Network Working Group M. Richardson Internet-Draft SSW Intended status: Informational July 4, 2014 Expires: January 5, 2015 6tisch secure join using 6top draft-richardson-6tisch--security-6top-00 Abstract This document details a security architecture that permits a new 6tisch compliant node to join an 802.15.4e network. The process bootstraps the new node authenticating the node to the network, and the network to the node, and configuring the new node with the required 6tisch schedule. Any resemblance to WirelessHART/IEC62591 is entirely intentional. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 5, 2015. Copyright Notice Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved. Richardson Expires January 5, 2015 [Page 1] Internet-Draft 6tisch-6top July 2014 This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Assumptions . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology and Roles . . . . . . . . . . . . . . . . . . . . 4 3. Architectural requirements of join protocol . . . . . . . . . 4 3.1. prefixes to use for join traffic . . . . . . . . . . . . 8 4. security requirements . . . . . . . . . . . . . . . . . . . . 8 4.1. threat model . . . . . . . . . . . . . . . . . . . . . . 8 4.2. implementation cost . . . . . . . . . . . . . . . . . . . 8 4.3. denial of service . . . . . . . . . . . . . . . . . . . . 8 5. protocol requirements/constraints/assumptions . . . . . . . . 8 5.1. inline/offline . . . . . . . . . . . . . . . . . . . . . 8 6. time sequence diagram . . . . . . . . . . . . . . . . . . . . 8 6.1. explanation of each step . . . . . . . . . . . . . . . . 9 6.1.1. step (1): enhanced beacon . . . . . . . . . . . . . . 10 6.1.2. step (1B): send router solicitation . . . . . . . . . 10 6.1.3. step (1C): receive router advertisement . . . . . . . 10 6.1.4. step (2): acquire authorizer key . . . . . . . . . . 10 6.1.5. step (3): receive authorizer key . . . . . . . . . . 10 6.1.6. step (4): join request . . . . . . . . . . . . . . . 11 6.1.7. step (5): NS duplicate address request (DAR) . . . . 11 6.1.8. step (7): 6LBR informs JCE of new node . . . . . . . 11 6.1.9. step (8): JCE informs/acks to 6LBR of new node . . . 11 6.1.10. step (9): NS duplicate address confirmation (DAC) . . 11 6.1.11. step (10): JCE initiates connection to joining node . 11 6.1.12. step (11): Join Assistant forwards packet to joining node . . . . . . . . . . . . . . . . . . . . . . . . 11 6.1.13. step (12): Joining node replies . . . . . . . . . . . 11 6.1.14. step (13): Join Assistant forwards reply to JCE . . . 11 6.2. size of each packet . . . . . . . . . . . . . . . . . . . 12 7. resulting security properties obtained from this process . . 12 8. deployment scenarios underlying protocol requirements . . . . 12 9. device identification . . . . . . . . . . . . . . . . . . . . 12 9.1. PCE/Proxy vs Node identification . . . . . . . . . . . . 12 9.2. Time source authentication / time validation . . . . . . 12 9.3. description of certificate contents . . . . . . . . . . . 12 9.4. privacy aspects . . . . . . . . . . . . . . . . . . . . . 12 Richardson Expires January 5, 2015 [Page 2] Internet-Draft 6tisch-6top July 2014 10. slotframes to be used during join . . . . . . . . . . . . . . 12 11. configuration aspects . . . . . . . . . . . . . . . . . . . . 12 12. authorization aspects . . . . . . . . . . . . . . . . . . . . 12 12.1. how to determine a proxy/PCE from a end node . . . . . . 12 12.2. security considerations . . . . . . . . . . . . . . . . 13 13. security architecture . . . . . . . . . . . . . . . . . . . . 13 14. Posture Maintenance . . . . . . . . . . . . . . . . . . . . . 13 15. Security Considerations . . . . . . . . . . . . . . . . . . . 13 16. Other Related Protocols . . . . . . . . . . . . . . . . . . . 13 17. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 13 18. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 13 19. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 19.1. Normative references . . . . . . . . . . . . . . . . . . 13 19.2. Informative references . . . . . . . . . . . . . . . . . 14 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 15 1. Introduction A challenging part with constructing an LLN with nodes from multiple vendors is providing enough security context to each node such that the network communication can form and remain secure. Most LLNs are small and have no operator interfaces at all, and even if they have debug interfaces (such as JTAG) with personnel trained to use that, doing any kind of interaction involving electrical connections in a dirty environment such as a factory or refinery is hopeless. It is necessary to have a way to introduce new nodes into a 6tisch network that does not involve any direct manipulation of the nodes themselves. This act has been called "zero-touch" provisioning, and it does not occur by chance, but requires coordination between the manufacturer of the node, the service operator running the LLN, and the installers actually taking the devices out of the shipping boxes. 