idnits 2.17.1 draft-ietf-roll-applicability-home-building-11.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- == It seems as if not all pages are separated by form feeds - found 0 form feeds but 35 pages Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (July 2, 2015) is 3221 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) ** Obsolete normative reference: RFC 4492 (Obsoleted by RFC 8422) ** Downref: Normative reference to an Experimental RFC: RFC 4764 ** Obsolete normative reference: RFC 5246 (Obsoleted by RFC 8446) ** Downref: Normative reference to an Informational RFC: RFC 5548 ** Downref: Normative reference to an Informational RFC: RFC 5673 ** Downref: Normative reference to an Informational RFC: RFC 5826 ** Downref: Normative reference to an Informational RFC: RFC 5867 ** Obsolete normative reference: RFC 5996 (Obsoleted by RFC 7296) ** Downref: Normative reference to an Experimental RFC: RFC 6997 ** Downref: Normative reference to an Experimental RFC: RFC 6998 ** Downref: Normative reference to an Informational RFC: RFC 7102 ** Downref: Normative reference to an Informational RFC: RFC 7251 ** Downref: Normative reference to an Informational RFC: RFC 7416 -- Possible downref: Non-RFC (?) normative reference: ref. 'IEEE802.15.4' -- Possible downref: Non-RFC (?) normative reference: ref. 'G.9959' Summary: 13 errors (**), 0 flaws (~~), 2 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Roll A. Brandt 3 Internet-Draft Sigma Designs 4 Intended status: Standards Track E. Baccelli 5 Expires: January 3, 2016 INRIA 6 R. Cragie 7 ARM Ltd. 8 P. van der Stok 9 Consultant 10 July 2, 2015 12 Applicability Statement: The use of the RPL protocol suite in Home 13 Automation and Building Control 14 draft-ietf-roll-applicability-home-building-11 16 Abstract 18 The purpose of this document is to provide guidance in the selection 19 and use of protocols from the RPL protocol suite to implement the 20 features required for control in building and home environments. 22 Status of This Memo 24 This Internet-Draft is submitted in full conformance with the 25 provisions of BCP 78 and BCP 79. 27 Internet-Drafts are working documents of the Internet Engineering 28 Task Force (IETF). Note that other groups may also distribute 29 working documents as Internet-Drafts. The list of current Internet- 30 Drafts is at http://datatracker.ietf.org/drafts/current/. 32 Internet-Drafts are draft documents valid for a maximum of six months 33 and may be updated, replaced, or obsoleted by other documents at any 34 time. It is inappropriate to use Internet-Drafts as reference 35 material or to cite them other than as "work in progress." 37 This Internet-Draft will expire on January 3, 2016. 39 Copyright Notice 41 Copyright (c) 2015 IETF Trust and the persons identified as the 42 document authors. All rights reserved. 44 This document is subject to BCP 78 and the IETF Trust's Legal 45 Provisions Relating to IETF Documents 46 (http://trustee.ietf.org/license-info) in effect on the date of 47 publication of this document. Please review these documents 48 carefully, as they describe your rights and restrictions with respect 49 to this document. Code Components extracted from this document must 50 include Simplified BSD License text as described in Section 4.e of 51 the Trust Legal Provisions and are provided without warranty as 52 described in the Simplified BSD License. 54 Table of Contents 56 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 57 1.1. Relationship to other documents . . . . . . . . . . . . . 4 58 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 4 59 1.3. Required Reading . . . . . . . . . . . . . . . . . . . . 5 60 1.4. Out of scope requirements . . . . . . . . . . . . . . . . 5 61 2. Deployment Scenario . . . . . . . . . . . . . . . . . . . . . 5 62 2.1. Network Topologies . . . . . . . . . . . . . . . . . . . 6 63 2.2. Traffic Characteristics . . . . . . . . . . . . . . . . . 7 64 2.2.1. General . . . . . . . . . . . . . . . . . . . . . . . 8 65 2.2.2. Source-sink (SS) communication paradigm . . . . . . . 8 66 2.2.3. Publish-subscribe (PS, or pub/sub)) communication 67 paradigm . . . . . . . . . . . . . . . . . . . . . . 9 68 2.2.4. Peer-to-peer (P2P) communication paradigm . . . . . . 9 69 2.2.5. Peer-to-multipeer (P2MP) communication paradigm . . . 10 70 2.2.6. Additional considerations: Duocast and N-cast . . . . 10 71 2.2.7. RPL applicability per communication paradigm . . . . 10 72 2.3. Layer-2 applicability . . . . . . . . . . . . . . . . . . 11 73 3. Using RPL to meet Functional Requirements . . . . . . . . . . 12 74 4. RPL Profile . . . . . . . . . . . . . . . . . . . . . . . . . 13 75 4.1. RPL Features . . . . . . . . . . . . . . . . . . . . . . 13 76 4.1.1. RPL Instances . . . . . . . . . . . . . . . . . . . . 13 77 4.1.2. Storing vs. Non-Storing Mode . . . . . . . . . . . . 14 78 4.1.3. DAO Policy . . . . . . . . . . . . . . . . . . . . . 14 79 4.1.4. Path Metrics . . . . . . . . . . . . . . . . . . . . 14 80 4.1.5. Objective Function . . . . . . . . . . . . . . . . . 14 81 4.1.6. DODAG Repair . . . . . . . . . . . . . . . . . . . . 14 82 4.1.7. Multicast . . . . . . . . . . . . . . . . . . . . . . 15 83 4.1.8. Security . . . . . . . . . . . . . . . . . . . . . . 16 84 4.1.9. P2P communications . . . . . . . . . . . . . . . . . 19 85 4.1.10. IPv6 address configuration . . . . . . . . . . . . . 19 86 4.2. Layer 2 features . . . . . . . . . . . . . . . . . . . . 19 87 4.2.1. Specifics about layer-2 . . . . . . . . . . . . . . . 19 88 4.2.2. Services provided at layer-2 . . . . . . . . . . . . 19 89 4.2.3. 6LowPAN options assumed . . . . . . . . . . . . . . . 19 90 4.2.4. Mesh Link Establishment (MLE) and other things . . . 19 91 4.3. Recommended Configuration Defaults and Ranges . . . . . . 19 92 4.3.1. Trickle parameters . . . . . . . . . . . . . . . . . 20 93 4.3.2. Other Parameters . . . . . . . . . . . . . . . . . . 20 94 5. MPL Profile . . . . . . . . . . . . . . . . . . . . . . . . . 21 95 5.1. Recommended configuration Defaults and Ranges . . . . . . 21 96 5.1.1. Real-Time optimizations . . . . . . . . . . . . . . . 21 97 5.1.2. Trickle parameters . . . . . . . . . . . . . . . . . 21 98 5.1.3. Other parameters . . . . . . . . . . . . . . . . . . 22 99 6. Manageability Considerations . . . . . . . . . . . . . . . . 22 100 7. Security Considerations . . . . . . . . . . . . . . . . . . . 23 101 7.1. Security considerations during initial deployment . . . . 23 102 7.2. Security Considerations during incremental deployment . . 24 103 7.3. Security Considerations for P2P uses . . . . . . . . . . 25 104 7.4. MPL routing . . . . . . . . . . . . . . . . . . . . . . . 25 105 7.5. RPL Security features . . . . . . . . . . . . . . . . . . 25 106 8. Other related protocols . . . . . . . . . . . . . . . . . . . 25 107 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 108 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 26 109 11. Changelog . . . . . . . . . . . . . . . . . . . . . . . . . . 26 110 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 28 111 12.1. Normative References . . . . . . . . . . . . . . . . . . 28 112 12.2. Informative References . . . . . . . . . . . . . . . . . 31 113 Appendix A. RPL shortcomings in home and building deployments . 32 114 A.1. Risk of undesired long P2P routes . . . . . . . . . . . . 32 115 A.1.1. Traffic concentration at the root . . . . . . . . . . 32 116 A.1.2. Excessive battery consumption in source nodes . . . . 33 117 A.2. Risk of delayed route repair . . . . . . . . . . . . . . 33 118 A.2.1. Broken service . . . . . . . . . . . . . . . . . . . 33 119 Appendix B. Communication failures . . . . . . . . . . . . . . . 34 120 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 35 122 1. Introduction 124 The primary purpose of this document is to give guidance in the use 125 of the Routing Protocol for Low power and lossy networks (RPL) 126 protocol suite in two application domains: 128 o Home automation 130 o Building automation 132 The guidance is based on the features required by the requirements 133 documents "Home Automation Routing Requirements in Low-Power and 134 Lossy Networks" [RFC5826] and "Building Automation Routing 135 Requirements in Low-Power and Lossy Networks" [RFC5867] respectively. 136 The Advanced Metering Infrastructure is also considered where 137 appropriate. The applicability domains distinguish themselves in the 138 way they are operated, their performance requirements, and the most 139 likely network structures. An abstract set of distinct communication 140 paradigms is then used to frame the applicability domains. 142 Home automation and building automation application domains share a 143 substantial number of properties: 145 o In both domains, the network can be disconnected from the ISP and 146 must still continue to provide control to the occupants of the 147 home/building. Routing needs to be possible independent of the 148 existence of a border router 150 o Both domains are subject to unreliable links but require instant 151 and very reliable reactions. This has impact on routing because 152 of timeliness and multipath routing. 154 The differences between the two application domains mostly appear in 155 commissioning, maintenance and the user interface, which do not 156 typically affect routing. Therefore, the focus of this applicability 157 document is on reliability, timeliness, and local routing. 159 It should be noted that adherence to the guidance does not 160 necessarily guarantee fully interoperable solutions in home 161 automation networks and building control networks and that additional 162 rigorous and managed programs will be needed to ensure 163 interoperability. 