Re: [manet] On Forwarding-and-regeneration (was: Re: draft-ietf-manet-aodvv2-13 review - a couple of big ticket Items)

[ietf@thomasclausen.org]

Chris, all,

> On Apr 20, 2016, at 12:30, Dearlove, Christopher (UK) <chris.dearlove@baesystems.com> wrote:
> 
> Can I just say it’s quite hard to work out who is saying what in these exchanges. I’m having to guess some on the basis of “that sounds like Thomas” or “that sounds like Lotte”.

I think that your MUA is slightly broken, then, but when I have doubts I hit the archives, which correctly shows who says what — here’s the archive for the message in question:

	http://mailarchive.ietf.org/arch/msg/manet/MCxWf0tLc9Q7Ix_XW_0lAPyHIdc <https://mailarchive.ietf.org/arch/msg/manet/MCxWf0tLc9Q7Ix_XW_0lAPyHIdc>


>  
> What I’m not clear on is what conclusion, if any, you’ve drawn on hop count/limit.
>  
> As I see it, if the protocol receives a message then sends a message similar but not identical to that out, that can be reviewed as creating a new message. It is a new message as far as 7182 is concerned.

Hence why I wrote (or, I think I wrote) 7182-derived TLV.

>  
> But the protocol could impose some restrictions. For example “the only thing allowed to be changed is this field in this TLV”. Which it would therefore be a good idea for the creator of the message to include, even if it thus needed to include a link metric of zero. (Which is a design point - you might need to allow that in metric specification.) But you would need to state that. That enables some future designs - not 7182, possibly an extension to 7182, possibly something new.

YES, that’s my point.

> There is a problem that this idea would be putting in a need to understand specific TLVs, which is undesirable. I have some ideas there, such as using the protocol-specific space, but this isn’t a five minute job, and needs to be got right. While now is not the time to define this, some decisions could really impact on future designs. For example putting anything wanting to be mutable stuck in the middle of all the other TLVs would be constraining. Making all intended to be mutable by this protocol TLVs in the protocol specific space is probably the least bad idea, as that could be generalised (either making that space not covered by this hypothetical 7182 variant, or splitting it).

My position on that would be “never change the structure of the message in transit” and “never change the length on a TLV in transit”, and you’d have done a fairly good job of making it possible to do *something* clever for ICVs: the mutating field, which would be in a fixed position in the byte stream, you could zero that out, or do something else. 7182 does not do that. But something else might.

Not having that constraint means that “something else” would be impossible, would impede on extensibility.

>  
> That leaves hop count/limit. Technically you wouldn’t increment/decrement, as it’s a new message. But you can send any hop limit on any new message, so that could be one less than the one you received. Hop count is a bit more arguable. I’m not sure how clearly its meaning is indicated, whether it is a “real” hop count of this message. But if you needed to I wouldn’t be too strongly against doing what looks like incrementing that, as long as carefully explained.

Yes, I agree that that can be arguable.

Again, here my position is: if you change the slightest in the *structure* of the message, then a hop-count increment would be invalid (illegal? ;) ) 

Which is to say: regeneration => don’t use hop-count/hop-limit (in my opinion).

> (A key question is if you use 5497 TLVs. In that case I think - combined with the “only change one thing above” that you need to appear to increment hop limit, i.e. create a new message with a non-zero hop count.

Indeed, good catch. This document does, indeed, cite RFC5497 normatively. I’d not seen that interaction, but you are right it has to be matched up. I’ve not checked that/if it is.

