[Roll] AD Review of draft-ietf-roll-useofrplinfo-23
Alvaro Retana <aretana.ietf@gmail.com> Tue, 14 August 2018 19:04 UTC
Return-Path: <aretana.ietf@gmail.com>
X-Original-To: roll@ietfa.amsl.com
Delivered-To: roll@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C5B4A130DE9; Tue, 14 Aug 2018 12:04:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pq0f5V0draDG; Tue, 14 Aug 2018 12:04:51 -0700 (PDT)
Received: from mail-oi0-x234.google.com (mail-oi0-x234.google.com [IPv6:2607:f8b0:4003:c06::234]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D8ACE124BE5; Tue, 14 Aug 2018 12:04:47 -0700 (PDT)
Received: by mail-oi0-x234.google.com with SMTP id m11-v6so35672698oic.2; Tue, 14 Aug 2018 12:04:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:mime-version:date:message-id:subject:to:cc; bh=9bwCKTRwKffjUgTMA1PaKABRW1SKfK4ap24A3dLoZIo=; b=VAMmUTL9PatN+V34T6/nhgxA3VX2VDNSLmQpnKy7amRtNSGd4B6Ko+btGo1yz5SqX3 yLq6XCljdoAJwtXok/XyKJUNCOuo7Fsn+Lj55j+fHF53l9A3Tq4Q2V0H1O+dPI/69AfW YSKqUdXr7us1nK+doZ4MFqA6TvfTWa9kEZtz1Bi3bPCbV0dW8u807rTI2m0kosBArTjl Mw0rI3lMFm03VpNGYTI10cchvrjj8UaF80FAax72b6JMImbSZ8+6wvp3Zn0OvAh49dRf A1O8/TGIJJMciYqnjEx6Za3/NaaIbSFcDXdYgvRZIqe+iSt5t6CI4DhhkIZwEDC4J2nf EJkg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:mime-version:date:message-id:subject:to:cc; bh=9bwCKTRwKffjUgTMA1PaKABRW1SKfK4ap24A3dLoZIo=; b=YUD4tnqIxwiqUFpNKpTxUk8cP0UMblZPIDd+Wsn3WhlkflxScXJwGVwuSWwdMnSIEy x8EOSZGqKb+ccG2TQjxB38ukotVH64NVDi3+bmM14eBPTvULHTSzkqZga6v+lKD8s7UZ 6YT5ndDmnrfV2UiCjQzfnFE5L8i6/TwxyziblHEX9XaJNtotR0zq61lPEPpevcxK941R Q/8mutPagbnofLLUWxNfNWSt9uTA6FqVC2L1f/lyLY6mfaUCsYNVXBupzMWYxUB4jqZy 0wGrbPDx1B6po11MuNhnC2SIWpGoJfzWeM3AK9C4MflNK3QcGOAAgEbt0Ng99nFo6V3z u2kA==
X-Gm-Message-State: AOUpUlEkcrFmjj4o4IWjNbQhlFB71byduuON2cx48oZtMlBo/BfC4N2E Y4g8MJ3qDBQK87YMT4VqZ8+BOF++y5qEIX3mmPsSPQ==
X-Google-Smtp-Source: AA+uWPxMDjnPjxp0XLkzAKlhnWtzcBP3IbhcqxmByK/uir6/381HovKCEC6EO2nEIBKXdxcFTnI3GTrCX9rbqhVTI9g=
X-Received: by 2002:aca:5004:: with SMTP id e4-v6mr25469714oib.111.1534273486135; Tue, 14 Aug 2018 12:04:46 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Tue, 14 Aug 2018 12:04:44 -0700
From: Alvaro Retana <aretana.ietf@gmail.com>
X-Mailer: Airmail (467)
MIME-Version: 1.0
Date: Tue, 14 Aug 2018 12:04:44 -0700
Message-ID: <CAMMESszeTZSZTTcLPG_zbFOyiwR_tPKw4Zfw=xT3yVayKT6WWA@mail.gmail.com>
To: draft-ietf-roll-useofrplinfo@ietf.org
Cc: roll@ietf.org, roll-chairs@ietf.org, Peter van der Stok <consultancy@vanderstok.org>
Content-Type: multipart/alternative; boundary="00000000000021297a057369e2ca"
Archived-At: <https://mailarchive.ietf.org/arch/msg/roll/6xBU7XPsx3GQT8rzDXdd61Idjo0>
X-Mailman-Approved-At: Tue, 14 Aug 2018 13:12:23 -0700
Subject: [Roll] AD Review of draft-ietf-roll-useofrplinfo-23
X-BeenThere: roll@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Routing Over Low power and Lossy networks <roll.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/roll>, <mailto:roll-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/roll/>
List-Post: <mailto:roll@ietf.org>
List-Help: <mailto:roll-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/roll>, <mailto:roll-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 14 Aug 2018 19:05:00 -0000
Dear authors: I have (finally!) finished reading this document. Thanks for all the work and time put into working out all the details. I have several concerns. I'm listing some of the Major (and document-wide) ones up front. I also put more comments and questions inline below. (1) [major] Where is the specification of the data-plane behavior? This document does a couple of things: it Updates several other RFCs, and presents a list of *example* flows where the expected behavior is illustrated. The Updates are mostly about the new RPI value (0x23), but not about the behavior of the nodes. Most of the examples are worded such that they describe actions (encapsulate, remove, etc.)...and some even include rfc2119 Normative Keywords. But they are called examples! So...my questions are: is the behavior illustrated in §6 and §7 intended to be Normative? IOW, do these sections include both examples and specify the behavior expected in the LLN? Is the behavior already specified somewhere else (and this document is just illustrating)? [I am asking that last question just-in-case, because the Introduction says that "this document clarifies what is the correct and the incorrect behaviour."] §8 seems to attempt to summarize "observations about the cases", but (if it is intended to be *the* Normative text about the behavior) it is general and short. [Some of my comments below ask about Normative language... Please take those in context with the answers here.] (2) [major] Operational Considerations Non-storing mode networks don't need the change to 0x23 (§8.2)...but making the change creates a flag day, and even then, implementations should still process both values (§3.1). I would really like to see text about the operational considerations of introducing 0x23. It concerns me that a significant change that most[*] networks don't need is being introduced. Please take a look at rfc5706 (Guidelines for Considering Operations and Management of New Protocols and Protocol Extensions), specially §2. [*] Most deployed networks work in non-storing mode, right? (3) [minor] >= ?? There are several (25!) instances of text like this: 6LR_i are the intermediate routers from source to destination. In this case, "1 <= i >= n", n is the number of routers (6LR) that the packet go through from source (6LN) to destination (6LBR). Maybe it's just me, but I don't understand why (or how!) i could ever be >= n. The text says that i are the "intermediate routers from source to destination", while n is "the number of routers...from source (6LN) to destination (6LBR)". Isn't that the same thing? What am I missing? (4) Style nit: the document uses "we"...a third person style would be preferable. For example: s/In this section we are going to describe.../This section describes... I will wait for the major points to be addressed before starting the IETF LC. Thanks!! Alvaro. [Note: the numbers came from the idnits output.] ... 10 When to use RFC 6553, 6554 and IPv6-in-IPv6 11 draft-ietf-roll-useofrplinfo-23 [minor] Can we come up with a more descriptive tittle? Also, the "shorthand" version ("Useof6553") could be improved. ... 130 1. Introduction ... 