IETF Logo Mail Archive

Re: [6tisch] [secdir] secdir review of draft-ietf-6tisch-architecture-21

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Thu, 27 June 2019 09:53 UTC

Return-Path: <pthubert@cisco.com>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 486D21200E7 for <6tisch@ietfa.amsl.com>; Thu, 27 Jun 2019 02:53:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=WVnf9fy4; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=IqEvP9wW
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LzmFE51XOErw for <6tisch@ietfa.amsl.com>; Thu, 27 Jun 2019 02:53:42 -0700 (PDT)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 25C9F1200B8 for <6tisch@ietf.org>; Thu, 27 Jun 2019 02:53:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5428; q=dns/txt; s=iport; t=1561629222; x=1562838822; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=YQU0Jl/KUrkuCHRICi+0OhLTGXTNvklfZo27t9Mbh4I=; b=WVnf9fy4WFW+POINl7Gj5eYW4G3toLZs/8w0ecykvP03oyJLnk8Qtdya AeK4mx5ld4DJj63H28BobettNfvi0Dia5RNjluHBabF8hH1vE4MhXuJXI Xm1WGWJ8Ne1XMHYYtOnON4KJKBaHjbqcgJ8VyKXv2kIaJXH5Bk/jPgE8T 4=;
IronPort-PHdr: 9a23:vlu5ehWv6EIlJ1u7rS28uaMbpbbV8LGuZFwc94YnhrRSc6+q45XlOgnF6O5wiEPSA9yJ8OpK3uzRta2oGXcN55qMqjgjSNRNTFdE7KdehAk8GIiAAEz/IuTtankiAMRfXlJ/41mwMFNeH4D1YFiB6nA=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0ATAADjkBRd/5xdJa1kGgEBAQEBAgEBAQEHAgEBAQGBVQMBAQEBCwGBQyknA2pVIAQLKIQZg0cDjlyCW4lLjXSBLoEkA1QJAQEBDAEBHw4CAQGBS4J1AheCaCM2Bw4BAwEBBAEBAgEFbYo3DIVKAQEBBBIREQwBATcBCwQCAQgRAQMBAQECAiYCAgIfERUCBggCBAENBQgTB4I1TIFqAx0BAppJAoE4iGBxgTKCeQEBBYUIDQuCEQmBDCgBhHGEJIIsHReBQD+BEUaBTn4+ghqCLIMIMoImjl6bDT8JAoIXkASEDJdejSmJKI12AgQCBAUCDgEBBYFXAi+BWHAVgycJgjiDHVSKU3KBKYszK4IlAQE
X-IronPort-AV: E=Sophos;i="5.63,423,1557187200"; d="scan'208";a="578517074"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by rcdn-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 27 Jun 2019 09:53:40 +0000
Received: from XCH-RCD-008.cisco.com (xch-rcd-008.cisco.com [173.37.102.18]) by rcdn-core-5.cisco.com (8.15.2/8.15.2) with ESMTPS id x5R9resV001547 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 27 Jun 2019 09:53:40 GMT
Received: from xhs-aln-001.cisco.com (173.37.135.118) by XCH-RCD-008.cisco.com (173.37.102.18) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 27 Jun 2019 04:53:40 -0500
Received: from xhs-rcd-001.cisco.com (173.37.227.246) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 27 Jun 2019 04:53:39 -0500
Received: from NAM05-BY2-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-001.cisco.com (173.37.227.246) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Thu, 27 Jun 2019 04:53:39 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=YQU0Jl/KUrkuCHRICi+0OhLTGXTNvklfZo27t9Mbh4I=; b=IqEvP9wWH3nGsWGJs5g1POL28VtNz2suZftZrWMfJq8iKw1Kfe9V6YD3bejLOtTtq/8+1WtdxKl+JBrPgWSTIQ4KpUB/43o2RFG1jnl0yvCgwDYsbIQEFUGve9WRLdwTKFOgvnwTbP+6tNsQb9jF4fFFz6aA69pdqu6LjTf31MI=
Received: from MN2PR11MB3565.namprd11.prod.outlook.com (20.178.250.159) by MN2PR11MB4046.namprd11.prod.outlook.com (20.179.149.156) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2008.16; Thu, 27 Jun 2019 09:53:38 +0000
Received: from MN2PR11MB3565.namprd11.prod.outlook.com ([fe80::1ce9:1582:146c:c50a]) by MN2PR11MB3565.namprd11.prod.outlook.com ([fe80::1ce9:1582:146c:c50a%6]) with mapi id 15.20.2008.018; Thu, 27 Jun 2019 09:53:38 +0000
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Mališa Vučinić <malishav@gmail.com>
