< draft-thubert-6lo-rfc6775-update-reqs-04.txt   draft-thubert-6lo-rfc6775-update-reqs-05.txt >
6Lo P. Thubert, Ed. 6Lo P. Thubert, Ed.
Internet-Draft cisco Internet-Draft cisco
Intended status: Standards Track August 22, 2014 Intended status: Standards Track October 27, 2014
Expires: February 21, 2015 Expires: April 28, 2015
Requirements for an update to 6LoWPAN ND Requirements for an update to 6LoWPAN ND
draft-thubert-6lo-rfc6775-update-reqs-04 draft-thubert-6lo-rfc6775-update-reqs-05
Abstract Abstract
Work presented at the ROLL, 6lo, 6TiSCH and 6MAN Working Groups Work presented at the ROLL, 6lo, 6TiSCH and 6MAN Working Groups
suggest that enhancements to the 6LoWPAN ND mechanism are now needed. suggest that enhancements to the 6LoWPAN ND mechanism are now needed.
This document elaborates on those requirements and suggests This document elaborates on those requirements and suggests
approaches to serve them. approaches to serve them.
Status of this Memo Status of this Memo
skipping to change at page 1, line 33 skipping to change at page 1, line 33
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on February 21, 2015. This Internet-Draft will expire on April 28, 2015.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the Copyright (c) 2014 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (http://trustee.ietf.org/ Provisions Relating to IETF Documents (http://trustee.ietf.org/
license-info) in effect on the date of publication of this document. license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your rights Please review these documents carefully, as they describe your rights
and restrictions with respect to this document. Code Components and restrictions with respect to this document. Code Components
extracted from this document must include Simplified BSD License text extracted from this document must include Simplified BSD License text
as described in Section 4.e of the Trust Legal Provisions and are as described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License. provided without warranty as described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
3.1. RPL Leaf Support in 6LoWPAN ND . . . . . . . . . . . . . . 5 4. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 5
3.2. registration Failures Due to Movement . . . . . . . . . . 6 4.1. Requirements Related to Mobility . . . . . . . . . . . . . 5
3.3. Proxy registration . . . . . . . . . . . . . . . . . . . . 6 4.2. Requirements Related to Routing Protocols . . . . . . . . 6
3.4. Target Registration . . . . . . . . . . . . . . . . . . . 6 4.3. Requirements Related to the Variety of Low-Power Link types 6
3.5. RPL root vs. 6LBR . . . . . . . . . . . . . . . . . . . . 7 4.4. Requirements Related to Proxy Operations . . . . . . . . . 7
3.6. Securing the Registration . . . . . . . . . . . . . . . . 7 4.5. Requirements Related to Security . . . . . . . . . . . . . 7
4. Requirements . . . . . . . . . . . . . . . . . . . . . . . . . 8 4.6. Requirements Related to Low-Power devices . . . . . . . . 8
4.1. Requirements Related to Mobility . . . . . . . . . . . . . 8 4.7. Requirements Related to Scalability . . . . . . . . . . . 8
4.2. Requirements Related to Routing Protocols . . . . . . . . 9 5. Security Considerations . . . . . . . . . . . . . . . . . . . 9
4.3. Requirements Related to the Variety of Low-Power Link types 9 6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 9
4.4. Requirements Related to Proxy Operations . . . . . . . . . 10 7. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 9
4.5. Requirements Related to Security . . . . . . . . . . . . . 10 8. References . . . . . . . . . . . . . . . . . . . . . . . . . . 9
4.6. Requirements Related to Low-Power devices . . . . . . . . 11 8.1. Normative References . . . . . . . . . . . . . . . . . . . 9
5. Suggested Changes to Protocol Elements . . . . . . . . . . . . 11 8.2. Informative References . . . . . . . . . . . . . . . . . . 10
5.1. ND Neighbor Solicitation (NS) . . . . . . . . . . . . . . 11 Appendix A. Suggested Changes to Protocol Elements . . . . . . . . 12
5.2. ND Router Advertisement (RA) . . . . . . . . . . . . . . . 12 Appendix A.1. ND Neighbor Solicitation (NS) . . . . . . . . . . 12
5.3. RPL DODAG Information Object (DIO) . . . . . . . . . . . . 12 Appendix A.2. ND Router Advertisement (RA) . . . . . . . . . . 12
5.4. ND Enhanced Address Registration Option (EARO) . . . . . . 12 Appendix A.3. RPL DODAG Information Object (DIO) . . . . . . . 13
