Re: [secdir] [Roll] Secdir last call review of draft-ietf-roll-turnon-rfc8138-12

"Pascal Thubert (pthubert)" <pthubert@cisco.com> Mon, 07 September 2020 08:21 UTC

From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Routing Over Low power and Lossy networks <roll@ietf.org>
CC: "secdir@ietf.org" <secdir@ietf.org>, "draft-ietf-roll-turnon-rfc8138.all@ietf.org" <draft-ietf-roll-turnon-rfc8138.all@ietf.org>
Date: Mon, 07 Sep 2020 08:21:36 +0000
Message-ID: <MN2PR11MB35655203344583049108AAC3D8280@MN2PR11MB3565.namprd11.prod.outlook.com>
References: <MWHPR16MB15352A9604389BC647A87A5FEA2A0@MWHPR16MB1535.namprd16.prod.outlook.com> <1440.1599410092@localhost>
In-Reply-To: <1440.1599410092@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/koyOWHptoBiuLI6iv3OrLpcdhWE>
Subject: Re: [secdir] [Roll] Secdir last call review of draft-ietf-roll-turnon-rfc8138-12

Hello Tiru and Michael:

Many thanks for your time, your review and your help.

Let's explore how we can improve the text to reduce the reader's puzzlement.


> 
> Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
> wrote:
>     > [1] You may want to clarify how the attacker manages to modify a
>     > protected configuration including the "T" flag introduced in this
>     > spec.
> 
> Every router within every routing protocol can do wrong things :-) RPL is an
> IGP, so all routers are within the same security control, and at the same level.
> 
> An attacker would have to introduce malware into the device to modify data.
> RFC7416 lays out all of these threats: they are no different for the T-bit than
> other bits.
> 

Good point, I will add an informative ref to RFC7416:
"
   It is worth noting that in RPL [RFC6550], every node in the LLN that
   is RPL-aware and has access to the RPL domain can inject any RPL-
   based attack in the network, more in [RFC7416].  

"


>     > [2] Is it possible to identify the attacker (or compromised router) who
>     > set the "T" flag to remediation measures?
> 
> Maybe. Probably not.
> There are few things we can do within any routing protocol to identify
> misbehaving routers.

And during a transition there will be parents that advertise a different setting. 
As Michael said, this is true for any other information as well, so the art of debunking applies.

>     > [3] If due to a human error one or more of the on-path routers are not
>     > upgraded or if the router sees both settings, I presume an alert could
>     > be sent to the network management for troubleshooting. You may want to
>     > add text to discuss the same.
> 
> At present, RPL does not include a standard off-path alerting mechanism.
> This remains a todo item for the WG.
> Some use NETCONF or HTTP to collect statistics in a proprietary way.
> We can send ICMPs, but since this affects how the packets are encoded, we
> likely can't send an ICMP to a relevant router, just one hop in the direction it
> came from.

Agreed. In addition, I would not add code in a constrained router to detect this mistake, though. 
Either you know your network (through management) and you can do the live upgrade, or, for a small network, you do the flag day alternative and check that everything is back up.



> 
>     > [4] What do you mean by "subDAG" (I don't see any definition in this spec
>     > and RFC8138)?
> 
> It's a sub-portion of a DAG. A sub-tree.

I made a small clarifying change:
"
   An attacker in the middle of the network may reset the "T" flag to
   cause extra energy spending in the subset of the DODAG formed by its
   descendants (its subDAG).
"

The diffs are visible here: https://github.com/roll-wg/roll-turnon-rfc8138/commit/889faccec19038b2b68685bb0e31e9cb91d4da62

Again, many thanks!

Please let us know if you see we need to do more.

Keep safe

Pascal
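An added example, not part of this thread or of the draft, showing the management-side check the reply argues for instead of code in the constrained router: decode the DODAG Configuration option (layout from RFC 6550, Section 6.7.6) reported by each parent and group parents by their "T" setting, so a mixed set during a transition, or a parent advertising a reset flag to its subDAG, stands out. The bit position of the "T" flag (bit 2 of the Flags octet) is an assumption here, not something the e-mail states, and the option bytes are constructed.

```python
import struct

# Layout of the RPL DODAG Configuration option (RFC 6550, Section 6.7.6):
# Type=4, Length=14, then Flags(1) DIOIntDoubl(1) DIOIntMin(1) DIORedun(1)
# MaxRankIncrease(2) MinHopRankIncrease(2) OCP(2) Reserved(1) DefLifetime(1) LifetimeUnit(2).
DODAG_CONFIG_TYPE = 0x04
DODAG_CONFIG_LEN = 14
# Assumption (not stated in the e-mail): the "T" flag sits at bit position 2 of the
# Flags octet, counting bit 0 as the most significant bit, so its mask is 0x20.
T_FLAG_MASK = 0x20

def parse_dodag_config(opt: bytes) -> dict:
    """Decode one DODAG Configuration option and return selected fields plus the T flag."""
    if len(opt) < 2 + DODAG_CONFIG_LEN:
        raise ValueError("option truncated")
    if opt[0] != DODAG_CONFIG_TYPE or opt[1] != DODAG_CONFIG_LEN:
        raise ValueError("not a DODAG Configuration option")
    flags, _doubl, imin, _redun, _max_ri, _min_hri, ocp, _res, lifetime, unit = struct.unpack(
        "!BBBBHHHBBH", opt[2:2 + DODAG_CONFIG_LEN])
    return {"T": bool(flags & T_FLAG_MASK), "ocp": ocp, "dio_int_min": imin,
            "default_lifetime": lifetime, "lifetime_unit": unit}

def audit_t_flag(observations: dict) -> dict:
    """Given {parent_id: option bytes} collected by management, group parents by T setting.
    Both groups non-empty means the transition is still in progress (or a parent is
    advertising a reset flag to its subDAG) and deserves a look by the operator."""
    groups = {"on": [], "off": []}
    for parent, opt in observations.items():
        groups["on" if parse_dodag_config(opt)["T"] else "off"].append(parent)
    groups["consistent"] = not (groups["on"] and groups["off"])
    return groups

def _config(flags: int) -> bytes:
    """Build a constructed DODAG Configuration option with the given Flags octet."""
    body = struct.pack("!BBBBHHHBBH", flags, 8, 12, 10, 1792, 256, 1, 0, 30, 60)
    return bytes([DODAG_CONFIG_TYPE, DODAG_CONFIG_LEN]) + body

# Constructed sample: three parents seen by the NMS, one still not advertising T.
SAMPLE = {"parent-A": _config(0x20), "parent-B": _config(0x20), "parent-C": _config(0x00)}

if __name__ == "__main__":
    print(audit_t_flag(SAMPLE))
```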