IETF Logo Mail Archive

Re: [6tisch] [secdir] secdir review of draft-ietf-6tisch-architecture-21

Mališa Vučinić <malishav@gmail.com> Wed, 26 June 2019 10:03 UTC

Return-Path: <malishav@gmail.com>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9D0B6120276 for <6tisch@ietfa.amsl.com>; Wed, 26 Jun 2019 03:03:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.997
X-Spam-Level:
X-Spam-Status: No, score=-1.997 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_EXCESS_BASE64=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cMmu9LGOqmuv for <6tisch@ietfa.amsl.com>; Wed, 26 Jun 2019 03:03:21 -0700 (PDT)
Received: from mail-wr1-x42f.google.com (mail-wr1-x42f.google.com [IPv6:2a00:1450:4864:20::42f]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 538BB1201F8 for <6tisch@ietf.org>; Wed, 26 Jun 2019 03:03:21 -0700 (PDT)
Received: by mail-wr1-x42f.google.com with SMTP id d18so1999430wrs.5 for <6tisch@ietf.org>; Wed, 26 Jun 2019 03:03:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=f0uMW0Vqgn+cGWrQSrjeZ5gVk5DSQyTtBdmqkv5V9qk=; b=f9OiDL5q6TQCQ5xSKdFtneu00IK/Ql1c8fSBrnhcTpzFEkk/evyVQpI0+fbt15MBqv UPOvzP5ly2QUa0PcJ2NNwUtT/mXt3kuafGBpemSbdKCorPFXBWNV4cQdo59FRuf2MApb doKWTy+kn2DaPg+Whv8ce4CBaxNKGouXv5ftL9PxQmBnhCaWgRfWjZhfun7XCGN/Haab ElcHggMDNy4HyHnavVzkV6L7LpmOVwVB4/p9dKfB9iwgBP4b3XE4Tle5Kek/gb5A9kzo HqbfeAKc9ZM9QVSxDB0aDkrsHjQwKPOiA+W1Y8sOkv3pN2zrOBlOqAgqJmj5+mYhJAt4 fGjQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:subject:from:in-reply-to:date:cc :content-transfer-encoding:message-id:references:to; bh=f0uMW0Vqgn+cGWrQSrjeZ5gVk5DSQyTtBdmqkv5V9qk=; b=WAHjipsTWzG2H2Q7lUBKY+tc2NJL8iSem6/oxVaUXzKaNXVtYXfcv6FB+1XEA8TJ2Y 37fj2PIPtTlTlaNN4CTQBaDy6luK/ykYdkbnFlikyxW28ZI3eq03hWxyN6Xad3cCMgYJ /L9rPflDaNCATsaLI16JcV+EjAkcY67Qabl8qcR2d4wMNCOfkuJX6RrKgVYL/iM/yqC0 3Y3MakHo93l5/EFhi/zeF1ZbzjpqpKLPWj9YMtN/ZmEVG0L806NDu7OoaRWYgtxsb777 nZ9boNDmbhuimGHArrTlkQk0bzh1tEAWxSHTIhMXuGecN38lUrOXLv3Qtlb8ICOt8eJv 9RlA==
X-Gm-Message-State: APjAAAV2Nhm2ytW8toB+WlZLpEf3b6TOVup8eARBk1D8eNoU4XMDdrpe 4zxFOvkMCp6fS6xLePA95a0=
X-Google-Smtp-Source: APXvYqxT9IW9HfZJ6UPpBAlugSghg5stscN8albo/+DlikwzD8NOljbEM76yb89mnMO9G6PbiylXfw==
X-Received: by 2002:adf:efc8:: with SMTP id i8mr3032312wrp.220.1561543399690; Wed, 26 Jun 2019 03:03:19 -0700 (PDT)
Received: from [10.14.88.73] ([89.188.33.31]) by smtp.gmail.com with ESMTPSA id f2sm23172182wrq.48.2019.06.26.03.03.18 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 26 Jun 2019 03:03:19 -0700 (PDT)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Mališa Vučinić <malishav@gmail.com>
In-Reply-To: <28248.1561477015@localhost>
Date: Wed, 26 Jun 2019 12:03:17 +0200
Cc: "Pascal Thubert (pthubert)" <pthubert@cisco.com>, Tero Kivinen <kivinen@iki.fi>, "6tisch@ietf.org" <6tisch@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <7C7A7473-7266-4B09-BB41-79C871142BC9@gmail.com>
References: <2cced16c-d1df-88c2-eb21-7452b42f081a@mandelberg.org> <MN2PR11MB35651735463F27A247B4B0F0D8E00@MN2PR11MB3565.namprd11.prod.outlook.com> <23825.24715.882644.180316@fireball.acr.fi> <5229f400-076c-80e3-e0dc-a7cf3998abed@mandelberg.org> <MN2PR11MB35654D7658F0EEB05443F2ABD8E30@MN2PR11MB3565.namprd11.prod.outlook.com> <BYAPR11MB3558261B37E1E8FFFF4D8D27D8E30@BYAPR11MB3558.namprd11.prod.outlook.com> <62FC2528-9165-4E2E-89E5-6452D93030E0@gmail.com> <28248.1561477015@localhost>
To: Michael Richardson <mcr+ietf@sandelman.ca>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/L5TbLemsjkAzMrv20oeULsR8E94>
Subject: Re: [6tisch] [secdir] secdir review of draft-ietf-6tisch-architecture-21
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Jun 2019 10:03:24 -0000


> On 25 Jun 2019, at 17:36, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 
> Mališa Vučinić <malishav@gmail.com> wrote:
>> Instead, as with traditional TSCH, the joined node can obtain its time
>> information from its time source neighbor, i.e. RPL preferred parent,
>> by triggering an exchange of link-layer frames with L2 security
>> features enabled. The MSF draft already mandates that the first
>> outgoing message from the joined node after joining is the 6P ADD
>> message to its preferred parent, which consequently gets protected with
>> L2 security.
> 
> But, how can the L2-security work if the newly-joined node has an ancient
> ASN?  Won't the parent just drop the packet as being a replay, and then what?

Yes, so the node will desynchronize eventually, fall out of network and restart the join process, hopefully with a different network. 

>> What needs to be specified clearly is that this first 6P
>> exchange should not be encrypted but only authenticated at L2.
>> Upon successful completion of the first 6P exchange with its time (routing)
>> parent, the joined node obtains a negotiated cell and as a side effect
>> proves freshness of the ASN used.
> 
> I'd rather that we added a new exchange, rather than special casing some 6P
> interaction here.   An RPL DIS would be a better choice here, I think, with
> an RPL DAO unicast reply.  Still, I hate to special case this as being
> authenticated only.
> Doesn't that have to happen first?

Whatever packet we send here, be it DIS or 6P, they need to have special handling in terms of L2 security… Is DIS mandatory to send upon preferred parent selection?

> 
> Is the DIS unicast or multicast. Hmm.
> How do we put something unique in it that has to be replied to proving the
> freshness of the ASN against a reply attack.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email