Re: [6tisch] [secdir] secdir review of draft-ietf-6tisch-architecture-21

[Tero Kivinen <kivinen@iki.fi>]

Mališa Vučinić writes:
> Pascal,
> 
> Before the pledge selects a JP, the text from RFC8180 that is relevant seems to be (Section
> 6.2):
> 
> When a node joins a network, it may hear EBs sent by different nodes
>    already in the network.  The decision of which neighbor to
>    synchronize to (e.g., which neighbor becomes the node's initial time-
>    source neighbor) is implementation specific.  For example, after
>    having received the first EB, a node MAY listen for at most
>    MAX_EB_DELAY seconds until it has received EBs from
>    NUM_NEIGHBOURS_TO_WAIT distinct neighbors.  Recommended values for
>    MAX_EB_DELAY and NUM_NEIGHBOURS_TO_WAIT are defined in Figure 5.
>    When receiving EBs from distinct neighbors, the node MAY use the Join
>    Metric field in each EB to select the initial time-source neighbor,
>    as described in Section 6.3.6 of IEEE Std 802.15.4 [IEEE.802.15.4].
> 
> To me, this text is ambiguous on whether the pledge should duty
> cycle its radio according to the schedule found in the first
> received EB.

When I asked this from 802.15.4 experts they said that normally nodes
start listening on channel 1 and stays there for some time, and then
move to channel 2 and so on, but usually only limits themselfs to
first n channels, as going through all channels to find beacons takes
very long time.

Normal parameters means that 10 ms * 100 slots = shared slot every
second on some channel, with EB_PERIOD of 3 or so, means there will be
beacon every 3 seconds, and with 16 channels there will be beacon on
channel 1 every 48 seconds.

If we would want the system to work even if we miss two beacons then
we would need to stay on channel 1 for 144 seconds to be sure that
there is no beacons there. Then we would move to channel 2, and
repeat. To repeat this process for 16 channels takes 38 minutes...

The reason we might not hear anything from channel 1 is because it
might be omitted from the hopping sequence as there might be
interference on it. Thats why you need to try more than one channel,
but there is no need to listen all 16 channels, as if most of the
channels have too much interference to cause them not be used, then
that network is no longer functional...

> In case the pledge does not duty cycle its radio upon receiving the
> first EB that happens to be a replay, the attacker cannot really
> desync the pledge due to its radio being on 100% of the time waiting
> for additional beacons.

I think pledge should never do that. It should always stay for same
few channels when finding beacons as otherwise attacker sending beacon
to pledge can throw it completely out of sync, and single packet can
cause join to fail. 

> Eventually, as Michael noted, one fresh EB will arrive from a
> legitimate node with a higher ASN, at which point it becomes
> critical for the pledge to select the JP with the largest available
> ASN for a given advertised PAN ID. I believe this text deserves
> expanded discussion in the Security Considerations of
> minimal-security but I am not convinced on the need for a special
> mechanism to exchange/sign the ASN.

This only works if pedge stays on the same channel while listening
beacons, otherwise it will never hear any other beacons after it
received attackers beacon (which attacker can send all the time,
making sure this is the beacon pledge will hear, and attacker can send
it on first channel always, as that is most likely where the pledge
starts listening first. 

But yes, listening on the same channel for multiple beacons, after you
hear first one should be ok, with EB_PERIOD of 3 you should get
another beacon 48 seconds later, so if you stay for that channel for
180 seconds you should 3-4 beacons. 
-- 
kivinen@iki.fi