idnits 2.17.1 draft-ietf-roll-security-threats-11.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year == The document seems to lack the recommended RFC 2119 boilerplate, even if it appears to use RFC 2119 keywords. (The document does seem to have the reference to RFC 2119 which the ID-Checklist requires). -- The document date (October 02, 2014) is 3487 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Outdated reference: A later version (-03) exists of draft-gilger-smart-object-security-workshop-02 == Outdated reference: A later version (-06) exists of draft-kelsey-intarea-mesh-link-establishment-05 -- Obsolete informational reference (is this intentional?): RFC 5751 (Obsoleted by RFC 8551) -- Obsolete informational reference (is this intentional?): RFC 6824 (Obsoleted by RFC 8684) Summary: 0 errors (**), 0 flaws (~~), 4 warnings (==), 3 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Routing Over Low-Power and Lossy Networks T. Tsao 3 Internet-Draft R. Alexander 4 Intended status: Informational Cooper Power Systems 5 Expires: April 05, 2015 M. Dohler 6 CTTC 7 V. Daza 8 A. Lozano 9 Universitat Pompeu Fabra 10 M. Richardson, Ed. 11 Sandelman Software Works 12 October 02, 2014 14 A Security Threat Analysis for Routing Protocol for Low-power and lossy 15 networks (RPL) 16 draft-ietf-roll-security-threats-11 18 Abstract 20 This document presents a security threat analysis for the Routing 21 Protocol for Low-power and lossy networks (RPL, ROLL). The 22 development builds upon previous work on routing security and adapts 23 the assessments to the issues and constraints specific to low-power 24 and lossy networks. A systematic approach is used in defining and 25 evaluating the security threats. Applicable countermeasures are 26 application specific and are addressed in relevant applicability 27 statements. 29 Status of This Memo 31 This Internet-Draft is submitted in full conformance with the 32 provisions of BCP 78 and BCP 79. 34 Internet-Drafts are working documents of the Internet Engineering 35 Task Force (IETF). Note that other groups may also distribute 36 working documents as Internet-Drafts. The list of current Internet- 37 Drafts is at http://datatracker.ietf.org/drafts/current/. 39 Internet-Drafts are draft documents valid for a maximum of six months 40 and may be updated, replaced, or obsoleted by other documents at any 41 time. It is inappropriate to use Internet-Drafts as reference 42 material or to cite them other than as "work in progress." 44 This Internet-Draft will expire on April 05, 2015. 46 Copyright Notice 47 Copyright (c) 2014 IETF Trust and the persons identified as the 48 document authors. All rights reserved. 50 This document is subject to BCP 78 and the IETF Trust's Legal 51 Provisions Relating to IETF Documents 52 (http://trustee.ietf.org/license-info) in effect on the date of 53 publication of this document. Please review these documents 54 carefully, as they describe your rights and restrictions with respect 55 to this document. Code Components extracted from this document must 56 include Simplified BSD License text as described in Section 4.e of 57 the Trust Legal Provisions and are provided without warranty as 58 described in the Simplified BSD License. 60 Table of Contents 62 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 63 2. Relationship to other documents . . . . . . . . . . . . . . . 4 64 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 65 4. Considerations on RPL Security . . . . . . . . . . . . . . . 5 66 4.1. Routing Assets and Points of Access . . . . . . . . . . . 6 67 4.2. The ISO 7498-2 Security Reference Model . . . . . . . . . 8 68 4.3. Issues Specific to or Amplified in LLNs . . . . . . . . . 10 69 4.4. RPL Security Objectives . . . . . . . . . . . . . . . . . 12 70 5. Threat Sources . . . . . . . . . . . . . . . . . . . . . . . 13 71 6. Threats and Attacks . . . . . . . . . . . . . . . . . . . . . 13 72 6.1. Threats due to failures to Authenticate . . . . . . . . . 14 73 6.1.1. Node Impersonation . . . . . . . . . . . . . . . . . 14 74 6.1.2. Dummy Node . . . . . . . . . . . . . . . . . . . . . 14 75 6.1.3. Node Resource Spam . . . . . . . . . . . . . . . . . 14 76 6.2. Threats due to failure to keep routing information 77 confidential . . . . . . . . . . . . . . . . . . . . . . 15 78 6.2.1. Routing Exchange Exposure . . . . . . . . . . . . . . 15 79 6.2.2. Routing Information (Routes and Network Topology) 80 Exposure . . . . . . . . . . . . . . . . . . . . . . 15 81 6.3. Threats and Attacks on Integrity . . . . . . . . . . . . 16 82 6.3.1. Routing Information Manipulation . . . . . . . . . . 16 83 6.3.2. Node Identity Misappropriation . . . . . . . . . . . 17 84 6.4. Threats and Attacks on Availability . . . . . . . . . . . 17 85 6.4.1. Routing Exchange Interference or Disruption . . . . . 17 86 6.4.2. Network Traffic Forwarding Disruption . . . . . . . . 17 87 6.4.3. Communications Resource Disruption . . . . . . . . . 19 88 6.4.4. Node Resource Exhaustion . . . . . . . . . . . . . . 19 89 7. Countermeasures . . . . . . . . . . . . . . . . . . . . . . . 20 90 7.1. Confidentiality Attack Countermeasures . . . . . . . . . 20 91 7.1.1. Countering Deliberate Exposure Attacks . . . . . . . 20 92 7.1.2. Countering Passive Wiretapping Attacks . . . . . . . 21 93 7.1.3. Countering Traffic Analysis . . . . . . . . . . . . . 22 94 7.1.4. Countering Remote Device Access Attacks . . . . . . . 23 96 7.2. Integrity Attack Countermeasures . . . . . . . . . . . . 23 97 7.2.1. Countering Unauthorized Modification Attacks . . . . 23 98 7.2.2. Countering Overclaiming and Misclaiming Attacks . . . 24 99 7.2.3. Countering Identity (including Sybil) Attacks . . . . 24 100 7.2.4. Countering Routing Information Replay Attacks . . . . 25 101 7.2.5. Countering Byzantine Routing Information Attacks . . 25 102 7.3. Availability Attack Countermeasures . . . . . . . . . . . 26 103 7.3.1. Countering HELLO Flood Attacks and ACK Spoofing 104 Attacks . . . . . . . . . . . . . . . . . . . . . . . 26 105 7.3.2. Countering Overload Attacks . . . . . . . . . . . . . 27 106 7.3.3. Countering Selective Forwarding Attacks . . . . . . . 28 107 7.3.4. Countering Sinkhole Attacks . . . . . . . . . . . . . 29 108 7.3.5. Countering Wormhole Attacks . . . . . . . . . . . . . 30 109 8. RPL Security Features . . . . . . . . . . . . . . . . . . . . 31 110 8.1. Confidentiality Features . . . . . . . . . . . . . . . . 31 111 8.2. Integrity Features . . . . . . . . . . . . . . . . . . . 32 112 8.3. Availability Features . . . . . . . . . . . . . . . . . . 33 113 8.4. Key Management . . . . . . . . . . . . . . . . . . . . . 33 114 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 115 10. Security Considerations . . . . . . . . . . . . . . . . . . . 34 116 11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 34 117 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 34 118 12.1. Normative References . . . . . . . . . . . . . . . . . . 34 119 12.2. Informative References . . . . . . . . . . . . . . . . . 35 120 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 38 122 1. Introduction 124 In recent times, networked electronic devices have found an 125 increasing number of applications in various fields. Yet, for 126 reasons ranging from operational application to economics, these 127 wired and wireless devices are often supplied with minimum physical 128 resources; the constraints include those on computational resources 129 (RAM, clock speed, storage), communication resources (duty cycle, 130 packet size, etc.), but also form factors that may rule out user 131 access interfaces (e.g., the housing of a small stick-on switch), or 132 simply safety considerations (e.g., with gas meters). As a 133 consequence, the resulting networks are more prone to loss of traffic 134 and other vulnerabilities. The proliferation of these low-power and 135 lossy networks (LLNs), however, are drawing efforts to examine and 136 address their potential networking challenges. Securing the 137 establishment and maintenance of network connectivity among these 138 deployed devices becomes one of these key challenges. 140 This document presents a threat analysis for securing the Routing 141 Protocol for LLNs (RPL). The process requires two steps. First, the 142 analysis will be used to identify pertinent security issues. The 143 second step is to identify necessary countermeasures to secure RPL. 145 As there are multiple ways to solve the problem and the specific 146 tradeoffs are deployment specific, the specific countermeasure to be 147 used is detailed in applicability statements. 149 This document uses [ISO.7498-2.1988]] model, which describes 150 Authentication, Access Control, Data Confidentiality, Data Integrity, 151 and Non-Repudiation security services and to which Availability is 152 added. As explained below, Non-Repudiation does not apply to routing 153 protocols. 155 Many of the issues in this document were also covered in The IAB 156 Smart Object Workshop [RFC6574], and The IAB Smart Object Security 157 Workshop [I-D.gilger-smart-object-security-workshop]. 159 All of this document concerns itself with securing the control plane 160 traffic. As such it does not address authorization or authentication 161 of application traffic. RPL uses multicast as part of its protocol, 162 and therefore mechanisms which RPL uses to secure this traffic might 163 also be applicable to MPL control traffic as well: the important part 164 is that the threats are similar. 166 2. Relationship to other documents 168 ROLL has specified a set of routing protocols for Lossy and Low- 169 resource Networks (LLN) [RFC6550]. A number of applicability texts 170 describes a subset of these protocols and the conditions which make 171 the subset the correct choice. The text recommends and motivates the 172 accompanying parameter value ranges. Multiple applicability domains 173 are recognized including: Building and Home, and Advanced Metering 174 Infrastructure. The applicability domains distinguish themselves in 175 the way they are operated, their performance requirements, and the 176 most probable network structures. Each applicability statement 177 identifies the distinguishing properties according to a common set of 178 subjects described in as many sections. 