[Lake] LoRaWAN use case; Re: WGLC for draft-ietf-lake-reqs-01

dominique.barthel@orange.com Wed, 01 April 2020 08:47 UTC

Return-Path: <dominique.barthel@orange.com>
X-Original-To: lake@ietfa.amsl.com
Delivered-To: lake@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 748FD3A0987 for <lake@ietfa.amsl.com>; Wed, 1 Apr 2020 01:47:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id X6YviyiXgulF for <lake@ietfa.amsl.com>; Wed, 1 Apr 2020 01:47:45 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E61373A085A for <lake@ietf.org>; Wed, 1 Apr 2020 01:47:30 -0700 (PDT)
Received: from opfedar01.francetelecom.fr (unknown [xx.xx.xx.2]) by opfedar26.francetelecom.fr (ESMTP service) with ESMTP id 48sfw12K4bzFqMK; Wed, 1 Apr 2020 10:47:29 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1585730849; bh=Gy1aST5F6mP/LkM7nD+AmLb8rwS1Z5QkW6wQ3dk8IkQ=; h=From:To:Subject:Date:Message-ID:Content-Type:MIME-Version; b=Z1XX0xr0dO+RVKpYb11NomY98a/bNWqjVf+2c4pRVhugr9ESausW8Olu3v4IadI+R W+8GSeNBgfSklq+exyjcAEAzK+IlfvHWzY4Lv55zVWbHGnOz1jEL2ftuM47t3xGiH3 xNA1l44QLbLeWs+tEOhxULvXLgBumtrwourS66K/qG9v2Z+dg2UbwxXOqATbgCNdPa S5F4EdF5y4Iz37z4bFxkLpfZ5vb2CFCV6c35zONDRZoBh1uOUZJsfxH2/TWcp7gWIl 6J9xd0e03si6UHyQSlzXR78Tjgun/eFnvlTS2m/bHvh2rVqWcmFuT9sDY04c+6Sz2l mJ9EBL8+JIWuA==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.38]) by opfedar01.francetelecom.fr (ESMTP service) with ESMTP id 48sfw10ypszBrLS; Wed, 1 Apr 2020 10:47:29 +0200 (CEST)
From: <dominique.barthel@orange.com>
To: Eric Rescorla <ekr@rtfm.com>, =?utf-8?B?R8O2cmFuIFNlbGFuZGVy?= <goran.selander@ericsson.com>
CC: "lake@ietf.org" <lake@ietf.org>
Thread-Topic: LoRaWAN use case; Re: [Lake] WGLC for draft-ietf-lake-reqs-01
Thread-Index: AQHWCAIs9OPyB5Fp0EO5bNIH6Ep+Bg==
Date: Wed, 1 Apr 2020 08:47:28 +0000
Message-ID: <29734_1585730849_5E845521_29734_128_1_DAAA1C73.72FE4%dominique.barthel@orange.com>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
user-agent: Microsoft-MacOutlook/
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_DAAA1C7372FE4dominiquebarthelorangecom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/lake/2k5ij2VD1t97_prXnv0qsdA3I2w>
Subject: [Lake] LoRaWAN use case; Re: WGLC for draft-ietf-lake-reqs-01
X-BeenThere: lake@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Lightweight Authenticated Key Exchange <lake.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lake>, <mailto:lake-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lake/>
List-Post: <mailto:lake@ietf.org>
List-Help: <mailto:lake-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lake>, <mailto:lake-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Apr 2020 08:47:57 -0000

Hello Göran, Eric, all,

I've read draft-ietf-lake-reqs-02 and the ensuing discussions.
I can contribute to the description of the LoRaWAN constraints.

@Göran, I'm sorry to say that your text does not fairly depict the duty cycle limitation of Sub-GHz systems in Europe.
It is not true that after you have transmitted for 1 second, you have to wait for 99 seconds before your next transmission (to oblige the 1% duty cycle limit).
I highly recommend reading this paper [1].
Not only does it have very clear depictions of Sub-GHz sub-bands and their duty-cycle limitations, but it also contains pointers to the authoritative documents, and discussions on how systems like Sigfox and LoRaWAN comply with the regulations. It even has considerations on the impact of duty-cycle limitations for meshed networks using CoAP.

