Re: [6lo] Roman Danyliw's Discuss on draft-ietf-6lo-backbone-router-16: (with DISCUSS)
"Pascal Thubert (pthubert)" <pthubert@cisco.com> Tue, 03 March 2020 16:03 UTC
Return-Path: <pthubert@cisco.com>
X-Original-To: 6lo@ietfa.amsl.com
Delivered-To: 6lo@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 09EF23A22D3; Tue, 3 Mar 2020 08:03:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.598
X-Spam-Level:
X-Spam-Status: No, score=-9.598 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=hLJGiLBb; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=V42xmOXD
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jonwIyHS5rl7; Tue, 3 Mar 2020 08:03:41 -0800 (PST)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 137633A22CF; Tue, 3 Mar 2020 08:03:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=22474; q=dns/txt; s=iport; t=1583251421; x=1584461021; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=S4F9ALEVZlLhs7u+/wDQczuqzGALEhvJ30+S18ReLzM=; b=hLJGiLBb5ehnkp1GmsnqAp2g+KUhK9YMF0zDwfv6F0bVgquIGFSvTzs+ iYFvx+Gm6ROfC/B4S96mcHaTbuCfYtc9bp76DmsUDsVMjPNr3zADwPc1l 8xmBZ42hyLYfg9Dob8APb09zRzwrQNC16V8hEPhROUBhF43kRo6PUJcDo Q=;
IronPort-PHdr: 9a23:dlabIxWWwEWd/Jt4rdegSVbpxNrV8LGuZFwc94YnhrRSc6+q45XlOgnF6O5wiEPSA9yJ8OpK3uzRta2oGXcN55qMqjgjSNRNTFdE7KdehAk8GIiAAEz/IuTtankiAMRfXlJ/41mwMFNeH4D1YFiB6nA=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DSBQAQf15e/4ENJK1lDg4BAQEBAQcBAREBBAQBAYF7gVQkLAVsUAggBAsqhBSDRgOKZYJfmBWBQoEQA1QJAQEBDAEBIwoCBAEBhEACF4FlJDgTAgMBAQsBAQUBAQECAQUEbYUqByUMhWMBAQEBAgESEREMAQEmEQEECwIBCA4MAiYCAgIwFRACBAEJBA0agwWCSgMOIAEOoUYCgTmIYnWBMoJ/AQEFgTMCg0wYggwDBoEOKolcdjWBHhqBQT+BEAFHgX1QPoJkAgIagQ8FAQsHAQkagw8ygiyNTSAEL4ILO497jz8KgjyNH4ljgkmIH4t9hEyOcoFNmX4CBAIEBQIOAQEFgWkiRCNxcBU7gmxQGA2IDoYPDBcVgzuFFIUEPXSBKYx/AgUhB4IUAQE
X-IronPort-AV: E=Sophos;i="5.70,511,1574121600"; d="scan'208";a="727754123"
Received: from alln-core-9.cisco.com ([173.36.13.129]) by rcdn-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 03 Mar 2020 16:03:39 +0000
Received: from XCH-ALN-002.cisco.com (xch-aln-002.cisco.com [173.36.7.12]) by alln-core-9.cisco.com (8.15.2/8.15.2) with ESMTPS id 023G3dD6031108 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 3 Mar 2020 16:03:39 GMT
Received: from xhs-rcd-001.cisco.com (173.37.227.246) by XCH-ALN-002.cisco.com (173.36.7.12) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 3 Mar 2020 10:03:39 -0600
Received: from xhs-aln-002.cisco.com (173.37.135.119) by xhs-rcd-001.cisco.com (173.37.227.246) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 3 Mar 2020 10:03:39 -0600
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-002.cisco.com (173.37.135.119) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Tue, 3 Mar 2020 10:03:38 -0600
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=IfujoBJIHfTYRv//uGkDLtEHXudc9SN/mJbdVZRU36DMomM4yfNiD6UU5w/kMDhwplwpqSAUEkeWwzUgPSnIInBzw1KUAOvJj3VxejO8aX7frTefhv5LPk6B19qO07dLAgiov5c6hjV22LMtE385EwCHGCOf7i3gT7QT3bqhOzn8iXAoKfm+Olzkyx+MQEPoKa49R73TmAxtAhCH3ev5XybfAn+jz00Grzf3RCOSfvCJSYh9U2GU62gIQ3Bopb1UQPgmvCFQrAJtDMvl+jp3XsWSNFQk0/T1fJUfhTK52J59ztcy9nDnwU62giSamj+qW4mEkvxlBUupC+DEZtgWrA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;bh=S4F9ALEVZlLhs7u+/wDQczuqzGALEhvJ30+S18ReLzM=; b=hHNMy+IUBpAslPdRtV1BNaMcNti9tIoshh/vKrtAbICQq2/5n4OE+7KhLkMjntibEa829Q92sAkaHMbA65eiayYiPX3DfSlYXGW9LlCM9V9VtAACKf7CpyrO0Hj4DEOtZRk1ALAoDabc+BhJZptWmF3FFAvuDAaX7OV8veY1ClqmDuNHovs8TsxxUj9r+7Oga5BriZz4/d9NoBcZvX74VsnNgC7wbDeAVyzqY+IOKvZPQoAaFj1ITTHSVrQFgVY4jPQ7KIqOW3JzcN8GlQ7wuYTS5chL/vMCSctKsczgWIGzA3k9Zgw6zUcSfmzqH8kF48jsU0wMqfXkXI09eqOUKg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=S4F9ALEVZlLhs7u+/wDQczuqzGALEhvJ30+S18ReLzM=; b=V42xmOXD5r8aUs82CRy1EAQKdfa4dFaRbpyJmEv4VzE4dedGNXMFIAaB+L1w7pEyPuolLOu2hy2UZ6pnBeFuZWNUFqccv4mrwEQIY5XvbCKVIk5f5tq19AMBNk4WuAc+pFMBQ1HdsEYaAxUjyG+Xj9P7ay6C0KIZC3mevc3s8ZA=
Received: from MN2PR11MB3565.namprd11.prod.outlook.com (2603:10b6:208:ea::31) by MN2PR11MB4615.namprd11.prod.outlook.com (2603:10b6:208:263::14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2772.15; Tue, 3 Mar 2020 16:03:38 +0000
