Re: [6tisch] Tagging join traffic
"Pascal Thubert (pthubert)" <pthubert@cisco.com> Wed, 29 November 2017 06:04 UTC
Return-Path: <pthubert@cisco.com>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E5C941292D3 for <6tisch@ietfa.amsl.com>; Tue, 28 Nov 2017 22:04:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.52
X-Spam-Level:
X-Spam-Status: No, score=-14.52 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ikw6LHhbkP7u for <6tisch@ietfa.amsl.com>; Tue, 28 Nov 2017 22:04:25 -0800 (PST)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com [173.37.142.88]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 74B5F127601 for <6tisch@ietf.org>; Tue, 28 Nov 2017 22:04:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=15641; q=dns/txt; s=iport; t=1511935465; x=1513145065; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=R205OP4aiFQ7Z4qRCVpxcEoEcP+TFtVlPFzYRqFH6zQ=; b=PV8Cz6wHX7U+t8wHtNbweN7JOaCJotjbmdEDZLw415T3OYJZ+qxmcVkd fXE8otDeNGLBibZuMDwinxWtS+kOEC5698V6ul+VGwvAyZkbdLIGFKlFv +xuEshfjN0Ti7vQbvaIthOHT5uTFeFqobXxAz8PaMQ7ciK6sy/di80DHJ 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0A1AQBvTR5a/4kNJK1cGQEBAQEBAQEBAQEBAQcBAQEBAYM8Zm4ng3+KII8ZgVeRUIVKghEKGAEOgVqCa08CGoRsPxgBAQEBAQEBAQFrKIUgAgEDAQEhNhULEAIBCD8DAgICJQsUEQIEDgWJPmQQpkyCJ4poAQEBAQEBAQEBAQEBAQEBAQEBAQEBGAWDPYIJgVaBaSkLgneINDGCMgWiTQKHcYNqiTCTUYx5iRwCERkBgTkBHzmBUW8VOioBgX5fg3Z3iiQBAQE
X-IronPort-AV: E=Sophos; i="5.44,471,1505779200"; d="scan'208,217"; a="37732621"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 29 Nov 2017 06:04:24 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by alln-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id vAT64O74021382 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 29 Nov 2017 06:04:24 GMT
Received: from xch-rcd-001.cisco.com (173.37.102.11) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Wed, 29 Nov 2017 00:04:23 -0600
Received: from xch-rcd-001.cisco.com ([173.37.102.11]) by XCH-RCD-001.cisco.com ([173.37.102.11]) with mapi id 15.00.1320.000; Wed, 29 Nov 2017 00:04:23 -0600
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: 6tisch <6tisch@ietf.org>, Mališa Vučinić <malisa.vucinic@inria.fr>
Thread-Topic: [6tisch] Tagging join traffic
Thread-Index: AQHTaLF7E2ujmh4ii0yUSL5NU9NmLKMq3muQ
Date: Wed, 29 Nov 2017 06:04:23 +0000
Message-ID: <D28EDD34-A92B-4853-8245-65DEA62697D3@cisco.com>
References: <07BA1D2B-2546-4E7B-B722-0CCE1E395BEE@inria.fr> <5691.1509986797@dooku.sandelman.ca>,<7888.1511918950@obiwan.sandelman.ca>
In-Reply-To: <7888.1511918950@obiwan.sandelman.ca>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
Content-Type: multipart/alternative; boundary="_000_D28EDD34A92B4853824565DEA62697D3ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/q80gxSXrJhx8jLP7lQuJYWVqEqw>
Subject: Re: [6tisch] Tagging join traffic
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Nov 2017 06:04:28 -0000
Hello Michael : I’m quite happy with most of your proposal. Yet not sure the MAY on the return path is a good idea. Either make it a SHOULD or a no no. Otherwise we do not know what to expect in a given network with mixed implementations. I think that it is actually an important traffic now that security checks were done. More so than some data from a sensor. It is probably still a good idea to tag this packet and the rest of the join but not with AF43. We want to favor it over data else the network will never come up... Makes sense? Pascal Le 29 nov. 2017 à 02:29, Michael Richardson <mcr+ietf@sandelman.ca<mailto:mcr+ietf@sandelman.ca>> a écrit : Michael Richardson <mcr+ietf@sandelman.ca<mailto:mcr+ietf@sandelman.ca>> wrote: To be specific, I think that the JP should set the DSCP bits in the packet as per rfc2597 section 6, we want AF43 (0b100110). https://bitbucket.org/6tisch/draft-ietf-6tisch-minimal-security/pull-requests/4/join-traffic-marking/diff The specific text is below. Maybe it should be 5.2 rather than 5.1.1? 