< draft-ietf-roll-security-threats-05.txt   draft-ietf-roll-security-threats-06.txt >
Routing Over Low-Power and Lossy Networks T. Tsao Routing Over Low-Power and Lossy Networks T. Tsao
Internet-Draft R. Alexander Internet-Draft R. Alexander
Intended status: Informational Cooper Power Systems Intended status: Informational Cooper Power Systems
Expires: April 23, 2014 M. Dohler Expires: June 18, 2014 M. Dohler
CTTC CTTC
V. Daza V. Daza
A. Lozano A. Lozano
Universitat Pompeu Fabra Universitat Pompeu Fabra
M. Richardson M. Richardson
Sandelman Software Works Sandelman Software Works
October 20, 2013 December 15, 2013
A Security Threat Analysis for Routing over Low-Power and Lossy Networks A Security Threat Analysis for Routing Protocol for Low-power and lossy
draft-ietf-roll-security-threats-05 networks (RPL)
draft-ietf-roll-security-threats-06
Abstract Abstract
This document presents a security threat analysis for routing over This document presents a security threat analysis for the Routing
low-power and lossy networks (LLN). The development builds upon Protocol for Low-power and lossy networks (RPL, ROLL). The
previous work on routing security and adapts the assessments to the development builds upon previous work on routing security and adapts
issues and constraints specific to low-power and lossy networks. A the assessments to the issues and constraints specific to low-power
systematic approach is used in defining and evaluating the security and lossy networks. A systematic approach is used in defining and
threats. Applicable countermeasures are application specific and are evaluating the security threats. Applicable countermeasures are
addressed in relevant applicability statements. These assessments application specific and are addressed in relevant applicability
provide the basis of the security recommendations for incorporation statements.
into low-power, lossy network routing protocols.
Requirements Language Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in RFC "OPTIONAL" in this document are to be interpreted as described in RFC
2119 [RFC2119]. 2119 [RFC2119].
Status of This Memo Status of This Memo
skipping to change at page 2, line 10 skipping to change at page 2, line 10
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 23, 2014. This Internet-Draft will expire on June 18, 2014.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Considerations on ROLL Security . . . . . . . . . . . . . . . 4 3. Considerations on RPL Security . . . . . . . . . . . . . . . 4
3.1. Routing Assets and Points of Access . . . . . . . . . . . 5 3.1. Routing Assets and Points of Access . . . . . . . . . . . 5
3.2. The ISO 7498-2 Security Reference Model . . . . . . . . . 7 3.2. The ISO 7498-2 Security Reference Model . . . . . . . . . 7
3.3. Issues Specific to or Amplified in LLNs . . . . . . . . . 8 3.3. Issues Specific to or Amplified in LLNs . . . . . . . . . 9
3.4. ROLL Security Objectives . . . . . . . . . . . . . . . . 11 3.4. RPL Security Objectives . . . . . . . . . . . . . . . . . 11
4. Threat Sources . . . . . . . . . . . . . . . . . . . . . . . 12 4. Threat Sources . . . . . . . . . . . . . . . . . . . . . . . 12
5. Threats and Attacks . . . . . . . . . . . . . . . . . . . . . 12 5. Threats and Attacks . . . . . . . . . . . . . . . . . . . . . 12
5.1. Threats due to failures to Authenticate . . . . . . . . . 13 5.1. Threats due to failures to Authenticate . . . . . . . . . 13
5.1.1. Node Impersonation . . . . . . . . . . . . . . . . . 13 5.1.1. Node Impersonation . . . . . . . . . . . . . . . . . 13
5.1.2. Dummy Node . . . . . . . . . . . . . . . . . . . . . 13 5.1.2. Dummy Node . . . . . . . . . . . . . . . . . . . . . 13
5.1.3. Node Resource Spam . . . . . . . . . . . . . . . . . 13 5.1.3. Node Resource Spam . . . . . . . . . . . . . . . . . 13
5.2. Threats and Attacks on Confidentiality . . . . . . . . . 13 5.2. Threats and Attacks on Confidentiality . . . . . . . . . 13
5.2.1. Routing Exchange Exposure . . . . . . . . . . . . . . 14 5.2.1. Routing Exchange Exposure . . . . . . . . . . . . . . 14
5.2.2. Routing Information (Routes and Network Topology) 5.2.2. Routing Information (Routes and Network Topology)
Exposure . . . . . . . . . . . . . . . . . . . . . . 14 Exposure . . . . . . . . . . . . . . . . . . . . . . 14
6. Threats and Attacks on Integrity . . . . . . . . . . . . . . 15 5.3. Threats and Attacks on Integrity . . . . . . . . . . . . 15
6.1. Routing Information Manipulation . . . . . . . . . . . . 15 5.3.1. Routing Information Manipulation . . . . . . . . . . 15
6.2. Node Identity Misappropriation . . . . . . . . . . . . . 15 5.3.2. Node Identity Misappropriation . . . . . . . . . . . 16
7. Threats and Attacks on Availability . . . . . . . . . . . . . 16 5.4. Threats and Attacks on Availability . . . . . . . . . . . 16
7.1. Routing Exchange Interference or Disruption . . . . . . . 16 5.4.1. Routing Exchange Interference or Disruption . . . . . 16
7.2. Network Traffic Forwarding Disruption . . . . . . . . . . 16 5.4.2. Network Traffic Forwarding Disruption . . . . . . . . 16
7.3. Communications Resource Disruption . . . . . . . . . . . 18 5.4.3. Communications Resource Disruption . . . . . . . . . 18
7.4. Node Resource Exhaustion . . . . . . . . . . . . . . . . 18 5.4.4. Node Resource Exhaustion . . . . . . . . . . . . . . 18
8. Countermeasures . . . . . . . . . . . . . . . . . . . . . . . 19 6. Countermeasures . . . . . . . . . . . . . . . . . . . . . . . 19
8.1. Confidentiality Attack Countermeasures . . . . . . . . . 19 6.1. Confidentiality Attack Countermeasures . . . . . . . . . 19
8.1.1. Countering Deliberate Exposure Attacks . . . . . . . 19 6.1.1. Countering Deliberate Exposure Attacks . . . . . . . 19
8.1.2. Countering Passive Wiretapping Attacks . . . . . . . 20 6.1.2. Countering Passive Wiretapping Attacks . . . . . . . 20
8.1.3. Countering Traffic Analysis . . . . . . . . . . . . . 21 6.1.3. Countering Traffic Analysis . . . . . . . . . . . . . 21
8.1.4. Countering Remote Device Access Attacks . . . . . . . 21 6.1.4. Countering Remote Device Access Attacks . . . . . . . 22
8.2. Integrity Attack Countermeasures . . . . . . . . . . . . 22 6.2. Integrity Attack Countermeasures . . . . . . . . . . . . 22
8.2.1. Countering Unauthorized Modification Attacks . . . . 22 6.2.1. Countering Unauthorized Modification Attacks . . . . 22
8.2.2. Countering Overclaiming and Misclaiming Attacks . . . 23 6.2.2. Countering Overclaiming and Misclaiming Attacks . . . 23
8.2.3. Countering Identity (including Sybil) Attacks . . . . 23 6.2.3. Countering Identity (including Sybil) Attacks . . . . 23
8.2.4. Countering Routing Information Replay Attacks . . . . 23 6.2.4. Countering Routing Information Replay Attacks . . . . 23
8.2.5. Countering Byzantine Routing Information Attacks . . 24 6.2.5. Countering Byzantine Routing Information Attacks . . 24
8.3. Availability Attack Countermeasures . . . . . . . . . . . 25 6.3. Availability Attack Countermeasures . . . . . . . . . . . 25
8.3.1. Countering HELLO Flood Attacks and ACK Spoofing 6.3.1. Countering HELLO Flood Attacks and ACK Spoofing
Attacks . . . . . . . . . . . . . . . . . . . . . . . 25 Attacks . . . . . . . . . . . . . . . . . . . . . . . 25
8.3.2. Countering Overload Attacks . . . . . . . . . . . . . 26 6.3.2. Countering Overload Attacks . . . . . . . . . . . . . 26
8.3.3. Countering Selective Forwarding Attacks . . . . . . . 27 6.3.3. Countering Selective Forwarding Attacks . . . . . . . 27
8.3.4. Countering Sinkhole Attacks . . . . . . . . . . . . . 28 6.3.4. Countering Sinkhole Attacks . . . . . . . . . . . . . 28
8.3.5. Countering Wormhole Attacks . . . . . . . . . . . . . 28 6.3.5. Countering Wormhole Attacks . . . . . . . . . . . . . 29
9. ROLL Security Features . . . . . . . . . . . . . . . . . . . 29 7. RPL Security Features . . . . . . . . . . . . . . . . . . . . 29
9.1. Confidentiality Features . . . . . . . . . . . . . . . . 30 7.1. Confidentiality Features . . . . . . . . . . . . . . . . 30
9.2. Integrity Features . . . . . . . . . . . . . . . . . . . 31 7.2. Integrity Features . . . . . . . . . . . . . . . . . . . 31
9.3. Availability Features . . . . . . . . . . . . . . . . . . 31 7.3. Availability Features . . . . . . . . . . . . . . . . . . 32
9.4. Key Management . . . . . . . . . . . . . . . . . . . . . 32 7.4. Key Management . . . . . . . . . . . . . . . . . . . . . 32
9.5. Consideration on Matching Application Domain Needs . . . 32 7.5. Consideration on Matching Application Domain Needs . . . 33
9.5.1. Security Architecture . . . . . . . . . . . . . . . . 32 7.5.1. Mechanisms and Operations . . . . . . . . . . . . . . 33
9.5.2. Mechanisms and Operations . . . . . . . . . . . . . . 35 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34
10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 37 9. Security Considerations . . . . . . . . . . . . . . . . . . . 34
11. Security Considerations . . . . . . . . . . . . . . . . . . . 37 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 34
12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 37 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 34
13. References . . . . . . . . . . . . . . . . . . . . . . . . . 38 11.1. Normative References . . . . . . . . . . . . . . . . . . 35
13.1. Normative References . . . . . . . . . . . . . . . . . . 38 11.2. Informative References . . . . . . . . . . . . . . . . . 35
13.2. Informative References . . . . . . . . . . . . . . . . . 38 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 42
1. Introduction 1. Introduction
In recent times, networked electronic devices have found an In recent times, networked electronic devices have found an
increasing number of applications in various fields. Yet, for increasing number of applications in various fields. Yet, for
reasons ranging from operational application to economics, these reasons ranging from operational application to economics, these
wired and wireless devices are often supplied with minimum physical wired and wireless devices are often supplied with minimum physical
resources; the constraints include those on computational resources resources; the constraints include those on computational resources
(RAM, clock speed, storage), communication resources (duty cycle, (RAM, clock speed, storage), communication resources (duty cycle,
packet size, etc.), but also form factors that may rule out user packet size, etc.), but also form factors that may rule out user
access interfaces (e.g., the housing of a small stick-on switch), or access interfaces (e.g., the housing of a small stick-on switch), or
simply safety considerations (e.g., with gas meters). As a simply safety considerations (e.g., with gas meters). As a
consequence, the resulting networks are more prone to loss of traffic consequence, the resulting networks are more prone to loss of traffic
and other vulnerabilities. The proliferation of these low-power and and other vulnerabilities. The proliferation of these low-power and
lossy networks (LLNs), however, are drawing efforts to examine and lossy networks (LLNs), however, are drawing efforts to examine and
address their potential networking challenges. Securing the address their potential networking challenges. Securing the
establishment and maintenance of network connectivity among these establishment and maintenance of network connectivity among these
deployed devices becomes one of these key challenges. deployed devices becomes one of these key challenges.
This document presents a threat analysis for securing Routing Over This document presents a threat analysis for securing the Routing
LLNs (ROLL) through an analysis that starts from the routing basics. Protocol for LLNs (RPL). The process requires two steps. First, the
The process requires two steps. First, the analysis will be used to analysis will be used to identify pertinent security issues. The
identify pertinent security issues. The second step is to identify second step is to identify necessary countermeasures to secure RPL.
necessary countermeasures to secure the ROLL protocols. As there are As there are multiple ways to solve the problem and the specific
multiple ways to solve the problem and the specific tradeoffs are tradeoffs are deployment specific, the specific countermeasure to be
deployment specific, the specific countermeasure to be used is used is detailed in applicatbility statements.
detailed in applicatbility statements.
