Re: [6lo] FW: I-D Action: draft-ietf-6lo-plc-03.txt

"Liubing (Remy)" <> Thu, 21 May 2020 09:20 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 85FD43A0B51 for <>; Thu, 21 May 2020 02:20:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id ce7ewS6GqaOS for <>; Thu, 21 May 2020 02:20:57 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6532B3A0B50 for <>; Thu, 21 May 2020 02:20:57 -0700 (PDT)
Received: from (unknown []) by Forcepoint Email with ESMTP id B425BFD584E5300EA4A8; Thu, 21 May 2020 10:20:53 +0100 (IST)
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1913.5; Thu, 21 May 2020 10:20:53 +0100
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256) id 15.1.1913.5 via Frontend Transport; Thu, 21 May 2020 10:20:53 +0100
Received: from ([]) by ([]) with mapi id 14.03.0487.000; Thu, 21 May 2020 17:20:16 +0800
From: "Liubing (Remy)" <>
To: Michael Richardson <>, "" <>, Carles Gomez Montenegro <>
Thread-Topic: [6lo] FW: I-D Action: draft-ietf-6lo-plc-03.txt
Thread-Index: AdYvTxsGcOwTY46vSwCav5/pg9mPNw==
Date: Thu, 21 May 2020 09:20:14 +0000
Message-ID: <>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
x-originating-ip: []
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <>
Subject: Re: [6lo] FW: I-D Action: draft-ietf-6lo-plc-03.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Mailing list for the 6lo WG for Internet Area issues in IPv6 over constrained node networks." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 21 May 2020 09:21:00 -0000

Hello Michael,

Is the following understanding correct? The difference between the "one-touch" and the "zero-touch" methods is that whether the key or certificate is provisioned by the manufacturer or by the operator at the deployment site. As long as the key/IDevID/certificate is provisioned before the device goes out of the factory, i.e., the operator doesn't have to provision/touch it on site to get it securely join the network, it can be considered as "zero-touch".

Even though the pledge ID is given privately by the manufacturer, and not as per 802.1 AR, the dtsecurity-zerotouch-join method can be implemented by using the MASA provided by the manufacturer? Is the dtsecurity-zerotouch-join method aimed at a scenario in which a certificate can't be provisioned a priori?

Many thanks.


发件人: Michael Richardson [] 
发送时间: 2020年5月20日 23:10
收件人: Liubing (Remy) <>;; Carles Gomez Montenegro <>
主题: Re: 答复: [6lo] FW: I-D Action: draft-ietf-6lo-plc-03.txt

Liubing (Remy) <> wrote:
    > Thank you for mentioning 6tisch-minimal-security.  There is also a
    > BRSKI-like 6tisch mechanism that uses IDevID.

    >   [Remy] I think you must
    > be talking about [draft-ietf-6tisch-dtsecurity-zerotouch-join]. The
    > minimal security is considered to be one-touch since the PSK has to be
    > configured a priori. And this document provides a zero-touch method, in
    > which the IDevID (provided by the manufacturer) in 802.1AR is used as
    > the credential for authentication. The authentication is done with the
    > help of the MASA. Am I understanding it correctly? I think the method
    > simplifies the provisioning procedure. However, the PLC standards have
    > not supported 802.1AR yet, thus this zero-touch method couldn't be used
    > in the implementation at this moment.

Whether or not the *PLC* documents specify 802.1AR is not really relevant.
They also don't specify any useful secure join mechanism at all.

The device either has a manufacturer provided keypair, or it has to be provisioned with a key by the operator.

    > Is it the case that the PLC devices can have no L2 security as an
    > option?  I believe that you may wish to outlaw that situation.

    > [Remy] All the PLC standards we mentioned in this document have L2
    > security mechanisms, such as encryption, data integrity, and
    > anti-replay. Since this document is focused on the adaptation layer and
    > above, the L2 security is considered to be applied by default.

Then uou can use dtsecurity-zerotouch-join or 6tisch-minimal-security.

Michael Richardson <>, Sandelman Software Works  -= IPv6 IoT consulting =-