<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM 'rfc2629.dtd'[
<!ENTITY RFC2119 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC3411 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3411.xml">
<!ENTITY RFC4944 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4944.xml">
<!ENTITY RFC5191 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5191.xml">
<!ENTITY RFC5246 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5246.xml">
<!ENTITY RFC5548 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5548.xml">
<!ENTITY RFC5673 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5673.xml">
<!ENTITY RFC5826 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5826.xml">
<!ENTITY RFC5867 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5867.xml">
<!ENTITY RFC6282 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6282.xml">
<!ENTITY RFC6345 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6345.xml">
<!ENTITY RFC6347 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6347.xml">
<!ENTITY RFC6550 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6550.xml">
<!ENTITY RFC6551 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6551.xml">
<!ENTITY RFC6554 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6554.xml">
<!ENTITY RFC6997 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6997.xml">
<!ENTITY I-D.ietf-6lo-lowpanz SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-6lo-lowpanz.xml">
<!ENTITY I-D.ietf-roll-trickle-mcast SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-roll-trickle-mcast.xml">
<!ENTITY I-D.ietf-roll-security-threats SYSTEM
"http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-roll-security-threats.xml">
<!ENTITY I-D.ietf-dice-profile SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-dice-profile.xml">
<!ENTITY I-D.keoh-dice-multicast-security SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.keoh-dice-multicast-security.xml">
<!ENTITY I-D.kumar-dice-dtls-relay SYSTEM
"http://xml.resource.org/public/rfc/bibxml3/reference.I-D.kumar-dice-dtls-relay.xml">
<!ENTITY I-D.ietf-core-groupcomm SYSTEM
"http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-core-groupcomm.xml">
<!ENTITY I-D.vanderstok-core-comi SYSTEM
"http://xml.resource.org/public/rfc/bibxml3/reference.I-D.vanderstok-core-comi.xml">
]>

<?rfc toc="yes" tocompact="yes" tocdepth="3" tocindent="yes" symrefs="yes" sortrefs="no" comments="yes" inline="yes" compact="yes" subcompact="no"?>
<?rfc symrefs="yes"?>
<rfc category="info" docName="draft-ietf-roll-applicability-home-building-03"
     ipr="trust200902">
  <front>
    <title abbrev="RPL in home and building">Applicability Statement:
    The use of the RPL protocol set in Home Automation and Building
    Control</title>

    <author fullname="Anders Brandt" initials="A." surname="Brandt">
      <organization>Sigma Designs</organization>

      <address>
        <email>abr@sdesigns.dk</email>
      </address>
    </author>

    <author fullname="Emmanuel Baccelli" initials="E." surname="Baccelli">
      <organization>INRIA</organization>

      <address>
        <email>Emmanuel.Baccelli@inria.fr</email>
      </address>
    </author>

    <author fullname="Robert Cragie" initials="R." surname="Cragie">
      <organization>Gridmerge</organization>

      <address>
        <email>robert.cragie@gridmerge.com</email>
      </address>
    </author>

    <author fullname="Peter van der Stok" initials="P." surname="van der Stok">
      <organization>Consultant</organization>

      <address>
        <email>consultancy@vanderstok.org</email>
      </address>
    </author>

    <date day="12" month="May" year="2014"/>

    <area>Routing Area</area>

    <workgroup>Roll</workgroup>

    <keyword>sensor network</keyword>

    <keyword>ad hoc network</keyword>

    <keyword>routing</keyword>

    <keyword>RPL</keyword>

    <keyword>applicability</keyword>

    <keyword>routing</keyword>

    <keyword>IP networks</keyword>

    <abstract>
      <t>The purpose of this document is to provide guidance in the selection
      and use of RPL protocols to implement the features required for control in building
      and home environments.</t>
    </abstract>
  </front>

  <middle>
    <section anchor="cid1" title="Introduction">

      <t>Home automation and building control application spaces share a
      substantial number of properties.		
<list style="symbols">
<t>Both (home and building) can be disconnected from the ISP and they will (must) continue to provide control to the occupants of the home c.q. building. This has an impact on routing because most control communication does (must) not pass via the border routers.</t>
<t> Both are confronted with unreliable links and want instant very reliable reactions. This has impact on routing because of timeliness and multipath routing. </t>
<t> The difference between the two mostly appears in the commissioning, maintenance and user interface which does not affect the routing.</t>
</list>
 So the focus of this applicability document is control in buildings and home, involving: reliability, timeliness, and local routing.
</t>
 <t>The purpose of this document is to
      give guidance in the use of the RPL protocol suite to provide the features required by
      the requirements documents "Home Automation Routing Requirements in
      Low-Power and Lossy Networks" <xref target="RFC5826"/> and "Building
      Automation Routing Requirements in Low-Power and Lossy Networks" <xref
      target="RFC5867"/>.</t>

<section title="Relationship to other documents">
<t>
ROLL has specified a set of routing protocols for Lossy and Low-
   resource Networks (LLN) <xref target="RFC6550"/>.  This applicability text describes
   a subset of these protocols and the conditions which make the subset
   the correct choice.  The text recommends and motivates the
   accompanying parameter value ranges.  Multiple applicability domains
   are recognized including: Building and Home, and Advanced Metering
   Infrastructure.  The applicability domains distinguish themselves in
   the way they are operated, their performance requirements, and the
   most probable network structures.  Each applicability statement
   identifies the distinguishing properties according to a common set of
   subjects described in as many sections.
</t><t>
   A common set of security threats are described in
   <xref target="I-D.ietf-roll-security-threats"/>.  The applicability statements
   complement the security threats document by describing preferred
   security settings and solutions within the applicability statement
   conditions.  This applicability statements may recommend more light
   weight security solutions and specify the conditions under which
   these solutions are appropriate.
</t>
</section>

