IETF Logo Mail Archive

Re: [RTG-DIR] Rtgdir last call review of draft-ietf-roll-turnon-rfc8138-10

Alvaro Retana <aretana.ietf@gmail.com> Thu, 27 August 2020 19:45 UTC

Return-Path: <aretana.ietf@gmail.com>
X-Original-To: rtg-dir@ietfa.amsl.com
Delivered-To: rtg-dir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BADB93A1255 for <rtg-dir@ietfa.amsl.com>; Thu, 27 Aug 2020 12:45:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AxtQMln8CzFm for <rtg-dir@ietfa.amsl.com>; Thu, 27 Aug 2020 12:45:03 -0700 (PDT)
Received: from mail-ej1-x62b.google.com (mail-ej1-x62b.google.com [IPv6:2a00:1450:4864:20::62b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 890213A1254 for <rtg-dir@ietf.org>; Thu, 27 Aug 2020 12:45:03 -0700 (PDT)
Received: by mail-ej1-x62b.google.com with SMTP id a21so9293263ejp.0 for <rtg-dir@ietf.org>; Thu, 27 Aug 2020 12:45:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc; bh=aSDcqx38o3RVlVswwR0+fwEvoKIiOQukRxw+jpYwVXo=; b=oVox7oqJI8TCxERmDsEsKn1kh/cCBrtyLfMG5ttrssZv119JOCJWevbrxECVdXH9UM 1SKdw+ZrIFp2D0OZv/QtWEUKbAyT42mq1uh+FaJwZs1Yko8mB7cQo5ideQ2TEz3zcVo+ bJvZ29C3ODpz+SFiwArGOCEqcEn8CLxIsbPuwRTy7FBmGoUWa04L8OphsY24MsdGBfnY GLA/NuJhm5W534W1ulwXSzXrEnAQfLxjVahJ/IKqVO/eeEtWUhsLQVS3rGCDGe4Yoe/V A3nVxiWpGqyVNSL+5uQSPY+ZxnWIO1ygayXqUxYX8PX55AMBj6AmfCwTF1ixGfBBjXqL 0/fA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc; bh=aSDcqx38o3RVlVswwR0+fwEvoKIiOQukRxw+jpYwVXo=; b=UYurPicP+fzMddrdOBRuWwKU7OrC+6Uf0T7mSrBmeMXdhjXGvC23awwpr7DA1VUqqt OOoekCnOVh3128RLHtUHLmeLftzbbxEeItNK2Cs7LmjqAiSGqGhsPBzCHtBUjOplIHyQ aKjLchbQDpASbr/j2BfZ8akIrJQkbU1KUV0gdTgop8S6zmQwEWUKs17n+oFId9/i4V2q 60alBF+x+82uYbwZiJgxariKQNoSP++9cIwEKCaFndS2F8Irarl+zQTIYbZpxai+H0NW h3zP9BLQaqaebftIyk5l+hkZ/bJEnvcpxC7ISBMYkXtFa/PmunqVI7nXmuOHnXdPk6Au RMtg==
X-Gm-Message-State: AOAM532jBaefg8nEdT+pm1e8KSTs2xDOzqxL4IZUOEtyLs+9k+W3i7qd 4OMtBglAMi/rY+XgaxD/P6ZlzQN5e9w61gIlrTU=
X-Google-Smtp-Source: ABdhPJzGVsIYHwS0G7tqT4vfs0hzzkvcjdLilB1NU2KwzIPxjwvfDxEBme98rrAX9ZusaJlbTxkGcCqgFNocjRsBZps=
X-Received: by 2002:a17:906:7d90:: with SMTP id v16mr22439014ejo.27.1598557501996; Thu, 27 Aug 2020 12:45:01 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Thu, 27 Aug 2020 12:45:01 -0700
From: Alvaro Retana <aretana.ietf@gmail.com>
In-Reply-To: <MN2PR11MB356549055B6757B9841EF32BD8550@MN2PR11MB3565.namprd11.prod.outlook.com>
References: <159743131948.29404.7285894923089059952@ietfa.amsl.com> <MN2PR11MB3565D36B4FB2E9D40EFCD400D85C0@MN2PR11MB3565.namprd11.prod.outlook.com> <MN2PR11MB35650CDF364323901C9227F8D8550@MN2PR11MB3565.namprd11.prod.outlook.com> <CAMMESswxHfZ2RTL69pfAZYSXQgu3gE2ZwvKOE+QFxWQa40jJ+g@mail.gmail.com> <MN2PR11MB3565C0C52E917B6D2C5593F9D8550@MN2PR11MB3565.namprd11.prod.outlook.com> <CAMMESszGdKX6=yzdd2rZ55ZZ_YLoXgMsXeBWVTNWJd1KZupaEw@mail.gmail.com> <MN2PR11MB356549055B6757B9841EF32BD8550@MN2PR11MB3565.namprd11.prod.outlook.com>
MIME-Version: 1.0
Date: Thu, 27 Aug 2020 12:45:01 -0700
Message-ID: <CAMMESsyZ2_THfcWS73nbBKyCAktmmejQZAHwauGTj4vu-x8P8Q@mail.gmail.com>
To: "Pascal Thubert (pthubert)" <pthubert@cisco.com>, Stewart Bryant <stewart.bryant@gmail.com>
Cc: "rtg-dir@ietf.org" <rtg-dir@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000f438f05ade12c7f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-dir/RRNaWzSV2xU011TlbKSq4FaD_eU>
Subject: Re: [RTG-DIR] Rtgdir last call review of draft-ietf-roll-turnon-rfc8138-10
X-BeenThere: rtg-dir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Routing Area Directorate <rtg-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-dir/>
List-Post: <mailto:rtg-dir@ietf.org>
List-Help: <mailto:rtg-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2020 19:45:06 -0000

