Re: [Roll] Ralph Droms' Discuss on draft-ietf-roll-of0-15: (withDISCUSS and COMMENT)
"Pascal Thubert (pthubert)" <pthubert@cisco.com> Tue, 09 August 2011 16:47 UTC
Return-Path: <pthubert@cisco.com>
X-Original-To: roll@ietfa.amsl.com
Delivered-To: roll@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74D8821F8B07; Tue, 9 Aug 2011 09:47:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -10.462
X-Spam-Level:
X-Spam-Status: No, score=-10.462 tagged_above=-999 required=5 tests=[AWL=0.137, BAYES_00=-2.599, RCVD_IN_DNSWL_HI=-8]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EazbQqqPz45F; Tue, 9 Aug 2011 09:47:47 -0700 (PDT)
Received: from ams-iport-1.cisco.com (ams-iport-1.cisco.com [144.254.224.140]) by ietfa.amsl.com (Postfix) with ESMTP id 3E92C21F85CA; Tue, 9 Aug 2011 09:47:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=pthubert@cisco.com; l=3414; q=dns/txt; s=iport; t=1312908497; x=1314118097; h=mime-version:content-transfer-encoding:subject:date: message-id:in-reply-to:references:from:to:cc; bh=4YSDHldBsk2k+smzFW+nJmdkf3HfjIjaPGuryq8l6aQ=; b=fjsQuFuq7yF4GdZDxfXR/4Ma/6Q543/CyPhIjZr0B3XhxPfYbLldcFtk SzXi0NxCLCoKqjND1lag4MD4bYptU2PH52bHfjVQxnRlCdMnhJB0lna3e 0KiHaw/7gpVMLpJnJtSL2klwC+vRQ7eBAhvc6ZcKDM895PeVOm0gLwKwa 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AuAAACxkQU6Q/khL/2dsb2JhbABCl2CPXneBQAEBAQEDAQEBDwEdCjQLDAQCAQgOAwQBAQEKBhcBBgEgBh8JCAEBBAESCBEJh0+gEQGRPY0uhWdfBJgXhF2Gfg
X-IronPort-AV: E=Sophos;i="4.67,344,1309737600"; d="scan'208";a="108480872"
Received: from ams-core-2.cisco.com ([144.254.72.75]) by ams-iport-1.cisco.com with ESMTP; 09 Aug 2011 16:48:15 +0000
Received: from xbh-ams-201.cisco.com (xbh-ams-201.cisco.com [144.254.75.7]) by ams-core-2.cisco.com (8.14.3/8.14.3) with ESMTP id p79GmFrh010210; Tue, 9 Aug 2011 16:48:15 GMT
Received: from xmb-ams-107.cisco.com ([144.254.74.82]) by xbh-ams-201.cisco.com with Microsoft SMTPSVC(6.0.3790.4675); Tue, 9 Aug 2011 18:48:15 +0200
X-MimeOLE: Produced By Microsoft Exchange V6.5
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Date: Tue, 09 Aug 2011 18:48:12 +0200
Message-ID: <6A2A459175DABE4BB11DE2026AA50A5D053A3C87@XMB-AMS-107.cisco.com>
In-Reply-To: <73AD8D4B-A9F9-49EC-A8C3-07BAA3924943@gmail.com>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: [Roll] Ralph Droms' Discuss on draft-ietf-roll-of0-15: (withDISCUSS and COMMENT)
Thread-Index: AcxWsLF8tY6XtYNDT6yiceUPhA5eAwAAgh3w
References: <20110808232350.30897.61741.idtracker@ietfa.amsl.com><2982.1312901544@marajade.sandelman.ca> <73AD8D4B-A9F9-49EC-A8C3-07BAA3924943@gmail.com>
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Ralph Droms <rdroms.ietf@gmail.com>, draft-ietf-roll-of0@tools.ietf.org
X-OriginalArrivalTime: 09 Aug 2011 16:48:15.0579 (UTC) FILETIME=[22428AB0:01CC56B4]
Cc: roll@ietf.org, The IESG <iesg@ietf.org>, roll-chairs@tools.ietf.org
Subject: Re: [Roll] Ralph Droms' Discuss on draft-ietf-roll-of0-15: (withDISCUSS and COMMENT)
X-BeenThere: roll@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Routing Over Low power and Lossy networks <roll.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/roll>, <mailto:roll-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/roll>
List-Post: <mailto:roll@ietf.org>
List-Help: <mailto:roll-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/roll>, <mailto:roll-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 09 Aug 2011 16:47:48 -0000
Hi Ralph;
I agree with you that this text would benefit from being more specific.