 	<section title="Terminology">
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
        "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
        document are to be interpreted as described in <xref target="RFC2119"/>.</t>
	<t>Additionally, this document uses terminology from <xref target="RFC6997"/>, 
	<xref target="I-D.ietf-roll-trickle-mcast"/>, and <xref target="RFC6550"/>.
	</t>
      </section>


      <section title="Required Reading">
        <t>Applicable requirements are described in <xref target="RFC5826"/>
        and <xref target="RFC5867"/>.</t>
      </section>

      <section title="Out of scope requirements">
        <t>The considered network diameter is limited to a max diameter of 10
        hops and a typical diameter of 5 hops, which captures the most common
        cases in home automation and building control networks.</t>

        <t>This document does not consider the applicability of RPL-related
        specifications for urban and industrial applications <xref
        target="RFC5548"/>, <xref target="RFC5673"/>, which may exhibit
        significantly larger network diameters.</t>
      </section>
    </section>

    <section title="Deployment Scenario">
      <t>The use of communications networks in buildings is essential to satisfy the energy saving
      regulations. Environmental conditions of buildings can be adapted to suit the comfort of the individuals  present. Consequently when no one is present, energy consumption can be reduced.
      Cost is the main driving factor behind utilizing wireless networking in buildings.
      Especially for retrofit, wireless connectivity saves cabling costs.</t>

      <t>A typical home automation network is comprised of less than 100 nodes. Large
      building deployments may span 10,000 nodes but to ensure uninterrupted
      service of light and air conditioning systems in individual zones of the
      building, nodes are typically organized in sub-networks. Each sub-network in a
      building automation deployment typically contains tens to
      hundreds of nodes.</t>

      <t>The main purpose of the home or building automation network is to provide control over light and
      heating/cooling resources. User intervention may be enabled via wall
      controllers combined with movement, light and temperature sensors to
      enable automatic adjustment of window blinds, reduction of room
      temperature, etc. In general, the sensors and actuators in a home or building
	 typically have fixed physical locations and will remain in the 
	same home- or building automation network.</t>

      <t>People expect an immediate and reliable response to their presence or
      actions. A light not switching on after entry into a room may lead to
      confusion and a profound dissatisfaction with the lighting product.</t>

      <t>Monitoring of functional correctness is at least as important.
      Devices typically communicate their status regularly and send alarm messages
      notifying a malfunction of equipment or network.</t>

      <t>In building control, the infrastructure of the building management network can be shared with the security/access, the IP telephony, and the fire/alarm networks.  This approach has a positive impact on the operation and cost of the network; however, care should be taken to ensure that the availability of the building management network does not become compromised beyond the ability for critical functions to perform adequately.
</t><t>
In homes, the network for audio/video streaming and gaming has different requirements, where the most important one is the high need in bandwidth for entertainment not needed for control.  It is expected that the entertainment network in the home will mostly be separate from the control network, which also lessens the impact on availability of the control network</t>

      <section title="Network Topologies">
        <t>In general, The home automation network or building control network
        consists of wired and wireless sub-networks.
        In large buildings especially, the wireless sub-networks can be connected to an
        IP backbone network where all infrastructure services are located,
        such as DNS, automation servers, etc. 
</t><t>
The wireless sub-network can be configured according to any of the following topologies:
<list style="symbols">
<t> A stand-alone network of 10-100 nodes without border router. This typically occurs in the home with a stand-alone control network, in low cost buildings, and during installation of high end control systems in buildings. </t>
<t> A connected network with one border router. This configuration will happen in homes where home appliances are controlled from outside the home or via the telephone, and in many building control scenarios. </t>
<t> A connected network with multiple border routers. This will typically happen in installations of large buildings.</t>
</list>
Many of the nodes are baery-powered and may be sleeping nodes which wake-up according to clock signals or external events.</t>

        <t>In a building control network, for large installation with multiple border routers, sub-networks often overlap geographically
        and from a wireless coverage perspective. Due to two purposes of the
        network, (i) direct control and (ii) monitoring, there may exist two
        types of routing topologies in a given sub-network: (i) a tree-shaped
        collection of routes spanning from a central building controller via
        the border router, on to destination nodes in the sub-network; and/or
        (ii) a flat, un-directed collection of intra-network routes between
        functionally related nodes in the sub-network.</t>

        <t>The majority of nodes in home and building automation networks are typically
        devices with very low memory capacity, such as individual
        wall switches. Only a few nodes (such as multi-purpose remote
        controls) are more expensive devices, which can afford more memory
        capacity.</t>
      </section>

      <section title="Traffic Characteristics">
        <t>Traffic may enter the network originating from a central controller or it may
        originate from an intra-network node. The majority of traffic is
        light-weight point-to-point control style; e.g. Put-Ack or
        Get-Response. There are however exceptions. Bulk data transfer is used
        for firmware update and logging, where firmware updates enter the network
        and logs leave the network. Group communication is used for service
        discovery or to control groups of nodes, such as light fixtures.
</t><t>
        Often, there is a direct physical relation between a controlling sensor and the
        controlled equipment. For example the temperature sensor and thermostat are located in the same room sharing the same climate conditions. Consequently, the bulk of senders and receivers are separated
        by a distance that allows one-hop direct path communication. A graph
        of the communication will show several fully connected subsets of
        nodes. However, due to interference, multipath fading, reflection and
        other transmission mechanisms, the one-hop direct path may be
        temporally disconnected. For reliability purposes, it is therefore
        essential that alternative n-hop communication routes exist for quick
        error recovery. (See <xref target="com-fail"/> for motivation.)
</t><t> Looking over time periods of a day, the networks are
        very lightly loaded. However, bursts of traffic can be generated by
        pushing permanently the button of a remote control, the occurrence of a
        defect, and other unforeseen events. Under those conditions, the
        timeliness must nevertheless be maintained. Therefore, measures are
        necessary to remove any unnecessary traffic. Short routes are
        preferred. Long multi-hop routes via the border router, should be
        avoided whenever possible. 
</t><t>
	  Group communication is essential for
        lighting control. For example, once the presence of a person is
        detected in a given room, lighting control applies to that room only and no other
        lights should be dimmed, or switched on/off. In many cases,
	    this means that a multicast message with a 1-hop and 2-hop radius would
        suffice to control the required lights. The same argument holds for HVAC and other climate control devices. To reduce network load, it is
        advisable that messages to the lights in a room are not distributed
        any further in the mesh than necessary based on intended receivers.</t>

        <section anchor="SEC_General"
                 title="General">
          <t>Whilst air conditioning and other environmental-control
          applications may accept response delays of tens of seconds or longer, alarm and light
          control applications may be regarded as soft real-time systems. A
          slight delay is acceptable, but the perceived quality of service
          degrades significantly if response times exceed 250 msec. If the
          light does not turn on at short notice, a user may activate the
          controls again, thus causing a sequence of commands such as
          Light{on,off,on,off,..} or Volume{up,up,up,up,up,...}. In addition the repetitive sending of commands creates an unnecessary loading of the network, which in turn increases the bad responsiveness of the network.</t>

         
        </section>

        <section title="Source-sink (SS) communication paradigm">
          <t>This paradigm translates to many sources sending messages to the
	    same sink, sometimes reachable via the border router.
	    As such, source-sink (SS) traffic can be present in home and
          building networks. The traffic is generated by environmental sensors
	    (often present in a wireless sub-network)
          which push periodic readings to a central server. The readings may
          be used for pure logging, or more often, processed to adjust light, heating
          and ventilation. Alarm sensors also generate SS style traffic.
	    The central server in a home automation network will be connected mostly to a wired sub-network, although it is suspected that cloud services will become available.
	    The central server in a building automation network may be connected to a backbone or
	    be placed outside the building.</t>

          <t>With regards to message latency, most SS transmissions can
          tolerate worst-case delays measured in tens of seconds. Alarm
          sensors, however, represent an exception. Special provisions with 
	    respect to the location of the Alarm server(s) need to be put in place to respect the specified delays.</t>
        </section>

	  <section title="Publish-subscribe (PS, or pub/sub)) communication paradigm">
          <t>This paradigm translates to a number of devices expressing their interest
	    for a service provided by a server device. For example, a server device can be a sensor
	    delivering temperature readings on the basis of delivery criteria, like changes in acquisition value
	    or age of the latest acquisition. In building automation networks, this paradigm may be closely related
	    to the SS paradigm given that servers, which are connected to the backbone or outside the building,
	    can subscribe to data collectors that are present at
	    strategic places in the building automation network. The use of PS will probably
	    differ significantly from installation to installation.</t>
        </section>

        <section anchor="SEC_PeerToPeerCommunication"
                 title="Peer-to-peer (P2P) communication paradigm">
	    <t> This paradigm translates to a device transferring data to another device
	    often connected to the same sub-network.
          Peer-to-peer (P2P) traffic is a common traffic type in home
          automation networks. Some building automation networks also rely on P2P traffic while
          others send all control traffic to a local controller box for
          advanced scene and group control. The latter controller boxes can be connected
	    to service control boxes thus generating more SS or PS traffic.</t>

          <t>P2P traffic is typically generated by remote controls and wall
          controllers which push control messages directly to light or heat
          sources. P2P traffic has a strong requirement for low latency since
          P2P traffic often carries application messages that are invoked by
          humans. As mentioned in <xref target="SEC_General"/>
          application messages should be delivered within a few hundred milliseconds -
          even when connections fail momentarily.</t>
        </section>

        <section title="Peer-to-multipeer (P2MP) communication paradigm">
          
	    <t> This paradigm translates to a device sending a message as many times
	    as there are destination devices.
	    Peer-to-multipeer (P2MP) traffic is common in home and building automation
          networks. Often, a thermostat in a living room responds to temperature changes
          by sending temperature acquisitions to several fans and valves 
          consecutively.</t>
        </section>

	  <section title="N-cast communication paradigm">
          
	  <t>This paradigm translates to a device sending a message to many destinations in one network transfer invocation.
	   Multicast is well suited for lighting where a presence sensor sends 
	   a presence message to a set of lighting devices. Multicast increases the probability that
	   the message is delivered within the strict time constraints. The chosen multicast algorithm
	  (e.g. <xref target="I-D.ietf-roll-trickle-mcast"/>) assures that messages are delivered to ALL destinations.</t>
        </section>

        <section title="RPL applicability per communication paradigm">

	    <t> In the case of SS over a wireless sub-network to a server reachable via a border router,
	 	the use of RPL <xref target="RFC6550"/> is recommended. Given the low resources of
	    the devices, source routing will be used for messages from outside the wireless
	    sub-network to the destination in the wireless sub-network. No specific timing constraints
	    are associated with the SS type messages so network repair does not violate the operational constraints.
	    When no SS traffic takes place, it is recommended to load only RPL-P2P code into the network stack to satisfy memory
	    requirements by reducing code. </t>

	    <t>All P2P and P2MP traffic, taking place within a wireless sub-network, requires P2P-RPL <xref target="RFC6997"/>
		to assure responsiveness. Source and destination are typically close together
		to satisfy the living conditions of one room. Consequently, most P2P and P2MP traffic is 1-hop
		or 2-hop traffic. <xref target="RPL_shortcomings"/> explains why RPL-P2P is preferable to RPL for this
		type of communication. <xref target="com-fail"/> explains why reliability measures such as multi-path routing are necessary even when 1-hop communication dominates.</t>
	    
	    <t>Additional advantages of RPL-P2P for home and building automation networks are, for example:
		<list style="symbols">
		<t>Individual wall switches are typically inexpensive devices with
          extremely low memory capacities. Multi-purpose remote controls for
          use in a home environment typically have more memory but such
          devices are asleep when there is no user activity. RPL-P2P reactive
          discovery allows a node to wake up and find new routes within a few
          seconds while memory constrained nodes only have to keep routes to
          relevant targets.</t>
 
	    <t>The reactive discovery features of RPL-P2P ensure that commands
          are normally delivered within the 250 msec time window and when
          connectivity needs to be restored, it is typically completed within
          seconds. In most cases an alternative (earlier discovered) route will work. 
	    Thus, route rediscovery is not even necessary.</t>
<t>Broadcast storms as happening during road discovery for AODV is less disruptive for P2P-RPL. P2P-RPL has a "STOP" bit which is set by the target of a route discovery to notify all other nodes that no more DIOs should be forwarded for this temporary DAG. Something looking like a broadcast storm may happen when no target is responding. And in this case, the Trickle suppression mechanism kicks in; limiting the number of DIO forwards in dense networks. </t>

		</list>

 
	  Due to the limited memory of the majority of devices, RPL-P2P MUST be used with source routing in
        non-storing mode as explained in <xref target="sec-storing"/>.</t> 

         <t>N-cast over the wireless network will be done using multicast with MPL <xref target="I-D.ietf-roll-trickle-mcast"/>. Configuration constraints
	    that are necessary to meet reliability and timeliness with MPL are discussed in <xref target="sec-multicast"/>.
		</t>

        </section>
      </section>

      <section title="Layer-2 applicability">
        <t>This document applies to <xref target="IEEE802.15.4"/> and <xref
        target="G.9959"/> which are adapted to IPv6 by the adaption layers
        <xref target="RFC4944"/> and <xref target="I-D.ietf-6lo-lowpanz"/>.</t>

        <t>The above mentioned adaptation layers leverage on the
        compression capabilities of <xref target="RFC6554"/> and <xref
        target="RFC6282"/>. Header compression allows small IP packets to fit
        into a single layer 2 frame even when source routing is used. A
        network diameter limited to 5 hops helps to achieve this.</t>

        <t>Dropped packets are often experienced in the targeted environments.
        ICMP, UDP and even TCP flows may benefit from link layer unicast
        acknowledgments and retransmissions. Link layer unicast
        acknowledgments MUST be enabled when <xref target="IEEE802.15.4"/> or
        <xref target="G.9959"/> is used with RPL and RPL-P2P.</t>
      </section>
    </section>

    <section title="Using RPL to meet Functional Requirements">
      <t>RPL-P2P MUST be present in home automation and building control networks, as
      point-to-point style traffic is substantial and route repair needs to be
      completed within seconds. RPL-P2P provides a reactive mechanism for
      quick, efficient and root-independent route discovery/repair. The use
      of RPL-P2P furthermore allows data traffic to avoid having to go through
      a central region around the root of the tree, and drastically reduces
      path length <xref target="SOFT11"/> <xref target="INTEROP12"/>. These
      characteristics are desirable in home and building automation networks
      because they substantially decrease unnecessary network congestion
      around the root of the tree.</t>
	<t> When reliability is required, multiple independent paths are used with
	RPL-P2P. For 1-hop destinations this means that one 1-hop communication and
	a second 2-hop communication take place via a neighboring node. The same
	reliability can be achieved by using MPL where the seed is a repeater and
	a second repeater is 1 hop removed from the seed and the destination node.
	</t>
<t>RPL-P2P is recommended to keep two independent paths per destination in the source. When one path is temporarily impossible, as described in <xref target="com-fail"/>, the alternative can be used without throwing away the temporarily failing path. The blocked path can be safely thrown away after 15 minutes. A new route discovery is done when the number of paths is exhausted, or when a path needs to abandoned because it fails over a too long period.</t>

    </section>

    <section title="RPL Profile">
      <t>RPL-P2P MUST be used in home automation and building control networks. Non-storing mode
      allows for constrained memory in repeaters when source routing is used.
      Reactive discovery allows for low application response times even when
      on-the-fly route repair is needed.</t>

      <section title="RPL Features">

        <t> An important constraint on the application of RPL is the presence of sleeping nodes.
</t><t>
For example in the stand-alone network, the link layer node (master node, or coordinator)handing
        out the logical network identifier and unique node identifiers may be
        a remote control which returns to sleep once new nodes have been
        added. Due to the absence of the border router there may be no global routable prefixes at all. Likewise,
        there may be no authoritative always-on root node since there is no
        border router to host this function.</t>

        <t>In a network with a border router and many sleeping nodes, there may be battery powered
        sensors and wall controllers configured to contact other nodes in
        response to events and then return to sleep. Such nodes may never
        detect the announcement of new prefixes via multicast.</t>

        <t>In each of the above mentioned constrained deployments, a link
        layer node (e.g. coordinator or master) SHOULD assume the role as authoritative root node,
        transmitting singlecast RAs with a ULA prefix information option to
        nodes during the inclusion process to prepare the nodes for a later
        operational phase, where a border router is added.</t>

        <t>A border router SHOULD be designed to be aware of sleeping nodes in
        order to support the distribution of updated global prefixes to such
        sleeping nodes.</t>

        <t>One COULD implement gateway-centric tree-based routing and global
        prefix distribution as defined by [RFC6550]. This would however only
        work for always-on nodes.</t>

        <section title="RPL Instances">
          <t>When operating P2P-RPL on a stand-alone basis, there is no
          authoritative root node maintaining a permanent RPL DODAG. A node
          MUST be able to join one RPL instance as an instance is created
          during each P2P-RPL route discovery operation. A node MAY be
          designed to join multiple RPL instances.</t>
        </section>

        <section anchor="sec-storing" title="Storing vs. Non-Storing Mode">
          <t>Non-storing mode MUST be used to cope with the extremely
          constrained memory of a majority of nodes in the network (such as
          individual light switches).</t>
        </section>

        <section title="DAO Policy">
          <t>A node MAY be
          designed to join multiple RPL instances; in that case DAO policies may be needed.</t>
		<t> DAO policy is out of scope for this applicability statement. </t>
        </section>

        <section title="Path Metrics">
          <t>OF0 is RECOMMENDED. <xref target="RFC6551"/> provides other options. Using other objective functions
	  than OF0 may affect inter-operability.</t>
        </section>

        <section title="Objective Function">
          <t>OF0 MUST be supported and is the RECOMMENDED Objective Function to use. Other
          Objective Functions MAY be used as well.</t>
        </section>

        <section title="DODAG Repair">
          <t>Since RPL-P2P only creates DODAGs on a temporary basis during
          route repair, there is no need to repair DODAGs.
</t><t>In general for the SS case, handling of time-varying link characteristics and
   availability, local repair is sufficient.  The accompanying process is known as poisoning and is described in
   Section 8.2.2.5 of <xref target="RFC6550"/>. Given that the plurality of nodes in the building does not move around, creating new DODAGs will not happen frequently.
</t>
        </section>

        <section anchor="sec-multicast" title="Multicast">
          <t>Commercial light deployments may have a need for multicast to distribute commands to a group of lights in a timely fashion. 
	    Several mechanisms exist for achieving such functionality; <xref target="I-D.ietf-roll-trickle-mcast"/>
          is RECOMMENDED for home and building deployments. This section relies heavily on the conclusions of <xref target="RT-MPL"/>.
</t><t> 
The density of forwarders and the frequency of message generation are important aspects to control to obtain timeliness. A high frequency of message generation can be expected when a remote control button is constantly pressed, or when alarm situations arise. In <xref target="RT-MPL"/> it is shown that short circuiting the buffering and retries in the IEEE 802.15.4 MAC reduces packet delays. Message loss is reduced by adding a real-time packet selection procedure before submitting a packet to the MAC. 

</t><t>
Guaranteeing timeliness is intimately related to the density of the MPL routers.
	    In ideal circumstances the message is propagated as a single wave through the network, such
	    that the maximum delay is related to the number of hops times the smallest repetition interval of MPL.
	    Each forwarder that receives the message, passes the message on to the next hop by repeating the 
	    message. When several copies of a message reach the forwarder, it is specified that the copy need not be repeated. Repetition of the message can be inhibited by a small value of k. To assure timeliness, the value of k
	    should be chosen high enough to make sure that messages are repeated at the first arrival of the message in the forwarder.
	    However, a network that is too dense leads to a saturation of the medium that can only be prevented by selecting a
	    low value of k. Consequently, timeliness is assured by choosing a relatively high value of k
	    but assuring at the same time a low enough density of forwarders to reduce the risk of medium saturation.
	    Depending on the reliability of the network channels, it is advisable to choose the network such
	    that at least 2 forwarders (one forwarder located on the seed) can repeat messages to the same set of destinations.</t>

	    	<t>There are no rules about selecting forwarders for MPL. In buildings with central management tools, the forwarders can be selected,
	but in the home is not possible to automatically configure the forwarder topology at this moment.
	    </t>
        </section>

        <section title="Security">
          <t>In order to support low-cost devices and devices running on
          battery, RPL MAY use either unsecured messages or secured messages.  If RPL is used with unsecured messages, link layer security SHOULD be used (see <xref target="SEC-CON"/>).  If RPL is used with secured messages, the following RPL security parameter values SHOULD be used:</t>

          <t><list style="symbols">
              <t>T = &lsquo;0&rsquo;: Do not use timestamp in the Counter
              Field.</t>

              <t>Algorithm = &lsquo;0&rsquo;: Use CCM with AES-128</t>

              <t>KIM = &lsquo;10&rsquo;: Use group key, Key Source present,
              Key Index present</t>

              <t>LVL = 0: Use MAC-32</t>
            </list></t>
        </section>

        <section title="P2P communications">
          <t><xref target="RFC6997"/> MUST be used to accommodate
          P2P traffic, which is typically substantial in home and building
          automation networks.</t>
        </section>

        <section title="IPv6 address configuration">
          <t>Assigned IP addresses MUST be routable and unique within the routing domain.</t>
        </section>
      </section>

      <section title="Layer 2 features">
        <t>No particular requirements exist for layer 2 but for the ones cited in the IP over Foo RFCs.</t>

        <!--
      <section title="Specifics about layer-2">
          <t>Not applicable</t>
        </section>

        <section title="Services provided at layer-2">
          <t>Not applicable</t>
        </section>

        <section title="6LowPAN options assumed">
          <t>Not applicable</t>
        </section>
-->
      </section>

      <section title="Recommended Configuration Defaults and Ranges ">
        <t>The following sections describe the recommended parameter values for RPL-P2P, Trickle, and MPL. </t>

	   <section title="RPL-P2P parameters">
	    <t>RPL-P2P <xref target="RFC6997"/> provides the features requested by
      <xref target="RFC5826"/> and <xref target="RFC5867"/>. RPL-P2P uses a
      subset of the frame formats and features defined for RPL <xref
      target="RFC6550"/> but may be combined with RPL frame flows in advanced
      deployments.</t>
	<t>Parameter values for RPL-P2P are:
 <list style="symbols">
	<t>MinHopRankIncrease 1</t>
	<t>MaxRankIncrease 0</t>
	<t>MaxRank 6</t>
	<t>Objective function: OF0</t>
</list> </t>

	  </section>


	  <section title="Trickle parameters">
	    <t>Trickle is used to distribute network parameter values to all nodes without stringent
	    time restrictions. Trickle parameter values are:
 <list style="symbols">
	<t>DIOIntervalMin 4 = 16 ms</t>
	<t>DIOIntervalDoublings 14</t>
	<t>DIORedundancyConstant 1</t>
	</list>
	    </t>
	  </section>

