IETF Logo Mail Archive

Re: [6tisch] [secdir] secdir review of draft-ietf-6tisch-architecture-21

Mališa Vučinić <malishav@gmail.com> Tue, 25 June 2019 08:21 UTC

Return-Path: <malishav@gmail.com>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 05A4A12026E for <6tisch@ietfa.amsl.com>; Tue, 25 Jun 2019 01:21:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_EXCESS_BASE64=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iM-wOek-S8WG for <6tisch@ietfa.amsl.com>; Tue, 25 Jun 2019 01:21:55 -0700 (PDT)
Received: from mail-wm1-x341.google.com (mail-wm1-x341.google.com [IPv6:2a00:1450:4864:20::341]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E7554120113 for <6tisch@ietf.org>; Tue, 25 Jun 2019 01:21:54 -0700 (PDT)
Received: by mail-wm1-x341.google.com with SMTP id s15so1925949wmj.3 for <6tisch@ietf.org>; Tue, 25 Jun 2019 01:21:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=3To8eSE9xV9sxYOVgZujyougfFAbQaV0pWcM6b2gXeg=; b=WzIsltPOPcCIQJBd3/Tgcitq2M910erzP2lFGUS1ANUC5a7SGlzuGvxW4IxPz3kSxG h8hbkel9LUZrLsUxl8hKg2q/yF+/xH1q/Bbm5CiL/R6n5j/hvQlj6prPF+e7YkPv6MeL n9Rgjbj9+nDckl7aXYRgxPcxV5iTzuXCwhVv8qbtU52hf950+lVdJn++PtDXPyP2iHwH 8Fmweb3OzbSJEZ9/665ebfsr6xffmoNGxzgporLT641yt6EvUDGueIiQxsZ9OEzeHhSF Ipl2/MEEq9dpmKubK4inPVPUSUhIvkJTYLqA+MLg58ynwvn6no5rhwHUE77XrHmN3hvv gxmw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=3To8eSE9xV9sxYOVgZujyougfFAbQaV0pWcM6b2gXeg=; b=XHa5+oYiFZ2c5ZBHnwBvgBMTjNcFE4fR0ueNmaVfZ+WvyXHNd9Mm01qa3H21nGAxOp 7MCzBQ+wRB800jsbYqtITrTztdl1Qwk+J5arktKaJhjmz8GV+MDal+HH19A9vYeG/UuH bJ/ZtWpxnsJlrVrUTtkD4sDMvNQJrqlHnHYbT8UqKjaPH0O7w7d8LNkMamd0+YxPK0sa 6BVy6JxpWTF2XZzvhfxurLnroluVHzpWvSIUM+6nnRKpN9dhoodQzaA0UnxuBWCxZ/Gu 4uwhCcCtD87k8ZO22VVZA2NczxG70uAJQq0rqCwK+ndmoT4Utej2iZ+0jb22oFakzZff MGAw==
X-Gm-Message-State: APjAAAUDDONfxK28ruUFSTXVpVldAvUPtoeg8GlZGHS/Zpe5mgEYtGVo 4/S+gO89HvbLKqtMYBLtLXw=
X-Google-Smtp-Source: APXvYqzB8p2ZezU+TT2YyXA03IaGRaJJL6pIi/PgHYR1bWLfc/p6WukSZt4iiPmMypwAXnVXK8GKdA==
X-Received: by 2002:a1c:39d6:: with SMTP id g205mr17891887wma.85.1561450913227; Tue, 25 Jun 2019 01:21:53 -0700 (PDT)
Received: from [10.14.88.73] ([89.188.33.31]) by smtp.gmail.com with ESMTPSA id d18sm40071674wrb.90.2019.06.25.01.21.52 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 25 Jun 2019 01:21:52 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Mališa Vučinić <malishav@gmail.com>
In-Reply-To: <BYAPR11MB3558261B37E1E8FFFF4D8D27D8E30@BYAPR11MB3558.namprd11.prod.outlook.com>
Date: Tue, 25 Jun 2019 10:21:51 +0200
Cc: "6tisch@ietf.org" <6tisch@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <62FC2528-9165-4E2E-89E5-6452D93030E0@gmail.com>
References: <2cced16c-d1df-88c2-eb21-7452b42f081a@mandelberg.org> <MN2PR11MB35651735463F27A247B4B0F0D8E00@MN2PR11MB3565.namprd11.prod.outlook.com> <23825.24715.882644.180316@fireball.acr.fi> <5229f400-076c-80e3-e0dc-a7cf3998abed@mandelberg.org> <MN2PR11MB35654D7658F0EEB05443F2ABD8E30@MN2PR11MB3565.namprd11.prod.outlook.com> <BYAPR11MB3558261B37E1E8FFFF4D8D27D8E30@BYAPR11MB3558.namprd11.prod.outlook.com>
To: "Pascal Thubert (pthubert)" <pthubert@cisco.com>, Tero Kivinen <kivinen@iki.fi>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/-oWres26-99wPzSrhITXyI12L20>
Subject: Re: [6tisch] [secdir] secdir review of draft-ietf-6tisch-architecture-21
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jun 2019 08:21:57 -0000

