IETF Logo Mail Archive

Re: [6tisch] Opsdir last call review of draft-ietf-6tisch-minimal-security-12

Linda Dunbar <linda.dunbar@futurewei.com> Fri, 11 October 2019 15:26 UTC

Return-Path: <linda.dunbar@futurewei.com>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28902120100; Fri, 11 Oct 2019 08:26:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=futurewei.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J90LQ5wEv4Yu; Fri, 11 Oct 2019 08:26:32 -0700 (PDT)
Received: from NAM04-CO1-obe.outbound.protection.outlook.com (mail-eopbgr690128.outbound.protection.outlook.com [40.107.69.128]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B08712008D; Fri, 11 Oct 2019 08:26:31 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=i0ruAB/5j2rTLegGlcj9wVcOw34yUF3XsqWQYZedQ7imsAiiGl/NegQlxfC8SO+BuFJwnZPa81oHIkfUvyeWBtXtfi7KDGdwJmbeS0dDpU/Ihn5nTS9u1CMMm1b9e8Exbn1fQODGUlgh7+h1CA1jNCls8lKpXO/H5El5xrO4qitSy6z100C5Uj67wJSYfRAaBJDyFXnhzSw8+OdB1JicBVSErT/xvzSo9Mpi3FZUpUDF7c8mi/26sSe9Mn8KikY3JK8/9Wz2ATAgC/f9jyAo0SmrYdGjgvTV7u9rgAaf95OoTOfBiQqOjsfh8czj1E+PmhWulEEJc88VNnr5m1PMuQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3VwFMyPp4iXusSHxe2ypKbCQl3ZpCkT1KYgZyVmq1zo=; b=M28AgSbSOwQaWqVXdCyu7vDhL7IT1jzrNhi+xpdEg1wu+DgvpL1KTNAYk5l+dkwHfBO0cHmQ/OdY5c0mZQnr/54Kc/yeMJFIVhuvgtcEuoOVzzBqIODeSCZjdf+oJAwOMiKpn4bMh2CKLl0iKIjySXC5LPYEoNnkEi9QckDfqQ8UnMSPStI4LEO9Juyk8gKkJyNTwRDfQJnuMkdZFNFeqqX/wCs4HV9k3GuZbiedf/1Ay1T3EiZe6BvQGmSST3+OohqlSnQlFFa1t8UQNdnYiSsnqebuXLjSM2b30srxvgRXSicmFZ73P+29z0gFvj1lUHH/9fZSecXBweRt6mziVw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=futurewei.com; dmarc=pass action=none header.from=futurewei.com; dkim=pass header.d=futurewei.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=Futurewei.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=3VwFMyPp4iXusSHxe2ypKbCQl3ZpCkT1KYgZyVmq1zo=; b=cAHZ0b28+7zXwc1k+9nPK+hgiLmrVS65XMh/i1Yh+0ME6fQ/drzOpb6kn3TmrfxBF2Zlo5rIwOZP4JtBcEHrx+fD28CLqPsWUZOl9bFMBWFv4uBhrgWC3YybUhb+Sd64PAG+7YUk0KlAi1YCBJKUYl0iMl2X6EKAnokULydBI9I=
Received: from MN2PR13MB2637.namprd13.prod.outlook.com (20.178.250.82) by MN2PR13MB3357.namprd13.prod.outlook.com (10.255.236.88) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2347.11; Fri, 11 Oct 2019 15:26:29 +0000
Received: from MN2PR13MB2637.namprd13.prod.outlook.com ([fe80::85a2:fa45:1435:d5f7]) by MN2PR13MB2637.namprd13.prod.outlook.com ([fe80::85a2:fa45:1435:d5f7%7]) with mapi id 15.20.2347.021; Fri, 11 Oct 2019 15:26:28 +0000
From: Linda Dunbar <linda.dunbar@futurewei.com>
To: Mališa Vučinić <malisa.vucinic@inria.fr>
CC: "ops-dir@ietf.org" <ops-dir@ietf.org>, 6tisch <6tisch@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>, "draft-ietf-6tisch-minimal-security.all@ietf.org" <draft-ietf-6tisch-minimal-security.all@ietf.org>
Thread-Topic: [6tisch] Opsdir last call review of draft-ietf-6tisch-minimal-security-12
Thread-Index: AQHVfSVQZ9nj+hQ7AUuquPXxUIXieKdUGEwAgAEW+QCAAGasoA==
Date: Fri, 11 Oct 2019 15:26:28 +0000
Message-ID: <MN2PR13MB26376DBB71A6C04D0B2F28E185970@MN2PR13MB2637.namprd13.prod.outlook.com>
References: <157023324915.1400.10416689027865506912@ietfa.amsl.com> <91540EE6-E74D-4ECA-9E54-9B5E35FA5937@inria.fr> <BN8PR13MB262886B2376BAD2ECBB317D985940@BN8PR13MB2628.namprd13.prod.outlook.com> <0EEA127F-FA8F-4BA2-8ED5-1614ECAC6566@inria.fr>
In-Reply-To: <0EEA127F-FA8F-4BA2-8ED5-1614ECAC6566@inria.fr>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=linda.dunbar@futurewei.com;
x-originating-ip: [72.180.73.64]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 5699a692-7f97-44bb-ffa0-08d74e5f6326
x-ms-traffictypediagnostic: MN2PR13MB3357:
x-ms-exchange-purlcount: 4
x-microsoft-antispam-prvs: <MN2PR13MB33573C287C1CE50EAC1526A985970@MN2PR13MB3357.namprd13.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0187F3EA14
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(4636009)(366004)(39850400004)(346002)(376002)(136003)(396003)(51914003)(13464003)(199004)(189003)(64756008)(446003)(66446008)(71190400001)(66556008)(71200400001)(66476007)(606006)(54896002)(6306002)(9686003)(8676002)(102836004)(7110500001)(81166006)(236005)(7736002)(966005)(6246003)(81156014)(14444005)(76176011)(15650500001)(2420400007)(229853002)(11346002)(486006)(476003)(52536014)(256004)(186003)(53546011)(86362001)(26005)(44832011)(6506007)(2906002)(7696005)(99286004)(4326008)(6116002)(25786009)(6436002)(66066001)(55016002)(316002)(790700001)(6916009)(5660300002)(3846002)(45080400002)(66946007)(8936002)(76116006)(14454004)(54906003)(33656002)(66574012)(478600001)(74316002); DIR:OUT; SFP:1102; SCL:1; SRVR:MN2PR13MB3357; H:MN2PR13MB2637.namprd13.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: futurewei.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: YpAQ7MZsxBezLBtLET99HNlY/SXqJLIegGgQncZDfTDxGT8atWREGyEdeT/a4mFTik8xiY//2Ot76z8ksKrGc5HKBokw7UMdouU8eDqtsshKVjjkMt2ThNNr8GW2GWg6BRwGEHXEwaE2ajtphZIxevPh3zTOhCtDMAFL5TtZ+G1qsR/5rHzGULPng3/lPhNeDcBdBb/3sbeDIgSWv8ArCfKjtI+IAdTKPME/6rnpP6Mj9vQQuIw61oGpJ8w4/9v5sadB+vkfX4ln8GEaHpSsyLNFWJPGksu+a7H/78F44wNZfpjZMGdcAwomo6h4k2t27hMF0F9USyYz/Z1dsP6enK6dxUGWsf5XzoCiGu0DGQOYRbUcfgcMqXj70EdZFW3VpWzV3z9naZ/edQ55FdlTiB5tDJxB98dtO8Q53Vn1I0sFkIe0SObqA4erWKhxJh+AY5ov3oHMr1b3OefDnHutbw==
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MN2PR13MB26376DBB71A6C04D0B2F28E185970MN2PR13MB2637namp_"
MIME-Version: 1.0
X-OriginatorOrg: Futurewei.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5699a692-7f97-44bb-ffa0-08d74e5f6326
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Oct 2019 15:26:28.4196 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 0fee8ff2-a3b2-4018-9c75-3a1d5591fedc
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: wGAlqvuy5SSkslWG/20oUj4WLznaVNlwI+FiemOXWD255AO2tnFg+XT5BitPVOUg82iPKm8nTcYpEl0wYXqxTA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR13MB3357
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/6A97hdESeHHD_nGZuwQDKr020RM>
Subject: Re: [6tisch] Opsdir last call review of draft-ietf-6tisch-minimal-security-12
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Oct 2019 15:26:37 -0000