180 The common set of security threats herein are referred to by the 181 applicability statements, and that series of documents describes the 182 preferred security settings and solutions within the applicability 183 statement conditions. This applicability statements may recommend 184 more light weight security solutions and specify the conditions under 185 which these solutions are appropriate. 187 3. Terminology 189 This document adopts the terminology defined in [RFC6550], in 190 [RFC4949], and in [RFC7102]. 192 The terms control plane and forwarding plane are used consistently 193 with section 1 of [RFC6192]. 195 The term DODAG is from [RFC6550]. 197 EAP-TLS is defined in [RFC5216]. 199 PANA is defined in [RFC5191]. 201 CCM mode is defined in [RFC3610]. 203 [RFC7102] introduces the term Sleepy Node, referring to a node which 204 may somtimes go into a low-power state, suspending protocol 205 communications 207 The terms SSID, ESSID and PAN refer to network identifiers, defined 208 in [IEEE.802.11] and [IEEE.802.15.4]. 210 Although this is not a protocol specification, the key words "MUST", 211 "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", 212 "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this 213 document are to be interpreted as described in [RFC2119] in order to 214 clarify and emphasize the guidance and directions to implementers and 215 deployers of LLN nodes that utilize RPL. 217 4. Considerations on RPL Security 219 Routing security, in essence, ensures that the routing protocol 220 operates correctly. It entails implementing measures to ensure 221 controlled state changes on devices and network elements, both based 222 on external inputs (received via communications) or internal inputs 223 (physical security of device itself and parameters maintained by the 224 device, including, e.g., clock). State changes would thereby involve 225 not only authorization of injector's actions, authentication of 226 injectors, and potentially confidentiality of routing data, but also 227 proper order of state changes through timeliness, since seriously 228 delayed state changes, such as commands or updates of routing tables, 229 may negatively impact system operation. A security assessment can 230 therefore begin with a focus on the assets [RFC4949] that may be the 231 target of the state changes and the access points in terms of 232 interfaces and protocol exchanges through which such changes may 233 occur. In the case of routing security, the focus is directed 234 towards the elements associated with the establishment and 235 maintenance of network connectivity. 237 This section sets the stage for the development of the analysis by 238 applying the systematic approach proposed in [Myagmar2005] to the 239 routing security, while also drawing references from other reviews 240 and assessments found in the literature, particularly, [RFC4593] and 241 [Karlof2003] (i.e. selective forwarding, wormhole and sinkhole 242 attacks). The subsequent subsections begin with a focus on the 243 elements of a generic routing process that is used to establish 244 routing assets and points of access to the routing functionality. 245 Next, the [ISO.7498-2.1988] security model is briefly described. 246 Then, consideration is given to issues specific to or amplified in 247 LLNs. This section concludes with the formulation of a set of 248 security objectives for RPL. 250 4.1. Routing Assets and Points of Access 252 An asset is an important system resource (including information, 253 process, or physical resource), the access to, corruption or loss of 254 which adversely affects the system. In the control plane context, an 255 asset is information about the network, processes used to manage and 256 manipulate this data, and the physical devices on which this data is 257 stored and manipulated. The corruption or loss of these assets may 258 adversely impact the control plane of the network. Within the same 259 context, a point of access is an interface or protocol that 260 facilitates interaction between control plane assets. Identifying 261 these assets and points of access will provide a basis for 262 enumerating the attack surface of the control plane. 264 A level-0 data flow diagram [Yourdon1979] is used here to identify 265 the assets and points of access within a generic routing process. 266 The use of a data flow diagram allows for a clear and concise model 267 of the way in which routing nodes interact and process information, 268 and hence provides a context for threats and attacks. The goal of 269 the model is to be as detailed as possible so that corresponding 270 assets, points of access, and process in an individual routing 271 protocol can be readily identified. 273 Figure 1 shows that nodes participating in the routing process 274 transmit messages to discover neighbors and to exchange routing 275 information; routes are then generated and stored, which may be 276 maintained in the form of the protocol forwarding table. The nodes 277 use the derived routes for making forwarding decisions. 279 ................................................... 280 : : 281 : : 282 |Node_i|<------->(Routing Neighbor _________________ : 283 : Discovery)------------>Neighbor Topology : 284 : -------+--------- : 285 : | : 286 |Node_j|<------->(Route/Topology +--------+ : 288 : Exchange) | : 289 : | V ______ : 290 : +---->(Route Generation)--->Routes : 291 : ---+-- : 292 : | : 293 : Routing on a Node Node_k | : 294 ................................................... 295 | 296 |Forwarding | 297 |On Node_l|<-------------------------------------------+ 299 Notation: 301 (Proc) A process Proc 303 ________ 304 topology A structure storing neighbor adjacency (parent/child) 305 -------- 306 ________ 307 routes A structure storing the forwarding information base (FIB) 308 -------- 310 |Node_n| An external entity Node_n 312 -------> Data flow 314 Figure 1: Data Flow Diagram of a Generic Routing Process 316 It is seen from Figure 1 that 318 o Assets include 320 * routing and/or topology information; 322 * route generation process; 324 * communication channel resources (bandwidth); 326 * node resources (computing capacity, memory, and remaining 327 energy); 329 * node identifiers (including node identity and ascribed 330 attributes such as relative or absolute node location). 332 o Points of access include 333 * neighbor discovery; 335 * route/topology exchange; 337 * node physical interfaces (including access to data storage). 339 A focus on the above list of assets and points of access enables a 340 more directed assessment of routing security; for example, it is 341 readily understood that some routing attacks are in the form of 342 attempts to misrepresent routing topology. Indeed, the intention of 343 the security threat analysis is to be comprehensive. Hence, some of 344 the discussion which follows is associated with assets and points of 345 access that are not directly related to routing protocol design but 346 nonetheless provided for reference since they do have direct 347 consequences on the security of routing. 349 4.2. The ISO 7498-2 Security Reference Model 351 At the conceptual level, security within an information system in 352 general and applied to RPL in particular is concerned with the 353 primary issues of authentication, access control, data 354 confidentiality, data integrity, and non-repudiation. In the context 355 of RPL: 357 Authentication 358 Authentication involves the mutual authentication of the 359 routing peers prior to exchanging route information (i.e., peer 360 authentication) as well as ensuring that the source of the 361 route data is from the peer (i.e., data origin authentication). 362 [RFC5548] points out that LLNs can be drained by 363 unauthenticated peers before configuration. [RFC5673] requires 364 availability of open and untrusted side channels for new 365 joiners, and it requires strong and automated authentication so 366 that networks can automatically accept or reject new joiners. 368 Access Control 369 Access Control provides protection against unauthorized use of 370 the asset, and deals with the authorization of a node. 372 Confidentiality 373 Confidentiality involves the protection of routing information 374 as well as routing neighbor maintenance exchanges so that only 375 authorized and intended network entities may view or access it. 376 Because LLNs are most commonly found on a publicly accessible 377 shared medium, e.g., air or wiring in a building, and sometimes 378 formed ad hoc, confidentiality also extends to the neighbor 379 state and database information within the routing device since 380 the deployment of the network creates the potential for 381 unauthorized access to the physical devices themselves. 383 Integrity 384 Integrity entails the protection of routing information and 385 routing neighbor maintenance exchanges, as well as derived 386 information maintained in the database, from unauthorized 387 modification, insertions, deletions or replays. to be addressed 388 beyond the routing protocol. 390 Non-repudiation 391 Non-repudiation is the assurance that the transmission and/or 392 reception of a message cannot later be denied. The service of 393 non-repudiation applies after-the-fact and thus relies on the 394 logging or other capture of on-going message exchanges and 395 signatures. Routing protocols typically do not have a notion 396 of repudiation, so non-repudiation services are not required. 397 Further, with the LLN application domains as described in 398 [RFC5867] and [RFC5548], proactive measures are much more 399 critical than retrospective protections. Finally, given the 400 significant practical limits to on-going routing transaction 401 logging and storage and individual device digital signature 402 verification for each exchange, non-repudiation in the context 403 of routing is an unsupportable burden that bears no further 404 considered as an RPL security issue. 