IETF Logo Mail Archive

Re: [6tisch] 6tisch join requirements for 6top

Xavier Vilajosana <xvilajosana@eecs.berkeley.edu> Tue, 18 November 2014 04:42 UTC

Return-Path: <xvilajosana@gmail.com>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8B6C81A0087 for <6tisch@ietfa.amsl.com>; Mon, 17 Nov 2014 20:42:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.677
X-Spam-Level:
X-Spam-Status: No, score=-0.677 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_51=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RZdzR77G8DuW for <6tisch@ietfa.amsl.com>; Mon, 17 Nov 2014 20:42:54 -0800 (PST)
Received: from mail-wg0-x235.google.com (mail-wg0-x235.google.com [IPv6:2a00:1450:400c:c00::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EF35B1A0083 for <6tisch@ietf.org>; Mon, 17 Nov 2014 20:42:53 -0800 (PST)
Received: by mail-wg0-f53.google.com with SMTP id l18so2967224wgh.40 for <6tisch@ietf.org>; Mon, 17 Nov 2014 20:42:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=yKGRBWGLb1z4XTLEJLNDoJL0InaunZhHrvkQkLuCHsI=; b=laHKEc7H4h7i3xxEY0IHFEhcH8SYTfX5+/CoMxBUBvr40W0cJWEPcXbo9bGTecDG7V vkBx6gF2+h0EtMqpY3abSCMuTQSDqWUuzlk90re0R5vsne0vcImzDygslQuAwtgoFnOb HFBXDmxfNN4BGkqBheaACQGqYFsZevaH+97l9x6FDDQ99wBiTJYW9KjBdy74GrTvNwyA cv7ipfmFG9p24YoijGDFQOD/KQi3qt3PfgZtP2y/dLi3/g9Xkz0BO2fQ6ZgWma3OPTYZ GE8Aznw3eQ3XQWR8URmis3RHZ13izLR9yjCqKyIlX8fm2zUOfvsW3ta+evkFXSI1I76m 7pWA==
MIME-Version: 1.0
X-Received: by 10.194.59.17 with SMTP id v17mr44283wjq.130.1416285772701; Mon, 17 Nov 2014 20:42:52 -0800 (PST)
Sender: xvilajosana@gmail.com
Received: by 10.27.0.193 with HTTP; Mon, 17 Nov 2014 20:42:52 -0800 (PST)
In-Reply-To: <8193.1416253349@sandelman.ca>
References: <D0876D12.C03C%rsudhaak@cisco.com> <32412.1415737868@sandelman.ca> <D087B62D.C081%rsudhaak@cisco.com> <10653.1415740821@sandelman.ca> <CADJ9OA_LFkGDuyG_0bf=07d7cvC9FNRr5cMGTmYw2PR=g9XQHA@mail.gmail.com> <8193.1416253349@sandelman.ca>
Date: Tue, 18 Nov 2014 05:42:52 +0100
X-Google-Sender-Auth: 6MTJ_356UUFBWiVHSZXk7Qsd4I0
Message-ID: <CAMsDxWSzGFUk=3Z7E7=1w81bhxv=pwKdsj1-a2mcr77HOw4_2g@mail.gmail.com>
From: Xavier Vilajosana <xvilajosana@eecs.berkeley.edu>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Content-Type: multipart/alternative; boundary="047d7ba980ac61e68605081abab3"
Archived-At: http://mailarchive.ietf.org/arch/msg/6tisch/jOnYOx-DYhA2POsH47yOKQcTfIM
Cc: "Raghuram Sudhaakar (rsudhaak)" <rsudhaak@cisco.com>, "6tisch@ietf.org" <6tisch@ietf.org>, Robert Moskowitz <rgm@htt-consult.com>, Tero Kivinen <kivinen@iki.fi>
Subject: Re: [6tisch] 6tisch join requirements for 6top
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Nov 2014 04:42:57 -0000

Hi Michael,

I think part of these should go to the 6top interface expressed in YANG
model. Here some comments inline.

thanks!
X

joining node interface:
1) an enum (registry) saying what kind of network security is to be used.
   a) NO_SECURITY = 0
   b) network-wide MIC/key, to be used directly.
   c) a network-wide "PSK", to be used with 802.15.9 mode DTLS (DHE_PSK),
      unclear to me how broadcast/multicasts are keyed,I hope to read
      the 15.9 documents.
   d) a network-wide "PSK", to be used with 802.15.9 mode IKEv2
       (Shared key message integrity code. ditto about broadcast)
   f) a PK method: to be used with 802.15.9 mode DTLS (ECDSA),
   g) a PK method: to be used with 802.15.9 mode IKEv2 (ECDSA)
      I thought that 7296 would have rolled in the signature-auth work.
      I want to specify the ECDSA authentication methods.
   h) ditto above, s/IKEv2/HIP/
   i) perhaps a code for using draft-piro-6tisch-security-issues-02
   -- I'm unclear how MLE works at this point.

That's easy, a placeholder for that option can be added to the YANG model.
Is this an option that can be set and read right?

2) a space for an ECDSA PKIX certificate.  from 6top's point of view, this
is
   around 300 opaque bytes.  We should be transfering DER, not base64
encoded
   certificates!

Is this read only or read/write, write-once? .. Should be exposed so it is
queried/modified or is something static that will never change (except for
the first time)?

