[Roll] Benjamin Kaduk's No Objection on draft-ietf-roll-unaware-leaves-26: (with COMMENT)
Benjamin Kaduk via Datatracker <noreply@ietf.org> Thu, 17 December 2020 08:38 UTC
Return-Path: <noreply@ietf.org>
X-Original-To: roll@ietf.org
Delivered-To: roll@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A2F73A1543; Thu, 17 Dec 2020 00:38:45 -0800 (PST)
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 8bit
From: Benjamin Kaduk via Datatracker <noreply@ietf.org>
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-roll-unaware-leaves@ietf.org, roll-chairs@ietf.org, roll@ietf.org, JADHAV Rahul <rahul.ietf@gmail.com>, aretana.ietf@gmail.com, rahul.ietf@gmail.com
X-Test-IDTracker: no
X-IETF-IDTracker: 7.23.0
Auto-Submitted: auto-generated
Precedence: bulk
Reply-To: Benjamin Kaduk <kaduk@mit.edu>
Message-ID: <160819432500.25662.694953130654522537@ietfa.amsl.com>
Date: Thu, 17 Dec 2020 00:38:45 -0800
Archived-At: <https://mailarchive.ietf.org/arch/msg/roll/d874-YxsGXgODen3lWX60ACYS80>
Subject: [Roll] Benjamin Kaduk's No Objection on draft-ietf-roll-unaware-leaves-26: (with COMMENT)
X-BeenThere: roll@ietf.org
X-Mailman-Version: 2.1.29
List-Id: Routing Over Low power and Lossy networks <roll.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/roll>, <mailto:roll-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/roll/>
List-Post: <mailto:roll@ietf.org>
List-Help: <mailto:roll-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/roll>, <mailto:roll-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 17 Dec 2020 08:38:46 -0000
Benjamin Kaduk has entered the following ballot position for draft-ietf-roll-unaware-leaves-26: No Objection When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.) Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html for more information about IESG DISCUSS and COMMENT positions. The document, along with other ballot positions, can be found here: https://datatracker.ietf.org/doc/draft-ietf-roll-unaware-leaves/ ---------------------------------------------------------------------- COMMENT: ---------------------------------------------------------------------- Thanks to Carl Wallace for the secdir review, and to the authors for having addressed the review comments. There's a lot of updates in this document of various sorts, and it's a bit challenging to reason about all of them, especially with respect to feature negotiation/incremental deployment. This will be a recurring theme in my detailed comments. My current understanding so far is: - there is not currently any support for RULs, so we don't really need to worry about existing RULs that do not comply with this spec (though this spec does add a couple new requirements not present with the stock versions of 6LoWPAN ND, etc.) - If the RPL Root doesn't support this, it can't be used - the RPL Root advertises its support via the 'P' flag in the DODAG Configuration Option that is sent to all 6LRs - Many message flows require the support of a 6LR to initiate them - but there seem to be some cases where there are asynchronous messages originating from the root (or 6LBR) ... can they end up at a 6LR that does not support the new strucures? - The RPL Root can now proxy EDAR/EDAC ... but can a 6LR "miss the memo" for that and also attempt EDAR? (IIUC, "no", since such a 6LR wouldn't know about RULs in the first place.) - Some of the new mechanisms (e.g., suppression of periodic EDAR in favor of DAO and proxying by the RPL Root) are not limited to use by RULs (?) and thus could be triggered on behalf of nodes not expecting such services (?) It would be great to have some exposition on how this stuff is expected to be rolled out and how it's safe for incremental deployment, especially if (as the shepherd report indicates) we don't have any implementation experience to build confidence. There might be a small internal inconsistency in §9.2.2 in terms of what needs to be waited for before the NA(EARO) is emitted (see the detailed comments for why). I still feel that if we're going to incrementally add new properties to MOP 7, we should list the relevant documents as references in the registry until MOP 7 is fully specified. In this case we can arguably get away with not doing so since this document Updates: RFC 6550 already and thus could be said to be doing the reservation by modification of the core protocol, but we are not using that procedure universally (e.g., for turnon-rfc8138) and it seems prudent to use a consistent mechanism. Section 1 A RUL may be unable to participate because it is very energy- constrained, code-space constrained, or because it would be unsafe to let it inject routes in RPL. Using 6LoWPAN ND as opposed to RPL as the host-to-router interface limits the surface of the possible attacks by