[6lo] Benjamin Kaduk's Discuss on draft-ietf-6lo-plc-06: (with DISCUSS and COMMENT)
Benjamin Kaduk via Datatracker <email@example.com> Wed, 11 August 2021 17:13 UTC
From: Benjamin Kaduk via Datatracker <firstname.lastname@example.org>
To: "The IESG" <email@example.com>
Cc: firstname.lastname@example.org, email@example.com, firstname.lastname@example.org, Carles Gomez <email@example.com>, firstname.lastname@example.org
Reply-To: Benjamin Kaduk <email@example.com>
Date: Wed, 11 Aug 2021 10:13:26 -0700
Subject: [6lo] Benjamin Kaduk's Discuss on draft-ietf-6lo-plc-06: (with DISCUSS and COMMENT)
Benjamin Kaduk has entered the following ballot position for draft-ietf-6lo-plc-06: Discuss

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-6lo-plc/

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Further details in the COMMENT, but can we briefly discuss the apparent requirement for the PANID/NID to have a couple bits set to zero (the ones that would be U/L and Individual/Group in the resulting IID)? It seems like (but is not entirely clear to me) this is a new requirement on the layer-2 behavior that is being imposed by the IPv6 adaptation layer, and in particular that this is setting up a scenario where certain existing layer-2 deployments would be unable to utilize the IPv6 adaptation layer, which would be a very surprising behavior for an IETF Proposed Standard. What alternatives were explored and rejected before settling on this approach that introduces new limitations on the underlying PLC deployments?

I mention in a few places in the COMMENT scenarios where we pull in part of the functionality from RFC 6282 and RFC 4944, e.g., the IP header compression scheme and the fragmentation format. It seems to me that the intent is that our payload always use the RFC 4944 "dispatch" scheme and that we only use a subset of (and only sometimes?) the particular functionality that RFC 4944/6282 can dispatch to. But the current text doesn't mention the dispatch behavior at all, so it's hard for me to be certain that my understanding is correct. It seems that some more explicit treatment in the document of how what we are specifying interacts with/uses the RFC 4944 dispatch layer would be important in order for someone to be able to implement from this document.

I support Roman and Éric's Discusses.

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Section 4.1

   Since the derived Interface ID is not global, the "Universal/Local" (U/L) bit (7th bit) and the Individual/Group bit (8th bit) MUST both be set to zero. In order to avoid any ambiguity in the derived Interface ID, these two bits MUST NOT be used to generate the PANID (for IEEE 1901.2 and ITU-T G.9903) or NID (for IEEE 1901.1). In other words, the PANID or NID MUST always be chosen so that these bits are zeros.

Is this a new requirement on the PANID/NID not already imposed by the underlying specifications? If so, it seems that it presents a limitation on the ability of already deployed PLC networks to adopt this IPv6 adaptation layer.

   For privacy reasons, the IID derived from the MAC address SHOULD only be used for link-local address configuration. A PLC host SHOULD use the IID derived from the link-layer short address to configure the IPv6 address used for communication with the public network; otherwise, the host's MAC address is exposed. As per [RFC8065], when short addresses are used on PLC links, a shared secret key or version number from the Authoritative Border Router Option [RFC6775] can be used to improve the entropy of the hash input, thus the generated IID can be spread out to the full range of the IID address space while stateless address compression is still allowed.

The phrasing "derived from" is a little ambiguous to me, since it can encompass procedures ranging from the "flip the U/L bit and append PLC IID to the network's prefix" procedure to RFC 7217-style stable but opaque IIDs that incorporate the MAC address into the pseudorandom function's inputs. Given the follow-up text about "host's MAC address is exposed", it feels like this is implying more of the former procedure. Wouldn't the latter type of procedure be preferred, though (as implied by the "hash input" in the last sentence)? In particular, the last sentence seems to imply that there is *always* a hash input, which is at odds with the "former" interpretation that I present for "derived from". I'm not confident that I understand the intent of this paragraph.

Section 4.3.1

   In order to avoid the possibility of duplicated IPv6 addresses, the value of the NID MUST be chosen so that the 7th and 8th bits of the first byte of the NID are both zero.

As above, it's not clear that the NID is something that this adaptation layer can assert control over.

Section 4.3.2

   In order to avoid the possibility of duplicated IPv6 addresses, the value of the PAN ID MUST be chosen so that the 7th and 8th bits of the first byte of the PAN ID are both zero.

(likewise)

Section 4.5

   The compression of IPv6 datagrams within PLC MAC frames refers to [RFC6282], which updates [RFC4944]. Header compression as defined in [RFC6282] which specifies the compression format for IPv6 datagrams on top of IEEE 802.15.4, is the basis for IPv6 header compression in PLC. For situations when PLC MAC MTU cannot support the 1280-octet IPv6 packet, headers MUST be compressed according to [RFC6282] encoding formats.

RFC 6282 refers to both a "Dispatch" value and the LOWPAN_IPHC header compression encoding. I strongly suggest clarifying whether both, or just LOWPAN_IPHC, is used.

   For IEEE 1901.2 and G.9903, the IP header compression follows the instruction in [RFC6282]. However, additional adaptation MUST be considered for IEEE 1901.1 since it has a short address of 12 bits instead of 16 bits. The only modification is the semantics of the "Source Address Mode" when set as "10" in the section 3.1 of [RFC6282], which is illustrated as following.

Is there anything useful to say about how carrying 12 vs 16 bits affects byte alignment of the overall compressed message? A quick survey of RFC 6282 finds many items that retain byte alignment, and I didn't actually find anything that left the encoded bit stream in a non-aligned state.

   SAM: Source Address Mode:

I see that RFC 6282 also has procedures for Destination Address Mode (DAM), including a scenario that involves conveying a 16-bit address component. Do we need to treat that DAM analogously to how we treat the SAM here? (This might also handle the byte alignment question from my previous remark...)

Section 4.6

   In IEEE 1901.1 and IEEE 1901.2, the MAC layer supports payloads as big as 2031 octets and 1576 octets respectively. However when the channel condition is noisy, it is possible to configure smaller MTU at the MAC layer. If the configured MTU is smaller than 1280 octects, the fragmentation and reassembly defined in [RFC4944] MUST be used.

Does this imply that implementing the IPv6 adaptation layer fragmentation+reassembly logic is mandatory for implementations of IPv6 over IEEE 1901.1 and 1901.2, since the implementation might be configured in a way that requires that support? Please be clear about what is required of implementations and in what circumstances. Also, as above, please be clear about the interaction with the RFC 4944 dispatch layer.

Section 5

   node; PAN Devices are typically PLC meters and sensors. The PANC also serves as the Routing Registrar for proxy registration and DAD procedures, making use of the updated registration procedures in [RFC8505]. IPv6 over PLC networks are built as tree, mesh or star

If the PANC always serves as the Routing Registrar (and thus the RFC 8505 procedures are always used), why do we allow for both RFC 6775 and 8505 DAD procedures up in §4.4?

Section 8

We should probably incorporate by reference the security considerations of the documents whose technologies we are adopting.

One might hope that it goes without saying, but it's nonetheless probably worth noting that the PANC, being in a position to observe all traffic, is necessarily a trusted entity.

   Due to the high accessibility of power grid, PLC might be susceptible to eavesdropping within its communication coverage, e.g., one apartment tenant may have the chance to monitor the other smart meters in the same apartment building. Thus link layer security mechanisms are designed in the PLC technologies mentioned in this document.

Key management for these security mechanisms will of course be quite important. IoT devices are notoriously vulnerable to physical attacks and key extraction, so there may be something useful to say about the importance of key management and what is exposed if the key material available to a single device is compromised.

It's quite hard to make an evaluation of the actual security properties provided by the link-layer mechanisms without access to the actual specification documents for those technologies. I'd actually seriously consider adding another clause that "and additional end-to-end security services can be used for sensitive traffic and as additional protection against compromised PLC nodes" (or something in that general vein).

Additionally, it's often the case that the link-layer security mechanisms involve group-shared symmetric keys, so that a compromise of even a single device puts the entire network, or a large chunk of the network, at risk. If this is the case for the PLC link layers, it seems imperative to mention that risk in this document.

   Malicious PLC devices could paralyze the whole network via DOS attacks, e.g., keep joining and leaving the network frequently, or multicast routing messages containing fake metrics. A device may

Is there potential for interfering with/corrupting legitimate traffic as a DoS vector, as well?

   illegal users. Mutual authentication of network and new device can be conducted during the onboarding process of the new device. Methods include protocols such as [RFC7925] (exchanging pre-installed certificates over DTLS), [I-D.ietf-6tisch-minimal-security] (which uses pre-shared keys), and [I-D.ietf-6tisch-dtsecurity-zerotouch-join] (which uses IDevID and MASA service). It is also possible to use EAP methods such as [I-D.ietf-emu-eap-noob] via transports like PANA [RFC5191]. No specific mechanism is specified by this document as an appropriate mechanism will depend upon deployment circumstances.

Would SZTP (RFC 8572) be applicable for these scenarios? (Also, I would recognize "BRSKI" more than "IDevID and [a] MASA service", though I don't know if I am the right population to be sampling for readability data.)

   scanning. Schemes such as limited lease period in DHCPv6 [RFC3315], Cryptographically Generated Addresses (CGAs) [RFC3972], privacy extensions [RFC4941], Hash-Based Addresses (HBAs) [RFC5535], or semantically opaque addresses [RFC7217] SHOULD be considered to enhance the IID privacy.

"SHOULD be considered" is a fairly weak guidance; I would think that "SHOULD be used" would be more consistent with the IETF consensus position, while still leaving ample space for other behaviors.

Section 10.2

I would consider classifying RFC 4291 as normative.

NITS

   meters for electricity. The inherent advantage of existing electricity infrastructure facilitates the expansion of PLC deployments, and moreover, a wide variety of accessible devices raises the potential demand of IPv6 for future applications.

This "advantage" typically implies a comparison with some other thing or things as measured on a particular axis or axes. While one might presume that this refers to the advantages of using existing wires over new wires in terms of cost and ease of deployment, it's probably worth stating it more clearly.

Section 1

   century. With the advantage of existing power grid, Power Line Communication (PLC) is a good candidate for supporting various service scenarios such as in houses and offices, in trains and

As above, what is "the advantage of existing power grid"?

Section 2

   PANC: PAN Coordinator, a coordinator which also acts as the primary controller of a PAN.

PAN is not marked as "well-known" at https://www.rfc-editor.org/materials/abbrev.expansion.txt (in fact, is not even defined there), and thus should get its own expansion.

Section 4.4

   information in the replied Neighbor Advertisements from the 6LR. If DHCPv6 is used to assign addresses or the IPv6 address is derived from unique long or short link layer address, Duplicate Address Detection (DAD) MUST NOT be utilized. Otherwise, the DAD MUST be performed at the 6LBR (as per [RFC6775]) or proxied by the routing registrar (as per [RFC8505]). The registration status is feedbacked via the DAC or EDAC message from the 6LBR and the Neighbor Advertisement (NA) from the 6LR.

A few words on how the 6LR+6LBR must know whether 6775 or 8505 is in use on the network, and thus there is no ambiguity about which entity is performing DAD, might be helpful.

Section 4.5

   10: 12 bits. The first 116 bits of the address are elided.The value of the first 64 bits is the link-local prefix padded with

spaces after the sentence break.

Section 5

   [RFC8505]. IPv6 over PLC networks are built as tree, mesh or star according to the use cases. Generally, each PLC network has one

I think "as a tree, mesh or star topology"

   the size of PLC networks. A simple use case is the smart home scenario where the ON/OFF state of air conditioning is controlled by the state of home lights (ON/OFF) and doors (OPEN/CLOSE). AODV-RPL

Almost all the other examples in the document refer to PLC meters or sensors (mostly meters), so the "smart home" scenario sticks out as being rather different when only mentioned in passing like this. I don't question the conclusion, but the overall writing style of the document might be improved if we introduced this scenario earlier on so that it was a more continual theme.

   enables direct PAN device to PAN device communication, without being obliged to transmit frames through the PANC, which is a requirement often cited for AMI infrastructure.

The only earlier mention of AODV-RPL was in §3.4; we might consider repeating the reference here in case the reader missed it the previous time.

Section 6

   self-managed. The software or firmware is flushed into the devices

s/flushed/flashed/?

   before deployment by the vendor or operator. And during the deployment process, the devices are bootstrapped, and no extra configuration is needed to get the device connected to each other.

s/device/devices/

   gateway. The recently-formed iotops WG in IETF is aming to design more features for the management of IOT networks.

s/aming/aiming/

Also, a reference to the WG's datatracker page might be worthwhile.

Section 8

   Malicious PLC devices could paralyze the whole network via DOS attacks, e.g., keep joining and leaving the network frequently, or multicast routing messages containing fake metrics. A device may

I think s/multicast/sending multicast/

   also join a wrong or even malicious network, exposing its data to illegal users. Mutual authentication of network and new device can

Maybe "inadvertently join"?

   IP addresses may be used to track devices on the Internet; such devices can in turn be linked to individuals and their activities.

I think s/can in turn/can often in turn/. There are some IoT devices that are basically uncorrelated to individual humans.

   Cryptographically Generated Addresses (CGAs) [RFC3972], privacy extensions [RFC4941], Hash-Based Addresses (HBAs) [RFC5535], or

RFC 4941 has been obsoleted by RFC 8981.
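The Section 4.1 / 4.3.2 constraint the review questions (the PAN ID's 7th and 8th bits land on the IID's U/L and I/G bits, so a deployed PAN ID may be unusable) can be checked mechanically. This is an added example, not code from the draft or the reviewer; it assumes the RFC 4944 Section 6 short-address layout PANID:00ff:fe00:SHORT for the IID, and the PAN ID values are constructed.

```python
import ipaddress

# Bits of the IID's first octet: 7th bit (counted from the MSB) is U/L,
# 8th bit is Individual/Group, matching RFC 4291 Appendix A.
UL_BIT = 0x02
IG_BIT = 0x01


def short_address_iid(pan_id: int, short_addr: int) -> int:
    """64-bit IID from a 16-bit PAN ID and 16-bit short address.

    Assumed layout (RFC 4944 Section 6): pseudo 48-bit address PANID:0000:SHORT
    with ff:fe inserted after the first 24 bits -> PANID:00ff:fe00:SHORT.
    Nothing is flipped, so the PAN ID's first octet is the IID's first octet.
    """
    if not (0 <= pan_id <= 0xFFFF and 0 <= short_addr <= 0xFFFF):
        raise ValueError("PAN ID and short address must be 16-bit values")
    return (pan_id << 48) | (0x00FF << 32) | (0xFE00 << 16) | short_addr


def reserved_bits_set(pan_id: int) -> dict:
    """Which of the IID's U/L and I/G bits this PAN ID would turn on."""
    first_octet = (pan_id >> 8) & 0xFF
    return {"universal_local": bool(first_octet & UL_BIT),
            "individual_group": bool(first_octet & IG_BIT)}


def pan_id_allowed(pan_id: int) -> bool:
    """True when both reserved bits are zero, as the draft requires."""
    return not any(reserved_bits_set(pan_id).values())


def link_local_address(pan_id: int, short_addr: int) -> str:
    """fe80::/64 address for the pair; refuses a non-compliant PAN ID."""
    if not pan_id_allowed(pan_id):
        raise ValueError(f"PAN ID {pan_id:#06x} sets U/L or I/G in the IID")
    iid = short_address_iid(pan_id, short_addr)
    return str(ipaddress.IPv6Address((0xFE80 << 112) | iid))


def incompatible_pan_ids(deployed: list) -> list:
    """Deployed PAN IDs that could not adopt the adaptation layer unchanged."""
    return [p for p in deployed if not pan_id_allowed(p)]


if __name__ == "__main__":
    # Constructed sample PAN IDs; 0x1234 looks harmless but sets the U/L bit.
    print(link_local_address(0x1C34, 0x0001))
    print([hex(p) for p in incompatible_pan_ids([0x1C34, 0x1234, 0xABCD, 0xA8CD])])
```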