Re: [secdir] secdir review of draft-ietf-6tisch-architecture-21

Michael Richardson <> Sun, 14 July 2019 21:21 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 1DB0C1200A3; Sun, 14 Jul 2019 14:21:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NxA84qeQ3--i; Sun, 14 Jul 2019 14:21:29 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E533912003E; Sun, 14 Jul 2019 14:21:28 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTPS id 7982D1F44C; Sun, 14 Jul 2019 21:21:26 +0000 (UTC)
Received: by (Postfix, from userid 179) id 164171301; Sun, 14 Jul 2019 17:21:45 -0400 (EDT)
From: Michael Richardson <>
To: Tero Kivinen <>
cc: "Pascal Thubert (pthubert)" <>,, "" <>, "" <>, "" <>, Thomas Watteyne <>, David Mandelberg <>
In-reply-to: <>
References: <> <> <> <> <> <>
Comments: In-reply-to Tero Kivinen <> message dated "Fri, 12 Jul 2019 01:43:01 +0300."
X-Mailer: MH-E 8.6; nmh 1.6; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Sun, 14 Jul 2019 17:21:45 -0400
Message-ID: <>
Archived-At: <>
Subject: Re: [secdir] secdir review of draft-ietf-6tisch-architecture-21
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 14 Jul 2019 21:21:31 -0000

Tero Kivinen <> wrote:
    > Then it sends a beacon with ASN of x, where x is close to the ASN of
    > packet it wants to attack. JN then packet out to JRC with ASN of x +
    > n1, the attacker can ack it, and then take that packet and replay that
    > to the JRC at ASN of y (where x != y, and y > x). When JRC sends reply
    > packet at y + m, the attacker can reply it back to JN with ASN x + n2
    > and JN will accept it. Now JN has properly rejoined the network (both
    > JN and JRC have authenticated themselves) and JN has keys K1, but
    > thinks ASN is x instead of y. Next packet it sends will be encrypted
    > with K1 and with ASN of x + n3. If x + n3 happens to be the ASN of z
    > the attacker gets two frames encrypted with same key k1 and nonce
    > generated from ASN z. If first try goes wrong it can allow JN to replay
    > until x + n3 > z, and then it can start over again and adjust the
    > starting value of x so it is better guess of how long JN will take when
    > sending frames out...

I'm gonna have to draw this this to get it all, but I think that I see the
point.  If I understood correctly, the attacker can get the JN to be behind
in the ASN game such that it can now see a packet encrypted by the JP and JN
using the same ASN.  It does this by storing legitimate EBs, and replaying
them at a time such that the JN is offset, and the attacker relays the packets.

    > So I do not think we can do anything in the JN <-> JRC protocol to
    > protect against this, the only real way to protect against this, is to
    > send L2 authenticated (but not encrypted) frame after authentication
    > phase from the JN to JRC containing random cookie, and require that JRC
    > to echo it back to JN in similar authenticated but not encrypted frame.

I think maybe somewhere here you mean JP rather than JRC, as the JN and
the JRC are not connected at L2, except via the JN.

    > I.e., make sure the joining process is (I leave out acks in this
    > picture):

"security level X" <--- this is an IEEE802.15.4 thing, not a new creation,

]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]        |   ruby on rails    [