Re: [Gen-art] [6tisch] Review of draft-ietf-6tisch-minimal-17

PWK <pat.kinney@kinneyconsultingllc.com> Fri, 06 January 2017 14:56 UTC

Return-Path: <pat.kinney@kinneyconsultingllc.com>
X-Original-To: gen-art@ietfa.amsl.com
Delivered-To: gen-art@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0FD2E129555 for <gen-art@ietfa.amsl.com>; Fri, 6 Jan 2017 06:56:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.919
X-Spam-Level:
X-Spam-Status: No, score=-1.919 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OGiWtn4JtSfL for <gen-art@ietfa.amsl.com>; Fri, 6 Jan 2017 06:55:57 -0800 (PST)
Received: from p3plsmtpa06-10.prod.phx3.secureserver.net (p3plsmtpa06-10.prod.phx3.secureserver.net [173.201.192.111]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F1F9129529 for <gen-art@ietf.org>; Fri, 6 Jan 2017 06:55:57 -0800 (PST)
Received: from [10.0.1.4] ([50.158.195.176]) by :SMTPAUTH: with SMTP id PVvPc7WBo4I6sPVvQcTUyN; Fri, 06 Jan 2017 07:55:26 -0700
From: PWK <pat.kinney@kinneyconsultingllc.com>
Message-Id: <EF0ABA82-E27A-44B9-B82C-B879098E989D@kinneyconsultingllc.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_41643A30-5B8C-4767-8E1E-3CADFE1568E1"
Mime-Version: 1.0 (Mac OS X Mail 10.2 \(3259\))
Date: Fri, 6 Jan 2017 08:55:23 -0600
In-Reply-To: <CALb6MQVSk6W6vW5rC1pd8F9rsoCayKoDJEtUtbfem6uDsbpa2Q@mail.gmail.com>
To: pister@eecs.berkeley.edu
References: <148140959184.3857.2236566242217564901.idtracker@ietfa.amsl.com> <CADJ9OA8vju=Y13u8EtfsrpT0Kcaf4X-TWzmgfJ=oKkWo+pdxWw@mail.gmail.com> <CADJ9OA_q391_4thKKsXnTQw1gyS3vp+8-CRPUwDqqCzoNKZMDQ@mail.gmail.com> <3b1ec831-33b1-91ee-d380-1315cb7a3f81@gmail.com> <22638.28317.918545.716649@fireball.acr.fi> <CALb6MQVSk6W6vW5rC1pd8F9rsoCayKoDJEtUtbfem6uDsbpa2Q@mail.gmail.com>
X-Mailer: Apple Mail (2.3259)
X-CMAE-Envelope: MS4wfHT0m7Qqt8WkdGVnifeEjWS1souLpwsADXd5kwVZqfjZb18uK7f5gCl4k4NEpDPtA8NiQyAvjLHqPSvI1tG0L7mpCUw5zGJIPoh/lj3skobJEvmyVElh /+VgLcWgvKbsHn7uDNR/0i2JK4SKdQ2aJAUdCzF3dmcoIuyf9hC3G0CF1ZRDzZWILeAkEmHMrSHrdkRk/QlZeU3+AFdCueny0Qk0dlb/nvjXHnhuvdycN9T+ jBk7t9xdCo9U5dNtUD/ad3vsW5ri/UnVEm9c1uOyXx6w1NnjhrAE+mjrG07zRNDmwN+9O5Z3uKn/g2gkeqyALni2JQnhwpAHCaoRp+yg9C4zyQ55IZAtfx9A 9mBm5M5DU/IAqKmkwCROLk0dKOTxEvL+X0wjyFkcOlQ2mTAVkH0=
Archived-At: <https://mailarchive.ietf.org/arch/msg/gen-art/NwAMhdEWqBUXod4wNMsW-79KUzM>
Cc: gen-art@ietf.org, Tero Kivinen <kivinen@iki.fi>, draft-ietf-6tisch-minimal.all@ietf.org, Thomas Watteyne <thomas.watteyne@inria.fr>, 6tisch <6tisch@ietf.org>
Subject: Re: [Gen-art] [6tisch] Review of draft-ietf-6tisch-minimal-17
X-BeenThere: gen-art@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "GEN-ART: General Area Review Team" <gen-art.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/gen-art>, <mailto:gen-art-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/gen-art/>
List-Post: <mailto:gen-art@ietf.org>
List-Help: <mailto:gen-art-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/gen-art>, <mailto:gen-art-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 06 Jan 2017 14:56:00 -0000

Kris; I totally agree with your explanation, but perhaps a slight editorial change?

