Re: [Last-Call] Rtgdir last call review of draft-ietf-roll-turnon-rfc8138-10

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello Stewart

 

Many thanks for your review! I will need your help and suggestion to progress on your major point below.

 

 

>    In particular it is not the

>    intention to undo the setting of the "T" flag.  Though it is possible

>    to roll back (see Section 5.3), adding nodes that do not support

>    [RFC8138] after a roll back may be problematic if the roll back did

>    not fully complete.

 

> SB> I see this as quite problematic. There are a number of reasons why

> SB> you might need to roll back: network merging, legacy nodes, bugs in the

> implementation. I would think that you needed to be able to go backwards

> and forwards, without difficulty and yet you give the impression that it really

> is a one-way trip. I think that could be operationally problematic.

 

We have to look at where we come form and where we're going.

 

1) RPL is used in very large networks, e.g., smart grid with (tens of) thousands of nodes. RFC 8138 was concerned with the technology not the deployment. As written it requires a flag day. Now, this is really, really operationally problematic in the above networks.

=> We're looking for a feasible improvement to enable RFC 8138 in a brown field.

 

2) RFC 8138 will me a mandated function in RPLv2, MOP >= 7, and the flag will be implicitly on at that time. RPLv2 will have capability exchanges. The work has started (draft-ietf-roll-capabilities). But it is complex, not something we can retrofit in RPLv1 like this flag. Think about doing something like the diffusion algorithm but on unreliable links, and with possibly a number of nodes that are dead or unreachable for a while. As it goes, we will not need a capability for RFC 8138 since it is an implicit part of being RPLv2.

=> we are looking for a simple and short term solution for RPLv1, not a toggle that will be used repeatedly, not a capability that will remain exposed forever.

 

Now, we all know of short term solutions that kept existing for many years, so I agree with the desire to be cautious and do whatever to allow roll back. Any suggestion from your part will be appreciated, let's see below

 

> ========

>

> A node

>    that cannot do so may remain connected to the network as a RUL, but

>    how the node is modified to turn into a RUL is out of scope.

> SB> That is quite worrying in practical deployments that this is not specified.

 

Well it is elsewhere, suggestion to turn this into:

 

"A node that cannot do so may remain connected to the network as a RUL

as described in [draft-ietf-roll-unaware-leaves]."

 

 

> =======

>

>    To ensure that a packet is forwarded across the RPL DODAG in the form

>    in which it was generated, it is required that all the RPL nodes

>    support [RFC8138] at the time of the switch.

> SB> I am not sure if it is possible to implement the feature, but a safe

> implementation would have them report that they support it and use that to

> inhibit the setting of the T bit.

 

Absolutely. We initially considered the upcoming capabilities work for that, but that's too complicated for a retrofit.

So we defer to network management. A managed deployment needs to manage the level of software of the devices I the network, and upgrade them.

So we came up with this text:

"

     The idea is to use the flag to maintain the compression inactive during

      the migration phase. When the migration is complete (e.g., as known by

      network management and/or inventory), the flag is set and the compression

      is globally activated in the whole DODAG.

"

Should we add something?

 

 

> ========

>    When turning [RFC8138] compression off in the network, the Network

>    Administrator MUST wait until all nodes have converged to the "T"

>    flag reset before allowing nodes that do not support the compression

>    in the network.

> SB> How does it know that this has happened?

 

Then again we rely on network management.

Proposal to add the last sentence in the following paragraph in section

5.3.  Rolling Back

"

   When turning [RFC8138] compression off in the network, the Network

   Administrator MUST wait until all nodes have converged to the "T"

   flag reset before allowing nodes that do not support the compression

   in the network.  To that effect, whether the compression is active in

   a node SHOULD be exposed the node's management interface.

"

 

 

>

> =========

>

> 7.  Security Considerations

>

>    First of all, it is worth noting that with [RFC6550], every node in

>    the LLN that is RPL-aware can inject any RPL-based attack in the

>    network.  A trust model has to be put in place in an effort to

>    exclude rogue nodes from participating to the RPL and the 6LoWPAN

>    signaling, as well as from the data packet exchange.  This trust

>    model could be at a minimum based on a Layer-2 Secure joining and the

>    Link-Layer security.  This is a generic RPL and 6LoWPAN requirement,

>    see Req5.1 in Appendix of [RFC8505].

> SB> I am surprised there is not a MUST in the above considering the

> vulnerability.

True, changing to

"

A trust model is REQUIRED in an effort to exclude rogue nodes...

"

 

>

> ======

>

>    An attacker in the middle of the network may reset the "T" flag to

>    cause extra energy spending in its subDAG.  Conversely it may set the

>    "T" flag, so that nodes located downstream would compress when that

>    it is not desired, potentially resulting in the loss of packets.  In

>    a tree structure, the attacker would be in position to drop the

>    packets from and to the attacked nodes.  So the attacks above would

>    be more complex and more visible than simply dropping selected

>    packets.  The downstream node may have other parents and see both

>    settings, which could raise attention.