Pascal:


The link-layer security is a mechanism that applies to all the RPL
messages.  It doesn’t just apply to messages associated with this
document.  Making it required (or even just normatively recommending it) in
this document feels like overreaching because we’re just defining a flag,
not changing how the RPL adjacency works.

I rather go with something akin to the Security Considerations in, for
example, draft-ietf-roll-efficient-npdao (also approved by Ben)…which is
where I borrowed the "This document assumes that the security mechanisms as
defined in [RFC6550] are followed…” phrase from.


BTW, we should at least point the reader to the Security Considerations in
rfc6550 and rfc8138.


Thanks!

Alvaro.



On August 27, 2020 at 1:45:09 PM, Pascal Thubert (pthubert) (
pthubert@cisco.com) wrote:

Hello again Alvaro



We had a pass on similar text (with Benjamin K.) for the IESG review of
https://tools.ietf.org/html/draft-ietf-6lo-fragment-recovery-21 (now in RFC
ED queue) and ended up with



   As indicated in [FRAG-FWD
<https://tools.ietf.org/html/draft-ietf-6lo-fragment-recovery-21#ref-FRAG-FWD>],
Secure joining and the Link-Layer

   security are REQUIRED to protect against those attacks, as the

   fragmentation protocol does not include any native security

   mechanisms.



Indeed this requirement is common to anything 6LoWPAN or RPL. And MUSTing
it in the form above seemed to reach consensus.

In the case of RPL alone it’s either as above or one of RPL’s secured
modes, preinstalled of authenticated. RPL’s security section discusses the
last to but does not really say what to do with Unsecured. We could fill
that gap.



What about combining all this as:

“

It is worth noting that with [RFC6550], every node in the LLN that is
RPL-aware can inject any RPL-based attack in the network.

This document assumes that the RPL exchange are protected against on-link
attacks such as forged and replayed packets.

Section 10 of [RPL] proposes 3 security modes, Unsecured, Preinstalled and
Authenticated.

In the Unsecured Mode, secure joining and the Link-Layer security are
REQUIRED to protect against those attacks.

“



Keep safe,



Pascal

*From:* Alvaro Retana <aretana.ietf@gmail.com>
*Sent:* jeudi 27 août 2020 19:18
*To:* Pascal Thubert (pthubert) <pthubert@cisco.com>; Stewart Bryant <
stewart.bryant@gmail.com>
*Cc:* rtg-dir@ietf.org
*Subject:* RE: [RTG-DIR] Rtgdir last call review of
draft-ietf-roll-turnon-rfc8138-10



Sure…



I just to want to recommend anything that is not already specified
somewhere else for RPL.  :-)



On August 27, 2020 at 1:05:39 PM, Pascal Thubert (pthubert) (
pthubert@cisco.com) wrote:

Hello Alvaro 😊

I see your point.

> It is worth noting that with [RFC6550], every node in the LLN that is
> RPL-aware can inject any RPL-based attack in the network. This document
> assumes that the security mechanisms as defined in [RFC6550] are
followed.

This should be clarified a little bit. RPL has a security mechanism that to
my best knowledge no one uses (
https://tools.ietf.org/html/rfc6550#section-10).
What everyone uses is a Layer 2 access security. The text above seems to
recommend to use RPL's secured mode. Is there a way to reword that a bit?

Take care,

Pascal

v2.23.0 | Report a Bug | By Email