Pascal, Tero,

The issue raised seems valid and going through minimal-security and the MSF draft it seems that some clarification is needed. We purposely avoided keeping the network notion of time at the JRC in order to facilitate deployments where JRC is outside of the local network and is managing multiple 6tisch networks. I do not believe we want to change that, as it would be quite challenging to require the synchronization of the JRC with each 6tisch network. 

Instead, as with traditional TSCH, the joined node can obtain its time information from its time source neighbor, i.e. RPL preferred parent, by triggering an exchange of link-layer frames with L2 security features enabled. The MSF draft already mandates that the first outgoing message from the joined node after joining is the 6P ADD message to its preferred parent, which consequently gets protected with L2 security. What needs to be specified clearly is that this first 6P exchange should not be encrypted but only authenticated at L2. Upon successful completion of the first 6P exchange with its time (routing) parent, the joined node obtains a negotiated cell and as a side effect proves freshness of the ASN used. 

What seems missing is some text in minimal-security adding guidance for other scheduling function and stressing this issue beyond the text in the last paragraph of Section 9 of draft-ietf-6tisch-minimal-security-11 that is rather vague.

Mališa

> On 25 Jun 2019, at 09:29, Pascal Thubert (pthubert) <pthubert@cisco.com> wrote:
> 
> Hello Malisa:
> 
> I went through the security section of minimal-security and found that the text below would be useful there to. Alt a pointer to the security section of the architecture would do once I incorporate some of the below.
> (Though I thought it did at a time) minimal-security does not indicate that the JRC should be aware of the network ASN to enable the protection that Tero is discussing below, does it?
> 
> All the best,
> 
> Pascal
> 
> 
> 
>> -----Original Message-----
>> From: David Mandelberg <david@mandelberg.org>
>> Sent: mardi 25 juin 2019 02:31
>> To: Tero Kivinen <kivinen@iki.fi>; Pascal Thubert (pthubert) 
>> <pthubert@cisco.com>
>> Cc: secdir@ietf.org; iesg@ietf.org; 
>> draft-ietf-6tisch-architecture.all@ietf.org;
>> Thomas Watteyne <thomas.watteyne@inria.fr>; Michael Richardson 
>> <mcr+ietf@sandelman.ca>; Mališa Vučinić <malisav@ac.me>
>> Subject: Re: [secdir] secdir review of 
>> draft-ietf-6tisch-architecture-21
>> 
>> 
>> 
>> On 6/24/19 7:45 PM, Tero Kivinen wrote:
>>> Pascal Thubert (pthubert) writes:
>>>> Hello David:
>>>> 
>>>> Many thanks for your review. I do hope that you found it interesting.
>>>> 
>>>>> Sections 4.2.1 and 4.3.4 talk about the security of joining a 
>>>>> network, and time synchronization, respectively. Do any of the 
>>>>> security mechanisms in 4.2.1 rely on having an accurate clock?
>>>>> (E.g., to distrust old/expired keys.) Is time synchronization done 
>>>>> before the join process, and is there any way to exploit time 
>>>>> synchronization in order to cause a node to join a malicious 
>>>>> network?
>>>> 
>>>> This is really a MAC layer question for IEEE. I'm cc'ing Thomas who 
>>>> was one of the inventors of TSCH, as well as Michael and Malisa who 
>>>> led the join process study.
>>>> 
>>>> Time synchronization (date):
>>>> --------------------------------------
>>>> For all I know, the time sync is about giving a epoch time from 
>>>> which an Absolute Slot Number (ASN, expressed in slot duration 
>>>> e.g.,
>>>> 10ms) is derived. ASN plays a key role as it is used in NONCE. An 
>>>> attack that one could think of would be to fool the new node into 
>>>> thinking that ASN is earlier. This could happen before the keys are 
>>>> exchanged, or if an authorized peer is compromised. For the former, 
>>>> I'll defer to the others to answer fully how we protect the new 
>>>> comer. For the latter, 6TiSCH provides an additional protection 
>>>> since we derive time from a RPL parent. RPL has its own 
>>>> protections, some of them in the standard itself, some of them in 
>>>> zerotrust papers that need publishing.
>>> 