RPL requires a number of validations to happen. A deployment might
require additional policies, and use for instance L2 crypto to enforce
them. So validating a router involves security concerns, like link
access, and/or RPL security as Michael indicates. Additionally, RPL
section 13 requires a continuous link quality validation. So this refers
but is not limited to RPL sections 3.2.3 and 13.
Suggestion:
2. An implementation SHOULD validate a router prior to selecting it
as preferred. This validation process is implementation and
link type dependent, and is out of scope. A router that
succeeded that validation process is preferable.
=>
2. An implementation SHOULD validate a router prior to selecting it
as preferred. This validation process is implementation and
link type dependent, and is out of scope. The validation
involves
but is not limited to application of [RPL] sections 3.2.3 and 13
as
appropriate, and may involve deployment specific policies
as well. A router that succeeded that validation process is
preferable.
What do you think?
Pascal
> -----Original Message-----
> From: roll-bounces@ietf.org [mailto:roll-bounces@ietf.org] On Behalf
Of
> Ralph Droms
> Sent: Tuesday, August 09, 2011 6:23 PM
> To: draft-ietf-roll-of0@tools.ietf.org
> Cc: roll@ietf.org; The IESG; roll-chairs@tools.ietf.org
> Subject: Re: [Roll] Ralph Droms' Discuss on draft-ietf-roll-of0-15:
> (withDISCUSS and COMMENT)
>
>
> On Aug 9, 2011, at 10:52 AM 8/9/11, Michael Richardson wrote:
>
> >
> >>>>>> "Ralph" == Ralph Droms <rdroms.ietf@gmail.com> writes:
> > Ralph> 5. In section 4.2.1, what does it mean to "validate a
> > Ralph> router"? Why would a router that passes validation
> > Ralph> ("succeeded that validation process") only be
"preferable"?
> >
> > I think, it refers to rpl-19 section 3.2.3, to the "authenticated"
mode.
> > This mode is completely unworkable with asymmetric crypto. I guess
I
> > need to write an ID that explains this better.
>
> Pascal - can you confirm that section 4.2.1 refers to rpl-19 section
3.2.3?
>
> - Ralph
>
> > The reason why an authenticated router is only preferred is because
the
> > node might need to get online in order to actually validate things.
Any
> > node which will pass enough traffic so that a new node can validate
some
> > certificate chain is good enough.
> >
> > While a new node can do all manner of DOS attacks to prevent the
> > prospective node from validating some security properties, none of
them
> > (if you trust your crypto) are worse than having the prospective
node
> > find itself without any network.
> >
> > --
> > ] He who is tired of Weird Al is tired of life! |
firewalls [
> > ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net
> architect[
> > ] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/
> |device driver[
> > Kyoto Plus: watch the video
> <http://www.youtube.com/watch?v=kzx1ycLXQSE>
> > then sign the petition.
>
> _______________________________________________
> Roll mailing list
> Roll@ietf.org
> https://www.ietf.org/mailman/listinfo/roll
- [Roll] Ralph Droms' Discuss on draft-ietf-roll-of… Ralph Droms
- Re: [Roll] Ralph Droms' Discuss on draft-ietf-rol… Pascal Thubert (pthubert)
- Re: [Roll] Ralph Droms' Discuss on draft-ietf-rol… Michael Richardson
- Re: [Roll] Ralph Droms' Discuss on draft-ietf-rol… Ralph Droms
- Re: [Roll] Ralph Droms' Discuss on draft-ietf-rol… Ralph Droms
- Re: [Roll] Ralph Droms' Discuss on draft-ietf-rol… Pascal Thubert (pthubert)
- Re: [Roll] Ralph Droms' Discuss on draft-ietf-rol… Pascal Thubert (pthubert)
- Re: [Roll] Ralph Droms' Discuss on draft-ietf-rol… Michael Richardson
- Re: [Roll] Ralph Droms' Discuss on draft-ietf-rol… Tsao, Tzeta