Re: [secdir] Secdir review of draft-ietf-6lo-deadline-time-03

Suresh Krishnan <> Wed, 02 January 2019 22:00 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9D06A126C01; Wed, 2 Jan 2019 14:00:36 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id GnXh8P7IUG1d; Wed, 2 Jan 2019 14:00:34 -0800 (PST)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id C29D11274D0; Wed, 2 Jan 2019 14:00:33 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=XOphyxmtHm+F5CKx3QvAveq8aE7Xs/qzJQjMoXhQ4Jo=; b=fwj7/s4JCIhuxl3qk7bCze2nNnadKuu8hppT6GQDyMW4OlB5iFie4MucfCudYkPAkQKyOuvCsEEogwUtUZbLddVpk3NG0svZTwtqIiBjHFbMdnJfZpnQXNEzttijbvvd+nUCe/jQxahSZgMDI5p0rGJJhBmi1u+ZKSFLfnLMzFw=
Received: from YTOPR0101MB1819.CANPRD01.PROD.OUTLOOK.COM ( by YTOPR0101MB1354.CANPRD01.PROD.OUTLOOK.COM ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1471.20; Wed, 2 Jan 2019 22:00:31 +0000
Received: from YTOPR0101MB1819.CANPRD01.PROD.OUTLOOK.COM ([fe80::2933:2dff:4d41:a673]) by YTOPR0101MB1819.CANPRD01.PROD.OUTLOOK.COM ([fe80::2933:2dff:4d41:a673%2]) with mapi id 15.20.1471.019; Wed, 2 Jan 2019 22:00:31 +0000
From: Suresh Krishnan <>
To: Charlie Kaufman <>, "" <>
CC: "" <>, "" <>
Thread-Topic: Secdir review of draft-ietf-6lo-deadline-time-03
Thread-Index: AQHUmz3wn28DKZa1QE+QITpNT8nKbaWclqyA
Date: Wed, 02 Jan 2019 22:00:31 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
authentication-results: spf=none (sender IP is );
x-originating-ip: []
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; YTOPR0101MB1354; 6:hEDKSzx2AsAYquU3cFewl8J3RVLBeoQPedidzqUTO/rSRqt0dHhyl/nQVD0rrZ7mlcKvdT6VDQEHXB/APizkiW2Eb5ymoou874QHhjhHI7xKVhWTBmPGhGv161HERWe3b6k5PyVzoMN9cD280HxVfTDiP/MjAk1VDOcoY61VBnRHhwhGKRzY3xTPiV7XrvMRas6R7yFIXFlPEPjo8fcOYQBulmcNONoduXh1DQ5fgSBV/w7Qqm+h76v4zXONKLTFjJYF5fykdlAO5r3cpqZMuD1TtO67OqOW7ouLL1tWmTLlZvZ9mhvW6TDZP8Q/+nBMsb+F70tntryugeDTvPeX34X+vL5KFy4PG1WFBmYfMkF8ObP1QP7khwhUmr0SJuLJJP2xRrMG5IdAXnmfeECTb83ZWzqOfU9FA9n68pFaPtty/B9QUIm8qj4YJaXQ/e55FqzZI/LUyqeNo79+1Apjnw==; 5:Ku/V/AJys8RLjC95I+vzuuaBpRxPYuTc+5ZaE/XJgsxCiDe8NNaPYYpvpcJT7tuebP3VGlHT45gUBM6cmKfgfKSVaCVSWF6le2HItFkWu5aInPCwI5OySArOiz18uKY/H9tAss9u9kZPhrZ/2o5SLphZauIaV+cbzkD/Tg2fA/A=; 7:mz0YYsl1YknqenTfjlWKNanAqygqN1Pxop6qcOGLKTHwj9fKuh0PrtcSsNZ6xz/+Jra5XEAMYBZXTP8wOUItaoEWOAD0Sxe5SskhakSopMqOttIii5EcPrTsdyjGj3UoC6tyQETV0zmYQ161y9Adiw==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 5521cee1-b0aa-42b6-435d-08d670fdb6e9
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(7021145)(8989299)(4534185)(7022145)(4603075)(4627221)(201702281549075)(8990200)(7048125)(7024125)(7027125)(7023125)(5600109)(711020)(2017052603328)(7153060)(7193020); SRVR:YTOPR0101MB1354;
x-ms-traffictypediagnostic: YTOPR0101MB1354:
x-microsoft-antispam-prvs: <YTOPR0101MB13540E747257084260EF16B4B48C0@YTOPR0101MB1354.CANPRD01.PROD.OUTLOOK.COM>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(3230021)(908002)(999002)(5005026)(6040522)(8220060)(2401047)(8121501046)(3231475)(944501520)(52105112)(3002001)(93006095)(93001095)(10201501046)(6041310)(2016111802025)(20161123562045)(20161123560045)(20161123564045)(20161123558120)(6043046)(201708071742011)(7699051)(76991095); SRVR:YTOPR0101MB1354; BCL:0; PCL:0; RULEID:; SRVR:YTOPR0101MB1354;
x-forefront-prvs: 0905A6B2C7
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(979002)(396003)(366004)(346002)(39840400004)(376002)(136003)(199004)(189003)(5660300001)(81166006)(81156014)(68736007)(25786009)(26005)(39060400002)(508600001)(8936002)(8676002)(76176011)(110136005)(102836004)(83716004)(54906003)(6506007)(53546011)(45080400002)(99286004)(186003)(2501003)(316002)(4326008)(2906002)(7736002)(71200400001)(71190400001)(33656002)(106356001)(6486002)(105586002)(6512007)(236005)(11346002)(6116002)(66066001)(476003)(72206003)(256004)(14454004)(82746002)(229853002)(36756003)(97736004)(80792005)(486006)(86362001)(6436002)(3846002)(2616005)(14444005)(6246003)(54896002)(446003)(53936002)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1102; SCL:1; SRVR:YTOPR0101MB1354; H:YTOPR0101MB1819.CANPRD01.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: ti4C83z3zv1nUcrpeQ473+hESTv3LnQylqBgfsqTgP0e3iGscWSdkBRbYPrGJPYhviJwJa9nESaRQvSDfSUgvdrH134WtqpJIyQExaQN7v2JHBBwnSKKod86GoRrlYoOUKExiM9FXKH7N6s17qYZpkye5MF2pHRP4uDSGRXWAl+RHJCeVI8DLJ/24+Y2A7DMnGSa/Rukh+8jzSeNV0oeBM9MbHuhF57Q34QNmc66+K0YrYa8z0XJKWJ4Ucp1cU6ifzCQ83lG5Qch+7g8uUl6ZGvmN/j+J/Qf+wDMCyx4s+w/fiIh0C65S2r/W+CAQAhn
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_C810285DA26647CC86AFDA0807ABD059kaloomcom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 5521cee1-b0aa-42b6-435d-08d670fdb6e9
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Jan 2019 22:00:31.6187 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 47d58e26-f796-48e8-ac40-1c365c204513
X-MS-Exchange-Transport-CrossTenantHeadersStamped: YTOPR0101MB1354
Archived-At: <>
Subject: Re: [secdir] Secdir review of draft-ietf-6lo-deadline-time-03
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 02 Jan 2019 22:00:37 -0000