This document uses [IS07498-2] model, which includes Authentication, This document uses [IS07498-2] model, which includes Authentication,
Access Control, Data Confidentiality, Data Integrity, and Non- Access Control, Data Confidentiality, Data Integrity, and Non-
Repudiation but to which Availability is added. Repudiation but to which Availability is added.
All of this document concerns itself with control plane traffic only. All of this document concerns itself with securing the control plane
traffic. As such it does not address authorization or authentication
of application traffic, nor does it deal with multicast traffic
controls. Mechanisms used to secure RPL traffic SHOULD be leveraged
to secure other protocols.
2. Terminology 2. Terminology
This document adopts the terminology defined in [RFC6550], in This document adopts the terminology defined in [RFC6550], in
[RFC4949], and in [I-D.ietf-roll-terminology]. [RFC4949], and in [I-D.ietf-roll-terminology].
The terms control plane and forwarding plane are used consistently The terms control plane and forwarding plane are used consistently
with section 1 of [RFC6192]. with section 1 of [RFC6192].
3. Considerations on ROLL Security 3. Considerations on RPL Security
Routing security, in essence, ensures that the routing protocol Routing security, in essence, ensures that the routing protocol
operates correctly. It entails implementing measures to ensure operates correctly. It entails implementing measures to ensure
controlled state changes on devices and network elements, both based controlled state changes on devices and network elements, both based
on external inputs (received via communications) or internal inputs on external inputs (received via communications) or internal inputs
(physical security of device itself and parameters maintained by the (physical security of device itself and parameters maintained by the
device, including, e.g., clock). State changes would thereby involve device, including, e.g., clock). State changes would thereby involve
not only authorization of injector's actions, authentication of not only authorization of injector's actions, authentication of
injectors, and potentially confidentiality of routing data, but also injectors, and potentially confidentiality of routing data, but also
proper order of state changes through timeliness, since seriously proper order of state changes through timeliness, since seriously
skipping to change at page 5, line 15 skipping to change at page 5, line 17
This section sets the stage for the development of the analysis by This section sets the stage for the development of the analysis by
applying the systematic approach proposed in [Myagmar2005] to the applying the systematic approach proposed in [Myagmar2005] to the
routing security, while also drawing references from other reviews routing security, while also drawing references from other reviews
and assessments found in the literature, particularly, [RFC4593] and and assessments found in the literature, particularly, [RFC4593] and
[Karlof2003]. The subsequent subsections begin with a focus on the [Karlof2003]. The subsequent subsections begin with a focus on the
elements of a generic routing process that is used to establish elements of a generic routing process that is used to establish
routing assets and points of access to the routing functionality. routing assets and points of access to the routing functionality.
Next, the [ISO.7498-2.1988] security model is briefly described. Next, the [ISO.7498-2.1988] security model is briefly described.
Then, consideration is given to issues specific to or amplified in Then, consideration is given to issues specific to or amplified in
LLNs. This section concludes with the formulation of a set of LLNs. This section concludes with the formulation of a set of
security objectives for ROLL. security objectives for RPL.
3.1. Routing Assets and Points of Access 3.1. Routing Assets and Points of Access
An asset is an important system resource (including information, An asset is an important system resource (including information,
process, or physical resource), the access to, corruption or loss of process, or physical resource), the access to, corruption or loss of
which adversely affects the system. In the control plane context, an which adversely affects the system. In the control plane context, an
asset is information about the network, processes used to manage and asset is information about the network, processes used to manage and
manipulate this data, and the physical devices on which this data is manipulate this data, and the physical devices on which this data is
stored and manipulated. The corruption or loss of these assets may stored and manipulated. The corruption or loss of these assets may
adversely impact the control plane of the network. Within the same adversely impact the control plane of the network. Within the same
skipping to change at page 5, line 46 skipping to change at page 5, line 48
the model is to be as detailed as possible so that corresponding the model is to be as detailed as possible so that corresponding
assets, points of access, and process in an individual routing assets, points of access, and process in an individual routing
protocol can be readily identified. protocol can be readily identified.
Figure 1 shows that nodes participating in the routing process Figure 1 shows that nodes participating in the routing process
transmit messages to discover neighbors and to exchange routing transmit messages to discover neighbors and to exchange routing
information; routes are then generated and stored, which may be information; routes are then generated and stored, which may be
maintained in the form of the protocol forwarding table. The nodes maintained in the form of the protocol forwarding table. The nodes
use the derived routes for making forwarding decisions. use the derived routes for making forwarding decisions.
................................................... ...................................................
: : : :
: : : :
|Node_i|<------->(Routing Neighbor _________________ : |Node_i|<------->(Routing Neighbor _________________ :
: Discovery)------------>Neighbor Topology : : Discovery)------------>Neighbor Topology :
: -------+--------- : : -------+--------- :
: | : : | :
|Node_j|<------->(Route/Topology +--------+ : |Node_j|<------->(Route/Topology +--------+ :
: Exchange) | : : Exchange) | :
: | V ______ : : | V ______ :
: +---->(Route Generation)--->Routes : : +---->(Route Generation)--->Routes :
: ---+-- : : ---+-- :
: | : : | :
: Routing on a Node Node_k | : : Routing on a Node Node_k | :
................................................... ...................................................
| |
skipping to change at page 7, line 26 skipping to change at page 7, line 29
attempts to misrepresent routing topology. Indeed, the intention of attempts to misrepresent routing topology. Indeed, the intention of
the security threat analysis is to be comprehensive. Hence, some of the security threat analysis is to be comprehensive. Hence, some of
the discussion which follows is associated with assets and points of the discussion which follows is associated with assets and points of
access that are not directly related to routing protocol design but access that are not directly related to routing protocol design but
nonetheless provided for reference since they do have direct nonetheless provided for reference since they do have direct
consequences on the security of routing. consequences on the security of routing.
3.2. The ISO 7498-2 Security Reference Model 3.2. The ISO 7498-2 Security Reference Model
At the conceptual level, security within an information system in At the conceptual level, security within an information system in
general and applied to ROLL in particular is concerned with the general and applied to RPL in particular is concerned with the
primary issues of authentication, access control, data primary issues of authentication, access control, data
confidentiality, data integrity, and non-repudiation. In the context confidentiality, data integrity, and non-repudiation. In the context
of ROLL of RPL
Authentication Authentication
Authentication involves the mutual authentication of the Authentication involves the mutual authentication of the
routing peers prior to exchanging route information (i.e., peer routing peers prior to exchanging route information (i.e., peer
authentication) as well as ensuring that the source of the authentication) as well as ensuring that the source of the
route data is from the peer (i.e., data origin authentication). route data is from the peer (i.e., data origin authentication).
[RFC5548] points out that LLNs can be drained by [RFC5548] points out that LLNs can be drained by
unauthenticated peers before configuration. [RFC5673] requires unauthenticated peers before configuration. [RFC5673] requires
availability of open and untrusted side channels for new availability of open and untrusted side channels for new
joiners, and it requires strong and automated authentication so joiners, and it requires strong and automated authentication so
skipping to change at page 8, line 29 skipping to change at page 8, line 33
logging or other capture of on-going message exchanges and logging or other capture of on-going message exchanges and
signatures. Applied to routing, non-repudiation is not an signatures. Applied to routing, non-repudiation is not an
issue because it does not apply to routing protocols, which are issue because it does not apply to routing protocols, which are
machine-to-machine protocols. Further, with the LLN machine-to-machine protocols. Further, with the LLN
application domains as described in [RFC5867] and [RFC5548], application domains as described in [RFC5867] and [RFC5548],
proactive measures are much more critical than retrospective proactive measures are much more critical than retrospective
protections. Finally, given the significant practical limits protections. Finally, given the significant practical limits
to on-going routing transaction logging and storage and to on-going routing transaction logging and storage and
individual device digital signature verification for each individual device digital signature verification for each
exchange, non-repudiation in the context of routing is an exchange, non-repudiation in the context of routing is an
unsupportable burden that bears no further considered as a ROLL unsupportable burden that bears no further considered as an RPL
security issue. security issue.
It is recognized that, besides those security issues captured in the It is recognized that, besides those security issues captured in the
ISO 7498-2 model, availability, is a security requirement: ISO 7498-2 model, availability, is a security requirement:
Availability Availability
Availability ensures that routing information exchanges and Availability ensures that routing information exchanges and
forwarding services need to be available when they are required forwarding services need to be available when they are required
for the functioning of the serving network. Availability will for the functioning of the serving network. Availability will
apply to maintaining efficient and correct operation of routing apply to maintaining efficient and correct operation of routing
and neighbor discovery exchanges (including needed information) and neighbor discovery exchanges (including needed information)
and forwarding services so as not to impair or limit the and forwarding services so as not to impair or limit the
network's central traffic flow function network's central traffic flow function
It should be emphasized here that for ROLL security the above It should be emphasized here that for RPL security the above
requirements must be complemented by the proper security policies and requirements must be complemented by the proper security policies and
enforcement mechanisms to ensure that security objectives are met by enforcement mechanisms to ensure that security objectives are met by
a given ROLL implementation. a given RPL implementation.
3.3. Issues Specific to or Amplified in LLNs 3.3. Issues Specific to or Amplified in LLNs
The work [RFC5548], [RFC5673], [RFC5826], and [RFC5867] have The work [RFC5548], [RFC5673], [RFC5826], and [RFC5867] have
identified specific issues and constraints of routing in LLNs for the identified specific issues and constraints of routing in LLNs for the
urban, industrial, home automation, and building automation urban, industrial, home automation, and building automation
application domains, respectively. The following is a list of application domains, respectively. The following is a list of
observations and evaluation of their impact on routing security observations and evaluation of their impact on routing security
considerations. considerations.
Limited energy, memory, and processing node resources Limited energy, memory, and processing node resources
As a consequence of these constraints, there is an even more As a consequence of these constraints, there is an even more
critical need than usual for a careful study of trade-offs on critical need than usual for a careful study of trade-offs on
skipping to change at page 11, line 15 skipping to change at page 11, line 15
The above list considers how an LLN's physical constraints, size, The above list considers how an LLN's physical constraints, size,
operations, and variety of application areas may impact security. operations, and variety of application areas may impact security.
However, it is the combinations of these factors that particularly However, it is the combinations of these factors that particularly
stress the security concerns. For instance, securing routing for a stress the security concerns. For instance, securing routing for a
large number of autonomous devices that are left in unattended large number of autonomous devices that are left in unattended
locations with limited physical security presents challenges that are locations with limited physical security presents challenges that are
not found in the common circumstance of administered networked not found in the common circumstance of administered networked
routers. The following subsection sets up the security objectives routers. The following subsection sets up the security objectives
for the routing protocol designed by the ROLL WG. for the routing protocol designed by the ROLL WG.
3.4. ROLL Security Objectives 3.4. RPL Security Objectives
This subsection applies the ISO 7498-2 model to routing assets and This subsection applies the ISO 7498-2 model to routing assets and
access points, taking into account the LLN issues, to develop a set access points, taking into account the LLN issues, to develop a set
of ROLL security objectives. of RPL security objectives.
Since the fundamental function of a routing protocol is to build Since the fundamental function of a routing protocol is to build
routes for forwarding packets, it is essential to ensure that: routes for forwarding packets, it is essential to ensure that:
o routing/topology information iintegrity remains intact during o routing/topology information iintegrity remains intact during
transfer and in storage; transfer and in storage;
o routing/topology information is used by authorized entities; o routing/topology information is used by authorized entities;
o routing/topology information is available when needed. o routing/topology information is available when needed.
skipping to change at page 12, line 17 skipping to change at page 12, line 17
credentials. credentials.
The vulnerability brought forth by some special-function nodes, e.g., The vulnerability brought forth by some special-function nodes, e.g.,
LBRs, requires the assurance, particularly in a security context, LBRs, requires the assurance, particularly in a security context,
o of the availability of communication channels and node resources; o of the availability of communication channels and node resources;
o that the neighbor discovery process operates without undermining o that the neighbor discovery process operates without undermining
routing availability. routing availability.
There are other factors which are not part of a ROLL protocol but There are other factors which are not part of RPL but directly
directly affecting its function. These factors include weaker affecting its function. These factors include weaker barrier of
barrier of accessing the data or security material stored on the accessing the data or security material stored on the nodes through
nodes through physical means; therefore, the internal and external physical means; therefore, the internal and external interfaces of a
interfaces of a node need to be adequate for guarding the integrity, node need to be adequate for guarding the integrity, and possibly the
and possibly the confidentiality, of stored information, as well as confidentiality, of stored information, as well as the integrity of
the integrity of routing and route generation processes. routing and route generation processes.