the RUL against the RPL domain, and can protect RUL for its address ownership. (nit?) I am not entirely sure what sense "and can protect" is used in. IIUC, a given leaf could either be a RAL or a RUL; an RAL participates in RPL and as such is assumed to be trusted to properly advertise routes, including protecting routes to its own address. In contrast, an RUL requires assistance of the RPL router to be able to protect its address, something that 6LoWPAN ND enables by virtue of the ROVR. So I feel like the contrast is more of a "but can still protect the RUL's address ownership" -- the "and can" construction suggests that this is an additional benefit of using 6LoWPAN ND that is not achieved when the leaf is RPL-aware. (Or am I conflating RPL and 6LoWPAN ND too much?) Section 3 details). If the packet from the RUL has an RPI, the 6LR as a RPL border router SHOULD rewrite the RPI to indicate the selected Instance and set the flags, but it does not need to encapsulate the packet. (1) why is there any normative language in a non-normative section? (2) doesn't it need to be a MUST, if it's not encapsulating? A RUL is not expected to support the compression method defined in [RFC8138]. For that reason, the border router uncompresses the packet before forwarding it over an external route to a RUL [USEofRPLinfo]. Just to confirm: the "border router" here is not the 6LBR but rather a "normal" 6LR (i.e., an "RPL boder router")? Section 4.2 "Registration Extensions for 6LoWPAN Neighbor Discovery" [RFC8505] updates the behavior of RFC 6775 to enable a generic Address Registration to services such as routing and ND proxy, and defines the Extended Address Registration Option (EARO) as shown in Figure 2: nit: the grammar seems off here; it would scan better if it was "to provide services", but I'm not 100% sure that's correct. Section 4.3 The exchange is protected by the retry mechanism (ARQ) specified in Section 8.2.6 of [RFC6775], though in an LLN, a duration longer than the default value of the RetransTimer (RETRANS_TIMER) [RFC4861] of 1 second may be necessary to cover the round trip delay between the 6LR and the 6LBR. This is the only place in the document that we use the term ARQ (other than the glossary), and RFC 6775 itself does not use the term either. So I'm not sure that it's adding much value (just risk of confusion if someone expects it to be present in RFC 6775 the way I did). Section 5.1 To obtain routing services from a router that implements this specification, a RUL needs to implement [RFC8505] and sets the "R" and "T" flags in the EARO to 1 as discussed in Section 4.2.1 and Section 4.2.3, respectively. Section 9.2.1 specifies new behaviors nit: s/4.2.3/4.2.2/ Section 6.1 The updated format is illustrated in Figure 4. It is backward compatible with the Target Option in [RFC6550]. It is recommended I agree that it is backwards compatible in the sense that it degenerates into the previous structure when the ROVR size is zero. But do we have confidence that existing implementations will do something useful if we use bits that they treat as flags, to indicate that the overall size of the option is increased in a way not previously envisioned? Section 6.2 Section 4.3 of [USEofRPLinfo] updates [RFC6550] to indicate that the definition of the Flags applies to Mode of Operation (MOP) values zero (0) to six (6) only. For a MOP value of 7, the implementation MUST consider that the Root performs the proxy operation. How is this to be noted for future implementors of MOP value 7? Are we relying on the "Updates:" relationship with 6550 to note this? Section 6.3 Status Value: 6-bit unsigned integer. If the 'A' flag is set to 1 this field transports a Status value defined for IPv6 ND EARO. When the 'A' flag is set to 0, the Status value is defined for RPL. nit(?): I suggest "the Status value is as defined for RPL" (add "as", or perhaps "one" in the same place). Reciprocally, upon a DCO or a DAO-ACK message from the RPL Root with a RPL Status that has the 'A' flag set, the 6LR MUST copy the RPL Status value unchanged in the Status field of the EARO when generating an NA to the RUL. By my reading "copy the RPL Status value unchanged" includes the values of the E and A flags (and this is predicated on 'A' being set), which doesn't seem like it would have the desired effect...I expect that only the StatusValue field is supposed to be copied (with the high bits set to zero)? Section 7 In the case of a RUL, the 6LR that serves the RUL acts as the RAN that receives the Non-Storing DCO. This specification leverages the Non-Storing DCO between the Root and the 6LR that serves as attachment router for a RUL. A 6LR and a Root that support this specification MUST implement the Non-Storing DCO. Should we