Re: [6tisch] ASN replay attack -- proposed text

Tero Kivinen <kivinen@iki.fi> Sat, 27 July 2019 04:08 UTC

Message-ID: <23867.52782.558815.945572@fireball.acr.fi>
Date: Sat, 27 Jul 2019 07:08:14 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
Cc: Thomas Watteyne <thomas.watteyne@inria.fr>, malisa.vucinic@inria.fr, 6tisch <6tisch@ietf.org>
In-Reply-To: <MN2PR11MB35655639497685D38075B1EFD8C00@MN2PR11MB3565.namprd11.prod.outlook.com>
References: <187B5557-C49C-44A3-AD16-C4CFF00FB91B@inria.fr> <08DADD63-7A1D-4D17-93E5-CCAC9ED7ED97@inria.fr> <MN2PR11MB35655639497685D38075B1EFD8C00@MN2PR11MB3565.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/2nJ-kOx_Ab1_IvvN4fn-KNI5xHc>
Subject: Re: [6tisch] ASN replay attack -- proposed text

Pascal Thubert (pthubert) writes:
> I'm wondering about the delayed security processing. That processing
> may be delayed beyond the current ASN. Is the ASN of the receive
> time attached to the frame as a meta of sorts to enable the delayed
> validation? 

There is a TimeStamp parameter to the MCPS-DATA.indication which tells
when the frame was received. TimeStamp is also available in the
PANDescriptor when you are scanning the network for beacons, and when
joining a TSCH network the upper layer needs to somehow calculate the
current ASN from the TimeStamp of the received beacon and the TSCH
Synchronization IE contained in the Beacon. This means this kind of
operation where a timestamp is converted to timeslots is something the upper
layer needs to be able to do anyway, so it should be able to convert
the TimeStamp of a received frame to an ASN and then use that ASN to do
security processing.
-- 
kivinen@iki.fi
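The conversion Tero describes, as an added example that is not part of the thread or of any 802.15.4 stack: the beacon's TSCH Synchronization IE gives an anchor ASN, the beacon's TimeStamp anchors it in local time, and the ASN of any later (or earlier) frame follows from its own TimeStamp. It assumes the Synchronization IE content layout of a 5-octet little-endian ASN followed by a 1-octet Join Metric, timestamps in microseconds, and the default 10 ms timeslot; the beacon bytes are constructed.

```python
"""Derive the receive-time ASN of a frame from its TimeStamp, anchored on a
beacon. Added example; the IE layout and microsecond TimeStamp are assumptions."""

ASN_MODULUS = 1 << 40            # ASN is a 40-bit counter on the air
TS_TIMESLOT_LENGTH_US = 10_000   # default macTsTimeslotLength (10 ms)


def parse_sync_ie(content: bytes) -> tuple[int, int]:
    """Split the 6-octet TSCH Synchronization IE content into (asn, join_metric)."""
    if len(content) != 6:
        raise ValueError("TSCH Synchronization IE content must be 6 octets")
    asn = int.from_bytes(content[:5], "little")   # 5-octet ASN, little-endian
    join_metric = content[5]                      # 1-octet Join Metric
    return asn, join_metric


def asn_at_timestamp(beacon_asn: int, beacon_ts_us: int, frame_ts_us: int,
                     slot_us: int = TS_TIMESLOT_LENGTH_US) -> int:
    """ASN of the timeslot in which a frame with receive TimeStamp frame_ts_us
    arrived. Floor division keeps frames received before the beacon correct,
    and the result wraps modulo 2^40 like the real counter."""
    elapsed_slots = (frame_ts_us - beacon_ts_us) // slot_us
    return (beacon_asn + elapsed_slots) % ASN_MODULUS


def security_asn(beacon_asn: int, beacon_ts_us: int, frame_ts_us: int,
                 current_asn: int, slot_us: int = TS_TIMESLOT_LENGTH_US) -> tuple[int, int]:
    """ASN to use for delayed security processing of a frame, plus how many
    slots the processing has been delayed. The nonce must be built from the
    receive-time ASN, not from the ASN current when processing finally runs."""
    rx_asn = asn_at_timestamp(beacon_asn, beacon_ts_us, frame_ts_us, slot_us)
    delayed_by = (current_asn - rx_asn) % ASN_MODULUS
    return rx_asn, delayed_by


if __name__ == "__main__":
    # Constructed beacon: Synchronization IE content carrying ASN 0x012345, Join Metric 0.
    sync_ie = bytes.fromhex("452301000000")
    beacon_asn, _ = parse_sync_ie(sync_ie)
    beacon_ts = 1_000_000                           # beacon received at t = 1.0 s
    # A data frame received 250 ms later, processed when ASN has advanced further.
    rx_asn, delay = security_asn(beacon_asn, beacon_ts, 1_250_000, current_asn=74600)
    print(f"beacon ASN {beacon_asn}, frame ASN {rx_asn}, processed {delay} slots late")
```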