Re: [manet] draft-ietf-manet-aodvv2-12 and draft-ietf-manet-dlep-17
Jiazi YI <ietf@jiaziyi.com> Thu, 03 December 2015 22:10 UTC
Return-Path: <yi.jiazi@gmail.com>
X-Original-To: manet@ietfa.amsl.com
Delivered-To: manet@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 255AF1ACE92 for <manet@ietfa.amsl.com>; Thu, 3 Dec 2015 14:10:48 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.077
X-Spam-Level:
X-Spam-Status: No, score=-0.077 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FM_FORGED_GMAIL=0.622, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_35=0.6, J_CHICKENPOX_52=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id GCMewacSBXgo for <manet@ietfa.amsl.com>; Thu, 3 Dec 2015 14:10:42 -0800 (PST)
Received: from mail-wm0-x233.google.com (mail-wm0-x233.google.com [IPv6:2a00:1450:400c:c09::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66AAC1ACE90 for <manet@ietf.org>; Thu, 3 Dec 2015 14:10:41 -0800 (PST)
Received: by wmec201 with SMTP id c201so48459454wme.0 for <manet@ietf.org>; Thu, 03 Dec 2015 14:10:39 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:cc:content-type; bh=yGZ5nbWeDWFb/bHgQw67BaGoB4GJEEzII67q7Nv8o04=; b=BliurH9bVov0N6ZXeUTdPyR2WXGOvNF9/tRcznllpb86KBgtTtVo+VA4jDkYjVf4eH 1ZdMpQqZAyYu3S7Lw+eWvPHMr6ItF5zQpbekw6jOq/ZQzfefbzYfbhdIxUXAxe2402Jk YzON2GgH+Rarmy8PKTuZI3+NqEAa1mmySdQbi6B34e1fOJX+FCYfXh6XSy2VOZvahETe 6aI1RIfVHeu55+nboPEyQMr8ohyNbmSu5+alE8x1DkDD+fJ3TyuIes21gx3I3o5YBB6m J2/IFe96WH/B+dGwfPiaUQmzcgqIBcfUNeYexiTrhOR3JJU0yjlNRyjoJnSVRHfFUmEU tj3w==
MIME-Version: 1.0
X-Received: by 10.194.111.199 with SMTP id ik7mr13773026wjb.167.1449180639803; Thu, 03 Dec 2015 14:10:39 -0800 (PST)
Sender: yi.jiazi@gmail.com
Received: by 10.194.26.3 with HTTP; Thu, 3 Dec 2015 14:10:39 -0800 (PST)
In-Reply-To: <0E81A665-85F2-4358-A5E9-1151CCAB0E61@gmail.com>
References: <241ccb422cb941bda2617d7be275c649@VAUSDITCHM2.idirect.net> <9948DF10-0B9B-404E-BA09-C90CDE209756@thomasclausen.org> <DCC7ED56-7ED9-4610-91A0-3D70620B9823@gmail.com> <CAAePS4DtpBrWtgBbnWjLZN07mcyH=hmK0pzPvCrjwwLiTuXc2Q@mail.gmail.com> <CAAePS4AtbPekzU=m7aut08yHwZPmk-TiCdG4vvfNZtSWPowx=Q@mail.gmail.com> <8228CBB8-BCB5-4ED9-9E0C-F76CD63D2DFC@thomasclausen.org> <B31EEDDDB8ED7E4A93FDF12A4EECD30D7D76C1DB@GLKXM0002V.GREENLNK.net> <D2925838-C6F4-4E13-85F8-499651983056@thomasclausen.org> <CAN1bDFwtKOkA2-MWCk0gPHVJ9_eki2P2Rb5Gu4s65pKV1mKehA@mail.gmail.com> <0E81A665-85F2-4358-A5E9-1151CCAB0E61@gmail.com>
Date: Thu, 03 Dec 2015 23:10:39 +0100
X-Google-Sender-Auth: 7jywRE8LQNb7eGlO_GJVVZsr9wY
Message-ID: <CAN1bDFyEQkGr-vt+ngXt6V+21K6qiMv56FQu1boL=Ju+PQpqZQ@mail.gmail.com>
From: Jiazi YI <ietf@jiaziyi.com>
To: Christopher Dearlove <christopher.dearlove@gmail.com>
Content-Type: multipart/alternative; boundary="001a1130d0ea404083052605a96e"
Archived-At: <http://mailarchive.ietf.org/arch/msg/manet/zXVqWPbunmEuCMOam1_76mywbNk>
Cc: "Dearlove, Christopher (UK)" <chris.dearlove@baesystems.com>, manet <manet@ietf.org>, Victoria Mercieca <vmercieca0@gmail.com>
Subject: Re: [manet] draft-ietf-manet-aodvv2-12 and draft-ietf-manet-dlep-17
X-BeenThere: manet@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Mobile Ad-hoc Networks <manet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/manet>, <mailto:manet-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/manet/>
List-Post: <mailto:manet@ietf.org>
List-Help: <mailto:manet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/manet>, <mailto:manet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 Dec 2015 22:10:48 -0000