Best,

Thomas

>  
> --
> 
> Christopher Dearlove
> Senior Principal Engineer
> BAE Systems Applied Intelligence Laboratories
> __________________________________________________________________________
> 
> T:  +44 (0)1245 242194  |  E: chris.dearlove@baesystems.com <mailto:chris.dearlove@baesystems.com>
> 
> BAE Systems Applied Intelligence, Chelmsford Technology Park, Great Baddow, Chelmsford, Essex CM2 8HN.
> www.baesystems.com/ai <http://www.baesystems.com/ai>
> BAE Systems Applied Intelligence Limited
> Registered in England & Wales No: 01337451
> Registered Office: Surrey Research Park, Guildford, Surrey, GU2 7YP
> 
>  
> From: manet [mailto:manet-bounces@ietf.org <mailto:manet-bounces@ietf.org>] On Behalf Of Thomas Clausen
> Sent: 20 April 2016 10:55
> To: Lotte Steenbrink
> Cc: Mobile Ad Hoc Networks mailing list
> Subject: [manet] On Forwarding-and-regeneration (was: Re: draft-ietf-manet-aodvv2-13 review - a couple of big ticket Items)
>  
>  
> *** WARNING ***
> This message originates from outside our organisation, either from an external partner or the internet.
> Consider carefully whether you should click on any links, open any attachments or reply.
> For information regarding Red Flags that you can look out for in emails you receive, click here <http://intranet.ent.baesystems.com/howwework/security/spotlights/Documents/Red%20Flags.pdf>.
> If you feel the email is suspicious, please follow this process <http://intranet.ent.baesystems.com/howwework/security/spotlights/Documents/Dealing%20With%20Suspicious%20Emails.pdf>.
> 
> *** WARNING ***
> EXTERNAL EMAIL -- This message originates from outside our organization.
>  
> Lotte, all,
>  
> On 19 Mar 2016, at 12:34, Lotte Steenbrink <lotte.steenbrink@fu-berlin.de <mailto:lotte.steenbrink@fu-berlin.de>> wrote:
> 
> Hi Thomas,
> thank you for reviewing AODVv2 yet again :) Some answers below:
>  
> Am 17.03.2016 um 17:00 schrieb ietf@thomasclausen.org <mailto:ietf@thomasclausen.org>:
>  
> Dear all,
>  
> Apologies for not having gotten this done sooner - day-job leaving few spare cycles.
>  
> I’ve previously offered reviews and comments, and some of those have been addressed in the latest I-D — others have not, but should be. I recall that there was some mail attempting to rebut parts of the review, and I will dig it out and reply to that.
>  
>  
> That wold be great.
>  
> I am finding a bit of time here and there when there are holes in the agenda, and am (as you likely have noticed) backtracking through emails when I get a chance. Apologies, I hope that I will get to these emails this, or next week, but day-job eats in to the available time ;(
> 
> 
> Forwarding-vs-regeneration
> Recent exchanges on the list made me understand that protocol control messages are *not* forwarded, but are consumed at each hop, then a new message with (almost-but-not-quite) the same content is generated and transmitted.
>  
> That’s what we’ve been trying to say all along! I’m really glad we’re having this conversation.
>  
> Then, let us have it -- it's a central point to get right.
> 
> 
> I have thought some more on this (& read some of the exchanges on the list on this topic by Chris, Ulrich, and others), and I am convinced that this is not the right way to go, at least for the following reasons:
>  
>  
>             o          It renders the hop-limit/hop-count fields in the RFC5444 message header useless.
>                         This would not be bad if the functionality offered by those fields was not useful
>                         — sadly, it is. For example, for scope limited flooding (expanding ring search, and 
>                         such) which may be of interest, and which require hop-limit. 
>                         A hop-count field may also provide a “cheap” (in terms of overhead) additional piece
>                         of information to use conjunctively with a “real” metric.
>  
>  
> I agree on the usefulness, which is why we were puzzled when we were told we weren’t allowed to use those fields (or, rather, that we were using them wrong, but that the right way to use them doesn’t work for AODvv2). I believe Vicky has written about this in more detail in previous discussions, and we were/are looking forward to reading your answers...
>  
> So, the source generates a message, the message is forwarded through the network, with each intermediate router decrementing the hop limit and incrementing the hop count.
>  
> As stated in the 5444-Usage document, when forwarding a message, the hop-limit/hop-count are modified, the rest of the message SHOULD not be. 
>  
> That is specifically, one thing where I kinda would like 5444-usage to go further is "the message structure MUST in all conditions preserved when forwarding" - but still say "and it is RECOMMENDED that the value field of TLVs are also not modified".
