Re: [secdir] secdir review of draft-ietf-6tisch-architecture-21

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Wed, 26 June 2019 12:30 UTC

> Tero:
>     >> Note, that attacker might be able to replay valid ACKs for the frame
>     >> sent by the JN, provided that the JRC (or whoever JN sent the message
>     >> to) happened to ack message using the same ASN attacker faked for JN.
> 
> Pascal Thubert (pthubert) <pthubert@cisco.com> wrote:
>     > You mean that the faked ASN is only slightly in the future, so the
>     > attacker can repeat messages from the pledge after that delay?
> 
> The faked ASN is always in the past.

Do you mean the replayed ones? When the pledge does not have the keys, the attacker can forge the beacon with any ASN, and place random bytes in the MIC, can't it?
If the attacker fakes an ASN that is tomorrow and intercepts a join request, it could make the pledge seem to appear now on the network tomorrow even if the real pledge is long gone.

> So the L2-ACKs can be faked, was the point.

I can see that an ACK can be replayed. But the ACK that was stored in advance can only work if the attacked node speaks on the very ASN for which the attacker intercepted an ACK in the past. The attacker is not in control of that and that makes its life harder.

> 
> The best scenario would be to distribute the ASN within the JRC reply (CoJP),
> but (as Malisa has pointed out) that also has the problem that it requires the
> JRC to get ASN coordination/update messages from the 6LBR if they are not
> co-located.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works  -
> = IPv6 IoT consulting =-
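The point made above, that a stored L2-ACK can only be replayed against a node that transmits on the very ASN the ACK was recorded for, follows from the ASN being part of the CCM* nonce on the receiver side. The following is an added illustration, not code from the thread or from any 6TiSCH implementation; it uses a truncated HMAC as a stand-in for the CCM* MIC and constructed sample key and address values.

```python
import hmac
import hashlib

# Constructed sample values, not taken from the draft or any real deployment.
LINK_KEY = b"constructed-sample-key-0123456789"
RESPONDER = bytes.fromhex("0012345678abcdef")   # 8-byte EUI-64 of the acknowledging node


def ccm_nonce(src_addr: bytes, asn: int) -> bytes:
    """TSCH CCM* nonce: 8-byte source address followed by the 5-byte ASN."""
    assert len(src_addr) == 8
    return src_addr + asn.to_bytes(5, "big")


def mic(key: bytes, src_addr: bytes, asn: int, body: bytes) -> bytes:
    """Stand-in for the CCM* MIC: HMAC over nonce||body, truncated to 4 bytes.
    Real CCM* is AES-based; HMAC is used here only so the example runs anywhere."""
    return hmac.new(key, ccm_nonce(src_addr, asn) + body, hashlib.sha256).digest()[:4]


def build_ack(asn: int, body: bytes = b"ACK") -> dict:
    """What the responder transmits in slot `asn`; the ASN itself is not carried in the ACK."""
    return {"body": body, "mic": mic(LINK_KEY, RESPONDER, asn, body)}


def accept_ack(local_asn: int, ack: dict) -> bool:
    """Receiver side: the MIC is recomputed with the receiver's OWN notion of the ASN."""
    expected = mic(LINK_KEY, RESPONDER, local_asn, ack["body"])
    return hmac.compare_digest(expected, ack["mic"])


def replay_accepted(captured_asn: int, victim_asn: int) -> bool:
    """An ACK recorded in slot captured_asn is re-injected while the victim believes
    the current slot is victim_asn. Returns whether the victim's MIC check passes."""
    recorded = build_ack(captured_asn)
    return accept_ack(victim_asn, recorded)


if __name__ == "__main__":
    # With a correct local ASN the stored ACK verifies only in the one slot it was recorded for.
    print(replay_accepted(1000, 1001))  # False
    # It verifies if the victim's ASN happens to match (e.g. an ASN learned from an
    # unauthenticated beacon before the pledge holds the link key, as discussed above).
    print(replay_accepted(1000, 1000))  # True
```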