Re: [6tsch] FW: draft-ohba-6tsch-security-00
Thomas Watteyne <watteyne@eecs.berkeley.edu> Thu, 27 June 2013 04:24 UTC
Return-Path: <twatteyne@gmail.com>
X-Original-To: 6tsch@ietfa.amsl.com
Delivered-To: 6tsch@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FB4C11E8198 for <6tsch@ietfa.amsl.com>; Wed, 26 Jun 2013 21:24:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.977
X-Spam-Level:
X-Spam-Status: No, score=-1.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, HTML_MESSAGE=0.001, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n3uUoO2haXyd for <6tsch@ietfa.amsl.com>; Wed, 26 Jun 2013 21:24:29 -0700 (PDT)
Received: from mail-pa0-x236.google.com (mail-pa0-x236.google.com [IPv6:2607:f8b0:400e:c03::236]) by ietfa.amsl.com (Postfix) with ESMTP id C998411E818F for <6tsch@ietf.org>; Wed, 26 Jun 2013 21:24:29 -0700 (PDT)
Received: by mail-pa0-f54.google.com with SMTP id kx10so488362pab.41 for <6tsch@ietf.org>; Wed, 26 Jun 2013 21:24:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:from:date :x-google-sender-auth:message-id:subject:to:content-type; bh=6wt487e707MvlQd/SKjEhIixb3mCGjoxvpLWEpAPLmc=; b=beb4Jrhn0Rg/3IahBP1+j6Uj7ptQ1ZXN3qw2xJpF9oI9JhRXpqu61lEG2z5pMRkLlI Qvt/jqSdxwH7IAmixgmwgfUSdBojhdUYoyQLpcHz/z/vPIx4cNp8HI761jAJLUzPVfZj IJPr+ioAvpx62fO1/GR5on21FDy/pjPxmbS8eOe3J8vD4xAIFFom0CkozkD5Y0EVnRdW 4suCcLs8NJiqDiMaLwzFBXC9KJc21LXmr4N3YFYXruj+pW2RvZXYafFmZ1Ena+yBeFi/ 7gQyRUUDdsntIlwz8F9UHrvO6Ipeqozl8JhqJzF/MvcE+nvu1NxXNBGTXR15ECI0jffv bc2A==
X-Received: by 10.68.231.200 with SMTP id ti8mr3966216pbc.46.1372307069452; Wed, 26 Jun 2013 21:24:29 -0700 (PDT)
MIME-Version: 1.0
Sender: twatteyne@gmail.com
Received: by 10.66.147.228 with HTTP; Wed, 26 Jun 2013 21:24:09 -0700 (PDT)
In-Reply-To: <E045AECD98228444A58C61C200AE1BD841331D7E@xmb-rcd-x01.cisco.com>
References: <674F70E5F2BE564CB06B6901FD3DD78B12D258EB@tgxml338.toshiba.local> <CALEMV4Zq5B9vDGQr-Jnkc9umPCxw+sLAdNzGx3dJmgPv1GiA_Q@mail.gmail.com> <E045AECD98228444A58C61C200AE1BD841331338@xmb-rcd-x01.cisco.com> <674F70E5F2BE564CB06B6901FD3DD78B12D25F39@tgxml338.toshiba.local> <E045AECD98228444A58C61C200AE1BD841331D7E@xmb-rcd-x01.cisco.com>
From: Thomas Watteyne <watteyne@eecs.berkeley.edu>
Date: Wed, 26 Jun 2013 21:24:09 -0700
X-Google-Sender-Auth: yUUCMZu5Apl57kU-BvMK4l5hIzE
Message-ID: <CADJ9OA_QnF3nHHZ_orjxSqg=_ikJRTUMLZVVvUDXp48Eq1RwHQ@mail.gmail.com>
To: "6tsch@ietf.org" <6tsch@ietf.org>
Content-Type: multipart/alternative; boundary="047d7b3398b765c8c504e01b236f"
Subject: Re: [6tsch] FW: draft-ohba-6tsch-security-00
X-BeenThere: 6tsch@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tsch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tsch>, <mailto:6tsch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/6tsch>
List-Post: <mailto:6tsch@ietf.org>
List-Help: <mailto:6tsch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tsch>, <mailto:6tsch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Jun 2013 04:24:31 -0000
Yoshihiro and co-authors, It's wonderful you were able to publish this draft so quickly! Here is a list of pseudo-random thoughts I had while reading it. I'd be happy if we could discuss the clarifying questions below on the ML and during the following weekly calls. Do not hesitate to spawn your answers into different e-mail threads if that's easier. I'm also adding some random remarks and typos at the end of this e-mail; feel free to ignore any or all of them. *Clarifying questions* *Credentials for P1 authentication.* The draft now reads that during the P1 bootstrapping phase, the new node authenticates to the authentication server. For this to be possible, the node must have something installed. That can be some pre-installed key, a certificate, or something more exotic. In any case, I believe it would be useful to have a section at the very beginning which indicates what the new node is expected to have when trying to join the network. This will have an impact either on the production phase of the devices, or on the pre-deployment routine the installer need to go through. *Interaction with IEEE802.15.4 security mechanisms*. IEEE802.15.4 (and IEEE802.15.4e) comes with a CCM*, a combined encryption and authentication block cipher mode, built