Re: [6tisch] Iotdir early review of draft-ietf-6tisch-6top-protocol-09

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Dear Alex,

Thanks so much for your constructive review. Let us answer inline your comments (XV:). We are taking them into account in the new draft version that will be published before the cut-off date.

regards
Xavi
----
Reviewer: Alexander Pelov
Review result: Ready with Issues

Hello all,

This is the review for the IoT Directorate.

Document: draft-ietf-6tisch-6top-protocol-09
Reviewer: Alexander Pelov
Date: 22 February 2018

The general feeling of the reviewer is that the document is a solid work.
Multiple examples are given and the document is easy to understand as a whole.
There are some nits, and some text that need to be clarifier.

The general feeling of the reviewer is that the document relies heavily on the
definition of an external Scheduling Function (SF). The recommended values seem
very reasonable to the reviewer and it is not clear what is the benefit of
anticipating that an SF can override the semantics of most of the fields. For
example, most of the fields are opaque to the 6P sublayer and only make sense
to the SF : CellOptions, Metadata, CellList. For one, in Wireshark, there will
be the need for separate disector for each SF.

XV: we aimed to support particular needs of an SF. For example the Metadata field can be used to indicate to what Slotframe Handle the 6P operation should be applied. However we think as well that a large set of SFs will use the fields as defined by 6P (celllist) for example.

A final point here is that there seem to be no readily available polished SF
that would help in the understanding of the concepts beyond what is already on
the 6P draft. 

XV: We think the MSF (https://tools.ietf.org/html/draft-chang-6tisch-msf-00) clearly maps to the requirements from 6P.


 For example, the SF0 draft (draft-ietf-6tisch-6top-sfx-00)
redefines quite heavily the behavior of CellList introducing notion of
WhiteList and BlackList of cells. The reviewer is aware that these are distinct
works, but it feels that there should be a minimum level of interoperability,
where an upper layer does not completely redefine what is happening on lower
layers. Having extension mechanisms may seem like a better way to solve
richness of proposals if this is necessary.

XV: We agree on that. We think however that most SFs can be developed without redefining the 6P fields. Note also that the SIGNAL command is designed to that aim. i.e., an SF issues SIGNALS which are opaque to 6P internals in order to transmit information to the other Node SF.

One point which remained unclear is how do the Minimal 6TiSCH and 6P interact?
It could be useful to provide a description on the bootstrap of 6P interaction
(how does a sender A initiate the first 6P Request - over Minimal
6TiSCH-managed cell?).

XV: This is detailed in the MSF draft for example. 6P defines the messaging structure and protocol interaction but does not define a particular behaviour.
The SF is the responsible of defining the behaviour at boot, what cells are used and how new cells are added. 6P Provides the l2 transport semantics for the 
SF to operate. 

 
How do they enter in play in case of de-synchronisation
? (e.g. A rescheduling all 6P cells, but B not getting the final L2 ACK, which
puts A's 6P cells on a completely different schedule than B's.. so B can't
signal back transaction rollback / CLEAR). Is this solved by 6TiSCH minimal or
through a different mechanism?

The Security section could be enriched. A notable example is the handling of
resource reservation, which could lead to DOS attacks.

XV: this has been clarified thanks to another reviewer comment. 
- - - - - - - - - - - - - - -

Section 3.2.3:
6P CellOptions - ends with the statement that it is an "Opaque set of bits",
which MAY be redefined by the SF (format, meaning). As pointed out earlier, if
there is a need to redefine this for each SF, maybe there are other ways of
defining such flexibility (e.g. TLVs).

XV: We enable an SF to redefine that field but we do not expect that most of the SFs redefine it. 

The table in Figure 7 provides the recommended meaning of the bitmap for 6P
COUNT and 6P LIST. What is the recommended meaning for 6P ADD/DELETE/RELOCATE?

XV: thanks, we clarify this in the text. We added Figure 8 with a table describing the 
behaviour of 6P when the different cellOPtions are present in ADD/DELETE/RELOCATE requests.

