IETF Logo Mail Archive

Re: [Roll] AD Review of draft-ietf-roll-efficient-npdao-09

Rahul Arvind Jadhav <rahul.jadhav@huawei.com> Thu, 16 May 2019 05:37 UTC

Return-Path: <rahul.jadhav@huawei.com>
X-Original-To: roll@ietfa.amsl.com
Delivered-To: roll@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A615A120091; Wed, 15 May 2019 22:37:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ur9hte-tTI-V; Wed, 15 May 2019 22:37:52 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B019B12006D; Wed, 15 May 2019 22:37:51 -0700 (PDT)
Received: from lhreml701-cah.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id 0E7EE6F06ECB6C3C78B0; Thu, 16 May 2019 06:37:50 +0100 (IST)
Received: from BLREML407-HUB.china.huawei.com (10.20.4.45) by lhreml701-cah.china.huawei.com (10.201.108.42) with Microsoft SMTP Server (TLS) id 14.3.408.0; Thu, 16 May 2019 06:37:49 +0100
Received: from BLREML503-MBX.china.huawei.com ([169.254.9.86]) by BLREML407-HUB.china.huawei.com ([10.20.4.45]) with mapi id 14.03.0439.000; Thu, 16 May 2019 11:07:39 +0530
From: Rahul Arvind Jadhav <rahul.jadhav@huawei.com>
To: Alvaro Retana <aretana.ietf@gmail.com>
CC: roll <roll@ietf.org>, roll-chairs <roll-chairs@ietf.org>, "draft-ietf-roll-efficient-npdao@ietf.org" <draft-ietf-roll-efficient-npdao@ietf.org>
Thread-Topic: AD Review of draft-ietf-roll-efficient-npdao-09
Thread-Index: AQHU8KtHi2al9xV9Bkeco/7i1KUlVaZQCpOAgBAPg4CAChXQ0A==
Date: Thu, 16 May 2019 05:37:39 +0000
Message-ID: <982B626E107E334DBE601D979F31785C5DEA5543@BLREML503-MBX.china.huawei.com>
References: <CAMMESsy11FvVEZ6VGRK7PYo4FXzVs8x=G-y-0U8C3bkgyK5R8A@mail.gmail.com> <CAO0Djp16zsnfq266Y5=5sw6HbWx3KDdGqQfoQZ9jJfyUahVAfw@mail.gmail.com> <CAMMESswxytDEfBbtFxM0-cd7QTZ-j5-JTrCF6pDSckZQVM5KrQ@mail.gmail.com>
In-Reply-To: <CAMMESswxytDEfBbtFxM0-cd7QTZ-j5-JTrCF6pDSckZQVM5KrQ@mail.gmail.com>
Accept-Language: en-IN, zh-CN, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.18.157.44]
Content-Type: multipart/alternative; boundary="_000_982B626E107E334DBE601D979F31785C5DEA5543BLREML503MBXchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/roll/1miB4bYeNwQSJ-QRVCXYfqSJdIM>
Subject: Re: [Roll] AD Review of draft-ietf-roll-efficient-npdao-09
X-BeenThere: roll@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Routing Over Low power and Lossy networks <roll.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/roll>, <mailto:roll-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/roll/>
List-Post: <mailto:roll@ietf.org>
List-Help: <mailto:roll-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/roll>, <mailto:roll-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 16 May 2019 05:37:55 -0000

Thanks Alvaro for rechecking the draft updates.
And thanks to Francis for the review comments.

Updates:

1.       Removal of redundant text, I-flag naming consistency as per Alvaro’s comments.

2.       Fixed nits as per Francis comments.
These updates are currently in roll-wg github only (here<https://github.com/roll-wg/efficient-route-invalidation/commit/775886bf93223e80273be04f9d993526d01cfb64>). Would be uploading the new ID along with changes, if any, resulting out of other discussion.

Please find comments inline for other points.

Still pending, is the discussion about allowing unsolicited DCO.

Regards,
Rahul



The only remaining item is whether you (the WG) want an ancestor to be able (as a feature) to generate a DCO without the corresponding DAO…. I’ll let you discuss that in the WG an include it (or not) before we start IESG Evaluation.

[RJ] This discussion is initiated.


The new text is redundant (talks about the lifetime twice):

   The DCO carries an RPL Target Option and an associated Transit

   Information Option with a lifetime of 0x00000000 to indicate a loss

   of reachability to that Target.  The lifetime indicated in the

   Transit Information Option of the DCO message MUST be set to

   0x00000000.

[RJ] Have removed the redundant text.

...

