Re: [6tisch] [6tisch-security] proposed security text for architecture draft

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 14 November 2014 03:07 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: yoshihiro.ohba@toshiba.co.jp
In-Reply-To: <674F70E5F2BE564CB06B6901FD3DD78B272A9108@TGXML210.toshiba.local>
References: <20507.1415811045@sandelman.ca> <674F70E5F2BE564CB06B6901FD3DD78B272A8EFA@TGXML210.toshiba.local> <5854.1415835364@sandelman.ca> <674F70E5F2BE564CB06B6901FD3DD78B272A9108@TGXML210.toshiba.local>
Date: Thu, 13 Nov 2014 22:07:16 -0500
Message-ID: <29465.1415934436@sandelman.ca>
Sender: mcr@sandelman.ca
Archived-At: http://mailarchive.ietf.org/arch/msg/6tisch/iYvIPhuKFChC6MrnSqcLyhQmttA
Cc: 6tisch@ietf.org, 6tisch-security@ietf.org
Subject: Re: [6tisch] [6tisch-security] proposed security text for architecture draft

{Please note that I am very familiar with EAP mechanisms, and I wrote EAP-SIM
 for Freeradius a decade ago, when the document was going through many changes}

<yoshihiro.ohba@toshiba.co.jp> wrote:
    > Regarding the EAP method, I mentioned EAP-TLS.  EAP-TLS works for both
    > certificate-based authentication and pre-shared-key-based
    > authentication (EAP-TLS-PSK) without an EAP tunneling method such as
    > EAP-TTLS.  In the latter case, the TLS session is typically terminated at
    > the AAA server.

But, since the EAP-TLS session terminates at the AAA server, all of the
communications that we want to do (the 6top data) would have to come from
the AAA server.

That means installing all of the 6top/DTLS/CoAP code into the RADIUS server.
(That's because the EAP-TLS session is between the AAA (RADIUS) server and the joining node.)
Is that really what you want to do?

What other things would the AAA server provide to the joining node?
Are you thinking about various kinds of group policies, etc?

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [