< draft-tsao-roll-security-framework-01.txt   draft-tsao-roll-security-framework-02.txt >
Networking Working Group T. Tsao, Ed. Networking Working Group T. Tsao, Ed.
Internet-Draft R. Alexander, Ed. Internet-Draft R. Alexander, Ed.
Intended status: Informational Eka Systems Intended status: Informational Eka Systems
Expires: March 24, 2010 M. Dohler, Ed. Expires: September 9, 2010 M. Dohler, Ed.
CTTC CTTC
V. Daza, Ed. V. Daza, Ed.
A. Lozano, Ed. A. Lozano, Ed.
Universitat Pompeu Fabra Universitat Pompeu Fabra
September 20, 2009 March 8, 2010
A Security Framework for Routing over Low Power and Lossy Networks A Security Framework for Routing over Low Power and Lossy Networks
draft-tsao-roll-security-framework-01 draft-tsao-roll-security-framework-02
Abstract
This document presents a security framework for routing over low
power and lossy networks. The development builds upon previous work
on routing security and adapts the assessments to the issues and
constraints specific to low power and lossy networks. A systematic
approach is used in defining and evaluating the security threats and
identifying applicable countermeasures. These assessments provide
the basis of the security recommendations for incorporation into low
power, lossy network routing protocols. As an illustration, this
framework is applied to RPL.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in RFC
2119 [RFC2119].
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
skipping to change at page 1, line 30 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on March 24, 2010. This Internet-Draft will expire on September 9, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents
publication of this document (http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Abstract include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
This document presents a security framework for routing over low described in the BSD License.
power and lossy networks. The development of the framework builds
upon previous work on routing security and adapts the security
assessments to the issues and constraints specific to low power and
lossy networks. A systematic approach is used in defining and
assessing the security threats and identifying applicable
countermeasures. These assessments provide the basis of the security
recommendations for incorporation into low power, lossy network
routing protocols.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
Table of Contents Table of Contents
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Considerations on ROLL Security . . . . . . . . . . . . . . . 5 3. Considerations on ROLL Security . . . . . . . . . . . . . . . 5
3.1. Routing Assets and Points of Access . . . . . . . . . . . 6 3.1. Routing Assets and Points of Access . . . . . . . . . . . 6
3.2. The CIA Security Reference Model . . . . . . . . . . . . . 8 3.2. The CIA Security Reference Model . . . . . . . . . . . . . 8
3.3. Issues Specific to or Magnified in LLNs . . . . . . . . . 10 3.3. Issues Specific to or Amplified in LLNs . . . . . . . . . 9
4. Threats and Attacks . . . . . . . . . . . . . . . . . . . . . 11 3.4. ROLL Security Objectives . . . . . . . . . . . . . . . . . 11
4. Threats and Attacks . . . . . . . . . . . . . . . . . . . . . 12
4.1. Threats and Attacks on Confidentiality . . . . . . . . . . 12 4.1. Threats and Attacks on Confidentiality . . . . . . . . . . 12
4.1.1. Routing Exchange Exposure . . . . . . . . . . . . . . 12 4.1.1. Routing Exchange Exposure . . . . . . . . . . . . . . 12
4.1.2. Routing Information (Routes and Network Topology) 4.1.2. Routing Information (Routes and Network Topology)
Exposure . . . . . . . . . . . . . . . . . . . . . . . 12 Exposure . . . . . . . . . . . . . . . . . . . . . . . 13
4.2. Threats and Attacks on Integrity . . . . . . . . . . . . . 13 4.2. Threats and Attacks on Integrity . . . . . . . . . . . . . 13
4.2.1. Routing Information Manipulation . . . . . . . . . . . 13 4.2.1. Routing Information Manipulation . . . . . . . . . . . 14
4.2.2. Node Identity Misappropriation . . . . . . . . . . . . 13 4.2.2. Node Identity Misappropriation . . . . . . . . . . . . 14
4.3. Threats and Attacks on Availability . . . . . . . . . . . 14 4.3. Threats and Attacks on Availability . . . . . . . . . . . 15
4.3.1. Routing Exchange Interference or Disruption . . . . . 14 4.3.1. Routing Exchange Interference or Disruption . . . . . 15
4.3.2. Network Traffic Forwarding Disruption . . . . . . . . 14 4.3.2. Network Traffic Forwarding Disruption . . . . . . . . 15
4.3.3. Communications Resource Disruption . . . . . . . . . . 15 4.3.3. Communications Resource Disruption . . . . . . . . . . 15
4.3.4. Node Resource Exhaustion . . . . . . . . . . . . . . . 15 4.3.4. Node Resource Exhaustion . . . . . . . . . . . . . . . 16
5. Countermeasures . . . . . . . . . . . . . . . . . . . . . . . 16 5. Countermeasures . . . . . . . . . . . . . . . . . . . . . . . 16
5.1. Confidentiality Attack Countermeasures . . . . . . . . . . 16 5.1. Confidentiality Attack Countermeasures . . . . . . . . . . 17
5.1.1. Countering Deliberate Exposure Attacks . . . . . . . . 16 5.1.1. Countering Deliberate Exposure Attacks . . . . . . . . 17
5.1.2. Countering Sniffing Attacks . . . . . . . . . . . . . 17 5.1.2. Countering Sniffing Attacks . . . . . . . . . . . . . 17
5.1.3. Countering Traffic Analysis . . . . . . . . . . . . . 18 5.1.3. Countering Traffic Analysis . . . . . . . . . . . . . 19
5.1.4. Countering Physical Device Compromise . . . . . . . . 18 5.1.4. Countering Physical Device Compromise . . . . . . . . 19
5.1.5. Countering Remote Device Access Attacks . . . . . . . 20 5.1.5. Countering Remote Device Access Attacks . . . . . . . 21
5.2. Integrity Attack Countermeasures . . . . . . . . . . . . . 20 5.2. Integrity Attack Countermeasures . . . . . . . . . . . . . 21
5.2.1. Countering Tampering Attacks . . . . . . . . . . . . . 21 5.2.1. Countering Tampering Attacks . . . . . . . . . . . . . 22
5.2.2. Countering Overclaiming and Misclaiming Attacks . . . 21 5.2.2. Countering Overclaiming and Misclaiming Attacks . . . 22
5.2.3. Countering Identity (including Sybil) Attacks . . . . 21 5.2.3. Countering Identity (including Sybil) Attacks . . . . 22
5.2.4. Countering Routing Information Replay Attacks . . . . 22 5.2.4. Countering Routing Information Replay Attacks . . . . 23
5.3. Availability Attack Countermeasures . . . . . . . . . . . 22 5.2.5. Countering Byzantine Routing Information Attacks . . . 23
5.3. Availability Attack Countermeasures . . . . . . . . . . . 24
5.3.1. Countering HELLO Flood Attacks and ACK Spoofing 5.3.1. Countering HELLO Flood Attacks and ACK Spoofing
Attacks . . . . . . . . . . . . . . . . . . . . . . . 22 Attacks . . . . . . . . . . . . . . . . . . . . . . . 24
5.3.2. Countering Overload Attacks . . . . . . . . . . . . . 24 5.3.2. Countering Overload Attacks . . . . . . . . . . . . . 26
5.3.3. Countering Selective Forwarding Attacks . . . . . . . 25 5.3.3. Countering Selective Forwarding Attacks . . . . . . . 27
5.3.4. Countering Sinkhole Attacks . . . . . . . . . . . . . 25 5.3.4. Countering Sinkhole Attacks . . . . . . . . . . . . . 27
5.3.5. Countering Wormhole Attacks . . . . . . . . . . . . . 26 5.3.5. Countering Wormhole Attacks . . . . . . . . . . . . . 28
6. ROLL Security Features . . . . . . . . . . . . . . . . . . . . 27 6. ROLL Security Features . . . . . . . . . . . . . . . . . . . . 28
6.1. Confidentiality Features . . . . . . . . . . . . . . . . . 27 6.1. Confidentiality Features . . . . . . . . . . . . . . . . . 29
6.2. Integrity Features . . . . . . . . . . . . . . . . . . . . 27 6.2. Integrity Features . . . . . . . . . . . . . . . . . . . . 30
6.3. Availability Features . . . . . . . . . . . . . . . . . . 27 6.3. Availability Features . . . . . . . . . . . . . . . . . . 31
6.4. Additional Related Features . . . . . . . . . . . . . . . 28 6.4. Additional Related Features . . . . . . . . . . . . . . . 31
6.5. Consideration on Matching Application Domain Needs . . . . 28 6.5. Consideration on Matching Application Domain Needs . . . . 31
6.5.1. Architecture . . . . . . . . . . . . . . . . . . . . . 28 6.5.1. Security Architecture . . . . . . . . . . . . . . . . 32
6.5.2. Mechanisms and Operations . . . . . . . . . . . . . . 29 6.5.2. Mechanisms and Operations . . . . . . . . . . . . . . 34
7. Application of ROLL Security Framework to RPL . . . . . . . . 36
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 30 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38
8. Security Considerations . . . . . . . . . . . . . . . . . . . 30 9. Security Considerations . . . . . . . . . . . . . . . . . . . 38
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 30 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 38
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 30 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 38
10.1. Normative References . . . . . . . . . . . . . . . . . . . 30 11.1. Normative References . . . . . . . . . . . . . . . . . . . 38
10.2. Informative References . . . . . . . . . . . . . . . . . . 31 11.2. Informative References . . . . . . . . . . . . . . . . . . 39
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 33 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 40
1. Terminology 1. Terminology
This document conforms to the terminology defined in This document conforms to the terminology defined in
[I-D.ietf-roll-terminology], with the following additions. [I-D.ietf-roll-terminology].
