IETF Logo Mail Archive

Re: [secdir] secdir review of draft-ietf-6tisch-architecture-21

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 14 July 2019 21:21 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DB0C1200A3; Sun, 14 Jul 2019 14:21:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NxA84qeQ3--i; Sun, 14 Jul 2019 14:21:29 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [176.58.120.209]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E533912003E; Sun, 14 Jul 2019 14:21:28 -0700 (PDT)
Received: from dooku.sandelman.ca (CPE788a207f397a-CMbc4dfb96bb50.cpe.net.cable.rogers.com [174.116.121.43]) by relay.sandelman.ca (Postfix) with ESMTPS id 7982D1F44C; Sun, 14 Jul 2019 21:21:26 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 164171301; Sun, 14 Jul 2019 17:21:45 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Tero Kivinen <kivinen@iki.fi>
cc: "Pascal Thubert (pthubert)" <pthubert@cisco.com>, malisav@ac.me, "draft-ietf-6tisch-architecture.all@ietf.org" <draft-ietf-6tisch-architecture.all@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, Thomas Watteyne <thomas.watteyne@inria.fr>, David Mandelberg <david@mandelberg.org>
In-reply-to: <23847.47989.166847.374951@fireball.acr.fi>
References: <2cced16c-d1df-88c2-eb21-7452b42f081a@mandelberg.org> <MN2PR11MB35651735463F27A247B4B0F0D8E00@MN2PR11MB3565.namprd11.prod.outlook.com> <23825.24715.882644.180316@fireball.acr.fi> <MN2PR11MB35655F77D328CD9B27029413D8E30@MN2PR11MB3565.namprd11.prod.outlook.com> <23846.21029.236657.158497@fireball.acr.fi> <23847.47989.166847.374951@fireball.acr.fi>
Comments: In-reply-to Tero Kivinen <kivinen@iki.fi> message dated "Fri, 12 Jul 2019 01:43:01 +0300."
X-Mailer: MH-E 8.6; nmh 1.6; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Sun, 14 Jul 2019 17:21:45 -0400
Message-ID: <8391.1563139305@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/_dtpJNmO2WFzMIunUnAq9LWl4MQ>
Subject: Re: [secdir] secdir review of draft-ietf-6tisch-architecture-21
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Jul 2019 21:21:31 -0000

Tero Kivinen <kivinen@iki.fi> wrote:
    > Then it sends a beacon with ASN of x, where x is close to the ASN of
    > packet it wants to attack. JN then packet out to JRC with ASN of x +
    > n1, the attacker can ack it, and then take that packet and replay that
    > to the JRC at ASN of y (where x != y, and y > x). When JRC sends reply
    > packet at y + m, the attacker can reply it back to JN with ASN x + n2
    > and JN will accept it. Now JN has properly rejoined the network (both
    > JN and JRC have authenticated themselves) and JN has keys K1, but
    > thinks ASN is x instead of y. Next packet it sends will be encrypted
    > with K1 and with ASN of x + n3. If x + n3 happens to be the ASN of z
    > the attacker gets two frames encrypted with same key k1 and nonce
    > generated from ASN z. If first try goes wrong it can allow JN to replay
    > until x + n3 > z, and then it can start over again and adjust the
    > starting value of x so it is better guess of how long JN will take when
    > sending frames out...

I'm gonna have to draw this this to get it all, but I think that I see the
point.  If I understood correctly, the attacker can get the JN to be behind
in the ASN game such that it can now see a packet encrypted by the JP and JN
using the same ASN.  It does this by storing legitimate EBs, and replaying
them at a time such that the JN is offset, and the attacker relays the packets.

    > So I do not think we can do anything in the JN <-> JRC protocol to
    > protect against this, the only real way to protect against this, is to
    > send L2 authenticated (but not encrypted) frame after authentication
    > phase from the JN to JRC containing random cookie, and require that JRC
    > to echo it back to JN in similar authenticated but not encrypted frame.

I think maybe somewhere here you mean JP rather than JRC, as the JN and
the JRC are not connected at L2, except via the JN.

    > I.e., make sure the joining process is (I leave out acks in this
    > picture):

"security level X" <--- this is an IEEE802.15.4 thing, not a new creation,
right?

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

v2.23.0 | Report a Bug | By Email