Re: [6lo] Roman Danyliw's Discuss on draft-ietf-6lo-backbone-router-16: (with DISCUSS)

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Mon, 23 March 2020 10:17 UTC

From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: The IESG <iesg@ietf.org>, "draft-ietf-6lo-backbone-router@ietf.org" <draft-ietf-6lo-backbone-router@ietf.org>, Carles Gomez <carlesgo@entel.upc.edu>, Samita Chakrabarti <samitac.ietf@gmail.com>, "Shwetha Bhandari (shwethab)" <shwethab@cisco.com>, "6lo-chairs@ietf.org" <6lo-chairs@ietf.org>, Roman Danyliw <rdd@cert.org>, "6lo@ietf.org" <6lo@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/6lo/pv7k0-3SGCUaSejg7mJLNDfnUcM>

Hello again Benjamin:

Just to make sure you're kept busy ; )

> > Proposed changes in 3.5.  Primary and Secondary 6BBRs
> >
> > "
> >    A Registering Node MAY register the same address to more than one
> >    6BBR, in which case the Registering Node uses the same EARO in all
> >    the parallel registrations.  On the other hand, there is no provision
> >    in 6LoWPAN ND for a 6LN (acting as Registered Node) to select its
> 
> I'm assuming that "6LoWPAN ND" here means "stuff currently published as
> RFCs, excluding this document, AP-ND, etc."

That is correct in -20 but AP-ND does not either. 

In the terminology section (2.4) we say


   6LoWPAN ND:  Neighbor Discovery Optimization for Low-Power and Lossy
      Networks [RFC6775] and "Registration Extensions for 6LoWPAN
      Neighbor Discovery" [RFC8505].

But then, I believe that it should include AP-ND.
Note that both of these are in C310, held by the same docs.

"
   6LoWPAN ND:  Neighbor Discovery Optimization for Low-Power and Lossy
      Networks [RFC6775], "Registration Extensions for 6LoWPAN Neighbor
      Discovery" [RFC8505], and "Address Protected Neighbor Discovery
      for Low-power and Lossy Networks" [I-D.ietf-6lo-ap-nd].
"
Note that AP-ND is mentioned several times later; is that OK? (more below)


> 
> >    6LBR (acting as Registering Node), so it cannot select more than one
> >    either.  To allow for this, ND(DAD) and NA messages with an EARO that
> 
> (in particular with respect to "cannot select more than one".)

I guess you're confused between 6LR and 6LBR. The 6LN can attach to multiple 6LRs but it is the 6LRs that select the 6LBR, not the 6LN.

Are we in sync?


> > 11.  Security Considerations
> >
> >    This specification applies to LLNs and a backbone in which the
> >    individual links are protected against rogue access, by
> >    authenticating a node that attaches to the network and encrypting at
> >    the MAC layer the transmissions so packets may neither be overheard
> >    or nor forged.  In particular, the LLN MAC is required to provide
> 
> I think that the "authenticating a node that attaches [...]" is meant to apply to
> the LLN links, and perhaps the backbone provides the protection against rogue
> access by physical access protection?  Maybe we need two clauses after the
> comma, e.g., "on the LLN by [...], and on the backbone by [...]".

Yes, as discussed in the next block, the attacks on the backbone are a lot easier if backwards compatibility has to be maintained. There's the discussion on who should win when a legacy fights with an LLN node; the current text has the legacy win to enable a smooth incremental deployment.

Proposed change:
"
   This specification applies to LLNs and a backbone in which the
   individual links are protected against rogue access, on the LLN by
   authenticating a node that attaches to the network and encrypting at
   the MAC layer the transmissions, and on the backbone side using the
   physical security and access control measures that are typically
   applied there, so packets may neither be overheard nor forged.

"


> 
> >    If the classical ND is disabled on the backbone and the use of
> >    [I-D.ietf-6lo-ap-nd] and a 6LBR are mandated, the network will
> >    benefit from the following new advantages:
> >
> >    Zero-trust security for ND flows within the whole subnet:  the
> 
> (I'm tempted to try to work "non-router" in here somehow, but not sure it's
> worth the effort.)

Sorry I'm not sure I see the point. The duplication may be with a router.

More answering your own review 😊

Pascal