.1.1) and have played around with Eclipse Leshan to test things out myself. I've managed to bootstrap a client using a BS server, and then register to the device management server and send data there successfully. But so far I've done all of this using the "nosec" security mode, configuring a dedicated endpoint for the client on my BS server and using the same name for the endpoint in the client.

I tried using pre-shared key (PSK) with an identity instead on the BS server, and it works as long as I set the endpoint client name to null on the client. I've understood the parameter is optional and can be left out if it's included in the identity already, but that the bootstrap server MUST check the endpoint client name against the given identity if both are given, and return "bad request" if they don't match.

I've also understood that endpoint client name should be unique for each client (per server).

Doesn't this mean that the bootstrap server must know in advance all the clients that are going to request bootstrapping from it? If each client can send a unique endpoint client name and the server must check it if one is given, it sounds like the server must have a list of allowed names and/or identities for the bootstrapping to succeed.

I had previously planned to have a bootstrap server that could serve all of a single customer's devices – thousands of them – as long as they each asked for a config using a customer-specific identity and key, without having to know how many of those devices there would be or their device-specific identities. I could then provide each of those devices the same LwM2M Server config and just collect a list of devices that have bootstrapped (and registered).

But now it seems such an approach is impossible, or then I've badly misunderstood something about the bootstrap interface. Which is it?

Update:
I think what I should have asked to be better understood is: "Do all devices need to be pre-provisioned to the bootstrap server before they can start the bootstrap interface?"

I've come to believe it's indeed needed if the server fulfills the LwM2M standard also from the security point of view; the BS server needs to identify each client, and as each client should have a unique key (or certificate), the server can only recognize clients whose keys it has been pre-provisioned with.

Upvotes: 1

Views: 307

Answers (2)

Jenia Kogan

Reputation: 11

In the Leshan demo server, this is indeed the case - you need to define the Common Name of the device certificate in the Leshan service. In general, it could be handled differently. For example, you can have one private key that will sign multiple device certificates (every device certificate is provisioned to another device). The certificate that corresponds to this private key will be uploaded to the LwM2M service, and the cloud will identify the devices by verifying that the device certificate is signed by the uploaded certificate. This is how we implement it in Izuma Cloud - https://www.izumanetworks.com/

Upvotes: 1

sbernard

Reputation: 784

(I'm a Leshan Developer)

I tried using pre-shared key (PSK) with an identity instead on the BS server, and it works as long as I set the endpoint client name to null on the client.

This sounds like strange behavior. Please open an issue at the Leshan repository to discuss that.

I've understood the parameter is optional and can be left out if it's included in the identity already, but that the bootstrap server MUST check the endpoint client name against the given identity if both are given, and return "bad request" if they don't match.

That's true since LWM2M v1.1.x. With LWM2M v1.0.x, the endpoint name is mandatory for Register and Bootstrap Request.

This is not yet implemented in Leshan; I created the corresponding issue. (Do not hesitate to comment if you need it.)

I've also understood that endpoint client name should be unique for each client (per server).

Reading this, I understand that too.

Doesn't this mean that the bootstrap server must know in advance all the clients that are going to request bootstrapping from it? If each client can send a unique endpoint client name and the server must check it if one is given, it sounds like the server must have a list of allowed names and/or identities for the bootstrapping to succeed.

For leshan-server-demo and leshan-bsserver-demo, yes, they must know each device. (But these are just demos.)

For LWM2M in general, having a list of all known devices is probably the simplest solution. But you can imagine having a kind of pattern or algorithm which allows you to know if a device is allowed. (It could be trickier in terms of security than a simple list.)

For the Leshan library (which is used to build the leshan-?server-demos), there are some interfaces that allow you to implement your own behavior. (See Authorizer, BootstrapAuthorizer, DefaultAuthorizer, DefaultBootstrapAuthorizer, BootstrapConfigStore.)

I had previously planned to have a bootstrap server that could serve a single customer's all devices – thousands of them – as long as they each asked for a config using a customer-specific identity and key, without having to know how many of those devices there would be or their device-specific identities. I could then provide each of those devices the same LwM2M Server config and just collect a list of devices that have bootstrapped (and registered).

But now it seems such an approach is impossible, or then I've badly misunderstood something about the bootstrap interface. Which is it?

What you have in mind is not totally clear to me, but I guess this could be doable if you implement your own server (at least the Leshan library should provide an API which allows you to do that ☝).

But keep in mind that, going this way, it is pretty easy to decrease the level of security.

Upvotes: 2
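The two policies sbernard contrasts (an explicit per-device list versus a "pattern or algorithm" that accepts a customer-wide credential) and the LwM2M 1.1 rule the question cites (endpoint name optional when the identity carries it, 4.00 Bad Request when both are given and disagree) can be modelled as a small authorization function. The following is an added example and is not Leshan code; it does not use the Leshan `BootstrapAuthorizer` API. It assumes a successful DTLS PSK handshake has already happened, that a per-device PSK identity maps directly to one endpoint name, and that a customer-wide credential uses a constructed `customer:<id>` identity from which no device name can be derived. The CoAP codes are the ones the Bootstrap interface uses for accept and mismatch; the unauthorized case is modelled as 4.01.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Protocol

# CoAP response codes as used on the LwM2M Bootstrap interface.
CHANGED = "2.04 Changed"          # Bootstrap-Request accepted
BAD_REQUEST = "4.00 Bad Request"  # endpoint name disagrees with (or is missing from) the identity
UNAUTHORIZED = "4.01 Unauthorized"  # modelled code for "identity may not bootstrap as this endpoint"


@dataclass(frozen=True)
class BootstrapRequest:
    """What the bootstrap server sees after a successful DTLS PSK handshake."""
    psk_identity: str               # authenticated PSK identity from the handshake
    endpoint_name: Optional[str]    # optional ?ep= parameter; None when the client omits it


@dataclass(frozen=True)
class Decision:
    code: str
    endpoint: Optional[str] = None  # endpoint name the server records on success
    reason: str = ""


class BootstrapPolicy(Protocol):
    """Deployment-specific mapping from an authenticated identity to an endpoint name."""
    def endpoint_from_identity(self, identity: str) -> Optional[str]: ...
    def endpoint_allowed(self, identity: str, endpoint: str) -> bool: ...


class PerDevicePolicy:
    """Explicit allow list: each device has its own PSK and the server knows
    identity -> endpoint name in advance (what the Leshan demos do)."""

    def __init__(self, table: Dict[str, str]) -> None:
        self.table = dict(table)

    def endpoint_from_identity(self, identity: str) -> Optional[str]:
        return self.table.get(identity)

    def endpoint_allowed(self, identity: str, endpoint: str) -> bool:
        # An identity absent from the table would in practice already fail the
        # DTLS handshake (no key for it); here it is simply not allowed.
        return self.table.get(identity) == endpoint


class CustomerPolicy:
    """One customer-wide credential shared by all of that customer's devices.
    The identity 'customer:<id>' (constructed convention) names no device, so
    the endpoint name must come from the client and can only be pattern-checked."""

    def __init__(self, customer_id: str, endpoint_pattern: str) -> None:
        self.identity = f"customer:{customer_id}"
        self.pattern = re.compile(endpoint_pattern)

    def endpoint_from_identity(self, identity: str) -> Optional[str]:
        return None  # nothing device-specific to derive from a shared credential

    def endpoint_allowed(self, identity: str, endpoint: str) -> bool:
        return identity == self.identity and self.pattern.fullmatch(endpoint) is not None


def authorize(req: BootstrapRequest, policy: BootstrapPolicy) -> Decision:
    """LwM2M 1.1 rule: the endpoint name may be omitted when the identity carries it;
    when both are present they must agree, otherwise the answer is 4.00 Bad Request."""
    derived = policy.endpoint_from_identity(req.psk_identity)
    if derived is None and req.endpoint_name is None:
        return Decision(BAD_REQUEST, reason="no endpoint name in request or identity")
    if derived is not None and req.endpoint_name is not None and derived != req.endpoint_name:
        return Decision(BAD_REQUEST, reason=f"endpoint {req.endpoint_name!r} does not match identity")
    endpoint = derived if derived is not None else req.endpoint_name
    if not policy.endpoint_allowed(req.psk_identity, endpoint):
        return Decision(UNAUTHORIZED, reason=f"{req.psk_identity!r} may not bootstrap as {endpoint!r}")
    return Decision(CHANGED, endpoint=endpoint)


def bootstrap_many(requests: Iterable[BootstrapRequest], policy: BootstrapPolicy) -> Dict[str, str]:
    """The asker's plan of 'collect a list of devices that have bootstrapped':
    returns endpoint -> identity for every accepted request."""
    seen: Dict[str, str] = {}
    for req in requests:
        d = authorize(req, policy)
        if d.code == CHANGED:
            seen[d.endpoint] = req.psk_identity
    return seen


if __name__ == "__main__":
    per_device = PerDevicePolicy({"dev-0001-psk": "dev-0001", "dev-0002-psk": "dev-0002"})
    print(authorize(BootstrapRequest("dev-0001-psk", None), per_device))        # 2.04, dev-0001
    print(authorize(BootstrapRequest("dev-0001-psk", "dev-0002"), per_device))  # 4.00 mismatch
    customer = CustomerPolicy("acme", r"acme-dev-\d{4}")
    # Same shared credential, two different claimed names: both accepted, and the
    # server has no way to tell whether they came from one device or two.
    print(bootstrap_many([BootstrapRequest("customer:acme", "acme-dev-0001"),
                          BootstrapRequest("customer:acme", "acme-dev-9999")], customer))
```

The last call is the caveat behind "pretty easy to decrease the level of security": under `CustomerPolicy` the endpoint name is self-asserted by whoever holds the shared key, so the collected list records claimed names, not authenticated devices, and one compromised key lets any holder appear as any endpoint matching the pattern. `PerDevicePolicy` avoids that, at the cost of pre-provisioning every identity, which is exactly the trade-off the question arrives at.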
