Re: [6tisch] #32 (terminology): New terms for security
Rene Struik <rstruik.ext@gmail.com> Fri, 19 December 2014 15:11 UTC
Return-Path: <rstruik.ext@gmail.com>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 129831A896D for <6tisch@ietfa.amsl.com>; Fri, 19 Dec 2014 07:11:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yOKbKM1ytn2w for <6tisch@ietfa.amsl.com>; Fri, 19 Dec 2014 07:11:02 -0800 (PST)
Received: from mail-ie0-x22e.google.com (mail-ie0-x22e.google.com [IPv6:2607:f8b0:4001:c03::22e]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 406E71A88D3 for <6tisch@ietf.org>; Fri, 19 Dec 2014 07:11:01 -0800 (PST)
Received: by mail-ie0-f174.google.com with SMTP id at20so852452iec.19 for <6tisch@ietf.org>; Fri, 19 Dec 2014 07:11:00 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type; bh=IeolQez8pO1PUL7JZXaTRFtK5vK3iYpfyj/+owkUzoc=; b=yEyO/ak7J+BV+Kv2CjTm54hgRlPW2GPIn7czlekyMfzscO/VQ8aoXCqVywHgkYm0UH 6mM21ERbrDKPuMcbFlIytueZcw3c9PqaWmzbUJcyotQq+uUqvfnL9itDvJF1DZapps6p 3/g9oOOWRLeY5C4fBm7FAqw+VrDXd420mpmhU27wO2YVaqNTHWezKF5oEHzY8KpVuZA2 z1su+fqufxtJRJ7Uzmwi7hDu0Cc0jJ5h0s7dpqMfrNJnFiIiOj8fS8o7ehZGsEFHDs3N dcavDmg/0x4RO3j19zkndD+HMdfdtfWmRBa6HTJiSCQAoyt3L5Qg7hgNmtP37Z3qOQk2 ZP5g==
X-Received: by 10.107.33.21 with SMTP id h21mr8022132ioh.37.1419001860080; Fri, 19 Dec 2014 07:11:00 -0800 (PST)
Received: from [192.168.0.10] (CPE7cb21b2cb904-CM7cb21b2cb901.cpe.net.cable.rogers.com. [99.231.49.38]) by mx.google.com with ESMTPSA id ci9sm1006938igc.1.2014.12.19.07.10.59 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 19 Dec 2014 07:10:59 -0800 (PST)
Message-ID: <54944001.3060109@gmail.com>
Date: Fri, 19 Dec 2014 10:10:57 -0500
From: Rene Struik <rstruik.ext@gmail.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.3.0
MIME-Version: 1.0
To: Thomas Watteyne <watteyne@eecs.berkeley.edu>, "Pascal Thubert (pthubert)" <pthubert@cisco.com>
References: <E045AECD98228444A58C61C200AE1BD848A9DF4C@xmb-rcd-x01.cisco.com> <E045AECD98228444A58C61C200AE1BD848A9DFB0@xmb-rcd-x01.cisco.com> <CADJ9OA9ULEn+Y7j+WanwN68aNEPh-4CM0Q50eMU=-AJenYGf2A@mail.gmail.com>
In-Reply-To: <CADJ9OA9ULEn+Y7j+WanwN68aNEPh-4CM0Q50eMU=-AJenYGf2A@mail.gmail.com>
Content-Type: multipart/alternative; boundary="------------050500090609060206060804"
Archived-At: http://mailarchive.ietf.org/arch/msg/6tisch/tpQYfURQtmaALyKQq1kUAnffq54
Cc: "6tisch@ietf.org" <6tisch@ietf.org>
Subject: Re: [6tisch] #32 (terminology): New terms for security
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Dec 2014 15:11:13 -0000
Hi Thomas: I think adding these terms right now is somewhat premature (sometimes: really premature). Some comments below. Rene On 12/19/2014 7:56 AM, Thomas Watteyne wrote: > +1 on Pascal's suggestions. > > Maria Rita, are those definitions you would have time to add to the draft? > > On Sat, Dec 6, 2014 at 1:22 AM, Pascal Thubert (pthubert) > <pthubert@cisco.com <mailto:pthubert@cisco.com>> wrote: > > My own revue: > > Cheers > > > > JCE the Join Coordination Entity. This > acronym is > > > chosen to parallel the PCE. > > [PT] I'd remove "This acronym is chosen to parallel the PCE." And > say that this is a central entity like the PCE that is in charge > of authorization in the network and providing security material to > the joining devices. > > > > joining node The newly unboxed constrained node > that needs to > > > join a network. > RS>> The notion of "newly unboxed" is incorrect: a joining node is just a node that would like to be admitted to the network and be able to consume bandwidth resources. This could be a device just out of shrink wrap, but also a device that moves from one network to the next, does join n+1, etc. <<RS > > [PT] The joining node (JN) leverages the JA and the JCE to learn > or refresh its knowledge of the network operational state, > typically the TSCH schedule, and to obtain security material such > as keys, so as to participate to the production network. > RS>> There is no such thing as a production network. <<RS > > > > > join protocol the protocol which secures initial > communication > > > between the joining node and the JCE > > > > RS>> The join protocol is more refined than this, since includes three stages (authentication, authorization, and configuration steps). See also draft-struik-6tisch-security-architecture-elements-00. <<RS > > > > join assistant A constrained node near the joining > node that > > > will act as it's first 6LR, and will relay > > > traffic to/from the joining node. > > > > RS>> There is no conclusion yet as to whether the join assistant is simply a relay or not. This is still being discussed at the 6tisch security calls (came up during the call of last Tue, Dec 16, 2014, 5pm EST). <<RS > > [PT] Again, add the acronym > > > > unique join key a key shared between a newly joining > node, and > > > the JCE. This key supports smaller > installations > > > for which asymmetric methods are > considered too > > > large > RS>> This would conflict need to support heterogeneous deployment. Again, never discussed on