In a nutshell, the duty-cycle is evaluated on a 1-hour sliding window. It is legal to burst out transmissions to a total of 36 seconds air time on a 1%-duty-cyle sub-band, and then pause for the rest of the hour.

As a telco operating commercial LoRaWAN networks in Europe, here are my observations:
It's perfectly ok to have a technician stand one or two minutes next to the IoT device he/she has just provisioned, in order to make sure everything is up and running.
It's not ok to have the technician stand an hour next to the device, just because the provisioning protocol surpassed the 36 seconds air-time credit given in the first hour.
Hence the challenge to this Working Group (fairly decent worst case):
Can you make some useful/secure key exchange happen within 36 seconds of air-time at LoRaWAN SF12 data rate, taking into account 2 repetitions per packet (I.e. 3 transmissions)?
Or better yet, in only half or a third of that, because you want to give some air-time to the lower layer MAC frames and to the application itself.
Best regards,


[1] Saelens, Martijn & Hoebeke, Jeroen & Shahid, Adnan & De Poorter, Eli. (2019). Impact of EU duty cycle and transmission power limitations for sub-GHz LPWAN SRDs: an overview and future challenges. EURASIP Journal on Wireless Communications and Networking. 2019. 10.1186/s13638-019-1502-5. https://jwcn-eurasipjournals.springeropen.com/articles/10.1186/s13638-019-1502-5

De : Lake <lake-bounces@ietf.org<mailto:lake-bounces@ietf.org>> on behalf of Eric Rescorla <ekr@rtfm.com<mailto:ekr@rtfm.com>>
Date : Tuesday 31 March 2020 02:57
À : "goran.selander@ericsson.com<mailto:goran.selander@ericsson.com>" <goran.selander@ericsson.com<mailto:goran.selander@ericsson.com>>
Cc : "lake@ietf.org<mailto:lake@ietf.org>" <lake@ietf.org<mailto:lake@ietf.org>>
Objet : Re: [Lake] WGLC for draft-ietf-lake-reqs-01

> >    LoRaWAN has a variable MTU depending on the Spreading Factor (SF).
> >    The higher the spreading factor, the higher distances can be achieved
> >    and/or better reception.  If the coverage and distance allows it,
> >    with SF7 - corresponding to higher data rates - the maximum payload
> >    is 222 bytes.  For a SF12 - and low data rates - the maximum payload
> >    is 51 bytes on data link layer.
> >
> >    The benchmark used here is Data Rates 0-2 corresponding to a packet
> >    size of 51 bytes [LoRaWAN].  The use of larger frame size depend on
> >    good radio conditions which are not always present.  Some libraries/
> >    providers only support 51-bytes packet size.
> >    providers only support 51-bytes packet size.
> >
> > I'm not sure what I am supposed to do with this: it seems like we have
> > packet sizes that range from 51 to 222. I think what this is saying is
> > that I am supposed to assume 51-byte packets, but even that is
> > unclear.
> GS: This text was formed out of the SecDispatch discussion. Section
> 2.10.0 and other parts of the text highlights the need for
> benchmarks. Section indicates that the benchmark for LoRaWAN
> is a packet size of 51 bytes at link layer. The benchmarks are now
> compiled in 2.10.4, hope it is more clear now.

Not really, no. What I am looking for is something that clearly

   (1) the cost at various sizes (packets, flights, etc.)
   (2) what is expected/known to be achievable with a given technology

This is not giving me that, which seems to be what's needed here.

> GS: 2.10.2 speaks about the duty cycle of 1%:
>    “A duty cycle of 1% implies that the time to complete a
>    fragmentation of the payload increases by at least 10,000%. This
>    limitation determines how long time the device will have to wait for
>    next use, which encourages the reduction of the message size as much
>    as possible.”
> For each packet, wait 100 times the transmission time for next
> packet. This excludes potential retransmissions due to lost messages
> or errors etc.

OK, so what's the curve of handshake latency cost for protocols with
various message sizes? That's (in part) what I'm asking for.

> GS: The specified LoRaWAN packet size is at link layer. If fragmention
> with Blockwise, this results in multiple CoAP messages + increase of
> total CoAP header overhead.

Right, so I'm looking for this document to tell me that.

