< draft-ietf-roll-enrollment-priority-02.txt   draft-ietf-roll-enrollment-priority-03.txt >
ROLL Working Group M. Richardson ROLL Working Group M. Richardson
Internet-Draft Sandelman Software Works Internet-Draft Sandelman Software Works
Intended status: Informational April 25, 2020 Intended status: Standards Track R. Jadhav
Expires: October 27, 2020 Expires: March 29, 2021 Huawei Tech
September 25, 2020
Enabling secure network enrollment in RPL networks Controlling Secure Network Enrollment in RPL networks
draft-ietf-roll-enrollment-priority-02 draft-ietf-roll-enrollment-priority-03
Abstract Abstract
[I-D.ietf-6tisch-enrollment-enhanced-beacon] defines a method by [I-D.ietf-6tisch-enrollment-enhanced-beacon] defines a method by
which a potential [I-D.ietf-6tisch-minimal-security] join proxy can which a potential [I-D.ietf-6tisch-minimal-security] enrollment proxy
announce itself as a available for new Pledges to enroll on a can announce itself as a available for new Pledges to enroll on a
network. The announcement includes a priority for enrollment. This network. The announcement includes a priority for enrollment. This
document provides a mechanism by which a RPL DODAG root can disable document provides a mechanism by which a RPL DODAG root can disable
enrollment announcements, or adjust the base priority for enrollment enrollment announcements, or adjust the base priority for enrollment
operation. operation.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on October 27, 2020. This Internet-Draft will expire on March 29, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3
2. Protocol Definition . . . . . . . . . . . . . . . . . . . . . 3 2. Protocol Definition . . . . . . . . . . . . . . . . . . . . . 4
2.1. Upwards compatibility . . . . . . . . . . . . . . . . . . 4 2.1. Upwards compatibility . . . . . . . . . . . . . . . . . . 4
3. Security Considerations . . . . . . . . . . . . . . . . . . . 5 3. Security Considerations . . . . . . . . . . . . . . . . . . . 5
4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6 4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6
5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 6
7.1. Normative References . . . . . . . . . . . . . . . . . . 6 7.1. Normative References . . . . . . . . . . . . . . . . . . 6
7.2. Informative References . . . . . . . . . . . . . . . . . 7 7.2. Informative References . . . . . . . . . . . . . . . . . 7
Appendix A. Change history . . . . . . . . . . . . . . . . . . . 8 Appendix A. Change history . . . . . . . . . . . . . . . . . . . 8
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8
1. Introduction 1. Introduction
[RFC7554] describes the use of the time-slotted channel hopping [RFC7554] describes the use of the time-slotted channel hopping
(TSCH) mode of [ieee802154]. [I-D.ietf-6tisch-minimal-security] and (TSCH) mode of [ieee802154]. [I-D.ietf-6tisch-minimal-security] and
[I-D.ietf-6tisch-dtsecurity-secure-join] describe mechanisms by which [I-D.ietf-6tisch-dtsecurity-secure-join] describe mechanisms by which
a new node (the "pledge)" can use a friendly router as a Join Proxy. a new node (the "pledge)" can use a friendly router as a Join Proxy.
[I-D.ietf-6tisch-enrollment-enhanced-beacon] describes an extension [I-D.ietf-6tisch-enrollment-enhanced-beacon] describes an extension
to the 802.15.4 Enhanced Beacon that is used by a Join Proxy to to the 802.15.4 Enhanced Beacon that is used by a Join Proxy to
announce its existence such that Pledges can find them. announce its existence such that Pledges can find them.
skipping to change at page 2, line 43 skipping to change at page 2, line 44
The term (1)"Join" has been used in documents like The term (1)"Join" has been used in documents like
[I-D.ietf-6tisch-minimal-security] to denote the activity of a new [I-D.ietf-6tisch-minimal-security] to denote the activity of a new
node authenticating itself to the network in order to obtain node authenticating itself to the network in order to obtain
authorization to become a member of the network. This typically authorization to become a member of the network. This typically
involves a cryptographic authentication protocol in which a network involves a cryptographic authentication protocol in which a network
credential is provided. credential is provided.
In the context of the [RFC6550] RPL protocol, the term (2)"Join" has In the context of the [RFC6550] RPL protocol, the term (2)"Join" has
an alternate meaning: that of a node (already authenticating to the an alternate meaning: that of a node (already authenticating to the
network, and already authorized to be a member of the network), network, and already authorized to be a member of the network),
deciding which part of the RPL DODAG to attach to. The term "Join" deciding which part of the RPL DODAG to attach to. This term "Join"
has to do with parent selection processes. has to do with parent selection processes.
