Re: [6tisch] 802.15.4 "change" that will affect 6TiSCH.
Tero Kivinen <kivinen@iki.fi> Sat, 04 April 2015 01:34 UTC
Return-Path: <kivinen@iki.fi>
X-Original-To: 6tisch@ietfa.amsl.com
Delivered-To: 6tisch@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7E41C1A1BFA for <6tisch@ietfa.amsl.com>; Fri, 3 Apr 2015 18:34:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.131
X-Spam-Level:
X-Spam-Status: No, score=-1.131 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_NEUTRAL=0.779, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TMcFFx5ErcRx for <6tisch@ietfa.amsl.com>; Fri, 3 Apr 2015 18:34:32 -0700 (PDT)
Received: from mail.kivinen.iki.fi (fireball.kivinen.iki.fi [IPv6:2001:1bc8:100d::2]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C5AB51A1BDD for <6tisch@ietf.org>; Fri, 3 Apr 2015 18:34:31 -0700 (PDT)
Received: from fireball.kivinen.iki.fi (localhost [127.0.0.1]) by mail.kivinen.iki.fi (8.14.8/8.14.8) with ESMTP id t341YIHo007133 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sat, 4 Apr 2015 04:34:18 +0300 (EEST)
Received: (from kivinen@localhost) by fireball.kivinen.iki.fi (8.14.8/8.14.8/Submit) id t341YHuE011004; Sat, 4 Apr 2015 04:34:17 +0300 (EEST)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-ID: <21791.16281.379853.507473@fireball.kivinen.iki.fi>
Date: Sat, 04 Apr 2015 04:34:17 +0300
From: Tero Kivinen <kivinen@iki.fi>
To: Kristofer PISTER <ksjp@berkeley.edu>
In-Reply-To: <CALb6MQUQ3ozKowzstfqGGvBg-bJfdZ1GsKKMnZg0XCwA+sS3nw@mail.gmail.com>
References: <21789.50294.884554.24962@fireball.kivinen.iki.fi> <CALb6MQUQ3ozKowzstfqGGvBg-bJfdZ1GsKKMnZg0XCwA+sS3nw@mail.gmail.com>
X-Mailer: VM 8.2.0b under 24.3.1 (x86_64--netbsd)
X-Edit-Time: 39 min
X-Total-Time: 48 min
Archived-At: <http://mailarchive.ietf.org/arch/msg/6tisch/Yp6AsAx9h88SVk-4g5IOPeuewIU>
Cc: "6tisch@ietf.org" <6tisch@ietf.org>
Subject: Re: [6tisch] 802.15.4 "change" that will affect 6TiSCH.
X-BeenThere: 6tisch@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "Discuss link layer model for Deterministic IPv6 over the TSCH mode of IEEE 802.15.4e, and impacts on RPL and 6LoWPAN such as resource allocation" <6tisch.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/6tisch>, <mailto:6tisch-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/6tisch/>
List-Post: <mailto:6tisch@ietf.org>
List-Help: <mailto:6tisch-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/6tisch>, <mailto:6tisch-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 04 Apr 2015 01:34:34 -0000
Kristofer PISTER writes: > Can you say more about the reasoning behind "Disallow short > addresses in Nonce generation" ? Short addresses are not defined to be unique. The 802.15.4 says that how short addresses are chosen is outside the scope of this standard. I.e. it is completely valid for PAN coordinator to allocate duplicate short addresses for different devices, if it feels things will still work. I.e. if they are for example in such schedule that their neighbors will know which one is which. Also PAN coordinator can allocate duplicate short addresses to devices which are so far away from each other that they cannot hear each other (or their neighbors). In practice the PAN coordinator will not allocate duplicate short addresses for the same PAN, but for example some other networks might do that, for example when they derive short addresses from somewhere else like from IP-address... Also even if short addresses are unique within the PAN, they most likely will not be unique across different PANs. If you have cluster tree network like in figure figure 2 in 802.15.4-2011 you notice that there is multiple devices having same short address in different PANs. The whole cluster tree network might still use same TSCH schedule system and coordinated ASN and the same keys, so different PAN coordinators for different clusters can talk to neighbor clusters. As the 7.3.2 of the 802.15.4e-2012 did not use PAN id along with short address in the Source Address field, this could cause duplicate nonces (i.e. two devices from different PANs using same short address sends message using same ASN (on same channel on shared slot, or on different channels). This means nonce is no longer unique, and that will break the security. There are much