Nits: there seems to be errors in Figure 7: examples of "all cells are marked
as RX" and "all cells are marked as TX" seem inverted (same for TX=1,RX=0,S=1
and TX=0,RX=1,S=1).

XV: no, this is correct :). The request is issued by node A, saying for example COUNT TX cells to B. B responds with the list of cells marked as RX in its schedule for neighbor A. (as in A they are marked as TX).

- - - - - - - - - - - - - - -

Section 3.3.1:
How does the sender/receiver know the size of CellList? (infer from packet
size?)

XV: the IE header contains the size of the 6top IE. The header field sizes are known and hence the celllist length can be determined from that. 


The candidate cells (a total of NumCandidate) are presumably provided by the
SF. However, it is up to 6P to handle the case when they do not fit in the
packet size. The text specifies that this should be handled in more than one 6P
ADD requests - which is OK on the conceptual level, but seems underspecified
for an implementation. 

What if NumCells is smaller than the number of candidate
cells that can fit in a single transaction - should they be also split in two
transactions?

XV: NumCells tells how many cells need to be added/deleted/relocated. I think you refer to the 6P list command instead. 
In a 6P LIST Command we use MaxNumCells which indicate an upper bound of the cells to be listed (lique in SQL when we do LIMIT).
If in a 6p LIST the number of returned cells is smaller than MaxNumCells, then the issuer may send another LIST with an specific 
offset (e.g the number of cells received) in order to get the remaining cells. 
This is how "pagination works" indeed.


 What happens if the first 6P ADD is successful, but the second
one fails? Should the sender 6P DELETE the successfully added first batch of
cells?

XV:If you refer to an ADD Request where numcells is larger than the number of cells that fit in a packet, then this should be handled by the SF, splitting the request
in multiple ADD operations. If one fails a node can retray later.  


Can allocation of 0 cells be considered as partial success?

NOALLOC return code is not defined.

XV: Why someone wants to do a 0 cell ADD request? I think that the response in this case can be RC_SUCCESS, indicating that 0 cells have been scheduled.

- - - - - - - - - - - - - - -

Section 3.3.3.
Figure 17 - it seems counterintuitive to have RC_SUCCESS on failed relocation.
Could NOALLOC be used in this case?

XV: We had long discussions about this while we wrote the specification. Our consensus was that the return code indicates that the 6P transaction worked (RC_SUCCESS)
and that the celllist length tells us the result in terms of cells relocated. So no strong arguments in both sides I guess but we agreed to take that approach.

In both Relocation and Allocation 3-step 6P transaction there is the risk of a
security attack. If a malicious node constantly renews 3-step requests and
never acknowledges, the neighboring node will be keeping the proposed cells as
"reserved" and not allocate them to other nodes, thus provoding a DOS attack.
Probably a way to limit repeated requests could be useful for this case.

XV: We know that any 3-step transaction/protocol can be subject to a DoS attack as long as one of the messages is 
not replayed (same happens with TCP handshake attacks). We do not want to introduce policies to handle that for a particular 
situation but we think that this needs to be clarified in the security considerations section. 
To this aim we indicated the following: 
We added a consideration in the security section. 

The 6P protocol does not provide protection against DOS attacks. This is relevant in 3-step transactions when a confirmation message could not be sent
in purpose by the attacker. Such situations SHOULD be handled by an appropiate policy such as blacklisting the attacker after several attempts.
Other DoS attacks are possible by sending unmeaningful requests to nodes. The effect to the overall network can be minimal as communication between attacked node
and attacker happen in dedicated cells. DoS then only limits that cells. Yet, this can be avoided by blacklisting the node after several attempts. When to blacklist 
is policy specific and SHOULD be addressed by the SF. 

- - - - - - - - - - - - - - -

Section 3.3.5.
"To retrieve the list of scheduled cells at B" - all cells scheduled at B? Or
the cells scheduled for A? (could be clarified)

XV: We rephrased like this:
 To retrieve a list of scheduled cells at B, node A issues a 6P LIST command.
 

Nits: Node B MAY returns -> Node B MAY return
XV: Thanks. we fixed that.

- - - - - - - - - - - - - - -

Section 3.3.6.
There may be two parallel transactions: 1) A->B and 2) B->A. If a 6P CLEAR is
issued on one, how does this affect the other? (presumably clear both?)

XV: A transaction is not applied until the transaction is committed, this is the Confirmation message is received on one side and the L2 ACK is received at the other side.
In a particular slot a node may be only receiving or sending a packet at a time and hence this B->A A->B transaction cannot happen unless they use 2 radios.
In case of using 2 radios this may lead to an inconsistency in the schedules that will be resolved in the next message thanks to the SeqNum set to 0 in the side that cleared.
 
How does this affect separate SF? If there is a state kept by each SF, are all
SFs cleared? Are statistics also cleared for SFs? (probably SF-dependent, out
of the scope)

XV: the commands use an SFID that maps the action to a particular SF. Hence if a clear happens in the cells scheduled by one SF other cells scheduled by another SF won't be affected.

- - - - - - - - - - - - - - -

Section 3.4.6.
Figure 27: "Clear or Reset" - Reset could be ambiguous (device has restarted vs
transaction failed, RC_RESET)

XV: We clarified with:
Clear or After device Reset

- - - - - - - - - - - - - - -

Section 6.2.5.
Consider having Specification required for the range SFID 128-255.
XV: Expert review is a well understood term.

- - - - - - - - - - - - - - -

Section 6.2.4.
It would have seem more readable to have RC_ERR_ prefix for errors. It may not
be outright evident that RC_CELLLIST or RC_VERSION is an error.

XV:Thanks for this comment. We renamed them as indicated.
- - - - - - - - - - - - - - -

Overall a rich document, with probably some minor changes to be made.

Best,
Alexander


2018-02-23 1:35 GMT+01:00 Alexander Pelov <a@xxxxxxx>:
Reviewer: Alexander Pelov
Review result: Ready with Issues

Hello all,

This is the review for the IoT Directorate.

Document: draft-ietf-6tisch-6top-protocol-09
Reviewer: Alexander Pelov
Date: 22 February 2018

The general feeling of the reviewer is that the document is a solid work.
Multiple examples are given and the document is easy to understand as a whole.
There are some nits, and some text that need to be clarifier.

The general feeling of the reviewer is that the document relies heavily on the
definition of an external Scheduling Function (SF). The recommended values seem
very reasonable to the reviewer and it is not clear what is the benefit of
anticipating that an SF can override the semantics of most of the fields. For
example, most of the fields are opaque to the 6P sublayer and only make sense
to the SF : CellOptions, Metadata, CellList. For one, in Wireshark, there will
be the need for separate disector for each SF.

A final point here is that there seem to be no readily available polished SF
that would help in the understanding of the concepts beyond what is already on
the 6P draft.  For example, the SF0 draft (draft-ietf-6tisch-6top-sfx-00)
redefines quite heavily the behavior of CellList introducing notion of
WhiteList and BlackList of cells. The reviewer is aware that these are distinct
works, but it feels that there should be a minimum level of interoperability,
where an upper layer does not completely redefine what is happening on lower
layers. Having extension mechanisms may seem like a better way to solve
richness of proposals if this is necessary.

One point which remained unclear is how do the Minimal 6TiSCH and 6P interact?
It could be useful to provide a description on the bootstrap of 6P interaction
(how does a sender A initiate the first 6P Request - over Minimal
6TiSCH-managed cell?). How do they enter in play in case of de-synchronisation
? (e.g. A rescheduling all 6P cells, but B not getting the final L2 ACK, which
puts A's 6P cells on a completely different schedule than B's.. so B can't
signal back transaction rollback / CLEAR). Is this solved by 6TiSCH minimal or
through a different mechanism?

The Security section could be enriched. A notable example is the handling of
resource reservation, which could lead to DOS attacks.