In order to avoid the ambiguity of this term, this document refers to In order to avoid the ambiguity of this term, this document refers to
the process (1)"Join" as enrollment, leaving the term "Join" to mean the process (1)"Join" as enrollment, leaving the term "Join" to mean
(2)"Join". The term "onboarding" (or IoT Onboarding) is sometimes (2)"Join". The term "onboarding" (or IoT Onboarding) is sometimes
used to describe this process. The term Join Proxy is retained with used to describe the enrollment process. However, the term _Join
it's meaning from [I-D.ietf-6tisch-minimal-security]. Proxy_ is retained with it's meaning from
[I-D.ietf-6tisch-minimal-security].
It has become clear that not every routing member of the mesh ought It has become clear that not every routing member of the mesh ought
to announce itself as a Join Proxy. There are a variety of local to announce itself as a _Join Proxy_. There are a variety of local
reasons by which a 6LR might not want to provide the Join Proxy reasons by which a 6LR might not want to provide the _Join Proxy_
function. They include available battery power, already committed function. They include available battery power, already committed
network bandwidth, and also total available memory available for Join network bandwidth, and also total available memory available for
proxy neighbor cache slots. Neighbor Cache Entry slots.
There are other situations where the operator of the network would There are other situations where the operator of the network would
like to selective enable or disable the enrollment process in a like to selective enable or disable the enrollment process in a
particular DODAG. particular DODAG.
As the enrollment process involves permitting unencrypted traffic As the enrollment process involves permitting unencrypted traffic
into the best effort part of a (TSCH) network, it would be better to into the best effort part of a (TSCH) network, it would be better to
have the enrollment process off when no new nodes are expected. have the enrollment process off when no new nodes are expected.
A network operator might also be able to recognize when certain parts A network operator might also be able to recognize when certain parts
of the network are overloaded and can not accomodate additional of the network are overloaded and can not accomodate additional
enrollment traffic, and it would like to adjust the enrollment enrollment traffic, and it would like to adjust the enrollment
priority (the proxy priority field of priority (the proxy priority field of
[I-D.ietf-6tisch-enrollment-enhanced-beacon]) among all nodes in the [I-D.ietf-6tisch-enrollment-enhanced-beacon]) among all nodes in the
subtree of a congested link. subtree of a congested link.
This document describes an RPL DIO option that can be used to This document describes an RPL DIO option that can be used to
announce a minimum enrollment priority. Each potential Join Proxy announce a minimum enrollment priority. Each potential _Join Proxy_
would this value as a base on which to add values relating to local would this value as a base on which to add values relating to local
conditions. As explained in conditions. As explained in
[I-D.ietf-6tisch-enrollment-enhanced-beacon], higher values decrease [I-D.ietf-6tisch-enrollment-enhanced-beacon], higher values decrease
the likelyhood of an unenrolled node sending enrollment traffic via the likelyhood of an unenrolled node sending enrollment traffic via
this path. this path.
A network operator can set this value to the maximum value allowed, A network operator can set this value to the maximum value allowed,
effectively disable all new enrollment traffic. effectively disable all new enrollment traffic.
1.1. Terminology 1.1. Terminology
skipping to change at page 4, line 7 skipping to change at page 4, line 14
2. Protocol Definition 2. Protocol Definition
The following option is defined to transmission in the DIO issued by The following option is defined to transmission in the DIO issued by
the DODAG root. It may also be added by a router on part of the sub- the DODAG root. It may also be added by a router on part of the sub-
tree as a result of some (out of scope for this document) management tree as a result of some (out of scope for this document) management
function. function.
6LRs that see this DIO Option SHOULD increment their minimum 6LRs that see this DIO Option SHOULD increment their minimum
enrollment priority if they observe congestion on the channel used enrollment priority if they observe congestion on the channel used
for join traffic. The exact mechanism is a local decision, and may for enrollment traffic. The exact mechanism is a local decision, and
be the subject for future work. may be the subject for future work.
A 6LR which would otherwise be willing to act as a Join Proxy, will A 6LR which would otherwise be willing to act as a _Join Proxy_, will
examine the minimum priority field, and to that number, add any examine the minimum priority field, and to that number, add any
additional local consideration (such as upstream congestion). additional local consideration (such as upstream congestion).
The Join Priority can only be increased by each each 6LR in value, to The Enrollment Priority can only be increased by each 6LR in value,
the maximum value of 0x7f. to the maximum value of 0x7f.
