idnits 2.17.1 draft-ietf-roll-security-threats-06.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (December 15, 2013) is 3784 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'IS07498-2' is mentioned on line 155, but not defined == Unused Reference: 'RFC4107' is defined on line 1574, but no explicit reference was found in the text == Unused Reference: 'RFC4301' is defined on line 1577, but no explicit reference was found in the text == Unused Reference: 'FIPS197' is defined on line 1600, but no explicit reference was found in the text == Unused Reference: 'Huang2003' is defined on line 1604, but no explicit reference was found in the text == Unused Reference: 'I-D.alexander-roll-mikey-lln-key-mgmt' is defined on line 1612, but no explicit reference was found in the text == Unused Reference: 'IEEE1149.1' is defined on line 1629, but no explicit reference was found in the text == Unused Reference: 'Kasumi3gpp' is defined on line 1645, but no explicit reference was found in the text == Unused Reference: 'Messerges2003' is defined on line 1650, but no explicit reference was found in the text == Unused Reference: 'RFC2080' is defined on line 1671, but no explicit reference was found in the text == Unused Reference: 'RFC2453' is defined on line 1676, but no explicit reference was found in the text == Unused Reference: 'RFC3830' is defined on line 1682, but no explicit reference was found in the text == Unused Reference: 'RFC4046' is defined on line 1686, but no explicit reference was found in the text == Unused Reference: 'RFC5055' is defined on line 1699, but no explicit reference was found in the text == Unused Reference: 'RFC5197' is defined on line 1703, but no explicit reference was found in the text == Unused Reference: 'RFC5996' is defined on line 1727, but no explicit reference was found in the text == Unused Reference: 'RFC6574' is defined on line 1734, but no explicit reference was found in the text == Unused Reference: 'Szcze2008' is defined on line 1751, but no explicit reference was found in the text == Unused Reference: 'Wander2005' is defined on line 1764, but no explicit reference was found in the text == Outdated reference: A later version (-13) exists of draft-ietf-roll-terminology-04 == Outdated reference: A later version (-06) exists of draft-kelsey-intarea-mesh-link-establishment-05 -- Obsolete informational reference (is this intentional?): RFC 1142 (Obsoleted by RFC 7142) -- Obsolete informational reference (is this intentional?): RFC 5751 (Obsoleted by RFC 8551) -- Obsolete informational reference (is this intentional?): RFC 5996 (Obsoleted by RFC 7296) -- Obsolete informational reference (is this intentional?): RFC 6824 (Obsoleted by RFC 8684) Summary: 0 errors (**), 0 flaws (~~), 22 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Routing Over Low-Power and Lossy Networks T. Tsao 3 Internet-Draft R. Alexander 4 Intended status: Informational Cooper Power Systems 5 Expires: June 18, 2014 M. Dohler 6 CTTC 7 V. Daza 8 A. Lozano 9 Universitat Pompeu Fabra 10 M. Richardson 11 Sandelman Software Works 12 December 15, 2013 14 A Security Threat Analysis for Routing Protocol for Low-power and lossy 15 networks (RPL) 16 draft-ietf-roll-security-threats-06 18 Abstract 20 This document presents a security threat analysis for the Routing 21 Protocol for Low-power and lossy networks (RPL, ROLL). The 22 development builds upon previous work on routing security and adapts 23 the assessments to the issues and constraints specific to low-power 24 and lossy networks. A systematic approach is used in defining and 25 evaluating the security threats. Applicable countermeasures are 26 application specific and are addressed in relevant applicability 27 statements. 29 Requirements Language 31 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 32 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 33 "OPTIONAL" in this document are to be interpreted as described in RFC 34 2119 [RFC2119]. 36 Status of This Memo 38 This Internet-Draft is submitted in full conformance with the 39 provisions of BCP 78 and BCP 79. 41 Internet-Drafts are working documents of the Internet Engineering 42 Task Force (IETF). Note that other groups may also distribute 43 working documents as Internet-Drafts. The list of current Internet- 44 Drafts is at http://datatracker.ietf.org/drafts/current/. 46 Internet-Drafts are draft documents valid for a maximum of six months 47 and may be updated, replaced, or obsoleted by other documents at any 48 time. It is inappropriate to use Internet-Drafts as reference 49 material or to cite them other than as "work in progress." 51 This Internet-Draft will expire on June 18, 2014. 53 Copyright Notice 55 Copyright (c) 2013 IETF Trust and the persons identified as the 56 document authors. All rights reserved. 58 This document is subject to BCP 78 and the IETF Trust's Legal 59 Provisions Relating to IETF Documents 60 (http://trustee.ietf.org/license-info) in effect on the date of 61 publication of this document. Please review these documents 62 carefully, as they describe your rights and restrictions with respect 63 to this document. Code Components extracted from this document must 64 include Simplified BSD License text as described in Section 4.e of 65 the Trust Legal Provisions and are provided without warranty as 66 described in the Simplified BSD License. 68 Table of Contents 70 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 71 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 72 3. Considerations on RPL Security . . . . . . . . . . . . . . . 4 73 3.1. Routing Assets and Points of Access . . . . . . . . . . . 5 74 3.2. The ISO 7498-2 Security Reference Model . . . . . . . . . 7 75 3.3. Issues Specific to or Amplified in LLNs . . . . . . . . . 9 76 3.4. RPL Security Objectives . . . . . . . . . . . . . . . . . 11 77 4. Threat Sources . . . . . . . . . . . . . . . . . . . . . . . 12 78 5. Threats and Attacks . . . . . . . . . . . . . . . . . . . . . 12 79 5.1. Threats due to failures to Authenticate . . . . . . . . . 13 80 5.1.1. Node Impersonation . . . . . . . . . . . . . . . . . 13 81 5.1.2. Dummy Node . . . . . . . . . . . . . . . . . . . . . 13 82 5.1.3. Node Resource Spam . . . . . . . . . . . . . . . . . 13 83 5.2. Threats and Attacks on Confidentiality . . . . . . . . . 13 84 5.2.1. Routing Exchange Exposure . . . . . . . . . . . . . . 14 85 5.2.2. Routing Information (Routes and Network Topology) 86 Exposure . . . . . . . . . . . . . . . . . . . . . . 14 87 5.3. Threats and Attacks on Integrity . . . . . . . . . . . . 15 88 5.3.1. Routing Information Manipulation . . . . . . . . . . 15 89 5.3.2. Node Identity Misappropriation . . . . . . . . . . . 16 90 5.4. Threats and Attacks on Availability . . . . . . . . . . . 16 91 5.4.1. Routing Exchange Interference or Disruption . . . . . 16 92 5.4.2. Network Traffic Forwarding Disruption . . . . . . . . 16 93 5.4.3. Communications Resource Disruption . . . . . . . . . 18 94 5.4.4. Node Resource Exhaustion . . . . . . . . . . . . . . 18 95 6. Countermeasures . . . . . . . . . . . . . . . . . . . . . . . 19 96 6.1. Confidentiality Attack Countermeasures . . . . . . . . . 19 97 6.1.1. Countering Deliberate Exposure Attacks . . . . . . . 19 98 6.1.2. Countering Passive Wiretapping Attacks . . . . . . . 20 99 6.1.3. Countering Traffic Analysis . . . . . . . . . . . . . 21 100 6.1.4. Countering Remote Device Access Attacks . . . . . . . 22 101 6.2. Integrity Attack Countermeasures . . . . . . . . . . . . 22 102 6.2.1. Countering Unauthorized Modification Attacks . . . . 22 103 6.2.2. Countering Overclaiming and Misclaiming Attacks . . . 23 104 6.2.3. Countering Identity (including Sybil) Attacks . . . . 23 105 6.2.4. Countering Routing Information Replay Attacks . . . . 23 106 6.2.5. Countering Byzantine Routing Information Attacks . . 24 107 6.3. Availability Attack Countermeasures . . . . . . . . . . . 25 108 6.3.1. Countering HELLO Flood Attacks and ACK Spoofing 109 Attacks . . . . . . . . . . . . . . . . . . . . . . . 25 110 6.3.2. Countering Overload Attacks . . . . . . . . . . . . . 26 111 6.3.3. Countering Selective Forwarding Attacks . . . . . . . 27 112 6.3.4. Countering Sinkhole Attacks . . . . . . . . . . . . . 28 113 6.3.5. Countering Wormhole Attacks . . . . . . . . . . . . . 29 114 7. RPL Security Features . . . . . . . . . . . . . . . . . . . . 29 115 7.1. Confidentiality Features . . . . . . . . . . . . . . . . 30 116 7.2. Integrity Features . . . . . . . . . . . . . . . . . . . 31 117 7.3. Availability Features . . . . . . . . . . . . . . . . . . 32 118 7.4. Key Management . . . . . . . . . . . . . . . . . . . . . 32 119 7.5. Consideration on Matching Application Domain Needs . . . 33 120 7.5.1. Mechanisms and Operations . . . . . . . . . . . . . . 33 121 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 122 9. Security Considerations . . . . . . . . . . . . . . . . . . . 34 123 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 34 124 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 34 125 11.1. Normative References . . . . . . . . . . . . . . . . . . 35 126 11.2. Informative References . . . . . . . . . . . . . . . . . 35 127 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39 129 1. Introduction 131 In recent times, networked electronic devices have found an 132 increasing number of applications in various fields. Yet, for 133 reasons ranging from operational application to economics, these 134 wired and wireless devices are often supplied with minimum physical 135 resources; the constraints include those on computational resources 136 (RAM, clock speed, storage), communication resources (duty cycle, 137 packet size, etc.), but also form factors that may rule out user 138 access interfaces (e.g., the housing of a small stick-on switch), or 139 simply safety considerations (e.g., with gas meters). As a 140 consequence, the resulting networks are more prone to loss of traffic 141 and other vulnerabilities. The proliferation of these low-power and 142 lossy networks (LLNs), however, are drawing efforts to examine and 143 address their potential networking challenges. Securing the 144 establishment and maintenance of network connectivity among these 145 deployed devices becomes one of these key challenges. 147 This document presents a threat analysis for securing the Routing 148 Protocol for LLNs (RPL). The process requires two steps. First, the 149 analysis will be used to identify pertinent security issues. The 150 second step is to identify necessary countermeasures to secure RPL. 151 As there are multiple ways to solve the problem and the specific 152 tradeoffs are deployment specific, the specific countermeasure to be 153 used is detailed in applicatbility statements. 155 This document uses [IS07498-2] model, which includes Authentication, 156 Access Control, Data Confidentiality, Data Integrity, and Non- 157 Repudiation but to which Availability is added. 