Re: [Roll] security for multi-link subnets

Ulrich Herberg <> Tue, 12 March 2013 18:31 UTC

Date: Tue, 12 Mar 2013 14:31:44 -0400
From: Ulrich Herberg <>
To: Michael Richardson <>
Cc:, Ted Lemon <>,, Ralph Droms <>
Subject: Re: [Roll] security for multi-link subnets

I think it is also worth mentioning RFC4903, in particular:

"A multi-link subnet model should be avoided.  IETF working groups
   using, or considering using, multi-link subnets today should
   investigate moving to one of the other models."

Have the issues mentioned in RFC4903 been sufficiently addressed?

Best regards

On Tue, Mar 12, 2013 at 2:20 PM, Michael Richardson
<> wrote:
> It was pointed out in a private discussion that the inclusion of
> security parameters in the ROLL applicability statements might be
> surprising to some.  For those who want a quick look:
> Specifically, people wouldn't normally think to look at
> applicability statements for a routing protocol to see that it is
> specifying not just security parameters for the routing protocol
> itself, but in some cases, requirements on access to the LLN as well.
> I agreed that perhaps this needed additional socialization, which I'm
> trying to do with this email.
> Some of my logic of what we are doing is that by (securely) assembling
> a bunch of links into a multi-link subnet, that in effect the ROLL
> applicability statements are in effect a kind of IP-over-FOO document.
> To parallel it to other IP-over-FOO documents better, they often specify
> things like how to encapsulate, and how to do address resolution on the
> subnet.
> RPL LLNs do not use stock-ND/ARP (which normally would be specified in an
> IP-over-FOO document), but rather use the RPL messages to discover other
> nodes on the subnet.     I have asked that the applicability statements
> be clear about if they use RFC6775 (6lowpan-ND), and if so, how.
> It was suggested really, we never did that before: specify security of
> the network in IP-over-FOO documents.  Well, that's true, because we
> never did an IP-over-802.11, because it was ethernet.
> When WIFI's various incarnations happened (remember borrowing 2Mb/s *FH*
> wireless PCMCIA cards back at IETF46?), they tried hard to make it look
> like ethernet, with ethernet-like physical security (WEP == "Wired Equivalent
> Privacy").  It's too bad that we didn't get more involved at the time,
> in the end, we did EAP and keyprov in great part to get that part done
> right.  I still think that the 802.11 security is largely a disaster.
> It is possible that the problem is the word "applicability", and perhaps
> we should have a different term.  I would welcome discussion here, or
> even just +1 that this is the right approach.
> --
> Michael Richardson <>, Sandelman Software Works
> IETF ROLL WG co-chair.