Ericsson

Jorvas 02420 Finland jari.arkko@piuha.net

Cisco

170 West Tasman Drive San Jose CA 95134 United States of America +1 408 421-9990 fluffy@iii.ca

Edge Impulse

3031 Tisch Way San Jose CA 95128 United States of America zach@edgeimpulse.com

URN device identifier IMEI 1-Wire MAC address EUI-48 EUI-64 This document describes a new Uniform Resource Name (URN) namespace for hardware device identifiers. A general representation of device identity can be useful in many applications, such as in sensor data streams and storage or in equipment inventories. A URN-based representation can be passed along in applications that need the information.

Introduction This document describes a new Uniform Resource Name (URN) namespace for hardware device identifiers. A general representation of device identity can be useful in many applications, such as in sensor data streams and storage or in equipment inventories . A URN-based representation can be passed along in applications that need the information. It fits particularly well for protocols mechanisms that are designed to carry URNs . Finally, URNs can also be easily carried and stored in formats such as XML , JSON , or SenML . Using URNs in these formats is often preferable as they are universally recognized and self-describing and therefore avoid the need to agree to interpret an octet string as a specific form of a Media Access Control (MAC) address, for instance. Passing URNs may consume additional bytes compared to, for instance, passing 4-byte binary IPv4 addresses, but the former offers some flexibility in return. This document defines identifier URN types for situations where no such convenient type already exists. For instance, defines cryptographic identifiers, defines International Mobile station Equipment Identity (IMEI) identifiers for use with 3GPP cellular systems, and defines Mobile Equipment Identity (MEID) identifiers for use with 3GPP2 cellular systems. Those URN types should be employed when such identifiers are transported; this document does not redefine these identifiers in any way. Universally Unique Identifier (UUID) URNs are another alternative way to represent device identifiers and already support MAC addresses as one type of identifier. However, UUIDs can be inconvenient in environments where it is important that the identifiers be as simple as possible and where additional requirements on stable storage, real-time clocks, and identifier length can be prohibitive. Often, UUID-based identifiers are preferred for general purpose uses instead of the MAC-based device URNs defined in this document. The device URNs are recommended for constrained environments. Future device identifier types can extend the device URN type defined in this document (see ), or they can define their own URNs. Note that long-term stable unique identifiers are problematic for privacy reasons and should be used with care as described in . The rest of this document is organized as follows. defines the "DEV" URN type, and defines subtypes for IEEE MAC-48, EUI-48 and EUI-64 addresses, and 1-Wire device identifiers. gives examples. discusses the security and privacy considerations of the new URN type. Finally, specifies the IANA registration for the new URN type and sets requirements for subtype allocations within this type.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

DEV URN Definition

Namespace Identifier:

"dev"

Version:

1

Date:

2020-06-24

Registrant:

IETF and the CORE Working Group. Should the working group cease to exist, discussion should be directed to the Applications and Real-Time Area or general IETF discussion forums, or the IESG.

Purpose The DEV URNs identify devices with device-specific identifiers such as network card hardware addresses. DEV URNs are scoped to be globally applicable (see ) and, in general, enable systems to use these identifiers from multiple sources in an interoperable manner. Note that in some deployments, ensuring uniqueness requires care if manual or local assignment mechanisms are used, as discussed in . Some typical DEV URN applications include equipment inventories and smart object systems. DEV URNs can be used in various ways in applications, software systems, and network components, in tasks ranging from discovery (for instance, when discovering 1-Wire network devices or detecting MAC-addressable devices on a LAN) to intrusion detection systems and simple catalogues of system information. While it is possible to implement resolution systems for specific applications or network locations, DEV URNs are typically not used in a way that requires resolution beyond direct observation of the relevant identifier fields in local link communication. However, it is often useful to be able to pass device identifier information in generic URN fields in databases or protocol fields, which makes the use of URNs for this purpose convenient. The DEV URN namespace complements existing namespaces such as those involving IMEI or UUID identifiers. DEV URNs are expected to be a part of the IETF-provided basic URN types, covering identifiers that have previously not been possible to use in URNs.

Syntax The identifier is expressed in ASCII characters and has a hierarchical structure as follows: The above syntax is represented in Augmented Backus-Naur Form (ABNF) as defined in and . The syntax also copies the DIGIT and ALPHA rules originally defined in , exactly as defined there. The device identifier namespace includes five subtypes (see ), and more may be defined in the future as specified in . The optional underscore-separated components at the end of the DEV URN depict individual aspects of a device. The specific strings and their semantics are up to the designers of the device but could be used to refer to specific interfaces or functions within the device. With the exception of the MAC address and 1-Wire DEV URNs, each DEV URN may also contain optional colon-separated identifiers. These are provided for extensibility. There are no special character encoding rules or considerations for conforming with the URN syntax beyond those applicable for URNs in general or the context where these URNs are carried (e.g., inside JSON or SenML ). Due to the SenML rules in , it is not desirable to use percent-encoding in DEV URNs, and the subtypes defined in this specification do not really benefit from percent-encoding. However, this specification does not deviate from the general syntax of URNs or their processing and normalization rules as specified in and . DEV URNs do not use r-, q-, or f-components as defined in . Specific subtypes of DEV URNs may be validated through mechanisms discussed in . The string representation of the device identifier URN is fully compatible with the URN syntax.

