Controlling Secure Network Enrollment in RPL networks
Sandelman Software Works
mcr+ietf@sandelman.ca
Huawei Tech
rahul.ietf@gmail.com
Cisco Systems
pthubert@cisco.com
Cisco Systems
hushe@cisco.com
Internet
ROLL Working Group
Internet-Draft
defines a method by which a
potential enrollment proxy can announce itself as a
available for new Pledges to enroll on a network.
The announcement includes a priority for enrollment.
This document provides a mechanism by which a RPL DODAG root can disable enrollment announcements, or adjust the base priority for enrollment operation.
Introduction
describes the use of the time-slotted channel
hopping (TSCH) mode of .
and describe mechanisms by which a new node (the "pledge)" can use a
friendly router as a Join Proxy.
describes an extension to
the 802.15.4 Enhanced Beacon that is used by a Join Proxy to announce its
existence such that Pledges can find them.
Motivation and Overview
It has become clear that not every routing member of the mesh ought to announce itself as a Join Proxy.
There are a variety of local reasons by which a 6LR might not want to provide the Join Proxy function.
They include available battery power, already committed network bandwidth, and also total available memory available for Neighbor Cache Entry slots.
There are other situations where the operator of the network would like to selective enable or disable the enrollment process in a particular DODAG.
As the enrollment process involves permitting unencrypted traffic into the best effort part of a (TSCH) network, it would be better to have the enrollment process off when no new nodes are expected.
A network operator might also be able to recognize when certain parts of the network are overloaded and can not accomodate additional enrollment traffic, and it would like to adjust the enrollment priority (the proxy priority field of ) among all nodes in the subtree of a congested link.
This document describes a RPL DIO option that can be used to announce a minimum enrollment priority. The minimum priority expresses the (lack of) willingness by the RPL DODAG globally to accept new joins. It may derive from multiple constaining factors, e.g., the size of the DODAG, the occupancy of the bandwidth at the Root, the memory capacity at the DODAG Root, or an administrative decision.
Each potential Join Proxy would this value as a base on which to add values relating to local conditions such as its Rank and number of pending joins, which would degrade even further the willingness to take more joins.
When a RPL domain is composed of multiple DODAGs, nodes at the edge of 2 DODAGs may not only join either DODAG but also move from one to the other in order to keep their relative sizes balanced. For this, the approximate knowledge of size of the DODAG is an essential metric. Depending on the network policy, the size of the DODAG may or may not affect the minimum enrollment priority. It would be limiting its value to enforce that one is proportional to the other. This is why the current size of the DODAG is advertised separately in the new option.
As explained in , higher values decrease the likelyhood of an unenrolled node sending enrollment traffic via this path.
A network operator can set this value to the maximum value allowed, effectively disable all new enrollment traffic.
Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 when, and only when, they
appear in all capitals, as shown here.
The term (1)"Join" has been used in documents like to denote the activity of a new node authenticating itself to the network in order to obtain authorization to become a member of the network.
In the context of the RPL protocol, the term (2)"Join" has an alternate meaning: that of a node (already authenticating to the network, and already authorized to be a member of the network), deciding which part of the RPL DODAG to attach to.
This term "Join" has to do with parent selection processes.
In order to avoid the ambiguity of this term, this document refers to the process (1)"Join" as enrollment, leaving the term "Join" to mean (2)"Join".
The term "onboarding" (or IoT Onboarding) is sometimes used to describe the enrollment process.
However, the term Join Proxy is retained with it's meaning from .
Protocol Definition
With this specification, the following option is defined for transmission in the DIO issued by the DODAG root and it MUST be propagated down the DODAG.
A 6LR which would otherwise be willing to act as a Join Proxy, will examine the minimum priority field, and to that number, add any additional local consideration (such as upstream congestion).
The Enrollment Priority can only be increased by each 6LR in value, to the maximum value of 0x7f.
The resulting priority, if less than 0x7f should enable the Join Proxy function.
