Re: [6lo] Secdir last call review of draft-ietf-6lo-multicast-registration-16
Pascal Thubert <pascal.thubert@gmail.com> Mon, 08 April 2024 09:34 UTC
Return-Path: <pascal.thubert@gmail.com>
X-Original-To: 6lo@ietfa.amsl.com
Delivered-To: 6lo@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CE4FC14F6FE; Mon, 8 Apr 2024 02:34:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.097
X-Spam-Level:
X-Spam-Status: No, score=-7.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VfblPUYuOaXY; Mon, 8 Apr 2024 02:34:50 -0700 (PDT)
Received: from mail-wm1-x332.google.com (mail-wm1-x332.google.com [IPv6:2a00:1450:4864:20::332]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F2CBC14F695; Mon, 8 Apr 2024 02:34:50 -0700 (PDT)
Received: by mail-wm1-x332.google.com with SMTP id 5b1f17b1804b1-41551639550so29470975e9.2; Mon, 08 Apr 2024 02:34:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712568889; x=1713173689; darn=ietf.org; h=in-reply-to:from:content-language:references:cc:to:subject :user-agent:mime-version:date:message-id:from:to:cc:subject:date :message-id:reply-to; bh=jaKiwulPrk9gGSCu6oLqhqYxLczlIxw9sK5LL+VFd5Q=; b=YZpH9N18FCJD1OF5H1MtrV5VdWBvQtmdIwLRs+1tN66iVX3tkcx872pj0HM5WAzE9q GROgfQfKTJPHoBhc1qfrS3RxLuxW8sGfMnCujXKB7VjsGYJAWkujQy3kKeMJt6LoAY/J 56JiSmMuNOJinnV0xHyUQP5WfzTqitwDvP34V2ZpQBNofrD7tK08Q0OXLRVT75wuspun lvx2rJ3XKlo8VMrKBup/4b3BiN/J9CdlOS9mkCALdTQTbwD+mxMpFlLXLHn6WFLm4M2o R9khQXGwpVsmbn9Bh+XJHciyLpLEhpbAWlY85VPVqL4a6wMqDw4f8Xga/Krt9tFAoGwG gPlQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712568889; x=1713173689; h=in-reply-to:from:content-language:references:cc:to:subject :user-agent:mime-version:date:message-id:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=jaKiwulPrk9gGSCu6oLqhqYxLczlIxw9sK5LL+VFd5Q=; b=Q4SIk/LvRyVKmeiu+DFKjIHjcR+uzDfzEqJdwZJP6HoflVP6J4OueAzQqzTrchLhd5 se/m14LWlp+LZavl4BirBUZZpgvF8rdqOx3vGfEjPyUa7Iu1zWqmt4tOnM3pEV3cZkBH JQ10KAiR3pbu2En3qq4AykCGu7jEXAWk87pfr382cSYfIuGhyX1nJ+QILNTNKimkRKrU F9pAEhuW3CjCSPQsUirLQ6zfQWIGGBhAO2wemL2EjXtR6zzg89vgTRfDYVEFOD/EBXQB nS3ZpLP/BV5bzsGtroNXxabUoPZYB0Q1JPlagmBgpEA3pZiusnNNK2GYRTzxV38GTAF4 zkCQ==
X-Forwarded-Encrypted: i=1; AJvYcCUTG3p3cALj3nnGPpXzTNXXICUmci/MSU4QQDJhrtWK8cVVdNNse8/7xgGmNKKYhAN74glE6bW2vqaFJ+bw9TH564zbPZ3QmMGjAIENwf3wGl18Z6Fai0NwOk0pe4X9Mt8IFIRoyju/M51bS8tEvSDhXU8NIkh7gFFLsWzWOpxBi/EvJa38whA=
X-Gm-Message-State: AOJu0YysSFIv5leF5a6dZGJJkf3GkboQzuO8DzMfYy28yOTiuGKexzd9 PFv9lkD5zmwQhXQiNtF8D1D7UU32LHNCcCuV88Sxj9TTG+tHAsDP
X-Google-Smtp-Source: AGHT+IGStLg/sc0hWGM5PxbW+CEV+8aETuHDwOzg/9BcwhE19usHmPaqzBY4EqMrpDRwKgsSl3V3rQ==
X-Received: by 2002:a05:600c:35c6:b0:416:89bc:ded3 with SMTP id r6-20020a05600c35c600b0041689bcded3mr383845wmq.5.1712568888507; Mon, 08 Apr 2024 02:34:48 -0700 (PDT)
Received: from ?IPV6:2a01:cb1d:a8:a100:9c94:7cc5:8392:79b9? ([2a01:cb1d:a8:a100:9c94:7cc5:8392:79b9]) by smtp.gmail.com with ESMTPSA id n6-20020a5d6606000000b0033e745b8bcfsm8510111wru.88.2024.04.08.02.34.47 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 08 Apr 2024 02:34:47 -0700 (PDT)
Content-Type: multipart/alternative; boundary="------------L3DisINMj1vEbCl0Z8qGT3FB"
Message-ID: <641ba244-964b-4ea6-8441-9f95a1a9ad24@gmail.com>
Date: Mon, 08 Apr 2024 11:34:33 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Scott Kelly <scott@hyperthought.com>, secdir@ietf.org, Eric Vyncke <evyncke@cisco.com>
Cc: 6lo@ietf.org, draft-ietf-6lo-multicast-registration.all@ietf.org, last-call@ietf.org
References: <171182290049.29863.677175473205471754@ietfa.amsl.com>
Content-Language: en-US, fr
From: Pascal Thubert <pascal.thubert@gmail.com>
In-Reply-To: <171182290049.29863.677175473205471754@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/6lo/f3kIFgzkKm55XH2xmQIybBUtDkc>