406 It is recognized that, besides those security issues captured in the 407 ISO 7498-2 model, availability, is a security requirement: 409 Availability 410 Availability ensures that routing information exchanges and 411 forwarding services need to be available when they are required 412 for the functioning of the serving network. Availability will 413 apply to maintaining efficient and correct operation of routing 414 and neighbor discovery exchanges (including needed information) 415 and forwarding services so as not to impair or limit the 416 network's central traffic flow function 418 It should be emphasized here that for RPL security the above 419 requirements must be complemented by the proper security policies and 420 enforcement mechanisms to ensure that security objectives are met by 421 a given RPL implementation. 423 4.3. Issues Specific to or Amplified in LLNs 425 The requirements work detailed in Urban Requirements ([RFC5548]), 426 Industrial Requirements ([RFC5673]), Home Automation ([RFC5826], and 427 Building Automation ([RFC5867]) have identified specific issues and 428 constraints of routing in LLNs. The following is a list of 429 observations from those requirements and evaluation of their impact 430 on routing security considerations. 432 Limited energy, memory, and processing node resources 433 As a consequence of these constraints, there is an even more 434 critical need than usual for a careful study of trade-offs on 435 which and what level of security services are to be afforded 436 during the system design process. The chosen security 437 mechanisms also needs to work within these constraints. 438 Synchronization of security states with sleepy nodes [RFC7102] 439 is yet another issue. A non-rechargeable battery powered node 440 may well be limited in energy for it's lifetime: once 441 exchausted, it may well never function again. 443 Large scale of rolled out network 444 The possibly numerous nodes to be deployed make manual on-site 445 configuration unlikely. For example, an urban deployment can 446 see several hundreds of thousands of nodes being installed by 447 many installers with a low level of expertise. Nodes may be 448 installed and not activated for many years, and additional 449 nodes may be added later on, which may be from old inventory. 450 The lifetime of the network is measured in decades, and this 451 complicates the operation of key management. 453 Autonomous operations 454 Self-forming and self-organizing are commonly prescribed 455 requirements of LLNs. In other words, a routing protocol 456 designed for LLNs needs to contain elements of ad hoc 457 networking and in most cases cannot rely on manual 458 configuration for initialization or local filtering rules. 459 Network topology/ownership changes, partitioning or merging, as 460 well as node replacement, can all contribute to complicating 461 the operations of key management. 463 Highly directional traffic 464 Some types of LLNs see a high percentage of their total traffic 465 traverse between the nodes and the LLN Border Routers (LBRs) 466 where the LLNs connect to non-LLNs. The special routing status 467 of and the greater volume of traffic near the LBRs have routing 468 security consequences as a higher valued attack target. In 469 fact, when Point-to-MultiPoint (P2MP) and MultiPoint-to-Point 470 (MP2P) traffic represents a majority of the traffic, routing 471 attacks consisting of advertising incorrect preferred routes 472 can cause serious damage. 474 While it might seem that nodes higher up in the acyclic graph 475 (i.e. those with lower rank) should be secured in a stronger 476 fashion, it is not in general easy to predict which nodes will 477 occupy those positions until after deployment. Issues of 478 redundancy and inventory control suggests that any node might 479 wind up in such a sensitive attack position, so all nodes to be 480 capable of being fully secured. 482 In addition, even if it were possible to predict which nodes 483 will occupy positions of lower rank and provision them with 484 stronger security mechanisms, in the absense of a strong 485 authorization model, any node could advertise an incorrect 486 preferred route. 488 Unattended locations and limited physical security 489 Many applications have the nodes deployed in unattended or 490 remote locations; furthermore, the nodes themselves are often 491 built with minimal physical protection. These constraints 492 lower the barrier of accessing the data or security material 493 stored on the nodes through physical means. 495 Support for mobility 496 On the one hand, only a limited number of applications require 497 the support of mobile nodes, e.g., a home LLN that includes 498 nodes on wearable health care devices or an industry LLN that 499 includes nodes on cranes and vehicles. On the other hand, if a 500 routing protocol is indeed used in such applications, it will 501 clearly need to have corresponding security mechanisms. 503 Additionally nodes may appear to move from one side of a wall 504 to another without any actual motion involved, the result of 505 changes to electromagnetic properties, such as opening and 506 closing of a metal door. 508 Support for multicast and anycast 509 Support for multicast and anycast is called out chiefly for 510 large-scale networks. Since application of these routing 511 mechanisms in autonomous operations of many nodes is new, the 512 consequence on security requires careful consideration. 514 The above list considers how an LLN's physical constraints, size, 515 operations, and variety of application areas may impact security. 516 However, it is the combinations of these factors that particularly 517 stress the security concerns. For instance, securing routing for a 518 large number of autonomous devices that are left in unattended 519 locations with limited physical security presents challenges that are 520 not found in the common circumstance of administered networked 521 routers. The following subsection sets up the security objectives 522 for the routing protocol designed by the ROLL WG. 524 4.4. RPL Security Objectives 526 This subsection applies the ISO 7498-2 model to routing assets and 527 access points, taking into account the LLN issues, to develop a set 528 of RPL security objectives. 530 Since the fundamental function of a routing protocol is to build 531 routes for forwarding packets, it is essential to ensure that: 533 o routing/topology information integrity remains intact during 534 transfer and in storage; 536 o routing/topology information is used by authorized entities; 538 o routing/topology information is available when needed. 540 In conjunction, it is necessary to be assured that 542 o authorized peers authenticate themselves during the routing 543 neighbor discovery process; 545 o the routing/topology information received is generated according 546 to the protocol design. 548 However, when trust cannot be fully vested through authentication of 549 the principals alone, i.e., concerns of insider attack, assurance of 550 the truthfulness and timeliness of the received routing/topology 551 information is necessary. With regard to confidentiality, protecting 552 the routing/topology information from unauthorized exposure may be 553 desirable in certain cases but is in itself less pertinent in general 554 to the routing function. 556 One of the main problems of synchronizing security states of sleepy 557 nodes, as listed in the last subsection, lies in difficulties in 558 authentication; these nodes may not have received in time the most 559 recent update of security material. Similarly, the issues of minimal 560 manual configuration, prolonged rollout and delayed addition of 561 nodes, and network topology changes also complicate key management. 563 Hence, routing in LLNs needs to bootstrap the authentication process 564 and allow for flexible expiration scheme of authentication 565 credentials. 567 The vulnerability brought forth by some special-function nodes, e.g., 568 LBRs, requires the assurance, particularly in a security context, 570 o of the availability of communication channels and node resources; 572 o that the neighbor discovery process operates without undermining 573 routing availability. 575 There are other factors which are not part of RPL but directly 576 affecting its function. These factors include weaker barrier of 577 accessing the data or security material stored on the nodes through 578 physical means; therefore, the internal and external interfaces of a 579 node need to be adequate for guarding the integrity, and possibly the 580 confidentiality, of stored information, as well as the integrity of 581 routing and route generation processes. 583 Each individual system's use and environment will dictate how the 584 above objectives are applied, including the choices of security 585 services as well as the strengths of the mechanisms that must be 586 implemented. The next two sections take a closer look at how the RPL 587 security objectives may be compromised and how those potential 588 compromises can be countered. 590 5. Threat Sources 592 [RFC4593] provides a detailed review of the threat sources: outsiders 593 and byzantine. RPL has the same threat sources. 595 6. Threats and Attacks 597 This section outlines general categories of threats under the ISO 598 7498-2 model and highlights the specific attacks in each of these 599 categories for RPL. As defined in [RFC4949], a threat is "a 600 potential for violation of security, which exists when there is a 601 circumstance, capability, action, or event that could breach security 602 and cause harm." 604 An attack is "an assault on system security that derives from an 605 intelligent threat, i.e., an intelligent act that is a deliberate 606 attempt (especially in the sense of a method or technique) to evade 607 security services and violate the security policy of a system." 609 The subsequent subsections consider the threats and the attacks that 610 can cause security breaches under the ISO 7498-2 model to the routing 611 assets and via the routing points of access identified in 612 Section 4.1. The assessment steps through the security concerns of 613 each routing asset and looks at the attacks that can exploit routing 614 points of access. The threats and attacks identified are based on 615 the routing model analysis and associated review of the existing 616 literature. The source of the attacks is assumed to be from either 617 inside or outside attackers. While some attackers inside the network 618 will be using compromised nodes, and therefore are only able to do 619 what an ordinary node can ("node-equivalent"), other attacks may not 620 limited in memory, CPU, power consumption or long term storage. 