156 The related document A Routing Header Dispatch for 6LoWPAN (6LoRH) 157 [RFC8138] defines a method to compress RPL Option information and 158 Routing Header type 3 [RFC6554], an efficient IP-in-IP technique, and 159 use cases proposed for the [Second6TischPlugtest] involving 6loRH. [nit] I'm having trouble parsing this last paragraph. It sounds like rfc8138 (also) defines the use cases, but I don't remember seeing anything like that in there. Is that what you meant? [nit] I think the Introduction would benefit from an overview of the document; something like "section X talks about abc, section Y presents examples, etc.". 161 2. Terminology and Requirements Language 163 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 164 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 165 document are to be interpreted as described in RFC 2119 [RFC2119]. [major] Please use the RFC8174 template. ... 170 RPL-node: A device which implements RPL, thus we can say that the 171 device is RPL-capable or RPL-aware. Please note that the device can 172 be found inside the LLN or outside LLN. In this document a RPL-node 173 which is a leaf of a DODAG is called RPL-aware-leaf. [nit] RPL-capable is not used anywhere else. ... 180 pledge: a new device which seeks admission to a network. (from 181 [I-D.ietf-anima-bootstrapping-keyinfra]) 183 Join Registrar and Coordinator (JRC): a device which brings new nodes 184 (pledges) into a network. (from 185 [I-D.ietf-anima-bootstrapping-keyinfra]) [minor] Do these two terms need to be defined in this document? They are only used once, and with a reference to I-D.ietf-anima-bootstrapping-keyinfra next to them. Also, and more important, the definition here doesn't match the one in that other draft. Please take out the definitions and just make reference later on... 187 Flag day: A "flag day" is a procedure in which the network, or a part 188 of it, is changed during a planned outage, or suddenly, causing an 189 outage while the network recovers [RFC4192] [nit] rfc4192 seems like an odd place to pull a reference to "flag day" -- specially as it is being defined as "a procedure" and not the effect it causes, which seems to be how it is used in the text: "creates a flag day", "will experience a flag day", "avoid a flag day". This is not a big issue -- if it was up to me, I would either make my own definition, or just not define it at all: I think it is a well known term... 191 2.1. hop-by-hop IPv6-in-IPv6 headers 193 The term "hop-by-hop IPv6-in-IPv6" header refers to: adding a header 194 that originates from a node to an adjacent node, using the addresses 195 (usually the GUA or ULA, but could use the link-local addresses) of 196 each node. If the packet must traverse multiple hops, then it must 197 be decapsulated at each hop, and then re-encapsulated again in a 198 similar fashion. [minor] That term is not used anywhere...but "hop-by-hop IP-in-IP" is. IPv6-in-IPv6 and IP-in-IP are used interchangeably throughout the document. This use is not wrong, but it is inconsistent. Adding a note about it (even though it may be obvious to many readers that the terms refer to the same thing) would be nice...being consistent even nicer. Later on, "IPIP" is also used... [nit] Why is this definition in its own sub-section? 200 3. Updates to RFC6553, RFC6550 and RFC 8138 202 3.1. Updates to RFC 6553 ... 209 [RFC6553] states as showed below, that in the Option Type field of 210 the RPL Option header, the two high order bits MUST be set to '01' 211 and the third bit is equal to '1'. The first two bits indicate that 212 the IPv6 node MUST discard the packet if it doesn't recognize the 213 option type, and the third bit indicates that the Option Data may 214 change en route. The remaining bits serve as the option type. s/showed/shown [major] The 2 MUSTs used above are used paraphrasing rfc6553, and don't define Normative behavior in this document. Please either use a direct quote, or use non-normative language. ... 223 Recent changes in [RFC8200] (section 4, page 8), states: "it is now 224 expected that nodes along a packet's delivery path only examine and 225 process the Hop-by-Hop Options header if explicitly configured to do 226 so". Processing of the Hop-by-Hop Options header (by IPv6 227 intermediate nodes) is now optional, but if they are configured to 228 process the header, and if such nodes encounter an option with the 229 first two bits set to 01, they will drop the packet (if they conform 230 to [RFC8200]). Host systems should do the same, irrespective of the 231 configuration. [minor] The description above seems to be missing "...if the option is not recognized". 233 Based on That, if an IPv6 (intermediate) node (RPL-not-capable) 234 receives a packet with an RPL Option, it should ignore the HBH RPL 235 option (skip over this option and continue processing the header). s/That/that ... 266 When forwarding packets, implementations SHOULD use the same value as 267 it was received (This is required because, RPI type code can not be 268 changed by [RFC8200]). It allows to the network to be incrementally 269 upgraded, and for the DODAG root to know which parts of the network 270 are upgraded. [major] There seems to be a contradiction above: "SHOULD use the same value...this is required..." If required by rfc8200, why not use MUST? 272 When originating new packets, implementations SHOULD have an option 273 to determine which value to originate with, this option is controlled 274 by the DIO option described below. [minor] §3.3 defines the option...but it doesn't explicitly say what the receivers should do with it. It may be obvious, but it should be explicit for completeness. [major] It seems to me that the paragraph above may be out of place, doesn't say much, may be wrong...or maybe all 3. The text says that the originating value is controlled by the option in §3.3 (again, but that section doesn't explicitly say what should be done)...but it also says (with the SHOULD) that an implementation may have valid reasons to not pay attention to the option -- what are those?? ... 