[6tisch] FW: [secdir] secdir review of draft-ietf-6tisch-architecture-21

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Tue, 25 June 2019 07:30 UTC

From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Mališa Vučinić <malisav@ac.me>
CC: "6tisch@ietf.org" <6tisch@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/XXoPQGiWJIbnrn6sXkTLshbyBmw>

Hello Malisa:

I went through the security section of minimal-security and found that the text below would be useful there too. Alternatively, a pointer to the security section of the architecture would do once I incorporate some of the below.
(Though I thought it did at a time) minimal-security does not indicate that the JRC should be aware of the network ASN to enable the protection that Tero is discussing below, does it?

All the best,

Pascal



> -----Original Message-----
> From: David Mandelberg <david@mandelberg.org>
> Sent: mardi 25 juin 2019 02:31
> To: Tero Kivinen <kivinen@iki.fi>; Pascal Thubert (pthubert) 
> <pthubert@cisco.com>
> Cc: secdir@ietf.org; iesg@ietf.org; 
> draft-ietf-6tisch-architecture.all@ietf.org;
> Thomas Watteyne <thomas.watteyne@inria.fr>; Michael Richardson 
> <mcr+ietf@sandelman.ca>; Mališa Vučinić <malisav@ac.me>
> Subject: Re: [secdir] secdir review of 
> draft-ietf-6tisch-architecture-21
> 
> 
> 
> On 6/24/19 7:45 PM, Tero Kivinen wrote:
> > Pascal Thubert (pthubert) writes:
> >> Hello David:
> >>
> >> Many thanks for your review. I do hope that you found it interesting.
> >>
> >>> Sections 4.2.1 and 4.3.4 talk about the security of joining a 
> >>> network, and time synchronization, respectively. Do any of the 
> >>> security mechanisms in 4.2.1 rely on having an accurate clock?
> >>> (E.g., to distrust old/expired keys.) Is time synchronization done 
> >>> before the join process, and is there any way to exploit time 
> >>> synchronization in order to cause a node to join a malicious 
> >>> network?
> >>
> >> This is really a MAC layer question for IEEE. I'm cc'ing Thomas who 
> >> was one of the inventors of TSCH, as well as Michael and Malisa who 
> >> led the join process study.
> >>
> >> Time synchronization (date):
> >> --------------------------------------
> >> For all I know, the time sync is about giving an epoch time from 
> >> which an Absolute Slot Number (ASN, expressed in slot duration, 
> >> e.g., 10ms) is derived. ASN plays a key role as it is used in NONCE. An 
> >> attack that one could think of would be to fool the new node into 
> >> thinking that ASN is earlier. This could happen before the keys are 
> >> exchanged, or if an authorized peer is compromised. For the former, 
> >> I'll defer to the others to answer fully how we protect the new 
> >> comer. For the latter, 6TiSCH provides an additional protection 
> >> since we derive time from a RPL parent. RPL has its own 
> >> protections, some of them in the standard itself, some of them in 
> >> zerotrust papers that need publishing.
> >
> > In normal TSCH in 802.15.4 the joining node will listen to beacons 
> > sent by the nodes already part of the network, and they will find 
> > out the ASN from there. As they do not yet have keys for the network 
> > they cannot verify the message integrity code authenticating the 
> > beacon, and even if they did have the keys, they still cannot verify 
> > it as it could be replayed by an attacker.
> >
> > After they find out the ASN, they need to authenticate themselves to 
> > the network using some mechanism outside 802.15.4. This 
> > authentication step must be such that it cannot be replayed by 
> > an attacker, i.e., they must not trust ASN giving them any protection.
> >
> > Note that in general 802.15.4 TSCH DOES NOT provide replay 
> > protection at all. I.e., an attacker can cause a legitimate node to 
> > retransmit its previous message by destroying the ack, and the upper layer 
> > protocol must provide a way to detect replays and cope with them.
> >
> > During the authentication the JRC needs to provide the keying 
> > material to the joining node, but that does NOT provide protection 
> > against spoofed ASN. After the node has actual keys used in the 
> > network it still needs to verify the ASN by sending some message to 
> > JRC using authentication and verify that JRC replies to that.
> >
> > If this 2nd step is omitted, an attacker can do the following attack:
> >
> > Joining node (JN)   attacker                  JRC
> >                     <- beacon for ASN=23      <- beacon for ASN=44
> > See beacon
> > from attacker,
> > assume ASN=23.
> >
> > Auth->JRC
> > (no security)                                 Check authentication
> >                                               Return keys
> >                                               keys->JN
> >
> > Receive keys
> > send first
> > frame using
> > keys using ASN=23->
> >
> >
> > Now, if JN is using the extended address to generate the nonce, the nonce 
> > will be different from all other nonces ever used, even if the ASN is 
> > faked and has been used before. On the other hand, if JN also 
> > receives a short address assignment from the JRC, the JRC needs to make 
> > sure that the short address has not been assigned to anybody else 
> > before, because if it was used by someone else, and the frame sent by JN is 
> > encrypted, then the attacker will now have two packets with the same ASN 
> > and short address, meaning the same nonce, and it can now decrypt packets.
> 
> Is this discussion of nonce reuse in any relevant documents already, 
> or is it something that should be added somewhere?
> 
> > Note that the attacker might be able to replay valid ACKs for the frame 
> > sent by the JN, provided that the JRC (or whoever JN sent the 
> > message to) happened to ack a message using the same ASN the attacker 
> > faked for JN.
> >
> > If JN sends a message to the JRC which only the JRC can reply to, and uses 
> > the wrong ASN, the JRC will not be able to decrypt/validate that frame 
> > because of the wrong ASN in the nonce, and will drop it silently, so if JN 
> > uses the wrong ASN it might be getting ACKs, but it will not get any real 
> > reply frames back from real participants in the network. After it 
> > does not receive confirmation from the JRC that it has proper keys and 
> > ASN, it knows something went wrong.
> >
> >
> >> Time syntonization (precise tic, hourless)
> >> --------------------------------------------------------
> >> This is the process whereby a node corrects its tic to realign with 
> >> the parent. ASN is not changed but the drift of crystals is 
> >> compensated. An attacker could try to inject a sense of time that 
> >> is slightly shifted to the point that the node loses sync with the 
> >> rest of the network (the guard time is like an event horizon). Then 
> >> again, RPL provides an additional protection on top of the MAC provisions.
> >
> > Those time synchronization IEs are also protected by MAC level 
> > authentication, so attackers who do not know the keys cannot 
> > generate them. Attackers who do know keys can do whatever they like anyways...
> >
> > Btw, I will be leaving for vacation tomorrow, so I might not be able 
> > to reply to any messages related to this until I get back at the end of 
> > next week.
> >
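
The two protections discussed in the quoted thread (the JRC never reassigning a short address under the same key, and the joining node trusting its ASN only after the JRC answers an authenticated frame), modelled as an added example that is not part of the original messages. Assumptions: the nonce is modelled as an 8-byte source address field followed by the 5-byte ASN with short addresses zero-padded, a truncated HMAC stands in for the CCM* MIC, and the `Jrc` class, function names and sample addresses are hypothetical.

```python
import hashlib
import hmac

def tsch_nonce(src_addr: bytes, asn: int) -> bytes:
    """13-byte nonce model: 8-byte source address field + 5-byte ASN.
    Short (2-byte) addresses are zero-padded here, a simplification of
    the layout the standard uses."""
    return src_addr.rjust(8, b"\x00") + asn.to_bytes(5, "big")

def frame_mic(key: bytes, src_addr: bytes, asn: int, payload: bytes) -> bytes:
    # Stand-in for the CCM* MIC (assumption): truncated HMAC over nonce+payload.
    msg = tsch_nonce(src_addr, asn) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]

class Jrc:
    """Hypothetical JRC state: network key, true ASN, address ledger."""
    def __init__(self, key: bytes, asn: int):
        self.key, self.asn = key, asn
        self.ever_assigned = set()  # short addresses handed out under this key

    def assign_short(self, short_addr: bytes) -> bytes:
        # A reused short address lets (address, ASN) repeat when a joiner
        # was fed an old ASN, which means a repeated nonce. Refuse it.
        if short_addr in self.ever_assigned:
            raise ValueError("short address already used under this key")
        self.ever_assigned.add(short_addr)
        return short_addr

    def confirm(self, src_addr: bytes, payload: bytes, mic: bytes) -> bool:
        # The ASN is not read from the frame: the JRC validates with its
        # own ASN, so a frame built on a spoofed ASN fails and gets no reply.
        expected = frame_mic(self.key, src_addr, self.asn, payload)
        return hmac.compare_digest(expected, mic)

def joiner_asn_confirmed(jrc: Jrc, key: bytes, src_addr: bytes,
                         believed_asn: int) -> bool:
    """Second step from the thread: send an authenticated frame and accept
    the ASN only if the JRC validates it and replies."""
    payload = b"asn-check"
    mic = frame_mic(key, src_addr, believed_asn, payload)
    return jrc.confirm(src_addr, payload, mic)

# Constructed sample values following the thread's diagram (ASN 23 vs 44).
KEY = bytes(16)
SHORT = bytes.fromhex("0012")
EXT_OLD = bytes.fromhex("0200000000000001")
EXT_JN = bytes.fromhex("0200000000000002")
```

With extended addresses the nonces at a replayed ASN still differ per node; with a shared short address they are identical, which is why the ledger check belongs on the JRC side.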