165 1.1. Relationship to other documents 167 The Routing Over Low power and Lossy networks (ROLL) working group 168 has specified a set of routing protocols for Low-Power and Lossy 169 Networks (LLN) [RFC6550]. This applicability text describes a subset 170 of those protocols and the conditions under which the subset is 171 appropriate and provides recommendations and requirements for the 172 accompanying parameter value ranges. 174 In addition, an extension document has been produced specifically to 175 provide a solution for reactive discovery of point-to-point routes in 176 LLNs [RFC6997]. The present applicability document provides 177 recommendations and requirements for the accompanying parameter value 178 ranges. 180 A common set of security threats are described in [RFC7416]. The 181 applicability statements complement the security threats document by 182 describing preferred security settings and solutions within the 183 applicability statement conditions. This applicability statement 184 recommends lighter weight security solutions appropriate for home and 185 building environments and indicates why these solutions are 186 appropriate. 188 1.2. Terminology 190 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 191 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 192 document are to be interpreted as described in [RFC2119]. 194 Additionally, this document uses terminology from [RFC6997], 195 [I-D.ietf-roll-trickle-mcast], [RFC7102], [IEEE802.15.4], and 196 [RFC6550]. 198 1.3. Required Reading 200 Applicable requirements are described in [RFC5826] and [RFC5867]. A 201 survey of the application field is described in [BCsurvey]. 203 1.4. Out of scope requirements 205 The considered network diameter is limited to a maximum diameter of 206 10 hops and a typical diameter of 5 hops, which captures the most 207 common cases in home automation and building control networks. 209 This document does not consider the applicability of Routing Protocol 210 for Low-Power and Lossy Networks (RPL)-related specifications for 211 urban and industrial applications [RFC5548], [RFC5673], which may 212 exhibit significantly larger network diameters. 214 2. Deployment Scenario 216 The use of communications networks in buildings is essential to 217 satisfy energy saving regulations. Environmental conditions of 218 buildings can be adapted to suit the comfort of the individuals 219 present inside. Consequently when no one is present, energy 220 consumption can be reduced. Cost is the main driving factor behind 221 deployment of wireless networking in buildings, especially in the 222 case of retrofitting, where wireless connectivity saves costs 223 incurred due to cabling and building modifications. 225 A typical home automation network is comprised of less than 100 226 nodes. Large building deployments may span 10,000 nodes but to 227 ensure uninterrupted service of light and air conditioning systems in 228 individual zones of the building, nodes are typically organized in 229 sub-networks. Each sub-network in a building automation deployment 230 typically contains tens to hundreds of nodes, and for critical 231 operations may operate independently from the other sub-networks. 233 The main purpose of the home or building automation network is to 234 provide control over light and heating/cooling resources. User 235 intervention via wall controllers is combined with movement, light 236 and temperature sensors to enable automatic adjustment of window 237 blinds, reduction of room temperature, etc. In general, the sensors 238 and actuators in a home or building typically have fixed physical 239 locations and will remain in the same home or building automation 240 network. 242 People expect an immediate and reliable response to their presence or 243 actions. For example, a light not switching on after entry into a 244 room may lead to confusion and a profound dissatisfaction with the 245 lighting product. 247 Monitoring of functional correctness is at least as important as 248 timely responses. Devices typically communicate their status 249 regularly and send alarm messages notifying a malfunction of 250 controlled equipment or network. 252 In building control, the infrastructure of the building management 253 network can be shared with the security/access, the Internet Protocol 254 (IP) telephony, and the fire/alarm networks. This approach has a 255 positive impact on the operation and cost of the network; however, 256 care should be taken to ensure that the availability of the building 257 management network does not become compromised beyond the ability for 258 critical functions to perform adequately. 260 In homes, the entertainment network for audio/video streaming and 261 gaming has different requirements, where the most important 262 requirement is the need for high bandwidth not typically needed for 263 home or building control. It is therefore expected that the 264 entertainment network in the home will mostly be separate from the 265 control network, which also lessens the impact on availability of the 266 control network 268 2.1. Network Topologies 270 In general, the home automation network or building control network 271 consists of wired and wireless sub-networks. In large buildings 272 especially, the wireless sub-networks can be connected to an IP 273 backbone network where all infrastructure services are located, such 274 as Domain Name System (DNS), automation servers, etc. 276 The wireless sub-network can be configured according to any of the 277 following topologies: 279 o A stand-alone network of 10-100 nodes without border router. This 280 typically occurs in the home with a stand-alone control network, 281 in low cost buildings, and during installation of high end control 282 systems in buildings. 284 o A connected network with one border router. This configuration 285 will happen in homes where home appliances are controlled from 286 outside the home, possibly via a smart phone, and in many building 287 control scenarios. 289 o A connected network with multiple border routers. This will 290 typically happen in installations of large buildings. 292 Many of the nodes are battery-powered and may be sleeping nodes which 293 wake up according to clock signals or external events. 295 In a building control network, for a large installation with multiple 296 border routers, sub-networks often overlap both geographically and 297 from a wireless coverage perspective. Due to two purposes of the 298 network, (i) direct control and (ii) monitoring, there may exist two 299 types of routing topologies in a given sub-network: (i) a tree-shaped 300 collection of routes spanning from a central building controller via 301 the border router, on to destination nodes in the sub-network; and/or 302 (ii) a flat, un-directed collection of intra-network routes between 303 functionally related nodes in the sub-network. 305 The majority of nodes in home and building automation networks are 306 typically class 0 devices [RFC7228], such as individual wall 307 switches. Only a few nodes (such as multi-purpose remote controls) 308 are more expensive Class 1 devices, which can afford more memory 309 capacity. 311 2.2. Traffic Characteristics 313 Traffic may enter the network originating from a central controller 314 or it may originate from an intra-network node. The majority of 315 traffic is light-weight point-to-point control style; e.g. Put-Ack 316 or Get-Response. There are however exceptions. Bulk data transfer 317 is used for firmware update and logging, where firmware updates enter 318 the network and logs leave the network. Group communication is used 319 for service discovery or to control groups of nodes, such as light 320 fixtures. 322 Often, there is a direct physical relation between a controlling 323 sensor and the controlled equipment. For example the temperature 324 sensor and room controller are located in the same room sharing the 325 same climate conditions. Consequently, the bulk of senders and 326 receivers are separated by a distance that allows one-hop direct path 327 communication. A graph of the communication will show several fully 328 connected subsets of nodes. However, due to interference, multipath 329 fading, reflection and other transmission mechanisms, the one-hop 330 direct path may be temporally disconnected. For reliability 331 purposes, it is therefore essential that alternative n-hop 332 communication routes exist for quick error recovery. (See Appendix B 333 for motivation.) 335 Looking over time periods of a day, the networks are very lightly 336 loaded. However, bursts of traffic can be generated by e.g. 338 incessant pushing of the button of a remote control, the occurrence 339 of a defect, and other unforeseen events. Under those conditions, 340 the timeliness must nevertheless be maintained. Therefore, measures 341 are necessary to remove any unnecessary traffic. Short routes are 342 preferred. Long multi-hop routes via the border router, should be 343 avoided whenever possible. 345 Group communication is essential for lighting control. For example, 346 once the presence of a person is detected in a given room, lighting 347 control applies to that room only and no other lights should be 348 dimmed, or switched on/off. In many cases, this means that a 349 multicast message with a 1-hop and 2-hop radius would suffice to 350 control the required lights. The same argument holds for Heating, 351 Ventilating, and Air Conditioning (HVAC) and other climate control 352 devices. To reduce network load, it is advisable that messages to 353 the lights in a room are not distributed any further in the mesh than 354 necessary based on intended receivers. 