The resulting priority, if less than 0x7f should enable the Join The resulting priority, if less than 0x7f should enable the _Join
Proxy function. Proxy_ function.
0 1 2 0 1 2
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type = TBD01|Opt Length = 1|R| min. priority | | Type = TBD01|Opt Length = 1|R| min. priority |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
min.priority a 7 bit field which provides a base value for the min.priority a 7 bit field which provides a base value for the
Enhanced Beacon Join priority. A value of 0x7f (127) disables the Enhanced Beacon Join priority. A value of 0x7f (127) disables the
Join Proxy function entirely. _Join Proxy_ function entirely.
R a reserved bit that SHOULD be set to 0 by senders, and MUST be R a reserved bit that SHOULD be set to 0 by senders, and MUST be
ignored by receivers. This reserved bit SHOULD be copied to ignored by receivers. This reserved bit SHOULD be copied to
options created. options created.
This document uses the extensions mechanism designed into [RFC6550]. This document uses the extensions mechanism designed into [RFC6550].
It does not need any mechanism to enable it. It does not need any mechanism to enable it.
Future work like [I-D.ietf-roll-capabilities] will enable collection Future work like [I-D.ietf-roll-capabilities] will enable collection
of capabilities such as this one in reports to the DODAG root. of capabilities such as this one in reports to the DODAG root.
skipping to change at page 5, line 25 skipping to change at page 5, line 30
introduced. The 0x40 is only the half-way point, so if such an introduced. The 0x40 is only the half-way point, so if such an
amount of congestion was present, then this sub-tree of the DODAG amount of congestion was present, then this sub-tree of the DODAG
simply winds up being more cautious than it needed to be. simply winds up being more cautious than it needed to be.
It is possible that the temporal alternation of the above two It is possible that the temporal alternation of the above two
situations might introduce cycles of accepting and then rejecting situations might introduce cycles of accepting and then rejecting
enrollment traffic. This is something an operator should consider if enrollment traffic. This is something an operator should consider if
when they incrementally deploy this option to an existing LLN. In when they incrementally deploy this option to an existing LLN. In
addition, an operator would be unable to turn off enrollment traffic addition, an operator would be unable to turn off enrollment traffic
by sending a maximum value enrollment priority to the sub-tree. This by sending a maximum value enrollment priority to the sub-tree. This
situation is unfortunately, but would be exactly the situation situation is unfortunate, but without this option, the the situation
without this option. would occur all over the DODAG, rather than just in the sub-tree
where the option was omitted.
3. Security Considerations 3. Security Considerations
As per [RFC7416], RPL control frames either run over a secured layer As per [RFC7416], RPL control frames either run over a secured layer
2, or use the [RFC6550] Secure DIO methods. This option can be 2, or use the [RFC6550] Secure DIO methods. This option can be
placed into either a "clear" (layer-2 secured) DIO, or a layer-3 placed into either a "clear" (layer-2 secured) DIO, or a layer-3
Secure DIO. As such this option will have both integrity and Secure DIO. As such this option will have both integrity and
confidentiality mechanisms applied to it. confidentiality mechanisms applied to it.
A malicious node (that was part of the RPL control plane) could see A malicious node (that was part of the RPL control plane) could see
these options and could, based upon the observed minimal enrollment these options and could, based upon the observed minimal enrollment
priority signal a confederate that it was a good time to send priority signal a confederate that it was a good time to send
malicious join traffic. malicious join traffic.
A malicious node (that was part of the RPL control plane) could also Such as a malicious node, being already part of the RPL control
send DIOs with a different minimal enrollment priority which would plane, could also send DIOs with a different minimal enrollment
cause downstream mesh routers to change their Join Proxy behaviour. priority which would cause downstream mesh routers to change their
_Join Proxy_ behaviour.
Lower minimal priorities would cause downstream nodes to accept more Lower minimal priorities would cause downstream nodes to accept more
pledges than the network was expecting, and higher minimal priorities pledges than the network was expecting, and higher minimal priorities
cause the join process to stall. cause the enrollment process to stall.
The use of layer-2 or layer-3 security for RPL control messages The use of layer-2 or layer-3 security for RPL control messages
prevents the above two attacks, by preventing malicious nodes from prevents the above two attacks, by preventing malicious nodes from
becoming part of the control plane. A node that is attacked and has becoming part of the control plane. A node that is attacked and has
malware placed on it creates vulnerabilities in the same way such an malware placed on it creates vulnerabilities in the same way such an
attack on any node involved in Internet routing protocol does. The attack on any node involved in Internet routing protocol does. The
rekeying provisions of [I-D.ietf-6tisch-minimal-security] exist to rekeying provisions of [I-D.ietf-6tisch-minimal-security] exist to
permit an operator to remove such nodes from the network. permit an operator to remove such nodes from the network easily.