Link Cost A quantification of chosen characteristics of a link.
Node A base unit of a network, e.g., a router or a host on a low
power and lossy network.
Routing Metric A function of link costs along routes, whose value
gives rise to preference of routing choices.
2. Introduction 2. Introduction
In recent times, networked wireless devices have found an increasing In recent times, networked wireless devices have found an increasing
number of applications in various fields. Yet, for reasons ranging number of applications in various fields. Yet, for reasons ranging
from operational application to economics, these wireless devices are from operational application to economics, these wireless devices are
often supplied with minimum physical resources, e.g., limited power often supplied with minimum physical resources, e.g., limited power
reserve, slow speed or low capability computation, or small memory reserve, slow speed or low capability computation, or small memory
size. As a consequence, the resulting networks are more prone to size. As a consequence, the resulting networks are more prone to
loss of traffic and other vulnerabilities. The proliferation of loss of traffic and other vulnerabilities. The proliferation of
skipping to change at page 5, line 44 skipping to change at page 5, line 36
facilitate both the assessment of a protocol's security threats and facilitate both the assessment of a protocol's security threats and
the identification of the necessary features for development of the identification of the necessary features for development of
secure protocols for ROLL. secure protocols for ROLL.
The approach adopted in this effort proceeds in four steps, to The approach adopted in this effort proceeds in four steps, to
examine ROLL security issues, to analyze threats and attacks, to examine ROLL security issues, to analyze threats and attacks, to
consider the countermeasures, and then to make recommendations for consider the countermeasures, and then to make recommendations for
securing ROLL. The basis is found on identifying the assets and securing ROLL. The basis is found on identifying the assets and
points of access of routing and evaluating their security needs based points of access of routing and evaluating their security needs based
on the Confidentiality, Integrity, and Availability (CIA) model in on the Confidentiality, Integrity, and Availability (CIA) model in
the context of LLN. the context of LLN. The utility of this framework is demonstrated
with an application to RPL [I-D.ietf-roll-rpl].
3. Considerations on ROLL Security 3. Considerations on ROLL Security
This section sets the stage for the development of the framework by This section sets the stage for the development of the framework by
applying the systematic approach proposed in [Myagmar2005] to the applying the systematic approach proposed in [Myagmar2005] to the
routing security problem, while also drawing references from other routing security problem, while also drawing references from other
reviews and assessments found in the literature, particularly, reviews and assessments found in the literature, particularly,
[RFC4593] and [Karlof2003]. The subsequent subsections begin with a [RFC4593] and [Karlof2003]. The subsequent subsections begin with a
focus on the elements of a generic routing process that is used to focus on the elements of a generic routing process that is used to
establish routing assets and points of access of the routing establish routing assets and points of access of the routing
functionality. Next, the CIA security model is briefly described. functionality. Next, the CIA security model is briefly described.
Then, consideration is given to issues specific to or magnified in Then, consideration is given to issues specific to or amplified in
LLNs. LLNs. This section concludes with the formulation of a set of
security objectives for ROLL.
3.1. Routing Assets and Points of Access 3.1. Routing Assets and Points of Access
An asset implies important system component (including information, An asset implies important system component (including information,
process, or physical resource), the access to, corruption or loss of process, or physical resource), the access to, corruption or loss of
which adversely affects the system. In network routing, assets lie which adversely affects the system. In network routing, assets lie
in the routing information, routing process, and node's physical in the routing information, routing process, and node's physical
resources. That is, the access to, corruption, or loss of these resources. That is, the access to, corruption, or loss of these
elements adversely affects system routing. In network routing, a elements adversely affects system routing. In network routing, a
point of access refers to the point of entry facilitating point of access refers to the point of entry facilitating
skipping to change at page 7, line 14 skipping to change at page 7, line 9
node will get the route/topology information relayed from others. It node will get the route/topology information relayed from others. It
is likely that a node will store some or all of the routes and is likely that a node will store some or all of the routes and
topology information according to tradeoffs of node resources and topology information according to tradeoffs of node resources and
latency associated with the particular routing protocol. The nodes latency associated with the particular routing protocol. The nodes
use the derived routes for making forwarding decisions. use the derived routes for making forwarding decisions.
................................................... ...................................................
: : : :
: _________________ : : _________________ :
|Node_i|<------->(Neighbor Discovery)--->Neighbor Topology : |Node_i|<------->(Neighbor Discovery)--->Neighbor Topology :
: ----------------- : : -------+--------- :
: | : : | :
|Node_j|<------->(Route/Topology +--------+ : |Node_j|<------->(Route/Topology +--------+ :
: Exchange ) | : : Exchange) | :
: | V ______ : : | V ______ :
: +---->(Route Generation)--->Routes : : +---->(Route Generation)--->Routes :
: ------ : : ---+-- :
: | : : | :
: Routing on a Node Node_k | : : Routing on a Node Node_k | :
................................................... ...................................................
| |
|Forwarding | |Forwarding |
On Node_k |<------------------------------------------+ On Node_l|<-------------------------------------------+
Notation: Notation:
(Proc) A process Proc (Proc) A process Proc
________ ________
DataBase A data storage DataBase DataBase A data storage DataBase
-------- --------
|Node_n| An external entity Node_n |Node_n| An external entity Node_n
skipping to change at page 9, line 16 skipping to change at page 9, line 8
Availability Availability
Availability ensures that routing information exchanges and Availability ensures that routing information exchanges and
forwarding services need to be available when they are required forwarding services need to be available when they are required
for the functioning of the serving network. Availability will for the functioning of the serving network. Availability will
apply to maintaining efficient and correct operation of routing apply to maintaining efficient and correct operation of routing
and neighbor discovery exchanges (including needed information) and neighbor discovery exchanges (including needed information)
and forwarding services so as not to impair or limit the and forwarding services so as not to impair or limit the
network's central traffic flow function. network's central traffic flow function.
It is noted that, besides those captured in the CIA model, non- It is noted that, besides those captured in the CIA model, non-
repudiation is another security concern evaluated. With respect to repudiation is a security interest under certain circumstances. With
routing, non-repudiation will involve providing some ability to allow respect to routing, non-repudiation will involve providing some
traceability or network management review of participants of the ability to allow traceability or network management review of
routing process including the ability to determine the events and participants of the routing process including the ability to
actions leading to a particular routing state. Non-repudiation determine the events and actions leading to a particular routing
implies after the fact and thus relies on the logging or other state. Non-repudiation implies after the fact and thus relies on the
capture of on-going routing exchanges. Given the limited resources logging or other capture of on-going routing exchanges. Given the
of a node and potentially the communication channel, and considering limited resources of a node and potentially the communication
the operating mode associated with LLNs, routing transaction logging channel, and considering the operating mode associated with LLNs,
or auditing process communication overhead will not be practical; as routing transaction logging or auditing process communication
such, non-repudiation is not further considered as a relevant ROLL overhead will not be practical; as such, non-repudiation is not
security issue. further considered as a relevant ROLL security issue.
