Re: [6tisch] 6tisch join requirements for 6top
Xavier Vilajosana <xvilajosana@eecs.berkeley.edu> Tue, 18 November 2014 04:42 UTC
Return-Path: <xvilajosana@gmail.com>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B6C81A0087 for <6tisch@ietfa.amsl.com>; Mon, 17 Nov 2014 20:42:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.677
X-Spam-Level:
X-Spam-Status: No, score=-0.677 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_51=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RZdzR77G8DuW for <6tisch@ietfa.amsl.com>; Mon, 17 Nov 2014 20:42:54 -0800 (PST)
Received: from mail-wg0-x235.google.com (mail-wg0-x235.google.com [IPv6:2a00:1450:400c:c00::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF35B1A0083 for <6tisch@ietf.org>; Mon, 17 Nov 2014 20:42:53 -0800 (PST)
Received: by mail-wg0-f53.google.com with SMTP id l18so2967224wgh.40 for <6tisch@ietf.org>; Mon, 17 Nov 2014 20:42:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=yKGRBWGLb1z4XTLEJLNDoJL0InaunZhHrvkQkLuCHsI=; b=laHKEc7H4h7i3xxEY0IHFEhcH8SYTfX5+/CoMxBUBvr40W0cJWEPcXbo9bGTecDG7V vkBx6gF2+h0EtMqpY3abSCMuTQSDqWUuzlk90re0R5vsne0vcImzDygslQuAwtgoFnOb HFBXDmxfNN4BGkqBheaACQGqYFsZevaH+97l9x6FDDQ99wBiTJYW9KjBdy74GrTvNwyA cv7ipfmFG9p24YoijGDFQOD/KQi3qt3PfgZtP2y/dLi3/g9Xkz0BO2fQ6ZgWma3OPTYZ GE8Aznw3eQ3XQWR8URmis3RHZ13izLR9yjCqKyIlX8fm2zUOfvsW3ta+evkFXSI1I76m 7pWA==
MIME-Version: 1.0
X-Received: by 10.194.59.17 with SMTP id v17mr44283wjq.130.1416285772701; Mon, 17 Nov 2014 20:42:52 -0800 (PST)
Sender: xvilajosana@gmail.com
Received: by 10.27.0.193 with HTTP; Mon, 17 Nov 2014 20:42:52 -0800 (PST)
In-Reply-To: <8193.1416253349@sandelman.ca>
References: <D0876D12.C03C%rsudhaak@cisco.com> <32412.1415737868@sandelman.ca> <D087B62D.C081%rsudhaak@cisco.com> <10653.1415740821@sandelman.ca> <CADJ9OA_LFkGDuyG_0bf=07d7cvC9FNRr5cMGTmYw2PR=g9XQHA@mail.gmail.com> <8193.1416253349@sandelman.ca>
Date: Tue, 18 Nov 2014 05:42:52 +0100
X-Google-Sender-Auth: 6MTJ_356UUFBWiVHSZXk7Qsd4I0
Message-ID: <CAMsDxWSzGFUk=3Z7E7=1w81bhxv=pwKdsj1-a2mcr77HOw4_2g@mail.gmail.com>
From: Xavier Vilajosana <xvilajosana@eecs.berkeley.edu>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Content-Type: multipart/alternative; boundary="047d7ba980ac61e68605081abab3"
Archived-At: http://mailarchive.ietf.org/arch/msg/6tisch/jOnYOx-DYhA2POsH47yOKQcTfIM
Cc: "Raghuram Sudhaakar (rsudhaak)" <rsudhaak@cisco.com>, "6tisch@ietf.org" <6tisch@ietf.org>, Robert Moskowitz <rgm@htt-consult.com>, Tero Kivinen <kivinen@iki.fi>
Subject: Re: [6tisch] 6tisch join requirements for 6top
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Nov 2014 04:42:57 -0000
Hi Michael, I think part of these should go to the 6top interface expressed in YANG model. Here some comments inline. thanks! X joining node interface: 1) an enum (registry) saying what kind of network security is to be used. a) NO_SECURITY = 0 b) network-wide MIC/key, to be used directly. c) a network-wide "PSK", to be used with 802.15.9 mode DTLS (DHE_PSK), unclear to me how broadcast/multicasts are keyed,I hope to read the 15.9 documents. d) a network-wide "PSK", to be used with 802.15.9 mode IKEv2 (Shared key message integrity code. ditto about broadcast) f) a PK method: to be used with 802.15.9 mode DTLS (ECDSA), g) a PK method: to be used with 802.15.9 mode IKEv2 (ECDSA) I thought that 7296 would have rolled in the signature-auth work. I want to specify the ECDSA authentication methods. h) ditto above, s/IKEv2/HIP/ i) perhaps a code for using draft-piro-6tisch-security-issues-02 -- I'm unclear how MLE works at this point. That's easy, a placeholder for that option can be added to the YANG model. Is this an option that can be set and read right? 2) a space for an ECDSA PKIX certificate. from 6top's point of view, this is around 300 opaque bytes. We should be transfering DER, not base64 encoded certificates! Is this read only or read/write, write-once? .. Should be exposed so it is queried/modified or is something static that will never change (except for the first time)? 