159 All of this document concerns itself with securing the control plane 160 traffic. As such it does not address authorization or authentication 161 of application traffic, nor does it deal with multicast traffic 162 controls. Mechanisms used to secure RPL traffic SHOULD be leveraged 163 to secure other protocols. 165 2. Terminology 167 This document adopts the terminology defined in [RFC6550], in 168 [RFC4949], and in [I-D.ietf-roll-terminology]. 170 The terms control plane and forwarding plane are used consistently 171 with section 1 of [RFC6192]. 173 3. Considerations on RPL Security 175 Routing security, in essence, ensures that the routing protocol 176 operates correctly. It entails implementing measures to ensure 177 controlled state changes on devices and network elements, both based 178 on external inputs (received via communications) or internal inputs 179 (physical security of device itself and parameters maintained by the 180 device, including, e.g., clock). State changes would thereby involve 181 not only authorization of injector's actions, authentication of 182 injectors, and potentially confidentiality of routing data, but also 183 proper order of state changes through timeliness, since seriously 184 delayed state changes, such as commands or updates of routing tables, 185 may negatively impact system operation. A security assesment can 186 therefore begin with a focus on the assets [RFC4949] that may be the 187 target of the state changes and the access points in terms of 188 interfaces and protocol exchanges through which such changes may 189 occur. In the case of routing security the focus is directed towards 190 the elements associated with the establishment and maintenance of 191 network connectivity. 193 This section sets the stage for the development of the analysis by 194 applying the systematic approach proposed in [Myagmar2005] to the 195 routing security, while also drawing references from other reviews 196 and assessments found in the literature, particularly, [RFC4593] and 197 [Karlof2003]. The subsequent subsections begin with a focus on the 198 elements of a generic routing process that is used to establish 199 routing assets and points of access to the routing functionality. 200 Next, the [ISO.7498-2.1988] security model is briefly described. 201 Then, consideration is given to issues specific to or amplified in 202 LLNs. This section concludes with the formulation of a set of 203 security objectives for RPL. 205 3.1. Routing Assets and Points of Access 207 An asset is an important system resource (including information, 208 process, or physical resource), the access to, corruption or loss of 209 which adversely affects the system. In the control plane context, an 210 asset is information about the network, processes used to manage and 211 manipulate this data, and the physical devices on which this data is 212 stored and manipulated. The corruption or loss of these assets may 213 adversely impact the control plane of the network. Within the same 214 context, a point of access is an interface or protocol that 215 facilitates interaction between control plane components. 216 Identifying these assets and points of access will provide a basis 217 for enumerating the attack surface of the control plane. 219 A level-0 data flow diagram [Yourdon1979] is used here to identify 220 the assets and points of access within a generic routing process. 221 The use of a data flow diagram allows for a clear and concise model 222 of the way in which routing nodes interact and process information, 223 and hence provides a context for threats and attacks. The goal of 224 the model is to be as detailed as possible so that corresponding 225 assets, points of access, and process in an individual routing 226 protocol can be readily identified. 228 Figure 1 shows that nodes participating in the routing process 229 transmit messages to discover neighbors and to exchange routing 230 information; routes are then generated and stored, which may be 231 maintained in the form of the protocol forwarding table. The nodes 232 use the derived routes for making forwarding decisions. 234 ................................................... 235 : : 236 : : 238 |Node_i|<------->(Routing Neighbor _________________ : 239 : Discovery)------------>Neighbor Topology : 240 : -------+--------- : 241 : | : 242 |Node_j|<------->(Route/Topology +--------+ : 243 : Exchange) | : 244 : | V ______ : 245 : +---->(Route Generation)--->Routes : 246 : ---+-- : 247 : | : 248 : Routing on a Node Node_k | : 249 ................................................... 250 | 251 |Forwarding | 252 |On Node_l|<-------------------------------------------+ 254 Notation: 256 (Proc) A process Proc 258 ________ 259 topology A structure storing neighbor adjacency (parent/child) 260 -------- 261 ________ 262 routes A structure storing the forwarding information base (FIB) 263 -------- 265 |Node_n| An external entity Node_n 267 -------> Data flow 269 Figure 1: Data Flow Diagram of a Generic Routing Process 271 It is seen from Figure 1 that 273 o Assets include 275 * routing and/or topology information; 277 * route generation process; 279 * communication channel resources (bandwidth); 281 * node resources (computing capacity, memory, and remaining 282 energy); 284 * node identifiers (including node identity and ascribed 285 attributes such as relative or absolute node location). 287 o Points of access include 289 * neighbor discovery; 291 * route/topology exchange; 293 * node physical interfaces (including access to data storage). 295 A focus on the above list of assets and points of access enables a 296 more directed assessment of routing security; for example, it is 297 readily understood that some routing attacks are in the form of 298 attempts to misrepresent routing topology. Indeed, the intention of 299 the security threat analysis is to be comprehensive. Hence, some of 300 the discussion which follows is associated with assets and points of 301 access that are not directly related to routing protocol design but 302 nonetheless provided for reference since they do have direct 303 consequences on the security of routing. 305 3.2. The ISO 7498-2 Security Reference Model 307 At the conceptual level, security within an information system in 308 general and applied to RPL in particular is concerned with the 309 primary issues of authentication, access control, data 310 confidentiality, data integrity, and non-repudiation. In the context 311 of RPL 313 Authentication 314 Authentication involves the mutual authentication of the 315 routing peers prior to exchanging route information (i.e., peer 316 authentication) as well as ensuring that the source of the 317 route data is from the peer (i.e., data origin authentication). 318 [RFC5548] points out that LLNs can be drained by 319 unauthenticated peers before configuration. [RFC5673] requires 320 availability of open and untrusted side channels for new 321 joiners, and it requires strong and automated authentication so 322 that networks can automatically accept or reject new joiners. 324 Access Control 325 Access Control provides protection against unauthorized use of 326 the asset, and deals with the authorization of a node. 328 Confidentiality 329 Confidentiality involves the protection of routing information 330 as well as routing neighbor maintenance exchanges so that only 331 authorized and intended network entities may view or access it. 333 Because LLNs are most commonly found on a publicly accessible 334 shared medium, e.g., air or wiring in a building, and sometimes 335 formed ad hoc, confidentiality also extends to the neighbor 336 state and database information within the routing device since 337 the deployment of the network creates the potential for 338 unauthorized access to the physical devices themselves. 340 Integrity 341 Integrity entails the protection of routing information and 342 routing neighbor maintenance exchanges, as well as derived 343 information maintained in the database, from unauthorized 344 modification, insertions, deletions or replays. to be addressed 345 beyond the routing protocol. 347 Non-repudiation 348 Non-repudiation is the assurance that the transmission and/or 349 reception of a message cannot later be denied. The service of 350 non-repudiation applies after-the-fact and thus relies on the 351 logging or other capture of on-going message exchanges and 352 signatures. Applied to routing, non-repudiation is not an 353 issue because it does not apply to routing protocols, which are 354 machine-to-machine protocols. Further, with the LLN 355 application domains as described in [RFC5867] and [RFC5548], 356 proactive measures are much more critical than retrospective 357 protections. Finally, given the significant practical limits 358 to on-going routing transaction logging and storage and 359 individual device digital signature verification for each 360 exchange, non-repudiation in the context of routing is an 361 unsupportable burden that bears no further considered as an RPL 362 security issue. 364 It is recognized that, besides those security issues captured in the 365 ISO 7498-2 model, availability, is a security requirement: 367 Availability 368 Availability ensures that routing information exchanges and 369 forwarding services need to be available when they are required 370 for the functioning of the serving network. Availability will 371 apply to maintaining efficient and correct operation of routing 372 and neighbor discovery exchanges (including needed information) 373 and forwarding services so as not to impair or limit the 374 network's central traffic flow function 376 It should be emphasized here that for RPL security the above 377 requirements must be complemented by the proper security policies and 378 enforcement mechanisms to ensure that security objectives are met by 379 a given RPL implementation. 381 3.3. Issues Specific to or Amplified in LLNs 383 The work [RFC5548], [RFC5673], [RFC5826], and [RFC5867] have 384 identified specific issues and constraints of routing in LLNs for the 385 urban, industrial, home automation, and building automation 386 application domains, respectively. The following is a list of 387 observations and evaluation of their impact on routing security 388 considerations. 390 Limited energy, memory, and processing node resources 391 As a consequence of these constraints, there is an even more 392 critical need than usual for a careful study of trade-offs on 393 which and what level of security services are to be afforded 394 during the system design process. The chosen security 395 mechanisms also needs to work within these constraints. 396 Synchronization of security states with sleepy nodes is yet 397 another issue. 