6. Security Considerations . . . . . . . . . . . . . . . . . . . 13 Appendix A.4. ND Enhanced Address Registration Option (EARO) . 13
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 14
8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14
9. References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
9.1. Normative References . . . . . . . . . . . . . . . . . . . 14
9.2. Informative References . . . . . . . . . . . . . . . . . . 15
Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction 1. Introduction
A number of use cases, including the Industrial Internet, require a A number of use cases, including the Industrial Internet, require a
large scale deployment of sensors that can not be realized with wires large scale deployment of sensors that can not be realized with wires
and is only feasible over wireless Low power and Lossy Network (LLN) and is only feasible over wireless Low power and Lossy Network (LLN)
technologies. When simpler hub-and-spoke topologies are not technologies. When simpler hub-and-spoke topologies are not
sufficient for the expected throughput and density, mesh networks sufficient for the expected throughput and density, mesh networks
must be deployed, which implies the concepts of hosts and routers, must be deployed, which implies the concepts of hosts and routers,
whether operated at Layer-2 or Layer-3. whether operated at Layer-2 or Layer-3.
skipping to change at page 5, line 37 skipping to change at page 5, line 31
| | |<--------------| | | |<--------------|
| | DAC | | | | DAC | |
| |<--------------| | | |<--------------| |
| NA(ARO) | | | | NA(ARO) | | |
|<--------------| | | |<--------------| | |
As the network builds up, a node should start as a leaf to join the As the network builds up, a node should start as a leaf to join the
RPL network, and may later turn into both a RPL-capable router and a RPL network, and may later turn into both a RPL-capable router and a
6LR, so as to accept leaf nodes to recursively join the network. 6LR, so as to accept leaf nodes to recursively join the network.
3.1. RPL Leaf Support in 6LoWPAN ND Section 5 of the 6TiSCH architecture [I-D.ietf-6tisch-architecture]
provides more information on the need to update the protocols that
RPL needs a set of information in order to advertise a leaf node sustain the requirements in the next section.
through a DAO message and establish reachability.
At the bare minimum the leaf device must provide a sequence number
that matches the RPL specification in section 7. [I-D.chakrabarti-
nordmark-6man-efficient-nd] section "4.1. Address Registration
Option" (ARO) already incorporates that addition with a new field in
the option called the Transaction ID.
If for some reason the node is aware of RPL topologies, then
providing the RPL InstanceID for the instances to which the node
wishes to participate would be a welcome addition. In the absence of
such information, the RPL router must infer the proper instanceID
from external rules and policies.
On the backbone, the InstanceID is expected to be mapped onto a
VLANID. Neither WiFi nor Efficient ND do provide a mapping to
VLANIDs, and it is unclear, when a wireless node attaches to a
backbone where VLANs are defined, which VLAN the wireless device
attaches to. Considering that a VLAN is effectively the IP link on
the backbone, adding the InstanceID to both specifications could be a
welcome addition.
3.2. registration Failures Due to Movement
Registration to the 6LBR through DAR/DAC messages [RFC6775] may
percolate slowly through an LLN mesh, and it might happen that in the
meantime, the 6LoWPAN node moves and registers somewhere else. Both
RPL and 6LoWPAN ND lack the capability to indicate that the same node
is registered elsewhere, so as to invalidate states down the
deprecated path.
In its current expression and functionality, 6LoWPAN ND considers
that the registration is used for the purpose of DAD only as opposed
to that of achieving reachability, and as long as the same node
registers the IPv6 address, the protocol is functional. In order to
act as a RPL leaf registration protocol and achieve reachability, the
device must use the same TID for all its concurrent registrations,
and registrations with a past TID should be declined. The state for
an obsolete registration in the 6LR, as well as the RPL routers on
the way, should be invalidated. This can only be achieved with the
addition of a new Status in the DAC message, and a new error/clean-up
flow in RPL.