Sure. thanks for making it more precise :) Jiazi On Thu, Dec 3, 2015 at 10:53 PM, Christopher Dearlove < christopher.dearlove@gmail.com> wrote: > In OLSRv2 a compromised router can only speak for itself if ICVs are > linked to specific routers. Use a shared secret key (as RFC 7183) then a > compromised router can impersonate any router. draft-ietf-manet-ibs is > however an example where it can't. > > -- > Christopher Dearlove > christopher.dearlove@gmail.com (iPhone) > chris@mnemosyne.demon.co.uk (home) > > On 3 Dec 2015, at 21:42, Jiazi YI <ietf@jiaziyi.com> wrote: > > I agree with Chris and Thomas on their concerns on the hop-by-hop security > issue. > > This is very different from classical DV protocol, in which the vector > information is designed to be exchanged between neighbours. > In AODVv2, the RREQ/RREP/RERR are to be forwarded through multiple hops. A > router can sign a message that isn't actually initialised by itself -- this > is, at least, against intuition. > > This can be an issue if we have compromised routers in the network. Of > course, a compromised router is a problem for every protocol, like OLSRv2. > But in OLSRv2, a compromised router can only speak on behalf of itself -- > however, in AODVv2, a compromised/mis-configured router can pretend to be > any other router (for example, generate RREQ messages using another address > as OrigAddr). The consequence will be much more serious if that happens. > > best > > Jiazi > > > On Thu, Dec 3, 2015 at 2:53 PM, Thomas Heide Clausen < > ietf@thomasclausen.org> wrote: > >> That is exactly the thing - the trust model assumed (& the protocol >> mechanics) need to be understood before designing the necessary MTI >> security, and before deciding which bits (if any) from 7182 to use... >> >> Thomas >> >> On 3 déc. 2015, at 14:26, Dearlove, Christopher (UK) < >> chris.dearlove@baesystems.com> wrote: >> >> If you go down this route of assuming transitive trust, then you might as >> well use 7182’s packet ICV and timestamp rather than message ICV and >> timestamp. >> >> >> >> There is a complication (mostly one of presentation) that the 5444 >> multiplexer (rather than AODVv2) needs to do this, at least for packets >> containing AODVv2 messages (but at which point, probably all 5444 packets). >> So you either, depending on your point of view, need to request it to do >> that, or (administratively) decline to operate except over a 5444 >> multiplexer that is doing this. >> >> >> >> The advantage is one of saved space and time when packets contain more >> than one message. Plus slightly better protection (hop count and limit are >> covered) but which probably doesn’t matter here. >> >> >> >> If messages are changed/replaced on a one-to-one basis as forwarded, then >> the only solutions I can see are hop by hop transitive trust (packets or >> messages per hop), or something complicated involving aggregation and >> knowledge of changes. But the latter would be a research task to develop, >> so let’s not try that. >> >> >> >> >> >> *From:* manet [mailto:manet-bounces@ietf.org <manet-bounces@ietf.org>] *On >> Behalf Of *ietf@thomasclausen.org >> *Sent:* 03 December 2015 12:22 >> *To:* Victoria Mercieca >> *Cc:* manet >> *Subject:* Re: [manet] draft-ietf-manet-aodvv2-12 and >> draft-ietf-manet-dlep-17 >> >> >> >> Dear Victoria, >> >> >> >> Responding twice to this email, intentionally as I want to address two >> different aspects independently…. >> >> >> >> On Nov 19, 2015, at 17:09, Victoria Mercieca <vmercieca0@gmail.com> >> wrote: >> >> >> >> >> >> Hi Thomas and Christopher, >> >> Thank you for your comments. If I may address just one point for >> starters - regeneration vs forwarding. We use the term regeneration since >> forwarding seems inappropriate when the message content changes at each hop. >> >> The changes we make to the message content are: >> >> 1) We change the metric so that each router along the path learns a route >> from the message, with the metric associated with the path up to that point >> 2) AckReq only applies between hops, so needs to be removed at each hop, >> and a new AckReq element may need to be added for the next hop. >> 3) ValidityTime could potentially be added by any intermediate router >> that wishes to limit the time it will forward packets on the route. >> 4) Stripping out Unreachable Addresses from RERR which did not affect our >> route set. >> >> Can we really use the term "forwarding" if we