281 3.2. Updates to RFC 8138 283 RPI-6LoRH header provides a compressed form for the RPL RPI 284 [RFC8138]. It should be considered when the Option Type in RPL 285 Option is decompressed, should take the value of 0x23 instead of 286 0x63. [major] AFAICT, the compression specified in rfc8138 doesn't include the RPI option type...but the use of the 6LoRH Type 5 implies the RPI. If I got that right, then how would the decompressing node know which RPI type was in use when first compressed? Given that both types may be used in a network (§3.1), how would one know unless the 6LoRH type was also changed? Or are you suggesting that the decompression should always use 0x23? In any case, I think that stronger language might be needed. 288 3.3. Updates to RFC 6550: Indicating the new RPI in the DODAG 289 Configuration Option Flag. 291 In order to avoid a flag day caused by lack of interoperation between 292 new RPI (0x23) and old RPI (0x63) nodes, when there is a mix of new 293 nodes and old nodes, the new nodes may be put into a compatibility 294 mode until all of the old nodes are replaced or upgraded. 296 This can be done via a DODAG Configuration Option flag which will 297 propogate through the network. Failure to receive this information 298 will cause new nodes to remain in compatibility mode, and originate 299 traffic with the old-RPI (0x63) value. s/propogate/propagate [major] "compatibility mode" What is "compatibility mode"? Initially I thought that it was maybe the ability of new nodes to use both RPI values...but the end of the second paragraph suggests using only 0x63. The text suggests that "compatibility mode" can be enabled via "via a DODAG Configuration Option flag" -- that flag is not defined anywhere...but "failure to receive this information will cause new nodes to remain in compatibility mode". So...would it be enabled using a flag, or is it the default? Why wouldn't the default be the new RPI? I can see how most of the networks will support the old RPI, but that will eventually be the exception... 301 As stated in [RFC6550] the DODAG Configuration option is present in 302 DIO messages. The DODAG Configuration option distributes 303 configuration information. It is generally static, and does not 304 change within the DODAG. This information is configured at the DODAG 305 root and distributed throughout the DODAG with the DODAG 306 Configuration option. Nodes other than the DODAG root do not modify 307 this information when propagating the DODAG Configuration option. 309 The DODAG Configuration Option has a Flags field which is modified by 310 this document. Currently, the DODAG Configuration Option in 311 [RFC6550] is as follows. . 313 Flags: The 4-bits remaining unused in the Flags field are reserved 314 for flags. The field MUST be initialized to zero by the sender and 315 MUST be ignored by the receiver. 317 0 1 2 3 318 +-----------------+---------------------------------------------------+ 319 | Type = 0x04 | Opt Length = 14| Flags | A | PCS| DIOIntDoubl. | 320 +---------------------------------------------------------------------+ 321 | DIOIntMin. | DIORedund. | MaxRankIncrease | 322 +-----------------+---------------------------------------------------+ 323 | MinHopRankIncrease | OCP | 324 +-----------------+---------------------------------------------------+ 325 |Reserved | Def. Lifetime | Lifetime Unit | 326 +-----------------+-----------------+---------------------------------+ 328 Figure 3: DODAG Configuration Option. [minor] Suggestion: instead of copying (and not quoting the Normative language) the text from rfc6550 above, just indicate what the Update is: "the unused bits MUST...". Also, I think that Figure 3 is not needed. ... 342 In case of rebooting, the node does not remember the flag. Thus, the 343 DIO is sent with flag indicating the new RPI value. [minor] By "the node", which node are you referring to? The root? If it doesn't remember, it means that it needs to be configured -- how does that happen? Why isn't the configuration persistent at the root? 345 4. Sample/reference topology 347 A RPL network in general is composed of a 6LBR (6LoWPAN Border 348 Router), Backbone Router (6BBR), 6LR (6LoWPAN Router) and 6LN 349 (6LoWPAN Node) as leaf logically organized in a DODAG structure. 350 (Destination Oriented Directed Acyclic Graph). [minor] The 6BBR doesn't appear in the Figure. [nit] BTW, it might be better to put the topology diagram right after this first paragraph. [nit] The DODAG expansion should be on first use. 352 RPL defines the RPL Control messages (control plane), a new ICMPv6 353 [RFC4443] message with Type 155. DIS (DODAG Information 354 Solicitation), DIO (DODAG Information Object) and DAO (Destination 355 Advertisement Object) messages are all RPL Control messages but with 356 different Code values. A RPL Stack is showed in Figure 5. [minor] Not exactly sure what this paragraph has to do with the reference topology (yet), but (same comment as above) it might be good to put the figure right after the text. s/showed/shown ... 428 Figure 6: A reference RPL Topology. 430 Figure 2 shows the reference RPL Topology for this document. The 431 letters above the nodes are there so that they may be referenced in 432 subsequent sections. In the figure, 6LR represents a full router 433 node. The 6LN is a RPL aware router, or host. s/Figure 2/Figure 6 [minor] The 6LN is defined in the first paragraph as a node (not a router). BTW, what is the difference between a "full router" and (just) a "router" (6LR vs 6LN)? [minor] 6LN is characterized above as "RPL aware", but (below) the "Raf" mark is also used for that -- so it seems that "~Raf 6LN" would be a "not-RPL aware leaf...RPL aware router, or host". Some terminology clean up is needed. 435 But, the 6LN leaves (Raf - "RPL aware leaf"-) marked as (F, H and I) 436 are RPL nodes with no children hosts. [minor] Is there a relevance to the "children hosts" existing? Can it be concluded that ~Raf nodes have children hosts? ... 446 5. Use cases ... 507 This means that when the no-drop RPI option code 0x23 is used, a 508 packet that leaves the RPL domain of an LLN (or that leaves the LLN 509 entirely) will not be discarded when it contains the [RFC6553] RPL 510 Hop-by-Hop option known as RPI. Thus, the RPI Hop-by-Hop option MAY 511 be left in place even if the end host does not understand it. [minor] If the last RPL-aware node knows that the host doesn't understand the RPI, why would it not remove it (if it can)? IOW, I understand how it causes no harm (leading to the optional behavior above), but just because it can be done doesn't mean that it should. Are there cases where it can be used for something? If the RPI can't be removed because the border is not the destination, then the MAY above is insignificant: no one can strip it, so there's no real option. 