356 An example of an office surface is shown in [office-light], and the 357 current use of wireless lighting control products is shown in 358 [occuswitch]. 360 2.2.1. General 362 Whilst air conditioning and other environmental-control applications 363 may accept response delays of tens of seconds or longer, alarm and 364 light control applications may be regarded as soft real-time systems. 365 A slight delay is acceptable, but the perceived quality of service 366 degrades significantly if response times exceed 250 ms. If the light 367 does not turn on at short notice, a user may activate the controls 368 again, thus causing a sequence of commands such as 369 Light{on,off,on,off,..} or Volume{up,up,up,up,up,...}. In addition 370 the repetitive sending of commands creates an unnecessary loading of 371 the network, which in turn increases the bad responsiveness of the 372 network. 374 2.2.2. Source-sink (SS) communication paradigm 376 This paradigm translates to many sources sending messages to the same 377 sink, sometimes reachable via the border router. As such, source- 378 sink (SS) traffic can be present in home and building networks. The 379 traffic may be generated by environmental sensors (often present in a 380 wireless sub-network) which push periodic readings to a central 381 server. The readings may be used for pure logging, or more often, 382 processed to adjust light, heating and ventilation. Alarm sensors 383 may also generate SS style traffic. The central server in a home 384 automation network will be connected mostly to a wired network 385 segment of the home network, although it is likely that cloud 386 services will also be used. The central server in a building 387 automation network may be connected to a backbone or be placed 388 outside the building. 390 With regards to message latency, most SS transmissions can tolerate 391 worst-case delays measured in tens of seconds. Fire detectors, 392 however, represent an exception; For example, special provisions with 393 respect to the location of the Fire detectors and the smoke dampers 394 need to be put in place to meet the stringent delay requirements 395 measured in seconds. 397 2.2.3. Publish-subscribe (PS, or pub/sub)) communication paradigm 399 This paradigm translates to a number of devices expressing their 400 interest for a service provided by a server device. For example, a 401 server device can be a sensor delivering temperature readings on the 402 basis of delivery criteria, like changes in acquisition value or age 403 of the latest acquisition. In building automation networks, this 404 paradigm may be closely related to the SS paradigm given that 405 servers, which are connected to the backbone or outside the building, 406 can subscribe to data collectors that are present at strategic places 407 in the building automation network. The use of PS will probably 408 differ significantly from installation to installation. 410 2.2.4. Peer-to-peer (P2P) communication paradigm 412 This paradigm translates to a device transferring data to another 413 device often connected to the same sub-network. Peer-to-peer (P2P) 414 traffic is a common traffic type in home automation networks. Most 415 building automation networks rely on P2P traffic, described in the 416 next paragraph. Other building automation networks rely on P2P 417 control traffic between controls and a local controller box for 418 advanced group control. A local controller box can be further 419 connected to service control boxes, thus generating more SS or PS 420 traffic. 422 P2P traffic is typically generated by remote controls and wall 423 controllers which push control messages directly to light or heat 424 sources. P2P traffic has a stringent requirement for low latency 425 since P2P traffic often carries application messages that are invoked 426 by humans. As mentioned in Section 2.2.1, application messages 427 should be delivered within a few hundred milliseconds - even when 428 connections fail momentarily. 430 2.2.5. Peer-to-multipeer (P2MP) communication paradigm 432 This paradigm translates to a device sending a message as many times 433 as there are destination devices. Peer-to-multipeer (P2MP) traffic 434 is common in home and building automation networks. Often, a 435 thermostat in a living room responds to temperature changes by 436 sending temperature acquisitions to several fans and valves 437 consecutively. This paradigm is also closely related to the PS 438 paradigm in the case where a single server device has multiple 439 subscribers. 441 2.2.6. Additional considerations: Duocast and N-cast 443 This paradigm translates to a device sending a message to many 444 destinations in one network transfer invocation. Multicast is well 445 suited for lighting where a presence sensor sends a presence message 446 to a set of lighting devices. Multicast increases the probability 447 that the message is delivered within the strict time constraints. 448 The recommended multicast algorithm (e.g. 449 [I-D.ietf-roll-trickle-mcast]) assures that messages are delivered to 450 ALL intended destinations. 452 2.2.7. RPL applicability per communication paradigm 454 In the case of the SS paradigm applied to a wireless sub-network to a 455 server reachable via a border router, the use of RPL [RFC6550] in 456 non-storing mode is appropriate. Given the low resources of the 457 devices, source routing will be used from the border router to the 458 destination in the wireless sub-network for messages generated 459 outside the mesh network. No specific timing constraints are 460 associated with the SS type messages so network repair does not 461 violate the operational constraints. When no SS traffic takes place, 462 it is good practice to load only RPL code enabling P2P mode of 463 operation [RFC6997] to reduce the code size and satisfy memory 464 requirements. 466 P2P-RPL [RFC6997] is required for all P2P and P2MP traffic taking 467 place between nodes within a wireless sub-network (excluding the 468 border router) to assure responsiveness. Source and destination 469 devices are typically physically close based on room layout. 470 Consequently, most P2P and P2MP traffic is 1-hop or 2-hop traffic. 471 Appendix A explains why P2P-RPL is preferable to RPL for this type of 472 communication. Appendix B explains why reliability measures such as 473 multi-path routing are necessary even when 1-hop communication 474 dominates. 476 Additional advantages of P2P-RPL for home and building automation 477 networks are, for example: 479 o Individual wall switches are typically inexpensive class 0 devices 480 [RFC7228] with extremely low memory capacities. Multi-purpose 481 remote controls for use in a home environment typically have more 482 memory but such devices are asleep when there is no user activity. 483 P2P-RPL reactive discovery allows a node to wake up and find new 484 routes within a few seconds while memory constrained nodes only 485 have to keep routes to relevant targets. 487 o The reactive discovery features of P2P-RPL ensure that commands 488 are normally delivered within the 250 ms time window. When 489 connectivity needs to be restored, discovery is typically 490 completed within seconds. In most cases, an alternative (earlier 491 discovered) route will work and route rediscovery is not 492 necessary. 494 o Broadcast storms typically associated with route discovery for Ad 495 hoc On-Demand Distance Vector (AODV) [RFC3561] are less disruptive 496 for P2P-RPL. P2P-RPL has a "STOP" bit which is set by the target 497 of a route discovery to notify all other nodes that no more 498 Directed Acyclic Graph (DAG) Information Option (DIO) messages 499 should be forwarded for this temporary DAG. Something looking 500 like a broadcast storm may happen when no target is responding 501 however, in this case, the Trickle suppression mechanism kicks in, 502 limiting the number of DIO forwards in dense networks. 504 Due to the limited memory of the majority of devices, P2P-RPL SHOULD 505 be deployed with source routing in non-storing mode as explained in 506 Section 4.1.2. 508 Multicast with Multicast Protocol for Low power and Lossy Networks 509 (MPL) [I-D.ietf-roll-trickle-mcast] is preferably deployed for N-cast 510 over the wireless network. Configuration constraints that are 511 necessary to meet reliability and timeliness with MPL are discussed 512 in Section 4.1.7. 514 2.3. Layer-2 applicability 516 This document applies to [IEEE802.15.4] and [G.9959] which are 517 adapted to IPv6 by the adaption layers [RFC4944] and [RFC7428]. 518 Other layer-2 technologies, accompanied by an "IP over Foo" 519 specification, are also relevant provided there is no frame size 520 issue, and there are link layer acknowledgements. 522 The above mentioned adaptation layers leverage on the compression 523 capabilities of [RFC6554] and [RFC6282]. Header compression allows 524 small IP packets to fit into a single layer 2 frame even when source 525 routing is used. A network diameter limited to 5 hops helps to 526 achieve this even while using source routing. 528 Dropped packets are often experienced in the targeted environments. 