Re: [secdir] secdir review of draft-ietf-6tisch-architecture-21
"Pascal Thubert (pthubert)" <pthubert@cisco.com> Tue, 25 June 2019 07:05 UTC
Return-Path: <pthubert@cisco.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 570F9120232; Tue, 25 Jun 2019 00:05:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=hpUuBhsz; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=k01D5Guq
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A6eZ-F5VjJnp; Tue, 25 Jun 2019 00:05:12 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDE4E1200FB; Tue, 25 Jun 2019 00:05:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8782; q=dns/txt; s=iport; t=1561446311; x=1562655911; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=nqmJY8D5UhT4bRLV0dXkf254lEf5aAydL4kEeYiFCkM=; b=hpUuBhszpI11RBiZMXtFMimfUsALht2mO5hUAajkkZQGtgkdqx6eBRJ1 bdC3EtIvojzPxQRoD5DwctGtbyXZ4nPDyD9OrFn2MaCuYaIV8clCdIp/g LF00mOpvW9bExh3q4l1pBaO6mL+M+XEyQ6QIp0cBl6szFv3JaXElsbLiT Y=;
IronPort-PHdr: 9a23:8sMVpRFZ6EXdm0dshwn1op1GYnJ96bzpIg4Y7IYmgLtSc6Oluo7vJ1Hb+e4z1Q3SRYuO7fVChqKWqK3mVWEaqbe5+HEZON0pNVcejNkO2QkpAcqLE0r+eeb2bzEwEd5efFRk5Hq8d0NSHZW2ag==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0B7AAAAxxFd/5BdJa1lGQEBAQEBAQEBAQEBAQcBAQEBAQGBZ4FEKScDgT8gBAsohBaDRwOOYUyCD5c4glIDVAkBAQEMAQEtAgEBhEACF4JbIzgTAQMBAQQBAQIBBW2KNwyFSgEBAQEDEhEEDQwBATcBCwQCAQgRAQMBAQECAiYCAgIwFQIGCAIEAQ0FCBqCNYI2Ax0BApl0AoE4iF9xfjOCeQEBBYUCGIIRCYEMKIRxhCR2gTYdF4FAP4ERRoFOfj6ERoMIMoImi3kMgk6HIJM+ZQkCghSLMYhRl0qNKJcLAgQCBAUCDgEBBYFnIYFYcBWDJ4JBDBeDTYpTcoEpjCICAyEHgiUBAQ
X-IronPort-AV: E=Sophos;i="5.63,415,1557187200"; d="scan'208";a="579748425"
Received: from rcdn-core-8.cisco.com ([173.37.93.144]) by rcdn-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 25 Jun 2019 07:05:08 +0000
Received: from xch-rcd-011.cisco.com (xch-rcd-011.cisco.com [173.37.102.21]) by rcdn-core-8.cisco.com (8.15.2/8.15.2) with ESMTPS id x5P758MT006389 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 25 Jun 2019 07:05:08 GMT
Received: from xhs-rtp-003.cisco.com (64.101.210.230) by XCH-RCD-011.cisco.com (173.37.102.21) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 25 Jun 2019 02:05:07 -0500
Received: from xhs-rcd-003.cisco.com (173.37.227.248) by xhs-rtp-003.cisco.com (64.101.210.230) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 25 Jun 2019 03:05:07 -0400
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-003.cisco.com (173.37.227.248) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Tue, 25 Jun 2019 02:05:07 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nqmJY8D5UhT4bRLV0dXkf254lEf5aAydL4kEeYiFCkM=; b=k01D5GuqMYs4uoFcfvple2HE0Ea5sexnKJjvhLIKsw5YeiELlzIHvCvNlpRPvOLKqR382DFmDXiZLzbqcpvtjrcjzM4HdPDGNrQipZVWTttWViTjMxIx3uPgB7c8f4cBjzCR+EdusTlrrglDneMv7TobftvLUmp1OL9xITc+wLE=
Received: from MN2PR11MB3565.namprd11.prod.outlook.com (20.178.250.159) by MN2PR11MB3552.namprd11.prod.outlook.com (20.178.251.97) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2008.16; Tue, 25 Jun 2019 07:05:06 +0000
Received: from MN2PR11MB3565.namprd11.prod.outlook.com ([fe80::1ce9:1582:146c:c50a]) by MN2PR11MB3565.namprd11.prod.outlook.com ([fe80::1ce9:1582:146c:c50a%6]) with mapi id 15.20.2008.014; Tue, 25 Jun 2019 07:05:06 +0000
From: "Pascal Thubert (pthubert)" <pthubert@cisco.com>
To: David Mandelberg <david@mandelberg.org>, Tero Kivinen <kivinen@iki.fi>
CC: "secdir@ietf.org" <secdir@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "draft-ietf-6tisch-architecture.all@ietf.org" <draft-ietf-6tisch-architecture.all@ietf.org>, Thomas Watteyne <thomas.watteyne@inria.fr>, Michael Richardson <mcr+ietf@sandelman.ca>, Mališa Vučinić <malisav@ac.me>
Thread-Topic: [secdir] secdir review of draft-ietf-6tisch-architecture-21
