IETF Logo Mail Archive

Re: [6tisch] WGLC for https://www.ietf.org/id/draft-ietf-6tisch-architecture-17.txt

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Wed, 12 December 2018 12:51 UTC

Return-Path: <pthubert@cisco.com>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 628BC12777C for <6tisch@ietfa.amsl.com>; Wed, 12 Dec 2018 04:51:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.958
X-Spam-Level:
X-Spam-Status: No, score=-15.958 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-1.459, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hHgQ-Zr4s1yJ for <6tisch@ietfa.amsl.com>; Wed, 12 Dec 2018 04:51:21 -0800 (PST)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46FE7127133 for <6tisch@ietf.org>; Wed, 12 Dec 2018 04:51:21 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=28268; q=dns/txt; s=iport; t=1544619081; x=1545828681; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=xDs5rr4qtDx7gkRuft1gF2ERYcJkYE7M2WFbGQ8aTrY=; b=SeyWa/gEMJEIIBvH7jkHTD+f/CUQfvpEHh1lWe3dG3LT75veGn2fumDo tZswMIzCjJp7qXVa/ousFJrkOK2quzwUM0LZJjvT02b5n4oT/VnPim5aZ ZtQyn+okohtH+nWYkv5e9EC0qa8cS2O2HPZnAnnlejzrUCg7QJD7ZYAkj g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ADAAC0AxFc/4wNJK1jGQEBAQEBAQEBAQEBAQcBAQEBAQGBUQQBAQEBAQsBgQ12ZoECJwqDcYgZjBKCDZdTFIFmCwEBI4RJAheCZCI0CQ0BAwEBAgEBAm0cDIU8AQEBBCMKTBACAQgRAQMBASEKAgICMBcGCAIEDgUIgxqBHWQPpVWBL4orBYw8F4FAP4ERgxKDHgKBJYNAglcCiT2FcIZRiw4JAopIhwUggVyFGodXgnmZGAIRFIEnHziBVnAVgyeCUBiINIU/QTEBjGOBHwEB
X-IronPort-AV: E=Sophos;i="5.56,344,1539648000"; d="scan'208,217";a="211996420"
Received: from alln-core-7.cisco.com ([173.36.13.140]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 12 Dec 2018 12:51:20 +0000
Received: from XCH-RCD-001.cisco.com (xch-rcd-001.cisco.com [173.37.102.11]) by alln-core-7.cisco.com (8.15.2/8.15.2) with ESMTPS id wBCCpJd6001862 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 12 Dec 2018 12:51:20 GMT
Received: from xch-rcd-001.cisco.com (173.37.102.11) by XCH-RCD-001.cisco.com (173.37.102.11) with Microsoft SMTP Server (TLS) id 15.0.1395.4; Wed, 12 Dec 2018 06:51:19 -0600
Received: from xch-rcd-001.cisco.com ([173.37.102.11]) by XCH-RCD-001.cisco.com ([173.37.102.11]) with mapi id 15.00.1395.000; Wed, 12 Dec 2018 06:51:19 -0600
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Mališa Vučinić <malisa.vucinic@inria.fr>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, "6tisch@ietf.org" <6tisch@ietf.org>
Thread-Topic: [6tisch] WGLC for https://www.ietf.org/id/draft-ietf-6tisch-architecture-17.txt
Thread-Index: AQHUjKwsiAVlTLmO0E2OlfMzIBcoFaVxp4dwgAm3iID//6d2YA==
Date: Wed, 12 Dec 2018 12:51:08 +0000
Deferred-Delivery: Wed, 12 Dec 2018 12:50:20 +0000
Message-ID: <7ec1a3dc9bb942139dc70484f70f9e5d@XCH-RCD-001.cisco.com>
References: <eaeba2a200c644738778e865a5f539b2@XCH-RCD-001.cisco.com> <CANDGjyeaD1=_ogUEpEKbjwqT8+UA_kvOdeiUjaOKYZGnYqKn0A@mail.gmail.com> <4efc02ce5ff340158078a0cfca69e698@XCH-RCD-001.cisco.com> <CANDGjyftAFwLgdzyd0xr2LDnwDTm-WO=BWmhWMioKHw4icA+rQ@mail.gmail.com>
In-Reply-To: <CANDGjyftAFwLgdzyd0xr2LDnwDTm-WO=BWmhWMioKHw4icA+rQ@mail.gmail.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.61.86.72]
Content-Type: multipart/alternative; boundary="_000_7ec1a3dc9bb942139dc70484f70f9e5dXCHRCD001ciscocom_"
MIME-Version: 1.0
X-Outbound-SMTP-Client: 173.37.102.11, xch-rcd-001.cisco.com
X-Outbound-Node: alln-core-7.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/JVB1psE6ZB6SVsL960Z4ni750Fg>
Subject: Re: [6tisch] WGLC for https://www.ietf.org/id/draft-ietf-6tisch-architecture-17.txt
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Dec 2018 12:51:24 -0000