Received: from MN2PR11MB3565.namprd11.prod.outlook.com ([fe80::edba:2b0f:7341:2c24]) by MN2PR11MB3565.namprd11.prod.outlook.com ([fe80::edba:2b0f:7341:2c24%6]) with mapi id 15.20.2772.019; Tue, 3 Mar 2020 16:03:38 +0000
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>
CC: "draft-ietf-6lo-backbone-router@ietf.org" <draft-ietf-6lo-backbone-router@ietf.org>, Carles Gomez <carlesgo@entel.upc.edu>, Samita Chakrabarti <samitac.ietf@gmail.com>, "Shwetha Bhandari (shwethab)" <shwethab@cisco.com>, "6lo-chairs@ietf.org" <6lo-chairs@ietf.org>, "6lo@ietf.org" <6lo@ietf.org>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-6lo-backbone-router-16: (with DISCUSS)
Thread-Index: AQHV53zkstvbyNNlvE+QqWau4rvLJag2tzBA
Date: Tue, 03 Mar 2020 16:03:14 +0000
Deferred-Delivery: Tue, 3 Mar 2020 16:02:24 +0000
Message-ID: <MN2PR11MB356509E64B148481894581CFD8E40@MN2PR11MB3565.namprd11.prod.outlook.com>
References: <158215515848.17730.5131182816417321507.idtracker@ietfa.amsl.com>
In-Reply-To: <158215515848.17730.5131182816417321507.idtracker@ietfa.amsl.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=pthubert@cisco.com;
x-originating-ip: [2001:420:44f3:1300:d8e8:3716:c097:25ac]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 23d736de-c89a-4b27-fba8-08d7bf8c6f52
x-ms-traffictypediagnostic: MN2PR11MB4615:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <MN2PR11MB46150859FF9A81FDD2EBFC99D8E40@MN2PR11MB4615.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 03319F6FEF
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(39860400002)(136003)(346002)(376002)(396003)(366004)(199004)(189003)(6666004)(66574012)(33656002)(9686003)(52536014)(55016002)(966005)(7696005)(76116006)(71200400001)(5660300002)(6506007)(54906003)(66446008)(66556008)(66476007)(64756008)(81156014)(316002)(478600001)(110136005)(30864003)(8936002)(186003)(8676002)(66946007)(86362001)(81166006)(4326008)(2906002); DIR:OUT; SFP:1101; SCL:1; SRVR:MN2PR11MB4615; H:MN2PR11MB3565.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: oeii1PqKZiI5PyaoZsgpXvRelTUBBC1pfQEHS8QF4Z4HAMx7YbFBJKXbzqqQGiiBcWET1Z/rR2P9ZLfHgFydMnKi5uaLjhRG48EzGjxHVVeL00CmNlQ7BdEAMzBNhq8u5CVxscqAMJhZWblaxXw+nSyrE5sPQeNispGDtKaQagXhKVn9OhlYmqj06ty6VMkJXL73vSck0JueQO0msq2G+p5ASy5vVtc/6RC7woErj/Yeo+Nz7CAk+PID9RhIf/2g2uKMSMeBuLqkgikJTQ4yNYlsZkX4NMDd3VGOvyOSK68tyexPY862GaoKBtpzFT3P3qwSsBzOrxu6e0KH8FwsBXuDf8ldmTDYUipTcx90dr1QAiK1enHzNWVX7RjPSA2YxIIfGre0XkpN0nBrkBIRJrTu+ecpmU2GtHYUMv7KLbDAbsFukReqXv/Def1glCKtRU6FZUSrdZQLwDtwRVJdgBk7pz0d5xjbmdET7Fk1OMdFckou811R/2vz8Nac5JlKNSnHpYuVhx91l9sGSuWQmg==
x-ms-exchange-antispam-messagedata: NIngDWDI+l68HAcnjOyktwJSCms4ZoWcBL0eWymj0BDIqWxSCPPJeKqK3geqPrk3AfDJsgZi7Tc6yLqHQEyexnae3+bh6wWAdQYGjVPkDaUaC5TFfYzX11nwjGInE7MIae2vg5MfHu4Wg7kseqgfJrC8gtIY3GoI6jvYwMuSINNgGyAsmQuIK9xGDZWdymYkHLaIk3KzzOvXbS8gaiFTCA==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 23d736de-c89a-4b27-fba8-08d7bf8c6f52
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Mar 2020 16:03:37.7162 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: F2Qw2B/0Js2ggaKODub+LcXZj6VdnaRAKNE4CqeLblCbNH0PZ2iGIFrZ/q0Y8XV6E8FePy1+bTxlNeiO893PwQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4615
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.12, xch-aln-002.cisco.com
X-Outbound-Node: alln-core-9.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/6lo/j1EfZqQOvsYCasLKNDeJ68DmhlA>
Subject: Re: [6lo] Roman Danyliw's Discuss on draft-ietf-6lo-backbone-router-16: (with DISCUSS)
X-BeenThere: 6lo@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Mailing list for the 6lo WG for Internet Area issues in IPv6 over constrained node networks." <6lo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6lo>, <mailto:6lo-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6lo/>
List-Post: <mailto:6lo@ietf.org>
List-Help: <mailto:6lo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6lo>, <mailto:6lo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Mar 2020 16:03:44 -0000