"This specification assumes the existence of one protocol identifier, P1, and one cryptographic
key K2.  P1’s purpose is to provide message integrity, it is not to provide security.”

Pat


On 5, Jan2017, at 15:44, Kristofer PISTER <pister@eecs.berkeley.edu> wrote:

Tero - you bring up a good point that after all of the discussion of this issue we have
still not done a good job explaining it, since it's clear that there are still misunderstandings.

The text in section 4.6 says "This specification assumes the existence of two cryptographic keys."
That is incorrect, and should be changed.  I propose
"This specification assumes the existence of one protocol identifier, P1, and one cryptographic
key K2.  P1 provides no security."

Let me go over the reasoning behind having P1.  Any implementation of 6TiSCH has one of
three choices for message integrity on the EBs:
1) use no message integrity
2) use a well-known protocol identifiier, with no security value
3) use a secret key

There is ample evidence that sending 15.4 frames without message integrity is problematic, so 
we'd prefer not to do option 1.
Option 2 provides no security, but it does provide message integrity, and it provides some level
of confidence that the sender of the frame is using the same version of the protocol that the
receiver is using.
Option 3 provides all of the benefits of option 2, plus some level of security.  It is a fine option,
but it assumes the existence of a pre-distributed cryptographic key K1, which is a non-starter.

ksjp

On Thu, Jan 5, 2017 at 8:04 AM, Tero Kivinen <kivinen@iki.fi <mailto:kivinen@iki.fi>> wrote:
Brian E Carpenter writes:
> Hi Thomas,
>
> The responses to my comments almost all look fine to me. Just one point,
> on MINOR COMMENT 4 (slide 8):
>
> "Shouldn't this also say that this value MUST NOT be used in
> operational networks?"
>
> We've seen many cases over the years of informal values making it into shipped
> products... generally a Bad Thing. But with my lack of IEEE802.15.4 expertise,
> I really don't know whether it matters in this case. Whatever the WG decides
> is good, as long as the point is considered.

It does matter. If anybody knows the key they can do single packet DoS
attack against network and kill it...

I.e. send EB to some of the nodes, so that it changes the schedule.
After that the nodes in the network are out of sync, and after few
minutes or tens of minutes they will realize this and start to
recover, but it takes long time, and can cause lots of disruption.

If node receives EB which says that the EB slot is not timeslot 0, or
that it has channel offset of 1 or something like that, then it will
be listening EBs from wrong channel after that. After it misses enough
of packets from the network it realizes it is out of sync and
reinitializes itself back to network. This means it needs to do
passive scan over the 16 channels listening each channel for slot
frame size * timeslot duration * EB_PERIOD (at minimum, perhaps twice
in case it happens to miss EB). Meaning that with 101 slot frames, and
10ms timeslot duration, and with EB_PERIOD of 3 that is 3 seconds per
channel, and for 16 channels it takes 48 seconds.

During that time nodes which were children of that node, will notice
that it has gone, and they will start doing same...

The attacker can cause even more confusion by changing the timeslot
parameters, or channel hopping order, but I would hope that
implementations would ignore changes to those IEs while the network is
running.

On the other changing channel offset or timeslot number for EBs, is
something that might happen, so nodes might need to cope with that.

I have complained this clear text password in the specification for
long time, and I do not think there is any reason to include that key
in the RFC. The early interoperability testing people can agree on key
they use in the interoperability events it does not need to be
hardcoded in the RFC or in the code.

> I hope the interim goes well, it is too far out of my time zone to attend!
--
kivinen@iki.fi <mailto:kivinen@iki.fi>

_______________________________________________
6tisch mailing list
6tisch@ietf.org
https://www.ietf.org/mailman/listinfo/6tisch