1.1. Assumptions For the process described in this document to work, some assumptions about available infrastructure are made. These are perhaps more than assumptions, but rather architectural requirements; the exact operation of said infrastructure to be defined in a subsequent document. In the diagrams and text that follows entities are named (and defined in the terminology section). Unless otherwise stated these are roles, not actual machines/systems. The roles are seperated by network protocols in order that they roles can be performed by different systems, not because they have to be. Different deployments will have different scaling requirements for those entities. Smaller deployments might co-located many roles together Richardson Expires January 5, 2015 [Page 3] Internet-Draft 6tisch-6top July 2014 into a single ruggedized platform, while other deployments might operate all of the roles on distinct, multiply-redundant server classes located in a fully equipped datacentre. 2. Terminology and Roles Most terminology should be taken from [I-D.ietf-6tisch-architecture] and from [I-D.ietf-6tisch-6top-interface] and [I-D.wang-6tisch-6top-sublayer]. As well, many terms are taken from [RFC6775]. The following roles/things are defined: PCE the Path Computation Engine. This entity reaches out to each of the nodes in the LLN, and configures an appropriate schedule using 6top. Authz Server/ACE the Authorization Server. This offloads calculation of access control lists and other access control decisions for constrainted nodes. See [I-D.seitz-ace-problem-description] JCE the Join Coordination Entity. This acronym is chosen to parallel the PCE. 802.1AR a certificate created according the specification in [IEEE.802.1AR] joining node The newly unboxed constrained node that needs to join a network. join assistant A constrained node near the joining node that will act as it's first 6LR, and will relay traffic to/from the joining node. join network A 802.15.4e network whose encryption and authentication key is "JOIN6TISCH". production network A 802.15.4e network whose encryption/ authentication keys are determined by some algorithm. There may have network-wide group keys, or per-link keys. 3. Architectural requirements of join protocol This section works from the ultimate goal, and goes backwards to prerequisit actions. Section 6 presents the protocol from beginning to end order. Richardson Expires January 5, 2015 [Page 4] Internet-Draft 6tisch-6top July 2014 The ultimate goal of the join protocol is to provide a new node with enough locally significant security credentials that it is able to take part in the network directly. The credentials may vary by deployment. They can be: 1) a network-wide shared symmetric key 2) a locally significant (one-level only) 802.11AR type DevID certificate Given one of the the above, there are a number of possible protocols that can be used to generate layer-2 sessions keys for the node, including: 1) Mesh Link Exchange [I-D.kelsey-intarea-mesh-link-establishment] 2) work in 802.15.9 3) Security Framework and Key Management Protocol Requirements for 6TiSCH [I-D.ohba-6tisch-security] (this document provides the phase 0 required) 4) Layer-2 security aspects for the IEEE 802.15.4e MAC [I-D.piro-6tisch-security-issues] The intermediate goal of the join protocol is to enable a Join Coordination Entity (JCE) to reach out to the new node, and install the credentials detailed above. The JCE must authenticate itself to the joining node so that the joining node will know that it has joined the correct network, and the joining node must authenticate itself to the JCE so that the JCE will know that this node belongs in the network. This two way authentication occurs in the 6top/CoAP/ DTLS session that is established between the JCE and the joining node. [I-D.ietf-6tisch-6top-interface] presents a way to interface to a 6top MIB. [I-D.ietf-6tisch-coap] explains how to access that MIB using CoAP. That model is to be extended to include security attributes for the network. The JCE would therefore reach out to the joining node and simply provision appropriate security properties into the joining node, much like the PCE will provision schedules. This 6top-based secure join protocol has defined a push model for security provisioning by the JCE. This has been done for three reasons: 1) 6tisch nodes already have to have a 6top CoAP server for schedule provising Richardson Expires January 5, 2015 [Page 5] Internet-Draft 6tisch-6top July 2014 2) this permits the JCE to manage how many nodes are trying to join at the same time, and limit how much bandwidth/energy is used for the join operation, and also for the JCE to prioritize the join order for nodes. 