Re: [RTG-DIR] Rtgdir last call review of draft-ietf-roll-turnon-rfc8138-10
Alvaro Retana <aretana.ietf@gmail.com> Thu, 27 August 2020 19:45 UTC
Return-Path: <aretana.ietf@gmail.com>
X-Original-To: rtg-dir@ietfa.amsl.com
Delivered-To: rtg-dir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BADB93A1255 for <rtg-dir@ietfa.amsl.com>; Thu, 27 Aug 2020 12:45:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AxtQMln8CzFm for <rtg-dir@ietfa.amsl.com>; Thu, 27 Aug 2020 12:45:03 -0700 (PDT)
Received: from mail-ej1-x62b.google.com (mail-ej1-x62b.google.com [IPv6:2a00:1450:4864:20::62b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 890213A1254 for <rtg-dir@ietf.org>; Thu, 27 Aug 2020 12:45:03 -0700 (PDT)
Received: by mail-ej1-x62b.google.com with SMTP id a21so9293263ejp.0 for <rtg-dir@ietf.org>; Thu, 27 Aug 2020 12:45:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:in-reply-to:references:mime-version:date:message-id:subject:to :cc; bh=aSDcqx38o3RVlVswwR0+fwEvoKIiOQukRxw+jpYwVXo=; b=oVox7oqJI8TCxERmDsEsKn1kh/cCBrtyLfMG5ttrssZv119JOCJWevbrxECVdXH9UM 1SKdw+ZrIFp2D0OZv/QtWEUKbAyT42mq1uh+FaJwZs1Yko8mB7cQo5ideQ2TEz3zcVo+ bJvZ29C3ODpz+SFiwArGOCEqcEn8CLxIsbPuwRTy7FBmGoUWa04L8OphsY24MsdGBfnY GLA/NuJhm5W534W1ulwXSzXrEnAQfLxjVahJ/IKqVO/eeEtWUhsLQVS3rGCDGe4Yoe/V A3nVxiWpGqyVNSL+5uQSPY+ZxnWIO1ygayXqUxYX8PX55AMBj6AmfCwTF1ixGfBBjXqL 0/fA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:in-reply-to:references:mime-version:date :message-id:subject:to:cc; bh=aSDcqx38o3RVlVswwR0+fwEvoKIiOQukRxw+jpYwVXo=; b=UYurPicP+fzMddrdOBRuWwKU7OrC+6Uf0T7mSrBmeMXdhjXGvC23awwpr7DA1VUqqt OOoekCnOVh3128RLHtUHLmeLftzbbxEeItNK2Cs7LmjqAiSGqGhsPBzCHtBUjOplIHyQ aKjLchbQDpASbr/j2BfZ8akIrJQkbU1KUV0gdTgop8S6zmQwEWUKs17n+oFId9/i4V2q 60alBF+x+82uYbwZiJgxariKQNoSP++9cIwEKCaFndS2F8Irarl+zQTIYbZpxai+H0NW h3zP9BLQaqaebftIyk5l+hkZ/bJEnvcpxC7ISBMYkXtFa/PmunqVI7nXmuOHnXdPk6Au RMtg==
X-Gm-Message-State: AOAM532jBaefg8nEdT+pm1e8KSTs2xDOzqxL4IZUOEtyLs+9k+W3i7qd 4OMtBglAMi/rY+XgaxD/P6ZlzQN5e9w61gIlrTU=
X-Google-Smtp-Source: ABdhPJzGVsIYHwS0G7tqT4vfs0hzzkvcjdLilB1NU2KwzIPxjwvfDxEBme98rrAX9ZusaJlbTxkGcCqgFNocjRsBZps=
X-Received: by 2002:a17:906:7d90:: with SMTP id v16mr22439014ejo.27.1598557501996; Thu, 27 Aug 2020 12:45:01 -0700 (PDT)
Received: from 1058052472880 named unknown by gmailapi.google.com with HTTPREST; Thu, 27 Aug 2020 12:45:01 -0700
From: Alvaro Retana <aretana.ietf@gmail.com>
In-Reply-To: <MN2PR11MB356549055B6757B9841EF32BD8550@MN2PR11MB3565.namprd11.prod.outlook.com>
References: <159743131948.29404.7285894923089059952@ietfa.amsl.com> <MN2PR11MB3565D36B4FB2E9D40EFCD400D85C0@MN2PR11MB3565.namprd11.prod.outlook.com> <MN2PR11MB35650CDF364323901C9227F8D8550@MN2PR11MB3565.namprd11.prod.outlook.com> <CAMMESswxHfZ2RTL69pfAZYSXQgu3gE2ZwvKOE+QFxWQa40jJ+g@mail.gmail.com> <MN2PR11MB3565C0C52E917B6D2C5593F9D8550@MN2PR11MB3565.namprd11.prod.outlook.com> <CAMMESszGdKX6=yzdd2rZ55ZZ_YLoXgMsXeBWVTNWJd1KZupaEw@mail.gmail.com> <MN2PR11MB356549055B6757B9841EF32BD8550@MN2PR11MB3565.namprd11.prod.outlook.com>
MIME-Version: 1.0
Date: Thu, 27 Aug 2020 12:45:01 -0700
Message-ID: <CAMMESsyZ2_THfcWS73nbBKyCAktmmejQZAHwauGTj4vu-x8P8Q@mail.gmail.com>
To: "Pascal Thubert (pthubert)" <pthubert@cisco.com>, Stewart Bryant <stewart.bryant@gmail.com>
Cc: "rtg-dir@ietf.org" <rtg-dir@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000000f438f05ade12c7f"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtg-dir/RRNaWzSV2xU011TlbKSq4FaD_eU>
Subject: Re: [RTG-DIR] Rtgdir last call review of draft-ietf-roll-turnon-rfc8138-10
X-BeenThere: rtg-dir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Routing Area Directorate <rtg-dir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtg-dir/>
List-Post: <mailto:rtg-dir@ietf.org>
List-Help: <mailto:rtg-dir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtg-dir>, <mailto:rtg-dir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2020 19:45:06 -0000
