Re: [6tisch] [6tisch-security] proposed security text for architecture draft
"Pascal Thubert (pthubert)" <pthubert@cisco.com> Fri, 14 November 2014 18:25 UTC
Return-Path: <pthubert@cisco.com>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6E2761A6F7F; Fri, 14 Nov 2014 10:25:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -12.645
X-Spam-Level:
X-Spam-Status: No, score=-12.645 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, MIME_CHARSET_FARAWAY=2.45, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PI1-x_cKX_sV; Fri, 14 Nov 2014 10:25:12 -0800 (PST)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 142B11A6F68; Fri, 14 Nov 2014 10:25:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5970; q=dns/txt; s=iport; t=1415989512; x=1417199112; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=FwWQ8EwqDuZobD7OWyji0Qjef32bx+R/twZNUigkh3E=; b=Ss/Iej/BghzDnRmiOx/RSiXeIkHku8CgRD9SJvxrw9LG2JkNRfJXvbau wPmOnPaR9is748dDI4VVCnVCh2sAk4CURrW0W1UIqFgy0xA95aSPso0Vr EGqueFVa44Q9f1xBnOCNFbnwLxwm61c8v2nMElyxj6fguAFOD+XsdF7fk s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: Ak0IAJ1HZlStJV2b/2dsb2JhbABRCoMOVVmDBsl1CoZ5VQIcgQAWAQEBAQFyC4QCAQEBAwEBAQEJKDMHCwwEAgEGAhEBAwEBAQQjBQICJQsUAwYIAgQOBRuIHQkNnmKcawiWMQEBAQEBAQEBAQEBAQEBAQEBAQEBARMEgSmMJAGCeA5OBwaCbTqBHgEEkkeMBYE0g1SNaIQKghCBbG2CSwEBAQ
X-IronPort-AV: E=Sophos;i="5.07,387,1413244800"; d="scan'208";a="96722975"
Received: from rcdn-core-4.cisco.com ([173.37.93.155]) by alln-iport-6.cisco.com with ESMTP; 14 Nov 2014 18:25:11 +0000
Received: from xhc-rcd-x07.cisco.com (xhc-rcd-x07.cisco.com [173.37.183.81]) by rcdn-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id sAEIPBbE030957 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Fri, 14 Nov 2014 18:25:11 GMT
Received: from xmb-rcd-x01.cisco.com ([169.254.1.165]) by xhc-rcd-x07.cisco.com ([173.37.183.81]) with mapi id 14.03.0195.001; Fri, 14 Nov 2014 12:25:10 -0600
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: "yoshihiro.ohba@toshiba.co.jp" <yoshihiro.ohba@toshiba.co.jp>
Thread-Topic: [6tisch-security] [6tisch] proposed security text for architecture draft
Thread-Index: AQHP/9Hsmv4jLXPqmkGCw6POgAr77Jxf0IxwgACgdYU=
Date: Fri, 14 Nov 2014 18:25:09 +0000
Message-ID: <976D1F6A-3A48-4BBB-8297-58071788A04E@cisco.com>
References: <20507.1415811045@sandelman.ca> <674F70E5F2BE564CB06B6901FD3DD78B272A8EFA@TGXML210.toshiba.local> <5854.1415835364@sandelman.ca> <674F70E5F2BE564CB06B6901FD3DD78B272A9108@TGXML210.toshiba.local> <29465.1415934436@sandelman.ca> <674F70E5F2BE564CB06B6901FD3DD78B272A988F@TGXML210.toshiba.local> <2187.1415945515@sandelman.ca>, <674F70E5F2BE564CB06B6901FD3DD78B272A9AFF@TGXML210.toshiba.local>
In-Reply-To: <674F70E5F2BE564CB06B6901FD3DD78B272A9AFF@TGXML210.toshiba.local>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/6tisch/lr-cY0ZGdM87rqXp1HPBEuL3UX4
Cc: "mcr+ietf@sandelman.ca" <mcr+ietf@sandelman.ca>, "6tisch@ietf.org" <6tisch@ietf.org>, "6tisch-security@ietf.org" <6tisch-security@ietf.org>
Subject: Re: [6tisch] [6tisch-security] proposed security text for architecture draft
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Nov 2014 18:25:18 -0000
Hello Yoshi: Please see below and many thanks for all this Pascal > Le 13 nov. 2014 ¨¤ 23:50, "yoshihiro.ohba@toshiba.co.jp" <yoshihiro.ohba@toshiba.co.jp> a ¨¦crit : > > Here is main PANA use: > > 1. Creating a PANA SA (based on EAP MSK) between JCE and JN where JCE is PAA, JN is PaC, and JA is PANA relay. > (PANA relay is a stateless relay as described in RFC 6345, and no need for loose source routing or ULA allocation.) On this I respectfully disagree. The IP address of the PaC is not sufficient information to identify the join bundle should there be more than one. This is why RH usually carries ULA or global addresses, with the intention that the prefix indicates the next interface - to your earlier point. But then in a ML subnetwork this is no help whatsoever since multiple interfaces may be on a same subnet. This is where the ULA comes into play; hiding the network ID from untrusted lurkers and yet providing an unequivocal bundle ID. Makes sense? Pascal > > 2. Using the SA to securely distribute locally significant credentials such as a 802.11AR LDevID certificate or a network-wide shared symmetric key, and I am not in favor of the latter though :) > > For 1), existing RADIUS servers can be used if EAP server is a physically separated from PCE box where scalability is needed. EAP-based approach can also support roaming cases where electric vehicles are authenticated via smart meters. > > For 2) we can define new PANA attributes to carry RFC 4210 CertRequest and CertResponse defined by PKIX for distributing 802.11AR LDevID certificate. > > I did not think to use PANA to carry CoAP messages. I think DTLS should be used for protecting CoAP for 6top as being discussed. The DTLS session for CoAP can be established, e.g., by using the locally significant credentials distributed in 2). > > Support