Re: [secdir] [Roll] Secdir last call review of draft-ietf-roll-turnon-rfc8138-12
"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Mon, 07 September 2020 06:24 UTC
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Routing Over Low power and Lossy networks <roll@ietf.org>
CC: "draft-ietf-roll-turnon-rfc8138.all@ietf.org" <draft-ietf-roll-turnon-rfc8138.all@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Date: Mon, 07 Sep 2020 06:24:17 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/we0QJyLwdX_MeupoBx_YP1KeWhU>
> -----Original Message-----
> From: secdir <secdir-bounces@ietf.org> On Behalf Of Michael Richardson
> Sent: Sunday, September 6, 2020 10:05 PM
> To: Routing Over Low power and Lossy networks <roll@ietf.org>
> Cc: draft-ietf-roll-turnon-rfc8138.all@ietf.org; secdir@ietf.org
> Subject: Re: [secdir] [Roll] Secdir last call review of draft-ietf-roll-turnon-rfc8138-12
>
>
> Thank you for the review.
>
> Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com> wrote:
> > [1] You may want to clarify how the attacker manages to modify a
> > protected configuration including the "T" flag introduced in this
> > spec.
>
> Every router within every routing protocol can do wrong things :-) RPL is an
> IGP, so all routers are within the same security control, and at the same level.
>
> An attacker would have to introduce malware into the device to modify data.
> RFC7416 lays out all of these threats: they are no different for the T-bit than
> other bits.

Got it. A reference to RFC7416 will be helpful to understand the threat model.

> > [2] Is it possible to identify the attacker (or compromised router) who
> > set the "T" flag to remediation measures ?
>
> Maybe. Probably not.
> There are few things we can do within any routing protocol to identify
> mis-behaving routers.

Please add a reference to the techniques that can be used to detect mis-behaving routers.

> > [3] If due to a human error one or more of the on-path routers are not
> > upgraded or if the router sees both settings, I presume an alert could
> > be sent to the network management for troubleshooting. You may want to
> > add text to discuss the same.
>
> At present, RPL does not include a standard off-path alerting mechanism.
> This remains a todo item for the WG.
> Some use NETCONF or HTTP to collect statistics in a proprietary way.

I think a proprietary way can also be discussed to showcase the current practices for troubleshooting.

> We can send ICMPs, but since the affects how the packets are encoded, we
> likely can't send an ICMP to a relevant router, just one hop in the direction it
> came from.
>
> > [4] What do you mean by "subDAG" (I don't see any definition in this
> > spec and RFC8138) ?
>
> It's a sub-portion of a DAG. A sub-tree.

Okay, you may want to expand "subDAG".

-Tiru

>
> --
> Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting )
> Sandelman Software Works Inc, Ottawa and Worldwide