- - - - - - - - - - - - - - -

Section 3.2.3:
6P CellOptions - ends with the statement that it is an "Opaque set of bits",
which MAY be redefined by the SF (format, meaning). As pointed out earlier, if
there is a need to redefine this for each SF, maybe there are other ways of
defining such flexibility (e.g. TLVs).

The table in Figure 7 provides the recommended meaning of the bitmap for 6P
COUNT and 6P LIST. What is the recommended meaning for 6P ADD/DELETE/RELOCATE?

Nits: there seems to be errors in Figure 7: examples of "all cells are marked
as RX" and "all cells are marked as TX" seem inverted (same for TX=1,RX=0,S=1
and TX=0,RX=1,S=1).

- - - - - - - - - - - - - - -

Section 3.3.1:
How does the sender/receiver know the size of CellList? (infer from packet
size?)

The candidate cells (a total of NumCandidate) are presumably provided by the
SF. However, it is up to 6P to handle the case when they do not fit in the
packet size. The text specifies that this should be handled in more than one 6P
ADD requests - which is OK on the conceptual level, but seems underspecified
for an implementation. What if NumCells is smaller than the number of candidate
cells that can fit in a single transaction - should they be also split in two
transactions? What happens if the first 6P ADD is successful, but the second
one fails? Should the sender 6P DELETE the successfully added first batch of
cells?

Can allocation of 0 cells be considered as partial success?

NOALLOC return code is not defined.

- - - - - - - - - - - - - - -

Section 3.3.3.
Figure 17 - it seems counterintuitive to have RC_SUCCESS on failed relocation.
Could NOALLOC be used in this case?

In both Relocation and Allocation 3-step 6P transaction there is the risk of a
security attack. If a malicious node constantly renews 3-step requests and
never acknowledges, the neighboring node will be keeping the proposed cells as
"reserved" and not allocate them to other nodes, thus provoding a DOS attack.
Probably a way to limit repeated requests could be useful for this case.

- - - - - - - - - - - - - - -

Section 3.3.5.
"To retrieve the list of scheduled cells at B" - all cells scheduled at B? Or
the cells scheduled for A? (could be clarified)

Nits: Node B MAY returns -> Node B MAY return

- - - - - - - - - - - - - - -

Section 3.3.6.
There may be two parallel transactions: 1) A->B and 2) B->A. If a 6P CLEAR is
issued on one, how does this affect the other? (presumably clear both?)

How does this affect separate SF? If there is a state kept by each SF, are all
SFs cleared? Are statistics also cleared for SFs? (probably SF-dependent, out
of the scope)

- - - - - - - - - - - - - - -

Section 3.4.6.
Figure 27: "Clear or Reset" - Reset could be ambiguous (device has restarted vs
transaction failed, RC_RESET)

- - - - - - - - - - - - - - -

Section 6.2.5.
Consider having Specification required for the range SFID 128-255.

- - - - - - - - - - - - - - -

Section 6.2.4.
It would have seem more readable to have RC_ERR_ prefix for errors. It may not
be outright evident that RC_CELLLIST or RC_VERSION is an error.

- - - - - - - - - - - - - - -

Overall a rich document, with probably some minor changes to be made.

Best,
Alexander


_______________________________________________
6tisch mailing list
6tisch@xxxxxxxx
https://www.ietf.org/mailman/listinfo/6tisch



--
Dr. Xavier Vilajosana
Wireless Networks Lab
Internet Interdisciplinary Institute (IN3)
Professor

(+34) 646 633 681
xvilajosana@uoc.edu
http://xvilajosana.org
http://wine.rdi.uoc.edu
Parc Mediterrani de la Tecnologia 
Av Carl Friedrich Gauss 5, B3 Building
08860 Castelldefels (Barcelona). Catalonia. Spain
Universitat Oberta de Catalunya  
­

[Index of Archives]     [IETF Annoucements]     [IETF]     [IP Storage]     [Yosemite News]     [Linux SCTP]     [Linux Newbies]     [Mhonarc]     [Fedora Users]

  Powered by Linux