> > The answers in this document are frankly pretty unsatisfactory. For
> > instance, it says:
> >
> >    Considering the duty cycle of LoRaWAN and associated unavailable
> >    times, the round trips and number of LoRaWAN packets needs to be
> >    reduced as much as possible.
> >
> >  What I would expect to see is something to the effect of: "this is
> > the incremental cost in {power, bandwidth, time to complete} of an
> > additional packet and therefore we should be able to keep to <X
> > packets",
> GS: This, together with the benchmarks, was requested in
> Secdispatch. That lead to the spreadsheets and comparison between TLS
> handshake and EDHOC e.g. Time-on-Air, presented in the virtual interim
> in March 2019 and in the BoF at IETF 105.. The spreadsheets are still
> tavailable:
> https://github.com/EricssonResearch/EDHOC/tree/master/docs
> https://github.com/EricssonResearch/EDHOC/blob/master/docs/LoRaWAN_ToA.xlsx<https://github.com/EricssonResearch/EDHOC/blob/master/docs/LoRaWAN_ToA..xlsx>

Yeah, these spreadsheets aren't quite what I want because they are
focused on DTLS vs. EDHOC rather than on what happens with various
protocol sizes. The idea here is to get the relevant curve, so for
instance, "time to handshake completion by size of Message 1
controlling for Message 2" or where the cliffs are, or something, so
that we know what we are designing for.

> > but really the only thing we get is in 2.10.4, which says:
> >
> >    Considering that an AKE protocol complying with these
> >    requirements is expected to have at least 3 messages, the optimal AKE
> >    has 3 messages and each message fits into as few frames as possible,
> >    ideally 1 frame per message.
> >
> > The problem here is that we *know* we are going to have to accept
> > some level of messages that span multiple radio units and so
> > getting a sense of where the real boundaries are is critical,
> > but this document frankly isn't much of a help.
> GS: For the certificate case we do need messages that span multiple
> radio units, but not necessarily for PSK or RPK. And those are the
> most relevant cases for constrained IoT. In LoRaAlliance, for example,
> there is work on an RPK-based authentication scheme. We added new text
> in 2.10..4 about this limitation of certificate based authentication.

Well, with RPK and signatures you will still be over three packets
because the server's first message contains both (1) a DH share
and (2) a signature, for a combined minimum of 96 bytes. So, as far
as I can tell, we have this problem. And it's also not clear (at least
to me) if there is incremental cost within the packet cliffs. Is
the answer "no"?

> > Abstract:
> >    authenticated key exchange protocol for OSCORE.  This draft is in a
> >    working group last call (WGLC) in the LAKE working group.  Post-WGLC,
> >    the requirements will be considered sufficiently stable for the
> >    working group to proceed with its work.  It is not currently planned
> >    to publish this draft as an RFC.
> >
> > You'll want to change this, obviously.
> GS: Some verbs needs to change to past tense, if that is what you mean?

Well, I would have removed this text entirely.

> > S 2.1.
> >    COSE provides the crypto primitives for OSCORE.  The AKE shall
> >    specify how COSE can be reused for identification of credentials and
> >    algorithms of OSCORE and the AKE, as extension point for new schemes,
> >    and to avoid duplicated maintenance of crypto library.
> >
> > This is the first of a number of places where this document tries
> > to pre-make design decisions. The requirement here is lightwightness,
> > not COSE. In general, this document should not be making any
> > such decisions; I've tried to call them out but may have missed
> > some.

> GS: See response to Richard.

Yeah, I don't think "strongly recommended" is appropriate either. This
is not properly the business of the requirements doc.

> >    Moreover, the AKE must support transport over CoAP.  Since the AKE
> >    messages most commonly will be encapsulated in CoAP, the AKE must not
> >    duplicate functionality provided by CoAP, or at least not duplicate
> >    functionality in such a way that it adds extra costs in terms of code
> >    size, code maintenance, etc.  It is therefore assumed that the AKE is
> >
> > This too is too strong. If it required .001% more of something, that might
> > be a totally reasonable tradeoff for some other feature.
> GS:  Added “non-negligible”:  “… it adds non-negligible extra costs … ”

I would say "should attempt to minimize".

