<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM 'rfc2629.dtd'[
<!ENTITY RFC2119 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC3411 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3411.xml">
<!ENTITY RFC3561 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3561.xml">
<!ENTITY RFC3748 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3748.xml">
<!ENTITY RFC4279 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4279.xml">
<!ENTITY RFC4492 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4492.xml">
<!ENTITY RFC4764 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4764.xml">
<!ENTITY RFC4868 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4868.xml">
<!ENTITY RFC4944 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4944.xml">
<!ENTITY RFC5116 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5116.xml">
<!ENTITY RFC5191 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5191.xml">
<!ENTITY RFC5216 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5216.xml">
<!ENTITY RFC5246 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5246.xml">
<!ENTITY RFC5288 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5288.xml">
<!ENTITY RFC5289 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5289.xml">
<!ENTITY RFC5487 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5487.xml">
<!ENTITY RFC5548 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5548.xml">
<!ENTITY RFC5673 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5673.xml">
<!ENTITY RFC5826 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5826.xml">
<!ENTITY RFC5867 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5867.xml">
<!ENTITY RFC5889 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5889.xml">
<!ENTITY RFC5996 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5996.xml">
<!ENTITY RFC6282 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6282.xml">
<!ENTITY RFC6345 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6345.xml">
<!ENTITY RFC6550 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6550.xml">
<!ENTITY RFC6551 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6551.xml">
<!ENTITY RFC6554 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6554.xml">
<!ENTITY RFC6655 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6655.xml">
<!ENTITY RFC6786 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6786.xml">
<!ENTITY RFC6997 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6997.xml">
<!ENTITY RFC6998 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6998.xml">
<!ENTITY RFC7102 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7102.xml">
<!ENTITY RFC7228 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7228.xml">
<!ENTITY RFC7251 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7251.xml">
<!ENTITY RFC7390 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7390.xml">
<!ENTITY RFC7416 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7416.xml">
<!ENTITY RFC7428 PUBLIC "" "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7428.xml">
<!ENTITY I-D.ietf-roll-trickle-mcast SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.ietf-roll-trickle-mcast.xml">
]>

<?rfc toc="yes" tocompact="yes" tocdepth="3" tocindent="yes" symrefs="yes" sortrefs="no" comments="yes" inline="yes" compact="yes" subcompact="no"?>
<?rfc symrefs="yes"?>
<rfc category="std" docName="draft-ietf-roll-applicability-home-building-11" ipr="trust200902">
  <front>
    <title abbrev="RPL in home and building">Applicability Statement:
    The use of the RPL protocol suite in Home Automation and Building
    Control</title>

    <author fullname="Anders Brandt" initials="A." surname="Brandt">
      <organization>Sigma Designs</organization>
      <address>
        <email>anders_Brandt@sigmadesigns.com</email>
      </address>
    </author>

    <author fullname="Emmanuel Baccelli" initials="E." surname="Baccelli">
      <organization>INRIA</organization>
      <address>
        <email>Emmanuel.Baccelli@inria.fr</email>
      </address>
    </author>

    <author fullname="Robert Cragie" initials="R." surname="Cragie">
      <organization>ARM Ltd.</organization>
      <address>
        <postal>
          <street>110 Fulbourn Road</street>
          <city>Cambridge</city>
          <code>CB1 9NJ</code>
          <country>UK</country>
        </postal>
        <email>robert.cragie@gridmerge.com</email>
      </address>
    </author>

    <author fullname="Peter van der Stok" initials="P." surname="van der Stok">
      <organization>Consultant</organization>
      <address>
        <email>consultancy@vanderstok.org</email>
      </address>
    </author>

    <date />

    <area>Routing Area</area>

    <workgroup>Roll</workgroup>

    <keyword>sensor network</keyword>
    <keyword>ad hoc network</keyword>
    <keyword>routing</keyword>
    <keyword>RPL</keyword>
    <keyword>applicability</keyword>
    <keyword>building control</keyword>
    <keyword>home automation</keyword>
    <keyword>IP networks</keyword>

    <abstract>
      <t>The purpose of this document is to provide guidance in the selection and use of protocols from the RPL protocol suite to implement the features required for control in building and home environments.</t>
    </abstract>
  </front>

  <middle>
    <section anchor="cid1" title="Introduction">
      <t>The primary purpose of this document is to give guidance in the use of the Routing Protocol for Low power and lossy networks (RPL) protocol suite in two application domains:</t>
      <t><list style="symbols">
        <t>Home automation</t>
        <t>Building automation</t>
      </list></t>
      <t>The guidance is based on the features required by the requirements documents "Home Automation Routing Requirements in Low-Power and Lossy Networks" <xref target="RFC5826"/> and "Building Automation Routing Requirements in Low-Power and Lossy Networks" <xref target="RFC5867"/> respectively. The Advanced Metering Infrastructure is also considered where appropriate. The applicability domains distinguish themselves in the way they are operated, their performance requirements, and the most likely network structures. An abstract set of distinct communication paradigms is then used to frame the applicability domains.</t>
      <t>Home automation and building automation application domains share a substantial number of properties:</t>    
      <t><list style="symbols">
        <t>In both domains, the network can be disconnected from the ISP and must still continue to provide control to the occupants of the home/building. Routing needs to be possible independent of the existence of a border router</t>
        <t>Both domains are subject to unreliable links but require instant and very reliable reactions. This has impact on routing because of timeliness and multipath routing.</t>
      </list></t>
      <t>The differences between the two application domains mostly appear in commissioning, maintenance and the user interface, which do not typically affect routing. Therefore, the focus of this applicability document is on reliability, timeliness, and local routing.</t>
      <t>It should be noted that adherence to the guidance does not necessarily guarantee fully interoperable solutions in home automation networks and building control networks and that additional rigorous and managed programs will be needed to ensure interoperability.</t>

      <section title="Relationship to other documents">
        <t>The Routing Over Low power and Lossy networks (ROLL) working group has specified a set of routing protocols for Low-Power and Lossy Networks (LLN) <xref target="RFC6550"/>. This applicability text describes a subset of those protocols and the conditions under which the subset is appropriate and provides recommendations and requirements for the accompanying parameter value ranges.</t>
        <t>In addition, an extension document has been produced specifically to provide a solution for reactive discovery of point-to-point routes in LLNs <xref target ="RFC6997"/>. The present applicability document provides recommendations and requirements for the accompanying parameter value ranges.</t>
        <t>A common set of security threats are described in <xref target="RFC7416"/>. The applicability statements complement the security threats document by describing preferred security settings and solutions within the applicability statement conditions. This applicability statement recommends lighter weight security solutions appropriate for home and building environments and indicates why these solutions are appropriate.</t>
      </section>
   
      <section title="Terminology">
        <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in <xref target="RFC2119"/>.</t>
        <t>Additionally, this document uses terminology from <xref target="RFC6997"/>, <xref target="I-D.ietf-roll-trickle-mcast"/>, <xref target="RFC7102"/>, <xref target="IEEE802.15.4"/>, and <xref target="RFC6550"/>.</t>
      </section>

      <section title="Required Reading">
        <t>Applicable requirements are described in <xref target="RFC5826"/> and <xref target="RFC5867"/>. A survey of the application field is described in <xref target="BCsurvey"/>.</t>
      </section>

      <section title="Out of scope requirements">
        <t>The considered network diameter is limited to a maximum diameter of 10 hops and a typical diameter of 5 hops, which captures the most common cases in home automation and building control networks.</t>
        <t>This document does not consider the applicability of  Routing Protocol for Low-Power and Lossy Networks (RPL)-related specifications for urban and industrial applications <xref target="RFC5548"/>, <xref target="RFC5673"/>, which may exhibit significantly larger network diameters.</t>
      </section>
    </section>

