IETF Logo Mail Archive

Re: [6tisch] differential security for CoAP resources

Mališa Vučinić <Malisa.Vucinic@imag.fr> Thu, 07 May 2015 18:46 UTC

Return-Path: <Malisa.Vucinic@imag.fr>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 617AD1A1A82 for <6tisch@ietfa.amsl.com>; Thu, 7 May 2015 11:46:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.48
X-Spam-Level:
X-Spam-Status: No, score=-0.48 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_FR=0.35, HTML_MESSAGE=0.001, MIME_8BIT_HEADER=0.3, SPF_NEUTRAL=0.779, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U_5rkrRFV45h for <6tisch@ietfa.amsl.com>; Thu, 7 May 2015 11:46:55 -0700 (PDT)
Received: from shiva.imag.fr (mx1.imag.fr [IPv6:2001:660:5301:6::5]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33A161A1A9D for <6tisch@ietf.org>; Thu, 7 May 2015 11:46:38 -0700 (PDT)
Received: from globule.imag.fr (globule.imag.fr [129.88.34.238]) by shiva.imag.fr (8.13.8/8.13.8) with ESMTP id t47IkYwt020645 (version=TLSv1/SSLv3 cipher=ADH-AES256-SHA bits=256 verify=NO) for <6tisch@ietf.org>; Thu, 7 May 2015 20:46:34 +0200
Received: from dhcp-33-61.eecs.berkeley.edu (dhcp-33-61.EECS.Berkeley.EDU [128.32.33.61]) (authenticated bits=0) by globule.imag.fr (8.13.8/8.13.8) with ESMTP id t47IkXgF025932 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for <6tisch@ietf.org>; Thu, 7 May 2015 20:46:35 +0200
From: Mališa Vučinić <Malisa.Vucinic@imag.fr>
Content-Type: multipart/alternative; boundary="Apple-Mail=_43354CB7-8FB9-4340-B5CF-B26F87675F97"
Message-Id: <5C431BC2-2291-43BC-9F2D-EE4D61EB1F4C@imag.fr>
Mime-Version: 1.0 (Mac OS X Mail 8.2 \(2098\))
Date: Thu, 07 May 2015 11:46:34 -0700
References: <554AB31A.6030200@berkeley.edu> <ACA1D97F-BFAC-4296-A959-45CE40A8E447@imag.fr> <CADJ9OA_TbHhAWpM5_-RBCMu2NwM+O-OQqKzgfomTM9LyLzncbw@mail.gmail.com>
To: 6tisch@ietf.org
In-Reply-To: <CADJ9OA_TbHhAWpM5_-RBCMu2NwM+O-OQqKzgfomTM9LyLzncbw@mail.gmail.com>
X-Mailer: Apple Mail (2.2098)
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.0.1 (shiva.imag.fr [129.88.30.5]); Thu, 07 May 2015 20:46:34 +0200 (CEST)
X-IMAG-MailScanner-Information: Please contact MI2S MIM for more information
X-MailScanner-ID: t47IkYwt020645
X-IMAG-MailScanner: Found to be clean
X-IMAG-MailScanner-SpamCheck:
X-IMAG-MailScanner-From: malisa.vucinic@imag.fr
MailScanner-NULL-Check: 1431629194.21967@i3FCh3VDLixO+0ulsvFBEg
Archived-At: <http://mailarchive.ietf.org/arch/msg/6tisch/0gH4QSR76RAnPMn0iMoa2xVQezc>
Subject: Re: [6tisch] differential security for CoAP resources
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 May 2015 18:46:57 -0000

Thomas,

> On 07 May 2015, at 06:45, Thomas Watteyne <watteyne@eecs.berkeley.edu> wrote:
> 
> For the distributed CoAPIE case, https://tools.ietf.org/html/draft-wang-6tisch-6top-coapie-00 <https://tools.ietf.org/html/draft-wang-6tisch-6top-coapie-00> doesn't focus on security (it's a -00). IMO, there are two options:
> - we consider CoAPIE security to be part of L2 security. That is, a network-wide PSK, or neighbor-by-neighbor keys installed by the JCE

Even if you consider CoAPIE security to be protected by different L2 keys, you need to take care of actual CoAP resource access i.e. difference between nodes that can READ and DELETE a 6top resource from Kris’ mail. Assuming the mote possesses a table/ACL locally, you would essentially be doing some sort of implicit CoAP authorization using L2 keys. The problem is that higher access granularity at CoAP resource level would then translate to more complex L2 key distribution schemes, which could be considered a layer violation.  

> - the CoAPIE also encapsulates the DTLS record. Packet will be (much) bigger, and neighbor-to-neighbor authentication would be needed.

If I am reading https://tools.ietf.org/html/draft-wang-6tisch-6top-coapie-00 <https://tools.ietf.org/html/draft-wang-6tisch-6top-coapie-00> correctly, CoAPIE’s payload at L2 is directly a CoAP message - the rest of the protocol stack is not included. Do you consider including the full protocol stack in the IE in order to get DTLS working?

Mališa

v2.23.0 | Report a Bug | By Email