Re: [6lo] New I-D draft-delcarpio-6lo-wlanah-00.txt - security

Felipe Del Carpio <felipe.del.carpio@ericsson.com> Thu, 18 June 2015 16:26 UTC

From: Felipe Del Carpio <felipe.del.carpio@ericsson.com>
To: Alexandru Petrescu <alexandru.petrescu@gmail.com>, "6lo@ietf.org" <6lo@ietf.org>
Date: Thu, 18 Jun 2015 16:26:26 +0000
Message-ID: <5EF40C5436D7B040B95EE286EE383A9C0F7CA8A0@ESESSMB108.ericsson.se>
References: <5EF40C5436D7B040B95EE286EE383A9C0BF20226@ESESSMB101.ericsson.se> <5581A8BA.2010202@gmail.com> <5EF40C5436D7B040B95EE286EE383A9C0F7C7538@ESESSMB108.ericsson.se> <5582EAE8.7040507@gmail.com>
In-Reply-To: <5582EAE8.7040507@gmail.com>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <http://mailarchive.ietf.org/arch/msg/6lo/aLgnLMCIXy5UdR1dI5EyQUGjX1U>
Cc: Roberto Morabito <roberto.morabito@ericsson.com>, MARIA INES ROBLES <maria.ines.robles@ericsson.com>
Subject: Re: [6lo] New I-D draft-delcarpio-6lo-wlanah-00.txt - security

Dear Alexandru,

These security considerations need to be studied in more detail. I imagine that the comments are general to all
6LoWPAN specifications (802.15.4/BLE/etc.).

The IEEE 802.11ah specs define only PHY (L1) and MAC (L2); they don't mention IPv4/IPv6 or 6LoWPAN in any way. This is the
reason to start this conversation in the 6Lo WG.

Br, 
Felipe

> -----Original Message-----
> From: Alexandru Petrescu [mailto:alexandru.petrescu@gmail.com]
> Sent: Thursday, June 18, 2015 7:00 PM
> To: Felipe Del Carpio; 6lo@ietf.org
> Cc: Roberto Morabito; MARIA INES ROBLES
> Subject: Re: [6lo] New I-D draft-delcarpio-6lo-wlanah-00.txt - security
> 
> Dear Felipe,
> 
> On 18/06/2015 12:28, Felipe Del Carpio wrote:
> [...]
> > [FDC] Please note that there is no intermediary routers in 802.11ah.
> 
> Ok. I meant IPv6 routers:
> 
>   +-----------+      +-----------+        ---------      +-----------+
>   |11ah device|------|IPv6 router|-------|Internet |-----|11ah device|
>   +-----------+      +-----------+        ---------      +-----------+
> 
> > However we believe that IPsec can be implemented in this kind of
> > networks following
> > [https://tools.ietf.org/html/draft-raza-6lowpan-ipsec-01]
> 
> Well, that draft seems to be trying to compress IPsec headers, similarly to
> LOWPAN_IPHC substituting new headers for RFC2460 IPv6 headers.
> 
> But the LOWPAN_IPHC header is insecure, whereas the IPv6 Base Header is
> secured by IPsec.
> 
> The risk includes faking LOWPAN_IPHC headers between two 11ah devices in
> the same subnet.
> 
> What do you think?
> 
> Further, you are saying in the draft the following:
> > The security considerations defined in [RFC4944] and its update
> > [RFC6282] can be assumed valid for the 802.11ah case as well.
> 
> Neither RFC6282 nor RFC4944 offer a security mechanism for the
> LOWPAN_IPHC header.
> 
> > Indeed, the transmission of IPv6 over 802.11ah links meets all the
> > requirements for security as for IEEE 802.15.4.
> 
> No.
> 
> The transmission of IPv6 over 802.11ah links requires that IPsec works fine on
> them.  An IPv6 11ah-only device must be able to use IPsec to protect its IPv6
> communications with an IPv6 11b-only device in the same subnet.  And an IPv6
> 11ah-only device must be able to use IPsec to protect its IPv6 communications
> to an IPv6 11ah-only device across the Internet.
> 
> These are the security requirements for IPv6 over 11ah.
> 
> Do you agree?
> 
> > The standard IEEE 802.11ah defines all those aspects related with Link
> > Layer security.
> 
> Where?  Is a document publicly available?
> 
> Is the Link Layer security defined by IEEE 802.11ah protecting the
> LOWPAN_IPHC header?
> 
> Does IEEE 802.11ah even mention LOWPAN_IPHC?
> 
> >    As well as for other existing WiFi solutions, 802.11ah Link Layer
> >    supports security mechanism such as WPA, WPS, 802.1X.
> 
> But neither of these (WPA, WPS, 802.1X) carry LOWPAN_IPHC headers as far as I
> know.  They carry IPv6 Base Headers, ethertype 0x86dd.
> 
> Alex
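The exchange above turns on what a LOWPAN_IPHC header actually carries in place of the IPv6 base header. The decompressor below is added here as an illustration; it is not code from draft-delcarpio-6lo-wlanah, from draft-raza-6lowpan-ipsec, or from either correspondent. It rebuilds the 40-byte RFC 2460 base header from an RFC 6282 IPHC-encoded payload, so that it is visible which fields arrive inline and which are reconstructed from the frame's link-layer source and destination addresses (the fully elided SAM/DAM modes). Only the stateless modes are implemented; context-based compression (CID, SAC=1, DAC=1) and NHC are rejected. The 48-bit MAC to EUI-64 mapping used for the 802.11ah link-layer address is an assumption of this example, and the frames, MAC addresses and payloads are constructed test data.

```python
"""LOWPAN_IPHC (RFC 6282) decompressor for the stateless modes.

Added example, not code from the draft or the thread. Assumption: the
802.11ah link-layer address is a 48-bit MAC, expanded to an EUI-64 IID as
in RFC 4291 Appendix A (insert ff:fe, flip the u/l bit).
"""
import ipaddress
import struct

LINK_LOCAL_PREFIX = bytes.fromhex("fe80000000000000")


def iid_from_mac48(mac):
    """EUI-64 interface identifier from a 48-bit MAC (assumed mapping)."""
    if len(mac) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([mac[0] ^ 0x02]) + mac[1:3] + b"\xff\xfe" + mac[3:6]


def _take(buf, pos, n):
    if pos + n > len(buf):
        raise ValueError("truncated IPHC header")
    return buf[pos:pos + n], pos + n


def _unicast_addr(mode, buf, pos, l2addr):
    """SAM/DAM decoding when SAC=0 / DAC=0 (no context)."""
    if mode == 0:                                   # 128 bits inline
        return _take(buf, pos, 16)
    if mode == 1:                                   # fe80::/64 + 64-bit IID inline
        iid, pos = _take(buf, pos, 8)
        return LINK_LOCAL_PREFIX + iid, pos
    if mode == 2:                                   # fe80::ff:fe00:XXXX, 16 bits inline
        short, pos = _take(buf, pos, 2)
        return LINK_LOCAL_PREFIX + b"\x00\x00\x00\xff\xfe\x00" + short, pos
    # mode 3: fully elided, address comes from the (unauthenticated) L2 address
    return LINK_LOCAL_PREFIX + iid_from_mac48(l2addr), pos


def _multicast_addr(mode, buf, pos):
    """DAM decoding when M=1, DAC=0."""
    if mode == 0:                                   # 128 bits inline
        return _take(buf, pos, 16)
    if mode == 1:                                   # ffXX::00XX:XXXX:XXXX, 48 bits inline
        raw, pos = _take(buf, pos, 6)
        return b"\xff" + raw[:1] + b"\x00" * 9 + raw[1:], pos
    if mode == 2:                                   # ffXX::00XX:XXXX, 32 bits inline
        raw, pos = _take(buf, pos, 4)
        return b"\xff" + raw[:1] + b"\x00" * 11 + raw[1:], pos
    raw, pos = _take(buf, pos, 1)                   # ff02::00XX, 8 bits inline
    return b"\xff\x02" + b"\x00" * 13 + raw, pos


def decompress_iphc(frame, l2src, l2dst):
    """Return (ipv6_base_header, payload) for an IPHC-encoded 6LoWPAN payload."""
    if len(frame) < 2 or frame[0] >> 5 != 0b011:
        raise ValueError("not a LOWPAN_IPHC dispatch")
    b0, b1 = frame[0], frame[1]
    tf, nh, hlim = (b0 >> 3) & 3, (b0 >> 2) & 1, b0 & 3
    cid, sac, sam = (b1 >> 7) & 1, (b1 >> 6) & 1, (b1 >> 4) & 3
    m, dac, dam = (b1 >> 3) & 1, (b1 >> 2) & 1, b1 & 3
    if cid or sac or dac or nh:
        raise NotImplementedError("context-based compression and NHC are out of scope")
    pos = 2
    if tf == 0:                                     # ECN(2) DSCP(6) pad(4) FL(20)
        raw, pos = _take(frame, pos, 4)
        ecn, dscp = raw[0] >> 6, raw[0] & 0x3F
        flow = ((raw[1] & 0x0F) << 16) | (raw[2] << 8) | raw[3]
    elif tf == 1:                                   # ECN(2) pad(2) FL(20), DSCP elided
        raw, pos = _take(frame, pos, 3)
        ecn, dscp = raw[0] >> 6, 0
        flow = ((raw[0] & 0x0F) << 16) | (raw[1] << 8) | raw[2]
    elif tf == 2:                                   # ECN(2) DSCP(6), flow label elided
        raw, pos = _take(frame, pos, 1)
        ecn, dscp, flow = raw[0] >> 6, raw[0] & 0x3F, 0
    else:                                           # traffic class and flow label elided
        ecn, dscp, flow = 0, 0, 0
    (next_header,), pos = _take(frame, pos, 1)      # NH=0: next header carried inline
    if hlim == 0:
        (hop_limit,), pos = _take(frame, pos, 1)
    else:
        hop_limit = {1: 1, 2: 64, 3: 255}[hlim]
    src, pos = _unicast_addr(sam, frame, pos, l2src)
    dst, pos = (_multicast_addr(dam, frame, pos) if m
                else _unicast_addr(dam, frame, pos, l2dst))
    payload = frame[pos:]
    vtf = (6 << 28) | (((dscp << 2) | ecn) << 20) | flow
    header = struct.pack("!IHBB", vtf, len(payload), next_header, hop_limit)
    return header + bytes(src) + bytes(dst), payload


def parse_base_header(header):
    """Split a 40-byte IPv6 base header into its fields for inspection."""
    vtf, plen, nh, hlim = struct.unpack("!IHBB", header[:8])
    return {"version": vtf >> 28, "traffic_class": (vtf >> 20) & 0xFF,
            "flow_label": vtf & 0xFFFFF, "payload_length": plen,
            "next_header": nh, "hop_limit": hlim,
            "src": ipaddress.IPv6Address(header[8:24]),
            "dst": ipaddress.IPv6Address(header[24:40])}


if __name__ == "__main__":
    # Constructed frame: TF elided, NH inline (59 = no next header), HLIM=64,
    # source and destination fully elided (SAM=DAM=11), then a 4-byte payload.
    frame = bytes([0x7A, 0x33, 59]) + b"demo"
    dst_mac = bytes.fromhex("00005e005302")
    for mac in (bytes.fromhex("00005e005301"), bytes.fromhex("00005e005399")):
        hdr, _ = decompress_iphc(frame, mac, dst_mac)
        print(mac.hex(":"), "->", parse_base_header(hdr)["src"])
```

Running the module shows the point of the fully elided modes: the same three compressed bytes yield two different IPv6 source addresses depending only on the frame's link-layer source, which is exactly the input an on-link sender controls. Whether IPsec catches such a substitution depends on the mode in use: an AH ICV covers the source and destination addresses of the reconstructed header, while ESP's integrity check does not cover the IP header at all, and nothing in IPHC itself binds the compressed bits to either.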