Re: [6tisch] 6tisch join requirements for 6top
<yoshihiro.ohba@toshiba.co.jp> Tue, 02 December 2014 13:51 UTC
From: yoshihiro.ohba@toshiba.co.jp
To: mcr+ietf@sandelman.ca
Date: Tue, 02 Dec 2014 13:51:00 +0000
Message-ID: <674F70E5F2BE564CB06B6901FD3DD78B29D06479@TGXML210.toshiba.local>
References: <D0876D12.C03C%rsudhaak@cisco.com> <32412.1415737868@sandelman.ca> <D087B62D.C081%rsudhaak@cisco.com> <10653.1415740821@sandelman.ca> <CADJ9OA_LFkGDuyG_0bf=07d7cvC9FNRr5cMGTmYw2PR=g9XQHA@mail.gmail.com> <8193.1416253349@sandelman.ca> <21619.12717.53454.214321@fireball.kivinen.iki.fi> <E045AECD98228444A58C61C200AE1BD848A77CB5@xmb-rcd-x01.cisco.com> <21620.25926.119766.130028@fireball.kivinen.iki.fi> <54750807.9070901@berkeley.edu> <CADJ9OA_FS2qsTEGCDMMu_wwN=NsfARW26rw_9g9ROP=AHorB3g@mail.gmail.com> <674F70E5F2BE564CB06B6901FD3DD78B29D05F10@TGXML210.toshiba.local> <7934.1417488456@sandelman.ca>
In-Reply-To: <7934.1417488456@sandelman.ca>
Archived-At: http://mailarchive.ietf.org/arch/msg/6tisch/2Plv3gDtfBWBG4bWNVC867qBiFY
Cc: watteyne@eecs.berkeley.edu, ksjp@berkeley.edu, 6tisch@ietf.org
Subject: Re: [6tisch] 6tisch join requirements for 6top
I don't assume that an attacker has sufficient control of the rebooted node. If the rebooted node re-uses old frame counter values for the same key and sends encrypted traffic, then it gives hints to the attacker about the encryption key; that is where the weakness comes from. I think re-joining requires authentication (as Thomas mentioned) in which protected frame counter synchronization is performed, and that re-joining authentication should not be protected by the MAC layer to avoid possible re-use of the frame counter.

Yoshihiro Ohba

-----Original Message-----
From: 6tisch [mailto:6tisch-bounces@ietf.org] On Behalf Of Michael Richardson
Sent: Tuesday, December 2, 2014 11:48 AM
To: ohba yoshihiro (大場 義洋 ○RDC□NSL)
Cc: watteyne@eecs.berkeley.edu; ksjp@berkeley.edu; 6tisch@ietf.org
Subject: Re: [6tisch] 6tisch join requirements for 6top

<yoshihiro.ohba@toshiba.co.jp> wrote:
> There is some weakness if a device does not store a frame counter
> (i.e., ASN in TSCH) across a reboot. There can be a replay attack by
> sending a copy of a beacon frame sent in the past, letting the rebooted
> device re-use the frame counter (until the device synchs up with the
> correct ASN).

First, let's assume that the node has been removed from the network, and is subject to a malicious beacon frame. It can never catch up, I guess.

If the attacker had a record of subsequent (encrypted) frames that were present, the captured node would decrypt the traffic again. At this point, if one controls the node sufficiently that one can read RAM, one could read the cleartext; but I would claim that in that case, one already has the key, and can just decrypt the captured traffic directly.

If we are talking about join traffic, it seems that one already has the encryption key, so one doesn't even need the node, or the beacon frame.

Is there another attack?

Now, assuming that we have both malicious and regular transmitters of the beacon. Is there something else one can do?

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
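The weakness Ohba describes is a nonce-reuse problem: in 802.15.4e TSCH the CCM* nonce is the 8-byte source address followed by the 5-byte ASN, so a node that is dragged back to an already-used ASN by a replayed beacon encrypts new frames under a (key, nonce) pair it has used before. The script below is an added example, not code from the list or from any 6tisch implementation; it uses HMAC-SHA256 in counter mode as a stand-in for the AES-CTR keystream inside CCM* (assumption: no AES library), since the only property exercised is that the keystream depends on key and nonce alone. The key, address, ASN values and frame payloads are constructed. It shows the attacker recovering a post-reboot frame from one known pre-reboot frame without the key, and the mitigation of persisting the highest used ASN so a stale beacon is rejected.

```python
import hashlib
import hmac
import struct

# Constructed values for the example (not from the thread or any real network).
LINK_KEY = bytes(range(16))                          # 128-bit link key
SRC_ADDR = b"\x00\x12\x4b\x00\x01\x02\x03\x04"       # 64-bit source address


def ccm_nonce(src_addr: bytes, asn: int) -> bytes:
    """13-byte TSCH CCM* nonce: 8-byte source address || 5-byte ASN."""
    return src_addr + asn.to_bytes(5, "big")


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream. Stand-in PRF (HMAC-SHA256) instead of AES;
    like AES-CTR inside CCM*, it depends on (key, nonce, block index) only."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", block), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, src_addr: bytes, asn: int, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, ccm_nonce(src_addr, asn), len(plaintext)))


def recover_second_plaintext(c1: bytes, p1: bytes, c2: bytes) -> bytes:
    """Attacker view: c1 and c2 were sent under the same (key, nonce). If p1 is
    known (a predictable frame captured before the reboot), keystream = c1 ^ p1
    and therefore p2 = c2 ^ keystream. The link key is never needed."""
    ks = xor(c1, p1)
    return xor(c2, ks)


def demo_frame_counter_reuse() -> bytes:
    """Node sends frame 1 at ASN 1000, reboots with a zeroed counter, is fed a
    replayed beacon advertising ASN 1000, and sends frame 2 under the same nonce."""
    asn_before_reboot = 1000
    p1 = b"KEEPALIVE from node 04   "          # predictable, seen by attacker
    c1 = encrypt(LINK_KEY, SRC_ADDR, asn_before_reboot, p1)

    replayed_beacon_asn = asn_before_reboot    # attacker replays the old beacon
    p2 = b"temp=21.5C;valve=OPEN;v=3"          # secret reading sent after reboot
    c2 = encrypt(LINK_KEY, SRC_ADDR, replayed_beacon_asn, p2)

    assert xor(c1, c2) == xor(p1, p2)          # ciphertext XOR leaks plaintext XOR
    return recover_second_plaintext(c1, p1, c2)


class PersistedAsnSender:
    """Mitigation: keep the highest ASN used under this key in non-volatile
    storage and never transmit at an ASN at or below it, so a replayed beacon
    cannot drag the node back onto already-used nonces. (Simplified: the ASN is
    advanced by one slot per frame sent.)"""

    def __init__(self, key: bytes, src_addr: bytes, nvm_asn: int):
        self.key, self.src_addr = key, src_addr
        self.nvm_asn = nvm_asn      # survives reboot
        self.asn = None             # current slot, unknown until a beacon is heard

    def sync_to_beacon(self, beacon_asn: int) -> bool:
        if beacon_asn <= self.nvm_asn:
            return False            # stale (possibly replayed) beacon: do not sync
        self.asn = beacon_asn
        return True

    def send(self, plaintext: bytes) -> bytes:
        if self.asn is None or self.asn <= self.nvm_asn:
            raise RuntimeError("refusing to encrypt: would reuse a frame counter")
        c = encrypt(self.key, self.src_addr, self.asn, plaintext)
        self.nvm_asn = self.asn      # persist before the frame leaves the radio
        self.asn += 1
        return c


def demo_persisted_counter() -> bool:
    """Rebooted node that remembers ASN 1000 was used; a replayed beacon for
    ASN 1000 is rejected, so no nonce is reused."""
    node = PersistedAsnSender(LINK_KEY, SRC_ADDR, nvm_asn=1000)
    return node.sync_to_beacon(1000)
```

The persisted-counter check only closes the reuse hole if the stored value is written before the frame is transmitted and is kept per key; a node that loses the value (or starts from a factory image) still has to obtain a fresh key or a fresh nonce space through an authenticated re-join, which is the point Ohba makes above.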