513 NOTE: There is some possible security risk when the RPI information 514 is released to the Internet. At this point this is a theoretical 515 situation; no clear attack has been described. At worst, it is clear 516 that the RPI option would waste some network bandwidth when it 517 escapes. This is traded off against the savings in the LLN by not 518 having to encapsulate the packet in order to remove the artifact. [major] AFAICT, leaking the RPI means leaking the RPLInstanceID and the SenderRank. The Security Considerations already mentions what an attacker could do if it knows the RPLInstanceID...but it doesn't say anything about the SenderRank. I'm thinking that the SenderRank may help an attacker to have an idea of the topology of the LLN, right? I don't know what an attacker can do with that information, but the fact that could be used for that (and it could be a privacy issue) should be mentioned in the Security Considerations section. ... 526 A corollory is that an SHR3 or RPI Option can only be removed by an 527 intermediate router if it is placed in an encapsulating IPv6 Header, 528 which is addressed TO the intermediate router. When it does so, the 529 whole encapsulating header must be removed. (A replacement may be 530 added). This sometimes can result in outer IP headers being 531 addressed to the next hop router using link-local addresses. s/corollory/corollary ... 541 RPI should be present in every single RPL data packet. There is one 542 exception in non-storing mode: when a packet is going down from the 543 root. In a downward non-storing mode, the entire route is written, 544 so there can be no loops by construction, nor any confusion about 545 which forwarding table to use (as the root has already made all 546 routing decisions). However, there are still cases, such as in 547 6tisch, where the instanceID portion of the RPI header may still be 548 needed to pick an appropriate priority or channel at each hop. [major] So...does that mean: in all cases, except downward non-storing mode if 6tisch is not used, the RPI SHOULD be present? Note that some of the examples in §7 actually say that the RPI is optional... 550 In the tables present in this document, the term "RPL aware leaf" is 551 has been shortened to "Raf", and "not-RPL aware leaf" has been 552 shortened to "~Raf" to make the table fit in available space. s/is has been/has been [nit] There's some repetition; Raf, for example, was already introduced earlier in this section. ... 557 6. Storing mode 559 In storing mode (fully stateful), the sender can determine if the 560 destination is inside the LLN by looking if the destination address 561 is matched by the DIO's PIO option. [nit] Please expand PIO... 563 The following table itemizes which headers are needed in the 564 following scenarios, and indicates if the IP-in-IP header must be 565 inserted on a hop-by-hop basis, or when it can target the destination 566 node directly. There are these possible situations: hop-by-hop 567 necessary (indicated by "hop"), or destination address possible 568 (indicated by "dst"). In all cases hop by hop MAY be used. [major] Should there be something else Normative in this paragraph? Maybe a MUST to indicate the need for "hop", as in "the IP-in-IP header MUST be inserted on a hop-by-hop basis"? [minor] I'm confused by the nomenclature. The description above seems to indicate that "hop" and "dst" are mutually exclusive...but the table shows a column with a title using "dst" and specific rows containing "hop". What does that mean? 570 In cases where no IP-in-IP header is needed, the column is left 571 blank. [minor] In Figure 7, there are "blank" columns (containing "--"), but there are also entries that say "No". Are they meant to indicate the same thing? 573 In all cases the RPI headers are needed, since it identifies 574 inconsistencies (loops) in the routing topology. In all cases the 575 RH3 is not needed because we do not indicate the route in storing 576 mode. 578 In each case, 6LR_i are the intermediate routers from source to 579 destination. "1 <= i >= n", n is the number of routers (6LR) that 580 the packet go through from source (6LN) to destination. 582 The leaf can be a router 6LR or a host, both indicated as 6LN (see 583 Figure 6). 585 +---------------------+--------------+----------+--------------+ 586 | Interaction between | Use Case | IP-in-IP | IP-in-IP dst | 587 +---------------------+--------------+----------+--------------+ 588 | | Raf to root | No | -- | 589 + +--------------+----------+--------------+ 590 | Leaf - Root | root to Raf | No | -- | 591 + +--------------+----------+--------------+ 592 | | root to ~Raf | No | -- | 593 + +--------------+----------+--------------+ 594 | | ~Raf to root | Yes | root | 595 +---------------------+--------------+----------+--------------+ 596 | | Raf to Int | No | -- | 597 + +--------------+----------+--------------+ 598 | Leaf - Internet | Int to Raf | Yes | Raf | 599 + +--------------+----------+--------------+ 600 | | ~Raf to Int | Yes | root | 601 + +--------------+----------+--------------+ 602 | | Int to ~Raf | Yes | hop | 603 +---------------------+--------------+----------+--------------+ 604 | | Raf to Raf | No | -- | 605 + +--------------+----------+--------------+ 606 | | Raf to ~Raf | No | -- | 607 + Leaf - Leaf +--------------+----------+--------------+ 608 | | ~Raf to Raf | Yes | dst | 609 + +--------------+----------+--------------+ 610 | | ~Raf to ~Raf | Yes | hop | 611 +---------------------+--------------+----------+--------------+ 613 Figure 7: IP-in-IP encapsulation in Storing mode. ... 