    <section title="Deployment Scenario">
      <t>The use of communications networks in buildings is essential to satisfy energy saving regulations. Environmental conditions of buildings can be adapted to suit the comfort of the individuals present inside. Consequently when no one is present, energy consumption can be reduced.
      Cost is the main driving factor behind deployment of wireless networking in buildings, especially in the case of retrofitting, where wireless connectivity saves costs incurred due to cabling and building modifications.</t>
      <t>A typical home automation network is comprised of less than 100 nodes. Large building deployments may span 10,000 nodes but to ensure uninterrupted service of light and air conditioning systems in individual zones of the building, nodes are typically organized in sub-networks. Each sub-network in a building automation deployment typically contains tens to hundreds of nodes, and for critical operations may operate independently from the other sub-networks.</t>
      <t>The main purpose of the home or building automation network is to provide control over light and heating/cooling resources. User intervention via wall controllers is combined with movement, light and temperature sensors to enable automatic adjustment of window blinds, reduction of room temperature, etc. In general, the sensors and actuators in a home or building typically have fixed physical locations and will remain in the same home or building automation network.</t>
      <t>People expect an immediate and reliable response to their presence or actions. For example, a light not switching on after entry into a room may lead to confusion and a profound dissatisfaction with the lighting product.</t>
      <t>Monitoring of functional correctness is at least as important as timely responses. Devices typically communicate their status regularly and send alarm messages
      notifying a malfunction of controlled equipment or network.</t>
      <t>In building control, the infrastructure of the building management network can be shared with the security/access, the Internet Protocol (IP) telephony, and the fire/alarm networks. This approach has a positive impact on the operation and cost of the network; however, care should be taken to ensure that the availability of the building management network does not become compromised beyond the ability for critical functions to perform adequately.</t>
      <t>In homes, the entertainment network for audio/video streaming and gaming has different requirements, where the most important requirement is the need for high bandwidth not typically needed for home or building control. It is therefore expected that the entertainment network in the home will mostly be separate from the control network, which also lessens the impact on availability of the control network</t>

      <section title="Network Topologies">
        <t>In general, the home automation network or building control network consists of wired and wireless sub-networks. In large buildings especially, the wireless sub-networks can be connected to an IP backbone network where all infrastructure services are located, such as Domain Name System (DNS), automation servers, etc.</t>
        <t>The wireless sub-network can be configured according to any of the following topologies:</t>
        <t><list style="symbols">
          <t>A stand-alone network of 10-100 nodes without border router. This typically occurs in the home with a stand-alone control network, in low cost buildings, and during installation of high end control systems in buildings.</t>
          <t>A connected network with one border router. This configuration will happen in homes where home appliances are controlled from outside the home, possibly via a smart phone, and in many building control scenarios.</t>
          <t>A connected network with multiple border routers. This will typically happen in installations of large buildings.</t>
        </list></t>
        <t>Many of the nodes are battery-powered and may be sleeping nodes which wake up according to clock signals or external events.</t>
        <t>In a building control network, for a large installation with multiple border routers, sub-networks often overlap both geographically and from a wireless coverage perspective. Due to two purposes of the network, (i) direct control and (ii) monitoring, there may exist two types of routing topologies in a given sub-network: (i) a tree-shaped collection of routes spanning from a central building controller via the border router, on to destination nodes in the sub-network; and/or (ii) a flat, un-directed collection of intra-network routes between functionally related nodes in the sub-network.</t>
        <t>The majority of nodes in home and building automation networks are typically class 0 devices <xref target="RFC7228"/>, such as individual wall switches. Only a few nodes (such as multi-purpose remote controls) are more expensive Class 1 devices, which can afford more memory capacity.</t>
      </section>

      <section title="Traffic Characteristics">
        <t>Traffic may enter the network originating from a central controller or it may originate from an intra-network node. The majority of traffic is light-weight point-to-point control style; e.g. Put-Ack or Get-Response. There are however exceptions. Bulk data transfer is used for firmware update and logging, where firmware updates enter the network and logs leave the network. Group communication is used for service discovery or to control groups of nodes, such as light fixtures.</t>
        <t>Often, there is a direct physical relation between a controlling sensor and the controlled equipment. For example the temperature sensor and room controller are located in the same room sharing the same climate conditions. Consequently, the bulk of senders and receivers are separated by a distance that allows one-hop direct path communication. A graph of the communication will show several fully connected subsets of nodes. However, due to interference, multipath fading, reflection and other transmission mechanisms, the one-hop direct path may be temporally disconnected. For reliability purposes, it is therefore essential that alternative n-hop communication routes exist for quick error recovery. (See <xref target="com-fail"/> for motivation.)</t>
        <t> Looking over time periods of a day, the networks are very lightly loaded. However, bursts of traffic can be generated by e.g. incessant pushing of the button of a remote control, the occurrence of a defect, and other unforeseen events. Under those conditions, the timeliness must nevertheless be maintained. Therefore, measures are
        necessary to remove any unnecessary traffic. Short routes are preferred. Long multi-hop routes via the border router, should be avoided whenever possible.</t>
        <t>Group communication is essential for lighting control. For example, once the presence of a person is detected in a given room, lighting control applies to that room only and no other lights should be dimmed, or switched on/off. In many cases, this means that a multicast message with a 1-hop and 2-hop radius would suffice to control the required lights. The same argument holds for Heating, Ventilating, and Air Conditioning (HVAC) and other climate control devices. To reduce network load, it is advisable that messages to the lights in a room are not distributed any further in the mesh than necessary based on intended receivers.</t>
        <t>An example of an office surface is shown in <xref target="office-light"/>, and the current use of wireless lighting control products is shown in <xref target="occuswitch"/>.</t>

        <section anchor="SEC_General" title="General">
          <t>Whilst air conditioning and other environmental-control applications may accept response delays of tens of seconds or longer, alarm and light control applications may be regarded as soft real-time systems. A slight delay is acceptable, but the perceived quality of service degrades significantly if response times exceed 250 ms. If the light does not turn on at short notice, a user may activate the controls again, thus causing a sequence of commands such as Light{on,off,on,off,..} or Volume{up,up,up,up,up,...}. In addition the repetitive sending of commands creates an unnecessary loading of the network, which in turn increases the bad responsiveness of the network.</t>
        </section>

        <section title="Source-sink (SS) communication paradigm">
          <t>This paradigm translates to many sources sending messages to the same sink, sometimes reachable via the border router. As such, source-sink (SS) traffic can be present in home and building networks. The traffic may be generated by environmental sensors (often present in a wireless sub-network) which push periodic readings to a central server. The readings may be used for pure logging, or more often, processed to adjust light, heating and ventilation. Alarm sensors may also generate SS style traffic. The central server in a home automation network will be connected mostly to a wired network segment of the home network, although it is likely that cloud services will also be used. The central server in a building automation network may be connected to a backbone or be placed outside the building.</t>
          <t>With regards to message latency, most SS transmissions can tolerate worst-case delays measured in tens of seconds. Fire detectors, however, represent an exception; For example, special provisions with respect to the location of the Fire detectors and the smoke dampers need to be put in place to meet the stringent delay requirements measured in seconds.</t>
        </section>

        <section anchor="SEC_PubSubCommunication" title="Publish-subscribe (PS, or pub/sub)) communication paradigm">
          <t>This paradigm translates to a number of devices expressing their interest for a service provided by a server device. For example, a server device can be a sensor delivering temperature readings on the basis of delivery criteria, like changes in acquisition value or age of the latest acquisition. In building automation networks, this paradigm may be closely related to the SS paradigm given that servers, which are connected to the backbone or outside the building, can subscribe to data collectors that are present at strategic places in the building automation network. The use of PS will probably differ significantly from installation to installation.</t>
        </section>

        <section anchor="SEC_PeerToPeerCommunication" title="Peer-to-peer (P2P) communication paradigm">
          <t> This paradigm translates to a device transferring data to another device often connected to the same sub-network. Peer-to-peer (P2P) traffic is a common traffic type in home automation networks. Most building automation networks rely on P2P traffic, described in the next paragraph. Other building automation networks rely on P2P control traffic between controls and a local controller box for advanced group control. A local controller box can be further connected to service control boxes, thus generating more SS or PS traffic.</t>
          <t>P2P traffic is typically generated by remote controls and wall controllers which push control messages directly to light or heat sources. P2P traffic has a stringent requirement for low latency since P2P traffic often carries application messages that are invoked by humans. As mentioned in <xref target="SEC_General"/>, application messages should be delivered within a few hundred milliseconds - even when connections fail momentarily.</t>
        </section>