Based upon the CIA model, a high-level assessment of the security
needs of the assets found in Section 3.1 shows that
o routing/topology information needs to be integrity protected,
maintained with confidentiality, and prevented from unauthorized
use;
o neighbor discovery process needs to operate without undermining
routing availability;
o routing/topology exchange process needs to ensure that the
participants are authenticated, the communication of information
is integrity protected and confidential;
o communication channels and node resources need to have their
availability maintained;
o the internal and external interfaces of a node need to be
protected to ensure that integrity and confidentiality of stored
information is maintained as well as the integrity of routing and
route generation processes is assured.
Each individual system's use and environment will dictate how the
above general assessments are applied, including the choices of
security services as well as the strengths of the mechanisms that
must be implemented. The next subsection brings LLN-related issues
to light.
3.3. Issues Specific to or Magnified in LLNs 3.3. Issues Specific to or Amplified in LLNs
The work [RFC5548], as well as three other ongoing efforts, The work [RFC5548] and [RFC5673], as well as two other ongoing
[I-D.ietf-roll-indus-routing-reqs], efforts, [I-D.ietf-roll-home-routing-reqs] and
[I-D.ietf-roll-home-routing-reqs], and
[I-D.ietf-roll-building-routing-reqs], have identified ROLL specific [I-D.ietf-roll-building-routing-reqs], have identified ROLL specific
requirements and constraints for the urban, industrial, home requirements and constraints for the urban, industrial, home
automation, and building automation application domains, automation, and building automation application domains,
respectively. The following is a list of observations and evaluation respectively. The following is a list of observations and evaluation
of their impact on routing security considerations. of their impact on routing security considerations.
Limited energy reserve, memory, and processing resources Limited energy reserve, memory, and processing resources
As a consequence of these constraints, there is an even more As a consequence of these constraints, there is an even more
critical need than usual for a careful trade study on which and critical need than usual for a careful trade study on which and
what level of security services are to be afforded during the what level of security services are to be afforded during the
system design process. In addition, routing schemes based on system design process. In addition, the choices of security
various metrics have been proposed, e.g., geographic location. mechanisms are more stringent. Synchronization of security
Transmission and exchanging such metrics may have security states with sleepy nodes is yet another issues.
and/or privacy concerns.
Large scale of rolled out network Large scale of rolled out network
The possibly numerous nodes to be deployed, as well as the The possibly numerous nodes to be deployed, as well as the
general level of expertise of the installers, make manual on- general level of expertise of the installers, make manual on-
site configuration unlikely. Prolonged rollout and delayed site configuration unlikely. Prolonged rollout and delayed
addition of nodes, which may be from old inventory, over the addition of nodes, which may be from old inventory, over the
lifetime of the network, also complicate the operations of key lifetime of the network, also complicate the operations of key
management. management.
Autonomous operations Autonomous operations
Self-forming and self-organizing are commonly prescribed Self-forming and self-organizing are commonly prescribed
requirements of ROLL. In other words, a ROLL protocol needs to requirements of ROLL. In other words, a ROLL protocol needs to
contain elements of ad hoc networking and cannot rely on manual contain elements of ad hoc networking and cannot rely on manual
configuration for initialization or local filtering rules. configuration for initialization or local filtering rules.
Network topology/ownership changes, partitioning or merging, as
well as node replacement, can all contribute to key management
issues.
Highly directional traffic Highly directional traffic
Some types of LLNs see a high percentage of their total traffic Some types of LLNs see a high percentage of their total traffic
traverse between the nodes and the gateways where the LLNs traverse between the nodes and the gateways where the LLNs
connect to wired networks. The special routing status of and connect to wired networks. The special routing status of and
the greater volume of traffic near the gateways have routing the greater volume of traffic near the gateways/sinks have
security consequences. routing security consequences.
Unattended locations and limited physical security Unattended locations and limited physical security
Many applications have the nodes deployed in unattended or Many applications have the nodes deployed in unattended or
remote locations; furthermore, the nodes themselves are often remote locations; furthermore, the nodes themselves are often
built with minimal physical protection. These constraints built with minimal physical protection. These constraints
lower the barrier of accessing the data or security material lower the barrier of accessing the data or security material
stored on the nodes through physical means. stored on the nodes through physical means.
Support for mobility Support for mobility
On the one hand, only a number of applications require the On the one hand, only a number of applications require the
support of mobile nodes, e.g., a home LLN that includes nodes support of mobile nodes, e.g., a home LLN that includes nodes
on wearable health care devices or an industry LLN that on wearable health care devices or an industry LLN that
includes nodes on cranes and vehicles. On the other hand, if a includes nodes on cranes and vehicles. On the other hand, if a
routing protocol is indeed used in such applications, it will routing protocol is indeed used in such applications, it will
clearly need to have corresponding security mechanisms. clearly need to have corresponding security mechanisms.
Support for multicast and anycast Support for multicast and anycast
ROLL support for multicast and anycast is called out chiefly Support for multicast and anycast is called out chiefly for
for large-scale networks. As these are relatively new routing large-scale networks. As these are relatively new routing
technologies, there has been an ongoing effort devoted to their technologies, there has been an ongoing effort devoted to their
security mechanisms, e.g., from the IETF Multicast Security security mechanisms, e.g., from the IETF Multicast Security
working group. However, the threat model and attack analysis working group. However, inclusion of such mechanisms in a
are still areas not fully evaluated, and hence their impact is routing protocol, and consequently their security analysis, are
not yet fully understood, whether in a wired, wireless, or LLN. still areas not fully developed or their impact entirely
understood, whether in a more traditional wired or wireless
network, or LLN.
The above list considers how a LLN's physical constraints, size, The above list considers how a LLN's physical constraints, size,
operations, and varieties of application areas may impact security. operations, and varieties of application areas may impact security.
It is noted here also that LLNs commonly have the majority, if not It is noted here also that LLNs commonly have the majority, if not
all, of their nodes equipped to route. One of the consequences is all, of their nodes equipped to route. One of the consequences is
that the distinction between the link and network layers become that the distinction between the link and network layers become
artificial in some respects. Similarly, the distinction between a artificial in some respects. Similarly, the distinction between a
host and a router is blurred, especially when the set of applications host and a router is blurred, especially when the set of applications
running on a node is small. The continued evolution of ROLL and its running on a node is small. The continued evolution of ROLL and its
security functionality requirements need close attention. security functionality requirements need close attention.
3.4. ROLL Security Objectives
This subsection applies the CIA model to the routing assets and
access points, taking into account the LLN issues, to develop a set
of ROLL security objectives.
Since the fundament function of a routing protocol is to build routes
for forwarding packets, it is essential to ensure that
o routing/topology information is not tampered during transfer and
in storage;
o routing/topology information is not misappropriated;
o routing/topology information is available when needed.
In conjunction, it is necessary to be assured of
o the authenticity and legitimacy of the participants of the
neighbor discovery process;
o the routing/topology information received was faithfully generated
according to the protocol design.
However, when trust cannot be fully vested through authentication of
the principals alone, i.e., concerns of insider attack, assurance of
the truthfulness and timeliness of the received routing/topology
information is necessary. With regard to confidentiality, protecting
the routing/topology information from eavesdropping or unauthorized
exposure is in itself less pertinent in general to the routing
function.
One of the main problems of synchronizing security states of sleepy
nodes, as listed in the last subsection, lies in difficulties in
authentication; these nodes may not have received in time the most
recent update of security material. Similarly, the issues of minimal
manual configuration, prolonged rollout and delayed addition of
nodes, and network topology changes also complicate key management.
Hence, ROLL needs to bootstrap the authentication process and allow
for flexible expiration scheme of authentication credentials.
The vulnerability brought forth by some special-function nodes, e.g.,
gateways/sinks requires the assurance, particularly,
o of the availability of communication channels and node resources;
o that the neighbor discovery process operates without undermining
routing availability.