Thread-Index: AQHVKitVZAMqDsUZHEuS/CYS/vDUhKaqVH6wgAEk6YCAAAywAIAAbXDg
Date: Tue, 25 Jun 2019 07:04:38 +0000
Deferred-Delivery: Tue, 25 Jun 2019 07:04:11 +0000
Message-ID: <MN2PR11MB35654D7658F0EEB05443F2ABD8E30@MN2PR11MB3565.namprd11.prod.outlook.com>
References: <2cced16c-d1df-88c2-eb21-7452b42f081a@mandelberg.org> <MN2PR11MB35651735463F27A247B4B0F0D8E00@MN2PR11MB3565.namprd11.prod.outlook.com> <23825.24715.882644.180316@fireball.acr.fi> <5229f400-076c-80e3-e0dc-a7cf3998abed@mandelberg.org>
In-Reply-To: <5229f400-076c-80e3-e0dc-a7cf3998abed@mandelberg.org>
Accept-Language: fr-FR, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=pthubert@cisco.com;
x-originating-ip: [2001:420:44f3:1300:552f:ff32:b86:aad7]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 8e037d64-4ff1-4411-a882-08d6f93b73df
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:MN2PR11MB3552;
x-ms-traffictypediagnostic: MN2PR11MB3552:
x-microsoft-antispam-prvs: <MN2PR11MB3552DF2BF99FF00C8F5024BDD8E30@MN2PR11MB3552.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0079056367
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(39860400002)(136003)(396003)(376002)(346002)(366004)(13464003)(199004)(189003)(11346002)(256004)(478600001)(6246003)(66574012)(74316002)(73956011)(53936002)(14444005)(102836004)(305945005)(86362001)(5660300002)(110136005)(316002)(6436002)(486006)(186003)(446003)(55016002)(229853002)(9686003)(6116002)(25786009)(54906003)(68736007)(476003)(7736002)(66476007)(53546011)(52536014)(46003)(4326008)(66446008)(7696005)(14454004)(71200400001)(71190400001)(8676002)(81156014)(8936002)(81166006)(6666004)(66556008)(6506007)(64756008)(76176011)(2906002)(99286004)(76116006)(33656002)(66946007); DIR:OUT; SFP:1101; SCL:1; SRVR:MN2PR11MB3552; H:MN2PR11MB3565.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: rIHRnJtdP0ctWH0dxDVmV7G+S1QHcgQ2NgNYfpzqPaka5LFVEOsUlmvTPqovP8xMsnDn6bERqML94u06Y5DwmsEibAbvl7XuUfN9jZvzNqcntKkJkMKjpLDZWGC9hoKqRh9PluUTSr0oBJPAjUpidnqu4wo3/YlDcBO/QxcZX9BUsMEuDN4HpVbuXMAWAV07l4RGxX8FT1+UTQms2USLV0lwr6xuupKwhgs7tgqdY0zMoPMQaVAaqDTOz8QFhSNYYcpQ5pKQER+f8ASO3BTRst8uHRfH2afWPHv9seZFxDwGaxzN2Fiky6a62QNHSDxWZ80cMAD0lecbr/nNm5uwB3V7vULtIbo7s6vIesigALSksKvX0mMkcszKa0p8cLvJBQmYHtrV0Hx/hWFwjGWDD/ZWoYqgxbOTKMqwYK6z77k=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 8e037d64-4ff1-4411-a882-08d6f93b73df
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Jun 2019 07:05:05.9729 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: pthubert@cisco.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB3552
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.21, xch-rcd-011.cisco.com
X-Outbound-Node: rcdn-core-8.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/tYRPLU76fYIR78yAt64Yv-7-KjI>
Subject: Re: [secdir] secdir review of draft-ietf-6tisch-architecture-21
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Jun 2019 07:05:15 -0000
This is great and concise information; I'd be happy to add it in the security section even if it is available elsewhere... All the best, Pascal > -----Original Message----- > From: David Mandelberg <david@mandelberg.org> > Sent: mardi 25 juin 2019 02:31 > To: Tero Kivinen <kivinen@iki.fi>; Pascal Thubert (pthubert) > <pthubert@cisco.com> > Cc: secdir@ietf.org; iesg@ietf.org; draft-ietf-6tisch-architecture.all@ietf.org; > Thomas Watteyne <thomas.watteyne@inria.fr>; Michael Richardson > <mcr+ietf@sandelman.ca>; Mališa Vučinić <malisav@ac.me> > Subject: Re: [secdir] secdir review of draft-ietf-6tisch-architecture-21 > > > > On 6/24/19 7:45 PM, Tero Kivinen wrote: > > Pascal Thubert (pthubert) writes: > >> Hello David: > >> > >> Many thanks for your review. I do