Each individual system's use and environment will dictate how the Each individual system's use and environment will dictate how the
above objectives are applied, including the choices of security above objectives are applied, including the choices of security
services as well as the strengths of the mechanisms that must be services as well as the strengths of the mechanisms that must be
implemented. The next two sections take a closer look at how the implemented. The next two sections take a closer look at how the RPL
ROLL security objectives may be compromised and how those potential security objectives may be compromised and how those potential
compromises can be countered. compromises can be countered.
4. Threat Sources 4. Threat Sources
[RFC4593] provides a detailed review of the threat sources: outsiders [RFC4593] provides a detailed review of the threat sources: outsiders
and byzantine. ROLL has the same threat sources. and byzantine. RPL has the same threat sources.
5. Threats and Attacks 5. Threats and Attacks
This section outlines general categories of threats under the ISO This section outlines general categories of threats under the ISO
7498-2 model and highlights the specific attacks in each of these 7498-2 model and highlights the specific attacks in each of these
categories for ROLL. As defined in [RFC4949], a threat is "a categories for RPL. As defined in [RFC4949], a threat is "a
potential for violation of security, which exists when there is a potential for violation of security, which exists when there is a
circumstance, capability, action, or event that could breach security circumstance, capability, action, or event that could breach security
and cause harm." and cause harm."
An attack is "an assault on system security that derives from an An attack is "an assault on system security that derives from an
intelligent threat, i.e., an intelligent act that is a deliberate intelligent threat, i.e., an intelligent act that is a deliberate
attempt (especially in the sense of a method or technique) to evade attempt (especially in the sense of a method or technique) to evade
security services and violate the security policy of a system." security services and violate the security policy of a system."
The subsequent subsections consider the threats and the attacks that The subsequent subsections consider the threats and the attacks that
skipping to change at page 13, line 47 skipping to change at page 14, line 4
that are facilitated by being able to direct traffic towards itself. that are facilitated by being able to direct traffic towards itself.
5.1.3. Node Resource Spam 5.1.3. Node Resource Spam
If an attacker can join a network with any identify, then it can If an attacker can join a network with any identify, then it can
continously do so, draining down the resources of the network to continously do so, draining down the resources of the network to
store identity and routing information, potentionally forcing store identity and routing information, potentionally forcing
legitimate nodes of the network. legitimate nodes of the network.
5.2. Threats and Attacks on Confidentiality 5.2. Threats and Attacks on Confidentiality
The assessment in Section 3.2 indicates that there are threat actions The assessment in Section 3.2 indicates that there are threat actions
against the confidentiality of routing information at all points of against the confidentiality of routing information at all points of
access. The confidentiality threat consequences is disclosure, see access. This threat results in disclosure, as described in
Section 3.1.2 of [RFC4593]. For ROLL this is the disclosure of Section 3.1.2 of [RFC4593], and it involves a disclosure of routing
routing information either by evesdropping on the communication
exchanges between routing nodes or by direct access of node's
information. information.
5.2.1. Routing Exchange Exposure 5.2.1. Routing Exchange Exposure
Routing exchanges include both routing information as well as Routing exchanges include both routing information as well as
information associated with the establishment and maintenance of information associated with the establishment and maintenance of
neighbor state information. As indicated in Section 3.1, the neighbor state information. As indicated in Section 3.1, the
associated routing information assets may also include device associated routing information assets may also include device
specific resource information, such as memory, remaining power, etc., specific resource information, such as memory, remaining power, etc.,
that may be metrics of the routing protocol. that may be metrics of the routing protocol.
skipping to change at page 14, line 48 skipping to change at page 14, line 50
The forms of attack that allow unauthorized access or disclosure of The forms of attack that allow unauthorized access or disclosure of
the routing information (other than occurring through explicit node the routing information (other than occurring through explicit node
exchanges) will include: exchanges) will include:
o Physical device compromise; o Physical device compromise;
o Remote device access attacks (including those occurring through o Remote device access attacks (including those occurring through
remote network management or software/field upgrade interfaces). remote network management or software/field upgrade interfaces).
Both of these attack vectors are considered a device specific issue, Both of these attack vectors are considered a device specific issue,
and are out of scope for the RPL protocol to defend against. In some and are out of scope for RPL to defend against. In some
applications, physical device compromise may be a real threat and it applications, physical device compromise may be a real threat and it
may be necessary to provide for other devices to react quickly to may be necessary to provide for other devices to react quickly to
exclude a compromised device. exclude a compromised device.
6. Threats and Attacks on Integrity 5.3. Threats and Attacks on Integrity
The assessment in Section 3.2 indicates that information and identity The assessment in Section 3.2 indicates that information and identity
assets are exposed to integrity threats from all points of access. assets are exposed to integrity threats from all points of access.
In other words, the integrity threat space is defined by the In other words, the integrity threat space is defined by the
potential for exploitation introduced by access to assets available potential for exploitation introduced by access to assets available
through routing exchanges and the on-device storage. through routing exchanges and the on-device storage.
6.1. Routing Information Manipulation 5.3.1. Routing Information Manipulation
Manipulation of routing information that range from neighbor states Manipulation of routing information that range from neighbor states
to derived routes will allow unauthorized sources to influence the to derived routes will allow unauthorized sources to influence the
operation and convergence of the routing protocols and ultimately operation and convergence of the routing protocols and ultimately
impact the forwarding decisions made in the network. impact the forwarding decisions made in the network.
Manipulation of topology and reachability information will allow Manipulation of topology and reachability information will allow
unauthorized sources to influence the nodes with which routing unauthorized sources to influence the nodes with which routing
information is exchanged and updated. The consequence of information is exchanged and updated. The consequence of
manipulating routing exchanges can thus lead to sub-optimality and manipulating routing exchanges can thus lead to sub-optimality and
skipping to change at page 15, line 49 skipping to change at page 16, line 5
o Routing information replay; o Routing information replay;
o Byzantine (internal) attacks that permit corruption of routing o Byzantine (internal) attacks that permit corruption of routing
information in the node even where the node continues to be a information in the node even where the node continues to be a
validated entity within the network (see, for example, [RFC4593] validated entity within the network (see, for example, [RFC4593]
for further discussions on Byzantine attacks); for further discussions on Byzantine attacks);
o Physical device compromise or remote device access attacks. o Physical device compromise or remote device access attacks.
6.2. Node Identity Misappropriation 5.3.2. Node Identity Misappropriation
Falsification or misappropriation of node identity between routing Falsification or misappropriation of node identity between routing
participants opens the door for other attacks; it can also cause participants opens the door for other attacks; it can also cause
incorrect routing relationships to form and/or topologies to emerge. incorrect routing relationships to form and/or topologies to emerge.
Routing attacks may also be mounted through less sophisticated node Routing attacks may also be mounted through less sophisticated node
identity misappropriation in which the valid information broadcast or identity misappropriation in which the valid information broadcast or
exchanged by a node is replayed without modification. The receipt of exchanged by a node is replayed without modification. The receipt of
seemingly valid information that is however no longer current can seemingly valid information that is however no longer current can
result in routing disruption, and instability (including failure to result in routing disruption, and instability (including failure to
converge). Without measures to authenticate the routing participants converge). Without measures to authenticate the routing participants
and to ensure the freshness and validity of the received information and to ensure the freshness and validity of the received information
the protocol operation can be compromised. The forms of attack that the protocol operation can be compromised. The forms of attack that
misuse node identity include misuse node identity include
o Identity attacks, including Sybil attacks in which a malicious o Identity attacks, including Sybil attacks in which a malicious
node illegitimately assumes multiple identities; node illegitimately assumes multiple identities;
o Routing information replay. o Routing information replay.
7. Threats and Attacks on Availability 5.4. Threats and Attacks on Availability
The assessment in Section 3.2 indicates that the process and The assessment in Section 3.2 indicates that the process and
resources assets are exposed to threats against availability; attacks resources assets are exposed to threats against availability; attacks
in this category may exploit directly or indirectly information in this category may exploit directly or indirectly information
exchange or forwarding (see [RFC4732] for a general discussion). exchange or forwarding (see [RFC4732] for a general discussion).
7.1. Routing Exchange Interference or Disruption 5.4.1. Routing Exchange Interference or Disruption
Interference is the threat action and disruption is threat Interference is the threat action and disruption is threat
consequence that allows attackers to influence the operation and consequence that allows attackers to influence the operation and
convergence of the routing protocols by impeding the routing convergence of the routing protocols by impeding the routing
information exchange. information exchange.
The forms of attack that allow interference or disruption of routing The forms of attack that allow interference or disruption of routing
exchange include: exchange include:
o Routing information replay; o Routing information replay;
o ACK spoofing; o ACK spoofing;
o Overload attacks. (Section 8.3.2) o Overload attacks. (Section 6.3.2)
In addition, attacks may also be directly conducted at the physical In addition, attacks may also be directly conducted at the physical
layer in the form of jamming or interfering. layer in the form of jamming or interfering.
7.2. Network Traffic Forwarding Disruption 5.4.2. Network Traffic Forwarding Disruption
The disruption of the network traffic forwarding capability will The disruption of the network traffic forwarding capability will
undermine the central function of network routers and the ability to undermine the central function of network routers and the ability to
handle user traffic. This affects the availability of the network handle user traffic. This affects the availability of the network
because of the potential to impair the primary capability of the because of the potential to impair the primary capability of the
network. network.
In addition to physical layer obstructions, the forms of attack that In addition to physical layer obstructions, the forms of attack that
allows disruption of network traffic forwarding include [Karlof2003] allows disruption of network traffic forwarding include [Karlof2003]
o Selective forwarding attacks; o Selective forwarding attacks;
|Node_1|--(msg1|msg2|msg3)-->|Attacker|--(msg1|msg3)-->|Node_2| |Node_1|--(msg1|msg2|msg3)-->|Attacker|--(msg1|msg3)-->|Node_2|
(a) Selective Forwarding
Figure 2: Selective Forwarding Figure 2: Selective Forwarding
o Wormhole attacks; o Wormhole attacks;
|Node_1|-------------Unreachable---------x|Node_2| |Node_1|-------------Unreachable---------x|Node_2|
| ^ | ^
| Private Link | | Private Link |
'-->|Attacker_1|===========>|Attacker_2|--' '-->|Attacker_1|===========>|Attacker_2|--'
(b) Wormhole
Figure 3: Wormhole Attacks Figure 3: Wormhole Attacks
o Sinkhole attacks. o Sinkhole attacks.
|Node_1| |Node_4| |Node_1| |Node_4|
| | | |
`--------. | `--------. |
Falsify as \ | Falsify as \ |
Good Link \ | | Good Link \ | |
To Node_5 \ | | To Node_5 \ | |
\ V V \ V V
|Node_2|-->|Attacker|--Not Forwarded---x|Node_5| |Node_2|-->|Attacker|--Not Forwarded---x|Node_5|
^ ^ \ ^ ^ \
| | \ Falsify as | | \ Falsify as
| | \Good Link | | \Good Link
/ | To Node_5 / | To Node_5
,-------' | ,-------' |
| | | |
|Node_3| |Node_i|
|Node_3| |Node_i|
(c) Sinkhole
Figure 4: Selective Forwarding, Wormhole, and Sinkhole Attacks Figure 4: Selective Forwarding, Wormhole, and Sinkhole Attacks
These attacks are generally done to both control plane and forwarding These attacks are generally done to both control plane and forwarding
plane traffic. A system that prevents control plane traffic (RPL plane traffic. A system that prevents control plane traffic (RPL
messages) from being diverted in these ways will also prevent actual messages) from being diverted in these ways will also prevent actual
data from being diverted. data from being diverted.
7.3. Communications Resource Disruption 5.4.3. Communications Resource Disruption
Attacks mounted against the communication channel resource assets Attacks mounted against the communication channel resource assets
needed by the routing protocol can be used as a means of disrupting needed by the routing protocol can be used as a means of disrupting
its operation. However, while various forms of Denial of Service its operation. However, while various forms of Denial of Service
(DoS) attacks on the underlying transport subsystem will affect (DoS) attacks on the underlying transport subsystem will affect
routing protocol exchanges and operation (for example physical layer routing protocol exchanges and operation (for example physical layer
RF jamming in a wireless network or link layer attacks), these RF jamming in a wireless network or link layer attacks), these
attacks cannot be countered by the routing protocol. As such, the attacks cannot be countered by the routing protocol. As such, the
threats to the underlying transport network that supports routing is threats to the underlying transport network that supports routing is
considered beyond the scope of the current document. Nonetheless, considered beyond the scope of the current document. Nonetheless,
attacks on the subsystem will affect routing operation and so must be attacks on the subsystem will affect routing operation and so must be
directly addressed within the underlying subsystem and its directly addressed within the underlying subsystem and its
implemented protocol layers. implemented protocol layers.
7.4. Node Resource Exhaustion 5.4.4. Node Resource Exhaustion
A potential threat consequence can arise from attempts to overload A potential threat consequence can arise from attempts to overload
the node resource asset by initiating exchanges that can lead to the the node resource asset by initiating exchanges that can lead to the
exhaustion of processing, memory, or energy resources. The exhaustion of processing, memory, or energy resources. The
establishment and maintenance of routing neighbors opens the routing establishment and maintenance of routing neighbors opens the routing
process to engagement and potential acceptance of multiple process to engagement and potential acceptance of multiple
neighboring peers. Association information must be stored for each neighboring peers. Association information must be stored for each
peer entity and for the wireless network operation provisions made to peer entity and for the wireless network operation provisions made to
periodically update and reassess the associations. An introduced periodically update and reassess the associations. An introduced
proliferation of apparent routing peers can therefore have a negative proliferation of apparent routing peers can therefore have a negative
skipping to change at page 19, line 9 skipping to change at page 19, line 21
disruption of communications channel resources, these consequences disruption of communications channel resources, these consequences
may be able to exhaust node resources only where the engagements are may be able to exhaust node resources only where the engagements are
able to proceed with the peer routing entities. Routing operation able to proceed with the peer routing entities. Routing operation
and network forwarding functions can thus be adversely impacted by and network forwarding functions can thus be adversely impacted by
node resources exhaustion that stems from attacks that include: node resources exhaustion that stems from attacks that include:
o Identity (including Sybil) attacks; o Identity (including Sybil) attacks;
o Routing information replay attacks; o Routing information replay attacks;
o HELLO flood attacks; o HELLO-type flood attacks;
o Overload attacks. (Section 8.3.2) o Overload attacks. (Section 6.3.2)
8. Countermeasures 6. Countermeasures
By recognizing the characteristics of LLNs that may impact routing, By recognizing the characteristics of LLNs that may impact routing,
this analysis provides the basis for developing capabilities within this analysis provides the basis for understanding the capabilities
ROLL protocols to deter the identified attacks and mitigate the within RPL used to deter the identified attacks and mitigate the
threats. The following subsections consider such countermeasures by threats. The following subsections consider such countermeasures by
grouping the attacks according to the classification of the ISO grouping the attacks according to the classification of the ISO
7498-2 model so that associations with the necessary security 7498-2 model so that associations with the necessary security
services are more readily visible. However, the considerations here services are more readily visible.
are more systematic than confined to means available only within
routing; the next section will then distill and make recommendations
appropriate for a secured ROLL protocol.
8.1. Confidentiality Attack Countermeasures 6.1. Confidentiality Attack Countermeasures
Attacks to disclosure routing information may be mounted at the level Attacks to disclosure routing information may be mounted at the level
of the routing information assets, at the points of access associated of the routing information assets, at the points of access associated
with routing exchanges between nodes, or through device interface with routing exchanges between nodes, or through device interface
access. To gain access to routing/topology information, the attacker access. To gain access to routing/topology information, the attacker
may rely on a compromised node that deliberately exposes the may rely on a compromised node that deliberately exposes the
information during the routing exchange process, may rely on passive information during the routing exchange process, may rely on passive
wiretapping or traffic analysis, or may attempt access through a wiretapping or traffic analysis, or may attempt access through a
component or device interface of a tampered routing node. component or device interface of a tampered routing node.
8.1.1. Countering Deliberate Exposure Attacks 6.1.1. Countering Deliberate Exposure Attacks
A deliberate exposure attack is one in which an entity that is party A deliberate exposure attack is one in which an entity that is party
to the routing process or topology exchange allows the routing/ to the routing process or topology exchange allows the routing/
topology information or generated route information to be exposed to topology information or generated route information to be exposed to
an unauthorized entity. an unauthorized entity.
For instance, due to mis-configuration or inappropriate enabling of a
diagnostic interface, an entity might be copying ("bridging") traffic
from a secured ESSID/PAN to an unsecured interface.
A prerequisite to countering this attack is to ensure that the A prerequisite to countering this attack is to ensure that the
communicating nodes are authenticated prior to data encryption communicating nodes are authenticated prior to data encryption
applied in the routing exchange. Authentication ensures that the applied in the routing exchange. Authentication ensures that the
nodes are who they claim to be even though it does not provide an nodes are who they claim to be even though it does not provide an
indication of whether the node has been compromised. indication of whether the node has been compromised.
To mitigate the risk of deliberate exposure, the process that To mitigate the risk of deliberate exposure, the process that
communicating nodes use to establish session keys must be peer-to- communicating nodes use to establish session keys must be peer-to-
peer (i.e., between the routing initiating and responding nodes). peer (i.e., between the routing initiating and responding nodes).
This helps ensure that neither node is exchaning routing information This helps ensure that neither node is exchaning routing information
with another peer without the knowledge of both communicating with another peer without the knowledge of both communicating peers.
peerscan. For a deliberate exposure attack to succeed, the comprised For a deliberate exposure attack to succeed, the comprised node will
node will need to more overt and take independent actions in order to need to be more overt and take independent actions in order to
disclose the routing information to 3rd party. disclose the routing information to 3rd party.
Note that the same measures which apply to securing routing/topology Note that the same measures which apply to securing routing/topology
exchanges between operational nodes must also extend to field tools exchanges between operational nodes must also extend to field tools
and other devices used in a deployed network where such devices can and other devices used in a deployed network where such devices can
be configured to participate in routing exchanges. be configured to participate in routing exchanges.
8.1.2. Countering Passive Wiretapping Attacks 6.1.2. Countering Passive Wiretapping Attacks
A passive wiretap attack seeks to breach routing confidentiality A passive wiretap attack seeks to breach routing confidentiality
through passive, direct analysis and processing of the information through passive, direct analysis and processing of the information
exchanges between nodes. exchanges between nodes.
Passive wiretap attacks can be directly countered through the use of Passive wiretap attacks can be directly countered through the use of
data encryption for all routing exchanges. Only when a validated and data encryption for all routing exchanges. Only when a validated and
authenticated node association is completed will routing exchange be authenticated node association is completed will routing exchange be
allowed to proceed using established session keys and an agreed allowed to proceed using established session keys and an agreed
encryption algorithm. The strength of the encryption algorithm and encryption algorithm. The mandatory to implement CCM mode AES-128
session key sizes will determine the minimum requirement for an method, is described in [RFC3610], and is believed to be secure
attacker mounting this passive security attack. The possibility of against a brute force attack by even the most well equiped adversary.
incorporating options for security level and algorithms is further
considered in Section 9.5. Because of the resource constraints of
LLN devices, symmetric (private) key encryption will provide the best
trade-off in terms of node and channel resource overhead and the
level of security achieved. This will of course not preclude the use
of asymmetric (public) key encryption during the session key
establishment phase.
As with the key establishment process, data encryption must include The significant challenge for RPL is in the provisioning of the key,
an authentication prerequisite to ensure that each node is which in some modes of RFC6550 is used network-wide. RFC6550 does
implementing a level of security that prevents deliberate or not solve this problem, and it is the subject of significant future
inadvertent exposure. The authenticated key establishment will work: see, for instance: [AceCharterProposal], [SolaceProposal],
ensure that confidentiality is not compromised by providing the [SmartObjectSecurityWorkshop].
information to an unauthorized entity (see also [Huang2003]).
Based on the current state of the art, a minimum 128-bit key length A number of deployments, such as [ZigBeeIP] specify no layer-3/RPL
should be applied where robust confidentiality is demanded for encryption or authentication and rely upon similiar security at
routing protection. This session key shall be applied in conjunction layer-2. These networks are immune to outside wiretapping attacks,
with an encryption algorithm that has been publicly vetted and where but are particularly vulnerable to passive (and active) attacks
applicable approved for the level of security desired. Algorithms through compromises of nodes.
such as the Advanced Encryption Standard (AES) [FIPS197], adopted by
the U.S. government, or Kasumi-Misty [Kasumi3gpp], adopted by the
3GPP 3rd generation wireless mobile consortium, are examples of
symmetric-key algorithms capable of ensuring robust confidentiality
for routing exchanges. The key length, algorithm and mode of
operation will be selected as part of the overall security trade-off
that also achieves a balance with the level of confidentiality
afforded by the physical device in protecting the routing assets.
As with any encryption algorithm, the use of ciphering Section 10.9 of [RFC6550] specifies AES-128 in CCM mode with a 32-bit
synchronization parameters and limitations to the usage duration of MAC.
established keys should be part of the security specification to
reduce the potential for brute force analysis.
8.1.3. Countering Traffic Analysis Section 5.6 Zigbee IP [ZigBeeIP] specifies use of CCM, with PANA and
EAP-TLS for key management.
6.1.3. Countering Traffic Analysis
Traffic analysis provides an indirect means of subverting Traffic analysis provides an indirect means of subverting
confidentiality and gaining access to routing information by allowing confidentiality and gaining access to routing information by allowing
an attacker to indirectly map the connectivity or flow patterns an attacker to indirectly map the connectivity or flow patterns
(including link-load) of the network from which other attacks can be (including link-load) of the network from which other attacks can be
mounted. The traffic analysis attack on an LLN, especially one mounted. The traffic analysis attack on an LLN, especially one
founded on shared medium, is passive and relies on the ability to founded on shared medium, is passive and relies on the ability to
read the immutable source/destination layer-3 routing information read the immutable source/destination layer-2 and/or layer-3 routing
that must remain unencrypted to permit network routing. information that must remain unencrypted to permit network routing.
One way in which passive traffic analysis attacks can be muted is One way in which passive traffic analysis attacks can be muted is
through the support of load balancing that allows traffic to a given through the support of load balancing that allows traffic to a given
destination to be sent along diverse routing paths. Where the destination to be sent along diverse routing paths. RPL does not
routing protocol supports load balancing along multiple links at each
node, the number of routing permutations in a wide area network
surges thus increasing the cost of traffic analysis. ROLL does not
generally support multi-path routing within a single DODAG. Multiple generally support multi-path routing within a single DODAG. Multiple
DODAGs are supported in the protocol, but few deployments will have DODAGs are supported in the protocol, and an implementation could
space for more than half a dozen, and there are at present no clear make use of that. RPL does not have any inherent or standard way to
ways to multiplex traffic for a single application across multiple guarantee that the different DODAGs would have significantly diverse
DODAGs. paths. Having the diverse DODAGs routed at different border routers
might work in some instances, and this could be combined with a
multipath technology like MPTCP ([RFC6824]. It is unlikely that it
will be affordable in many LLNs, as few deployments will have memory
space for more than a few sets of DODAG tables.
Another approach to countering passive traffic analysis could be for Another approach to countering passive traffic analysis could be for
nodes to maintain constant amount of traffic to different nodes to maintain constant amount of traffic to different
destinations through the generation of arbitrary traffic flows; the destinations through the generation of arbitrary traffic flows; the
drawback of course would be the consequent overhead. drawback of course would be the consequent overhead and energy
expenditure.
The only means of fully countering a traffic analysis attack is The only means of fully countering a traffic analysis attack is
through the use of tunneling (encapsulation) where encryption is through the use of tunneling (encapsulation) where encryption is
applied across the entirety of the original packet source/destination applied across the entirety of the original packet source/destination
addresses. Deployments which use layer-2 security that includes addresses. Deployments which use layer-2 security that includes
encryption already do this for all traffic. encryption already do this for all traffic.
8.1.4. Countering Remote Device Access Attacks 6.1.4. Countering Remote Device Access Attacks
Where LLN nodes are deployed in the field, measures are introduced to Where LLN nodes are deployed in the field, measures are introduced to
allow for remote retrieval of routing data and for software or field allow for remote retrieval of routing data and for software or field
upgrades. These paths create the potential for a device to be upgrades. These paths create the potential for a device to be
remotely accessed across the network or through a provided field remotely accessed across the network or through a provided field
tool. In the case of network management a node can be directly tool. In the case of network management a node can be directly
requested to provide routing tables and neighbor information. requested to provide routing tables and neighbor information.
To ensure confidentiality of the node routing information against To ensure confidentiality of the node routing information against
attacks through remote access, any local or remote device requesting attacks through remote access, any local or remote device requesting
routing information must be authenticated to ensure authorized routing information must be authenticated, and must be authorized for
access. Since remote access is not invoked as part of a routing that access. Since remote access is not invoked as part of a routing
protocol security of routing information stored on the node against protocol security of routing information stored on the node against
remote access will not be addressable as part of the routing remote access will not be addressable as part of the routing
protocol. protocol.
8.2. Integrity Attack Countermeasures 6.2. Integrity Attack Countermeasures
Integrity attack countermeasures address routing information Integrity attack countermeasures address routing information
manipulation, as well as node identity and routing information manipulation, as well as node identity and routing information
misuse. Manipulation can occur in the form of falsification attack misuse. Manipulation can occur in the form of falsification attack
and physical compromise. To be effective, the following development and physical compromise. To be effective, the following development
considers the two aspects of falsification, namely, the unauthorized considers the two aspects of falsification, namely, the unauthorized
modifications and the overclaiming and misclaiming content. The modifications and the overclaiming and misclaiming content. The
countering of physical compromise was considered in the previous countering of physical compromise was considered in the previous
section and is not repeated here. With regard to misuse, there are section and is not repeated here. With regard to misuse, there are
two types of attacks to be deterred, identity attacks and replay two types of attacks to be deterred, identity attacks and replay
attacks. attacks.
8.2.1. Countering Unauthorized Modification Attacks 6.2.1. Countering Unauthorized Modification Attacks
Unauthorized modifications may occur in the form of altering the Unauthorized modifications may occur in the form of altering the
message being transferred or the data stored. Therefore, it is message being transferred or the data stored. Therefore, it is
necessary to ensure that only authorized nodes can change the portion necessary to ensure that only authorized nodes can change the portion
of the information that is allowed to be mutable, while the integrity of the information that is allowed to be mutable, while the integrity
of the rest of the information is protected, e.g., through well- of the rest of the information is protected, e.g., through well-
studied cryptographic mechanisms. studied cryptographic mechanisms.
Unauthorized modifications may also occur in the form of insertion or Unauthorized modifications may also occur in the form of insertion or
deletion of messages during protocol changes. Therefore, the deletion of messages during protocol changes. Therefore, the
skipping to change at page 22, line 47 skipping to change at page 23, line 4
studied cryptographic mechanisms. studied cryptographic mechanisms.
Unauthorized modifications may also occur in the form of insertion or Unauthorized modifications may also occur in the form of insertion or
deletion of messages during protocol changes. Therefore, the deletion of messages during protocol changes. Therefore, the
protocol needs to ensure the integrity of the sequence of the protocol needs to ensure the integrity of the sequence of the
exchange sequence. exchange sequence.
The countermeasure to unauthorized modifications needs to: The countermeasure to unauthorized modifications needs to:
o implement access control on storage; o implement access control on storage;
o provide data integrity service to transferred messages and stored o provide data integrity service to transferred messages and stored
data; data;
o include sequence number under integrity protection. o include sequence number under integrity protection.
8.2.2. Countering Overclaiming and Misclaiming Attacks 6.2.2. Countering Overclaiming and Misclaiming Attacks
Both overclaiming and misclaiming aim to introduce false routes or Both overclaiming and misclaiming aim to introduce false routes or
topology that would not be generated by the network otherwise, while topology that would not be generated by the network otherwise, while
there are not necessarily unauthorized modifications to the routing there are not necessarily unauthorized modifications to the routing
messages or information. The requisite for a counter is the messages or information. In order to counter overclaiming, the
capability to determine unreasonable routes or topology. capability to determine unreasonable routes or topology is required.
The counter to overclaiming and misclaiming may employ: The counter to overclaiming and misclaiming may employ:
o comparison with historical routing/topology data; o comparison with historical routing/topology data;
o designs which restrict realizable network topologies. o designs which restrict realizable network topologies.
8.2.3. Countering Identity (including Sybil) Attacks RPL includes no specific mechanisms in the protocol to counter
overlaims. An implementation could have specific heuristics
implemented locally.
6.2.3. Countering Identity (including Sybil) Attacks
Identity attacks, sometimes simply called spoofing, seek to gain or Identity attacks, sometimes simply called spoofing, seek to gain or
damage assets whose access is controlled through identity. In damage assets whose access is controlled through identity. In
routing, an identity attacker can illegitimately participate in routing, an identity attacker can illegitimately participate in
routing exchanges, distribute false routing information, or cause an routing exchanges, distribute false routing information, or cause an
invalid outcome of a routing process. invalid outcome of a routing process.
A perpetrator of Sybil attacks assumes multiple identities. The A perpetrator of Sybil attacks assumes multiple identities. The
result is not only an amplification of the damage to routing, but result is not only an amplification of the damage to routing, but
extension to new areas, e.g., where geographic distribution is extension to new areas, e.g., where geographic distribution is
explicitly or implicitly an asset to an application running on the explicitly or implicitly an asset to an application running on the
LLN, for example, the LBR in a P2MP or MP2P LLN. LLN, for example, the LBR in a P2MP or MP2P LLN.
8.2.4. Countering Routing Information Replay Attacks RPL includes specific public key based authentication at layer-3 that
provide for authorization. Many deployments use layer-2 security
that includes admission controls at layer-2 using mechanisms such as
PANA.
6.2.4. Countering Routing Information Replay Attacks
In many routing protocols, message replay can result in false In many routing protocols, message replay can result in false
topology and/or routes. This is often counted with some kind of topology and/or routes. This is often counted with some kind of
counter to ensure the freshness of the message. Replay of a current, counter to ensure the freshness of the message. Replay of a current,
literal RPL message are in general idempotent to the topology. An literal RPL message are in general idempotent to the topology. An
older (lower DODAGVersionNumber) message, if replayed would be older (lower DODAGVersionNumber) message, if replayed would be
rejected as being stale. The trickle algorithm further dampens the rejected as being stale. The trickle algorithm further dampens the
affect of any such replay, as if the message was current, then it affect of any such replay, as if the message was current, then it
would contain the same information as before, and it would cause no would contain the same information as before, and it would cause no
network changes. network changes.
skipping to change at page 24, line 8 skipping to change at page 24, line 22
must be assumed to occur naturally. must be assumed to occur naturally.
Note that for there to be no affect at all, the replay must be done Note that for there to be no affect at all, the replay must be done
with the same apparent power for all nodes receiving the replay. A with the same apparent power for all nodes receiving the replay. A
change in apparent power might change the metrics through changes to change in apparent power might change the metrics through changes to
the ETX and therefore might affect the routing even though the the ETX and therefore might affect the routing even though the
contents of the packet were never changed. Any replay which appears contents of the packet were never changed. Any replay which appears
to be different should be analyzed as a Selective Forwarding Attack, to be different should be analyzed as a Selective Forwarding Attack,
Sinkhole Attack or Wormhole Attack. Sinkhole Attack or Wormhole Attack.
8.2.5. Countering Byzantine Routing Information Attacks 6.2.5. Countering Byzantine Routing Information Attacks
Where a node is captured or compromised but continues to operate for Where a node is captured or compromised but continues to operate for
a period with valid network security credentials, the potential a period with valid network security credentials, the potential
exists for routing information to be manipulated. This compromise of exists for routing information to be manipulated. This compromise of
the routing information could thus exist in spite of security the routing information could thus exist in spite of security
countermeasures that operate between the peer routing devices. countermeasures that operate between the peer routing devices.
Consistent with the end-to-end principle of communications, such an Consistent with the end-to-end principle of communications, such an
attack can only be fully addressed through measures operating attack can only be fully addressed through measures operating
directly between the routing entities themselves or by means of directly between the routing entities themselves or by means of
skipping to change at page 24, line 33 skipping to change at page 24, line 47
For link state routing protocols where information is flooded with, For link state routing protocols where information is flooded with,
for example, areas (OSPF [RFC2328]) or levels (ISIS [RFC1142]), for example, areas (OSPF [RFC2328]) or levels (ISIS [RFC1142]),
countermeasures can be directly applied by the routing entities countermeasures can be directly applied by the routing entities
through the processing and comparison of link state information through the processing and comparison of link state information
received from different peers. By comparing the link information received from different peers. By comparing the link information
from multiple sources decisions can be made by a routing node or from multiple sources decisions can be made by a routing node or
external entity with regard to routing information validity; see external entity with regard to routing information validity; see
Chapter 2 of [Perlman1988] for a discussion on flooding attacks. Chapter 2 of [Perlman1988] for a discussion on flooding attacks.
For distance vector protocols where information is aggregated at each For distance vector protocols, such as RPL, where information is
routing node it is not possible for nodes to directly detect aggregated at each routing node it is not possible for nodes to
Byzantine information manipulation attacks from the routing directly detect Byzantine information manipulation attacks from the
information exchange. In such cases, the routing protocol must routing information exchange. In such cases, the routing protocol
include and support indirect communications exchanges between non- must include and support indirect communications exchanges between
adjacent routing peers to provide a secondary channel for performing non-adjacent routing peers to provide a secondary channel for
routing information validation. S-RIP [Wan2004] is an example of the performing routing information validation. S-RIP [Wan2004] is an
implementation of this type of dedicated routing protocol security example of the implementation of this type of dedicated routing
where the correctness of aggregate distance vector information can protocol security where the correctness of aggregate distance vector
only be validated by initiating confirmation exchanges directly information can only be validated by initiating confirmation
between nodes that are not routing neighbors. exchanges directly between nodes that are not routing neighbors.
Alternatively, an entity external to the routing protocol would be RPL does not provide any direct mechanisms like S-RIP. It does
required to collect and audit routing information exchanges to detect listen to multiple parents, and may switch parents if it begins to
the Byzantine attack. In the context of the current security suspect that it is being lied to.
analysis, any protection against Byzantine routing information
attacks will need to be directly included within the mechanisms of
the ROLL routing protocol.
8.3. Availability Attack Countermeasures 6.3. Availability Attack Countermeasures
As alluded to before, availability requires that routing information As alluded to before, availability requires that routing information
exchanges and forwarding mechanisms be available when needed so as to exchanges and forwarding mechanisms be available when needed so as to
guarantee proper functioning of the network. This may, e.g., include guarantee proper functioning of the network. This may, e.g., include
the correct operation of routing information and neighbor state the correct operation of routing information and neighbor state
information exchanges, among others. We will highlight the key information exchanges, among others. We will highlight the key
features of the security threats along with typical countermeasures features of the security threats along with typical countermeasures
to prevent or at least mitigate them. We will also note that an to prevent or at least mitigate them. We will also note that an
availability attack may be facilitated by an identity attack as well availability attack may be facilitated by an identity attack as well
as a replay attack, as was addressed in Section 8.2.3 and as a replay attack, as was addressed in Section 6.2.3 and
Section 8.2.4, respectively. Section 6.2.4, respectively.
8.3.1. Countering HELLO Flood Attacks and ACK Spoofing Attacks 6.3.1. Countering HELLO Flood Attacks and ACK Spoofing Attacks
HELLO Flood [Karlof2003],[I-D.suhopark-hello-wsn] and ACK Spoofing HELLO Flood [Karlof2003],[I-D.suhopark-hello-wsn] and ACK Spoofing
attacks are different but highly related forms of attacking an LLN. attacks are different but highly related forms of attacking an LLN.
They essentially lead nodes to believe that suitable routes are They essentially lead nodes to believe that suitable routes are
available even though they are not and hence constitute a serious available even though they are not and hence constitute a serious
availability attack. availability attack.
A HELLO attack mounted against RPL would involve sending out (or A HELLO attack mounted against RPL would involve sending out (or
replaying) DIO messages by the attacker. Lower power LLN nodes might replaying) DIO messages by the attacker. Lower power LLN nodes might
then attempt to join the DODAG at a lower rank than they would then attempt to join the DODAG at a lower rank than they would
skipping to change at page 26, line 5 skipping to change at page 26, line 18
As discussed in section 5.1, [I-D.suhopark-hello-wsn] a receiver with As discussed in section 5.1, [I-D.suhopark-hello-wsn] a receiver with
a sensitive receiver could well hear the DAOs, and even send DAO-ACKs a sensitive receiver could well hear the DAOs, and even send DAO-ACKs
as well. Such a node is a form of WormHole attack. as well. Such a node is a form of WormHole attack.
These attacks are also all easily defended against using either These attacks are also all easily defended against using either
layer-2 or layer-3 authentication. Such an attack could only be made layer-2 or layer-3 authentication. Such an attack could only be made
against a completely open network (such as might be used for against a completely open network (such as might be used for
provisioning new nodes), or by a compromised node. provisioning new nodes), or by a compromised node.
8.3.2. Countering Overload Attacks 6.3.2. Countering Overload Attacks
Overload attacks are a form of DoS attack in that a malicious node Overload attacks are a form of DoS attack in that a malicious node
overloads the network with irrelevant traffic, thereby draining the overloads the network with irrelevant traffic, thereby draining the
nodes' energy store more quickly, when the nodes rely on batteries or nodes' energy store more quickly, when the nodes rely on batteries or
energy scavenging. It thus significantly shortens the lifetime of energy scavenging. It thus significantly shortens the lifetime of
networks of energy-constrained nodes and constitutes another serious networks of energy-constrained nodes and constitutes another serious
availability attack. availability attack.
With energy being one of the most precious assets of LLNs, targeting With energy being one of the most precious assets of LLNs, targeting
its availability is a fairly obvious attack. Another way of its availability is a fairly obvious attack. Another way of
skipping to change at page 27, line 12 skipping to change at page 27, line 27
encrypt messages need to be cautious of cryptographic processing encrypt messages need to be cautious of cryptographic processing
usage when validating signatures and encrypting messages. Where usage when validating signatures and encrypting messages. Where
feasible, certificates should be validated prior to use of the feasible, certificates should be validated prior to use of the
associated keys to counter potential resource overloading attacks. associated keys to counter potential resource overloading attacks.
The associated design decision needs to also consider that the The associated design decision needs to also consider that the
validation process requires resources and thus itself could be validation process requires resources and thus itself could be
exploited for attacks. Alternatively, resource management limits can exploited for attacks. Alternatively, resource management limits can
be placed on routing security processing events (see the comment in be placed on routing security processing events (see the comment in
Section 6, paragraph 4, of [RFC5751]). Section 6, paragraph 4, of [RFC5751]).
8.3.3. Countering Selective Forwarding Attacks 6.3.3. Countering Selective Forwarding Attacks
Selective forwarding attacks are a form of DoS attack which impacts Selective forwarding attacks are a form of DoS attack which impacts
the availability of the generated routing paths. the availability of the generated routing paths.
A selective forwarding attack may be done by a node involved with the A selective forwarding attack may be done by a node involved with the
routing process, or it may be done by what otherwise appears to be a routing process, or it may be done by what otherwise appears to be a
passive antenna or other RF feature or device, but is in fact an passive antenna or other RF feature or device, but is in fact an
active (and selective) device. An RF antenna/repeater which is not active (and selective) device. An RF antenna/repeater which is not
selective, is not a threat. selective, is not a threat.
skipping to change at page 27, line 37 skipping to change at page 28, line 4
if coupled with sinkhole attacks since inherently a large amount of if coupled with sinkhole attacks since inherently a large amount of
traffic is attracted to the malicious node and thereby causing traffic is attracted to the malicious node and thereby causing
significant damage. In a shared medium, an outside malicious node significant damage. In a shared medium, an outside malicious node
would selectively jam overheard data flows, where the thus caused would selectively jam overheard data flows, where the thus caused
collisions incur selective forwarding. collisions incur selective forwarding.
Selective Forwarding attacks can be countered by deploying a series Selective Forwarding attacks can be countered by deploying a series
of mutually non-exclusive security measures: of mutually non-exclusive security measures:
o multipath routing of the same message over disjoint paths; o multipath routing of the same message over disjoint paths;
o dynamically selecting the next hop from a set of candidates. o dynamically selecting the next hop from a set of candidates.
The first measure basically guarantees that if a message gets lost on The first measure basically guarantees that if a message gets lost on
a particular routing path due to a malicious selective forwarding a particular routing path due to a malicious selective forwarding
attack, there will be another route which successfully delivers the attack, there will be another route which successfully delivers the
data. Such a method is inherently suboptimal from an energy data. Such a method is inherently suboptimal from an energy
consumption point of view; it is also suboptimal from a network consumption point of view; it is also suboptimal from a network
utilization perspective. The second method basically involves a utilization perspective. The second method basically involves a
constantly changing routing topology in that next-hop routers are constantly changing routing topology in that next-hop routers are
chosen from a dynamic set in the hope that the number of malicious chosen from a dynamic set in the hope that the number of malicious
nodes in this set is negligible. A routing protocol that allows for nodes in this set is negligible. A routing protocol that allows for
disjoint routing paths may also be useful. disjoint routing paths may also be useful.
8.3.4. Countering Sinkhole Attacks 6.3.4. Countering Sinkhole Attacks
In sinkhole attacks, the malicious node manages to attract a lot of In sinkhole attacks, the malicious node manages to attract a lot of
traffic mainly by advertising the availability of high-quality links traffic mainly by advertising the availability of high-quality links
even though there are none [Karlof2003]. It hence constitutes a even though there are none [Karlof2003]. It hence constitutes a
serious attack on availability. serious attack on availability.
The malicious node creates a sinkhole by attracting a large amount The malicious node creates a sinkhole by attracting a large amount
of, if not all, traffic from surrounding neighbors by advertising in of, if not all, traffic from surrounding neighbors by advertising in
and outwards links of superior quality. Affected nodes hence eagerly and outwards links of superior quality. Affected nodes hence eagerly
route their traffic via the malicious node which, if coupled with route their traffic via the malicious node which, if coupled with
skipping to change at page 28, line 44 skipping to change at page 29, line 8
solving triangulation equations from radio delay calculations, such solving triangulation equations from radio delay calculations, such
calculations could in theory be subverted by a sinkhole that calculations could in theory be subverted by a sinkhole that
transmitted at precisely the right power in a node to node fashion. transmitted at precisely the right power in a node to node fashion.
While geographic knowledge could help assure that traffic always went While geographic knowledge could help assure that traffic always went
in the physical direction desired, it would not assure that the in the physical direction desired, it would not assure that the
traffic was taking the most efficient route, as the lowest cost real traffic was taking the most efficient route, as the lowest cost real
route might be match the physical topology; such as when different route might be match the physical topology; such as when different
parts of an LLN are connected by high-speed wired networks. parts of an LLN are connected by high-speed wired networks.
8.3.5. Countering Wormhole Attacks 6.3.5. Countering Wormhole Attacks
In wormhole attacks at least two malicious nodes claim to have a In wormhole attacks at least two malicious nodes claim to have a
short path between themselves [Karlof2003]. This changes the short path between themselves [Karlof2003]. This changes the
availability of certain routing paths and hence constitutes a serious availability of certain routing paths and hence constitutes a serious
security breach. security breach.
Essentially, two malicious insider nodes use another, more powerful, Essentially, two malicious insider nodes use another, more powerful,
transmitter to communicate with each other and thereby distort the transmitter to communicate with each other and thereby distort the
would-be-agreed routing path. This distortion could involve would-be-agreed routing path. This distortion could involve
shortcutting and hence paralyzing a large part of the network; it shortcutting and hence paralyzing a large part of the network; it
skipping to change at page 29, line 28 skipping to change at page 29, line 41
in which there is nothing adverse that occurs to the traffic, would in which there is nothing adverse that occurs to the traffic, would
be difficult to call an attack. The worst thing that a benign be difficult to call an attack. The worst thing that a benign
wormhole can do in such a situation is to cease to operate (become wormhole can do in such a situation is to cease to operate (become
unstable), causing the network to have to recalculate routes. unstable), causing the network to have to recalculate routes.
A highly unstable wormhole is no different than a radio opaque (i.e. A highly unstable wormhole is no different than a radio opaque (i.e.
metal) door that opens and closes a lot. RPL includes hystersis in metal) door that opens and closes a lot. RPL includes hystersis in
its objective functions [RFC6719] in an attempt to deal with frequent its objective functions [RFC6719] in an attempt to deal with frequent
changes to the ETX between nodes. changes to the ETX between nodes.
9. ROLL Security Features 7. RPL Security Features
The assessments and analysis in Section 5 examined all areas of The assessments and analysis in Section 5 examined all areas of
threats and attacks that could impact routing, and the threats and attacks that could impact routing, and the
countermeasures presented in Section 8 were reached without confining countermeasures presented in Section 6 were reached without confining
the consideration to means only available to routing. This section the consideration to means only available to routing. This section
puts the results into perspective and provides a framework for puts the results into perspective and provides a framework for
addressing the derived set of security objectives that must be met by addressing the derived set of security objectives that must be met by
the routing protocol(s) specified by the ROLL Working Group. It the routing protocol(s) specified by the RPL Working Group. It bears
bears emphasizing that the target here is a generic, universal form emphasizing that the target here is a generic, universal form of the
of the protocol(s) specified and the normative keywords are mainly to protocol(s) specified and the normative keywords are mainly to convey
convey the relative level of importance or urgency of the features the relative level of importance or urgency of the features
specified. specified.
In this view, 'MUST' is used to define the requirements that are In this view, 'MUST' is used to define the requirements that are
specific to the routing protocol and that are essential for an LLN specific to the routing protocol and that are essential for an LLN
routing protocol to ensure that routing operation can be maintained. routing protocol to ensure that routing operation can be maintained.
Adherence to MUST requirements is needed to directly counter attacks Adherence to MUST requirements is needed to directly counter attacks
that can affect the routing operation (such as those that can impact that can affect the routing operation (such as those that can impact
maintained or derived routing/forwarding tables). 'SHOULD' is used maintained or derived routing/forwarding tables). 'SHOULD' is used
to define requirements that counter indirect routing attacks where to define requirements that counter indirect routing attacks where
such attacks do not of themselves affect routing but can assist an such attacks do not of themselves affect routing but can assist an
attacker in focusing its attack resources to impact network operation attacker in focusing its attack resources to impact network operation
(such as DoS targeting of key forwarding nodes). 'MAY' covers (such as DoS targeting of key forwarding nodes). 'MAY' covers
optional requirements that can further enhance security by increasing optional requirements that can further enhance security by increasing
the space over which an attacker must operate or the resources that the space over which an attacker must operate or the resources that
must be applied. While in support of routing security, where must be applied. While in support of routing security, where
appropriate, these requirements may also be addressed beyond the appropriate, these requirements may also be addressed beyond the
network routing protocol at other system communications layers. network routing protocol at other system communications layers.
The first part of this section, Section 9.1 to Section 9.3, is a The first part of this section, Section 7.1 to Section 7.3, is a
prescription of ROLL security features of measures that can be prescription of RPL security features of measures that can be
addressed as part of the routing protocol itself. As routing is one addressed as part of the routing protocol itself. As routing is one
component of an LLN system, the actual strength of the security component of an LLN system, the actual strength of the security
services afforded to it should be made to conform to each system's services afforded to it should be made to conform to each system's
security policy; how a design may address the needs of the urban, security policy; how a design may address the needs of the urban,
industrial, home automation, and building automation application industrial, home automation, and building automation application
domains also needs to be considered. The second part of this domains also needs to be considered. The second part of this
section, Section 9.4 and Section 9.5, discusses system security section, Section 7.4 and Section 7.5, discusses system security
aspects that may impact routing but that also require considerations aspects that may impact routing but that also require considerations
beyond the routing protocol, as well as potential approaches. beyond the routing protocol, as well as potential approaches.
If an LLN employs multicast and/or anycast, these alternative If an LLN employs multicast and/or anycast, these alternative
communications modes MUST be secured with the same routing security communications modes MUST be secured with the same routing security
services specified in this section. Furthermore, irrespective of the services specified in this section. Furthermore, irrespective of the
modes of communication, nodes MUST provide adequate physical tamper modes of communication, nodes MUST provide adequate physical tamper
resistance commensurate with the particular application domain resistance commensurate with the particular application domain
environment to ensure the confidentiality, integrity, and environment to ensure the confidentiality, integrity, and
availability of stored routing information. availability of stored routing information.
9.1. Confidentiality Features 7.1. Confidentiality Features
With regard to confidentiality, protecting the routing/topology With regard to confidentiality, protecting the routing/topology
information from unauthorized disclosure is not directly essential to information from unauthorized disclosure is not directly essential to
maintaining the routing function. Breaches of confidentiality may maintaining the routing function. Breaches of confidentiality may
lead to other attacks or the focusing of an attacker's resources (see lead to other attacks or the focusing of an attacker's resources (see
Section 5.2) but does not of itself directly undermine the operation Section 5.2) but does not of itself directly undermine the operation
of the routing function. However, to protect against, and reduce of the routing function. However, to protect against, and reduce
consequences from other more direct attacks, routing information consequences from other more direct attacks, routing information
should be protected. Thus, a secured ROLL protocol: should be protected. Thus, a secured RPL protocol:
o MUST implement payload encryption; o MUST implement payload encryption;
o MAY provide tunneling; o MAY provide tunneling;
o MAY provide load balancing. o MAY provide load balancing.
Where confidentiality is incorporated into the routing exchanges, Where confidentiality is incorporated into the routing exchanges,
encryption algorithms and key lengths need to be specified in encryption algorithms and key lengths need to be specified in
accordance with the level of protection dictated by the routing accordance with the level of protection dictated by the routing
skipping to change at page 31, line 13 skipping to change at page 31, line 33
terms of the life time of the keys, the opportunity to periodically terms of the life time of the keys, the opportunity to periodically
change the encryption key increases the offered level of security for change the encryption key increases the offered level of security for
any given implementation. However, where strong cryptography is any given implementation. However, where strong cryptography is
employed, physical, procedural, and logical data access protection employed, physical, procedural, and logical data access protection
considerations may have more significant impact on cryptoperiod considerations may have more significant impact on cryptoperiod
selection than algorithm and key size factors. Nevertheless, in selection than algorithm and key size factors. Nevertheless, in
general, shorter cryptoperiods, during which a single key is applied, general, shorter cryptoperiods, during which a single key is applied,
will enhance security. will enhance security.
Given the mandatory protocol requirement to implement routing node Given the mandatory protocol requirement to implement routing node
authentication as part of routing integrity (see Section 9.2), key authentication as part of routing integrity (see Section 7.2), key
exchanges may be coordinated as part of the integrity verification exchanges may be coordinated as part of the integrity verification
process. This provides an opportunity to increase the frequency of process. This provides an opportunity to increase the frequency of
key exchange and shorten the cryptoperiod as a complement to the key key exchange and shorten the cryptoperiod as a complement to the key
length and encryption algorithm required for a given application length and encryption algorithm required for a given application
domain. For LLNs, the coordination of confidentiality key management domain. For LLNs, the coordination of confidentiality key management
with the implementation of node device authentication can thus reduce with the implementation of node device authentication can thus reduce
the overhead associated with supporting data confidentiality. If a the overhead associated with supporting data confidentiality. If a
new ciphering key is concurrently generated or updated in conjunction new ciphering key is concurrently generated or updated in conjunction
with the mandatory authentication exchange occurring with each with the mandatory authentication exchange occurring with each
routing peer association, signaling exchange overhead can be reduced. routing peer association, signaling exchange overhead can be reduced.
9.2. Integrity Features 7.2. Integrity Features
The integrity of routing information provides the basis for ensuring The integrity of routing information provides the basis for ensuring
that the function of the routing protocol is achieved and maintained. that the function of the routing protocol is achieved and maintained.
To protect integrity, RPL must either run using only the Secure To protect integrity, RPL must either run using only the Secure
versions of the messages, or must run over a layer-2 that uses versions of the messages, or must run over a layer-2 that uses
channel binding between node identity and transmissions. (i.e.: a channel binding between node identity and transmissions. (i.e.: a
layer-2 which has an identical network-wide transmission key can not layer-2 which has an identical network-wide transmission key can not
defend against many attacks) defend against many attacks)
XXX. Logging is critical, but presently impossible. While logging is critical, it is often impossible.
9.3. Availability Features 7.3. Availability Features
Availability of routing information is linked to system and network Availability of routing information is linked to system and network
availability which in the case of LLNs require a broader security availability which in the case of LLNs require a broader security
view beyond the requirements of the routing entities (see view beyond the requirements of the routing entities (see
Section 9.5). Where availability of the network is compromised, Section 7.5). Where availability of the network is compromised,
routing information availability will be accordingly affected. routing information availability will be accordingly affected.
However, to specifically assist in protecting routing availability: However, to specifically assist in protecting routing availability:
o MAY restrict neighborhood cardinality; o MAY restrict neighborhood cardinality;
o MAY use multiple paths; o MAY use multiple paths;
o MAY use multiple destinations; o MAY use multiple destinations;
o MAY choose randomly if multiple paths are available; o MAY choose randomly if multiple paths are available;
o MAY set quotas to limit transmit or receive volume; o MAY set quotas to limit transmit or receive volume;
o MAY use geographic information for flow control. o MAY use geographic information for flow control.
9.4. Key Management 7.4. Key Management
The functioning of the routing security services requires keys and The functioning of the routing security services requires keys and
credentials. Therefore, even though not directly a ROLL security credentials. Therefore, even though not directly a RPL security
requirement, an LLN MUST have a process for initial key and requirement, an LLN MUST have a process for initial key and
credential configuration, as well as secure storage within the credential configuration, as well as secure storage within the
associated devices. Anti-tampering SHOULD be a consideration in associated devices. Anti-tampering SHOULD be a consideration in
physical design. Beyond initial credential configuration, an LLN is physical design. Beyond initial credential configuration, an LLN is
also encouraged to have automatic procedures for the revocation and also encouraged to have automatic procedures for the revocation and
replacement of the maintained security credentials. replacement of the maintained security credentials.
While RPL has secure modes, but some modes are impractical without While RPL has secure modes, but some modes are impractical without
use of public key cryptography believed to be too expensive by many. use of public key cryptography believed to be too expensive by many.
RPL layer-3 security will often depend upon existing LLN layer-2 RPL layer-3 security will often depend upon existing LLN layer-2
security mechanisms, which provides for node authentication, but security mechanisms, which provides for node authentication, but
little in the way of node authorization. little in the way of node authorization.
9.5. Consideration on Matching Application Domain Needs 7.5. Consideration on Matching Application Domain Needs
Providing security within an LLN requires considerations that extend Providing security within an LLN requires considerations that extend
beyond routing security to the broader LLN application domain beyond routing security to the broader LLN application domain
security implementation. In other words, as routing is one component security implementation. In other words, as routing is one component
of an LLN system, the actual strength of the implemented security of an LLN system, the actual strength of the implemented security
algorithms for the routing protocol MUST be made to conform to the algorithms for the routing protocol MUST be made to conform to the
system's target level of security. The development so far takes into system's target level of security. The development so far takes into
account collectively the impacts of the issues gathered from account collectively the impacts of the issues gathered from
[RFC5548], [RFC5673], [RFC5826], and [RFC5867]. The following two [RFC5548], [RFC5673], [RFC5826], and [RFC5867]. The following two
subsections first consider from an architectural perspective how the subsections first consider from an architectural perspective how the
security design of a ROLL protocol may be made to adapt to the four security design of a RPL protocol may be made to adapt to the four
application domains, and then examine mechanisms and protocol application domains, and then examine mechanisms and protocol
operations issues. operations issues.
9.5.1. Security Architecture 7.5.1. Mechanisms and Operations
The first challenge for a ROLL protocol security design is to have an
architecture that can adequately address a set of very diverse needs.
It is mainly a consequence of the fact that there are both common and
non-overlapping requirements from the four application domains,
while, conceivably, each individual application will present yet its
own unique constraints.
For a ROLL protocol, the security requirements defined in Section 9.1
to Section 9.4 can be addressed at two levels: 1) through measures
implemented directly within the routing protocol itself and initiated
and controlled by the routing protocol entities; or 2) through
measures invoked on behalf of the routing protocol entities but
implemented within the part of the network over which the protocol
exchanges occur.
Where security is directly implemented as part of the routing
protocol the security requirements configured by the user (system
administrator) will operate independently of the lower layers.
OSPFv2 [RFC2328] is an example of such an approach in which security
parameters are exchanged and assessed within the routing protocol
messages. In this case, the mechanism may be, e.g., a header
containing security material of configurable security primitives in
the fashion of OSPFv2 or RIPv2 [RFC2453]. Where IPsec [RFC4301] is
employed to secure the network, the included protocol-specific (OSPF
or RIP) security elements are in addition to and independent of those
at the network layer. In the case of LLNs or other networks where
system security mandates protective mechanisms at other lower layers
of the network, security measures implemented as part of the routing
protocol will be redundant to security measures implemented elsewhere
as part of the protocol stack.
Security mechanisms built into the routing protocol can ensure that
all desired countermeasures can be directly addressed by the protocol
all the way to the endpoint of the routing exchange. In particular,
routing protocol Byzantine attacks by a compromised node that retains
valid network security credentials can only be detected at the level
of the information exchanged within the routing protocol. Such
attacks aimed at the manipulation of the routing information can only
be fully addressed through measures operating directly between the
routing entities themselves or external entities able to access and
analyze the routing information (see discussion in Section 8.2.5).
On the other hand, it is more desirable from an LLN device
perspective that the ROLL protocol is integrated into the framework
of an overall system architecture where the security facility may be
shared by different applications and/or across layers for efficiency,
and where security policy and configurations can be consistently
specified. See, for example, considerations made in RIPng [RFC2080]
or the approach presented in [Messerges2003].
Where the routing protocol is able to rely on security measures
configured within other layers of the protocol stack, greater system
efficiency can be realized by avoiding potentially redundant
security. Relying on an open trust model [Messerges2003], the
security requirements of the routing protocol can be more flexibly
met at different layers of the transport network; measures that must
be applied to protect the communications network are concurrently
able to provide the needed routing protocol protection.
For example, where a given security encryption scheme is deemed the
appropriate standard for network confidentiality of data exchanges at
the link layer, that level of security is directly provided to
routing protocol exchanges across the local link. Similarly, where a
given authentication procedure is stipulated as part of the standard
required for authenticating network traffic, that security provision
can then meet the requirement needed for authentication of routing
exchanges. In addition, in the context of the different LLN
application domains, the level of security specified for routing can
and should be consistent with that considered appropriate for
protecting the network within the given environment.
A ROLL protocol MUST be made flexible by a design that offers the
configuration facility so that the user (network administrator) can
choose the security settings that match the application's needs.
Furthermore, in the case of LLNs, that flexibility SHOULD extend to
allowing the routing protocol security requirements to be met by
measures applied at different protocol layers, provided the
identified requirements are collectively met.
Since Byzantine attackers that can affect the validity of the
information content exchanged between routing entities can only be
directly countered at the routing protocol level, the ROLL protocol
MAY support mechanisms for verifying routing data validity that
extend beyond the chain of trust created through device
authentication. This protocol-specific security mechanism SHOULD be
made optional within the protocol allowing it to be invoked according
to the given routing protocol and application domain and as selected
by the system user. All other ROLL security mechanisms needed to
meet the above identified routing security requirements can be
flexibly implemented within the transport network (at the IP network
layer or higher or lower protocol layers(s)) according to the
particular application domain and user network configuration.
Based on device capabilities and the spectrum of operating
environments it would be difficult for a single fixed security design
to be applied to address the diversified needs of the urban,
industrial, home, and building ROLL application domains, and
foreseeable others, without forcing a very low common denominator set
of requirements. On the other hand, providing four individual domain
designs that attempt to a priori match each individual domain is also
very unlikely to provide a suitable answer given the degree of
network variability even within a given domain; furthermore, the type
of link layers in use within each domain also influences the overall
security.
Instead, the framework implementation approach recommended is for
optional, routing protocol-specific measures that can be applied
separately from, or together with, flexible transport network
mechanisms. Protocol-specific measures include the specification of
valid parameter ranges, increments and/or event frequencies that can
be verified by individual routing devices. In addition to deliberate
attacks this allows basic protocol sanity checks against
unintentional mis-configuration. Transport network mechanisms would
include out-of-band communications that may be defined to allow an
external entity to request and process individual device information
as a means to effecting an external verification of the derived
network routing information to identify the existence of intentional
or unintentional network anomalies.