There are other factors which are not part of a ROLL protocol but
directly affecting its function. These factors include weaker
barrier of accessing the data or security material stored on the
nodes through physical means; therefore, the internal and external
interfaces of a node need to be adequate for guarding the integrity,
and possibly the confidentiality, of stored information, as well as
the integrity of routing and route generation processes.
Each individual system's use and environment will dictate how the
above objectives are applied, including the choices of security
services as well as the strengths of the mechanisms that must be
implemented. The next two sections give a closer look at how the
ROLL security objectives may be compromised and countered,
respectively.
4. Threats and Attacks 4. Threats and Attacks
This section outlines general categories of threats under the CIA This section outlines general categories of threats under the CIA
model and highlights the specific attacks in each of these categories model and highlights the specific attacks in each of these categories
for ROLL. As defined in [RFC4949], a threat is "a potential for for ROLL. As defined in [RFC4949], a threat is "a potential for
violation of security, which exists when there is a circumstance, violation of security, which exists when there is a circumstance,
capability, action, or event that could breach security and cause capability, action, or event that could breach security and cause
harm." An attack is "an assault on system security that derives from harm." An attack is "an assault on system security that derives from
an intelligent threat, i.e., an intelligent act that is a deliberate an intelligent threat, i.e., an intelligent act that is a deliberate
attempt (especially in the sense of a method or technique) to evade attempt (especially in the sense of a method or technique) to evade
skipping to change at page 13, line 36 skipping to change at page 14, line 18
to influence the operation and convergence of the routing protocols to influence the operation and convergence of the routing protocols
and ultimately impact the forwarding decisions made in the network. and ultimately impact the forwarding decisions made in the network.
Manipulation of neighbor state (topology) information will allow Manipulation of neighbor state (topology) information will allow
unauthorized sources to influence the nodes with which routing unauthorized sources to influence the nodes with which routing
information is exchanged and updated. The consequence of information is exchanged and updated. The consequence of
manipulating routing exchanges can thus lead to sub-optimality and manipulating routing exchanges can thus lead to sub-optimality and
fragmentation or partitioning of the network by restricting the fragmentation or partitioning of the network by restricting the
universe of routers with which associations can be established and universe of routers with which associations can be established and
maintained. maintained.
The forms of attack that allow manipulation of routing information The forms of attack that allow manipulation to compromise the content
include and validity of routing information include
o Falsification, including overclaiming and misclaiming; o Falsification, including overclaiming and misclaiming;
o Routing information replay; o Routing information replay;
o Byzantine (internal) attacks that permit corruption of routing
information in the node even where the node continues to be a
validated entity within the network;
o Physical device compromise. o Physical device compromise.
4.2.2. Node Identity Misappropriation 4.2.2. Node Identity Misappropriation
Falsification or misappropriation of node identity between routing Falsification or misappropriation of node identity between routing
participants opens the door for other attacks; it can also cause participants opens the door for other attacks; it can also cause
incorrect routing relationships to form and/or topologies to emerge. incorrect routing relationships to form and/or topologies to emerge.
Routing attacks may also be mounted through less sophisticated node Routing attacks may also be mounted through less sophisticated node
identity misappropriation in which the valid information broadcast or identity misappropriation in which the valid information broadcast or
exchanged by a node is replayed without modification. The receipt of exchanged by a node is replayed without modification. The receipt of
skipping to change at page 16, line 4 skipping to change at page 16, line 39
engagements are able to proceed with the peer routing entities. engagements are able to proceed with the peer routing entities.
Routing operation and network forwarding functions can thus be Routing operation and network forwarding functions can thus be
adversely impacted by node resources exhaustion that stems from adversely impacted by node resources exhaustion that stems from
attacks that include attacks that include
o Identity (including Sybil) attacks; o Identity (including Sybil) attacks;
o Routing information replay attacks; o Routing information replay attacks;
o HELLO flood attacks and ACK spoofing; o HELLO flood attacks and ACK spoofing;
o Overload attacks. o Overload attacks.
5. Countermeasures 5. Countermeasures
By recognizing the characteristics of LLNs that may impact routing By recognizing the characteristics of LLNs that may impact routing
and identifying potential countermeasures, this framework provides and identifying potential countermeasures, this framework provides
the basis for developing capabilities within ROLL protocols to deter the basis for developing capabilities within ROLL protocols to deter
the identified attacks and mitigate the threats. The following the identified attacks and mitigate the threats. The following
subsections consider such countermeasures by grouping the attacks subsections consider such countermeasures by grouping the attacks
according to the classification of the CIA model so that associations according to the classification of the CIA model so that associations
with the necessary security services are more readily visible. with the necessary security services are more readily visible.
However, the considerations here are more systematic than confined to
means available only within routing; the next section will then
distill and make recommendations appropriate for a secured ROLL
protocol.
5.1. Confidentiality Attack Countermeasures 5.1. Confidentiality Attack Countermeasures
Attacks on confidentiality may be mounted at the level of the routing Attacks on confidentiality may be mounted at the level of the routing
information assets, at the points of access associated with routing information assets, at the points of access associated with routing
exchanges between nodes, or through device interface access. To gain exchanges between nodes, or through device interface access. To gain
access to routing/topology information, the attacker may rely on a access to routing/topology information, the attacker may rely on a
compromised node that deliberately exposes the information during the compromised node that deliberately exposes the information during the
routing exchange process, may rely on passive sniffing or analysis of routing exchange process, may rely on passive sniffing or analysis of
routing traffic, or may attempt access through a component or device routing traffic, or may attempt access through a component or device
interface of a tampered routing node. interface of a tampered routing node.
skipping to change at page 22, line 13 skipping to change at page 23, line 8
routing, an identity attacker can illegitimately participate in routing, an identity attacker can illegitimately participate in
routing exchanges, distribute false routing information, or cause an routing exchanges, distribute false routing information, or cause an
invalid outcome of a routing process. invalid outcome of a routing process.
A perpetrator of Sybil attacks assumes multiple identities. The A perpetrator of Sybil attacks assumes multiple identities. The
result is not only an amplification of the damage to routing, but result is not only an amplification of the damage to routing, but
extension to new areas, e.g., where geographic distribution is extension to new areas, e.g., where geographic distribution is
explicit or implicit an asset to an application running on the LLN. explicit or implicit an asset to an application running on the LLN.
The counter of identity attacks need to ensure the authenticity and The counter of identity attacks need to ensure the authenticity and
liveness of the parties of a message exchange; the measure may use liveliness of the parties of a message exchange; the measure may use
shared key or public key based authentication scheme. On the one shared key or public key based authentication scheme. On the one
hand, the large-scale nature of the LLNs makes the network-wide hand, the large-scale nature of the LLNs makes the network-wide
shared key scheme undesirable from a security perspective; on the shared key scheme undesirable from a security perspective; on the
other hand, public-key based approaches generally require more other hand, public-key based approaches generally require more
computational resources. Each system will need to make trade-off computational resources. Each system will need to make trade-off
decisions based on its security requirements. decisions based on its security requirements.
5.2.4. Countering Routing Information Replay Attacks 5.2.4. Countering Routing Information Replay Attacks
In routing, message replay can result in false topology and/or In routing, message replay can result in false topology and/or
routes. The counter of replay attacks need to ensure the freshness routes. The counter of replay attacks need to ensure the freshness
of the message. On the one hand, there are a number of mechanisms of the message. On the one hand, there are a number of mechanisms
commonly used for countering replay. On the other hand, the choice commonly used for countering replay. On the other hand, the choice
should take into account how a particular mechanism is made available should take into account how a particular mechanism is made available
in a LLN. For example, many LLNs have a central source of time and in a LLN. For example, many LLNs have a central source of time and
have it distributed by relaying, such that secured time distribution have it distributed by relaying, such that secured time distribution
becomes a prerequisite of using timestamping to counter replay. becomes a prerequisite of using timestamping to counter replay.
5.2.5. Countering Byzantine Routing Information Attacks
Where a node is captured or compromized but continues to operate for
a period with valid network security credentials, the potential
exists for routing information to be manipulated. This compromise of
the routing information could thus exist in spite of security
countermeasures that operate between the peer routing devices.
