[Roll] Benjamin Kaduk's No Objection on draft-ietf-roll-unaware-leaves-26: (with COMMENT)

[Benjamin Kaduk via Datatracker <noreply@ietf.org>]

Benjamin Kaduk has entered the following ballot position for
draft-ietf-roll-unaware-leaves-26: No Objection

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
for more information about IESG DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-roll-unaware-leaves/



----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thanks to Carl Wallace for the secdir review, and to the authors for
having addressed the review comments.

There's a lot of updates in this document of various sorts, and it's a
bit challenging to reason about all of them, especially with respect to
feature negotiation/incremental deployment.  This will be a recurring
theme in my detailed comments.  My current understanding so far is:

- there is not currently any support for RULs, so we don't really need
  to worry about existing RULs that do not comply with this spec (though
  this spec does add a couple new requirements not present with the
  stock versions of 6LoWPAN ND, etc.)
- If the RPL Root doesn't support this, it can't be used
- the RPL Root advertises its support via the 'P' flag in the DODAG
  Configuration Option that is sent to all 6LRs
- Many message flows require the support of a 6LR to initiate them
- but there seem to be some cases where there are asynchronous messages
  originating from the root (or 6LBR) ... can they end up at a 6LR that
  does not support the new strucures?
- The RPL Root can now proxy EDAR/EDAC ... but can a 6LR "miss the memo"
  for that and also attempt EDAR?  (IIUC, "no", since such a 6LR
  wouldn't know about RULs in the first place.)
- Some of the new mechanisms (e.g., suppression of periodic EDAR in
  favor of DAO and proxying by the RPL Root) are not limited to use by
  RULs (?) and thus could be triggered on behalf of nodes not expecting
  such services (?)

It would be great to have some exposition on how this stuff is expected
to be rolled out and how it's safe for incremental deployment,
especially if (as the shepherd report indicates) we don't have any
implementation experience to build confidence.


There might be a small internal inconsistency in §9.2.2 in terms of what
needs to be waited for before the NA(EARO) is emitted (see the detailed
comments for why).


I still feel that if we're going to incrementally add new properties to
MOP 7, we should list the relevant documents as references in the
registry until MOP 7 is fully specified.  In this case we can arguably
get away with not doing so since this document Updates: RFC 6550 already
and thus could be said to be doing the reservation by modification of
the core protocol, but we are not using that procedure universally
(e.g., for turnon-rfc8138) and it seems prudent to use a consistent
mechanism.

Section 1

   A RUL may be unable to participate because it is very energy-
   constrained, code-space constrained, or because it would be unsafe to
   let it inject routes in RPL.  Using 6LoWPAN ND as opposed to RPL as
   the host-to-router interface limits the surface of the possible
   attacks by the RUL against the RPL domain, and can protect RUL for
   its address ownership.

(nit?) I am not entirely sure what sense "and can protect" is used in.
IIUC, a given leaf could either be a RAL or a RUL; an RAL participates
in RPL and as such is assumed to be trusted to properly advertise
routes, including protecting routes to its own address.  In contrast, an
RUL requires assistance of the RPL router to be able to protect its
address, something that 6LoWPAN ND enables by virtue of the ROVR.  So I
feel like the contrast is more of a "but can still protect the RUL's
address ownership" -- the "and can" construction suggests that this is
an additional benefit of using 6LoWPAN ND that is not achieved when the
leaf is RPL-aware.  (Or am I conflating RPL and 6LoWPAN ND too much?)

Section 3

   details).  If the packet from the RUL has an RPI, the 6LR as a RPL
   border router SHOULD rewrite the RPI to indicate the selected
   Instance and set the flags, but it does not need to encapsulate the
   packet.

(1) why is there any normative language in a non-normative section?
(2) doesn't it need to be a MUST, if it's not encapsulating?

   A RUL is not expected to support the compression method defined in
   [RFC8138].  For that reason, the border router uncompresses the
   packet before forwarding it over an external route to a RUL
   [USEofRPLinfo].

