Re: [manet] Security documents for OLSRv2/NHDP

Henning Rogge <hrogge@googlemail.com> Sun, 24 March 2013 04:33 UTC

In-Reply-To: <CAK=bVC8W_x68ZWLPKmcnV27OEH9ocX6HJ-hos-010=wE2A07Vw@mail.gmail.com>
References: <CAK=bVC-dubQKrdR7H8etpah7OibKjuG0aBm1FFdPf5y4n-wftw@mail.gmail.com> <2ED1D3801ACAAB459FDB4EAC9EAD090C10053162@xmb-aln-x03.cisco.com> <2ED1D3801ACAAB459FDB4EAC9EAD090C10066D80@xmb-aln-x03.cisco.com> <75F201E8-8BD0-4BF7-95D9-A8A7D4352F6B@gmail.com> <CAK=bVC8W_x68ZWLPKmcnV27OEH9ocX6HJ-hos-010=wE2A07Vw@mail.gmail.com>
From: Henning Rogge <hrogge@googlemail.com>
Date: Sun, 24 Mar 2013 05:33:36 +0100
Message-ID: <CAGnRvurT0y1xTJ4psqkx0b9LE4tu_hTamHDHEPOGKQfRW1X5ag@mail.gmail.com>
To: Ulrich Herberg <ulrich@herberg.name>
Content-Type: text/plain; charset="ISO-8859-1"
Cc: "Stan Ratliff (sratliff)" <sratliff@cisco.com>, Christopher Dearlove <chris.dearlove@baesystems.com>, "<manet@ietf.org>" <manet@ietf.org>, Thomas Clausen <thomas@thomasclausen.org>
Subject: Re: [manet] Security documents for OLSRv2/NHDP

Just to state it,

using timestamps and synchronized clocks in mesh networks can be a real mess.

We did it a couple of years ago when using SNMPv3 and it gave us all
kinds of headaches. But maybe the ubiquitous presence of GPS (and with
this a global clock) can help.

Including a 32-byte checksum in each OLSRv2 message is something
between overkill and insanity. I hope people keep in mind that you can
get similar protection by using link-layer based security on the mesh
interface (WPA2 for example).

Henning Rogge

On Sun, Mar 24, 2013 at 1:19 AM, Ulrich Herberg <ulrich@herberg.name> wrote:
> Dear all,
>
> as you have seen, we have submitted the two documents as WG documents (with
> the same contents as the individual counterparts), and we have updated them
> to a -01 revision.
>
> Brief summary of changes (besides editorial changes) from -00 to -01:
> 1) nhdp-olsrv2-sec:
>    - Stephen Farrell has caught one oversight in the OLSRv2-18, which is that
> we talk about "one single shared secret key" that is used in the default use
> case of integrity and replay protection. As he pointed out, there could be a
> small number of N shared keys that are all pre-deployed. Using RFC6622-bis,
> it is straightforward to select the index of the key that is used within
> the MANET.
> This led to a minimal update of both OLSRv2 and nhdp-olsrv2-sec
>
> 2) RFC6622-bis:
>   - Stephen suggested normatively citing this document from OLSRv2 (it is
> already transitively cited via nhdp-olsrv2-sec anyway).
>   - We added one subsection "changes to RFC6622" that describes the
> differences to RFC6622
>
>
> The authors believe that the two security documents are stable. Note in
> particular that
>    (i) nhdp-olsrv2-sec is the same mechanism that has been discussed in
> draft-ietf-manet-nhdp-sec, just applied to both OLSRv2 and NHDP (and
> updating RFC6130). nhdp-sec has been in the WG for a long time.
>    (ii) RFC6622-bis has the same specification as RFC6622 with the exception
> of one additional type extension for the ICV TLV that has the same TLV value
> structure, but includes the IP source address of the IP datagram, when
> calculating the ICV.
>   (iii) OLSRv2-19 has normative references to both security documents; it
> will not be published as RFC as long as these two documents are not
> finished.
>
> Therefore, I hope that we can initiate a first WG LC on both security
> documents very soon.
>
> Thanks
> Ulrich
>
>
>
> On Sat, Mar 23, 2013 at 12:04 PM, Christopher Dearlove
> <christopher.dearlove@googlemail.com> wrote:
>>
>> Thanks, Stan.
>>
>> --
>> Christopher Dearlove
>> christopher.dearlove@gmail.com (iPhone)
>> chris@mnemosyne.demon.co.uk (home)
>>
>> On 23 Mar 2013, at 18:57, "Stan Ratliff (sratliff)" <sratliff@cisco.com>
>> wrote:
>>
>> > WG Participants:
>> >
>> > The polling period has passed, *without* negative opinions on accepting
>> > the documents as WG documents. Therefore, they have been submitted via the
>> > data-tracker, and you should get email on their posting.
>> >
>> > Regards,
>> > Stan
>> >
>> > On Mar 15, 2013, at 3:04 PM, Stan Ratliff (sratliff) wrote:
>> >
>> >> Ulrich,
>> >>
>> >> Thanks for this email. OK, Working Group participants: Consider this a
>> >> 1-week poll for adoption of these docs as WG documents. Polling period ends
>> >> March 22. And, silence will be deemed to be agreement that the documents
>> >> *should be* accepted as WG docs.
>> >>
>> >> Regards,
>> >> Stan
>> >>
>> >> On Mar 15, 2013, at 1:51 PM, Ulrich Herberg wrote:
>> >>
>> >>> Dear all,
>> >>>
>> >>> The OLSRv2 authors have had a discussion with Stephen Farrell
>> >>> (Security AD)
>> >>> and Adrian about how to resolve the remaining security related DISCUSS
>> >>> on OLSRv2, and we agreed on a way forward that involves the following
>> >>> steps:
>> >>>
>> >>> 1) Publication of:
>> >>> http://tools.ietf.org/html/draft-herberg-manet-nhdp-olsrv2-sec-01
>> >>>
>> >>> This document mandates (at least) implementation of HMAC/SHA2
>> >>> integrity protection of OLSRv2 messages. Deployments of OLSRv2 should
>> >>> use that mechanism unless they have a more appropriate solution (e.g.,
>> >>> different cipher) for that particular deployment. This document also
>> >>> updates NHDP and mandates to implement the same HMAC/SHA2 protection
>> >>> for HELLO messages.
>> >>>
>> >>> 2) Publication of:
>> >>> http://tools.ietf.org/html/draft-herberg-manet-rfc6622-bis-01
>> >>>
>> >>> This document obsoletes RFC6622bis by fixing an oversight in RFC6622.
>> >>> The differences are minor to RFC6622 and can be seen here:
>> >>>
>> >>> http://tools.ietf.org/rfcdiff?url1=rfc6622&url2=draft-herberg-manet-rfc6622-bis
>> >>> Essentially, RFC6622 does not protect the IP source address of the
>> >>> interface over which the control message is sent. Since that address
>> >>> is used to establish neighbors in NHDP (and therefore must be
>> >>> protected), a new type extension 3 of the ICV TLV has been added to
>> >>> the registry.
>> >>>
>> >>> 3) Publication of an update to OLSRv2, referencing the use of the
>> >>> defined security mechanism, and resolving other smaller issues from
>> >>> Stephen's DISCUSS.
>> >>>
>> >>> In order to not hold up OLSRv2 further, and upon discussions with Stan
>> >>> and Adrian, we would like to request WG adoption of these two new
>> >>> documents - asking that the chairs will officially poll the WG on this
>> >>> matter shortly. The documents are brief, and address issues
>> >>> requested by the ADs, so we hope that processing them should also be a
>> >>> brief affair.
>> >>>
>> >>> Best regards
>> >>> Ulrich
>> >>> _______________________________________________
>> >>> manet mailing list
>> >>> manet@ietf.org
>> >>> https://www.ietf.org/mailman/listinfo/manet
>> >>
>> >
>
>
>
>



-- 
We began as wanderers, and we are wanderers still. We have lingered
long enough on the shores of the cosmic ocean. We are ready at last to
set sail for the stars - Carl Sagan
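The two mechanisms discussed in this thread, an HMAC/SHA2 integrity check value (ICV) computed with one of N pre-deployed shared keys selected by index, and the RFC6622-bis type extension that additionally covers the IP source address of the datagram, are illustrated below in an added example. This code is not from the thread, from the drafts, or from any OLSRv2/NHDP implementation: the HELLO message body is a constructed byte string rather than real packetbb encoding, the TLV value layout (one key-index byte followed by the 32-byte ICV, with the hash and cryptographic function identifiers of the real TLV omitted), the key material and the addresses are all assumptions made for the example. It shows why the message-only ICV does not catch the same bytes arriving from a different source address, while the source-bound ICV does, and it makes the per-message overhead Henning objects to concrete.

```python
import hashlib
import hmac
import ipaddress

# Constructed key ring: N pre-deployed shared keys, chosen by a one-byte index.
# The key material is made up for this example; a deployment provisions it out of band.
KEY_RING = {
    0: hashlib.sha256(b"example-key-0").digest(),
    1: hashlib.sha256(b"example-key-1").digest(),
    2: hashlib.sha256(b"example-key-2").digest(),
}

# Constructed stand-in for an OLSRv2/NHDP HELLO message body (not real packetbb encoding).
HELLO = b"HELLO:originator=10.0.0.1;seq=17;links=10.0.0.2,10.0.0.3"


def icv_message_only(key, message):
    """HMAC-SHA256 over the message bytes alone (what the thread says RFC6622 covers)."""
    return hmac.new(key, message, hashlib.sha256).digest()


def icv_with_source(key, src_ip, message):
    """HMAC-SHA256 over the IP source address followed by the message
    (the idea behind the new ICV TLV type extension described in the thread)."""
    src = ipaddress.ip_address(src_ip).packed
    return hmac.new(key, src + message, hashlib.sha256).digest()


def make_icv_tlv_value(key_index, src_ip, message, bind_source):
    """Simplified ICV TLV value: key-index byte followed by the 32-byte ICV.
    (Assumed layout; the real TLV value also identifies hash and cryptographic function.)"""
    key = KEY_RING[key_index]
    if bind_source:
        icv = icv_with_source(key, src_ip, message)
    else:
        icv = icv_message_only(key, message)
    return bytes([key_index]) + icv


def verify_icv_tlv_value(tlv_value, src_ip, message, bind_source):
    """Receiver side: select the key by index, recompute the ICV, compare in constant time."""
    if len(tlv_value) != 1 + hashlib.sha256().digest_size:
        return False
    key = KEY_RING.get(tlv_value[0])
    if key is None:  # unknown key index: the message is dropped
        return False
    if bind_source:
        expected = icv_with_source(key, src_ip, message)
    else:
        expected = icv_message_only(key, message)
    return hmac.compare_digest(expected, tlv_value[1:])


def source_change_detected(bind_source):
    """Protect HELLO as sent from 10.0.0.1, then check the unchanged bytes as if the
    datagram had arrived from 10.0.0.9. Returns True when the receiver rejects them."""
    tlv = make_icv_tlv_value(1, "10.0.0.1", HELLO, bind_source)
    assert verify_icv_tlv_value(tlv, "10.0.0.1", HELLO, bind_source)  # genuine path verifies
    return not verify_icv_tlv_value(tlv, "10.0.0.9", HELLO, bind_source)


def tampered_message_detected(bind_source):
    """Any change to the message body is caught by either variant."""
    tlv = make_icv_tlv_value(2, "10.0.0.1", HELLO, bind_source)
    altered = HELLO.replace(b"seq=17", b"seq=99")
    return not verify_icv_tlv_value(tlv, "10.0.0.1", altered, bind_source)


if __name__ == "__main__":
    print("message-only ICV detects source change:", source_change_detected(False))  # False
    print("source-bound ICV detects source change:", source_change_detected(True))   # True
    print("ICV TLV value overhead per message (bytes):",
          len(make_icv_tlv_value(0, "10.0.0.1", HELLO, True)))                        # 33
```

The receiver never trusts the key index beyond using it as a lookup: an index outside the ring fails closed, and the comparison uses `hmac.compare_digest` so that verification time does not depend on where the first mismatching byte is. The 33-byte TLV value (index plus SHA-256 output) is the per-message cost the thread is weighing against link-layer protection.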