idnits 2.17.1 draft-ietf-lwig-nbr-mgmt-policy-02.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (August 24, 2018) is 2069 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'REF' is mentioned on line 164, but not defined == Outdated reference: A later version (-30) exists of draft-ietf-6tisch-architecture-14 == Outdated reference: A later version (-15) exists of draft-ietf-6tisch-minimal-security-06 Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 LWIG R. Jadhav, Ed. 3 Internet-Draft R. Sahoo 4 Intended status: Informational Huawei 5 Expires: February 25, 2019 S. Duquennoy 6 Inria 7 J. Eriksson 8 Yanzi Networks 9 August 24, 2018 11 Neighbor Management Policy for 6LoWPAN 12 draft-ietf-lwig-nbr-mgmt-policy-02 14 Abstract 16 This document describes the problems associated with neighbor cache 17 management in multihop networks involving resource-constrained 18 devices. Thereafter, it also presents a sample neighbor management 19 policy that allows efficient cache management in multihop LLNs (low- 20 power and lossy networks such as LoWPAN) with resource-constrained 21 devices. 23 Status of This Memo 25 This Internet-Draft is submitted in full conformance with the 26 provisions of BCP 78 and BCP 79. 28 Internet-Drafts are working documents of the Internet Engineering 29 Task Force (IETF). Note that other groups may also distribute 30 working documents as Internet-Drafts. The list of current Internet- 31 Drafts is at https://datatracker.ietf.org/drafts/current/. 33 Internet-Drafts are draft documents valid for a maximum of six months 34 and may be updated, replaced, or obsoleted by other documents at any 35 time. It is inappropriate to use Internet-Drafts as reference 36 material or to cite them other than as "work in progress." 38 This Internet-Draft will expire on February 25, 2019. 40 Copyright Notice 42 Copyright (c) 2018 IETF Trust and the persons identified as the 43 document authors. All rights reserved. 45 This document is subject to BCP 78 and the IETF Trust's Legal 46 Provisions Relating to IETF Documents 47 (https://trustee.ietf.org/license-info) in effect on the date of 48 publication of this document. Please review these documents 49 carefully, as they describe your rights and restrictions with respect 50 to this document. Code Components extracted from this document must 51 include Simplified BSD License text as described in Section 4.e of 52 the Trust Legal Provisions and are provided without warranty as 53 described in the Simplified BSD License. 55 Table of Contents 57 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 58 1.1. Requirements Language and Terminology . . . . . . . . . . 4 59 2. Neighbor Management . . . . . . . . . . . . . . . . . . . . . 5 60 2.1. Significance of Neighbor management policy . . . . . . . 5 61 2.2. Trivial neighbor management policies . . . . . . . . . . 6 62 2.3. Lifecycle of a NCE . . . . . . . . . . . . . . . . . . . 7 63 2.3.1. NCE Insertion . . . . . . . . . . . . . . . . . . . . 7 64 2.3.2. NCE Deletion . . . . . . . . . . . . . . . . . . . . 10 65 2.3.3. NCE Eviction . . . . . . . . . . . . . . . . . . . . 11 66 2.3.3.1. Eviction for directly connected routing entries . 11 67 2.3.4. NCE Reinforcement . . . . . . . . . . . . . . . . . . 12 68 2.4. Requirements of a good neighbor management policy . . . . 12 69 2.5. Approaches to neighbor management policy . . . . . . . . 13 70 2.5.1. Reactive Approach . . . . . . . . . . . . . . . . . . 13 71 2.5.2. Proactive Approach . . . . . . . . . . . . . . . . . 13 72 3. Reservation based Neighbor Management Policy . . . . . . . . 14 73 3.1. Limitations of such a policy . . . . . . . . . . . . . . 15 74 4. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 16 75 5. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 76 6. Security Considerations . . . . . . . . . . . . . . . . . . . 16 77 7. References . . . . . . . . . . . . . . . . . . . . . . . . . 17 78 7.1. Normative References . . . . . . . . . . . . . . . . . . 17 79 7.2. Informative References . . . . . . . . . . . . . . . . . 17 80 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 82 1. Introduction 84 In a wireless multihop LLN, the node densities (maximum nodes 85 reachable on the same hop) may vary significantly depending upon 86 deployments and scenarios. Examples of such networks is LoWPAN [REF] 87 networks. While there is some policy control possible with regards 88 to the network size in terms of maximum number of devices connected, 89 it is especially difficult to set a figure on what will be the 90 maximum node density given a deployment. For e.g. A network can put 91 an upper limit on max 1000 devices but it is impossible to state what 92 the node density will be in this 1000 node network. 94 A neighbor cache is used for populating neighboring one-hop connected 95 nodes information such as MAC address, link local IP address and 96 other reachability state information. Node density has direct 97 implications on the neighbor cache and in constrained network 98 scenario the size of the neighbor cache will be limited. Thus there 99 are chances that a node may not be able to fit all the neighboring 100 nodes in its cache in which case it has to prioritize entries and 101 thus needs a neighbor management policy. 103 This draft presents problems related to neighbor management policies 104 by considering a security-enabled multi-hop 6lo network. This 105 document considers RPL [RFC6550] as a routing protocol and PANA (EAP- 106 PANA) [RFC5191] as a network access protocol. For RPL, both the 107 storing and non-storing mode of operations are considered. We also 108 provide a sample neighbor management policy which can be used in such 109 networks and its limitations. The aim of such a policy is to retain 110 set of neighbor cache entries with high quality links such that 111 routing adjacencies are stablized. 113 The problem statement and the proposed solution described is also 114 relevant to other multihop constrained scenarios such as 6TiSCH 115 [I-D.ietf-6tisch-architecture]. [I-D.ietf-6tisch-minimal-security] 116 talks about a pledge (new joinee) node authenticating via a Join 117 Proxy. The considerations mentioned in this document are applicable 118 for such networks as well. 120 +--------+ 121 | PAA/ | 122 +------| Auth | 123 | | Server | 124 | +--------+ 125 +------------|-------------+ 126 | | | 127 | (BR) | 128 | / \ | 129 | / \ | 130 | / \ | 131 | (N1) (N2) | 132 | / : / \ | 133 | / : / \ | 134 | / : / \ | 135 | (N8) (N3) (N4) | 136 | : / \ : | 137 | : / \ : | 138 | : / \ : | 139 | (N5) (New) | 140 | / \ | 141 | / \ | 142 | / \ | 143 | (N6) (N7) | 144 | | 145 | 6Lo Network | 146 +--------------------------+ 148 Figure 1: Sample Topology 150 1.1. Requirements Language and Terminology 152 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 153 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 154 document are to be interpreted as described in RFC 2119 [RFC2119]. 156 NDP: Neighbor Discovery protocol [REF] 158 NS: Neighbor Solicitation 160 NA: Neighbor Advertisement 162 LLN: Low Power and Lossy Networks 164 RPL: Routing Protocol for LLNs [REF] 166 DAO: DODAG Advertisement Object 167 DIO: DODAG Information Object 169 ARO: Address Registration Option defined as part of IPv6 NDP 171 PaC (PANA Client): New joining node which is yet to be authenticated. 173 PRE (PANA Relay Element): An already authenticated and network joined 174 node which is willing to act as a relay element for PaCs to complete 175 their authentication procedure on multi-hop networks. [RFC6345] 176 describes the details of PRE. 178 PAA (PANA Auth Agent): Auth server which hosts the credentials 179 database. PaC will handshake with PAA to complete authentication 180 procedure. 182 PCI: PANA Client Initiation is the first message sent by the PaC 183 which initiates the authentication procedure 185 Routing Child: A downstream node who is part of the routing table of 186 the parent. For e.g. in the sample topology above N5 is the directly 187 connected routing child for N3. N6 and N7 are also part of N3 188 routing table, they are routing child nodes but not directly 189 connected. For N6 and N7 the document might alternatively use a term 190 grand-child. 192 Routing Parent: In Figure 1, N1 and N2 are possible routing parents 193 for N3. 195 Neighbor Cache Entry (NCE): A neighbor entry managed on behalf of 196 directly connected peer. 198 This document also uses terminology described in [RFC6550] and 199 [RFC6775]. 201 2. Neighbor Management 203 2.1. Significance of Neighbor management policy 205 Multihop mesh networks present unique challenges to neighbor 206 management especially with resource constrained nodes. In cases 207 where the node density is higher that the neighbor cache size, the 208 entries have to be prioritized. [Woo_et_al] and [Dawans_et_al] talk 209 about prioritization of neighbor entries by using link quality 210 estimation techniques. But prioritization alone may not necessarily 211 be optimal in all cases. The reason or function why neighbor entry 212 was added also needs to be taken in consideration. For example, 213 evicting a routing direct child might have a ripple effect in turn 214 impacting all the sub-childs as well. 216 In case of key management protocols deployed above MAC layer in 217 multihop network, the neighbor management kicks in early even before 218 the routing adjacencies are established. Since a new joining node 219 needs to discover/attach to a relay element for completing its 220 authentication procedure, the neighbor cache entries have to be 221 appropriately populated both on a PaC and on the PRE. If a neighbor 222 entry whose authentication is in progress is evicted, it will 223 negatively impact the authentication procedure. 225 Another important consideration is that with increased node density, 226 the prioritization based on link estimation parameters might not help 227 since there might be more well connected peers. In dense deployments 228 the number of directly attached neighbors with good quality links 229 might still be higher than the max entries in neighbor cache size. 231 2.2. Trivial neighbor management policies 233 This section investigates policies which are used by most of the 234 current operating systems for constrained nodes. While such policies 235 are trivial to implement they may not be able to deal with the 236 constrained network scenario. Note that such policies can still be 237 used if it is known apriori that the neighbor cache can hold entries 238 for maximum node density. 240 a. First Come First Serve (FCFS) policy 242 b. Least Recently Used (LRU) policy 244 The primary distinction between these policies is how it treats a new 245 entry when the neighbor cache is full. In case of FCFS policy, the 246 new entry is simply rejected while with LRU, the new entry replaces 247 the least recently used entry. 249 RPL works by initiating a downstream multicast DIO to establish 250 upstream network path. Subsequently DAO messages might be sent by 251 the nodes to establish downstream paths to the nodes. Thus the 252 network is flooded with multicast DIO messages initially and 253 similarly there are chances that the same node is ended up been 254 selected as a preferred parent by most of the child nodes and thus 255 receives a DAO message from all these child nodes. Note that once a 256 node establishes a parent entry or a routing entry on behalf of a 257 directly connected node then it has to also provision a neighbor 258 cache entry for it for subsequent unicast traffic. 260 In case of FCFS policy, a node might end up hosting all the neighbor 261 entries based on DIO or DAO messages. Once the cache is full all the 262 subsequent attempts to add an NCE will fail. 264 In case of LRU policy, a node might end up churning lot of neighbor 265 entries because once the cache gets full and there is a request for 266 new entry, it would result in evicting the least recently used (but 267 active) entry. If at later point of time, there is a traffic for the 268 evicted entry then the old entry has to be reinstated using IPv6 NDP 269 procedure. This would mean reinstating the entry by evicting another 270 least recently used entry. If the node density is very high, then 271 this churn would be substantially high to extent that it would 272 disrupt any routing adjacencies to be established in the network in a 273 stable way. 275 2.3. Lifecycle of a NCE 277 2.3.1. NCE Insertion 279 IPv6 NDP [RFC6775] defines signaling involved in resolving the IPv6 280 addresses to its corresponding MAC addresses which gets populated in 281 the neighbor cache. In case of constrained network, it is desired 282 that such control traffic is minimized and thus the neighbor cache 283 entries are populated as part of existing messaging. One example 284 would be when the node receives a DAO message from its immediate 285 child node, it not only makes an addition to the routing table but 286 also creates a neighbor cache entry for the node. Thus it eliminates 287 need for additional IPv6 NDP NS/NA messaging involved to resolve MAC 288 address. Similar hueristic is used to add neighbor entries in other 289 cases as well. Section 10.3.2 of [RFC6775] describes update and 290 addition of such NCEs based on roting information packets. 292 Following are the possible signaling scenarios in which case a 293 neighbor entry may get added. 295 Node Joining procedure: A new joinee node discovers a relay element 296 to initiate its auth procedure. At the end of the discovery phase 297 the new joinee node would have known the link local IP address of the 298 relay element. The joinee node will send an unsecured-NS to the 299 relay element to solicit its NA. The PRE may send a NA with the 300 suitable status code as defined in section 6.5.3 of [RFC6775]. 302 RPL 303 PaC PRE Parent PAA 304 | | | | 305 | PRE Disc | | | 306 |<----------->| | | 307 | | | | 308 | UNSEC-NS | | | 309 |------------>| | | 310 | | | | 311 | addNCE(new,reason=PANA)| | 312 | | | | 313 | UNSEC-NA(status) | | 314 |<------------| | | 315 | | | | 316 addNCE(PRE,reason=PANA) | | 317 | | | | 318 | PCI | | | 319 |------------>| | | 320 | | | | 321 | | AUTHPROC | | 322 |<===========>|<=======================>| 323 | | | | 325 Figure 2: NCE creation between PaC and PRE during relay discovery 326 process 328 Relay element does not hold any state information on behalf of the 329 new joinee node except for its neighbor cache entry. Thus in the 330 Figure 1 the new joinee node may select node N3 as its PRE, in which 331 case N3 has to add a neighbor entry on behalf of the new joinee node. 333 Post authentication the node enters into network discovery phase. 334 The node selects one or more of its neighboring peer as its preferred 335 parent based on the DIO received from these peers. Note that the 336 node's selected relay element and its preferred parent may not be 337 same. The preferred parent serves as a default router node to which 338 all its upstream traffic is directed. Thus an NCE on behalf of 339 preferred parent needs to be added. In Figure 1 node N5 selects N3 340 as its preferred parent. N5 needs to add neighbor entry on behalf of 341 N3 which is its directly connected RPL preferred parent. 343 In case of RPL storing MOP (mode of operation), the node may send a 344 DAO message containing its reachability information to its preferred 345 parent. The parent node in turn may pass this information upstream 346 to its parent by generating a DAO retaining the child node's 347 reachability information, establishing a downstream routing path 348 towards the node who originated the DAO. The preferred parent has to 349 maintain a neighbor entry on behalf of the directly connected child 350 node. For example, in the Figure 1, node N3 needs to maintain a 351 neighbor entry on behalf of N5 which is its directly connected child 352 node. Nodes N6 and N7 are grand-child nodes for node N3 for whom no 353 neighbor entry is required. 355 As mentioned in Section 10.3.2 of [RFC6775], the NCEs on parent and 356 child can be added directly as a result of RPL DIO/DAO signalling 357 without any explicit NS/NA messaging. 359 RPL 360 PaC PRE Parent PAA 361 | | | | 362 | | AuthProc | | 363 |<----------->|<----------------------->| 364 | | | | 365 | | RPL-DIO | | 366 |<-------------------------| | 367 | | | | 368 addNCE(parent,reason=PARENT) | | 369 | | | | 370 | | RPL-DAO | | 371 |------------------------->| | 372 | | | | 373 | | addNCE(new,reason=CHILD) 374 | | | | 376 Figure 3: NCE creation call Flow for RPL storing MOP 378 In case of non-storing MOP, the parent node needs to know the global 379 IPv6 address of the immediate child nodes. This is needed since the 380 source routing header carries the global addresses and thus the NCE 381 of the child node should contain the global address. Secondly, the 382 RPL DAO is addressed directly to the root node in case of non-storing 383 mode. Thus RPL messaging cannot be used for creating NCE entries on 384 parent and child, unlike storing MOP. The child node may send a 385 secure unicast NS with ARO option containing its global address to be 386 registered on the parent node. The child node can still use RPL DIO 387 to create an NCE on behalf of the parent node. 389 RPL 390 PaC PRE Parent Root 391 | | | | 392 | | AuthProc | | 393 |<----------->|<----------------------->| 394 | | | | 395 | | RPL-DIO | | 396 |<-------------------------| | 397 | | | | 398 addNCE(parent,reason=PARENT) | | 399 | | | | 400 | sec-NS(ARO=GlobalIPv6) | | 401 |------------------------->| | 402 | | | | 403 | | addNCE(new,reason=CHILD) 404 | sec-NA(status) | | 405 |<-------------------------| | 406 | | | | 407 | | RPL-DAO | | 408 |-------------------------------------->| 409 | | | | 411 Figure 4: NCE creation call Flow for non-storing MOP 413 This document expects the neighbor management policy to remember the 414 reason why the neighbor entry is inserted. Secondly, the router may 415 remember whether the NS received was secured or unsecured and 416 accordingly use it to prioritize eviction entries. As described in 417 the next sections, this reason will help the policy to prioritize the 418 entries in case an eviction is required. 420 2.3.2. NCE Deletion 422 It is imperative that an unwanted neighbor entry be removed as soon 423 as possible. This section talks about different cases in which 424 neighbor entry can be deleted. 426 Route Invalidation: In case of storing MOP, when the child node 427 decides to switch its preferred parent, the RPL specifications allows 428 the node to send a no-path DAO message to invalidate the route along 429 the previous path(s). A directly connected parent node can use this 430 message to clear the NCE. While the entry can be immediately 431 cleared, usually the implementations choose to wait a small amount of 432 time before clearing the entry. This is to avoid any impact on the 433 in-transit traffic. Thus this also establishes the importance of 434 route invalidation to achieve optimized neighbor cache utilization. 436 In case of non-storing mode, the no-path DAO cannot be not employed 437 since the previous parent does not having any routing information to 438 be invalidated. But the previous parent may still contain the NCE on 439 behalf of the child node. This document recommends use of [RFC6775] 440 section 6.5.3. which allows sending a zero lifetime ARO option in NS 441 for deregistering the corresponding neighbor entry. 443 [RFC6775], ND optimizations for 6LoWPANs, section 5.5.3. talks about 444 deleting the entries in case the NUD (neighbor unreachability 445 detection) fails either due to no response to NS messages or due to 446 failure response. NCEs in such cases should be deleted. An example 447 where NUD NS would fail because of no response is the case where the 448 child node switches its parent due to link unavailability. The 449 parent in such a case would not receive the no-path DAO message or 450 any other traffic from the child node. Thus on NCE lifetime expiry, 451 the parent node would send NS which would fail with no response, thus 452 triggering entry deletion. 454 2.3.3. NCE Eviction 456 The eviction rules have a major impact on the neighbor management 457 policy. Eviction rules are used when the policy has to forcibly 458 remove an active neighbor entry from the cache to make space for the 459 new (hopefully higher priority) entry. The eviction policy may take 460 into account several considerations such as the reason why the entry 461 was made, is the entry in active use currently, how good (for e.g., 462 based on link estimation) the entry currently is. 464 2.3.3.1. Eviction for directly connected routing entries 466 This section talks about implications of an eviction in which a 467 parent node decides of evicting a directly connected routing child 468 NCE. In the sample topology Figure 1, lets assume N3 needs to evict 469 N5 from its neighbor cache. In case of RPL's storing MOP, eviction 470 of directly connected routing child NCE also has impact on all the 471 sub-children. Thus not only will it result in impacting N5 but also 472 nodes N6 and N7. It is important to note that such an eviction has 473 less impact on RPL's non-storing MOP i.e. in case of non-storing mode 474 N5 might end up selecting alternate parent N8 and does not result in 475 any additional control overhead for node N6 and N7. 477 Thus RPL's non-storing MOP provides additional eviction flexibility 478 for a neighbor management policy in terms evicting directly connected 479 child entries. 481 2.3.4. NCE Reinforcement 483 It is expected that the latest reachability state and metric 484 information be maintained in context to the NCE. With wireless 485 networks, the neighbor cache entries prioritization may change over a 486 period of time especially the link quality estimation parameters or 487 the routing metrics. Reinforcement refers to updating the parameters 488 in context to the NCEs which helps in prioritizing the entries when 489 it comes to handling eviction. In wireless networks, on reception of 490 incoming packet, the receiver node's physical and MAC layer may 491 derive certain signal reception parameters (such as RSSI, LQI) which 492 can be considered for reinforcement purpose if the corresponding 493 transmitter/source entry in neighbor cache is found. It should be 494 noted that the signal quality parameters may have high variance in 495 6lo networks and thus statistical techniques (such as weighted 496 averaging) are usually employed for deciding about a link quality 497 over a period of time. Reinforcement can be achieved using one or 498 more of the following techniques: 500 Passive Monitoring: Reinforcing the quality parameters using packets 501 received from the source. Trickled DIO, periodic beacons, 502 application traffic etc can be used for such monitoring. 504 Active Probing: A node may select subset of entries for active 505 probing wherein it sends a message to the neighbor entry's target 506 and can expect a response message back. An example of such 507 probing is [CONTIKI] where unicast DIS is sent to solicit a 508 unicast DIO without impacting the trickle timers. Though it adds 509 a control overhead on the link, periodic probing can help to 510 ascertain connectivity in the absence of any other traffic from 511 the neighboring node. 513 2.4. Requirements of a good neighbor management policy 515 Route Stability: Stable NCEs will result in stable routing 516 adjacencies. Thus it is important to avoid unnecessary NCE churn 517 for routing path stability. 519 Control overhead: A neighbor management policy may have to use 520 signalling messages for policy handling (such as rejection of 521 NCE). It is required that such overhead be kept as low as 522 possible. 524 Scalability: Scalability with respect to large and uneven node 525 densities in the network. 527 2.5. Approaches to neighbor management policy 529 Neighbor management policy depends upon the neighbor cache space 530 availability and the same can be advertised proactively or can be 531 handled reactively. 533 2.5.1. Reactive Approach 535 In this approach, the nodes select their RPL parent or the relay 536 element purely based on link metrics and subsequently when they try 537 to allocate their NCE in the target node, it may fail due to 538 unavailability of the cache space. The failure can be communicated 539 depending upon the signaling involved: 541 NS failure: Section 6.5.3 of [RFC6775] defines a procedure for NS 542 failure handling in case the router's neighbor cache is full. It 543 results in a unicast NA with ARO status field set to two. 545 DAO NACK: Section 9.3 of RPL [RFC6550] specifies on how can the 546 parent node react to DAOs from child. In case the parent could 547 not make a NCE on behalf of the child node, a negative ACK with 548 status (between 127-255) should be sent to the child node. The 549 natural reaction of the child node would be to switch to an 550 alternate parent. 552 PANA Failure: PaC's auth session starts with a PaC discovering a 553 PRE. The discovery procedure is not standardized and can be based 554 upon various factors including signal strength of discovery 555 messages from PRE. Post discovery, the PaC needs to send an 556 unsecured unicast NS message with an ARO containings its link- 557 local IPv6 address. NS helps to determine whether the PRE can 558 allocate an NCE for the PaC. PRE accordingly sends a NA response 559 with appropriate status field. 561 2.5.2. Proactive Approach 563 Neighbor cache availability could be proactively advertised by the 564 parent nodes in the DIO messages and in the PRE discovery messages. 565 A child RPL node may additionally use this information from DIO as 566 part of parent selection process. In case of new joinee node, the 567 node may use PRE discovery messages with space availability 568 information to select an appropriate PRE. Proactive signaling of 569 neighbor cache space availability will help the nodes to select the 570 parent node or relay node such that the failure signaling due to 571 cache full event can be reduced. 573 Currently there is no standard way of signaling such neighbor cache 574 space availability information. RPL's DIO messages carry metric 575 information and can be augmented with neighbor cache space as an 576 additional metric. In case of PRE discovery however there is no 577 standard way of defining this information since the PRE discovery 578 procedure itself is not standardized. 580 In a wireless or shared bus network, a multicast DIO metric 581 advertisement may reach several child nodes eventually everyone 582 responding by selecting the same parent node causing neighbor cache 583 to be exhausted. Thus the failure handling approaches defined in the 584 Reactive Approach section applies here as well. But importantly the 585 failure signaling will be significantly reduced because of proactive 586 advertisement. 588 3. Reservation based Neighbor Management Policy 590 This section defines a sample neighbor management policy, with the 591 primary objective to reduce NCE churn and to ensure stability of 592 routing adjacencies. The scheme uses a reservation based policy to 593 reserve NCEs for: 595 +-----------------------------+----------------------------+--------+ 596 | NCE Entry for | MAX count | Reason | 597 +-----------------------------+----------------------------+--------+ 598 | Routing Parent | MAX_ROUTING_PARENT_NCE_NUM | PARENT | 599 | | | | 600 | Routing child | MAX_ROUTING_CHILD_NCE_NUM | CHILD | 601 | | | | 602 | Others such as pre-auth | MAX_OTHER_NCE_NUM | OTHER | 603 | sessions | | | 604 +-----------------------------+----------------------------+--------+ 606 Table 1: Neighbor Cache Entry reservation 608 Table 1 denotes that the NCEs are reserved dependending upon the 609 reason for its addition. MAX_ROUTING_PARENT_NCE_NUM specifies 610 maximum number of parent entries a node should allow. 611 MAX_ROUTING_CHILD_NCE_NUM specifies maximum number of child entries 612 that are allowed after which the node SHOULD decline the DAO 613 signalling. MAX_OTHER_NCE_NUM specifies any other entries that might 614 be created. Pre-auth session entries are usually short-lived and 615 should be considered part of this category. 617 Note that reservation policy depends upon identification of the 618 reason behind making an NCE . In case of pre-auth sessions, the 619 corresponding NCE is created based on unsecured NS/NA. In case of 620 storing MOP, CHILD NCEs are created either based on DAO (as shown in 621 Figure 3) or based on secured NS/NA messaging (as shown in Figure 4). 623 In case of non-storing MOP, a secured NS/NA messaging as shown in 624 Figure 4 needs to be used. 626 <- - - - - - - - - - - Routing Parents - - - - - - - - - - - - -> 627 +---------------------------------------------------------------+ 628 | | | | 629 +-----------------------------------------------------+---------+ 630 Routing Child Routing Parents Other 632 Figure 5: Reservation of NCEs in neighbor table 634 As shown in the Figure 5, the neighbor cache is partitioned into 635 different entry types. The routing parents can possibly occupy any 636 entry type if found vacant since in case an eviction is sought the 637 non-preferred routing parent could be evicted without much impact on 638 the functioning or on the control traffic. The eviction could be 639 done based on reasons specified in Section 2.3.3. 641 Routing Child entries are made in context to directly connected peers 642 and these entries are not deleted unless they are unreacable or there 643 is any reason for the parent node to believe that it is no longer the 644 preferred parent for the child node. Deletion may happen based on 645 reasons mentioned in Section 2.3.2. 647 Other entries (OTHER) may be made in response to temporary 648 requirement of making an NCE. One such case is the pre 649 authentication phase where in the relay node makes an entry of the 650 PaC temporarily till the time the authentication phase is completed. 651 The NCE made thus is garbage collected at the end of the lifetime. 652 Also an implementation may choose to keep a lower lifetime for such 653 NCEs depending upon the time taken to complete the authentication 654 process. 656 3.1. Limitations of such a policy 658 The reservation based policy mentioned in this section may result in 659 sub-optimal path selection due to lack of NCE resource on the parent 660 nodes. Also the restriction of maximum pre-auth sessions in the form 661 of MAX_OTHER_NCE_NUM limits the maximum relay sessions that can be 662 supported on the relay node. 664 The reservation policy allows the parent node to reject the child 665 node's DAO or NS. But the child node cannot remember this rejection 666 and may reattempt the same parent after some time depending upon 667 triggers such as reception of DIO from the same parent who rejected 668 it previously. One of the only way to stop the child node from 669 reattempting such parent selection would be to also include a 670 proactive approach wherein the parent node signals its resource 671 availability in the DIO message as mentioned in Section 2.5.2. Such 672 a scheme of signalling parent node's resource availability is 673 currently not standardized. 675 RPL's storing MOP imposes additional restrictions. One such case is 676 where a child node may have a given parent node as its only parent 677 and that parent node's NCE are all used up. In such a case, the 678 child node would keep on retrying and failing to send a DAO through 679 the parent node. Ideally the parent node could have evicted a least 680 used child node or a child node who has an alternate parent 681 available. Evicting such a child node is a complex process and may 682 increase the control overhead as described in Section 2.3.3.1. Thus 683 the reservation based policy requires that the minimum node density 684 is sufficiently high so that every child finds a parent node in its 685 vicinity with enough resources. 687 4. Acknowledgements 689 Thanks to Mohit Sethi for the review and feedback. Thanks to Malisa 690 Vucinic for pointing towards security aspects of un-authenticated 691 nodes neighbor cache management. 693 5. IANA Considerations 695 This memo includes no request to IANA. 697 6. Security Considerations 699 The Join Relay or the PANA Relay Element allows the un-authenticated 700 nodes to join the network. Since the NS/NA signaling is unencrypted, 701 it is possible that a malicious node may try to spoof and occupy all 702 the entries. This draft explains the use of reservation based policy 703 for managing such entries. Following points try to reduce the impact 704 of such attacks: 706 a. Only a subset of entries are reserved for un-authenticated nodes 707 doing plain-text NS/NA. 709 b. It is recommended that NCE timeout be configured a lower value to 710 evict such entries as soon as possible. New joining nodes are 711 supposed to use these entries and thus are only needed during the 712 time the authentication is in progress. Thus a short-duration 713 NCE timeout will help reduce the impact of DoS attacks. 715 7. References 717 7.1. Normative References 719 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 720 Requirement Levels", BCP 14, RFC 2119, 721 DOI 10.17487/RFC2119, March 1997, 722 . 724 [RFC6550] Winter, T., Ed., Thubert, P., Ed., Brandt, A., Hui, J., 725 Kelsey, R., Levis, P., Pister, K., Struik, R., Vasseur, 726 JP., and R. Alexander, "RPL: IPv6 Routing Protocol for 727 Low-Power and Lossy Networks", RFC 6550, 728 DOI 10.17487/RFC6550, March 2012, 729 . 731 [RFC6775] Shelby, Z., Ed., Chakrabarti, S., Nordmark, E., and C. 732 Bormann, "Neighbor Discovery Optimization for IPv6 over 733 Low-Power Wireless Personal Area Networks (6LoWPANs)", 734 RFC 6775, DOI 10.17487/RFC6775, November 2012, 735 . 737 7.2. Informative References 739 [CONTIKI] Thingsquare, "Contiki: The Open Source OS for IoT", 2012, 740 . 742 [Dawans_et_al] 743 Dawans, S., Duquennoy, S., and O. Bonaventure, "On Link 744 Estimation in Dense RPL Deployments", 2012. 746 [I-D.ietf-6tisch-architecture] 747 Thubert, P., "An Architecture for IPv6 over the TSCH mode 748 of IEEE 802.15.4", draft-ietf-6tisch-architecture-14 (work 749 in progress), April 2018. 751 [I-D.ietf-6tisch-minimal-security] 752 Vucinic, M., Simon, J., Pister, K., and M. Richardson, 753 "Minimal Security Framework for 6TiSCH", draft-ietf- 754 6tisch-minimal-security-06 (work in progress), May 2018. 756 [RFC5191] Forsberg, D., Ohba, Y., Ed., Patil, B., Tschofenig, H., 757 and A. Yegin, "Protocol for Carrying Authentication for 758 Network Access (PANA)", RFC 5191, DOI 10.17487/RFC5191, 759 May 2008, . 761 [RFC6345] Duffy, P., Chakrabarti, S., Cragie, R., Ohba, Y., Ed., and 762 A. Yegin, "Protocol for Carrying Authentication for 763 Network Access (PANA) Relay Element", RFC 6345, 764 DOI 10.17487/RFC6345, August 2011, 765 . 767 [Woo_et_al] 768 Woo, A., Tong, T., and D. Culler, "Taming the Underlying 769 Challenges of Reliable Multihop Routing in Sensor 770 Networks", 2003. 772 Authors' Addresses 774 Rahul Arvind Jadhav (editor) 775 Huawei 776 Kundalahalli Village, Whitefield, 777 Bangalore, Karnataka 560037 778 India 780 Phone: +91-080-49160700 781 Email: rahul.ietf@gmail.com 783 Rabi Narayan Sahoo 784 Huawei 785 Kundalahalli Village, Whitefield, 786 Bangalore, Karnataka 560037 787 India 789 Phone: +91-080-49160700 790 Email: rabinarayans@huawei.com 792 Simon Duquennoy 793 Inria 794 40 Avenue Halley 795 Building A 796 Villeneuve d'Ascq 797 France 799 Phone: +33 768227731 800 Email: simon.duquennoy@inria.fr 802 Joakim Eriksson 803 Yanzi Networks 805 Email: joakime@sics.se