Dear Roman and Benjamin Many thanks for your reviews! I took the liberty to merge your comments on section 11 in a single thread, since they have commonalities. Also, I'll try to answer the questions with my own words as they come, and then propose a global change to section 11 at the end of the email. The overall changes are posted as -1ç but you may use the copied text below to propose amendments / additions, I hope that all works for you. https://www.ietf.org/rfcdiff?url2=draft-ietf-6lo-backbone-router-19 Please see below: > > ---------------------------------------------------------------------- > DISCUSS (Roman): > ---------------------------------------------------------------------- > > Section 11. Can assumptions of the about the security properties of the links > be clarified. > > This specification applies to LLNs and a backbone in which the > individual links are protected against rogue access, e.g., by > authenticating a node that attaches to the network and encrypting at > the MAC layer the transmissions that may be overheard. In > particular, the LLN MAC is required to provide secure unicast to/from > the Backbone Router and secure Broadcast from the Backbone Router in > a way that prevents tampering with or replaying the RA messages. > > -- what are the specific assumptions about the protections that will be on the > link. Is the list of properties in the “e.g.” the full list? For all I know it is the full list, let me remove the "e.g.,". Compiling this question with Benjamin's below I'd say that this work inherits from ND, which allows any node that can access the link to do anything, appear as a router, source traffic and attract traffic. ND can also be used to DoS a network from a remote node by sending high volumes of packets, each to a different forged address, and each causing a temp state in the router and a broadcast on the fabric. We interwork with that on the backbone, and the draft gives precedence to the legacy operation, meaning that a node that can attack ND can attack us in the exact same way. I can add words to say that. RFC 4861 section 11.1 tells us to "keep the bad guys out or all bets are off", IOW, Woodstock. Section 11.2 has the hopeful thinking that SeND will be deployed, and we know it will not happen. For info, this only implementation that shipped that I'm aware of is the router side by our co-author Eric in Cisco's IOS. We are well placed to know it's doomed and very motivated to give another chance to securing ND. Which lead us to AP-ND. And since ND does nothing for that, it means "do not let the bad guys access the network at L2" and "do not let the bad guys compromise any system on the network". I will not even try the Woodstock analogy there. What changes: - nodes that are attached to the LLN cannot attack that easily (if AP-ND is enforced) - we have nodes that are more sensitive than others (the 6BBR and 6LBR are new targets that can impact many nodes, note that the default router already was one, and anybody could impersonate it). - when a policy enforces AP-ND to all nodes including the backbone then : * the increased security that we have on the LLN will also apply to the backbone (no impersonation or stealing address) * the complete list of addresses n the network will be known to the default router which will block the remote DoS attacks * DAD and Lookups will be fast and without multicast, which again will be a protection against some ND-based DoS attacks. * DAD will work on Wi-Fi (arguably it does not today in a large conference like IETF) * L2 tables will be small and stable > -- As the second sentence references the only the LLN MAC, using Figure 1 > and 2 as a reference (realizing they are non-normative), what’s expected > properties of the links between the router-and-6BBR or IPv6 node-and-6BBR > (i.e., the links connecting to the “backbone side”)? This is typically (IOW always) a legacy ethernet link and the expectation has to be compatible with