Mališa Vučinić writes: > Pascal, > > Before the pledge selects a JP, the text from RFC8180 that is relevant seems > to be (Section > 6.2): > > When a node joins a network, it may hear EBs sent by different nodes > already in the network. The decision of which neighbor to > synchronize to (e.g., which neighbor becomes the node's initial time- > source neighbor) is implementation specific. For example, after > having received the first EB, a node MAY listen for at most > MAX_EB_DELAY seconds until it has received EBs from > NUM_NEIGHBOURS_TO_WAIT distinct neighbors. Recommended values for > MAX_EB_DELAY and NUM_NEIGHBOURS_TO_WAIT are defined in Figure 5. > When receiving EBs from distinct neighbors, the node MAY use the Join > Metric field in each EB to select the initial time-source neighbor, > as described in Section 6.3.6 of IEEE Std 802.15.4 [IEEE.802.15.4]. > > To me, this text is ambiguous on whether the pledge should duty > cycle its radio according to the schedule found in the first > received EB.
When I asked this from 802.15.4 experts they said that normally nodes start listening on channel 1 and stays there for some time, and then move to channel 2 and so on, but usually only limits themselfs to first n channels, as going through all channels to find beacons takes very long time. Normal parameters means that 10 ms * 100 slots = shared slot every second on some channel, with EB_PERIOD of 3 or so, means there will be beacon every 3 seconds, and with 16 channels there will be beacon on channel 1 every 48 seconds. If we would want the system to work even if we miss two beacons then we would need to stay on channel 1 for 144 seconds to be sure that there is no beacons there. Then we would move to channel 2, and repeat. To repeat this process for 16 channels takes 38 minutes... The reason we might not hear anything from channel 1 is because it might be omitted from the hopping sequence as there might be interference on it. Thats why you need to try more than one channel, but there is no need to listen all 16 channels, as if most of the channels have too much interference to cause them not be used, then that network is no longer functional... > In case the pledge does not duty cycle its radio upon receiving the > first EB that happens to be a replay, the attacker cannot really > desync the pledge due to its radio being on 100% of the time waiting > for additional beacons. I think pledge should never do that. It should always stay for same few channels when finding beacons as otherwise attacker sending beacon to pledge can throw it completely out of sync, and single packet can cause join to fail. > Eventually, as Michael noted, one fresh EB will arrive from a > legitimate node with a higher ASN, at which point it becomes > critical for the pledge to select the JP with the largest available > ASN for a given advertised PAN ID. I believe this text deserves > expanded discussion in the Security Considerations of > minimal-security but I am not convinced on the need for a special > mechanism to exchange/sign the ASN. This only works if pedge stays on the same channel while listening beacons, otherwise it will never hear any other beacons after it received attackers beacon (which attacker can send all the time, making sure this is the beacon pledge will hear, and attacker can send it on first channel always, as that is most likely where the pledge starts listening first. But yes, listening on the same channel for multiple beacons, after you hear first one should be ok, with EB_PERIOD of 3 you should get another beacon 48 seconds later, so if you stay for that channel for 180 seconds you should 3-4 beacons. -- [email protected] _______________________________________________ 6tisch mailing list [email protected] https://www.ietf.org/mailman/listinfo/6tisch