	  <section title="MPL parameters">
	    <t>MPL is used to distribute values to groups of devices. In MPL, based on Trickle algorithm, also timeliness should be guaranteed.
	    Under the condition that the density of MPL repeaters can be limited, it is possible to choose low
	    MPL repeat intervals (Imin) connected to k values such that k>2. The minimum value of k is related to:
	    <list style="symbols">
	    <t>Value of Imin. The length of Imin determines the number of packets that can be received within the listening period of Imin.</t>
	    <t>Number of repeaters repeating the same 1-hop broadcast message. 
	    These repeaters repeat within the same Imin interval, thus increasing the c counter.</t>
	    </list>
	    Assuming that at most q message copies can reach a given forwarder within the first repeat interval of length Imin, the following MPL parameter values are suggested:
	<list style="symbols">
		<t> I_min = 10 - 50.</t>
		<t> I_max = 200 - 400. </t>
		<t> k > q (see condition above). </t>
		<t> max_expiration = 2 - 4. </t>
	</list>
	    </t>
	  </section>


      </section>
    </section>

    <section title="Manageability Considerations">
      <t>Manageability is out of scope for home network scenarios. In building automation scenarios, central control should be applied based on MIBs.</t>
    </section>


    <section title="Security Considerations">
      <t>Refer to the security considerations of <xref target="RFC6997"/>, <xref target="RFC6550"/>,
	 <xref target="I-D.ietf-roll-trickle-mcast"/>, and the counter measures discussed in sections 6 and 7 of <xref target="I-D.ietf-roll-security-threats"/>.
</t>

<section anchor="SEC-CON" title="Security context considerations">
<t>
Wireless networks are typically secured at the link-layer in order to prevent unauthorized parties to access the information exchanged over the links. In mesh networks, it is good practice to create a network of nodes which share the same keys for link layer encryptions and exclude nodes sending non encrypted messages. Together with authentication of the sources, it is possible to prevent unauthorized nodes joining the mesh. This is ensured with the Protocol for carrying
Authentication for Network Access (PANA) Relay Element <xref target="RFC6345"/> with the use of PANA <xref target="RFC5191"/> for network access. A new DTLS based protocol is proposed in <xref target="I-D.kumar-dice-dtls-relay"/>.
</t><t>
This recommendation is in line with the coutermeasures described in section 6.1.1 of <xref target="I-D.ietf-roll-security-threats"/>
</t><t>
Unauthorized nodes can access the nodes of the mesh via a router. End-to-end security between applications is recommended by using DTLS <xref target="RFC6347"/> or TLS <xref target="RFC5246"/>. 
</t>
</section>

<section title="MPL routing">
<t>
The routing of MPL is determined by the enabling of the interfaces for specified Multicast addresses. The specification of these addresses can be done via a CoAP application as specified in 
<xref target="I-D.ietf-core-groupcomm"/>. An alternative is the creation of a MPL MIB and use of SNMPv3 <xref target="RFC3411"/> or CoMI <xref target="I-D.vanderstok-core-comi"/> to specify the Multicast addresses in the MIB. The application of security measures for the specification of the multicast addresses assures that the routing of MPL packets is secured.
</t>
</section>

      <section anchor="SEC-DIST" title="Security Considerations for distribution of credentials required for RPL">
        <t>Communications network security is based on providing integrity protection and 
        encryption to messages. This can be applied at various layers in the network protocol
        stack based on using various credentials and a network identity.</t>
        <t>The credentials which are relevant in the case of RPL are: (i) the credential used
        at the link layer in the case where link layer security is applied (see <xref target="SEC-CON"/>) or (ii) the credential
        used for securing RPL messages. In both cases, the assumption is that the credential is a
        shared key. Therefore, there MUST be a mechanism in place which allows secure distribution 
        of a shared key and configuration of network identity. Both MAY be done using (i) pre-installation using an out-of-band method,
        (ii) delivered securely when a device is introduced into the network or (iii) delivered
        securely by a trusted neighboring device. The shared key MUST be stored in a secure fashion which makes
        it difficult to be read by an unauthorized party.
</t>
        <t>
Securely delivering a key means that the delivery mechanism MUST have data origin authentication, confidentiality and integrity protection. On reception of the delivered key, freshness of the delivered key MUST be ensured.Securely storing a key means that the storage mechanism MUST have confidentiality and integrity protection and MUST only be accessible by an authorized party.</t> 
      </section>

      <section title="Security Considerations for P2P and P2MP uses">
        <t>Refer to the security considerations of <xref target="RFC6997"/>. Many initiatives are under way to provide light weight security such as: <xref target="I-D.ietf-dice-profile"/> and <xref target="I-D.keoh-dice-multicast-security"/>.  </t>
      </section>

<section title="RPL Security features">
<t>
This section follows the structure of section 7, "RPL security features" of <xref target="I-D.ietf-roll-security-threats"/>, where a thorough analysis of security threats and proposed counter measures relevant to RPL and MPL is done. 
</t><t>
In accordance with section 7.1 of <xref target="I-D.ietf-roll-security-threats"/>, "Confidentiality features", a secured RPL protocol must implement payload protection, as explained in <xref target="SEC-CON"/> of this document. The attributes key-length and life-time of the keys depend on operational conditions, maintenance and installation procedures.
</t><t>
<xref target="SEC-DIST"/> of this document recommends measures to assure integrity in accordance with section 7.2 of <xref target="I-D.ietf-roll-security-threats"/>, "Integrity features".
</t><t>
The provision of multiple paths recommended in section 7.3 "Availability features" of <xref target="I-D.ietf-roll-security-threats"/> is also recommended from a reliability point of view. Randomly choosing paths MAY be supported.
</t><t>
Key management discussed in section 7.4, "Key Management" of <xref target="I-D.ietf-roll-security-threats"/>, is not standardized and discussions continue.
</t><t>
Section 7.5, "Considerations on Matching Application Domain Needs" of <xref target="I-D.ietf-roll-security-threats"/> applies as such.
</t>
</section>

    </section>

    <section title="Other related protocols">
      <t>Application transport protocols may be CoAP over UDP or equivalents.
      Typically, UDP is used for IP transport to keep down the application
      response time and bandwidth overhead.</t>