>  
> What this buys is several things, in the context of this protocol:
>  
>             o          hop-limit/hop-count could be useful for the usual 
>                         purposes (ensuring that messages do not live forever, 
>                         scope-limited flooding, ...)
>  
>             o          if the accumulated path metric is stored in a TLV value field, that 
>                         value field can (with suitable disclaimer to call out "we know it is
>                         RECOMMENDED to not do this, but here's why we are OK in doing
>                         it anyways") be modified when forwarding the message, and
>  
>             o          as that path metric field is in a message whose structure does not
>                         change, it will be "at the same place in the byte-stream" at each hop,
>                         which
>             
>             o          allows useful things such as deriving from RFC7182 a form of
>                         "when calculating the ICV, zero out that field in the message ' when
>                           validating an ICV, also zero out that field" -- which goes one step
>                           further (when coupled with a time stamp) than simple transitive trust, 
>                           but also
>  
>             o          allows even more fancy and useful (albeit experimental) things such
>                         as aggregate signatures to work correctly.
>  
> Furthermore.....
> 
> 
>                         The only practical solution would be to re-introduce these functions by way of inserting a
>                         MessageTLV — which (i) is not specified in this document, and (ii) which would just
>                         serve to render messages bigger than strictly needed.
>  
> Exactly; we’d really like to avoid this as well.
>  
>  
> ... It avoids the above, and....
> 
> 
>  
>                         Scope limited flooding  does seem to be a necessary requirement, if for no
>                         other reason than to prevent information from “circulating forever in the network”.
>  
> AODVv2’s duplicated detection hopefully should take care of that. Iirc, We interpreted your earlier E-Mails to (implicitly) mean that you think we should rely on that, since you said we can’t use the hop-limit/hop-count fields.
>  
>  
> ....if done (proper forwarding with preservation of the structure, rather than regeneration which opens up the "this is a new message with potentially new structure" can of worms) as I describe, also addresses the above.
>  
> With respect to what I said earlier when I said "can't use hop-limit/hop-count fields"....when you regenerate, you absolutely, definitely, can't.
> 
> 
> When you "regenerate" a message, that means "you construct a brand new message" which may shuffle addresses inside address blocks, or between address blocks, shuffle TLVs differently than they were originally, even use TLVs of different structure (e.g., single-value TLVs instead of multi-value TLVs). 
> 
> 
> This means that some assumptions (such as when producing an ICV for the message, which depends on the byte order) don't hold. Well, they may not hold, so that means we can't assume that they do. Which means that the originator of a message cannot generate an ICV that can be correctly interpreted (which is what my next section in my original mail was about).
> 
> 
> Which means, in conclusion,  that the information in the message profoundly change -- and therefore these hop-count/hop-limit values do not even apply to "the information". 
> 
> 
> However if proper forwarding with preservation of the structure, rather than regeneration which opens up the "this is a new message with potentially new structure" can of worms, as I (& Ulrich & others) have suggested, is taken to heart, it also addresses the issue below regarding end-to-end authentication (which, while still hard, is possible).
> 
> 
> A couple of more comments below
> 
> 
>  
>             o          It makes end-to-end authentication unnecessarily hard.
>                         I think Chris called this out already, but it bears repeating: S generates a message 
>                         (say, a RREQ), and includes an ICV calculated over the content of the message.
>                         For any recipient to be able to validate the ICV, the message has to be exactly
>                         the same — not just in content, but in structure — as what was generated.
>  
>                         “Regenerating” rather than “forwarding” messages means, that the intermediate
