IETF Logo Mail Archive

Re: [Dtls-iot] question on draft-kumar-dice-dtls-relay-01

"Kumar, Sandeep" <sandeep.kumar@philips.com> Wed, 28 May 2014 08:15 UTC

Return-Path: <sandeep.kumar@philips.com>
X-Original-To: dtls-iot@ietfa.amsl.com
Delivered-To: dtls-iot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 32C3F1A0888 for <dtls-iot@ietfa.amsl.com>; Wed, 28 May 2014 01:15:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aRpfECfl3Egc for <dtls-iot@ietfa.amsl.com>; Wed, 28 May 2014 01:15:14 -0700 (PDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe004.messaging.microsoft.com [216.32.181.184]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3D54E1A0887 for <dtls-iot@ietf.org>; Wed, 28 May 2014 01:15:11 -0700 (PDT)
Received: from mail54-ch1-R.bigfish.com (10.43.68.246) by CH1EHSOBE005.bigfish.com (10.43.70.55) with Microsoft SMTP Server id 14.1.225.22; Wed, 28 May 2014 08:15:06 +0000
Received: from mail54-ch1 (localhost [127.0.0.1]) by mail54-ch1-R.bigfish.com (Postfix) with ESMTP id C085B4046D; Wed, 28 May 2014 08:15:06 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:206.191.240.53; KIP:(null); UIP:(null); IPV:NLI; H:mail.philips.com; RD:error; EFVD:FOP
X-SpamScore: -23
X-BigFish: VPS-23(zz15d6I9371I542I1432I9251I7f52h217bIdd85kzz1f42h208ch1ee6h1de0h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6hzz1de098h1033IL8275bh8275dh1de097h186068hz2dh109h2a8h839h944hd25hf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh15d0h162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah1b2fh2222h224fh1fb3h1d0ch1d2eh1d3fh1dfeh1dffh1e1dh1fe8h1ff5h2216h22d0h2336h2438h2461h2487h24d7h2516h2545h255eh25f6h2605h262fh268bh26d3h27e2h28a1h)
Received: from mail54-ch1 (localhost.localdomain [127.0.0.1]) by mail54-ch1 (MessageSwitch) id 1401264905513406_13914; Wed, 28 May 2014 08:15:05 +0000 (UTC)
Received: from CH1EHSMHS004.bigfish.com (snatpool2.int.messaging.microsoft.com [10.43.68.232]) by mail54-ch1.bigfish.com (Postfix) with ESMTP id 6F66C2010A; Wed, 28 May 2014 08:15:05 +0000 (UTC)
Received: from mail.philips.com (206.191.240.53) by CH1EHSMHS004.bigfish.com (10.43.70.4) with Microsoft SMTP Server (TLS) id 14.16.227.3; Wed, 28 May 2014 08:14:52 +0000
Received: from DBXPRD9003MB059.MGDPHG.emi.philips.com ([169.254.7.68]) by DBXPRD9003HT002.MGDPHG.emi.philips.com ([141.251.25.207]) with mapi id 14.16.0453.000; Wed, 28 May 2014 08:14:19 +0000
From: "Kumar, Sandeep" <sandeep.kumar@philips.com>
To: Rene Struik <rstruik.ext@gmail.com>, "dtls-iot@ietf.org" <dtls-iot@ietf.org>
Thread-Topic: [Dtls-iot] question on draft-kumar-dice-dtls-relay-01
Thread-Index: AQHPee2eVkH9qMdWkUC/R7gJ3R2jLptU6AwAgAC156A=
Date: Wed, 28 May 2014 08:14:19 +0000
Message-ID: <BE6D13F6A4554947952B39008B0DC0153E79AB4A@DBXPRD9003MB059.MGDPHG.emi.philips.com>
References: <5384FB1C.60109@gmail.com> <5384FBB0.3040900@gmail.com>
In-Reply-To: <5384FBB0.3040900@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [194.171.252.106]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: philips.com
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
Archived-At: http://mailarchive.ietf.org/arch/msg/dtls-iot/-y2_UuEA1Inr-vHUOsssrlzS6kY
Subject: Re: [Dtls-iot] question on draft-kumar-dice-dtls-relay-01
X-BeenThere: dtls-iot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DTLS for IoT discussion list <dtls-iot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dtls-iot/>
List-Post: <mailto:dtls-iot@ietf.org>
List-Help: <mailto:dtls-iot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 May 2014 08:15:17 -0000

