Re: [6lo] FW: I-D Action: draft-ietf-6lo-plc-03.txt

"Liubing (Remy)" <remy.liubing@huawei.com> Thu, 21 May 2020 09:20 UTC

Return-Path: <remy.liubing@huawei.com>
X-Original-To: 6lo@ietfa.amsl.com
Delivered-To: 6lo@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 85FD43A0B51 for <6lo@ietfa.amsl.com>; Thu, 21 May 2020 02:20:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ce7ewS6GqaOS for <6lo@ietfa.amsl.com>; Thu, 21 May 2020 02:20:57 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6532B3A0B50 for <6lo@ietf.org>; Thu, 21 May 2020 02:20:57 -0700 (PDT)
Received: from lhreml701-chm.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id B425BFD584E5300EA4A8; Thu, 21 May 2020 10:20:53 +0100 (IST)
Received: from lhreml701-chm.china.huawei.com (10.201.108.50) by lhreml701-chm.china.huawei.com (10.201.108.50) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1913.5; Thu, 21 May 2020 10:20:53 +0100
Received: from DGGEMM405-HUB.china.huawei.com (10.3.20.213) by lhreml701-chm.china.huawei.com (10.201.108.50) with Microsoft SMTP Server (version=TLS1_0, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256) id 15.1.1913.5 via Frontend Transport; Thu, 21 May 2020 10:20:53 +0100
Received: from DGGEMM506-MBX.china.huawei.com ([169.254.3.4]) by DGGEMM405-HUB.china.huawei.com ([10.3.20.213]) with mapi id 14.03.0487.000; Thu, 21 May 2020 17:20:16 +0800
From: "Liubing (Remy)" <remy.liubing@huawei.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "6lo@ietf.org" <6lo@ietf.org>, Carles Gomez Montenegro <carlesgo@entel.upc.edu>
Thread-Topic: [6lo] FW: I-D Action: draft-ietf-6lo-plc-03.txt
Thread-Index: AdYvTxsGcOwTY46vSwCav5/pg9mPNw==
Date: Thu, 21 May 2020 09:20:14 +0000
Message-ID: <BB09947B5326FE42BA3918FA28765C2E012BD516@DGGEMM506-MBX.china.huawei.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.108.203.246]
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/6lo/aEf6okoS5F0Iu0Me9mjVYVKH6Xc>
Subject: Re: [6lo] FW: I-D Action: draft-ietf-6lo-plc-03.txt
X-BeenThere: 6lo@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Mailing list for the 6lo WG for Internet Area issues in IPv6 over constrained node networks." <6lo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6lo>, <mailto:6lo-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6lo/>
List-Post: <mailto:6lo@ietf.org>
List-Help: <mailto:6lo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6lo>, <mailto:6lo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2020 09:21:00 -0000

Hello Michael,

Is the following understanding correct? The difference between the "one-touch" and the "zero-touch" methods is that whether the key or certificate is provisioned by the manufacturer or by the operator at the deployment site. As long as the key/IDevID/certificate is provisioned before the device goes out of the factory, i.e., the operator doesn't have to provision/touch it on site to get it securely join the network, it can be considered as "zero-touch".

Even though the pledge ID is given privately by the manufacturer, and not as per 802.1 AR, the dtsecurity-zerotouch-join method can be implemented by using the MASA provided by the manufacturer? Is the dtsecurity-zerotouch-join method aimed at a scenario in which a certificate can't be provisioned a priori?

Many thanks.

Remy

-----邮件原件-----
发件人: Michael Richardson [mailto:mcr+ietf@sandelman.ca] 
发送时间: 2020年5月20日 23:10
收件人: Liubing (Remy) <remy.liubing@huawei.com>om>; 6lo@ietf.org; Carles Gomez Montenegro <carlesgo@entel.upc.edu>
主题: Re: 答复: [6lo] FW: I-D Action: draft-ietf-6lo-plc-03.txt


Liubing (Remy) <remy.liubing@huawei.com> wrote:
    > Thank you for mentioning 6tisch-minimal-security.  There is also a
    > BRSKI-like 6tisch mechanism that uses IDevID.

    >   [Remy] I think you must
    > be talking about [draft-ietf-6tisch-dtsecurity-zerotouch-join]. The
    > minimal security is considered to be one-touch since the PSK has to be
    > configured a priori. And this document provides a zero-touch method, in
    > which the IDevID (provided by the manufacturer) in 802.1AR is used as
    > the credential for authentication. The authentication is done with the
    > help of the MASA. Am I understanding it correctly? I think the method
    > simplifies the provisioning procedure. However, the PLC standards have
    > not supported 802.1AR yet, thus this zero-touch method couldn't be used
    > in the implementation at this moment.

Whether or not the *PLC* documents specify 802.1AR is not really relevant.
They also don't specify any useful secure join mechanism at all.

The device either has a manufacturer provided keypair, or it has to be provisioned with a key by the operator.

    > Is it the case that the PLC devices can have no L2 security as an
    > option?  I believe that you may wish to outlaw that situation.

    > [Remy] All the PLC standards we mentioned in this document have L2
    > security mechanisms, such as encryption, data integrity, and
    > anti-replay. Since this document is focused on the adaptation layer and
    > above, the L2 security is considered to be applied by default.

Then uou can use dtsecurity-zerotouch-join or 6tisch-minimal-security.

--
Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works  -= IPv6 IoT consulting =-