are changing the metric >> value, adding a validity time, adding/removing AckReq or removing addresses >> and their associated TLVs? >> >> OK, so assume that I understand regeneration as per my previous email, as >> meaning “generate a new message and send to my neighbors, based on what I >> learned when processing a received message” — just like any distance vector >> protocol does. >> >> >> >> In that model, what you write makes sense: each originator of a control >> message (i.e., whoever generates or regenerates it) is free to include the >> information it desires, such as the 4 points you list above. No issues with >> that. >> >> >> >> However, and this joins what I pointed out in a previous email, you write >> in the applicability statement: >> >> >> >> Providing security for a reactive routing protocol can be difficult. >> >> >> While we can discuss if the nature of “reactive routing protocol” generates particular difficulties, we certainly can agree that this protocol has the same “difficulties” as a distance vector protocol: routing topology information (by definition) not being exchanged end-to-end, but between neighbors (who do calculations and generate their own announcements — regeneration, as you call it). >> >> >> This means that a specific security model of transitive trust must be assumed, no? I trust Victoria, therefore when Victoria says “Stan told me” then I trust that she actually verified that "it was indeed Stan who told her …” — and either way, I have no way of verifying? >> >> >> I did not see the trust model / trust assumption discussed in the specification (specifically not in applicability and in section 13, both of where it should be called out), but I think that this is actually a crucial point to get right, in order to approach developing the MTI security mechanisms. >> >> >> Anyways, that observation actually contrasts strongly with what the applicability statement then goes on to say, namely: >> >> >> >> AODVv2 provides for message integrity and security against replay >> >> attacks by using integrity check values, timestamps and sequence >> >> numbers, as described in Section 13 <https://tools.ietf.org/html/draft-ietf-manet-aodvv2-12#section-13>. >> >> >> This is true only in as much as messages are indeed exchanged between neighbors: when you “regenerate” a message, i.e., generate a new message in response to receipt of a message, you generate brand new payload (but possibly including some of the data from the received message, of course): thus, any ICVs “from farther away than the neighbor” will be useless (or, if you zero out the parts that you change, these parts will not be protected). >> >> >> The above sentence, quoted from the applicability statement, and that which transpires from section 13, seems - certainly, absent the trust model assumed - to suggest that end-to-end protection/validation is provided. But, this is *not* the case. >> >> >> Finally to the applicability statement, a question: >> >> >> If security associations can be >> >> established, encryption can be used for AODVv2 messages to ensure >> >> that only trusted routers participate in routing operations. >> >> >> >> What you want to say here is that “if all trusted routers have a shared >> secret, then we’re able to use that shared secret to ignore non-trusted >> routers”, right? >> >> While “security associations” that do not pass through a shared secret >> probably can be thought up, it’s not trivial and I did not find any >> discussion of that in the document? >> >> >> >> Having, on the topic of security, re-read Section 13, which starts: >> >> >> >> This section describes various security considerations and potential >> >> avenues to secure AODVv2 routing. >> >> >> >> While this is an honest description of what follows, I remain convinced >> that this is not sufficient. So let me ask as precisely as I can: >> >> >> >> o what is the MTI security mechanism that a >> conformant implementation must