621 Moore's law favours the attacker with access to the latest 622 capabilities, while the defenders will remain in place for years to 623 decades. 625 6.1. Threats due to failures to Authenticate 627 6.1.1. Node Impersonation 629 If an attacker can join a network using any identity, then it may be 630 able to assume the role of a legitimate (and existing node). It may 631 be able to report false readings (in metering applications), or 632 provide inappropriate control messages (in control systems involving 633 actuators) if the security of the application is implied by the 634 security of the routing system. 636 Even in systems where there application layer security, the ability 637 to impersonate a node would permit an attacker to direct traffic to 638 itself. This may permit various on-path attacks which would 639 otherwise be difficult, such replaying, delaying, or duplicating 640 (application) control messages. 642 6.1.2. Dummy Node 644 If an attacker can join a network using any identify, then it can 645 pretend to be a legitimate node, receiving any service legitimate 646 nodes receive. It may also be able to report false readings (in 647 metering applications), or provide inappropriate authorizations (in 648 control systems involving actuators), or perform any other attacks 649 that are facilitated by being able to direct traffic towards itself. 651 6.1.3. Node Resource Spam 653 If an attacker can join a network with any identify, then it can 654 continously do so with new (random) identities. This act may drain 655 down the resources of the network (battery, RAM, bandwidth). This 656 may cause legitimate nodes of the network to be unable to 657 communicate. 659 6.2. Threats due to failure to keep routing information confidential 661 The assessment in Section 4.2 indicates that there are attacks 662 against the confidentiality of routing information at all points of 663 access. This threat may result in disclosure, as described in 664 Section 3.1.2 of [RFC4593], and may involve a disclosure of routing 665 information. 667 6.2.1. Routing Exchange Exposure 669 Routing exchanges include both routing information as well as 670 information associated with the establishment and maintenance of 671 neighbor state information. As indicated in Section 4.1, the 672 associated routing information assets may also include device 673 specific resource information, such as available memory, remaining 674 power, etc., that may be metrics of the routing protocol. 676 The routing exchanges will contain reachability information, which 677 would identify the relative importance of different nodes in the 678 network. Nodes higher up in the DODAG, to which more streams of 679 information flow, would be more interesting targets for other 680 attacks, and routing exchange exposures can identify them. 682 6.2.2. Routing Information (Routes and Network Topology) Exposure 684 Routes (which may be maintained in the form of the protocol 685 forwarding table) and neighbor topology information are the products 686 of the routing process that are stored within the node device 687 databases. 689 The exposure of this information will allow attackers to gain direct 690 access to the configuration and connectivity of the network thereby 691 exposing routing to targeted attacks on key nodes or links. Since 692 routes and neighbor topology information is stored within the node 693 device, attacks on the confidentiality of the information will apply 694 to the physical device including specified and unspecified internal 695 and external interfaces. 697 The forms of attack that allow unauthorized access or disclosure of 698 the routing information will include: 700 o Physical device compromise; 702 o Remote device access attacks (including those occurring through 703 remote network management or software/field upgrade interfaces). 705 Both of these attack vectors are considered a device specific issue, 706 and are out of scope for RPL to defend against. In some 707 applications, physical device compromise may be a real threat and it 708 may be necessary to provide for other devices to securely detect a 709 compromised device and react quickly to exclude it. 711 6.3. Threats and Attacks on Integrity 713 The assessment in Section 4.2 indicates that information and identity 714 assets are exposed to integrity threats from all points of access. 715 In other words, the integrity threat space is defined by the 716 potential for exploitation introduced by access to assets available 717 through routing exchanges and the on-device storage. 719 6.3.1. Routing Information Manipulation 721 Manipulation of routing information that range from neighbor states 722 to derived routes will allow unauthorized sources to influence the 723 operation and convergence of the routing protocols and ultimately 724 impact the forwarding decisions made in the network. 726 Manipulation of topology and reachability information will allow 727 unauthorized sources to influence the nodes with which routing 728 information is exchanged and updated. The consequence of 729 manipulating routing exchanges can thus lead to sub-optimality and 730 fragmentation or partitioning of the network by restricting the 731 universe of routers with which associations can be established and 732 maintained. 734 A sub-optimal network may use too much power and/or may congest some 735 routes leading to premature failure of a node, and a denial of 736 service on the entire network. 738 In addition, being able to attract network traffic can make a 739 blackhole attack more damaging. 741 The forms of attack that allow manipulation to compromise the content 742 and validity of routing information include 744 o Falsification, including overclaiming and misclaiming (claiming 745 routes to devices which the device can not in fact reach); 747 o Routing information replay; 749 o Byzantine (internal) attacks that permit corruption of routing 750 information in the node even where the node continues to be a 751 validated entity within the network (see, for example, [RFC4593] 752 for further discussions on Byzantine attacks); 754 o Physical device compromise or remote device access attacks. 756 6.3.2. Node Identity Misappropriation 758 Falsification or misappropriation of node identity between routing 759 participants opens the door for other attacks; it can also cause 760 incorrect routing relationships to form and/or topologies to emerge. 761 Routing attacks may also be mounted through less sophisticated node 762 identity misappropriation in which the valid information broadcast or 763 exchanged by a node is replayed without modification. The receipt of 764 seemingly valid information that is however no longer current can 765 result in routing disruption, and instability (including failure to 766 converge). Without measures to authenticate the routing participants 767 and to ensure the freshness and validity of the received information 768 the protocol operation can be compromised. The forms of attack that 769 misuse node identity include 771 o Identity attacks, including Sybil attacks (see [Sybil2002]) in 772 which a malicious node illegitimately assumes multiple identities; 774 o Routing information replay. 776 6.4. Threats and Attacks on Availability 778 The assessment in Section 4.2 indicates that the process and 779 resources assets are exposed to threats against availability; attacks 780 in this category may exploit directly or indirectly information 781 exchange or forwarding (see [RFC4732] for a general discussion). 783 6.4.1. Routing Exchange Interference or Disruption 785 Interference is the threat action and disruption is threat 786 consequence that allows attackers to influence the operation and 787 convergence of the routing protocols by impeding the routing 788 information exchange. 790 The forms of attack that allow interference or disruption of routing 791 exchange include: 793 o Routing information replay; 795 o ACK spoofing; 797 o Overload attacks. (Section 7.3.2) 799 In addition, attacks may also be directly conducted at the physical 800 layer in the form of jamming or interfering. 802 6.4.2. Network Traffic Forwarding Disruption 803 The disruption of the network traffic forwarding capability will 804 undermine the central function of network routers and the ability to 805 handle user traffic. This affects the availability of the network 806 because of the potential to impair the primary capability of the 807 network. 809 In addition to physical layer obstructions, the forms of attack that 810 allows disruption of network traffic forwarding include [Karlof2003] 812 o Selective forwarding attacks; 814 |Node_1|--(msg1|msg2|msg3)-->|Attacker|--(msg1|msg3)-->|Node_2| 816 Figure 2: Selective forwarding example 818 o Wormhole attacks; 820 |Node_1|-------------Unreachable---------x|Node_2| 821 | ^ 822 | Private Link | 823 '-->|Attacker_1|===========>|Attacker_2|--' 825 Figure 3: Wormhole Attacks 827 o Sinkhole attacks. 829 |Node_1| |Node_4| 830 | | 831 `--------. | 832 Falsify as \ | 833 Good Link \ | | 834 To Node_5 \ | | 835 \ V V 836 |Node_2|-->|Attacker|--Not Forwarded---x|Node_5| 837 ^ ^ \ 838 | | \ Falsify as 839 | | \Good Link 840 / | To Node_5 841 ,-------' | 842 | | 843 |Node_3| |Node_i| 845 Figure 4: sinkhole attack example 847 These attacks are generally done to both control plane and forwarding 848 plane traffic. A system that prevents control plane traffic (RPL 849 messages) from being diverted in these ways will also prevent actual 850 data from being diverted. 852 6.4.3. Communications Resource Disruption 854 Attacks mounted against the communication channel resource assets 855 needed by the routing protocol can be used as a means of disrupting 856 its operation. However, while various forms of Denial of Service 857 (DoS) attacks on the underlying transport subsystem will affect 858 routing protocol exchanges and operation (for example physical layer 859 RF jamming in a wireless network or link layer attacks), these 860 attacks cannot be countered by the routing protocol. As such, the 861 threats to the underlying transport network that supports routing is 862 considered beyond the scope of the current document. Nonetheless, 863 attacks on the subsystem will affect routing operation and so must be 864 directly addressed within the underlying subsystem and its 865 implemented protocol layers. 