IETF Logo Mail Archive

Re: [Dtls-iot] question on draft-kumar-dice-dtls-relay-01

Robert Cragie <robert.cragie@gridmerge.com> Fri, 30 May 2014 17:43 UTC

Return-Path: <robert.cragie@gridmerge.com>
X-Original-To: dtls-iot@ietfa.amsl.com
Delivered-To: dtls-iot@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E06791A6FC2 for <dtls-iot@ietfa.amsl.com>; Fri, 30 May 2014 10:43:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XWWkIFjJ5BFf for <dtls-iot@ietfa.amsl.com>; Fri, 30 May 2014 10:43:32 -0700 (PDT)
Received: from mailscan1.extendcp.co.uk (mailscan26.extendcp.co.uk [176.32.226.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 604751A6FB6 for <dtls-iot@ietf.org>; Fri, 30 May 2014 10:43:31 -0700 (PDT)
Received: from lb1.hi.local ([10.0.1.197] helo=mailscan3.hi.local) by mailscan-g65.hi.local with esmtp (Exim 4.80.1) (envelope-from <robert.cragie@gridmerge.com>) id 1WqQpv-0004Pt-Jy; Fri, 30 May 2014 18:43:23 +0100
Received: from lb1.hi.local ([10.0.1.197] helo=mail41.extendcp.co.uk) by mailscan3.hi.local with esmtps (UNKNOWN:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.80.1) (envelope-from <robert.cragie@gridmerge.com>) id 1WqQpv-0000fm-3k; Fri, 30 May 2014 18:43:23 +0100
Received: from host86-147-26-221.range86-147.btcentralplus.com ([86.147.26.221] helo=[192.168.0.2]) by mail41.extendcp.com with esmtpsa (TLSv1:DHE-RSA-AES128-SHA:128) (Exim 4.80.1) id 1WqQps-0008Nk-Ol; Fri, 30 May 2014 18:43:21 +0100
Message-ID: <5388C384.90902@gridmerge.com>
Date: Fri, 30 May 2014 18:44:36 +0100
From: Robert Cragie <robert.cragie@gridmerge.com>
Organization: Gridmerge Ltd.
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0
MIME-Version: 1.0
To: Rene Struik <rstruik.ext@gmail.com>, "Kumar, Sandeep" <sandeep.kumar@philips.com>, "dtls-iot@ietf.org" <dtls-iot@ietf.org>
References: <5384FB1C.60109@gmail.com> <5384FBB0.3040900@gmail.com> <BE6D13F6A4554947952B39008B0DC0153E79AB4A@DBXPRD9003MB059.MGDPHG.emi.philips.com> <5385FC6C.8080102@gmail.com> <BE6D13F6A4554947952B39008B0DC0153E79AD5A@DBXPRD9003MB059.MGDPHG.emi.philips.com>, <53860BB5.8020908@gmail.com> <BE6D13F6A4554947952B39008B0DC0153E79AF4E@DBXPRD9003MB059.MGDPHG.emi.philips.com> <538639AF.4050900@gmail.com> <538770D9.2040103@gridmerge.com> <5387963C.3070304@gmail.com> <53885131.7080900@gridmerge.com> <538890C6.6080901@gmail.com> <53889442.7040404@gridmerge.com> <538895DA.70806@gmail.com>
In-Reply-To: <538895DA.70806@gmail.com>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms080809050205090806030605"
X-Authenticated-As: robert.cragie@gridmerge.com
X-Extend-Src: mailout
Archived-At: http://mailarchive.ietf.org/arch/msg/dtls-iot/KW1g7ym3IXVE-s-e30xaAb5-CnQ
Subject: Re: [Dtls-iot] question on draft-kumar-dice-dtls-relay-01
X-BeenThere: dtls-iot@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: robert.cragie@gridmerge.com
List-Id: DTLS for IoT discussion list <dtls-iot.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dtls-iot/>
List-Post: <mailto:dtls-iot@ietf.org>
List-Help: <mailto:dtls-iot-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dtls-iot>, <mailto:dtls-iot-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 30 May 2014 17:43:35 -0000

You need to be able to discover other networks if you are thinking of 
starting your own to make sure you don't collide. In this respect, you 
are an unauthenticated node to the other network. All I was saying is 
that the lock down mechanism is very commonly used and is a simple but 
effective way of preventing the ingress of unauthenticated data traffic 
(legitimate or otherwise) into the network.