529 Internet Control Message Protocol (ICMP), User Datagram Protocol 530 (UDP) and even Transmission Control Protocol (TCP) flows may benefit 531 from link layer unicast acknowledgments and retransmissions. Link 532 layer unicast acknowledgments SHOULD be enabled when [IEEE802.15.4] 533 or [G.9959] is used with RPL and P2P-RPL. 535 3. Using RPL to meet Functional Requirements 537 Several features required by [RFC5826], [RFC5867] challenge the P2P 538 paths provided by RPL. Appendix A reviews these challenges. In some 539 cases, a node may need to spontaneously initiate the discovery of a 540 path towards a desired destination that is neither the root of a DAG, 541 nor a destination originating Destination Advertisement Object (DAO) 542 signalling. Furthermore, P2P paths provided by RPL are not 543 satisfactory in all cases because they involve too many intermediate 544 nodes before reaching the destination. 546 P2P-RPL [RFC6997] SHOULD be used in home automation and building 547 control networks, as point-to-point style traffic is substantial and 548 route repair needs to be completed within seconds. P2P-RPL provides 549 a reactive mechanism for quick, efficient and root-independent route 550 discovery/repair. The use of P2P-RPL furthermore allows data traffic 551 to avoid having to go through a central region around the root of the 552 tree, and drastically reduces path length [SOFT11] [INTEROP12]. 553 These characteristics are desirable in home and building automation 554 networks because they substantially decrease unnecessary network 555 congestion around the root of the tree. 557 When more reliability is required, P2P-RPL enables the establishment 558 of multiple independent paths. For 1-hop destinations this means 559 that one 1-hop communication and a second 2-hop communication take 560 place via a neighbouring node. Such a pair of redundant 561 communication paths can be achieved by using MPL where the source is 562 a MPL forwarder, while a second MPL forwarder is 1 hop away from both 563 the source and the destination node. When the source multicasts the 564 message, it may be received by both the destination and the 2nd 565 forwarder. The 2nd forwarder forwards the message to the 566 destination, thus providing two routes from sender to destination. 568 To provide more reliability with multiple paths, P2P-RPL can maintain 569 two independent P2P source routes per destination, at the source. 570 Good practice is to use the paths alternately to assess their 571 existence. When one P2P path has failed (possibly only temporarily), 572 as described in Appendix B, the alternative P2P path can be used 573 without discarding the failed path. The failed P2P path, unless 574 proven to work again, can be safely discarded after a timeout 575 (typically 15 minutes). A new route discovery is done when the 576 number of P2P paths is exhausted due to persistent link failures. 578 4. RPL Profile 580 P2P-RPL SHOULD be used in home automation and building control 581 networks. Its reactive discovery allows for low application response 582 times even when on-the-fly route repair is needed. Non-storing mode 583 SHOULD be used to reduce memory consumption in repeaters with 584 constrained memory when source routing is used. 586 4.1. RPL Features 588 An important constraint on the application of RPL is the presence of 589 sleeping nodes. 591 For example, in a stand-alone network, the master node (or 592 coordinator) providing the logical layer-2 identifier and unique node 593 identifiers to connected nodes may be a remote control which returns 594 to sleep once new nodes have been added. Due to the absence of the 595 border router, there may be no global routable prefixes at all. 596 Likewise, there may be no authoritative always-on root node since 597 there is no border router to host this function. 599 In a network with a border router and many sleeping nodes, there may 600 be battery powered sensors and wall controllers configured to contact 601 other nodes in response to events and then return to sleep. Such 602 nodes may never detect the announcement of new prefixes via 603 multicast. 605 In each of the above mentioned constrained deployments, a link layer 606 node (e.g. coordinator or master) SHOULD assume the role of 607 authoritative root node, transmitting unicast Router Advertisement 608 (RA) messages with a Unique Local Address (ULA) prefix information 609 option to nodes during the joining process to prepare the nodes for a 610 later operational phase, where a border router is added. 612 A border router SHOULD be designed to be aware of sleeping nodes in 613 order to support the distribution of updated global prefixes to such 614 sleeping nodes. 616 4.1.1. RPL Instances 618 When operating P2P-RPL on a stand-alone basis, there is no 619 authoritative root node maintaining a permanent RPL Direction- 620 Oriented Directed Acyclic Graph (DODAG). A node MUST be able to join 621 at least one RPL instance, as a new, temporary instance is created 622 during each P2P-RPL route discovery operation. A node MAY be 623 designed to join multiple RPL instances. 625 4.1.2. Storing vs. Non-Storing Mode 627 Non-storing mode MUST be used to cope with the extremely constrained 628 memory of a majority of nodes in the network (such as individual 629 light switches). 631 4.1.3. DAO Policy 633 Nodes send DAO messages to establish downward paths from the root to 634 themselves. DAO messages are not acknowledged in networks composed 635 of battery operated field devices in order to minimize the power 636 consumption overhead associated with path discovery. The DAO 637 messages build up a source route because the nodes MUST be in non- 638 storing mode. 640 If devices in LLNs participate in multiple RPL instances and DODAGs, 641 both the RPLInstance ID and the DODAGID SHOULD be included in the 642 DAO. 644 4.1.4. Path Metrics 646 Expected Transmission Count (ETX) is the RECOMMENDED metric. 647 [RFC6551] provides other options. 649 Packets from asymmetric and/or unstable links SHOULD be deleted at 650 layer 2. 652 4.1.5. Objective Function 654 Objective Function 0 (OF0) MUST be the Objective Function. Other 655 Objective Functions MAY be used when dictated by circumstances. 657 4.1.6. DODAG Repair 659 Since P2P-RPL only creates DODAGs on a temporary basis during route 660 repair or route discovery, there is no need to repair DODAGs. 662 For SS traffic, local repair is sufficient. The accompanying process 663 is known as poisoning and is described in Section 8.2.2.5 of 664 [RFC6550]. Given that the majority of nodes in the building do not 665 physically move around, creating new DODAGs should not happen 666 frequently. 668 4.1.7. Multicast 670 Commercial lighting deployments may have a need for multicast to 671 distribute commands to a group of lights in a timely fashion. 672 Several mechanisms exist for achieving such functionality; 673 [I-D.ietf-roll-trickle-mcast] is the RECOMMENDED protocol for home 674 and building deployments. This section relies heavily on the 675 conclusions of [RT-MPL]. 677 At reception of a packet, the MPL forwarder starts a series of 678 consecutive trickle timer intervals, where the first interval has a 679 minimum size of Imin. Each consecutive interval is twice as long as 680 the former with a maximum value of Imax. There is a maximum number 681 of intervals given by max_expiration. For each interval of length I, 682 a time t is randomly chosen in the period [I/2, I]. For a given 683 packet, p, MPL counts the number of times it receives p during the 684 period [0, t] in a counter c. At time t, MPL re-broadcasts p when c 685 < k, where k is a predefined constant with a value k > 0. 687 The density of forwarders and the frequency of message generation are 688 important aspects to obtain timeliness during control operations. A 689 high frequency of message generation can be expected when a remote 690 control button is incessantly pressed, or when alarm situations 691 arise. 693 Guaranteeing timeliness is intimately related to the density of the 694 MPL routers. In ideal circumstances the message is propagated as a 695 single wave through the network, such that the maximum delay is 696 related to the number of hops times the smallest repetition interval 697 of MPL. Each forwarder that receives the message passes the message 698 on to the next hop by repeating the message. When several copies of 699 a message reach the forwarder, it is specified that the copy need not 700 be repeated. Repetition of the message can be inhibited by a small 701 value of k. To assure timeliness, the value of k should be chosen 702 high enough to make sure that messages are repeated at the first 703 arrival of the message in the forwarder. However, a network that is 704 too dense leads to a saturation of the medium that can only be 705 prevented by selecting a low value of k. Consequently, timeliness is 706 assured by choosing a relatively high value of k but assuring at the 707 same time a low enough density of forwarders to reduce the risk of 708 medium saturation. Depending on the reliability of the network 709 links, it is advisable to choose the network such that at least 2 710 forwarders per hop repeat messages to the same set of destinations. 712 There are no rules about selecting forwarders for MPL. In buildings 713 with central management tools, the forwarders can be selected, but in 714 the home is not possible to automatically configure the forwarder 715 topology at the time of writing this document. 717 4.1.8. Security 719 RPL MAY use unsecured messages to reduce message size. If there is a 720 single node that uses unsecured RPL messages, link-layer security 721 MUST be present. In both cases, a symmetric key is used to secure a 722 message. The symmetric key MUST be distributed or established in a 723 secure fashion. 725 4.1.8.1. Symmetric key distribution 727 The scope of the symmetric key distribution MUST be no greater than 728 the network itself, i.e. a group key. This document describes what 729 needs to be implemented to meet this requirement. The scope of the 730 symmetric key distribution MAY be smaller than the network, for 731 example: 733 o A pairwise symmetric key between two peers. 735 o A group key shared between a subset of nodes in the network. 737 4.1.8.2. Symmetric key distribution mechanism 739 The authentication mechanism as described in Section 6.9 of 740 [ZigBeeIP] SHALL be used to securely distribute a network-wide 741 symmetric key. 743 The purpose of the authentication procedure is to provide mutual 744 authentication resulting in: 746 o Preventing untrusted nodes without appropriate credentials from 747 joining the trusted network. 749 o Preventing trusted nodes with appropriate credentials from joining 750 an untrusted network. 752 There is an Authentication Server, which is responsible for 753 authenticating the nodes on the network. If the authentication is 754 successful, the Authentication Server sends the network security 755 material to the joining node through the PANA protocol ([RFC5191], 756 [RFC6345]). The joining node becomes a full participating node in 757 the network and is able to apply layer 2 security to RPL messages 758 using the distributed network key. 760 The joining node does not initially have access to the network 761 security material. Therefore, it is not able to apply layer 2 762 security for the packets exchanged during the authentication process. 763 The enforcement point rules at the edge of the network ensure that 764 the packets involved in the PANA authentication are processed even 765 though they are unsecured at MAC layer. The rules also ensure that 766 any other incoming traffic that is not secured at the MAC layer is 767 discarded and is not forwarded. 769 4.1.8.2.1. Authentication Stack 771 Authentication can be viewed as a protocol stack as a layer 772 encapsulates the layers above it. 774 o TLS [RFC5246] MUST be used at the highest layer of the 775 authentication stack and carries the authentication exchange. 776 There is one cipher suite based on pre-shared key [RFC6655] and 777 one cipher suite based on ECC [RFC7251]. 779 o EAP-TLS [RFC5216] MUST be used at the next layer to carry the TLS 780 records for the authentication protocol. 782 o The Extensible Authentication Protocol [RFC3748] MUST be used to 783 provide the mechanisms for mutual authentication. EAP requires a 784 way to transport EAP packets between the joining node and the node 785 on which the Authentication Server resides. These nodes are not 786 necessarily in radio range of each other, so it is necessary to 787 have multi-hop support in the EAP transport method. The PANA 788 protocol [RFC5191], [RFC6345], which operates over UDP, MUST be 789 used for this purpose. [RFC3748] specifies the derivation of a 790 session key using the EAP key hierarchy; only the EAP Master 791 Session Key shall be derived, as [RFC5191] specifies that it is 792 used to set up keys for PANA authentication and encryption. 794 o PANA [RFC5191] and PANA relay [RFC6345] MUST be used at the next 795 layer: 797 * The joining node MUST act as the PANA Client (PaC) 799 * The parent edge router node MUST act as a PANA relay (PRE) 800 according to [RFC6345], unless it is also the Authentication 801 Server. All routers at the edge of the network MUST be capable 802 of functioning in the PRE role. 804 * The Authentication Server node MUST act as the PANA 805 Authentication Agent (PAA). The Authentication Server MUST be 806 able to handle packets relayed according to [RFC6345]. 808 This network authentication process uses link-local IPv6 addresses 809 for transport between the new node and its parent. If the parent is 810 not the Authentication Server, it MUST then relay packets from the 811 joining node to the Authentication Server and vice-versa using PANA 812 relay mechanism [RFC6345]. The joining node MUST use a link-local 813 address based on its EUI-64 as the source address for initial PANA 814 authentication message exchanges. 816 4.1.8.2.2. Applicability Statements 818 The applicability statements describe the relationship between the 819 various specifications. 821 4.1.8.2.2.1. Applicability Statement for PSK TLS 823 [RFC6655] contains AEAD TLS cipher suites that are very similar to 824 [RFC5487] whose AEAD part is detailed in [RFC5116]. [RFC5487] 825 references both [RFC5288] and the original PSK cipher suite document 826 [RFC4279], which references [RFC5246], which defines the TLS 1.2 827 messages. 829 4.1.8.2.2.2. Applicability Statement for ECC TLS 831 [RFC7251] contains AEAD TLS cipher suites that are very similar to 832 [RFC5289] whose AEAD part is detailed in [RFC5116]. [RFC5289] 833 references the original ECC cipher suite document [RFC4492], which 834 references [RFC5246], which defines the TLS 1.2 messages. 836 4.1.8.2.2.3. Applicability Statement for EAP-TLS and PANA 838 [RFC5216] specifies how [RFC3748] is used to package [RFC5246] TLS 839 records into EAP packets. [RFC5191] provides transportation for the 840 EAP packets and the network-wide key carried in an encrypted AVP 841 specified in [RFC6786]. The proposed PRF and AUTH hashes based on 842 SHA-256 are represented as in [RFC5996] and detailed in [RFC4868]. 844 4.1.8.2.3. Security using RPL message security 846 If RPL is used with secured messages [RFC6550], the following RPL 847 security parameter values SHOULD be used: 849 o Counter Time Flag (T) = 0: Do not use timestamp in the Counter 850 Field. Counters based on timestamps are typically more applicable 851 to industrial networks where strict timing synchronization between 852 nodes is often implemented. Home and building networks typically 853 do not implement such strict timing synchronization therefore a 854 monotonically increasing counter is more appropriate. 856 o Algorithm = 0: Use Counter with Cipher Block Chaining Message 857 Authentication Code (CBC-MAC Mode) (CCM) with Advanced Encryption 858 Standard (AES)-128. This is the only assigned mode at present. 860 o Key Identifier Mode (KIM) = 10: Use group key, Key Source present, 861 Key Index present. Given the relatively confined perimeter of a 862 home or building network, a group key is usually sufficient to 863 protect RPL messages sent between nodes. The use of the Key 864 Source field allows multiple group keys to be used within the 865 network. 867 o Security Level (LVL) = 0: Use MAC-32. This is recommended as 868 integrity protection for RPL messages is the basic requirement. 869 Encryption is unlikely to be necessary given the relatively non- 870 confidential nature of RPL message payloads. 872 4.1.9. P2P communications 874 [RFC6997] MUST be used to accommodate P2P traffic, which is typically 875 substantial in home and building automation networks. 877 4.1.10. IPv6 address configuration 879 Assigned IP addresses MUST be routable and unique within the routing 880 domain [RFC5889]. 882 4.2. Layer 2 features 884 No particular requirements exist for layer 2 but for the ones cited 885 in the IP over Foo RFCs (see Section 2.3). 887 4.2.1. Specifics about layer-2 889 Not applicable 891 4.2.2. Services provided at layer-2 893 Not applicable 895 4.2.3. 6LowPAN options assumed 897 Not applicable 899 4.2.4. Mesh Link Establishment (MLE) and other things 901 Not applicable 903 4.3. Recommended Configuration Defaults and Ranges 905 The following sections describe the recommended parameter values for 906 P2P-RPL and Trickle. 908 4.3.1. Trickle parameters 910 Trickle is used to distribute network parameter values to all nodes 911 without stringent time restrictions. The recommended Trickle 912 parameter values are: 914 o DIOIntervalMin 4 = 16 ms 916 o DIOIntervalDoublings 14 918 o DIORedundancyConstant 1 920 When a node sends a changed DIO, this is an inconsistency and forces 921 the receiving node to respond within Imin. So when something happens 922 which affects the DIO, the change is ideally communicated to a node, 923 n hops away, within n times Imin. Often, dependent on the node 924 density, packets are lost, or not sent, leading to larger delays. 926 In general we can expect DIO changes to propagate within 1 to 3 927 seconds within the envisaged networks. 929 When nothing happens, the DIO sending interval increases to 4.37 930 minutes, thus drastically reducing the network load. When a node 931 does not receive DIO messages during more than 10 minutes it can 932 safely conclude the connection with other nodes has been lost. 934 4.3.2. Other Parameters 936 This section discusses the P2P-RPL parameters. 938 P2P-RPL [RFC6997] provides the features requested by [RFC5826] and 939 [RFC5867]. P2P-RPL uses a subset of the frame formats and features 940 defined for RPL [RFC6550] but may be combined with RPL frame flows in 941 advanced deployments. 943 The recommended parameter values for P2P-RPL are: 945 o MinHopRankIncrease 1 947 o MaxRankIncrease 0 949 o MaxRank 6 951 o Objective function: OF0 953 5. MPL Profile 955 MPL is used to distribute values to groups of devices. Using MPL, 956 based on the Trickle algorithm, timeliness should also be guaranteed. 957 A deadline of 200 ms needs to be met when human action is followed by 958 an immediately observable action such as switching on lights. The 959 deadline needs to be met in a building where the number of hops from 960 seed to destination varies between 1 and 10. 962 5.1. Recommended configuration Defaults and Ranges 964 5.1.1. Real-Time optimizations 966 When the network is heavily loaded, MAC delays contribute 967 significantly to the end to end delays when MPL intervals between 10 968 to 100 ms are used to meet the 200 ms deadline. It is possible to 969 set the number of buffers in the MAC to 1 and set the number of Back- 970 off repetitions to 1. The number of MPL repetitions compensates for 971 the reduced probability of transmission per MAC invocation [RT-MPL]. 973 In addition, end to end delays and message losses are reduced, by 974 adding a real-time layer between MPL and MAC to throw away the 975 earliest messages (exploiting the MPL message numbering) and favour 976 the most recent ones. 978 5.1.2. Trickle parameters 980 This section proposes values for the Trickle parameters used by MPL 981 for the distribution of packets that need to meet a 200 ms deadline. 982 The probability of meeting the deadline is increased by (1) choosing 983 a small Imin value,(2) reducing the number of MPL intervals thus 984 reducing the load, and (3) reducing the number of MPL forwarders to 985 also reduce the load. 987 The consequence of this approach is that the value of k can be larger 988 than 1 because network load reduction is already guaranteed by the 989 network configuration. 991 Under the condition that the density of MPL repeaters can be limited, 992 it is possible to choose low MPL repeat intervals (Imin) connected to 993 k values such that k>1. The minimum value of k is related to: 995 o Value of Imin. The length of Imin determines the number of 996 packets that can be received within the listening period of Imin. 998 o Number of repeaters receiving the broadcast message from the same 999 forwarder or seed. These repeaters repeat within the same Imin 1000 interval, thus increasing the c counter. 1002 Within the first MPL interval a limited number, q, of messages can be 1003 transmitted. Assuming a 3 ms transmission interval, q is given by q 1004 = Imin/3. Assuming that at most q message copies can reach a given 1005 forwarder within the first repeat interval of length Imin, the 1006 related MPL parameter values are suggested in the following sections. 1008 5.1.2.1. Imin 1010 The recommended value is Imin = 10 to 50 ms. 1012 When Imin is chosen much smaller, the interference between the copies 1013 leads to significant losses given that q is much smaller than the 1014 number of repeated packets. With much larger intervals the 1015 probability that the deadline will be met decreases with increasing 1016 hop count. 1018 5.1.2.2. Imax 1020 The recommended value is Imax = 100 to 400 ms. 1022 The value of Imax is less important than the value of max_expiration. 1023 Given an Imin value of 10 ms, the 3rd MPL interval has a value of 1024 10*2*2 = 40 ms. When Imin has a value of 40 ms, the 3rd interval has 1025 a value of 160 ms. Given that more than 3 intervals are unnecessary, 1026 the Imax does not contribute much to the performance. 1028 5.1.3. Other parameters 1030 Other parameters are the k parameter and the max_expiration 1031 parameter. 1033 k > q (see condition above). Under this condition and for small 1034 Imin, a value of k=2 or k=3 is usually sufficient to minimize the 1035 losses of packets in the first repeat interval. 1037 max_expiration = 2 - 4. Higher values lead to more network load 1038 while generating copies which will probably not meet their deadline. 1040 6. Manageability Considerations 1042 At this moment it is not clear how homenets will be managed. 1043 Consequently it is not clear which tools will be used and which 1044 parameters must be exposed for management. 1046 In building control, management is mandatory. It is expected that 1047 installations will be managed using the set of currently available 1048 tools(including IETF tools like Management Information Base (MIB) 1049 modules, NETCONF modules, Dynamic Host Configuration Protocol (DHCP) 1050 and others) with large differences between the ways an installation 1051 is managed. 1053 7. Security Considerations 1055 This section refers to the security considerations of [RFC6997], 1056 [RFC6550], [I-D.ietf-roll-trickle-mcast], and the counter measures 1057 discussed in sections 6 and 7 of [RFC7416]. 1059 Communications network security is based on providing integrity 1060 protection and encryption to messages. This can be applied at 1061 various layers in the network protocol stack based on using various 1062 credentials and a network identity. 1064 The credentials which are relevant in the case of RPL are: (i) the 1065 credential used at the link layer in the case where link layer 1066 security is applied (see Section 7.1) or (ii) the credential used for 1067 securing RPL messages. In both cases, the assumption is that the 1068 credential is a shared key. Therefore, there MUST be a mechanism in 1069 place which allows secure distribution of a shared key and 1070 configuration of network identity. Both MAY be done using: (i) pre- 1071 installation using an out-of-band method, (ii) delivered securely 1072 when a device is introduced into the network or (iii) delivered 1073 securely by a trusted neighbouring device as described in 1074 Section 4.1.8.1. The shared key MUST be stored in a secure fashion 1075 which makes it difficult to be read by an unauthorized party. 1077 This document mandates that a layer-2 mechanism be used during 1078 initial and incremental deployment. Please see the following 1079 sections. 1081 7.1. Security considerations during initial deployment 1083 Wireless mesh networks are typically secured at the link layer in 1084 order to prevent unauthorized parties from accessing the information 1085 exchanged over the links. It is a basic practice to create a network 1086 of nodes which share the same keys for link layer security and 1087 exclude nodes sending unsecured messages. With per-message data 1088 origin authentication, it is possible to prevent unauthorized nodes 1089 joining the mesh. 1091 At initial deployment the network is secured by consecutively 1092 securing nodes at the link layer, thus building a network of secured 1093 nodes. The Protocol for carrying Authentication for Network Access 1094 (PANA) [RFC5191] [RFC6345] with an Extensible Authentication Protocol 1095 (EAP) provides a framework for network access and delivery of common 1096 link keys. Several versions of EAP exist. ZigBee specifies the use 1097 of EAP-TLS [RFC5216] (see section 5 of [ZigBeeIP]), which is also 1098 recommended in Section 4.1.8.2.1. Wi-SUN HAN (Home Area Network) 1099 uses EAP-PSK [RFC4764] (see section 5.6 of [WI-SUN]), which also 1100 looks promising for building control at this moment. 1102 This document does not specify a multicast security solution. 1103 Networks deployed with this specification will depend upon layer-2 1104 security to prevent outsiders from sending multicast traffic. It is 1105 recognized that this does not protect this control traffic from 1106 impersonation by already trusted devices. This is an area for a 1107 future specification. 1109 For building control an installer will use an installation tool that 1110 establishes a secure communication path with the joining node. It is 1111 recognized that the recommendations for initial deployment of 1112 Section 7 and Section 7.1 do not cover all building requirements such 1113 as selecting the node-to-secure independent of network topology. 1115 It is expected that a set of protocol combinations will evolve within 1116 currently existing alliances of building control manufacturers. Each 1117 set satisfies the installation requirements of installers, operators, 1118 and manufacturers of building control networks in a given 1119 installation context, e.g lighting deployment in offices, HVAC 1120 installation, incremental addition of equipment in homes, and others. 1122 In the home, nodes can be visually inspected by the home owner and a 1123 simple procedure, e.g. pushing buttons simultaneously on an already 1124 secured device and an unsecured joining device is usually sufficient 1125 to ensure that the unsecured joining device is authenticated and 1126 configured securely, and paired appropriately. 1128 This recommendation is in line with the countermeasures described in 1129 section 6.1.1 of [RFC7416]. 1131 7.2. Security Considerations during incremental deployment 1133 Once a network is operational, new nodes need to be added, or nodes 1134 fail and need to be replaced. When a new node needs to be added to 1135 the network, the new node is joined to the network via an assisting 1136 node in the manner described in Section 7.1. 1138 On detection of a compromised node, all trusted nodes need to be re- 1139 keyed, and the trusted network is built up as described in 1140 Section 7.1. 1142 7.3. Security Considerations for P2P uses 1144 Refer to the security considerations of [RFC6997]. 1146 7.4. MPL routing 1148 The routing of MPL is determined by the enabling of the interfaces 1149 for specified Multicast addresses. The specification of these 1150 addresses can be done via a Constrained Application Protocol (CoAP) 1151 application as specified in [RFC7390]. An alternative is the 1152 creation of a MPL MIB and use of Simple Network Management Protocol 1153 (SNMP)v3 [RFC3411] or equivalent techniques to specify the Multicast 1154 addresses in the MIB. The application of security measures for the 1155 specification of the multicast addresses assures that the routing of 1156 MPL packets is secured. 1158 7.5. RPL Security features 1160 This section follows the structure of section 7, "RPL security 1161 features" of [RFC7416], where a thorough analysis of security threats 1162 and proposed counter measures relevant to RPL and MPL are done. 1164 In accordance with section 7.1 of [RFC7416], "Confidentiality 1165 features", a secured RPL protocol implements payload protection, as 1166 explained in Section 7 of this document. The attributes key-length 1167 and life-time of the keys depend on operational conditions, 1168 maintenance and installation procedures. 1170 Section 7.1 and Section 7.2 of this document recommend link-layer 1171 measures to assure integrity in accordance with section 7.2 of 1172 [RFC7416], "Integrity features". 1174 The provision of multiple paths recommended in section 7.3 1175 "Availability features" of [RFC7416] is also recommended from a 1176 reliability point of view. Randomly choosing paths MAY be supported. 1178 Key management discussed in section 7.4, "Key Management" of 1179 [RFC7416], is not standardized and discussions continue. 1181 Section 7.5, "Considerations on Matching Application Domain Needs" of 1182 [RFC7416] applies as such. 1184 8. Other related protocols 1186 Application and transport protocols used in home and building 1187 automation domains are expected to mostly consist in CoAP over UDP, 1188 or equivalents. Typically, UDP is used for IP transport to keep down 1189 the application response time and bandwidth overhead. CoAP is used 1190 at the application layer to reduce memory footprint and bandwidth 1191 requirements. 1193 9. IANA Considerations 1195 No considerations for IANA pertain to this document. 1197 10. Acknowledgements 1199 This document reflects discussions and remarks from several 1200 individuals including (in alphabetical order): Stephen Farrell, Mukul 1201 Goyal, Sandeep Kumar, Jerry Martocci, Catherine Meadows, Yoshira 1202 Ohba, Charles Perkins, Yvonne-Anne Pignolet, Michael Richardson, Ines 1203 Robles, Zach Shelby, and Meral Sherazipour. 1205 11. Changelog 1207 RFC editor, please delete this section before publication. 1209 Changes from version 0 to version 1. 1211 o Adapted section structure to template. 1213 o Standardized the reference syntax. 1215 o Section 2.2, moved everything concerning algorithms to section 1216 2.2.7, and adapted text in 2.2.1-2.2.6. 1218 o Added MPL parameter text to section 4.1.7 and section 4.3.1. 1220 o Replaced all TODO sections with text. 1222 o Consistent use of border router, monitoring, home- and building 1223 network. 1225 o Reformulated security aspects with references to other 1226 publications. 1228 o MPL and RPL parameter values introduced. 1230 Changes from version 1 to version 2. 1232 o Clarified common characteristics of control in home and building. 1234 o Clarified failure behaviour of point to point communication in 1235 appendix. 1237 o Changed examples, more hvac and less lighting. 1239 o Clarified network topologies. 1241 o replaced reference to smart_object paper by reference to I-D.roll- 1242 security-threats 1244 o Added a concise definition of secure delivery and secure storage 1246 o Text about securing network with PANA 1248 Changes from version 2 to version 3. 1250 o Changed security section to follow the structure of security 1251 threats draft. 1253 o Added text to DODAG repair sub-section 1255 Changes from version 3 to version 4. 1257 o Renumbered sections and moved text to conform to applicability 1258 template 1260 o Extended MPL parameter value text 1262 o Added references to building control products 1264 Changes from version 4 to version 5. 1266 o Large editing effort to streamline text 1268 o Rearranged Normative and Informative references 1270 o Replaced RFC2119 terminology by non-normative terminology 1272 o Rearranged text of section 7, 7.1, and 7.2 to agree with the 1273 intention of section 7.2 1275 Changes from version 5 to version 6. 1277 o Issues #162 - #166 addressed 1279 Changes from version 6 to version 7. 1281 o Text of section 7.1 edited for better security coverage. 1283 12. References 1285 12.1. Normative References 1287 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1288 Requirement Levels", BCP 14, RFC 2119, March 1997. 1290 [RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and H. 1291 Levkowetz, "Extensible Authentication Protocol (EAP)", RFC 1292 3748, June 2004. 1294 [RFC4279] Eronen, P. and H. Tschofenig, "Pre-Shared Key Ciphersuites 1295 for Transport Layer Security (TLS)", RFC 4279, December 1296 2005. 1298 [RFC4492] Blake-Wilson, S., Bolyard, N., Gupta, V., Hawk, C., and B. 1299 Moeller, "Elliptic Curve Cryptography (ECC) Cipher Suites 1300 for Transport Layer Security (TLS)", RFC 4492, May 2006. 1302 [RFC4764] Bersani, F. and H. Tschofenig, "The EAP-PSK Protocol: A 1303 Pre-Shared Key Extensible Authentication Protocol (EAP) 1304 Method", RFC 4764, January 2007. 1306 [RFC4868] Kelly, S. and S. Frankel, "Using HMAC-SHA-256, HMAC-SHA- 1307 384, and HMAC-SHA-512 with IPsec", RFC 4868, May 2007. 1309 [RFC4944] Montenegro, G., Kushalnagar, N., Hui, J., and D. Culler, 1310 "Transmission of IPv6 Packets over IEEE 802.15.4 1311 Networks", RFC 4944, September 2007. 1313 [RFC5116] McGrew, D., "An Interface and Algorithms for Authenticated 1314 Encryption", RFC 5116, January 2008. 1316 [RFC5191] Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H., and A. 1317 Yegin, "Protocol for Carrying Authentication for Network 1318 Access (PANA)", RFC 5191, May 2008. 1320 [RFC5216] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS 1321 Authentication Protocol", RFC 5216, March 2008. 1323 [RFC5246] Dierks, T. and E. Rescorla, "The Transport Layer Security 1324 (TLS) Protocol Version 1.2", RFC 5246, August 2008. 1326 [RFC5288] Salowey, J., Choudhury, A., and D. McGrew, "AES Galois 1327 Counter Mode (GCM) Cipher Suites for TLS", RFC 5288, 1328 August 2008. 1330 [RFC5289] Rescorla, E., "TLS Elliptic Curve Cipher Suites with SHA- 1331 256/384 and AES Galois Counter Mode (GCM)", RFC 5289, 1332 August 2008. 1334 [RFC5487] Badra, M., "Pre-Shared Key Cipher Suites for TLS with SHA- 1335 256/384 and AES Galois Counter Mode", RFC 5487, March 1336 2009. 1338 [RFC5548] Dohler, M., Watteyne, T., Winter, T., and D. Barthel, 1339 "Routing Requirements for Urban Low-Power and Lossy 1340 Networks", RFC 5548, May 2009. 1342 [RFC5673] Pister, K., Thubert, P., Dwars, S., and T. Phinney, 1343 "Industrial Routing Requirements in Low-Power and Lossy 1344 Networks", RFC 5673, October 2009. 1346 [RFC5826] Brandt, A., Buron, J., and G. Porcu, "Home Automation 1347 Routing Requirements in Low-Power and Lossy Networks", RFC 1348 5826, April 2010. 1350 [RFC5867] Martocci, J., De Mil, P., Riou, N., and W. Vermeylen, 1351 "Building Automation Routing Requirements in Low-Power and 1352 Lossy Networks", RFC 5867, June 2010. 1354 [RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, 1355 "Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 1356 5996, September 2010. 1358 [RFC6282] Hui, J. and P. Thubert, "Compression Format for IPv6 1359 Datagrams over IEEE 802.15.4-Based Networks", RFC 6282, 1360 September 2011. 1362 [RFC6345] Duffy, P., Chakrabarti, S., Cragie, R., Ohba, Y., and A. 1363 Yegin, "Protocol for Carrying Authentication for Network 1364 Access (PANA) Relay Element", RFC 6345, August 2011. 1366 [RFC6550] Winter, T., Thubert, P., Brandt, A., Hui, J., Kelsey, R., 1367 Levis, P., Pister, K., Struik, R., Vasseur, JP., and R. 1368 Alexander, "RPL: IPv6 Routing Protocol for Low-Power and 1369 Lossy Networks", RFC 6550, March 2012. 1371 [RFC6551] Vasseur, JP., Kim, M., Pister, K., Dejean, N., and D. 1372 Barthel, "Routing Metrics Used for Path Calculation in 1373 Low-Power and Lossy Networks", RFC 6551, March 2012. 1375 [RFC6554] Hui, J., Vasseur, JP., Culler, D., and V. Manral, "An IPv6 1376 Routing Header for Source Routes with the Routing Protocol 1377 for Low-Power and Lossy Networks (RPL)", RFC 6554, March 1378 2012. 1380 [RFC6655] McGrew, D. and D. Bailey, "AES-CCM Cipher Suites for 1381 Transport Layer Security (TLS)", RFC 6655, July 2012. 1383 [RFC6786] Yegin, A. and R. Cragie, "Encrypting the Protocol for 1384 Carrying Authentication for Network Access (PANA) 1385 Attribute-Value Pairs", RFC 6786, November 2012. 1387 [RFC6997] Goyal, M., Baccelli, E., Philipp, M., Brandt, A., and J. 1388 Martocci, "Reactive Discovery of Point-to-Point Routes in 1389 Low-Power and Lossy Networks", RFC 6997, August 2013. 1391 [RFC6998] Goyal, M., Baccelli, E., Brandt, A., and J. Martocci, "A 1392 Mechanism to Measure the Routing Metrics along a Point-to- 1393 Point Route in a Low-Power and Lossy Network", RFC 6998, 1394 August 2013. 1396 [RFC7102] Vasseur, JP., "Terms Used in Routing for Low-Power and 1397 Lossy Networks", RFC 7102, January 2014. 1399 [RFC7251] McGrew, D., Bailey, D., Campagna, M., and R. Dugal, "AES- 1400 CCM Elliptic Curve Cryptography (ECC) Cipher Suites for 1401 TLS", RFC 7251, June 2014. 1403 [RFC7416] Tsao, T., Alexander, R., Dohler, M., Daza, V., Lozano, A., 1404 and M. Richardson, "A Security Threat Analysis for the 1405 Routing Protocol for Low-Power and Lossy Networks (RPLs)", 1406 RFC 7416, January 2015. 1408 [I-D.ietf-roll-trickle-mcast] 1409 Hui, J. and R. Kelsey, "Multicast Protocol for Low power 1410 and Lossy Networks (MPL)", draft-ietf-roll-trickle- 1411 mcast-12 (work in progress), June 2015. 1413 [IEEE802.15.4] 1414 "IEEE 802.15.4 - Standard for Local and metropolitan area 1415 networks -- Part 15.4: Low-Rate Wireless Personal Area 1416 Networks", . 1418 [G.9959] "ITU-T G.9959 Short range narrow-band digital 1419 radiocommunication transceivers - PHY and MAC layer 1420 specifications", . 1422 12.2. Informative References 1424 [RFC3411] Harrington, D., Presuhn, R., and B. Wijnen, "An 1425 Architecture for Describing Simple Network Management 1426 Protocol (SNMP) Management Frameworks", STD 62, RFC 3411, 1427 December 2002. 1429 [RFC3561] Perkins, C., Belding-Royer, E., and S. Das, "Ad hoc On- 1430 Demand Distance Vector (AODV) Routing", RFC 3561, July 1431 2003. 1433 [RFC5889] Baccelli, E. and M. Townsley, "IP Addressing Model in Ad 1434 Hoc Networks", RFC 5889, September 2010. 1436 [RFC7228] Bormann, C., Ersue, M., and A. Keranen, "Terminology for 1437 Constrained-Node Networks", RFC 7228, May 2014. 1439 [RFC7390] Rahman, A. and E. Dijk, "Group Communication for the 1440 Constrained Application Protocol (CoAP)", RFC 7390, 1441 October 2014. 1443 [RFC7428] Brandt, A. and J. Buron, "Transmission of IPv6 Packets 1444 over ITU-T G.9959 Networks", RFC 7428, February 2015. 1446 [SOFT11] Baccelli, E., Phillip, M., and M. Goyal, "The P2P-RPL 1447 Routing Protocol for IPv6 Sensor Networks: Testbed 1448 Experiments", Proceedings of the Conference on Software 1449 Telecommunications and Computer Networks, Split, Croatia,, 1450 September 2011. 1452 [INTEROP12] 1453 Baccelli, E., Phillip, M., Brandt, A., Valev , H., and J. 1454 Buron , "Report on P2P-RPL Interoperability Testing", 1455 RR-7864 INRIA Research Report RR-7864, January 2012. 1457 [RT-MPL] van der Stok, P., "Real-Time multicast for wireless mesh 1458 networks using MPL", White paper, 1459 http://www.vanderstok.org/papers/Real-time-MPL.pdf, April 1460 2014. 1462 [occuswitch] 1463 Lighting, Philips., "OccuSwitch wireless", Brochure, http: 1464 //www.philipslightingcontrols.com/assets/cms/uploads/files 1465 /osw/MK_OSWNETBROC_5.pdf, May 2012. 1467 [office-light] 1468 Clanton and Associates, ., "A Life Cycle Cost Evaluation 1469 of Multiple Lighting Control Strategies", Wireless 1470 Lighting Control, http://www.daintree.net/wp- 1471 content/uploads/2014/02/ 1472 clanton_lighting_control_report_0411.pdf, February 2014. 1474 [RTN2011] Holtman, K. and P. van der Stok, "Real-time routing for 1475 low-latency 802.15.4 control networks", International 1476 Workshop on Real-Time Networks; Euromicro Conference on 1477 Real-Time Systems, July 2011. 1479 [MEAS] Holtman, K., "Connectivity loss in large scale IEEE 1480 802.15.4 network", Private Communication, November 2013. 1482 [BCsurvey] 1483 Kastner, W., Neugschwandtner, G., Soucek, S., and H. 1484 Newman, "Communication Systems for Building Automation and 1485 Control", Proceedings of the IEEE Vol 93, No 6, June 2005. 1487 [ZigBeeIP] 1488 ZigBee Alliance, ., "ZigBee IP specification", ZigBee 1489 document 095023r34, March 2014. 1491 [WI-SUN] ECHONET Lite, ., "Home network Communication Interface for 1492 ECHONET Lite (IEEE802.15.4/4e/4g 920MHz-band Wireless)", 1493 Japanese TTC standard JJ-300.10, May 2014. 1495 Appendix A. RPL shortcomings in home and building deployments 1497 A.1. Risk of undesired long P2P routes 1499 The DAG, being a tree structure is formed from a root. If nodes 1500 residing in different branches have a need for communicating 1501 internally, DAG mechanisms provided in RPL [RFC6550] will propagate 1502 traffic towards the root, potentially all the way to the root, and 1503 down along another branch [RFC6998]. In a typical example two nodes 1504 could reach each other via just two router nodes but in unfortunate 1505 cases, RPL may send traffic three hops up and three hops down again. 1506 This leads to several undesired phenomena described in the following 1507 sections. 1509 A.1.1. Traffic concentration at the root 1511 If many P2P data flows have to move up towards the root to get down 1512 again in another branch there is an increased risk of congestion the 1513 nearer to the root of the DAG the data flows. Due to the broadcast 1514 nature of RF systems any child node of the root is not just directing 1515 RF power downwards its sub-tree but just as much upwards towards the 1516 root; potentially jamming other MP2P traffic leaving the tree or 1517 preventing the root of the DAG from sending P2MP traffic into the DAG 1518 because the listen-before-talk link-layer protection kicks in. 1520 A.1.2. Excessive battery consumption in source nodes 1522 Battery-powered nodes originating P2P traffic depend on the route 1523 length. Long routes cause source nodes to stay awake for longer 1524 periods before returning to sleep. Thus, a longer route translates 1525 proportionally (more or less) into higher battery consumption. 1527 A.2. Risk of delayed route repair 1529 The RPL DAG mechanism uses DIO and DAO messages to monitor the health 1530 of the DAG. In rare occasions, changed radio conditions may render 1531 routes unusable just after a destination node has returned a DAO 1532 indicating that the destination is reachable. Given enough time, the 1533 next Trickle timer-controlled DIO/DAO update will eventually repair 1534 the broken routes, however this may not occur in a timely manner 1535 appropriate to the application. In an apparently stable DAG, 1536 Trickle-timer dynamics may reduce the update rate to a few times 1537 every hour. If a user issues an actuator command, e.g. light on in 1538 the time interval between the last DAO message was issued the 1539 destination module and the time one of the parents sends the next 1540 DIO, the destination cannot be reached. There is no mechanism in RPL 1541 to initiate restoration of connectivity in a reactive fashion. The 1542 consequence is a broken service in home and building applications. 1544 A.2.1. Broken service 1546 Experience from the telecom industry shows that if the voice delay 1547 exceeds 250ms, users start getting confused, frustrated and/or 1548 annoyed. In the same way, if the light does not turn on within the 1549 same period of time, a home control user will activate the controls 1550 again, causing a sequence of commands such as 1551 Light{on,off,off,on,off,..} or Volume{up,up,up,up,up,...}. Whether 1552 the outcome is nothing or some unintended response this is 1553 unacceptable. A controlling system must be able to restore 1554 connectivity to recover from the error situation. Waiting for an 1555 unknown period of time is not an option. While this issue was 1556 identified during the P2P analysis, it applies just as well to 1557 application scenarios where an IP application outside the LLN 1558 controls actuators, lights, etc. 1560 Appendix B. Communication failures 1562 Measurements on the connectivity between neighbouring nodes are 1563 discussed in [RTN2011] and [MEAS]. 1565 The work is motivated by the measurements in literature which affirm 1566 that the range of an antenna is not circle symmetric but that the 1567 signal strength of a given level follows an intricate pattern around 1568 the antenna, and there may be holes within the area delineated by an 1569 iso-strength line. It is reported that communication is not 1570 symmetric: reception of messages from node A by node B does not imply 1571 reception of messages from node B by node A. The quality of the 1572 signal fluctuates over time, and also the height of the antenna 1573 within a room can have consequences for the range. As function of 1574 the distance from the source, three regions are generally recognized: 1575 (1) a clear region with excellent signal quality, (2) a region with 1576 fluctuating signal quality, (3) a region without reception. In the 1577 text below it is shown that installation of meshes with neighbours in 1578 the clear region is not sufficient. 1580 [RTN2011] extends existing work by: 1582 o Observations over periods of at least a week, 1584 o Testing links that are in the clear region, 1586 o Observation in an office building during working hours, 1588 o Concentrating on one-hop and two-hop routes. 1590 Eight nodes were distributed over a surface of 30m2. All nodes are 1591 at one hop distance from each other and are situated in the clear 1592 region of each other. Each node sends messages to each of its 1593 neighbours, and repeats the message until it arrives. The latency of 1594 the message was measured over periods of at least a week. It is 1595 noticed that latencies longer than a second occurred without apparent 1596 reasons, but only during working days and never in the weekends. Bad 1597 periods could last for minutes. By sending messages via two paths: 1598 (1) one hop path directly, and (2) two hop path via a randomly chosen 1599 neighbour, the probability of delays larger than 100 ms decreased 1600 significantly. 1602 The conclusion is that even for 1-hop communication between not too 1603 distant "Line of Sight" nodes, there are periods of low reception in 1604 which communication deadlines of 200 ms are exceeded. It pays to 1605 send a second message over a 2-hop path to increase the reliability 1606 of timely message transfer. 1608 [MEAS] confirms that temporary bad reception by close neighbours can 1609 occur within other types of areas. Nodes were installed on the 1610 ceiling in a grid with a distance of 30-50 cm between nodes. 200 1611 nodes were distributed over an area of 10m x 5m. It clearly 1612 transpired that with increasing distance the probability of reception 1613 decreases. At the same time a few nodes furthest away from the 1614 sender had a high probability of message reception, while some close 1615 neighbours of the sender did not receive messages. The patterns of 1616 clear reception nodes evolved over time. 1618 The conclusion is that even for direct neighbours reception can 1619 temporarily be bad during periods of several minutes. For a reliable 1620 and timely communication it is imperative to have at least two 1621 communication paths available (e.g. two hop paths next to the 1-hop 1622 path for direct neighbours). 1624 Authors' Addresses 1626 Anders Brandt 1627 Sigma Designs 1629 Email: anders_Brandt@sigmadesigns.com 1631 Emmanuel Baccelli 1632 INRIA 1634 Email: Emmanuel.Baccelli@inria.fr 1636 Robert Cragie 1637 ARM Ltd. 1638 110 Fulbourn Road 1639 Cambridge CB1 9NJ 1640 UK 1642 Email: robert.cragie@gridmerge.com 1644 Peter van der Stok 1645 Consultant 1647 Email: consultancy@vanderstok.org