idnits 2.17.1 draft-ietf-roll-enrollment-priority-04.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The abstract seems to contain references ([I-D.ietf-6tisch-enrollment-enhanced-beacon], [I-D.ietf-6tisch-minimal-security]), which it shouldn't. Please replace those with straight textual mentions of the documents in question. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == Line 193 has weird spacing: '... exp a 4 bi...' == Line 196 has weird spacing: '...AG_Size a 12 ...' == Line 200 has weird spacing: '...riority a 7 b...' -- The document date (7 February 2021) is 1146 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) -- Possible downref: Non-RFC (?) normative reference: ref. 'ieee802154' ** Downref: Normative reference to an Informational RFC: RFC 7416 ** Downref: Normative reference to an Informational RFC: RFC 7554 == Outdated reference: A later version (-09) exists of draft-ietf-roll-capabilities-07 Summary: 3 errors (**), 0 flaws (~~), 5 warnings (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 ROLL Working Group M. Richardson 3 Internet-Draft Sandelman Software Works 4 Intended status: Standards Track R.A. Jadhav 5 Expires: 11 August 2021 Huawei Tech 6 P. Thubert 7 H. She 8 Cisco Systems 9 7 February 2021 11 Controlling Secure Network Enrollment in RPL networks 12 draft-ietf-roll-enrollment-priority-04 14 Abstract 16 [I-D.ietf-6tisch-enrollment-enhanced-beacon] defines a method by 17 which a potential [I-D.ietf-6tisch-minimal-security] enrollment proxy 18 can announce itself as a available for new Pledges to enroll on a 19 network. The announcement includes a priority for enrollment. This 20 document provides a mechanism by which a RPL DODAG root can disable 21 enrollment announcements, or adjust the base priority for enrollment 22 operation. 24 Status of This Memo 26 This Internet-Draft is submitted in full conformance with the 27 provisions of BCP 78 and BCP 79. 29 Internet-Drafts are working documents of the Internet Engineering 30 Task Force (IETF). Note that other groups may also distribute 31 working documents as Internet-Drafts. The list of current Internet- 32 Drafts is at https://datatracker.ietf.org/drafts/current/. 34 Internet-Drafts are draft documents valid for a maximum of six months 35 and may be updated, replaced, or obsoleted by other documents at any 36 time. It is inappropriate to use Internet-Drafts as reference 37 material or to cite them other than as "work in progress." 39 This Internet-Draft will expire on 11 August 2021. 41 Copyright Notice 43 Copyright (c) 2021 IETF Trust and the persons identified as the 44 document authors. All rights reserved. 46 This document is subject to BCP 78 and the IETF Trust's Legal 47 Provisions Relating to IETF Documents (https://trustee.ietf.org/ 48 license-info) in effect on the date of publication of this document. 49 Please review these documents carefully, as they describe your rights 50 and restrictions with respect to this document. Code Components 51 extracted from this document must include Simplified BSD License text 52 as described in Section 4.e of the Trust Legal Provisions and are 53 provided without warranty as described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 1.1. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 59 2. Protocol Definition . . . . . . . . . . . . . . . . . . . . . 4 60 2.1. Upwards compatibility . . . . . . . . . . . . . . . . . . 5 61 3. Security Considerations . . . . . . . . . . . . . . . . . . . 6 62 4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 6 63 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6 64 6. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 7 65 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 7 66 7.1. Normative References . . . . . . . . . . . . . . . . . . 7 67 7.2. Informative References . . . . . . . . . . . . . . . . . 8 68 Appendix A. Change history . . . . . . . . . . . . . . . . . . . 8 69 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 8 71 1. Introduction 73 [RFC7554] describes the use of the time-slotted channel hopping 74 (TSCH) mode of [ieee802154]. [I-D.ietf-6tisch-minimal-security] and 75 [I-D.ietf-6tisch-dtsecurity-secure-join] describe mechanisms by which 76 a new node (the "pledge)" can use a friendly router as a Join Proxy. 77 [I-D.ietf-6tisch-enrollment-enhanced-beacon] describes an extension 78 to the 802.15.4 Enhanced Beacon that is used by a Join Proxy to 79 announce its existence such that Pledges can find them. 81 The term (1)"Join" has been used in documents like 82 [I-D.ietf-6tisch-minimal-security] to denote the activity of a new 83 node authenticating itself to the network in order to obtain 84 authorization to become a member of the network. This typically 85 involves a cryptographic authentication protocol in which a network 86 credential is provided. 88 In the context of the [RFC6550] RPL protocol, the term (2)"Join" has 89 an alternate meaning: that of a node (already authenticating to the 90 network, and already authorized to be a member of the network), 91 deciding which part of the RPL DODAG to attach to. This term "Join" 92 has to do with parent selection processes. 94 In order to avoid the ambiguity of this term, this document refers to 95 the process (1)"Join" as enrollment, leaving the term "Join" to mean 96 (2)"Join". The term "onboarding" (or IoT Onboarding) is sometimes 97 used to describe the enrollment process. However, the term _Join 98 Proxy_ is retained with it's meaning from 99 [I-D.ietf-6tisch-minimal-security]. 101 It has become clear that not every routing member of the mesh ought 102 to announce itself as a _Join Proxy_. There are a variety of local 103 reasons by which a 6LR might not want to provide the _Join Proxy_ 104 function. They include available battery power, already committed 105 network bandwidth, and also total available memory available for 106 Neighbor Cache Entry slots. 108 There are other situations where the operator of the network would 109 like to selective enable or disable the enrollment process in a 110 particular DODAG. 112 As the enrollment process involves permitting unencrypted traffic 113 into the best effort part of a (TSCH) network, it would be better to 114 have the enrollment process off when no new nodes are expected. 116 A network operator might also be able to recognize when certain parts 117 of the network are overloaded and can not accomodate additional 118 enrollment traffic, and it would like to adjust the enrollment 119 priority (the proxy priority field of 120 [I-D.ietf-6tisch-enrollment-enhanced-beacon]) among all nodes in the 121 subtree of a congested link. 123 This document describes a RPL DIO option that can be used to announce 124 a minimum enrollment priority. The minimum priority expresses the 125 (lack of) willingness by the RPL DODAG globally to accept new joins. 126 It may derive from multiple constaining factors, e.g., the size of 127 the DODAG, the occupancy of the bandwidth at the Root, the memory 128 capacity at the DODAG Root, or an administrative decision. 130 Each potential _Join Proxy_ would this value as a base on which to 131 add values relating to local conditions such as its Rank and number 132 of pending joins, which would degrade even further the willingness to 133 take more joins. 135 When a RPL domain is composed of multiple DODAGs, nodes at the edge 136 of 2 DODAGs may not only join either DODAG but also move from one to 137 the other in order to keep their relative sizes balanced. For this, 138 the approximate knowledge of size of the DODAG is an essential 139 metric. Depending on the network policy, the size of the DODAG may 140 or may not affect the minimum enrollment priority. It would be 141 limiting its value to enforce that one is proportional to the other. 142 This is why the current size of the DODAG is advertised separately in 143 the new option. 145 As explained in [I-D.ietf-6tisch-enrollment-enhanced-beacon], higher 146 values decrease the likelyhood of an unenrolled node sending 147 enrollment traffic via this path. 149 A network operator can set this value to the maximum value allowed, 150 effectively disable all new enrollment traffic. 152 1.1. Terminology 154 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 155 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 156 "OPTIONAL" in this document are to be interpreted as described in 157 BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all 158 capitals, as shown here. 160 2. Protocol Definition 162 The size of the DODAG is measured by the Root based one the DAO 163 activity. It represents a number of routes not a number of nodes, 164 and can only be used to infer a load in an homogeneous network where 165 each node advertises the same number of addresses and generates 166 roughly the same amount of traffic. The size may slightly change 167 between a DIO and the next, so the value transmitted must be 168 considered as an approxmation. 170 With this specification, the following option is defined for 171 transmission in the DIO issued by the DODAG root and it MUST be 172 propagated down the DODAG without modification. 174 A 6LR which would otherwise be willing to act as a _Join Proxy_, will 175 examine the minimum priority field, and to that number, add any 176 additional local consideration (such as upstream congestion). 178 The Enrollment Priority can only be increased by each 6LR in value, 179 to the maximum value of 0x7f. 181 The resulting priority, if less than 0x7f should enable the _Join 182 Proxy_ function. 184 0 1 2 3 185 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 186 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 187 | Type |Opt Length = 3 | exp | DODAG_Size | 188 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ 189 |R| min priority| 190 +-+-+-+-+-+-+-+-+ 192 Type To be assigned by IANA 193 exp a 4 bit unsigned integer, indicating the power of 2 that defines 194 the unit of the DODAG Size, such that (unit=2^exp). 196 DODAG_Size a 12 bit unsigned integer, expressing the size of the 197 DODAG in units that depend on the exp field. The size of the 198 DODAG is computed as (DAG_Size*2^exp). 200 min.priority a 7 bit field which provides a base value for the 201 Enhanced Beacon Join priority. A value of 0x7f (127) disables the 202 _Join Proxy_ function entirely. 204 R a reserved bit that SHOULD be set to 0 by senders, and MUST be 205 ignored by receivers. This reserved bit SHOULD be copied to 206 options created. 208 This document uses the extensions mechanism designed into [RFC6550]. 209 It does not need any mechanism to enable it. 211 Future work like [I-D.ietf-roll-capabilities] will enable collection 212 of capabilities such as this one in reports to the DODAG root. 214 2.1. Upwards compatibility 216 A 6LR which did not support this option would not act on it, or copy 217 it into it's DIO messages. Children and grandchildren nodes would 218 therefore not receive any telemetry via that path, and need to assume 219 a default value. 221 6LRs that support this option, but whose parent does not send it 222 SHOULD assume a value of 0x40 as their base value. The nodes then 223 adjust this base value based upon their observed congestion, emitting 224 their adjusted DIO value to their children. 226 A 6LR downstream of a 6LR where there was an interruption in the 227 telemetry could err in two directions: * if the value implied by the 228 base value of 0x40 was too low, then a 6LR might continue to attract 229 enrollment traffic when none should have been collected. This is a 230 stressor for the network, but this would also be what would occur 231 without this option at all. * if the value implied by the base value 232 of 0x40 was too high, then a 6LR might deflect enrollment traffic to 233 other parts of the DODAG tree, possibly refusing any enrollment 234 traffic at all. In order for this to happen, some significant 235 congestion must be seen in the sub-tree where the implied 0x40 was 236 introduced. The 0x40 is only the half-way point, so if such an 237 amount of congestion was present, then this sub-tree of the DODAG 238 simply winds up being more cautious than it needed to be. 240 It is possible that the temporal alternation of the above two 241 situations might introduce cycles of accepting and then rejecting 242 enrollment traffic. This is something an operator should consider if 243 when they incrementally deploy this option to an existing LLN. In 244 addition, an operator would be unable to turn off enrollment traffic 245 by sending a maximum value enrollment priority to the sub-tree. This 246 situation is unfortunate, but without this option, the the situation 247 would occur all over the DODAG, rather than just in the sub-tree 248 where the option was omitted. 