[6tisch-security] Short address assignment, nonces, and TSCH

Tero Kivinen <kivinen@iki.fi> Thu, 01 December 2016 12:48 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch-security/po-BbnQYZP5VqppCy0HvUqOSGIs>

During the teleconf I pointed out the issues with short address
assignments and security. This email provides background
information and explains the situation a bit more.

In all of these discussions I assume we are using IEEE Std.
802.15.4-2015 security.

When not using TSCH the nonce is generated using Source address +
Frame counter and security level. As the Frame counter is separate for
each device, that means that the only thing that makes sure the nonces
are different is the Source address. Because of this the Source address
must be the extended address, as short addresses are only unique during
a certain time, not globally.

When using TSCH the situation is a bit different as the Frame counter is
replaced with the network global ASN. This means that the Source address
part needs to be unique for that timeslot. This means that the coordinator
assigning the short address must make sure that the same short address is
not given to multiple nodes at the same time, but it can give a short
address to node A, and when it is sure that node A does not use the
short address anymore, it can give the same short address to node B.
This means it can reuse the short addresses and it will not run out of
short addresses unless it has more than 65k nodes in the network.

Now, if the short address assigned to node A does not have any
timeframe for how long it is valid, the coordinator does not know when
node A stops using the short address, thus it cannot reuse the
address. It cannot assume that all nodes will contact it before going
away and send a release for the address lease, so it must use some other
mechanism to guarantee that.

The easiest way would be to send the lifetime along with the short
address. As we do have global time in the network (ASN), we can use that
as a global time frame, so the coordinator can send node A a short address
of 0x1234, and say that node A is allowed to use it until ASN
0x12345678a0. After that ASN is reached, node A would need to
contact the coordinator again to renew the short address lease (or most
likely it would contact a bit earlier and renew the lease so it gets the
same address again).

This is explained in the IEEE Std. 802.15.4-2015 section 9.3.2.2:
----------------------------------------------------------------------
    9.3.2.2 CCM* nonce for TSCH mode

	When TSCH mode is enabled, the nonce shall be formatted as
	shown in Figure 9-2.

	      +----------------+--------+
	      | Octets: 8      |   5    |
	      +----------------+--------+
	      | Source Address |  ASN   |
	      +----------------+--------+
	   Figure 9-2—CCM* nonce in TSCH mode

	The Source Address shall either be set to the extended address
	of the device originating the frame or shall be formatted as
	illustrated in Figure 9-3.

	    +-----------------+------+--------+---------------+
	    | Octets: 3       |   1  |   2    |      2        |
	    +-----------------+------+--------+---------------+
	    | IEEE 802.15 CID | 0x00 | PAN ID | Short address |
	    +-----------------+------+--------+---------------+
     Figure 9-3—Source Address field for TSCH mode with short addressing

	The IEEE 802.15 CID field contains the CID for IEEE 802.15.
	
	The PAN ID field contains the PAN ID.
	
	The Short Address field contains the short address of the
	device originating the frame.
	
	NOTE—When using short addresses in the nonce, it is important
	that the coordinator assign unique short addresses.
	
	The ASN shall be set to the ASN of the timeslot during which
	the frame is sent.
----------------------------------------------------------------------
PAN ID is added, as large networks might use multiple PANs, but still
use the same secret key (it does not matter whether the ASNs are in sync
or not).
-- 
kivinen@iki.fi
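
The nonce layout from Figures 9-2 and 9-3 and the ASN-bounded lease idea, as an added example that is not part of the original message or of the standard's text. The CID value, the big-endian packing, the ShortAddressPool class and the lease length are assumptions made for illustration.

```python
import struct

# Assumed value for the IEEE 802.15 CID; the post does not state it.
IEEE_802_15_CID = bytes.fromhex("ba55ec")

def tsch_nonce(pan_id, short_addr, asn):
    """13-octet nonce: Figure 9-3 source address (8 octets) + ASN (5 octets).
    Big-endian packing is an assumption made for readability."""
    src = IEEE_802_15_CID + b"\x00" + struct.pack(">HH", pan_id, short_addr)
    return src + asn.to_bytes(5, "big")

class ShortAddressPool:
    """Hypothetical coordinator-side allocator with ASN-bounded leases."""

    def __init__(self, lease_slots, first=0x0001, last=0xFFFD):
        self.lease_slots = lease_slots
        self.first, self.last = first, last
        self.leases = {}  # short address -> (extended address, last valid ASN)

    def assign(self, ext_addr, now_asn):
        """Return (short_addr, last_valid_asn), or None if nothing is free."""
        expiry = now_asn + self.lease_slots
        # Renewal: the current holder keeps its address with a later expiry.
        for addr, (owner, _) in self.leases.items():
            if owner == ext_addr:
                self.leases[addr] = (ext_addr, expiry)
                return addr, expiry
        for addr in range(self.first, self.last + 1):
            lease = self.leases.get(addr)
            # Reuse only once the previous lease's last valid ASN has passed,
            # so two nodes never hold the same address in the same timeslot.
            if lease is None or lease[1] < now_asn:
                self.leases[addr] = (ext_addr, expiry)
                return addr, expiry
        return None

def demo():
    # Constructed sample values: PAN 0xabcd, a one-address pool, 100-slot leases.
    pool = ShortAddressPool(lease_slots=100, first=0x1234, last=0x1234)
    a = pool.assign("node-A", now_asn=0)        # A holds 0x1234 through ASN 100
    early = pool.assign("node-B", now_asn=100)  # refused: A may still transmit
    b = pool.assign("node-B", now_asn=101)      # granted: A's lease has lapsed
    # The nonce has no input besides PAN ID, short address and ASN, so two
    # holders of 0x1234 in slot 100 would produce the same nonce under one key.
    clash = tsch_nonce(0xABCD, a[0], 100) == tsch_nonce(0xABCD, 0x1234, 100)
    return a, early, b, clash

if __name__ == "__main__":
    print(demo())
```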