Re: [secdir] Éric Vyncke's Discuss on draft-ietf-6lo-ap-nd-13: (with DISCUSS and COMMENT)
"Pascal Thubert (pthubert)" <pthubert@cisco.com> Fri, 31 January 2020 10:22 UTC
Return-Path: <pthubert@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 800631200E9; Fri, 31 Jan 2020 02:22:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.498
X-Spam-Level:
X-Spam-Status: No, score=-14.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=eXclXFtA; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=EQkAVJhR
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HVUR88xuiFVC; Fri, 31 Jan 2020 02:22:57 -0800 (PST)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 33DA1120098; Fri, 31 Jan 2020 02:22:57 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8282; q=dns/txt; s=iport; t=1580466177; x=1581675777; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=s8JdGgJSFmiYHHhQS6O5p8Ik1InjhnAAiV/Pvu9lwGk=; b=eXclXFtAKEXjh9u+0l8TYVnmv/yZJG3FvWKOpBDUjAQJvWHaNuAZhTaA mgzsUa+LVRw49t11Gww7zvjSFqbp+EX2Nm6eeJUc/9ctskmcx8Wkb2E8G IVW+KXYz4tuEaebbbBxYfgP6fdHuNEkxrQaVL9fYiciFol2n+Bke12+4b c=;
IronPort-PHdr: 9a23:1hcWZxG63ZpxxLNI6LecSp1GYnJ96bzpIg4Y7IYmgLtSc6Oluo7vJ1Hb+e4z1Q3SRYuO7fVChqKWqK3mVWEaqbe5+HEZON0pNVcejNkO2QkpAcqLE0r+eeb2bzEwEd5efFRk5Hq8d0NSHZW2ag==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CxAAC8/zNe/49dJa1lGgEBAQEBAQEBAQMBAQEBEQEBAQICAQEBAYF7gVRQBWxYIAQLKoQUg0YDinOCX5gPglIDVAkBAQEMAQEjCgIBAYRAAheCGCQ4EwIDDQEBBAEBAQIBBQRthTcMhV4BAQEBAxIREQwBATcBCwQCAQYCEQQBAQECAiYCAgIwFQUDCAIEAQ0FCBqDBYJKAy4BAgyQZ5BmAoE5iGJ1gTKCfwEBBYEzAoNVGIIMAwaBDiqFHoU/gUMagUE/gRFHgkw+gmQCAhqBSRWCeTKCLI1hgjo7nhtwCoI7lliCSIgNhEiHI4RFg0mLF5sWAgQCBAUCDgEBBYFpIoFYcBWDJ1AYDY4dCRoVgzuFFIU/dIEpilwtghQBAQ
X-IronPort-AV: E=Sophos;i="5.70,385,1574121600"; d="scan'208";a="698830416"
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 31 Jan 2020 10:22:50 +0000
Received: from XCH-ALN-001.cisco.com (xch-aln-001.cisco.com [173.36.7.11]) by rcdn-core-7.cisco.com (8.15.2/8.15.2) with ESMTPS id 00VAMoDK025359 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 31 Jan 2020 10:22:50 GMT
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by XCH-ALN-001.cisco.com (173.36.7.11) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 31 Jan 2020 04:22:50 -0600
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 31 Jan 2020 05:22:49 -0500
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Fri, 31 Jan 2020 05:22:48 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=TrXY8ppZZg3mTrWxTwmIT1Y/YbWYO03fQtfEbDpVQb3bbEZXPjL5ZCs9vTOJB77aovzy7u3N4NFUGIR+ckjP4N9rKmBXdIiOjOcuSiA5/lpSxe3fa8hlgWY6+EWtD84kK2O6ZC2sgvOHDzgDZu11I4JhGOYlzz6JbshgKmuckbIs92jAfifutucPBUbsn1yZZ2lQwVXe3WilfZnWp25f65bUybUPRV5J23x4ADW7lYs7l18uIwClNgTNYJMU+O8k1tGSWGQ0qnaZruU6VWN6BVCudbh0w7NKpg5dOfaLlbVokHbY7TtGfc8nIieaNNtlyfCgc/guMEgA+jvJ9LTxfw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=s8JdGgJSFmiYHHhQS6O5p8Ik1InjhnAAiV/Pvu9lwGk=; b=oexvc7qsMiFm1vOYk8boZ8531IeDqOj5r3I3gXVQ44R2lAJT8YJkjJDEe9gZ81R3gTOeNJAdBjrrJYvb22gPzo6iVwXFOYv6naFHy2thdQxq0snHcBAyublMm3SFnePD4NdV+5LYuAq+UAfliy4K0PDJVOmD5gUl6dFx1eecg2avwskrdkS/uLpehdZL6wd1iLqZctCLf2U2skMeJQ6ZIvqzjBFzm7rviES4/3iOkkUSHtoizNEe0ANNt5IFYo5RMevGS71FVBdlGagE9Ld0+IKGwTdC+1JIASmNg0QozcgkZeSJbDpv+zjJTNSmbTs7xiGBereyrMQaPTq/EcXJxw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=s8JdGgJSFmiYHHhQS6O5p8Ik1InjhnAAiV/Pvu9lwGk=; b=EQkAVJhRfFofBtGR1J7zJ2cm2o2B0mPtW8nYkYb2Y2PAnDDjjUIuOey2Zzq8X7Qg/e8ueKiqiDh1sjTIMW1t9kmZXSIwu6eh5opRDcgyJISkBiJ2oKMV33Jk7Chy6erZmHNiiDcwqhRD36mR0MW5mz0p3pnXIhAX+GmIplNm5fc=
