IETF Logo Mail Archive

Re: [6tisch] differential security for CoAP resources

Thomas Watteyne <watteyne@eecs.berkeley.edu> Thu, 07 May 2015 13:46 UTC

Return-Path: <twatteyne@gmail.com>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D9D2A1A896D for <6tisch@ietfa.amsl.com>; Thu, 7 May 2015 06:46:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.277
X-Spam-Level:
X-Spam-Status: No, score=-1.277 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ES7luOCvtF4Z for <6tisch@ietfa.amsl.com>; Thu, 7 May 2015 06:46:22 -0700 (PDT)
Received: from mail-wi0-x22b.google.com (mail-wi0-x22b.google.com [IPv6:2a00:1450:400c:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 849C31A87D4 for <6tisch@ietf.org>; Thu, 7 May 2015 06:46:21 -0700 (PDT)
Received: by widdi4 with SMTP id di4so60552052wid.0 for <6tisch@ietf.org>; Thu, 07 May 2015 06:46:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:content-type; bh=yaCBbtmwgOy4hNGBU1062gxbWpSH2RSsQY7YlR30EtM=; b=DpJMYTzsHmtFFL3JF1CQfO6KBmWJggurWayCPz1i3+20QfiQUKKGcLKxpUDq307Cob h7yD5rY5mKVukUAnWXZdbq2E3ga/plOl3a0lr+R9MaOoY2mbILs68Grt2BOd7RjoFwNF 0PHvJhE/4FTTnDkqJCTfMwT/kV5wPOk45xRZ6wbPFPp8vLiN7cf0I93qNIK0xmnShqaO FDPEto4PvNEXr07LJKUOqNGoC87oiYsKCXirokaJZ4sP1WVEO2p5xbKIEyzbSIZNWIPV FqSzbgCgGZx4fPSmk2IzDb87+Sb37gf/7PeJH0VR5d8aW2n9q5MO4U00FVdL7eD/sBcv avTA==
X-Received: by 10.180.216.103 with SMTP id op7mr6786284wic.90.1431006380313; Thu, 07 May 2015 06:46:20 -0700 (PDT)
MIME-Version: 1.0
Sender: twatteyne@gmail.com
Received: by 10.28.57.133 with HTTP; Thu, 7 May 2015 06:45:59 -0700 (PDT)
In-Reply-To: <ACA1D97F-BFAC-4296-A959-45CE40A8E447@imag.fr>
References: <554AB31A.6030200@berkeley.edu> <ACA1D97F-BFAC-4296-A959-45CE40A8E447@imag.fr>
From: Thomas Watteyne <watteyne@eecs.berkeley.edu>
Date: Thu, 07 May 2015 15:45:59 +0200
X-Google-Sender-Auth: 6fpXu83J77JokKdEw2aSHDe9uO0
Message-ID: <CADJ9OA_TbHhAWpM5_-RBCMu2NwM+O-OQqKzgfomTM9LyLzncbw@mail.gmail.com>
To: "6tisch@ietf.org" <6tisch@ietf.org>
Content-Type: multipart/alternative; boundary="001a1134d092f854cd05157e228c"
Archived-At: <http://mailarchive.ietf.org/arch/msg/6tisch/P41TWQRrLpvrFBYWwE8QPOpjji0>
Subject: Re: [6tisch] differential security for CoAP resources
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 May 2015 13:46:25 -0000

Kris,

You're asking the right questions...

To keep 6TiSCH focused, we chose to "outsource" all centralized management
to CoMI/CoAP, and focus on the data model.
The assumption here is that everything you describe (for the centralized
case) is handled by CoAP's security mechanism.
The authorization aspect being currently handled by ACE.
Unfortunately, I haven't been following the ACE work closely.
Can anyone shine a light on whether ACE is handling all of Kris' concerns?