There is redundant text here too:

   Option to identify the freshness of the DCO message.  The Path

   Sequence in the DCO MUST use the same Path Sequence number present in

   the regular DAO message when the DCO is generated in response to a

   DAO message.  The Path Sequence present in the Transit Information

   Option of the DAO and the correspondingly triggered DCO MUST be same.
[RJ] Removed the redundant text.

...
[major] "Path Sequence in the DCO MUST use the same Path Sequence number
present in the regular DAO message when the DCO is generated in response to
DAO message" The DAO message is obviously the one that triggered the
DCO... When would a DCO *not* be originated in response to a DAO? Are
there other cases when the DCO can be originated? Requiring the same Path
Sequence is fine...the reason for this comment is the condition ("when the
DCO...").

[RJ] One other condition that i can think of is, if the common ancestor node
somehow believes that there are other high priority routing entries that it
must entertain, thus evicting existing ones. During such eviction the common
ancestor node could make use of the stored path sequence and initiate a DCO.
DCO can fully support this in current form. Do you think this use-case makes
sense? We introduced 'I' bit especially so that target is in full control of
its own invalidation. With such change we loosen up that part.

Hmm…I initially thought that this case would be a vulnerability. :-(

Are there cases that you can come up with where those other “high priority routing entries” would have to be invalidated and that they wouldn’t just be preferred normally??  It is really up to the WG to determine if that is an use case that makes sense….

[RJ] I’ll leave this to the explicit discussion we are having on another thread.

Either way, the vulnerability still exists.

[RJ] The weak points of DCO is same as that of DAO. I mean, if there is a malicious 6lr which somehow manages to break into RPL network i.e. gets access keys used for encryption/mic, then there are several attacks possible using existing DAO itself … The route invalidation vulnerability exists with DAO itself. Any malicious 6LR can trigger a no-path DAO causing route invalidation, the same could be done with DCO as well. In the security consideration, we raised the possibility that malicious 6LR can initiate DCO unilaterally and invalidate active routes. The prevention plan is same as RFC6550.

...
498 4.4.1. Dependent Nodes invalidation

500 Current RPL [RFC6550] does not provide a mechanism for route
501 invalidation for dependent nodes. This document allows the dependent
502 nodes invalidation. Dependent nodes will generate their respective
503 DAOs to update their paths, and the previous route invalidation for
504 those nodes should work in the similar manner described for switching
505 node. The dependent node may set the I-bit in the transit
506 information option as part of regular DAO so as to request
507 invalidation of previous route from the common ancestor node.

[major] This part is underspecified. How do the dependent nodes know of
the switch? Is A (Figure 1) the common ancestor node mentioned above?

I found the same question being asked during WGLC, and the answer seems to
be: "the dependent nodes will always set the I-flag". Is that my correct
interpretation? The behavior needs to be reflected in the specification.

https://mailarchive.ietf.org/arch/msg/roll/LejLNET8Hk92wPWU3Xi6OaxCujg

[RJ] I have added a para to describe this more. Please check if it makes sense.

If the dependent node always sets the I bit, wouldn’t that result in constant invalidation (unless no route existed before)?  IOW, it seems like the setting of the I bit has to be conditional.  The mail archive talks about the DTSN incrementing — I’m assuming this will happen then the parent switches to a different parent…is that true?  If so, then I think that this piece of text still needs some work.

[nit] The I bit is sometimes called the I flag…please be consistent.

[RJ] Made it I flag everywhere consistently.

...

570 7. Security Considerations

[major] This section mostly points at rfc6550 (which is ok), but it doesn't
say anything about vulnerabilities (if any) that this specification may be
introducing...or why it doesn't. [See my related comment in §4.3.3.]

I would like to see (perhaps after the current text) something along the
lines of "This document introduces the ability to do abc. It doesn't
introduce any new vulnerabilities becasue... OR ... These are the new
vulnerabilities and this is how they can be mitigated...or why they are not
really of concern..."

[RJ] Have added this text in the beginning of the security considerations
section. Also have updated the "Unsecured" mode para, to say that the DCO and
DCO-ACK MUST be link-layer encrypted if link-layer security is been put to use.

That is not what I read in the new text: "A DCO and DCO-ACK message which is not encrypted at link-layer MUST not be handled by the RPL layer.  Also all the DCO and DCO-ACK messages that are transmitted MUST be link-layer encrypted.”  I read this text as saying that the DCO/DCO-ACK MUST always be link-layer encrypted…    I couldn’t find that to be the same expectation as in rfc6550.

[RJ] Yes. MUST is not mentioned in 6550. Thanks for this observation. I have removed the two stmts and aligned it with 6550 text.

v2.23.0 | Report a Bug | By Email