CC: "6tisch@ietf.org" <6tisch@ietf.org>, Tero Kivinen <kivinen@iki.fi>
Thread-Topic: [6tisch] [secdir] secdir review of draft-ietf-6tisch-architecture-21
Thread-Index: AQHVKitVZAMqDsUZHEuS/CYS/vDUhKaqVH6wgAEk6YCAAAywAIAAbXDggAACzzCAAI0ZqoABNPqAgABgmgCAAR/2UA==
Date: Thu, 27 Jun 2019 09:53:28 +0000
Deferred-Delivery: Thu, 27 Jun 2019 09:08:10 +0000
Message-ID: <MN2PR11MB356596FED088A56533857022D8FD0@MN2PR11MB3565.namprd11.prod.outlook.com>
References: <2cced16c-d1df-88c2-eb21-7452b42f081a@mandelberg.org> <MN2PR11MB35651735463F27A247B4B0F0D8E00@MN2PR11MB3565.namprd11.prod.outlook.com> <23825.24715.882644.180316@fireball.acr.fi> <5229f400-076c-80e3-e0dc-a7cf3998abed@mandelberg.org> <MN2PR11MB35654D7658F0EEB05443F2ABD8E30@MN2PR11MB3565.namprd11.prod.outlook.com> <BYAPR11MB3558261B37E1E8FFFF4D8D27D8E30@BYAPR11MB3558.namprd11.prod.outlook.com> <62FC2528-9165-4E2E-89E5-6452D93030E0@gmail.com> <28248.1561477015@localhost> <7C7A7473-7266-4B09-BB41-79C871142BC9@gmail.com> <15836.1561564142@localhost>
In-Reply-To: <15836.1561564142@localhost>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=pthubert@cisco.com;
x-originating-ip: [2001:420:c0c0:1006::89]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 1b108385-469d-4f07-6b2c-08d6fae5540f
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:MN2PR11MB4046;
x-ms-traffictypediagnostic: MN2PR11MB4046:
x-ms-exchange-purlcount: 1
x-microsoft-antispam-prvs: <MN2PR11MB40461CDA6FEC3F655FF0991ED8FD0@MN2PR11MB4046.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 008184426E
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(39860400002)(376002)(136003)(366004)(346002)(13464003)(199004)(51444003)(189003)(14444005)(33656002)(4326008)(25786009)(55016002)(46003)(68736007)(9686003)(256004)(53936002)(446003)(486006)(229853002)(11346002)(476003)(66574012)(76116006)(6306002)(7736002)(478600001)(71200400001)(7696005)(6246003)(64756008)(102836004)(6666004)(52536014)(2906002)(8676002)(305945005)(73956011)(66556008)(14454004)(54906003)(53546011)(74316002)(110136005)(66476007)(966005)(71190400001)(8936002)(316002)(81166006)(81156014)(6116002)(6436002)(6506007)(5660300002)(86362001)(66446008)(99286004)(186003)(66946007)(76176011); DIR:OUT; SFP:1101; SCL:1; SRVR:MN2PR11MB4046; H:MN2PR11MB3565.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: OVPzX/C3mrdf7QAilmJhW+/g7Dgrb1EjAXW2GxBh8CcejnWKekkW+SitoGWA/h2h8bOvwfQRrWd6kWJmIZlVo7cVIk3M7IB+HNcMGB5JtxtDUfTwO/sNx33h9sjnThc0PZF2yFKQ8jYPNZYO8weZtZjapCov1LbYxF0uQLS9rzHqX991qeA61F9hzzrhfg349x44dhA7Es8gcTZ7yMmbsg13ClYK1wC+QUWBFnSdtNy53atraingnX6ClZsjyZypcEmq74HQAlV6zQVZYr4u6lB7XTkylXkoy+D49m5RUbam0b3q/IzgEXPtnwJ6aPArm+IFxhAKxwOF3TGp8AvM3qS9nRQjSjlSsU2RLnUtua0qjUi7hpO/84aY9YFyouG/z+UnZes2KU4SY53qdzawEq9KgzS+9cwM6Ivf8Ca+1Wg=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 1b108385-469d-4f07-6b2c-08d6fae5540f
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Jun 2019 09:53:38.3365 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: pthubert@cisco.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4046
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.18, xch-rcd-008.cisco.com
X-Outbound-Node: rcdn-core-5.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/VhHnE37O5MoWPv_gBzgIU5XV4UU>
Subject: Re: [6tisch] [secdir] secdir review of draft-ietf-6tisch-architecture-21
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jun 2019 09:53:44 -0000