Subject: Re: [6lo] Secdir last call review of draft-ietf-6lo-multicast-registration-16
X-BeenThere: 6lo@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Mailing list for the 6lo WG for Internet Area issues in IPv6 over constrained node networks." <6lo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6lo>, <mailto:6lo-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6lo/>
List-Post: <mailto:6lo@ietf.org>
List-Help: <mailto:6lo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6lo>, <mailto:6lo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Apr 2024 09:34:51 -0000
Hello Scott many thanks for the time and contributions to the progress of this document. Le 30/03/2024 à 19:21, Scott Kelly via Datatracker a écrit : > Reviewer: Scott Kelly > Review result: Has Nits > > I have reviewed this document as part of the security directorate's ongoing > effort to review all IETF documents being processed by the IESG. These comments > were written primarily for the benefit of the security area directors. Document > editors and WG chairs should treat these comments just like any other last call > comments. > > From the introduction, “This specification Extends [RFC8505] and [RFC9010] to > add the capability for the 6LN to subscribe anycast and multicast addresses and > for the 6LR to inject them in RPL when appropriate.” > > I want to start by saying that I have little experience with the protocols > described in 8505 and 9010; I’d suggest that the AD have my security-related > comments double-checked with someone who has both security expertise and > expertise in these protocols. Ack, Eric is now added to the "to" list to attract his attention. > As a general comment, it took me several passes to make sense of the > introduction. It seems to aim toward explaining the gaps motivating this RFC, > along with the building blocks this document uses to fill those gaps. It might > help readers to explain this from the outset, and to explicitly call out which > is which. There are still some paragraphs/sentences there whose purpose I don’t > understand. > > For the security considerations, I have 2 suggestions: first, it currently > calls out the “security section” of RFC 8505. Shouldn’t it also call out the > security considerations of RFC 9010? Second (and I’m not sure about this), does > this extension potentially permit any new bad behavior (distinct from 8505 and > 9010) that should be called out? I don’t understand the protocol nuances well > enough to say, but I’d have felt more certain if it said so explicitly. > Makes sense. The call out is easy to do. I'll ask the list for inputs on new security holes potentially being created by this. On the RPL side, I do not see much since multicast was already there. We clarify the use of the sequence counter and add the concept of origin. I do not see an attack vector there but we can think twice about it. As of using RFC 8505 on the first hop instead of RPL, we effectively add the capability to validate the origin of the registration, which was not present in RPL and could be the subject of a future ROV in RPL. So I'd say we are improving the security situation, denoting that the segregation allows less trusted devices to use the RPL network without allowing them to inject RPL messages directly, which could be a more ope attack vector for them. I'll craft some text around the above if that's all right with you? all the best; Pascal
- [6lo] Secdir last call review of draft-ietf-6lo-m… Scott Kelly via Datatracker
- Re: [6lo] Secdir last call review of draft-ietf-6… Pascal Thubert
- Re: [6lo] Secdir last call review of draft-ietf-6… Eric Vyncke (evyncke)
- Re: [6lo] Secdir last call review of draft-ietf-6… Pascal Thubert