mention with in the discussion of the 'P' flag in §6.2? I'm not entirely sure how the negotiation/enablement procedure works for a RAL, either. Section 8 * If the RPL Root advertises the capability to proxy the EDAR/EDAC exchange to the 6LBR, the 6LR refrains from sending the keep-alive EDAR message. If it is separated from the 6LBR, the Root regenerates the EDAR message to the 6LBR periodically, upon a DAO message that signals the liveliness of the address. I feel like we should mention the situation where the RPL Root advertises the 'P' flag but the 6LR does not support this specification. Do we end up with both the 6LR and the RPL Root sending the EDAR message, or is the RPL Root expected to notice that the 6LR is sending one and refrain from generating an additional one? (I guess we expect it to be uncommon that 6LBR and RPL Root are different, anyway?) Or is this just not supposed to happen because the mechanism only exists to support RULs and an un-updated 6LR will not attempt to support RULs? Section 9.1 6LN/RUL 6LR <6LR*> Root 6LBR | | | | |<------ND------>|<----RPL----->|<-------ND-------->| | |<----------------ND-------------->| Are these arrows still part of the "legend" (of sorts) as opposed to being indications of the initial flow(s)? To achieve this, the Path Sequence and the Path Lifetime in the DAO message are taken from the Transaction ID and the Address Registration lifetime in the NS(EARO) message from the 6LN. Reusing an identifier taken from one context in one protocol to play a role in a different context in a different protocol has historically led to security-relevant flaws/attacks. What kind of analysis has been done to consider the risk of such issues here? [RFC8929] expects that the 6LBR is collocated with the RPL Root, but if not, the 6LBR MUST forward the status code to the originator of the EDAR, either the 6LR or the RPL Root that proxies for it. The ND status code is mapped in a RPL Status value by the RPL Root, and then back by the 6LR. Continuing the theme, can we get into a scenario where the 6LR in this flow does not implement this specification but receives a DCO carrying an EARO status code? Figure 9 illustrates this in the case where the 6LBR and the Root are not collocated, and the Root proxies the EDAR messages. (The figure shows an EDAC message being proxied, not an EDAR message, though for the general case using EDAR as the description seems to make sense.) Section 9.2.1 This specification does not alter the operation of a 6LoWPAN ND- compliant 6LN/RUL, which is expected to operate as follows: [...] 5. Following section 5.1 of [RFC8505], a 6LN acting as a RUL sets the R Flag in the EARO of its registration(s) for which it requires routing services. If the R Flag is not echoed in the NA, the RUL SHOULD attempt to use another 6LR. The RUL SHOULD ensure that one registration succeeds before setting the R Flag to 0. [...] AFAICT the SHOULDs here represent a divergence from the previously specified 6LN/RUL 6LoWPAN ND behavior (not least because this document seems to be the first definition of using the R flag in the NA as opposed to NS), in contravention to the initial statement. Section 9.2.2 As described in [RFC8505], if the "I" field is zero, then the Opaque field is expected to carry the RPLInstanceID suggested by the 6LN; otherwise, there is no suggested Instance. If the 6LR participates in the suggested RPL Instance, then the 6LR MUST use that RPL Instance for the Registered Address. This MUST-level requirement seems to preclude any kind of policy filter on the 6LR to apply authorization checks to attempts to use a given RPL Instance. Is that intended? NA(EARO) to the RUL. Upon receiving an asynchronous DCO message, if a DAO-ACK is pending then the 6LR MUST wait for the DAO-ACK to send the NA(EARO) and deliver the status found in the DCO, else it MUST send an asynchronous NA(EARO) to the RUL immediately. I think I missed the explanation for why it has to wait for the DAO-ACK before sending the NA(EARO), if the DCO is going to take precedence. In particular, it seems to be in conflict with the description of the general flow in §9.1, which says that "[u]pon the DAO-ACK - or the DCO if one arrives first - the 6LR responds to the RUL with an NA(EARO)." The 6LR MUST set the R Flag to 1 in the NA(EARO) back if and only if the 'E' flag is set to 0, indicating that the 6LR injected the Registered Address in the RPL routing successfully and that the EDAR proxy operation succeeded. Please use a bit more detail on where the 'E' flag is (I assume it's the one taken from a bit that was formerly part of the 'Status' field in the RPL message, but in the next paragraph we clearly say it's the flag "in the RPL Status" to avoid any doubt). An error injecting the