idnits 2.17.1 draft-ietf-roll-enrollment-priority-03.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([I-D.ietf-6tisch-enrollment-enhanced-beacon], [I-D.ietf-6tisch-minimal-security]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 168 has weird spacing: '...riority a 7 b...' -- The document date (September 25, 2020) is 1281 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'I-D.ietf-6tisch-architecture' is defined on line 315, but no explicit reference was found in the text == Unused Reference: 'I-D.ietf-6tisch-terminology' is defined on line 325, but no explicit reference was found in the text == Unused Reference: 'RFC8137' is defined on line 336, but no explicit reference was found in the text == Unused Reference: 'RFC8366' is defined on line 340, but no explicit reference was found in the text -- Possible downref: Non-RFC (?) normative reference: ref. 'ieee802154' ** Downref: Normative reference to an Informational RFC: RFC 7416 ** Downref: Normative reference to an Informational RFC: RFC 7554 == Outdated reference: A later version (-30) exists of draft-ietf-6tisch-architecture-29 == Outdated reference: A later version (-09) exists of draft-ietf-roll-capabilities-07 Summary: 3 errors (**), 0 flaws (~~), 8 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 ROLL Working Group M. Richardson 3 Internet-Draft Sandelman Software Works 4 Intended status: Standards Track R. Jadhav 5 Expires: March 29, 2021 Huawei Tech 6 September 25, 2020 8 Controlling Secure Network Enrollment in RPL networks 9 draft-ietf-roll-enrollment-priority-03 11 Abstract 13 [I-D.ietf-6tisch-enrollment-enhanced-beacon] defines a method by 14 which a potential [I-D.ietf-6tisch-minimal-security] enrollment proxy 15 can announce itself as a available for new Pledges to enroll on a 16 network. The announcement includes a priority for enrollment. This 17 document provides a mechanism by which a RPL DODAG root can disable 18 enrollment announcements, or adjust the base priority for enrollment 19 operation. 21 Status of This Memo 23 This Internet-Draft is submitted in full conformance with the 24 provisions of BCP 78 and BCP 79. 26 Internet-Drafts are working documents of the Internet Engineering 27 Task Force (IETF). Note that other groups may also distribute 28 working documents as Internet-Drafts. The list of current Internet- 29 Drafts is at https://datatracker.ietf.org/drafts/current/. 31 Internet-Drafts are draft documents valid for a maximum of six months 32 and may be updated, replaced, or obsoleted by other documents at any 33 time. It is inappropriate to use Internet-Drafts as reference 34 material or to cite them other than as "work in progress." 36 This Internet-Draft will expire on March 29, 2021. 38 Copyright Notice 40 Copyright (c) 2020 IETF Trust and the persons identified as the 41 document authors. All rights reserved. 43 This document is subject to BCP 78 and the IETF Trust's Legal 44 Provisions Relating to IETF Documents 45 (https://trustee.ietf.org/license-info) in effect on the date of 46 publication of this document. Please review these documents 47 carefully, as they describe your rights and restrictions with respect 48 to this document. Code Components extracted from this document must 49 include Simplified BSD License text as described in Section 4.e of 50 the Trust Legal Provisions and are provided without warranty as 51 described in the Simplified BSD License. 53 Table of Contents 55 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 56 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 57 2. Protocol Definition . . . . . . . . . . . . . . . . . . . . . 4 58 2.1. Upwards compatibility . . . . . . . . . . . . . . . . . . 4 59 3. Security Considerations . . . . . . . . . . . . . . . . . . . 5 60 4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6 61 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 62 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6 63 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 6 64 7.1. Normative References . . . . . . . . . . . . . . . . . . 6 65 7.2. Informative References . . . . . . . . . . . . . . . . . 7 66 Appendix A. Change history . . . . . . . . . . . . . . . . . . . 8 67 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 69 1. Introduction 71 [RFC7554] describes the use of the time-slotted channel hopping 72 (TSCH) mode of [ieee802154]. [I-D.ietf-6tisch-minimal-security] and 73 [I-D.ietf-6tisch-dtsecurity-secure-join] describe mechanisms by which 74 a new node (the "pledge)" can use a friendly router as a Join Proxy. 75 [I-D.ietf-6tisch-enrollment-enhanced-beacon] describes an extension 76 to the 802.15.4 Enhanced Beacon that is used by a Join Proxy to 77 announce its existence such that Pledges can find them. 79 The term (1)"Join" has been used in documents like 80 [I-D.ietf-6tisch-minimal-security] to denote the activity of a new 81 node authenticating itself to the network in order to obtain 82 authorization to become a member of the network. This typically 83 involves a cryptographic authentication protocol in which a network 84 credential is provided. 86 In the context of the [RFC6550] RPL protocol, the term (2)"Join" has 87 an alternate meaning: that of a node (already authenticating to the 88 network, and already authorized to be a member of the network), 89 deciding which part of the RPL DODAG to attach to. This term "Join" 90 has to do with parent selection processes. 92 In order to avoid the ambiguity of this term, this document refers to 93 the process (1)"Join" as enrollment, leaving the term "Join" to mean 94 (2)"Join". The term "onboarding" (or IoT Onboarding) is sometimes 95 used to describe the enrollment process. However, the term _Join 96 Proxy_ is retained with it's meaning from 97 [I-D.ietf-6tisch-minimal-security]. 99 It has become clear that not every routing member of the mesh ought 100 to announce itself as a _Join Proxy_. There are a variety of local 101 reasons by which a 6LR might not want to provide the _Join Proxy_ 102 function. They include available battery power, already committed 103 network bandwidth, and also total available memory available for 104 Neighbor Cache Entry slots. 106 There are other situations where the operator of the network would 107 like to selective enable or disable the enrollment process in a 108 particular DODAG. 110 As the enrollment process involves permitting unencrypted traffic 111 into the best effort part of a (TSCH) network, it would be better to 112 have the enrollment process off when no new nodes are expected. 114 A network operator might also be able to recognize when certain parts 115 of the network are overloaded and can not accomodate additional 116 enrollment traffic, and it would like to adjust the enrollment 117 priority (the proxy priority field of 118 [I-D.ietf-6tisch-enrollment-enhanced-beacon]) among all nodes in the 119 subtree of a congested link. 121 This document describes an RPL DIO option that can be used to 122 announce a minimum enrollment priority. Each potential _Join Proxy_ 123 would this value as a base on which to add values relating to local 124 conditions. As explained in 125 [I-D.ietf-6tisch-enrollment-enhanced-beacon], higher values decrease 126 the likelyhood of an unenrolled node sending enrollment traffic via 127 this path. 129 A network operator can set this value to the maximum value allowed, 130 effectively disable all new enrollment traffic. 132 1.1. Terminology 134 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 135 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 136 "OPTIONAL" in this document are to be interpreted as described in 137 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 138 capitals, as shown here. 140 2. Protocol Definition 142 The following option is defined to transmission in the DIO issued by 143 the DODAG root. It may also be added by a router on part of the sub- 144 tree as a result of some (out of scope for this document) management 145 function. 147 6LRs that see this DIO Option SHOULD increment their minimum 148 enrollment priority if they observe congestion on the channel used 149 for enrollment traffic. The exact mechanism is a local decision, and 150 may be the subject for future work. 152 A 6LR which would otherwise be willing to act as a _Join Proxy_, will 153 examine the minimum priority field, and to that number, add any 154 additional local consideration (such as upstream congestion). 156 The Enrollment Priority can only be increased by each 6LR in value, 157 to the maximum value of 0x7f. 159 The resulting priority, if less than 0x7f should enable the _Join 160 Proxy_ function. 162 0 1 2 163 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 164 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 165 | Type = TBD01|Opt Length = 1|R| min. priority | 166 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 168 min.priority a 7 bit field which provides a base value for the 169 Enhanced Beacon Join priority. A value of 0x7f (127) disables the 170 _Join Proxy_ function entirely. 172 R a reserved bit that SHOULD be set to 0 by senders, and MUST be 173 ignored by receivers. This reserved bit SHOULD be copied to 174 options created. 176 This document uses the extensions mechanism designed into [RFC6550]. 177 It does not need any mechanism to enable it. 179 Future work like [I-D.ietf-roll-capabilities] will enable collection 180 of capabilities such as this one in reports to the DODAG root. 182 2.1. Upwards compatibility 184 A 6LR which did not support this option would not act on it, or copy 185 it into it's DIO messages. Children and grandchildren nodes would 186 therefore not receive any telemetry via that path, and need to assume 187 a default value. 189 6LRs that support this option, but whose parent does not send it 190 SHOULD assume a value of 0x40 as their base value. The nodes then 191 adjust this base value based upon their observed congestion, emitting 192 their adjusted DIO value to their children. 194 A 6LR downstream of a 6LR where there was an interruption in the 195 telemetry could err in two directions: * if the value implied by the 196 base value of 0x40 was too low, then a 6LR might continue to attract 197 enrollment traffic when none should have been collected. This is a 198 stressor for the network, but this would also be what would occur 199 without this option at all. * if the value implied by the base value 200 of 0x40 was too high, then a 6LR might deflect enrollment traffic to 201 other parts of the DODAG tree, possibly refusing any enrollment 202 traffic at all. In order for this to happen, some significant 203 congestion must be seen in the sub-tree where the implied 0x40 was 204 introduced. The 0x40 is only the half-way point, so if such an 205 amount of congestion was present, then this sub-tree of the DODAG 206 simply winds up being more cautious than it needed to be. 208 It is possible that the temporal alternation of the above two 209 situations might introduce cycles of accepting and then rejecting 210 enrollment traffic. This is something an operator should consider if 211 when they incrementally deploy this option to an existing LLN. In 212 addition, an operator would be unable to turn off enrollment traffic 213 by sending a maximum value enrollment priority to the sub-tree. This 214 situation is unfortunate, but without this option, the the situation 215 would occur all over the DODAG, rather than just in the sub-tree 216 where the option was omitted. 218 3. Security Considerations 220 As per [RFC7416], RPL control frames either run over a secured layer 221 2, or use the [RFC6550] Secure DIO methods. This option can be 222 placed into either a "clear" (layer-2 secured) DIO, or a layer-3 223 Secure DIO. As such this option will have both integrity and 224 confidentiality mechanisms applied to it. 226 A malicious node (that was part of the RPL control plane) could see 227 these options and could, based upon the observed minimal enrollment 228 priority signal a confederate that it was a good time to send 229 malicious join traffic. 231 Such as a malicious node, being already part of the RPL control 232 plane, could also send DIOs with a different minimal enrollment 233 priority which would cause downstream mesh routers to change their 234 _Join Proxy_ behaviour. 236 Lower minimal priorities would cause downstream nodes to accept more 237 pledges than the network was expecting, and higher minimal priorities 238 cause the enrollment process to stall. 240 The use of layer-2 or layer-3 security for RPL control messages 241 prevents the above two attacks, by preventing malicious nodes from 242 becoming part of the control plane. A node that is attacked and has 243 malware placed on it creates vulnerabilities in the same way such an 244 attack on any node involved in Internet routing protocol does. The 245 rekeying provisions of [I-D.ietf-6tisch-minimal-security] exist to 246 permit an operator to remove such nodes from the network easily. 248 4. Privacy Considerations 250 There are no new privacy issues caused by this extension. 252 5. IANA Considerations 254 Allocate a new number TBD01 from Registry RPL Control Message 255 Options. This entry should be called Minimum Enrollment Priority. 257 6. Acknowledgements 259 This has been reviewed by Pascal Thubert and Thomas Wattenye. 261 7. References 263 7.1. Normative References 265 [I-D.ietf-6tisch-enrollment-enhanced-beacon] 266 Dujovne, D. and M. Richardson, "IEEE 802.15.4 Information 267 Element encapsulation of 6TiSCH Join and Enrollment 268 Information", draft-ietf-6tisch-enrollment-enhanced- 269 beacon-14 (work in progress), February 2020. 271 [I-D.ietf-6tisch-minimal-security] 272 Vucinic, M., Simon, J., Pister, K., and M. Richardson, 273 "Constrained Join Protocol (CoJP) for 6TiSCH", draft-ietf- 274 6tisch-minimal-security-15 (work in progress), December 275 2019. 277 [ieee802154] 278 IEEE standard for Information Technology, ., "IEEE Std. 279 802.15.4, Part. 15.4: Wireless Medium Access Control (MAC) 280 and Physical Layer (PHY) Specifications for Low-Rate 281 Wireless Personal Area Networks", n.d., 282 . 285 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 286 Requirement Levels", BCP 14, RFC 2119, 287 DOI 10.17487/RFC2119, March 1997, 288 . 290 [RFC6550] Winter, T., Ed., Thubert, P., Ed., Brandt, A., Hui, J., 291 Kelsey, R., Levis, P., Pister, K., Struik, R., Vasseur, 292 JP., and R. Alexander, "RPL: IPv6 Routing Protocol for 293 Low-Power and Lossy Networks", RFC 6550, 294 DOI 10.17487/RFC6550, March 2012, 295 . 297 [RFC7416] Tsao, T., Alexander, R., Dohler, M., Daza, V., Lozano, A., 298 and M. Richardson, Ed., "A Security Threat Analysis for 299 the Routing Protocol for Low-Power and Lossy Networks 300 (RPLs)", RFC 7416, DOI 10.17487/RFC7416, January 2015, 301 . 303 [RFC7554] Watteyne, T., Ed., Palattella, M., and L. Grieco, "Using 304 IEEE 802.15.4e Time-Slotted Channel Hopping (TSCH) in the 305 Internet of Things (IoT): Problem Statement", RFC 7554, 306 DOI 10.17487/RFC7554, May 2015, 307 . 309 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 310 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 311 May 2017, . 313 7.2. Informative References 315 [I-D.ietf-6tisch-architecture] 316 Thubert, P., "An Architecture for IPv6 over the TSCH mode 317 of IEEE 802.15.4", draft-ietf-6tisch-architecture-29 (work 318 in progress), August 2020. 320 [I-D.ietf-6tisch-dtsecurity-secure-join] 321 Richardson, M., "6tisch Secure Join protocol", draft-ietf- 322 6tisch-dtsecurity-secure-join-01 (work in progress), 323 February 2017. 325 [I-D.ietf-6tisch-terminology] 326 Palattella, M., Thubert, P., Watteyne, T., and Q. Wang, 327 "Terms Used in IPv6 over the TSCH mode of IEEE 802.15.4e", 328 draft-ietf-6tisch-terminology-10 (work in progress), March 329 2018. 331 [I-D.ietf-roll-capabilities] 332 Jadhav, R., Thubert, P., Richardson, M., and R. Sahoo, 333 "RPL Capabilities", draft-ietf-roll-capabilities-07 (work 334 in progress), September 2020. 336 [RFC8137] Kivinen, T. and P. Kinney, "IEEE 802.15.4 Information 337 Element for the IETF", RFC 8137, DOI 10.17487/RFC8137, May 338 2017, . 340 [RFC8366] Watsen, K., Richardson, M., Pritikin, M., and T. Eckert, 341 "A Voucher Artifact for Bootstrapping Protocols", 342 RFC 8366, DOI 10.17487/RFC8366, May 2018, 343 . 345 Appendix A. Change history 347 version 00. 349 Authors' Addresses 351 Michael Richardson 352 Sandelman Software Works 354 Email: mcr+ietf@sandelman.ca 356 Rahul Arvind Jadhav 357 Huawei Tech 359 Email: rahul.ietf@gmail.com