At the interim today, we discussed the need for tagging join traffic at the Join Proxy (JP). The problem is that the JP forwards into the network traffic that originates from untrusted pledges, which can cause the exchange of 6P commands at intermediate nodes on the path from the JP to the 6LBR.

A malicious pledge is therefore able to affect the scheduling of intermediate nodes in the network, which could potentially result in resource exhaustion. A bandwidth cap at the JP, which is currently recommended in the minimal-security draft, limits but doesn't completely solve the problem. An attacker with access to multiple JPs could inject enough traffic to disturb the network.

Pascal proposed using the ToS bits in the IPv6 header to tag join traffic. As part of the JP behavior in the minimal-security draft, we would specify that each forwarded packet must be tagged. Then, it would be up to individual SFs to determine what to do with this traffic.

Thoughts?

Mališa

_______________________________________________
6tisch mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/6tisch
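The mechanism discussed in the message, shown as an added example (this is not code from the post, the minimal-security draft, or any 6TiSCH implementation): a JP-side function that overwrites the DSCP (the upper six bits of the IPv6 Traffic Class, i.e. the "ToS bits") of every packet forwarded on behalf of a pledge while preserving the ECN bits and flow label, and a toy SF-side accounting class that excludes tagged bytes when deciding how many cells to add, so a flood from pledges cannot trigger 6P ADD requests on intermediate nodes. The post only says "ToS bits"; the specific code point used here (AF43, 0b100110) and the cell-demand model are assumptions, and the packets and addresses are constructed inline.

```python
"""Tag join traffic at the JP via the IPv6 DSCP and ignore it in an SF's cell-demand logic."""
import struct

IPV6_HDR_LEN = 40

# Illustrative code point for join traffic. The post only proposes "ToS bits";
# the exact value (AF43 = 0b100110) is an assumption made for this example.
JOIN_DSCP = 0b100110


def build_ipv6(payload: bytes, *, src: bytes, dst: bytes, next_header: int = 17,
               hop_limit: int = 64, traffic_class: int = 0, flow_label: int = 0) -> bytes:
    """Serialize a minimal IPv6 header followed by payload (constructed test input)."""
    first_word = (6 << 28) | ((traffic_class & 0xFF) << 20) | (flow_label & 0xFFFFF)
    return struct.pack("!IHBB16s16s", first_word, len(payload), next_header,
                       hop_limit, src, dst) + payload


def _first_word(pkt: bytes) -> int:
    """Version / Traffic Class / Flow Label word, after a sanity check on the packet."""
    if len(pkt) < IPV6_HDR_LEN or (pkt[0] >> 4) != 6:
        raise ValueError("not an IPv6 packet")
    return struct.unpack("!I", pkt[:4])[0]


def dscp(pkt: bytes) -> int:
    """Upper 6 bits of the 8-bit Traffic Class field."""
    return ((_first_word(pkt) >> 20) & 0xFF) >> 2


def ecn(pkt: bytes) -> int:
    """Lower 2 bits of the Traffic Class field; tagging must not clobber them."""
    return (_first_word(pkt) >> 20) & 0x3


def flow_label(pkt: bytes) -> int:
    """20-bit Flow Label; tagging must not touch it either."""
    return _first_word(pkt) & 0xFFFFF


def jp_tag_join_traffic(pkt: bytes, dscp_value: int = JOIN_DSCP) -> bytes:
    """What a JP would do to each packet it forwards for a pledge: set the DSCP,
    keep version, ECN, flow label and the rest of the packet unchanged."""
    word = _first_word(pkt)
    new_tc = ((dscp_value & 0x3F) << 2) | ((word >> 20) & 0x3)   # keep ECN bits
    word = (word & ~(0xFF << 20)) | (new_tc << 20)
    return struct.pack("!I", word) + pkt[4:]


class JoinAwareCellDemand:
    """Toy stand-in (assumption) for the part of an SF that turns observed
    traffic toward a neighbor into a decision to add cells. Join-tagged bytes
    are counted separately and never justify a 6P ADD."""

    def __init__(self, cell_bytes: int = 100):
        self.cell_bytes = cell_bytes   # bytes of demand that justify one cell
        self.regular_bytes = 0
        self.join_bytes = 0

    def observe(self, pkt: bytes) -> None:
        if dscp(pkt) == JOIN_DSCP:
            self.join_bytes += len(pkt)
        else:
            self.regular_bytes += len(pkt)

    def cells_to_add(self) -> int:
        """Cells justified by non-join traffic only."""
        return self.regular_bytes // self.cell_bytes


if __name__ == "__main__":
    pledge_pkt = build_ipv6(b"join-req", src=b"\x01" * 16, dst=b"\x02" * 16,
                            traffic_class=0x01, flow_label=0xABCDE)
    forwarded = jp_tag_join_traffic(pledge_pkt)
    print("DSCP before/after:", dscp(pledge_pkt), dscp(forwarded), "ECN kept:", ecn(forwarded))
    sf = JoinAwareCellDemand()
    for _ in range(50):          # a pledge flooding through the JP
        sf.observe(forwarded)
    print("cells to add after join flood:", sf.cells_to_add())
```

The important detail for the JP is the mask: only the six DSCP bits are rewritten, so ECN marks from the pledge-side link and the flow label survive, and the rest of the header and payload are passed through untouched. On the SF side, this is one possible policy (ignore tagged traffic when sizing cells); another SF might instead rate-limit tagged bytes per JP, which would be the natural place to combine the tag with the existing bandwidth cap.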