Character Case and URN-Equivalence The DEV URN syntax allows both uppercase and lowercase characters. The URN-equivalence of the DEV URNs is defined per , i.e., two URNs are URN-equivalent if their assigned-name portions are octet-by-octet equal after applying case normalization to the URI scheme ("urn") and namespace identifier ("dev"). The rest of the DEV URN is compared in a case-sensitive manner. It should be noted that URN-equivalence matching merely quickly shows that two URNs are definitely the same for the purposes of caching and other similar uses. Two DEV URNs may still refer to the same entity and may not be found to be URN-equivalent according to the definition. For instance, in ABNF, strings are case insensitive (see ), and a MAC address could be represented either with uppercase or lowercase hexadecimal digits. Character case is not otherwise significant for the DEV URN subtypes defined in this document. However, future subtypes might include identifiers that use encodings such as base64, which encodes strings in a larger variety of characters and might even encode binary data. To facilitate equivalence checks, it is RECOMMENDED that implementations always use lowercase letters where they have a choice in case, unless there is a reason otherwise. (Such a reason might be, for instance, the use of a subtype that requires the use of both uppercase and lowercase letters.)

Assignment The process for identifier assignment is dependent on the used subtype and is documented in the specific subsection under . Device identifiers are generally expected to identify a unique device, barring the accidental issue of multiple devices with the same identifiers. In many cases, device identifiers can also be changed by users or are sometimes assigned in an algorithmic or local fashion. Any potential conflicts arising from such assignments are not something that the DEV URNs as such manage; they simply are there to refer to a particular identifier. And, of course, a single device may (and often does) have multiple identifiers, e.g., identifiers associated with different link technologies it supports. The DEV URN type SHOULD only be used for hardware-based identifiers that are expected to be persistent (with some limits, as discussed above).

Security and Privacy As discussed in , care must be taken in the use of device-identifier-based identifiers due to their nature as long-term identifiers that are not normally changeable. Leakage of these identifiers outside systems where their use is justified should be controlled.

Interoperability There are no specific interoperability concerns.

Resolution The device identifiers are not expected to be globally resolvable. No identifier resolution system is expected. Systems may perform local matching of identifiers to previously seen identifiers or configured information, however.

Documentation See RFC 9039.

Additional Information See for a discussion of related namespaces.

Revision Information This is the first version of this registration.

DEV URN Subtypes

MAC Addresses DEV URNs of the "mac" subtype are based on the EUI-64 identifier derived from a device with a built-in 64-bit EUI-64. The EUI-64 is formed from 24 or 36 bits of organization identifier followed by 40 or 28 bits of device-specific extension identifier assigned by that organization. In the DEV URN "mac" subtype, the hexstring is simply the full EUI-64 identifier represented as a hexadecimal string. It is always exactly 16 characters long. MAC-48 and EUI-48 identifiers are also supported by the same DEV URN subtype. To convert a MAC-48 address to an EUI-64 identifier, the Organizationally Unique Identifier (OUI) of the MAC-48 address (the first three octets) becomes the organization identifier of the EUI-64 (the first three octets). The fourth and fifth octets of the EUI are set to the fixed value 0xffff (hexadecimal). The last three octets of the MAC-48 address become the last three octets of the EUI-64. The same process is used to convert an EUI-48 identifier, but the fixed value 0xfffe is used instead. Identifier assignment for all of these identifiers rests within the IEEE Registration Authority. Note that where randomized MAC addresses are used, the resulting DEV URNs cannot be expected to have uniqueness, as discussed in .

1-Wire Device Identifiers The 1-Wire system is a device communications bus system designed by Dallas Semiconductor Corporation. (1-Wire is a registered trademark.) 1-Wire devices are identified by a 64-bit identifier that consists of an 8-bit family code, a 48-bit identifier unique within a family, and an 8-bit Cyclic Redundancy Check (CRC) code . In DEV URNs with the "ow" subtype, the hexstring is a representation of the full 64-bit identifier as a hexadecimal string. It is always exactly 16 characters long. Note that the last two characters represent the 8-bit CRC code. Implementations MAY check the validity of this code. Family code and identifier assignment for all 1-Wire devices rests with the manufacturers.

Organization-Defined Identifiers Device identifiers that have only a meaning within an organization can also be used to represent vendor-specific or experimental identifiers or identifiers designed for use within the context of an organization. Organizations are identified by their Private Enterprise Number (PEN) . These numbers can be obtained from IANA. Current PEN assignments can be viewed at , and new assignments are requested at . Note that when included in an "org" DEV URN, the number cannot be zero or have leading zeroes, as the ABNF requires the number to start with a non-zero digit.

Organization Serial Numbers The "os" subtype specifies an organization and serial number. Organizations are identified by their PEN. As with the organization-defined identifiers (), PEN number assignments are maintained by IANA, and assignments for new organizations can be made easily. Organization serial number DEV URNs consist of the PEN number and the serial number. As with other DEV URNs, for carrying additional information and extensibility, optional colon-separated identifiers and underscore-separated components may also be included. The serial numbers themselves are defined by the organization, and this specification does not specify how they are allocated. Organizations are also encouraged to select serial number formats that avoid the possibility of ambiguity in the form of leading zeroes or otherwise.