Robert

On 30/05/2014 3:29 PM, Rene Struik wrote:
> Well, if you only allow devices to discover networks but not to join 
> them, this sounds like "window shopping", without a network ever being 
> able to form or expand.
>
> You seem to suggest that you always want to lock down the network 
> (join permit flag glued to the off position), the scenario I did not 
> bring up in my original email.
>
> On 5/30/2014 10:22 AM, Robert Cragie wrote:
>> Hi Rene,
>>
>> Comments inline.
>>
>> Robert
>>
>> On 30/05/2014 3:08 PM, Rene Struik wrote:
>>> Hi Robert:
>>>
>>> Obviously, when the network is locked down and does not allow newly 
>>> joining devices (the scenario where the relay on/off switch is stuck 
>>> in the OFF position), my initial question on relaying of messages 
>>> received from newly joining devices does not play. This would also 
>>> be the less interesting scenario, though, since this would not allow 
>>> devices to discover and join the network by themselves.
>> <RCC>It would potentially allow devices to discover networks but not 
>> to join them</RCC>
>>>
>>> BTW - even with stateless relay, the state of a relaying station may 
>>> change (e.g., due to impact of sending a MAC frame on MAC state); it 
>>> just does not accumulate state related to the newbee device. When 
>>> one uses TSCH, other MAC state may need to be introduced that may 
>>> relate to the newbee node, e.g., to synchronize timeslots during 
>>> which the newbee device and the relaying station can communicate. 
>>> So, the notion of "stateless" may be somewhat a misnomer, at least 
>>> for sleepy networks. In all cases, as already said, each relay of 
>>> end-to-end traffic may trigger amplified network traffic, so comes 
>>> at a price (network latency, consumed energy, capacity use, 
>>> intra-device computational latency). It is here where denial of 
>>> service attacks on the network may come into play.
>> <RCC>Of course, but the point is not to introduce any additional 
>> state through the relay mechanism itself, i.e. the net state change 
>> before and after the relay operation only. Beyond that anything can 
>> happen. DoS is a tricky subject to explore and can happen at various 
>> layers , for example, swamping a channel with noise is quite an 
>> effective localised DoS attack (PHY layer) or continuously sending a 
>> beacon request (MAC layer). What you describe above falls outside of 
>> the scope of the relay description and is specific to a certain type 
>> of network.</RCC>
>>>
>>> So, I am still interested in getting more insight as to how the 
>>> relay on/off switch would work in practice (which was the question 
>>> in my original email of Tue [snippet copied below]). A description 
>>> of device join operations would help (say, with operational network 
>>> of 1000 nodes with diameter 20 hops, where one wishes to add a 
>>> newbee node A at neighbor B, where B is 10 hops away from network 
>>> manager T).
>> <RCC>This only makes sense when a) considering a specific type of 
>> network, as you have done above and b) widening the scope of the 
>> discussion beyond just the relaying. Is that what you are proposing? 
>> If so, there need to be some bounds or else it could end up being a 
>> very long security considerations section.</RCC>
>>>
>>> I hope this helps.
>>>
>>> Rene
>>>
>>> [excerpt of my email as of Tue May 27, 2014, 4:55pm EDT]
>>> >>>> I would be curious as to whether you could provide some more 
>>> insight
>>> >>>> as to what type of denial of service attack you counter and how the
>>> >>>> DTLS Relay "on/off switch" would work in practice
>>>
>> [snip] 
>
>
> -- 
> email:rstruik.ext@gmail.com  | Skype: rstruik
> cell: +1 (647) 867-5658 | US: +1 (415) 690-7363
>
>
> _______________________________________________
> dtls-iot mailing list
> dtls-iot@ietf.org
> https://www.ietf.org/mailman/listinfo/dtls-iot

v2.23.0 | Report a Bug | By Email