For the distributed CoAPIE case,
https://tools.ietf.org/html/draft-wang-6tisch-6top-coapie-00 doesn't focus
on security (it's a -00). IMO, there are two options:
- we consider CoAPIE security to be part of L2 security. That is, a
network-wide PSK, or neighbor-by-neighbor keys installed by the JCE
- the CoAPIE also encapsulates the DTLS record. Packet will be (much)
bigger, and neighbor-to-neighbor authentication would be needed.

Thomas

On Thu, May 7, 2015 at 9:29 AM, Mališa Vučinić <Malisa.Vucinic@imag.fr>
wrote:

> Kris,
>
> Some comments inline.
>
> Regards,
> Mališa Vučinić
>
> On 06 May 2015, at 17:34, Kris Pister <ksjp@berkeley.edu> wrote:
>
> Mote M has a number of CoAP resources, including temperature and light
> sensors
> coap://M/S/T and /S/L
> as well as 6top resources such as slotframes and cells
> /6t/6/sf1 and /6t/4/c12_14      (I don't actually know the format).
>
> I might want to allow anyone (host A) on the internet to access the
> temperature, /S/T,
> but only a select few to access anything in /6t.  Maybe some with READ (L2
> neighbors, B),
> maybe only one with DELETE (e.g. the PCE, C).
>
> Today the assumption is that we will have a DTLS session to protect these
> resources.
> Some problems that I see:
> What is the mechanism that the mote uses to differentiate between A, B,
> and C?
> Let's assume that the hand-off between the DTLS module and the CoAP module
> tells CoAP if the packet was properly encrypted (vs. the hand-off from
> UDP).  My
> mote needs some sort of table that binds resources to security
> requirements.  That
> takes care of host A asking for temperature (OK) vs. slotframe info (not
> allowed if
> not protected with DTLS).
>
> But how does the mote differentiate between a READ and a DELETE from mote B
> or C?  Both will be encrypting their requests with DTLS.  Does the mote
> need a
> table of hosts, each with a list of resources, each resource with a 4 bit
> flag of
> permissions?
>
>
> If we want to avoid additional packet exchanges with JCE, I believe it is
> necessary to locally keep such a table. We could for instance optimize this
> with some sort of .htaccess for 6top.
>
> However, I am a bit skeptical of having DTLS sessions with both B and C,
> where B can be the set of all the radio neighbors of the mote. Consider
> that DTLS handshake exchanges 10+ packets and for instance in tinyDTLS
> implementation, each session occupies around 400B of RAM. This session
> overhead is certainly necessary with PCE and JCE but I am not sure if it’d
> be wise to do it for each radio neighbor.
>
>
> And what about OTF, where we will be sending CoAP packets as MLME IEs
> protected
> at layer2?
>
> I know that ACE is working on this, and I'm trying to understand the three
> competing
> solutions and their impact on 6TiSCH.  No matter what they do, it won't
> completely
> solve the OTF/coapIE problem.
>
>
> I agree - this is very specific to 6TiSCH and I don’t really see how we
> could leverage [1] / DTLS to differentiate OTF CoAP exchanges within the
> IEs. Outside of ACE, I noticed some work around COSE (CBOR Object Signing
> and Encryption) [2] that should provide an optimized cryptographic format
> which 6TiSCH could use at any layer (generic formats for encryption, MIC,
> signature). IEs carrying CoAP could therefore have the CoAP payload
> encrypted/authenticated/replay-protected with COSE and by managing
> different keys we could differentiate the access to different resources.
> [3] in fact specifies how a generic crypto format such as COSE could be
> used to also encrypt/authenticate parts of the CoAP header.
>
> [1] https://tools.ietf.org/html/draft-gerdes-ace-dcaf-authorize-02
> [2] http://www.ietf.org/mail-archive/web/cose/current/maillist.html
> [3] https://tools.ietf.org/html/draft-selander-ace-object-security-01
>
>
>
>
> _______________________________________________
> 6tisch mailing list
> 6tisch@ietf.org
> https://www.ietf.org/mailman/listinfo/6tisch
>
>

v2.23.0 | Report a Bug | By Email