Re: [6tisch] [6tisch-security] proposed security text for architecture draft

Hi Pascal,

Can you please explain a use case where a JA has multiple LLN interfaces as I could find it in draft-ietf-6tisch-architecture?

If multiple LLN interfaces need to be supported, then I agree that link-local address solely does not work for a JN to communicate with a JCE via a JA using a relay or a RH or whatsoever.

Yoshihiro Ohba

-----Original Message-----
From: Pascal Thubert (pthubert) [mailto:pthubert@cisco.com] 
Sent: Saturday, November 15, 2014 3:25 AM
To: ohba yoshihiro(´óö ÁxÑó ¡ð£Ò£Ä£Ã¡õ£Î£Ó£Ì)
Cc: mcr+ietf@sandelman.ca; 6tisch@ietf.org; 6tisch-security@ietf.org
Subject: Re: [6tisch-security] [6tisch] proposed security text for architecture draft

Hello Yoshi:

Please see below and many thanks for all this 

Pascal
> Le 13 nov. 2014 ¨¤ 23:50, "yoshihiro.ohba@toshiba.co.jp" <yoshihiro.ohba@toshiba.co.jp> a ¨¦crit :
> 
> Here is main PANA use:
> 
> 1. Creating a PANA SA (based on EAP MSK) between JCE and JN where JCE is PAA, JN is PaC, and JA is PANA relay.
> (PANA relay is a stateless relay as described in RFC 6345, and no need 
> for loose source routing or ULA allocation.)

On this I respectfully disagree.

The IP address of the PaC is not sufficient information to identify the join bundle should there be more than one.

This is why RH usually carries ULA or global addresses, with the intention that the prefix indicates the next interface - to your earlier point.

But then in a ML subnetwork this is no help whatsoever since multiple interfaces may be on a same subnet.

This is where the ULA comes into play; hiding the network ID from untrusted lurkers and yet providing an unequivocal bundle ID.

Makes sense?

Pascal

> 
> 2. Using the SA to securely distribute locally significant credentials 
> such as a 802.11AR LDevID certificate or a network-wide shared 
> symmetric key, and I am not in favor of the latter though :)
> 
> For 1), existing RADIUS servers can be used if EAP server is a physically separated from PCE box where scalability is needed.  EAP-based approach can also support roaming cases where electric vehicles are authenticated via smart meters.
> 
> For 2) we can define new PANA attributes to carry RFC 4210 CertRequest and CertResponse defined by PKIX for distributing 802.11AR LDevID certificate.
> 
> I did not think to use PANA to carry CoAP messages. I think DTLS should be used for protecting CoAP for 6top as being discussed.  The DTLS session for CoAP can be established, e.g., by using the locally significant credentials distributed in 2).
> 
> Support for UIM card (via EAP-SIM, EAP-AKA or a new EAP method) would make 6tisch more attractive to cover  certain business scenarios.
> 
> Please note that I do not disagree with DTLS-based approach for more resource constrained device (although more work seems to be needed to carry DTLS message between JCE and JN via JA), but we should support multiple options if one solution is difficult to cover all cases.  
> 
> Best Regards,
> Yoshihiro Ohba
> 
> 
> -----Original Message-----
> From: 6tisch-security [mailto:6tisch-security-bounces@ietf.org] On 
> Behalf Of Michael Richardson
> Sent: Friday, November 14, 2014 3:12 PM
> To: ohba yoshihiro(´óö ÁxÑó ¡ð£Ò£Ä£Ã¡õ£Î£Ó£Ì)
> Cc: 6tisch@ietf.org; 6tisch-security@ietf.org
> Subject: Re: [6tisch-security] [6tisch] proposed security text for 
> architecture draft
> 
> 
> <yoshihiro.ohba@toshiba.co.jp> wrote:
>> Use of EAP-TLS and terminating TLS session at AAA server does not 
>> mean that all parameters have to be coming from AAA server.  
>> Especially when PANA is used, PAA can be co-located with JCE and 
>> provide 6top data over a secure PANA SA.  Actually this model applies to any EAP method.
> 
> So, we would be creating a masterkey with EAP-TLS, and then we would use PANA as a transport for CoAP?
> 
> I understand why we want to use EAP when we have devices with humans 
> at the far end;
> 1) it means the pieces in the middle do not need to know anything about the
>   kind of authentication will be done
> 
> 2) we can deploy new forms of authentication (such as challenge response
>   methods, and things like EAP-SIM or EAP-AKA) without changes to the middle
>   machines.
> 
> 3) we can proxy things all the way back to the users home service, which is 
>   how GSM roaming works these days.
> 
> I'm unaware that industrial/deterministic uses of 15.4 have requirements for ths kind of thing.  I seem to recall a conversation about whether or not including a SIM card into nodes would work from a power, size, and cost point of view.  Having a replaceable SIM card would definitely be a really easy way to imprint new devices.  If someone can do that, then we really don't need any of this... 
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  
> -= IPv6 IoT consulting =-
> 
> 
> 
> _______________________________________________
> 6tisch-security mailing list
> 6tisch-security@ietf.org
> https://www.ietf.org/mailman/listinfo/6tisch-security