IETF Logo Mail Archive

Re: [6tisch-security] Short address assignment, nonces, and TSCH

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 22 February 2017 17:26 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: 6tisch-security@ietfa.amsl.com
Delivered-To: 6tisch-security@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D83D129A14 for <6tisch-security@ietfa.amsl.com>; Wed, 22 Feb 2017 09:26:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eeYxEEryJCnQ for <6tisch-security@ietfa.amsl.com>; Wed, 22 Feb 2017 09:26:16 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5461E12999E for <6tisch-security@ietf.org>; Wed, 22 Feb 2017 09:26:16 -0800 (PST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 5C531E1D3; Wed, 22 Feb 2017 12:48:08 -0500 (EST)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 4F2B1636BB; Wed, 22 Feb 2017 12:26:14 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Tero Kivinen <kivinen@iki.fi>
In-Reply-To: <22593.32141.375714.870333@fireball.acr.fi>
References: <22592.7216.968126.340725@fireball.acr.fi> <163CC403-7DDC-4895-A2EA-A8C1D8396B5F@inria.fr> <22593.32141.375714.870333@fireball.acr.fi>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Wed, 22 Feb 2017 12:26:14 -0500
Message-ID: <15597.1487784374@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch-security/nLo10JCGhXbRKiwnjOTDZB10COI>
Cc: =?utf-8?Q?Mali=C5=A1a_Vu=C4=8Dini=C4 =87?= <malisa.vucinic@inria.fr>, 6tisch-security@ietf.org
Subject: Re: [6tisch-security] Short address assignment, nonces, and TSCH
X-BeenThere: 6tisch-security@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Extended Design Team for 6TiSCH security architecture <6tisch-security.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch-security>, <mailto:6tisch-security-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch-security/>
List-Post: <mailto:6tisch-security@ietf.org>
List-Help: <mailto:6tisch-security-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch-security>, <mailto:6tisch-security-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 22 Feb 2017 17:26:18 -0000

Tero Kivinen <kivinen@iki.fi> wrote:
    >> Then, the question becomes whether we need a mechanism to detect nodes
    >> that are no longer present in the network. In case we use the lease
    >> time as you propose, to have such a mechanism useful, we would need to
    >> set it to a fairly small value (24h or less),

    > Why? The only reason for the lease time is to allow JCE to clean up
    > unused short addresses, and as there is 65k of them, it could be also
    > much longer time, lets say a year or so. If the JCE ever starts running
    > out of addresses (i.e., more than half of the address space is in use),
    > it can shorten the lifetime to a day or so for new devices.

Yes, but that just makes the new devices fight each other for new addresses.
Probably, it should be allocating addresses with some kind of time-based
horizon against which it allocates.  If it knows it will rekey everything by
time X, then it always allocates lifetimes such that they expire by X.

    > As far as I have understood the networks are supposed to be up and
    > running for years, thus having life time of one year etc is not an
    > issue.

Rekeying once a year seems reasonable to me.
Once you rekey, you have to reach out to every node, and the ones that you
fail to reach after some time, are gone, and get cleaned up.

    > On the other hand TSCH nodes, are required to keep constant
    > communication with their timekeeping neighbors (i.e., send packet every
    > few minutes), thus the extra power consumption used for renewal of the
    > address every day or so is negligible.

That might be reasonable, but I think the scale can be extended a lot.

    >> but then we require the whole network to ‘rejoin’ in the same time
    >> frame, which is quite an overhead. I am thinking whether we could
    >> achieve the same functionality by having neighboring nodes report to
    >> JCE that a node left the network upon the removal from the neighbor
    >> table. What do you think?

    > JCE could of course also use the routing table to find out which nodes
    > are still in the network, but that requires whole routing table to be
    > known to the JCE (I am not familiar with the routing protocol used, so
    > I do not know whether it is true or not).

6tisch networks are generally non-storing, which means that the DODAG root(s)
know how to get to every single node.  The JRC (new name for JCE) might have
access to that routing table, but access could be arranged using something
like i2rs perhaps.  In any case, presence of a route does not mean that the
node is alive, or that it's a current route.  RPL is reactive rather than
proactive: if links go in active and nobody is in the forest to notice, then
nobody hears it (to paraphrase a philosophical question).

The JRC contacting the node to attempt to rekey it would be traffic, and said
traffic would cause either a reactive attempt to find the node (if it was
reachable from the same next-hop router), or would fail until the node woke
up and reconnected.  Upon failure, the node's address could be cleaned up at
next rekey, I think.

    > Anyways we are going to need some kind of renewal method, i.e., where
    > node comes back to JCE and says he wants to use same address he had
    > before. This is needed if the node is temperarely disconnect from the
    > network, and when he rejoins the network he needs to go back to the JCE
    > and verify his address is not given out to anybody else while he was
    > away.

    > So as this mechanism is needed regardless whether we have lease time or
    > not if want to cope with JCE reusing addresses, then requiring nodes to
    > do it periodically based on the lease time is not really big overhead.

If the lease time hasn't expired, I think that the address should not be
garbage collected, until a rekey.  Upon rekey, the node is off the network
anyway, and has to do something.

I think that most networks will have enough fewer than 64K nodes that they
can tolerate some leak/loss of 2-byte addresses and mostly never have to
change addresses, even through rekeys.  But the leak will be reclaimed upon
rekey.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email