Re: [6tisch] Roman Danyliw's No Objection on draft-ietf-6tisch-architecture-24: (with COMMENT)

Tero Kivinen <kivinen@iki.fi> Thu, 29 August 2019 22:06 UTC

Return-Path: <kivinen@iki.fi>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B596112091B; Thu, 29 Aug 2019 15:06:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.42
X-Spam-Level:
X-Spam-Status: No, score=-3.42 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id khnkJlRZMn3G; Thu, 29 Aug 2019 15:06:03 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D61AC120BCA; Thu, 29 Aug 2019 15:06:02 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id x7TM5arp008972 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 30 Aug 2019 01:05:36 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id x7TM5Xbo017710; Fri, 30 Aug 2019 01:05:33 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <23912.19501.694405.21535@fireball.acr.fi>
Date: Fri, 30 Aug 2019 01:05:33 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: "Pascal Thubert \(pthubert\)" <pthubert@cisco.com>
Cc: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>, Benjamin Kaduk <kaduk@mit.edu>, "shwetha.bhandari\@gmail.com" <shwetha.bhandari@gmail.com>, "6tisch\@ietf.org" <6tisch@ietf.org>, "6tisch-chairs\@ietf.org" <6tisch-chairs@ietf.org>, "draft-ietf-6tisch-architecture\@ietf.org" <draft-ietf-6tisch-architecture@ietf.org>
In-Reply-To: <MN2PR11MB3565E6A131CEFBE8DD6E395CD8A00@MN2PR11MB3565.namprd11.prod.outlook.com>
References: <156523837973.8301.2864865066450595993.idtracker@ietfa.amsl.com> <MN2PR11MB3565FC066DB6EB01DA5E30F1D8A50@MN2PR11MB3565.namprd11.prod.outlook.com> <359EC4B99E040048A7131E0F4E113AFC01B343BFC0@marathon> <MN2PR11MB35657EF40A759366396FD3FCD8A10@MN2PR11MB3565.namprd11.prod.outlook.com> <23909.10610.552936.793775@fireball.acr.fi> <MN2PR11MB3565E6A131CEFBE8DD6E395CD8A00@MN2PR11MB3565.namprd11.prod.outlook.com>
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 2 min
X-Total-Time: 1 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/_3oy22SGDLj8Im8AiZmdy16PmTE>
Subject: Re: [6tisch] Roman Danyliw's No Objection on draft-ietf-6tisch-architecture-24: (with COMMENT)
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Aug 2019 22:06:07 -0000

Pascal Thubert (pthubert) writes:
> > Even when the nonce reuse happens, I do not think there is any
> > leak of the network-wide keys in that case. What is lost is the
> > confidentiality of the those messages sharing nonce, i.e., only
> > those messages are broken, not the whole network key.
> 
> I'd really like to understand that. This is too deep for Archie
> anyway. I'll change the text to indicate that a nonce-reuse attack
> would be possible. Does the below work?
> 
> " The cryptographic mechanisms used by IEEE Std. 802.15.4 include
>       the 2-byte short address in the calculation of the context. A
>       nonce-reuse attack may become feasible if a short address is
>       reassigned to another node while the same network-wide keys
>       are in operation. "

Looks good.

> > >    o  Many cipher algorithms have some suggested limits on how many
> > >       bytes should be encrypted with that algorithm before a new key is
> > >       used.  These numbers are typically in the many to hundreds of
> > >       gigabytes of data.  On very fast backbone networks this becomes an
> > >       important concern.  On LLNs with typical data rates in the
> > >       kilobits/second, this concern is significantly less.  However, the
> > >       LLN may be expected to operate for decades at a time, and
> > >       operators are advised to plan for the need to rekey.
> > 
> > Note, that TSCH in general allows maximally of 2^40 frames to be
> > sent before ASN rolls over. In normal case the maximum packet size
> > is 2^7 octets, meaning the total amount of bytes that can be
> > transferred over TSCH network is 2^47 octects, meaning 2^43 blocks
> > of AES. Currently only cipher supported by the TSCH is AES-CCM-128
> > (altough 802.15.4y will be adding support for other algorithms
> > too), but I think the maximum number of blocks recommened for one
> > key for AES is more than 2^43, so this should not be a problem at
> > all. I.e., the ASN frame counter will be problem before this will
> > be problem. Even if using the PHY with 2^11 max frame length that
> > gives only 2^47 blocks at maximum.
> 
> Many thanks, Tero, all this is really useful. What about:
> 
> " With TSCH as it stands at the time of this writing, the ASN will
>       wrap after 2^40 timeslot durations, which means with the
>       default values around 350 years. Wrapping ASN is not expected
>       to happen within the lifetime of most LLNs. Yet, should the
>       ASN wrap, the network must be rekeyed to avoid a nonce-reuse
>       attack.
> 
>       Many cipher algorithms have some suggested limits on how many
>       bytes should be encrypted with that algorithm before a new key
>       is used. These numbers are typically in the many to hundreds
>       of gigabytes of data. On very fast backbone networks this
>       becomes an important concern. On LLNs with typical data rates
>       in the kilobits/second, this concern is significantly less.
>       With IEEE Std. 802.15.4 as it stands at the time of this
>       writing, the ASN will wrap before the limits of the current L2
>       crypto (AES-CCM-128) are reached, so the problem should never
>       occur.
> 
>       In any fashion, if the LLN is expected to operate continuously
>       for decades then the operators are advised to plan for the
>       need to rekey. "

That looks good also.
-- 
kivinen@iki.fi