- Type
-
To be assigned by IANA
- exp
-
a 4 bit unsigned integer, indicating the power of 2 that defines the unit of the DODAG Size, such that (unit=2^exp).
- DODAG_Size
-
a 12 bit unsigned integer, expressing the size of the DODAG in units that depend on the exp field. The size of the DODAG is computed as (DAG_Size*2^exp).
- min.priority
-
a 7 bit field which provides a base value for the Enhanced Beacon Join priority. A value of 0x7f (127) disables the Join Proxy function entirely.
- R
-
a reserved bit that SHOULD be set to 0 by senders, and MUST be ignored by receivers.
This reserved bit SHOULD be copied to options created.
This document uses the extensions mechanism designed into .
It does not need any mechanism to enable it.
The size of the DODAG is measured by the Root based one the DAO activity.
It represents a number of routes not a number of nodes, and can only be used to infer a load in an homogeneous network where each node advertises the same number of addresses and generates roughly the same amount of traffic.
The size may slightly change between a DIO and the next, so the value transmitted must be considered as an approxmation.
Future work like will enable collection of capabilities such as this one in reports to the DODAG root.
Upwards compatibility
A 6LR which did not support this option would not act on it, or copy it into it's DIO messages.
Children and grandchildren nodes would therefore not receive any telemetry via that path, and need to assume a default value.
6LRs that support this option, but whose parent does not send it SHOULD assume a value of 0x40 as their base value.
The nodes then adjust this base value based upon their observed congestion, emitting their adjusted DIO value to their children.
A 6LR downstream of a 6LR where there was an interruption in the telemetry could err in two directions:
- if the value implied by the base value of 0x40 was too low, then a 6LR might continue to attract enrollment traffic when none should have been collected. This is a stressor for the network, but this would also be what would occur without this option at all.
- if the value implied by the base value of 0x40 was too high, then a 6LR might deflect enrollment traffic to other parts of the DODAG tree, possibly refusing any enrollment traffic at all. In order for this to happen, some significant congestion must be seen in the sub-tree where the implied 0x40 was introduced.
The 0x40 is only the half-way point, so if such an amount of congestion was present, then this sub-tree of the DODAG simply winds up being more cautious than it needed to be.
It is possible that the temporal alternation of the above two situations might introduce cycles of accepting and then rejecting enrollment traffic.
This is something an operator should consider if when they incrementally deploy this option to an existing LLN.
In addition, an operator would be unable to turn off enrollment traffic by sending a maximum value enrollment priority to the sub-tree.
This situation is unfortunate, but without this option, the the situation would occur all over the DODAG, rather than just in the sub-tree where the option was omitted.
Security Considerations
As per , RPL control frames either run over a secured layer 2, or use the Secure DIO methods.
This option can be placed into either a "clear" (layer-2 secured) DIO, or a layer-3 Secure DIO. As such this option will have both integrity and confidentiality mechanisms applied to it.
A malicious node (that was part of the RPL control plane) could see these options and could, based upon the observed minimal enrollment priority signal a confederate that it was a good time to send malicious join traffic.
Such as a malicious node, being already part of the RPL control plane, could also send DIOs with a different minimal enrollment priority which would cause downstream mesh routers to change their Join Proxy behaviour.
Lower minimal priorities would cause downstream nodes to accept more pledges than the network was
expecting, and higher minimal priorities cause the enrollment process to stall.
The use of layer-2 or layer-3 security for RPL control messages prevents the above two attacks, by preventing malicious nodes from becoming part of the control plane.
A node that is attacked and has malware placed on it creates vulnerabilities in the same way such an attack on any node involved in Internet routing protocol does.
The rekeying provisions of exist to permit an operator to remove such nodes from the network easily.
Privacy Considerations
There are no new privacy issues caused by this extension.
IANA Considerations
Allocate a new number TBD01 from Registry RPL Control Message Options.
This entry should be called Minimum Enrollment Priority.
Acknowledgements
This has been reviewed by Konrad Iwanicki and Thomas Wattenye.
References
Normative References
Key words for use in RFCs to Indicate Requirement Levels
In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.
Using IEEE 802.15.4e Time-Slotted Channel Hopping (TSCH) in the Internet of Things (IoT): Problem Statement
This document describes the environment, problem statement, and goals for using the Time-Slotted Channel Hopping (TSCH) Medium Access Control (MAC) protocol of IEEE 802.14.4e in the context of Low-Power and Lossy Networks (LLNs). The set of goals enumerated in this document form an initial set only.
RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks
Low-Power and Lossy Networks (LLNs) are a class of network in which both the routers and their interconnect are constrained. LLN routers typically operate with constraints on processing power, memory, and energy (battery power). Their interconnects are characterized by high loss rates, low data rates, and instability. LLNs are comprised of anything from a few dozen to thousands of routers. Supported traffic flows include point-to-point (between devices inside the LLN), point-to-multipoint (from a central control point to a subset of devices inside the LLN), and multipoint-to-point (from devices inside the LLN towards a central control point). This document specifies the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL), which provides a mechanism whereby multipoint-to-point traffic from devices inside the LLN towards a central control point as well as point-to-multipoint traffic from the central control point to the devices inside the LLN are supported. Support for point-to-point traffic is also available. [STANDARDS-TRACK]
Encapsulation of 6TiSCH Join and Enrollment Information Elements
Universidad Diego Portales
Sandelman Software Works
In the Time-Slotted Channel Hopping (TSCH) mode of IEEE Std 802.15.4, opportunities for broadcasts are limited to specific times and specific channels. Routers in a TSCH network transmit Enhanced Beacon (EB) frames to announce the presence of the network. This document provides a mechanism by which additional information critical for new nodes (pledges) and long-sleeping nodes may be carried within the EB in order to conserve use of broadcast opportunities.
Constrained Join Protocol (CoJP) for 6TiSCH
Inria
Analog Devices
University of California Berkeley
Sandelman Software Works
This document describes the minimal framework required for a new device, called a "pledge", to securely join a 6TiSCH (IPv6 over the Time-Slotted Channel Hopping mode of IEEE 802.15.4) network. The framework requires that the pledge and the JRC (Join Registrar/Coordinator, a central entity), share a symmetric key. How this key is provisioned is out of scope of this document. Through a single CoAP (Constrained Application Protocol) request-response exchange secured by OSCORE (Object Security for Constrained RESTful Environments), the pledge requests admission into the network, and the JRC configures it with link-layer keying material and other parameters. The JRC may at any time update the parameters through another request-response exchange secured by OSCORE. This specification defines the Constrained Join Protocol and its CBOR (Concise Binary Object Representation) data structures, and it describes how to configure the rest of the 6TiSCH communication stack for this join process to occur in a secure manner. Additional security mechanisms may be added on top of this minimal framework.
IEEE Std. 802.15.4, Part. 15.4: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for Low-Rate Wireless Personal Area Networks
n.d.
Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words
RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.
A Security Threat Analysis for the Routing Protocol for Low-Power and Lossy Networks (RPLs)
This document presents a security threat analysis for the Routing Protocol for Low-Power and Lossy Networks (RPLs). The development builds upon previous work on routing security and adapts the assessments to the issues and constraints specific to low-power and lossy networks. A systematic approach is used in defining and evaluating the security threats. Applicable countermeasures are application specific and are addressed in relevant applicability statements.
Informative References
6tisch Secure Join protocol
This document describes a zero-touch mechanism to enroll a new device
(the "pledge") into a IEEE802.15.4 TSCH network using the 6tisch
signaling mechanisms. The resulting device will obtain a domain
specific credential that can be used with either 802.15.9 per-host
pair keying protocols, or to obtain the network-wide key from a
coordinator. The mechanism describe her is an augmentation to the
one-touch mechanism described in [I-D.ietf-6tisch-minimal-security].
RPL Capabilities
Cisco Systems, Inc
Sandelman Software Works
Juniper
This draft enables the discovery, advertisement and query of
capabilities for RPL nodes.
Change history
version 00.