Hi Rene

The security considerations section is not completely baked yet. But to answer your questions, we were considering the following two threats:
- DoS where a large number of joining messages are sent by  rogue nodes either to flood the lowpan or drain the network manager
- misuse of the relay functionality to allow a rogue node to setup a DTLS session with a server which is not the network manager

The "on/off switch" is just one option for the DoS where the network manager can detect too many failed requests and issue a multicast management message (e.g. a CoAP request to a resource) to stop or further throttle joining messages being accepted by relay nodes for a limited time. Of course as you mentioned, this will be delayed until the third flow of the DTLS protocol, but the DTLS cookie should provide some additional resistance initially. In other scenarios, the timing of a joining device is known (e.g. within a home) and the relays can be asked to switched on and later switched off to restrict the window of opportunity to the attacker.

The idea is that the new device gets the configuration info within the DTLS session that is created (e.g. as a CoAP request to a resource). How and format needs to be defined (either here or somewhere else more generally).

There could be more threats and possible countermeasures, let me know if you have more ideas.

Regards
Sandeep

> -----Original Message-----
> From: dtls-iot [mailto:dtls-iot-bounces@ietf.org] On Behalf Of Rene Struik
> Sent: Tuesday, May 27, 2014 10:55 PM
> To: dtls-iot@ietf.org
> Subject: [Dtls-iot] question on draft-kumar-dice-dtls-relay-01
>
> Dear Sandeep, Oscar, Sye Loong:
>
> I read draft-kumar-dice-dtls-relay-01 a few days ago. In the security
> considerations section of that draft, you allude to potential denial of services
> attacks in the context where a one-hop neighbor of a joining node facilitates
> messaging between that joining node and the network manager potentially
> many hops away, where the joining node and the network manager act as
> DTLS Client and DTLS Server, respectively, and where the one-hop neighbor
> acts as DTLS Relay. You also suggest some measures to thwart/limit denial of
> service attack risk.
>
> I would be curious as to whether you could provide some more insight as to
> what type of denial of service attack you counter and how the DTLS Relay
> "on/off switch" would work in practice. How would one detect a potential
> DoS attack and turn on the "DTLS Relay on/off" knobs to counter an influx of
> bogus join protocol messages that could be amplified if this would travel to
> the network manager (in a scenario where both are many hops away from
> each other)? Since with DTLS, client authentication only happens in the third
> protocol flow, it seems that by necessity one has to allow three subsequent
> message flows (key establishment messages from client to server and back,
> key confirmation message from client to server), without the DTLS Relay
> element having a mechanism (except for throttling) to cryptographically
> arbitrage these flows.
>
> When does the newbee device get configuration info and, e.g., a routable
> address assigned?
>
> If you could expand on this scenario, that would be great.
>
> Best regards, Rene
>
>
>
> [excerpt from draft-kumar-dice-dtls-relay-01] 5. Security Considerations
> Additional security considerations need to be taken into account about
> forwarding of messages from devices through a network to which it has not
> yet been admitted. This can lead to denial-of-service attacks or misuse of
> network resources without proper authentication. One way to overcome any
> large scale misuse of the network is to have a management message from
> the Controller that initiates already authenticated devices in the network to
> enter into a DTLS Relay mode. The devices can stay such a Relay mode for a
> fixed period of time or until the Controller sends a new management
> message blocking the DTLS Relay mode in all devices in the network. This is
> often possible since the administrator of the network can be aware when
> new devices join the network either because of the "Introduction" phase or
> commissioning phase. Other mechanisms based on IP destination filtering
> can be applied by the controller to all Relay nodes to avoid misuse of the
> network resources.
>
> --
> email: rstruik.ext@gmail.com | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
>
>
>
>
> _______________________________________________
> dtls-iot mailing list
> dtls-iot@ietf.org
> https://www.ietf.org/mailman/listinfo/dtls-iot

________________________________
The information contained in this message may be confidential and legally protected under applicable law. The message is intended solely for the addressee(s). If you are not the intended recipient, you are hereby notified that any use, forwarding, dissemination, or reproduction of this message is strictly prohibited and may be unlawful. If you are not the intended recipient, please contact the sender by return e-mail and destroy all copies of the original message.

v2.23.0 | Report a Bug | By Email