Received: from MN2PR11MB3565.namprd11.prod.outlook.com (20.178.250.159) by MN2PR11MB4125.namprd11.prod.outlook.com (10.255.181.152) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2686.29; Fri, 31 Jan 2020 10:22:47 +0000
Received: from MN2PR11MB3565.namprd11.prod.outlook.com ([fe80::fd76:1534:4f9a:452a]) by MN2PR11MB3565.namprd11.prod.outlook.com ([fe80::fd76:1534:4f9a:452a%3]) with mapi id 15.20.2665.027; Fri, 31 Jan 2020 10:22:47 +0000
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: "Eric Vyncke (evyncke)" <evyncke@cisco.com>, The IESG <iesg@ietf.org>
CC: "draft-ietf-6lo-ap-nd@ietf.org" <draft-ietf-6lo-ap-nd@ietf.org>, "Shwetha Bhandari (shwethab)" <shwethab@cisco.com>, "6lo-chairs@ietf.org" <6lo-chairs@ietf.org>, "6lo@ietf.org" <6lo@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: Éric Vyncke's Discuss on draft-ietf-6lo-ap-nd-13: (with DISCUSS and COMMENT)
Thread-Index: AQHV1q8ObZjsSNLsNE+ME5HgTzGBvKgBtsSwgAASbYCAAsfmsA==
Date: Fri, 31 Jan 2020 10:22:45 +0000
Deferred-Delivery: Fri, 31 Jan 2020 10:21:49 +0000
Message-ID: <MN2PR11MB356504F13C767D71E5E2F3DED8070@MN2PR11MB3565.namprd11.prod.outlook.com>
References: <158030752268.2728.2544838912831012540.idtracker@ietfa.amsl.com> <MN2PR11MB35655FBDC33DE5AB90253643D8050@MN2PR11MB3565.namprd11.prod.outlook.com> <AED6BD10-1EDE-4BF3-A63F-0B81A516E246@cisco.com>
In-Reply-To: <AED6BD10-1EDE-4BF3-A63F-0B81A516E246@cisco.com>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=pthubert@cisco.com;
x-originating-ip: [2001:420:44f3:1300:41e7:7725:e525:b2e8]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d6238c67-5754-4249-2e06-08d7a63784c6
x-ms-traffictypediagnostic: MN2PR11MB4125:
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <MN2PR11MB4125F7EBE2CDF2D2A5693CA3D8070@MN2PR11MB4125.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 029976C540
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(376002)(136003)(346002)(39860400002)(366004)(396003)(189003)(199004)(966005)(76116006)(71200400001)(316002)(7696005)(110136005)(54906003)(66946007)(81166006)(53546011)(6506007)(81156014)(2906002)(86362001)(5660300002)(8936002)(66556008)(9686003)(52536014)(450100002)(33656002)(4326008)(55016002)(224303003)(186003)(478600001)(66446008)(64756008)(66476007); DIR:OUT; SFP:1101; SCL:1; SRVR:MN2PR11MB4125; H:MN2PR11MB3565.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Q0z20dlmXNmead/TDuluzTWqyPbQQT6e6BTfEN3i2c2RU20pHIHM+Py9xiFQhAKEfFnEQRrthXSpLpWZmFsH8Ex+GhsGSB33e0H6SAqgInaM9fpcTclW15Ed6LiQBdd59mjBFxL445Iwy6iG8XKQEYJ6Gc5JGJkc+fvpJStg/Yx7lRlZQlPVi2byu09vljWAT48H+/Ac0FOOTvHrZKM9wIuoR8uiQdiI9p8li8o0OETfPbOMM4+aWcIjQalw2+jPqxvWZ6SbUJkqiNUtayToR//T/hUnXShLcNjaRzyiDUbdAxLjSZX8L66eFiTivuXiMBIdb4pbqO79ju0O3WbDF90iCXg58X60TjUCgSYHavzNT4EIg/pejex6djLzvQgndYgcPBrFHrg/mvYo8h0pb+KBxCkjEx/BHo7ey0N+Ma2WBxxCX4tYXYwhJ+hyNXpAzVa2hqqgXQ9TMxd4n+SmEyO9n0UsiGZfin3ZvmmUOkClg3tCVw4rMydDE22B1nLb9BQzFXWlloq4KJ5LFbLFPQ==
x-ms-exchange-antispam-messagedata: yWUv+oL5waeWkcyJShH7AEGjAAPG6OPgmfD4LbreJeED/Hg/C27B+f/7qsOhMQbgiTrM9RrmK6f9eb/E702DFZ88OngU4uZYSWZp/uPzBB+0xE2fPD/Jz/Kk08YLK9l9FFQI4711K1uim5AHxL7pfTe0iamzGdx1F23hCnNhrtmG4MHVA9MYwkZ/5hzOZPn9FEnvGI/KerooYTEUOtAPCg==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d6238c67-5754-4249-2e06-08d7a63784c6
