Re: [RTG-DIR] Rtgdir last call review of draft-ietf-roll-turnon-rfc8138-10

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Thu, 27 August 2020 17:45 UTC

From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Alvaro Retana <aretana.ietf@gmail.com>, Stewart Bryant <stewart.bryant@gmail.com>
CC: "rtg-dir@ietf.org" <rtg-dir@ietf.org>
Date: Thu, 27 Aug 2020 17:45:03 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-dir/2BcIIXnPrCZWjlwUSeZAJ7bRKdU>
List-Id: Routing Area Directorate <rtg-dir.ietf.org>

Hello again Alvaro

We had a pass on similar text (with Benjamin K.) for the IESG review of https://tools.ietf.org/html/draft-ietf-6lo-fragment-recovery-21 (now in RFC ED queue) and ended up with

   As indicated in [FRAG-FWD], Secure joining and the Link-Layer
   security are REQUIRED to protect against those attacks, as the
   fragmentation protocol does not include any native security
   mechanisms.

Indeed this requirement is common to anything 6LoWPAN or RPL. And MUSTing it in the form above seemed to reach consensus.
In the case of RPL alone it's either as above or one of RPL's secured modes, preinstalled or authenticated. RPL's security section discusses the last two but does not really say what to do with Unsecured. We could fill that gap.

What about combining all this as:
“
It is worth noting that with [RFC6550], every node in the LLN that is RPL-aware can inject any RPL-based attack in the network.
This document assumes that the RPL exchanges are protected against on-link attacks such as forged and replayed packets.
Section 10 of [RPL] proposes 3 security modes, Unsecured, Preinstalled and Authenticated.
In the Unsecured Mode, secure joining and the Link-Layer security are REQUIRED to protect against those attacks.
“

Keep safe,

Pascal
From: Alvaro Retana <aretana.ietf@gmail.com>
Sent: jeudi 27 août 2020 19:18
To: Pascal Thubert (pthubert) <pthubert@cisco.com>; Stewart Bryant <stewart.bryant@gmail.com>
Cc: rtg-dir@ietf.org
Subject: RE: [RTG-DIR] Rtgdir last call review of draft-ietf-roll-turnon-rfc8138-10

Sure…

I just to want to recommend anything that is not already specified somewhere else for RPL.  :-)


On August 27, 2020 at 1:05:39 PM, Pascal Thubert (pthubert) (pthubert@cisco.com) wrote:
Hello Alvaro 😊

I see your point.

> It is worth noting that with [RFC6550], every node in the LLN that is
> RPL-aware can inject any RPL-based attack in the network. This document
> assumes that the security mechanisms as defined in [RFC6550] are followed.

This should be clarified a little bit. RPL has a security mechanism that to my best knowledge no one uses (https://tools.ietf.org/html/rfc6550#section-10).
What everyone uses is a Layer 2 access security. The text above seems to recommend to use RPL's secured mode. Is there a way to reword that a bit?

Take care,

Pascal