Just to confirm: the "border router" here is not the 6LBR but rather a
"normal" 6LR (i.e., an "RPL boder router")?

Section 4.2

   "Registration Extensions for 6LoWPAN Neighbor Discovery" [RFC8505]
   updates the behavior of RFC 6775 to enable a generic Address
   Registration to services such as routing and ND proxy, and defines
   the Extended Address Registration Option (EARO) as shown in Figure 2:

nit: the grammar seems off here; it would scan better if it was "to
provide services", but I'm not 100% sure that's correct.

Section 4.3

   The exchange is protected by the retry mechanism (ARQ) specified in
   Section 8.2.6 of [RFC6775], though in an LLN, a duration longer than
   the default value of the RetransTimer (RETRANS_TIMER) [RFC4861] of 1
   second may be necessary to cover the round trip delay between the 6LR
   and the 6LBR.

This is the only place in the document that we use the term ARQ (other
than the glossary), and RFC 6775 itself does not use the term either.
So I'm not sure that it's adding much value (just risk of confusion if
someone expects it to be present in RFC 6775 the way I did).

Section 5.1

   To obtain routing services from a router that implements this
   specification, a RUL needs to implement [RFC8505] and sets the "R"
   and "T" flags in the EARO to 1 as discussed in Section 4.2.1 and
   Section 4.2.3, respectively.  Section 9.2.1 specifies new behaviors

nit: s/4.2.3/4.2.2/

Section 6.1

   The updated format is illustrated in Figure 4.  It is backward
   compatible with the Target Option in [RFC6550].  It is recommended

I agree that it is backwards compatible in the sense that it degenerates
into the previous structure when the ROVR size is zero.  But do we have
confidence that existing implementations will do something useful if we
use bits that they treat as flags, to indicate that the overall size of
the option is increased in a way not previously envisioned?

Section 6.2

   Section 4.3 of [USEofRPLinfo] updates [RFC6550] to indicate that the
   definition of the Flags applies to Mode of Operation (MOP) values
   zero (0) to six (6) only.  For a MOP value of 7, the implementation
   MUST consider that the Root performs the proxy operation.

How is this to be noted for future implementors of MOP value 7?  Are we
relying on the "Updates:" relationship with 6550 to note this?

Section 6.3

   Status Value:  6-bit unsigned integer.  If the 'A' flag is set to 1
      this field transports a Status value defined for IPv6 ND EARO.
      When the 'A' flag is set to 0, the Status value is defined for
      RPL.

nit(?): I suggest "the Status value is as defined for RPL" (add "as", or
perhaps "one" in the same place).

   Reciprocally, upon a DCO or a DAO-ACK message from the RPL Root with
   a RPL Status that has the 'A' flag set, the 6LR MUST copy the RPL
   Status value unchanged in the Status field of the EARO when
   generating an NA to the RUL.

By my reading "copy the RPL Status value unchanged" includes the values
of the E and A flags (and this is predicated on 'A' being set), which
doesn't seem like it would have the desired effect...I expect that only
the StatusValue field is supposed to be copied (with the high bits set
to zero)?

Section 7

   In the case of a RUL, the 6LR that serves the RUL acts as the RAN
   that receives the Non-Storing DCO.  This specification leverages the
   Non-Storing DCO between the Root and the 6LR that serves as
   attachment router for a RUL.  A 6LR and a Root that support this
   specification MUST implement the Non-Storing DCO.

Should we mention with in the discussion of the 'P' flag in §6.2?
I'm not entirely sure how the negotiation/enablement procedure works for
a RAL, either.

Section 8

   *  If the RPL Root advertises the capability to proxy the EDAR/EDAC
      exchange to the 6LBR, the 6LR refrains from sending the keep-alive
      EDAR message.  If it is separated from the 6LBR, the Root
      regenerates the EDAR message to the 6LBR periodically, upon a DAO
      message that signals the liveliness of the address.

