Re: [secdir] secdir review of draft-ietf-6tisch-architecture-21
Michael Richardson <mcr+ietf@sandelman.ca> Tue, 25 June 2019 15:45 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5553D12065B; Tue, 25 Jun 2019 08:45:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J2QzRPOFzP42; Tue, 25 Jun 2019 08:45:11 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70DA212067A; Tue, 25 Jun 2019 08:45:10 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 97F033808A; Tue, 25 Jun 2019 11:43:27 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id A79E6109C; Tue, 25 Jun 2019 11:45:09 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id A538BDF1; Tue, 25 Jun 2019 11:45:09 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
cc: David Mandelberg <david@mandelberg.org>, =?utf-8?B?TWFsacWhYSBWdcSNaW5pxIc=?= <malisav@ac.me>, Tero Kivinen <kivinen@iki.fi>, "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-6tisch-architecture.all@ietf.org" <draft-ietf-6tisch-architecture.all@ietf.org>
In-Reply-To: <MN2PR11MB3565575DA39BCA11E00233B5D8E30@MN2PR11MB3565.namprd11.prod.outlook.com>
References: <2cced16c-d1df-88c2-eb21-7452b42f081a@mandelberg.org> <MN2PR11MB3565575DA39BCA11E00233B5D8E30@MN2PR11MB3565.namprd11.prod.outlook.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Tue, 25 Jun 2019 11:45:09 -0400
Message-ID: <30360.1561477509@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Yfey3aeAvGPe6WMMNFhs_6-l2_o>
Subject: Re: [secdir] secdir review of draft-ietf-6tisch-architecture-21
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jun 2019 15:45:14 -0000
Pascal Thubert (pthubert) <pthubert@cisco.com> wrote: > the following. Michael, Malisa and Tero please confirm that it looks > good / help me fix it : ) ... > In a TSCH network as specified by IEEE Std. 802.15.4 [IEEE802154], > the nonce that is used to secure Link-Layer exchanges includes an > address of the source and the ASN. The ASN itself is supposed to be > distributed securely by other means. If the ASN is compromised and a > short address is reused, then a nonce-reuse attack becomes possible. > With 6TiSCH, the pledge discovers a tentative ASN in beacons sent by > nodes that have already joined the network. As the pledge is not in > possession of Link-Layer keys for the visited network, it cannot verify > the message integrity code (MIC) authenticating the beacon. - Even if it - did have the keys, it still could not verify the beacon as it could be - a replay by an attacker and thus could still announce an ASN that - represents a time in the past. That time would match a valid timeslot - it if is correct modulo the number of channels used for hopping. + Even after the join process, when it does have the keys, it still could not + verify the freshness of the the beacon as it could be + a replay by an attacker and thus could still announce an ASN that + represents a time in the past. That time would match a valid timeslot + it if is correct modulo the number of channels used for hopping. > This authentication steps must be such that they cannot be replayed + by an attacker, and it must not depend on the tentative ASN being valid. > Note that IEEE std. 802.15.4 TSCH does not provide replay protection at > all, and that for instance attacker can cause a legitimate node to - retransmit a previous message by destroying an ack. It results and + retransmit a previous message by destroying an ack. If this results an > upper layer protocol must provide a way to detect replayed messages and > cope with them. > During the authentication the keying material that the pledge > obtains from the JRC does NOT provide protection against spoofed ASN. > Once the pledge has obtained the keys to use in the network, it still > needs to verify the ASN. If the nonce used in the Layer-2 security > derives from the extended (MAC-64) address, then replaying the ASN > alone cannot enable a nonce-reuse attack unless the same node is > attacked twice and loses all state in-between. But if the nonce > derives from the short address (e.g., assigned by the JRC) then the > nonce-reuse attacks are possible, and the JRC must ensure that it never > assigns short addresses that were already given to this or other nodes > with the same keys. I think that in this place, the note about rekeying the network must occur before running out of short addresses. > At that point, an additional step may be required to ensure that the > ASN is correct. For instance, the pledge could perform a first > exchange with a peer node that is trusted and has already joined, e.g., > its RPL time parent, and the message should not be encrypted but only > authenticated at the Link-Layer. The request from the pledge should > contain a nonce with a random part that is not ASN, and the > authenticated response should contain the current ASN and echo the > nonce. I think that we need to be explicit, not "for instance" {please forgive me being behind on email. Summer cold and family responsabilities} -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [secdir] secdir review of draft-ietf-6tisch-archi… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Pascal Thubert (pthubert)
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Tero Kivinen
- Re: [secdir] secdir review of draft-ietf-6tisch-a… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-6tisch-a… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Pascal Thubert (pthubert)
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Tero Kivinen
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Pascal Thubert (pthubert)
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Pascal Thubert (pthubert)
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Michael Richardson
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Michael Richardson
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Michael Richardson
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Pascal Thubert (pthubert)
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Pascal Thubert (pthubert)
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Michael Richardson
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Michael Richardson
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Pascal Thubert (pthubert)
- Re: [secdir] secdir review of draft-ietf-6tisch-a… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Tero Kivinen
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Tero Kivinen
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Pascal Thubert (pthubert)
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Tero Kivinen
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Mališa Vučinić
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Michael Richardson
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Michael Richardson
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Tero Kivinen
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Tero Kivinen