867 6.4.4. Node Resource Exhaustion 869 A potential threat consequence can arise from attempts to overload 870 the node resource asset by initiating exchanges that can lead to the 871 exhaustion of processing, memory, or energy resources. The 872 establishment and maintenance of routing neighbors opens the routing 873 process to engagement and potential acceptance of multiple 874 neighboring peers. Association information must be stored for each 875 peer entity and for the wireless network operation provisions made to 876 periodically update and reassess the associations. An introduced 877 proliferation of apparent routing peers can therefore have a negative 878 impact on node resources. 880 Node resources may also be unduly consumed by attackers attempting 881 uncontrolled topology peering or routing exchanges, routing replays, 882 or the generating of other data traffic floods. Beyond the 883 disruption of communications channel resources, these consequences 884 may be able to exhaust node resources only where the engagements are 885 able to proceed with the peer routing entities. Routing operation 886 and network forwarding functions can thus be adversely impacted by 887 node resources exhaustion that stems from attacks that include: 889 o Identity (including Sybil) attacks (see [Sybil2002]); 891 o Routing information replay attacks; 893 o HELLO-type flood attacks; 895 o Overload attacks. (Section 7.3.2) 897 7. Countermeasures 899 By recognizing the characteristics of LLNs that may impact routing, 900 this analysis provides the basis for understanding the capabilities 901 within RPL used to deter the identified attacks and mitigate the 902 threats. The following subsections consider such countermeasures by 903 grouping the attacks according to the classification of the ISO 904 7498-2 model so that associations with the necessary security 905 services are more readily visible. 907 7.1. Confidentiality Attack Countermeasures 909 Attacks to disclosure routing information may be mounted at the level 910 of the routing information assets, at the points of access associated 911 with routing exchanges between nodes, or through device interface 912 access. To gain access to routing/topology information, the attacker 913 may rely on a compromised node that deliberately exposes the 914 information during the routing exchange process, may rely on passive 915 wiretapping or traffic analysis, or may attempt access through a 916 component or device interface of a tampered routing node. 918 7.1.1. Countering Deliberate Exposure Attacks 920 A deliberate exposure attack is one in which an entity that is party 921 to the routing process or topology exchange allows the routing/ 922 topology information or generated route information to be exposed to 923 an unauthorized entity. 925 For instance, due to mis-configuration or inappropriate enabling of a 926 diagnostic interface, an entity might be copying ("bridging") traffic 927 from a secured ESSID/PAN to an unsecured interface. 929 A prerequisite to countering this attack is to ensure that the 930 communicating nodes are authenticated prior to data encryption 931 applied in the routing exchange. The authentication ensures the LLN 932 starts with trusted nodes, but it does not provide an indication of 933 whether the node has been compromised. 935 Reputation systems could be be used to help when some nodes may sleep 936 for extended periods of times. It is also unclear if resulting 937 dataset would even fit into constrained devices. 939 To mitigate the risk of deliberate exposure, the process that 940 communicating nodes use to establish session keys must be peer-to- 941 peer (i.e., between the routing initiating and responding nodes). As 942 is pointed out in [RFC4107], automatic key management is critical for 943 good security. This helps ensure that neither node is exchanging 944 routing information with another peer without the knowledge of both 945 communicating peers. For a deliberate exposure attack to succeed, 946 the comprised node will need to be more overt and take independent 947 actions in order to disclose the routing information to 3rd party. 949 Note that the same measures which apply to securing routing/topology 950 exchanges between operational nodes must also extend to field tools 951 and other devices used in a deployed network where such devices can 952 be configured to participate in routing exchanges. 954 7.1.2. Countering Passive Wiretapping Attacks 956 A passive wiretap attack seeks to breach routing confidentiality 957 through passive, direct analysis and processing of the information 958 exchanges between nodes. 960 Passive wiretap attacks can be directly countered through the use of 961 data encryption for all routing exchanges. Only when a validated and 962 authenticated node association is completed will routing exchange be 963 allowed to proceed using established session keys and an agreed 964 encryption algorithm. The mandatory to implement CCM mode AES-128 965 method, is described in [RFC3610], and is believed to be secure 966 against a brute force attack by even the most well-equipped 967 adversary. 969 The significant challenge for RPL is in the provisioning of the key, 970 which in some modes of RFC6550 is used network-wide. RFC6550 does 971 not solve this problem, and it is the subject of significant future 972 work: see, for instance: [AceCharterProposal], [SolaceProposal], 973 [SmartObjectSecurityWorkshop]. 975 A number of deployments, such as [ZigBeeIP] specify no layer-3/RPL 976 encryption or authentication and rely upon similiar security at 977 layer-2. These networks are immune to outside wiretapping attacks, 978 but are vulnerable to passive (and active) routing attacks through 979 compromises of nodes. (see Section 8.2). 981 Section 10.9 of [RFC6550] specifies AES-128 in CCM mode with a 32-bit 982 MAC. 984 Section 5.6 Zigbee IP [ZigBeeIP] specifies use of CCM, with PANA and 985 EAP-TLS for key management. 987 7.1.3. Countering Traffic Analysis 989 Traffic analysis provides an indirect means of subverting 990 confidentiality and gaining access to routing information by allowing 991 an attacker to indirectly map the connectivity or flow patterns 992 (including link-load) of the network from which other attacks can be 993 mounted. The traffic analysis attack on an LLN, especially one 994 founded on shared medium, is passive and relies on the ability to 995 read the immutable source/destination layer-2 and/or layer-3 routing 996 information that must remain unencrypted to permit network routing. 998 One way in which passive traffic analysis attacks can be muted is 999 through the support of load balancing that allows traffic to a given 1000 destination to be sent along diverse routing paths. RPL does not 1001 generally support multi-path routing within a single DODAG. Multiple 1002 DODAGs are supported in the protocol, and an implementation could 1003 make use of that. RPL does not have any inherent or standard way to 1004 guarantee that the different DODAGs would have significantly diverse 1005 paths. Having the diverse DODAGs routed at different border routers 1006 might work in some instances, and this could be combined with a 1007 multipath technology like MPTCP ([RFC6824]. It is unlikely that it 1008 will be affordable in many LLNs, as few deployments will have memory 1009 space for more than a few sets of DODAG tables. 1011 Another approach to countering passive traffic analysis could be for 1012 nodes to maintain constant amount of traffic to different 1013 destinations through the generation of arbitrary traffic flows; the 1014 drawback of course would be the consequent overhead and energy 1015 expenditure. 1017 The only means of fully countering a traffic analysis attack is 1018 through the use of tunneling (encapsulation) where encryption is 1019 applied across the entirety of the original packet source/destination 1020 addresses. Deployments which use layer-2 security that includes 1021 encryption already do this for all traffic. 1023 7.1.4. Countering Remote Device Access Attacks 1025 Where LLN nodes are deployed in the field, measures are introduced to 1026 allow for remote retrieval of routing data and for software or field 1027 upgrades. These paths create the potential for a device to be 1028 remotely accessed across the network or through a provided field 1029 tool. In the case of network management a node can be directly 1030 requested to provide routing tables and neighbor information. 1032 To ensure confidentiality of the node routing information against 1033 attacks through remote access, any local or remote device requesting 1034 routing information must be authenticated, and must be authorized for 1035 that access. Since remote access is not invoked as part of a routing 1036 protocol, security of routing information stored on the node against 1037 remote access will not be addressable as part of the routing 1038 protocol. 1040 7.2. Integrity Attack Countermeasures 1042 Integrity attack countermeasures address routing information 1043 manipulation, as well as node identity and routing information 1044 misuse. Manipulation can occur in the form of falsification attack 1045 and physical compromise. To be effective, the following development 1046 considers the two aspects of falsification, namely, the unauthorized 1047 modifications and the overclaiming and misclaiming content. The 1048 countering of physical compromise was considered in the previous 1049 section and is not repeated here. With regard to misuse, there are 1050 two types of attacks to be deterred, identity attacks and replay 1051 attacks. 1053 7.2.1. Countering Unauthorized Modification Attacks 1055 Unauthorized modifications may occur in the form of altering the 1056 message being transferred or the data stored. Therefore, it is 1057 necessary to ensure that only authorized nodes can change the portion 1058 of the information that is allowed to be mutable, while the integrity 1059 of the rest of the information is protected, e.g., through well- 1060 studied cryptographic mechanisms. 