Hello Mališa

Please see below ( I pushed the result in the repo, please let me know if we are OK now )

From: 6tisch <6tisch-bounces@ietf.org> On Behalf Of Mališa Vucinic
Sent: mercredi 12 décembre 2018 15:01
To: Pascal Thubert (pthubert) <pthubert@cisco.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>; 6tisch@ietf.org
Subject: Re: [6tisch] WGLC for https://www.ietf.org/id/draft-ietf-6tisch-architecture-17.txt

Hello Pascal,

Most of the resolutions to my comments look good. Couple of nits inline.

Mališa

[PT>] I think we need to define an entry for CoJP, similar to 6P. What about;

   CoJP (Constrained Join Protocol):  CoJP is a one-touch join protocol

               defined in the Minimal Security Framework for 6TiSCH

               [I-D.ietf-6tisch-minimal-security].  CoJP requires the

               distribution of preshared keys (PSK), and enables a node

               to join with a single round trip to the JRC via the JP.

How about:
CoJP (Constrained Join Protocol): CoJP enables a pledge to securely join a 6TiSCH network by distributing network parameters over a secure channel. CoJP is defined in the Minimal Security Framework for 6TiSCH [I-D.ietf-6tisch-minimal-security]. In the minimal setup with pre-shared keys defined in [I-D.ietf-6tisch-minimal-security], CoJP allows the pledge to join the network in a single round trip exchange.
[PT>]
The second sentence is extraneous, correct?
[PT>] what about

   CoJP (Constrained Join Protocol):  The Constrained Join Protocol
               (CoJP) enables a pledge to securely join a 6TiSCH network
               and obtain network parameters over a secure channel.  In
               the minimal setup with pre-shared keys defined in
               [I-D.ietf-6tisch-minimal-security], CoJP can operate with
               a single round trip exchange.

=====================================================
Section 3.1: 6TiSCH Stack

- add Constrained Join Protocol in the Figure above CoAP. Use “Constrained Join Protocol” instead of “Minimal Security Framework for 6TiSCH”.
- Description of DTLS seems as a remnant. I would stress OSCORE here as the primacy choice with DTLS also being an option for applications.
[PT>]
[PT>] This gives :



      +--------+--------+

      |  CoJP  | Applis |

      +--------+--------+--------------+-----+

      | CoAP / OSCORE   |  6LoWPAN ND  | RPL |

      +-----------------+--------------+-----+

      |       UDP       |      ICMPv6        |

      +-----------------+--------------------+

      |                 IPv6                 |

      +--------------------------------------+----------------------+

      |     6LoWPAN HC   /   6LoRH HC        | Scheduling Functions |

      +--------------------------------------+----------------------+

      |     6top (to be IEEE Std 802.15.12) inc. 6top protocol      |

      +-------------------------------------------------------------+

      |                 IEEE Std 802.15.4 TSCH                      |

      +-------------------------------------------------------------+

Nit: Swap Applis and CoJP to have control plane "kind of" on the left side :-).

[PT>] OK

Security Considerations in WIP-19:

   As detailed in Section 6, a pledge that wishes to join the 6TiSCH

   network must participate to a join process to obtain its security

   keys.

Nits: Replace "must participate to a join process" with "must trigger the join protocol".
[PT>]
OK, but  “must use” then. You do not trigger a protocol, you trigger its operation.


   The join process can be zero-touch and leverage ANIMA procedures, as

   detailed in the 6tisch Zero-Touch Secure Join protocol

   [I-D.ietf-6tisch-dtsecurity-zerotouch-join].

   Alternatively, the join process can be one-touch, in which case the

   pledge is provisioned with a preshared key (PSK), and uses CoJP as

   specified in [I-D.ietf-6tisch-minimal-security].

Proposal to replace the paragraph above with:

The join protocol used in 6TiSCH is Constrained Join Protocol (CoJP). In the minimal setting defined in [I-D.ietf-6tisch-minimal-security], the authentication is based on a pre-shared key, based on which a secure session is derived. CoJP exchange may also be preceded with a zero-touch handshake [I-D.ietf-6tisch-dtsecurity-zerotouch-join] in order to enable pledge joining based on certificates and/or inter-domain communication.

v2.23.0 | Report a Bug | By Email