3) making the JCE initiate the DTLS connection significantly simplies the certificate chains that must be exchanged as the most constrained side (the joining node) provides it's credentials first, and lets the much richer JCE figure out what kind of certificate chain will be required to authenticate the JCE. In EAP-TLS/802.1x situations, the TLS channel is created in the opposite direction, and it would have to complete in a tentative way, and then further authorization occur in-band. In order for a 6top/DTLS/CoAP connection to occur between the JCE and the joining node, there needs to be end-to-end IPv6 connectivity between those two entities. The joining node will not participate in the route-over RPL mesh, but rather will be seen by the network as being a 6lowpan only leaf-node. There are some alternatives to having full end to end connectivity which are discussed in the security considerations section. The specific mechanism to enable end to end connectivity with the JCE are still open but will consist of one of: (1) IPIP tunnel between Join Assistant and JCE (2) using straight RPL routing: the Join Assistant sends a DAO (3) using a separate RPL DODAG for join traffic (4) establishing a specific multi-hop 6tisch track for join traffic for each Join Assistant Of these mechanisms, the only one which does not require additional state on the Join Assistant (which is also a constrained device) is (1) and (2). Mechanism (2) additionally requires no specific state on the Join Assistant. Mechanism (2), in a non-storing DODAG requires additional state on the DODAG root (6LBR) only; while mechanism (1) requires a similar amount of state on the JCE. For deployments where the JCE is part of the 6LBR, the amount of state is similar, but in any case, the 6LBR is assumed to be a non-constrained node. As long as the Join Assistant does not do any kind of stateful firewalling, the IPIP tunnel and the DAO (2) method can be done by the Join Assistant statelessly. Upward traffic from the Join Network Richardson Expires January 5, 2015 [Page 6] Internet-Draft 6tisch-6top July 2014 must be restricted to a 6tisch slotframe(s) to which join traffic is welcome, no tunnelling is necessary as the upwards routes are all in place. A destination address ACL on traffic from the Join Network restricts the Joining Nodes to sending traffic only to the address of the JCE. (If JCE and 6LBR are colocated, then this is the address in the ABRO, if they are not colocated, then this address needs to have been provisioning in the Join Assistant when it joined, or could be carried in a new RA option) When using option (2), networks that have storing mode DODAGs will consume routing resources on all intermediate nodes between the Join Assistant and the DODAG root. This resource will be depleted without any authentication, and this threat is detailed below. Continuing to work backwards, in order the JCE reach out to provision the Joining Node, it needs to know that the new node is present. This is done by taking advantage of the 6lowPAN Address Resolution Option (ARO) (section 4.1 [RFC6775]). The ARO causes the new address to also be sent up to the 6LBR for duplicate detection using the DAR/ DAC mechanism. The 6LBR simply needs to tell the JCE about this using a protocol that needs to be defined, but could be either DAR or NS. In addition to needing to know the joining devices address from the DAR/NS, the JCE also needs to know the joining node' IDevID. If the IDevID is less than 64 bits, then it is possible that it could be placed into the EUI-64 option of the ARO, or the OUI of the [I-D.thubert-6lowpan-backbone-router] EARO. The JCE needs to know the joining node's IDevID to know if this is device that it should even attempt to provision; and if so, it may need to retrieve an appropriate certificate chain (see [I-D.richardson-6tisch-idevid-cert]) from the Factory in order for the JCE to prove it is the legitimate owner of the joining node. Prior to being able to announce itself in a NS, the joining node needs to find the Join Network. This is done by listening to an extended beacon which are broadcast in designated slotframes by Join Assistants. The Extended Beacon provides a way for the Joining Node to synchronize itself to the overall timeslot schedule and provides an Aloha period in which the Joining Node can send a Router Soliticiation, and receive an appropriate Router Advertisement giving the Joining Node a prefix and default route to which to send join traffic. It may be possible to eliminate a message exchange if space for a Router Advertisement can be found as part of the Join Network Extended Beacon. This Enhanced Beacon would be distinct to the Join Network, and would be encrypted with the well-known Join Network key. Richardson Expires January 5, 2015 [Page 7] Internet-Draft 6tisch-6top July 2014 3.1. prefixes to use for join traffic What prefix would the joining node for communication? There are three options: (1) just use link-local addresses (requires all traffic be tunneled) (2) use a prefix specifically for join traffic (may be easier with