IETF Logo Mail Archive

Re: [6tisch] 6tisch join requirements for 6top

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 18 November 2014 08:00 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28AE91A001D for <6tisch@ietfa.amsl.com>; Tue, 18 Nov 2014 00:00:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Level:
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_51=0.6, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bD8ICIOKveKS for <6tisch@ietfa.amsl.com>; Tue, 18 Nov 2014 00:00:26 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 556321A001E for <6tisch@ietf.org>; Tue, 18 Nov 2014 00:00:26 -0800 (PST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id DC7112009E; Tue, 18 Nov 2014 03:02:51 -0500 (EST)
Received: by sandelman.ca (Postfix, from userid 179) id 09298637F5; Tue, 18 Nov 2014 03:00:24 -0500 (EST)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id DD097637EA; Tue, 18 Nov 2014 03:00:24 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Xavier Vilajosana <xvilajosana@eecs.berkeley.edu>
In-Reply-To: <CAMsDxWSzGFUk=3Z7E7=1w81bhxv=pwKdsj1-a2mcr77HOw4_2g@mail.gmail.com>
References: <D0876D12.C03C%rsudhaak@cisco.com> <32412.1415737868@sandelman.ca> <D087B62D.C081%rsudhaak@cisco.com> <10653.1415740821@sandelman.ca> <CADJ9OA_LFkGDuyG_0bf=07d7cvC9FNRr5cMGTmYw2PR=g9XQHA@mail.gmail.com> <8193.1416253349@sandelman.ca> <CAMsDxWSzGFUk=3Z7E7=1w81bhxv=pwKdsj1-a2mcr77HOw4_2g@mail.gmail.com>
X-Mailer: MH-E 8.2; nmh 1.3-dev; GNU Emacs 23.4.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha1"; protocol="application/pgp-signature"
Date: Tue, 18 Nov 2014 03:00:24 -0500
Message-ID: <12297.1416297624@sandelman.ca>
Sender: mcr@sandelman.ca
Archived-At: http://mailarchive.ietf.org/arch/msg/6tisch/UQZRClBGFKOBDOmsve-0XI2fKMo
Cc: "Raghuram Sudhaakar (rsudhaak)" <rsudhaak@cisco.com>, "6tisch@ietf.org" <6tisch@ietf.org>, Robert Moskowitz <rgm@htt-consult.com>, Tero Kivinen <kivinen@iki.fi>
Subject: Re: [6tisch] 6tisch join requirements for 6top
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Nov 2014 08:00:30 -0000

Xavier Vilajosana <xvilajosana@eecs.berkeley.edu> wrote:
    > I think part of these should go to the 6top interface expressed in YANG
    > model. Here some comments inline.

Yes, that was my intention.

  mcr> joining node interface:
  mcr> 1) an enum (registry) saying what kind of network security is to be used.
  mcr> a) NO_SECURITY = 0
  mcr> b) network-wide MIC/key, to be used directly.
  mcr> c) a network-wide "PSK", to be used with 802.15.9 mode DTLS (DHE_PSK),
  mcr> unclear to me how broadcast/multicasts are keyed,I hope to read
  mcr> the 15.9 documents.
  mcr> d) a network-wide "PSK", to be used with 802.15.9 mode IKEv2
  mcr> (Shared key message integrity code. ditto about broadcast)
  mcr> f) a PK method: to be used with 802.15.9 mode DTLS (ECDSA),
  mcr> g) a PK method: to be used with 802.15.9 mode IKEv2 (ECDSA)
  mcr> I thought that 7296 would have rolled in the signature-auth work.
  mcr> I want to specify the ECDSA authentication methods.
  mcr> h) ditto above, s/IKEv2/HIP/
  mcr> i) perhaps a code for using draft-piro-6tisch-security-issues-02
  mcr> -- I'm unclear how MLE works at this point.

    > That's easy, a placeholder for that option can be added to the YANG model.
    > Is this an option that can be set and read right?

Yes, R/W.

  mcr> 2) a space for an ECDSA PKIX certificate.  from 6top's point of view, this
  mcr> is
  mcr> around 300 opaque bytes.  We should be transfering DER, not base64
  mcr> encoded
  mcr> certificates!

    > Is this read only or read/write, write-once? .. Should be exposed so it is
    > queried/modified or is something static that will never change (except for
    > the first time)?

It could be read for diagnostics and management, but it's mostly write.  


  mcr> 3) a way to indicate if (2) replaces the devices' IDevID, or if it is in
  mcr> fact
  mcr> the LDevID.   From a RESTful point of view, it would be best if a POST
  mcr> to (2) returned the URI of the new certificate. It could be a FIFO
  mcr> (so the oldest certificate gets silently dropped), or it could be an
  mcr> error
  mcr> if the device is full.
  mcr> That same RESTful view would then want to get a list of certificates,
  mcr> with the IDevID one being listed, and one could delete it explicitely.

    > ok this can be done too.

Good.


  mcr> 4) for the PSK methods, a place to put the PSK. An opaque space of around
  mcr> 128 ytes. Again, we should return a URI, and be able to list them.
  mcr> we might not want to support GET on this resource.

    > idem as before. in YANG we define the placeholder and the access
    > method.

  mcr> 5) the PANID of the production network

    > the PANID is part of the 15.4 PIB. It should be exposed by 6top.

Good, no need to duplicate.


  mcr> 6) "GO" flag.
  mcr> A way to tell the device that provisioning is over, and it should
  mcr> probably restart and join the real network with the real credentials.

    > This is the joining/security state. We may think on a state machine (only
    > Go and Configuring options?)

Yes, we likely need to define a state machine; I'm suggesting that this is
just an input to that.

  mcr> ======= Join Assistant

  mcr> 7) a toggle which enables a node to become a join assistant.
  mcr> This might return an error if the node is incapable or unwilling to do
  mcr> that.

    > Ok, this seems a capability indicator. Could this be a bitmap so we can
    > flag multiple capabilites?

Are you suggesting that the ability to be a Join Assistant is in a separate
capabilities resource?

  mcr> 8) a ULA to use to announce in the RA for joining nodes.  So
  mcr> 128bits+prefixlen.  A device with multiple interfaces should configure
  mcr> different 64-bit prefixes.

    > How this ULA is build? could it be build/defined using 6top information? or
    > it is a completely new element?

I think that the JCE determines it.  Pascal has the notion that it needs to
be unique per Join Assistant, I'm not yet convinced one way or another, but I
suggest that the JCE assign it.

  mcr> 9) some details about the enhanced beacon the join ssistant should transmit,
  mcr> which I am not qualified to specify.
  mcr> 10) the well-known beacon key to use for the join network. (Defaulting to
  mcr> "6TISCHJOIN")

    > Ok this requires space in the yang model to store the well-known key.

Yes.


  mcr> 11) the address of the JCE, for the ACL about who can contact joining nodes.

    > Ok this is a L3 "important" address dictionary that a node should keep. Is
    > this the only address we need to know? PCE? other services in the network?

It's all that is necessary as part of becoming a Join Assistant.

-- 
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email