idnits 2.17.1 draft-ietf-roll-security-threats-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (June 10, 2014) is 3606 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Missing Reference: 'IS07498-2' is mentioned on line 154, but not defined == Unused Reference: 'RFC4107' is defined on line 1543, but no explicit reference was found in the text == Unused Reference: 'RFC4301' is defined on line 1546, but no explicit reference was found in the text == Unused Reference: 'FIPS197' is defined on line 1569, but no explicit reference was found in the text == Unused Reference: 'Huang2003' is defined on line 1573, but no explicit reference was found in the text == Unused Reference: 'I-D.alexander-roll-mikey-lln-key-mgmt' is defined on line 1581, but no explicit reference was found in the text == Unused Reference: 'IEEE1149.1' is defined on line 1598, but no explicit reference was found in the text == Unused Reference: 'Kasumi3gpp' is defined on line 1616, but no explicit reference was found in the text == Unused Reference: 'Messerges2003' is defined on line 1621, but no explicit reference was found in the text == Unused Reference: 'RFC2080' is defined on line 1642, but no explicit reference was found in the text == Unused Reference: 'RFC2453' is defined on line 1647, but no explicit reference was found in the text == Unused Reference: 'RFC3830' is defined on line 1653, but no explicit reference was found in the text == Unused Reference: 'RFC4046' is defined on line 1657, but no explicit reference was found in the text == Unused Reference: 'RFC5055' is defined on line 1670, but no explicit reference was found in the text == Unused Reference: 'RFC5197' is defined on line 1674, but no explicit reference was found in the text == Unused Reference: 'RFC5996' is defined on line 1698, but no explicit reference was found in the text == Unused Reference: 'RFC6574' is defined on line 1705, but no explicit reference was found in the text == Unused Reference: 'Szcze2008' is defined on line 1726, but no explicit reference was found in the text == Unused Reference: 'Wander2005' is defined on line 1739, but no explicit reference was found in the text == Outdated reference: A later version (-13) exists of draft-ietf-roll-terminology-04 == Outdated reference: A later version (-06) exists of draft-kelsey-intarea-mesh-link-establishment-05 -- Obsolete informational reference (is this intentional?): RFC 1142 (Obsoleted by RFC 7142) -- Obsolete informational reference (is this intentional?): RFC 5751 (Obsoleted by RFC 8551) -- Obsolete informational reference (is this intentional?): RFC 5996 (Obsoleted by RFC 7296) -- Obsolete informational reference (is this intentional?): RFC 6824 (Obsoleted by RFC 8684) Summary: 0 errors (**), 0 flaws (~~), 22 warnings (==), 5 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Routing Over Low-Power and Lossy Networks T. Tsao 3 Internet-Draft R. Alexander 4 Intended status: Informational Cooper Power Systems 5 Expires: December 12, 2014 M. Dohler 6 CTTC 7 V. Daza 8 A. Lozano 9 Universitat Pompeu Fabra 10 M. Richardson 11 Sandelman Software Works 12 June 10, 2014 14 A Security Threat Analysis for Routing Protocol for Low-power and lossy 15 networks (RPL) 16 draft-ietf-roll-security-threats-07 18 Abstract 20 This document presents a security threat analysis for the Routing 21 Protocol for Low-power and lossy networks (RPL, ROLL). The 22 development builds upon previous work on routing security and adapts 23 the assessments to the issues and constraints specific to low-power 24 and lossy networks. A systematic approach is used in defining and 25 evaluating the security threats. Applicable countermeasures are 26 application specific and are addressed in relevant applicability 27 statements. 29 Requirements Language 31 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 32 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and 33 "OPTIONAL" in this document are to be interpreted as described in RFC 34 2119 [RFC2119]. 36 Status of This Memo 38 This Internet-Draft is submitted in full conformance with the 39 provisions of BCP 78 and BCP 79. 41 Internet-Drafts are working documents of the Internet Engineering 42 Task Force (IETF). Note that other groups may also distribute 43 working documents as Internet-Drafts. The list of current Internet- 44 Drafts is at http://datatracker.ietf.org/drafts/current/. 46 Internet-Drafts are draft documents valid for a maximum of six months 47 and may be updated, replaced, or obsoleted by other documents at any 48 time. It is inappropriate to use Internet-Drafts as reference 49 material or to cite them other than as "work in progress." 51 This Internet-Draft will expire on December 12, 2014. 53 Copyright Notice 55 Copyright (c) 2014 IETF Trust and the persons identified as the 56 document authors. All rights reserved. 58 This document is subject to BCP 78 and the IETF Trust's Legal 59 Provisions Relating to IETF Documents 60 (http://trustee.ietf.org/license-info) in effect on the date of 61 publication of this document. Please review these documents 62 carefully, as they describe your rights and restrictions with respect 63 to this document. Code Components extracted from this document must 64 include Simplified BSD License text as described in Section 4.e of 65 the Trust Legal Provisions and are provided without warranty as 66 described in the Simplified BSD License. 68 Table of Contents 70 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 71 2. Relationship to other documents . . . . . . . . . . . . . . . 4 72 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 73 4. Considerations on RPL Security . . . . . . . . . . . . . . . 5 74 4.1. Routing Assets and Points of Access . . . . . . . . . . . 5 75 4.2. The ISO 7498-2 Security Reference Model . . . . . . . . . 7 76 4.3. Issues Specific to or Amplified in LLNs . . . . . . . . . 9 77 4.4. RPL Security Objectives . . . . . . . . . . . . . . . . . 11 78 5. Threat Sources . . . . . . . . . . . . . . . . . . . . . . . 12 79 6. Threats and Attacks . . . . . . . . . . . . . . . . . . . . . 13 80 6.1. Threats due to failures to Authenticate . . . . . . . . . 13 81 6.1.1. Node Impersonation . . . . . . . . . . . . . . . . . 13 82 6.1.2. Dummy Node . . . . . . . . . . . . . . . . . . . . . 14 83 6.1.3. Node Resource Spam . . . . . . . . . . . . . . . . . 14 84 6.2. Threats and Attacks on Confidentiality . . . . . . . . . 14 85 6.2.1. Routing Exchange Exposure . . . . . . . . . . . . . . 14 86 6.2.2. Routing Information (Routes and Network Topology) 87 Exposure . . . . . . . . . . . . . . . . . . . . . . 14 88 6.3. Threats and Attacks on Integrity . . . . . . . . . . . . 15 89 6.3.1. Routing Information Manipulation . . . . . . . . . . 15 90 6.3.2. Node Identity Misappropriation . . . . . . . . . . . 16 91 6.4. Threats and Attacks on Availability . . . . . . . . . . . 17 92 6.4.1. Routing Exchange Interference or Disruption . . . . . 17 93 6.4.2. Network Traffic Forwarding Disruption . . . . . . . . 17 94 6.4.3. Communications Resource Disruption . . . . . . . . . 18 95 6.4.4. Node Resource Exhaustion . . . . . . . . . . . . . . 19 96 7. Countermeasures . . . . . . . . . . . . . . . . . . . . . . . 20 97 7.1. Confidentiality Attack Countermeasures . . . . . . . . . 20 98 7.1.1. Countering Deliberate Exposure Attacks . . . . . . . 20 99 7.1.2. Countering Passive Wiretapping Attacks . . . . . . . 21 100 7.1.3. Countering Traffic Analysis . . . . . . . . . . . . . 21 101 7.1.4. Countering Remote Device Access Attacks . . . . . . . 22 102 7.2. Integrity Attack Countermeasures . . . . . . . . . . . . 22 103 7.2.1. Countering Unauthorized Modification Attacks . . . . 23 104 7.2.2. Countering Overclaiming and Misclaiming Attacks . . . 23 105 7.2.3. Countering Identity (including Sybil) Attacks . . . . 24 106 7.2.4. Countering Routing Information Replay Attacks . . . . 24 107 7.2.5. Countering Byzantine Routing Information Attacks . . 25 108 7.3. Availability Attack Countermeasures . . . . . . . . . . . 25 109 7.3.1. Countering HELLO Flood Attacks and ACK Spoofing 110 Attacks . . . . . . . . . . . . . . . . . . . . . . . 26 111 7.3.2. Countering Overload Attacks . . . . . . . . . . . . . 26 112 7.3.3. Countering Selective Forwarding Attacks . . . . . . . 28 113 7.3.4. Countering Sinkhole Attacks . . . . . . . . . . . . . 29 114 7.3.5. Countering Wormhole Attacks . . . . . . . . . . . . . 30 115 8. RPL Security Features . . . . . . . . . . . . . . . . . . . . 30 116 8.1. Confidentiality Features . . . . . . . . . . . . . . . . 31 117 8.2. Integrity Features . . . . . . . . . . . . . . . . . . . 32 118 8.3. Availability Features . . . . . . . . . . . . . . . . . . 33 119 8.4. Key Management . . . . . . . . . . . . . . . . . . . . . 33 120 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 33 121 10. Security Considerations . . . . . . . . . . . . . . . . . . . 34 122 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 34 123 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 34 124 12.1. Normative References . . . . . . . . . . . . . . . . . . 34 125 12.2. Informative References . . . . . . . . . . . . . . . . . 35 126 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 39 128 1. Introduction 130 In recent times, networked electronic devices have found an 131 increasing number of applications in various fields. Yet, for 132 reasons ranging from operational application to economics, these 133 wired and wireless devices are often supplied with minimum physical 134 resources; the constraints include those on computational resources 135 (RAM, clock speed, storage), communication resources (duty cycle, 136 packet size, etc.), but also form factors that may rule out user 137 access interfaces (e.g., the housing of a small stick-on switch), or 138 simply safety considerations (e.g., with gas meters). As a 139 consequence, the resulting networks are more prone to loss of traffic 140 and other vulnerabilities. The proliferation of these low-power and 141 lossy networks (LLNs), however, are drawing efforts to examine and 142 address their potential networking challenges. Securing the 143 establishment and maintenance of network connectivity among these 144 deployed devices becomes one of these key challenges. 146 This document presents a threat analysis for securing the Routing 147 Protocol for LLNs (RPL). The process requires two steps. First, the 148 analysis will be used to identify pertinent security issues. The 149 second step is to identify necessary countermeasures to secure RPL. 150 As there are multiple ways to solve the problem and the specific 151 tradeoffs are deployment specific, the specific countermeasure to be 152 used is detailed in applicability statements. 