Re: [6tisch] Benjamin Kaduk's No Objection on draft-ietf-6tisch-enrollment-enhanced-beacon-13: (with COMMENT)

Benjamin Kaduk <kaduk@mit.edu> Sat, 22 February 2020 05:12 UTC

Date: Fri, 21 Feb 2020 21:11:55 -0800
From: Benjamin Kaduk <kaduk@mit.edu>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: The IESG <iesg@ietf.org>, pthubert@cisco.com, 6tisch-chairs@ietf.org, 6tisch@ietf.org, draft-ietf-6tisch-enrollment-enhanced-beacon@ietf.org
Message-ID: <20200222051155.GJ53538@kduck.mit.edu>
References: <158206755196.14101.10514108989438939697.idtracker@ietfa.amsl.com> <3706.1582226579@dooku>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <3706.1582226579@dooku>
User-Agent: Mutt/1.12.1 (2019-06-15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/-hk8eNb_y4bteYqlUE_KKhGnh-8>
Subject: Re: [6tisch] Benjamin Kaduk's No Objection on draft-ietf-6tisch-enrollment-enhanced-beacon-13: (with COMMENT)
Precedence: list

Thanks for these updates!  I see you had one question at the end...

On Thu, Feb 20, 2020 at 08:22:59PM +0100, Michael Richardson wrote:
> 
> Benjamin Kaduk via Datatracker <noreply@ietf.org> wrote:
>     > ----------------------------------------------------------------------
>     > COMMENT:
>     > ----------------------------------------------------------------------
> 
>     > Where is PAN/PANID defined?  I did not find it in RFC 6550, 8180, or
>     > draft-ietf-6tisch-architecture, nor in the RFC Editor's list
>     > (https://www.rfc-editor.org/materials/abbrev.expansion.txt).
> 
> PAN/PANID is an IEEE thing, and I've added a reference and explanation:
> 
>           These are called Personal Area Networks (PAN).
>           Each instance will have a separate Layer-2 security profile, and
>           will be distinguished by a different PANID.
> 
>           The PANID is part of the {{ieee802154}} layer-2 header: it is a
>           16-bit value which is chosen to be unique, and it contributes context to the
>           layer-2 security.
> 
>           The PANID provides a context similar to the ESSID does in 802.11
>           networking, and can be conceived of in a similar fashion as the
>           802.3 ethernet VLAN tag in that it provides context for all layer-2
>           addresses.
> 
>     > Section 1.3
> 
>     >    Although However, even in this case, a unicast RS may be transmitted
>     > in response[RFC6775] reduces the amount of multicast necessary to do
>     > address resolution via Neighbor Solicitation (NS) messages, it still
>     > requires multicast of either RAs or RS.  This is an expensive
> 
>     > nits: two capitalized words in a row, also some further rewording is
>     > needed (and maybe s/unicast RS/unicast RA/?).
> 
> fixed.
> 
>     > Section 2
> 
>     > We should probably say something about the 'res' bits being reserved,
>     > set to zero, and ignored by recipients.
> 
> done.
> 
>     >       In most cases, every node sending a beacon will set this flag,
>     > and in a typical mesh, this will be every single node.  When this bit
>     > is not set, it indicates that this node may be under provisioned, or
>     > may have no additional slots for additional nodes.  This could make
>     > this node more interesting to an attacker.
> 
>     > nit: this phrasing suggests that the list is an exhaustive list of
>     > reasons why the flag could be unset; I'd suggest "it might indicate"
>     > instead.
> 
> agreed.
> 
>     >       This value MUST be ignored by pledges, it is to help enrolled
>     > devices only to compare different connection points.
> 
>     > nit: comma splice.  Maybe also reword to "It is only to help enrolled
>     > devices to compare different connection points"?
> 
> fixed.
> 
>     >       This field communicates an Interface ID bits that should be used
>     > for this nodes' layer-3 address, if it should not be derived from
> 
>     > nit: singular/plural mistmatch in "an Interface ID bits" nit:
>     > s/nodes'/node's/
> 
> done.
> 
>     >       the layer-2 address.  Communication with the Join Proxy occurs in
>     > the clear, this field avoids the need for an additional service
>     > discovery process for the case where the L3 address is not derived from
>     > the L2 address.  An attacker will see both L2 and L3
> 
>     > nit: comma splice.  I'd also hyphenate "service-discovery".
> 
> fixed.
> 
>     >       once.  That is just a suggestion for a default algorithm: it may
>     > be set in any convenience way that results in a non-identifing value.
>     > In some LLNs where multiple PANIDs may lead to the same
> 
>     > nits: I suggest "Per [RFC6550], that is just a suggestion",
>     > s/convenience/convenient/, and s/identifing/identifying/ (though what
>     > exactly it is that is not being identified might be worth clarifying,
>     > too).
> 
> network ID is new, it's not in RFC6550.
> DODAGID is though.
> 
>     >       management device (the JRC), then a common value that is the same
>     > across all PANs MUST be configured so that pledges that attempt to
> 
>     > nit: I think "all the PANs" is more appropriate, since we only care
>     > about the ones that lead to the same JRC (and there may be other PANIDs
>     > in play).
> 
> okay.
> 
>     >       enroll do not waste time attempting multiple times with the same
>     > network that has multiple attachment points.
> 
>     > nit: I'd consider expanding (again) what is being attempted.
> 
> Rewritten to:
> 
> In some LLNs where multiple PANIDs may lead to the same management device
> (the Join Registrar/Coordinator - JRC), then a common value that is the same across all the PANs MUST be
> configured.
> Pledges that see the same networkID will not waste time
> attempting to enroll multiple times with the same network that when the network has multiple attachment points.
> 
> 
>     >       If the network ID is derived as suggested, then it will an
>     > opaque,
> 
>     > nit: s/will/will be/
> 
> okay
> 
>     >       seemingly random value, and will reveal nothing in of itself.  An
> 
>     > I suggest "will not directly reveal any information about the network".
> 
> edited.
> 
>     > Section 3
> 
>     >    The sensitivity of each field is describe within the description of
>     > each field.
> 
>     > nit: s/describe/described/
> 
>     >    visible.  Encrypting the schedule does not prevent an attacker from
>     > jamming, but rather increases the energy cost of doing that jamming.
> 
>     > Perhaps also the side effects/collateral damage of the jamming.
> 
> I'm not sure what you are saying/suggesting here.

If the attacker doesn't know the schedule, they use more power ("energy
cost") to jam all the time, in some sort of always-on broadband jamming
technique.  This broadband jamming could end up blocking traffic the
attacker doesn't care about, in addition to the target of the jamming;
that in turn might make the fact that the attacker is jamming at all easier
to detect.  I'm suggesting that the attacker's decision process about
whether/how to jam is much more complicated if they don't have the schedule
available, and there are additional factors that would come into play that
might discourage the attacker from jamming even though (as is already
noted) it does not "prevent" the attacker from jamming.

-Ben

[6tisch] Benjamin Kaduk's No Objection on draft-i… Benjamin Kaduk via Datatracker
Re: [6tisch] Benjamin Kaduk's No Objection on dra… Michael Richardson
Re: [6tisch] Benjamin Kaduk's No Objection on dra… Benjamin Kaduk
Re: [6tisch] Benjamin Kaduk's No Objection on dra… Michael Richardson
Re: [6tisch] Benjamin Kaduk's No Objection on dra… Benjamin Kaduk