Re: [6tisch] Warren Kumari's Discuss on draft-ietf-6tisch-enrollment-enhanced-beacon-13: (with DISCUSS and COMMENT)

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 21 February 2020 12:39 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B8534120819; Fri, 21 Feb 2020 04:39:33 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 3.55
X-Spam-Level: ***
X-Spam-Status: No, score=3.55 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_12_24=1.049, KHOP_HELO_FCRDNS=0.399, RCVD_IN_SBL_CSS=3.335, SPF_HELO_NONE=0.001, SPF_SOFTFAIL=0.665, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rtJSixXki4Z3; Fri, 21 Feb 2020 04:39:31 -0800 (PST)
Received: from relay.sandelman.ca (minerva.sandelman.ca [IPv6:2a01:7e00::3d:b000]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7F17C120033; Fri, 21 Feb 2020 04:39:31 -0800 (PST)
Received: from dooku.sandelman.ca (CPEbc4dfbbcd553-CMbc4dfbbcd550.cpe.net.cable.rogers.com [99.230.57.100]) by relay.sandelman.ca (Postfix) with ESMTPS id A8DA11F488; Fri, 21 Feb 2020 12:39:29 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 88E3C1A3B76; Thu, 20 Feb 2020 19:54:54 +0100 (CET)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Warren Kumari <warren@kumari.net>
cc: "The IESG" <iesg@ietf.org>, pthubert@cisco.com, 6tisch-chairs@ietf.org, 6tisch@ietf.org, draft-ietf-6tisch-enrollment-enhanced-beacon@ietf.org
In-reply-to: <158215024778.17684.13698521401379090423.idtracker@ietfa.amsl.com>
References: <158215024778.17684.13698521401379090423.idtracker@ietfa.amsl.com>
Comments: In-reply-to Warren Kumari via Datatracker <noreply@ietf.org> message dated "Wed, 19 Feb 2020 14:10:47 -0800."
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 25.2.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha512; protocol="application/pgp-signature"
Date: Thu, 20 Feb 2020 19:54:54 +0100
Message-ID: <2595.1582224894@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/XYRVsH9XueLjz_a-ZfACidz45jM>
Subject: Re: [6tisch] Warren Kumari's Discuss on draft-ietf-6tisch-enrollment-enhanced-beacon-13: (with DISCUSS and COMMENT)
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Feb 2020 12:39:34 -0000

Warren Kumari via Datatracker <noreply@ietf.org> wrote:
    > [ Be ye not afraid - this should be easy to answer / address ] The
    > Privacy Considerations says: "The use of a network ID may reveal
    > information about the network."  Good point - but it also goes on to
    > say: "The use of a SHA256 hash of the DODAGID, rather than using the
    > DODAGID (which is usually derived from the LLN prefix) directly
    > provides some privacy for the the addresses used within the network, as
    > the DODAGID is usually the IPv6 address of the root of the RPL mesh."

    > I don't know if this is an issue, but how much entropy is in a DODAGID?
    > From what I could find, the DODAGID is often just an IP address - and
    > subnets are not randomly distributed, nor are L2 addresses (inputs to
    > address generation) - if I know that many of the nodes come from
    > vendor_A, and I know their L2 / MAC range, can I enumerate this, and by
    > extension the DODAGID, and so the hash?

The point of a good hash is to spread whatever entropy there is in the input
all over the output.   If there are a very few number of inputs, then akin to
the /etc/passwd dictionary attacks, an attacker can just pre-calculate a
bunch of things.

So, can you enumerate the DODAGIDs?  Maybe.

The 6LBR address which is usually used as the DODAGID is an IPv6 address.
So there is some ~32-bits of space assuming that the RIR assigned prefix
(e.g. 2001:db8::/32) is discoverable by looking up www.example.com
This assumes that you know who you are trying learn about.
The next 32-bits will be operator or DHCPv6-PD assigned, and maybe not guess
that part.  And then the IID could be assigned via any number of our RFC8064,
or might be ::1.

So if you know what network you are looking for, you can probably find it.
The operator is allowed to generate the NetworkID with a random number
generator, btw.

But, if you observe ten LLNs the hash makes it hard to trivially map them
back to a specific operator.

Do you feel that I need to add this to the document?
I feel that it distracts: SHA256 is just a suggestion.

    > I will happily admit that I haven't fully researched this / thought it
    > through, so "Nah, won't work" or "Yes, will work, but we did say
    > 'provides some privacy', not 'absolute privacy'" or all acceptable
    > answers :-)

Some privacy.

    > ----------------------------------------------------------------------
    > COMMENT:
    > ----------------------------------------------------------------------

    > I found this document to be well written, and helpfully explained the
    > background, issue, etc. Thank you!

    > Question: "Pledges which have not yet enrolled are unable to
    > authenticate the beacons, and will be forced to temporarily take the
    > contents on faith. After enrollment, a newly enrolled node will be able
    > to return to the beacon and validate it."  Yes, this is true - a newly
    > enrolled node will be able to do this -- but I don't see a suggestion /
    > requirement that they actually *do* so. I'm perfectly capable of
    > picking up my socks, but.... :-)

You want to read draft-ietf-6tisch-minimal-security section 5 and section 9,
last paragraph.
Doing so is somewhat optional: if the pledge doesn't verify the beacon it saw
then it will verify the next beacon.
If the beacon was bogus, then the 6tisch-CoJP likely also failed, or the
pledge won't get to the Join Proxy at all, since it will not have a workable
TSCH schedule.

    > Nit: "Although However, even in this case, a" - typo / redundancy.

    > Please also see Qin Wu's Opsdir review
    > (https://datatracker.ietf.org/doc/review-ietf-6tisch-enrollment-enhanced-beacon-08-opsdir-lc-wu-2020-01-21/),
    > which has some useful questions / nits.

I thought I had, but I don't have anything in my outbox, so I'll grab it when
I land.

--
Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-