Re: [6tisch] Warren Kumari's Discuss on draft-ietf-6tisch-enrollment-enhanced-beacon-13: (with DISCUSS and COMMENT)

Michael Richardson <> Fri, 21 February 2020 12:39 UTC

Date: Thu, 20 Feb 2020 19:54:54 +0100
Message-ID: <2595.1582224894@dooku>

Warren Kumari via Datatracker <> wrote:
    > [ Be ye not afraid - this should be easy to answer / address ] The
    > Privacy Considerations says: "The use of a network ID may reveal
    > information about the network."  Good point - but it also goes on to
    > say: "The use of a SHA256 hash of the DODAGID, rather than using the
    > DODAGID (which is usually derived from the LLN prefix) directly
    > provides some privacy for the addresses used within the network, as
    > the DODAGID is usually the IPv6 address of the root of the RPL mesh."

    > I don't know if this is an issue, but how much entropy is in a DODAGID?
    > From what I could find, the DODAGID is often just an IP address - and
    > subnets are not randomly distributed, nor are L2 addresses (inputs to
    > address generation) - if I know that many of the nodes come from
    > vendor_A, and I know their L2 / MAC range, can I enumerate this, and by
    > extension the DODAGID, and so the hash?

The point of a good hash is to spread whatever entropy there is in the input
all over the output. If there is a very small number of inputs, then akin to
the /etc/passwd dictionary attacks, an attacker can just pre-calculate a
bunch of things.

So, can you enumerate the DODAGIDs?  Maybe.

The 6LBR address which is usually used as the DODAGID is an IPv6 address.
So there is some ~32-bits of space assuming that the RIR assigned prefix
(e.g. 2001:db8::/32) is discoverable by looking up
This assumes that you know who you are trying to learn about.
The next 32-bits will be operator or DHCPv6-PD assigned, and you may not guess
that part.  And then the IID could be assigned via any number of our RFC8064,
or might be ::1.

So if you know what network you are looking for, you can probably find it.
The operator is allowed to generate the NetworkID with a random number
generator, btw.

But, if you observe ten LLNs the hash makes it hard to trivially map them
back to a specific operator.

Do you feel that I need to add this to the document?
I feel that it distracts: SHA256 is just a suggestion.

    > I will happily admit that I haven't fully researched this / thought it
    > through, so "Nah, won't work" or "Yes, will work, but we did say
    > 'provides some privacy', not 'absolute privacy'" are all acceptable
    > answers :-)

Some privacy.

    > ----------------------------------------------------------------------
    > COMMENT:
    > ----------------------------------------------------------------------

    > I found this document to be well written, and helpfully explained the
    > background, issue, etc. Thank you!

    > Question: "Pledges which have not yet enrolled are unable to
    > authenticate the beacons, and will be forced to temporarily take the
    > contents on faith. After enrollment, a newly enrolled node will be able
    > to return to the beacon and validate it."  Yes, this is true - a newly
    > enrolled node will be able to do this -- but I don't see a suggestion /
    > requirement that they actually *do* so. I'm perfectly capable of
    > picking up my socks, but.... :-)

You want to read draft-ietf-6tisch-minimal-security section 5 and section 9,
last paragraph.
Doing so is somewhat optional: if the pledge doesn't verify the beacon it saw
then it will verify the next beacon.
If the beacon was bogus, then the 6tisch-CoJP likely also failed, or the
pledge won't get to the Join Proxy at all, since it will not have a workable
TSCH schedule.

    > Nit: "Although However, even in this case, a" - typo / redundancy.

    > Please also see Qin Wu's Opsdir review
    > (,
    > which has some useful questions / nits.

I thought I had, but I don't have anything in my outbox, so I'll grab it when
I land.

Michael Richardson <>, Sandelman Software Works
 -= IPv6 IoT consulting =-
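
Added example (not part of the original message or the draft): a short Python check of the point discussed in this thread, that a hash of a DODAGID drawn from a small, guessable address range can be matched by pre-calculation, while a randomly generated network ID or an unpredictable IID cannot. The encoding (SHA-256 over the 16-byte binary address, truncated to the observed length), the documentation prefix, the IID guess list and all function names are assumptions.

```python
import hashlib
import ipaddress
import secrets

def network_id(dodagid, length=16):
    """Assumed encoding: SHA-256 of the 16-byte binary DODAGID, truncated."""
    packed = ipaddress.IPv6Address(dodagid).packed
    return hashlib.sha256(packed).digest()[:length]

def candidate_dodagids(prefix, iids):
    """Every /64 under a known operator prefix, combined with guessable IIDs."""
    net = ipaddress.IPv6Network(prefix)
    for subnet in net.subnets(new_prefix=64):
        for iid in iids:
            yield subnet.network_address + iid

def audit_network_id(observed, prefix, iids):
    """Return the DODAGID whose hash matches `observed`, or None if the
    candidate set does not contain it (i.e. the ID survived this audit)."""
    for addr in candidate_dodagids(prefix, iids):
        if network_id(addr, len(observed)) == observed:
            return addr
    return None

# Constructed sample data: documentation prefix, 256 possible /64 subnets,
# and a short list of "obvious" interface identifiers such as ::1.
PREFIX = "2001:db8:0:100::/56"
GUESSABLE_IIDS = [0x1, 0x2, 0xFF]

def demo():
    results = {}
    # Root at a predictable address: the hash is matched after at most
    # 256 * 3 = 768 SHA-256 computations.
    results["predictable"] = audit_network_id(
        network_id("2001:db8:0:142::1"), PREFIX, GUESSABLE_IIDS)
    # Same subnet, but an opaque IID (constructed value): not in the set.
    results["opaque_iid"] = audit_network_id(
        network_id("2001:db8:0:142:8d3f:5a1c:77e0:2b19"), PREFIX, GUESSABLE_IIDS)
    # Operator-chosen random network ID, as the message says is allowed.
    results["random_id"] = audit_network_id(
        secrets.token_bytes(16), PREFIX, GUESSABLE_IIDS)
    return results

if __name__ == "__main__":
    for name, found in demo().items():
        print(f"{name:12s} -> {found}")
```
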