4. Privacy Considerations 4. Privacy Considerations
There are no new privacy issues caused by this extension. There are no new privacy issues caused by this extension.
5. IANA Considerations 5. IANA Considerations
Allocate a new number TBD01 from Registry RPL Control Message Allocate a new number TBD01 from Registry RPL Control Message
Options. This entry should be called Minimum Enrollment Priority. Options. This entry should be called Minimum Enrollment Priority.
skipping to change at page 7, line 32 skipping to change at page 7, line 37
<https://www.rfc-editor.org/info/rfc7554>. <https://www.rfc-editor.org/info/rfc7554>.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
May 2017, <https://www.rfc-editor.org/info/rfc8174>. May 2017, <https://www.rfc-editor.org/info/rfc8174>.
7.2. Informative References 7.2. Informative References
[I-D.ietf-6tisch-architecture] [I-D.ietf-6tisch-architecture]
Thubert, P., "An Architecture for IPv6 over the TSCH mode Thubert, P., "An Architecture for IPv6 over the TSCH mode
of IEEE 802.15.4", draft-ietf-6tisch-architecture-28 (work of IEEE 802.15.4", draft-ietf-6tisch-architecture-29 (work
in progress), October 2019. in progress), August 2020.
[I-D.ietf-6tisch-dtsecurity-secure-join] [I-D.ietf-6tisch-dtsecurity-secure-join]
Richardson, M., "6tisch Secure Join protocol", draft-ietf- Richardson, M., "6tisch Secure Join protocol", draft-ietf-
6tisch-dtsecurity-secure-join-01 (work in progress), 6tisch-dtsecurity-secure-join-01 (work in progress),
February 2017. February 2017.
[I-D.ietf-6tisch-terminology] [I-D.ietf-6tisch-terminology]
Palattella, M., Thubert, P., Watteyne, T., and Q. Wang, Palattella, M., Thubert, P., Watteyne, T., and Q. Wang,
"Terms Used in IPv6 over the TSCH mode of IEEE 802.15.4e", "Terms Used in IPv6 over the TSCH mode of IEEE 802.15.4e",
draft-ietf-6tisch-terminology-10 (work in progress), March draft-ietf-6tisch-terminology-10 (work in progress), March
2018. 2018.
[I-D.ietf-roll-capabilities] [I-D.ietf-roll-capabilities]
Jadhav, R., Thubert, P., Richardson, M., and R. Sahoo, Jadhav, R., Thubert, P., Richardson, M., and R. Sahoo,
"RPL Capabilities", draft-ietf-roll-capabilities-02 (work "RPL Capabilities", draft-ietf-roll-capabilities-07 (work
in progress), March 2020. in progress), September 2020.
[RFC8137] Kivinen, T. and P. Kinney, "IEEE 802.15.4 Information [RFC8137] Kivinen, T. and P. Kinney, "IEEE 802.15.4 Information
Element for the IETF", RFC 8137, DOI 10.17487/RFC8137, May Element for the IETF", RFC 8137, DOI 10.17487/RFC8137, May
2017, <https://www.rfc-editor.org/info/rfc8137>. 2017, <https://www.rfc-editor.org/info/rfc8137>.
[RFC8366] Watsen, K., Richardson, M., Pritikin, M., and T. Eckert, [RFC8366] Watsen, K., Richardson, M., Pritikin, M., and T. Eckert,
"A Voucher Artifact for Bootstrapping Protocols", "A Voucher Artifact for Bootstrapping Protocols",
RFC 8366, DOI 10.17487/RFC8366, May 2018, RFC 8366, DOI 10.17487/RFC8366, May 2018,
<https://www.rfc-editor.org/info/rfc8366>. <https://www.rfc-editor.org/info/rfc8366>.
Appendix A. Change history Appendix A. Change history
version 00. version 00.
Author's Address Authors' Addresses
Michael Richardson Michael Richardson
Sandelman Software Works Sandelman Software Works
Email: mcr+ietf@sandelman.ca Email: mcr+ietf@sandelman.ca
Rahul Arvind Jadhav
Huawei Tech
Email: rahul.ietf@gmail.com
 End of changes. 24 change blocks. 
37 lines changed or deleted 42 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/