3) a way to indicate if (2) replaces the devices' IDevID, or if it is in fact the LDevID. From a RESTful point of view, it would be best if a POST to (2) returned the URI of the new certificate. It could be a FIFO (so the oldest certificate gets silently dropped), or it could be an error if the device is full. That same RESTful view would then want to get a list of certificates, with the IDevID one being listed, and one could delete it explicitely. ok this can be done too. 4) for the PSK methods, a place to put the PSK. An opaque space of around 128 ytes. Again, we should return a URI, and be able to list them. we might not want to support GET on this resource. idem as before. in YANG we define the placeholder and the access method. 5) the PANID of the production network the PANID is part of the 15.4 PIB. It should be exposed by 6top. 6) "GO" flag. A way to tell the device that provisioning is over, and it should probably restart and join the real network with the real credentials. This is the joining/security state. We may think on a state machine (only Go and Configuring options?) ======= Join Assistant 7) a toggle which enables a node to become a join assistant. This might return an error if the node is incapable or unwilling to do that. Ok, this seems a capability indicator. Could this be a bitmap so we can flag multiple capabilites? 8) a ULA to use to announce in the RA for joining nodes. So 128bits+prefixlen. A device with multiple interfaces should configure different 64-bit prefixes. How this ULA is build? could it be build/defined using 6top information? or it is a completely new element? 9) some details about the enhanced beacon the join ssistant should transmit, which I am not qualified to specify. 10) the well-known beacon key to use for the join network. (Defaulting to "6TISCHJOIN") Ok this requires space in the yang model to store the well-known key. 11) the address of the JCE, for the ACL about who can contact joining nodes. Ok this is a L3 "important" address dictionary that a node should keep. Is this the only address we need to know? PCE? other services in the network? 2014-11-17 20:42 GMT+01:00 Michael Richardson <mcr+ietf@sandelman.ca>: > > These are the things that we need to have for the 6top interface for > joining. > While some craters have shown up in the architecture, some of the details > are > still very solid. I am interested in making the terminology clearer and I > imagine that we have to have some IANA Considerations. > I hope to learn to write these things down in YANG. > > joining node interface: > 1) an enum (registry) saying what kind of network security is to be used. > a) NO_SECURITY = 0 > b) network-wide MIC/key, to be used directly. > c) a network-wide "PSK", to be used with 802.15.9 mode DTLS (DHE_PSK), > unclear to me how broadcast/multicasts are keyed,I hope to read > the 15.9 documents. > d) a network-wide "PSK", to be used with 802.15.9 mode IKEv2 > (Shared key message integrity code. ditto about broadcast) > f) a PK method: to be used with 802.15.9 mode DTLS (ECDSA), > g) a PK method: to be used with 802.15.9 mode IKEv2 (ECDSA) > I thought that 7296 would have rolled in the signature-auth work. > I want to specify the ECDSA authentication methods. > h) ditto above, s/IKEv2/HIP/ > i) perhaps a code for using draft-piro-6tisch-security-issues-02 > -- I'm unclear how MLE works at this point. > > 2) a space for an ECDSA PKIX certificate. from 6top's point of view, this > is > around 300 opaque bytes. We should be transfering DER, not base64 > encoded > certificates! > 3) a way to indicate if (2) replaces the devices' IDevID, or if it is in > fact > the LDevID. From a RESTful point of view, it would be best if a POST > to (2) returned the URI of the new certificate. It could be a FIFO > (so the oldest certificate gets silently dropped), or it could be an > error > if the device is full. > That same RESTful view would then want to get a list of certificates, > with the IDevID one being listed, and one could delete it explicitely. > > 4) for the