> SB> I am worried that there are no real mitigations to this. The attack

> SB> may be a bug.

 

True enough. Setting the bits in a mixed network is what hurts most since otherwise all we are getting is uncompressed packets when they could be compressed. I'm trying to figure a mitigation but do not see one without a lot of additional complexity. But as you say that's a bug that needs to be found and fixed.

For in path attacks, the attacker that passed the link layer security can do that and a lot more.

 

 

>

> =========

>

> Minor Issues

>

>    The suggested bit position of the "T" flag is indicated in Section 6.

> SB> I know that you need to go through the IANA process, but future

> SB> readers will find the text a lot easier to follow if the bit is

> SB> included in Fig 1 above.

 

True. There are other specs competing for flags, see https://tools.ietf.org/html/draft-ietf-roll-useofrplinfo-40 so I wanted to make sure IANA would grant the proposed bit. Just got confirm from IANA and modified as follows (sorry if renders inadequately with your font:

 

0                   1                   2                   3

0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

|   Type = 0x04 |Opt Length = 14| | |T| |A|       ...           |

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+                     +

|                               <- Flags ->       ...           |

 

 

> SB> Presumably the base spec sends with the T bit clear and thus the

> SB> feature is disabled. It might not hurt to remind the reader of this

> SB> as it is what gives you the backwards compatibility.

 

Yes. Proposed change (now that IANA conformed position 2 for us):

"

   This specification defines a new flag "Enable RFC8138 Compression"

   (T).  The "T" flag is set to turn-on the use of the compression of

   RPL artifacts with [RFC8138] within the DODAG.  The new "T" flag is

   encoded in position 2 of the reserved Flags field in the RPL DODAG

   Configuration Option, and set to 0 in legacy implementations as

   specified in Section 6.7.6 of [RFC6550].

"

 

> ========

>

>    A router MUST uncompress a packet that is to be forwarded to an

>    external target.

> SB> Is there not a config option to retain compression to a consenting

> SB> external party?

 

We had one that we removed very recently to simplify the code.

Point is, RFC 8138 is very specific to compress RPL artifacts, so it makes sense within a RPL domain but not that much outside. For instance, the compression requires a knowledge of the RPL Root as a compression reference of the prefix.

 

> ========

>

> 6.  IANA Considerations

>

> It would be clearer if there were an IANA/Editor request to also edit Fig 1

 

Since I made the edition, I added commented text indicating that if the flag position is changed then fig 1 and the text below are impacted.

>

> ========

>

> Nits/Editorials

>

> Otherwise, a non-capable node acting as leaf-only would fail to

> SB> would be clearer as non-RPL-capable

 

Actually the referred capability was the compression. Reworded the section as

"

   The packet compression technique defined in [RFC8138] can only be

   activated in a RPL [RFC6550] network when all the nodes support it.

   Otherwise, if acting as a leaf, a node that does not support the

   compression would fail to communicate; if acting as a router it would

   drop the compressed packets and black-hole a portion of the network.

"

 

 

> ========

>

>    communicate, and acting as a router it would drop the compressed

> SB> Perhaps:  and if acting

 

Incorporated in the above change.

 

> ========

>

>    The idea is to use the flag to maintain the compression inactive

> SB> Perhaps : The flag is cleared to maintain the compression inactive

> SB> state

Done

 

> =========

>

>    A node SHOULD source packets in the compressed form using [RFC8138]

> SB> source or send?

 

What about generate? We mean, as opposed to forward, afraid that send could be confusing.

 

 

 

> ==========

>

>    The decision of using [RFC8138] is made by the originator of the

> SB> the decision to use

Done

 

> ==========

>

> A router that encapsulates a packet is the

>    originator of the resulting packet and is responsible to compress the

SB> for compressing

 

Done

 

> ==========

>

> In most cases, packets from and to an external target are

> SB> "to and from" is more conventional English

 

Done

 

> ==========

>

> Enabling the [RFC8138] compression

>    without a turn-on signaling requires a "flag day"; all nodes must be

>    upgraded, and then the network can be rebooted with the [RFC8138]

>    compression turned on.

>

> SB> I am not sure my English is any better below, but the text could use

> SB> a

> little polish

 

My Polish is even worse than my English...

 

>

> Enabling the [RFC8138] compression without a turn-on signaling method

> requires a "flag day"; by which time all nodes must be upgraded, and at which

> point the network can be rebooted with the [RFC8138] compression turned on.

>

 

I picked your formulation, many thanks : )

 

The temporary changes for the proposed modifications are visible here:

https://github.com/roll-wg/roll-turnon-rfc8138/commit/2be6077441ecb3cdb3fba33303413c57fc9a78a8

 

Please let me know if we need more work here.

 

Again, many thanks Stewart!

 

Keep safe,

 

Pascal

 

 

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux