Re: [6tisch] rekeying the 6TiSCH network

Don Sturek <d.sturek@att.net> Tue, 20 August 2019 20:16 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/NiV6Fbyuo8S59ERs6e_11ARXVE8>

On the rekeying topic for IEEE 802.15.4.

Have a look at IEEE 802.15.9.   It takes existing key establishment
protocols (IEEE 802.1x, etc.) and provides encapsulation over IEEE
802.15.4.  

IEEE 802.15.9 does not solve all of your rekey needs but the tools are
there when you agree on how you want rekeying to work.

Don 



On 8/20/19, 1:03 PM, "6tisch on behalf of Michael Richardson"
<6tisch-bounces@ietf.org on behalf of mcr+ietf@sandelman.ca> wrote:

>
>Pascal Thubert (pthubert) <pthubert@cisco.com> wrote:
>    > I'm looking for a consensus on how to address the following review
>    > comment on the 6TiSCH Architecture by Benjamin:
>
>    >> It would be good to see some architectural discussion about key
>    >> management for the link-layer keys.  (Given that 802.15.4 leaves key
>    >> management as out of scope, it is clearly our problem.)  Thus far I
>    >> don't even have a sense for when it is possible to rotate a network's
>    >> keys.
>
>    PT> I'll take that to a separate thread with Michael, Tero and Malisa. It
>    PT> is certainly possible to rotate keys. We had a draft about rekeying
>    PT> that went stale. We isolated cases where this is desirable in the
>    PT> discussion on the minimal security draft. I'm unclear how deep we
>    PT> need to go in this regards vs. what belongs to the minimal security
>    PT> specification.
>
>6tisch-minimal-security has a section 8.2 "Parameter Update Exchange"
>Maybe it should include "(and Rekey)"
>
>We further have section 8.4.3.1 and 8.4.3.2 to explain how to use that
>to rekey the entire network.
>
>I'm not sure what's in the Architecture document about this, but I'd
>rather that it just said less.
>
>--
>Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-