Re: [6tisch-security] Short address assignment
Tero Kivinen <kivinen@iki.fi> Fri, 24 February 2017 11:34 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: 6tisch-security@ietfa.amsl.com
Delivered-To: 6tisch-security@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 63E491296AF for <6tisch-security@ietfa.amsl.com>; Fri, 24 Feb 2017 03:34:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XsDMTMezV2DO for <6tisch-security@ietfa.amsl.com>; Fri, 24 Feb 2017 03:34:45 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3876A1296C0 for <6tisch-security@ietf.org>; Fri, 24 Feb 2017 03:34:45 -0800 (PST)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id v1OBYf9w018927 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 24 Feb 2017 13:34:41 +0200 (EET)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id v1OBYfPq004332; Fri, 24 Feb 2017 13:34:41 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <22704.6737.180577.285794@fireball.acr.fi>
Date: Fri, 24 Feb 2017 13:34:41 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Michael Richardson <mcr+ietf@sandelman.ca>
In-Reply-To: <26408.1487779241@obiwan.sandelman.ca>
References: <22592.7216.968126.340725@fireball.acr.fi> <26408.1487779241@obiwan.sandelman.ca>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 6 min
X-Total-Time: 8 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch-security/A4ZxtU4NUpgxO2ULZnazBAzpQyI>
Cc: 6tisch-security@ietf.org
Subject: Re: [6tisch-security] Short address assignment
X-BeenThere: 6tisch-security@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Extended Design Team for 6TiSCH security architecture <6tisch-security.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch-security>, <mailto:6tisch-security-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch-security/>
List-Post: <mailto:6tisch-security@ietf.org>
List-Help: <mailto:6tisch-security-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch-security>, <mailto:6tisch-security-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Feb 2017 11:34:47 -0000
Michael Richardson writes: > > Tero Kivinen <kivinen@iki.fi> wrote: > > During the teleconf I pointed out about the issues with the short > > address assignments and security. This email provides background > > information and explains the situation bit more. > > thank you! > > > When using TSCH the situation is bit different as Frame counter is > > replaced with network global ASN. This means that Source address part > > needs to be unique for that timeslot. This means that coordinator > > Attached below is a yang module to describe the short-address assignment. > > > PAN ID is added, as large networks might use multiple PANs, but still > > use same secret key (it does not matter whether the ASNs are in sync or > > not). > > Do you think we should slip the PANID in with the short-address > assignment? What do you mean by that? > We have not explained how the pledge knows about PANIDs: clearly it > could just use whatever PANID the beacons it hears contain. Do you > think we need to be more explicit? When device searches for network it will listen beacons, and when it hears beacons it will pick one and set its macPanId to match for that and join that network. Device can only be part of one PAN at the same time, i.e. it can only receive frames which are directed to its macPanId value (or broadcast PAN ID). It can send frames to other PANs by providing both source and destination PAN. Each short address is associated with exactly one PAN, i.e., the PAN of the coordinator who gave it out. > Perhaps we should at least put it in the yang model such that it > read back? Could be useful if we at one point want to have networks crossing multiple PANs. > I have included an inception date for the short-address for this > reason as well. I called it "effectiveat", but maybe there is a > better name. Looks ok to me. -- kivinen@iki.fi
- [6tisch-security] Short address assignment, nonce… Tero Kivinen
- Re: [6tisch-security] Short address assignment, n… Mališa Vučinić
- Re: [6tisch-security] Short address assignment, n… Tero Kivinen
- Re: [6tisch-security] Short address assignment, n… Michael Richardson
- Re: [6tisch-security] Short address assignment Michael Richardson
- Re: [6tisch-security] Short address assignment, n… Michael Richardson
- Re: [6tisch-security] Short address assignment, n… Tero Kivinen
- Re: [6tisch-security] Short address assignment Tero Kivinen
- Re: [6tisch-security] Short address assignment Michael Richardson