IoT Zone is brought to you in partnership with:

Paul Fremantle is CTO at WSO2, where he leads the technical team in the most dynamic Open Source Middleware company. He has been the chair of the WSRX TC at OASIS and he is VP of Apache Synapse at the Apache Software Foundation. Paul has co-authored two books on XML and Web Services and is a regular speaker at conferences. Previously Paul was a Senior Technical Staff Member at IBM where he led development of the IBM Web Services Gateway. In his spare time Paul plays traditional music on the tin whistle. Paul is a DZone MVB and is not an employee of DZone and has posted 15 posts at DZone. You can read more from them at their website. View Full User Profile

Internet of Things - Protocols and Access Keys

  • submit to reddit

 I've just read this article from Mark O'Neill on the 10 concerns for the Internet of Things. Mark brings up some very interesting aspects and concerns. I'd like to comment on two of those: protocols and access keys.

His primary concern is protocol proliferation. I agree this is an issue. Mark explicitly mentions CoAP, MQTT, AMQP and XMPP. Interestingly he doesn't mention HTTP, which I have found to be heavily used by devices, especially the new generation of Raspberry Pi based systems. Many Arduino's also use HTTP.

I will admit to a strong bias. I think that MQTT is the best of these protocols for IoT devices, with CoAP a distant second.

Let's get XMPP out of the way. I love XMPP. I think its a fantastic protocol. Do I want to create XML packets on my Arduino? Er... nope. Even on 32-bit controllers, there is still the network traffic to consider: suppose I'm using a GPRS connection and I have thousands of devices deployed: minimizing network traffic is important for cost and efficiency, and XMPP was not designed for that.

AMQP is not an appropriate protocol for IoT devices and was not designed for that. It is designed for "the efficient exchange of information within and between enterprises". It was certainly not designed for lightweight, non-persistent, non-transactional systems. To that end, my own system (WSO2) will be providing efficient bridging for AMQP and MQTT to enable lightweight systems to get their data into wider enterprise contexts. I also demonstrated HTTP to MQTT bridging with the WSO2 ESB at the MQTT Interop held last week at EclipseCon.

How about CoAP vs MQTT. Firstly, CoAP is more appropriate to compare to MQTT-SN. It is UDP only, and designed to emulate a RESTful model over UDP. My biggest concern with CoAP is this: most people don't actually understand REST - they understand HTTP. If I had a dollar for every time I've come across supposedly RESTful interfaces that are really HTTP interfaces, I'd be a rich man! 
Interestingly, despite MQTT having been around for 10 years, the Google Trend shows that it has only recently hit the public notice:
However, as you can see, it has quickly overtaken CoAP. In terms of traffic, it is a clear winner: every Facebook mobile app uses MQTT to communicate with the Facebook servers.
The other area I'd like to comment on is access keys. I agree this is a big issue, and that is the reason I've been working on using OAuth2 access keys with MQTT and IoT devices. I recently gave talks about this at FOSDEM, QCon London, and EclipseCon.  The EclipseCon talk also covered a set of wider security concerns and the slides are available here. OAuth2 and OpenID Connect are important standards that have got incredible traction in a short period of time. They have evolved out of 10+ years of trying to solve the distributed, federated identity and access control problems of the Internet. 
In my presentation I strongly argued that passwords are bad for users, but worse for devices. Tokens are the correct model, and the OAuth2 token is the best available token to use at this point. There was considerable interest in the MQTT interop session on standardizing the use of OAuth2 tokens with the protocol. 
My personal prediction is that we will see MQTT and HTTP become the most-used IoT protocols, and I strongly urge (and hope) that OAuth2 tokens will become the de-facto model across both of these.
Published at DZone with permission of Paul Fremantle, author and DZone MVB. (source)

(Note: Opinions expressed in this article and its replies are the opinions of their respective authors and not those of DZone, Inc.)


Fabien Bergeret replied on Mon, 2014/04/14 - 3:50am

On a technical point-of-view, HTTP is certainly not the best protocol to be used for the IoT.

But, there are more and more connected appliance that use Android, or other high-level platforms where HTTP is quite well supported, meaning that defining communication over HTTP of these devices is simplier and using other protocols.

Another point is the company PoV: in many companies, Internet access is make through proxies. Currently, proxies handle HTTP, HTTPS, some FTP, but no more. If a company has connected devices that need to access the net, then HTTP should be used.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.