existing deployments and capabilities (Woodstock). The registration is an attempt to migrate to a more zero-trusty behavior. > > > ---------------------------------------------------------------------- > COMMENT: (Benjamin) > ---------------------------------------------------------------------- > > > We force a sequencing that has EDAR/EDAC occur before normal NS(DAD); > does this provide a new DoS avenue by virtue of delaying the normal > NS(DAD) procedure by (e.g.) dropping the EDAC messages? I do not see a large opening since the unicast query is rapid. The node could have a short time out in the order of a few ms before it starts DADing. Which is negligible compared to the 1s (time x retries) DAD time out that plagues IPv6 over Wi-Fi in IEEE 802.11ai (Fast Link Setup, aka FILS) scenarios. I see a DoS attack against the 6LBR, but that's common to any server like DNS or LISP MSMR, and the traditional methods apply. > It might be worth a brief preface that since we're modifying the ND and DAD > processes, the attacks in scope are basically limited to blocking discovery of > taking over addresses from other nodes (which, to be fair, can in some cases > have substantial consequences in terms of reading the "stolen" traffic!). I had trouble parsing but after a night's sleep it appears that an s/of/or/ helps a lot. Point taken, this relates to the classical ND attacks on the backbone that cannot be defeated unless the registration is the only form of ND on the backbone. It seems relevant to point out the Woodstock approach in classical ND in the intro and indicate that we're subject to it by contagion on the backbone. " This specification considers a special type of MLSN with a central backbone that federates edge (LLN) links, each Link providing its own protection against rogue access and tempering or replaying packets. In particular, the use of classical IPv6 ND on the backbone requires that the all nodes are trusted and that rogue access to the backbone is prevented at all times (see Section 11). " > This specification applies to LLNs and a backbone in which the > individual links are protected against rogue access, e.g., by > authenticating a node that attaches to the network and encrypting at > the MAC layer the transmissions that may be overheard. In > particular, the LLN MAC is required to provide secure unicast to/from > the Backbone Router and secure Broadcast from the Backbone Router in > a way that prevents tampering with or replaying the RA messages. > > It seems like it would be worth stating these requirements/applicability > statement much earlier in the document (possibly in addition to here), e.g., in > the Introduction. Incorporated in the above > > provide the proof-of-ownership. A possible attack over the backbone > can be done by sending an NS with an EARO and expecting the NA(EARO) > back to contain the TID and ROVR fields of the existing state. With > that information, the attacker can easily increase the TID and take > over the Binding. > > The 6BBR can also perform such an attack, right? It might be worth explicitly > stating that we trust it to behave honestly in order for this stuff to work > properly. We trust any node on the backbone to behave honestly, that's the Woodstock. In the 'what changes' text I need to mention the 6BBR and the 6LBR, as points of concentration which would naturally attract an attacker, because they are bottlenecks that see all of a particular type of traffic. But as look as classical ND is operated in the network, compromising any node is probably enough to perform any ND attack. > > We could also discuss how things break if the "distributed database" of > registrations gets out of sync across 6BBRs/etc.. Yes, I'll have a paragraph on that, bottom line is that a stale state will lose in a fight and disappear ultimately when there is none. Still, a legacy node that does not understand EARO in NA may pick the old 6BBR even if the new one also responds. > > How do things degrade if a secondary 