for UIM card (via EAP-SIM, EAP-AKA or a new EAP method) would make 6tisch more attractive to cover certain business scenarios. > > Please note that I do not disagree with DTLS-based approach for more resource constrained device (although more work seems to be needed to carry DTLS message between JCE and JN via JA), but we should support multiple options if one solution is difficult to cover all cases. > > Best Regards, > Yoshihiro Ohba > > > -----Original Message----- > From: 6tisch-security [mailto:6tisch-security-bounces@ietf.org] On Behalf Of Michael Richardson > Sent: Friday, November 14, 2014 3:12 PM > To: ohba yoshihiro(´óö ÁxÑó ¡ð£Ò£Ä£Ã¡õ£Î£Ó£Ì) > Cc: 6tisch@ietf.org; 6tisch-security@ietf.org > Subject: Re: [6tisch-security] [6tisch] proposed security text for architecture draft > > > <yoshihiro.ohba@toshiba.co.jp> wrote: >> Use of EAP-TLS and terminating TLS session at AAA server does not mean >> that all parameters have to be coming from AAA server. Especially when >> PANA is used, PAA can be co-located with JCE and provide 6top data over >> a secure PANA SA. Actually this model applies to any EAP method. > > So, we would be creating a masterkey with EAP-TLS, and then we would use PANA as a transport for CoAP? > > I understand why we want to use EAP when we have devices with humans at the far end; > 1) it means the pieces in the middle do not need to know anything about the > kind of authentication will be done > > 2) we can deploy new forms of authentication (such as challenge response > methods, and things like EAP-SIM or EAP-AKA) without changes to the middle > machines. > > 3) we can proxy things all the way back to the users home service, which is > how GSM roaming works these days. > > I'm unaware that industrial/deterministic uses of 15.4 have requirements for ths kind of thing. I seem to recall a conversation about whether or not including a SIM card into nodes would work from a power, size, and cost point of view. Having a replaceable SIM card would definitely be a really easy way to imprint new devices. If someone can do that, then we really don't need any of this... > > -- > Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =- > > > > _______________________________________________ > 6tisch-security mailing list > 6tisch-security@ietf.org > https://www.ietf.org/mailman/listinfo/6tisch-security
- [6tisch] proposed security text for architecture … Michael Richardson
- Re: [6tisch] [6tisch-security] proposed security … Pascal Thubert (pthubert)
- Re: [6tisch] [6tisch-security] proposed security … yoshihiro.ohba
- Re: [6tisch] [6tisch-security] proposed security … Rene Struik
- Re: [6tisch] [6tisch-security] proposed security … Michael Richardson
- Re: [6tisch] [6tisch-security] proposed security … Subir Das
- Re: [6tisch] [6tisch-security] proposed security … Pascal Thubert (pthubert)
- Re: [6tisch] [6tisch-security] proposed security … Michael Richardson
- Re: [6tisch] [6tisch-security] proposed security … Michael Richardson
- [6tisch] (procedural) Re: [6tisch-security] propo… Rene Struik
- Re: [6tisch] [6tisch-security] proposed security … Michael Richardson
- Re: [6tisch] [6tisch-security] proposed security … yoshihiro.ohba
- Re: [6tisch] [6tisch-security] proposed security … Pascal Thubert (pthubert)
- Re: [6tisch] [6tisch-security] proposed security … Michael Richardson
- Re: [6tisch] [6tisch-security] proposed security … Michael Richardson
- Re: [6tisch] [6tisch-security] proposed security … Pascal Thubert (pthubert)
- Re: [6tisch] [6tisch-security] proposed security … Michael Richardson
- Re: [6tisch] [6tisch-security] proposed security … yoshihiro.ohba
- Re: [6tisch] [6tisch-security] proposed security … yoshihiro.ohba
- Re: [6tisch] [6tisch-security] proposed security … Michael Richardson
- Re: [6tisch] [6tisch-security] proposed security … Michael Richardson
- Re: [6tisch] [6tisch-security] proposed security … yoshihiro.ohba
- Re: [6tisch] [6tisch-security] proposed security … Rafa Marin Lopez
- Re: [6tisch] [6tisch-security] proposed security … Subir Das
- Re: [6tisch] [6tisch-security] proposed security … Pascal Thubert (pthubert)
- Re: [6tisch] [6tisch-security] proposed security … yoshihiro.ohba
- Re: [6tisch] [6tisch-security] proposed security … Michael Richardson
- Re: [6tisch] [6tisch-security] proposed security … Michael Richardson
- Re: [6tisch] [6tisch-security] proposed security … Michael Richardson
- Re: [6tisch] [6tisch-security] proposed security … yoshihiro.ohba
- Re: [6tisch] [6tisch-security] proposed security … yoshihiro.ohba
- Re: [6tisch] [6tisch-security] proposed security … Rafa Marin Lopez
- Re: [6tisch] [6tisch-security] proposed security … Michael Richardson
- Re: [6tisch] [6tisch-security] proposed security … yoshihiro.ohba
- Re: [6tisch] [6tisch-security] proposed security … Michael Richardson
- Re: [6tisch] [6tisch-security] proposed security … Michael Richardson
- Re: [6tisch] [6tisch-security] proposed security … yoshihiro.ohba