provide? >> >> Specifically: >> >> - which are the processing >> steps (for example in section 7.2.1 >> >> and section 7.2.2 for >> RREP - and similarly for the other message >> >> types) that define that >> security mechanism >> >> >> >> o what protection is offered by that MTI security >> mechanism? And what remains >> >> vulnerable. >> >> >> >> If this specification targets std.track, then it should include >> (reasonably solid, but definitely well specified) MTI security. >> >> >> >> Best >> >> >> >> Thomas >> >> >> >> Further, in reply to the comment about use of the msg-hop-count and >> msg-hop-limit fields, I think it does not matter that a message only >> travels one hop in that particular form, with that exact set of information >> enclosed. Hop limit and hop count are part of the message and used by the >> routing protocol, and so they refer to the multi-hop path that the AODVv2 >> message will follow, indicating when not to regenerate any further. So >> AODVv2 uses these fields as suggested in RFC5444 Appendix B, to limit the >> number of hops across which it will regenerate a packet so as to "prevent >> messages from endlessly circulating in a MANET". >> >> Kind regards, >> Victoria. >> >> >> >> On Wed, Nov 18, 2015 at 8:49 AM, Christopher Dearlove < >> christopher.dearlove@gmail.com> wrote: >> >> I've not had time to look at either yet, though I hope to review DLEP >> very soon. >> >> >> >> But this has made me think about the RFC 6621 reference in AODVv2. It's >> always been clear this has been rather a throwaway comment that needed >> thought, but until now I hadn't really given it any. >> >> >> >> And it doesn't work. RFC 6621 is fundamentally unusable here. Let's >> consider each on turn. >> >> >> >> AODVv2 is in the RFC 5444 structure. As has been noted on many occasions, >> AOVDVv2 gets to use messages, but packets are not in its competence. >> >> >> >> RFC 6621 is about packets. But not even RFC 5444 packets but IP packets. >> It's about whether or not to forward them. But RFC 5444 packets aren't just >> not forwarded in unchanged IP packets, they aren't even forwarded at all. >> They are each a single hop construct, and if a message is forwarded (which >> is by the routing protocol, as far as RFC 5444 is concerned, it's a new >> message) it will be in a new packet, with possibly new companions. >> >> >> >> If AODVv2 wants to use a more efficient flooding process, it needs one at >> the message level. Now an example of that exists - the mechanism on RFC >> 7181. Unfortunately we didn't break that out as a separate draft (we would >> have liked to, but there were reasons we didn't). >> >> >> >> And even if (by reference or other means) it were used - or some related >> mechanism such as a CDS - that processing/forwarding mechanism assumes you >> have defined MPRs (or similarly, that you have defined a CDS). And that >> needs a local exchange of information, such as NHDP's HELLO messages (and >> the rest of NHDP) augmented with RFC 7181's MPR TLV (though only the >> flooding bit is needed). >> >> >> >> In other words, taking some real work to define. And also raising a >> question for the WG - why do we want a reactive protocol? The main >> attraction as I see it is the "if you're not doing anything, you're not >> transmitting" property. Which adding this voids. Of course maybe the WG >> doesn't value that. Or it is acceptable as an option. But if so it needs to >> be an option that all routers use, or none. And if all, compatibly. (MPR >> flooding allows different MPR selection algorithms - but only as long as >> they satisfy the fundamental MPR algorithm properties.) >> >> >> >> In short, RFC 6621 must go. The alternative is nothing, or significant >> work. >> >> -- >> >> Christopher Dearlove >> >> christopher.dearlove@gmail.com (iPhone) >> >> chris@mnemosyne.demon.co.uk (home) >> >> >> On 18 Nov 2015, at 01:35, Thomas Clausen <ietf@thomasclausen.org> wrote: >> >> Dear all, >> >> >> >> I have started looking