      <t>Several features required by <xref target="RFC5826"/>, <xref
      target="RFC5867"/> challenge the P2P paths provided by RPL. <xref
      target="RPL_shortcomings"/> reviews these challenges. In some cases, a
      node may need to spontaneously initiate the discovery of a path towards
      a desired destination that is neither the root of a DAG, nor a
      destination originating DAO signalling. Furthermore, P2P paths provided
      by RPL are not satisfactory in all cases because they involve too many
      intermediate nodes before reaching the destination.</t>

      
    </section>

    <section title="IANA Considerations">
      <t> No considerations for IANA pertain to this document. </t>
    </section>

    <section title="Acknowledgements">
      <t>This document reflects discussions and remarks from several
      individuals including (in alphabetical order): Mukul
      Goyal, Sandeep Kumar, Jerry Martocci, Charles Perkins, Michael Richardson, and Zach Shelby</t>
    </section>

	<section title="Changelog">
	<t>
	Changes from version 0 to version 1.
	<list style="symbols">
	<t>Adapted section structure to template. </t>
	<t>Standardized the reference syntax.</t>
	<t>Section 2.2, moved everything concerning algorithms to section 2.2.7, and adapted text in 2.2.1-2.2.6.</t>
	<t>Added MPL parameter text to section 4.1.7 and section 4.3.1.</t>
	<t> Replaced all TODO sections with text. </t>
	<t> Consistent use of border router, monitoring, home- and building network. </t>
	<t> Reformulated security aspects with references to other publications. </t>
	<t> MPL and RPL parameter values introduced.</t>
	</list>
	</t><t>
	Changes from version 1 to version 2.
<list style="symbols">
<t> Clarified common characteristics of control in home and building.</t>
<t> Clarified failure behavior of point to point communication in appendix. </t>
<t> Changed examples, more hvac and less lighting.</t>
<t> Clarified network topologies. </t>
<t> replaced reference to smart_object paper by reference to I-D.roll-security-threats</t>
<t> Added a concise definition of secure delivery and secure storage </t>
<t> text about securing network with PANA </t>
</list>
Changes from version 2 to version 3.
<list style="symbols">
<t> Changed security section to follow the structure of security threats draft.</t>
<t> Added text to DODAG repair sub-section </t>
</list>

	</t>
	</section>

  </middle>

  <back>
    <references title="Normative References">
	&RFC2119;
	&RFC3411;
	&RFC4944;
	&RFC5191;
	&RFC5246;
	&RFC5548;
	&RFC5673;
	&RFC5826;
	&RFC5867;
	&RFC6282;
	&RFC6345;
	&RFC6347;
	&RFC6550;
	&RFC6551;
	&RFC6554;
	&RFC6997;
	&I-D.ietf-6lo-lowpanz;
	&I-D.ietf-roll-trickle-mcast;
	&I-D.ietf-roll-security-threats;
	&I-D.ietf-dice-profile;
	&I-D.keoh-dice-multicast-security;
	&I-D.kumar-dice-dtls-relay;
	&I-D.ietf-core-groupcomm;
	&I-D.vanderstok-core-comi;

      <reference anchor="IEEE802.15.4" target="IEEE Standard 802.15.4">
        <front>
          <title>IEEE 802.15.4 - Standard for Local and metropolitan area
          networks -- Part 15.4: Low-Rate Wireless Personal Area
          Networks</title>

          <author fullname="IEEE Computer Society" initials="" surname="">
            <organization/>
          </author>

          <date/>
        </front>
      </reference>

      <reference anchor="G.9959" target="ITU-T G.9959">
        <front>
          <title>ITU-T G.9959 Short range narrow-band digital
          radiocommunication transceivers - PHY and MAC layer
          specifications</title>

          <author fullname="ITU-T SG 15" initials="" surname="">
            <organization/>
          </author>

          <date/>
        </front>
      </reference>

      
    </references>

    <references title="Informative References">
      <reference anchor="SOFT11">
        <front>
          <title>The P2P-RPL Routing Protocol for IPv6 Sensor Networks:
          Testbed Experiments</title>

          <author fullname="E. Baccelli" initials="E." surname="Baccelli"/>

          <author fullname="M. Philipp" initials="M." surname="Phillip"/>

          <author fullname="M.Goyal" initials="M." surname="Goyal"/>

          <date day="8" month="September" year="2011"/>
        </front>

        <seriesInfo name=""
                    value="Proceedings of the Conference on Software Telecommunications and Computer Networks, Split, Croatia,"/>
      </reference>

      <reference anchor="INTEROP12">
        <front>
          <title>Report on P2P-RPL Interoperability Testing</title>

          <author fullname="E. Baccelli" initials="E." surname="Baccelli"/>

          <author fullname="M. Philipp" initials="M." surname="Phillip"/>

          <author fullname="A. Brandt" initials="A." surname="Brandt"/>

          <author fullname="H. Valev " initials="H." surname="Valev "/>

          <author fullname="J. Buron " initials="J." surname="Buron "/>

          <date day="20" month="January" year="2012"/>
        </front>

        <seriesInfo name="RR-7864" value="INRIA Research Report RR-7864"/>
      </reference>

<reference anchor="RT-MPL">
        <front>
          <title>Real-Time multicast for wireless mesh networks using MPL</title>

          <author fullname="P. van der Stok" initials="P." surname="van der Stok"/>
          <date month="April" year="2014"/>
        </front>

        <seriesInfo name="White paper, "
                    value="http://www.vanderstok.org/papers/Real-time-MPL.pdf"/>
      </reference>

<reference anchor="RTN2011">
        <front>
          <title>Real-time routing for low-latency 802.15.4 control networks</title>
<author fullname="K. Holtman" initials="K." surname="Holtman"/>

          <author fullname="P. van der Stok" initials="P." surname="van der Stok"/>
          <date day="5" month="July" year="2011"/>
        </front>

        <seriesInfo name="International Workshop on Real-Time Networks;"
                    value="Euromicro Conference on Real-Time Systems"/>
      </reference>

