Unresolved issues with RPL-11: security section.
Michael Richardson <mcr@sandelman.ca> Fri, 20 August 2010 18:12 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: ietf@core3.amsl.com
Delivered-To: ietf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E11463A6AFC; Fri, 20 Aug 2010 11:12:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.834
X-Spam-Level:
X-Spam-Status: No, score=-1.834 tagged_above=-999 required=5 tests=[AWL=0.120, BAYES_00=-2.599, HOST_MISMATCH_NET=0.311, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2j58VsRPpM1o; Fri, 20 Aug 2010 11:12:45 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [67.23.6.41]) by core3.amsl.com (Postfix) with ESMTP id 16AE33A6B2E; Fri, 20 Aug 2010 11:12:17 -0700 (PDT)
Received: from marajade.sandelman.ca (unknown [132.213.238.4]) by relay.sandelman.ca (Postfix) with ESMTPS id BFF82346E2; Fri, 20 Aug 2010 14:12:51 -0400 (EDT)
Received: from marajade.sandelman.ca (unknown [127.0.0.1]) by marajade.sandelman.ca (Postfix) with ESMTP id 2B9BF98A97; Fri, 20 Aug 2010 14:12:51 -0400 (EDT)
From: Michael Richardson <mcr@sandelman.ca>
To: ietf@ietf.org, roll@ietf.org
Subject: Unresolved issues with RPL-11: security section.
X-Mailer: MH-E 8.1; nmh 1.1; XEmacs 21.4 (patch 21)
Date: Fri, 20 Aug 2010 14:12:51 -0400
Message-ID: <13773.1282327971@marajade.sandelman.ca>
Sender: mcr@sandelman.ca
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Aug 2010 18:12:47 -0000
I have read the security sections of draft-ietf-roll-rpl-11. The encumbered signature algorithms have been removed, which is good. There are two major issues which I thought were brought up in RPL-10 which are still unresolved: 1) if RPL is using a link-level security mechanism, how can the distinction in section 3.3.3 (and 10.1) between "pre-installed" and "authenticated" be communicated from the link-level security to the RPL-level? I.e. how is layer-2/layer-3 channel binding done? (When the security is built-in, then section 10.2 tries to explain it, and I think the idea will work, but I'm not sure if the actual details are right. The rules of 10.2 will take me some time to fully understand, and they are very new.) 2) we still do not know how to calculate the MAC. What byte does it start at? The beginning of the IPv6 header, it says in 10.8. What values go into the mutable fields? What about checksum? Flow-Label? I'd guess zero, but??? I'd like to see a sample packet in the document along with the keys involved. -- ] He who is tired of Weird Al is tired of life! | firewalls [ ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[ ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[ Kyoto Plus: watch the video <http://www.youtube.com/watch?v=kzx1ycLXQSE> then sign the petition.
- Unresolved issues with RPL-11: security section. Michael Richardson