154 This document uses [IS07498-2] model, which describes Authentication, 155 Access Control, Data Confidentiality, Data Integrity, and Non- 156 Repudiation security services and to which Availability is added. 158 All of this document concerns itself with securing the control plane 159 traffic. As such it does not address authorization or authentication 160 of application traffic. RPL uses multicast as part of it's protocol, 161 and therefore mechanisms which RPL uses to secure this traffic MAY be 162 applicable to MPL control traffic as well: the important part is that 163 the threats are similiar. 165 2. Relationship to other documents 167 ROLL has specified a set of routing protocols for Lossy and Low- 168 resource Networks (LLN) [RFC6550]. A number of applicability texts 169 describes a subset of these protocols and the conditions which make 170 the subset the correct choice. The text recommends and motivates the 171 accompanying parameter value ranges. Multiple applicability domains 172 are recognized including: Building and Home, and Advanced Metering 173 Infrastructure. The applicability domains distinguish themselves in 174 the way they are operated, their performance requirements, and the 175 most probable network structures. Each applicability statement 176 identifies the distinguishing properties according to a common set of 177 subjects described in as many sections. 179 The common set of security threats are herein are referred to by the 180 applicability statements, and that series of documents describes the 181 preferred security settings and solutions within the applicability 182 statement conditions. This applicability statements may recommend 183 more light weight security solutions and specify the conditions under 184 which these solutions are appropriate. 186 3. Terminology 188 This document adopts the terminology defined in [RFC6550], in 189 [RFC4949], and in [I-D.ietf-roll-terminology]. 191 The terms control plane and forwarding plane are used consistently 192 with section 1 of [RFC6192]. 194 4. Considerations on RPL Security 196 Routing security, in essence, ensures that the routing protocol 197 operates correctly. It entails implementing measures to ensure 198 controlled state changes on devices and network elements, both based 199 on external inputs (received via communications) or internal inputs 200 (physical security of device itself and parameters maintained by the 201 device, including, e.g., clock). State changes would thereby involve 202 not only authorization of injector's actions, authentication of 203 injectors, and potentially confidentiality of routing data, but also 204 proper order of state changes through timeliness, since seriously 205 delayed state changes, such as commands or updates of routing tables, 206 may negatively impact system operation. A security assessment can 207 therefore begin with a focus on the assets [RFC4949] that may be the 208 target of the state changes and the access points in terms of 209 interfaces and protocol exchanges through which such changes may 210 occur. In the case of routing security, the focus is directed 211 towards the elements associated with the establishment and 212 maintenance of network connectivity. 214 This section sets the stage for the development of the analysis by 215 applying the systematic approach proposed in [Myagmar2005] to the 216 routing security, while also drawing references from other reviews 217 and assessments found in the literature, particularly, [RFC4593] and 218 [Karlof2003]. The subsequent subsections begin with a focus on the 219 elements of a generic routing process that is used to establish 220 routing assets and points of access to the routing functionality. 221 Next, the [ISO.7498-2.1988] security model is briefly described. 222 Then, consideration is given to issues specific to or amplified in 223 LLNs. This section concludes with the formulation of a set of 224 security objectives for RPL. 226 4.1. Routing Assets and Points of Access 228 An asset is an important system resource (including information, 229 process, or physical resource), the access to, corruption or loss of 230 which adversely affects the system. In the control plane context, an 231 asset is information about the network, processes used to manage and 232 manipulate this data, and the physical devices on which this data is 233 stored and manipulated. The corruption or loss of these assets may 234 adversely impact the control plane of the network. Within the same 235 context, a point of access is an interface or protocol that 236 facilitates interaction between control plane assets. Identifying 237 these assets and points of access will provide a basis for 238 enumerating the attack surface of the control plane. 240 A level-0 data flow diagram [Yourdon1979] is used here to identify 241 the assets and points of access within a generic routing process. 242 The use of a data flow diagram allows for a clear and concise model 243 of the way in which routing nodes interact and process information, 244 and hence provides a context for threats and attacks. The goal of 245 the model is to be as detailed as possible so that corresponding 246 assets, points of access, and process in an individual routing 247 protocol can be readily identified. 249 Figure 1 shows that nodes participating in the routing process 250 transmit messages to discover neighbors and to exchange routing 251 information; routes are then generated and stored, which may be 252 maintained in the form of the protocol forwarding table. The nodes 253 use the derived routes for making forwarding decisions. 255 ................................................... 256 : : 257 : : 258 |Node_i|<------->(Routing Neighbor _________________ : 259 : Discovery)------------>Neighbor Topology : 260 : -------+--------- : 261 : | : 262 |Node_j|<------->(Route/Topology +--------+ : 263 : Exchange) | : 264 : | V ______ : 265 : +---->(Route Generation)--->Routes : 266 : ---+-- : 267 : | : 268 : Routing on a Node Node_k | : 269 ................................................... 270 | 271 |Forwarding | 272 |On Node_l|<-------------------------------------------+ 274 Notation: 276 (Proc) A process Proc 278 ________ 279 topology A structure storing neighbor adjacency (parent/child) 280 -------- 281 ________ 282 routes A structure storing the forwarding information base (FIB) 283 -------- 285 |Node_n| An external entity Node_n 286 -------> Data flow 288 Figure 1: Data Flow Diagram of a Generic Routing Process 290 It is seen from Figure 1 that 292 o Assets include 294 * routing and/or topology information; 296 * route generation process; 298 * communication channel resources (bandwidth); 300 * node resources (computing capacity, memory, and remaining 301 energy); 303 * node identifiers (including node identity and ascribed 304 attributes such as relative or absolute node location). 306 o Points of access include 308 * neighbor discovery; 310 * route/topology exchange; 312 * node physical interfaces (including access to data storage). 314 A focus on the above list of assets and points of access enables a 315 more directed assessment of routing security; for example, it is 316 readily understood that some routing attacks are in the form of 317 attempts to misrepresent routing topology. Indeed, the intention of 318 the security threat analysis is to be comprehensive. Hence, some of 319 the discussion which follows is associated with assets and points of 320 access that are not directly related to routing protocol design but 321 nonetheless provided for reference since they do have direct 322 consequences on the security of routing. 324 4.2. The ISO 7498-2 Security Reference Model 326 At the conceptual level, security within an information system in 327 general and applied to RPL; in particular is concerned with the 328 primary issues of authentication, access control, data 329 confidentiality, data integrity, and non-repudiation. In the context 330 of RPL 332 Authentication 333 Authentication involves the mutual authentication of the 334 routing peers prior to exchanging route information (i.e., peer 335 authentication) as well as ensuring that the source of the 336 route data is from the peer (i.e., data origin authentication). 337 [RFC5548] points out that LLNs can be drained by 338 unauthenticated peers before configuration. [RFC5673] requires 339 availability of open and untrusted side channels for new 340 joiners, and it requires strong and automated authentication so 341 that networks can automatically accept or reject new joiners. 343 Access Control 344 Access Control provides protection against unauthorized use of 345 the asset, and deals with the authorization of a node. 347 Confidentiality 348 Confidentiality involves the protection of routing information 349 as well as routing neighbor maintenance exchanges so that only 350 authorized and intended network entities may view or access it. 351 Because LLNs are most commonly found on a publicly accessible 352 shared medium, e.g., air or wiring in a building, and sometimes 353 formed ad hoc, confidentiality also extends to the neighbor 354 state and database information within the routing device since 355 the deployment of the network creates the potential for 356 unauthorized access to the physical devices themselves. 358 Integrity 359 Integrity entails the protection of routing information and 360 routing neighbor maintenance exchanges, as well as derived 361 information maintained in the database, from unauthorized 362 modification, insertions, deletions or replays. to be addressed 363 beyond the routing protocol. 365 Non-repudiation 366 Non-repudiation is the assurance that the transmission and/or 367 reception of a message cannot later be denied. The service of 368 non-repudiation applies after-the-fact and thus relies on the 369 logging or other capture of on-going message exchanges and 370 signatures. Applied to routing, non-repudiation is not an 371 issue because it does not apply to routing protocols, which are 372 machine-to-machine protocols. Further, with the LLN 373 application domains as described in [RFC5867] and [RFC5548], 374 proactive measures are much more critical than retrospective 375 protections. Finally, given the significant practical limits 376 to on-going routing transaction logging and storage and 377 individual device digital signature verification for each 378 exchange, non-repudiation in the context of routing is an 379 unsupportable burden that bears no further considered as an RPL 380 security issue. 