a join-only DODAG) (3) use the same prefix as the rest of the traffic (may require more complex ACLs, and leaks information to attackers) 4. security requirements 4.1. threat model There are three kinds of threats that a join process must deal with: a joining 4.2. implementation cost (storage of security material, computational cost) 4.3. denial of service other communication impacts of security protocol mechanics 5. protocol requirements/constraints/assumptions 5.1. inline/offline dependencies on centralized or external functionality, inline and offline 6. time sequence diagram Richardson Expires January 5, 2015 [Page 8] Internet-Draft 6tisch-6top July 2014 +-----+ +------+ +----------+ +-----------+ | | | | | JOIN | | Joining | | JCE | | 6LBR | | Assistant| | Node | +-----+ +------+ | (proxy) | | | | | +----------+ +-----------+ | | | | | | |-------BEACON (1)---------->| | | | | | | |<----Router Solicitation----| | | |---Router Advertisement---->| | | | | | | |<------CERTIFICATE----------| | | | REQUEST (2) | | | | | | | | | | | |-------CERTIFICATE--------->| | | | RESPONSE (multiple) | | | | (packets) | | | | | | | |<-----JOIN REQUEST (4) -----| | | | (NS w/ARO ) | | | | | | |<---NS (DAR) (5)-----| | |<--??(6)-| | | | | | | |--??(7)->| | | | | | | | |----NS (DAC)-(8)---->| | | | +------+ | | | || | | | ACK +------+ | | | | |-------JOIN ACK (9)-------->| | | | | | | | | |================(10)==========>|----------6top----(11)----->| | | | DTLS | |<===============(13)===========|<---------CoAP----(12)------| | | | (many packets) | Figure 1: Message sequence for JOIN message 6.1. explanation of each step Richardson Expires January 5, 2015 [Page 9] Internet-Draft 6tisch-6top July 2014 6.1.1. step (1): enhanced beacon A 6tisch join/synchronization beacon is broadcast periodically, and is authenticated with a symmetric "beacon key": well known JOIN key, such "JOIN6TISCH" another key, provisioned in advance (OOB) a shared symmetric key derived from public part of top level certificate (a closely held "secret") The purpose of this key is not to provide a high level of assurance, but rather to filter out 6tisch traffic from another random traffic that may be sharing the same radio frequencies. These beacons are used for JOIN purpose only, and are not related to the Enhanced Beacons used in the rest of 6tisch. 6.1.2. step (1B): send router solicitation The joining node sends a router solicitation during the Aloha period of the beacon. 6.1.3. step (1C): receive router advertisement The joining node receives a router advertisement from the Join Assistant. It could include 6CO options to help compress packets, and should contain a prefix appropriate for join traffic. 6.1.4. step (2): acquire authorizer key Step (4) will involve doing a public key encryption to node performing the authorization management role. In order to do this, the new node needs to know the public key of the manager, and so in this step it requests that certificate from the neighbour that that it received the beacon from. This step is optional, and it's benefit has not been demonstrated by a real world use case, but has been retained for now 6.1.5. step (3): receive authorizer key the proxy neighbour sends the key in one or more messages, along with the address of the authorizing server. The address of the authorization server could be an attribute of the certificate that is received. Richardson Expires January 5, 2015 [Page 10] Internet-Draft 6tisch-6top July 2014 6.1.6. step (4): join request A regular Neighbour Solicitation is sent. This should contain an ARO (or EARO) option containing the Joining Nodes' IDevID. The ARO/EARO will be proxied by the Join Assistant as part of normal 6LowPAN processing for leaf nodes (non-RPL nodes) upwards to the 6LBR 6.1.7. step (5): NS duplicate address request (DAR) 6.1.8. step (7): 6LBR informs JCE of new node 6.1.9. step (8): JCE informs/acks to 6LBR of new node The JCE could reply in the negative, and this would cause a DAC failure, TBD 6.1.10. step (9): NS duplicate address confirmation (DAC) 6.1.11. step (10): JCE initiates connection to joining node The double lines indicate that an IPIP tunnel operation may be required. If a straight DAO or seperate Join DODAG is used, then this is just a straight forwarding root to leaf node forwarding operation, and involves either using source routes (non-storing), or just forwarding for storing DODAGs. A specific bandwidth allocation would be used for this join traffic The production network encryption keys would be used for the join traffic 6.1.12. step (11): Join Assistant forwards packet to joining node The JOIN Assistant would forward traffic to the Joining Node. Recognizing that this traffic the JOIN Network, the JOIN Assistant would use the JOIN Network key. 6.1.13. step (12): Joining node replies The joining node replies, using JOIN Network key. 6.1.14. step (13): Join Assistant forwards reply to JCE The JOIN Assistant, recognizing that the traffic came from the JOIN Network, restricts the destination that can be reached to the the JCE only. It can do this in a stateless way, and it does NOT need to track the traffic at (10) to open pinhole, etc. Richardson Expires January 5, 2015 [Page 11] Internet-Draft 6tisch-6top July 2014 Recognizing that the traffic came from the JOIN Network, the traffic would be placed into a bandwidth allocation (track?) that allows such traffic. 