Re: [6tisch] Iotdir early review of draft-ietf-6tisch-6top-protocol-09
Xavi Vilajosana Guillen <xvilajosana@uoc.edu> Thu, 01 March 2018 11:50 UTC
Return-Path: <xvilajosana@uoc.edu>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC88F12E055 for <6tisch@ietfa.amsl.com>; Thu, 1 Mar 2018 03:50:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=uoc.edu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Z2oEdVB3Zp4L for <6tisch@ietfa.amsl.com>; Thu, 1 Mar 2018 03:50:35 -0800 (PST)
Received: from mail-qt0-x241.google.com (mail-qt0-x241.google.com [IPv6:2607:f8b0:400d:c0d::241]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3637F127909 for <6tisch@ietf.org>; Thu, 1 Mar 2018 03:50:35 -0800 (PST)
Received: by mail-qt0-x241.google.com with SMTP id j4so7087814qth.8 for <6tisch@ietf.org>; Thu, 01 Mar 2018 03:50:34 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=uoc.edu; s=google; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=637LawZOYetB7A2lv2dOfd0NrMiQwNm94TnUrSK5J2k=; b=IKKQak26ElJrWbcei12UUphTy1BQIS3R7J0Dqrs4sMtbbZQcCSEYO/P86zLXZY4Gu7 5hL5rxCgvglVK/Vr3rId+UnfyuU0qoztvyeyowvdzsQBiRAhVtaT2Y8MmTeMfuoQnUdI EJrg2W2FevJosqT26KyYtESVIeNOYEmy3XVio=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=637LawZOYetB7A2lv2dOfd0NrMiQwNm94TnUrSK5J2k=; b=P4LgEU27C571VFvB1aFGRMBkfJvA5aPIvcGtaNuSdHU+rScryTbQWd9Zi/FDVN9BVr NeEBTSx7jv1eacV3wdz7g6lFFY+gII1keJtS/5cpjC+ZuFKJskdsFP6LDzRj+dUDi/c7 OAF1r5c97TcThQtLpnSaR45YKyKJ/cnECCq3f1FKMDoYAEYNSIAoQj0BsshEDyMj9LN1 +Ny1J7mB35NnVP+z0JcgRk2h783EgP0qxTg/bHmEw/32BRrW81i1BrkfP1GFbwH1UMXx eHIFN8wRVmkDL1Upie7ITWMWKRsANgqdoDOIKaO6rEi50U9+TLYxLKQ9gDreeyYxUAoz EYYg==
X-Gm-Message-State: AElRT7FDkMA8rZkpCG6if/ixpFarO5OV3LrghSQ72t2SfXmJYOvqpaFd 3BXa9FCCJs1nagVbPRVhj4SVGUhlhPLlhzOMDMraGg==
X-Google-Smtp-Source: AG47ELvCNuwC4EFvcjg/jlvHGrHs3fqlfjxJpID8ClCq9/W/T5H73fzYWhN0BfXQMCFuVDH46f3mrAg/Qx6gwCMxf6s=
X-Received: by 10.200.27.215 with SMTP id m23mr2497958qtk.212.1519905033721; Thu, 01 Mar 2018 03:50:33 -0800 (PST)
MIME-Version: 1.0
Received: by 10.12.135.248 with HTTP; Thu, 1 Mar 2018 03:50:33 -0800 (PST)
In-Reply-To: <2022080076.1388276.1519346146233.JavaMail.root@vilafranca.uoc.es>
References: <2022080076.1388276.1519346146233.JavaMail.root@vilafranca.uoc.es>
From: Xavi Vilajosana Guillen <xvilajosana@uoc.edu>
Date: Thu, 01 Mar 2018 12:50:33 +0100
Message-ID: <CAC9+vPiBfHZMLX_rheRwtw=GozWyrtZ30Lzq_01MVwBCJds=-Q@mail.gmail.com>
To: Alexander Pelov <a@ackl.io>
Cc: Iot-dir@ietf.org, draft-ietf-6tisch-6top-protocol.all@ietf.org, tisch <6tisch@ietf.org>, IETF discussion list <ietf@ietf.org>
Content-Type: multipart/alternative; boundary="001a114ddd40a0e04d0566587788"
Archived-At: <https://mailarchive.ietf.org/arch/msg/6tisch/r8voyuchmfMfbdPMyzOYfgs9Z9Y>
Subject: Re: [6tisch] Iotdir early review of draft-ietf-6tisch-6top-protocol-09
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 Mar 2018 11:50:40 -0000
Dear Alex, Thanks so much for your constructive review. Let us answer inline your comments (XV:). We are taking them into account in the new draft version that will be published before the cut-off date. regards Xavi ---- Reviewer: Alexander Pelov Review result: Ready with Issues Hello all, This is the review for the IoT Directorate. Document: draft-ietf-6tisch-6top-protocol-09 Reviewer: Alexander Pelov Date: 22 February 2018 The general feeling of the reviewer is that the document is a solid work. Multiple examples are given and the document is easy to understand as a whole. There are some nits, and some text that need to be clarifier. The general feeling of the reviewer is that the document relies heavily on the definition of an external Scheduling Function (SF). The recommended values seem very reasonable to the reviewer and it is not clear what is the benefit of anticipating that an SF can override the semantics of most of the fields. For example, most of the fields are opaque to the 6P sublayer and only make sense to the SF : CellOptions, Metadata, CellList. For one, in Wireshark, there will be the need for separate disector for each SF. XV: we aimed to support particular needs of an SF. For example the Metadata field can be used to indicate to what Slotframe Handle the 6P operation should be applied. However we think as well that a large set of SFs will use the fields as defined by 6P (celllist) for example. A final point here is that there seem to be no readily available polished SF that would help in the understanding of the concepts beyond what is already on the 6P draft. XV: We think the MSF (https://tools.ietf.org/html/draft-chang-6tisch-msf-00) clearly maps to the requirements from 6P. For example, the SF0 draft (draft-ietf-6tisch-6top-sfx-00) redefines quite heavily the behavior of CellList introducing notion of WhiteList and BlackList of cells. The reviewer is aware that these are distinct works, but it feels that there should be a minimum level of interoperability, where an upper layer does not completely redefine what is happening on lower layers. Having extension mechanisms may seem like a better way to solve richness of proposals if this is necessary. XV: We agree on that. We think however that most SFs can be developed without redefining the 6P fields. Note also that the SIGNAL command is designed to that aim. i.e., an SF issues SIGNALS which are opaque to 6P internals in order to transmit information to the other Node SF. One point which remained unclear is how do the Minimal 6TiSCH and 6P interact? It could be useful to provide a description on the bootstrap of 6P interaction (how does a sender A initiate the first 6P Request - over Minimal 6TiSCH-managed cell?). XV: This is detailed in the MSF draft for example. 6P defines the messaging structure and protocol interaction but does not define a particular behaviour. The SF is the responsible of defining the behaviour at boot, what cells are used and how new cells are added. 6P Provides the l2 transport semantics for the SF to operate. How do they enter in play in case of de-synchronisation ? (e.g. A rescheduling all 6P cells, but B not getting the final L2 ACK, which puts A's 6P cells on a completely different schedule than B's.. so B can't signal back transaction rollback / CLEAR). Is this solved by 6TiSCH minimal or through a different mechanism? The Security section could be enriched. A notable example is the handling of resource reservation, which could lead to DOS attacks. XV: this has been clarified thanks to another reviewer comment. - - - - - - - - - - - - - - - Section 3.2.3: 6P CellOptions - ends with the statement that it is an "Opaque set of bits", which MAY be redefined by the SF (format, meaning). As pointed out earlier, if there is a need to redefine this for each SF, maybe there are other ways of defining such flexibility (e.g. TLVs). XV: We enable an SF to redefine that field but we do not expect that most of the SFs redefine it. The table in Figure 7 provides the recommended meaning of the bitmap for 6P COUNT and 6P LIST. What is the recommended meaning for 6P ADD/DELETE/RELOCATE? XV: thanks, we clarify this in the text. We added Figure 8 with a table describing the behaviour of 6P when the different cellOPtions are present in ADD/DELETE/RELOCATE requests. Nits: there seems to be errors in Figure 7: examples of "all cells are marked as RX" and "all cells are marked as TX" seem inverted (same for TX=1,RX=0,S=1 and TX=0,RX=1,S=1). XV: no, this is correct :). The request is issued by node A, saying for example COUNT TX cells to B. B responds with the list of cells marked as RX in its schedule for neighbor A. (as in A they are marked as TX). - - - - - - - - - - - - - - - Section 3.3.1: How does the sender/receiver know the size of CellList? (infer from packet size?) XV: the IE header contains the size of the 6top IE. The header field sizes are known and hence the celllist length can be determined from that. The candidate cells (a total of NumCandidate) are presumably provided by the SF. However, it is up to 6P to handle the case when they do not fit in the packet size. The text specifies that this should be handled in more than one 6P