IETF Logo Mail Archive

Re: [6lo] Secdir last call review of draft-ietf-6lo-multicast-registration-16

Pascal Thubert <pascal.thubert@gmail.com> Mon, 15 April 2024 15:17 UTC

Return-Path: <pascal.thubert@gmail.com>
X-Original-To: 6lo@ietfa.amsl.com
Delivered-To: 6lo@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BA499C14F6B9; Mon, 15 Apr 2024 08:17:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZYNI3_5w9APd; Mon, 15 Apr 2024 08:16:59 -0700 (PDT)
Received: from mail-pl1-x633.google.com (mail-pl1-x633.google.com [IPv6:2607:f8b0:4864:20::633]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1FA9EC14F6B2; Mon, 15 Apr 2024 08:16:59 -0700 (PDT)
Received: by mail-pl1-x633.google.com with SMTP id d9443c01a7336-1e651a9f3ffso6131565ad.1; Mon, 15 Apr 2024 08:16:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1713194218; x=1713799018; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=lN34UVDbo9fjo09Sp2bpptTw2c0UaPxgAMuxJb413d8=; b=SniU/iFPtcaHwHdhBj1ti+Bn3ePMOngQp8qShKZjzQ4fILTi5u3louYR+AwJHVKnwS VD3p76X/O3mkZyALrJM0t4QSBDOBPjLObgPAl8Jh72F2NnBDLi423H4X09FzQM6ZDldv hG1CVBtvAw3qU9Khp/E3H+AsuQ3uoL7rztkrEvDuQrKZTw8slAtsMfQ4THcwDKpZ9s/C SHhcUP1cLzPtmiTkX2r1R38wY8DjPc+kyXwtwxrgOBVmDU4rBXWm7P5vEQDm9go9Fkwm dKYV+Yq9Bf/Nobu6i96zNGFeQVQJ50ah4CI8GjNqvMDl8e3HirtdXE4MIAfyzt/jV9Lc EDNQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1713194218; x=1713799018; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=lN34UVDbo9fjo09Sp2bpptTw2c0UaPxgAMuxJb413d8=; b=r4rYJR9wLuxTmuzfVN2Kr5W4D2FV51BH7D+55zdiltOt5PD6LbCy3Bl4k38MLr6YMk uER3Z7S7QrwBoExxGT6aQ9fOEdX+lX1+ywPUkHar5TsHGEg95chC3hl174dtZp+G10VF +4Jaj5mMXBT43MZZxP2pVBurA8HJpOp0fixrf83Cd7oGwTX+szpoYzMGSEa4xT11DbZP cbqLLvyrPH2PIydQoJJRqPx1Okyy2vdu1ASQDZsjNudysR5dMgWDBHvBIHxueYwSBZTU T6xcp/zSdV26fYEUEmFE8zw8Lvc+LivyO0pTZPXlDAZxCwzO95Q8jl77GfOz+W4c2OpI l4ow==
X-Gm-Message-State: AOJu0YzrQUOw31p5C/L6GBUMm9gHibVOVJ3f4xwHXDl3G0RaDep8i+E/ EQrAciiXbwkGgYE6yTTG14hOW/r7XPePO75WVXUplyaX9HZaqCk3lj7CJSJQQJWClKcSXerzqdu 0nyH9Nw9YzTNYuYs9P1MzbWe2EMextA==
X-Google-Smtp-Source: AGHT+IF01fIZVYi5l8elIk5rsSiC/qmP6D6av6awkx0a+EKTy5ObZmtcrrr7vWYYoXRLovS63pCVFcXr8ix2/SEyvlU=
X-Received: by 2002:a17:903:2286:b0:1e2:718d:f290 with SMTP id b6-20020a170903228600b001e2718df290mr10563019plh.67.1713194217808; Mon, 15 Apr 2024 08:16:57 -0700 (PDT)
MIME-Version: 1.0
References: <171182290049.29863.677175473205471754@ietfa.amsl.com> <641ba244-964b-4ea6-8441-9f95a1a9ad24@gmail.com>
In-Reply-To: <641ba244-964b-4ea6-8441-9f95a1a9ad24@gmail.com>
From: Pascal Thubert <pascal.thubert@gmail.com>
Date: Mon, 15 Apr 2024 17:16:44 +0200
Message-ID: <CADPqcJ+Y2UYF4E=GC2Ea=Yo6oh+VdTq6Cu_d0Nd6S10+UzHnSQ@mail.gmail.com>
To: 6lo@ietf.org
Cc: draft-ietf-6lo-multicast-registration.all@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c8b05f0616241c5f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/6lo/aVJ33pEUxOY7C2ClAvN_zS3PcxI>
Subject: Re: [6lo] Secdir last call review of draft-ietf-6lo-multicast-registration-16
X-BeenThere: 6lo@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Mailing list for the 6lo WG for Internet Area issues in IPv6 over constrained node networks." <6lo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6lo>, <mailto:6lo-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6lo/>
List-Post: <mailto:6lo@ietf.org>
List-Help: <mailto:6lo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6lo>, <mailto:6lo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Apr 2024 15:17:03 -0000