382 It is recognized that, besides those security issues captured in the 383 ISO 7498-2 model, availability, is a security requirement: 385 Availability 386 Availability ensures that routing information exchanges and 387 forwarding services need to be available when they are required 388 for the functioning of the serving network. Availability will 389 apply to maintaining efficient and correct operation of routing 390 and neighbor discovery exchanges (including needed information) 391 and forwarding services so as not to impair or limit the 392 network's central traffic flow function 394 It should be emphasized here that for RPL security the above 395 requirements must be complemented by the proper security policies and 396 enforcement mechanisms to ensure that security objectives are met by 397 a given RPL implementation. 399 4.3. Issues Specific to or Amplified in LLNs 401 The requirements work detailed in Urban Requirements ([RFC5548]), 402 Industrial Requirements ([RFC5673]), Home Automation ([RFC5826], and 403 Building Automation ([RFC5867]) have identified specific issues and 404 constraints of routing in LLNs. The following is a list of 405 observations from those requirements and evaluation of their impact 406 on routing security considerations. 408 Limited energy, memory, and processing node resources 409 As a consequence of these constraints, there is an even more 410 critical need than usual for a careful study of trade-offs on 411 which and what level of security services are to be afforded 412 during the system design process. The chosen security 413 mechanisms also needs to work within these constraints. 414 Synchronization of security states with sleepy nodes is yet 415 another issue. 417 Large scale of rolled out network 418 The possibly numerous nodes to be deployed make manual on-site 419 configuration unlikely. For example, an urban deployment can 420 see several hundreds of thousands of nodes being installed by 421 many installers with a low level of expertise. Nodes may be 422 installed and not activated for many years, and additional 423 nodes may be added later on, which may be from old inventory. 424 The lifetime of the network is measured in decades, and this 425 complicates the operation of key management. 427 Autonomous operations 428 Self-forming and self-organizing are commonly prescribed 429 requirements of LLNs. In other words, a routing protocol 430 designed for LLNs needs to contain elements of ad hoc 431 networking and in most cases cannot rely on manual 432 configuration for initialization or local filtering rules. 433 Network topology/ownership changes, partitioning or merging, as 434 well as node replacement, can all contribute to complicating 435 the operations of key management. 437 Highly directional traffic 438 Some types of LLNs see a high percentage of their total traffic 439 traverse between the nodes and the LLN Border Routers (LBRs) 440 where the LLNs connect to non-LLNs. The special routing status 441 of and the greater volume of traffic near the LBRs have routing 442 security consequences as a higher valued attack target. In 443 fact, when Point-to-MultiPoint (P2MP) and MultiPoint-to-Point 444 (MP2P) traffic represents a majority of the traffic, routing 445 attacks consisting of advertising incorrect preferred routes 446 can cause serious damage. 448 While it might seem that nodes higher up in the cyclic graph 449 (i.e. those with lower rank) should be secured in a stronger 450 fashion, it is not in general easy to predict which nodes will 451 occupy those positions until after deployment. Issues of 452 redundancy and inventory control suggests that any node might 453 wind up in such a sensitive attack position, so all nodes need 454 to be equally secure. 456 In addition, even if it were possible to predict which nodes 457 will occupy positions of lower rank and provision them with 458 stronger security mechanisms, in the absense of a strong 459 authorization model, any node could advertise an incorrect 460 preferred route. 462 Unattended locations and limited physical security 463 Many applications have the nodes deployed in unattended or 464 remote locations; furthermore, the nodes themselves are often 465 built with minimal physical protection. These constraints 466 lower the barrier of accessing the data or security material 467 stored on the nodes through physical means. 469 Support for mobility 470 On the one hand, only a limited number of applications require 471 the support of mobile nodes, e.g., a home LLN that includes 472 nodes on wearable health care devices or an industry LLN that 473 includes nodes on cranes and vehicles. On the other hand, if a 474 routing protocol is indeed used in such applications, it will 475 clearly need to have corresponding security mechanisms. 477 Additionally nodes may appear to move from one side of a wall 478 to another without any actual motion involved, the result of 479 changes to electromagnetic properties, such as opening and 480 closing of a metal door. 482 Support for multicast and anycast 483 Support for multicast and anycast is called out chiefly for 484 large-scale networks. Since application of these routing 485 mechanisms in autonomous operations of many nodes is new, the 486 consequence on security requires careful consideration. 488 The above list considers how an LLN's physical constraints, size, 489 operations, and variety of application areas may impact security. 490 However, it is the combinations of these factors that particularly 491 stress the security concerns. For instance, securing routing for a 492 large number of autonomous devices that are left in unattended 493 locations with limited physical security presents challenges that are 494 not found in the common circumstance of administered networked 495 routers. The following subsection sets up the security objectives 496 for the routing protocol designed by the ROLL WG. 498 4.4. RPL Security Objectives 500 This subsection applies the ISO 7498-2 model to routing assets and 501 access points, taking into account the LLN issues, to develop a set 502 of RPL security objectives. 504 Since the fundamental function of a routing protocol is to build 505 routes for forwarding packets, it is essential to ensure that: 507 o routing/topology information integrity remains intact during 508 transfer and in storage; 510 o routing/topology information is used by authorized entities; 512 o routing/topology information is available when needed. 514 In conjunction, it is necessary to be assured that 516 o authorized peers authenticate themselves during the routing 517 neighbor discovery process; 519 o the routing/topology information received is generated according 520 to the protocol design. 522 However, when trust cannot be fully vested through authentication of 523 the principals alone, i.e., concerns of insider attack, assurance of 524 the truthfulness and timeliness of the received routing/topology 525 information is necessary. With regard to confidentiality, protecting 526 the routing/topology information from unauthorized exposure may be 527 desirable in certain cases but is in itself less pertinent in general 528 to the routing function. 530 One of the main problems of synchronizing security states of sleepy 531 nodes, as listed in the last subsection, lies in difficulties in 532 authentication; these nodes may not have received in time the most 533 recent update of security material. Similarly, the issues of minimal 534 manual configuration, prolonged rollout and delayed addition of 535 nodes, and network topology changes also complicate key management. 536 Hence, routing in LLNs needs to bootstrap the authentication process 537 and allow for flexible expiration scheme of authentication 538 credentials. 540 The vulnerability brought forth by some special-function nodes, e.g., 541 LBRs, requires the assurance, particularly in a security context, 543 o of the availability of communication channels and node resources; 545 o that the neighbor discovery process operates without undermining 546 routing availability. 548 There are other factors which are not part of RPL but directly 549 affecting its function. These factors include weaker barrier of 550 accessing the data or security material stored on the nodes through 551 physical means; therefore, the internal and external interfaces of a 552 node need to be adequate for guarding the integrity, and possibly the 553 confidentiality, of stored information, as well as the integrity of 554 routing and route generation processes. 556 Each individual system's use and environment will dictate how the 557 above objectives are applied, including the choices of security 558 services as well as the strengths of the mechanisms that must be 559 implemented. The next two sections take a closer look at how the RPL 560 security objectives may be compromised and how those potential 561 compromises can be countered. 563 5. Threat Sources 565 [RFC4593] provides a detailed review of the threat sources: outsiders 566 and byzantine. RPL has the same threat sources. 568 6. Threats and Attacks 570 This section outlines general categories of threats under the ISO 571 7498-2 model and highlights the specific attacks in each of these 572 categories for RPL. As defined in [RFC4949], a threat is "a 573 potential for violation of security, which exists when there is a 574 circumstance, capability, action, or event that could breach security 575 and cause harm." 577 An attack is "an assault on system security that derives from an 578 intelligent threat, i.e., an intelligent act that is a deliberate 579 attempt (especially in the sense of a method or technique) to evade 580 security services and violate the security policy of a system." 582 The subsequent subsections consider the threats and the attacks that 583 can cause security breaches under the ISO 7498-2 model to the routing 584 assets and via the routing points of access identified in 585 Section 4.1. The assessment steps through the security concerns of 586 each routing asset and looks at the attacks that can exploit routing 587 points of access. The threats and attacks identified are based on 588 the routing model analysis and associated review of the existing 589 literature. The source of the attacks is assumed to be from either 590 inside or outside attackers. While some attackers inside the network 591 will be using compromised nodes, and therefore are only able to do 592 what an ordinary node can ("node-equivalent"), other attacks may not 593 limited in memory, CPU, power consumption or long term storage. 594 Moore's law favours the attacker with access to the latest 595 capabilities, while the defenders will remain in place for years to 596 decades. 598 6.1. Threats due to failures to Authenticate 600 An attacker can assert an arbitrary identity, including the identity 601 of another node is said to be able to assert "any" identity. 603 6.1.1. Node Impersonation 605 If an attacker can join a network using any identity, then it may be 606 able to assume the role of a legitimate (and existing node). It may 607 be able to report false readings (in metering applications), or 608 provide inappropriate control messages (in control systems involving 609 actuators) if the security of the application is implied by the 610 security of the routing system. 612 Even in systems where there application layer security, the ability 613 to impersonate a node would permit an attacker to direct traffic to 614 itself. This may permit various on-path attacks which would 615 otherwise be difficult, such replaying, delaying, or duplicating 616 (application) control messages. 618 6.1.2. Dummy Node 620 If an attacker can join a network with any identify, then it can 621 pretend to be a legitimate node, receiving any service legitimate 622 nodes receive. It may also be able to report false readings (in 623 metering applications), or provide inappropriate authorizations (in 624 control systems involving actuators), or perform any other attacks 625 that are facilitated by being able to direct traffic towards itself. 627 6.1.3. Node Resource Spam 629 If an attacker can join a network with any identify, then it can 630 continously do so with new (random) identities. This act may drain 631 down the resources of the network (battery, ram, bandwidth). This 632 may cause legitimate nodes of the network to be unable to 633 communicate. 635 6.2. Threats and Attacks on Confidentiality 637 The assessment in Section 4.2 indicates that there are attacks 638 against the confidentiality of routing information at all points of 639 access. This threat results in disclosure, as described in 640 Section 3.1.2 of [RFC4593], and may involve a disclosure of routing 641 information. 643 6.2.1. Routing Exchange Exposure 645 Routing exchanges include both routing information as well as 646 information associated with the establishment and maintenance of 647 neighbor state information. As indicated in Section 4.1, the 648 associated routing information assets may also include device 649 specific resource information, such as available memory, remaining 650 power, etc., that may be metrics of the routing protocol. 652 The routing exchanges will contain reachability information, which 653 would identify the relative importance of different nodes in the 654 network. Nodes higher up in the DODAG, to which more streams of 655 information flow, would be more interesting targets for other 656 attacks, and routing exchange exposures can identify them. 658 6.2.2. Routing Information (Routes and Network Topology) Exposure 659 Routes (which may be maintained in the form of the protocol 660 forwarding table) and neighbor topology information are the products 661 of the routing process that are stored within the node device 662 databases. 664 The exposure of this information will allow attackers to gain direct 665 access to the configuration and connectivity of the network thereby 666 exposing routing to targeted attacks on key nodes or links. Since 667 routes and neighbor topology information is stored within the node 668 device, attacks on the confidentiality of the information will apply 669 to the physical device including specified and unspecified internal 670 and external interfaces. 672 The forms of attack that allow unauthorized access or disclosure of 673 the routing information will include: 675 o Physical device compromise; 677 o Remote device access attacks (including those occurring through 678 remote network management or software/field upgrade interfaces). 680 Both of these attack vectors are considered a device specific issue, 681 and are out of scope for RPL to defend against. In some 682 applications, physical device compromise may be a real threat and it 683 may be necessary to provide for other devices to securely detect a 684 compromised device and react quickly to exclude it. 686 6.3. Threats and Attacks on Integrity 688 The assessment in Section 4.2 indicates that information and identity 689 assets are exposed to integrity threats from all points of access. 690 In other words, the integrity threat space is defined by the 691 potential for exploitation introduced by access to assets available 692 through routing exchanges and the on-device storage. 694 6.3.1. Routing Information Manipulation 696 Manipulation of routing information that range from neighbor states 697 to derived routes will allow unauthorized sources to influence the 698 operation and convergence of the routing protocols and ultimately 699 impact the forwarding decisions made in the network. 701 Manipulation of topology and reachability information will allow 702 unauthorized sources to influence the nodes with which routing 703 information is exchanged and updated. The consequence of 704 manipulating routing exchanges can thus lead to sub-optimality and 705 fragmentation or partitioning of the network by restricting the 706 universe of routers with which associations can be established and 707 maintained. 709 A sub-optimal network may use too much power and/or may congest some 710 routes leading to premature failure of a node, and a denial of 711 service on the entire network. 713 In addition, being able to attract network traffic can make a 714 blackhole attack more damaging. 716 The forms of attack that allow manipulation to compromise the content 717 and validity of routing information include 719 o Falsification, including overclaiming and misclaiming (claiming 720 routes to devices which the device can not in fact reach); 722 o Routing information replay; 724 o Byzantine (internal) attacks that permit corruption of routing 725 information in the node even where the node continues to be a 726 validated entity within the network (see, for example, [RFC4593] 727 for further discussions on Byzantine attacks); 729 o Physical device compromise or remote device access attacks. 731 6.3.2. Node Identity Misappropriation 733 Falsification or misappropriation of node identity between routing 734 participants opens the door for other attacks; it can also cause 735 incorrect routing relationships to form and/or topologies to emerge. 736 Routing attacks may also be mounted through less sophisticated node 737 identity misappropriation in which the valid information broadcast or 738 exchanged by a node is replayed without modification. The receipt of 739 seemingly valid information that is however no longer current can 740 result in routing disruption, and instability (including failure to 741 converge). Without measures to authenticate the routing participants 742 and to ensure the freshness and validity of the received information 743 the protocol operation can be compromised. The forms of attack that 744 misuse node identity include 746 o Identity attacks, including Sybil attacks (see [Sybil2002]) in 747 which a malicious node illegitimately assumes multiple identities; 749 o Routing information replay. 751 6.4. Threats and Attacks on Availability 753 The assessment in Section 4.2 indicates that the process and 754 resources assets are exposed to threats against availability; attacks 755 in this category may exploit directly or indirectly information 756 exchange or forwarding (see [RFC4732] for a general discussion). 758 6.4.1. Routing Exchange Interference or Disruption 760 Interference is the threat action and disruption is threat 761 consequence that allows attackers to influence the operation and 762 convergence of the routing protocols by impeding the routing 763 information exchange. 765 The forms of attack that allow interference or disruption of routing 766 exchange include: 768 o Routing information replay; 770 o ACK spoofing; 772 o Overload attacks. (Section 7.3.2) 774 In addition, attacks may also be directly conducted at the physical 775 layer in the form of jamming or interfering. 777 6.4.2. Network Traffic Forwarding Disruption 779 The disruption of the network traffic forwarding capability will 780 undermine the central function of network routers and the ability to 781 handle user traffic. This affects the availability of the network 782 because of the potential to impair the primary capability of the 783 network. 785 In addition to physical layer obstructions, the forms of attack that 786 allows disruption of network traffic forwarding include [Karlof2003] 788 o Selective forwarding attacks; 790 |Node_1|--(msg1|msg2|msg3)-->|Attacker|--(msg1|msg3)-->|Node_2| 792 Figure 2: Selective forwarding example 794 o Wormhole attacks; 795 |Node_1|-------------Unreachable---------x|Node_2| 796 | ^ 797 | Private Link | 798 '-->|Attacker_1|===========>|Attacker_2|--' 800 Figure 3: Wormhole Attacks 802 o Sinkhole attacks. 804 |Node_1| |Node_4| 805 | | 806 `--------. | 807 Falsify as \ | 808 Good Link \ | | 809 To Node_5 \ | | 810 \ V V 811 |Node_2|-->|Attacker|--Not Forwarded---x|Node_5| 812 ^ ^ \ 813 | | \ Falsify as 814 | | \Good Link 815 / | To Node_5 816 ,-------' | 817 | | 818 |Node_3| |Node_i| 820 Figure 4: sinkhole attack example 822 These attacks are generally done to both control plane and forwarding 823 plane traffic. A system that prevents control plane traffic (RPL 824 messages) from being diverted in these ways will also prevent actual 825 data from being diverted. 827 6.4.3. Communications Resource Disruption 828 Attacks mounted against the communication channel resource assets 829 needed by the routing protocol can be used as a means of disrupting 830 its operation. However, while various forms of Denial of Service 831 (DoS) attacks on the underlying transport subsystem will affect 832 routing protocol exchanges and operation (for example physical layer 833 RF jamming in a wireless network or link layer attacks), these 834 attacks cannot be countered by the routing protocol. As such, the 835 threats to the underlying transport network that supports routing is 836 considered beyond the scope of the current document. Nonetheless, 837 attacks on the subsystem will affect routing operation and so must be 838 directly addressed within the underlying subsystem and its 839 implemented protocol layers. 841 6.4.4. Node Resource Exhaustion 843 A potential threat consequence can arise from attempts to overload 844 the node resource asset by initiating exchanges that can lead to the 845 exhaustion of processing, memory, or energy resources. The 846 establishment and maintenance of routing neighbors opens the routing 847 process to engagement and potential acceptance of multiple 848 neighboring peers. Association information must be stored for each 849 peer entity and for the wireless network operation provisions made to 850 periodically update and reassess the associations. An introduced 851 proliferation of apparent routing peers can therefore have a negative 852 impact on node resources. 854 Node resources may also be unduly consumed by attackers attempting 855 uncontrolled topology peering or routing exchanges, routing replays, 856 or the generating of other data traffic floods. Beyond the 857 disruption of communications channel resources, these consequences 858 may be able to exhaust node resources only where the engagements are 859 able to proceed with the peer routing entities. Routing operation 860 and network forwarding functions can thus be adversely impacted by 861 node resources exhaustion that stems from attacks that include: 863 o Identity (including Sybil) attacks (see [Sybil2002]); 865 o Routing information replay attacks; 867 o HELLO-type flood attacks; 869 o Overload attacks. (Section 7.3.2) 871 7. Countermeasures 873 By recognizing the characteristics of LLNs that may impact routing, 874 this analysis provides the basis for understanding the capabilities 875 within RPL used to deter the identified attacks and mitigate the 876 threats. The following subsections consider such countermeasures by 877 grouping the attacks according to the classification of the ISO 878 7498-2 model so that associations with the necessary security 879 services are more readily visible. 881 7.1. Confidentiality Attack Countermeasures 883 Attacks to disclosure routing information may be mounted at the level 884 of the routing information assets, at the points of access associated 885 with routing exchanges between nodes, or through device interface 886 access. To gain access to routing/topology information, the attacker 887 may rely on a compromised node that deliberately exposes the 888 information during the routing exchange process, may rely on passive 889 wiretapping or traffic analysis, or may attempt access through a 890 component or device interface of a tampered routing node. 892 7.1.1. Countering Deliberate Exposure Attacks 894 A deliberate exposure attack is one in which an entity that is party 895 to the routing process or topology exchange allows the routing/ 896 topology information or generated route information to be exposed to 897 an unauthorized entity. 899 For instance, due to mis-configuration or inappropriate enabling of a 900 diagnostic interface, an entity might be copying ("bridging") traffic 901 from a secured ESSID/PAN to an unsecured interface. 903 A prerequisite to countering this attack is to ensure that the 904 communicating nodes are authenticated prior to data encryption 905 applied in the routing exchange. Authentication ensures that the 906 nodes are who they claim to be even though it does not provide an 907 indication of whether the node has been compromised. 909 To mitigate the risk of deliberate exposure, the process that 910 communicating nodes use to establish session keys must be peer-to- 911 peer (i.e., between the routing initiating and responding nodes). 912 This helps ensure that neither node is exchanging routing information 913 with another peer without the knowledge of both communicating peers. 914 For a deliberate exposure attack to succeed, the comprised node will 915 need to be more overt and take independent actions in order to 916 disclose the routing information to 3rd party. 918 Note that the same measures which apply to securing routing/topology 919 exchanges between operational nodes must also extend to field tools 920 and other devices used in a deployed network where such devices can 921 be configured to participate in routing exchanges. 923 7.1.2. Countering Passive Wiretapping Attacks 925 A passive wiretap attack seeks to breach routing confidentiality 926 through passive, direct analysis and processing of the information 927 exchanges between nodes. 929 Passive wiretap attacks can be directly countered through the use of 930 data encryption for all routing exchanges. Only when a validated and 931 authenticated node association is completed will routing exchange be 932 allowed to proceed using established session keys and an agreed 933 encryption algorithm. The mandatory to implement CCM mode AES-128 934 method, is described in [RFC3610], and is believed to be secure 935 against a brute force attack by even the most well-equiped adversary. 937 The significant challenge for RPL is in the provisioning of the key, 938 which in some modes of RFC6550 is used network-wide. RFC6550 does 939 not solve this problem, and it is the subject of significant future 940 work: see, for instance: [AceCharterProposal], [SolaceProposal], 941 [SmartObjectSecurityWorkshop]. 943 A number of deployments, such as [ZigBeeIP] specify no layer-3/RPL 944 encryption or authentication and rely upon similiar security at 945 layer-2. These networks are immune to outside wiretapping attacks, 946 but are particularly vulnerable to passive (and active) attacks 947 through compromises of nodes. 949 Section 10.9 of [RFC6550] specifies AES-128 in CCM mode with a 32-bit 950 MAC. 952 Section 5.6 Zigbee IP [ZigBeeIP] specifies use of CCM, with PANA and 953 EAP-TLS for key management. 955 7.1.3. Countering Traffic Analysis 957 Traffic analysis provides an indirect means of subverting 958 confidentiality and gaining access to routing information by allowing 959 an attacker to indirectly map the connectivity or flow patterns 960 (including link-load) of the network from which other attacks can be 961 mounted. The traffic analysis attack on an LLN, especially one 962 founded on shared medium, is passive and relies on the ability to 963 read the immutable source/destination layer-2 and/or layer-3 routing 964 information that must remain unencrypted to permit network routing. 966 One way in which passive traffic analysis attacks can be muted is 967 through the support of load balancing that allows traffic to a given 968 destination to be sent along diverse routing paths. RPL does not 969 generally support multi-path routing within a single DODAG. Multiple 970 DODAGs are supported in the protocol, and an implementation could 971 make use of that. RPL does not have any inherent or standard way to 972 guarantee that the different DODAGs would have significantly diverse 973 paths. Having the diverse DODAGs routed at different border routers 974 might work in some instances, and this could be combined with a 975 multipath technology like MPTCP ([RFC6824]. It is unlikely that it 976 will be affordable in many LLNs, as few deployments will have memory 977 space for more than a few sets of DODAG tables. 979 Another approach to countering passive traffic analysis could be for 980 nodes to maintain constant amount of traffic to different 981 destinations through the generation of arbitrary traffic flows; the 982 drawback of course would be the consequent overhead and energy 983 expenditure. 985 The only means of fully countering a traffic analysis attack is 986 through the use of tunneling (encapsulation) where encryption is 987 applied across the entirety of the original packet source/destination 988 addresses. Deployments which use layer-2 security that includes 989 encryption already do this for all traffic. 991 7.1.4. Countering Remote Device Access Attacks 993 Where LLN nodes are deployed in the field, measures are introduced to 994 allow for remote retrieval of routing data and for software or field 995 upgrades. These paths create the potential for a device to be 996 remotely accessed across the network or through a provided field 997 tool. In the case of network management a node can be directly 998 requested to provide routing tables and neighbor information. 1000 To ensure confidentiality of the node routing information against 1001 attacks through remote access, any local or remote device requesting 1002 routing information must be authenticated, and must be authorized for 1003 that access. Since remote access is not invoked as part of a routing 1004 protocol, security of routing information stored on the node against 1005 remote access will not be addressable as part of the routing 1006 protocol. 1008 7.2. Integrity Attack Countermeasures 1010 Integrity attack countermeasures address routing information 1011 manipulation, as well as node identity and routing information 1012 misuse. Manipulation can occur in the form of falsification attack 1013 and physical compromise. To be effective, the following development 1014 considers the two aspects of falsification, namely, the unauthorized 1015 modifications and the overclaiming and misclaiming content. The 1016 countering of physical compromise was considered in the previous 1017 section and is not repeated here. With regard to misuse, there are 1018 two types of attacks to be deterred, identity attacks and replay 1019 attacks. 1021 7.2.1. Countering Unauthorized Modification Attacks 1023 Unauthorized modifications may occur in the form of altering the 1024 message being transferred or the data stored. Therefore, it is 1025 necessary to ensure that only authorized nodes can change the portion 1026 of the information that is allowed to be mutable, while the integrity 1027 of the rest of the information is protected, e.g., through well- 1028 studied cryptographic mechanisms. 1030 Unauthorized modifications may also occur in the form of insertion or 1031 deletion of messages during protocol changes. Therefore, the 1032 protocol needs to ensure the integrity of the sequence of the 1033 exchange sequence. 1035 The countermeasure to unauthorized modifications needs to: 1037 o implement access control on storage; 1039 o provide data integrity service to transferred messages and stored 1040 data; 1042 o include sequence number under integrity protection. 1044 7.2.2. Countering Overclaiming and Misclaiming Attacks 1046 Both overclaiming and misclaiming aim to introduce false routes or a 1047 false topology that would not occur otherwise, while there are not 1048 necessarily unauthorized modifications to the routing messages or 1049 information. In order to counter overclaiming, the capability to 1050 determine unreasonable routes or topology is required. 1052 The counter to overclaiming and misclaiming may employ: 1054 o comparison with historical routing/topology data; 1056 o designs which restrict realizable network topologies. 1058 RPL includes no specific mechanisms in the protocol to counter 1059 overclaims or misclaims. An implementation could have specific 1060 heuristics implemented locally. 1062 7.2.3. Countering Identity (including Sybil) Attacks 1064 Identity attacks, sometimes simply called spoofing, seek to gain or 1065 damage assets whose access is controlled through identity. In 1066 routing, an identity attacker can illegitimately participate in 1067 routing exchanges, distribute false routing information, or cause an 1068 invalid outcome of a routing process. 