through the recently >> updated draft-ietf-manet-aodvv2-12. A lot has changed, and I regret not to >> have had a blow-by-bow comeback to the previous review comments - would >> have made it a somewhat easier task to check if all have been addressed or >> not. >> >> >> >> But, I will work through it and produce a detailed review - but from my >> first quick read-through there're a couple of issue that jumped at me as >> worth bringing forward on a more global level already. >> >> >> >> The first relates to how RREQs are forwarded -- or, more generally, are >> not. >> >> >> >> The protocol currently talks about "message is regenerated" rather than >> "forwarded". I have understood that this means that a RREQ is actually not >> an "end to end" entity, but is a "hop by hop" entity. >> >> >> >> First, that is a curious design choice, is there any reason why this is >> so considered? >> >> >> >> Second, if a RREQ message is hop-by-hop only, then I do not think that >> the use of the RFC5444 hop-limit/hop-count fields is appropriate. >> >> >> >> Third, the statement in section 6.5 on the use of RFC6621 is incorrect in >> two ways: RFC6621 does specify how messages are *forwarded* (but, as >> discussed above, you are not forwarding messages). >> >> >> >> More seriously, this paragraph is incorrect: >> >> >> >> "Implementations MAY choose to employ techniques to reduce the number of multicast messages sent. Use of [RFC6621 <https://tools.ietf.org/html/rfc6621>] in deployments is recommended. Employing [RFC6621 <https://tools.ietf.org/html/rfc6621>] in a subset of the operational AODVv2 routers in a network, or configuring different algorithms on different routers, will not cause interoperability issues, but will reduce the effectiveness of the multicast reduction scheme." >> >> >> >> Different routers using different relay selection algorithms in the same >> network will not *just* cause loss of efficiency, but *will* cause >> interoperability issues. >> >> >> >> For example if "router A" decides to suppress its message relaying >> because it estimates that "router B" provides sufficient coverage - and >> conversely "router B" suppresses relaying for the same reason: neither A >> nor B would relay, and so any routers reachable only via A and B would not >> be covered. >> >> >> >> This is not a far-sought example: it can be as simple as A and B simply >> using self-selecting relay algorithms with different tie-breakers. >> >> >> >> In short: I think that the whole message flooding/regeneration part >> requires serious work. >> >> >> >> The second issue is that I also suspect that there is some issue with >> buffering, or rather with how it is specified; starting in section 6.6, I >> am not sure that leaving that as "a matter of policy at each router" is >> entirely right. >> >> >> >> Also on buffering, I am wondering if the "start delivering buffered >> packets" conditions (penultimate paragraph in 6.6, and of course through >> the processing sections) is sufficient; I suspect that the condition "When >> a valid route is installed" is not sufficient - that there are situations >> where a routing table entry is installed, but the complete route is not >> available or is not bidirectional?This obviously is related to RREP_Ack >> being hop-by-hop and not end-to-end.... >> >> >> >> Either way, the parts of the specification that relate to buffering >> contain a mixture of normative and non-normative verbiage (a lot of "can" >> but also a lot of MUST/SHOULD) which I think could do with a tightening up. >> >> >> >> But....is buffering even something that should be specified by this >> document? It does not impact interoperability and it interferes >> substantially with transport and congestion control, and I am not sure that >> we understand the consequences (I am not convinced that the claims in the >> document on benefits to TCP are substantiated or even true). >> >> >> >> As I indicated, a complete review will follow, but I