726 6.1.4. SM: Example of Flow from not-RPL-aware-leaf to root 728 In this case the flow comprises: 730 not-RPL-aware-leaf (IPv6) --> 6LR_1 --> 6LR_i --> root (6LBR) 732 For example, a communication flow could be: Node G --> Node E --> 733 Node B --> Node A root(6LBR) 735 When the packet arrives from IPv6 node (Node G) to 6LR_1 (Node E), 736 the 6LR_1 will insert a RPI header, encapsuladed in a IPv6-in-IPv6 737 header. The IPv6-in-IPv6 header can be addressed to the next hop 738 (Node B), or to the root (Node A). The root removes the header and 739 processes the packet. [minor] The table below doesn't reflect the case where the IPv6-in-IPv6 header is addressed to the next hop. 741 +------------+------+---------------+---------------+---------------+ 742 | Header | IPv6 | 6LR_1 | 6LR_i | 6LBR | 743 +------------+------+---------------+---------------+---------------+ 744 | Inserted | -- | IP-in-IP(RPI) | -- | -- | 745 | headers | | | | | 746 | Removed | -- | -- | -- | IP-in-IP(RPI) | 747 | headers | | | | | 748 | Re-added | -- | -- | -- | -- | 749 | headers | | | | | 750 | Modified | -- | -- | IP-in-IP(RPI) | -- | 751 | headers | | | | | 752 | Untouched | -- | -- | -- | -- | 753 | headers | | | | | 754 +------------+------+---------------+---------------+---------------+ 756 Storing: Summary of the use of headers from not-RPL-aware-leaf to 757 root ... 772 6.2.1. SM: Example of Flow from RPL-aware-leaf to Internet 774 RPL information from RFC 6553 MAY go out to Internet as it will be 775 ignored by nodes which have not been configured to be RPI aware. [major] The "MAY" (Normative) is out of place as the sentence above is stating a fact, not specifying a behavior. s/MAY/may ... 835 6.2.3. SM: Example of Flow from not-RPL-aware-leaf to Internet 837 In this case the flow comprises: 839 not-RPL-aware-leaf (IPv6) --> 6LR_1 --> 6LR_i -->root (6LBR) --> 840 Internet 842 For example, a communication flow could be: Node G --> Node E --> 843 Node B --> Node A root(6LBR) --> Internet 845 The 6LR_1 (i=1) node will add an IP-in-IP(RPI) header addressed 846 either to the root, or hop-by-hop such that the root can remove the 847 RPI header before passing upwards. The IP-in-IP addressed to the 848 root cause less processing overhead. On the other hand, with hop-by- 849 hop the intermediate routers can check the routing tables for a 850 better routing path, thus it could be more efficient and faster. 851 Implementation should decide wich approach to take. s/wich/which [minor] The hop-by-hop option is not reflected in the table. 853 The originating node will ideally leave the IPv6 flow label as zero 854 so that the packet can be better compressed through the LLN. The 855 6LBR will set the flow label of the packet to a non-zero value when 856 sending to the Internet. 858 +---------+-----+-------------+-------------+-------------+---------+ 859 | Header | IPv | 6LR_1 | 6LR_i | 6LBR | Interne | 860 | | 6 | | [i=2,..,n]_ | | t | 861 +---------+-----+-------------+-------------+-------------+---------+ 862 | Inserte | -- | IP-in- | -- | -- | -- | 863 | d | | IP(RPI) | | | | 864 | headers | | | | | | 865 | Removed | -- | -- | -- | IP-in- | -- | 866 | headers | | | | IP(RPI) | | 867 | Re- | -- | -- | -- | -- | -- | 868 | added | | | | | | 869 | headers | | | | | | 870 | Modifie | -- | -- | IP-in- | -- | -- | 871 | d | | | IP(RPI) | | | 872 | headers | | | | | | 873 | Untouch | -- | -- | -- | -- | -- | 874 | ed | | | | | | 875 | headers | | | | | | 876 +---------+-----+-------------+-------------+-------------+---------+ 878 Storing: Summary of the use of headers from not-RPL-aware-leaf to 879 Internet 881 6.2.4. SM: Example of Flow from Internet to non-RPL-aware-leaf 883 In this case the flow comprises: 885 Internet --> root (6LBR) --> 6LR_i --> not-RPL-aware-leaf (IPv6) 887 For example, a communication flow could be: Internet --> Node A 888 root(6LBR) --> Node B --> Node E --> Node G 890 The 6LBR will have to add an RPI header within an IP-in-IP header. 891 The IP-in-IP is addressed to the not-RPL-aware-leaf, leaving the RPI 892 inside. [minor] The table below seems to be missing the not-RPL-aware-leaf removing the IP-in-IP header. 894 Note that there is a requirement that the final node be able to 895 remove one or more IP-in-IP headers which are all addressed to it, 896 mentioned in [I-D.thubert-roll-unaware-leaves] : 898 "RPL data packets are often encapsulated using IP in IP. The 6LN 899 MUST be able to decapsulate a packet when it is the destination of 900 the outer header and process correctly the inner header." [major] I realize that we're not reviewing I-D.thubert-roll-unaware-leaves at this point, but how can a requirement be placed on a not-RPL-aware-leaf if, by definition, it is not aware of RPL?? ...and I don't think we can assume it is aware of any other requirement... If this document depends on the requirement in I-D.thubert-roll-unaware-leaves, then the reference should be Normative (it is now listed as Informative). ... 935 6.3.1. SM: Example of Flow from RPL-aware-leaf to RPL-aware-leaf ... 959 It is assume that the two nodes are in the same RPL Domain (that they 960 share the same DODAG root). At the common parent (Node B), the 961 direction of RPI is changed (from increasing to decreasing the rank). s/assume/assumed ... 1079 6.3.4. SM: Example of Flow from not-RPL-aware-leaf to not-RPL-aware- 1080 leaf ... 1102 The 6LR_1 (Node E) receives the packet from the the IPv6 node (Node 1103 G) and inserts the RPI header (RPIa), encapsulated in an IPv6-in-IPv6 1104 header. The IPv6-in-IPv6 header is addressed to the final 1105 destination. [minor] As in 6.2.4, which node removes the IP-in-IP header? For completion, it seems like the table is missing the fact that the "IPv6 dst" node ignores the RPI. 1107 +----------+-----+-------------+--------------+--------------+------+ 1108 | Header | IPv | 6LR_1 | 6LR_ia | 6LR_m | IPv6 | 1109 | | 6 | | | | dst | 1110 | | src | | | | | 1111 +----------+-----+-------------+--------------+--------------+------+ 1112 | Inserted | -- | IP-in- | -- | -- | -- | 1113 | headers | | IP(RPI) | | | | 1114 | Removed | -- | -- | -- | -- | -- | 1115 | headers | | | | | | 1116 | Re-added | -- | -- | -- | -- | -- | 1117 | headers | | | | | | 1118 | Modified | -- | -- | IP-in- | IP-in- | -- | 1119 | headers | | | IP(RPI) | IP(RPI) | | 1120 | Untouche | -- | -- | -- | -- | -- | 1121 | d | | | | | | 1122 | headers | | | | | | 1123 +----------+-----+-------------+--------------+--------------+------+ 1125 Storing: Summary of the use of headers from not-RPL-aware-leaf to 1126 non-RPL-aware-leaf 1128 7. Non Storing mode ... 