Re: [6lo] Mirja Kühlewind's No Objection on draft-ietf-6lo-ap-nd-14: (with COMMENT)

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Fri, 31 January 2020 14:03 UTC

From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Mirja Kühlewind <ietf@kuehlewind.net>, The IESG <iesg@ietf.org>
CC: "draft-ietf-6lo-ap-nd@ietf.org" <draft-ietf-6lo-ap-nd@ietf.org>, "6lo-chairs@ietf.org" <6lo-chairs@ietf.org>, "Shwetha Bhandari (shwethab)" <shwethab@cisco.com>, "6lo@ietf.org" <6lo@ietf.org>
Date: Fri, 31 Jan 2020 14:03:20 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/6lo/yRllxIfrncEsw7WIFr2PDOSiBIk>
Subject: Re: [6lo] Mirja Kühlewind's No Objection on draft-ietf-6lo-ap-nd-14: (with COMMENT)

Hello Mirja:

Many thanks for your review : )


> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
> 
> A couple of small comments:
> 
> 1) Sec 2.2: If actually all terms from all the RFC listed in section 2.2 are used,
> all the reference would need to be normative. Maybe double-check this!

I went through that with Eric's review and some refs moved back and forth before I finally published 14.

I found that from that list the generic LLN discussion and the legacy IPv6 ND are not necessary to understand and implement this specification. The needed normative references are the 6LoWPAN ND and RFC 3971, and crypto references. I think we are OK now.

 
> 2) Sec 3: I would have expected that section 3 says something about backward
> compatibility (what if not all nodes in a network are updated?) and gives a
> strong recommend to use this scheme (or even obsolete the old one?)

Right. What about adding:
"
   Section 5.3 of [RFC8505] introduces the ROVR as a generic object that
   is designed for backward compatibility with the capability to
   introduce new computation methods in the future.  Section 7.3
   discusses collisions when heterogeneous methods to compute the ROVR
   field coexist inside a same network.

   [RFC8505] was designed in preparation for this specification, which
   is the RECOMMENDED method for building a ROVR field.

"

> 3) Nit sec 4.4: s/it an be found/it can be found/

Fixed

> 4) Sec 6: Use of normative language: s/The node may use a same Crypto-ID/The node MAY use a same Crypto-ID/

done


> 5) Security Consideration Section: Is there a new risk/possible attack because
> computational complexity of the proposed scheme is higher than the one in
> RFC8505? Could that be used as an attack against a central node? Would it be
> necessary to rate limit requests somehow? Or is there already a rate limit
> (that should be mentioned here)?

Actually the challenge is distributed at the edge of the network. That's a limit of the scheme that a compromised 6LR may admit an attacker.
What about adding a section as follows in the security section:
"

7.6.  Compromised 6LR

   This specification distributes the challenge and its validation at
   the edge of the network, between the 6LN and its 6LR.  The central
   6LBR is offloaded, which avoids DOS attacks targeted at that central
   entity.  This also saves back and forth exchanges across a
   potentially large and constrained network.

   The downside is that the 6LBR needs to trust the 6LR for performing
   the checking adequately, and the communication between the 6LR and
   the 6LBR must be protected to avoid tampering with the result of the
   test.

   If a 6LR is compromised, it may pretend that it owns any address and
   defeat the protection.  It may also admit any rogue and let it take
   ownership of any address in the network, provided that the 6LR knows
   the ROVR field used by the real owner of the address.
"

Again, many thanks Mirja. Please let me know if the above looks OK and I'll publish.

All the best,

Pascal
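The edge-validated challenge described in the proposed 7.6 text, as an added illustration that is not part of this thread or of the draft: a simplified Go model in which the 6LR alone checks that the registering 6LN holds the key behind its ROVR, then attests the outcome to the 6LBR under a shared key. The ROVR derivation (truncated SHA-256 of modifier and public key), the use of Ed25519, and the signed nonce || ROVR challenge are assumptions for illustration, not the draft's exact formats.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// ROVR / Crypto-ID: leftmost 8 bytes of SHA-256(modifier || public key); a simplified
// stand-in for the draft's derivation (an assumption here, not its exact formula).
func cryptoID(pub ed25519.PublicKey, modifier []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, modifier...), pub...))
	return h[:8]
}

// 6LN side: answer the 6LR's challenge by signing nonce || ROVR with the matching key.
func proveOwnership(priv ed25519.PrivateKey, nonce, rovr []byte) []byte {
	return ed25519.Sign(priv, append(append([]byte{}, nonce...), rovr...))
}

// 6LR side: the whole check runs at the edge; the 6LBR never sees the challenge.
func lrValidate(pub ed25519.PublicKey, modifier, nonce, rovr, sig []byte) bool {
	if string(cryptoID(pub, modifier)) != string(rovr) {
		return false // the presented key does not derive to the claimed ROVR
	}
	return ed25519.Verify(pub, append(append([]byte{}, nonce...), rovr...), sig)
}

// 6LR -> 6LBR: a positive result is attested under a key shared with the 6LBR so it cannot
// be altered in transit; the 6LBR still has to trust the 6LR that produced it.
func attest(lrKey, rovr []byte) []byte {
	m := hmac.New(sha256.New, lrKey)
	m.Write(rovr)
	return m.Sum(nil)
}

func lbrAccepts(lrKey, rovr, tag []byte) bool { return hmac.Equal(tag, attest(lrKey, rovr)) }

// Scenario (constructed): a 6LN proves its ROVR; a node holding a different key cannot.
func scenario() (legitimate, otherKey bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	modifier, nonce := []byte{0, 0, 0, 1}, make([]byte, 6)
	rand.Read(nonce)
	rovr := cryptoID(pub, modifier)
	legitimate = lrValidate(pub, modifier, nonce, rovr, proveOwnership(priv, nonce, rovr))
	pub2, priv2, _ := ed25519.GenerateKey(rand.Reader)
	otherKey = lrValidate(pub2, modifier, nonce, rovr, proveOwnership(priv2, nonce, rovr))
	return
}
```

Knowing the ROVR alone is not enough to pass lrValidate, which is why the threat in the proposed text is a compromised 6LR rather than an eavesdropper on the ROVR.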