> > S 2.2.
> >    To further minimize the bandwidth consumption it is required to
> >    support transporting certificates and raw public keys by reference
> >    rather than by value.  Considering the wide variety of deployments,
> >    the AKE must support different schemes for transporting and
> >    identifying credentials, including those identified in Section 2 of
> >    [I-D.ietf-cose-x509].
> >
> > Really? so we need to support both x509bag and x509chain? Why?
> GS: One point with using COSE is that it specifies schemes relevant
> for constrained IoT, like x5u, x5t and provides an extension point for
> new smart schemes in this setting. Do we need both x5bag and x5chain?
> We do want to support x5chain for simpler processing, but I’ve heard
> of people using either (but not both). We omitted x5bag pending input
> from the WG.

So I don't think the way to phrase this is by reference to COSE but
by reference to the requirements, which seem to be:

- Certs by URL
- Certs by hash
- Certs explicitly [Incidentally, TLS experience was we specified
  what's effectively x5chain but everyone wanted x5bag because
  of cross-signatures]

> >    Assuming that both signature public keys and static DH public keys
> >    are in use, then also the case of mixed credentials need to be
> >    supported with one endpoint using a static DH public key and the
> >    other using a signature public key.  The AKE shall support the
> >    initiator signaling which public key credential mix to be used in the
> >    protocol such that the responder knows and can verify that the
> >    intended variant was executed.
> >
> > I don't understand what this means. The initiator doesn't know what
> > the responder can use and so can offer but can't dictate it.
> GS: In constrained deployments the initiator could very well know
> e.g. because only one is supported. We rephrased this.
> ”The AKE shall support negotiation of public key credential mix and
> that both can verify the variant that was executed..”


> > S 2.3.
> >    The AKE must provide mutual authentication during the protocol run.
> >
> > So unilateral authentication is completely out of scope? Why?
> GS: See response to Richard’s mail.

I am surprised to hear that,but OK.

> >    authenticated the other's credential.  In particular, both endpoints
> >    must agree on a fresh session identifier, and the roles and
> >    credentials of both endpoints..
> >
> > What are the properties of this identifier? I don't see it described.
> > Is this a CK-style session identifier?
> GS: Yes, as far as I understand. Karthik provided this input for formal verification purposes.

OK, so I think this needs to be a lot clearer, given that you
also use "connection identifier".

> >     *  The AKE shall protect against identity misbinding attacks
> >       [Misbinding].  Note that the identity may be directly related to a
> >       public key such as for example the public key itself, a hash of
> >       the public key, or data unrelated to a key.
> >
> > I don't understand what this means, but it seems like having names
> > that are public keys is a potential cause of misbinding attacks.
> GS: This is a placeholder for the analysis needed to take into account
> different ways of identifying the subject.

Well, I don't really think that placeholders have a place in requirements
documents. In any case, it's very different to have the key pointed
at by reference and have the endpoint identified by the key, and they
have differentbinding properties.

> >    Moreover, it shall be possible for the receiving endpoint to detect a
> >    replayed AKE message.
> >
> > What does this mean? I don't know how to detect replay of the initial
> > message without maintaining infinite state or an extra round trip
> > (or catching it later in the protocol run) do you.
> GS: Rephrased based on proposal by Chris.

Will take a lool.

> >    Furthermore, the endpoints shall be able to verify that the identity
> >    of the other endpoint is an acceptable identity that it is intended
> >    to authenticate to.  (This requirement extends beyond the AKE in that
> >
> > What does this text mean?
> GS: This was requested by people working on formal verification. The
> requirement means that the AKE shall have a step verifying the
> endpoint being authenticated. In TLS web setting when connecting to
> example.com<http://example.com> it needs to verify that the certificate is issued for this
> domain. In 3GPP when connecting to a visited network it needs to
> verify that there is a roaming agreement. A more restricted setting
> could be a pre-provisioned public key of the manufacturer used to
> verify information about which network to join. Can we formulate this
> better?

Not sure. Can you give me an example of something that is an AKE that
doesn't otherwise have this property?