route causes the 'E' flag to be set to 1. If the error is not related to ND, the 'A' flag is set to 0. In that case, the registration succeeds, but the RPL route is not installed. So the NA(EARO) is returned with a status indicating success but the R Flag set to 0, which means that the 6LN obtained a binding but no route. Continuing the theme, can we get into a situation where the RUL does not check the R flag and assumes that there is a route installed? If the 'A' flag is set to 0 in the RPL Status of the DAO-ACK, then the 6LoWPAN ND operation succeeded, and an EARO Status of 0 (Success) MUST be returned to the 6LN. The EARO Status of 0 MUST also be used if the 6LR did not attempt to inject the route but could create the binding after a successful EDAR/EDAC exchange or refresh it. If the 'E' flag is set to 1 in the RPL Status of the DAO-ACK, then the route was not installed and the R flag MUST be set to 0 in the NA(EARO). The R flag MUST be set to 0 if the 6LR did not attempt to inject the route. These two paragraphs seem to have some amount of redundancy with the preceding few paragraphs, though I'm not entirely sure how much. In a network where Address Protected Neighbor Discovery (AP-ND) is enabled, in case of a DAO-ACK or a DCO indicating transporting an nit: It seems that we should just pick one of "indicating transporting". EARO Status value of 5 (Validation Requested), the 6LR MUST challenge the 6LN for ownership of the address, as described in section 6.1 of [RFC8928], before the Registration is complete. This flow, illustrated in Figure 10, ensures that the address is validated before it is injected in the RPL routing. To me Figure 10 is showing the flow where the 6LR itself initiates the "Validation Requested" state; I don't see a triggering DAO-ACK or DCO. The 6LR may at any time send a unicast asynchronous NA(EARO) with the R Flag set to 0 to signal that it stops providing routing services, Staying on theme, what will a RUL that doesn't know about this spec do with such an asynchronous NA(EARO)? Section 9.2.3 A RPL Root MUST set the 'P' flag to 1 in the RPL DODAG Configuration Option of the DIO messages that it generates (see Section 6) to signal that it proxies the EDAR/EDAC exchange and supports the Updated RPL Target option. [just noting that this is another place, in addition to §6.2, where we enumerate what the 'P' flag signals, which may be incomplete, per my previous comment.] Section 10 The 6LR acts as a generic MLD querier and generates a DAO with the Multicast Address as the Target Prefix as described in section 12 of [RFC6550]. As for the Unicast host routes, the Path Lifetime associated to the Target is mapped from the Query Interval, and set to be larger to account for variable propagation delays to the Root. (Is this just the "round up, if needed" setting, or is there more to consider when accounting for variable propagation delays?) The Root proxies the MLD exchange as a listener with the 6LBR acting as the querier, so as to get packets from a source external to the RPL domain. (Only if the source is external to the RPL domain, right?) Section 11 It is worth noting that with [RFC6550], every node in the LLN is RPL- aware and can inject any RPL-based attack in the network. This specification isolates edge nodes that can only interact with the RPL routers using 6LoWPAN ND, meaning that they cannot perform RPL insider attacks. (editorial) I suggest some phrasing akin to "this specification improves the situation by isolating edge nodes so they can only interact [...]". In a general manner, the Security Considerations in [RFC7416] [RFC6775], and [RFC8505] apply to this specification as well. But not those of RFC 6550? More importantly, the 6LR is the node that injects the traffic in the RPL domain, so it has the final word on which RPLInstance is to be used for the traffic coming from the RUL, per its own policy. [I do believe I commented previously about just this topic :) ]
- [Roll] Benjamin Kaduk's No Objection on draft-iet… Benjamin Kaduk via Datatracker
- Re: [Roll] Benjamin Kaduk's No Objection on draft… Pascal Thubert (pthubert)
- Re: [Roll] Benjamin Kaduk's No Objection on draft… Michael Richardson
- Re: [Roll] Benjamin Kaduk's No Objection on draft… Alvaro Retana
- Re: [Roll] Benjamin Kaduk's No Objection on draft… Benjamin Kaduk
- Re: [Roll] Benjamin Kaduk's No Objection on draft… Michael Richardson
- Re: [Roll] Benjamin Kaduk's No Objection on draft… Alvaro Retana
- Re: [Roll] Benjamin Kaduk's No Objection on draft… Pascal Thubert (pthubert)
- Re: [Roll] Benjamin Kaduk's No Objection on draft… Alvaro Retana
- Re: [Roll] Benjamin Kaduk's No Objection on draft… Benjamin Kaduk
- Re: [Roll] Benjamin Kaduk's No Objection on draft… Pascal Thubert (pthubert)