Re: [secdir] Secdir last call review of draft-ietf-roll-useofrplinfo-25

Michael Richardson <> Thu, 11 April 2019 00:25 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 57C601203D2; Wed, 10 Apr 2019 17:25:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NK-7FTbjnSqZ; Wed, 10 Apr 2019 17:25:31 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 6B20F1200A0; Wed, 10 Apr 2019 17:25:28 -0700 (PDT)
Received: from (unknown []) by (Postfix) with ESMTPS id 9F82B1F482; Thu, 11 Apr 2019 00:25:25 +0000 (UTC)
Received: by (Postfix, from userid 179) id 1FFC84289; Thu, 11 Apr 2019 01:31:13 +0200 (CEST)
From: Michael Richardson <>
To: Daniel Migault <>
In-reply-to: <>
References: <>
Comments: In-reply-to Daniel Migault via Datatracker <> message dated "Wed, 10 Apr 2019 12:01:36 -0700."
X-Mailer: MH-E 8.6; nmh 1.6; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg=pgp-sha256; protocol="application/pgp-signature"
Date: Wed, 10 Apr 2019 19:31:13 -0400
Message-ID: <>
Archived-At: <>
Subject: Re: [secdir] Secdir last call review of draft-ietf-roll-useofrplinfo-25
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 11 Apr 2019 00:25:42 -0000

Thank you for the review Daniel.
I'm unclear if there are any changes you want, given that you've given it a
Some replies/clarifications to your comments.

Daniel Migault via Datatracker <> wrote:
    >    RPL (IPv6 Routing Protocol for Low-Power and Lossy Networks)
    > [RFC6550] is a routing protocol for constrained networks.  RFC 6553
    > [RFC6553] defines the "RPL option" (RPI), carried within the IPv6
    > Hop-by-Hop header to quickly identify inconsistencies (loops) in the
    > routing topology.  RFC 6554 [RFC6554] defines the "RPL Source Route
    > Header" (RH3), an IPv6 Extension Header to deliver datagrams within a

    > <mglt> There is certainly a reason for the RH3 spelling, but from 6554
    > it seems to me that the abbreviation of Source Routing Header is SRH.
    > </mglt>

It's SRH type 3.  The use of "RHx" is common in many documents, including
6554, so it would be wrong for us to change that, I think.

    >    RPL routing domain, particularly in non-storing mode.

    > <mglt> For my personal knowledge, I do not understand why this is
    > specific to non-storing mode. Is the reason that in non-storing modes
    > nodes S steer datagram D via the root node R. The IPv6 packet (S,D) is
    > tunneled from S to R and then from R to D. The first tunnel from S to R
    > does not need SRH as nodes are able to steer this to the root (upward
    > routing), while downward routing needs SRH extension.

    > In a storing mode *regular* routing tables are able to steer the
    > traffic from S, to D. There is no need of tunnel and SRH extension.

    > Am I correct, or I am missing something? I apology in advance for the
    > noise.  </mglt>

Yes, that's correct.

    >    Based on that, if an IPv6 (intermediate) node (RPL-not-capable)
    > receives a packet with an RPL Option, it should ignore the HBH RPL
    > option (skip over this option and continue processing the header).
    > This is relevant, as it was mentioned previously, in the case that
    > there is a flow from RPL-aware-leaf to Internet (see Section 6.2.1).

    > <mglt> I might miss something, but it seems to me that 2460 would end
    > up in the discard of packets with the RPL Option. 8200 introduces some
    > instability. Typically, packets may reach their destination depending
    > on the configuration of the intermediary nodes. In both cases
    > communication between RPL-aware and not-RPL-aware nodes needs to relax
    > the status of the RPL Option. It seems independent to the update of
    > 2460.  </mglt>

2460 says that you have to examine all options, and discard if you do not
understand. 8200 says that you examine options you are configured to examine.
8200 gives us additional options and removes the need for some IPIP tunnels,
as we do not need to remove the option.

    >    NOTE: There is some possible security risk when the RPI information
    > is released to the Internet.  At this point this is a theoretical
    > situation; no clear attack has been described.  At worst, it is clear
    > that the RPI option would waste some network bandwidth when it escapes.
    > This is traded off against the savings in the LLN by not having to
    > encapsulate the packet in order to remove the artifact.

    > <mglt> I believe that worst means minimal here. One of the risk is at
    > least marking the packet as originating to/from a LLN. It may reveal
    > the type of the information carried by the packet in addition to the
    > information contained in the RPI. Possible information leaked may be
    > related to the topology of the LLN, but I am not familiar enough to
    > define clearly how this could be exploited. The information may also
    > reveals information about the stability of the LLN by observing the
    > rate. IF that is correct this could eventually provide indication an
    > attack is effective or not.

    > My understanding is that with 63 the packet is dropped after the first
    > non aware router, while this is not the case with 23.

Correct.  We picked 63 back in the day, so that packets that "escaped" would
never reveal anything.  But that was just too restrictive, and basically many
assumed that they could just add/remove extension headers whenever they wanted.

    > Now that I have been through the security consideration section, I
    > believe a sinple reference to the security consideration woudl be
    > sufficient.  </mglt>

I personally do not like writing text in SC that is new, I prefer to refer
back to normative text in the Security Considerations, because non-security
people do not read Security Considerations.

    >    [RFC2473] suggests that tunnel entry and exit points can be secured,
    > via the "Use IPsec".  The suggested solution has all the problems that
    > [RFC5406] goes into.  In an LLN such a solution would degenerate into
    > every node having a tunnel with every other node.  It would provide a
    > small amount of origin address authentication at a very high cost;
    > doing BCP38 at every node (linking layer-3 addresses to layer-2
    > addresses, and to already present layer-2 cryptographic mechanisms)
    > would be cheaper should RPL be run in an environment where hostile
    > nodes are likely to be a part of the LLN.

    > <mglt> My understanding is that IPsec SA will be needed between each
    > parent - children and that a hop-by-hop decapsulation/encapsulation is
    > happening.  If that is correct, we may avoid the situation where each
    > node deals with 2 * n *(n-1) SA. However without any transit devices
    > IPsec provides no obvious advantages over L2 security. It might be god
    > to recommend that one or the other layer implements security.  In
    > addition, I am also wondering if the use of IPsec would not be
    > recommended as an alternative when LLN are involving communication over
    > the Internet.  <mglt>

A recommendation for End to End IPsec or End to End OSCORE/EDHOC or End to
End DTLS for application data is certainly reasonably, but seems out of scope
for this document.

There are cases where we insert IPIP headers between nodes which are not
parent-child.  For instance, from root to leaf in the non-storing downward
direction (because we add RH3).  If we were to "Use IPsec", then we'd need
more tunnels.

In the cases where an RPL-aware 6LR adds an RPI header (in storing mode),
for an RPL-unaware-leaf, and then sends it to some other leaf, we'd need an
IPsec tunnel from two random nodes in order to secure the IPIP.
So while we don't need 2*n*(n-1) SAs in every case, that is the worst case
(btw: I think that there are some non-constrained, non-LLN uses of RPL where
that actually might be worth doing)

Michael Richardson <>, Sandelman Software Works
 -= IPv6 IoT consulting =-