6BBR "stands back" to let a primary > handle a given message but the primary 6BBR has gone offline unbeknownst > to the secondary? Yes, text needed too. Not just in the security section. If the registering node loses a 6BBR, it should reregister to another (that's an obvious), and if it is registered to multiple 6BBRs, it should refresh the other registrations with a new TID (text needed). We have no design for a registered node using multiple registering node, and that's worth mentioning too. Proposed changes in 3.5. Primary and Secondary 6BBRs " A Registering Node MAY register the same address to more than one 6BBR, in which case the Registering Node uses the same EARO in all the parallel registrations. On the other hand, there is no provision in 6LoWPAN ND for a 6LN (acting as Registered Node) to select its 6LBR (acting as Registering Node), so it cannot select more than one either. To allow for this, ND(DAD) and NA messages with an EARO that indicate an identical Binding in another 6BBR (same Registered address, same TID, same ROVR) are silently ignored but for the purpose of selecting the primary 6BBR for that registration. <...> If a Registering Node loses connectivity to its or one of the 6BBRs to which it registered an address, it retries the registration to the (one or more) available 6BBR(s). When doing that, the Registering Node MUST increment the TID in order to force the migration of the state to the new 6BBR, and the reselection of the primary 6BBR if it is the node that was lost. " > > Are there any noteworthy scaling requirements to the bridging and routing > proxy modes? (I don't think so, and we just allude to "dimensioned for the > number of registrations that each needs to support" > in Appendix B, but it doesn't hurt to ask.) Not really that I can figure, beyond the obvious that you mention. Putting it all together there we go for the proposed section 11 update: " 11. Security Considerations This specification applies to LLNs and a backbone in which the individual links are protected against rogue access, by authenticating a node that attaches to the network and encrypting at the MAC layer the transmissions so packets may neither be overheard or nor forged. In particular, the LLN MAC is required to provide secure unicast to/from the Backbone Router and secure broadcast from the routers in a way that prevents tampering with or replaying the ND messages. For the IPv6 ND operation over the backbone, and unless the classical ND is disabled (e.g., by configuration), the classical ND messages are interpreted as emitted by the address owner and have precedence over the 6BBR that is only a proxy. It results that the security threats that are detailed in section 11.1 of [RFC4861] fully apply to this specification as well. In very short: * Any node that can send a packet on the backbone can take over any address including addresses of LLN nodes by claiming it with an NA message and the Override bit set. This means that the real owner will stop receiving its packets. * Any node that can send a packet on the backbone can forge traffic and pretend it is issued from a address that it does not own, even if it did not claim the address using ND. * Any node that can send a packet on the backbone can present itself as a preferred router to intercept all traffic outgoing the subnet. It may even expose a prefix on the subnet as not-on-link and intercept all the traffic within the subnet. * If the rogue can receive a packet from the backbone it can also snoop all the intercepted traffic, be it by stealing an address or the role of a router. This means that any rogue access to the backbone must be prevented at all times, and that nodes that are attached to the backbone must be fully trusted / never compromised. Using address registration as the sole ND mechanism on a link and coupling it with [I-D.ietf-6lo-ap-nd] guarantees the ownership of a registered address within that link. The protection is based on a proof-of-ownership encoded