3.3. Proxy registration
The 6BBR provides the capability to defend an address that is owned
by a 6LoWPAN Node, and attract packets to that address, whether it is
done by proxying ND over a MultiLink Subnet, redistributing the
address in a routing protocol or advertising it through an alternate
proxy registration such as the Locator/ID Separation Protocol
[RFC6830] (LISP) or Mobility Support in IPv6 [RFC6275] (MIPv6). In a
LLN, it makes sense to piggyback the request to proxy/defend an
address with its registration.
3.4. Target Registration
In their current incarnations, both 6LoWPAN ND and Efficient ND
expect that the address being registered is the source of the NS(ARO)
message and thus impose that a Source Link-Layer Address (SLLA)
option be present in the message. In a mesh scenario where the 6LBR
is physically separated from the 6LoWPAN Node, the 6LBR does not own
the address being registered. This suggests that [I-D.chakrabarti-
nordmark-6man-efficient-nd] should evolve to register the Target of
the NS message as opposed to the Source Address. From another
perspective, it may happen, in the use case of a Star topology, that
the 6LR, 6LBR and 6BBR are effectively collapsed and should support
6LoWPAN ND clients. The convergence of efficient ND and 6LoWPAN ND
into a single protocol is thus highly desirable.
In any case, as long as the DAD process is not complete for the
address used as source of the packet, it is against the current
practice to advertise the SLLA, since this may corrupt the ND cache
of the destination node, as discussed in the Optimistic DAD
specification [RFC4429] with regards to the TENTATIVE state.
This may look like a chicken and an egg problem, but in fact 6LoWPAN
ND acknowledges that the Link-Local Address that is based on an
EUI-64 address of a LLN node may be autoconfigured without the need
for DAD. It results that a node could use that Address as source,
with an SSLA option in the message if required, to register any other
addresses, either Global or Unique-Local Addresses, which would be
indicated in the Target.
The suggested change is to register the target of the NS message, and
use Target Link-Layer Address (TLLA) in the NS as opposed to the SLLA
in order to install a Neighbor Cache Entry. This would apply to both
Efficient ND and 6LoWPAN ND in a very same manner, with the caveat
that depending on the nature of the link between the 6LBR and the
6BBR, the 6LBR may resort to classical ND or DHCPv6 to obtain the
address that it uses to source the NS registration messages, whether
for itself or on behalf of LLN nodes.
3.5. RPL root vs. 6LBR
6LoWPAN ND is unclear on how the 6LBR is discovered, and how the
liveliness of the 6LBR is asserted over time. On the other hand, the
discovery and liveliness of the RPL root are obtained through the RPL
protocol.
When 6LoWPAN ND is coupled with RPL, it makes sense to collocate the
6LBR and the RPL root functionalities. The DAR/DAC exchange becomes
a preamble to the DAO messages that are used from then on to
reconfirm the registration, thus eliminating a duplication of
functionality between DAO and DAR messages.
3.6. Securing the Registration
A typical attack against IPv6 ND is address spoofing, whereby a rogue
node claims the IPv6 Address of another node in and hijacks its
traffic.
SEcure Neighbor Discovery (SEND) [RFC3971] is designed to protect
each individual ND lookup/advertisement in a peer to peer model where
each lookup may be between different parties. This is not the case
in a 6LoWPAN ND LLN where, as illustrated in Figure 2, the 6LBR
terminates all the flows and may store security information for later
validation.
Additionally SEND requires considerably enlarged ND messages to carry
cryptographic material, and requires that each protected address is
generated cryptographically, which implies the computation of a
different key for each Cryptographically Generated Address (CGA).
SEND as defined in [RFC3971] is thus largely unsuitable for
application in a LLN.
Once an Address is registered, the 6LBR maintains a state for that
Address and is in position to bind securely the first registration
with the Node that placed it, whether the Address is CGA or not. It
should thus be possible to protect the ownership of all the addresses
of a 6LoWPAN Node with a single key, and there should not be a need
to carry the cryptographic material more than once to the 6LBR.
The energy constraint is usually a foremost factor, and attention
should be paid to minimize the burden on the CPU. Hardware-assisted
support of variants of the Counter with CBC-MAC [RFC3610] (CCM)
authenticated encryption block cipher mode such as CCM* are common in
LowPower ship-set implementations, and 6LoWPAN ND security mechanism
should be capable to reuse them when applicable.
Finally, the code footprint in the device being also an issue, the
capability to reuse not only hardware-assist mechanisms but also
software across layers has to be considered. For instance, if code
has to be present for upper-layer operations, e.g AES-CCM Cipher
Suites for Transport Layer Security (TLS) [RFC6655], then the
capability to reuse that code should be considered.
4. Requirements 4. Requirements
4.1. Requirements Related to Mobility 4.1. Requirements Related to Mobility
Due to the nature of LLN networks, even a fixed 6LoWPAN Node may Due to the nature of LLN networks, even a fixed 6LoWPAN Node may
change its point of attachment (a 6LR) and may not be able to notify change its point of attachment (a 6LR) and may not be able to notify
the 6LR that it has disconnected from. It results that the previous the 6LR that it has disconnected from. It results that the previous
6LR may still attract traffic that it cannot deliver any more. When 6LR may still attract traffic that it cannot deliver any more. When
the 6LR changes, there is thus a need to identify stale states and the 6LR changes, there is thus a need to identify stale states and
skipping to change at page 9, line 45 skipping to change at page 6, line 39
Req2.2: The Address Registration Option that is used in the ND Req2.2: The Address Registration Option that is used in the ND
registration SHOULD be extended to carry enough information to registration SHOULD be extended to carry enough information to
generate a DAO message as specified in [RFC6550] section 6.4, in generate a DAO message as specified in [RFC6550] section 6.4, in
particular the capability to compute a DAOSequence and, as an option, particular the capability to compute a DAOSequence and, as an option,
a RPLInstanceID. a RPLInstanceID.
Req2.3: Depending on their applicability to LLNs, other standard mesh Req2.3: Depending on their applicability to LLNs, other standard mesh
/MANET protocols MAY be considered as well. /MANET protocols MAY be considered as well.
4.3. Requirements Related to the Variety of Low-Power Link types Req2.4: Multicast operations SHOULD be supported and optimized.
Groups MAY be formed by device type (e.g. routers, street lamps),
location (Geography, RPL sub-tree), or both. RPL already has the
capability to advertise multicast groups; whether ND is appropriate
for the registration to the 6BBR is to be defined, considering the
additional burden of supporting the Multicast Listener Discovery
Version 2 [RFC3810] (MLDv2) for IPv6.
4.3. Requirements Related to the Variety of Low-Power Link types
6LoWPAN ND [RFC6775] was defined with a focus on IEEE802.15.4 and in 6LoWPAN ND [RFC6775] was defined with a focus on IEEE802.15.4 and in
particular the capability to derive a unique Identifier from a particular the capability to derive a unique Identifier from a
globally unique MAC-64 address. At this point, the 6lo Working Group globally unique MAC-64 address. At this point, the 6lo Working Group
is extending the 6LoWPAN Header Compression (HC) [RFC6282] technique is extending the 6LoWPAN Header Compression (HC) [RFC6282] technique
to other link types ITU-T G.9959 [I-D.brandt-6man-lowpanz], Master- to other link types ITU-T G.9959 [I-D.brandt-6man-lowpanz], Master-
Slave/Token-Passing [I-D.ietf-6lo-6lobac], DECT Ultra Low Energy [I-D Slave/Token-Passing [I-D.ietf-6lo-6lobac], DECT Ultra Low Energy [I-D
.ietf-6lo-dect-ule], Near Field Communication [I-D.hong-6lo-ipv6 .ietf-6lo-dect-ule], Near Field Communication [I-D.hong-6lo-ipv6
-over-nfc], as well as IEEE1901.2 Narrowband Powerline Communication -over-nfc], as well as IEEE1901.2 Narrowband Powerline Communication
Networks [I-D.popa-6lo-6loplc-ipv6-over-ieee19012-networks] and Networks [I-D.popa-6lo-6loplc-ipv6-over-ieee19012-networks] and
BLUETOOTH(R) Low Energy [I-D.ietf-6lo-btle]. BLUETOOTH(R) Low Energy [I-D.ietf-6lo-btle].
skipping to change at page 11, line 48 skipping to change at page 8, line 52
devices, and in particular enable duty-cycled devices that are devices, and in particular enable duty-cycled devices that are
sleeping most of the time and not capable to defend their own sleeping most of the time and not capable to defend their own
Addresses against always-on devices. Addresses against always-on devices.
Related requirements are: Related requirements are:
Req6.1: The registration mechanism SHOULD be applicable to a Low- Req6.1: The registration mechanism SHOULD be applicable to a Low-
Power device regardless of the link type, and enable a 6BBR to Power device regardless of the link type, and enable a 6BBR to
operate as a proxy to defend the registered Addresses on its behalf. operate as a proxy to defend the registered Addresses on its behalf.
5. Suggested Changes to Protocol Elements Req6.2: The registration mechanism SHOULD enable long sleep
durations, in the order of multiple days to a month, for devices
5.1. ND Neighbor Solicitation (NS) capable of operating over the course of ten or more years without the
need to recharge or replace the batteries.
The NS message used for registration should use a source address that
respects the rules in [RFC6775], [RFC4861], and [RFC4429] for DAD.
The SLLA Option may be present but only if the address passed DAD,
and it is used to allow the 6LR to respond as opposed to as a
registration mechanism.
The address that is being registered is the target address in the NS
message and the TLLA Option must be present.
5.2. ND Router Advertisement (RA)
[I-D.chakrabarti-nordmark-6man-efficient-nd] adds an 'E' bit in the
Router Advertisement flag, as well as a new Registrar Address Option
(RAO). These fields are probably pertinent to LLNs inclusion into a
revised 6LoWPAN ND should be studied. If the new 6LoWPAN flows
require a change of behaviour (e.g. registering the Target of the NS
message) then the RA must indicate that the router supports the new
capability, and the NS must indicate that the Target is registered as
opposed to the Source in an unequivocal fashion.
There is some amount of duplication between the options in the RPL
DIO [RFC6550] and the options in the ND RA messages. At the same
time, there are a number of options, including the 6LoWPAN Context
Option (6CO) [RFC6775], the MTU and the SLLA Options [RFC4861] that
can only be found in the RA messages. Considering that these options
are useful for a joining node, the recommendation would be to
associate the RA messages to the join beacon, and make them rare when
the network is stable. On the other hand, the DIO message is to be
used as the propagated heartbeat of the RPL network and provide the
sense of time and liveliness.
RAs should also be issued and the information therein propagated when
a change occurs in the information therein, such as a router or a
prefix lifetime.
5.3. RPL DODAG Information Object (DIO)
If the RPL root serves as 6LBR, it makes sense to add at least a bit
of information in the DIO to signal so. A Registrar Address Option
(RAO) may also be considered for addition.
5.4. ND Enhanced Address Registration Option (EARO)
The ARO option contains a Unique ID that is supposed to identify the
device across multiple registrations. It is envisioned that the
device could form a single CGA-based Unique Interface ID (CUID) to
securely bind all of its addresses. The CUID would be used as Unique
Interface Identifier in the ARO option and to form a Link-Local
address that would be deemed unique regardless of the Link type.
Provided that the relevant cryptographic material is passed to the
6LBR upon the first registration or on-demand at a later time, the
6LBR can validate that a Node is effectively the owner of a CUID, and
ensure that the ownership of an Address stays with the CUID that
registered it first.
This option is designed to be used with standard NS and NA messages
between backbone Routers as well as between nodes and 6LRs over the
LLN and between the 6LBR and the 6BBR over whatever IP link they use
to communicate.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Status | RPLInstanceID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Res|P|N| IDS |T| TID | Registration Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Unique Interface Identifier (variable length) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The representation above is based on [I-D.chakrabarti-nordmark-6man-
efficient-nd]. Only the proposed changes from that specification are
discussed below but the expectation is that 6LoWPAN ND and Efficient
ND converge on the ARO format.
