Re: [Roll] Roman Danyliw's No Objection on draft-ietf-roll-turnon-rfc8138-14: (with COMMENT)

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Thu, 10 September 2020 12:30 UTC

From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>
CC: "draft-ietf-roll-turnon-rfc8138@ietf.org" <draft-ietf-roll-turnon-rfc8138@ietf.org>, "roll-chairs@ietf.org" <roll-chairs@ietf.org>, "roll@ietf.org" <roll@ietf.org>, Ines Robles <mariainesrobles@googlemail.com>, "aretana.ietf@gmail.com" <aretana.ietf@gmail.com>
Date: Thu, 10 Sep 2020 12:30:48 +0000
Message-ID: <MN2PR11MB3565A6E073151141E9FC3620D8270@MN2PR11MB3565.namprd11.prod.outlook.com>
References: <159966310991.32249.4584030650116177263@ietfa.amsl.com> <MN2PR11MB356548E58C054951B6519D7BD8260@MN2PR11MB3565.namprd11.prod.outlook.com> <63f9e20b35ec4cd7afdcd0cd08eccfcc@cert.org>
In-Reply-To: <63f9e20b35ec4cd7afdcd0cd08eccfcc@cert.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/roll/gaxEFwep69aPjZa0fpXjAccRMgw>
Subject: Re: [Roll] Roman Danyliw's No Objection on draft-ietf-roll-turnon-rfc8138-14: (with COMMENT)
List-Id: Routing Over Low power and Lossy networks <roll.ietf.org>

Hello Roman 😊

> > The "T" flag is in a message (the DIO) that is propagated in a fashion
> > that is akin to multicast though it's not. The RPL node receives DIO
> > messages from neighbors that are willing to be parents. If this node
> > decides to also be a parent, it will regenerate a DIO that contains
> > some fields unchanged, including the DODAG configuration option.
> >
> > In that process, the bad guy may change some fields it shouldn't,
> > including the "T" flag, but it's just one of many fields in that same
> > situation. His children and their descendant will repeat that wrong
> > setting. Note that this is not a tree but a DODAG. So you get DIOs from not
> > one (candidate) parent but multiple ones.
> > A descendant may discover an inconsistency between its parents (if
> > some descend from the attacker and others do not) and could raise an
> > alert, but the case can be normal, e.g., during a transition. RPL does
> > not really specify that, it is left to implementations, e.g.,
> > constrained nodes will not spend code looking for anomalies.
> >
> > Bottom line, there is no path to be on. There's a wave coming, the
> > attacker relays that wave, and modifies it. If it is in the middle of
> > the network this has an effect - on its descendants. If the attacker
> > is at the leaf edge, the attack has no effect since this node has no descendant.
> >
> > What do you think?
> 
> Understood.  I now appreciate the vagueness of the original words.  I'm trying
> to find an alternative to using "middle of the network" since this doesn't
> convey for me the hierarchy you are describing.  See below:
> 
> > > OLD
> > > An attacker in the middle of the network may reset the "T" flag to
> > > cause extra energy spending in its subDAG.
> 
> NEW
> An attacker may reset the "T" flag to force additional energy consumption of
> child or descendant nodes in its subDAG.
> 
> Regards,

I love it, Roman!

I'll be holding the publication till Alvaro and Benjamin reach an agreement on whether this updates RFC 6550 or not.

Till then I committed the diffs as https://github.com/roll-wg/roll-turnon-rfc8138/commit/80fa3425e8c0c60a8482ddb2583f75f405fe490a

Please let me know if we are good now.

Take care,

Pascal
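The propagation argument in the quoted exchange (a DIO "wave" relayed hop by hop, an attacker in the middle of the DODAG re-emitting the DODAG Configuration option with the "T" flag reset, and only its subDAG inheriting the wrong setting) can be made concrete with a small model. The following is an added toy simulation written for this page; it is not code from the draft, from any RPL implementation, or from the thread's participants. The topology, node names, the hop-count objective function and the "lowest rank, then name" parent tie-break are all constructed assumptions; real RPL rank computation and parent selection are richer than this. The model also includes the optional inconsistency check the thread mentions (a node whose candidate parents disagree on "T"), which RPL leaves to implementations.

```python
"""Toy model of DIO propagation in a RPL DODAG with a node that resets the
"T" flag in the DODAG Configuration option it relays.

Constructed example, not an RPL implementation. Rank is plain hop count from
the root, and the preferred parent is the lowest-rank candidate with the
name as tie-break; both are simplifying assumptions.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Dio:
    """The parts of a DIO that matter for this model: who sent it, its rank,
    and the "T" flag carried in the DODAG Configuration option."""
    sender: str
    rank: int
    t_flag: bool


# Constructed topology (undirected links). "R" is the root. "C" has two
# candidate parents ("A" and "B"); "E" is a leaf hanging off "B".
#        R
#       / \
#      A   B
#       \ / \
#        C   E
#        |
#        D
TOPOLOGY = {
    "R": {"A", "B"},
    "A": {"R", "C"},
    "B": {"R", "C", "E"},
    "C": {"A", "B", "D"},
    "D": {"C"},
    "E": {"B"},
}


def propagate(links, root, attacker=None):
    """Flood DIOs from the root and return (t_flag_by_node, inconsistent).

    t_flag_by_node: the "T" value each node ended up using.
    inconsistent:   nodes whose candidate parents advertised differing "T".
    The attacker relays the DODAG Configuration with "T" cleared.
    """
    # Phase 1: rank = hop distance from the root (BFS order guarantees that
    # every node is processed after all nodes one hop closer to the root).
    rank = {root: 0}
    order = [root]
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for nbr in sorted(links[cur]):
            if nbr not in rank:
                rank[nbr] = rank[cur] + 1
                order.append(nbr)
                queue.append(nbr)

    # Phase 2: each node collects DIOs from its candidate parents (neighbours
    # with a lower rank), adopts the configuration of its preferred parent
    # and regenerates its own DIO for the next hop.
    t_flag = {root: True}
    advertised = {root: True}   # "T" each node puts in the DIO it sends
    inconsistent = set()
    for node in order[1:]:
        cands = sorted(n for n in links[node] if rank[n] < rank[node])
        dios = [Dio(p, rank[p], advertised[p]) for p in cands]
        preferred = min(dios, key=lambda d: (d.rank, d.sender))
        t_flag[node] = preferred.t_flag
        if len({d.t_flag for d in dios}) > 1:
            # Parents disagree: could be an attack, could be a transition.
            inconsistent.add(node)
        # The attacker resets "T" in the option it relays to its children.
        advertised[node] = False if node == attacker else t_flag[node]
    return t_flag, inconsistent


def affected(t_flag_by_node):
    """Nodes that ended up with "T" reset, i.e. the attacker's subDAG."""
    return sorted(n for n, t in t_flag_by_node.items() if not t)


if __name__ == "__main__":
    for who in (None, "A", "E"):
        flags, inc = propagate(TOPOLOGY, "R", attacker=who)
        print(f"attacker={who!r:5} affected={affected(flags)} "
              f"inconsistent={sorted(inc)}")
```

With the attacker at "A" (a node with descendants), "C" and "D" inherit the reset flag, and "C" is the one node that could notice, because its other candidate parent "B" still advertises the flag set. With the attacker at the leaf "E", nothing changes for anyone, which is the "no descendant, no effect" case from the thread.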