Re: [6tisch] [6tisch-security] proposed security text for architecture draft
<yoshihiro.ohba@toshiba.co.jp> Fri, 14 November 2014 03:26 UTC
From: yoshihiro.ohba@toshiba.co.jp
To: mcr+ietf@sandelman.ca
Thread-Topic: [6tisch] [6tisch-security] proposed security text for architecture draft
Thread-Index: AQHP/7ggnmszuPai2ke5o8rzw2udIpxfct+A
Date: Fri, 14 Nov 2014 03:26:24 +0000
Message-ID: <674F70E5F2BE564CB06B6901FD3DD78B272A988F@TGXML210.toshiba.local>
References: <20507.1415811045@sandelman.ca> <674F70E5F2BE564CB06B6901FD3DD78B272A8EFA@TGXML210.toshiba.local> <5854.1415835364@sandelman.ca> <674F70E5F2BE564CB06B6901FD3DD78B272A9108@TGXML210.toshiba.local> <29465.1415934436@sandelman.ca>
In-Reply-To: <29465.1415934436@sandelman.ca>
Archived-At: http://mailarchive.ietf.org/arch/msg/6tisch/jdbg_d2B7bWQZPgpcj79N8ac648
Cc: 6tisch@ietf.org, 6tisch-security@ietf.org
Michael,

Use of EAP-TLS and terminating the TLS session at the AAA server does not mean that all parameters have to be coming from the AAA server. Especially when PANA is used, the PAA can be co-located with the JCE and provide 6top data over a secure PANA SA. Actually this model applies to any EAP method.

Also, use of PANA with the relay function neither requires a routable solution such as loose source routing to convey authentication messages between the JCE and the JN, nor requires a per-JN state on the JA.

Regards,
Yoshihiro Ohba

-----Original Message-----
From: mcr@sandelman.ca [mailto:mcr@sandelman.ca] On Behalf Of Michael Richardson
Sent: Friday, November 14, 2014 12:07 PM
To: ohba yoshihiro (大場 義洋 ○RDC□NSL)
Cc: 6tisch@ietf.org; 6tisch-security@ietf.org
Subject: Re: [6tisch] [6tisch-security] proposed security text for architecture draft

{Please note that I am very familiar with EAP mechanisms, and I wrote EAP-SIM for Freeradius a decade ago, when the document was going through many changes}

<yoshihiro.ohba@toshiba.co.jp> wrote:
> Regarding EAP method, I mentioned EAP-TLS. EAP-TLS works for both
> certificate-based authentication and pre-shared key based
> authentication (EAP-TLS-PSK) without EAP tunneling method such as
> EAP-TTLS. In the latter case, TLS session is typically terminated at
> AAA server.

But, since the EAP-TLS session terminates at the AAA server, all of the communications that we want to do (the 6top data) would have to come from the AAA server. That means installing all of the 6top/DTLS/CoAP code into the radius server. (That's because the EAP-TLS is between the AAA (radius) server and the joining node.)

Is that really what you want to do?

What other things would the AAA server provide to the joining node? Are you thinking about various kinds of group policies, etc?

--
] Never tell me the odds!                     | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect  [
] mcr@sandelman.ca http://www.sandelman.ca/    | ruby on rails      [