I feel like we should mention the situation where the RPL Root
advertises the 'P' flag but the 6LR does not support this specification.
Do we end up with both the 6LR and the RPL Root sending the EDAR
message, or is the RPL Root expected to notice that the 6LR is sending
one and refrain from generating an additional one?  (I guess we expect
it to be uncommon that 6LBR and RPL Root are different, anyway?)  Or is
this just not supposed to happen because the mechanism only exists to
support RULs and an un-updated 6LR will not attempt to support RULs?

Section 9.1

          6LN/RUL            6LR   <6LR*>   Root               6LBR
             |                |              |                   |
             |<------ND------>|<----RPL----->|<-------ND-------->|
             |                |<----------------ND-------------->|

Are these arrows still part of the "legend" (of sorts) as opposed to
being indications of the initial flow(s)?

   To achieve this, the Path Sequence and the Path Lifetime in the DAO
   message are taken from the Transaction ID and the Address
   Registration lifetime in the NS(EARO) message from the 6LN.

Reusing an identifier taken from one context in one protocol to play a
role in a different context in a different protocol has historically led
to security-relevant flaws/attacks.  What kind of analysis has been done
to consider the risk of such issues here?

   [RFC8929] expects that the 6LBR is collocated with the RPL Root, but
   if not, the 6LBR MUST forward the status code to the originator of
   the EDAR, either the 6LR or the RPL Root that proxies for it.  The ND
   status code is mapped in a RPL Status value by the RPL Root, and then
   back by the 6LR.

Continuing the theme, can we get into a scenario where the 6LR in this
flow does not implement this specification but receives a DCO carrying
an EARO status code?

   Figure 9 illustrates this in the case where the 6LBR and the Root are
   not collocated, and the Root proxies the EDAR messages.

(The figure shows an EDAC message being proxied, not an EDAR message,
though for the general case using EDAR as the description seems to make
sense.)

Section 9.2.1

   This specification does not alter the operation of a 6LoWPAN ND-
   compliant 6LN/RUL, which is expected to operate as follows:
   [...]
   5.  Following section 5.1 of [RFC8505], a 6LN acting as a RUL sets
       the R Flag in the EARO of its registration(s) for which it
       requires routing services.  If the R Flag is not echoed in the
       NA, the RUL SHOULD attempt to use another 6LR.  The RUL SHOULD
       ensure that one registration succeeds before setting the R Flag
       to 0.  [...]

AFAICT the SHOULDs here represent a divergence from the previously
specified 6LN/RUL 6LoWPAN ND behavior (not least because this document
seems to be the first definition of using the R flag in the NA as
opposed to NS), in contravention to the initial statement.

Section 9.2.2

   As described in [RFC8505], if the "I" field is zero, then the Opaque
   field is expected to carry the RPLInstanceID suggested by the 6LN;
   otherwise, there is no suggested Instance.  If the 6LR participates
   in the suggested RPL Instance, then the 6LR MUST use that RPL
   Instance for the Registered Address.

This MUST-level requirement seems to preclude any kind of policy filter
on the 6LR to apply authorization checks to attempts to use a given RPL
Instance.  Is that intended?

   NA(EARO) to the RUL.  Upon receiving an asynchronous DCO message, if
   a DAO-ACK is pending then the 6LR MUST wait for the DAO-ACK to send
   the NA(EARO) and deliver the status found in the DCO, else it MUST
   send an asynchronous NA(EARO) to the RUL immediately.

I think I missed the explanation for why it has to wait for the DAO-ACK
before sending the NA(EARO), if the DCO is going to take precedence.
In particular, it seems to be in conflict with the description of the
general flow in §9.1, which says that "[u]pon the DAO-ACK - or the DCO
if one arrives first - the 6LR responds to the RUL with an NA(EARO)."

   The 6LR MUST set the R Flag to 1 in the NA(EARO) back if and only if
   the 'E' flag is set to 0, indicating that the 6LR injected the
   Registered Address in the RPL routing successfully and that the EDAR
   proxy operation succeeded.