Status: 8-bit integer. A new value of 3 is suggested to indicate a 4.7. Requirements Related to Scalability
rejection due to an obsolete TID, typically an indication of a Use cases from Automatic Meter Reading (AMR, collection tree
movement. operations) and Advanced Metering Infrastructure (AMI, bi-directional
communication to the meters) indicate the needs for a large number of
LLN nodes pertaining to a single RPL DODAG (e.g. 5000) and connected
to the 6LBR over a large number of LLN hops (e.g. 15).
RPLInstanceID: 8-bit integer. This field is set to 0 when unused. Related requirements are:
Otherwise it contains the RPLInstanceID for which this address is
registered, as specified in RPL [RFC6550], and discussed in
particular in section 3.1.2.
P: One bit flag. When the bit is set, the address being registered Req7.1: The registration mechanism SHOULD enable a single 6LBR to
is Target of the NS as opposed to the Source, for instance to register multiple thousands of devices.
enable ND proxy operation.
N: One bit flag. Set if the device moved. If not set, the 6BBR will Req7.2: The timing of the registration operation should allow for a
refrain from sending gratuitous NA(O) or other form of distributed large latency such as found in LLNs with ten and more hops.
ND cache clean-up over the backbone. For instance, the flag
should be reset after the DAD operation upon address formation.
6. Security Considerations 5. Security Considerations
This specification expects that the link layer is sufficiently This specification expects that the link layer is sufficiently
protected, either by means of physical or IP security for the protected, either by means of physical or IP security for the
Backbone Link or MAC sublayer cryptography. In particular, it is Backbone Link or MAC sublayer cryptography. In particular, it is
expected that the LLN MAC provides secure unicast to/from the expected that the LLN MAC provides secure unicast to/from the
Backbone Router and secure broadcast from the Backbone Router in a Backbone Router and secure broadcast from the Backbone Router in a
way that prevents tempering with or replaying the RA messages. way that prevents tempering with or replaying the RA messages.
Still, Section 4.5 has a requirement for a mutual authentication and Still, Section 4.5 has a requirement for a mutual authentication and
authorization for a role for 6LRs, 6LBRs and 6BBRs. authorization for a role for 6LRs, 6LBRs and 6BBRs.
This documents also suggests in Section 5.4 that a 6LoWPAN Node could This documents also suggests in Appendix Appendix A.4 that a 6LoWPAN
form a single Unique Interface ID (CUID) based on cryptographic Node could form a single Unique Interface ID (CUID) based on
techniques similar to CGA. The CUID would be used as Unique cryptographic techniques similar to CGA. The CUID would be used as
Interface Identifier in the ARO option and new Secure ND procedures Unique Interface Identifier in the ARO option and new Secure ND
would be proposed to use it as opposed to the source IPv6 address to procedures would be proposed to use it as opposed to the source IPv6
secure the binding between an Address and its owning Node, and address to secure the binding between an Address and its owning Node,
enforce First/Come-First/Serve at the 6LBR. and enforce First/Come-First/Serve at the 6LBR.
7. IANA Considerations 6. IANA Considerations
A new type is requested for an ND option. This draft does not require an IANA action.
8. Acknowledgments 7. Acknowledgments
The author wishes acknowledge the contributions by Samita The author wishes acknowledge the contributions by Samita
Chakrabarti, Erik Normark, JP Vasseur, Eric Levy-Abegnoli, Patrick Chakrabarti, Erik Normark, JP Vasseur, Eric Levy-Abegnoli, Patrick
Wetterwald, Thomas Watteyne, and Behcet Sarikaya. Wetterwald, Thomas Watteyne, and Behcet Sarikaya.
9. References 8. References
9.1. Normative References 8.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2460] Deering, S.E. and R.M. Hinden, "Internet Protocol, Version [RFC2460] Deering, S.E. and R.M. Hinden, "Internet Protocol, Version
6 (IPv6) Specification", RFC 2460, December 1998. 6 (IPv6) Specification", RFC 2460, December 1998.
[RFC3775] Johnson, D., Perkins, C. and J. Arkko, "Mobility Support [RFC3775] Johnson, D., Perkins, C. and J. Arkko, "Mobility Support
in IPv6", RFC 3775, June 2004. in IPv6", RFC 3775, June 2004.
[RFC3810] Vida, R. and L. Costa, "Multicast Listener Discovery
Version 2 (MLDv2) for IPv6", RFC 3810, June 2004.
[RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing [RFC4291] Hinden, R. and S. Deering, "IP Version 6 Addressing
Architecture", RFC 4291, February 2006. Architecture", RFC 4291, February 2006.
[RFC4429] Moore, N., "Optimistic Duplicate Address Detection (DAD) [RFC4429] Moore, N., "Optimistic Duplicate Address Detection (DAD)
for IPv6", RFC 4429, April 2006. for IPv6", RFC 4429, April 2006.
[RFC4443] Conta, A., Deering, S. and M. Gupta, "Internet Control [RFC4443] Conta, A., Deering, S. and M. Gupta, "Internet Control
Message Protocol (ICMPv6) for the Internet Protocol Message Protocol (ICMPv6) for the Internet Protocol
Version 6 (IPv6) Specification", RFC 4443, March 2006. Version 6 (IPv6) Specification", RFC 4443, March 2006.
skipping to change at page 15, line 29 skipping to change at page 10, line 56
[RFC6775] Shelby, Z., Chakrabarti, S., Nordmark, E. and C. Bormann, [RFC6775] Shelby, Z., Chakrabarti, S., Nordmark, E. and C. Bormann,
"Neighbor Discovery Optimization for IPv6 over Low-Power "Neighbor Discovery Optimization for IPv6 over Low-Power
Wireless Personal Area Networks (6LoWPANs)", RFC 6775, Wireless Personal Area Networks (6LoWPANs)", RFC 6775,
November 2012. November 2012.
[RFC6830] Farinacci, D., Fuller, V., Meyer, D. and D. Lewis, "The [RFC6830] Farinacci, D., Fuller, V., Meyer, D. and D. Lewis, "The
Locator/ID Separation Protocol (LISP)", RFC 6830, January Locator/ID Separation Protocol (LISP)", RFC 6830, January
2013. 2013.
9.2. Informative References 8.2. Informative References
[I-D.brandt-6man-lowpanz] [I-D.brandt-6man-lowpanz]
Brandt, A. and J. Buron, "Transmission of IPv6 packets Brandt, A. and J. Buron, "Transmission of IPv6 packets
over ITU-T G.9959 Networks", Internet-Draft draft-brandt- over ITU-T G.9959 Networks", Internet-Draft draft-brandt-
6man-lowpanz-02, June 2013. 6man-lowpanz-02, June 2013.
[I-D.chakrabarti-nordmark-6man-efficient-nd] [I-D.chakrabarti-nordmark-6man-efficient-nd]
Chakrabarti, S., Nordmark, E., Thubert, P. and M. Chakrabarti, S., Nordmark, E., Thubert, P. and M.
Wasserman, "Wired and Wireless IPv6 Neighbor Discovery Wasserman, "Wired and Wireless IPv6 Neighbor Discovery
Optimizations", Internet-Draft draft-chakrabarti-nordmark- Optimizations", Internet-Draft draft-chakrabarti-nordmark-
skipping to change at page 16, line 53 skipping to change at page 12, line 29
Proxies (ND Proxy)", RFC 4389, April 2006. Proxies (ND Proxy)", RFC 4389, April 2006.
[RFC4919] Kushalnagar, N., Montenegro, G. and C. Schumacher, "IPv6 [RFC4919] Kushalnagar, N., Montenegro, G. and C. Schumacher, "IPv6
over Low-Power Wireless Personal Area Networks (6LoWPANs): over Low-Power Wireless Personal Area Networks (6LoWPANs):
Overview, Assumptions, Problem Statement, and Goals", RFC Overview, Assumptions, Problem Statement, and Goals", RFC
4919, August 2007. 4919, August 2007.
[RFC7102] Vasseur, JP., "Terms Used in Routing for Low-Power and [RFC7102] Vasseur, JP., "Terms Used in Routing for Low-Power and
Lossy Networks", RFC 7102, January 2014. Lossy Networks", RFC 7102, January 2014.
Appendix A. Suggested Changes to Protocol Elements
Appendix A.1. ND Neighbor Solicitation (NS)
The NS message used for registration should use a source address that
respects the rules in [RFC6775], [RFC4861], and [RFC4429] for DAD.
