[6tisch] My comments to the draft-ietf-6tisch-minimal-security-06
Tero Kivinen <kivinen@iki.fi> Wed, 27 June 2018 22:23 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CA69B130E2C for <6tisch@ietfa.amsl.com>; Wed, 27 Jun 2018 15:23:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.121
X-Spam-Level:
X-Spam-Status: No, score=-1.121 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7PttN5aUTnNN for <6tisch@ietfa.amsl.com>; Wed, 27 Jun 2018 15:23:24 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.acr.fi [83.145.195.1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CAE7C130E34 for <6tisch@ietf.org>; Wed, 27 Jun 2018 15:23:23 -0700 (PDT)
Received: from fireball.acr.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.15.2/8.15.2) with ESMTPS id w5RMNKwX013767 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for <6tisch@ietf.org>; Thu, 28 Jun 2018 01:23:20 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.acr.fi (8.15.2/8.14.8/Submit) id w5RMNKQg024883; Thu, 28 Jun 2018 01:23:20 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <23348.3672.286690.390631@fireball.acr.fi>
Date: Thu, 28 Jun 2018 01:23:20 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: 6tisch@ietf.org
X-Mailer: VM 8.2.0b under 25.1.1 (x86_64--netbsd)
X-Edit-Time: 69 min
X-Total-Time: 330 min
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/dCBckcscvIviorj1raiA3vYZ7aM>
Subject: [6tisch] My comments to the draft-ietf-6tisch-minimal-security-06
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 27 Jun 2018 22:23:27 -0000
In section 3 there is text saying: The "network identifier" uniquely identifies the 6TiSCH network in the namespace managed by a JRC. Typically, this is the 16-bit Personal Area Network Identifier (PAN ID) defined in [IEEE802.15.4]. Note, that the PAN ID is not stable. The PAN coordinator is expected to change to use new PAN ID if it detect another network using the same PAN ID, i.e., if there is PAN ID conflict. See section 6.3.2 of the IEEE 802.15.4-2015. Because of this it might be better to use something else as PAN ID if stable network identifier is needed. Also in quite many cases the PAN ID is not known beforehand, so configuring the PAN ID to the pledge is challenging, as is describied in the section 4. Using something like Network ID from the draft-richardson-6tisch-enrollment-enhanced-beacon, would provide better alternative. -- In section 4 there is text saying: o Pre-Shared Key (PSK). The JRC additionally needs to store the pledge identifier bound to the given PSK. The PSK SHOULD be at least 128 bits in length, generated uniformly at random. It is RECOMMENDED to generate the PSK with a cryptographically secure pseudorandom number generator. Each (6LBR) pledge SHOULD be provisioned with a unique PSK. This text is fine, but knowing that most of the vendors in this space have been known to use unsafe methods like scrambling, encrypting, hashing, or macing serial number or EUI-64 address to generate "random unique PSKs" (or simply using fixed PSK for all devices), it might be good idea to provide bit more emphasis on the unique properly generated PSK, even when it is outside the actual scope of this document. Or add something like that to the security considerations section. -- In section 5.2 there is text saying "How JP accepts these unprotected frames is discussed in Section 6. ", but this same thing also applies to the section 5.3.1 too. I.e., the Join request from the pledge to JP is also unauthenticated and unencrypted. Perhaps that should be noted also there. -- In section 5.3.2 there is text saying: The JP operates as the application- layer proxy, and does not keep any state to forward the message. This is not completely true. It needs to keep state to know when the pledge starts joining process and it needs to keep it until the pledge finishes it as it needs to allow pledge to send unencrypted and unauthenticated frames through it as explained in section 6. I.e., JP do store state for each pledge, at least for the secExempt. Also during this phase the pledge will be using its extended address, so that is also used by the JP to know which pledges are in progess of joining. Also section 7 says that JP does keep separate neighbor cache for untrusted entries, so that is even more state it will keep... -- In section 6 there is text saying: How the JP learns whether the join process is ongoing is out of scope of this specification. This is very important part of the process, and I think it should be part of this document, and not out of scope for this document. Which document will specify this if not this? My guess is that JP willing to act as JP will receive first frame from pledge and when it sees it, it will start joining process, start forwarding the frames and mark that given extended address as something that is allowed to bypass security by setting secExempt for that extended address. The question is how can the JP know when the pledge is done. Can it just trust that there will be exactly one Join Response, and forward that and then clear out the secExempt flag from its tables and forget the pledge? Or should it just timeout the secExempt entries after certain number of seconds of inactivity? Or even pledge sending some kind of notify to JP using its extended address and link key to tell he is done? Fixing this here by specifying method for is solves the issue for good, leaving it out of scope will make hard to debug problems when different JPs uses different methods to know when pledge is done. -- Again the section 7 says that it is out of scope how JP decides to transtion from "untrusted to trusted cache". The proposed solution given there does not work. The text says: One implementation technique is to use the information whether the incoming frames are secured at the link layer. The unauthenticated and unencrypted frames use extended address as their level 2 addresses. After joining process