IETF Logo Mail Archive

Re: [secdir] secdir review of draft-ietf-6tisch-architecture-21

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 25 June 2019 15:45 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5553D12065B; Tue, 25 Jun 2019 08:45:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id J2QzRPOFzP42; Tue, 25 Jun 2019 08:45:11 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 70DA212067A; Tue, 25 Jun 2019 08:45:10 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 97F033808A; Tue, 25 Jun 2019 11:43:27 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id A79E6109C; Tue, 25 Jun 2019 11:45:09 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id A538BDF1; Tue, 25 Jun 2019 11:45:09 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
cc: David Mandelberg <david@mandelberg.org>, =?utf-8?B?TWFsacWhYSBWdcSNaW5pxIc=?= <malisav@ac.me>, Tero Kivinen <kivinen@iki.fi>, "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-6tisch-architecture.all@ietf.org" <draft-ietf-6tisch-architecture.all@ietf.org>
In-Reply-To: <MN2PR11MB3565575DA39BCA11E00233B5D8E30@MN2PR11MB3565.namprd11.prod.outlook.com>
References: <2cced16c-d1df-88c2-eb21-7452b42f081a@mandelberg.org> <MN2PR11MB3565575DA39BCA11E00233B5D8E30@MN2PR11MB3565.namprd11.prod.outlook.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Tue, 25 Jun 2019 11:45:09 -0400
Message-ID: <30360.1561477509@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/Yfey3aeAvGPe6WMMNFhs_6-l2_o>
Subject: Re: [secdir] secdir review of draft-ietf-6tisch-architecture-21
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jun 2019 15:45:14 -0000

Pascal Thubert (pthubert) <pthubert@cisco.com> wrote:
    > the following.  Michael, Malisa and Tero please confirm that it looks
    > good / help me fix it : )

...

    >    In a TSCH network as specified by IEEE Std. 802.15.4 [IEEE802154],
    > the nonce that is used to secure Link-Layer exchanges includes an
    > address of the source and the ASN.  The ASN itself is supposed to be
    > distributed securely by other means.  If the ASN is compromised and a
    > short address is reused, then a nonce-reuse attack becomes possible.

    >    With 6TiSCH, the pledge discovers a tentative ASN in beacons sent by
    > nodes that have already joined the network.  As the pledge is not in
    > possession of Link-Layer keys for the visited network, it cannot verify
    > the message integrity code (MIC) authenticating the beacon.


- Even if it
- did have the keys, it still could not verify the beacon as it could be
- a replay by an attacker and thus could still announce an ASN that
- represents a time in the past.  That time would match a valid timeslot
- it if is correct modulo the number of channels used for hopping.

+ Even after the join process, when it does have the keys, it still could not
+ verify the freshness of the the beacon as it could be
+ a replay by an attacker and thus could still announce an ASN that
+ represents a time in the past.  That time would match a valid timeslot
+ it if is correct modulo the number of channels used for hopping.


    >    This authentication steps must be such that they cannot be replayed
    + by an attacker, and it must not depend on the tentative ASN being valid.
    > Note that IEEE std. 802.15.4 TSCH does not provide replay protection at
    > all, and that for instance attacker can cause a legitimate node to

    - retransmit a previous message by destroying an ack. It results and
    + retransmit a previous message by destroying an ack. If this results an

    > upper layer protocol must provide a way to detect replayed messages and
    > cope with them.

    >    During the authentication the keying material that the pledge
    > obtains from the JRC does NOT provide protection against spoofed ASN.
    > Once the pledge has obtained the keys to use in the network, it still
    > needs to verify the ASN.  If the nonce used in the Layer-2 security
    > derives from the extended (MAC-64) address, then replaying the ASN
    > alone cannot enable a nonce-reuse attack unless the same node is
    > attacked twice and loses all state in-between.  But if the nonce
    > derives from the short address (e.g., assigned by the JRC) then the
    > nonce-reuse attacks are possible, and the JRC must ensure that it never
    > assigns short addresses that were already given to this or other nodes
    > with the same keys.

I think that in this place, the note about rekeying the network must occur
before running out of short addresses.

    >    At that point, an additional step may be required to ensure that the
    > ASN is correct.  For instance, the pledge could perform a first
    > exchange with a peer node that is trusted and has already joined, e.g.,
    > its RPL time parent, and the message should not be encrypted but only
    > authenticated at the Link-Layer.  The request from the pledge should
    > contain a nonce with a random part that is not ASN, and the
    > authenticated response should contain the current ASN and echo the
    > nonce.

I think that we need to be explicit, not "for instance"

{please forgive me being behind on email. Summer cold and family responsabilities}
--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email