>                         router “regenerating” the RREQ may chose a different structure (e.g., include TLVs
>                         in a different order).
>  
>                         The proposal from https://tools.ietf.org/html/draft-perkins-manet-aodv-e2esec-00 <https://tools.ietf.org/html/draft-perkins-manet-aodv-e2esec-00>
>                         is to add constraints on (i) the set of elements to include in a signature and (ii) the
>                         order of these elements.
>  
>                         One problem with that approach is (i): if an extension adds a message TLV, or an 
>                         Address TLV, to a message, then that will not be “covered” by the proposed e2esec TLV.
>                         Rather for *each* extension developed, an “updates e2esec” clause needs to be done.
>  
>                         I’d say that this approach would be prone to errors — and add entropy to the process
>                         of designing protocol extensions. The alternative, a message being generated by the
>                         source and *forwarded* (as we do in OLSRv2, for example) would allow ICV TLVs 
>                         (even, allow reuse of those specified for OLSRv2) for covering a message and 
>                         extensions.
>  
>                         “But what about the metrics value which will change on each hop”, you may say?
>                         Fortunately, that is relatively easy to handle: simply zero out the value of that TLV when
>                         generating or verifying the ICV MessageTLV. And use Packet-TLVs for hop-by-hop 
>                         authentication, if needed (but, see below).
>  
>             o          It prevents the use of more clever/advanced signature schemes/ICVs
>                         Aggregate signature algorithms ( https://crypto.stanford.edu/~dabo/papers/aggsurvey.pdf <https://crypto.stanford.edu/~dabo/papers/aggsurvey.pdf>)
>                         exist, and an interesting use-case can be found in also reactive protocols, allowing verifying
>                         not “just” the end points, but also the intermediaries (again, with the appropriate “zero out”
>                         discussed above, or something smarter).
>                         Regeneration of messages, rather than forwarding, renders that impossible (or, if used,
>                         updating to  https://tools.ietf.org/html/draft-perkins-manet-aodv-e2esec-00 <https://tools.ietf.org/html/draft-perkins-manet-aodv-e2esec-00>)
>  
> There are other reasons, but the above are those that jump at me as immediate show-stoppers.
>  
> I do honestly not see what possible benefit there is from “regeneration” — but I see very clear inconveniences, and security is not the least of these. Insisting on “regeneration” requires development of “non-general workarounds” as pointed out above.
>  
> The possible benefit is that we need to accumulate & transport metric values somehow, and we can’t do that without regenerating at least parts of the message.
> If we’re missing a solution here, please share it with us.
>  
>  
> Done in the above.
> 
> 
>  
> Security Considerations
>  
> Just for context’s sake, did you review the security considerations in draft-ietf-manet-aodvv2-13 or the ones proposed in the thread „AODVv2: Security considerations update“?
>  
> I did. It still is a far cry from passing the bar. I've posted on why in the past, and some more in this mail (which also contains some suggestions).
>  
> I would suggest that settling the rearchitecturing to do forwarding, as I describe in the above, should be done, which would ease the security considerations issue considerably (and which would be necessary even if ignoring the security considerations, IMO, for this doc to go anywhere). 
> 
> 
> With a new version covering that, the authors (I wanted to write "you", but decided to be inclusive) could you go look at the different security emails and perhaps start a separate thread on that, towards a resolution?
>  
>  
> Best,
>  
> Thomas
>  
> 
> 
> 
> 
> This is an always thorny subject. When OLSRv2 was going through the process we got a thorough education in how little we knew about security from the SEC-ADs, and had to spend about a year or so developing RFC7183. The bottom line is, that this protocol needs its “RFC7183  equivalent”, either as part of the main document, or as an independent document. currently, that is not the case.
>  
> A minima, looking at BCP72 and BCP107 — taking inspiration from RFC7183 might be aw good idea, as that was the most recent that went through the SEC AD. Regardless of how, however, a “mandatory to implement” security mechanism most be specified (I think the right term was “MUST implement, SHOULD use”), in sufficient detail to ensure interoperable implementations.