        <section title="Peer-to-multipeer (P2MP) communication paradigm">
          <t> This paradigm translates to a device sending a message as many times as there are destination devices. Peer-to-multipeer (P2MP) traffic is common in home and building automation networks. Often, a thermostat in a living room responds to temperature changes by sending temperature acquisitions to several fans and valves consecutively. This paradigm is also closely related to the PS paradigm in the case where a single server device has multiple subscribers.</t>
        </section>

        <section title="Additional considerations: Duocast and N-cast">
          <t>This paradigm translates to a device sending a message to many destinations in one network transfer invocation. Multicast is well suited for lighting where a presence sensor sends a presence message to a set of lighting devices. Multicast increases the probability that the message is delivered within the strict time constraints. The recommended multicast algorithm (e.g. <xref target="I-D.ietf-roll-trickle-mcast"/>) assures that messages are delivered to ALL intended destinations.</t>
        </section>

        <section title="RPL applicability per communication paradigm">
          <t> In the case of the SS paradigm applied to a wireless sub-network to a server reachable via a border router, the use of RPL <xref target="RFC6550"/> in non-storing mode is appropriate. Given the low resources of the devices, source routing will be used from the border router to the destination in the wireless sub-network for messages generated outside the mesh network. No specific timing constraints are associated with the SS type messages so network repair does not violate the operational constraints. When no SS traffic takes place, it is good practice to load only RPL code enabling P2P mode of operation <xref target="RFC6997"/> to reduce the code size and satisfy memory requirements. </t>
          <t>P2P-RPL <xref target="RFC6997"/> is required for all P2P and P2MP traffic taking place between nodes within a wireless sub-network (excluding the border router) to assure responsiveness. Source and destination devices are typically physically close based on room layout. Consequently, most P2P and P2MP traffic is 1-hop or 2-hop traffic. <xref target="RPL_shortcomings"/> explains why P2P-RPL is preferable to RPL for this type of communication. <xref target="com-fail"/> explains why reliability measures such as multi-path routing are necessary even when 1-hop communication dominates.</t>
          <t>Additional advantages of P2P-RPL for home and building automation networks are, for example:</t>
          <t><list style="symbols">
            <t>Individual wall switches are typically inexpensive class 0 devices <xref target="RFC7228"/> with extremely low memory capacities. Multi-purpose remote controls for use in a home environment typically have more memory but such devices are asleep when there is no user activity. P2P-RPL reactive discovery allows a node to wake up and find new routes within a few seconds while memory constrained nodes only have to keep routes to relevant targets.</t>
            <t>The reactive discovery features of P2P-RPL ensure that commands are normally delivered within the 250 ms time window. When connectivity needs to be restored, discovery is typically completed within seconds. In most cases, an alternative (earlier discovered) route will work and route rediscovery is not necessary.</t>
            <t>Broadcast storms typically associated with route discovery for Ad hoc On-Demand Distance Vector (AODV) <xref target="RFC3561"/> are less disruptive for P2P-RPL. P2P-RPL has a "STOP" bit which is set by the target of a route discovery to notify all other nodes that no more Directed Acyclic Graph (DAG) Information Option (DIO) messages should be forwarded for this temporary DAG. Something looking like a broadcast storm may happen when no target is responding however, in this case, the Trickle suppression mechanism kicks in, limiting the number of DIO forwards in dense networks.</t>
          </list></t>
          <t>Due to the limited memory of the majority of devices, P2P-RPL SHOULD be deployed with source routing in non-storing mode as explained in <xref target="sec-storing"/>.</t> 
          <t>Multicast with Multicast Protocol for Low power and Lossy Networks (MPL) <xref target="I-D.ietf-roll-trickle-mcast"/> is preferably deployed for N-cast over the wireless network. Configuration constraints that are necessary to meet reliability and timeliness with MPL are discussed in <xref target="sec-multicast"/>.</t>
        </section>
      </section>

      <section anchor="L2-app" title="Layer-2 applicability">
        <t>This document applies to <xref target="IEEE802.15.4"/> and <xref target="G.9959"/> which are adapted to IPv6 by the adaption layers <xref target="RFC4944"/> and <xref target="RFC7428"/>. Other layer-2 technologies, accompanied by an "IP over Foo" specification, are also relevant provided there is no frame size issue, and there are link layer acknowledgements.</t>
        <t>The above mentioned adaptation layers leverage on the compression capabilities of <xref target="RFC6554"/> and <xref target="RFC6282"/>. Header compression allows small IP packets to fit into a single layer 2 frame even when source routing is used. A network diameter limited to 5 hops helps to achieve this even while using source routing.</t>
        <t>Dropped packets are often experienced in the targeted environments. Internet Control Message Protocol (ICMP),  User Datagram Protocol (UDP) and even  Transmission Control Protocol (TCP) flows may benefit from link layer unicast acknowledgments and retransmissions. Link layer unicast acknowledgments SHOULD be enabled when <xref target="IEEE802.15.4"/> or <xref target="G.9959"/> is used with RPL and P2P-RPL.</t>
      </section>
    </section>

    <section title="Using RPL to meet Functional Requirements">
      <t>Several features required by <xref target="RFC5826"/>, <xref target="RFC5867"/> challenge the P2P paths provided by RPL. <xref target="RPL_shortcomings"/> reviews these challenges. In some cases, a node may need to spontaneously initiate the discovery of a path towards a desired destination that is neither the root of a DAG, nor a destination originating Destination Advertisement Object (DAO) signalling. Furthermore, P2P paths provided by RPL are not satisfactory in all cases because they involve too many intermediate nodes before reaching the destination.</t>
      <t>P2P-RPL <xref target="RFC6997"/> SHOULD be used in home automation and building control networks, as point-to-point style traffic is substantial and route repair needs to be completed within seconds. P2P-RPL provides a reactive mechanism for quick, efficient and root-independent route discovery/repair. The use of P2P-RPL furthermore allows data traffic to avoid having to go through a central region around the root of the tree, and drastically reduces path length <xref target="SOFT11"/> <xref target="INTEROP12"/>. These characteristics are desirable in home and building automation networks because they substantially decrease unnecessary network congestion around the root of the tree.</t>
      <t> When more reliability is required, P2P-RPL enables the establishment of multiple independent paths. For 1-hop destinations this means that one 1-hop communication and a second 2-hop communication take place via a neighbouring node. Such a pair of redundant communication paths can be achieved by using MPL where the source is a MPL forwarder, while a second MPL forwarder is 1 hop away from both the source and the destination node. When the source multicasts the message, it may be received by both the destination and the 2nd forwarder. The 2nd forwarder forwards the message to the destination, thus providing two routes from sender to destination.</t>
      <t>To provide more reliability with multiple paths, P2P-RPL can maintain two independent P2P source routes per destination, at the source. Good practice is to use the paths alternately to assess their existence. When one P2P path has failed (possibly only temporarily), as described in <xref target="com-fail"/>, the alternative P2P path can be used without discarding the failed path. The failed P2P path, unless proven to work again, can be safely discarded after a timeout (typically 15 minutes). A new route discovery is done when the number of P2P paths is exhausted due to persistent link failures.</t>
    </section>

    <section title="RPL Profile">
      <t>P2P-RPL SHOULD be used in home automation and building control networks. Its reactive discovery allows for low application response times even when on-the-fly route repair is needed. Non-storing mode SHOULD be used to reduce memory consumption in repeaters with constrained memory when source routing is used.</t>

