Re: [6lo] 答复: FW: I-D Action: draft-ietf-6lo-plc-03.txt

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 22 May 2020 15:20 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: 6lo@ietfa.amsl.com
Delivered-To: 6lo@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A777E3A0A01 for <6lo@ietfa.amsl.com>; Fri, 22 May 2020 08:20:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KgkKvU7g4zku for <6lo@ietfa.amsl.com>; Fri, 22 May 2020 08:20:50 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CCF6B3A0AEB for <6lo@ietf.org>; Fri, 22 May 2020 08:20:26 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id BC40138A70; Fri, 22 May 2020 11:18:11 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id aMt7lDmDi4U2; Fri, 22 May 2020 11:18:09 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id C7CCE38A6F; Fri, 22 May 2020 11:18:09 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 5A30957; Fri, 22 May 2020 11:20:22 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Liubing \(Remy\)" <remy.liubing@huawei.com>
cc: "6lo\@ietf.org" <6lo@ietf.org>, Carles Gomez Montenegro <carlesgo@entel.upc.edu>
In-Reply-To: <BB09947B5326FE42BA3918FA28765C2E012BEAA2@DGGEMM506-MBX.china.huawei.com>
References: <BB09947B5326FE42BA3918FA28765C2E012BD516@DGGEMM506-MBX.china.huawei.com> <29443.1590073171@localhost> <BB09947B5326FE42BA3918FA28765C2E012BEAA2@DGGEMM506-MBX.china.huawei.com>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature"
Date: Fri, 22 May 2020 11:20:22 -0400
Message-ID: <4328.1590160822@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/6lo/nrz8-33Hrp7ntQchgcsdbH5moSY>
Subject: Re: [6lo] =?utf-8?b?562U5aSNOiAgRlc6IEktRCBBY3Rpb246IGRyYWZ0LWlldGYt?= =?utf-8?q?6lo-plc-03=2Etxt?=
X-BeenThere: 6lo@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Mailing list for the 6lo WG for Internet Area issues in IPv6 over constrained node networks." <6lo.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6lo>, <mailto:6lo-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6lo/>
List-Post: <mailto:6lo@ietf.org>
List-Help: <mailto:6lo-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6lo>, <mailto:6lo-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 22 May 2020 15:20:55 -0000

Liubing (Remy) <remy.liubing@huawei.com> wrote:
    > It is highly recommended to conduct a mutual authentication between the
    > network and the device tending to join in it. The authentication can be
    > accomplished with the help of certificates or pre-shared keys
    > [I-D.ietf-6tisch-minimal-security] provisioned by the operator at the
    > deployment site. Alternatively, the certificates could be provisioned
    > by the manufacturer or the vendor before the shipment, and in this case
    > the authentication can be accomplished with the help of a MASA service
    > on the Internet [dtsecurity-zerotouch-join].

I suggest:

An onboarding process is required to enabled a new PLC node to join the
network.  This is required in order for the new node to acquire the network
encryption key appropriate for the layer-2.
Automated processes perform a mutual authentication of network and new node.
Methods include protocols such as [I-D.ietf-6tisch-minimal-security] (which
uses pre-shared keys), and constrained variations of
[I-D.ietf-anima-bootstrapping-keyinfra] such
[I-D.ietf-6tisch-dtsecurity-zerotouch-join].
It is also possible to use EAP methods such as [I-D.ietf-emu-eap-noob] via
transports like PANA [RFC5191].  No specific mechanism is specified by
this document as an appropriate mechanism will depend upon deployment circumstances.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-