Re: [6tisch] Roman Danyliw's No Objection on draft-ietf-6tisch-architecture-24: (with COMMENT)

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Fri, 23 August 2019 07:37 UTC

From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>
CC: "draft-ietf-6tisch-architecture@ietf.org" <draft-ietf-6tisch-architecture@ietf.org>, "6tisch-chairs@ietf.org" <6tisch-chairs@ietf.org>, "shwetha.bhandari@gmail.com" <shwetha.bhandari@gmail.com>, "6tisch@ietf.org" <6tisch@ietf.org>
Date: Fri, 23 Aug 2019 07:37:12 +0000
Message-ID: <MN2PR11MB3565B5B6DF1A071413229DFCD8A40@MN2PR11MB3565.namprd11.prod.outlook.com>
References: <156523837973.8301.2864865066450595993.idtracker@ietfa.amsl.com> <MN2PR11MB3565FC066DB6EB01DA5E30F1D8A50@MN2PR11MB3565.namprd11.prod.outlook.com> <359EC4B99E040048A7131E0F4E113AFC01B343BFC0@marathon>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC01B343BFC0@marathon>
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/qzLOgSKfDorShT7PPgJHo0L8EJE>
Subject: Re: [6tisch] Roman Danyliw's No Objection on draft-ietf-6tisch-architecture-24: (with COMMENT)
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>

Hello Roman:

I elided the pieces where we are in sync.

> > > ** Section 6.  Per “Section 9 of [RFC8453] applies equally to
> > > 6TiSCH”, this reference organizes threats and mitigations around the
> > > CMI and MPI interfaces.
> > > What is the analog to those in this architecture?
> >
> > PT> This is the same parallel as done in the DetNet architecture from
> > which this is inherited, using the same reference.
> > The security issues that arise when a centralized control is separate
> > from the forwarding plane are similar: rogue access to one of the
> > components, and attacks on the connectivity on the control path,
> > including interception, blackholing or latency injection.
> > I can remove the reference and replace it with text like the above; please advise.
> > In parallel, please consider the security section of the DetNet
> > architecture; it is in AUTH48 but still changeable.
> 
> I would recommend taking a hybrid approach.  I think it's worth making the
> more specific statement you propose but also citing that the more general
> version of this consideration comes from [RFC8453].
> 

PT> I caught that hint and gave it a try in 25, which is already a change in that direction:

   As with DetNet in general, the communication with the PCE must be
   secured and should be protected against DoS attacks, including delay
   injection and blackholing attacks, and secured as discussed in the
   security considerations defined for Abstraction and Control of
   Traffic Engineered Networks (ACTN) in Section 9 of [RFC8453], which
   applies equally to DetNet and 6TiSCH.  In a similar manner, the
   communication with the JRC must be secured and should be protected
   against DoS attacks when possible. 

PT> I'm happy to modify it deeper in 26, and would appreciate a suggestion : )

Many thanks again!

Pascal