[secdir] Re: [Roll] Secdir early review of draft-ietf-roll-enrollment-priority-10

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 22 May 2024 02:27 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 50C10C151557; Tue, 21 May 2024 19:27:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.397
X-Spam-Level:
X-Spam-Status: No, score=-4.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6I-81exLTkBU; Tue, 21 May 2024 19:27:04 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2064BC14F6A2; Tue, 21 May 2024 19:26:59 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 5DE9A3898D; Tue, 21 May 2024 22:26:57 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id k5PsYbphW8EC; Tue, 21 May 2024 22:26:54 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 6F8093898C; Tue, 21 May 2024 22:26:54 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1716344814; bh=KdD3K9Hayb9pvpFz26uEbCsKzb72R+sQmknUq64M1Dk=; h=From:To:cc:Subject:In-Reply-To:References:Date:From; b=F5n6YnuLPyTkSB4bE8UIyn5p8CjmivCAIlpW42XAzXB2dDc4JGMDI6b9P2RsZgKOg qJ4elg0nK5iHzlOpIJtF10KtOv470JST5cWgzZ8paRVNHSOE2SYQdxbQvEFxvwNeMJ 0icGpR9OfmU/BVE3bSVqK6f7GN0M1ZvIkqM93zPQ297I5bwa0kZKDBZSAcKm3YokyH jg+iUCl1kkEDlYEiW7WwJ03ndoYZ2pI2Z7oJeKiNuYM/ZcuwGFgPuRbJ2AXY3vWmYK SUPWYvOPW+dh4YsF9qlOhP+ZClOfCQD6ngTQ4mNH1a1ZYlBYHqYBN2IfZowLJ/V3yf gH2nMQ7T2k7/Q==
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 6401FAA8; Tue, 21 May 2024 22:26:54 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, Routing Over Low power and Lossy networks <roll@ietf.org>
In-Reply-To: <170653896861.2657.1666635940205248863@ietfa.amsl.com>
References: <170653896861.2657.1666635940205248863@ietfa.amsl.com>
X-Mailer: MH-E 8.6+git; nmh 1.8+dev; GNU Emacs 28.2
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0;<'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Tue, 21 May 2024 22:26:54 -0400
Message-ID: <31301.1716344814@obiwan.sandelman.ca>
Message-ID-Hash: 2L6UX54VCF44D2GSV4OQKOPKYMW7INQT
X-Message-ID-Hash: 2L6UX54VCF44D2GSV4OQKOPKYMW7INQT
X-MailFrom: mcr+ietf@sandelman.ca
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-secdir.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: secdir@ietf.org, draft-ietf-roll-enrollment-priority.all@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [secdir] Re: [Roll] Secdir early review of draft-ietf-roll-enrollment-priority-10
List-Id: Security Area Directorate <secdir.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Owner: <mailto:secdir-owner@ietf.org>
List-Post: <mailto:secdir@ietf.org>
List-Subscribe: <mailto:secdir-join@ietf.org>
List-Unsubscribe: <mailto:secdir-leave@ietf.org>

{I'm sorry to take so long to reply}

Rifaat Shekh-Yusef via Datatracker <noreply@ietf.org> wrote:
    > The following is a quote from the Security Consideration section of the
    > draft: "The use of layer-2 or layer-3 security for RPL control messages
    > prevents the two aforementioned attacks, by preventing malicious nodes
    > from becoming part of the control plane."

Yes.

    > The following quote is from RFC7416, section 7.1.2: "A number of
    > deployments, such as [ZigBeeIP] specify no Layer 3 (L3) / RPL
    > encryption or authentication and rely upon similar security at Layer 2
    > (L2).  These networks are immune to outside wiretapping attacks but are
    > vulnerable to passive (and active) routing attacks through compromises
    > of nodes (see Section 8.2)."

Yes, I wrote much of that document too.
(I was voluntold around 2010)

    > The draft seems to suggest layer-2 security might be sufficient
    > protection, while RFC7416 seems to suggest that solely relying on
    > layer-2 might not be enough.

So, the tension is that in RPL, layer-3 security involves the use of the
secured RPL messages, and in order to make it sensible, requires use of
assymetric algorithms (RSA, EcDSA, EdDSA, etc.)

Back a decade (+) when RFC7415 (and RFC6550) was being developed, most were
skeptical that we could do such signatures on constrained devices at a speed
(and power consumption basis) that would be practical.  Today, many M-class
CPUs have some accelerations that would help a lot, but that still requires
that the assymetric keys be provisioned.  BRSKI (RFC8995) was one protocol
that came out of this work to fill the gap.

However, to date I'm aware of no RPL implementations that actually implement
the secured L3 messages.  (I really wish that wasn't the case)

Secured L3 messages are better for control plane security because they
eliminate the possibility of one node impersonating another node.  This could
be accidental or malicious (malware).

This is also true of all the other routing protocols.  BGP continues to
struggle with this, for instance.  RPKI deals slightly with authorization,
but there is significant work still to do, and the core routers don't suffer
from being power constrained.
Secured L3 messages also allow for the possibility that not all nodes are
authorized to become routers (6LRs) and must remain as leaf nodes.

However, Secured L3 messages do nothing to enhance the privacy of the
network.  While IPsec (also L3) and application layer security (TLS, OSCORE) can help
here, absent a secured L2, a non-participating malicious node would be able
to view or forge traffic, even if it would be unable to disrupt existing
traffic.

    > RFC7416, section 8.2 states: "RPL provides for asymmetric
    > authentication at L3 of the RPL Control Message carrying the DIO, and
    > this may be warranted in some deployments."

    > I feel that this should be discussed here to make it clear that in some
    > deployments, layer-2 by itself might not be sufficient and the use of
    > asymmetric authentication at L3 might be required.

I think it's inappropriate in a short extension document to re-litigate the
work that RFC7416 already did.   I have however, rewritten the section
slightly to attempt to emphasize that L3 security does not provide privacy.

https://github.com/roll-wg/draft-ietf-roll-enrollment-priority/commit/467947fd192a25fca0c1b3e07a20096c6b8d2126

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide