idnits 2.17.1 draft-ietf-roll-enrollment-priority-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([I-D.ietf-6tisch-enrollment-enhanced-beacon], [I-D.ietf-6tisch-minimal-security]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 166 has weird spacing: '...riority a 7 b...' -- The document date (April 25, 2020) is 1462 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Unused Reference: 'I-D.ietf-6tisch-architecture' is defined on line 310, but no explicit reference was found in the text == Unused Reference: 'I-D.ietf-6tisch-terminology' is defined on line 320, but no explicit reference was found in the text == Unused Reference: 'RFC8137' is defined on line 331, but no explicit reference was found in the text == Unused Reference: 'RFC8366' is defined on line 335, but no explicit reference was found in the text == Outdated reference: A later version (-30) exists of draft-ietf-6tisch-architecture-28 == Outdated reference: A later version (-09) exists of draft-ietf-roll-capabilities-02 Summary: 1 error (**), 0 flaws (~~), 8 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 ROLL Working Group M. Richardson 3 Internet-Draft Sandelman Software Works 4 Intended status: Informational April 25, 2020 5 Expires: October 27, 2020 7 Enabling secure network enrollment in RPL networks 8 draft-ietf-roll-enrollment-priority-02 10 Abstract 12 [I-D.ietf-6tisch-enrollment-enhanced-beacon] defines a method by 13 which a potential [I-D.ietf-6tisch-minimal-security] join proxy can 14 announce itself as a available for new Pledges to enroll on a 15 network. The announcement includes a priority for enrollment. This 16 document provides a mechanism by which a RPL DODAG root can disable 17 enrollment announcements, or adjust the base priority for enrollment 18 operation. 20 Status of This Memo 22 This Internet-Draft is submitted in full conformance with the 23 provisions of BCP 78 and BCP 79. 25 Internet-Drafts are working documents of the Internet Engineering 26 Task Force (IETF). Note that other groups may also distribute 27 working documents as Internet-Drafts. The list of current Internet- 28 Drafts is at https://datatracker.ietf.org/drafts/current/. 30 Internet-Drafts are draft documents valid for a maximum of six months 31 and may be updated, replaced, or obsoleted by other documents at any 32 time. It is inappropriate to use Internet-Drafts as reference 33 material or to cite them other than as "work in progress." 35 This Internet-Draft will expire on October 27, 2020. 37 Copyright Notice 39 Copyright (c) 2020 IETF Trust and the persons identified as the 40 document authors. All rights reserved. 42 This document is subject to BCP 78 and the IETF Trust's Legal 43 Provisions Relating to IETF Documents 44 (https://trustee.ietf.org/license-info) in effect on the date of 45 publication of this document. Please review these documents 46 carefully, as they describe your rights and restrictions with respect 47 to this document. Code Components extracted from this document must 48 include Simplified BSD License text as described in Section 4.e of 49 the Trust Legal Provisions and are provided without warranty as 50 described in the Simplified BSD License. 52 Table of Contents 54 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 55 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 56 2. Protocol Definition . . . . . . . . . . . . . . . . . . . . . 3 57 2.1. Upwards compatibility . . . . . . . . . . . . . . . . . . 4 58 3. Security Considerations . . . . . . . . . . . . . . . . . . . 5 59 4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6 60 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 61 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 62 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 63 7.1. Normative References . . . . . . . . . . . . . . . . . . 6 64 7.2. Informative References . . . . . . . . . . . . . . . . . 7 65 Appendix A. Change history . . . . . . . . . . . . . . . . . . . 8 66 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 8 68 1. Introduction 70 [RFC7554] describes the use of the time-slotted channel hopping 71 (TSCH) mode of [ieee802154]. [I-D.ietf-6tisch-minimal-security] and 72 [I-D.ietf-6tisch-dtsecurity-secure-join] describe mechanisms by which 73 a new node (the "pledge)" can use a friendly router as a Join Proxy. 74 [I-D.ietf-6tisch-enrollment-enhanced-beacon] describes an extension 75 to the 802.15.4 Enhanced Beacon that is used by a Join Proxy to 76 announce its existence such that Pledges can find them. 78 The term (1)"Join" has been used in documents like 79 [I-D.ietf-6tisch-minimal-security] to denote the activity of a new 80 node authenticating itself to the network in order to obtain 81 authorization to become a member of the network. This typically 82 involves a cryptographic authentication protocol in which a network 83 credential is provided. 85 In the context of the [RFC6550] RPL protocol, the term (2)"Join" has 86 an alternate meaning: that of a node (already authenticating to the 87 network, and already authorized to be a member of the network), 88 deciding which part of the RPL DODAG to attach to. The term "Join" 89 has to do with parent selection processes. 91 In order to avoid the ambiguity of this term, this document refers to 92 the process (1)"Join" as enrollment, leaving the term "Join" to mean 93 (2)"Join". The term "onboarding" (or IoT Onboarding) is sometimes 94 used to describe this process. The term Join Proxy is retained with 95 it's meaning from [I-D.ietf-6tisch-minimal-security]. 97 It has become clear that not every routing member of the mesh ought 98 to announce itself as a Join Proxy. There are a variety of local 99 reasons by which a 6LR might not want to provide the Join Proxy 100 function. They include available battery power, already committed 101 network bandwidth, and also total available memory available for Join 102 proxy neighbor cache slots. 104 There are other situations where the operator of the network would 105 like to selective enable or disable the enrollment process in a 106 particular DODAG. 108 As the enrollment process involves permitting unencrypted traffic 109 into the best effort part of a (TSCH) network, it would be better to 110 have the enrollment process off when no new nodes are expected. 112 A network operator might also be able to recognize when certain parts 113 of the network are overloaded and can not accomodate additional 114 enrollment traffic, and it would like to adjust the enrollment 115 priority (the proxy priority field of 116 [I-D.ietf-6tisch-enrollment-enhanced-beacon]) among all nodes in the 117 subtree of a congested link. 119 This document describes an RPL DIO option that can be used to 120 announce a minimum enrollment priority. Each potential Join Proxy 121 would this value as a base on which to add values relating to local 122 conditions. As explained in 123 [I-D.ietf-6tisch-enrollment-enhanced-beacon], higher values decrease 124 the likelyhood of an unenrolled node sending enrollment traffic via 125 this path. 127 A network operator can set this value to the maximum value allowed, 128 effectively disable all new enrollment traffic. 130 1.1. Terminology 132 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 133 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 134 "OPTIONAL" in this document are to be interpreted as described in 135 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 136 capitals, as shown here. 138 2. Protocol Definition 140 The following option is defined to transmission in the DIO issued by 141 the DODAG root. It may also be added by a router on part of the sub- 142 tree as a result of some (out of scope for this document) management 143 function. 145 6LRs that see this DIO Option SHOULD increment their minimum 146 enrollment priority if they observe congestion on the channel used 147 for join traffic. The exact mechanism is a local decision, and may 148 be the subject for future work. 150 A 6LR which would otherwise be willing to act as a Join Proxy, will 151 examine the minimum priority field, and to that number, add any 152 additional local consideration (such as upstream congestion). 154 The Join Priority can only be increased by each each 6LR in value, to 155 the maximum value of 0x7f. 157 The resulting priority, if less than 0x7f should enable the Join 158 Proxy function. 160 0 1 2 161 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 162 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 163 | Type = TBD01|Opt Length = 1|R| min. priority | 164 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 166 min.priority a 7 bit field which provides a base value for the 167 Enhanced Beacon Join priority. A value of 0x7f (127) disables the 168 Join Proxy function entirely. 170 R a reserved bit that SHOULD be set to 0 by senders, and MUST be 171 ignored by receivers. This reserved bit SHOULD be copied to 172 options created. 174 This document uses the extensions mechanism designed into [RFC6550]. 175 It does not need any mechanism to enable it. 177 Future work like [I-D.ietf-roll-capabilities] will enable collection 178 of capabilities such as this one in reports to the DODAG root. 180 2.1. Upwards compatibility 182 A 6LR which did not support this option would not act on it, or copy 183 it into it's DIO messages. Children and grandchildren nodes would 184 therefore not receive any telemetry via that path, and need to assume 185 a default value. 187 6LRs that support this option, but whose parent does not send it 188 SHOULD assume a value of 0x40 as their base value. The nodes then 189 adjust this base value based upon their observed congestion, emitting 190 their adjusted DIO value to their children. 192 A 6LR downstream of a 6LR where there was an interruption in the 193 telemetry could err in two directions: * if the value implied by the 194 base value of 0x40 was too low, then a 6LR might continue to attract 195 enrollment traffic when none should have been collected. This is a 196 stressor for the network, but this would also be what would occur 197 without this option at all. * if the value implied by the base value 198 of 0x40 was too high, then a 6LR might deflect enrollment traffic to 199 other parts of the DODAG tree, possibly refusing any enrollment 200 traffic at all. In order for this to happen, some significant 201 congestion must be seen in the sub-tree where the implied 0x40 was 202 introduced. The 0x40 is only the half-way point, so if such an 203 amount of congestion was present, then this sub-tree of the DODAG 204 simply winds up being more cautious than it needed to be. 206 It is possible that the temporal alternation of the above two 207 situations might introduce cycles of accepting and then rejecting 208 enrollment traffic. This is something an operator should consider if 209 when they incrementally deploy this option to an existing LLN. In 210 addition, an operator would be unable to turn off enrollment traffic 211 by sending a maximum value enrollment priority to the sub-tree. This 212 situation is unfortunately, but would be exactly the situation 213 without this option. 215 3. Security Considerations 217 As per [RFC7416], RPL control frames either run over a secured layer 218 2, or use the [RFC6550] Secure DIO methods. This option can be 219 placed into either a "clear" (layer-2 secured) DIO, or a layer-3 220 Secure DIO. As such this option will have both integrity and 221 confidentiality mechanisms applied to it. 223 A malicious node (that was part of the RPL control plane) could see 224 these options and could, based upon the observed minimal enrollment 225 priority signal a confederate that it was a good time to send 226 malicious join traffic. 228 A malicious node (that was part of the RPL control plane) could also 229 send DIOs with a different minimal enrollment priority which would 230 cause downstream mesh routers to change their Join Proxy behaviour. 231 Lower minimal priorities would cause downstream nodes to accept more 232 pledges than the network was expecting, and higher minimal priorities 233 cause the join process to stall. 235 The use of layer-2 or layer-3 security for RPL control messages 236 prevents the above two attacks, by preventing malicious nodes from 237 becoming part of the control plane. A node that is attacked and has 238 malware placed on it creates vulnerabilities in the same way such an 239 attack on any node involved in Internet routing protocol does. The 240 rekeying provisions of [I-D.ietf-6tisch-minimal-security] exist to 241 permit an operator to remove such nodes from the network. 243 4. Privacy Considerations 245 There are no new privacy issues caused by this extension. 247 5. IANA Considerations 249 Allocate a new number TBD01 from Registry RPL Control Message 250 Options. This entry should be called Minimum Enrollment Priority. 252 6. Acknowledgements 254 This has been reviewed by Pascal Thubert and Thomas Wattenye. 256 7. References 258 7.1. Normative References 260 [I-D.ietf-6tisch-enrollment-enhanced-beacon] 261 Dujovne, D. and M. Richardson, "IEEE 802.15.4 Information 262 Element encapsulation of 6TiSCH Join and Enrollment 263 Information", draft-ietf-6tisch-enrollment-enhanced- 264 beacon-14 (work in progress), February 2020. 266 [I-D.ietf-6tisch-minimal-security] 267 Vucinic, M., Simon, J., Pister, K., and M. Richardson, 268 "Constrained Join Protocol (CoJP) for 6TiSCH", draft-ietf- 269 6tisch-minimal-security-15 (work in progress), December 270 2019. 272 [ieee802154] 273 IEEE standard for Information Technology, ., "IEEE Std. 274 802.15.4, Part. 15.4: Wireless Medium Access Control (MAC) 275 and Physical Layer (PHY) Specifications for Low-Rate 276 Wireless Personal Area Networks", n.d., 277 . 280 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 281 Requirement Levels", BCP 14, RFC 2119, 282 DOI 10.17487/RFC2119, March 1997, 283 . 285 [RFC6550] Winter, T., Ed., Thubert, P., Ed., Brandt, A., Hui, J., 286 Kelsey, R., Levis, P., Pister, K., Struik, R., Vasseur, 287 JP., and R. Alexander, "RPL: IPv6 Routing Protocol for 288 Low-Power and Lossy Networks", RFC 6550, 289 DOI 10.17487/RFC6550, March 2012, 290 . 292 [RFC7416] Tsao, T., Alexander, R., Dohler, M., Daza, V., Lozano, A., 293 and M. Richardson, Ed., "A Security Threat Analysis for 294 the Routing Protocol for Low-Power and Lossy Networks 295 (RPLs)", RFC 7416, DOI 10.17487/RFC7416, January 2015, 296 . 298 [RFC7554] Watteyne, T., Ed., Palattella, M., and L. Grieco, "Using 299 IEEE 802.15.4e Time-Slotted Channel Hopping (TSCH) in the 300 Internet of Things (IoT): Problem Statement", RFC 7554, 301 DOI 10.17487/RFC7554, May 2015, 302 . 304 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 305 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 306 May 2017, . 308 7.2. Informative References 310 [I-D.ietf-6tisch-architecture] 311 Thubert, P., "An Architecture for IPv6 over the TSCH mode 312 of IEEE 802.15.4", draft-ietf-6tisch-architecture-28 (work 313 in progress), October 2019. 315 [I-D.ietf-6tisch-dtsecurity-secure-join] 316 Richardson, M., "6tisch Secure Join protocol", draft-ietf- 317 6tisch-dtsecurity-secure-join-01 (work in progress), 318 February 2017. 320 [I-D.ietf-6tisch-terminology] 321 Palattella, M., Thubert, P., Watteyne, T., and Q. Wang, 322 "Terms Used in IPv6 over the TSCH mode of IEEE 802.15.4e", 323 draft-ietf-6tisch-terminology-10 (work in progress), March 324 2018. 326 [I-D.ietf-roll-capabilities] 327 Jadhav, R., Thubert, P., Richardson, M., and R. Sahoo, 328 "RPL Capabilities", draft-ietf-roll-capabilities-02 (work 329 in progress), March 2020. 331 [RFC8137] Kivinen, T. and P. Kinney, "IEEE 802.15.4 Information 332 Element for the IETF", RFC 8137, DOI 10.17487/RFC8137, May 333 2017, . 335 [RFC8366] Watsen, K., Richardson, M., Pritikin, M., and T. Eckert, 336 "A Voucher Artifact for Bootstrapping Protocols", 337 RFC 8366, DOI 10.17487/RFC8366, May 2018, 338 . 340 Appendix A. Change history 342 version 00. 344 Author's Address 346 Michael Richardson 347 Sandelman Software Works 349 Email: mcr+ietf@sandelman.ca