Organization Product and Serial Numbers The DEV URN "ops" subtype was originally defined in the LwM2M standard but has been incorporated here to collect all syntaxes associated with DEV URNs in one place. The "ops" subtype specifies an organization, product class, and a serial number. Organizations are identified by their PEN. Again, as with the organization-defined identifiers (), PEN number assignments are maintained by IANA. Organization product and serial number DEV URNs consist of the PEN number, product class, and the serial number. As with other DEV URNs, for carrying additional information and extensibility, optional colon-separated identifiers and underscore-separated components may also be included. Both the product class and serial numbers themselves are defined by the organization, and this specification does not specify how they are allocated. Organizations are also encouraged to select product and serial number formats that avoid possibility for ambiguity.

Future Subtypes Additional subtypes may be defined in future specifications. See . The DEV URN "example" subtype is reserved for use in examples. It has no specific requirements beyond those expressed by the ABNF in .

Examples The following provides some examples of DEV URNs:

URN	Description
urn:dev:mac:0024beffff804ff1	The MAC-48 address of 0024be804ff1, converted to EUI-64 format
urn:dev:mac:0024befffe804ff1	The EUI-48 address of 0024be804ff1, converted to EUI-64 format
urn:dev:mac:acde48234567019f	The EUI-64 address of acde48234567019f
urn:dev:ow:10e2073a01080063	A 1-Wire temperature sensor
urn:dev:ow:264437f5000000ed_humidity	The humidity part of a multi-sensor device
urn:dev:ow:264437f5000000ed_temperature	The temperature part of a multi-sensor device
urn:dev:org:32473-foo	An organization-specific URN in the example organization 32473 in
urn:dev:os:32473-123456	Device 123456 in the example organization in
urn:dev:os:32473-12-34-56	A serial number with dashes in it
urn:dev:ops:32473-Refrigerator-5002	Refrigerator serial number 5002 in the example organization in
urn:dev:example:new-1-2-3_comp	An example of something that is not defined today, and is not one of the mac, ow, os, or ops subtypes

The DEV URNs themselves can then appear in various contexts. A simple example of this is the use of DEV URNs in SenML data. This example from shows a measurement from a 1-Wire temperature gauge encoded in the JSON syntax:

Security Considerations On most devices, the user can display device identifiers. Depending on circumstances, device identifiers may or may not be modified or tampered with by the user. An implementation of the DEV URN MUST preserve such limitations and behaviors associated with the device identifiers. In particular, a device identifier that is intended to be immutable should not become mutable as a part of implementing the DEV URN type. More generally, nothing in this document should be construed to override what the relevant device specifications have already said about the identifiers.

Privacy Other devices in the same network may or may not be able to identify the device. For instance, on an Ethernet network, the MAC address of a device is visible to all other devices. DEV URNs often represent long-term stable unique identifiers for devices. Such identifiers may have privacy and security implications because they may enable correlating information about a specific device over a long period of time, location tracking, and device-specific vulnerability exploitation . Also, in some systems, there is no easy way to change the identifier. Therefore, these identifiers need to be used with care, and special care should be taken to avoid leaking identifiers outside of the system that is intended to use them.

Validity Information about identifiers may have significant effects in some applications. For instance, in many sensor systems, the identifier information is used for deciding how to use the data carried in a measurement report. In some other systems, identifiers may be used in policy decisions. It is important that systems be designed to take into account the possibility of devices reporting incorrect identifiers (either accidentally or maliciously) and the manipulation of identifiers in communications by illegitimate entities. Integrity protection of communications or data objects, the use of trusted devices, and various management practices can help address these issues. Similar to the advice in : Do not assume that DEV URNs are hard to guess.

IANA Considerations Per this document, IANA has registered a new URN namespace for "dev", as described in . IANA has created a "DEV URN Subtypes" registry under "Device Identification". The initial values in this registry are as follows:

Subtype	Description	Reference
mac	MAC Addresses	RFC 9039,
ow	1-Wire Device Identifiers	RFC 9039,
org	Organization-Defined Identifiers	RFC 9039,
os	Organization Serial Numbers	RFC 9039,
ops	Organization Product and Serial Numbers	RFC 9039,
example	Reserved for examples	RFC 9039,

Additional subtypes for DEV URNs can be defined through Specification Required or IESG Approval . These allocations are appropriate when there is a new namespace of some type of device identifier that is defined in a stable fashion and has a publicly available specification. Note that the organization () device identifiers can also be used in some cases, at least as a temporary measure. It is preferable, however, that long-term usage of a broadly employed device identifier be registered with IETF rather than used through the organization device identifier type.

References Normative References IEEE Maxim Informative References

Acknowledgments The authors would like to thank , , , , , , , , , , , , , , , , , , , , , , , , , , , and for their feedback and interesting discussions in this problem space. We would also like to note prior documents that focused on specific device identifiers, such as and .