399 Large scale of rolled out network 400 The possibly numerous nodes to be deployed make manual on-site 401 configuration unlikely. For example, an urban deployment can 402 see several hundreds of thousands of nodes being installed by 403 many installers with a low level of expertise. Nodes may be 404 installed and not activated for many years, and additional 405 nodes may be added later on, which may be from old inventory. 406 The lifetime of the network is measured in decades, and this 407 complicates the operation of key management. 409 Autonomous operations 410 Self-forming and self-organizing are commonly prescribed 411 requirements of LLNs. In other words, a routing protocol 412 designed for LLNs needs to contain elements of ad hoc 413 networking and in most cases cannot rely on manual 414 configuration for initialization or local filtering rules. 415 Network topology/ownership changes, partitioning or merging, as 416 well as node replacement, can all contribute to complicating 417 the operations of key management. 419 Highly directional traffic 420 Some types of LLNs see a high percentage of their total traffic 421 traverse between the nodes and the LLN Border Routers (LBRs) 422 where the LLNs connect to non-LLNs. The special routing status 423 of and the greater volume of traffic near the LBRs have routing 424 security consequences as a higher valued attack target. In 425 fact, when Point-to-MultiPoint (P2MP) and MultiPoint-to-Point 426 (MP2P) traffic represents a majority of the traffic, routing 427 attacks consisting of advertising incorrect preferred routes 428 can cause serious damage. 430 While it might seem that nodes higher up in the cyclic graph 431 (i.e. those with lower rank) should be secured in a stronger 432 fashion, it is not in general easy to predict which nodes will 433 occupy those positions until after deployment. Issues of 434 redundancy and inventory control suggests that any node might 435 wind up in such a sensitive attack position, so all nodes need 436 to be equally secure. 438 In addition, even if it were possible to predict which nodes 439 will occupy positions of lower rank and provision them with 440 stronger security mechanisms, in the absense of a strong 441 authorization model, any node could advertise an incorrect 442 preferred route. 444 Unattended locations and limited physical security 445 Many applications have the nodes deployed in unattended or 446 remote locations; furthermore, the nodes themselves are often 447 built with minimal physical protection. These constraints 448 lower the barrier of accessing the data or security material 449 stored on the nodes through physical means. 451 Support for mobility 452 On the one hand, only a limited number of applications require 453 the support of mobile nodes, e.g., a home LLN that includes 454 nodes on wearable health care devices or an industry LLN that 455 includes nodes on cranes and vehicles. On the other hand, if a 456 routing protocol is indeed used in such applications, it will 457 clearly need to have corresponding security mechanisms. 459 Additionally nodes may appear to move from one side of a wall 460 to another without any actual motion involved, the result of 461 changes to electromagnetic properties, such as opening and 462 closing of a metal door. 464 Support for multicast and anycast 465 Support for multicast and anycast is called out chiefly for 466 large-scale networks. Since application of these routing 467 mechanisms in autonomous operations of many nodes is new, the 468 consequence on security requires careful consideration. 470 The above list considers how an LLN's physical constraints, size, 471 operations, and variety of application areas may impact security. 472 However, it is the combinations of these factors that particularly 473 stress the security concerns. For instance, securing routing for a 474 large number of autonomous devices that are left in unattended 475 locations with limited physical security presents challenges that are 476 not found in the common circumstance of administered networked 477 routers. The following subsection sets up the security objectives 478 for the routing protocol designed by the ROLL WG. 480 3.4. RPL Security Objectives 482 This subsection applies the ISO 7498-2 model to routing assets and 483 access points, taking into account the LLN issues, to develop a set 484 of RPL security objectives. 486 Since the fundamental function of a routing protocol is to build 487 routes for forwarding packets, it is essential to ensure that: 489 o routing/topology information iintegrity remains intact during 490 transfer and in storage; 492 o routing/topology information is used by authorized entities; 494 o routing/topology information is available when needed. 496 In conjunction, it is necessary to be assured that 498 o authorized peers authenticate themselves during the routing 499 neighbor discovery process; 501 o the routing/topology information received is generated according 502 to the protocol design. 504 However, when trust cannot be fully vested through authentication of 505 the principals alone, i.e., concerns of insider attack, assurance of 506 the truthfulness and timeliness of the received routing/topology 507 information is necessary. With regard to confidentiality, protecting 508 the routing/topology information from unauthorized exposure may be 509 desirable in certain cases but is in itself less pertinent in general 510 to the routing function. 512 One of the main problems of synchronizing security states of sleepy 513 nodes, as listed in the last subsection, lies in difficulties in 514 authentication; these nodes may not have received in time the most 515 recent update of security material. Similarly, the issues of minimal 516 manual configuration, prolonged rollout and delayed addition of 517 nodes, and network topology changes also complicate key management. 519 Hence, routing in LLNs needs to bootstrap the authentication process 520 and allow for flexible expiration scheme of authentication 521 credentials. 523 The vulnerability brought forth by some special-function nodes, e.g., 524 LBRs, requires the assurance, particularly in a security context, 526 o of the availability of communication channels and node resources; 528 o that the neighbor discovery process operates without undermining 529 routing availability. 531 There are other factors which are not part of RPL but directly 532 affecting its function. These factors include weaker barrier of 533 accessing the data or security material stored on the nodes through 534 physical means; therefore, the internal and external interfaces of a 535 node need to be adequate for guarding the integrity, and possibly the 536 confidentiality, of stored information, as well as the integrity of 537 routing and route generation processes. 539 Each individual system's use and environment will dictate how the 540 above objectives are applied, including the choices of security 541 services as well as the strengths of the mechanisms that must be 542 implemented. The next two sections take a closer look at how the RPL 543 security objectives may be compromised and how those potential 544 compromises can be countered. 546 4. Threat Sources 548 [RFC4593] provides a detailed review of the threat sources: outsiders 549 and byzantine. RPL has the same threat sources. 551 5. Threats and Attacks 553 This section outlines general categories of threats under the ISO 554 7498-2 model and highlights the specific attacks in each of these 555 categories for RPL. As defined in [RFC4949], a threat is "a 556 potential for violation of security, which exists when there is a 557 circumstance, capability, action, or event that could breach security 558 and cause harm." 560 An attack is "an assault on system security that derives from an 561 intelligent threat, i.e., an intelligent act that is a deliberate 562 attempt (especially in the sense of a method or technique) to evade 563 security services and violate the security policy of a system." 565 The subsequent subsections consider the threats and the attacks that 566 can cause security breaches under the ISO 7498-2 model to the routing 567 assets and via the routing points of access identified in 568 Section 3.1. The assessment steps through the security concerns of 569 each routing asset and looks at the attacks that can exploit routing 570 points of access. The threats and attacks identified are based on 571 the routing model analysis and associated review of the existing 572 literature. The source of the attacks is assumed to be from either 573 inside or outside attackers. The capability these attackes may be 574 limited to node-equivalent, but also to more sophisticated computing 575 platforms. 577 5.1. Threats due to failures to Authenticate 579 5.1.1. Node Impersonation 581 If an attacker can join a network with any identify, then it may be 582 able to assume the role of a legitimate (and existing node). It may 583 be able to report false readings (in metering applications), or 584 provide inappropriate control messages (in control systems involving 585 actuators) if the security of the application is leveraged from the 586 security of the routing system. 588 In other systems where there is separate application layer security, 589 the ability to impersonate a node would permit an attacker to direct 590 traffic to itself, which facilitates on-path attacks including 591 replaying, delaying, or duplicating control messages. 593 5.1.2. Dummy Node 595 If an attacker can join a network with any identify, then it can 596 pretend to be a legitimate node, receiving any service legitimate 597 nodes receive. It may also be able to report false readings (in 598 metering applications), or provide inappropriate authorizations (in 599 control systems involving actuators), or perform any other attacks 600 that are facilitated by being able to direct traffic towards itself. 602 5.1.3. Node Resource Spam 604 If an attacker can join a network with any identify, then it can 605 continously do so, draining down the resources of the network to 606 store identity and routing information, potentionally forcing 607 legitimate nodes of the network. 609 5.2. Threats and Attacks on Confidentiality 610 The assessment in Section 3.2 indicates that there are threat actions 611 against the confidentiality of routing information at all points of 612 access. This threat results in disclosure, as described in 613 Section 3.1.2 of [RFC4593], and it involves a disclosure of routing 614 information. 616 5.2.1. Routing Exchange Exposure 618 Routing exchanges include both routing information as well as 619 information associated with the establishment and maintenance of 620 neighbor state information. As indicated in Section 3.1, the 621 associated routing information assets may also include device 622 specific resource information, such as memory, remaining power, etc., 623 that may be metrics of the routing protocol. 