Re: [secdir] SecDir Review of draft-ietf-roll-rpl-industrial-applicability
"Pascal Thubert (pthubert)" <pthubert@cisco.com> Fri, 20 December 2013 17:13 UTC
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Alexey Melnikov <alexey.melnikov@isode.com>, "draft-ietf-roll-rpl-industrial-applicability.all@tools.ietf.org" <draft-ietf-roll-rpl-industrial-applicability.all@tools.ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Date: Fri, 20 Dec 2013 17:13:47 +0000
Message-ID: <E045AECD98228444A58C61C200AE1BD8416520D9@xmb-rcd-x01.cisco.com>
References: <52B442CA.8090909@isode.com>
In-Reply-To: <52B442CA.8090909@isode.com>
Cc: "secdir@ietf.org" <secdir@ietf.org>
Subject: Re: [secdir] SecDir Review of draft-ietf-roll-rpl-industrial-applicability
Thanks a lot Alexey!

We'll dig into that, though probably after Christmas now : )

Cheers,

Pascal

> -----Original Message-----
> From: Alexey Melnikov [mailto:alexey.melnikov@isode.com]
> Sent: Friday 20 December 2013 14:15
> To: draft-ietf-roll-rpl-industrial-applicability.all@tools.ietf.org; Michael Richardson
> Cc: secdir@ietf.org
> Subject: SecDir Review of draft-ietf-roll-rpl-industrial-applicability
>
> Hi,
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG. These
> comments were written primarily for the benefit of the security area directors.
> Document editors and WG chairs should treat these comments just like any
> other last call comments.
>
> The document is well written and was quite educational for me. However the
> Security Considerations section is incomplete and not quite ready.
>
> > This document does not specify operations that could introduce new
> > threats. Security considerations for RPL deployments are to be
> > developed in accordance with recommendations laid out in, for
> > example, [I-D.tsao-roll-security-framework].
>
> This document got obsoleted by a WG document. I am not entirely sure whether
> this is intended to be draft-ietf-roll-security-threats or
> draft-ietf-roll-security-framework. Please update your draft to point to the
> latest document.
>
> > Industrial automation networks are subject to stringent security
> > requirements as they are considered a critical infrastructure
> > component. At the same time, since they are composed of large
> > numbers of resource-constrained devices inter-connected with
> > limited-throughput links, many available security mechanisms are
> > not practical for use in such networks. As a result, the choice of
> > security mechanisms is highly dependent on the device and network
> > capabilities characterizing a particular deployment.
>
> While this sounds plausible, this is not very helpful for deployments.
> Are there any documents (maybe even research papers) that talk about different
> types of deployments and suitable security mechanisms for them?
>
> > In contrast to other types of LLNs, in industrial automation
> > networks centralized administrative control and access to
> > a permanent secure infrastructure is available.
> > As a result link-layer, transport-layer
> > and/or application-layer security mechanisms are typically in place
> > and may make use of RPL's secure mode unnecessary.
>
> Pointing to RFC 6550 and describing how RPL security services described there
> can be replaced by link/transport/application-layer technologies would be
> helpful as well.
>
> > 6.1. Security Considerations during initial deployment
> > 6.2. Security Considerations during incremental deployment
>
> These sections need completing. Looking at
> draft-ietf-roll-applicability-template-03, I can see there a useful pointer to
> a document about getting initial keys and trust anchors.