--- 1/draft-ietf-roll-enrollment-priority-02.txt 2020-09-25 15:13:09.372585484 -0700 +++ 2/draft-ietf-roll-enrollment-priority-03.txt 2020-09-25 15:13:09.388585710 -0700 @@ -1,76 +1,77 @@ ROLL Working Group M. Richardson Internet-Draft Sandelman Software Works -Intended status: Informational April 25, 2020 -Expires: October 27, 2020 +Intended status: Standards Track R. Jadhav +Expires: March 29, 2021 Huawei Tech + September 25, 2020 - Enabling secure network enrollment in RPL networks - draft-ietf-roll-enrollment-priority-02 + Controlling Secure Network Enrollment in RPL networks + draft-ietf-roll-enrollment-priority-03 Abstract [I-D.ietf-6tisch-enrollment-enhanced-beacon] defines a method by - which a potential [I-D.ietf-6tisch-minimal-security] join proxy can - announce itself as a available for new Pledges to enroll on a + which a potential [I-D.ietf-6tisch-minimal-security] enrollment proxy + can announce itself as a available for new Pledges to enroll on a network. The announcement includes a priority for enrollment. This document provides a mechanism by which a RPL DODAG root can disable enrollment announcements, or adjust the base priority for enrollment operation. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on October 27, 2020. + This Internet-Draft will expire on March 29, 2021. Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 - 2. Protocol Definition . . . . . . . . . . . . . . . . . . . . . 3 + 2. Protocol Definition . . . . . . . . . . . . . . . . . . . . . 4 2.1. Upwards compatibility . . . . . . . . . . . . . . . . . . 4 3. Security Considerations . . . . . . . . . . . . . . . . . . . 5 4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 7.1. Normative References . . . . . . . . . . . . . . . . . . 6 7.2. Informative References . . . . . . . . . . . . . . . . . 7 Appendix A. Change history . . . . . . . . . . . . . . . . . . . 8 - Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 1. Introduction [RFC7554] describes the use of the time-slotted channel hopping (TSCH) mode of [ieee802154]. [I-D.ietf-6tisch-minimal-security] and [I-D.ietf-6tisch-dtsecurity-secure-join] describe mechanisms by which a new node (the "pledge)" can use a friendly router as a Join Proxy. [I-D.ietf-6tisch-enrollment-enhanced-beacon] describes an extension to the 802.15.4 Enhanced Beacon that is used by a Join Proxy to announce its existence such that Pledges can find them. @@ -78,53 +79,54 @@ The term (1)"Join" has been used in documents like [I-D.ietf-6tisch-minimal-security] to denote the activity of a new node authenticating itself to the network in order to obtain authorization to become a member of the network. This typically involves a cryptographic authentication protocol in which a network credential is provided. In the context of the [RFC6550] RPL protocol, the term (2)"Join" has an alternate meaning: that of a node (already authenticating to the network, and already authorized to be a member of the network), - deciding which part of the RPL DODAG to attach to. The term "Join" + deciding which part of the RPL DODAG to attach to. This term "Join" has to do with parent selection processes. In order to avoid the ambiguity of this term, this document refers to the process (1)"Join" as enrollment, leaving the term "Join" to mean (2)"Join". The term "onboarding" (or IoT Onboarding) is sometimes - used to describe this process. The term Join Proxy is retained with - it's meaning from [I-D.ietf-6tisch-minimal-security]. + used to describe the enrollment process. However, the term _Join + Proxy_ is retained with it's meaning from + [I-D.ietf-6tisch-minimal-security]. It has become clear that not every routing member of the mesh ought - to announce itself as a Join Proxy. There are a variety of local - reasons by which a 6LR might not want to provide the Join Proxy + to announce itself as a _Join Proxy_. There are a variety of local + reasons by which a 6LR might not want to provide the _Join Proxy_ function. They include available battery power, already committed - network bandwidth, and also total available memory available for Join - proxy neighbor cache slots. + network bandwidth, and also total available memory available for + Neighbor Cache Entry slots. There are other situations where the operator of the network would like to selective enable or disable the enrollment process in a particular DODAG. As the enrollment process involves permitting unencrypted traffic into the best effort part of a (TSCH) network, it would be better to have the enrollment process off when no new nodes are expected. A network operator might also be able to recognize when certain parts of the network are overloaded and can not accomodate additional enrollment traffic, and it would like to adjust the enrollment priority (the proxy priority field of [I-D.ietf-6tisch-enrollment-enhanced-beacon]) among all nodes in the subtree of a congested link. This document describes an RPL DIO option that can be used to - announce a minimum enrollment priority. Each potential Join Proxy + announce a minimum enrollment priority. Each potential _Join Proxy_ would this value as a base on which to add values relating to local conditions. As explained in [I-D.ietf-6tisch-enrollment-enhanced-beacon], higher values decrease the likelyhood of an unenrolled node sending enrollment traffic via this path. A network operator can set this value to the maximum value allowed, effectively disable all new enrollment traffic. 1.1. Terminology @@ -137,42 +139,42 @@ 2. Protocol Definition The following option is defined to transmission in the DIO issued by the DODAG root. It may also be added by a router on part of the sub- tree as a result of some (out of scope for this document) management function. 