the pledge might move to use short address provided to it by the JRC. As far as I understand the message from JRC to pledge is encrypted, and JP cannot read it, thus JP cannot learn what will be the short address matching the pledge it has in its tables. Of course it can guess, that if there is pledge with extended address of 0x1234567812345678 and then suddenly there is new node with short address of 0x0010, then most likely they are same, but this might not be good idea to try to do guessing of the identities. Also outsiders can also do the same guess, so they will be able to coordinate the short address 0x0010 to the extended address quite easily, even when the section 11 claims otherwise. I think the overall protocol would be better if the JP would get information about the successful completion of the joining process. I.e., if the JRC sending frame to be forwarded to pledge by JP, would also indicate something in the frame that tells JP that this pledge is now done, and it can be removed from the untrusted neighbor cache, and from the secExempt list. -- In section 8.1. the ID of the pledge is 0x00, but ID of JRC is 0x4a5243. As far as I understood the OSCORE for the security it would be enough to just use any different value for them, i.e., using 0x00 for pledge and 0x01 for JRC. Why does the JRC use 0x4a5243 ("JRC") instead of just 0x01? The pledge identifier is used as ID context, which is added to both sender and recipient key generation so in all cases the final keys are different even if the PSK is same as long as the pledge identifier is unique. If pledge identifier and PSK are not unique, then we do have nonce collision as both devices start with sequence number of 0. -- I was just about to point out about the persistency of the sequence numbers, and I was more than happy to see that it was actually already mentioned in the draft. Good work! (My guess is that there is huge number of IoT devices which do not do that properly) -- In section 9.3.2 there is description about the rekey algorithm which has following sentence: Upon reception and successful security processing of a link-layer frame secured with a key from the new key set, a non-6LBR node MUST remove any old keys it has installed from the previous key set. I think it would be better to wait for a while before deleting the old set, but immediately move to use the new set for transmissions. I.e., we might have node B and C, which both have old and new keys, their parent A sends an EB with new keys out, but node C is not able to receive it correctly. Now if C wants to send frame to A or B, it will still be using old key as it has not yet seen any new frames. Both A and B will throw that frame out as it is using old key. If this would be changed to say that "node MUST remove any old keys after delay of N seconds" (or delay of N slotframes or whatever). -- In section 9.3.2 there is text about link-layer short address, but there is no requirement for the JRC, that mandates it to ensure that it will be unique at any given time. I.e., the security of the network will depend that there is never two sort address using same keys at the same time. I.e., if JRC is restarted and its loosing the state of which short addresses are allocated it MUST rekey the whole network with newly generated key (and as it cannot do that by sending updates, as it does not know who is part of network, it must force everybody to rejoin). If JRC gives out the short address without giving lease_time, it MUST not ever reuse those short addresses. If it does give lease time it should wait for some guard time before reusing short address that has already been expired. This guard time should include cases where node has sent out message and the message is waiting in transmit queue, but has not been sent out yet, while the address expires, and node might not have code to purge the tranmission from the queue. So adding guard time that is in order of maximum wait time for sending frame or so, would be good. -- In section 9.3.2.2 there is text saying that "short address is unique LOCALLY in the network". This is incorrect. It needs to be unique in the whole network using the same key, i.e., globally in the network using the same key and part of the same TSCH network. I know that some vendors have been using duplicate short addresses for different parts of the network, when there is no risk of them overhearing each other for other 802.15.4 networks, but that is not safe to do in TSCH when short addresses are used in the nonce. I do understand that the text is trying to say it does not need to be unique in the global internet, but in the local network it needs to be unique globally inside the whole network. Note, that short address of 0xfffe (associated, but not given short address) and 0xffff (broadcast) are reserved in 802.15.4-2015 and cannot be used. Also some other 802.15.4 extensions like L2R (layer 2 routing) 802.15.10 do reserve additional set of short addresses for example for multicast (0xff00-0xfffd). Most likely this text should be reflected to that, saying that if address is 0xfffe, then pledge has joined the network, but JRC decided not to give him short address (for example it is running out of them), and the device should use extended address to talk to others. If JRC gives out short address of 0xffff, then it should be considered invalid. -- kivinen@iki.fi
- [6tisch] My comments to the draft-ietf-6tisch-min… Tero Kivinen
- Re: [6tisch] My comments to the draft-ietf-6tisch… Mališa Vučinić
- Re: [6tisch] My comments to the draft-ietf-6tisch… Tero Kivinen
- Re: [6tisch] My comments to the draft-ietf-6tisch… Mališa Vučinić
- Re: [6tisch] My comments to the draft-ietf-6tisch… Tero Kivinen
- Re: [6tisch] My comments to the draft-ietf-6tisch… Mališa Vučinić
- Re: [6tisch] My comments to the draft-ietf-6tisch… Tero Kivinen
- Re: [6tisch] My comments to the draft-ietf-6tisch… Mališa Vučinić