Re: [6tisch] Roman Danyliw's No Objection on draft-ietf-6tisch-architecture-24: (with COMMENT)
Tero Kivinen <kivinen@iki.fi> Thu, 29 August 2019 22:06 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B596112091B; Thu, 29 Aug 2019 15:06:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.42
X-Spam-Level:
X-Spam-Status: No, score=-3.42 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id khnkJlRZMn3G; Thu, 29 Aug 2019 15:06:03 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D61AC120BCA; Thu, 29 Aug 2019 15:06:02 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id x7TM5arp008972 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 30 Aug 2019 01:05:36 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id x7TM5Xbo017710; Fri, 30 Aug 2019 01:05:33 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <23912.19501.694405.21535@fireball.acr.fi>
Date: Fri, 30 Aug 2019 01:05:33 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
Cc: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>, "shwetha.bhandari@gmail.com" <shwetha.bhandari@gmail.com>, "6tisch@ietf.org" <6tisch@ietf.org>, "6tisch-chairs@ietf.org" <6tisch-chairs@ietf.org>, "draft-ietf-6tisch-architecture@ietf.org" <draft-ietf-6tisch-architecture@ietf.org>
In-Reply-To: <MN2PR11MB3565E6A131CEFBE8DD6E395CD8A00@MN2PR11MB3565.namprd11.prod.outlook.com>
References: <156523837973.8301.2864865066450595993.idtracker@ietfa.amsl.com> <MN2PR11MB3565FC066DB6EB01DA5E30F1D8A50@MN2PR11MB3565.namprd11.prod.outlook.com> <359EC4B99E040048A7131E0F4E113AFC01B343BFC0@marathon> <MN2PR11MB35657EF40A759366396FD3FCD8A10@MN2PR11MB3565.namprd11.prod.outlook.com> <23909.10610.552936.793775@fireball.acr.fi> <MN2PR11MB3565E6A131CEFBE8DD6E395CD8A00@MN2PR11MB3565.namprd11.prod.outlook.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 2 min
X-Total-Time: 1 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/_3oy22SGDLj8Im8AiZmdy16PmTE>
Subject: Re: [6tisch] Roman Danyliw's No Objection on draft-ietf-6tisch-architecture-24: (with COMMENT)
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Aug 2019 22:06:07 -0000
Pascal Thubert (pthubert) writes: > > Even when the nonce reuse happens, I do not think there is any > > leak of the network-wide keys in that case. What is lost is the > > confidentiality of the those messages sharing nonce, i.e., only > > those messages are broken, not the whole network key. > > I'd really like to understand that. This is too deep for Archie > anyway. I'll change the text to indicate that a nonce-reuse attack > would be possible. Does the below work? > > " The cryptographic mechanisms used by IEEE Std. 802.15.4 include > the 2-byte short address in the calculation of the context. A > nonce-reuse attack may become feasible if a short address is > reassigned to another node while the same network-wide keys > are in operation. " Looks good. > > > o Many cipher algorithms have some suggested limits on how many > > > bytes should be encrypted with that algorithm before a new key is > > > used. These numbers are typically in the many to hundreds of > > > gigabytes of data. On very fast backbone networks this becomes an > > > important concern. On LLNs with typical data rates in the > > > kilobits/second, this concern is significantly less. However, the > > > LLN may be expected to operate for decades at a time, and > > > operators are advised to plan for the need to rekey. > > > > Note, that TSCH in general allows maximally of 2^40 frames to be > > sent before ASN rolls over. In normal case the maximum packet size > > is 2^7 octets, meaning the total amount of bytes that can be > > transferred over TSCH network is 2^47 octects, meaning 2^43 blocks > > of AES. Currently only cipher supported by the TSCH is AES-CCM-128 > > (altough 802.15.4y will be adding support for other algorithms > > too), but I think the maximum number of blocks recommened for one > > key for AES is more than 2^43, so this should not be a problem at > > all. I.e., the ASN frame counter will be problem before this will > > be problem. Even if using the PHY with 2^11 max frame length that > > gives only 2^47 blocks at maximum. > > Many thanks, Tero, all this is really useful. What about: > > " With TSCH as it stands at the time of this writing, the ASN will > wrap after 2^40 timeslot durations, which means with the > default values around 350 years. Wrapping ASN is not expected > to happen within the lifetime of most LLNs. Yet, should the > ASN wrap, the network must be rekeyed to avoid a nonce-reuse > attack. > > Many cipher algorithms have some suggested limits on how many > bytes should be encrypted with that algorithm before a new key > is used. These numbers are typically in the many to hundreds > of gigabytes of data. On very fast backbone networks this > becomes an important concern. On LLNs with typical data rates > in the kilobits/second, this concern is significantly less. > With IEEE Std. 802.15.4 as it stands at the time of this > writing, the ASN will wrap before the limits of the current L2 > crypto (AES-CCM-128) are reached, so the problem should never > occur. > > In any fashion, if the LLN is expected to operate continuously > for decades then the operators are advised to plan for the > need to rekey. " That looks good also. -- kivinen@iki.fi
- [6tisch] Roman Danyliw's No Objection on draft-ie… Roman Danyliw via Datatracker
- Re: [6tisch] Roman Danyliw's No Objection on draf… Pascal Thubert (pthubert)
- Re: [6tisch] Roman Danyliw's No Objection on draf… Roman Danyliw
- Re: [6tisch] Roman Danyliw's No Objection on draf… Pascal Thubert (pthubert)
- Re: [6tisch] Roman Danyliw's No Objection on draf… Pascal Thubert (pthubert)
- Re: [6tisch] Roman Danyliw's No Objection on draf… Tero Kivinen
- Re: [6tisch] Roman Danyliw's No Objection on draf… Pascal Thubert (pthubert)
- Re: [6tisch] Roman Danyliw's No Objection on draf… Michael Richardson
- Re: [6tisch] Roman Danyliw's No Objection on draf… Pascal Thubert (pthubert)
- Re: [6tisch] Roman Danyliw's No Objection on draf… Tero Kivinen
- Re: [6tisch] Roman Danyliw's No Objection on draf… Tero Kivinen