thought that these >> was a global enough topics to call out and get engineered right. >> >> >> >> Thomas >> >> >> >> PS: I remain convinced that the security considerations section is >> insufficient ; I will try to articulate my thoughts on why that is, but for >> starters looking at the recently raised (by somebody else, the Chris >> replied) AODV security questions would probably be helpful >> >> >> On 10 Nov 2015, at 02:10, Ratliff, Stanley <sratliff@idirect.net> wrote: >> >> Hello WG participants – >> >> >> >> The above referenced drafts were posted Oct. 13 (for AODVv2), and Oct. 16 >> (DLEP). The co-authors and the chairs ask that you please take some time to >> review and comment on the new submissions. >> >> >> >> Regards, >> >> Stan >> >> >> >> >> >> >> _____________________________________________________ >> This electronic message and any files transmitted with it contains >> information from iDirect, which may be privileged, proprietary >> and/or confidential. It is intended solely for the use of the individual >> or entity to whom they are addressed. If you are not the original >> recipient or the person responsible for delivering the email to the >> intended recipient, be advised that you have received this email >> in error, and that any use, dissemination, forwarding, printing, or >> copying of this email is strictly prohibited. If you received this email >> in error, please delete it and immediately notify the sender. >> _____________________________________________________ >> >> _______________________________________________ >> manet mailing list >> manet@ietf.org >> https://www.ietf.org/mailman/listinfo/manet >> >> _______________________________________________ >> manet mailing list >> manet@ietf.org >> https://www.ietf.org/mailman/listinfo/manet >> >> >> _______________________________________________ >> manet mailing list >> manet@ietf.org >> https://www.ietf.org/mailman/listinfo/manet >> >> >> >> >> >> _______________________________________________ >> manet mailing list >> manet@ietf.org >> https://www.ietf.org/mailman/listinfo/manet >> >> >> >> ******************************************************************** >> This email and any attachments are confidential to the intended >> recipient and may also be privileged. If you are not the intended >> recipient please delete it from your system and notify the sender. >> You should not copy it or use it for any purpose nor disclose or >> distribute its contents to any other person. >> ******************************************************************** >> >> >> _______________________________________________ >> manet mailing list >> manet@ietf.org >> https://www.ietf.org/mailman/listinfo/manet >> >> > _______________________________________________ > manet mailing list > manet@ietf.org > https://www.ietf.org/mailman/listinfo/manet > >
- [manet] draft-ietf-manet-aodvv2-12 and draft-ietf… Ratliff, Stanley
- Re: [manet] draft-ietf-manet-aodvv2-12 and draft-… Thomas Clausen
- Re: [manet] draft-ietf-manet-aodvv2-12 and draft-… Christopher Dearlove
- [manet] Fwd: draft-ietf-manet-aodvv2-12 and draft… Victoria Mercieca
- Re: [manet] draft-ietf-manet-aodvv2-12 and draft-… Victoria Mercieca
- Re: [manet] draft-ietf-manet-aodvv2-12 and draft-… Awokoya Emma
- Re: [manet] draft-ietf-manet-aodvv2-12 and draft-… Thomas Clausen
- Re: [manet] draft-ietf-manet-aodvv2-12 and draft-… Awokoya Emma
- Re: [manet] draft-ietf-manet-aodvv2-12 and draft-… ietf
- Re: [manet] draft-ietf-manet-aodvv2-12 and draft-… ietf
- Re: [manet] draft-ietf-manet-aodvv2-12 and draft-… Dearlove, Christopher (UK)
- Re: [manet] draft-ietf-manet-aodvv2-12 and draft-… Thomas Heide Clausen
- Re: [manet] draft-ietf-manet-aodvv2-12 and draft-… Jiazi YI
- Re: [manet] draft-ietf-manet-aodvv2-12 and draft-… Christopher Dearlove
- Re: [manet] draft-ietf-manet-aodvv2-12 and draft-… Jiazi YI
- [manet] Loops & Specification (was: Re: draft-iet… ietf
- Re: [manet] Loops & Specification Charlie Perkins