Re: [secdir] [Roll] Secdir last call review of draft-ietf-roll-turnon-rfc8138-12

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Wed, 09 September 2020 07:22 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "Pascal Thubert (pthubert)" <pthubert=40cisco.com@dmarc.ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>, Routing Over Low power and Lossy networks <roll@ietf.org>
CC: "draft-ietf-roll-turnon-rfc8138.all@ietf.org" <draft-ietf-roll-turnon-rfc8138.all@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: [Roll] Secdir last call review of draft-ietf-roll-turnon-rfc8138-12
Date: Wed, 09 Sep 2020 07:22:09 +0000
Message-ID: <MWHPR16MB15357A52602FFDD92BAE5C19EA260@MWHPR16MB1535.namprd16.prod.outlook.com>
References: <MWHPR16MB15352A9604389BC647A87A5FEA2A0@MWHPR16MB1535.namprd16.prod.outlook.com> <1440.1599410092@localhost> <MN2PR11MB35655203344583049108AAC3D8280@MN2PR11MB3565.namprd11.prod.outlook.com>
In-Reply-To: <MN2PR11MB35655203344583049108AAC3D8280@MN2PR11MB3565.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/uOkJsbbXRYxOBRSsalZUkvXI6ZU>
Subject: Re: [secdir] [Roll] Secdir last call review of draft-ietf-roll-turnon-rfc8138-12

Thanks Pascal, update looks good.

-Tiru

> -----Original Message-----
> From: secdir <secdir-bounces@ietf.org> On Behalf Of Pascal Thubert
> (pthubert)
> Sent: Monday, September 7, 2020 1:52 PM
> To: Michael Richardson <mcr+ietf@sandelman.ca>; Routing Over Low power
> and Lossy networks <roll@ietf.org>
> Cc: draft-ietf-roll-turnon-rfc8138.all@ietf.org; secdir@ietf.org
> Subject: Re: [secdir] [Roll] Secdir last call review of draft-ietf-roll-turnon-rfc8138-12
> 
> Hello Tiru and Michael:
> 
> Many thanks for your time, your review and your help.
> 
> Let's explore how we can improve the text to reduce the reader's
> puzzlements.
> 
> 
> >
> > Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
> > wrote:
> >     > [1] You may want to clarify how the attacker manages to modify a
> >     > protected configuration including the "T" flag introduced in this
> >     > spec.
> >
> > Every router within every routing protocol can do wrong things :-) RPL
> > is an IGP, so all routers are within the same security control, and at the
> > same level.
> >
> > An attacker would have to introduce malware into the device to modify
> > data.
> > RFC7416 lays out all of these threats: they are no different for the
> > T-bit than other bits.
> >
> 
> Good point, I will add an informative ref to RFC7416:
> "
>    It is worth noting that in RPL [RFC6550], every node in the LLN that
>    is RPL-aware and has access to the RPL domain can inject any RPL-
>    based attack in the network, more in [RFC7416].
> 
> "
> 
> 
> >     > [2] Is it possible to identify the attacker (or compromised router) who
> >     > set the "T" flag to remediation measures ?
> >
> > Maybe. Probably not.
> > There are few things we can do within any routing protocol to identify
> > misbehaving routers.
> 
> And during a transition there will be parents that advertise a different setting.
> As Michael said, this is true for any other information as well, so the art of
> debunking applies.
> 
> >     > [3] If due to a human error one or more of the on-path routers are not
> >     > upgraded or if the router sees both settings, I presume an alert could
> >     > be sent to the network management for troubleshooting. You may want to
> >     > add text to discuss the same.
> >
> > At present, RPL does not include a standard off-path alerting mechanism.
> > This remains a todo item for the WG.
> > Some use NETCONF or HTTP to collect statistics in a proprietary way.
> > We can send ICMPs, but since this affects how the packets are encoded,
> > we likely can't send an ICMP to a relevant router, just one hop in the
> > direction it came from.
> 
> Agreed. In addition, I would not add code in a constrained router to detect
> this mistake, though.
> Either you know your network (through management) and you can do the
> live upgrade, or, for a small network you do the flag day alternative and
> check everything is back up.
> 
> 
> 
> >
> >     > [4] What do you mean by "subDAG" (I don't see any definition in
> > this spec and RFC8138) ?
> >
> > It's a sub-portion of a DAG. A sub-tree.
> 
> I made a small clarifying change:
> "
>    An attacker in the middle of the network may reset the "T" flag to
>    cause extra energy spending in the subset of the DODAG formed by its
>    descendants (its subDAG).
> "
> 
> The diffs are visible here: https://github.com/roll-wg/roll-turnon-rfc8138/commit/889faccec19038b2b68685bb0e31e9cb91d4da62
> 
> Again, many thanks!
> 
> Please let us know if you see we need to do more.
> 
> Keep safe
> 
> Pascal