1062 Unauthorized modifications may also occur in the form of insertion or 1063 deletion of messages during protocol changes. Therefore, the 1064 protocol needs to ensure the integrity of the sequence of the 1065 exchange sequence. 1067 The countermeasure to unauthorized modifications needs to: 1069 o implement access control on storage; 1071 o provide data integrity service to transferred messages and stored 1072 data; 1074 o include sequence number under integrity protection. 1076 7.2.2. Countering Overclaiming and Misclaiming Attacks 1078 Both overclaiming and misclaiming aim to introduce false routes or a 1079 false topology that would not occur otherwise, while there are not 1080 necessarily unauthorized modifications to the routing messages or 1081 information. In order to counter overclaiming, the capability to 1082 determine unreasonable routes or topology is required. 1084 The counter to overclaiming and misclaiming may employ: 1086 o comparison with historical routing/topology data; 1088 o designs which restrict realizable network topologies. 1090 RPL includes no specific mechanisms in the protocol to counter 1091 overclaims or misclaims. An implementation could have specific 1092 heuristics implemented locally. 1094 7.2.3. Countering Identity (including Sybil) Attacks 1096 Identity attacks, sometimes simply called spoofing, seek to gain or 1097 damage assets whose access is controlled through identity. In 1098 routing, an identity attacker can illegitimately participate in 1099 routing exchanges, distribute false routing information, or cause an 1100 invalid outcome of a routing process. 1102 A perpetrator of Sybil attacks assumes multiple identities. The 1103 result is not only an amplification of the damage to routing, but 1104 extension to new areas, e.g., where geographic distribution is 1105 explicitly or implicitly an asset to an application running on the 1106 LLN, for example, the LBR in a P2MP or MP2P LLN. 1108 RPL includes specific public key based authentication at layer-3 that 1109 provide for authorization. Many deployments use layer-2 security 1110 that includes admission controls at layer-2 using mechanisms such as 1111 PANA. 1113 7.2.4. Countering Routing Information Replay Attacks 1115 In many routing protocols, message replay can result in false 1116 topology and/or routes. This is often counted with some kind of 1117 counter to ensure the freshness of the message. Replay of a current, 1118 literal RPL message are in general idempotent to the topology. An 1119 older (lower DODAGVersionNumber) message, if replayed would be 1120 rejected as being stale. The trickle algorithm further dampens the 1121 effect of any such replay, as if the message was current, then it 1122 would contain the same information as before, and it would cause no 1123 network changes. 1125 Replays may well occur in some radio technologies (not very likely, 1126 802.15.4) as a result of echos or reflections, and so some replays 1127 must be assumed to occur naturally. 1129 Note that for there to be no affect at all, the replay must be done 1130 with the same apparent power for all nodes receiving the replay. A 1131 change in apparent power might change the metrics through changes to 1132 the ETX and therefore might affect the routing even though the 1133 contents of the packet were never changed. Any replay which appears 1134 to be different should be analyzed as a Selective Forwarding Attack, 1135 Sinkhole Attack or Wormhole Attack. 1137 7.2.5. Countering Byzantine Routing Information Attacks 1139 Where a node is captured or compromised but continues to operate for 1140 a period with valid network security credentials, the potential 1141 exists for routing information to be manipulated. This compromise of 1142 the routing information could thus exist in spite of security 1143 countermeasures that operate between the peer routing devices. 1145 Consistent with the end-to-end principle of communications, such an 1146 attack can only be fully addressed through measures operating 1147 directly between the routing entities themselves or by means of 1148 external entities able to access and independently analyze the 1149 routing information. Verification of the authenticity and liveliness 1150 of the routing entities can therefore only provide a limited counter 1151 against internal (Byzantine) node attacks. 1153 For link state routing protocols where information is flooded with, 1154 for example, areas (OSPF [RFC2328]) or levels (ISIS [RFC7142]), 1155 countermeasures can be directly applied by the routing entities 1156 through the processing and comparison of link state information 1157 received from different peers. By comparing the link information 1158 from multiple sources decisions can be made by a routing node or 1159 external entity with regard to routing information validity; see 1160 Chapter 2 of [Perlman1988] for a discussion on flooding attacks. 1162 For distance vector protocols, such as RPL, where information is 1163 aggregated at each routing node it is not possible for nodes to 1164 directly detect Byzantine information manipulation attacks from the 1165 routing information exchange. In such cases, the routing protocol 1166 must include and support indirect communications exchanges between 1167 non-adjacent routing peers to provide a secondary channel for 1168 performing routing information validation. S-RIP [Wan2004] is an 1169 example of the implementation of this type of dedicated routing 1170 protocol security where the correctness of aggregate distance vector 1171 information can only be validated by initiating confirmation 1172 exchanges directly between nodes that are not routing neighbors. 1174 RPL does not provide any direct mechanisms like S-RIP. It does 1175 listen to multiple parents, and may switch parents if it begins to 1176 suspect that it is being lied to. 1178 7.3. Availability Attack Countermeasures 1180 As alluded to before, availability requires that routing information 1181 exchanges and forwarding mechanisms be available when needed so as to 1182 guarantee proper functioning of the network. This may, e.g., include 1183 the correct operation of routing information and neighbor state 1184 information exchanges, among others. We will highlight the key 1185 features of the security threats along with typical countermeasures 1186 to prevent or at least mitigate them. We will also note that an 1187 availability attack may be facilitated by an identity attack as well 1188 as a replay attack, as was addressed in Section 7.2.3 and 1189 Section 7.2.4, respectively. 1191 7.3.1. Countering HELLO Flood Attacks and ACK Spoofing Attacks 1193 HELLO Flood [Karlof2003],[I-D.suhopark-hello-wsn] and ACK Spoofing 1194 attacks are different but highly related forms of attacking an LLN. 1195 They essentially lead nodes to believe that suitable routes are 1196 available even though they are not and hence constitute a serious 1197 availability attack. 1199 A HELLO attack mounted against RPL would involve sending out (or 1200 replaying) DIO messages by the attacker. Lower power LLN nodes might 1201 then attempt to join the DODAG at a lower rank than they would 1202 otherwise. 1204 The most effective method from [I-D.suhopark-hello-wsn] is the verify 1205 bidirectionality. A number of layer-2 links are arranged in 1206 controller/spoke arrangements, and continuously are validating 1207 connectivity at layer 2. 1209 In addition, in order to calculate metrics, the ETX must be computed, 1210 and this involves, in general, sending a number of messages between 1211 nodes which are believed to be adjacent. 1212 [I-D.kelsey-intarea-mesh-link-establishment] is one such protocol. 1214 In order to join the DODAG, a DAO message is sent upwards. In RPL 1215 the DAO is acknowledged by the DAO-ACK message. This clearly checks 1216 bidirectionality at the control plane. 1218 As discussed in section 5.1, [I-D.suhopark-hello-wsn] a receiver with 1219 a sensitive receiver could well hear the DAOs, and even send DAO-ACKs 1220 as well. Such a node is a form of wormhole attack. 1222 These attacks are also all easily defended against using either 1223 layer-2 or layer-3 authentication. Such an attack could only be made 1224 against a completely open network (such as might be used for 1225 provisioning new nodes), or by a compromised node. 1227 7.3.2. Countering Overload Attacks 1229 Overload attacks are a form of DoS attack in that a malicious node 1230 overloads the network with irrelevant traffic, thereby draining the 1231 nodes' energy store more quickly, when the nodes rely on batteries or 1232 energy scavenging. It thus significantly shortens the lifetime of 1233 networks of energy-constrained nodes and constitutes another serious 1234 availability attack. 1236 With energy being one of the most precious assets of LLNs, targeting 1237 its availability is a fairly obvious attack. Another way of 1238 depleting the energy of an LLN node is to have the malicious node 1239 overload the network with irrelevant traffic. This impacts 1240 availability since certain routes get congested which: 1242 o renders them useless for affected nodes and data can hence not be 1243 delivered; 1245 o makes routes longer as shortest path algorithms work with the 1246 congested network; 1248 o depletes battery and energy scavenging nodes more quickly and thus 1249 shortens the network's availability at large. 1251 Overload attacks can be countered by deploying a series of mutually 1252 non-exclusive security measures: 1254 o introduce quotas on the traffic rate each node is allowed to send; 1256 o isolate nodes which send traffic above a certain threshold based 1257 on system operation characteristics; 1259 o allow only trusted data to be received and forwarded. 1261 As for the first one, a simple approach to minimize the harmful 1262 impact of an overload attack is to introduce traffic quotas. This 1263 prevents a malicious node from injecting a large amount of traffic 1264 into the network, even though it does not prevent said node from 1265 injecting irrelevant traffic at all. Another method is to isolate 1266 nodes from the network at the network layer once it has been detected 1267 that more traffic is injected into the network than allowed by a 1268 prior set or dynamically adjusted threshold. Finally, if 1269 communication is sufficiently secured, only trusted nodes can receive 1270 and forward traffic which also lowers the risk of an overload attack. 