6LRs that see this DIO Option SHOULD increment their minimum enrollment priority if they observe congestion on the channel used - for join traffic. The exact mechanism is a local decision, and may - be the subject for future work. + for enrollment traffic. The exact mechanism is a local decision, and + may be the subject for future work. - A 6LR which would otherwise be willing to act as a Join Proxy, will + A 6LR which would otherwise be willing to act as a _Join Proxy_, will examine the minimum priority field, and to that number, add any additional local consideration (such as upstream congestion). - The Join Priority can only be increased by each each 6LR in value, to - the maximum value of 0x7f. + The Enrollment Priority can only be increased by each 6LR in value, + to the maximum value of 0x7f. - The resulting priority, if less than 0x7f should enable the Join - Proxy function. + The resulting priority, if less than 0x7f should enable the _Join + Proxy_ function. 0 1 2 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Type = TBD01|Opt Length = 1|R| min. priority | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ min.priority a 7 bit field which provides a base value for the Enhanced Beacon Join priority. A value of 0x7f (127) disables the - Join Proxy function entirely. + _Join Proxy_ function entirely. R a reserved bit that SHOULD be set to 0 by senders, and MUST be ignored by receivers. This reserved bit SHOULD be copied to options created. This document uses the extensions mechanism designed into [RFC6550]. It does not need any mechanism to enable it. Future work like [I-D.ietf-roll-capabilities] will enable collection of capabilities such as this one in reports to the DODAG root. @@ -202,50 +204,53 @@ introduced. The 0x40 is only the half-way point, so if such an amount of congestion was present, then this sub-tree of the DODAG simply winds up being more cautious than it needed to be. It is possible that the temporal alternation of the above two situations might introduce cycles of accepting and then rejecting enrollment traffic. This is something an operator should consider if when they incrementally deploy this option to an existing LLN. In addition, an operator would be unable to turn off enrollment traffic by sending a maximum value enrollment priority to the sub-tree. This - situation is unfortunately, but would be exactly the situation - without this option. + situation is unfortunate, but without this option, the the situation + would occur all over the DODAG, rather than just in the sub-tree + where the option was omitted. 3. Security Considerations As per [RFC7416], RPL control frames either run over a secured layer 2, or use the [RFC6550] Secure DIO methods. This option can be placed into either a "clear" (layer-2 secured) DIO, or a layer-3 Secure DIO. As such this option will have both integrity and confidentiality mechanisms applied to it. A malicious node (that was part of the RPL control plane) could see these options and could, based upon the observed minimal enrollment priority signal a confederate that it was a good time to send malicious join traffic. - A malicious node (that was part of the RPL control plane) could also - send DIOs with a different minimal enrollment priority which would - cause downstream mesh routers to change their Join Proxy behaviour. + Such as a malicious node, being already part of the RPL control + plane, could also send DIOs with a different minimal enrollment + priority which would cause downstream mesh routers to change their + _Join Proxy_ behaviour. + Lower minimal priorities would cause downstream nodes to accept more pledges than the network was expecting, and higher minimal priorities - cause the join process to stall. + cause the enrollment process to stall. The use of layer-2 or layer-3 security for RPL control messages prevents the above two attacks, by preventing malicious nodes from becoming part of the control plane. A node that is attacked and has malware placed on it creates vulnerabilities in the same way such an attack on any node involved in Internet routing protocol does. The rekeying provisions of [I-D.ietf-6tisch-minimal-security] exist to - permit an operator to remove such nodes from the network. + permit an operator to remove such nodes from the network easily. 4. Privacy Considerations There are no new privacy issues caused by this extension. 5. IANA Considerations Allocate a new number TBD01 from Registry RPL Control Message Options. This entry should be called Minimum Enrollment Priority. @@ -302,48 +307,53 @@ . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . 7.2. Informative References [I-D.ietf-6tisch-architecture] Thubert, P., "An Architecture for IPv6 over the TSCH mode - of IEEE 802.15.4", draft-ietf-6tisch-architecture-28 (work - in progress), October 2019. + of IEEE 802.15.4", draft-ietf-6tisch-architecture-29 (work + in progress), August 2020. [I-D.ietf-6tisch-dtsecurity-secure-join] Richardson, M., "6tisch Secure Join protocol", draft-ietf- 6tisch-dtsecurity-secure-join-01 (work in progress), February 2017. [I-D.ietf-6tisch-terminology] Palattella, M., Thubert, P., Watteyne, T., and Q. Wang, "Terms Used in IPv6 over the TSCH mode of IEEE 802.15.4e", draft-ietf-6tisch-terminology-10 (work in progress), March 2018. [I-D.ietf-roll-capabilities] Jadhav, R., Thubert, P., Richardson, M., and R. Sahoo, - "RPL Capabilities", draft-ietf-roll-capabilities-02 (work - in progress), March 2020. + "RPL Capabilities", draft-ietf-roll-capabilities-07 (work + in progress), September 2020. [RFC8137] Kivinen, T. and P. Kinney, "IEEE 802.15.4 Information Element for the IETF", RFC 8137, DOI 10.17487/RFC8137, May 2017, . [RFC8366] Watsen, K., Richardson, M., Pritikin, M., and T. Eckert, "A Voucher Artifact for Bootstrapping Protocols", RFC 8366, DOI 10.17487/RFC8366, May 2018, . Appendix A. Change history version 00. -Author's Address +Authors' Addresses Michael Richardson Sandelman Software Works Email: mcr+ietf@sandelman.ca + + Rahul Arvind Jadhav + Huawei Tech + + Email: rahul.ietf@gmail.com