625 The routing exchanges will contain reachability information, which 626 would identify the relative importance of different nodes in the 627 network. Nodes higher up in the DODAG, to which more streams of 628 information flow, would be more interesting targets for other 629 attacks, and routing exchange exposures can identify them. 631 5.2.2. Routing Information (Routes and Network Topology) Exposure 633 Routes (which may be maintained in the form of the protocol 634 forwarding table) and neighbor topology information are the products 635 of the routing process that are stored within the node device 636 databases. 638 The exposure of this information will allow attachers to gain direct 639 access to the configuration and connectivity of the network thereby 640 exposing routing to targeted attacks on key nodes or links. Since 641 routes and neighbor topology information is stored within the node 642 device, threats or attacks on the confidentiality of the information 643 will apply to the physical device including specified and unspecified 644 internal and external interfaces. 646 The forms of attack that allow unauthorized access or disclosure of 647 the routing information (other than occurring through explicit node 648 exchanges) will include: 650 o Physical device compromise; 652 o Remote device access attacks (including those occurring through 653 remote network management or software/field upgrade interfaces). 655 Both of these attack vectors are considered a device specific issue, 656 and are out of scope for RPL to defend against. In some 657 applications, physical device compromise may be a real threat and it 658 may be necessary to provide for other devices to react quickly to 659 exclude a compromised device. 661 5.3. Threats and Attacks on Integrity 663 The assessment in Section 3.2 indicates that information and identity 664 assets are exposed to integrity threats from all points of access. 665 In other words, the integrity threat space is defined by the 666 potential for exploitation introduced by access to assets available 667 through routing exchanges and the on-device storage. 669 5.3.1. Routing Information Manipulation 671 Manipulation of routing information that range from neighbor states 672 to derived routes will allow unauthorized sources to influence the 673 operation and convergence of the routing protocols and ultimately 674 impact the forwarding decisions made in the network. 676 Manipulation of topology and reachability information will allow 677 unauthorized sources to influence the nodes with which routing 678 information is exchanged and updated. The consequence of 679 manipulating routing exchanges can thus lead to sub-optimality and 680 fragmentation or partitioning of the network by restricting the 681 universe of routers with which associations can be established and 682 maintained. 684 A sub-optimal network may use too much power and/or may congest some 685 routes leading to premature failure of a node, and a denial of 686 service on the entire network. 688 In addition, being able to attract network traffic can make a 689 blackhole attack more damaging. 691 The forms of attack that allow manipulation to compromise the content 692 and validity of routing information include 694 o Falsification, including overclaiming and misclaiming; 696 o Routing information replay; 698 o Byzantine (internal) attacks that permit corruption of routing 699 information in the node even where the node continues to be a 700 validated entity within the network (see, for example, [RFC4593] 701 for further discussions on Byzantine attacks); 703 o Physical device compromise or remote device access attacks. 705 5.3.2. Node Identity Misappropriation 707 Falsification or misappropriation of node identity between routing 708 participants opens the door for other attacks; it can also cause 709 incorrect routing relationships to form and/or topologies to emerge. 710 Routing attacks may also be mounted through less sophisticated node 711 identity misappropriation in which the valid information broadcast or 712 exchanged by a node is replayed without modification. The receipt of 713 seemingly valid information that is however no longer current can 714 result in routing disruption, and instability (including failure to 715 converge). Without measures to authenticate the routing participants 716 and to ensure the freshness and validity of the received information 717 the protocol operation can be compromised. The forms of attack that 718 misuse node identity include 720 o Identity attacks, including Sybil attacks in which a malicious 721 node illegitimately assumes multiple identities; 723 o Routing information replay. 725 5.4. Threats and Attacks on Availability 727 The assessment in Section 3.2 indicates that the process and 728 resources assets are exposed to threats against availability; attacks 729 in this category may exploit directly or indirectly information 730 exchange or forwarding (see [RFC4732] for a general discussion). 732 5.4.1. Routing Exchange Interference or Disruption 734 Interference is the threat action and disruption is threat 735 consequence that allows attackers to influence the operation and 736 convergence of the routing protocols by impeding the routing 737 information exchange. 739 The forms of attack that allow interference or disruption of routing 740 exchange include: 742 o Routing information replay; 744 o ACK spoofing; 746 o Overload attacks. (Section 6.3.2) 748 In addition, attacks may also be directly conducted at the physical 749 layer in the form of jamming or interfering. 751 5.4.2. Network Traffic Forwarding Disruption 752 The disruption of the network traffic forwarding capability will 753 undermine the central function of network routers and the ability to 754 handle user traffic. This affects the availability of the network 755 because of the potential to impair the primary capability of the 756 network. 758 In addition to physical layer obstructions, the forms of attack that 759 allows disruption of network traffic forwarding include [Karlof2003] 761 o Selective forwarding attacks; 763 |Node_1|--(msg1|msg2|msg3)-->|Attacker|--(msg1|msg3)-->|Node_2| 765 Figure 2: Selective Forwarding 767 o Wormhole attacks; 769 |Node_1|-------------Unreachable---------x|Node_2| 770 | ^ 771 | Private Link | 772 '-->|Attacker_1|===========>|Attacker_2|--' 774 Figure 3: Wormhole Attacks 776 o Sinkhole attacks. 778 |Node_1| |Node_4| 779 | | 780 `--------. | 781 Falsify as \ | 782 Good Link \ | | 783 To Node_5 \ | | 784 \ V V 785 |Node_2|-->|Attacker|--Not Forwarded---x|Node_5| 786 ^ ^ \ 787 | | \ Falsify as 788 | | \Good Link 789 / | To Node_5 790 ,-------' | 791 | | 792 |Node_3| |Node_i| 794 Figure 4: Selective Forwarding, Wormhole, and Sinkhole Attacks 796 These attacks are generally done to both control plane and forwarding 797 plane traffic. A system that prevents control plane traffic (RPL 798 messages) from being diverted in these ways will also prevent actual 799 data from being diverted. 801 5.4.3. Communications Resource Disruption 803 Attacks mounted against the communication channel resource assets 804 needed by the routing protocol can be used as a means of disrupting 805 its operation. However, while various forms of Denial of Service 806 (DoS) attacks on the underlying transport subsystem will affect 807 routing protocol exchanges and operation (for example physical layer 808 RF jamming in a wireless network or link layer attacks), these 809 attacks cannot be countered by the routing protocol. As such, the 810 threats to the underlying transport network that supports routing is 811 considered beyond the scope of the current document. Nonetheless, 812 attacks on the subsystem will affect routing operation and so must be 813 directly addressed within the underlying subsystem and its 814 implemented protocol layers. 816 5.4.4. Node Resource Exhaustion 818 A potential threat consequence can arise from attempts to overload 819 the node resource asset by initiating exchanges that can lead to the 820 exhaustion of processing, memory, or energy resources. The 821 establishment and maintenance of routing neighbors opens the routing 822 process to engagement and potential acceptance of multiple 823 neighboring peers. Association information must be stored for each 824 peer entity and for the wireless network operation provisions made to 825 periodically update and reassess the associations. An introduced 826 proliferation of apparent routing peers can therefore have a negative 827 impact on node resources. 829 Node resources may also be unduly consumed by attackers attempting 830 uncontrolled topology peering or routing exchanges, routing replays, 831 or the generating of other data traffic floods. Beyond the 832 disruption of communications channel resources, these consequences 833 may be able to exhaust node resources only where the engagements are 834 able to proceed with the peer routing entities. Routing operation 835 and network forwarding functions can thus be adversely impacted by 836 node resources exhaustion that stems from attacks that include: 838 o Identity (including Sybil) attacks; 840 o Routing information replay attacks; 842 o HELLO-type flood attacks; 844 o Overload attacks. (Section 6.3.2) 846 6. Countermeasures 848 By recognizing the characteristics of LLNs that may impact routing, 849 this analysis provides the basis for understanding the capabilities 850 within RPL used to deter the identified attacks and mitigate the 851 threats. The following subsections consider such countermeasures by 852 grouping the attacks according to the classification of the ISO 853 7498-2 model so that associations with the necessary security 854 services are more readily visible. 856 6.1. Confidentiality Attack Countermeasures 858 Attacks to disclosure routing information may be mounted at the level 859 of the routing information assets, at the points of access associated 860 with routing exchanges between nodes, or through device interface 861 access. To gain access to routing/topology information, the attacker 862 may rely on a compromised node that deliberately exposes the 863 information during the routing exchange process, may rely on passive 864 wiretapping or traffic analysis, or may attempt access through a 865 component or device interface of a tampered routing node. 867 6.1.1. Countering Deliberate Exposure Attacks 869 A deliberate exposure attack is one in which an entity that is party 870 to the routing process or topology exchange allows the routing/ 871 topology information or generated route information to be exposed to 872 an unauthorized entity. 874 For instance, due to mis-configuration or inappropriate enabling of a 875 diagnostic interface, an entity might be copying ("bridging") traffic 876 from a secured ESSID/PAN to an unsecured interface. 