IETF Logo Mail Archive

Re: [Roll] security solutions for ROLL

Michael Richardson <mcr+ietf@sandelman.ca> Fri, 24 February 2012 21:14 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: roll@ietfa.amsl.com
Delivered-To: roll@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 175ED21F86FF for <roll@ietfa.amsl.com>; Fri, 24 Feb 2012 13:14:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.21
X-Spam-Level:
X-Spam-Status: No, score=-1.21 tagged_above=-999 required=5 tests=[AWL=0.744, BAYES_00=-2.599, HOST_MISMATCH_NET=0.311, IP_NOT_FRIENDLY=0.334]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8hpX45A2qUeH for <roll@ietfa.amsl.com>; Fri, 24 Feb 2012 13:14:05 -0800 (PST)
Received: from relay.sandelman.ca (relay.cooperix.net [67.23.6.41]) by ietfa.amsl.com (Postfix) with ESMTP id 62CA621F87DB for <roll@ietf.org>; Fri, 24 Feb 2012 13:14:03 -0800 (PST)
Received: from marajade.sandelman.ca (unknown [132.213.238.4]) by relay.sandelman.ca (Postfix) with ESMTPS id 23055344B9; Fri, 24 Feb 2012 16:11:36 -0500 (EST)
Received: by marajade.sandelman.ca (Postfix, from userid 179) id D615A9827A; Fri, 24 Feb 2012 16:13:58 -0500 (EST)
Received: from marajade.sandelman.ca (localhost [127.0.0.1]) by marajade.sandelman.ca (Postfix) with ESMTP id D2CC598182; Fri, 24 Feb 2012 16:13:58 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: roll@ietf.org
In-Reply-To: <85A23E0910B2FB4B8EF60D0888CB083648C30D@EVS2.nam.ci.root>
References: <30931.1330033889@marajade.sandelman.ca> <85A23E0910B2FB4B8EF60D0888CB083648C30D@EVS2.nam.ci.root>
X-Mailer: MH-E 8.3; nmh 1.3-dev; XEmacs 21.4 (patch 22)
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha1"; protocol="application/pgp-signature"
Date: Fri, 24 Feb 2012 16:13:58 -0500
Message-ID: <25671.1330118038@marajade.sandelman.ca>
Sender: mcr@sandelman.ca
Cc: "Tsao, Tzeta" <Tzeta.Tsao@cooperindustries.com>
Subject: Re: [Roll] security solutions for ROLL
X-BeenThere: roll@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Routing Over Low power and Lossy networks <roll.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/roll>, <mailto:roll-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/roll>
List-Post: <mailto:roll@ietf.org>
List-Help: <mailto:roll-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/roll>, <mailto:roll-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Feb 2012 21:14:06 -0000

>>>>> "Tzeta" == Tzeta Tsao <Tsao> writes:
    Tzeta> My understanding of the DISCUSS on the security framework
    Tzeta> draft is that it seeks to address the perceived lack of key
    Tzeta> management for RPL.  However, the second item in your post
    Tzeta> seems to go beyond that; is it a set of questions to justify
    Tzeta> the use or non-use of RPL security, for example? Please
    Tzeta> clarify.

I agree that point #2 is almost a non-sequitar.
My appologies for this, I should have seperated it out.

It came out of a discussion thread which I think was not well archived.
(In fact, due to top-posting, I could barely understand it)

What I did was share three things with the ADs involved to confirm my
understanding prior to posting.

I think it is up to the writers of the applicability statement to decide
if they want to recommend layer-2 or layer-3 security for an LLN
deployment in their environment that includes RPL.  
If they recommend layer-2, then it is, "not our problem".

If they recommend layer-3 or do not make a clear recommendation, then
there needs to be a clear set of questions.  These are questions
relating to the knobs which are presently available in rpl-19, not to
things that we might invent to do key management.  

We are making the same request in these documents for things like
MinHopRankInc, Storing Mode, etc.

draft-ietf-roll-security-framework has essentially setup a list of
requirements, which rpl-19 has tried to satisfy with some knobs.

For instance, should an industrial network operate with Authentication
Enabled?  Yes/No.
Should they use KIM 0, 1 or 2?  If so, what LVL?

draft-ietf-roll-security-framework should be identifying why we have
those 3 x 4 choices.  (i.e. what were the security requirements that
made us decide we needed MAC-32/ENC-MAC-32 and 64-bit versions)


    >> -----Original Message----- From: roll-bounces@ietf.org
    >> [mailto:roll-bounces@ietf.org] On Behalf
    Tzeta> Of
    >> Michael Richardson Sent: Thursday, February 23, 2012 4:51 PM To:
    >> roll@ietf.org Subject: [Roll] security solutions for ROLL
    >> 
    >> 
    >> 1) there is an Security AD DISCUSS from Stephen Farrell/Tim Polk.
    >> http://datatracker.ietf.org/doc/draft-ietf-roll-security-
    >> framework/ballot/#stephen-farrell It has been there for 9 months,
    >> and we need to act on it, because this DISCUSS is keeping
    >> draft-ietf-roll-of0-20 from advancing, and that will keep
    >> draft-ietf-roll-rpl-19 from being published.
    >> 
    >> So to be clear, this chain of dependancies/references means that
    >> while rpl-19 has been done for some time, it won't get published
    >> until we do something.
    >> 
    >> Stephen Farrell will lift his DISCUSS on this and let us proceed
    >> if he sees some credible plan to get useable security into the
    >> layer-3 of RPL.
    >> 
    >> For a lot of you, you have assumed security at layer-2 is enough,
    >> and you may never care about this mechanism, but I still need
    >> your participation here.
    >> 
    >> 2) We will need to provide, in the
    >> draft-ietf-roll-security-framework, a clear set of security
    >> related *questions* that each applicability statement will need
    >> to answer.  In esssence, this is a template that needs to be
    >> filled out.
    >> 
    >> 3) A proposal for moving forward is to adopt/adapt MIKEY
    >> (RFC3830) for our uses.  This has been proposed in:
    >> draft-alexander-roll-mikey-lln-key-mgmt
    >> 
    >> This draft needs to be resubmitted for the WG to consider it.  (A
    >> rumour is that it can be found at:
    >> http://tools.ietf.org/id/draft-alexander-roll-mikey-lln-key-mgmt-
    >> 02.txt )
    >> 
    >> The WG is open to other proposals, but they need to come in
    >> quickly.  We do not need to complete the work, but we do need to
    >> know what
    Tzeta> work
    >> we need to do, and we need to update our milestones to include
    >> that work in order that we can progress.
    >> 
    >> --
    >> ] He who is tired of Weird Al is tired of life!  | firewalls [ ]
    >> Michael Richardson, Sandelman Software Works, Ottawa, ON |net
    >> architect[ ] mcr@sandelman.ottawa.on.ca
    >> http://www.sandelman.ottawa.on.ca/
    Tzeta> |device
    >> driver[ Kyoto Plus: watch the video
    >> <http://www.youtube.com/watch?v=kzx1ycLXQSE> then sign the
    >> petition.

v2.23.0 | Report a Bug | By Email