Dear all

During the sec dir review, Scott asked whether we see some new security
issue potentially opened by the new behaviour of registering multicast (as
opposed to unicast) vs RFC 8505.
If you see such a thing, now is a perfect time to have this discussion :)
Many thanks iun advance!

Pascal

Le lun. 8 avr. 2024 à 11:34, Pascal Thubert <pascal.thubert@gmail.com> a
écrit :

> Hello Scott
>
> many thanks for the time and contributions to the progress of this
> document.
> Le 30/03/2024 à 19:21, Scott Kelly via Datatracker a écrit :
>
> Reviewer: Scott Kelly
> Review result: Has Nits
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG. These comments
> were written primarily for the benefit of the security area directors. Document
> editors and WG chairs should treat these comments just like any other last call
> comments.
>
> From the introduction, “This specification Extends [RFC8505] and [RFC9010] to
> add the capability for the 6LN to subscribe anycast and multicast addresses and
> for the 6LR to inject them in RPL when appropriate.”
>
> I want to start by saying that I have little experience with the protocols
> described in 8505 and 9010; I’d suggest that the AD have my security-related
> comments double-checked with someone who has both security expertise and
> expertise in these protocols.
>
>
> Ack, Eric is now added to the "to" list to attract his attention.
>
> As a general comment, it took me several passes to make sense of the
> introduction. It seems to aim toward explaining the gaps motivating this RFC,
> along with the building blocks this document uses to fill those gaps. It might
> help readers to explain this from the outset, and to explicitly call out which
> is which. There are still some paragraphs/sentences there whose purpose I don’t
> understand.
>
> For the security considerations, I have 2 suggestions: first, it currently
> calls out the “security section” of RFC 8505. Shouldn’t it also call out the
> security considerations of RFC 9010? Second (and I’m not sure about this), does
> this extension potentially permit any new bad behavior (distinct from 8505 and
> 9010) that should be called out? I don’t understand the protocol nuances well
> enough to say, but I’d have felt more certain if it said so explicitly.
>
>
> Makes sense. The call out is easy to do. I'll ask the list for inputs on
> new security holes potentially being created by this.
>
> On the RPL side, I do not see much since multicast was already there. We
> clarify the use of the sequence counter and add the concept of origin. I do
> not see an attack vector there but we can think twice about it.
>
> As of using RFC 8505 on the first hop instead of RPL, we effectively add
> the capability to validate the origin of the registration, which was not
> present in RPL and could be the subject of a future ROV in RPL. So I'd say
> we are improving the security situation, denoting that the segregation
> allows less trusted devices to use the RPL network without allowing them to
> inject RPL messages directly, which could be a more ope attack vector for
> them.
>
> I'll craft some text around the above if that's all right with you?
>
> all the best;
>
>
> Pascal
>
>
>
>
>
>

-- 
Pascal

v2.23.0 | Report a Bug | By Email