Mališa Vučinić writes:
> For the upper-layer protocol, this seems to degrade performance in
> case a pledge generates a frame  *after* JP has already forwarded
> one packet from the pledge to the JRC and used Stateless-Proxy. In
> that case, pledge will need to do one L2 retransmission to get the
> packet processed by JP. Agreed?
> For CoJP, this will be the case for CoAP-layer (CoJP-layer to be
> precise) retransmissions. You are also worried for future extensions
> where pledge sends more than one *packet* (multiple L2 fragments are
> OK) before getting a response from the JP.
> The question now is when to remove the entry with secExempt for
> pledge at JP, once it was installed from Stateless-Proxy. From the
> security point of view, the easiest is to remove it immediately once
> L2 ACK from the pledge is received at JP, but this will degrade
> performance in case of future extensions where there are more
> messages in the protocol before join completes as the first
> corresponding frame from the pledge to the JP will need to be
> retransmitted. 
> What do you think?

Yes, I think it can be made to work, but I think it is quite a lot of
work and code just to be able to claim to be "stateless". 

> Yes, I see your point. This seems to be a performance vs security tradeoff, 
> i.e.:
> (A) do we want to degrade performance with one L2 retransmission of
> the first frame coming from the pledge when JP does not have an
> entry, in order to reduce DoS space at JP. 
> (B) keep this state at JP for the whole duration of the join process
> of a pledge.

I think B is much easier, as the JP most likely will want to limit
number of pledges going through it anyways. I.e., it might be easier
to configure JP so that it will have n (for example 3) slots for
joining nodes, and after it has that many pedges trying to join
through it it would simply not ACK on those packets at all.

Also does the join messages going from the pledge to JRC always
consists of exactly one L2 frame, meaning the size of messages is
limited to around 100 octets or so? If there is multiple L2 frames to
be sent and reassemebled in the JP, then that is definately a state
that is much bigger than storing secExempt flag (which is less than 20
bytes anyways in total).

> Consider that the DoS metric of importance is the number of pledges
> that can join over a single JP: N / T, where N is the number of
> insecure entries for pledges at JP, 
> and T is the time JP has to keep them. 
> - N is the same both in (A) and (B). 
> - In (A), T is the worst-case timeout in case of an attack where JP
> needs to expire the entry, because pledge did not send conformant
> traffic to JRC in due time. Say a couple of seconds.  
> - In (B), T is the duration of the join process of a pledge. Much
> greater than a couple of seconds with multiple hops to 6LBR, and JRC
> in the cloud. With multiple pledges joining and contending for the
> minimal cell, this is on the order of several minutes [1].

True, but in B the JP can also protect network and JRC, as it actually
KNOWS how many pledges have sent messages to JRC through it. In case
A, it will always forward messages, as it does not know how many
ongoing ones there still is. Of course it could use some kind of
statistics counters to limit that number, by saying only n joining
operations per minute, but that is again more code and complexity than
just saying that keep the 20 bytes of state for each pledge doing
joining process, and limit the number of those to fixed number of n.

> Finally, while I understand that there are vendors out there that
> sell closed implementations of 802.15.4 MAC where the behavior that
> you describe of having to reject a frame before adding an entry in
> the security table is set in stone, please note that there are also
> many implementations out there, e.g. Contiki, Contiki-NG, OpenWSN,
> RIOT, and also proprietary ones that I personally worked on, where
> this is easily implemented without *any* performance hits. With
> that, JP can process once the frame, see that it doesn't pass
> security processing, but add a special check if the join process is
> ongoing so that the frame should be passed to the upper layer.
> There, we get increased security without any performance hits.

Sure there can and will be such implementations, but that also makes
that pieces of code more complicated as it needs to do other things
than just what is needed for MAC. The reason people try to implement
standard interfaces is to make sure you can switch hardware and code
without rewriting everything.

Also it needs to do its decisions very quickly, as it needs to answer
to the ACK in very short time (typically withing one ms), and before
that it needs to do security processing (no decryption as this is
clear text frame, but policy checking etc), verify from some other
code that this frame needs to be passed up, even when there is no
secExempt flag for it, generate ack and send it out.

>     On the other hand blacklisting someone who has failed joining process
>     is also good idea, but this stateless method does not allow it and
>     then one joining node which have any kind of misconfuguration will
>     simply consume network resources all the time, with repeated tries to
>     join the network.
> While blacklisting does not add much in terms of security, as source
> addresses can be spoofed,  I agree that it's beneficial to have
> blacklisting as a feature in case of misconfiguration, for
> performance reasons. I think that the JRC should be the one who
> decides if a given address should be blacklisted, from the amount of
> traffic it receives and other information it possesses.

I assume this kind of misconfigurations will be much more common than
actual attacks... 