878 A prerequisite to countering this attack is to ensure that the 879 communicating nodes are authenticated prior to data encryption 880 applied in the routing exchange. Authentication ensures that the 881 nodes are who they claim to be even though it does not provide an 882 indication of whether the node has been compromised. 884 To mitigate the risk of deliberate exposure, the process that 885 communicating nodes use to establish session keys must be peer-to- 886 peer (i.e., between the routing initiating and responding nodes). 887 This helps ensure that neither node is exchaning routing information 888 with another peer without the knowledge of both communicating peers. 889 For a deliberate exposure attack to succeed, the comprised node will 890 need to be more overt and take independent actions in order to 891 disclose the routing information to 3rd party. 893 Note that the same measures which apply to securing routing/topology 894 exchanges between operational nodes must also extend to field tools 895 and other devices used in a deployed network where such devices can 896 be configured to participate in routing exchanges. 898 6.1.2. Countering Passive Wiretapping Attacks 900 A passive wiretap attack seeks to breach routing confidentiality 901 through passive, direct analysis and processing of the information 902 exchanges between nodes. 904 Passive wiretap attacks can be directly countered through the use of 905 data encryption for all routing exchanges. Only when a validated and 906 authenticated node association is completed will routing exchange be 907 allowed to proceed using established session keys and an agreed 908 encryption algorithm. The mandatory to implement CCM mode AES-128 909 method, is described in [RFC3610], and is believed to be secure 910 against a brute force attack by even the most well equiped adversary. 912 The significant challenge for RPL is in the provisioning of the key, 913 which in some modes of RFC6550 is used network-wide. RFC6550 does 914 not solve this problem, and it is the subject of significant future 915 work: see, for instance: [AceCharterProposal], [SolaceProposal], 916 [SmartObjectSecurityWorkshop]. 918 A number of deployments, such as [ZigBeeIP] specify no layer-3/RPL 919 encryption or authentication and rely upon similiar security at 920 layer-2. These networks are immune to outside wiretapping attacks, 921 but are particularly vulnerable to passive (and active) attacks 922 through compromises of nodes. 924 Section 10.9 of [RFC6550] specifies AES-128 in CCM mode with a 32-bit 925 MAC. 927 Section 5.6 Zigbee IP [ZigBeeIP] specifies use of CCM, with PANA and 928 EAP-TLS for key management. 930 6.1.3. Countering Traffic Analysis 932 Traffic analysis provides an indirect means of subverting 933 confidentiality and gaining access to routing information by allowing 934 an attacker to indirectly map the connectivity or flow patterns 935 (including link-load) of the network from which other attacks can be 936 mounted. The traffic analysis attack on an LLN, especially one 937 founded on shared medium, is passive and relies on the ability to 938 read the immutable source/destination layer-2 and/or layer-3 routing 939 information that must remain unencrypted to permit network routing. 941 One way in which passive traffic analysis attacks can be muted is 942 through the support of load balancing that allows traffic to a given 943 destination to be sent along diverse routing paths. RPL does not 944 generally support multi-path routing within a single DODAG. Multiple 945 DODAGs are supported in the protocol, and an implementation could 946 make use of that. RPL does not have any inherent or standard way to 947 guarantee that the different DODAGs would have significantly diverse 948 paths. Having the diverse DODAGs routed at different border routers 949 might work in some instances, and this could be combined with a 950 multipath technology like MPTCP ([RFC6824]. It is unlikely that it 951 will be affordable in many LLNs, as few deployments will have memory 952 space for more than a few sets of DODAG tables. 954 Another approach to countering passive traffic analysis could be for 955 nodes to maintain constant amount of traffic to different 956 destinations through the generation of arbitrary traffic flows; the 957 drawback of course would be the consequent overhead and energy 958 expenditure. 960 The only means of fully countering a traffic analysis attack is 961 through the use of tunneling (encapsulation) where encryption is 962 applied across the entirety of the original packet source/destination 963 addresses. Deployments which use layer-2 security that includes 964 encryption already do this for all traffic. 966 6.1.4. Countering Remote Device Access Attacks 968 Where LLN nodes are deployed in the field, measures are introduced to 969 allow for remote retrieval of routing data and for software or field 970 upgrades. These paths create the potential for a device to be 971 remotely accessed across the network or through a provided field 972 tool. In the case of network management a node can be directly 973 requested to provide routing tables and neighbor information. 975 To ensure confidentiality of the node routing information against 976 attacks through remote access, any local or remote device requesting 977 routing information must be authenticated, and must be authorized for 978 that access. Since remote access is not invoked as part of a routing 979 protocol security of routing information stored on the node against 980 remote access will not be addressable as part of the routing 981 protocol. 983 6.2. Integrity Attack Countermeasures 985 Integrity attack countermeasures address routing information 986 manipulation, as well as node identity and routing information 987 misuse. Manipulation can occur in the form of falsification attack 988 and physical compromise. To be effective, the following development 989 considers the two aspects of falsification, namely, the unauthorized 990 modifications and the overclaiming and misclaiming content. The 991 countering of physical compromise was considered in the previous 992 section and is not repeated here. With regard to misuse, there are 993 two types of attacks to be deterred, identity attacks and replay 994 attacks. 996 6.2.1. Countering Unauthorized Modification Attacks 998 Unauthorized modifications may occur in the form of altering the 999 message being transferred or the data stored. Therefore, it is 1000 necessary to ensure that only authorized nodes can change the portion 1001 of the information that is allowed to be mutable, while the integrity 1002 of the rest of the information is protected, e.g., through well- 1003 studied cryptographic mechanisms. 1005 Unauthorized modifications may also occur in the form of insertion or 1006 deletion of messages during protocol changes. Therefore, the 1007 protocol needs to ensure the integrity of the sequence of the 1008 exchange sequence. 1010 The countermeasure to unauthorized modifications needs to: 1012 o implement access control on storage; 1013 o provide data integrity service to transferred messages and stored 1014 data; 1016 o include sequence number under integrity protection. 1018 6.2.2. Countering Overclaiming and Misclaiming Attacks 1020 Both overclaiming and misclaiming aim to introduce false routes or 1021 topology that would not be generated by the network otherwise, while 1022 there are not necessarily unauthorized modifications to the routing 1023 messages or information. In order to counter overclaiming, the 1024 capability to determine unreasonable routes or topology is required. 1026 The counter to overclaiming and misclaiming may employ: 1028 o comparison with historical routing/topology data; 1030 o designs which restrict realizable network topologies. 1032 RPL includes no specific mechanisms in the protocol to counter 1033 overlaims. An implementation could have specific heuristics 1034 implemented locally. 1036 6.2.3. Countering Identity (including Sybil) Attacks 1038 Identity attacks, sometimes simply called spoofing, seek to gain or 1039 damage assets whose access is controlled through identity. In 1040 routing, an identity attacker can illegitimately participate in 1041 routing exchanges, distribute false routing information, or cause an 1042 invalid outcome of a routing process. 1044 A perpetrator of Sybil attacks assumes multiple identities. The 1045 result is not only an amplification of the damage to routing, but 1046 extension to new areas, e.g., where geographic distribution is 1047 explicitly or implicitly an asset to an application running on the 1048 LLN, for example, the LBR in a P2MP or MP2P LLN. 1050 RPL includes specific public key based authentication at layer-3 that 1051 provide for authorization. Many deployments use layer-2 security 1052 that includes admission controls at layer-2 using mechanisms such as 1053 PANA. 1055 6.2.4. Countering Routing Information Replay Attacks 1057 In many routing protocols, message replay can result in false 1058 topology and/or routes. This is often counted with some kind of 1059 counter to ensure the freshness of the message. Replay of a current, 1060 literal RPL message are in general idempotent to the topology. An 1061 older (lower DODAGVersionNumber) message, if replayed would be 1062 rejected as being stale. The trickle algorithm further dampens the 1063 affect of any such replay, as if the message was current, then it 1064 would contain the same information as before, and it would cause no 1065 network changes. 1067 Replays may well occur in some radio technologies (not very likely, 1068 802.15.4) as a result of echos or reflections, and so some replays 1069 must be assumed to occur naturally. 1071 Note that for there to be no affect at all, the replay must be done 1072 with the same apparent power for all nodes receiving the replay. A 1073 change in apparent power might change the metrics through changes to 1074 the ETX and therefore might affect the routing even though the 1075 contents of the packet were never changed. Any replay which appears 1076 to be different should be analyzed as a Selective Forwarding Attack, 1077 Sinkhole Attack or Wormhole Attack. 1079 6.2.5. Countering Byzantine Routing Information Attacks 1081 Where a node is captured or compromised but continues to operate for 1082 a period with valid network security credentials, the potential 1083 exists for routing information to be manipulated. This compromise of 1084 the routing information could thus exist in spite of security 1085 countermeasures that operate between the peer routing devices. 1087 Consistent with the end-to-end principle of communications, such an 1088 attack can only be fully addressed through measures operating 1089 directly between the routing entities themselves or by means of 1090 external entities able to access and independently analyze the 1091 routing information. Verification of the authenticity and liveliness 1092 of the routing entities can therefore only provide a limited counter 1093 against internal (Byzantine) node attacks. 