Pascal: The link-layer security is a mechanism that applies to all the RPL messages. It doesn’t just apply to messages associated with this document. Making it required (or even just normatively recommending it) in this document feels like overreaching because we’re just defining a flag, not changing how the RPL adjacency works. I rather go with something akin to the Security Considerations in, for example, draft-ietf-roll-efficient-npdao (also approved by Ben)…which is where I borrowed the "This document assumes that the security mechanisms as defined in [RFC6550] are followed…” phrase from. BTW, we should at least point the reader to the Security Considerations in rfc6550 and rfc8138. Thanks! Alvaro. On August 27, 2020 at 1:45:09 PM, Pascal Thubert (pthubert) ( pthubert@cisco.com) wrote: Hello again Alvaro We had a pass on similar text (with Benjamin K.) for the IESG review of https://tools.ietf.org/html/draft-ietf-6lo-fragment-recovery-21 (now in RFC ED queue) and ended up with As indicated in [FRAG-FWD <https://tools.ietf.org/html/draft-ietf-6lo-fragment-recovery-21#ref-FRAG-FWD>], Secure joining and the Link-Layer security are REQUIRED to protect against those attacks, as the fragmentation protocol does not include any native security mechanisms. Indeed this requirement is common to anything 6LoWPAN or RPL. And MUSTing it in the form above seemed to reach consensus. In the case of RPL alone it’s either as above or one of RPL’s secured modes, preinstalled of authenticated. RPL’s security section discusses the last to but does not really say what to do with Unsecured. We could fill that gap. What about combining all this as: “ It is worth noting that with [RFC6550], every node in the LLN that is RPL-aware can inject any RPL-based attack in the network. This document assumes that the RPL exchange are protected against on-link attacks such as forged and replayed packets. Section 10 of [RPL] proposes 3 security modes, Unsecured, Preinstalled and Authenticated. In the Unsecured Mode, secure joining and the Link-Layer security are REQUIRED to protect against those attacks. “ Keep safe, Pascal *From:* Alvaro Retana <aretana.ietf@gmail.com> *Sent:* jeudi 27 août 2020 19:18 *To:* Pascal Thubert (pthubert) <pthubert@cisco.com>; Stewart Bryant < stewart.bryant@gmail.com> *Cc:* rtg-dir@ietf.org *Subject:* RE: [RTG-DIR] Rtgdir last call review of draft-ietf-roll-turnon-rfc8138-10 Sure… I just to want to recommend anything that is not already specified somewhere else for RPL. :-) On August 27, 2020 at 1:05:39 PM, Pascal Thubert (pthubert) ( pthubert@cisco.com) wrote: Hello Alvaro 😊 I see your point. > It is worth noting that with [RFC6550], every node in the LLN that is > RPL-aware can inject any RPL-based attack in the network. This document > assumes that the security mechanisms as defined in [RFC6550] are followed. This should be clarified a little bit. RPL has a security mechanism that to my best knowledge no one uses ( https://tools.ietf.org/html/rfc6550#section-10). What everyone uses is a Layer 2 access security. The text above seems to recommend to use RPL's secured mode. Is there a way to reword that a bit? Take care, Pascal
- [RTG-DIR] Rtgdir last call review of draft-ietf-r… Stewart Bryant via Datatracker
- Re: [RTG-DIR] Rtgdir last call review of draft-ie… Pascal Thubert (pthubert)
- Re: [RTG-DIR] Rtgdir last call review of draft-ie… Pascal Thubert (pthubert)
- Re: [RTG-DIR] Rtgdir last call review of draft-ie… Alvaro Retana
- Re: [RTG-DIR] Rtgdir last call review of draft-ie… Pascal Thubert (pthubert)
- Re: [RTG-DIR] Rtgdir last call review of draft-ie… Alvaro Retana
- Re: [RTG-DIR] Rtgdir last call review of draft-ie… Pascal Thubert (pthubert)
- Re: [RTG-DIR] Rtgdir last call review of draft-ie… Alvaro Retana
- Re: [RTG-DIR] Rtgdir last call review of draft-ie… Pascal Thubert (pthubert)
- Re: [RTG-DIR] Rtgdir last call review of draft-ie… Alvaro Retana
- Re: [RTG-DIR] Rtgdir last call review of draft-ie… Pascal Thubert (pthubert)