250 3. Security Considerations 252 As per [RFC7416], RPL control frames either run over a secured layer 253 2, or use the [RFC6550] Secure DIO methods. This option can be 254 placed into either a "clear" (layer-2 secured) DIO, or a layer-3 255 Secure DIO. As such this option will have both integrity and 256 confidentiality mechanisms applied to it. 258 A malicious node (that was part of the RPL control plane) could see 259 these options and could, based upon the observed minimal enrollment 260 priority signal a confederate that it was a good time to send 261 malicious join traffic. 263 Such as a malicious node, being already part of the RPL control 264 plane, could also send DIOs with a different minimal enrollment 265 priority which would cause downstream mesh routers to change their 266 _Join Proxy_ behaviour. 268 Lower minimal priorities would cause downstream nodes to accept more 269 pledges than the network was expecting, and higher minimal priorities 270 cause the enrollment process to stall. 272 The use of layer-2 or layer-3 security for RPL control messages 273 prevents the above two attacks, by preventing malicious nodes from 274 becoming part of the control plane. A node that is attacked and has 275 malware placed on it creates vulnerabilities in the same way such an 276 attack on any node involved in Internet routing protocol does. The 277 rekeying provisions of [I-D.ietf-6tisch-minimal-security] exist to 278 permit an operator to remove such nodes from the network easily. 280 4. Privacy Considerations 282 There are no new privacy issues caused by this extension. 284 5. IANA Considerations 286 Allocate a new number TBD01 from Registry RPL Control Message 287 Options. This entry should be called Minimum Enrollment Priority. 289 6. Acknowledgements 291 This has been reviewed by Pascal Thubert and Thomas Wattenye. 293 7. References 295 7.1. Normative References 297 [I-D.ietf-6tisch-enrollment-enhanced-beacon] 298 Dujovne, D. and M. Richardson, "IEEE 802.15.4 Information 299 Element encapsulation of 6TiSCH Join and Enrollment 300 Information", Work in Progress, Internet-Draft, draft- 301 ietf-6tisch-enrollment-enhanced-beacon-14, 21 February 302 2020, . 305 [I-D.ietf-6tisch-minimal-security] 306 Vucinic, M., Simon, J., Pister, K., and M. Richardson, 307 "Constrained Join Protocol (CoJP) for 6TiSCH", Work in 308 Progress, Internet-Draft, draft-ietf-6tisch-minimal- 309 security-15, 10 December 2019, . 313 [ieee802154] 314 IEEE standard for Information Technology, ., "IEEE Std. 315 802.15.4, Part. 15.4: Wireless Medium Access Control (MAC) 316 and Physical Layer (PHY) Specifications for Low-Rate 317 Wireless Personal Area Networks", n.d., 318 . 321 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 322 Requirement Levels", BCP 14, RFC 2119, 323 DOI 10.17487/RFC2119, March 1997, 324 . 326 [RFC6550] Winter, T., Ed., Thubert, P., Ed., Brandt, A., Hui, J., 327 Kelsey, R., Levis, P., Pister, K., Struik, R., Vasseur, 328 JP., and R. Alexander, "RPL: IPv6 Routing Protocol for 329 Low-Power and Lossy Networks", RFC 6550, 330 DOI 10.17487/RFC6550, March 2012, 331 . 333 [RFC7416] Tsao, T., Alexander, R., Dohler, M., Daza, V., Lozano, A., 334 and M. Richardson, Ed., "A Security Threat Analysis for 335 the Routing Protocol for Low-Power and Lossy Networks 336 (RPLs)", RFC 7416, DOI 10.17487/RFC7416, January 2015, 337 . 339 [RFC7554] Watteyne, T., Ed., Palattella, M., and L. Grieco, "Using 340 IEEE 802.15.4e Time-Slotted Channel Hopping (TSCH) in the 341 Internet of Things (IoT): Problem Statement", RFC 7554, 342 DOI 10.17487/RFC7554, May 2015, 343 . 345 [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 346 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, 347 May 2017, . 349 7.2. Informative References 351 [I-D.ietf-6tisch-dtsecurity-secure-join] 352 Richardson, M., "6tisch Secure Join protocol", Work in 353 Progress, Internet-Draft, draft-ietf-6tisch-dtsecurity- 354 secure-join-01, 25 February 2017, . 358 [I-D.ietf-roll-capabilities] 359 Jadhav, R., Thubert, P., Richardson, M., and R. Sahoo, 360 "RPL Capabilities", Work in Progress, Internet-Draft, 361 draft-ietf-roll-capabilities-07, 17 September 2020, 362 . 365 Appendix A. Change history 367 version 00. 369 Authors' Addresses 371 Michael Richardson 372 Sandelman Software Works 374 Email: mcr+ietf@sandelman.ca 376 Rahul Arvind Jadhav 377 Huawei Tech 379 Email: rahul.ietf@gmail.com 380 Pascal Thubert 381 Cisco Systems 383 Email: pthubert@cisco.com 385 Huimin She 386 Cisco Systems 388 Email: hushe@cisco.com