Malisa,

Thank you very much for the change. It is very good.

Linda

From: Mališa Vučinić <malisa.vucinic@inria.fr>
Sent: Friday, October 11, 2019 4:18 AM
To: Linda Dunbar <linda.dunbar@futurewei.com>
Cc: ops-dir@ietf.org; 6tisch <6tisch@ietf.org>; ietf@ietf.org; draft-ietf-6tisch-minimal-security.all@ietf.org
Subject: Re: [6tisch] Opsdir last call review of draft-ietf-6tisch-minimal-security-12

Dear Linda,

After a second look, I noticed that the ASN acronym only had a couple of occurrences in the text. To address your comment, I replaced the occurrences of “ASN" with the expanded version “absolute slot number” without defining the acronym in our document. The changes following your review can be found at:

https://bitbucket.org/6tisch/draft-ietf-6tisch-minimal-security/commits/83e751fd8c97441e0362df983dec2801b6177300<https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fbitbucket.org%2F6tisch%2Fdraft-ietf-6tisch-minimal-security%2Fcommits%2F83e751fd8c97441e0362df983dec2801b6177300&data=02%7C01%7Clinda.dunbar%40futurewei.com%7C038dad038f5847faec6c08d74e2bede6%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637063822939619268&sdata=w5P2WtMwBPlra3M2gwvHav1kggRFXMlMbFEC%2Bt7Hbzs%3D&reserved=0>

Please let me know whether I should go ahead and upload the new version to the datatracker.