Consistent with the end-to-end principle of communications, such an
attack can only be fully addressed through measures operating
directly between the routing entities themselves or by means of
external entities able to access and independently analyze the
routing information. Verification of the authenticity and liveliness
of the routing principals can therefore only provide a limited
counter against internal (Byzantine) node attacks.
For link state routing protocols where information is flooded
countermeasures can be directly applied by the routing entities
through the processing and comparison of link state information
received from different peers. By comparing the link information
from multiple sources decisions can be made by a routing node or
external entity with regard to routing information validity.
For distance vector protocols where information is aggregated at each
routing node it is not possible for nodes to directly detect
Byzantine information manipulation attacks from the routing
information exchange. In such cases, the routing protocol must
include and support indirect communications exchanges between non-
adjacent routing peers to provide a secondary channel for performing
routing information validation. S-RIP [Wan2004] is an example of the
implementation of this type of dedicated routing protocol security
where the correctness of aggregate distance vector information can
only be validated by initiating confirmation exchanges directly
between nodes that are not routing neighbors.
Alternatively, an entity external to the routing protocol would be
required to collect and audit routing information exchanges to detect
the Byzantine attack. In the context of the current security
framework, any protection against Byzantine routing information
attacks will need to be directly included within the mechanisms of
the ROLL routing protocol. This can be implemented where such an
attack is considered relevant even within the physical device
protections discussed in Section 5.1.4
5.3. Availability Attack Countermeasures 5.3. Availability Attack Countermeasures
As alluded to before, availability requires that routing information As alluded to before, availability requires that routing information
exchanges and forwarding mechanisms be available when needed so as to exchanges and forwarding mechanisms be available when needed so as to
guarantee a proper functioning of the network. This may, e.g., guarantee a proper functioning of the network. This may, e.g.,
include the correct operation of routing information and neighbor include the correct operation of routing information and neighbor
state information exchanges, among others. We will highlight the key state information exchanges, among others. We will highlight the key
features of the security threats along with typical countermeasures features of the security threats along with typical countermeasures
to prevent or at least mitigate them. We will also note that an to prevent or at least mitigate them. We will also note that an
availability attack may be facilitated by an identity attack as well availability attack may be facilitated by an identity attack as well
skipping to change at page 27, line 7 skipping to change at page 28, line 48
selective forwarding, wormhole attacks can create race conditions selective forwarding, wormhole attacks can create race conditions
which impact topology maintenance, routing protocols as well as any which impact topology maintenance, routing protocols as well as any
security suits built on "time of check" and "time of use". security suits built on "time of check" and "time of use".
Wormhole attacks are very difficult to detect in general but can be Wormhole attacks are very difficult to detect in general but can be
mitigated using similar strategies as already outlined above in the mitigated using similar strategies as already outlined above in the
context of sinkhole attacks. context of sinkhole attacks.
6. ROLL Security Features 6. ROLL Security Features
The issues discussed in Section 4, together with the countermeasures The assessments and analysis in Section 4 examined all areas of
described in Section 5, provide the basis for the requirements of the threats and attacks that could impact routing, and the
following ROLL security features. Still, it bears emphasizing that countermeasures presented in Section 5 were reached without confining
the target here is a generic ROLL protocol and the normative keywords the consideration to means only available to routing. This section
are mainly to convey the relative level of urgency of the features puts the results into perspective and provides a framework for
specified. As routing is one component of a LLN system, the actual addressing the derived set of security objectives that must be met by
strength of the security services afforded to it should be made to the ROLL protocol. It bears emphasizing that the target here is a
conform to each system's security policy; how a design may address generic ROLL protocol and the normative keywords are mainly to convey
the needs of the urban, industrial, home automation, and building the relative level of urgency of the features specified.
automation application domains is considered in Section 6.5.
The first part of this section, Section 6.1 to Section 6.3, is a
prescription of ROLL security features of measures that can be
addressed as part of the routing protocol itself. As routing is one
component of a LLN system, the actual strength of the security
services afforded to it should be made to conform to each system's
security policy; how a design may address the needs of the urban,
industrial, home automation, and building automation application
domains also needs to be considered. The second part of this
section, Section 6.4 and Section 6.5, discusses system security
aspects that may impact routing but that also require considerations
beyond the routing protocol, as well as potential approaches.
6.1. Confidentiality Features 6.1. Confidentiality Features
To protect confidentiality, a secured ROLL protocol With regard to confidentiality, protecting the routing/topology
information from eavesdropping or unauthorized exposure is not
directly essential to maintaining the routing function. Breaches of
confidentiality may lead to other attacks or the focusing of an
attacker's resources (see Section 4.1) but does not of itself
directly undermine the operation of the routing function. However,
to protect against, and improve vulnerability against other more
direct attacks, routing information confidentiality should be
protected. Thus, a secured ROLL protocol
o SHOULD provide payload encryption; o SHOULD provide payload encryption;
o MAY provide tunneling; o MAY provide tunneling;
o MAY provide load balancing; o MAY provide load balancing;
o SHOULD provide privacy, e.g., when geographic information is used. o SHOULD provide privacy, e.g., when geographic information is used.
Where confidentiality is incorporated into the routing exchanges,
encryption algorithms and key lengths need to be specified in
accordance of the level of protection dictated by the routing
protocol and the associated application domain transport network. In
terms of the life time of the keys, the opportunity to periodically
change the encryption key increases the offered level of security for
any given implementation. However, where strong cryptography is
employed, physical, procedural, and logical data access protection
considerations may have more significant impact on cryptoperiod
selection than algorithm and key size factors. Nevertheless, in
general, shorter cryptoperiods, during which a single key is applied,
will enhance security.
Given the mandatory protocol requirement to implement routing node
authentication as part of routing integrity (see Section 6.2), key
exchanges may be coordinated as part of the integrity verification
process. This provides an opportunity to increase the frequency of
key exchange and shorten the cryptoperiod as a compliment to the key
length and encryption algorithm required for a given application
domain. For LLNs, the coordination of confidentiality key management
with the implementation of node device authentication can thus reduce
the overhead associated with supporting data confidentiality. A new
ciphering key may therefore be concurrently generated or updated in
conjunction with the mandatory authentication exchange occurring with
each routing peer association.
6.2. Integrity Features 6.2. Integrity Features
The integrity of routing information provides the basis for ensuring
that the function of the routing protocol is achieved and maintained.
To protect integrity, a secured ROLL protocol To protect integrity, a secured ROLL protocol
o MUST verify the liveliness of both principals of a connection; o MUST verify message integrity;
o MUST verify message freshness; o MUST verify the authenticity and liveliness of both principals of
a connection;
o MUST verify message sequence and integrity; o MUST verify message sequence.
Depending on the nature of the routing protocol, e.g., distance
vector or link state, additional measures may be necessary when the
validity of the routing information is of concern. Specifically,
verification of routing peer authenticity and liveliness can be used
to build a "chain of trust" along the path the routing information
flows, such that network-wide information is validated through the
concatenation of trust established at each individual routing peer
exchange. This is particularly important in the case of distance
vector-based routing protocols, where information is updated at
intermediate nodes, In such cases, there are no direct means within
routing for a receiver to verify the validity of the routing
information beyond the current exchange; as such, nodes would need to
be able to communicate and request information from non-adjacent
peers (see [Wan2004]) to provide information integrity assurances.
With link state-based protocols, on the other hand, routing
information can be signed at the source thus providing a means for
validating information that originates beyond a routing peer.
Therefore, where necessary, a secured ROLL protocol
o MAY use security auditing mechanisms that are external to routing
to verify the validity of the routing information content
exchanged among routing peers.
6.3. Availability Features 6.3. Availability Features
To protect availability, a secured ROLL protocol Availability of routing information is linked to system and network
availability which in the case of LLNs require a broader security
view beyond the requirements of the routing entities (see
Section 6.5). Where availability of the network is compromised,
routing information availability will be accordingly affected.