1272 Receiving nodes that validate signatures and sending nodes that 1273 encrypt messages need to be cautious of cryptographic processing 1274 usage when validating signatures and encrypting messages. Where 1275 feasible, certificates should be validated prior to use of the 1276 associated keys to counter potential resource overloading attacks. 1277 The associated design decision needs to also consider that the 1278 validation process requires resources and thus itself could be 1279 exploited for attacks. Alternatively, resource management limits can 1280 be placed on routing security processing events (see the comment in 1281 Section 6, paragraph 4, of [RFC5751]). 1283 7.3.3. Countering Selective Forwarding Attacks 1285 Selective forwarding attacks are a form of DoS attack which impacts 1286 the availability of the generated routing paths. 1288 A selective forwarding attack may be done by a node involved with the 1289 routing process, or it may be done by what otherwise appears to be a 1290 passive antenna or other RF feature or device, but is in fact an 1291 active (and selective) device. An RF antenna/repeater which is not 1292 selective, is not a threat. 1294 An insider malicious node basically blends neatly in with the network 1295 but then may decide to forward and/or manipulate certain packets. If 1296 all packets are dropped, then this attacker is also often referred to 1297 as a "black hole". Such a form of attack is particularly dangerous 1298 if coupled with sinkhole attacks since inherently a large amount of 1299 traffic is attracted to the malicious node and thereby causing 1300 significant damage. In a shared medium, an outside malicious node 1301 would selectively jam overheard data flows, where the thus caused 1302 collisions incur selective forwarding. 1304 Selective Forwarding attacks can be countered by deploying a series 1305 of mutually non-exclusive security measures: 1307 o multipath routing of the same message over disjoint paths; 1309 o dynamically selecting the next hop from a set of candidates. 1311 The first measure basically guarantees that if a message gets lost on 1312 a particular routing path due to a malicious selective forwarding 1313 attack, there will be another route which successfully delivers the 1314 data. Such a method is inherently suboptimal from an energy 1315 consumption point of view; it is also suboptimal from a network 1316 utilization perspective. The second method basically involves a 1317 constantly changing routing topology in that next-hop routers are 1318 chosen from a dynamic set in the hope that the number of malicious 1319 nodes in this set is negligible. A routing protocol that allows for 1320 disjoint routing paths may also be useful. 1322 7.3.4. Countering Sinkhole Attacks 1324 In sinkhole attacks, the malicious node manages to attract a lot of 1325 traffic mainly by advertising the availability of high-quality links 1326 even though there are none [Karlof2003]. It hence constitutes a 1327 serious attack on availability. 1329 The malicious node creates a sinkhole by attracting a large amount 1330 of, if not all, traffic from surrounding neighbors by advertising in 1331 and outwards links of superior quality. Affected nodes hence eagerly 1332 route their traffic via the malicious node which, if coupled with 1333 other attacks such as selective forwarding, may lead to serious 1334 availability and security breaches. Such an attack can only be 1335 executed by an inside malicious node and is generally very difficult 1336 to detect. An ongoing attack has a profound impact on the network 1337 topology and essentially becomes a problem of flow control. 1339 Sinkhole attacks can be countered by deploying a series of mutually 1340 non-exclusive security measures: 1342 o use geographical insights for flow control; 1344 o isolate nodes which receive traffic above a certain threshold; 1346 o dynamically pick up next hop from set of candidates; 1348 o allow only trusted data to be received and forwarded. 1350 A canary node could periodically call home (using a cryptographic 1351 process), with the home system noting if it fails to call in. This 1352 provides detection of a problem, but does not mitigate it, and it may 1353 have significant energy consequences for the LLN. 1355 Some LLNs may provide for geolocation services, often derived from 1356 solving triangulation equations from radio delay calculations, such 1357 calculations could in theory be subverted by a sinkhole that 1358 transmitted at precisely the right power in a node to node fashion. 1360 While geographic knowledge could help assure that traffic always went 1361 in the physical direction desired, it would not assure that the 1362 traffic was taking the most efficient route, as the lowest cost real 1363 route might be match the physical topology; such as when different 1364 parts of an LLN are connected by high-speed wired networks. 1366 7.3.5. Countering Wormhole Attacks 1368 In wormhole attacks at least two malicious nodes claim to have a 1369 short path between themselves [Karlof2003]. This changes the 1370 availability of certain routing paths and hence constitutes a serious 1371 security breach. 1373 Essentially, two malicious insider nodes use another, more powerful, 1374 transmitter to communicate with each other and thereby distort the 1375 would-be-agreed routing path. This distortion could involve 1376 shortcutting and hence paralyzing a large part of the network; it 1377 could also involve tunneling the information to another region of the 1378 network where there are, e.g., more malicious nodes available to aid 1379 the intrusion or where messages are replayed, etc. 1381 In conjunction with selective forwarding, wormhole attacks can create 1382 race conditions which impact topology maintenance, routing protocols 1383 as well as any security suits built on "time of check" and "time of 1384 use". 1386 A pure wormhole attack is nearly impossible to detect. A wormhole 1387 which is used in order to subsequently mount another kind of attack 1388 would be defeated by defeating the other attack. A perfect wormhole, 1389 in which there is nothing adverse that occurs to the traffic, would 1390 be difficult to call an attack. The worst thing that a benign 1391 wormhole can do in such a situation is to cease to operate (become 1392 unstable), causing the network to have to recalculate routes. 1394 A highly unstable wormhole is no different than a radio opaque (i.e. 1395 metal) door that opens and closes a lot. RPL includes hysteresis in 1396 its objective functions [RFC6719] in an attempt to deal with frequent 1397 changes to the ETX between nodes. 1399 8. RPL Security Features 1401 The assessments and analysis in Section 6 examined all areas of 1402 threats and attacks that could impact routing, and the 1403 countermeasures presented in Section 7 were reached without confining 1404 the consideration to means only available to routing. This section 1405 puts the results into perspective; dealing with those threats which 1406 are endemic to this field, those which have been mitigated through 1407 RPL protocol design, and those which require specific decisions to be 1408 made as part of provisioning a network. 1410 The first part of this section, Section 8.1 to Section 8.3, is a 1411 description of RPL security features that address specific threats. 1412 The second part of this section, Section 8.4, discusses issues of 1413 provisioning of security aspects that may impact routing but that 1414 also require considerations beyond the routing protocol, as well as 1415 potential approaches. 1417 RPL employs multicast and so these alternative communications modes 1418 MUST be secured with the same routing security services specified in 1419 this section. Furthermore, irrespective of the modes of 1420 communication, nodes MUST provide adequate physical tamper resistance 1421 commensurate with the particular application domain environment to 1422 ensure the confidentiality, integrity, and availability of stored 1423 routing information. 1425 8.1. Confidentiality Features 1427 With regard to confidentiality, protecting the routing/topology 1428 information from unauthorized disclosure is not directly essential to 1429 maintaining the routing function. Breaches of confidentiality may 1430 lead to other attacks or the focusing of an attacker's resources (see 1431 Section 6.2) but does not of itself directly undermine the operation 1432 of the routing function. However, to protect against, and reduce 1433 consequences from other more direct attacks, routing information 1434 should be protected. Thus, to secure RPL: 1436 o implement payload encryption using layer-3 mechanisms described in 1437 [RFC6550]; 1439 o or: implement layer-2 confidentiality; 1441 Where confidentiality is incorporated into the routing exchanges, 1442 encryption algorithms and key lengths need to be specified in 1443 accordance with the level of protection dictated by the routing 1444 protocol and the associated application domain transport network. 1445 For most networks, this means use of AES128 in CCM mode, but this 1446 needs to be specified clearly in the applicability statement. 1448 In terms of the life time of the keys, the opportunity to 1449 periodically change the encryption key increases the offered level of 1450 security for any given implementation. However, where strong 1451 cryptography is employed, physical, procedural, and logical data 1452 access protection considerations may have more significant impact on 1453 cryptoperiod selection than algorithm and key size factors. 1454 Nevertheless, in general, shorter cryptoperiods, during which a 1455 single key is applied, will enhance security. 1457 Given the mandatory protocol requirement to implement routing node 1458 authentication as part of routing integrity (see Section 8.2), key 1459 exchanges may be coordinated as part of the integrity verification 1460 process. This provides an opportunity to increase the frequency of 1461 key exchange and shorten the cryptoperiod as a complement to the key 1462 length and encryption algorithm required for a given application 1463 domain. 