IETF Logo Mail Archive

Re: [6tisch] Tagging join traffic

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Wed, 29 November 2017 06:04 UTC

Return-Path: <pthubert@cisco.com>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5C941292D3 for <6tisch@ietfa.amsl.com>; Tue, 28 Nov 2017 22:04:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.52
X-Spam-Level:
X-Spam-Status: No, score=-14.52 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ikw6LHhbkP7u for <6tisch@ietfa.amsl.com>; Tue, 28 Nov 2017 22:04:25 -0800 (PST)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74B5F127601 for <6tisch@ietf.org>; Tue, 28 Nov 2017 22:04:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=15641; q=dns/txt; s=iport; t=1511935465; x=1513145065; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=R205OP4aiFQ7Z4qRCVpxcEoEcP+TFtVlPFzYRqFH6zQ=; b=PV8Cz6wHX7U+t8wHtNbweN7JOaCJotjbmdEDZLw415T3OYJZ+qxmcVkd fXE8otDeNGLBibZuMDwinxWtS+kOEC5698V6ul+VGwvAyZkbdLIGFKlFv +xuEshfjN0Ti7vQbvaIthOHT5uTFeFqobXxAz8PaMQ7ciK6sy/di80DHJ 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0A1AQBvTR5a/4kNJK1cGQEBAQEBAQEBAQEBAQcBAQEBAYM8Zm4ng3+KII8ZgVeRUIVKghEKGAEOgVqCa08CGoRsPxgBAQEBAQEBAQFrKIUgAgEDAQEhNhULEAIBCD8DAgICJQsUEQIEDgWJPmQQpkyCJ4poAQEBAQEBAQEBAQEBAQEBAQEBAQEBGAWDPYIJgVaBaSkLgneINDGCMgWiTQKHcYNqiTCTUYx5iRwCERkBgTkBHzmBUW8VOioBgX5fg3Z3iiQBAQE
X-IronPort-AV: E=Sophos; i="5.44,471,1505779200"; d="scan'208,217"; a="37732621"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 29 Nov 2017 06:04:24 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by alln-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id vAT64O74021382 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 29 Nov 2017 06:04:24 GMT
Received: from xch-rcd-001.cisco.com (173.37.102.11) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Wed, 29 Nov 2017 00:04:23 -0600
Received: from xch-rcd-001.cisco.com ([173.37.102.11]) by XCH-RCD-001.cisco.com ([173.37.102.11]) with mapi id 15.00.1320.000; Wed, 29 Nov 2017 00:04:23 -0600
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: 6tisch <6tisch@ietf.org>, Mališa Vučinić <malisa.vucinic@inria.fr>
Thread-Topic: [6tisch] Tagging join traffic
Thread-Index: AQHTaLF7E2ujmh4ii0yUSL5NU9NmLKMq3muQ
Date: Wed, 29 Nov 2017 06:04:23 +0000
Message-ID: <D28EDD34-A92B-4853-8245-65DEA62697D3@cisco.com>
References: <07BA1D2B-2546-4E7B-B722-0CCE1E395BEE@inria.fr> <5691.1509986797@dooku.sandelman.ca>,<7888.1511918950@obiwan.sandelman.ca>
In-Reply-To: <7888.1511918950@obiwan.sandelman.ca>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
Content-Type: multipart/alternative; boundary="_000_D28EDD34A92B4853824565DEA62697D3ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/q80gxSXrJhx8jLP7lQuJYWVqEqw>
Subject: Re: [6tisch] Tagging join traffic
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Nov 2017 06:04:28 -0000

Hello Michael :

I’m quite happy with most of your proposal.

Yet not sure the MAY on the return path is a good idea. Either make it a SHOULD or a no no. Otherwise we do not know what to expect in a given network with mixed implementations.

I think that it is actually an important traffic now that security checks were done. More so than some data from a sensor. It is probably still a good idea to tag this packet and the rest of the join but not with AF43. We want to favor it over data else the network will never come up...

Makes sense?

Pascal

Le 29 nov. 2017 à 02:29, Michael Richardson <mcr+ietf@sandelman.ca<mailto:mcr+ietf@sandelman.ca>> a écrit :


Michael Richardson <mcr+ietf@sandelman.ca<mailto:mcr+ietf@sandelman.ca>> wrote:
To be specific, I think that the JP should set the DSCP bits in the packet
as per rfc2597 section 6, we want AF43 (0b100110).

https://bitbucket.org/6tisch/draft-ietf-6tisch-minimal-security/pull-requests/4/join-traffic-marking/diff

The specific text is below.  Maybe it should be 5.2 rather than 5.1.1?

5.1.1.  Identification of Join Request Traffic

  The Join traffic that is proxied by the Join Traffic comes from
  unauthenticated nodes, and there may be an arbitrary amount of it.
  In particular an attacker may send fraudulent traffic in attempt to
  overwhelm the network.

  When operating as part of a [RFC8180] 6tisch minimal network using
  reasonable scheduling algorithms, the join traffic present may cause
  intermediate nodes to request additional bandwidth.  An attacker
  could use this property to cause the network to overcommit bandwidth
  (and energy) to the join process.

  The Join Proxy is aware of what traffic is join traffic as it
  received it on an insecured interface, and so can avoid allocating
  additional bandwidth itself.  Join Proxies SHOULD implement a
  bandwidth cap on join traffic.  This cap will not protect
  intermediate nodes as they can not tell join traffic from regular
  traffic.  Despite the bandwidth cap implemented seperately on each
  Join Proxy, the aggregate join traffic from many Join Proxies may
  cause intermediate nodes to decode to allocate additional cells.  It
  is undesirable to to do in response to the Join Request traffic.  In
  order to permit the intermediate nodes to avoid this the traffic
  needs to be tagged in some way.

  [RFC2597] defines a set of Per-Hop Behaviours that may be encoded
  into the Diffserv Code Points.  The code point AF43 ([RFC2597]
  section 6) of 0b100110 has the right properties.  The Join Proxy
  SHOULD set the DCSP of packets that produces as part of the relay
  process.

  Join Proxy that do not set the DCSP on traffic forwarded should set
  it to zero so that it will be compressed out.

  Intermediate nodes SHOULD NOT allocate additional cells as a result
  of traffic with code point AF43.

5.1.2.  Identification of Join Response Traffic

  Join Response traffic from the JRC to the proxy (and hence to the
  pledge) MAY be marked with a DCSP code AF43.

  When the JRC is not co-located with the DODAG root (6LBR), then the
  code point provides a clear indication to the 6LBR that this is join
  traffic.  There are other mechanisms that the 6LBR could use, in
  particular it could use an ACL to recognize the join traffic.

  Due to the tree structure of the DODAG, the cells immediately below
  the 6LBR are often the most congested, and from that point down there
  is progressively less (or equal) congestion.  If the 6LBR paces
  itself when sending join response traffic then it ought to never
  exceed the bandwidth allocated to the best effort traffic cells.  If
  the 6LBR has the capacity (if it is not constrained) then it should
  therefore provide some buffers in order to satisfy the Assured
  Forwarding behaviour.  Note that too many buffers are considered
  dangerous, see [RFC7567].







--
Michael Richardson <mcr+IETF@sandelman.ca<mailto:mcr+IETF@sandelman.ca>>, Sandelman Software Works
-= IPv6 IoT consulting =-



_______________________________________________
6tisch mailing list
6tisch@ietf.org<mailto:6tisch@ietf.org>
https://www.ietf.org/mailman/listinfo/6tisch

v2.23.0 | Report a Bug | By Email