IETF Logo Mail Archive

Re: [6tisch] 6tisch join requirements for 6top

Tero Kivinen <kivinen@iki.fi> Tue, 02 December 2014 11:22 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F34F31A1A87 for <6tisch@ietfa.amsl.com>; Tue, 2 Dec 2014 03:22:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.131
X-Spam-Level:
X-Spam-Status: No, score=-1.131 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VduvdH7eTC1P for <6tisch@ietfa.amsl.com>; Tue, 2 Dec 2014 03:22:10 -0800 (PST)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4EC721A1A93 for <6tisch@ietf.org>; Tue, 2 Dec 2014 03:22:09 -0800 (PST)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.8) with ESMTP id sB2BGunN026684 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 2 Dec 2014 13:16:56 +0200 (EET)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.8/Submit) id sB2BGuLe004080; Tue, 2 Dec 2014 13:16:56 +0200 (EET)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21629.40872.448775.231380@fireball.kivinen.iki.fi>
Date: Tue, 02 Dec 2014 13:16:56 +0200
From: Tero Kivinen <kivinen@iki.fi>
To: Michael Richardson <mcr+ietf@sandelman.ca>
In-Reply-To: <13778.1417451752@sandelman.ca>
References: <D0876D12.C03C%rsudhaak@cisco.com> <32412.1415737868@sandelman.ca> <D087B62D.C081%rsudhaak@cisco.com> <10653.1415740821@sandelman.ca> <CADJ9OA_LFkGDuyG_0bf=07d7cvC9FNRr5cMGTmYw2PR=g9XQHA@mail.gmail.com> <8193.1416253349@sandelman.ca> <21619.12717.53454.214321@fireball.kivinen.iki.fi> <6905.1417383707@sandelman.ca> <21628.27758.767111.663703@fireball.kivinen.iki.fi> <13778.1417451752@sandelman.ca>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 34 min
X-Total-Time: 21 min
Archived-At: http://mailarchive.ietf.org/arch/msg/6tisch/YLXi0UfpUTDIJMJVMstZqtRHDjc
Cc: "Raghuram Sudhaakar (rsudhaak)" <rsudhaak@cisco.com>, 6tisch@ietf.org, Robert Moskowitz <rgm@htt-consult.com>
Subject: Re: [6tisch] 6tisch join requirements for 6top
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Dec 2014 11:22:12 -0000

Michael Richardson writes:
> So I am assuming that some of these details would go into the YANG model as
> additional fields.  Some, such as what ciphers to use, we might initially
> "default" to AES-CCM, assuming that if there an option, it's an upgrade, and
> a new YANG model would include the bit to turn it on.

In 15.4 there is only one cipher, i.e. AES-CCM*. There is 7 security
levels for it, but they just affect whether the payload is encrypted
and how long MIC (message integrity code) is added to the frame.

> 1) There are multiple senders.

Is there going to be multiple multicast keys also, or just one network
wide broadcast key. Do we need to support rekeying of the key, i.e. do
we want to exclude someone from the group and distribute the key only
to those we should be part of the new group. 

> 2) There is a mesh, and not all nodes have a direct connection to the root.

How is the mesh forwarding be done. Or is there any mesh forwarding,
i.e. can node X send frame to node Y, which is not in direct
communication range? If so how will it get forwarded. Is the
forwarding done on the upper layer, or so? When node X is sending
frame to node Y, does it uses node Y's address on the frame when
sending the frame out or what? 

> 3) I imagine that the root (6LBR) has to own the key.

With key you mean here what? Public key to authenticate the root, or
multicast key, or what?

>     > You could for example specify that the pan coordinator "owns" the
>     > multicast key, so he will take care of rekying etc, and the Key Source
>     > field of the auxiliary security header specifies him.
> 
> I don't think we have a specific pan coordinator in 6tisch.

Each 15.4 network has one PAN coordinator and can have multiple
coordinators. The first node creating the network will work as PAN
coordinator for the network.

I.e. if you have two 15.4 devices talking to each other, one of them
must be fully functional device (FFD) and act as PAN coordinator and
other one connects to it.

The PAN coordinator it the device who assigns the short addresses for
the devices, if you want to use them. 

>     > For example using Key Identifier Mode 1 (everybody set their
>     > macDefaultKeySource to match the extended address of the pan
>     > coordinator) and specifying that Key Index 0x10-0x1f is used for this
>     > multicast group (this would allow 16 groups so pan coordinator can
>     > create new key, and every time he sees someone using old key, he can
>     > send them new key, and ask them to delete old one).
> 
> I'm confused by why we would have to set the macDefaultKeySource to
> match the pan coordinator. Probably, I don't know what that field
> controls.

The macDefaultKeySource is used instead of the KeySource in the frame,
when Key Identifier Mode 1 is used. I.e. it is used to compress the
KeySource field in the frame. Many setups use star topology and in
that case all communication is between the leaf node and the PAN
coordinator. When the device associates with the network it will know
the extended address of the PAN coordinator and then it can configure
macDefaultKeySource with that address. After that the PAN coordinator
can send packets out by simply omitting the whole source address field
(i.e. using source address mode of NONE, which means the whole source
address fields are left out), and it can also use Key Indentifier Mode
1 which means the KeySource field in the auxiliary security header is
just one byte of Key Index. The recipient will then know from these
that this frame is from PAN coordinator, and as they know the extended
address of the PAN coordinator, and it is configure in the
macDefaultKeySource PIB for them, then they process the frames.

On the other direction when sending packet to the PAN coordinator,
they can leave the destination address away (i.e. packet goes to PAN
coordinator), and they can use the same group key own by the PAN
coordinator (i.e Key Identifier Mode 1), and then they just include
their own extended address or short address in the source addressing
fields of the header.

So most of these complications in the 15.4 are because of saving bits
on the air... 

> It would be nice if the pan coordinator could see all the transmissions, but
> that won't be the case; the join coordinator will have to refresh the keys.

So I assume your setup is that you have multiple coordinators, which
send out beacons and each device associates with one of those
coordinators, and the coordinators then talk the PAN coordinator using
some mechanism outside the scope of 15.4 to do the short address
assignment and group key management. 
-- 
kivinen@iki.fi

v2.39.1 | Report a Bug | By Email | System Status