security calls to have this mode. This may needlessly complicate the design, except when evidence to the contrary is provided. <<RS > > > > > > > production network A 802.15.4e network whose encryption/ > > > authentication keys are determined by some > > > algorithm/protocol. There may have > network-wide > > > group keys, or per-link keys. > RS>> This definition is meaningless. <<RS > > > > > > > production network key A L2-key known by all authorized > nodes, used > > > for multicast messages > > > > RS>> This seems to refer to a network-wide key, as 802.15.4 defines with KeyIdMode unequal to 0x00. However, term is very imprecise. <<RS > > > > per-peer L2 key a key that results from an exchange > (such as MLE) > > > that creates a pair-wise L2 key which > is known > > > only to the two nodes involved, > > > [I-D.piro-6tisch-security-issues] calls this a > > > LinkKey > RS>> The term link key is defined in 802.15.4-2006 onwards. No need for new definitions. <<RS > > > > > > > The following terms are used in this document and come > from other > > > documents: > > > > > > DevID [IEEE.802.1AR] defines the secure DEVice > > > IDentifier as a device identifier that is > > > cryptographically bound to the device > and is > > > composed of the Secure Device > Identifier Secret > > > and the Secure Device Identifier > Credential. > > > > RS>> Completely premature to bake in 802.1ar certs. <<RS > > > > IDevID The Initial secure DEVice IDentifier > (IDevID) is > > > the Device Identifier which was > installed on the > > > device by the manufacturer. > RS>> Completely premature again. Besides, model promotes lock-in and very negative press. Issue has not been addressed so far. <<RS > > > > > > > LDevID A Locally significant secure DEVice > IDentifiers > > > (LDevIDs) is a Secure Device Identifier > > > credential that is unique in the local > > > administrative domain in which the > device is > > > used. The LDevID is usually a new > certificate > > > provisioned by some local means, such > as the 6top > > > mechanism defined in this document. > > > > RS>> Again, completely premature to drop something in that has not been ironed out. <<RS > > > > CoAP The CoAP protocol, defined in > [RFC7252] is an > > > HTTP-like resource access protocol. > CoAP runs > > > over UDP. > > > > > > DTLS The datagram version of TLS, defined in > > > [RFC6347], and which can be used to > secure CoAP > > > in the same way that TLS secures HTTP. > > > > > > ARO [RFC6775]defines a number of new Neighbor > > > Discovery options including the Address > > > Registration Option > > > > > > DAR/DAC [RFC6775]defines the Duplicate Address > Request > > > and Duplicate Address Confirmation > options to > > > turn the multicasted Duplicate Address > Detection > > > protocol into a client/server process > > > > > > EARO [I-D.thubert-6lo-rfc6775-update-reqs]extends the > > > ARO option to include some additional > fields > > > necessary to distinguish duplicate > addresses from > > > nodes that have moved networks when > there are > > > mulitple LLNs linked over a backbone. > > > > > > -- > > > > -------------------------------------------------+---------------------- > > > -------------------------------------------------+--- > > > Reporter: Michael Richardson | Owner: > > > <mcr+ietf@sandelman.ca <mailto:mcr%2Bietf@sandelman.ca>> > | pthubert@cisco.com <mailto:pthubert@cisco.com> > > > Type: defect | Status: new > > > Priority: major | Milestone: > > > Component: terminology | Version: > > > Severity: Active WG Document | Keywords: > > > > -------------------------------------------------+---------------------- > > > -------------------------------------------------+--- > > > > > > Ticket URL: <http://trac.tools.ietf.org/wg/6tisch/trac/ticket/32> > > > 6tisch <http://tools.ietf.org/6tisch/> > > > > _______________________________________________ > > 6tisch mailing list > > 6tisch@ietf.org <mailto:6tisch@ietf.org> > > https://www.ietf.org/mailman/listinfo/6tisch > > _______________________________________________ > 6tisch mailing list > 6tisch@ietf.org <mailto:6tisch@ietf.org> > https://www.ietf.org/mailman/listinfo/6tisch > > > > _______________________________________________ > 6tisch mailing list > 6tisch@ietf.org > https://www.ietf.org/mailman/listinfo/6tisch -- email: rstruik.ext@gmail.com | Skype: rstruik cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
- Re: [6tisch] #32 (terminology): New terms for sec… Pascal Thubert (pthubert)
- Re: [6tisch] #32 (terminology): New terms for sec… Pascal Thubert (pthubert)
- Re: [6tisch] #32 (terminology): New terms for sec… Thomas Watteyne
- Re: [6tisch] #32 (terminology): New terms for sec… Qin Wang
- Re: [6tisch] #32 (terminology): New terms for sec… Rene Struik
- Re: [6tisch] #32 (terminology): New terms for sec… Michael Richardson
- Re: [6tisch] #32 (terminology): New terms for sec… Pat Kinney
- Re: [6tisch] #32 (terminology): New terms for sec… Michael Richardson
- Re: [6tisch] #32 (terminology): New terms for sec… Pat Kinney