IETF Logo Mail Archive

Re: [secdir] secdir review of draft-ietf-6tisch-architecture-21

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 25 June 2019 15:31 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B3F01205DE; Tue, 25 Jun 2019 08:31:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E8VFguW80XoS; Tue, 25 Jun 2019 08:31:27 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D4BD61205FE; Tue, 25 Jun 2019 08:31:13 -0700 (PDT)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:56b2:3ff:fe0b:d84]) by tuna.sandelman.ca (Postfix) with ESMTP id 75F3D3808A; Tue, 25 Jun 2019 11:29:29 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 81558109C; Tue, 25 Jun 2019 11:31:11 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 7E8D09BC; Tue, 25 Jun 2019 11:31:11 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Tero Kivinen <kivinen@iki.fi>
cc: "Pascal Thubert (pthubert)" <pthubert@cisco.com>, David Mandelberg <david@mandelberg.org>, "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-6tisch-architecture.all@ietf.org" <draft-ietf-6tisch-architecture.all@ietf.org>, Thomas Watteyne <thomas.watteyne@inria.fr>, =?iso-8859-2?Q?Mali=B9a_Vu=E8ini=E6?= <malisav@ac.me>
In-Reply-To: <23825.24715.882644.180316@fireball.acr.fi>
References: <2cced16c-d1df-88c2-eb21-7452b42f081a@mandelberg.org> <MN2PR11MB35651735463F27A247B4B0F0D8E00@MN2PR11MB3565.namprd11.prod.outlook.com> <23825.24715.882644.180316@fireball.acr.fi>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Tue, 25 Jun 2019 11:31:11 -0400
Message-ID: <26791.1561476671@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Vd-LqBHwO76CUPJKv19Gw9OG3rQ>
Subject: Re: [secdir] secdir review of draft-ietf-6tisch-architecture-21
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jun 2019 15:31:30 -0000

Tero Kivinen <kivinen@iki.fi> wrote:
    > During the authentication the JRC needs to provide the keying material
    > to the joining node, but that does NOT provide protection against
    > spoofed ASN. After the node has actual keys used in the network it
    > still needs to verify the ASN by sending some message to JRC using
    > authentication and verify that JRC replies to that.

I thought that the 6LRs could provide authentication of the beacons with the
network-wide-key, and that we could (after the join process), verify the beacon we
saw, using the key(s) that the JRC provided.

    > If this 2nd step is omitted attacker do following attack:

>Joining node (JN)   attacker	     		  JRC
>		    <- beacon for ASN=23	  <- beacon for ASN=44
>See beacon
>from attacker,
>assume ASN=23.

So this is a replay of the valid beacon with ASN=23.

    > Now, if JN is using extended address to generate nonce, the nonce will
    > be different for all other nonces ever used, even the ASN is faked, and
    > has been used before. On the other hand if JN also receives short
    > address assignment from the JRC, JRC needs to make sure that short
    > address has not been assigned to anybody else before, as if it was used
    > by someone else, and frame sent by JN is encrypted, then attacker will
    > now have two packets with same ASN, and short address, meaning same
    > nonce, and it can now decrypt packets.

I thought that we have text in 6tisch-minimal about needing to rekey the
network if we run out of short-addresses for this reason.  Well, no.
We explain how to rekey well, but not why to rekey :-)

Are you suggesting that we need to put this in the architecture document too?
Maybe we should have included the ASN as an attribute in the JRC response.

    > If JN sends message to JRC which only JRC can reply, and uses wrong
    > ASN, the JRC will not be able to decrypt/validate that frame because of
    > wrong ASN in nonce, and will drop it silently, so if JN uses wrong ASN
    > it might be getting ACKs, but it will not get any real reply frames
    > back from real participants in the network. After it will not receive
    > confirmation from JRC that it has proper keys and ASN, it knows
    > something went wrong.

Still, that's more code to implement a heuristic.


--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email