>  
> As an example, both [RFC6130] and [RFC7181] set out that that:
>  
>       On receiving a ... message, a router MUST first check if the
>       message is invalid for processing by this router
>  
> and then proceed to give a number of conditions that, each, will lead to a rejection of the message as "badly formed and therefore invalid for processing” — a list which RFC7183 then amended. That gave a “hook” for RFC7183 for inserting “rejection”. Idem for message generation.
>  
> If I was to do RFC7181/RFC6130 today, I would include that directly into the protocol specifications. It turned out to be more overhead (and slow down publication anyways) to do it as separate documents.
>  
> Secondly, we need to be a lot more rigid in terms of what ICVs, Timestamps, etc. are added/removed, and what that brings.
>  
> For example (with the assumption that messages are *forwarded* and *not* regenerated), this could be one option:
>  
>                         o          When a RREQ, RREP message is generated, add an ICV Message TLV, which is calculated <this way>
>                                      …(take inspiration from RFC7183 here)
>  
>                         o          When a RREQ, RREP message is transmitted  (by the source, or forwarded by an intermediary)
>                                     in an RFC5444 packet, an ICV Packet TLV is added to the packet, which is calculated <this way> …
>  
>                         o          When an RFC5444 packet is received, validate the ICV Packet TLV <this way> and if the ICV doesn’t validate,
>                                     discard the contained messages.
>  
>                         o          When receiving a RREQ/RREP (either as destination, or as an intermediary), validate the ICV Message TLV 
>                                     <this way> and if the ICV doesn’t validate, discard the message, do not process, do not forward.
>  
> This is a different (and more flexible?) model than “just” transitive trust and “just” end-to-end trust discussed previously, and is enabled by the “forwarding” bit described previously.
>  
> Metrics
> I have asked this numerous times, but have not gotten any answer so I am escalating this again. Why is this document having a normative reference to RFC6551?
>  
>    [RFC6551 <>]  Vasseur, JP., Ed., Kim, M., Ed., Pister, K., Dejean, N.,
>               and D. Barthel, "Routing Metrics Used for Path Calculation
>               in Low-Power and Lossy Networks", RFC 6551 <https://tools.ietf.org/html/rfc6551>, DOI 10.17487/
>               RFC6551 <https://tools.ietf.org/html/rfc6551>, March 2012,
>               <http://www.rfc-editor.org/info/rfc6551 <http://www.rfc-editor.org/info/rfc6551>>.
>  
>  
> Unless I am mistaken, this is not the ROLL WG. And the abstract to RFC6551 explicitly reads:
>  
>    Low-Power and Lossy Networks (LLNs) have unique characteristics
>    compared with traditional wired and ad hoc networks that require the
>    specification of new routing metrics and constraints.  
> Which explicitly is disclaiming that these metrics are not applicable in ad hoc networks— and, I am wondering, what has changed since the publication of RFC6551 to suddenly make these applicable?
>  
>  I am also wondering if looking at (and, perhaps, using?) the same metric type TLV type as in OLSRv2 is not a possibility?
>  
> Either way, referencing RFC6551 here is wrong.
>  
> RFC6621 (SMF) usage
> As late as earlier this month, RFC6621 reared its head again on the mailing list. I understand that the authors are set on using flooding reduction as part of RREQ distribution. If that is the case, then this protocol MUST specify that flooding reduction. 
>  
> Saying “Use RFC6621” won’t work, for reasons Chris point out in an email earlier to the list:
> The network does not and fundamentally cannot offer multicast suppression to AODVv2. This isn't a hard concept, but seems to keep having to be said. AODVv2 messages are carried in 5444 packets, and those only travel one hop. That doesn't allow for suppression. Furthermore AODVv2 is creating new messages each hop. That needs AODVv2 specific handling.
>  
> And quoting an email from myself:
> If protocol X relies on using a flooding operation, then it certainly is protocol X's responsibility to  specify the flooding operation (or, at least, the requirements to the flooding operation ) for correct functioning of protocol X.
>  
> I’ve previously pointed out that RFC6621 requires some degree of configuration (can’t just, for example, pick two different relay set selection algorithms, as that may produce a disconnected flooding domain).
>  