1095 For link state routing protocols where information is flooded with, 1096 for example, areas (OSPF [RFC2328]) or levels (ISIS [RFC1142]), 1097 countermeasures can be directly applied by the routing entities 1098 through the processing and comparison of link state information 1099 received from different peers. By comparing the link information 1100 from multiple sources decisions can be made by a routing node or 1101 external entity with regard to routing information validity; see 1102 Chapter 2 of [Perlman1988] for a discussion on flooding attacks. 1104 For distance vector protocols, such as RPL, where information is 1105 aggregated at each routing node it is not possible for nodes to 1106 directly detect Byzantine information manipulation attacks from the 1107 routing information exchange. In such cases, the routing protocol 1108 must include and support indirect communications exchanges between 1109 non-adjacent routing peers to provide a secondary channel for 1110 performing routing information validation. S-RIP [Wan2004] is an 1111 example of the implementation of this type of dedicated routing 1112 protocol security where the correctness of aggregate distance vector 1113 information can only be validated by initiating confirmation 1114 exchanges directly between nodes that are not routing neighbors. 1116 RPL does not provide any direct mechanisms like S-RIP. It does 1117 listen to multiple parents, and may switch parents if it begins to 1118 suspect that it is being lied to. 1120 6.3. Availability Attack Countermeasures 1122 As alluded to before, availability requires that routing information 1123 exchanges and forwarding mechanisms be available when needed so as to 1124 guarantee proper functioning of the network. This may, e.g., include 1125 the correct operation of routing information and neighbor state 1126 information exchanges, among others. We will highlight the key 1127 features of the security threats along with typical countermeasures 1128 to prevent or at least mitigate them. We will also note that an 1129 availability attack may be facilitated by an identity attack as well 1130 as a replay attack, as was addressed in Section 6.2.3 and 1131 Section 6.2.4, respectively. 1133 6.3.1. Countering HELLO Flood Attacks and ACK Spoofing Attacks 1135 HELLO Flood [Karlof2003],[I-D.suhopark-hello-wsn] and ACK Spoofing 1136 attacks are different but highly related forms of attacking an LLN. 1137 They essentially lead nodes to believe that suitable routes are 1138 available even though they are not and hence constitute a serious 1139 availability attack. 1141 A HELLO attack mounted against RPL would involve sending out (or 1142 replaying) DIO messages by the attacker. Lower power LLN nodes might 1143 then attempt to join the DODAG at a lower rank than they would 1144 otherwise. 1146 The most effective method from [I-D.suhopark-hello-wsn] is the verify 1147 bidirectionality. A number of layer-2 links are arranged in 1148 controller/spoke arrangements, and continuously are validating 1149 connectivity at layer 2. 1151 In addition, in order to calculate metrics, the ETX must be computed, 1152 and this involves, in general, sending a number of messages between 1153 nodes which are believed to be adjacent. 1154 [I-D.kelsey-intarea-mesh-link-establishment] is one such protocol. 1156 In order to join the DODAG, a DAO message is sent upwards. In RPL 1157 the DAO is acknowledged by the DAO-ACK message. This clearly checks 1158 bidirectionality at the control plane. 1160 As discussed in section 5.1, [I-D.suhopark-hello-wsn] a receiver with 1161 a sensitive receiver could well hear the DAOs, and even send DAO-ACKs 1162 as well. Such a node is a form of WormHole attack. 1164 These attacks are also all easily defended against using either 1165 layer-2 or layer-3 authentication. Such an attack could only be made 1166 against a completely open network (such as might be used for 1167 provisioning new nodes), or by a compromised node. 1169 6.3.2. Countering Overload Attacks 1171 Overload attacks are a form of DoS attack in that a malicious node 1172 overloads the network with irrelevant traffic, thereby draining the 1173 nodes' energy store more quickly, when the nodes rely on batteries or 1174 energy scavenging. It thus significantly shortens the lifetime of 1175 networks of energy-constrained nodes and constitutes another serious 1176 availability attack. 1178 With energy being one of the most precious assets of LLNs, targeting 1179 its availability is a fairly obvious attack. Another way of 1180 depleting the energy of an LLN node is to have the malicious node 1181 overload the network with irrelevant traffic. This impacts 1182 availability since certain routes get congested which: 1184 o renders them useless for affected nodes and data can hence not be 1185 delivered; 1187 o makes routes longer as shortest path algorithms work with the 1188 congested network; 1190 o depletes battery and energy scavenging nodes more quickly and thus 1191 shortens the network's availability at large. 1193 Overload attacks can be countered by deploying a series of mutually 1194 non-exclusive security measures: 1196 o introduce quotas on the traffic rate each node is allowed to send; 1198 o isolate nodes which send traffic above a certain threshold based 1199 on system operation characteristics; 1201 o allow only trusted data to be received and forwarded. 1203 As for the first one, a simple approach to minimize the harmful 1204 impact of an overload attack is to introduce traffic quotas. This 1205 prevents a malicious node from injecting a large amount of traffic 1206 into the network, even though it does not prevent said node from 1207 injecting irrelevant traffic at all. Another method is to isolate 1208 nodes from the network at the network layer once it has been detected 1209 that more traffic is injected into the network than allowed by a 1210 prior set or dynamically adjusted threshold. Finally, if 1211 communication is sufficiently secured, only trusted nodes can receive 1212 and forward traffic which also lowers the risk of an overload attack. 1214 Receiving nodes that validate signatures and sending nodes that 1215 encrypt messages need to be cautious of cryptographic processing 1216 usage when validating signatures and encrypting messages. Where 1217 feasible, certificates should be validated prior to use of the 1218 associated keys to counter potential resource overloading attacks. 1219 The associated design decision needs to also consider that the 1220 validation process requires resources and thus itself could be 1221 exploited for attacks. Alternatively, resource management limits can 1222 be placed on routing security processing events (see the comment in 1223 Section 6, paragraph 4, of [RFC5751]). 1225 6.3.3. Countering Selective Forwarding Attacks 1227 Selective forwarding attacks are a form of DoS attack which impacts 1228 the availability of the generated routing paths. 1230 A selective forwarding attack may be done by a node involved with the 1231 routing process, or it may be done by what otherwise appears to be a 1232 passive antenna or other RF feature or device, but is in fact an 1233 active (and selective) device. An RF antenna/repeater which is not 1234 selective, is not a threat. 1236 An insider malicious node basically blends neatly in with the network 1237 but then may decide to forward and/or manipulate certain packets. If 1238 all packets are dropped, then this attacker is also often referred to 1239 as a "black hole". Such a form of attack is particularly dangerous 1240 if coupled with sinkhole attacks since inherently a large amount of 1241 traffic is attracted to the malicious node and thereby causing 1242 significant damage. In a shared medium, an outside malicious node 1243 would selectively jam overheard data flows, where the thus caused 1244 collisions incur selective forwarding. 1246 Selective Forwarding attacks can be countered by deploying a series 1247 of mutually non-exclusive security measures: 1249 o multipath routing of the same message over disjoint paths; 1250 o dynamically selecting the next hop from a set of candidates. 1252 The first measure basically guarantees that if a message gets lost on 1253 a particular routing path due to a malicious selective forwarding 1254 attack, there will be another route which successfully delivers the 1255 data. Such a method is inherently suboptimal from an energy 1256 consumption point of view; it is also suboptimal from a network 1257 utilization perspective. The second method basically involves a 1258 constantly changing routing topology in that next-hop routers are 1259 chosen from a dynamic set in the hope that the number of malicious 1260 nodes in this set is negligible. A routing protocol that allows for 1261 disjoint routing paths may also be useful. 1263 6.3.4. Countering Sinkhole Attacks 1265 In sinkhole attacks, the malicious node manages to attract a lot of 1266 traffic mainly by advertising the availability of high-quality links 1267 even though there are none [Karlof2003]. It hence constitutes a 1268 serious attack on availability. 1270 The malicious node creates a sinkhole by attracting a large amount 1271 of, if not all, traffic from surrounding neighbors by advertising in 1272 and outwards links of superior quality. Affected nodes hence eagerly 1273 route their traffic via the malicious node which, if coupled with 1274 other attacks such as selective forwarding, may lead to serious 1275 availability and security breaches. Such an attack can only be 1276 executed by an inside malicious node and is generally very difficult 1277 to detect. An ongoing attack has a profound impact on the network 1278 topology and essentially becomes a problem of flow control. 1280 Sinkhole attacks can be countered by deploying a series of mutually 1281 non-exclusive security measures: 1283 o use geographical insights for flow control; 1285 o isolate nodes which receive traffic above a certain threshold; 1287 o dynamically pick up next hop from set of candidates; 1289 o allow only trusted data to be received and forwarded. 1291 Some LLNs may provide for geolocation services, often derived from 1292 solving triangulation equations from radio delay calculations, such 1293 calculations could in theory be subverted by a sinkhole that 1294 transmitted at precisely the right power in a node to node fashion. 1296 While geographic knowledge could help assure that traffic always went 1297 in the physical direction desired, it would not assure that the 1298 traffic was taking the most efficient route, as the lowest cost real 1299 route might be match the physical topology; such as when different 1300 parts of an LLN are connected by high-speed wired networks. 