bigger problems if ASN is not used, i.e. when using non-TSCH mode, and where normal frame counter is used. In that case every single device starting with frame counter 0, and getting some short address that has already ben used in the network will cause nonce collision. Also the 7.3.2 does not specify how the 16-bit short address is put in to the Source Address field. One could assume source address is string and put the short address as first 2 bytes of the source address, but what values to put to rest of the source address field. They must be same in both sender and receiver. Most likely it should be filled with zeroes. On the other hand the macShortAddress is integer, so it cannot be stored in the string directly wihtout endness problems (extended address is string and it can be stored there without problems). Section 7.3.1 defines integer representation format for the section 7.3, and it says that format of B.2 is used, and B.2.2 says integers shall be represented as octect strings in most-significat-octet-first. This means that if we encode short address 0x1234 as 16-bit integer, and pad with zeros we get nonce value of 12 34 00 00 00 00 00 00 On the other if we assume that source address field is 64-bit integer, and we just store the 16-bit integer there then value will be: 00 00 00 00 00 00 12 34 On the other hand if implementation uses the same format that was used when sending the Source Address in MAC, then the value would be: 34 12 00 00 00 00 00 00 So the text in 7.3.2 is unclear which format should be used, thus causing interoperability issues. Note, that all complient 802.15.4 devices must know the mapping from the short address to extended address, so there is no reason why the device cannot use the extended address in nonce. The security section table 64 (of 802.15.4-2011) describing elements of the DeviceDescriptor contains the mapping from short address to extended address. Short address is optional in the DeviceDescriptor, but extebded address is not optional, it must be there, and it is used in incoming frame security procedure in 7.2.3. So there is no reason to use short addresses in the nonce generation, as it just causes security issues, and complient 802.15.4 devices must already know the extended addresses of their neighbors so there is no point of not using it. Frame addressing fields can of course use short addresses, and extended address is only used internally in the nonce generation regardless what was in the addressing fields, so there is no expansion of the frame size when using extended addresses in the nonce generation. If you have network where the receiver do not know the mapping from the short address to extended address for the sender when receiving secured frame, then that is not complient with 802.15.4, and 6tisch do not need to care about it... -- kivinen@iki.fi
- [6tisch] 802.15.4 "change" that will affect 6TiSC… Tero Kivinen
- Re: [6tisch] 802.15.4 "change" that will affect 6… Kristofer PISTER
- Re: [6tisch] 802.15.4 "change" that will affect 6… Tero Kivinen
- Re: [6tisch] 802.15.4 "change" that will affect 6… Tero Kivinen
- Re: [6tisch] 802.15.4 "change" that will affect 6… Kris Pister
- Re: [6tisch] 802.15.4 "change" that will affect 6… Tero Kivinen
- Re: [6tisch] 802.15.4 "change" that will affect 6… Kris Pister
- Re: [6tisch] 802.15.4 "change" that will affect 6… Tero Kivinen
- Re: [6tisch] 802.15.4 "change" that will affect 6… Michael Richardson
- Re: [6tisch] 802.15.4 "change" that will affect 6… Kris Pister
- Re: [6tisch] 802.15.4 "change" that will affect 6… Tero Kivinen
- Re: [6tisch] 802.15.4 "change" that will affect 6… Tero Kivinen
- Re: [6tisch] 802.15.4 "change" that will affect 6… Michael Richardson
- Re: [6tisch] 802.15.4 "change" that will affect 6… Kris Pister
- Re: [6tisch] 802.15.4 "change" that will affect 6… Kris Pister
- Re: [6tisch] 802.15.4 "change" that will affect 6… Michael Richardson
- Re: [6tisch] 802.15.4 "change" that will affect 6… Kris Pister
- Re: [6tisch] 802.15.4 "change" that will affect 6… Prof. Diego Dujovne
- Re: [6tisch] 802.15.4 "change" that will affect 6… Tero Kivinen
- Re: [6tisch] 802.15.4 "change" that will affect 6… Tero Kivinen
- Re: [6tisch] 802.15.4 "change" that will affect 6… Kris Pister