The SLLA Option may be present but only if the address passed DAD,
and it is used to allow the 6LR to respond as opposed to as a
registration mechanism.
The address that is being registered is the target address in the NS
message and the TLLA Option must be present.
Appendix A.2. ND Router Advertisement (RA)
[I-D.chakrabarti-nordmark-6man-efficient-nd] adds an 'E' bit in the
Router Advertisement flag, as well as a new Registrar Address Option
(RAO). These fields are probably pertinent to LLNs inclusion into a
revised 6LoWPAN ND should be studied. If the new 6LoWPAN flows
require a change of behaviour (e.g. registering the Target of the NS
message) then the RA must indicate that the router supports the new
capability, and the NS must indicate that the Target is registered as
opposed to the Source in an unequivocal fashion.
There is some amount of duplication between the options in the RPL
DIO [RFC6550] and the options in the ND RA messages. At the same
time, there are a number of options, including the 6LoWPAN Context
Option (6CO) [RFC6775], the MTU and the SLLA Options [RFC4861] that
can only be found in the RA messages. Considering that these options
are useful for a joining node, the recommendation would be to
associate the RA messages to the join beacon, and make them rare when
the network is stable. On the other hand, the DIO message is to be
used as the propagated heartbeat of the RPL network and provide the
sense of time and liveliness.
RAs should also be issued and the information therein propagated when
a change occurs in the information therein, such as a router or a
prefix lifetime.
Appendix A.3. RPL DODAG Information Object (DIO)
If the RPL root serves as 6LBR, it makes sense to add at least a bit
of information in the DIO to signal so. A Registrar Address Option
(RAO) may also be considered for addition.
Appendix A.4. ND Enhanced Address Registration Option (EARO)
The ARO option contains a Unique ID that is supposed to identify the
device across multiple registrations. It is envisioned that the
device could form a single CGA-based Unique Interface ID (CUID) to
securely bind all of its addresses. The CUID would be used as Unique
Interface Identifier in the ARO option and to form a Link-Local
address that would be deemed unique regardless of the Link type.
Provided that the relevant cryptographic material is passed to the
6LBR upon the first registration or on-demand at a later time, the
6LBR can validate that a Node is effectively the owner of a CUID, and
ensure that the ownership of an Address stays with the CUID that
registered it first.
This option is designed to be used with standard NS and NA messages
between backbone Routers as well as between nodes and 6LRs over the
LLN and between the 6LBR and the 6BBR over whatever IP link they use
to communicate.
0 1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| Type | Length | Status | RPLInstanceID |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|Res|P|N| IDS |T| TID | Registration Lifetime |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
| |
~ Unique Interface Identifier (variable length) ~
| |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
The representation above is based on [I-D.chakrabarti-nordmark-6man-
efficient-nd]. Only the proposed changes from that specification are
discussed below but the expectation is that 6LoWPAN ND and Efficient
ND converge on the ARO format.
Status: 8-bit integer. A new value of 3 is suggested to indicate a
rejection due to an obsolete TID, typically an indication of a
movement.
RPLInstanceID: 8-bit integer. This field is set to 0 when unused.
Otherwise it contains the RPLInstanceID for which this address is
registered, as specified in RPL [RFC6550], and discussed in
particular in section 3.1.2.
P: One bit flag. When the bit is set, the address being registered
is Target of the NS as opposed to the Source, for instance to
enable ND proxy operation.
N: One bit flag. Set if the device moved. If not set, the 6BBR will
refrain from sending gratuitous NA(O) or other form of distributed
ND cache clean-up over the backbone. For instance, the flag
should be reset after the DAD operation upon address formation.
Author's Address Author's Address
Pascal Thubert, editor Pascal Thubert, editor
Cisco Systems, Inc Cisco Systems, Inc
Building D Building D
45 Allee des Ormes - BP1200 45 Allee des Ormes - BP1200
MOUGINS - Sophia Antipolis, 06254 MOUGINS - Sophia Antipolis, 06254
FRANCE FRANCE
Phone: +33 497 23 26 34 Phone: +33 497 23 26 34
Email: pthubert@cisco.com Email: pthubert@cisco.com
 End of changes. 23 change blocks. 
284 lines changed or deleted 167 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/