Please use a bit more detail on where the 'E' flag is (I assume it's the
one taken from a bit that was formerly part of the 'Status' field in the
RPL message, but in the next paragraph we clearly say it's the flag "in
the RPL Status" to avoid any doubt).

   An error injecting the route causes the 'E' flag to be set to 1.  If
   the error is not related to ND, the 'A' flag is set to 0.  In that
   case, the registration succeeds, but the RPL route is not installed.
   So the NA(EARO) is returned with a status indicating success but the
   R Flag set to 0, which means that the 6LN obtained a binding but no
   route.

Continuing the theme, can we get into a situation where the RUL does not
check the R flag and assumes that there is a route installed?

   If the 'A' flag is set to 0 in the RPL Status of the DAO-ACK, then
   the 6LoWPAN ND operation succeeded, and an EARO Status of 0 (Success)
   MUST be returned to the 6LN.  The EARO Status of 0 MUST also be used
   if the 6LR did not attempt to inject the route but could create the
   binding after a successful EDAR/EDAC exchange or refresh it.

   If the 'E' flag is set to 1 in the RPL Status of the DAO-ACK, then
   the route was not installed and the R flag MUST be set to 0 in the
   NA(EARO).  The R flag MUST be set to 0 if the 6LR did not attempt to
   inject the route.

These two paragraphs seem to have some amount of redundancy with the
preceding few paragraphs, though I'm not entirely sure how much.

   In a network where Address Protected Neighbor Discovery (AP-ND) is
   enabled, in case of a DAO-ACK or a DCO indicating transporting an

nit: It seems that we should just pick one of "indicating transporting".

   EARO Status value of 5 (Validation Requested), the 6LR MUST challenge
   the 6LN for ownership of the address, as described in section 6.1 of
   [RFC8928], before the Registration is complete.  This flow,
   illustrated in Figure 10, ensures that the address is validated
   before it is injected in the RPL routing.

To me Figure 10 is showing the flow where the 6LR itself initiates the
"Validation Requested" state; I don't see a triggering DAO-ACK or DCO.

   The 6LR may at any time send a unicast asynchronous NA(EARO) with the
   R Flag set to 0 to signal that it stops providing routing services,

Staying on theme, what will a RUL that doesn't know about this spec do
with such an asynchronous NA(EARO)?

Section 9.2.3

   A RPL Root MUST set the 'P' flag to 1 in the RPL DODAG Configuration
   Option of the DIO messages that it generates (see Section 6) to
   signal that it proxies the EDAR/EDAC exchange and supports the
   Updated RPL Target option.

[just noting that this is another place, in addition to §6.2, where we
enumerate what the 'P' flag signals, which may be incomplete, per my
previous comment.]

Section 10

   The 6LR acts as a generic MLD querier and generates a DAO with the
   Multicast Address as the Target Prefix as described in section 12 of
   [RFC6550].  As for the Unicast host routes, the Path Lifetime
   associated to the Target is mapped from the Query Interval, and set
   to be larger to account for variable propagation delays to the Root.

(Is this just the "round up, if needed" setting, or is there more to
consider when accounting for variable propagation delays?)

   The Root proxies the MLD exchange as a listener with the 6LBR acting
   as the querier, so as to get packets from a source external to the
   RPL domain.

(Only if the source is external to the RPL domain, right?)

Section 11

   It is worth noting that with [RFC6550], every node in the LLN is RPL-
   aware and can inject any RPL-based attack in the network.  This
   specification isolates edge nodes that can only interact with the RPL
   routers using 6LoWPAN ND, meaning that they cannot perform RPL
   insider attacks.

(editorial) I suggest some phrasing akin to "this specification improves
the situation by isolating edge nodes so they can only interact [...]".

   In a general manner, the Security Considerations in [RFC7416]
   [RFC6775], and [RFC8505] apply to this specification as well.

But not those of RFC 6550?

   More importantly, the 6LR is the node that injects the traffic in the
   RPL domain, so it has the final word on which RPLInstance is to be
   used for the traffic coming from the RUL, per its own policy.

[I do believe I commented previously about just this topic :) ]