> How about we add a CoJP parameter "blacklist" that can be signaled
> in Parameter Update Request messages that carries a list of
> blacklisted addresses. The JRC sends this at any time to JP(s) over
> their secure channel, and JP can then filter these frames in
> hardware for example, since many chips support this already. What do
> you think?  

Sounds good. So this would not be part of joining message, but
completely separate message from JRC to JP directly?

>     > JP does not need to match the long address of a given pledge to the
>     > newly assigned short address. The L2 nonce is constructed from the
>     > short address and PAN ID, no?
>     Nonce can be constructed using short address, but security tables do
>     require extended address also. See table 9-14 of the 802.15.4-2015.
>     I.e., extended address is always needed, short address can have value
>     0xfffe or 0xffff if they are not used or known.
>     There is no text in the 802.15.4 that would lift that requirement for
>     the TSCH, i.e. extended address is always needed for security. That is
>     the primary key for the node. The table 9-14 is used to map the short
>     address to extended address (think it as arp table).
> Consider nodes A and B, neighbors, both are aware of each other's
> short addresses. Group security keys used, i.e. index mode.
> You are essentially saying that even though nodes A and B do not
> need each other's extended addresses for any interoperability or
> security relevant reason, they need to store this information in
> their memory. Not ideal.. 

Yes, 802.15.4 do require them. As I said TSCH is just one mode in
802.15.4, and it can be enabled and disabled, and the security still
needs to work even if you do that. Note, that in theory there can
already be nonce collision between TSCH frames and non-TSCH frames
using the same key, as the other uses ASN and other uses Frame
counters. I practice I think 802.15.4 networks turn TSCH on, and keep
it on, and does not send any secured frames without TSCH ever (or at
least I hope so).

Perhaps we need to add comment about that to the 802.15.4 revision to
make it sure.

And of course there will be lots of implementations that works fine
with just short addresses, and never care about the extended
addresses, but we cannot guarantee that all hardware implementations
allows using just short addresses as it is not something that is
really allowed by 802.15.4...

>     Note, that TSCH mode is a mode than can be turned on/off in the
>     802.15.4 device, and the security still needs to be work, so even if
>     the node would be able to do security with only short addresses when
>     TschMode is turned on, it cannot do that when TschMode is turned off.
>     The security is written so it works regardless whether TschMode is on
>     or off. 
>     On the other hand there is nonce collision possibility if same key is
>     used when TschMode is off and TschMode is on, as TschMode on uses ASN
>     in nonce and TschMode off uses frame counter and security level. In
>     theory there could be combination that causes collision, so there
>     might be need to add text to the 802.15.4 that says that node shall
>     not use same keys for both modes.
> I am not sure I fully understand how this would work. Network A is a
> TSCH network. Pledge joins network A. Pledge decides to switch off
> TSCH mode. Won't it need to join another network (i.e.
> beacon-enabled, CSMA), with a completely different set of keys then?

I would expect it to happen other way around. The node starts up, and
joins non-TSCH configuration network it can see near by (or perhaps
send active beacon request to "hidden" configuration network assuming
the configuration device to respond to it). Over this 802.15.4 link
(without TSCH) it will fetch its configuration, and after it has
finished this, it will turn on TSCH as it now have enough
configuration to know how to join the TSCH network.

Finding non-TSCH configuration network is much faster and easier than
TSCH network. Finding TSCH network can take several minutes or even an
hour depending how many channels you have.

I.e., on 16 channel TSCH network using 10 ms, 100 slots setting, with
beacon interval of 5, and allowing 3 missed beacons means that node
needs to listen 0.01 * 100 * 3 * 5 * 16 seconds = 240 seconds.

What I understood that most implementions do not even try to find the
TSCH network on all channels, they just try first n (3?) or something
and if they do not find beacon on them they will give up. Note, that
you cannot just assume that first channel etc is used, as it might
have been blocked up in the network by hopping sequence because there
might be some other network running on that channel instead causing

Anyways hopefully the non-TSCH and TSCH networks will use different
keys, but knowing that most IoT vendors do not care or understand
security, my guess is that if non-TSCH network is using any security
it is using same keys than TSCH network.

>     No. I think privacy concerns are so hard that we cannot solve them. We
>     can help them by doing things we do here, i.e., assigning short
>     addresses which are transmitted in encrypted format, but that does not
>     solve the problem, it just makes it harder. I think that is only thing
>     we can do, but we should not try to claim this solves the problem.
> If I rephrase the Privacy Considerations text adding something like:
>  "Note that an eavesdropper with access to the radio medium during
> the join process is able to correlate the assigned short address
> with the extended address based on timing information with a
> non-negligable probability. This probability decreases with an
> increasing number of pledges joining concurrently."

Sounds fine.

> and relax the statement that the assignment of short addresses
> "mitigates" the risks to "reduces", would that be OK for you?


6tisch mailing list

Reply via email to