3) a way to indicate if (2) replaces the devices' IDevID, or if it is in
fact
   the LDevID.   From a RESTful point of view, it would be best if a POST
   to (2) returned the URI of the new certificate. It could be a FIFO
   (so the oldest certificate gets silently dropped), or it could be an
error
   if the device is full.
   That same RESTful view would then want to get a list of certificates,
   with the IDevID one being listed, and one could delete it explicitely.

ok this can be done too.

4) for the PSK methods, a place to put the PSK. An opaque space of around
   128 ytes. Again, we should return a URI, and be able to list them.
   we might not want to support GET on this resource.

idem as before. in YANG we define the placeholder and the access method.

5) the PANID of the production network

the PANID is part of the 15.4 PIB. It should be exposed by 6top.

6) "GO" flag.
   A way to tell the device that provisioning is over, and it should
   probably restart and join the real network with the real credentials.

This is the joining/security state. We may think on a state machine (only
Go and Configuring options?)

======= Join Assistant

7) a toggle which enables a node to become a join assistant.
   This might return an error if the node is incapable or unwilling to do
   that.

Ok, this seems a capability indicator. Could this be a bitmap so we can
flag multiple capabilites?

8) a ULA to use to announce in the RA for joining nodes.  So
   128bits+prefixlen.  A device with multiple interfaces should configure
   different 64-bit prefixes.

How this ULA is build? could it be build/defined using 6top information? or
it is a completely new element?

9) some details about the enhanced beacon the join ssistant should transmit,
   which I am not qualified to specify.
10) the well-known beacon key to use for the join network. (Defaulting to
   "6TISCHJOIN")

Ok this requires space in the yang model to store the well-known key.

11) the address of the JCE, for the ACL about who can contact joining nodes.

Ok this is a L3 "important" address dictionary that a node should keep. Is
this the only address we need to know? PCE? other services in the network?

2014-11-17 20:42 GMT+01:00 Michael Richardson <mcr+ietf@sandelman.ca>:

>
> These are the things that we need to have for the 6top interface for
> joining.
> While some craters have shown up in the architecture, some of the details
> are
> still very solid. I am interested in making the terminology clearer and I
> imagine that we have to have some IANA Considerations.
> I hope to learn to write these things down in YANG.
>
> joining node interface:
> 1) an enum (registry) saying what kind of network security is to be used.
>    a) NO_SECURITY = 0
>    b) network-wide MIC/key, to be used directly.
>    c) a network-wide "PSK", to be used with 802.15.9 mode DTLS (DHE_PSK),
>       unclear to me how broadcast/multicasts are keyed,I hope to read
>       the 15.9 documents.
>    d) a network-wide "PSK", to be used with 802.15.9 mode IKEv2
>        (Shared key message integrity code. ditto about broadcast)
>    f) a PK method: to be used with 802.15.9 mode DTLS (ECDSA),
>    g) a PK method: to be used with 802.15.9 mode IKEv2 (ECDSA)
>       I thought that 7296 would have rolled in the signature-auth work.
>       I want to specify the ECDSA authentication methods.
>    h) ditto above, s/IKEv2/HIP/
>    i) perhaps a code for using draft-piro-6tisch-security-issues-02
>    -- I'm unclear how MLE works at this point.
>
> 2) a space for an ECDSA PKIX certificate.  from 6top's point of view, this
> is
>    around 300 opaque bytes.  We should be transfering DER, not base64
> encoded
>    certificates!
> 3) a way to indicate if (2) replaces the devices' IDevID, or if it is in
> fact
>    the LDevID.   From a RESTful point of view, it would be best if a POST
>    to (2) returned the URI of the new certificate. It could be a FIFO
>    (so the oldest certificate gets silently dropped), or it could be an
> error
>    if the device is full.
>    That same RESTful view would then want to get a list of certificates,
>    with the IDevID one being listed, and one could delete it explicitely.
>
> 4) for the PSK methods, a place to put the PSK. An opaque space of around
>    128 ytes. Again, we should return a URI, and be able to list them.
>    we might not want to support GET on this resource.
>
> 5) the PANID of the production network
> 6) "GO" flag.
>    A way to tell the device that provisioning is over, and it should
>    probably restart and join the real network with the real credentials.
>
> ======= Join Assistant
>
> 7) a toggle which enables a node to become a join assistant.
>    This might return an error if the node is incapable or unwilling to do
>    that.
>
> 8) a ULA to use to announce in the RA for joining nodes.  So
>    128bits+prefixlen.  A device with multiple interfaces should configure
>    different 64-bit prefixes.
>
> 9) some details about the enhanced beacon the join ssistant should
> transmit,
>    which I am not qualified to specify.
> 10) the well-known beacon key to use for the join network. (Defaulting to
>    "6TISCHJOIN")
> 11) the address of the JCE, for the ACL about who can contact joining
> nodes.
>
> --
> ]               Never tell me the odds!                 | ipv6 mesh
> networks [
> ]   Michael Richardson, Sandelman Software Works        | network
> architect  [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on
> rails    [
>
>
>
>
>
>
>
>
>
> _______________________________________________
> 6tisch mailing list
> 6tisch@ietf.org
> https://www.ietf.org/mailman/listinfo/6tisch
>
>

v2.23.0 | Report a Bug | By Email