ADD requests - which is OK on the conceptual level, but seems underspecified for an implementation. What if NumCells is smaller than the number of candidate cells that can fit in a single transaction - should they be also split in two transactions? XV: NumCells tells how many cells need to be added/deleted/relocated. I think you refer to the 6P list command instead. In a 6P LIST Command we use MaxNumCells which indicate an upper bound of the cells to be listed (lique in SQL when we do LIMIT). If in a 6p LIST the number of returned cells is smaller than MaxNumCells, then the issuer may send another LIST with an specific offset (e.g the number of cells received) in order to get the remaining cells. This is how "pagination works" indeed. What happens if the first 6P ADD is successful, but the second one fails? Should the sender 6P DELETE the successfully added first batch of cells? XV:If you refer to an ADD Request where numcells is larger than the number of cells that fit in a packet, then this should be handled by the SF, splitting the request in multiple ADD operations. If one fails a node can retray later. Can allocation of 0 cells be considered as partial success? NOALLOC return code is not defined. XV: Why someone wants to do a 0 cell ADD request? I think that the response in this case can be RC_SUCCESS, indicating that 0 cells have been scheduled. - - - - - - - - - - - - - - - Section 3.3.3. Figure 17 - it seems counterintuitive to have RC_SUCCESS on failed relocation. Could NOALLOC be used in this case? XV: We had long discussions about this while we wrote the specification. Our consensus was that the return code indicates that the 6P transaction worked (RC_SUCCESS) and that the celllist length tells us the result in terms of cells relocated. So no strong arguments in both sides I guess but we agreed to take that approach. In both Relocation and Allocation 3-step 6P transaction there is the risk of a security attack. If a malicious node constantly renews 3-step requests and never acknowledges, the neighboring node will be keeping the proposed cells as "reserved" and not allocate them to other nodes, thus provoding a DOS attack. Probably a way to limit repeated requests could be useful for this case. XV: We know that any 3-step transaction/protocol can be subject to a DoS attack as long as one of the messages is not replayed (same happens with TCP handshake attacks). We do not want to introduce policies to handle that for a particular situation but we think that this needs to be clarified in the security considerations section. To this aim we indicated the following: We added a consideration in the security section. The 6P protocol does not provide protection against DOS attacks. This is relevant in 3-step transactions when a confirmation message could not be sent in purpose by the attacker. Such situations SHOULD be handled by an appropiate policy such as blacklisting the attacker after several attempts. Other DoS attacks are possible by sending unmeaningful requests to nodes. The effect to the overall network can be minimal as communication between attacked node and attacker happen in dedicated cells. DoS then only limits that cells. Yet, this can be avoided by blacklisting the node after several attempts. When to blacklist is policy specific and SHOULD be addressed by the SF. - - - - - - - - - - - - - - - Section 3.3.5. "To retrieve the list of scheduled cells at B" - all cells scheduled at B? Or the cells scheduled for A? (could be clarified) XV: We rephrased like this: To retrieve a list of scheduled cells at B, node A issues a 6P LIST command. Nits: Node B MAY returns -> Node B MAY return XV: Thanks. we fixed that. - - - - - - - - - - - - - - - Section 3.3.6. There may be two parallel transactions: 1) A->B and 2) B->A. If a 6P CLEAR is issued on one, how does this affect the other? (presumably clear both?) XV: A transaction is not applied until the transaction is committed, this is the Confirmation message is received on one side and the L2 ACK is received at the other