> > S 2.4.
> >    Perfect Forward Secrecy may alternatively be achieved with a nonce
> >    exchange followed by appropriately derived new session keys provided
> >    that state can be kept in the form of a session counter.  Note that
> >    OSCORE specifies a method for session key update involving a nonce
> >    exchange (see Appendix B in [RFC8613]).
> >
> > As noted in my comments on SAAG, the whole FS landscape is pretty
> > complicated, and this doesn't do that great a job of capturing it. For
> > instance, where do session tickets fit in?
> GS: I put in this text in as placeholder for Karthik’s mails about
> alternatives for forward secrecy, and added text about hash-based
> ratcheting after Chris’s recent comment. The draft does not pretend to
> give any deeper insights on this topic. The function of this paragraph
> is merely as placeholder for input provided to the requirements
> discussion, so those inputs do not get lost in mail archive, and so
> that we can return to that when we evaluate the solution against the
> requirements. We can add text about session tickets here, but may just
> as well wait with that to the solution discussion where probably this
> entire discussion better belong.

I believe that this document should be self-contained, so I'm not that
enthusiastic about placeholders.

> >    *  The AKE shall support negotiation of COSE algorithms
> >       [IANA-COSE-Algorithms] to be used in the AKE and in OSCORE.  A
> >       successful negotiation shall result in the most preferred
> >       algorithms of one of the parties which are supported by the other.
> >
> > This is overly specific, and I don't see why it's a requirement. The
> > way you want to phrase this is that it resists downgrade.
> GS: One reason why we may want to require more than “resisting
> downgrade” is that a protocol that always results in the least
> preferred common algorithm would comply with that requirement, and
> that obviously is not desirable.

I'd be interested in understanding how you propose to define
this property. For instance consider a protocol like TLS where
one end sends their list and the other end picks, that doesn't
guarantee highest preferred algorithm. It seems like the
definition people have come to is about integrity of negotiation
not about "best preferred" https://eprint.iacr.org/2016/072.pdf.

> >    The AKE negotiation must provide strong integrity guarantees against
> >    active attackers.  At the end of the AKE protocol, both endpoints
> >    must agree on both the crypto algorithms that were proposed and those
> >    that were chosen.  In particular, the protocol must protect against
> >    downgrade attacks.
> >
> > Would be good to quantify "strong". I suggest >= 128 bits.
> GS: This is another topic we discussed in connection with the BoF at
> IETF 105 and decided at the time not to do. Another reason for leaving
> this out is that it is not always clear what 128 bits mean. Curve25519
> may be characterized as < 128 bits. MACs shorter than 128 bits may be
> acceptable, this needs to be verified in the concrete protocol. The
> purpose of this work is to provide an AKE that works in very
> constrained settings. If too strong integrity requirement leads to a
> protocol that no one uses because of low performance then nothing is
> gained.

Hmm... I don't really remember that discussion, but I don't agree with
that outcome, and the purpose of a WGLC is to discuss this kind of
question. On the technical merits the 25519 thing is easy to handle by
either just saying 127 bits or just saying that we consider 25519 to
be about 128 bits. As for the MAC, the requirement I am talking about
is the strength of the protocol, not the size of the MAC, and I
think we should specify that.

> > S 2.6.
> >    In case of a PSK identifier, this may be protected against passive
> >    attackers, for example with a key derived from a Diffie-Hellman
> >    shared secret at the earliest in flight 3.  As a consequence, in
> >    order to authenticate the responder within the AKE, at least four
> >    protocol flights are needed in case of symmetric key authentication
> >    with identity protection.  Considering the need to keep the number of
> >    round-trips at a minimum (see Section 2.10.4), unless there are other
> >    good reasons for having more than 3 flights, it is not required to
> >    protect the PSK identifier, and it may thus be sent in the first
> >    flight.
> >
> > This kind of buries the lede. I would just say it's not a requirement.
> GS: This text came out of a mail discussion about what kind of
> identity protection is needed for PSK. If we remove the motivation
> the next reviewer will ask why. We kept one sentence as placeholder
> for that discussion.


> >    The AKE should avoid mechanisms where an initiator takes a guess at
> >    the policy, and when it receives a negative response, must guess,
> >    based upon what it has tried, what to do next.
> >
> > I don't agree with this at all, and I'm not sure why this is
> > here. There are good reasons to do this. In fact, it's the main way to
> > get a three message protocol with confidentiality for the server's
> > first flight.
> GS: This text was suggested by Michael. Just noting a potential
> difference in what you say: Michael’s text speaks about initiator
> guessing twice. In your example that is not the case, right?

Right.. Thanks for pointing that out.



Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.

This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.