6.2. size of each packet and number of frames needed to contain it. 7. resulting security properties obtained from this process 8. deployment scenarios underlying protocol requirements 9. device identification The JCE authenticates the joining node using a certificate chain provided inline during the DTLS negotiation. The certificate chain is rooted in a vendor certificate that the JCE must have preloaded, and is a statement as to the node's 802.1AR IDevID. The joining node authenticates the 9.1. PCE/Proxy vs Node identification 9.2. Time source authentication / time validation Note: RPL Root authentication is a chartered item 9.3. description of certificate contents 9.4. privacy aspects 10. slotframes to be used during join how is this communicated in the (extended) beacon. 11. configuration aspects (allocation of slotframes after join, network statistics, neighboetc.) 12. authorization aspects lifecycle (key management, trust management) 12.1. how to determine a proxy/PCE from a end node Richardson Expires January 5, 2015 [Page 12] Internet-Draft 6tisch-6top July 2014 12.2. security considerations what prevents a node from transmitting when it is not their turn (part one: jamming) can a node successfully communicate with a peer at a time when not supposed to, may be tied to link layer security, or will it be policed by receiver? 13. security architecture security architecture and fit of e.g. join protocol and provisioning into this 14. Posture Maintenance (SACM related work) 15. Security Considerations 16. Other Related Protocols 17. IANA Considerations 18. Acknowledgements 19. References 19.1. Normative references [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. [RFC6550] Winter, T., Thubert, P., Brandt, A., Hui, J., Kelsey, R., Levis, P., Pister, K., Struik, R., Vasseur, JP., and R. Alexander, "RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks", RFC 6550, March 2012. [RFC6775] Shelby, Z., Chakrabarti, S., Nordmark, E., and C. Bormann, "Neighbor Discovery Optimization for IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs)", RFC 6775, November 2012. [IEEE.802.1AR] Institute of Electrical and Electronics Engineers, "Secure Device Identity", IEEE 802.1AR, 2009, . Richardson Expires January 5, 2015 [Page 13] Internet-Draft 6tisch-6top July 2014 [I-D.ietf-6tisch-coap] Sudhaakar, R. and P. Zand, "6TiSCH Resource Management and Interaction using CoAP", draft-ietf-6tisch-coap-00 (work in progress), May 2014. [I-D.ietf-6tisch-6top-interface] Wang, Q., Vilajosana, X., and T. Watteyne, "6TiSCH Operation Sublayer (6top) Interface", draft-ietf-6tisch- 6top-interface-00 (work in progress), March 2014. [I-D.ietf-6tisch-architecture] Thubert, P., Watteyne, T., and R. Assimiti, "An Architecture for IPv6 over the TSCH mode of IEEE 802.15.4e", draft-ietf-6tisch-architecture-01 (work in progress), February 2014. [I-D.seitz-ace-problem-description] Seitz, L. and G. Selander, "Problem Description for Authorization in Constrained Environments", draft-seitz- ace-problem-description-00 (work in progress), May 2014. [I-D.richardson-6tisch-idevid-cert] Richardson, M., "X509.v3 certificate extension for authorization of device ownership", draft-richardson- 6tisch-idevid-cert-00 (work in progress), May 2014. [I-D.wang-6tisch-6top-sublayer] Wang, Q., Vilajosana, X., and T. Watteyne, "6TiSCH Operation Sublayer (6top)", draft-wang-6tisch-6top- sublayer-00 (work in progress), February 2014. 19.2. Informative references [I-D.thubert-6lowpan-backbone-router] Thubert, P., "LoWPAN Backbone Router", draft-thubert- 6lowpan-backbone-router-00 (work in progress), March 2008. [I-D.kelsey-intarea-mesh-link-establishment] Kelsey, R., "Mesh Link Establishment", draft-kelsey- intarea-mesh-link-establishment-05 (work in progress), February 2013. [I-D.ohba-6tisch-security] Chasko, S., Das, S., Lopez, R., Ohba, Y., Thubert, P., and A. Yegin, "Security Framework and Key Management Protocol Requirements for 6TiSCH", draft-ohba-6tisch-security-01 (work in progress), March 2014. Richardson Expires January 5, 2015 [Page 14] Internet-Draft 6tisch-6top July 2014 [I-D.piro-6tisch-security-issues] Piro, G., Boggia, G., and L. Grieco, "Layer-2 security aspects for the IEEE 802.15.4e MAC", draft-piro-6tisch- security-issues-02 (work in progress), June 2014. Author's Address Michael C. Richardson Sandelman Software Works 470 Dawson Avenue Ottawa, ON K1Z 5V7 CA Email: mcr+ietf@sandelman.ca URI: http://www.sandelman.ca/ Richardson Expires January 5, 2015 [Page 15]