Mališa


On 10 Oct 2019, at 18:42, Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>> wrote:

Malisa,

Thanks for the changes.

I didn't realize that IEEE802.15 uses ASN for completely different purpose than the IETF's ASN. Maybe add a note stating "this ASN is completely different from the BGP's ASN".

Linda

-----Original Message-----
From: Mališa Vučinić <malisa.vucinic@inria.fr<mailto:malisa.vucinic@inria.fr>>
Sent: Monday, October 07, 2019 10:39 AM
To: Linda Dunbar <linda.dunbar@futurewei.com<mailto:linda.dunbar@futurewei.com>>
Cc: ops-dir@ietf.org<mailto:ops-dir@ietf.org>; 6tisch <6tisch@ietf.org<mailto:6tisch@ietf.org>>; ietf@ietf.org<mailto:ietf@ietf.org>; draft-ietf-6tisch-minimal-security.all@ietf.org<mailto:draft-ietf-6tisch-minimal-security.all@ietf.org>
Subject: Re: [6tisch] Opsdir last call review of draft-ietf-6tisch-minimal-security-12

Dear Linda,

Many thanks for your review. Please find the responses inline.

Kind regards,
Mališa


On 5 Oct 2019, at 01:54, Linda Dunbar via Datatracker <noreply@ietf.org<mailto:noreply@ietf.org>> wrote:

Reviewer: Linda Dunbar
Review result: Has Nits

Reviewer: Linda Dunbar
Review result: Has Nits  & with comment

I am the assigned Ops area reviewer for this draft. The Ops
directorate reviews all IETF documents being processed by the IESG for
the IETF Chair.  Please treat these comments just like any other last call comments.

This document is written very clear, specifying a framework for a new
device to securely join a 6TiSCH network.



One question: the document assumes that there is pre-shared key (PSK)
between the device and the controller. The Security Consideration does
describe the common pitfall of  a single PSK shared among a group of
devices. Is there any way to prevent it? Is it necessary to require
the Key to be periodically changed?

Please note that the document mandates unique PSKs between each device and the JRC (Section 3, PSK), thus a compromise of a single device does not leak the PSK of other devices in the network. The discussion you refer to in the Security Consideration section makes an attempt to draw attention to the unsafe practices, but beyond mandating the PSK to be unique for each pledge, which is already a strong requirement, I am not sure we can do much more about it. Requiring the PSK to be periodically changed would require periodic in-situ manipulation of devices (by the 100s or even 1000s), something that is not realistically going to happen…What we could do, however, is to mandate the PSK to be changed upon device re-commissioning to a new owner, when it is likely that a device needs to be manipulated, so I would propose the following sentence be added at the end of Section 3, PSK:

NEW:
In case of device re-commissioning to a new owner, it is REQUIRED to change the PSK.

Would that work?


Another  suggestion:
Section 5.1 introduces an acronym ASN to represent "Absolute slot number".

Can you use a different acronym because ASN has been widely used in
networking as the Autonomous System Number.

ASN for "Absolute slot number” was defined in the IEEE 802.15.4 specification and the acronym is widely used in our community. I would refrain from re-defining it as it would cause confusion, given that is already used in other documents produced by the 6TiSCH working group (RFC8180, RFC7554).


---
An autonomous system number (ASN) is a unique number that's available
globally to identify an autonomous system and which enables that
system to exchange exterior routing information with other neighboring autonomous systems.

Thank you.

Linda Dunbar


_______________________________________________
6tisch mailing list
6tisch@ietf.org<mailto:6tisch@ietf.org>
https://nam03.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.
ietf.org<https://nam03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fietf.org%2F&data=02%7C01%7Clinda.dunbar%40futurewei.com%7C038dad038f5847faec6c08d74e2bede6%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637063822939629224&sdata=5dDLBvc6Itp5G3VirKSxW06CrJgTx9wLdlCPmSGC8m4%3D&reserved=0>%2Fmailman%2Flistinfo%2F6tisch&amp;data=02%7C01%7Clinda.dunbar
%40futurewei.com<https://nam03.safelinks.protection.outlook.com/?url=http%3A%2F%2F40futurewei.com%2F&data=02%7C01%7Clinda.dunbar%40futurewei.com%7C038dad038f5847faec6c08d74e2bede6%7C0fee8ff2a3b240189c753a1d5591fedc%7C1%7C0%7C637063822939629224&sdata=HDLrcswehTEd0IWAQ8kFTvlyDogI4XilGsjtNO0Zb0Y%3D&reserved=0>%7C4b48bea8289a448fc54308d74b3c7064%7C0fee8ff2a3b24018
9c753a1d5591fedc%7C1%7C1%7C637060595293959400&amp;sdata=eD9OiaPzigRIqt
66tBC1fANtpgzVzIX2SxldjSYwsq4%3D&amp;reserved=0

v2.23.0 | Report a Bug | By Email