      <section title="RPL Features">
        <t> An important constraint on the application of RPL is the presence of sleeping nodes.</t>
        <t>For example, in a stand-alone network, the master node (or coordinator) providing the logical layer-2 identifier and unique node identifiers to connected nodes may be a remote control which returns to sleep once new nodes have been added. Due to the absence of the border router, there may be no global routable prefixes at all. Likewise, there may be no authoritative always-on root node since there is no border router to host this function.</t>
        <t>In a network with a border router and many sleeping nodes, there may be battery powered sensors and wall controllers configured to contact other nodes in response to events and then return to sleep. Such nodes may never detect the announcement of new prefixes via multicast.</t>
        <t>In each of the above mentioned constrained deployments, a link layer node (e.g. coordinator or master) SHOULD assume the role of authoritative root node, transmitting unicast  Router Advertisement (RA) messages with a  Unique Local Address (ULA) prefix information option to nodes during the joining process to prepare the nodes for a later operational phase, where a border router is added.</t>
        <t>A border router SHOULD be designed to be aware of sleeping nodes in order to support the distribution of updated global prefixes to such sleeping nodes.</t>

        <section title="RPL Instances">
          <t>When operating P2P-RPL on a stand-alone basis, there is no authoritative root node maintaining a permanent RPL Direction-Oriented Directed Acyclic Graph (DODAG). A node MUST be able to join at least one RPL instance, as a new, temporary instance is created during each P2P-RPL route discovery operation. A node MAY be designed to join multiple RPL instances.</t>
        </section>

        <section anchor="sec-storing" title="Storing vs. Non-Storing Mode">
          <t>Non-storing mode MUST be used to cope with the extremely constrained memory of a majority of nodes in the network (such as individual light switches).</t>
        </section>

        <section title="DAO Policy">
          <t>Nodes send DAO messages to establish downward paths from the root to themselves. DAO messages are not acknowledged in networks composed of battery operated field devices in order to minimize the power consumption overhead associated with path discovery. The DAO messages build up a source route because the nodes MUST be in non-storing mode.</t>
          <t>If devices in LLNs participate in multiple RPL instances and DODAGs, both the RPLInstance ID and the DODAGID SHOULD be included in the DAO.</t>
        </section>

        <section title="Path Metrics">
          <t>Expected Transmission Count (ETX) is the RECOMMENDED metric. <xref target="RFC6551"/> provides other options.</t>
          <t> Packets from asymmetric and/or unstable links SHOULD be deleted at layer 2.</t>
        </section>

        <section title="Objective Function">
          <t>Objective Function 0 (OF0) MUST be the Objective Function. Other Objective Functions MAY be used when dictated by circumstances.</t>
        </section>

        <section title="DODAG Repair">
          <t>Since P2P-RPL only creates DODAGs on a temporary basis during route repair or route discovery, there is no need to repair DODAGs.</t>
          <t>For SS traffic, local repair is sufficient. The accompanying process is known as poisoning and is described in Section 8.2.2.5 of <xref target="RFC6550"/>. Given that the majority of nodes in the building do not physically move around, creating new DODAGs should not happen frequently.</t>
        </section>

        <section anchor="sec-multicast" title="Multicast">
          <t>Commercial lighting deployments may have a need for multicast to distribute commands to a group of lights in a timely fashion. Several mechanisms exist for achieving such functionality; <xref target="I-D.ietf-roll-trickle-mcast"/> is the RECOMMENDED protocol for home and building deployments. This section relies heavily on the conclusions of <xref target="RT-MPL"/>.</t>
          <t>At reception of a packet, the MPL forwarder starts a series of consecutive trickle timer intervals, where the first interval has a minimum size of Imin. Each consecutive interval is twice as long as the former with a maximum value of Imax. There is a maximum number of intervals given by max_expiration. For each interval of length I, a time t is randomly chosen in the period [I/2, I]. For a given packet, p, MPL counts the number of times it receives p during the period [0, t] in a counter c. At time t, MPL re-broadcasts p when c &lt; k, where k is a predefined constant with a value k &gt; 0.</t>
          <t>The density of forwarders and the frequency of message generation are important aspects to obtain timeliness during control operations. A high frequency of message generation can be expected when a remote control button is incessantly pressed, or when alarm situations arise.</t>
          <t>Guaranteeing timeliness is intimately related to the density of the MPL routers. In ideal circumstances the message is propagated as a single wave through the network, such that the maximum delay is related to the number of hops times the smallest repetition interval of MPL. Each forwarder that receives the message passes the message on to the next hop by repeating the message. When several copies of a message reach the forwarder, it is specified that the copy need not be repeated. Repetition of the message can be inhibited by a small value of k. To assure timeliness, the value of k should be chosen high enough to make sure that messages are repeated at the first arrival of the message in the forwarder. However, a network that is too dense leads to a saturation of the medium that can only be prevented by selecting a low value of k. Consequently, timeliness is assured by choosing a relatively high value of k but assuring at the same time a low enough density of forwarders to reduce the risk of medium saturation. Depending on the reliability of the network links, it is advisable to choose the network such that at least 2 forwarders per hop repeat messages to the same set of destinations.</t>
          <t>There are no rules about selecting forwarders for MPL. In buildings with central management tools, the forwarders can be selected, but in the home is not possible to automatically configure the forwarder topology at the time of writing this document.</t>
        </section>