However, to specifically assist in protecting routing availability
o MAY restrict neighborhood cardinality; o MAY restrict neighborhood cardinality;
o MAY use multiple paths; o MAY use multiple paths;
o MAY use multiple destinations; o MAY use multiple destinations;
o MAY choose randomly if multiple paths are available; o MAY choose randomly if multiple paths are available;
o MAY set quotas to limit transmit or receive volume; o MAY set quotas to limit transmit or receive volume;
o MAY use geographic insights for flow control. o MAY use geographic insights for flow control.
6.4. Additional Related Features 6.4. Additional Related Features
If a LLN employs multicast and/or anycast, it MUST secure these If a LLN employs multicast and/or anycast, it MUST secure these
protocols with the services listed in this sections. Furthermore, protocols with the services listed in this sections. Furthermore,
the nodes MUST provide adequate physical tamper resistance to ensure the nodes MUST provide adequate physical tamper resistance to ensure
the integrity of stored routing information. the integrity of stored routing information.
The functioning of the security services requires keys and The functioning of the security services requires keys and
credentials. Therefore, even though not directly a ROLL security credentials. Therefore, even though not directly a ROLL security
requirement, a LLN must include a process for key and credential requirement, a LLN must include a process for key and credential
distribution; a LLN is encouraged to have procedures for their distribution; a LLN is encouraged to have procedures for their
revocation and replacement. revocation and replacement.
6.5. Consideration on Matching Application Domain Needs 6.5. Consideration on Matching Application Domain Needs
As routing is one component of a LLN system, the actual strength of
the security services afforded to it should be made to conform to
each system's security policy; how a design may address the needs of
the urban, industrial, home automation, and building automation
application domains is considered as part of the security
architecture in Section 6.5.1.
The development so far takes into account collectively the impacts of The development so far takes into account collectively the impacts of
the issues gathered from [RFC5548], the issues gathered from [RFC5548], [RFC5673],
[I-D.ietf-roll-indus-routing-reqs],
[I-D.ietf-roll-home-routing-reqs], and [I-D.ietf-roll-home-routing-reqs], and
[I-D.ietf-roll-building-routing-reqs]. The following two subsections [I-D.ietf-roll-building-routing-reqs]. The following two subsections
first consider from an architectural perspective how the security first consider from an architectural perspective how the security
design of a ROLL protocol may be made to adapt to the four design of a ROLL protocol may be made to adapt to the four
application domains, and then examine mechanism and protocol application domains, and then examine mechanism and protocol
operations issues. operations issues.
6.5.1. Architecture 6.5.1. Security Architecture
The first challenge for a ROLL protocol security design is to have an The first challenge for a ROLL protocol security design is to have an
architecture that can adequately address a set of very diversified architecture that can adequately address a set of very diversified
needs. It is mainly a consequence of the fact that there are both needs. It is mainly a consequence of the fact that there are both
common and non-overlapping requirements from the four application common and non-overlapping requirements from the four application
domains, while, conceivably, each individual application will present domains, while, conceivably, each individual application will present
yet its own unique constraints. yet its own unique constraints.
A ROLL protocol MUST be made flexible with a design which allows the For a ROLL protocol, the security requirements defined in Section 6.1
user to choose the security configurations that match the to Section 6.4 can be addressed at two levels: 1) through measures
application's needs. The construct may be, e.g., a header containing implemented directly within the routing protocol itself and initiated
security material of configurable security primitives in the fashion and controlled by the routing protocol entities; or 2) through
of OSPFv2 [RFC2328] or RIPv2 [RFC2453]. On the other hand, it is measures invoked on behalf of the routing protocol entities but
more desirable from a LLN device perspective that the ROLL protocol implemented within the transport network over which the protocol
specifies the necessity of an overall system architecture in which exchanges occur.
security facility may be shared by different applications and/or
across layers for efficiency, while security policy and settings can Where security is directly implemented as part of the routing
be consistently made, e.g., RIPng [RFC2080] or the approach presented protocol the security requirements configured by the user (system
in [Messerges2003]. administrator) will operate independent of the underlying transport
network. OSPFv2 [RFC2328] is an example of such an approach in which
security parameters are exchanged and assessed within the routing
protocol messages. In this case, the mechanism may be, e.g., a
header containing security material of configurable security
primitives in the fashion of OSPFv2 or RIPv2 [RFC2453]. Where IPsec
[RFC4301] is employed to secure the network, the included protocol-
specific (OSPF or RIP) security elements are in addition to and
independent of those at the network layer. In the case of LLNs or
other networks where system security mandates protective mechanisms
at other lower layers of the transport network, security measures
implemented as part of the routing protocol will be redundant to
security measures implemented elsewhere as part of the transport
network.
Security mechanisms built into the routing protocol can ensure that
all desired countermeasures can be directly addressed by the protocol
all the way to the endpoint of the routing exchange. In particular,
routing protocol Byzantine attacks by a compromised node that retains
valid network security credentials can only be detected at the level
of the information exchanged within the routing protocol. Such
attacks aimed the manipulation of the routing information can only be
fully addressed through measures operating directly between the
routing entities themselves or external entities able to access and
analyze the routing information (see discussion in Section 5.2.5).
On the other hand, it is more desirable from a LLN device perspective
that the ROLL protocol is integrated into the framework of an overall
system architecture where the security facility may be shared by
different applications and/or across layers for efficiency, and where
security policy and configurations can be consistently specified.
See, for example, considerations made in RIPng [RFC2080] or the
approach presented in [Messerges2003].
Where the routing protocol is able to rely on security measures
configured with the transport network, greater system efficiency can
be realized by avoiding potentially redundant security. Relying on
an open trust model [Messerges2003], the security requirements of the
routing protocol can be more flexibly met at different layers of the
transport network; measures that must be applied to protect the
communications network are concurrently able to provide the needed
routing protocol protection.
In addition, in the context of the different application domains, it
allows the level of security applied for routing to be consistent
with that needed for protecting the network itself. For example,
where AES-128 is deemed the appropriate standard for network
confidentiality of data exchanges at the link layer, that level of
security is automatically afforded to routing protocol exchanges.
Similarly, where SHA-1 is stipulated as the standard required for
authenticating routing protocol peers, the use of SHA-1 at the
network layer between communicating routing devices automatically
meets the routing protocol security requirement within the context of
open trust across layers within the device.
A ROLL protocol MUST be made flexible by a design that offers the
configuration facility so that the user (network administrator) can
choose the security settings that match the application's needs.
Furthermore, in the case of LLNs that flexibility should extend to
allowing the routing protocol security requirements to be met by
measures applied at different protocol layers, provided the
identified requirements are collectively met.
Since Byzantine attacks that can affect the validity of the
information content exchanged between routing entities can only be
directly countered at the routing protocol level, the ROLL protocol
may support mechanisms for verifying routing data validity that
extends beyond the chain of trust created through device
authentication. This protocol-specific security mechanism should be
made optional within the protocol allowing it to be invoked according
to the given routing protocol and application domain and as selected
by the system user. All other ROLL security mechanisms needed to
meet the above identified routing security requirements should be
flexibly implemented within the transport network (at the IP network
layer or higher or lower protocol layers(s)) according to the
particular application domain and user network configuration.
Based on device capabilities and the spectrum of operating
environments it would be difficult for a single fixed security design
to be applied to address the diversified needs of the four ROLL
application domains without forcing a very low common denominator set
of requirements. On the other hand, providing four individual domain
designs that attempt to a priori match each individual domain is also
very likely to provide a suitable answer given the degree of network
variability even within a given domain. Instead, the framework
implementation approach recommended for optional, routing protocol-
specific measures together with flexible transport network mechanisms
can be the most effective. This approach allows countermeasures
against internal attacks to be applied in environments where
applicable threats exist. At the same time, it allows routing
protocol security to be configured through measures implemented
within the transport network that is commensurate and consistent with
the level and strength applied in the particular application domain
networks.