1070 A perpetrator of Sybil attacks assumes multiple identities. The 1071 result is not only an amplification of the damage to routing, but 1072 extension to new areas, e.g., where geographic distribution is 1073 explicitly or implicitly an asset to an application running on the 1074 LLN, for example, the LBR in a P2MP or MP2P LLN. 1076 RPL includes specific public key based authentication at layer-3 that 1077 provide for authorization. Many deployments use layer-2 security 1078 that includes admission controls at layer-2 using mechanisms such as 1079 PANA. 1081 7.2.4. Countering Routing Information Replay Attacks 1083 In many routing protocols, message replay can result in false 1084 topology and/or routes. This is often counted with some kind of 1085 counter to ensure the freshness of the message. Replay of a current, 1086 literal RPL message are in general idempotent to the topology. An 1087 older (lower DODAGVersionNumber) message, if replayed would be 1088 rejected as being stale. The trickle algorithm further dampens the 1089 effect of any such replay, as if the message was current, then it 1090 would contain the same information as before, and it would cause no 1091 network changes. 1093 Replays may well occur in some radio technologies (not very likely, 1094 802.15.4) as a result of echos or reflections, and so some replays 1095 must be assumed to occur naturally. 1097 Note that for there to be no affect at all, the replay must be done 1098 with the same apparent power for all nodes receiving the replay. A 1099 change in apparent power might change the metrics through changes to 1100 the ETX and therefore might affect the routing even though the 1101 contents of the packet were never changed. Any replay which appears 1102 to be different should be analyzed as a Selective Forwarding Attack, 1103 Sinkhole Attack or Wormhole Attack. 1105 7.2.5. Countering Byzantine Routing Information Attacks 1107 Where a node is captured or compromised but continues to operate for 1108 a period with valid network security credentials, the potential 1109 exists for routing information to be manipulated. This compromise of 1110 the routing information could thus exist in spite of security 1111 countermeasures that operate between the peer routing devices. 1113 Consistent with the end-to-end principle of communications, such an 1114 attack can only be fully addressed through measures operating 1115 directly between the routing entities themselves or by means of 1116 external entities able to access and independently analyze the 1117 routing information. Verification of the authenticity and liveliness 1118 of the routing entities can therefore only provide a limited counter 1119 against internal (Byzantine) node attacks. 1121 For link state routing protocols where information is flooded with, 1122 for example, areas (OSPF [RFC2328]) or levels (ISIS [RFC1142]), 1123 countermeasures can be directly applied by the routing entities 1124 through the processing and comparison of link state information 1125 received from different peers. By comparing the link information 1126 from multiple sources decisions can be made by a routing node or 1127 external entity with regard to routing information validity; see 1128 Chapter 2 of [Perlman1988] for a discussion on flooding attacks. 1130 For distance vector protocols, such as RPL, where information is 1131 aggregated at each routing node it is not possible for nodes to 1132 directly detect Byzantine information manipulation attacks from the 1133 routing information exchange. In such cases, the routing protocol 1134 must include and support indirect communications exchanges between 1135 non-adjacent routing peers to provide a secondary channel for 1136 performing routing information validation. S-RIP [Wan2004] is an 1137 example of the implementation of this type of dedicated routing 1138 protocol security where the correctness of aggregate distance vector 1139 information can only be validated by initiating confirmation 1140 exchanges directly between nodes that are not routing neighbors. 1142 RPL does not provide any direct mechanisms like S-RIP. It does 1143 listen to multiple parents, and may switch parents if it begins to 1144 suspect that it is being lied to. 1146 7.3. Availability Attack Countermeasures 1148 As alluded to before, availability requires that routing information 1149 exchanges and forwarding mechanisms be available when needed so as to 1150 guarantee proper functioning of the network. This may, e.g., include 1151 the correct operation of routing information and neighbor state 1152 information exchanges, among others. We will highlight the key 1153 features of the security threats along with typical countermeasures 1154 to prevent or at least mitigate them. We will also note that an 1155 availability attack may be facilitated by an identity attack as well 1156 as a replay attack, as was addressed in Section 7.2.3 and 1157 Section 7.2.4, respectively. 1159 7.3.1. Countering HELLO Flood Attacks and ACK Spoofing Attacks 1161 HELLO Flood [Karlof2003],[I-D.suhopark-hello-wsn] and ACK Spoofing 1162 attacks are different but highly related forms of attacking an LLN. 1163 They essentially lead nodes to believe that suitable routes are 1164 available even though they are not and hence constitute a serious 1165 availability attack. 1167 A HELLO attack mounted against RPL would involve sending out (or 1168 replaying) DIO messages by the attacker. Lower power LLN nodes might 1169 then attempt to join the DODAG at a lower rank than they would 1170 otherwise. 1172 The most effective method from [I-D.suhopark-hello-wsn] is the verify 1173 bidirectionality. A number of layer-2 links are arranged in 1174 controller/spoke arrangements, and continuously are validating 1175 connectivity at layer 2. 1177 In addition, in order to calculate metrics, the ETX must be computed, 1178 and this involves, in general, sending a number of messages between 1179 nodes which are believed to be adjacent. 1180 [I-D.kelsey-intarea-mesh-link-establishment] is one such protocol. 1182 In order to join the DODAG, a DAO message is sent upwards. In RPL 1183 the DAO is acknowledged by the DAO-ACK message. This clearly checks 1184 bidirectionality at the control plane. 1186 As discussed in section 5.1, [I-D.suhopark-hello-wsn] a receiver with 1187 a sensitive receiver could well hear the DAOs, and even send DAO-ACKs 1188 as well. Such a node is a form of wormhole attack. 1190 These attacks are also all easily defended against using either 1191 layer-2 or layer-3 authentication. Such an attack could only be made 1192 against a completely open network (such as might be used for 1193 provisioning new nodes), or by a compromised node. 1195 7.3.2. Countering Overload Attacks 1197 Overload attacks are a form of DoS attack in that a malicious node 1198 overloads the network with irrelevant traffic, thereby draining the 1199 nodes' energy store more quickly, when the nodes rely on batteries or 1200 energy scavenging. It thus significantly shortens the lifetime of 1201 networks of energy-constrained nodes and constitutes another serious 1202 availability attack. 1204 With energy being one of the most precious assets of LLNs, targeting 1205 its availability is a fairly obvious attack. Another way of 1206 depleting the energy of an LLN node is to have the malicious node 1207 overload the network with irrelevant traffic. This impacts 1208 availability since certain routes get congested which: 1210 o renders them useless for affected nodes and data can hence not be 1211 delivered; 1213 o makes routes longer as shortest path algorithms work with the 1214 congested network; 1216 o depletes battery and energy scavenging nodes more quickly and thus 1217 shortens the network's availability at large. 1219 Overload attacks can be countered by deploying a series of mutually 1220 non-exclusive security measures: 1222 o introduce quotas on the traffic rate each node is allowed to send; 1224 o isolate nodes which send traffic above a certain threshold based 1225 on system operation characteristics; 1227 o allow only trusted data to be received and forwarded. 1229 As for the first one, a simple approach to minimize the harmful 1230 impact of an overload attack is to introduce traffic quotas. This 1231 prevents a malicious node from injecting a large amount of traffic 1232 into the network, even though it does not prevent said node from 1233 injecting irrelevant traffic at all. Another method is to isolate 1234 nodes from the network at the network layer once it has been detected 1235 that more traffic is injected into the network than allowed by a 1236 prior set or dynamically adjusted threshold. Finally, if 1237 communication is sufficiently secured, only trusted nodes can receive 1238 and forward traffic which also lowers the risk of an overload attack. 1240 Receiving nodes that validate signatures and sending nodes that 1241 encrypt messages need to be cautious of cryptographic processing 1242 usage when validating signatures and encrypting messages. Where 1243 feasible, certificates should be validated prior to use of the 1244 associated keys to counter potential resource overloading attacks. 1245 The associated design decision needs to also consider that the 1246 validation process requires resources and thus itself could be 1247 exploited for attacks. Alternatively, resource management limits can 1248 be placed on routing security processing events (see the comment in 1249 Section 6, paragraph 4, of [RFC5751]). 1251 7.3.3. Countering Selective Forwarding Attacks 1253 Selective forwarding attacks are a form of DoS attack which impacts 1254 the availability of the generated routing paths. 1256 A selective forwarding attack may be done by a node involved with the 1257 routing process, or it may be done by what otherwise appears to be a 1258 passive antenna or other RF feature or device, but is in fact an 1259 active (and selective) device. An RF antenna/repeater which is not 1260 selective, is not a threat. 1262 An insider malicious node basically blends neatly in with the network 1263 but then may decide to forward and/or manipulate certain packets. If 1264 all packets are dropped, then this attacker is also often referred to 1265 as a "black hole". Such a form of attack is particularly dangerous 1266 if coupled with sinkhole attacks since inherently a large amount of 1267 traffic is attracted to the malicious node and thereby causing 1268 significant damage. In a shared medium, an outside malicious node 1269 would selectively jam overheard data flows, where the thus caused 1270 collisions incur selective forwarding. 1272 Selective Forwarding attacks can be countered by deploying a series 1273 of mutually non-exclusive security measures: 1275 o multipath routing of the same message over disjoint paths; 1277 o dynamically selecting the next hop from a set of candidates. 1279 The first measure basically guarantees that if a message gets lost on 1280 a particular routing path due to a malicious selective forwarding 1281 attack, there will be another route which successfully delivers the 1282 data. Such a method is inherently suboptimal from an energy 1283 consumption point of view; it is also suboptimal from a network 1284 utilization perspective. The second method basically involves a 1285 constantly changing routing topology in that next-hop routers are 1286 chosen from a dynamic set in the hope that the number of malicious 1287 nodes in this set is negligible. A routing protocol that allows for 1288 disjoint routing paths may also be useful. 1290 7.3.4. Countering Sinkhole Attacks 1292 In sinkhole attacks, the malicious node manages to attract a lot of 1293 traffic mainly by advertising the availability of high-quality links 1294 even though there are none [Karlof2003]. It hence constitutes a 1295 serious attack on availability. 1297 The malicious node creates a sinkhole by attracting a large amount 1298 of, if not all, traffic from surrounding neighbors by advertising in 1299 and outwards links of superior quality. Affected nodes hence eagerly 1300 route their traffic via the malicious node which, if coupled with 1301 other attacks such as selective forwarding, may lead to serious 1302 availability and security breaches. Such an attack can only be 1303 executed by an inside malicious node and is generally very difficult 1304 to detect. An ongoing attack has a profound impact on the network 1305 topology and essentially becomes a problem of flow control. 1307 Sinkhole attacks can be countered by deploying a series of mutually 1308 non-exclusive security measures: 1310 o use geographical insights for flow control; 1312 o isolate nodes which receive traffic above a certain threshold; 1314 o dynamically pick up next hop from set of candidates; 1316 o allow only trusted data to be received and forwarded. 1318 Some LLNs may provide for geolocation services, often derived from 1319 solving triangulation equations from radio delay calculations, such 1320 calculations could in theory be subverted by a sinkhole that 1321 transmitted at precisely the right power in a node to node fashion. 1323 While geographic knowledge could help assure that traffic always went 1324 in the physical direction desired, it would not assure that the 1325 traffic was taking the most efficient route, as the lowest cost real 1326 route might be match the physical topology; such as when different 1327 parts of an LLN are connected by high-speed wired networks. 1329 7.3.5. Countering Wormhole Attacks 1331 In wormhole attacks at least two malicious nodes claim to have a 1332 short path between themselves [Karlof2003]. This changes the 1333 availability of certain routing paths and hence constitutes a serious 1334 security breach. 1336 Essentially, two malicious insider nodes use another, more powerful, 1337 transmitter to communicate with each other and thereby distort the 1338 would-be-agreed routing path. This distortion could involve 1339 shortcutting and hence paralyzing a large part of the network; it 1340 could also involve tunneling the information to another region of the 1341 network where there are, e.g., more malicious nodes available to aid 1342 the intrusion or where messages are replayed, etc. 1344 In conjunction with selective forwarding, wormhole attacks can create 1345 race conditions which impact topology maintenance, routing protocols 1346 as well as any security suits built on "time of check" and "time of 1347 use". 1349 A pure wormhole attack is nearly impossible to detect. A wormhole 1350 which is used in order to subsequently mount another kind of attack 1351 would be defeated by defeating the other attack. A perfect wormhole, 1352 in which there is nothing adverse that occurs to the traffic, would 1353 be difficult to call an attack. The worst thing that a benign 1354 wormhole can do in such a situation is to cease to operate (become 1355 unstable), causing the network to have to recalculate routes. 1357 A highly unstable wormhole is no different than a radio opaque (i.e. 1358 metal) door that opens and closes a lot. RPL includes hysteresis in 1359 its objective functions [RFC6719] in an attempt to deal with frequent 1360 changes to the ETX between nodes. 1362 8. RPL Security Features 1363 The assessments and analysis in Section 6 examined all areas of 1364 threats and attacks that could impact routing, and the 1365 countermeasures presented in Section 7 were reached without confining 1366 the consideration to means only available to routing. This section 1367 puts the results into perspective; dealing with those threats which 1368 are endemnic to this field, those which have been mitigated through 1369 RPL protocol design, and those which require specific decisions to be 1370 made as part of provisioning a network. 1372 The first part of this section, Section 8.1 to Section 8.3, is a 1373 description of RPL security features that address specific threats. 1374 The second part of this section, Section 8.4, discusses issues of 1375 provisioning of security aspects that may impact routing but that 1376 also require considerations beyond the routing protocol, as well as 1377 potential approaches. 1379 RPL employs multicast and so these alternative communications modes 1380 MUST be secured with the same routing security services specified in 1381 this section. Furthermore, irrespective of the modes of 1382 communication, nodes MUST provide adequate physical tamper resistance 1383 commensurate with the particular application domain environment to 1384 ensure the confidentiality, integrity, and availability of stored 1385 routing information. 1387 8.1. Confidentiality Features 1389 With regard to confidentiality, protecting the routing/topology 1390 information from unauthorized disclosure is not directly essential to 1391 maintaining the routing function. Breaches of confidentiality may 1392 lead to other attacks or the focusing of an attacker's resources (see 1393 Section 6.2) but does not of itself directly undermine the operation 1394 of the routing function. However, to protect against, and reduce 1395 consequences from other more direct attacks, routing information 1396 should be protected. Thus, to secure RPL: 1398 o implement payload encryption using layer-3 mechanisms described in 1399 [RFC6550]; 1401 o or: implement layer-2 confidentiality; 1403 Where confidentiality is incorporated into the routing exchanges, 1404 encryption algorithms and key lengths need to be specified in 1405 accordance with the level of protection dictated by the routing 1406 protocol and the associated application domain transport network. 1407 For most networks, this means use of AES128 in CCM mode, but this 1408 needs to be specified clearly in the applicability statement. 1410 In terms of the life time of the keys, the opportunity to 1411 periodically change the encryption key increases the offered level of 1412 security for any given implementation. However, where strong 1413 cryptography is employed, physical, procedural, and logical data 1414 access protection considerations may have more significant impact on 1415 cryptoperiod selection than algorithm and key size factors. 1416 Nevertheless, in general, shorter cryptoperiods, during which a 1417 single key is applied, will enhance security. 1419 Given the mandatory protocol requirement to implement routing node 1420 authentication as part of routing integrity (see Section 8.2), key 1421 exchanges may be coordinated as part of the integrity verification 1422 process. This provides an opportunity to increase the frequency of 1423 key exchange and shorten the cryptoperiod as a complement to the key 1424 length and encryption algorithm required for a given application 1425 domain. 1427 8.2. Integrity Features 1429 The integrity of routing information provides the basis for ensuring 1430 that the function of the routing protocol is achieved and maintained. 1431 To protect integrity, RPL must either run using only the Secure 1432 versions of the messages, or must run over a layer-2 that uses 1433 channel binding between node identity and transmissions. 1435 Some layer-2 security mechanisms use a single key for the entire 1436 network, and these networks can not provide significant amount of 1437 integrity protection, as any node that has that key may impersonate 1438 any other node. This mode of operation is likely acceptable when an 1439 entire deployment is under the control of a single administrative 1440 entity. 1442 Other layer-2 security mechanisms form a unique session key for every 1443 pair of nodes that needs to communicate; this is often called a per- 1444 link key. Such networks can provide a strong degree of origin 1445 authentication and integrity on unicast messages. 1447 However, some RPL messages are broadcast, and even when per-node 1448 layer-2 security mechanisms are used, the integrity and origin 1449 authentication of broadcast messages can not be as securely known. 1451 RPL has two specific messages which are broadcast: the DODAG 1452 Information Object (DIO), and the DODAG Information Solicitation 1453 (DIS). The purpose of the DIS is to cause potential parents to reply 1454 with a DIO, so the integrity of the DIS is not of great concern. The 1455 DIS may also be unicast. 1457 The DIO is a critical piece of routing and carries many critical 1458 parameters. RPL provides for assymetric authentication at layer-3 of 1459 the DIO, and this may be waranteed in some deployments. A node 1460 could, if it felt that the DIO that it had received was suspicious, 1461 send a unicast DIS message to the node in question, and that node 1462 would reply with a unicast DIS. Those messages could be protected 1463 with the per-link key. 1465 8.3. Availability Features 1467 Availability of routing information is linked to system and network 1468 availability which in the case of LLNs require a broader security 1469 view beyond the requirements of the routing entities. Where 1470 availability of the network is compromised, routing information 1471 availability will be accordingly affected. However, to specifically 1472 assist in protecting routing availability: 1474 o MAY restrict neighborhood cardinality; 1476 o MAY use multiple paths; 1478 o MAY use multiple destinations; 1480 o MAY choose randomly if multiple paths are available; 1482 o MAY set quotas to limit transmit or receive volume; 1484 o MAY use geographic information for flow control. 1486 8.4. Key Management 1488 The functioning of the routing security services requires keys and 1489 credentials. Therefore, even though not directly a RPL security 1490 requirement, an LLN MUST have a process for initial key and 1491 credential configuration, as well as secure storage within the 1492 associated devices. Anti-tampering SHOULD be a consideration in 1493 physical design. Beyond initial credential configuration, an LLN is 1494 also encouraged to have automatic procedures for the revocation and 1495 replacement of the maintained security credentials. 1497 While RPL has secure modes, but some modes are impractical without 1498 use of public key cryptography believed to be too expensive by many. 1499 RPL layer-3 security will often depend upon existing LLN layer-2 1500 security mechanisms, which provides for node authentication, but 1501 little in the way of node authorization. 1503 9. IANA Considerations 1504 This memo includes no request to IANA. 1506 10. Security Considerations 1508 The analysis presented in this document provides security analysis 1509 and design guidelines with a scope limited to RPL. Security services 1510 are identified as requirements for securing RPL. The specific 1511 mechanisms to be used to deal with each threat is specified in link- 1512 layer and deployment specific applicability statements. 1514 11. Acknowledgments 1516 The authors would like to acknowledge the review and comments from 1517 Rene Struik and JP Vasseur. The authors would also like to 1518 acknowledge the guidance and input provided by the RPL Chairs, David 1519 Culler, and JP Vasseur, and the Area Director Adrian Farrel. 1521 This document started out as a combined threat and solutions 1522 document. As a result of security review, the document was split up 1523 by RPL co-Chair Michael Richardson and security Area Director Sean 1524 Turner as it went through the IETF publication process. The 1525 solutions to the threats are application and layer-2 specific, and 1526 have therefore been moved to the relevant applicability statements. 1528 Ines Robles and Robert Craigie kept track of the many issues that 1529 were raised during the development of this document 1531 12. References 1533 12.1. Normative References 1535 [I-D.ietf-roll-terminology] 1536 Vasseur, J., "Terminology in Low power And Lossy 1537 Networks", draft-ietf-roll-terminology-04 (work in 1538 progress), September 2010. 1540 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1541 Requirement Levels", BCP 14, RFC 2119, March 1997. 1543 [RFC4107] Bellovin, S. and R. Housley, "Guidelines for Cryptographic 1544 Key Management", BCP 107, RFC 4107, June 2005. 1546 [RFC4301] Kent, S. and K. Seo, "Security Architecture for the 1547 Internet Protocol", RFC 4301, December 2005. 1549 [RFC6550] Winter, T., Thubert, P., Brandt, A., Hui, J., Kelsey, R., 1550 Levis, P., Pister, K., Struik, R., Vasseur, JP., and R. 1551 Alexander, "RPL: IPv6 Routing Protocol for Low-Power and 1552 Lossy Networks", RFC 6550, March 2012. 1554 [RFC6719] Gnawali, O. and P. Levis, "The Minimum Rank with 1555 Hysteresis Objective Function", RFC 6719, September 2012. 1557 [ZigBeeIP] 1558 ZigBee Public Document 15-002r00, "ZigBee IP 1559 Specification", 2013. 1561 12.2. Informative References 1563 [AceCharterProposal] 1564 Li, Kepeng., Ed., "Authentication and Authorization for 1565 Constrained Environment Charter (work-in-progress)", 1566 December 2013, . 1569 [FIPS197] , "Federal Information Processing Standards Publication 1570 197: Advanced Encryption Standard (AES)", US National 1571 Institute of Standards and Technology, Nov. 26 2001. 1573 [Huang2003] 1574 Huang, Q., Cukier, J., Kobayashi, H., Liu, B., and J. 1575 Zhang, "Fast Authenticated Key Establishment Protocols for 1576 Self-Organizing Sensor Networks", in Proceedings of the 1577 2nd ACM International Conference on Wireless Sensor 1578 Networks and Applications, San Diego, CA, USA, pp. 1579 141-150, Sept. 19 2003. 1581 [I-D.alexander-roll-mikey-lln-key-mgmt] 1582 Alexander, R. and T. Tsao, "Adapted Multimedia Internet 1583 KEYing (AMIKEY): An extension of Multimedia Internet 1584 KEYing (MIKEY) Methods for Generic LLN Environments", 1585 draft-alexander-roll-mikey-lln-key-mgmt-04 (work in 1586 progress), September 2012. 1588 [I-D.kelsey-intarea-mesh-link-establishment] 1589 Kelsey, R., "Mesh Link Establishment", draft-kelsey- 1590 intarea-mesh-link-establishment-05 (work in progress), 1591 February 2013. 1593 [I-D.suhopark-hello-wsn] 1594 Park, S., "Routing Security in Sensor Network: HELLO Flood 1595 Attack and Defense", draft-suhopark-hello-wsn-00 (work in 1596 progress), December 2005. 1598 [IEEE1149.1] 1599 , "IEEE Standard Test Access Port and Boundary Scan 1600 Architecture", IEEE-SA Standards Board, Jun. 14 2001. 1602 [ISO.7498-2.1988] 1603 International Organization for Standardization, 1604 "Information Processing Systems - Open Systems 1605 Interconnection Reference Model - Security Architecture", 1606 ISO Standard 7498-2, 1988. 1608 [Karlof2003] 1609 Karlof, C. and D. Wagner, "Secure routing in wireless 1610 sensor networks: attacks and countermeasures", Elsevier 1611 AdHoc Networks Journal, Special Issue on Sensor Network 1612 Applications and Protocols, 1(2):293-315, September 2003, 1613 . 1616 [Kasumi3gpp] 1617 , "3GPP TS 35.202 Specification of the 3GPP 1618 confidentiality and integrity algorithms; Document 2: 1619 Kasumi specification", 3GPP TSG SA3, 2009. 1621 [Messerges2003] 1622 Messerges, T., Cukier, J., Kevenaar, T., Puhl, L., Struik, 1623 R., and E. Callaway, "Low-Power Security for Wireless 1624 Sensor Networks", in Proceedings of the 1st ACM Workshop 1625 on Security of Ad Hoc and Sensor Networks, Fairfax, VA, 1626 USA, pp. 1-11, Oct. 31 2003. 1628 [Myagmar2005] 1629 Myagmar, S., Lee, AJ., and W. Yurcik, "Threat Modeling as 1630 a Basis for Security Requirements", in Proceedings of the 1631 Symposium on Requirements Engineering for Information 1632 Security (SREIS'05), Paris, France, pp. 94-102, Aug 29, 1633 2005. 1635 [Perlman1988] 1636 Perlman, N., "Network Layer Protocols with Byzantine 1637 Robustness", MIT LCS Tech Report, 429, 1988. 1639 [RFC1142] Oran, D., "OSI IS-IS Intra-domain Routing Protocol", RFC 1640 1142, February 1990. 1642 [RFC2080] Malkin, G. and R. Minnear, "RIPng for IPv6", RFC 2080, 1643 January 1997. 1645 [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998. 1647 [RFC2453] Malkin, G., "RIP Version 2", STD 56, RFC 2453, November 1648 1998. 1650 [RFC3610] Whiting, D., Housley, R., and N. Ferguson, "Counter with 1651 CBC-MAC (CCM)", RFC 3610, September 2003. 1653 [RFC3830] Arkko, J., Carrara, E., Lindholm, F., Naslund, M., and K. 1654 Norrman, "MIKEY: Multimedia Internet KEYing", RFC 3830, 1655 August 2004. 1657 [RFC4046] Baugher, M., Canetti, R., Dondeti, L., and F. Lindholm, 1658 "Multicast Security (MSEC) Group Key Management 1659 Architecture", RFC 4046, April 2005. 1661 [RFC4593] Barbir, A., Murphy, S., and Y. Yang, "Generic Threats to 1662 Routing Protocols", RFC 4593, October 2006. 1664 [RFC4732] Handley, M., Rescorla, E., IAB, "Internet Denial-of- 1665 Service Considerations", RFC 4732, December 2006. 1667 [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC 1668 4949, August 2007. 1670 [RFC5055] Freeman, T., Housley, R., Malpani, A., Cooper, D., and W. 1671 Polk, "Server-Based Certificate Validation Protocol 1672 (SCVP)", RFC 5055, December 2007. 1674 [RFC5197] Fries, S. and D. Ignjatic, "On the Applicability of 1675 Various Multimedia Internet KEYing (MIKEY) Modes and 1676 Extensions", RFC 5197, June 2008. 1678 [RFC5548] Dohler, M., Watteyne, T., Winter, T., and D. Barthel, 1679 "Routing Requirements for Urban Low-Power and Lossy 1680 Networks", RFC 5548, May 2009. 1682 [RFC5673] Pister, K., Thubert, P., Dwars, S., and T. Phinney, 1683 "Industrial Routing Requirements in Low-Power and Lossy 1684 Networks", RFC 5673, October 2009. 1686 [RFC5751] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet 1687 Mail Extensions (S/MIME) Version 3.2 Message 1688 Specification", RFC 5751, January 2010. 1690 [RFC5826] Brandt, A., Buron, J., and G. Porcu, "Home Automation 1691 Routing Requirements in Low-Power and Lossy Networks", RFC 1692 5826, April 2010. 1694 [RFC5867] Martocci, J., De Mil, P., Riou, N., and W. Vermeylen, 1695 "Building Automation Routing Requirements in Low-Power and 1696 Lossy Networks", RFC 5867, June 2010. 1698 [RFC5996] Kaufman, C., Hoffman, P., Nir, Y., and P. Eronen, 1699 "Internet Key Exchange Protocol Version 2 (IKEv2)", RFC 1700 5996, September 2010. 1702 [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the 1703 Router Control Plane", RFC 6192, March 2011. 1705 [RFC6574] Tschofenig, H. and J. Arkko, "Report from the Smart Object 1706 Workshop", RFC 6574, April 2012. 1708 [RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure, 1709 "TCP Extensions for Multipath Operation with Multiple 1710 Addresses", RFC 6824, January 2013. 1712 [SmartObjectSecurityWorkshop] 1713 Klausen, T., Ed., "Workshop on Smart Object Security", 1714 March 2012, . 1717 [SolaceProposal] 1718 Bormann, C., Ed., "Notes from the SOLACE ad-hoc at IETF85 1719 (work-in-progress)", November 2012, . 1722 [Sybil2002] 1723 Douceur, J., "The Sybil Attack", First International 1724 Workshop on Peer-to-Peer Systems , March 2002. 1726 [Szcze2008] 1727 Szczechowiak1, P., Oliveira, L., Scott, M., Collier, M., 1728 and R. Dahab, "NanoECC: testing the limits of elliptic 1729 curve cryptography in sensor networks", pp. 324-328, 2008, 1730 . 1733 [Wan2004] Wan, T., Kranakis, E., and PC. van Oorschot, "S-RIP: A 1734 Secure Distance Vector Routing Protocol", in Proceedings 1735 of the 2nd International Conference on Applied 1736 Cryptography and Network Security, Yellow Mountain, China, 1737 pp. 103-119, Jun. 8-11 2004. 1739 [Wander2005] 1740 Wander, A., Gura, N., Eberle, H., Gupta, V., and S. 1741 Shantz, "Energy analysis of public-key cryptography for 1742 wireless sensor networ", in the Proceedings of the Third 1743 IEEE International Conference on Pervasive Computing and 1744 Communications pp. 324-328, March 8-12 2005. 1746 [Yourdon1979] 1747 Yourdon, E. and L. Constantine, "Structured Design", 1748 Yourdon Press, New York, Chapter 10, pp. 187-222, 1979. 1750 Authors' Addresses 1752 Tzeta Tsao 1753 Cooper Power Systems 1754 910 Clopper Rd. Suite 201S 1755 Gaithersburg, Maryland 20878 1756 USA 1758 Email: tzeta.tsao@cooperindustries.com 1760 Roger K. Alexander 1761 Cooper Power Systems 1762 910 Clopper Rd. Suite 201S 1763 Gaithersburg, Maryland 20878 1764 USA 1766 Email: roger.alexander@cooperindustries.com 1768 Mischa Dohler 1769 CTTC 1770 Parc Mediterrani de la Tecnologia, Av. Canal Olimpic S/N 1771 Castelldefels, Barcelona 08860 1772 Spain 1774 Email: mischa.dohler@cttc.es 1776 Vanesa Daza 1777 Universitat Pompeu Fabra 1778 P/ Circumval.lacio 8, Oficina 308 1779 Barcelona 08003 1780 Spain 1782 Email: vanesa.daza@upf.edu 1783 Angel Lozano 1784 Universitat Pompeu Fabra 1785 P/ Circumval.lacio 8, Oficina 309 1786 Barcelona 08003 1787 Spain 1789 Email: angel.lozano@upf.edu 1791 Michael Richardson (ed) 1792 Sandelman Software Works 1793 470 Dawson Avenue 1794 Ottawa, ON K1Z5V7 1795 Canada 1797 Email: mcr+ietf@sandelman.ca