Hello Michael

Both ASN and sync create event horizons.
* A wrong ASN will cause MIC processing to fail and the packet will be ignored.
* If an attacker syncs a pledge outside of the network sync's beyond guard time, the pledge will not even see that legitimate nodes are sending.

In both cases, a node that believes an attacker has no way to validate ASN right there. It needs an additional one-hop authenticated exchange with a legitimate node with a, e.g., random nonce in payload. Some people will want that step even if the window is narrow. I think we should describe it in archie and in minimal sec.

6P or MSF could be used for that purpose when present but cannot be the only way since they are optional.

All the best,

Pascal

> -----Original Message-----
> From: 6tisch <6tisch-bounces@ietf.org> On Behalf Of Michael Richardson
> Sent: mercredi 26 juin 2019 17:49
> To: =?utf-8?B?TWFsacWhYSBWdcSNaW5pxIc=?= <malishav@gmail.com>
> Cc: Pascal Thubert (pthubert) <pthubert@cisco.com>; 6tisch@ietf.org; Tero
> Kivinen <kivinen@iki.fi>
> Subject: Re: [6tisch] [secdir] secdir review of draft-ietf-6tisch-architecture-21
> 
> 
> Mališa Vučinić <malishav@gmail.com> wrote:
>     >> Mališa Vučinić <malishav@gmail.com> wrote:
>     >>> Instead, as with traditional TSCH, the joined node can obtain its time
>     >>> information from its time source neighbor, i.e. RPL preferred parent,
>     >>> by triggering an exchange of link-layer frames with L2 security
>     >>> features enabled. The MSF draft already mandates that the first
>     >>> outgoing message from the joined node after joining is the 6P ADD
>     >>> message to its preferred parent, which consequently gets protected
> with
>     >>> L2 security.
>     >>
>     >> But, how can the L2-security work if the newly-joined node has an
> ancient
>     >> ASN?  Won't the parent just drop the packet as being a replay, and then
> what?
> 
>     > Yes, so the node will desynchronize eventually, fall out of network and
>     > restart the join process, hopefully with a different network.
> 
> hmm.   Or, it sees a new beacon, which it can integrity check, and then sees
> the ASN jump forward.  This would be the same as if it had slept for awhile.
> 
> Unless the attacker can continuously *block* the node from seeing the latest
> beacons, and continuously feeds it old beacons, the problem should go away.
> 
> So maybe this is really not as a big a deal as I thought.
> 
>     >>> What needs to be specified clearly is that this first 6P
>     >>> exchange should not be encrypted but only authenticated at L2.
>     >>> Upon successful completion of the first 6P exchange with its time
> (routing)
>     >>> parent, the joined node obtains a negotiated cell and as a side effect
>     >>> proves freshness of the ASN used.
>     >>
>     >> I'd rather that we added a new exchange, rather than special casing some
> 6P
>     >> interaction here.   An RPL DIS would be a better choice here, I think, with
>     >> an RPL DAO unicast reply.  Still, I hate to special case this as being
>     >> authenticated only.
>     >> Doesn't that have to happen first?
> 
>     > Whatever packet we send here, be it DIS or 6P, they need to have
>     > special handling in terms of L2 security… Is DIS mandatory to send upon
>     > preferred parent selection?
> 
> I think that we can do nothing.
> 
> Maybe the replayed beacon attack (and solution: wait for another beacon)
> belongs in the Security Considerations of the Architecture.
> 
> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
> 
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -
> = IPv6 IoT consulting =-
> 
>

v2.23.0 | Report a Bug | By Email