<reference anchor="MEAS">
        <front>
          <title>Connectivity loss in large scale IEEE 802.15.4 network</title>
<author fullname="K. Holtman" initials="K." surname="Holtman"/>
          <date month="November" year="2013"/>
        </front>

        <seriesInfo name=""
                    value="Private Communication"/>
      </reference>


    </references>

    <section anchor="RPL_shortcomings"
             title="RPL shortcomings in home and building deployments">

      <section title="Risk of undesired long P2P routes ">
        <t>The DAG, being a tree structure is formed from a root. If nodes
        residing in different branches have a need for communicating
        internally, DAG mechanisms provided in RPL <xref target="RFC6550"/>
        will propagate traffic towards the root, potentially all the way to
        the root, and down along another branch. In a typical example two
        nodes could reach each other via just two router nodes but in
        unfortunate cases, RPL may send traffic three hops up and three hops
        down again. This leads to several undesired phenomena described in the
        following sections</t>

        <section title="Traffic concentration at the root ">
          <t>If many P2P data flows have to move up towards the root to get
          down again in another branch there is an increased risk of
          congestion the nearer to the root of the DAG the data flows. Due to
          the broadcast nature of RF systems any child node of the root is not
          just directing RF power downwards its sub-tree but just as much
          upwards towards the root; potentially jamming other MP2P traffic
          leaving the tree or preventing the root of the DAG from sending P2MP
          traffic into the DAG because the listen-before-talk link-layer
          protection kicks in.</t>
        </section>

        <section title="Excessive battery consumption in source nodes ">
          <t>Battery-powered nodes originating P2P traffic depend on the route
          length. Long routes cause source nodes to stay awake for longer
          periods before returning to sleep. Thus, a longer route translates
          proportionally (more or less) into higher battery consumption.</t>
        </section>
      </section>

      <section title="Risk of delayed route repair ">
        <t>The RPL DAG mechanism uses DIO and DAO messages to monitor the
        health of the DAG. In rare occasions, changed radio conditions may
        render routes unusable just after a destination node has returned a
        DAO indicating that the destination is reachable. Given enough time,
        the next Trickle timer-controlled DIO/DAO update will eventually repair
        the broken routes, however this may not occur in a timely manner appropriate to the application. In
        an apparently stable DAG, Trickle-timer dynamics may reduce the update
        rate to a few times every hour. If a user issues an actuator command,
        e.g. light on in the time interval between the last DAO message was
        issued the destination module and the time one of the parents sends
        the next DIO, the destination cannot be reached. There is no mechanism in RPL to
        initiate restoration of connectivity in a reactive fashion. The consequence is a
        broken service in home and building applications.</t>

        <section title="Broken service">
          <t>Experience from the telecom industry shows that if the voice
          delay exceeds 250ms, users start getting confused, frustrated and/or
          annoyed. In the same way, if the light does not turn on within the
          same period of time, a home control user will activate the controls
          again, causing a sequence of commands such as
          Light{on,off,off,on,off,..} or Volume{up,up,up,up,up,...}. Whether
          the outcome is nothing or some unintended response this is
          unacceptable. A controlling system must be able to restore
          connectivity to recover from the error situation. Waiting for an
          unknown period of time is not an option. While this issue was
          identified during the P2P analysis, it applies just as well to
          application scenarios where an IP application outside the LLN
          controls actuators, lights, etc.</t>
        </section>
      </section>
    </section>

<section anchor="com-fail" title="Communication failures">
<t>
Measurements on the connectivity between neigbouring nodes are discussed in <xref target="RTN2011"/> and <xref target="MEAS"/>.
</t><t>
The work is motivated by the measurements in literature which affirm that the range of an antenna is not circle symmetric but that the signal strength of a given level follows an intricate pattern around the antenna, and there may be holes within the area delineated by an iso-strength line. It is reported that communication is not symmetric: reception of messages from node A by node B does not imply reception of messages from node B by node A. The quality of the signal fluctuates over time, and also the the height of the antenna within a room can have consequences for the range. As function of the distance from the source, three regions are generally recognized: (1) a clear region with excellent signal quality, (2) a region with fluctuating signal quality, (3) a region without reception. In the text below it is shown that installation of meshes with neigbours in the clear region is not sufficient. 
</t><t>
<xref target="RTN2011"/> extends existing work by: 
<list style="symbols">
<t>Observations over periods of at least a week, </t>
<t>Testing links that are in the clear region, </t>
<t>Observation in an office building during working hours, </t>
<t>Concentrating on one-hop and two-hop routes. </t>
</list>
Eight nodes were distributed over a surface of 30m2. All nodes are at one hop distance from each other and are situated in the clear region of each other. Each node sends messages to each of its neigbours, and repeats the message until it arrives. The latency of the message was measured over periods of at least a week. It is noticed that latencies longer than a second ocurred without apparent reasons, but only during working days and never in the weekends. Bad periods could last for minutes. By sending messages via two paths: (1) one hop path directly, and (2) two hop path via random neigbour, the probability of delays larger than 100 ms decreased significantly.
</t><t> The conclusion is that even for 1-hop communication between not too distant "Line of Sight" nodes, there are periods of low reception in which communication deadlines of 200 ms are exceeded. It pays to send a second message over a 2-hop path to increase the reliability of timely message transfer.
</t><t>
<xref target="MEAS"/> confirms that temporary bad reception by close neigbours can occur within other types of areas. Nodes were installed on the ceiling in a grid with a distance of 30-50 cm between nodes. 200 nodes were distributed over an area of 10m x 5m. It clearly transpired that with increasing distance the probability of reception decreases. At the same time a few nodes furthest away from the sender had a high probability of message reception, while some close neigbours of the sender did not receive messages. The patterns of clear reception nodes evolved over time.
</t>
<t>
The conclusion is that even for direct neighbours reception can temporarily be bad during periods of several minutes. For a reliable and timely communication it is imperative to have at least two communication paths available (e.g. two hop paths next to the 1-hop path for direct neigbours).
</t>
</section>
  </back>
</rfc>