6.5.2. Mechanisms and Operations 6.5.2. Mechanisms and Operations
With an architecture allowing different configurations to meet the With an architecture allowing different configurations to meet the
application domain needs, the task is then to find suitable application domain needs, the task is then to find suitable
mechanisms. This subsection considers the security properties of a mechanisms. For example, one of the main problems of synchronizing
number of mechanisms found in widely employed routing protocols, as security states of sleepy nodes, as listed in the last subsection,
well as how some of their protocol operations affect security. The lies in difficulties in authentication; these nodes may not have
discussion is based on analyses found in the open literature. The received in time the most recent update of security material.
intention is to offer a stepping stone for the security design of a Similarly, the issues of minimal manual configuration, prolonged
ROLL protocol, as well as to be useful for preventing oversights, but rollout and delayed addition of nodes, and network topology changes
not an exhaustive in-depth survey also complicate security management. In such case the ROLL protocol
may need to bootstrap the authentication process and allow for
flexible expiration scheme of authentication credentials. This
exemplifies the need for the coordination and interoperation between
the requirements of the ROLL routing protocol and that of the system
security elements.
There has been quite an amount of effort applied to the assessment of Similarly, the vulnerability brought forth by some special-function
the security of routing protocols, e.g., Section 2 of [Wan2004] and nodes, e.g., gateways/sinks requires the assurance, particularly, of
Section 2 of [Babakhouya2006] consider the security properties of RIP the availability of communication channels and node resources, or
as well as distance vector protocols in general. There are two that the neighbor discovery process operates without undermining
issues worth taking note. routing availability.
Authentication There and other factors which are not part of a ROLL routing protocol
The current version of RIP allows two options of can still affect its operation. This includes elements such as
authentication, i.e., clear-text password and cryptographic weaker barrier to accessing the data or security material stored on
authentication, which includes keyed-MD5 [RFC4822]. On the one the nodes through physical means; therefore, the internal and
hand, transporting clear-text passwords without protection is external interfaces of a node need to be adequate for guarding the
ineffective for authentication. On the other hand, the key for integrity, and possibly the confidentiality, of stored information,
the MD5 operation is in a suffix position only and as such the as well as the integrity of routing and route generation processes.
key may be vulnerable to cryptanalysis [Kaliski1995].
Information Aggregation Figure 2 provides an overview of the larger context of system
Distance vector routers periodically exchange route updates security and the relationship between ROLL requirements and measures
that is the output of a computation on information gathered and those that relate to the LLN system.
locally, making it difficult for the receiver to verify the
correctness or resolve the sources of the information that went
into the updates.
There are also plenty of analyses on link state based protocols, Security Services for
especially on OSPF, e.g., [Wang1998] and [I-D.ietf-rpsec-ospf-vuln] ROLL-Addressable
are both entirely on this protocol. The following issues about OSPF Security Requirements
are of interest. | |
+---+ +---+
Node_i | | Node_j
_____v___ ___v_____
Specify Security / \ / \ Specify Security
Requirements | Routing | | Routing | Requirements
+---------| Protocol| | Protocol|---------+
| | Entity | | Entity | |
| \_________/ \_________/ |
| | | |
|ROLL-Specified | | ROLL-Specified|
---Interface | | Interface---
| ...................................... |
| : | | : |
| : +-----+----+ +----+-----+ : |
| : |Transport/| |Transport/| : |
____v___ : +>|Network | |Network |<+ : ___v____
/ \ : | +-----+----+ +----+-----+ | : / \
| |-:-+ | | +-:-| |
|Security| : +-----+----+ +----+-----+ : |Security|
+->|Services|-:-->| Link | | Link |<--:-|Services|<-+
| |Entity | : +-----+----+ +----+-----+ : |Entity | |
| | |-:-+ | | +-:-| | |
| \________/ : | +-----+----+ +----+-----+ | : \________/ |
| : +>| Physical | | Physical |<+ : |
Application : +-----+----+ +----+-----+ : Application
Domain User : | | : Domain User
Configuration : |__Comm. Channel_| : Configuration
: :
...Transport Network..................
The Age Field Figure 2: LLN Device Security Model
The Age field in the Link State Advertisement (LSA) is updated
by each receiver; it is not covered by the integrity protection
mechanism in OSPFv2 and so is exposed to forgery. OSPFv3
[RFC5340] relegates security services to the underlying IPv6's
security mechanisms.
LSA Flooding 7. Application of ROLL Security Framework to RPL
LSAs are disseminated through flooding. The router
corresponding to the claimed advertiser of a LSA can either
flush or update to correct inconsistencies. However, this
mechanism may be defeated by a persistent attacker
[I-D.ietf-rpsec-ospf-vuln], is ineffective when the legitimate
owner does not receive the altered LSA, or the claimed
advertiser does not exist.
Hierarchical Routing This section applies the assessments given in Section 6 to RPL as an
Partitioning of the autonomous system into areas facilitates illustration of the application of the LLN security framework.
scaling and also helps the containment of incorrect information
to within an area. On the other hand, routing information from
autonomous system border routers are flooded throughout the
autonomous system and thus have significant security
consequences.
The foregoing discussion has been based on widely employed routing Specializing the approach used in Section 3.1, Figure 3 gives a
protocols for the many studies they received can contribute to level-1 data flow diagram representation of RPL to show the routing
informed design decisions. In addition, the attention was limited to "assets" and "points of access" that may be vulnerable and need to be
those elements that are more relevant to a potential ROLL protocol protected.
design.
7. IANA Considerations .............................................
: :
|Multicast : :
Group_i or : :
Node_i|<------->(DIO/DIS/DAO)<--------------+ :
: ^ | :
: | ______V______ :
: | Candidate :
: V Neighbor List :
: (RPL Control incl. ------+------ :
: Trickle Timer, | :
: Loop Avoidance) V :
: ^ (Route Generation) :
: | | :
: | ______V______ :
: +-------+ Routing Table :
: | ------+------ :
: | | :
: RPL on Node_j | | :
...................|.............|...........
| |
|Forwarding V |
To/From Node_k|<------>(Read/Write |
Flow Label)<--------+
Figure 3: Data Flow Diagram of RPL
From Figure 3, it is seen that threats to the proper operation of RPL
are realized through attacks on its DIO, DIS, and DAO messages, as
well as on the information the protocol places on the IPv6 Flow
Labels. As set forth in Section 6.1 to Section 6.4, the base
security requirements concern message integrity, authenticity and
liveliness of the principals of a connection, and protection against
message replay; message encryption may be desirable. The security
objectives for RPL are therefore to ensure that
1. participants of the DIO, DIS, and DAO message exchanges are
authentic;
2. the received DIO, DIS, and DAO messages are not modified during
transportation;
3. the received DIO, DIS, and DAO messages are not retransmissions
of previous messages;
4. the content of the DIO, DIS, and DAO messages may be made legible
to only authorized entities.
In meeting the above objectives, RPL also needs to provide tunable
mechanisms both to allow matching the security afforded to the
application domain requirements and to enable efficient use of system
resources, as discussed in Section 6.5.1 and Section 6.5.2.
The functions of the different RPL messages and information placed
within the user data plane Flow Labels are factors that can be taken
into account when deciding the optional security features and levels
of strength to be afforded. For example, the DIO messages build
routes to roots while the DAO messages support the building of
downward routes to leaf nodes. Consequently, there may be
application environments in which the directions of the routes have
different importance and thus warrant the use of different security
features and/or strength. In other words, it may be desirable to
have an RPL security design that extends the tunability of the
security features and strengths to message types. The use of a per-
message security specification will allow flexibility in permitting
application-domain security choices as well as overall tunability.
8. IANA Considerations
This memo includes no request to IANA. This memo includes no request to IANA.
8. Security Considerations 9. Security Considerations
The framework presented in this document provides security analysis The framework presented in this document provides security analysis
and design guidelines with a scope limited to ROLL. The and design guidelines with a scope limited to ROLL. Security
investigation is at a high-level and not specific to a particular services are identified as requirements for securing ROLL. The
protocol. Security services, but not mechanisms, are identified as results are applied to RPL, with consequent recommendations.
requirements for securing ROLL.
9. Acknowledgments 10. Acknowledgments
10. References The authors would like to acknowledge the review and comments from
Rene Struik.
10.1. Normative References 11. References
11.1. Normative References
[RFC2080] Malkin, G. and R. Minnear, "RIPng for IPv6", RFC 2080, [RFC2080] Malkin, G. and R. Minnear, "RIPng for IPv6", RFC 2080,
January 1997. January 1997.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998. [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998.