> In other words, what the authors propose in https://tools.ietf.org/html/draft-perkins-manet-using-rfc6621-00 <https://tools.ietf.org/html/draft-perkins-manet-using-rfc6621-00> is insufficient.
>  
> Multiple interfaces configured with the same address(es) - & RFC6621
> I think that it has been established that the ability to use the same address on multiple interfaces is a requirement. It’s not clear to me that a single way of doing so has been proposed, nor that the “operating conditions” are called out (for example, will it work  if router A and router B both have two interfaces, and that all 4 interfaces use the same IP address?)
>  
> This is not entirely unrelated to flooding reduction and RFC6621. One of the complexities is to get that just right: OLSRv2 - for example - calculates Flooding-MPRs per interface, and RFC6130 is careful in how it detects bidirectionality of links. 
>  
> I have not worked out all the details of how this impacts this protocol — but, it requires attention. Especially when wanting to be able to say “…use RFC6621”, then the interface configuration constraints when faced with multiple interfaces must be worked out.
>  
> Prefixes & Gateways
> A question to my mind, and I am not sure I know how to answer that from reading the draft since it is not discussed in section 9 (at least), is: “What happens if I send a RREQ to a prefix” (i.e., a /<128 in IPv6)?
>  
>             o          If the whole prefix is part of the attached network set of a single router, 
>                         then I expect to get a single RREP back, is that the case?
>  
>             o          If "half the prefix"  is part of the attached network set of a single router, 
>                         and the other half is part of the attached network set of another  single router, 
>                         then I expect two RREPs, is that the case?
>  
>             o          More generally, will I get a tree build through the network here?
>  
> AODVv2 currently doesn’t support RREQs for prefixes. I’ve already added „If RteMsg is a RREQ, RteMsg.TargPrefixLen SHOULD equal address length.“ to RteMsg.TargPrefixLen in section  <>4.6 <https://tools.ietf.org/html/draft-ietf-manet-aodvv2-13#section-4.6>. Multicast Route Message Table in response to Justin’s comments, but I’ll go through the draft again and see where we need to state this more clearly.
>  
> Best regards,
> Lotte Steenbrink
> 
> 
>  
> Section 9 (or, the whole spec) is also not explicit enough about multiple  "default gateways" — i.e., the external network being “the rest of the Internet”, and there being multiple gateways to the Internet. I understand how the RREQ gets to the gateway, and how the gateway determines if it should respond (the destination is not part of “the MANET prefix, with which it is configured”).
>  
> But, if A is close to GW1, and B is close to GW2, but A and B being far far apart (according to the metric used) within the MANET, then it would be preferential for the route from A to B to go via GW1-“the-Internet”-GW2? 
>  
> Is this a supported configuration? 
>             o          If yes, how is it (seq# wise, I would expect some complications) handled? 
>             o          If not, where is it stated that this configuration is not possible with this protocol?
>  
>  
> The applicability statement says:
>  
>    AODVv2 is designed for stub or disconnected mobile ad hoc networks,
>    i.e., non-transit networks or those not connected to the internet.
>    AODVv2 can, however, be configured to perform gateway functions when
>    attached to external networks, as discussed in Section 9 <https://tools.ietf.org/html/draft-ietf-manet-aodvv2-13#section-9>.
>  
> I believe that the scenario I describe is indeed a stub network (and not a transit network)?
>  
> — — — 
>  
> As I indicated, these are the big-picture issues that I have gotten around to thinking about enough to write up. I’m not through working through the document, but those were the ones that came to mind, and which seem imperative to resolve.
>  
> Best,
>  
> Thomas
>  
>  
>  
> _______________________________________________
> manet mailing list
> manet@ietf.org <mailto:manet@ietf.org>
> https://www.ietf.org/mailman/listinfo/manet <https://www.ietf.org/mailman/listinfo/manet>
>  
> ********************************************************************
> This email and any attachments are confidential to the intended
> recipient and may also be privileged. If you are not the intended
> recipient please delete it from your system and notify the sender.
> You should not copy it or use it for any purpose nor disclose or
> distribute its contents to any other person.
> ********************************************************************
>