on an AES-128 cipher. Using CCM*, a node can encrypt and/or authenticate all MAC-layer frames. CCM* allows you to choose which range of bytes you encrypt and/or authenticate in your packet. In addition, IEEE802.15.4e defines that the nonce counter used by CCM* contains the 5-byte ASN. This brings replay protection, since the ASN rolls over every 350 years with 10ms slots. It would be great if the security mechanism we come up with takes advantage of this capability, since at least parts of it is built into most (all?) IEEE802.15.4 radios/SoCs. Maybe the draft could contain some text explaining how this would work. *Session with the PCE.* The PCE plays a special role in a 6TSCH networks. Since it is responsible for the TSCH schedule (and maybe even for some routing), it's essential that the communication between a node and the PCE be confidential and authenticated. Do we need to have a special requirement for the mote-to-PCE communication? If not, is this completely covered by the discussion about P3? *Authentication relay.* I'm a bit confused by the exact natore of the authentication relay. This comes up for example in the following requirement: R1-2: Phase-1 KMP MUST support stateless authentication relay operation. What I understand is that it's the role the motes already in the network play when a new node joins and is multiple hops away from the authentication server. In this case, do those nodes need to play any security role at all? Can they not relay a opaque sequence of bytes which happens to be the (end-to-end secure) authentication traffic between the authentication server and the new mote? The following paragraph seems to indicate this: A Phase-3 node can forward Phase-1 KMP messages originated from or destined for a Phase-1 node that is joining the mesh network through the Phase-3 node. *Footprint of keying material.* The draft indicates that, in the extreme case, a node maintains separate keying material to communicate with each of its neighbors. Is this accurate? This might introduce a large footprint, both in memory and complexity. Is it possible to optionally relax P2 this for low-end implementations, and e.g. have a common network key? I understand the implication which you highlight in the introduction w.r.t. ZIP. *EB protection.* I understand the concern you express in Section 6, but thanks to the TSCH nature of our little networks, the counter wraps every 350 years. I believe this significantly lowers the vulnerability of using a pre-installed key. *Random remarks* - About section 2, I would argue that definitions live in the terminology draft. It's already referenced at the bottom, so maybe put that cross-reference at the beginning of Section 2? - The draft lists the requirements for a secure 6TSCH solutions. PANA is listed as one of the candidate KMPs. Maybe remove PANA it from the abstract? *Typos and other minor things* - "provide adequate Time Sensitive behaviors" -> "provide adequate levels of determinism" - Following Metcalf's law: add reference? - "value of using radios" -> "the value of using radios" - "wraps up" -> "wraps" (not sure)? - "temporal PIN" -> "temporary PIN" (again, not sure)? - "located in the coordinator" -> "co-located with the coordinator"? - The SA of a link between node i and node j maintains MAC keys. - MAC key, I assume using CCM*? encryption? authentication? both? - bi-directinal -> bi-directional - "on required security level" -> "on the required security level" - "seciton" -> "section" - "reply protected" -> "replay protected" - "candiate" -> "candidate" - "e.g sensor" -> "e.g. sensor" - DTLS[RFC6347]: please make this s XREF - "multicast key exportation" -> "exporting multicast keys"? - "exported key material" -> "exported keying material"? - "intergrity" -> "integrity" Thomas On Tue, Jun 25, 2013 at 8:30 AM, Pascal Thubert (pthubert) < pthubert@cisco.com> wrote: > Dear all:**** > > ** ** > > I realized that the list was not copied; fixing this now. The discussion > is around section 2 that is missing the expansion of 6TSCH**** > > ** ** > > Cheers,**** > > ** ** > > Pascal**** > > ** ** > > *From:* yoshihiro.ohba@toshiba.co.jp [mailto:yoshihiro.ohba@toshiba.co.jp] > > *Sent:* mardi 25 juin 2013 11:04 > *To:* Pascal Thubert (pthubert); xvilajosana@eecs.berkeley.edu; > maria-rita.palattella@uni.lu > > *Cc:* watteyne@eecs.berkeley.edu > *Subject:* RE: [6tsch] draft-ohba-6tsch-security-00**** > > ** ** > > ** ** > > ** ** > > *From:* Pascal Thubert (pthubert) [mailto:pthubert@cisco.com<pthubert@cisco.com>] > > *Sent:* Tuesday, June 25, 2013 5:46 PM > *To:* xvilajosana@eecs.berkeley.edu; ohba yoshihiro(大場 義洋 ○RDC□NSL); > maria-rita.palattella@uni.lu > *Cc:* watteyne@eecs.berkeley.edu > *Subject:* RE: [6tsch] draft-ohba-6tsch-security-00**** > > ** ** > > Hello Xavi and Yoshi.