5.1.1. Identification of Join Request Traffic The Join traffic that is proxied by the Join Traffic comes from unauthenticated nodes, and there may be an arbitrary amount of it. In particular an attacker may send fraudulent traffic in attempt to overwhelm the network. When operating as part of a [RFC8180] 6tisch minimal network using reasonable scheduling algorithms, the join traffic present may cause intermediate nodes to request additional bandwidth. An attacker could use this property to cause the network to overcommit bandwidth (and energy) to the join process. The Join Proxy is aware of what traffic is join traffic as it received it on an insecured interface, and so can avoid allocating additional bandwidth itself. Join Proxies SHOULD implement a bandwidth cap on join traffic. This cap will not protect intermediate nodes as they can not tell join traffic from regular traffic. Despite the bandwidth cap implemented seperately on each Join Proxy, the aggregate join traffic from many Join Proxies may cause intermediate nodes to decode to allocate additional cells. It is undesirable to to do in response to the Join Request traffic. In order to permit the intermediate nodes to avoid this the traffic needs to be tagged in some way. [RFC2597] defines a set of Per-Hop Behaviours that may be encoded into the Diffserv Code Points. The code point AF43 ([RFC2597] section 6) of 0b100110 has the right properties. The Join Proxy SHOULD set the DCSP of packets that produces as part of the relay process. Join Proxy that do not set the DCSP on traffic forwarded should set it to zero so that it will be compressed out. Intermediate nodes SHOULD NOT allocate additional cells as a result of traffic with code point AF43. 5.1.2. Identification of Join Response Traffic Join Response traffic from the JRC to the proxy (and hence to the pledge) MAY be marked with a DCSP code AF43. When the JRC is not co-located with the DODAG root (6LBR), then the code point provides a clear indication to the 6LBR that this is join traffic. There are other mechanisms that the 6LBR could use, in particular it could use an ACL to recognize the join traffic. Due to the tree structure of the DODAG, the cells immediately below the 6LBR are often the most congested, and from that point down there is progressively less (or equal) congestion. If the 6LBR paces itself when sending join response traffic then it ought to never exceed the bandwidth allocated to the best effort traffic cells. If the 6LBR has the capacity (if it is not constrained) then it should therefore provide some buffers in order to satisfy the Assured Forwarding behaviour. Note that too many buffers are considered dangerous, see [RFC7567]. -- Michael Richardson <mcr+IETF@sandelman.ca<mailto:mcr+IETF@sandelman.ca>>, Sandelman Software Works -= IPv6 IoT consulting =- _______________________________________________ 6tisch mailing list 6tisch@ietf.org<mailto:6tisch@ietf.org> https://www.ietf.org/mailman/listinfo/6tisch
- [6tisch] Tagging join traffic Mališa Vučinić
- Re: [6tisch] Tagging join traffic Michael Richardson
- Re: [6tisch] Tagging join traffic Thomas Watteyne
- Re: [6tisch] Tagging join traffic Thomas Watteyne
- Re: [6tisch] Tagging join traffic Mališa Vučinić
- Re: [6tisch] Tagging join traffic Thomas Watteyne
- Re: [6tisch] Tagging join traffic Michael Richardson
- Re: [6tisch] Tagging join traffic Michael Richardson
- Re: [6tisch] Tagging join traffic Thomas Watteyne
- Re: [6tisch] Tagging join traffic Pascal Thubert (pthubert)
- Re: [6tisch] Tagging join traffic Thomas Watteyne
- Re: [6tisch] Tagging join traffic Pascal Thubert (pthubert)
- Re: [6tisch] Tagging join traffic Thomas Watteyne
- Re: [6tisch] Tagging join traffic Michael Richardson
- Re: [6tisch] Tagging join traffic Thomas Watteyne
- Re: [6tisch] Tagging join traffic Michael Richardson
- Re: [6tisch] Tagging join traffic Pascal Thubert (pthubert)
- Re: [6tisch] Tagging join traffic Michael Richardson
- Re: [6tisch] Tagging join traffic Michael Richardson
- Re: [6tisch] Tagging join traffic Pascal Thubert (pthubert)
- Re: [6tisch] Tagging join traffic Michael Richardson
- Re: [6tisch] Tagging join traffic Mališa Vučinić
- Re: [6tisch] Tagging join traffic Pascal Thubert (pthubert)
- Re: [6tisch] Tagging join traffic Mališa Vučinić
- Re: [6tisch] Tagging join traffic Pascal Thubert (pthubert)
- Re: [6tisch] Tagging join traffic Mališa Vučinić
- Re: [6tisch] Tagging join traffic Pascal Thubert (pthubert)
- Re: [6tisch] Tagging join traffic Michael Richardson
- Re: [6tisch] Tagging join traffic Mališa Vučinić
- Re: [6tisch] Tagging join traffic Mališa Vučinić
- Re: [6tisch] Tagging join traffic Michael Richardson
- Re: [6tisch] Tagging join traffic Mališa Vučinić
- Re: [6tisch] Tagging join traffic Michael Richardson