IETF Logo Mail Archive

Re: [6tisch] [6tisch-security] proposed security text for architecture draft

Rafa Marin Lopez <rafa@um.es> Fri, 14 November 2014 11:31 UTC

Return-Path: <rafa@um.es>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 98C111A890A; Fri, 14 Nov 2014 03:31:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.795
X-Spam-Level:
X-Spam-Status: No, score=-4.795 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yR0UE9ULtljw; Fri, 14 Nov 2014 03:31:36 -0800 (PST)
Received: from xenon24.um.es (xenon24.um.es [155.54.212.164]) by ietfa.amsl.com (Postfix) with ESMTP id 7154B1A878C; Fri, 14 Nov 2014 03:31:36 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by xenon24.um.es (Postfix) with ESMTP id ED92ECC88; Fri, 14 Nov 2014 12:31:33 +0100 (CET)
X-Virus-Scanned: by antispam in UMU at xenon24.um.es
Received: from xenon24.um.es ([127.0.0.1]) by localhost (xenon24.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id Gorap-zEVJrJ; Fri, 14 Nov 2014 12:31:33 +0100 (CET)
Received: from [192.168.1.42] (18.Red-81-39-160.dynamicIP.rima-tde.net [81.39.160.18]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: rafa) by xenon24.um.es (Postfix) with ESMTPSA id 518F4A69; Fri, 14 Nov 2014 12:31:29 +0100 (CET)
Content-Type: text/plain; charset="iso-2022-jp-2"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Rafa Marin Lopez <rafa@um.es>
In-Reply-To: <674F70E5F2BE564CB06B6901FD3DD78B272A9AFF@TGXML210.toshiba.local>
Date: Fri, 14 Nov 2014 12:31:29 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <C75D9F2A-664D-4245-8977-08B3BAD14AAA@um.es>
References: <20507.1415811045@sandelman.ca> <674F70E5F2BE564CB06B6901FD3DD78B272A8EFA@TGXML210.toshiba.local> <5854.1415835364@sandelman.ca> <674F70E5F2BE564CB06B6901FD3DD78B272A9108@TGXML210.toshiba.local> <29465.1415934436@sandelman.ca> <674F70E5F2BE564CB06B6901FD3DD78B272A988F@TGXML210.toshiba.local> <2187.1415945515@sandelman.ca> <674F70E5F2BE564CB06B6901FD3DD78B272A9AFF@TGXML210.toshiba.local>
To: yoshihiro.ohba@toshiba.co.jp
X-Mailer: Apple Mail (2.1878.6)
Archived-At: http://mailarchive.ietf.org/arch/msg/6tisch/m1MVrvYpWhpBVYoevtIkk6aTajc
Cc: mcr+ietf@sandelman.ca, 6tisch@ietf.org, 6tisch-security@ietf.org, Rafa Marin Lopez <rafa@um.es>
Subject: Re: [6tisch] [6tisch-security] proposed security text for architecture draft
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Nov 2014 11:31:39 -0000

Hi Yoshi:

I think this is a reasonable architecture for security, which would cover several important use cases in my opinion. Some comments inline...

El 14/11/2014, a las 10:50, <yoshihiro.ohba@toshiba.co.jp> <yoshihiro.ohba@toshiba.co.jp> escribió:

> Here is main PANA use:
> 
> 1. Creating a PANA SA (based on EAP MSK) between JCE and JN where JCE is PAA, JN is PaC, and JA is PANA relay.
> (PANA relay is a stateless relay as described in RFC 6345, and no need for loose source routing or ULA allocation.)
> 
> 2. Using the SA to securely distribute locally significant credentials such as a 802.11AR LDevID certificate or a network-wide shared symmetric key, and I am not in favor of the latter though :) 
> 
> For 1), existing RADIUS servers can be used if EAP server is a physically separated from PCE box where scalability is needed.  EAP-based approach can also support roaming cases where electric vehicles are authenticated via smart meters.

Not only RADIUS but also Diameter which is, by the way, widely used to support many users in 3G,4G networks.

> 
> For 2) we can define new PANA attributes to carry RFC 4210 CertRequest and CertResponse defined by PKIX for distributing 802.11AR LDevID certificate.

+1 

> 
> I did not think to use PANA to carry CoAP messages. I think DTLS should be used for protecting CoAP for 6top as being discussed.  The DTLS session for CoAP can be established, e.g., by using the locally significant credentials distributed in 2).

Perhaps for very small deployments a pre-installed PSK could be used for DTLS (as happens with WPA2-PSK) but certainly it is not scalable.

> 
> Support for UIM card (via EAP-SIM, EAP-AKA or a new EAP method) would make 6tisch more attractive to cover  certain business scenarios.

This is related with my comment about 3g,4g networks.
> 
> Please note that I do not disagree with DTLS-based approach for more resource constrained device (although more work seems to be needed to carry DTLS message between JCE and JN via JA), but we should support multiple options if one solution is difficult to cover all cases.

+1

Best Regards.

>  
> 
> Best Regards,
> Yoshihiro Ohba
> 
> 
> -----Original Message-----
> From: 6tisch-security [mailto:6tisch-security-bounces@ietf.org] On Behalf Of Michael Richardson
> Sent: Friday, November 14, 2014 3:12 PM
> To: ohba yoshihiro(大場 義洋 ○RDC□NSL)
> Cc: 6tisch@ietf.org; 6tisch-security@ietf.org
> Subject: Re: [6tisch-security] [6tisch] proposed security text for architecture draft
> 
> 
> <yoshihiro.ohba@toshiba.co.jp> wrote:
>> Use of EAP-TLS and terminating TLS session at AAA server does not mean
>> that all parameters have to be coming from AAA server.  Especially when
>> PANA is used, PAA can be co-located with JCE and provide 6top data over
>> a secure PANA SA.  Actually this model applies to any EAP method.
> 
> So, we would be creating a masterkey with EAP-TLS, and then we would use PANA as a transport for CoAP?
> 
> I understand why we want to use EAP when we have devices with humans at the far end;
> 1) it means the pieces in the middle do not need to know anything about the
>   kind of authentication will be done
> 
> 2) we can deploy new forms of authentication (such as challenge response
>   methods, and things like EAP-SIM or EAP-AKA) without changes to the middle
>   machines.
> 
> 3) we can proxy things all the way back to the users home service, which is 
>   how GSM roaming works these days.
> 
> I'm unaware that industrial/deterministic uses of 15.4 have requirements for ths kind of thing.  I seem to recall a conversation about whether or not including a SIM card into nodes would work from a power, size, and cost point of view.  Having a replaceable SIM card would definitely be a really easy way to imprint new devices.  If someone can do that, then we really don't need any of this... 
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -= IPv6 IoT consulting =-
> 
> 
> 
> _______________________________________________
> 6tisch mailing list
> 6tisch@ietf.org
> https://www.ietf.org/mailman/listinfo/6tisch

-------------------------------------------------------
Rafael Marin Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
-------------------------------------------------------

v2.39.1 | Report a Bug | By Email | System Status