        <section title="Security">
          <t>RPL MAY use unsecured messages to reduce message size. If there is a single node that uses unsecured RPL messages, link-layer security MUST be present. In both cases, a symmetric key is used to secure a message. The symmetric key MUST be distributed or established in a secure fashion.</t>
          <section title="Symmetric key distribution" anchor="SYM">		
            <t>The scope of the symmetric key distribution MUST be no greater than the network itself, i.e. a group key. This document describes what needs to be implemented to meet this requirement. The scope of the symmetric key distribution MAY be smaller than the network, for example:</t>
            <t><list style="symbols">
              <t>A pairwise symmetric key between two peers.</t>
              <t>A group key shared between a subset of nodes in the network.</t>
            </list></t>
          </section>
          <section title="Symmetric key distribution mechanism">
            <t>The authentication mechanism as described in Section 6.9 of <xref target="ZigBeeIP"/> SHALL be used to securely distribute a network-wide symmetric key.</t>
            <t>The purpose of the authentication procedure is to provide mutual authentication resulting in:</t>
            <t><list style="symbols">
              <t>Preventing untrusted nodes without appropriate credentials from joining the trusted network.</t>
              <t>Preventing trusted nodes with appropriate credentials from joining an untrusted network.</t>
            </list></t>
            <t>There is an Authentication Server, which is responsible for authenticating the nodes on the network. If the authentication is successful, the Authentication Server sends the network security material to the joining node through the PANA protocol (<xref target="RFC5191"/>, <xref target="RFC6345"/>). The joining node becomes a full participating node in the network and is able to apply layer 2 security to RPL messages using the distributed network key.</t>
            <t>The joining node does not initially have access to the network security material. Therefore, it is not able to apply layer 2 security for the packets exchanged during the authentication process. The enforcement point rules at the edge of the network ensure that the packets involved in the PANA authentication are processed even though they are unsecured at MAC layer. The rules also ensure that any other incoming traffic that is not secured at the MAC layer is discarded and is not forwarded.</t>
            <section title="Authentication Stack" anchor="AUTH">
            <t>Authentication can be viewed as a protocol stack as a layer encapsulates the layers above it.
            <list style="symbols">
              <t>TLS <xref target="RFC5246"/> MUST be used at the highest layer of the authentication stack and carries the authentication exchange. There is one cipher suite based on pre-shared key <xref target="RFC6655"/> and one cipher suite based on ECC <xref target="RFC7251"/>.</t>
              <t>EAP-TLS <xref target="RFC5216"/> MUST be used at the next layer to carry the TLS records for the authentication protocol.</t>
              <t>The Extensible Authentication Protocol <xref target="RFC3748"/> MUST be used to provide the mechanisms for mutual authentication. EAP requires a way to transport EAP packets between the joining node and the node on which the Authentication Server resides. These nodes are not necessarily in radio range of each other, so it is necessary to have multi-hop support in the EAP transport method. The PANA protocol <xref target="RFC5191"/>, <xref target="RFC6345"/>, which operates over UDP, MUST be used for this purpose. <xref target="RFC3748"/> specifies the derivation of a session key using the EAP key hierarchy; only the EAP Master Session Key shall be derived, as <xref target="RFC5191"/> specifies that it is used to set up keys for PANA authentication and encryption.</t>
              <t>PANA <xref target="RFC5191"/> and PANA relay <xref target="RFC6345"/> MUST be used at the next layer:
              <list style="symbols">
                <t>The joining node MUST act as the PANA Client (PaC)</t>
                <t>The parent edge router node MUST act as a PANA relay (PRE) according to <xref target="RFC6345"/>, unless it is also the Authentication Server. All routers at the edge of the network MUST be capable of functioning in the PRE role.</t>
                <t>The Authentication Server node MUST act as the PANA Authentication Agent (PAA). The Authentication Server MUST be able to handle packets relayed according to <xref target="RFC6345"/>.</t>
              </list></t>
            </list></t>
            <t>This network authentication process uses link-local IPv6 addresses for transport between the new node and its parent. If the parent is not the Authentication Server, it MUST then relay packets from the joining node to the Authentication Server and vice-versa using PANA relay mechanism <xref target="RFC6345"/>.  The joining node MUST use a link-local address based on its EUI-64 as the source address for initial PANA authentication message exchanges.</t>
          </section>
          <section title="Applicability Statements">
            <t>The applicability statements describe the relationship between the various specifications.</t>
            <section title="Applicability Statement for PSK TLS">
              <t><xref target="RFC6655"/> contains AEAD TLS cipher suites that are very similar to <xref target="RFC5487"/> whose AEAD part is detailed in <xref target="RFC5116"/>. <xref target="RFC5487"/> references both <xref target="RFC5288"/> and the original PSK cipher suite document <xref target="RFC4279"/>, which references <xref target="RFC5246"/>, which defines the TLS 1.2 messages.</t>
            </section>
            <section title="Applicability Statement for ECC TLS">
              <t><xref target="RFC7251"/> contains AEAD TLS cipher suites that are very similar to <xref target="RFC5289"/> whose AEAD part is detailed in <xref target="RFC5116"/>. <xref target="RFC5289"/> references the original ECC cipher suite document <xref target="RFC4492"/>, which references <xref target="RFC5246"/>, which defines the TLS 1.2 messages.</t>
            </section>
            <section title="Applicability Statement for EAP-TLS and PANA">
              <t><xref target="RFC5216"/> specifies how <xref target="RFC3748"/> is used to package <xref target="RFC5246"/> TLS records into EAP packets. <xref target="RFC5191"/> provides transportation for the EAP packets and the network-wide key carried in an encrypted AVP specified in <xref target="RFC6786"/>. The proposed PRF and AUTH hashes based on SHA-256 are represented as in <xref target="RFC5996"/> and detailed in <xref target="RFC4868"/>.</t>
            </section>
          </section>
          <section title="Security using RPL message security">
            <t>If RPL is used with secured messages <xref target="RFC6550"/>, the following RPL security parameter values SHOULD be used:
            <list style="symbols">
              <t>Counter Time Flag (T) = 0: Do not use timestamp in the Counter Field. Counters based on timestamps are typically more applicable to industrial networks where strict timing synchronization between nodes is often implemented. Home and building networks typically do not implement such strict timing synchronization therefore a monotonically increasing counter is more appropriate.</t>
              <t>Algorithm = 0: Use Counter with Cipher Block Chaining Message Authentication Code (CBC-MAC Mode) (CCM) with Advanced Encryption Standard (AES)-128. This is the only assigned mode at present.</t>
              <t>Key Identifier Mode (KIM) = 10: Use group key, Key Source present,
              Key Index present. Given the relatively confined perimeter of a home or building network, a group key is usually sufficient to protect RPL messages sent between nodes. The use of the Key Source field allows multiple group keys to be used within the network.</t>
              <t>Security Level (LVL) = 0: Use MAC-32. This is recommended as integrity protection for RPL messages is the basic requirement. Encryption is unlikely to be necessary given the relatively non-confidential nature of RPL message payloads.</t>
            </list></t>
            </section>
          </section>
        </section>

        <section title="P2P communications">
          <t><xref target="RFC6997"/> MUST be used to accommodate P2P traffic, which is typically substantial in home and building automation networks.</t>
        </section>

        <section title="IPv6 address configuration">
          <t>Assigned IP addresses MUST be routable and unique within the routing domain <xref target="RFC5889"/>.</t>
        </section>
      </section>

      <section title="Layer 2 features">
        <t>No particular requirements exist for layer 2 but for the ones cited in the IP over Foo RFCs (see <xref target="L2-app"/>).</t>

      <section title="Specifics about layer-2">
          <t>Not applicable</t>
        </section>

        <section title="Services provided at layer-2">
          <t>Not applicable</t>
        </section>

        <section title="6LowPAN options assumed">
          <t>Not applicable</t>
        </section>

        <section title="Mesh Link Establishment (MLE) and other things">
          <t>Not applicable</t>
        </section>
      </section>

      <section title="Recommended Configuration Defaults and Ranges ">
        <t>The following sections describe the recommended parameter values for P2P-RPL and Trickle. </t>

        <section title="Trickle parameters">
          <t>Trickle is used to distribute network parameter values to all nodes without stringent time restrictions. The recommended Trickle parameter values are:
          <list style="symbols">
            <t>DIOIntervalMin 4 = 16 ms</t>
            <t>DIOIntervalDoublings 14</t>
            <t>DIORedundancyConstant 1</t>
          </list></t>
          <t>When a node sends a changed DIO, this is an inconsistency and forces the receiving node to respond within Imin. So when something happens which affects the DIO, the change is ideally communicated to a node, n hops away, within n times Imin. Often, dependent on the node density, packets are lost, or not sent, leading to larger delays.</t>
          <t>In general we can expect DIO changes to propagate within 1 to 3 seconds within the envisaged networks.</t>
          <t>When nothing happens, the DIO sending interval increases to 4.37 minutes, thus drastically reducing the network load. When a node does not receive DIO messages during more than 10 minutes it can safely conclude the connection with other nodes has been lost.</t>
        </section>

        <section title ="Other Parameters">
          <t> This section discusses the P2P-RPL parameters.</t>
          <t>P2P-RPL <xref target="RFC6997"/> provides the features requested by <xref target="RFC5826"/> and <xref target="RFC5867"/>. P2P-RPL uses a subset of the frame formats and features defined for RPL <xref target="RFC6550"/> but may be combined with RPL frame flows in advanced deployments.</t>
          <t>The recommended parameter values for P2P-RPL are:
          <list style="symbols">
            <t>MinHopRankIncrease 1</t>
            <t>MaxRankIncrease 0</t>
            <t>MaxRank 6</t>
            <t>Objective function: OF0</t>
          </list></t>
        </section>
      </section>
    </section>

    <section title="MPL Profile">
      <t>MPL is used to distribute values to groups of devices. Using MPL, based on the Trickle algorithm, timeliness should also be guaranteed. A deadline of 200 ms needs to be met when human action is followed by an immediately observable action such as switching on lights. The deadline needs to be met in a building where the number of hops from seed to destination varies between 1 and 10.</t>

      <section title= "Recommended configuration Defaults and Ranges">
        <section title="Real-Time optimizations">
          <t>When the network is heavily loaded, MAC delays contribute significantly to the end to end delays when MPL intervals between 10 to 100 ms are used to meet the 200 ms deadline. It is possible to set the number of buffers in the MAC to 1 and set the number of Back-off repetitions to 1. The number of MPL repetitions compensates for the reduced probability of transmission per MAC invocation <xref target="RT-MPL"/>.</t>
          <t>In addition, end to end delays and message losses are reduced, by adding a real-time layer between MPL and MAC to throw away the earliest messages (exploiting the MPL message numbering) and favour the most recent ones.</t>
        </section>