1302 6.3.5. Countering Wormhole Attacks 1304 In wormhole attacks at least two malicious nodes claim to have a 1305 short path between themselves [Karlof2003]. This changes the 1306 availability of certain routing paths and hence constitutes a serious 1307 security breach. 1309 Essentially, two malicious insider nodes use another, more powerful, 1310 transmitter to communicate with each other and thereby distort the 1311 would-be-agreed routing path. This distortion could involve 1312 shortcutting and hence paralyzing a large part of the network; it 1313 could also involve tunneling the information to another region of the 1314 network where there are, e.g., more malicious nodes available to aid 1315 the intrusion or where messages are replayed, etc. 1317 In conjunction with selective forwarding, wormhole attacks can create 1318 race conditions which impact topology maintenance, routing protocols 1319 as well as any security suits built on "time of check" and "time of 1320 use". 1322 A pure Wormhole attack is nearly impossible to detect. A wormhole 1323 which is used in order to subsequently mount another kind of attack 1324 would be defeated by defeating the other attack. A perfect wormhole, 1325 in which there is nothing adverse that occurs to the traffic, would 1326 be difficult to call an attack. The worst thing that a benign 1327 wormhole can do in such a situation is to cease to operate (become 1328 unstable), causing the network to have to recalculate routes. 1330 A highly unstable wormhole is no different than a radio opaque (i.e. 1331 metal) door that opens and closes a lot. RPL includes hystersis in 1332 its objective functions [RFC6719] in an attempt to deal with frequent 1333 changes to the ETX between nodes. 1335 7. RPL Security Features 1337 The assessments and analysis in Section 5 examined all areas of 1338 threats and attacks that could impact routing, and the 1339 countermeasures presented in Section 6 were reached without confining 1340 the consideration to means only available to routing. This section 1341 puts the results into perspective and provides a framework for 1342 addressing the derived set of security objectives that must be met by 1343 the routing protocol(s) specified by the RPL Working Group. It bears 1344 emphasizing that the target here is a generic, universal form of the 1345 protocol(s) specified and the normative keywords are mainly to convey 1346 the relative level of importance or urgency of the features 1347 specified. 1349 In this view, 'MUST' is used to define the requirements that are 1350 specific to the routing protocol and that are essential for an LLN 1351 routing protocol to ensure that routing operation can be maintained. 1352 Adherence to MUST requirements is needed to directly counter attacks 1353 that can affect the routing operation (such as those that can impact 1354 maintained or derived routing/forwarding tables). 'SHOULD' is used 1355 to define requirements that counter indirect routing attacks where 1356 such attacks do not of themselves affect routing but can assist an 1357 attacker in focusing its attack resources to impact network operation 1358 (such as DoS targeting of key forwarding nodes). 'MAY' covers 1359 optional requirements that can further enhance security by increasing 1360 the space over which an attacker must operate or the resources that 1361 must be applied. While in support of routing security, where 1362 appropriate, these requirements may also be addressed beyond the 1363 network routing protocol at other system communications layers. 1365 The first part of this section, Section 7.1 to Section 7.3, is a 1366 prescription of RPL security features of measures that can be 1367 addressed as part of the routing protocol itself. As routing is one 1368 component of an LLN system, the actual strength of the security 1369 services afforded to it should be made to conform to each system's 1370 security policy; how a design may address the needs of the urban, 1371 industrial, home automation, and building automation application 1372 domains also needs to be considered. The second part of this 1373 section, Section 7.4 and Section 7.5, discusses system security 1374 aspects that may impact routing but that also require considerations 1375 beyond the routing protocol, as well as potential approaches. 1377 If an LLN employs multicast and/or anycast, these alternative 1378 communications modes MUST be secured with the same routing security 1379 services specified in this section. Furthermore, irrespective of the 1380 modes of communication, nodes MUST provide adequate physical tamper 1381 resistance commensurate with the particular application domain 1382 environment to ensure the confidentiality, integrity, and 1383 availability of stored routing information. 1385 7.1. Confidentiality Features 1386 With regard to confidentiality, protecting the routing/topology 1387 information from unauthorized disclosure is not directly essential to 1388 maintaining the routing function. Breaches of confidentiality may 1389 lead to other attacks or the focusing of an attacker's resources (see 1390 Section 5.2) but does not of itself directly undermine the operation 1391 of the routing function. However, to protect against, and reduce 1392 consequences from other more direct attacks, routing information 1393 should be protected. Thus, a secured RPL protocol: 1395 o MUST implement payload encryption; 1397 o MAY provide tunneling; 1399 o MAY provide load balancing. 1401 Where confidentiality is incorporated into the routing exchanges, 1402 encryption algorithms and key lengths need to be specified in 1403 accordance with the level of protection dictated by the routing 1404 protocol and the associated application domain transport network. In 1405 terms of the life time of the keys, the opportunity to periodically 1406 change the encryption key increases the offered level of security for 1407 any given implementation. However, where strong cryptography is 1408 employed, physical, procedural, and logical data access protection 1409 considerations may have more significant impact on cryptoperiod 1410 selection than algorithm and key size factors. Nevertheless, in 1411 general, shorter cryptoperiods, during which a single key is applied, 1412 will enhance security. 1414 Given the mandatory protocol requirement to implement routing node 1415 authentication as part of routing integrity (see Section 7.2), key 1416 exchanges may be coordinated as part of the integrity verification 1417 process. This provides an opportunity to increase the frequency of 1418 key exchange and shorten the cryptoperiod as a complement to the key 1419 length and encryption algorithm required for a given application 1420 domain. For LLNs, the coordination of confidentiality key management 1421 with the implementation of node device authentication can thus reduce 1422 the overhead associated with supporting data confidentiality. If a 1423 new ciphering key is concurrently generated or updated in conjunction 1424 with the mandatory authentication exchange occurring with each 1425 routing peer association, signaling exchange overhead can be reduced. 1427 7.2. Integrity Features 1429 The integrity of routing information provides the basis for ensuring 1430 that the function of the routing protocol is achieved and maintained. 1431 To protect integrity, RPL must either run using only the Secure 1432 versions of the messages, or must run over a layer-2 that uses 1433 channel binding between node identity and transmissions. (i.e.: a 1434 layer-2 which has an identical network-wide transmission key can not 1435 defend against many attacks) 1437 While logging is critical, it is often impossible. 1439 7.3. Availability Features 1441 Availability of routing information is linked to system and network 1442 availability which in the case of LLNs require a broader security 1443 view beyond the requirements of the routing entities (see 1444 Section 7.5). Where availability of the network is compromised, 1445 routing information availability will be accordingly affected. 1446 However, to specifically assist in protecting routing availability: 1448 o MAY restrict neighborhood cardinality; 1450 o MAY use multiple paths; 1452 o MAY use multiple destinations; 1454 o MAY choose randomly if multiple paths are available; 1456 o MAY set quotas to limit transmit or receive volume; 1458 o MAY use geographic information for flow control. 1460 7.4. Key Management 1462 The functioning of the routing security services requires keys and 1463 credentials. Therefore, even though not directly a RPL security 1464 requirement, an LLN MUST have a process for initial key and 1465 credential configuration, as well as secure storage within the 1466 associated devices. Anti-tampering SHOULD be a consideration in 1467 physical design. Beyond initial credential configuration, an LLN is 1468 also encouraged to have automatic procedures for the revocation and 1469 replacement of the maintained security credentials. 1471 While RPL has secure modes, but some modes are impractical without 1472 use of public key cryptography believed to be too expensive by many. 1473 RPL layer-3 security will often depend upon existing LLN layer-2 1474 security mechanisms, which provides for node authentication, but 1475 little in the way of node authorization. 1477 7.5. Consideration on Matching Application Domain Needs 1479 Providing security within an LLN requires considerations that extend 1480 beyond routing security to the broader LLN application domain 1481 security implementation. In other words, as routing is one component 1482 of an LLN system, the actual strength of the implemented security 1483 algorithms for the routing protocol MUST be made to conform to the 1484 system's target level of security. The development so far takes into 1485 account collectively the impacts of the issues gathered from 1486 [RFC5548], [RFC5673], [RFC5826], and [RFC5867]. The following two 1487 subsections first consider from an architectural perspective how the 1488 security design of a RPL protocol may be made to adapt to the four 1489 application domains, and then examine mechanisms and protocol 1490 operations issues. 1492 7.5.1. Mechanisms and Operations 1494 Figure 5 provides an overview of the larger context of system 1495 security and the relationship between RPL requirements and measures 1496 and those that relate to the LLN system. 1498 Security Services for 1499 RPL-Addressable 1500 Security Requirements 1501 | | 1502 +---+ +---+ 1503 Node_i | | Node_j 1504 _____v___ ___v_____ 1505 Specify Security / \ / \ Specify Security 1506 Requirements | Routing | | Routing | Requirements 1507 +---------| Protocol| | Protocol|---------+ 1508 | | Entity | | Entity | | 1509 | \_________/ \_________/ | 1510 | | | | 1511 |RPL-Specified | | RPL-Specified| 1512 ---Interface | | Interface--- 1513 | ...................................... | 1514 | : | | : | 1515 | : +-----+----+ +----+-----+ : | 1516 | : |Transport/| |Transport/| : | 1517 ____v___ : +>|Network | |Network |<+ : ___v____ 1518 / \ : | +-----+----+ +----+-----+ | : / \ 1519 | |-:-+ | | +-:-| | 1520 |Security| : +-----+----+ +----+-----+ : |Security| 1521 +->|Services|-:-->| Link | | Link |<--:-|Services|<-+ 1522 | |Entity | : +-----+----+ +----+-----+ : |Entity | | 1523 | | |-:-+ | | +-:-| | | 1524 | \________/ : | +-----+----+ +----+-----+ | : \________/ | 1525 | : +>| Physical | | Physical |<+ : | 1526 Application : +-----+----+ +----+-----+ : Application 1527 Domain User : | | : Domain User 1528 Configuration : |__Comm. Channel_| : Configuration 1529 : : 1530 ...Protocol Stack..................... 1532 Figure 5: LLN Device Security Model 1534 8. IANA Considerations 1536 This memo includes no request to IANA. 1538 9. Security Considerations 1540 The analysis presented in this document provides security analysis 1541 and design guidelines with a scope limited to RPL. Security services 1542 are identified as requirements for securing RPL. The specific 1543 mechanisms to be used to deal with each threat is specified in link- 1544 layer and deployment specific applicability statements. 1546 10. Acknowledgments 1548 The authors would like to acknowledge the review and comments from 1549 Rene Struik and JP Vasseur. The authors would also like to 1550 acknowledge the guidance and input provided by the RPL Chairs, David 1551 Culler, and JP Vasseur, and the Area Director Adrian Farrel. 1553 This document started out as a combined threat and solutions 1554 document. As a result of security review, the document was split up 1555 by RPL co-Chair Michael Richardson and security Area Director Sean 1556 Turner as it went through the IETF publication process. The 1557 solutions to the threads are application and layer-2 specific, and 1558 have therefore been moved to the relevant applicability statements. 1560 Ines Robles kept track of the many issues that were raised during the 1561 development of this document 1563 11. References 1564 11.1. Normative References 1566 [I-D.ietf-roll-terminology] 1567 Vasseur, J., "Terminology in Low power And Lossy 1568 Networks", draft-ietf-roll-terminology-04 (work in 1569 progress), September 2010. 1571 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1572 Requirement Levels", BCP 14, RFC 2119, March 1997. 1574 [RFC4107] Bellovin, S. and R. Housley, "Guidelines for Cryptographic 1575 Key Management", BCP 107, RFC 4107, June 2005. 1577 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 1578 Internet Protocol", RFC 4301, December 2005. 1580 [RFC6550] Winter, T., Thubert, P., Brandt, A., Hui, J., Kelsey, R., 1581 Levis, P., Pister, K., Struik, R., Vasseur, JP., and R. 1582 Alexander, "RPL: IPv6 Routing Protocol for Low-Power and 1583 Lossy Networks", RFC 6550, March 2012. 1585 [RFC6719] Gnawali, O. and P. Levis, "The Minimum Rank with 1586 Hysteresis Objective Function", RFC 6719, September 2012. 1588 [ZigBeeIP] 1589 ZigBee Public Document 15-002r00, "ZigBee IP 1590 Specification", 2013. 1592 11.2. Informative References 1594 [AceCharterProposal] 1595 Kepeng, L., Ed., "Authentication and Authorization for 1596 Constrained Environment Charter (work-in-progress)", 1597 December 2013, . 1600 [FIPS197] , "Federal Information Processing Standards Publication 1601 197: Advanced Encryption Standard (AES)", US National 1602 Institute of Standards and Technology, Nov. 26 2001. 1604 [Huang2003] 1605 Huang, Q., Cukier, J., Kobayashi, H., Liu, B., and J. 1606 Zhang, "Fast Authenticated Key Establishment Protocols for 1607 Self-Organizing Sensor Networks", in Proceedings of the 1608 2nd ACM International Conference on Wireless Sensor 1609 Networks and Applications, San Diego, CA, USA, pp. 1610 141-150, Sept. 19 2003. 1612 [I-D.alexander-roll-mikey-lln-key-mgmt] 1613 Alexander, R. and T. Tsao, "Adapted Multimedia Internet 1614 KEYing (AMIKEY): An extension of Multimedia Internet 1615 KEYing (MIKEY) Methods for Generic LLN Environments", 1616 draft-alexander-roll-mikey-lln-key-mgmt-04 (work in 1617 progress), September 2012. 1619 [I-D.kelsey-intarea-mesh-link-establishment] 1620 Kelsey, R., "Mesh Link Establishment", draft-kelsey- 1621 intarea-mesh-link-establishment-05 (work in progress), 1622 February 2013. 1624 [I-D.suhopark-hello-wsn] 1625 Park, S., "Routing Security in Sensor Network: HELLO Flood 1626 Attack and Defense", draft-suhopark-hello-wsn-00 (work in 1627 progress), December 2005. 1629 [IEEE1149.1] 1630 , "IEEE Standard Test Access Port and Boundary Scan 1631 Architecture", IEEE-SA Standards Board, Jun. 14 2001. 1633 [ISO.7498-2.1988] 1634 International Organization for Standardization, 1635 "Information Processing Systems - Open Systems 1636 Interconnection Reference Model - Security Architecture", 1637 ISO Standard 7498-2, 1988. 1639 [Karlof2003] 1640 Karlof, C. and D. Wagner, "Secure routing in wireless 1641 sensor networks: attacks and countermeasures", Elsevier 1642 AdHoc Networks Journal, Special Issue on Sensor Network 1643 Applications and Protocols, 1(2):293-315, September 2003. 1645 [Kasumi3gpp] 1646 , "3GPP TS 35.202 Specification of the 3GPP 1647 confidentiality and integrity algorithms; Document 2: 1648 Kasumi specification", 3GPP TSG SA3, 2009. 1650 [Messerges2003] 1651 Messerges, T., Cukier, J., Kevenaar, T., Puhl, L., Struik, 1652 R., and E. Callaway, "Low-Power Security for Wireless 1653 Sensor Networks", in Proceedings of the 1st ACM Workshop 1654 on Security of Ad Hoc and Sensor Networks, Fairfax, VA, 1655 USA, pp. 1-11, Oct. 31 2003. 1657 [Myagmar2005] 1658 Myagmar, S., Lee, AJ., and W. Yurcik, "Threat Modeling as 1659 a Basis for Security Requirements", in Proceedings of the 1660 Symposium on Requirements Engineering for Information 1661 Security (SREIS'05), Paris, France, pp. 94-102, Aug 29, 1662 2005. 1664 [Perlman1988] 1665 Perlman, N., "Network Layer Protocols with Byzantine 1666 Robustness", MIT LCS Tech Report, 429, 1988. 1668 [RFC1142] Oran, D., "OSI IS-IS Intra-domain Routing Protocol", RFC 1669 1142, February 1990. 1671 [RFC2080] Malkin, G. and R. Minnear, "RIPng for IPv6", RFC 2080, 1672 January 1997. 1674 [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998. 1676 [RFC2453] Malkin, G., "RIP Version 2", STD 56, RFC 2453, November 1677 1998. 1679 [RFC3610] Whiting, D., Housley, R., and N. Ferguson, "Counter with 1680 CBC-MAC (CCM)", RFC 3610, September 2003. 1682 [RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K. 1683 Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830, 1684 August 2004. 1686 [RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm, 1687 "Multicast Security (MSEC) Group Key Management 1688 Architecture", RFC 4046, April 2005. 1690 [RFC4593] Barbir, A., Murphy, S., and Y. Yang, "Generic Threats to 1691 Routing Protocols", RFC 4593, October 2006. 1693 [RFC4732] Handley, M., Rescorla, E., IAB, "Internet Denial-of- 1694 Service Considerations", RFC 4732, December 2006. 1696 [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC 1697 4949, August 2007. 1699 [RFC5055] Freeman, T., Housley, R., Malpani, A., Cooper, D., and W. 1700 Polk, "Server-Based Certificate Validation Protocol 1701 (SCVP)", RFC 5055, December 2007. 1703 [RFC5197] Fries, S. and D. Ignjatic, "On the Applicability of 1704 Various Multimedia Internet KEYing (MIKEY) Modes and 1705 Extensions", RFC 5197, June 2008. 1707 [RFC5548] Dohler, M., Watteyne, T., Winter, T., and D. Barthel, 1708 "Routing Requirements for Urban Low-Power and Lossy 1709 Networks", RFC 5548, May 2009. 1711 [RFC5673] Pister, K., Thubert, P., Dwars, S., and T. Phinney, 1712 "Industrial Routing Requirements in Low-Power and Lossy 1713 Networks", RFC 5673, October 2009. 1715 [RFC5751] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet 1716 Mail Extensions (S/MIME) Version 3.2 Message 1717 Specification", RFC 5751, January 2010. 1719 [RFC5826] Brandt, A., Buron, J., and G. Porcu, "Home Automation 1720 Routing Requirements in Low-Power and Lossy Networks", RFC 1721 5826, April 2010. 1723 [RFC5867] Martocci, J., De Mil, P., Riou, N., and W. Vermeylen, 1724 "Building Automation Routing Requirements in Low-Power and 1725 Lossy Networks", RFC 5867, June 2010. 1727 [RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, 1728 "Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 1729 5996, September 2010. 1731 [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the 1732 Router Control Plane", RFC 6192, March 2011. 1734 [RFC6574] Tschofenig, H. and J. Arkko, "Report from the Smart Object 1735 Workshop", RFC 6574, April 2012. 1737 [RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure, 1738 "TCP Extensions for Multipath Operation with Multiple 1739 Addresses", RFC 6824, January 2013. 1741 [SmartObjectSecurityWorkshop] 1742 Klausen, T., Ed., "Workshop on Smart Object Security", 1743 March 2012, . 1746 [SolaceProposal] 1747 Bormann, C., Ed., "Notes from the SOLACE ad-hoc at IETF85 1748 (work-in-progress)", November 2012, . 1751 [Szcze2008] 1752 Szczechowiak1, P., Oliveira, L., Scott, M., Collier, M., 1753 and R. Dahab, "NanoECC: testing the limits of elliptic 1754 curve cryptography in sensor networks", pp. 324-328, 2008, 1755 . 1758 [Wan2004] Wan, T., Kranakis, E., and PC. van Oorschot, "S-RIP: A 1759 Secure Distance Vector Routing Protocol", in Proceedings 1760 of the 2nd International Conference on Applied 1761 Cryptography and Network Security, Yellow Mountain, China, 1762 pp. 103-119, Jun. 8-11 2004. 1764 [Wander2005] 1765 Wander, A., Gura, N., Eberle, H., Gupta, V., and S. 1766 Shantz, "Energy analysis of public-key cryptography for 1767 wireless sensor networ", in the Proceedings of the Third 1768 IEEE International Conference on Pervasive Computing and 1769 Communications pp. 324-328, March 8-12 2005. 1771 [Yourdon1979] 1772 Yourdon, E. and L. Constantine, "Structured Design", 1773 Yourdon Press, New York, Chapter 10, pp. 187-222, 1979. 1775 Authors' Addresses 1777 Tzeta Tsao 1778 Cooper Power Systems 1779 910 Clopper Rd. Suite 201S 1780 Gaithersburg, Maryland 20878 1781 USA 1783 Email: tzeta.tsao@cooperindustries.com 1785 Roger K. Alexander 1786 Cooper Power Systems 1787 910 Clopper Rd. Suite 201S 1788 Gaithersburg, Maryland 20878 1789 USA 1791 Email: roger.alexander@cooperindustries.com 1793 Mischa Dohler 1794 CTTC 1795 Parc Mediterrani de la Tecnologia, Av. Canal Olimpic S/N 1796 Castelldefels, Barcelona 08860 1797 Spain 1799 Email: mischa.dohler@cttc.es 1800 Vanesa Daza 1801 Universitat Pompeu Fabra 1802 P/ Circumval.lacio 8, Oficina 308 1803 Barcelona 08003 1804 Spain 1806 Email: vanesa.daza@upf.edu 1808 Angel Lozano 1809 Universitat Pompeu Fabra 1810 P/ Circumval.lacio 8, Oficina 309 1811 Barcelona 08003 1812 Spain 1814 Email: angel.lozano@upf.edu 1816 Michael Richardson (ed) 1817 Sandelman Software Works 1818 470 Dawson Avenue 1819 Ottawa, ON K1Z5V7 1820 Canada 1822 Email: mcr+ietf@sandelman.ca