in the ROVR field and protects against address theft and impersonation by a 6LN, because the 6LR can challenge the Registered Node for a proof-of-ownership. The protection extends to the full LLN in the case of an LLN Link, but does not extend over the backbone since the 6BBR cannot provide the proof-of-ownership when it defends the address. A possible attack over the backbone can be done by sending an NS with an EARO and expecting the NA(EARO) back to contain the TID and ROVR fields of the existing state. With that information, the attacker can easily increase the TID and take over the Binding. If the classical ND is disabled on the backbone and the use of [I-D.ietf-6lo-ap-nd] and a 6LBR are mandated, the network will benefit from the following new advantages: Zero-trust security for ND flows within the whole subnet: the increased security that [I-D.ietf-6lo-ap-nd] provides on the LLN will also apply to the backbone; it becomes impossible for an attached node to claim an address that belongs to another node using ND, and the network can filter packets that are not originated by the owner of the source address (SAVI), as long as that the routers are known and trusted. Remote ND DoS attack avoidance: the complete list of addresses in the network will be known to the 6LBR and available to the default router; with that information the router does not need to send a multicast NA(Lookup) in case of a Neighbor Cache miss for an incoming packet, which is a source of remote DoS attack against the network Less IPv6 ND-related multicast on the backbone: DAD and NS(Lookup) become unicast queries to the 6LBR Better DAD operation on wireless: DAD has been found to fail to detect duplications on large Wi-Fi infrastructures due to the unreliable broadcast operation on wireless; using a 6LBR enables a unicast lookup Less Layer-2 churn on the backbone: Using the Routing Proxy approach, the Link-Layer address of the LLN devices and their mobility are not visible in the backbone; only the Link-Layer addresses of the 6BBR and backbone nodes are visible at Layer 2 on the backbone. This is mandatory for LLNs that cannot be bridged on the backbone, and useful in any case to scale down, stabilize the forwarding tables at Layer 2 and avoid the gratuitous frames that are typically broadcasted to fix the transparent bridging tables when a wireless node roams from an AP to the next. This specification introduce a 6BBR that is a router on the path of the LLN traffic and a 6LBR that is used for the lookup. They could be interesting targets for an attacker, but not more than a default router and a DHCP server, respectively, which already exist in classical networks, and can be defended using the same methods. A possible attack over the LLN can still be done by compromising a 6LR. A compromised 6LR may modify the ROVR of EDAR messages in flight and transfer the ownership of the Registered Address to itself or a tier. It may also claim that a ROVR was validated when it really wasn't, and reattribute an address to self or to an attached 6LN. This means that 6LRs, as well as 6LBRs and 6BBRS must still be fully trusted / never compromised. This specification mandates to check on the 6LBR on the backbone before doing the classical DAD, in case the address already exists. This may delay the DAD operation and should be protected by a short timer, in the order of 100ms or less, which will only represent a small extra delay versus the 1s wait of the DAD operation. "
- [6lo] Roman Danyliw's Discuss on draft-ietf-6lo-b… Roman Danyliw via Datatracker
- Re: [6lo] Roman Danyliw's Discuss on draft-ietf-6… Pascal Thubert (pthubert)
- Re: [6lo] Roman Danyliw's Discuss on draft-ietf-6… Roman Danyliw
- Re: [6lo] Roman Danyliw's Discuss on draft-ietf-6… Pascal Thubert (pthubert)
- Re: [6lo] Roman Danyliw's Discuss on draft-ietf-6… Benjamin Kaduk
- Re: [6lo] Roman Danyliw's Discuss on draft-ietf-6… Pascal Thubert (pthubert)
- Re: [6lo] Roman Danyliw's Discuss on draft-ietf-6… Benjamin Kaduk