hope that you found it interesting. > >> > >>> Sections 4.2.1 and 4.3.4 talk about the security of joining a > >>> network, and time synchronization, respectively. Do any of the > >>> security mechanisms in 4.2.1 rely on having an accurate clock? > >>> (E.g., to distrust old/expired keys.) Is time synchronization done > >>> before the join process, and is there any way to exploit time > >>> synchronization in order to cause a node to join a malicious > >>> network? > >> > >> This is really a MAC layer question for IEEE. I'm cc'ing Thomas who > >> was one of the inventors of TSCH, as well as Michael and Malisa who > >> led the join process study. > >> > >> Time synchronization (date): > >> -------------------------------------- > >> For all I know, the time sync is about giving a epoch time from which > >> an Absolute Slot Number (ASN, expressed in slot duration e.g., > >> 10ms) is derived. ASN plays a key role as it is used in NONCE. An > >> attack that one could think of would be to fool the new node into > >> thinking that ASN is earlier. This could happen before the keys are > >> exchanged, or if an authorized peer is compromised. For the former, > >> I'll defer to the others to answer fully how we protect the new > >> comer. For the latter, 6TiSCH provides an additional protection since > >> we derive time from a RPL parent. RPL has its own protections, some > >> of them in the standard itself, some of them in zerotrust papers that > >> need publishing. > > > > In normal TSCH in 802.15.4 the joining node will listen to beacons > > sent by the nodes already part of the network, and they will find out > > the ASN from there. As they do not yet have keys for the network they > > cannot verify the message integrity code authenticating the beacon, > > and even if they did have the keys, they still cannot verify it as it > > could be replay by attacker. > > > > After they find out the ASN, they need to authenticate themself to the > > network using some mechanism outside the 802.15.4. This authentication > > step must be such that it cannot be replayed by attacker, i.e., they > > must not trust ASN giving them any protection. > > > > Note, that in general 802.15.4 TSCH DOES NOT provide replay protection > > at all. I.e., attacker can cause legimite node to retransmit its > > previous message by destroying ack, and upper layer protocol must > > provide way to detect replays and cope with them. > > > > During the authentication the JRC needs to provide the keying material > > to the joining node, but that does NOT provide protection against > > spoofed ASN. After the node has actual keys used in the network it > > still needs to verify the ASN by sending some message to JRC using > > authentication and verify that JRC replies to that. > > > > If this 2nd step is omitted attacker do following attack: > > > > Joining node (JN) attacker JRC > > <- beacon for ASN=23 <- beacon for ASN=44 > > See beacon > > from attacker, > > assume ASN=23. > > > > Auth->JRC > > (no security) Check authentication > > Return keys > > keys->JN > > > > Receive keys > > send first > > frame using > > keys using ASN=23-> > > > > > > Now, if JN is using extended address to generate nonce, the nonce will > > be different for all other nonces ever used, even the ASN is faked, > > and has been used before. On the other hand if JN also receives short > > address assignment from the JRC, JRC needs to make sure that short > > address has not been assigned to anybody else before, as if it was > > used by someone else, and frame sent by JN is encrypted, then attacker > > will now have two packets with same ASN, and short address, meaning > > same nonce, and