Re: [Roll] Stephen Farrell's No Objection on draft-ietf-roll-applicability-home-building-12: (with COMMENT)

peter van der Stok <> Tue, 28 July 2015 07:49 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 2B2341A7025; Tue, 28 Jul 2015 00:49:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id KWWr6TGOpuTE; Tue, 28 Jul 2015 00:48:58 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id CBB081A702B; Tue, 28 Jul 2015 00:48:56 -0700 (PDT)
Received: from ([]) by with ESMTP id xjou1q00G4h15BW01joucB; Tue, 28 Jul 2015 09:48:54 +0200
Received: from [2001:983:a264:1:3948:5a3f:df60:1149] by with HTTP (HTTP/1.1 POST); Tue, 28 Jul 2015 09:48:54 +0200
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII; format=flowed
Content-Transfer-Encoding: 7bit
Date: Tue, 28 Jul 2015 09:48:54 +0200
From: peter van der Stok <>
To: Routing Over Low power and Lossy networks <>
Organization: vanderstok consultancy
In-Reply-To: <>
References: <>
Message-ID: <>
X-Sender: (ILay9q94+zd42i+vbosjna52Tfc222k+)
User-Agent: XS4ALL Webmail
Archived-At: <>
Cc:,, The IESG <>,,,
Subject: Re: [Roll] Stephen Farrell's No Objection on draft-ietf-roll-applicability-home-building-12: (with COMMENT)
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To:, Routing Over Low power and Lossy networks <>
List-Id: Routing Over Low power and Lossy networks <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 28 Jul 2015 07:49:01 -0000

Hi Stephen,

thanks for your reaction.
Below a recap of the past discussions, copied from earlier e_mail 
Actual text changes in the draft after the comment answers below are not 
reproduced here, but can be checked in version 12.


Stephen Farrell schreef op 2015-07-25 16:08:
> Stephen Farrell has entered the following ballot position for
> draft-ietf-roll-applicability-home-building-12: No Objection
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> Please refer to 
> for more information about IESG DISCUSS and COMMENT positions.
> The document, along with other ballot positions, can be found here:
> ----------------------------------------------------------------------
> ----------------------------------------------------------------------
> Thanks for the discussion about security. I didn't check
> if the comments below were handled in -12, happy to
> chat about that if you want.
> First two comments are about text that's new in -11:
> - 4.1.8: "MUST be present" is ambiguous - do you mean
> it must be used? I think you do.
<pvds> done</pvds>
> - 4.1.8: "MUST be distributed or established in a
> secure fashion" isn't really a protocol requirement.
> Do you really just mean "see" ?
The symmetric key distributions has a scope ( and MUST follow a 
mechanism (
> OLD COMMENTS FOR -10 below, I didn't check if you'd made
> any related changes.
> - I don't get how there's an IPR disclosure for this, but
> whatever.
This refers to 5.1.1 and in particular the rt-layer that is proposed to 
reduce delays and losses under overload.
> - The non-security parts of this were quite a good read.
> - 4.1.8: 1st sentence makes no sense. It says RPL does X or
> not-X in order to Y. There is no choice but for RPL to do X or
> not-X.

The aim is to say:

"In order to support low-cost devices and devices running on a battery, 
RPL MAY use either unsecured messages or secured messages"

The omitted subtext is probably "..., not just secured messages" as that 
is what is being emphasised here, i.e. a greater choice and thus implied 
security policy choice.

Would the following make more sense?:

"In order to support low-cost devices and devices running on a battery, 
there are two security policies applicable to RPL; one where RPL uses 
unsecured messages and another where RPL uses secured messages"
> - 4.1.8 seems to me to imply that link layer security is
> always needed since there can always be some node that will
> send an unsecured RPL messsage. If you agree, then I think
> that should be made more clear. If you disagree, I'd like to
> understand how.

<RCC>If the security policy option where RPL uses unsecured messages 
applies, then link layer security will always be needed. It is a policy 
choice applicable to the deployed network</RCC>
> - 4.1.8, I am surprised not to see a recommendation that
> separate group keys SHOULD be used for different applications
> in the same bulding network. But that may be too fine grained
> a recommendation for this document perhaps.

<RCC>That is a separate issue from securing RPL messages, which is what 
this section is about</RCC>
> -, I think it'd be clearer to say Imin should be
> between 10 and 50 ms. The "10 - 50 ms" notation can be
> confusing. (Same elsewhere.)
<RCC>Agree suggestion is clearer</RCC>
> - section 7, 3rd para, "can rely on" is sales language, please
> strike that or s/rely on/depend upon/
Rephrase as:

"The following mechanisms MAY be used: (i) pre-installation using an 
out-of-band method, (ii) secure delivery when a device is introduced 
into the network or (iii) secure delivery by a trusted neighbouring 

> - section 7, 3rd para, last sentence: this is sales language
> and should be deleted. Or perhaps s/is/SHOULD be/ would turn
> it back into a piece of specification language.

<RCC>Agree with suggested change</RCC>
> - 7.1 - this is odd text to see in a proposed standard, but I
> think it's accurately describing the level of interop to
> expect in RPL security, so is probably the right thing to say.
> I'd argue that it'd be even better to bluntly admit/say that
> there is currently no interoperable automated key management
> for RPL. (Same for 7.3) Or, and better, to fix that lack. (See
> my discuss point.)

<RCC>There are many ways to achieve key distribution and in some 
respects it would be nice to see one single way to do it. However, this 
is unlikely to ever happen. The main reason is that a deployment 
standard is a complex animal of which RPL is typically one small part. 
The key management is also just a part and in itself typically is a 
conglomeration of various RFCs and applicability statements, 
irrespective of what routing protocol is chosen for said deployment. 
ZigBee IP is a good example of a full interoperable deployment and there 
is an extensive list of 43 RFCs and IDs directly referenced, not to 
mention the further indirect references from those. We chose which 
protocols to use for key management and set security policy </RCC>
<pvds> and see text in 4.1.8 following DISCUSS </pvds>
> - 7.2, 1st sentence: this is meaningless as I read it - what
> are you trying to say?
Has been rephrased with two cases: (1) addition of nodes during 
operation (2) node is compromised
> - 7.2, when a node is stolen, the chances are that any keys
> contained in the node are at significant risk of being leaked.
<pvds> see above </pvds>
> - 7.3, I do not believe that [I-D.keoh-dice-multicast-security]
> is necessarily going to proceed via the DICE WG. Depending
> on it would be fairly high-risk in any case.
<pvds> 7.3 severely reduced to 1 phrase </pvds>
> - 7.4, last sentence: more sales talk
<pvds>removed </pvds>
> - 7.5, what is this specifying? I don't get it. Does 7416 set
> out what to implement to get interop? (I didn't think so, but
> nor does this seem to.)
<pvds> adapted to summary section, explaining relation to RFC7416 
> _______________________________________________
> Roll mailing list