1147 +-----------------+--------------+-----+-----+----------+----------+ 1148 | Interaction | Use Case | RPI | RH3 | IP-in-IP | IP-in-IP | 1149 | between | | | | | dst | 1150 +-----------------+--------------+-----+-----+----------+----------+ 1151 | | Raf to root | Yes | No | No | -- | 1152 + +--------------+-----+-----+----------+----------+ 1153 | Leaf - Root | root to Raf | Opt | Yes | No | -- | 1154 + +--------------+-----+-----+----------+----------+ 1155 | | root to ~Raf |no(1)| Yes | Yes | 6LR | 1156 + +--------------+-----+-----+----------+----------+ 1157 | | ~Raf to root | Yes | No | Yes | root | 1158 +-----------------+--------------+-----+-----+----------+----------+ 1159 | | Raf to Int | Yes | No | Yes | root | 1160 + +--------------+-----+-----+----------+----------+ 1161 | Leaf - Internet | Int to Raf |no(1)| Yes | Yes | dst | 1162 + +--------------+-----+-----+----------+----------+ 1163 | | ~Raf to Int | Yes | No | Yes | root | 1164 + +--------------+-----+-----+----------+----------+ 1165 | | Int to ~Raf |no(1)| Yes | Yes | 6LR | 1166 +-----------------+--------------+-----+-----+----------+----------+ 1167 | | Raf to Raf | Yes | Yes | Yes | root/dst | 1168 + +--------------+-----+-----+----------+----------+ 1169 | | Raf to ~Raf | Yes | Yes | Yes | root/6LR | 1170 + Leaf - Leaf +--------------+-----+-----+----------+----------+ 1171 | | ~Raf to Raf | Yes | Yes | Yes | root/6LN | 1172 + +--------------+-----+-----+----------+----------+ 1173 | | ~Raf to ~Raf | Yes | Yes | Yes | root/6LR | 1174 +-----------------+--------------+-----+-----+----------+----------+ 1176 (1)-6tisch networks may need the RPI information. [major] When? What are the conditions when it is needed? 1178 Figure 8: Headers needed in Non-Storing mode: RPI, RH3, IP-in-IP 1179 encapsulation. ... 1194 7.1.1. Non-SM: Example of Flow from RPL-aware-leaf to root 1196 In non-storing mode the leaf node uses default routing to send 1197 traffic to the root. The RPI header must be included to avoid/detect 1198 loops. [major] Should that "must" be Normative? ... 1224 7.1.2. Non-SM: Example of Flow from root to RPL-aware-leaf ... 1236 The 6LBR will insert an RH3, and may optionally insert an RPI header. [major] Under which conditions should the RPI header be inserted? Or is it the case where it is not necessary, but it causes no harm if it's there? Are there benefits? It would be nice to be precise in the specification to achieve consistent behavior. ... 1254 7.1.3. Non-SM: Example of Flow from root to not-RPL-aware-leaf ... 1267 In 6LBR the RH3 is added, it is modified at each intermediate 6LR 1268 (6LR_1 and so on) and it is fully consumed in the last 6LR (6LR_n), 1269 but left there. If RPI is left present, the IPv6 node which does not 1270 understand it will ignore it (following RFC8200), thus encapsulation 1271 is not necesary. Due the complete knowledge of the topology at the 1272 root, the 6LBR may optionally address the IP-in-IP header to the last 1273 6LR, such that it is removed prior to the IPv6 node. s/necesary/necessary [major] So...encapsulation is not needed, but an IP-in-IP header is optional. When? Are there advantages, disadvantages? Same questions about the RPI. 1275 +---------------+-------------+---------------+--------------+------+ 1276 | Header | 6LBR | 6LR_i(i=1) | 6LR_n(i=n) | IPv6 | 1277 +---------------+-------------+---------------+--------------+------+ 1278 | Inserted | (opt: RPI), | -- | -- | -- | 1279 | headers | RH3 | | | | 1280 | Removed | -- | RH3 | -- | -- | 1281 | headers | | | | | 1282 | Re-added | -- | -- | -- | -- | 1283 | headers | | | | | 1284 | Modified | -- | (opt: RPI), | (opt: RPI), | -- | 1285 | headers | | RH3 | RH3 | | 1286 | Untouched | -- | -- | -- | RPI | 1287 | headers | | | | | 1288 +---------------+-------------+---------------+--------------+------+ [minor] In this case, the destination node would also leave the RH3 header untouched, right? 1290 Non Storing: Summary of the use of headers from root to not-RPL- 1291 aware-leaf [minor] This table (and several others) have no name/number. ... 1375 7.2.2. Non-SM: Example of Flow from Internet to RPL-aware-leaf ... 1393 The RPI may be added or not as required by networks such as 6tisch. [major] When would that be? Is there a reference? 1394 The RPI is unnecessary for loop detection. [major] Yet the Table shows it...when would it be used, why, etc.? 1396 +----------+---------+--------------+---------------+---------------+ 1397 | Header | Interne | 6LBR | 6LR_i | 6LN | 1398 | | t | | | | 1399 +----------+---------+--------------+---------------+---------------+ 1400 | Inserted | -- | IP-in-IP (RH | -- | -- | 1401 | headers | | 3,opt:RPI) | | | 1402 | Removed | -- | -- | -- | IP-in-IP | 1403 | headers | | | | (RH3,opt:RPI) | 1404 | Re-added | -- | -- | -- | -- | 1405 | headers | | | | | 1406 | Modified | -- | -- | IP-in-IP | -- | 1407 | headers | | | (RH3,opt:RPI) | | 1408 | Untouche | -- | -- | -- | -- | 1409 | d | | | | | 1410 | headers | | | | | 1411 +----------+---------+--------------+---------------+---------------+ 1413 Non Storing: Summary of the use of headers from Internet to RPL- 1414 aware-leaf ... 1566 7.3.2. Non-SM: Example of Flow from RPL-aware-leaf to not-RPL-aware- 1567 leaf ... 1583 As in the previous case, the 6LN will insert an RPI (RPI_1) header 1584 which MUST be in an IP-in-IP header addressed to the root so that the 1585 6LBR can remove this RPI. The 6LBR will then insert an RH3 inside a 1586 new IP-in-IP header addressed to the 6LN destination node. The RPI 1587 is optional from 6LBR to 6LR_id (RPI_2). [minor] The text says that the "new IP-in-IP header [is] addressed to the 6LN destination node", but the Table below shows the 6LR_id removing it. 1589 +-----------+----------+----------+------------+------------+-------+ 1590 | Header | 6LN | 6LR_1 | 6LBR | 6LR_id | IPv6 | 1591 +-----------+----------+----------+------------+------------+-------+ 1592 | Inserted | IP-in-IP | -- | IP-in-IP | -- | -- | 1593 | headers | (RPI1) | | (RH3, opt | | | 1594 | | | | RPI_2) | | | 1595 | Removed | -- | -- | IP-in-IP | IP-in-IP | -- | 1596 | headers | | | (RPI_1) | (RH3, opt | | 1597 | | | | | RPI_2) | | 1598 | Re-added | -- | -- | -- | -- | -- | 1599 | headers | | | | | | 1600 | Modified | -- | IP-in-IP | -- | IP-in-IP | -- | 1601 | headers | | (RPI_1) | | (RH3, opt | | 1602 | | | | | RPI_2) | | 1603 | Untouched | -- | -- | -- | -- | opt | 1604 | headers | | | | | RPI_2 | 1605 +-----------+----------+----------+------------+------------+-------+ 1607 Non Storing: Summary of the use of headers from RPL-aware-leaf to 1608 not-RPL-aware-leaf ... 