[RFC2453] Malkin, G., "RIP Version 2", STD 56, RFC 2453, [RFC2453] Malkin, G., "RIP Version 2", STD 56, RFC 2453,
November 1998. November 1998.
[RFC4822] Atkinson, R. and M. Fanto, "RIPv2 Cryptographic [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Authentication", RFC 4822, February 2007. Internet Protocol", RFC 4301, December 2005.
[RFC5340] Coltun, R., Ferguson, D., Moy, J., and A. Lindem, "OSPF
for IPv6", RFC 5340, July 2008.
10.2. Informative References
[Babakhouya2006] 11.2. Informative References
Babakhouya, A., Challal, Y., Bouabdallah, M., and S.
Gharout, "SDV: A New Approach to Secure Distance Vector
Routing Protocols", IEEE Securecomm and
Workshops, Baltimore, MD, USA, pp. 1-10, Aug. 28-Sept.
1 2006.
[Huang2003] [Huang2003]
Huang, Q., Cukier, J., Kobayashi, H., Liu, B., and J. Huang, Q., Cukier, J., Kobayashi, H., Liu, B., and J.
Zhang, "Fast Authenticated Key Establishment Protocols for Zhang, "Fast Authenticated Key Establishment Protocols for
Self-Organizing Sensor Networks", in Proceedings of the Self-Organizing Sensor Networks", in Proceedings of the
2nd ACM International Conference on Wireless Sensor 2nd ACM International Conference on Wireless Sensor
Networks and Applications, San Diego, CA, USA, pp. 141- Networks and Applications, San Diego, CA, USA, pp. 141-
150, Sept. 19 2003. 150, Sept. 19 2003.
[I-D.ietf-roll-building-routing-reqs] [I-D.ietf-roll-building-routing-reqs]
Martocci, J., Riou, N., Mil, P., and W. Vermeylen, Martocci, J., Riou, N., Mil, P., and W. Vermeylen,
"Building Automation Routing Requirements in Low Power and "Building Automation Routing Requirements in Low Power and
Lossy Networks", draft-ietf-roll-building-routing-reqs-07 Lossy Networks", draft-ietf-roll-building-routing-reqs-08
(work in progress), September 2009. (work in progress), December 2009.
[I-D.ietf-roll-home-routing-reqs] [I-D.ietf-roll-home-routing-reqs]
Brandt, A., Buron, J., and G. Porcu, "Home Automation Brandt, A. and J. Buron, "Home Automation Routing
Routing Requirements in Low Power and Lossy Networks", Requirements in Low Power and Lossy Networks",
draft-ietf-roll-home-routing-reqs-08 (work in progress), draft-ietf-roll-home-routing-reqs-10 (work in progress),
September 2009. January 2010.
[I-D.ietf-roll-indus-routing-reqs] [I-D.ietf-roll-rpl]
Networks, D., Thubert, P., Dwars, S., and T. Phinney, Winter, T., Thubert, P., and R. Team, "RPL: IPv6 Routing
"Industrial Routing Requirements in Low Power and Lossy Protocol for Low power and Lossy Networks",
Networks", draft-ietf-roll-indus-routing-reqs-06 (work in draft-ietf-roll-rpl-06 (work in progress), February 2010.
progress), June 2009.
[I-D.ietf-roll-terminology] [I-D.ietf-roll-terminology]
Vasseur, J., "Terminology in Low power And Lossy Vasseur, J., "Terminology in Low power And Lossy
Networks", draft-ietf-roll-terminology-01 (work in Networks", draft-ietf-roll-terminology-02 (work in
progress), May 2009. progress), October 2009.
[I-D.ietf-rpsec-ospf-vuln]
Jones, E. and O. Moigne, "OSPF Security Vulnerabilities
Analysis", draft-ietf-rpsec-ospf-vuln-02 (work in
progress), June 2006.
[I-D.suhopark-hello-wsn] [I-D.suhopark-hello-wsn]
Park, S., "Routing Security in Sensor Network: HELLO Flood Park, S., "Routing Security in Sensor Network: HELLO Flood
Attack and Defense", draft-suhopark-hello-wsn-00 (work in Attack and Defense", draft-suhopark-hello-wsn-00 (work in
progress), December 2005. progress), December 2005.
[Kaliski1995]
Kaliski, B. and M. Robshaw, "Message Authentication with
MD5", RSA Labs' CryptoBytes, 1(1):5-8, 1995.
[Karlof2003] [Karlof2003]
Karlof, C. and D. Wagner, "Secure routing in wireless Karlof, C. and D. Wagner, "Secure routing in wireless
sensor networks: attacks and countermeasures", Elsevier sensor networks: attacks and countermeasures", Elsevier
AdHoc Networks Journal, Special Issue on Sensor Network AdHoc Networks Journal, Special Issue on Sensor Network
Applications and Protocols, 1(2):293-315, September 2003. Applications and Protocols, 1(2):293-315, September 2003.
[Messerges2003] [Messerges2003]
Messerges, T., Cukier, J., Kevenaar, T., Puhl, L., Struik, Messerges, T., Cukier, J., Kevenaar, T., Puhl, L., Struik,
R., and E. Callaway, "Low-Power Security for Wireless R., and E. Callaway, "Low-Power Security for Wireless
Sensor Networks", in Proceedings of the 1st ACM Workshop Sensor Networks", in Proceedings of the 1st ACM Workshop
skipping to change at page 33, line 5 skipping to change at page 40, line 31
[RFC4593] Barbir, A., Murphy, S., and Y. Yang, "Generic Threats to [RFC4593] Barbir, A., Murphy, S., and Y. Yang, "Generic Threats to
Routing Protocols", RFC 4593, October 2006. Routing Protocols", RFC 4593, October 2006.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
RFC 4949, August 2007. RFC 4949, August 2007.
[RFC5548] Dohler, M., Watteyne, T., Winter, T., and D. Barthel, [RFC5548] Dohler, M., Watteyne, T., Winter, T., and D. Barthel,
"Routing Requirements for Urban Low-Power and Lossy "Routing Requirements for Urban Low-Power and Lossy
Networks", RFC 5548, May 2009. Networks", RFC 5548, May 2009.
[RFC5673] Pister, K., Thubert, P., Dwars, S., and T. Phinney,
"Industrial Routing Requirements in Low-Power and Lossy
Networks", RFC 5673, October 2009.
[Wan2004] Wan, T., Kranakis, E., and PC. van Oorschot, "S-RIP: A [Wan2004] Wan, T., Kranakis, E., and PC. van Oorschot, "S-RIP: A
Secure Distance Vector Routing Protocol", in Proceedings Secure Distance Vector Routing Protocol", in Proceedings
of the 2nd International Conference on Applied of the 2nd International Conference on Applied
Cryptography and Network Security, Yellow Mountain, China, Cryptography and Network Security, Yellow Mountain, China,
pp. 103-119, Jun. 8-11 2004. pp. 103-119, Jun. 8-11 2004.
[Wang1998]
Wang, F. and SF. Wu, "On the Vulnerabilities and
Protection of OSPF Routing Protocol", in Proceedings of
the 7th International Conference on Computer
Communications and Networks, Lafayette, LA, USA, pp. 148-
152, Oct. 12-15 1998.
Authors' Addresses Authors' Addresses
Tzeta Tsao (editor) Tzeta Tsao (editor)
Eka Systems Eka Systems
20201 Century Blvd. Suite 250 20201 Century Blvd. Suite 250
Germantown, Maryland 20874 Germantown, Maryland 20874
USA USA
Email: tzeta.tsao@ekasystems.com Email: tzeta.tsao@ekasystems.com
Roger K. Alexander (editor) Roger K. Alexander (editor)
Eka Systems Eka Systems
20201 Century Blvd. Suite 250 20201 Century Blvd. Suite 250
Germantown, Maryland 20874 Germantown, Maryland 20874
USA USA
Email: roger.alexander@ekasystems.com Email: roger.alexander@ekasystems.com
Mischa Dohler (editor) Mischa Dohler (editor)
CTTC CTTC
 End of changes. 74 change blocks. 
280 lines changed or deleted 606 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/