Thanks a lot for your review Charlie. Authors, can you please respond to this review with proposed resolutions.


On Dec 23, 2018, at 11:08 PM, Charlie Kaufman <<>> wrote:

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG.  These comments were written primarily for the benefit of the security area directors.  Document editors and WG chairs should treat these comments just like any other last call comments.

This document specifies a new optional extension in 6LoRHE headers to be used to do fine grained time tracking of packets traversing a network. It supports two functions: tracking the timing of transiting packets for the purpose of performance analysis and diagnostics, and delivery deadline enforcement where the source instructs the network to drop a packet if it cannot be delivered within a specified time bound. This avoids network congestion by quickly discarding packets that are going to be useless by the time they are delivered.

One of the challenges facing this design is maintaining tight clock synchronization between packet forwarding devices. The design assumes that sets of such devices are held in tight synchronization through unspecified mechanisms. These groupings are called "time zones". It also calls for the origination time and delivery deadline fields be updated when a packet transitions between "time zones" (which assumes that packet forwarding devices on separating two time zones be aware of the time difference between them so that it can update those fields).

The issues raised below may be covered in companion documents, but they are what occurred to me while reviewing this one.

Security issues:

Section 6 specifies that when one of these packets is encapsulated and sent through an IPv6 in IPv6 tunnel, and tunnel exit the time fields must be copied from the outer header to the inner header before the packet is forwarded on. This would be true of any form of encapsulation, in particular including IPsec tunnelling.

Many time synchronization protocols - particularly those that target subsecond synchronization - assume they are running on a secure network (or that attackers would not be motivated to mess up time synchronization). If the time synchronization between the packet forwarding devices were to be broken such that there was substantial drift between the devices, that could be used as a denial of service attack if that could be used to cause most or all data packets to be discarded as expired.

Non-security issues:

The length of the time fields is specified in the OTL and DTL headers to have a length of between 1 and 8 octets. I could not tell from the spec whether it was intended that the sender was supposed to pick a size big enough to represent the entire time field or whether it was OK to pick a smaller size and place the low order bits of the time in the field. Placing the low order bits there would normally work, though it makes size comparisons more complex (particularly in cases where there are just barely enough bits to avoid wrapping before the packet expires).
I was initially confused by the presence of two fields OT and DT when one should be sufficient to enforce packet expiration. Reading between the lines of the spec, I eventually concluded that only the DT field was intended to be used for this purpose and the OT field was intended to be used to track delivery performance and is not used in the calculation of packet lifetime. Assuming I have that right, it would be good if it were more explicit in the document.

The bit bummer in me was offended by the fact that the TU and EXP fields had two different ways of representing 1 second time granularity (TU=00/EXP=110 and TU=01/EXP=000). Given that time granularity greater than 10 seconds is never likely to be needed, the need for the TU=01 code point is questionable, but at the least perhaps the spec should say which is the preferred encoding. I also could not tell whether the encoding was expected to be constant within a Time Zone (in which case the fields would not be necessary in every packet) or whether packet relay nodes were expected to canonicalize the time representation whenever it parses a packet. But this is only a matter of taste.