This approach allows countermeasures against byzantine attackers to
be applied in environments where applicable threats exist. At the
same time, it allows routing protocol security to be supported
through measures implemented within the transport network that are
consistent with available system resources and commensurate and
consistent with the security level and strength applied in the
particular application domain networks.
9.5.2. Mechanisms and Operations
With an architecture allowing different configurations to meet the
application domain needs, the task is then to find suitable
mechanisms. For example, one of the main problems of synchronizing
security states of sleepy nodes lies in difficulties in
authentication; these nodes may not have received in time the most
recent update of security material. Similarly, the issues of minimal
manual configuration, prolonged rollout and delayed addition of
nodes, and network topology changes also complicate security
management. In many cases the ROLL protocol may need to bootstrap
the authentication process and allow for a flexible expiration scheme
of authentication credentials. This exemplifies the need for the
coordination and interoperation between the requirements of the ROLL
routing protocol and that of the system security elements.
Similarly, the vulnerability brought forth by some special-function
nodes, e.g., LBRs requires the assurance, particularly, of the
availability of communication channels and node resources, or that
the neighbor discovery process operates without undermining routing
availability.
There are other factors which are not part of a ROLL routing protocol
but which can still affect its operation. These include elements
such as weaker barrier to accessing the data or security material
stored on the nodes through physical means; therefore, the internal
and external interfaces of a node need to be adequate for guarding
the integrity, and possibly the confidentiality, of stored
information, as well as the integrity of routing and route generation
processes.
Figure 5 provides an overview of the larger context of system Figure 5 provides an overview of the larger context of system
security and the relationship between ROLL requirements and measures security and the relationship between RPL requirements and measures
and those that relate to the LLN system. and those that relate to the LLN system.
Security Services for Security Services for
ROLL-Addressable RPL-Addressable
Security Requirements Security Requirements
| | | |
+---+ +---+ +---+ +---+
Node_i | | Node_j Node_i | | Node_j
_____v___ ___v_____ _____v___ ___v_____
Specify Security / \ / \ Specify Security Specify Security / \ / \ Specify Security
Requirements | Routing | | Routing | Requirements Requirements | Routing | | Routing | Requirements
+---------| Protocol| | Protocol|---------+ +---------| Protocol| | Protocol|---------+
| | Entity | | Entity | | | | Entity | | Entity | |
| \_________/ \_________/ | | \_________/ \_________/ |
| | | | | | | |
|ROLL-Specified | | ROLL-Specified| |RPL-Specified | | RPL-Specified|
---Interface | | Interface--- ---Interface | | Interface---
| ...................................... | | ...................................... |
| : | | : | | : | | : |
| : +-----+----+ +----+-----+ : | | : +-----+----+ +----+-----+ : |
| : |Transport/| |Transport/| : | | : |Transport/| |Transport/| : |
____v___ : +>|Network | |Network |<+ : ___v____ ____v___ : +>|Network | |Network |<+ : ___v____
/ \ : | +-----+----+ +----+-----+ | : / \ / \ : | +-----+----+ +----+-----+ | : / \
| |-:-+ | | +-:-| | | |-:-+ | | +-:-| |
|Security| : +-----+----+ +----+-----+ : |Security| |Security| : +-----+----+ +----+-----+ : |Security|
+->|Services|-:-->| Link | | Link |<--:-|Services|<-+ +->|Services|-:-->| Link | | Link |<--:-|Services|<-+
skipping to change at page 37, line 27 skipping to change at page 34, line 14
| \________/ : | +-----+----+ +----+-----+ | : \________/ | | \________/ : | +-----+----+ +----+-----+ | : \________/ |
| : +>| Physical | | Physical |<+ : | | : +>| Physical | | Physical |<+ : |
Application : +-----+----+ +----+-----+ : Application Application : +-----+----+ +----+-----+ : Application
Domain User : | | : Domain User Domain User : | | : Domain User
Configuration : |__Comm. Channel_| : Configuration Configuration : |__Comm. Channel_| : Configuration
: : : :
...Protocol Stack..................... ...Protocol Stack.....................
Figure 5: LLN Device Security Model Figure 5: LLN Device Security Model
10. IANA Considerations 8. IANA Considerations
This memo includes no request to IANA. This memo includes no request to IANA.
11. Security Considerations 9. Security Considerations
The analysis presented in this document provides security analysis The analysis presented in this document provides security analysis
and design guidelines with a scope limited to ROLL. Security and design guidelines with a scope limited to RPL. Security services
services are identified as requirements for securing ROLL. The are identified as requirements for securing RPL. The specific
specific mechanisms to be used to deal with each threat is specified mechanisms to be used to deal with each threat is specified in link-
in link-layer and deployment specific applicability statements. layer and deployment specific applicability statements.
12. Acknowledgments 10. Acknowledgments
The authors would like to acknowledge the review and comments from The authors would like to acknowledge the review and comments from
Rene Struik and JP Vasseur. The authors would also like to Rene Struik and JP Vasseur. The authors would also like to
acknowledge the guidance and input provided by the ROLL Chairs, David acknowledge the guidance and input provided by the RPL Chairs, David
Culler, and JP Vasseur, and the Area Director Adrian Farrel. Culler, and JP Vasseur, and the Area Director Adrian Farrel.
This document started out as a combined threat and solutions This document started out as a combined threat and solutions
document. As a result of security review, the document was split up document. As a result of security review, the document was split up
by ROLL co-Chair Michael Richardson and security Area Director Sean by RPL co-Chair Michael Richardson and security Area Director Sean
Turner as it went through the IETF publication process. The Turner as it went through the IETF publication process. The
solutions to the threads are application and layer-2 specific, and solutions to the threads are application and layer-2 specific, and
have therefore been moved to the relevant applicability statements. have therefore been moved to the relevant applicability statements.
Ines Robles kept track of the many issues that were raised during the Ines Robles kept track of the many issues that were raised during the
development of this document development of this document
13. References 11. References
11.1. Normative References
13.1. Normative References
[I-D.ietf-roll-terminology] [I-D.ietf-roll-terminology]
Vasseur, J., "Terminology in Low power And Lossy Vasseur, J., "Terminology in Low power And Lossy
Networks", draft-ietf-roll-terminology-04 (work in Networks", draft-ietf-roll-terminology-04 (work in
progress), September 2010. progress), September 2010.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4107] Bellovin, S. and R. Housley, "Guidelines for Cryptographic [RFC4107] Bellovin, S. and R. Housley, "Guidelines for Cryptographic
skipping to change at page 38, line 41 skipping to change at page 35, line 28
Internet Protocol", RFC 4301, December 2005. Internet Protocol", RFC 4301, December 2005.
[RFC6550] Winter, T., Thubert, P., Brandt, A., Hui, J., Kelsey, R., [RFC6550] Winter, T., Thubert, P., Brandt, A., Hui, J., Kelsey, R.,
Levis, P., Pister, K., Struik, R., Vasseur, JP., and R. Levis, P., Pister, K., Struik, R., Vasseur, JP., and R.
Alexander, "RPL: IPv6 Routing Protocol for Low-Power and Alexander, "RPL: IPv6 Routing Protocol for Low-Power and
Lossy Networks", RFC 6550, March 2012. Lossy Networks", RFC 6550, March 2012.
[RFC6719] Gnawali, O. and P. Levis, "The Minimum Rank with [RFC6719] Gnawali, O. and P. Levis, "The Minimum Rank with
Hysteresis Objective Function", RFC 6719, September 2012. Hysteresis Objective Function", RFC 6719, September 2012.
13.2. Informative References [ZigBeeIP]
ZigBee Public Document 15-002r00, "ZigBee IP
Specification", 2013.
11.2. Informative References
[AceCharterProposal]
Kepeng, L., Ed., "Authentication and Authorization for
Constrained Environment Charter (work-in-progress)",
December 2013, <http://www.ietf.org/mail-archive/web/ace/
current/msg00007.html>.
[FIPS197] , "Federal Information Processing Standards Publication [FIPS197] , "Federal Information Processing Standards Publication
197: Advanced Encryption Standard (AES)", US National 197: Advanced Encryption Standard (AES)", US National
Institute of Standards and Technology, Nov. 26 2001. Institute of Standards and Technology, Nov. 26 2001.
[Huang2003] [Huang2003]
Huang, Q., Cukier, J., Kobayashi, H., Liu, B., and J. Huang, Q., Cukier, J., Kobayashi, H., Liu, B., and J.
Zhang, "Fast Authenticated Key Establishment Protocols for Zhang, "Fast Authenticated Key Establishment Protocols for
Self-Organizing Sensor Networks", in Proceedings of the Self-Organizing Sensor Networks", in Proceedings of the
2nd ACM International Conference on Wireless Sensor 2nd ACM International Conference on Wireless Sensor
skipping to change at page 40, line 30 skipping to change at page 37, line 23
1142, February 1990. 1142, February 1990.
[RFC2080] Malkin, G. and R. Minnear, "RIPng for IPv6", RFC 2080, [RFC2080] Malkin, G. and R. Minnear, "RIPng for IPv6", RFC 2080,
January 1997. January 1997.
[RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998. [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998.
[RFC2453] Malkin, G., "RIP Version 2", STD 56, RFC 2453, November [RFC2453] Malkin, G., "RIP Version 2", STD 56, RFC 2453, November
1998. 1998.
[RFC3610] Whiting, D., Housley, R., and N. Ferguson, "Counter with
CBC-MAC (CCM)", RFC 3610, September 2003.
[RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K. [RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K.
Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830, Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830,
August 2004. August 2004.
[RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm, [RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm,
"Multicast Security (MSEC) Group Key Management "Multicast Security (MSEC) Group Key Management
Architecture", RFC 4046, April 2005. Architecture", RFC 4046, April 2005.
[RFC4593] Barbir, A., Murphy, S., and Y. Yang, "Generic Threats to [RFC4593] Barbir, A., Murphy, S., and Y. Yang, "Generic Threats to
Routing Protocols", RFC 4593, October 2006. Routing Protocols", RFC 4593, October 2006.
skipping to change at page 41, line 36 skipping to change at page 38, line 32
"Building Automation Routing Requirements in Low-Power and "Building Automation Routing Requirements in Low-Power and
Lossy Networks", RFC 5867, June 2010. Lossy Networks", RFC 5867, June 2010.
[RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, [RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen,
"Internet Key Exchange Protocol Version 2 (IKEv2)", RFC "Internet Key Exchange Protocol Version 2 (IKEv2)", RFC
5996, September 2010. 5996, September 2010.
[RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the
Router Control Plane", RFC 6192, March 2011. Router Control Plane", RFC 6192, March 2011.
[RFC6574] Tschofenig, H. and J. Arkko, "Report from the Smart Object
Workshop", RFC 6574, April 2012.
[RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure,
"TCP Extensions for Multipath Operation with Multiple
Addresses", RFC 6824, January 2013.
[SmartObjectSecurityWorkshop]
Klausen, T., Ed., "Workshop on Smart Object Security",
March 2012, <http://www.lix.polytechnique.fr/hipercom/
SmartObjectSecurity>.
[SolaceProposal]
Bormann, C., Ed., "Notes from the SOLACE ad-hoc at IETF85
(work-in-progress)", November 2012, <http://www.ietf.org/
mail-archive/web/solace/current/msg00015.html>.
[Szcze2008] [Szcze2008]
Szczechowiak1, P., Oliveira, L., Scott, M., Collier, M., Szczechowiak1, P., Oliveira, L., Scott, M., Collier, M.,
and R. Dahab, "NanoECC: testing the limits of elliptic and R. Dahab, "NanoECC: testing the limits of elliptic
curve cryptography in sensor networks", pp. 324-328, 2008, curve cryptography in sensor networks", pp. 324-328, 2008,
<http://www.ic.unicamp.br/~leob/publications/ewsn/ <http://www.ic.unicamp.br/~leob/publications/ewsn/
NanoECC.pdf>. NanoECC.pdf>.
[Wan2004] Wan, T., Kranakis, E., and PC. van Oorschot, "S-RIP: A [Wan2004] Wan, T., Kranakis, E., and PC. van Oorschot, "S-RIP: A
Secure Distance Vector Routing Protocol", in Proceedings Secure Distance Vector Routing Protocol", in Proceedings
of the 2nd International Conference on Applied of the 2nd International Conference on Applied
 End of changes. 115 change blocks. 
427 lines changed or deleted 282 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/