X-MS-Exchange-CrossTenant-originalarrivaltime: 31 Jan 2020 10:22:47.5907 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: c4KCdEgQHa0zgAnB8frtMTrovSa73fxFb6uRQaa6deZEq2gmAfnA0pTr0rVk6BDQPq0eszZkYZ6VjWnbHNMSCA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4125
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.11, xch-aln-001.cisco.com
X-Outbound-Node: rcdn-core-7.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/4tTykGPE7XEFnDwYF1QcDHmofAI>
Subject: Re: [secdir] Éric Vyncke's Discuss on draft-ietf-6lo-ap-nd-13: (with DISCUSS and COMMENT)
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 31 Jan 2020 10:22:59 -0000
Hello Eric: Again many thanks for your review : ) I just published 14, and added text on the Nonce to remove the impossible must. We talked between authors and the indication is same as RFC 3971 that this should be a random. The quality of the random is linked with the security level that can be obtained from it. Coupling randoms from both parties largely increases the protection, but in an IOT network that reboots, there is still a risk of a replay. All in all we give the general direction of the random, but allow an ever increasing value as well, which is simpler to obtain for a node and yields the same Nonce benefits. A diff from the previous version is available at: https://www.ietf.org/rfcdiff?url2=draft-ietf-6lo-ap-nd-14 Please let us know if the text now conforms your expectations? Many thanks again Pascal > -----Original Message----- > From: Eric Vyncke (evyncke) <evyncke@cisco.com> > Sent: mercredi 29 janvier 2020 16:47 > To: Pascal Thubert (pthubert) <pthubert@cisco.com>; The IESG > <iesg@ietf.org> > Cc: draft-ietf-6lo-ap-nd@ietf.org; Shwetha Bhandari (shwethab) > <shwethab@cisco.com>; 6lo-chairs@ietf.org; 6lo@ietf.org; secdir@ietf.org > Subject: Re: Éric Vyncke's Discuss on draft-ietf-6lo-ap-nd-13: (with DISCUSS > and COMMENT) > > Pascal > > Thank you for your prompt reply. I will clear my DISCUSS in a moment as you > will change the text. > > Agreed on all the points except for the 'nonce'. I know the concept of course > but the sentence "was never used with this device" is still too strong IMHO. To > comply, it would require to keep the history for ever... I would prefer a less > stringent wording. > > -éric > > On 29/01/2020, 16:38, "Pascal Thubert (pthubert)" <pthubert@cisco.com> > wrote: > > Hello Eric : ) > > Many thanks for your review! I cc'ed SEC-DIR because we could really use > their recommendation to solve some of your questions, more below. > > Please see below: > > > == DISCUSS == > > > > -- Section 4.4 -- > > The length of the reserved field is not specified. Or am I missing > something > > obvious ? > > I concatenated the reserved fields in the picture and declared it as 40 bits. > Also added the number of bits in the reserved fields of other structures. > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > == COMMENTS == > > > > -- Section 4.2 -- > > While status is set to 0 when sending a NS, what is the expected behavior > of a > > receiver ? > > Changed to > " > In NS messages it MUST be set to 0 by the sender and ignored by the > receiver. > " > > > -- Section 4.3 and 4.4 -- > > Why is the Pad Length field a 8-bit field while the actual padding will > always be > > less than 8 bytes. Suggest to make it a 3 or 4 bits field and extend the > reserved > > field. > > Actually I thought that if we want to extend the option in the future, it is > better to indicate the length of the public key as follows: > > | Type | Length | Reserved| Public Key Length | > > Where: > > Public Key Length: 13-bit unsigned integer. The length of the Public Key field > in bytes. > Public Key: A variable-length field, size indicated in the Public Key Length > field. > JWK-Encoded Public Key [RFC7517] > >Padding: A variable-length field completing the Public Key field to align to > the next 8-bytes boundary. > > > Works? > > > > > > > -- Section 6.1 -- > > About "Nonce option MUST contain a random Nonce value that was never > used > > with this device", how can it be done? Keeping a local history? Giving > some > > operational hints would bee welcome. Especially, when there are multiple > 6LR in > > the LLN: how can they synchronize the nonce? > > The nonce is used once, so there's no synchronization. A new pair is formed > and exchanged at each validation. > > The nonce game used here appear to be common practice. Yes, there's > usually a need of local history, and the fact that we get a nonce from both > side, apart from guaranteeing that the result is effectively unique to both > parties, also makes the chances for history to repeat very low. > > CC'ing SEC-DIR: Please help: if there is a reference for that practice, what it > takes to maintain a nonce, and why we have a nonce from both sides? Trying > to reinvent that text does not look like a good idea for this draft. > > > > > > > -- References -- > > Is there a reason why the crypto algorithms RFC 7748 and 8032 are not > > normative? > > Interestingly they are informational. So that would be a downref. > > CC'ing SEC-DIR: Please help: should we make these refs normative? > > > > > > == NITS == > > > > -- Section 2.2 -- > > To be honest, I am not a big fan of simply announcing concepts and > referring to > > many other RFCs. Suggest to mention which terms and concepts are > defined in > > each document. Else, the current section 2.2 mostly forces the readers to > read > > all the references. > > Yes and they are really there as additional reading, not normative. > I changed the text to > " The reader may get additional context for this specification from the > following references" > I also moved classical ND and SEND references to informational references. > > Works? > > > -- Section 6 -- > > s/may use a same Crypto-ID/may use the same Crypto-ID/ ? > > Done > > Many thanks again Eric! > > Let's see what SEC-DIR thinks > > And a very happy new year (in France we have till Jan 31st to send wishes > 😉) > > Pascal > > > >
- Re: [secdir] Éric Vyncke's Discuss on draft-ietf-… Pascal Thubert (pthubert)
- Re: [secdir] Éric Vyncke's Discuss on draft-ietf-… Eric Vyncke (evyncke)
- Re: [secdir] Éric Vyncke's Discuss on draft-ietf-… Pascal Thubert (pthubert)
- Re: [secdir] Éric Vyncke's Discuss on draft-ietf-… Pascal Thubert (pthubert)
- Re: [secdir] Éric Vyncke's Discuss on draft-ietf-… Eric Vyncke (evyncke)
- Re: [secdir] Éric Vyncke's Discuss on draft-ietf-… Benjamin Kaduk
- Re: [secdir] Éric Vyncke's Discuss on draft-ietf-… Pascal Thubert (pthubert)