1654 7.3.4. Non-SM: Example of Flow from not-RPL-aware-leaf to not-RPL- 1655 aware-leaf ... 1674 +------------+-------+-----------+------------+-------------+-------+ 1675 | Header | IPv6 | 6LR_1 | 6LBR | 6LR_id | IPv6 | 1676 | | src | | | | dst | 1677 +------------+-------+-----------+------------+-------------+-------+ 1678 | Inserted | -- | IP-in-IP | IP-in-IP | -- | -- | 1679 | headers | | (RPI_1) | (RH3) | | | 1680 | Removed | -- | -- | IP-in-IP | IP-in-IP | -- | 1681 | headers | | | (RPI_1) | (RH3, opt | | 1682 | | | | | RPI_2) | | 1683 | Re-added | -- | -- | -- | -- | -- | 1684 | headers | | | | | | 1685 | Modified | -- | -- | -- | -- | -- | 1686 | headers | | | | | | 1687 | Untouched | -- | -- | -- | -- | -- | 1688 | headers | | | | | | 1689 +------------+-------+-----------+------------+-------------+-------+ [minor] The optional RPI_2 is not indicated in the 6LBR column. ... 1696 8.1. Storing mode ... 1705 Thanks to the change of the RPI option type from 0x63 to 0x23, there 1706 is no longer any uncertainty about when to use an IP-in-IP header in 1707 the storing mode. A Hop-by-Hop Options Header containing the RPI 1708 option SHOULD always be added when 6LRs originate packets (without 1709 IP-in-IP headers), and IP-in-IP headers should always be added 1710 (addressed to the root when on the way up, to the end-host when on 1711 the way down) when a 6LR find that it needs to insert a Hop-by-Hop 1712 Options Header containing the RPI option. [major] This paragraph starts by saying that "there is no longer any uncertainty about when to use an IP-in-IP header". However, the specification is a "SHOULD", which means that there are cases when the action may not be performed. It sounds like a contradiction to me. In any case, what are the cases that make it a "SHOULD" and not a "MUST"? [major] Should this text include a "SHOULD" as well: "and IP-in-IP headers should always be added..."? ... 1731 9. 6LoRH Compression cases 1733 The [RFC8138] proposes a compression method for RPI, RH3 and IPv6-in- 1734 IPv6. 1736 In Storing Mode, for the examples of Flow from RPL-aware-leaf to non- 1737 RPL-aware-leaf and non-RPL-aware-leaf to non-RPL-aware-leaf comprise 1738 an IP-in-IP and RPI compression headers. The type of this case is 1739 critical since IP-in-IP is encapsulating a RPI header. 1741 +--+-----+---+--------------+-----------+-------------+-------------+ 1742 |1 | 0|0 |TSE| 6LoRH Type 6 | Hop Limit | RPI - 6LoRH | LOWPAN IPHC | 1743 +--+-----+---+--------------+-----------+-------------+-------------+ 1745 Figure 9: Critical IP-in-IP (RPI). [major] Shouldn't this section also be an Update to rfc8138? [major] 6LoRH Type 6 is defined in rfc8138 as an elective type, but it is introduced as Critical here. The header must then be completely specified in this document and the appropriate registry must be updated (in the IANA Consideration section). Specifically...referring to rfc8138... - the meaning of the TSE depends on the Type (§4.2), - the Hop Limit is defined in §7, should it have the same behavior/meaning here? - does the "RPI - 6LoRH" field correspond to the RPI-6LoRH header (§6.3)? - I'm assuming that the "LOWPAN IPHC" field refers to LOWPAN_IPHC (rfc6282). ... 1774 11. Security Considerations 1776 The security considerations covering of [RFC6553] and [RFC6554] apply 1777 when the packets get into RPL Domain. s/covering of/covered in [minor] Do you mean "are in the RPL Domain" instead of "get into" it? Or are you talking about when a packet comes into the domain from a non-RPL-aware node (like a non-RPL-aware-leaf)? I ask because it seems to me that those RFCs only talk about packets that are inside the domain (and not about them getting in). 1779 The IPIP mechanism described in this document is much more limited 1780 than the general mechanism described in [RFC2473]. The willingness 1781 of each node in the LLN to decapsulate packets and forward them could 1782 be exploited by nodes to disguise the origin of an attack. 1784 Nodes outside of the LLN will need to pass IPIP traffic through the 1785 RPL root to perform this attack. To counter, the RPL root SHOULD 1786 either restrict ingress of IPIP packets (the simpler solution), or it 1787 SHOULD do a deep packet inspection wherein it walks the IP header 1788 extension chain until it can inspect the upper-layer-payload as 1789 described in [RFC7045]. In particular, the RPL root SHOULD do BCP38 1790 ([RFC2827]) processing on the source addresses of all IP headers that 1791 it examines in both directions. [major] For all 3 SHOULDs above... Why are they not a MUST? IOW, when (if countering) would the actions not be performed? Are there other mechanisms that the root could consider? 1793 Note: there are some situations where a prefix will spread across 1794 multiple LLNs via mechanisms such as described in 1795 [I-D.ietf-6lo-backbone-router]. In this case the BCP38 filtering 1796 needs to take this into account. s/such as described/such as the one described [major] The text above sounds like the root needs to get some type of routing information from the other LLN, is that true? What are the security implications of that? I took a very quick look at I-D.ietf-6lo-backbone-router and it seems to me that there are probably other considerations to be included related to that mechanism in the context of this document. Given the "in passing" nature of the note above, and the fact that I-D.ietf-6lo-backbone-router is still in process in 6lo, I suggest you take the text/reference out. 1798 Nodes with the LLN can use the IPIP mechanism to mount an attack on 1799 another part of the LLN, while disguising the origin of the attack. 