A Security Threat Analysis for the Routing Protocol for Low-Power and Lossy Networks (RPLs)
draft-ietf-roll-security-threats-11
Discuss
Yes
No Objection
(Gonzalo Camarillo)
(Martin Stiemerling)
(Richard Barnes)
(Ted Lemon)
Note: This ballot was opened for revision 01 and is now closed.
Sean Turner Former IESG member
Discuss
Discuss
[Treat as non-blocking comment]
(2013-03-27 for -01)
Unknown
I have a whole bunch of problems with this draft, but understand that this is part of way to get out of the current not so great situation. Many of my comments lined up with the secdir review, but since Stewart called it out in his discuss I'll support him. Here's some of my own: 0) This draft boils down to this paragraph if I'm not mistaken: A ROLL protocol MUST be made flexible by a design that offers the configuration facility so that the user (network administrator) can choose the security settings that match the application's needs. Furthermore, in the case of LLNs, that flexibility SHOULD extend to allowing the routing protocol security requirements to be met by measures applied at different protocol layers, provided the identified requirements are collectively met. I'm absolutely fine with the first sentence. I'm even okay with the second sentence it gets done at the application layer all the time, but at the application layer they can all point to something that's all specified up and has MTI etc (think TLS). If we end up doing that here then something similar needs to end up happening. If use cases are so broad that they can't possibly pick an underlying security mechanism then you need to try again but with a smaller net. 1) s3.2: Adding "misuse" in the integrity strikes me as wrong. It's about determining whether data has changed. The examples used are about delayed or replayed messages which seem to be better characterized as availability. 2) s3.2: How on is non-repudiation going to apply to these tiny little assets? I see how I, a person, can repudiate that I sent a message and I can see how you, as a person, can repudiate something else. Are two nodes going to be claiming one sent something while the other will say no I didn't? I hear all the time we can't do this and we can't do that because these are so constrained but you're going to log and capture on-going messages - color me confused? I think you should say non-repudiation applies to people not to device-to-device/automated communications. 4) s3.4: Not this one is likely to be cleared after an email exchange or two because there's not much for the authors to do… This made my head pop because I thought the only security defined in the RFC 6550 has confidentiality baked in. So are we dumping the security solution in rpl? With regard to confidentiality, protecting the routing/topology information from eavesdropping or unauthorized exposure may be desirable in certain cases but is in itself less pertinent in general to the routing function.
Stephen Farrell Former IESG member
Discuss
Discuss
[Treat as non-blocking comment]
(2013-03-28 for -01)
Unknown
I think this will be a hugely useful RFC but does have a few things that could be improved. My discuss points are small, and perhaps easily fixed, but also I think important since they relate to why we're still here after a couple of years. (1) 6.4 says that consistency with BCP107 is a SHOULD. That's a MUST, (regardless of how you define MUST:-) Note that BCP107 does say when you do not need automated key managment, and when you do. So if you really don't need AKM then you are still consistent with the BCP. It is not however ok to be inconsistent with BCP107. (2) 6.5.1 says: "This protocol-specific security mechanism SHOULD be made optional within the protocol allowing it to be invoked according to the given routing protocol and application domain and as selected by the system user. " If you mean optional-to-use, that's ok, but please say so. If you mean optional-to-implement, that's not clearly ok and I have more questions. Do you mean optional-to-use? If not, then BCP61 comes into play for me unless the quoted text only relates to some mechanisms that counter Byzantine attacks, in which case you need to be clear that you're not saying that all integrity mechanisms are optional-to-implement.
Stewart Bryant Former IESG member
Discuss
Discuss
[Treat as non-blocking comment]
(2013-03-27 for -01)
Unknown
From a routing point of view I thought that this was well written, but I am concerned that the security reviewer had considerable comments which appear to be currently unresolved. Adrian points to: http://www.ietf.org/mail-archive/web/secdir/current/msg03848.html However this indirectly refers to a larger body of issues posted here: http://www.ietf.org/mail-archive/web/secdir/current/msg03712.html and the security reviewer only re-lists a subset of these in note 03848 noting that only the typos were addressed in the -01 version of the text.