        <section title="Trickle parameters">
          <t>This section proposes values for the Trickle parameters used by MPL for the distribution of packets that need to meet a 200 ms deadline. The probability of meeting the deadline is increased by (1) choosing a small Imin value,(2) reducing the number of MPL intervals thus reducing the load, and (3) reducing the number of MPL forwarders to also reduce the load.</t>
          <t>The consequence of this approach is that the value of k can be larger than 1 because network load reduction is already guaranteed by the network configuration.</t>
          <t>Under the condition that the density of MPL repeaters can be limited, it is possible to choose low MPL repeat intervals (Imin) connected to k values such that k>1. The minimum value of k is related to:
          <list style="symbols">
            <t>Value of Imin. The length of Imin determines the number of packets that can be received within the listening period of Imin.</t>
            <t>Number of repeaters receiving the broadcast message from the same forwarder or seed. These repeaters repeat within the same Imin interval, thus increasing the c counter.</t>
          </list></t>
          <t>Within the first MPL interval a limited number, q, of messages can be transmitted. Assuming a 3 ms transmission interval, q is given by q = Imin/3. Assuming that at most q message copies can reach a given forwarder within the first repeat interval of length Imin, the related MPL parameter values are suggested in the following sections.</t>

          <section title="Imin">
            <t>The recommended value is Imin = 10 to 50 ms.</t>
            <t>When Imin is chosen much smaller, the interference between the copies leads to significant losses given that q is much smaller than the number of repeated packets. With much larger intervals the probability that the deadline will be met decreases with increasing hop count.</t>
          </section>

          <section title="Imax">
            <t>The recommended value is Imax = 100 to 400 ms. </t>
            <t>The value of Imax is less important than the value of max_expiration. Given an Imin value of 10 ms, the 3rd MPL interval has a value of 10*2*2 = 40 ms. When Imin has a value of 40 ms, the 3rd interval has a value of 160 ms. Given that more than 3 intervals are unnecessary, the Imax does not contribute much to the performance.</t>
          </section>
        </section>

        <section title="Other parameters">
          <t>Other parameters are the k parameter and the max_expiration parameter.</t>
          <t>k &gt; q (see condition above). Under this condition and for small Imin, a value of k=2 or k=3 is usually sufficient to minimize the losses of packets in the first repeat interval.</t>
          <t>max_expiration = 2 - 4. Higher values lead to more network load while generating copies which will probably not meet their deadline.</t>
        </section>
      </section>
    </section>

    <section title="Manageability Considerations">
      <t>At this moment it is not clear how homenets will be managed. Consequently it is not clear which tools will be used and which parameters must be exposed for management.</t>
      <t>In building control, management is mandatory. It is expected that installations will be managed using the set of currently available tools(including IETF tools like Management Information Base (MIB) modules, NETCONF modules, Dynamic Host Configuration Protocol (DHCP) and others) with large differences between the ways an installation is managed.</t>
    </section>

    <section anchor="SEC-CON" title="Security Considerations">
      <t>This section refers to the security considerations of <xref target="RFC6997"/>, <xref target="RFC6550"/>, <xref target="I-D.ietf-roll-trickle-mcast"/>, and the counter measures discussed in sections 6 and 7 of <xref target="RFC7416"/>.</t>
      <t>Communications network security is based on providing integrity protection and encryption to messages. This can be applied at various layers in the network protocol stack based on using various credentials and a network identity.</t>
      <t>The credentials which are relevant in the case of RPL are: (i) the credential used at the link layer in the case where link layer security is applied (see <xref target="SEC-LINK"/>) or (ii) the credential used for securing RPL messages. In both cases, the assumption is that the credential is a shared key. Therefore, there MUST be a mechanism in place which allows secure distribution of a shared key and configuration of network identity. Both MAY be done using: (i) pre-installation using an out-of-band method, (ii) delivered securely when a device is introduced into the network or (iii) delivered securely by a trusted neighbouring device as described in <xref target="SYM"/>. The shared key MUST be stored in a secure fashion which makes it difficult to be read by an unauthorized party.</t>
      <t>This document mandates that a layer-2 mechanism be used during initial and incremental deployment. Please see the following sections.</t>

      <section anchor="SEC-LINK"  title="Security considerations during initial deployment">
        <t>Wireless mesh networks are typically secured at the link layer in order to prevent unauthorized parties from accessing the information exchanged over the links. It is a basic practice to create a network of nodes which share the same keys for link layer security and exclude nodes sending unsecured messages. With per-message data origin authentication, it is possible to prevent unauthorized nodes joining the mesh.</t>
        <t>At initial deployment the network is secured by consecutively securing nodes at the link layer, thus building a network of secured nodes. The Protocol for carrying Authentication for Network Access (PANA) <xref target="RFC5191"/> <xref target="RFC6345"/> with an Extensible Authentication Protocol (EAP) provides a framework for network access and delivery of common link keys. Several versions of EAP exist. ZigBee specifies the use of EAP-TLS <xref target="RFC5216"/> (see section 5 of <xref target="ZigBeeIP"/>), which is also recommended in <xref target="AUTH"/>. Wi-SUN HAN (Home Area Network) uses EAP-PSK <xref target="RFC4764"/> (see section 5.6 of <xref target="WI-SUN"/>), which also looks promising for  building control at this moment.</t>
        <t>This document does not specify a multicast security solution. Networks deployed with this specification will depend upon layer-2 security to prevent outsiders from sending multicast traffic. It is recognized that this does not protect this control traffic from impersonation by already trusted devices. This is an area for a future specification.</t>
        <t>For building control an installer will use an installation tool that establishes a secure communication path with the joining node. It is recognized that the recommendations for initial deployment of <xref target="SEC-CON"/> and <xref target="SEC-LINK"/> do not cover all building requirements such as selecting the node-to-secure independent of network topology.</t>
        <t> It is expected that a set of protocol combinations will evolve within currently existing alliances of building control manufacturers. Each set satisfies the installation requirements of installers, operators, and manufacturers of building control networks in a given installation context, e.g lighting deployment in offices, HVAC installation, incremental addition of equipment in homes, and others.</t>
        <t>In the home, nodes can be visually inspected by the home owner and a simple procedure, e.g. pushing buttons simultaneously on an already secured device and an unsecured joining device is usually sufficient to ensure that the unsecured joining device is authenticated and configured securely, and paired appropriately.</t>
        <t>This recommendation is in line with the countermeasures described in section 6.1.1 of <xref target="RFC7416"/>.</t>
      </section>

      <section anchor="SEC-DIST" title="Security Considerations during incremental deployment">
        <t>Once a network is operational, new nodes need to be added, or nodes fail and need to be replaced. When a new node needs to be added to the network, the new node is joined to the network via an assisting node in the manner described in <xref target="SEC-LINK"/>.</t>
        <t> On detection of a compromised node, all trusted nodes need to be re-keyed, and the trusted network is built up as described in <xref target="SEC-LINK"/>.</t>
      </section>

      <section title="Security Considerations for P2P uses">
        <t>Refer to the security considerations of <xref target="RFC6997"/>.</t>
      </section>

      <section title="MPL routing">
        <t>The routing of MPL is determined by the enabling of the interfaces for specified Multicast addresses. The specification of these addresses can be done via a Constrained Application Protocol (CoAP) application as specified in <xref target="RFC7390"/>. An alternative is the creation of a MPL MIB and use of Simple Network Management Protocol (SNMP)v3 <xref target="RFC3411"/> or equivalent techniques to specify the Multicast addresses in the MIB. The application of security measures for the specification of the multicast addresses assures that the routing of MPL packets is secured.</t>
      </section>

      <section title="RPL Security features">
        <t>This section follows the structure of section 7, "RPL security features" of <xref target="RFC7416"/>, where a thorough analysis of security threats and proposed counter measures relevant to RPL and MPL are done.</t>
        <t>In accordance with section 7.1 of <xref target="RFC7416"/>, "Confidentiality features", a secured RPL protocol implements payload protection, as explained in <xref target="SEC-CON"/> of this document. The attributes key-length and life-time of the keys depend on operational conditions, maintenance and installation procedures.</t>
        <t><xref target="SEC-LINK"/> and <xref target="SEC-DIST"/> of this document recommend link-layer measures to assure integrity in accordance with section 7.2 of <xref target="RFC7416"/>, "Integrity features".</t>
        <t>The provision of multiple paths recommended in section 7.3 "Availability features" of <xref target="RFC7416"/> is also recommended from a reliability point of view. Randomly choosing paths MAY be supported.</t>
        <t>Key management discussed in section 7.4, "Key Management" of <xref target="RFC7416"/>, is not standardized and discussions continue.</t>
        <t>Section 7.5, "Considerations on Matching Application Domain Needs" of <xref target="RFC7416"/> applies as such.</t>
      </section>
    </section>

    <section title="Other related protocols">
      <t>Application and transport protocols used in home and building automation domains are expected to mostly consist in CoAP over UDP, or equivalents. Typically, UDP is used for IP transport to keep down the application response time and bandwidth overhead. CoAP is used at the application layer to reduce memory footprint and bandwidth requirements.</t>
    </section>

    <section title="IANA Considerations">
      <t>No considerations for IANA pertain to this document.</t>
    </section>

    <section title="Acknowledgements">
      <t>This document reflects discussions and remarks from several individuals including (in alphabetical order): Stephen Farrell, Mukul Goyal, Sandeep Kumar, Jerry Martocci, Catherine Meadows, Yoshira Ohba, Charles Perkins, Yvonne-Anne Pignolet, Michael Richardson, Ines Robles, Zach Shelby, and Meral Sherazipour.</t>
    </section>

    <section title="Changelog">
      <t>RFC editor, please delete this section before publication.</t>
      <t>Changes from version 0 to version 1.
      <list style="symbols">
        <t>Adapted section structure to template. </t>
        <t>Standardized the reference syntax.</t>
        <t>Section 2.2, moved everything concerning algorithms to section 2.2.7, and adapted text in 2.2.1-2.2.6.</t>
        <t>Added MPL parameter text to section 4.1.7 and section 4.3.1.</t>
        <t>Replaced all TODO sections with text. </t>
        <t>Consistent use of border router, monitoring, home- and building network. </t>
        <t>Reformulated security aspects with references to other publications. </t>
        <t>MPL and RPL parameter values introduced.</t>
      </list></t>
      <t>Changes from version 1 to version 2.
      <list style="symbols">
        <t>Clarified common characteristics of control in home and building.</t>
        <t>Clarified failure behaviour of point to point communication in appendix. </t>
        <t>Changed examples, more hvac and less lighting.</t>
        <t>Clarified network topologies. </t>
        <t>replaced reference to smart_object paper by reference to I-D.roll-security-threats</t>
        <t>Added a concise definition of secure delivery and secure storage </t>
        <t>Text about securing network with PANA </t>
      </list></t>
      <t>Changes from version 2 to version 3.
      <list style="symbols">
        <t>Changed security section to follow the structure of security threats draft.</t>
        <t>Added text to DODAG repair sub-section </t>
      </list></t>
      <t>Changes from version 3 to version 4.
      <list style="symbols">
        <t>Renumbered sections and moved text to conform to applicability template</t>
        <t>Extended MPL parameter value text </t>
        <t>Added references to building control products </t>
      </list></t>
      <t>Changes from version 4 to version 5.
      <list style="symbols">
        <t>Large editing effort to streamline text </t>
        <t>Rearranged Normative and Informative references </t>
        <t>Replaced RFC2119 terminology by non-normative terminology </t>
        <t>Rearranged text of section 7, 7.1, and 7.2 to agree with the intention of section 7.2 </t>
      </list></t>
      <t>Changes from version 5 to version 6.
      <list style="symbols">
        <t>Issues #162 - #166 addressed </t>
      </list></t>
      <t>Changes from version 6 to version 7.
      <list style="symbols">
        <t>Text of section 7.1 edited for better security coverage. </t>
      </list></t>
    </section>
  </middle>

  <back>
    <references title="Normative References">
      &RFC2119;
      &RFC3748;
      &RFC4279;
      &RFC4492;
      &RFC4764;
      &RFC4868;
      &RFC4944;
      &RFC5116;
      &RFC5191;
      &RFC5216;
      &RFC5246;
      &RFC5288;
      &RFC5289;
      &RFC5487;
      &RFC5548;
      &RFC5673;
      &RFC5826;
      &RFC5867;
      &RFC5996;
      &RFC6282;
      &RFC6345;
      &RFC6550;
      &RFC6551;
      &RFC6554;
      &RFC6655;
      &RFC6786;
      &RFC6997;
      &RFC6998;
      &RFC7102;
      &RFC7251;
      &RFC7416;
      &I-D.ietf-roll-trickle-mcast;

      <reference anchor="IEEE802.15.4" target="IEEE Standard 802.15.4">
        <front>
          <title>IEEE 802.15.4 - Standard for Local and metropolitan area networks -- Part 15.4: Low-Rate Wireless Personal Area Networks</title>
          <author fullname="IEEE Computer Society" initials="" surname="">
            <organization />
          </author>
          <date />
        </front>
      </reference>

      <reference anchor="G.9959" target="ITU-T G.9959">
        <front>
          <title>ITU-T G.9959 Short range narrow-band digital radiocommunication transceivers - PHY and MAC layer specifications</title>
          <author fullname="ITU-T SG 15" initials="" surname="">
            <organization />
          </author>
          <date />
        </front>
      </reference>
    </references>

    <references title="Informative References">
      &RFC3411;
      &RFC3561;
      &RFC5889;
      &RFC7228;
      &RFC7390;
      &RFC7428;

      <reference anchor="SOFT11">
        <front>
          <title>The P2P-RPL Routing Protocol for IPv6 Sensor Networks: Testbed Experiments</title>
          <author fullname="E. Baccelli" initials="E." surname="Baccelli"/>
          <author fullname="M. Philipp" initials="M." surname="Phillip"/>
          <author fullname="M.Goyal" initials="M." surname="Goyal"/>
          <date day="8" month="September" year="2011"/>
        </front>
        <seriesInfo name="" value="Proceedings of the Conference on Software Telecommunications and Computer Networks, Split, Croatia,"/>
      </reference>

      <reference anchor="INTEROP12">
        <front>
          <title>Report on P2P-RPL Interoperability Testing</title>
          <author fullname="E. Baccelli" initials="E." surname="Baccelli"/>
          <author fullname="M. Philipp" initials="M." surname="Phillip"/>
          <author fullname="A. Brandt" initials="A." surname="Brandt"/>
          <author fullname="H. Valev " initials="H." surname="Valev "/>
          <author fullname="J. Buron " initials="J." surname="Buron "/>
          <date day="20" month="January" year="2012"/>
        </front>
        <seriesInfo name="RR-7864" value="INRIA Research Report RR-7864"/>
      </reference>

      <reference anchor="RT-MPL">
        <front>
          <title>Real-Time multicast for wireless mesh networks using MPL</title>
          <author fullname="P. van der Stok" initials="P." surname="van der Stok"/>
          <date month="April" year="2014"/>
        </front>
        <seriesInfo name="White paper, " value="http://www.vanderstok.org/papers/Real-time-MPL.pdf"/>
      </reference>

      <reference anchor="occuswitch">
        <front>
          <title>OccuSwitch wireless</title>
          <author fullname="Philips lighting" initials="Philips" surname="Lighting"/>
          <date month="May" year="2012"/>
        </front>
        <seriesInfo name="Brochure, " value="http://www.philipslightingcontrols.com/assets/cms/uploads/files/osw/MK_OSWNETBROC_5.pdf"/>
      </reference>