1800 The mechanism can even be abused to make it appear that the attack is 1801 coming from outside the LLN, and unless countered, this could be used 1802 to mount a Distributed Denial Of Service attack upon nodes elsewhere 1803 in the Internet. See [DDOS-KREBS] for an example of such attacks 1804 already seen in the real world. s/Nodes with the LLN/Nodes within the LLN [major] Is there any possible mitigation to this inside-the-LLN attack? It seems to me that this issue is not something introduced by this document, right? Would authentication help -- is it even possible? Is there a discussion of this in the main spec? 1806 While a typical LLN may be a very poor origin for attack traffic (as 1807 the networks tend to be very slow, and the nodes often have very low 1808 duty cycles) given enough nodes, they could still have a significant 1809 impact, particularly if the attack was on another LLN! Additionally, 1810 some uses of RPL involve large backbone ISP scale equipment 1811 [I-D.ietf-anima-autonomic-control-plane], which may be equipped with 1812 multiple 100Gb/s interfaces. [nit] Suggestion: reorder the paragraphs so that the discussion of the internal threats starts in the third paragraph. It should improve readability and may avoid some repetition. 1814 Blocking or careful filtering of IPIP traffic entering the LLN as 1815 described above will make sure that any attack that is mounted must 1816 originate compromised nodes within the LLN. The use of BCP38 1817 filtering at the RPL root on egress traffic will both alert the 1818 operator to the existence of the attack, as well as drop the attack 1819 traffic. As the RPL network is typically numbered from a single 1820 prefix, which is itself assigned by RPL, BCP38 filtering involves a 1821 single prefix comparison and should be trivial to automatically 1822 configure. s/originate compromised/originate from compromised [major] Yes, BCP38 will stop an attack, but only if the source addresses are spoofed. What if they're not? Given that the attack may be hidden, and assuming that nodes are compromised across multiple LLNs, an attacker may not care enough to spoof the origins. 1824 There are some scenarios where IPIP traffic SHOULD be allowed to pass 1825 through the RPL root, such as the IPIP mediated communications 1826 between a new Pledge and the Join Registrar/Coordinator (JRC) when 1827 using [I-D.ietf-anima-bootstrapping-keyinfra] and 1828 [I-D.ietf-6tisch-dtsecurity-secure-join]. This is the case for the 1829 RPL root to do careful filtering: it occurs only when the Join 1830 Coordinator is not co-located inside the RPL root. [major] Because of the "SHOULD", both references should be Normative. The second ID is Informational. Does that really need to be a "SHOULD"?? It seems to me that "should" would be enough in this case. [minor] I'm having trouble parsing the last sentence. What are you trying to suggest? 1832 With the above precautions, an attack using IPIP tunnels will be by a 1833 node within the LLN on another node within the LLN. Such an attack 1834 could, of course, be done directly. An attack of this kind is 1835 meaningful only if the source addresses are either fake or if the 1836 point is to amplify return traffic. Such an attack, could also be 1837 done without the use of IPIP headers using forged source addresses. 1839 If the attack requires bi-directional communication, then IPIP 1840 provides no advantages. 1842 [RFC2473] suggests that tunnel entry and exit points can be secured, 1843 via the "Use IPsec". This solution has all the problems that [minor] "This solution"...which one? The rfc2473 suggestion or the one described in this document? 1844 [RFC5406] goes into. In an LLN such a solution would degenerate into 1845 every node having a tunnel with every other node. It would provide a 1846 small amount of origin address authentication at a very high cost; 1847 doing BCP38 at every node (linking layer-3 addresses to layer-2 1848 addresses, and to already present layer-2 cryptographic mechanisms) 1849 would be cheaper should RPL be run in an environment where hostile 1850 nodes are likely to be a part of the LLN. 1852 The RH3 header usage described here can be abused in equivalent ways 1853 with an IPIP header to add the needed RH3 header. As such, the 1854 attacker's RH3 header will not be seen by the network until it 1855 reaches the end host, which will decapsulate it. An end-host SHOULD 1856 be suspicious about a RH3 header which has additional hops which have 1857 not yet been processed, and SHOULD ignore such a second RH3 header. [nit] Hmmm...it seems like these threats should have been identified in rfc6554... [major] What does "SHOULD be suspicious" mean? How is that a Normative behavior? Would being suspicious include dropping the packet or some other similar action? When would the router *not* be suspicious? Why is that not a "MUST"? [major] When should a second RH3 header not be ignored? Why is "MUST" not used? 1859 In addition, the LLN will likely use [RFC8138] to compress the IPIP 1860 and RH3 headers. As such, the compressor at the RPL-root will see 1861 the second RH3 header and MAY choose to discard the packet if the RH3 1862 header has not been completely consumed. A consumed (inert) RH3 [major] It seems to me that the optional action of the root of discarding the packet is is contradiction with the "SHOULD ignore such a second RH3 header" above. Is the subtle difference that we're talking about the root here, and the end-host above? Why wouldn't the actions be the same if in both cases the second RH3 header may indicate some type of attack, or at least something anomalous?? 1863 header could be present in a packet that flows from one LLN, crosses 1864 the Internet, and enters another LLN. As per the discussion in this 1865 document, such headers do not need to be removed. However, there is 1866 no case described in this document where an RH3 is inserted in a non- 1867 storing network on traffic that is leaving the LLN, but this document 1868 SHOULD NOT preclude such a future innovation. It should just be 1869 noted that an incoming RH3 must be fully consumed, or very carefully 1870 inspected. [major] The "SHOULD NOT" seems out of place as there is nothing Normative in the statement. [major] What does "very carefully inspected" mean? Are there actions resulting from that? 1872 The RPI header, if permitted to enter the LLN, could be used by an 1873 attacker to change the priority of a packet by selecting a different 1874 RPL instanceID, perhaps one with a higher energy cost, for instance. s/RPL instanceID/RPLinstanceID ... 1911 13.1. Normative References [minor] I think that the following references can be made Informative: RFC2473, RFC5406 ... 1965 13.2. Informative References [nit] I-D.ietf-6man-rfc6434-bis is not referenced in the text.
- [Roll] AD Review of draft-ietf-roll-useofrplinfo-… Alvaro Retana
- Re: [Roll] AD Review of draft-ietf-roll-useofrpli… Ines Robles