it can now decrypt packets. > > Is this discussion of nonce reuse in any relevant documents already, or is it > something that should be added somewhere? > > > Note, that attacker might be able to replay valid ACKs for the frame > > sent by the JN, provided that the JRC (or whoever JN sent the message > > to) happened to ack message using the same ASN attacker faked for JN. > > > > If JN sends message to JRC which only JRC can reply, and uses wrong > > ASN, the JRC will not be able to decrypt/validate that frame because > > of wrong ASN in nonce, and will drop it silently, so if JN uses wrong > > ASN it might be getting ACKs, but it will not get any real reply > > frames back from real participants in the network. After it will not > > receive confirmation from JRC that it has proper keys and ASN, it > > knows something went wrong. > > > > > >> Time synthonization (precise tic, hourless) > >> -------------------------------------------------------- > >> This is the process whereby a node corrects its tic to realign with > >> the parent. ASN is not changed but the drift of crystals is > >> compensated. An attacker could try to inject a sense of time that it > >> slightly shifted to the point that the node lose sync with the rest > >> of the network (the guard time is like an event horizon). Then again, > >> RPL provides an additional protection on top of the MAC provisions. > > > > Those time syncronization IEs are also protected by MAC level > > authentication, so attackers who do not know the keys cannot generate > > them. Attackers who do know keys can do whatever they like anyways... > > > > Btw, I will be leaving for vacation tomorrow, so I might not be able > > to reply any messages related to this until I get back end of next > > week. > >
- [secdir] secdir review of draft-ietf-6tisch-archi… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Pascal Thubert (pthubert)
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Tero Kivinen
- Re: [secdir] secdir review of draft-ietf-6tisch-a… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-6tisch-a… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Pascal Thubert (pthubert)
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Tero Kivinen
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Pascal Thubert (pthubert)
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Pascal Thubert (pthubert)
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Michael Richardson
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Michael Richardson
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Michael Richardson
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Pascal Thubert (pthubert)
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Pascal Thubert (pthubert)
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Michael Richardson
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Michael Richardson
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Pascal Thubert (pthubert)
- Re: [secdir] secdir review of draft-ietf-6tisch-a… David Mandelberg
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Tero Kivinen
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Tero Kivinen
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Pascal Thubert (pthubert)
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Tero Kivinen
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Mališa Vučinić
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Michael Richardson
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Michael Richardson
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Tero Kivinen
- Re: [secdir] secdir review of draft-ietf-6tisch-a… Tero Kivinen