side. In a particular slot a node may be only receiving or sending a packet at a time and hence this B->A A->B transaction cannot happen unless they use 2 radios. In case of using 2 radios this may lead to an inconsistency in the schedules that will be resolved in the next message thanks to the SeqNum set to 0 in the side that cleared. How does this affect separate SF? If there is a state kept by each SF, are all SFs cleared? Are statistics also cleared for SFs? (probably SF-dependent, out of the scope) XV: the commands use an SFID that maps the action to a particular SF. Hence if a clear happens in the cells scheduled by one SF other cells scheduled by another SF won't be affected. - - - - - - - - - - - - - - - Section 3.4.6. Figure 27: "Clear or Reset" - Reset could be ambiguous (device has restarted vs transaction failed, RC_RESET) XV: We clarified with: Clear or After device Reset - - - - - - - - - - - - - - - Section 6.2.5. Consider having Specification required for the range SFID 128-255. XV: Expert review is a well understood term. - - - - - - - - - - - - - - - Section 6.2.4. It would have seem more readable to have RC_ERR_ prefix for errors. It may not be outright evident that RC_CELLLIST or RC_VERSION is an error. XV:Thanks for this comment. We renamed them as indicated. - - - - - - - - - - - - - - - Overall a rich document, with probably some minor changes to be made. Best, Alexander 2018-02-23 1:35 GMT+01:00 Alexander Pelov <a@ackl.io>: > Reviewer: Alexander Pelov > Review result: Ready with Issues > > Hello all, > > This is the review for the IoT Directorate. > > Document: draft-ietf-6tisch-6top-protocol-09 > Reviewer: Alexander Pelov > Date: 22 February 2018 > > The general feeling of the reviewer is that the document is a solid work. > Multiple examples are given and the document is easy to understand as a > whole. > There are some nits, and some text that need to be clarifier. > > The general feeling of the reviewer is that the document relies heavily on > the > definition of an external Scheduling Function (SF). The recommended values > seem > very reasonable to the reviewer and it is not clear what is the benefit of > anticipating that an SF can override the semantics of most of the fields. > For > example, most of the fields are opaque to the 6P sublayer and only make > sense > to the SF : CellOptions, Metadata, CellList. For one, in Wireshark, there > will > be the need for separate disector for each SF. > > A final point here is that there seem to be no readily available polished > SF > that would help in the understanding of the concepts beyond what is > already on > the 6P draft. For example, the SF0 draft (draft-ietf-6tisch-6top-sfx-00) > redefines quite heavily the behavior of CellList introducing notion of > WhiteList and BlackList of cells. The reviewer is aware that these are > distinct > works, but it feels that there should be a minimum level of > interoperability, > where an upper layer does not completely redefine what is happening on > lower > layers. Having extension mechanisms may seem like a better way to solve > richness of proposals if this is necessary. > > One point which remained unclear is how do the Minimal 6TiSCH and 6P > interact? > It could be useful to provide a description on the bootstrap of 6P > interaction > (how does a sender A initiate the first 6P Request - over Minimal > 6TiSCH-managed cell?). How do they enter in play in case of > de-synchronisation > ? (e.g. A rescheduling all 6P cells, but B not getting the final L2 ACK, > which > puts A's 6P cells on a completely different schedule than B's.. so B can't > signal back transaction rollback / CLEAR). Is this solved by 6TiSCH > minimal or > through a different mechanism? > > The Security section could be enriched. A notable example is the handling > of > resource reservation, which could lead to DOS attacks. > > - - - - - - - - - - - - - - - > > Section 3.2.3: > 6P CellOptions - ends with the statement that it is an "Opaque set of > bits", > which MAY be redefined by the SF (format, meaning). As pointed out > earlier, if > there is a need to redefine this for each SF, maybe there are other ways of > defining such flexibility (e.g. TLVs). > > The table in Figure 7 provides the recommended meaning of the bitmap for 6P > COUNT and 6P LIST. What is the recommended meaning for 6P > ADD/DELETE/RELOCATE? > > Nits: there seems to be errors in Figure 7: examples of "all cells are > marked > as RX" and "all cells are marked as TX" seem inverted (same for > TX=1,RX=0,S=1 > and TX=0,RX=1,S=1). > > - - - - - - - - - - - - - - - > > Section 3.3.1: > How does the sender/receiver know the size of CellList? (infer from packet > size?) > > The candidate cells (a total of NumCandidate) are presumably provided by > the > SF. However, it is up to 6P to handle the case when they do not fit in the > packet size. The text specifies that this should be handled in more than > one 6P > ADD requests - which is OK on the conceptual level, but seems > underspecified > for an implementation. What if NumCells is smaller than the number of > candidate > cells that can fit in a single transaction - should they be also split in > two > transactions? What happens if the first 6P ADD is successful, but the > second > one fails? Should the sender 6P DELETE the successfully added first batch > of > cells? > > Can allocation of 0 cells be considered as partial success? > > NOALLOC return code is not defined. > > - - - - - - - - - - - - - - - > > Section 3.3.3. > Figure 17 - it seems counterintuitive to have RC_SUCCESS on failed > relocation. > Could NOALLOC be used in this case? > > In both Relocation and Allocation 3-step 6P transaction there is the risk > of a > security attack. If a malicious node constantly renews 3-step requests and > never acknowledges, the neighboring node will be keeping the proposed > cells as > "reserved" and not allocate them to other nodes, thus provoding a DOS > attack. > Probably a way to limit repeated requests could be useful for this case. > > - - - - - - - - - - - - - - - > > Section 3.3.5. > "To retrieve the list of scheduled cells at B" - all cells scheduled at B? > Or > the cells scheduled for A? (could be clarified) > > Nits: Node B MAY returns -> Node B MAY return > > - - - - - - - - - - - - - - - > > Section 3.3.6. > There may be two parallel transactions: 1) A->B and 2) B->A. If a 6P CLEAR > is > issued on one, how does this affect the other? (presumably clear both?) > > How does this affect separate SF? If there is a state kept by each SF, are > all > SFs cleared? Are statistics also cleared for SFs? (probably SF-dependent, > out > of the scope) > > - - - - - - - - - - - - - - - > > Section 3.4.6. > Figure 27: "Clear or Reset" - Reset could be ambiguous (device has > restarted vs > transaction failed, RC_RESET) > > - - - - - - - - - - - - - - - > > Section 6.2.5. > Consider having Specification required for the range SFID 128-255. > > - - - - - - - - - - - - - - - > > Section 6.2.4. > It would have seem more readable to have RC_ERR_ prefix for errors. It may > not > be outright evident that RC_CELLLIST or RC_VERSION is an error. > > - - - - - - - - - - - - - - - > > Overall a rich document, with probably some minor changes to be made. > > Best, > Alexander > > > _______________________________________________ > 6tisch mailing list > 6tisch@ietf.org > https://www.ietf.org/mailman/listinfo/6tisch > -- Dr. Xavier Vilajosana Wireless Networks Lab *Internet Interdisciplinary Institute (IN3)Professor* (+34) 646 633 681 xvilajosana@uoc.edu <usuari@uoc.edu> http://xvilajosana.org http://wine.rdi.uoc.edu Parc Mediterrani de la Tecnologia Av Carl Friedrich Gauss 5, B3 Building 08860 Castelldefels (Barcelona). Catalonia. Spain [image: Universitat Oberta de Catalunya]
- [6tisch] Iotdir early review of draft-ietf-6tisch… Alexander Pelov
- Re: [6tisch] Iotdir early review of draft-ietf-6t… Xavi Vilajosana Guillen
- Re: [6tisch] [IoT-DIR] Iotdir early review of dra… Alexander Pelov
- Re: [6tisch] [IoT-DIR] Iotdir early review of dra… Xavi Vilajosana Guillen