Re: [6tisch-security] secure join bootstrap
peter van der Stok <stokcons@xs4all.nl> Mon, 13 February 2017 11:20 UTC
Return-Path: <stokcons@xs4all.nl>
X-Original-To: 6tisch-security@ietfa.amsl.com
Delivered-To: 6tisch-security@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 561CF1295E2 for <6tisch-security@ietfa.amsl.com>; Mon, 13 Feb 2017 03:20:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.621
X-Spam-Level:
X-Spam-Status: No, score=-2.621 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xNSt1D6oBELn for <6tisch-security@ietfa.amsl.com>; Mon, 13 Feb 2017 03:20:15 -0800 (PST)
Received: from lb2-smtp-cloud6.xs4all.net (lb2-smtp-cloud6.xs4all.net [194.109.24.28]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EFF61295E1 for <6tisch-security@ietf.org>; Mon, 13 Feb 2017 03:20:15 -0800 (PST)
Received: from webmail.xs4all.nl ([IPv6:2001:888:0:22:194:109:20:215]) by smtp-cloud6.xs4all.net with ESMTP id kBLD1u00G13if5201BLDbu; Mon, 13 Feb 2017 12:20:13 +0100
Received: from AMontpellier-654-1-241-185.w92-133.abo.wanadoo.fr ([92.133.12.185]) by webmail.xs4all.nl with HTTP (HTTP/1.1 POST); Mon, 13 Feb 2017 12:20:13 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"; format="flowed"
Content-Transfer-Encoding: 7bit
Date: Mon, 13 Feb 2017 12:20:13 +0100
From: peter van der Stok <stokcons@xs4all.nl>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Organization: vanderstok consultancy
Mail-Reply-To: consultancy@vanderstok.org
In-Reply-To: <7c735780-8a71-4100-a492-55fc9a77ac89@sandelman.ca>
References: <9376fa080ad8d67c8b44641c2d62a958@xs4all.nl> <7c735780-8a71-4100-a492-55fc9a77ac89@sandelman.ca>
Message-ID: <76d91fe6d76dd9f32bfb6909d006ffd7@xs4all.nl>
X-Sender: stokcons@xs4all.nl
User-Agent: XS4ALL Webmail
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch-security/_aSS-VGee5JbSdnaVLnzZLxwIxk>
Cc: 6tisch Security <6tisch-security@ietf.org>
Subject: Re: [6tisch-security] secure join bootstrap
X-BeenThere: 6tisch-security@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: consultancy@vanderstok.org
List-Id: Extended Design Team for 6TiSCH security architecture <6tisch-security.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch-security>, <mailto:6tisch-security-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch-security/>
List-Post: <mailto:6tisch-security@ietf.org>
List-Help: <mailto:6tisch-security-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch-security>, <mailto:6tisch-security-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 13 Feb 2017 11:20:17 -0000
Hi Michael, thanks for your answer; below some requests for additional information. -- changed 6tisch to 6tisch-security -- Michael Richardson schreef op 2017-02-10 13:23: > see inline. > > On 02/08/17 04:10, peter van der Stok wrote: >> Hi 6tisch security, >> >> Having re-read RPLinfo and reading the secure-join draft, I do have a >> suggestion about the traffic from pledge to registrar. The draft >> already >> mentions the IP-in-IP encapsulation specified in RPLinfo draft. Why >> not >> rely on the RPLinfo draft for the pledge to Registrar communication >> completely? > > This was always my intention: leverage the IPIP compression mechanism > and source route forwarding... no new code! I'm glad you came up with > the idea too, which means it must be a good one! My hope is making the protocol general and leave details to local routing protocol. > > I had a number of thoughts about how to do this. Thanks for the thoughts, but let me ask some questions such that I am sure to understand the reasons for the thoughts. Suppose the pledge has address P6 and the join proxy has address J6. When the encapsulated packet arrives at a RPL aware registrar, first the the encapsulating header is removed; losing address J6 or losing the LL address of the last router. (correct?) and then the Registrar receives the packet with address P6. The main question to be solved is how can RPL route a packet to P6 which is unknown. Therefore you suggest the two thoughts below? (correct?) > a) have the Join Proxy send a DAO about the pledge. This is simplest > in > many ways, and for non-storing networks, this has no impact on the > mesh. > For storing networks, this would be an issue, and I'd suggest having > another non-storing instance for joining... (but, mixed mode) The above looks efficient to me for non-storing mode. For storing networks, Creating a new DODAG instance sounds work intensive for every pledge. Instead, Encapsulating at Join Proxy with source address P6 instead of J6 might work? > b) use another signal from Join Proxy to JRC/root. This is what I'm > currently proposing, although I used GRASP which may demand TCP. The > DAO > mechanism has the downside of not providing any ACK. This I do not understand completely; GRASP is anima oriented at L3, and only comes after securing L2, I thought. > >> The pledge can be considered a non-RPL aware node, one hop away from a >> DODAG node. >> >> The pledge may receive (allocate itself) a "temporary" routable IPv6 >> address. > > I'm not convinced the pledge *needs* that routable address if all the > traffic is IPIP encapsulated. I'm pretty sure that I'd rather not > expose the prefix of the network to the unauthenticated pledge if we > can > avoid that. It also implies that the pledge needs to hear a RA. IMO, a routable address is needed when other routing protocols (not RPL) need to fill in their routing tables for the return messages from Registrar to Pledge. > >> When it sends requests to the Registrar the join-proxy (first 6lri in >> RPLinfo) will add the necessary IP-in-IP headers. Also for the message >> from Registrar to pledge the same RPLinfo specification will be used. >> The Registrar does not need to be part of the DODAG, because RPLinfo >> prescribes what to do. >> >> I don't think allocating a temporary routable address will make the >> network more vulnerable. >> Communication between pledge and assistant is still over an insecure >> link with a permission to allow traffic from this one routable address >> (instead of link-local address) to the registrar. > > I agree with you: it can be made to work. Are you thinking that the > temporary address would not be from the network's prefix, but entirely > different? Why do we even need that, I wonder. Equally not sure about what prefix to use. Most routing protocols do not care about prefixes, do they? They only care about routes to IPv6 addresses expressed in L2 addresses. > > Do you think there is any increased risk of one pledge attacking > another > one? > In general, an attacker will use a routable address or an LL address depending on its purpose. In the 6tisch case, the acceptance of packets is independent of the address but depends on the link being secured. So I don't see any preferences for LL or global addresses. Then we come to a malicious node taking over the IP address of the bona-fide pledge. The malicious node needs the identity information of the bona fide pledge to be effective. Why bother stealing the IP address when this identity information is already stolen? Do you know of other opportunities? > Peter
- Re: [6tisch-security] secure join bootstrap peter van der Stok