Adrian Farrel Former IESG member
Yes
Yes
(2013-03-12 for -01)
Unknown
The authors are working on the SecDir review by Stephen Kent and expect to address the issues before the document appears on a telechat. http://www.ietf.org/mail-archive/web/secdir/current/msg03848.html
Barry Leiba Former IESG member
No Objection
No Objection
(2013-03-27 for -01)
Unknown
This is one of those "I trust others" ballots: I trust the Sec ADs to be especially thorough on this document, and on a quick run-through I'm happy to let them handle the main issues. I also have to agree with Brian that using SHOULD and MAY in Section 6 in a way that varies from the meaning in RFC 2119 is, though it's explained, likely to lead to some level of confusion. That said, given what this document is describing and the fact that strict interpretation according to 2119 doesn't make sense, I think it will work well enough, and, in the end, I'm OK with it.
Brian Haberman Former IESG member
No Objection
No Objection
(2013-03-26 for -01)
Unknown
This is strictly a non-blocking comment... I am not a fan of the way that 2119 keywords are cannibalized in sections 6.x.
Gonzalo Camarillo Former IESG member
No Objection
No Objection
(for -01)
Unknown
Jari Arkko Former IESG member
No Objection
No Objection
(2013-03-27 for -01)
Unknown
Thanks for a well written and important document. I particularly liked the fact that you treated byzantine attacks and key management as a part of the analysis. A couple of small comments, however: Section 6.5.1 (Architecture) misses a few aspects on the comparison lower layer vs. routing protocol layer security. Everything that you say about it is correct, but one thing you do not talk about are the problems of providing the exact security services to upper layers that they need. Some of the typical issues include the need to access security information at the routing layer that may be unaware of the exact security parameters, peer identifiers, and other aspects that happened at a lower layer. Similarly, some applications may need security policies that are not easily expressed in crude lower-layer policy models (such as packet filter patterns). A lower-layer mechanism may be run hop-by-hop, whereas the routing layer mechanism may be end-to-end or even secure data objects rather than packets. The document also touches very little on deployment aspects of the potential security models. In my view, those are often the hardest to solve in a satisfactory manner. I liked the few words that Section 6.4 said about credential configuration, however.
Joel Jaeggli Former IESG member
No Objection
No Objection
(2013-03-26 for -01)
Unknown
while the disclaimer on 2119 language in section six is fairly clear I'd rather see it simply not use it. e.g. switch to lower case leave the disclaimer more or less intanct.
Martin Stiemerling Former IESG member
No Objection
No Objection
(for -01)
Unknown
Pete Resnick Former IESG member
No Objection
No Objection
(2013-03-27 for -01)
Unknown
History is sometimes amusing: I see that all of the capitalized words in section 6 were due to a comment made by Peter Saint Andre during evaluation of draft-ietf-roll-security-framework saying that things should be capitalized. Now you have ADs saying they shouldn't be. Isn't that wonderful? I don't think you need to go back to lowercase, but I think you do need to make one change: One way or the other, you need to remove the reference to 2119 at the top of the document. What you're doing in section 6 is not 2119 usage, and you've explained in section 6 what you are doing with those capitalized terms, so the reference to 2119 (and the template text at the top of the document) are just wrong. Yes, the idnits checker will complain. There is no requirement that your document pass idnits. You just tell the RFC Editor that this document is not using 2119 and you intended not to include the reference; end of story. I'm not going to bother putting a DISCUSS on the document for this unless Adrian really insists; I trust that you all can just take care of it. Now, that leaves Barry, Brian, and Joel's question about whether to capitalize it all. Like Barry, I'm not convinced it matters. You explained how you're using the terms, and I think that's fine. It may reduce confusion if you lowercase or choose other "magic" words, but I think that choice is entirely up to the WG.
Richard Barnes Former IESG member
No Objection
No Objection
(for -01)
Unknown
Ted Lemon Former IESG member
No Objection
No Objection
(for -01)
Unknown