Re: [6lo] New I-D draft-delcarpio-6lo-wlanah-00.txt - security

[Alexandru Petrescu <alexandru.petrescu@gmail.com>]

Le 18/06/2015 18:26, Felipe Del Carpio a écrit :
> Dear Alexandru,
>
> This security considerations needed to be study with more detail. I
> imagine that the comments are general to all 6LoWPAN specifications
> (802.15.4/BLE/etc.).

In general one can say so.

But each of these drafts (BTLE, 15.4, 11ah, NFC, G-9x) are different.

> The IEEE 802.11ah specs defines only PHY(L1) and MAC(L2), they don't
> mention IPV4/IPv6 or 6LoWPAN in any way. This is the reason to start
> this conversation on 6Lo WG.

I think the IEEE specs should define much of what the LOWPAN_IPHC does.

And many IEEE 802.11 specs do talk IPv6.

Alex

>
> Br, Felipe
>
>> -----Original Message----- From: Alexandru Petrescu
>> [mailto:alexandru.petrescu@gmail.com] Sent: Thursday, June 18, 2015
>> 7:00 PM To: Felipe Del Carpio; 6lo@ietf.org Cc: Roberto Morabito;
>> MARIA INES ROBLES Subject: Re: [6lo] New I-D
>> draft-delcarpio-6lo-wlanah-00.txt - security
>>
>> Dear Felipe,
>>
>> Le 18/06/2015 12:28, Felipe Del Carpio a écrit : [...]
>>> [FDC] Please note that there is no intermediary routers in
>>> 802.11ah.
>>
>> Ok. I meant IPv6 routers:
>>
>> +-----------+      +-----------+        ---------
>> +-----------+ |11ah device|------|IPv6 router|-------|Internet
>> |-----|11ah device| +-----------+      +-----------+
>> ---------      +-----------+
>>
>>> However we believe that IPsec can be implemented in this kind of
>>> networks following
>>> [https://tools.ietf.org/html/draft-raza-6lowpan-ipsec-01]
>>
>> Well, that draft seems to be trying to compress IPsec headers,
>> similarly to LOWPAN_IPHC substituting new headers for RFC2460 IPv6
>> headers.
>>
>> But the LOWPAN_IPHC header is insecure, whereas the IPv6 Base
>> Header is secured by IPsec.
>>
>> The risk includes faking LOWPAN_IPHC headers between two 11ah
>> devices in the same subnet.
>>
>> Waht do you think?
>>
>> Further, you are saying in the draft the following:
>>> The security considerations defined in [RFC4944] and its update
>>> [RFC6282] can be assumed valid for the 802.11ah case as well.
>>
>> Neither RFC6282 nor RFC4944 offer a security mechanism for the
>> LOWPAN_IPHC header.
>>
>>> Indeed, the transmission of IPv6 over 802.11ah links meets all
>>> the requirements for security as for IEEE 802.15.4.
>>
>> No.
>>
>> The transmission of IPv6 over 802.11ah links requires that IPsec
>> works fine on them.  An IPv6 11ah-only device must be able to use
>> IPsec to protect its IPv6 communications with an IPv6 11b-only
>> device in the same subnet.  And an IPv6 11ah-only device must be
>> able to use IPsec to protect its IPv6 communications to an IPv6
>> 11ah-only device across the Internet.
>>
>> These are the security requirements for IPv6 over 11ah.
>>
>> Do you agree?
>>
>>> The standard IEEE 802.11ah defines all those aspects related with
>>> Link Layer security.
>>
>> Where?  Is a document publicly available?
>>
>> Is the Link Layer security defined by IEEE 802.11ah protecting the
>> LOWPAN_IPHC header?
>>
>> Does IEEE 802.11ah even mention LOWPAN_IPHC?
>>
>>> As well as for other existing WiFi solutions, 802.11ah Link
>>> Layer supports security mechanism such as WPA, WPS, 802.1X.
>>
>> But neither of these (WPA, WPS, 802.1X) carry LOWPAN_IPHC headers
>> as far as I know.  They carry IPv6 Base Headers, ethertype 0x86dd.
>>
>> Alex
>
>