>>> In normal TSCH in 802.15.4 the joining node will listen to beacons 
>>> sent by the nodes already part of the network, and they will find 
>>> out the ASN from there. As they do not yet have keys for the network 
>>> they cannot verify the message integrity code authenticating the 
>>> beacon, and even if they did have the keys, they still cannot verify 
>>> it as it could be replay by attacker.
>>> 
>>> After they find out the ASN, they need to authenticate themself to 
>>> the network using some mechanism outside the 802.15.4. This 
>>> authentication step must be such that it cannot be replayed by 
>>> attacker, i.e., they must not trust ASN giving them any protection.
>>> 
>>> Note, that in general 802.15.4 TSCH DOES NOT provide replay 
>>> protection at all. I.e., attacker can cause legimite node to 
>>> retransmit its previous message by destroying ack, and upper layer 
>>> protocol must provide way to detect replays and cope with them.
>>> 
>>> During the authentication the JRC needs to provide the keying 
>>> material to the joining node, but that does NOT provide protection 
>>> against spoofed ASN. After the node has actual keys used in the 
>>> network it still needs to verify the ASN by sending some message to 
>>> JRC using authentication and verify that JRC replies to that.
>>> 
>>> If this 2nd step is omitted attacker do following attack:
>>> 
>>> Joining node (JN)   attacker	     		  JRC
>>> 		    <- beacon for ASN=23	  <- beacon for ASN=44
>>> See beacon
>>> from attacker,
>>> assume ASN=23.
>>> 
>>> Auth->JRC
>>> (no security)					  Check authentication
>>> 						  Return keys
>>> 						  keys->JN
>>> 
>>> Receive keys
>>> send first
>>> frame using
>>> keys using ASN=23->
>>> 
>>> 
>>> Now, if JN is using extended address to generate nonce, the nonce 
>>> will be different for all other nonces ever used, even the ASN is 
>>> faked, and has been used before. On the other hand if JN also 
>>> receives short address assignment from the JRC, JRC needs to make 
>>> sure that short address has not been assigned to anybody else 
>>> before, as if it was used by someone else, and frame sent by JN is 
>>> encrypted, then attacker will now have two packets with same ASN, 
>>> and short address, meaning same nonce, and it can now decrypt packets.
>> 
>> Is this discussion of nonce reuse in any relevant documents already, 
>> or is it something that should be added somewhere?
>> 
>>> Note, that attacker might be able to replay valid ACKs for the frame 
>>> sent by the JN, provided that the JRC (or whoever JN sent the 
>>> message
>>> to) happened to ack message using the same ASN attacker faked for JN.
>>> 
>>> If JN sends message to JRC which only JRC can reply, and uses wrong 
>>> ASN, the JRC will not be able to decrypt/validate that frame because 
>>> of wrong ASN in nonce, and will drop it silently, so if JN uses 
>>> wrong ASN it might be getting ACKs, but it will not get any real 
>>> reply frames back from real participants in the network. After it 
>>> will not receive confirmation from JRC that it has proper keys and 
>>> ASN, it knows something went wrong.
>>> 
>>> 
>>>> Time synthonization (precise tic, hourless)
>>>> --------------------------------------------------------
>>>> This is the process whereby a node corrects its tic to realign with 
>>>> the parent. ASN is not changed but the drift of crystals is 
>>>> compensated. An attacker could try to inject a sense of time that 
>>>> it slightly shifted to the point that the node lose sync with the 
>>>> rest of the network (the guard time is like an event horizon). Then 
>>>> again, RPL provides an additional protection on top of the MAC provisions.
>>> 
>>> Those time syncronization IEs are also protected by MAC level 
>>> authentication, so attackers who do not know the keys cannot 
>>> generate them. Attackers who do know keys can do whatever they like anyways...
>>> 
>>> Btw, I will be leaving for vacation tomorrow, so I might not be able 
>>> to reply any messages related to this until I get back end of next 
>>> week.
>>> 
> 
> -- 
> MailScanner believes this is threat-free - www.ucg.ac.me
>

v2.23.0 | Report a Bug | By Email