**** > > ** ** > > I’d agree that our terminology is not perfect for that definition. Let us > discuss this at the next call.**** > > “**** > > 6TSCH: Entity that sets up the schedule, controls the**** > > connectivity graph of the network, and the resources**** > > allocated to each scheduled cell in that connectivity**** > > graph. It may be an adaptation layer, a distributed**** > > reservation protocol, a centralized path computation**** > > entity, or any combination thereof.**** > > ** ** > > “**** > > I think that the definition should 1) spell out the acronym “IPv6 over > Time Slotted Channel Hopping”, and 2) explain that 6TSCH defines a set of > IETF sublayers and protocols, as well as an architecture to bind them > together, for use in TSCH based networks. Which in turns reminds me that > people are getting confused when we tell them that 6TSCH pronounces > “SIXTUS” and that we also have a sublayer called 6TUS. Shouldn’t we change > something there?**** > > ** ** > > Yoshi: I think section 2 should refer to our terminology. There is > already a XREF link at the end of the draft. If the terminology expands the > acronym for 6TSCH you’re all set : )**** > > *[YO] As soon as we agree on the acronym for 6TSCH I will put it in > section 2.***** > > ** ** > > About section 3. Could we separate the commissioning from the > bootstrapping? I would like to see a phase 0 when the device is prepared > and the management systems are provisioned. In particular: What are the > expectation on the device off the factory: Some builtin vendor crypto > material / certificate? And then when the device is acquired and prepared > for installation: Should the OT people configure an IPv6 address? > Additional crypto material like a shared secret?**** > > ** ** > > *[YO] We could add text for phase 0 for commissioning (I think Figure 1 > can still start with phase 1 since phase 0 does not need to be > standardized). The purpose of phase 0 is to install phase 1 KMP > credentials in a physically secured and managed location before the devices > are placed where they are expected to operate.* > > * * > > *Regards,* > > *Yoshihiro Ohba* > > ** ** > > ** ** > > Cheers,**** > > ** ** > > Pascal**** > > _______________________________________________ > 6tsch mailing list > 6tsch@ietf.org > https://www.ietf.org/mailman/listinfo/6tsch > >
- [6tsch] draft-ohba-6tsch-security-00 yoshihiro.ohba
- [6tsch] FW: draft-ohba-6tsch-security-00 Pascal Thubert (pthubert)
- Re: [6tsch] FW: draft-ohba-6tsch-security-00 Thomas Watteyne
- Re: [6tsch] draft-ohba-6tsch-security-00 Maria Rita PALATTELLA
- Re: [6tsch] draft-ohba-6tsch-security-00 yoshihiro.ohba
- Re: [6tsch] draft-ohba-6tsch-security-00 Pascal Thubert (pthubert)
- Re: [6tsch] FW: draft-ohba-6tsch-security-00 yoshihiro.ohba
- Re: [6tsch] FW: draft-ohba-6tsch-security-00 Qin Wang
- Re: [6tsch] draft-ohba-6tsch-security-00 Jonathan Simon
- Re: [6tsch] draft-ohba-6tsch-security-00 Jonathan Simon
- Re: [6tsch] FW: draft-ohba-6tsch-security-00 yoshihiro.ohba
- Re: [6tsch] FW: draft-ohba-6tsch-security-00 Michael Richardson
- Re: [6tsch] draft-ohba-6tsch-security-00 yoshihiro.ohba
- Re: [6tsch] FW: draft-ohba-6tsch-security-00 Kris Pister
- Re: [6tsch] draft-ohba-6tsch-security-00 Maria Rita PALATTELLA
- Re: [6tsch] FW: draft-ohba-6tsch-security-00 Michael Richardson
- Re: [6tsch] draft-ohba-6tsch-security-00 Rafa Marin Lopez
- Re: [6tsch] draft-ohba-6tsch-security-00 Pascal Thubert (pthubert)
- Re: [6tsch] FW: draft-ohba-6tsch-security-00 Kris Pister
- Re: [6tsch] draft-ohba-6tsch-security-00 Pascal Thubert (pthubert)