PSK methods, a place to put the PSK. An opaque space of around > 128 ytes. Again, we should return a URI, and be able to list them. > we might not want to support GET on this resource. > > 5) the PANID of the production network > 6) "GO" flag. > A way to tell the device that provisioning is over, and it should > probably restart and join the real network with the real credentials. > > ======= Join Assistant > > 7) a toggle which enables a node to become a join assistant. > This might return an error if the node is incapable or unwilling to do > that. > > 8) a ULA to use to announce in the RA for joining nodes. So > 128bits+prefixlen. A device with multiple interfaces should configure > different 64-bit prefixes. > > 9) some details about the enhanced beacon the join ssistant should > transmit, > which I am not qualified to specify. > 10) the well-known beacon key to use for the join network. (Defaulting to > "6TISCHJOIN") > 11) the address of the JCE, for the ACL about who can contact joining > nodes. > > -- > ] Never tell me the odds! | ipv6 mesh > networks [ > ] Michael Richardson, Sandelman Software Works | network > architect [ > ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on > rails [ > > > > > > > > > > _______________________________________________ > 6tisch mailing list > 6tisch@ietf.org > https://www.ietf.org/mailman/listinfo/6tisch > >
- [6tisch] CoAP resource management - draft-ietf-6t… Raghuram Sudhaakar (rsudhaak)
- Re: [6tisch] CoAP resource management - draft-iet… Michael Richardson
- Re: [6tisch] CoAP resource management - draft-iet… Carsten Bormann
- Re: [6tisch] CoAP resource management - draft-iet… Raghuram Sudhaakar (rsudhaak)
- Re: [6tisch] CoAP resource management - draft-iet… Michael Richardson
- Re: [6tisch] CoAP resource management - draft-iet… Thomas Watteyne
- Re: [6tisch] CoAP resource management - draft-iet… Pascal Thubert (pthubert)
- [6tisch] 6tisch join requirements for 6top Michael Richardson
- Re: [6tisch] 6tisch join requirements for 6top Xavier Vilajosana
- Re: [6tisch] 6tisch join requirements for 6top Michael Richardson
- [6tisch] 6tisch join requirements for 6top Tero Kivinen
- Re: [6tisch] 6tisch join requirements for 6top Pascal Thubert (pthubert)
- [6tisch] on the fallacy of default keys (was: Re:… Rene Struik
- Re: [6tisch] on the fallacy of default keys (was:… Pascal Thubert (pthubert)
- Re: [6tisch] on the fallacy of default keys Rene Struik
- Re: [6tisch] 6tisch join requirements for 6top Pat Kinney
- Re: [6tisch] 6tisch join requirements for 6top Tero Kivinen
- Re: [6tisch] 6tisch join requirements for 6top Tero Kivinen
- Re: [6tisch] 6tisch join requirements for 6top Pascal Thubert (pthubert)
- Re: [6tisch] 6tisch join requirements for 6top Kris Pister
- Re: [6tisch] 6tisch join requirements for 6top Thomas Watteyne
- Re: [6tisch] 6tisch join requirements for 6top Michael Richardson
- Re: [6tisch] 6tisch join requirements for 6top Michael Richardson
- Re: [6tisch] 6tisch join requirements for 6top Tero Kivinen
- Re: [6tisch] 6tisch join requirements for 6top Tero Kivinen
- [6tisch] emails on 802.15.4 specs Rene Struik
- Re: [6tisch] 6tisch join requirements for 6top Michael Richardson
- Re: [6tisch] 6tisch join requirements for 6top Michael Richardson
- Re: [6tisch] 6tisch join requirements for 6top yoshihiro.ohba
- Re: [6tisch] 6tisch join requirements for 6top Michael Richardson
- Re: [6tisch] 6tisch join requirements for 6top Thomas Watteyne
- Re: [6tisch] 6tisch join requirements for 6top Carsten Bormann
- Re: [6tisch] 6tisch join requirements for 6top Thomas Watteyne
- Re: [6tisch] 6tisch join requirements for 6top Tero Kivinen
- Re: [6tisch] 6tisch join requirements for 6top Tero Kivinen
- Re: [6tisch] 6tisch join requirements for 6top yoshihiro.ohba
- Re: [6tisch] 6tisch join requirements for 6top Michael Richardson
- Re: [6tisch] 6tisch join requirements for 6top dejichen
- Re: [6tisch] 6tisch join requirements for 6top Michael Richardson
- Re: [6tisch] 6tisch join requirements for 6top Thomas Watteyne