      <reference anchor="office-light">
        <front>
          <title>A Life Cycle Cost Evaluation of Multiple Lighting Control Strategies </title>
          <author fullname="Clanton and Associates, Inc." initials="." surname="Clanton and Associates"/>
          <date month="February" year="2014"/>
        </front>
        <seriesInfo name="Wireless Lighting Control, " value="http://www.daintree.net/wp-content/uploads/2014/02/clanton_lighting_control_report_0411.pdf"/>
      </reference>

      <reference anchor="RTN2011">
        <front>
          <title>Real-time routing for low-latency 802.15.4 control networks</title>
          <author fullname="K. Holtman" initials="K." surname="Holtman"/>
          <author fullname="P. van der Stok" initials="P." surname="van der Stok"/>
          <date day="5" month="July" year="2011"/>
        </front>
        <seriesInfo name="International Workshop on Real-Time Networks;" value="Euromicro Conference on Real-Time Systems"/>
      </reference>

      <reference anchor="MEAS">
        <front>
          <title>Connectivity loss in large scale IEEE 802.15.4 network</title>
          <author fullname="K. Holtman" initials="K." surname="Holtman"/>
          <date month="November" year="2013"/>
        </front>
        <seriesInfo name="" value="Private Communication"/>
      </reference>

      <reference anchor="BCsurvey">
        <front>
          <title>Communication Systems for Building Automation and Control</title>
          <author fullname="Wolfgang Kastner" initials="W." surname="Kastner"/>
          <author fullname="Georg Neugschwandtner" initials="G." surname="Neugschwandtner"/>
          <author fullname="Stefan Soucek" initials="S." surname="Soucek"/>
          <author fullname="Michael Newman" initials="H.M." surname="Newman"/>
          <date day="6" month="June" year="2005"/>
        </front>
        <seriesInfo name="Proceedings of the IEEE " value="Vol 93, No 6"/>
      </reference>

      <reference anchor="ZigBeeIP">
        <front>
          <title>ZigBee IP specification</title>
          <author fullname="ZigBee Alliance" initials="." surname="ZigBee Alliance"/>
          <date month="March" year="2014"/>
        </front>
        <seriesInfo name="ZigBee document" value="095023r34"/>
      </reference>

      <reference anchor="WI-SUN">
        <front>
          <title>Home network Communication Interface for ECHONET Lite (IEEE802.15.4/4e/4g 920MHz-band Wireless)</title>
          <author fullname="ECHONET Lite" initials="." surname="ECHONET Lite"/>
          <date day="22" month="May" year="2014"/>
        </front>
        <seriesInfo name="Japanese TTC standard" value="JJ-300.10"/>
      </reference>
    </references>

    <section anchor="RPL_shortcomings" title="RPL shortcomings in home and building deployments">
      <section title="Risk of undesired long P2P routes ">
        <t>The DAG, being a tree structure is formed from a root. If nodes residing in different branches have a need for communicating internally, DAG mechanisms provided in RPL <xref target="RFC6550"/> will propagate traffic towards the root, potentially all the way to the root, and down along another branch <xref target="RFC6998"/>. In a typical example two nodes could reach each other via just two router nodes but in unfortunate cases, RPL may send traffic three hops up and three hops down again. This leads to several undesired phenomena described in the following sections.</t>

        <section title="Traffic concentration at the root ">
          <t>If many P2P data flows have to move up towards the root to get down again in another branch there is an increased risk of congestion the nearer to the root of the DAG the data flows. Due to the broadcast nature of RF systems any child node of the root is not just directing RF power downwards its sub-tree but just as much upwards towards the root; potentially jamming other MP2P traffic leaving the tree or preventing the root of the DAG from sending P2MP traffic into the DAG because the listen-before-talk link-layer protection kicks in.</t>
        </section>

        <section title="Excessive battery consumption in source nodes ">
          <t>Battery-powered nodes originating P2P traffic depend on the route length. Long routes cause source nodes to stay awake for longer periods before returning to sleep. Thus, a longer route translates proportionally (more or less) into higher battery consumption.</t>
        </section>
      </section>

      <section title="Risk of delayed route repair ">
        <t>The RPL DAG mechanism uses DIO and DAO messages to monitor the health of the DAG. In rare occasions, changed radio conditions may render routes unusable just after a destination node has returned a DAO indicating that the destination is reachable. Given enough time, the next Trickle timer-controlled DIO/DAO update will eventually repair the broken routes, however this may not occur in a timely manner appropriate to the application. In an apparently stable DAG, Trickle-timer dynamics may reduce the update rate to a few times every hour. If a user issues an actuator command, e.g. light on in the time interval between the last DAO message was issued the destination module and the time one of the parents sends the next DIO, the destination cannot be reached. There is no mechanism in RPL to initiate restoration of connectivity in a reactive fashion. The consequence is a broken service in home and building applications.</t>

        <section title="Broken service">
          <t>Experience from the telecom industry shows that if the voice delay exceeds 250ms, users start getting confused, frustrated and/or annoyed. In the same way, if the light does not turn on within the same period of time, a home control user will activate the controls again, causing a sequence of commands such as Light{on,off,off,on,off,..} or Volume{up,up,up,up,up,...}. Whether the outcome is nothing or some unintended response this is unacceptable. A controlling system must be able to restore connectivity to recover from the error situation. Waiting for an unknown period of time is not an option. While this issue was identified during the P2P analysis, it applies just as well to application scenarios where an IP application outside the LLN controls actuators, lights, etc.</t>
        </section>
      </section>
    </section>

    <section anchor="com-fail" title="Communication failures">
      <t>Measurements on the connectivity between neighbouring nodes are discussed in <xref target="RTN2011"/> and <xref target="MEAS"/>.</t>
      <t>The work is motivated by the measurements in literature which affirm that the range of an antenna is not circle symmetric but that the signal strength of a given level follows an intricate pattern around the antenna, and there may be holes within the area delineated by an iso-strength line. It is reported that communication is not symmetric: reception of messages from node A by node B does not imply reception of messages from node B by node A. The quality of the signal fluctuates over time, and also the height of the antenna within a room can have consequences for the range. As function of the distance from the source, three regions are generally recognized: (1) a clear region with excellent signal quality, (2) a region with fluctuating signal quality, (3) a region without reception. In the text below it is shown that installation of meshes with neighbours in the clear region is not sufficient.</t>
      <t><xref target="RTN2011"/> extends existing work by:</t>
      <t><list style="symbols">
        <t>Observations over periods of at least a week, </t>
        <t>Testing links that are in the clear region, </t>
        <t>Observation in an office building during working hours, </t>
        <t>Concentrating on one-hop and two-hop routes. </t>
      </list></t>
      <t>Eight nodes were distributed over a surface of 30m2. All nodes are at one hop distance from each other and are situated in the clear region of each other. Each node sends messages to each of its neighbours, and repeats the message until it arrives. The latency of the message was measured over periods of at least a week. It is noticed that latencies longer than a second occurred without apparent reasons, but only during working days and never in the weekends. Bad periods could last for minutes. By sending messages via two paths: (1) one hop path directly, and (2) two hop path via a randomly chosen neighbour, the probability of delays larger than 100 ms decreased significantly.</t>
      <t>The conclusion is that even for 1-hop communication between not too distant "Line of Sight" nodes, there are periods of low reception in which communication deadlines of 200 ms are exceeded. It pays to send a second message over a 2-hop path to increase the reliability of timely message transfer.</t>
      <t><xref target="MEAS"/> confirms that temporary bad reception by close neighbours can occur within other types of areas. Nodes were installed on the ceiling in a grid with a distance of 30-50 cm between nodes. 200 nodes were distributed over an area of 10m x 5m. It clearly transpired that with increasing distance the probability of reception decreases. At the same time a few nodes furthest away from the sender had a high probability of message reception, while some close neighbours of the sender did not receive messages. The patterns of clear reception nodes evolved over time.</t>
      <t>The conclusion is that even for direct neighbours reception can temporarily be bad during periods of several minutes. For a reliable and timely communication it is imperative to have at least two communication paths available (e.g. two hop paths next to the 1-hop path for direct neighbours).</t>
    </section>
  </back>
</rfc>