1465 8.2. Integrity Features 1467 The integrity of routing information provides the basis for ensuring 1468 that the function of the routing protocol is achieved and maintained. 1469 To protect integrity, RPL must either run using only the Secure 1470 versions of the messages, or must run over a layer-2 that uses 1471 channel binding between node identity and transmissions. 1473 Some layer-2 security mechanisms use a single key for the entire 1474 network, and these networks can not provide significant amount of 1475 integrity protection, as any node that has that key may impersonate 1476 any other node. This mode of operation is likely acceptable when an 1477 entire deployment is under the control of a single administrative 1478 entity. 1480 Other layer-2 security mechanisms form a unique session key for every 1481 pair of nodes that needs to communicate; this is often called a per- 1482 link key. Such networks can provide a strong degree of origin 1483 authentication and integrity on unicast messages. 1485 However, some RPL messages are broadcast, and even when per-node 1486 layer-2 security mechanisms are used, the integrity and origin 1487 authentication of broadcast messages can not be as trusted due to the 1488 proliferation of the key used to secure them. 1490 RPL has two specific options which are broadcast in RPL Control 1491 Messages: the DODAG Information Object (DIO), and the DODAG 1492 Information Solicitation (DIS). The purpose of the DIS is to cause 1493 potential parents to reply with a DIO, so the integrity of the DIS is 1494 not of great concern. The DIS may also be unicast. 1496 The DIO is a critical piece of routing and carries many critical 1497 parameters. RPL provides for asymmetric authentication at layer 3 of 1498 the RPL Control Message carrying the DIO and this may be warranted in 1499 some deployments. A node could, if it felt that the DIO that it had 1500 received was suspicious, send a unicast DIS message to the node in 1501 question, and that node would reply with a unicast DIS. Those 1502 messages could be protected with the per-link key. 1504 8.3. Availability Features 1506 Availability of routing information is linked to system and network 1507 availability which in the case of LLNs require a broader security 1508 view beyond the requirements of the routing entities. Where 1509 availability of the network is compromised, routing information 1510 availability will be accordingly affected. However, to specifically 1511 assist in protecting routing availability, nodes: 1513 o MAY restrict neighborhood cardinality; 1515 o MAY use multiple paths; 1517 o MAY use multiple destinations; 1519 o MAY choose randomly if multiple paths are available; 1521 o MAY set quotas to limit transmit or receive volume; 1523 o MAY use geographic information for flow control. 1525 8.4. Key Management 1527 The functioning of the routing security services requires keys and 1528 credentials. Therefore, even though not directly a RPL security 1529 requirement, an LLN MUST have a process for initial key and 1530 credential configuration, as well as secure storage within the 1531 associated devices. Anti-tampering SHOULD be a consideration in 1532 physical design. Beyond initial credential configuration, an LLN is 1533 also encouraged to have automatic procedures for the revocation and 1534 replacement of the maintained security credentials. 1536 While RPL has secure modes, but some modes are impractical without 1537 use of public key cryptography believed to be too expensive by many. 1538 RPL layer-3 security will often depend upon existing LLN layer-2 1539 security mechanisms, which provides for node authentication, but 1540 little in the way of node authorization. 1542 9. IANA Considerations 1544 This memo includes no request to IANA. 1546 10. Security Considerations 1548 The analysis presented in this document provides security analysis 1549 and design guidelines with a scope limited to RPL. Security services 1550 are identified as requirements for securing RPL. The specific 1551 mechanisms to be used to deal with each threat is specified in link- 1552 layer and deployment specific applicability statements. 1554 11. Acknowledgments 1556 The authors would like to acknowledge the review and comments from 1557 Rene Struik and JP Vasseur. The authors would also like to 1558 acknowledge the guidance and input provided by the RPL Chairs, David 1559 Culler, and JP Vasseur, and the Area Director Adrian Farrel. 1561 This document started out as a combined threat and solutions 1562 document. As a result of a series of security reviews performed by 1563 Steve Kent, the document was split up by RPL co-Chair Michael 1564 Richardson and security Area Director Sean Turner as it went through 1565 the IETF publication process. The solutions to the threats are 1566 application and layer-2 specific, and have therefore been moved to 1567 the relevant applicability statements. 1569 Ines Robles and Robert Cragie kept track of the many issues that were 1570 raised during the development of this document 1572 12. References 1574 12.1. Normative References 1576 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 1577 Requirement Levels", BCP 14, RFC 2119, March 1997. 1579 [RFC4107] Bellovin, S. and R. Housley, "Guidelines for Cryptographic 1580 Key Management", BCP 107, RFC 4107, June 2005. 1582 [RFC6550] Winter, T., Thubert, P., Brandt, A., Hui, J., Kelsey, R., 1583 Levis, P., Pister, K., Struik, R., Vasseur, JP., and R. 1585 Alexander, "RPL: IPv6 Routing Protocol for Low-Power and 1586 Lossy Networks", RFC 6550, March 2012. 1588 [RFC6719] Gnawali, O. and P. Levis, "The Minimum Rank with 1589 Hysteresis Objective Function", RFC 6719, September 2012. 1591 [RFC7102] Vasseur, JP., "Terms Used in Routing for Low-Power and 1592 Lossy Networks", RFC 7102, January 2014. 1594 [ZigBeeIP] 1595 ZigBee Public Document 15-002r00, "ZigBee IP 1596 Specification", 2013. 1598 12.2. Informative References 1600 [AceCharterProposal] 1601 Li, Kepeng., Ed., "Authentication and Authorization for 1602 Constrained Environment Charter (work-in-progress)", 1603 December 2013, . 1606 [I-D.gilger-smart-object-security-workshop] 1607 Gilger, J. and H. Tschofenig, "Report from the 'Smart 1608 Object Security Workshop', March 23, 2012, Paris, France", 1609 draft-gilger-smart-object-security-workshop-02 (work in 1610 progress), October 2013. 1612 [I-D.kelsey-intarea-mesh-link-establishment] 1613 Kelsey, R., "Mesh Link Establishment", draft-kelsey- 1614 intarea-mesh-link-establishment-05 (work in progress), 1615 February 2013. 1617 [I-D.suhopark-hello-wsn] 1618 Park, S., "Routing Security in Sensor Network: HELLO Flood 1619 Attack and Defense", draft-suhopark-hello-wsn-00 (work in 1620 progress), December 2005. 1622 [IEEE.802.11] 1623 , "Draft Standard for Information Technology - 1624 Telecommunications and information exchange between 1625 systems - Local and metropolitan area networks Specific 1626 requirements - Part 11: Wireless LAN Medium Access Control 1627 (MAC) and Physical Layer (PHY) specifications ", IEEE 1628 802.11-REVma, 2006. 1630 [IEEE.802.15.4] 1631 , "Information technology - Telecommunications and 1632 information exchange between systems - Local and 1633 metropolitan area networks - Specific requirements - Part 1634 15.4: Wireless Medium Access Control (MAC) and Physical 1635 Layer (PHY) Specifications for Low Rate Wireless Personal 1636 Area Networks (LR-WPANs) ", IEEE Std 802.15.4-2006, June 1637 2006, . 1639 [ISO.7498-2.1988] 1640 International Organization for Standardization, 1641 "Information Processing Systems - Open Systems 1642 Interconnection Reference Model - Security Architecture", 1643 ISO Standard 7498-2, 1988. 1645 [Karlof2003] 1646 Karlof, C. and D. Wagner, "Secure routing in wireless 1647 sensor networks: attacks and countermeasures", Elsevier 1648 AdHoc Networks Journal, Special Issue on Sensor Network 1649 Applications and Protocols, 1(2):293-315, September 2003, 1650 . 1653 [Myagmar2005] 1654 Myagmar, S., Lee, AJ., and W. Yurcik, "Threat Modeling as 1655 a Basis for Security Requirements", in Proceedings of the 1656 Symposium on Requirements Engineering for Information 1657 Security (SREIS'05), Paris, France, pp. 94-102, Aug 29, 1658 2005. 1660 [Perlman1988] 1661 Perlman, N., "Network Layer Protocols with Byzantine 1662 Robustness", MIT LCS Tech Report, 429, 1988. 1664 [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998. 1666 [RFC3610] Whiting, D., Housley, R., and N. Ferguson, "Counter with 1667 CBC-MAC (CCM)", RFC 3610, September 2003. 1669 [RFC4593] Barbir, A., Murphy, S., and Y. Yang, "Generic Threats to 1670 Routing Protocols", RFC 4593, October 2006. 1672 [RFC4732] Handley, M., Rescorla, E., IAB, "Internet Denial-of- 1673 Service Considerations", RFC 4732, December 2006. 1675 [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC 1676 4949, August 2007. 1678 [RFC5191] Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H., and A. 1679 Yegin, "Protocol for Carrying Authentication for Network 1680 Access (PANA)", RFC 5191, May 2008. 1682 [RFC5216] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS 1683 Authentication Protocol", RFC 5216, March 2008. 1685 [RFC5548] Dohler, M., Watteyne, T., Winter, T., and D. Barthel, 1686 "Routing Requirements for Urban Low-Power and Lossy 1687 Networks", RFC 5548, May 2009. 1689 [RFC5673] Pister, K., Thubert, P., Dwars, S., and T. Phinney, 1690 "Industrial Routing Requirements in Low-Power and Lossy 1691 Networks", RFC 5673, October 2009. 1693 [RFC5751] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet 1694 Mail Extensions (S/MIME) Version 3.2 Message 1695 Specification", RFC 5751, January 2010. 1697 [RFC5826] Brandt, A., Buron, J., and G. Porcu, "Home Automation 1698 Routing Requirements in Low-Power and Lossy Networks", RFC 1699 5826, April 2010. 1701 [RFC5867] Martocci, J., De Mil, P., Riou, N., and W. Vermeylen, 1702 "Building Automation Routing Requirements in Low-Power and 1703 Lossy Networks", RFC 5867, June 2010. 1705 [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the 1706 Router Control Plane", RFC 6192, March 2011. 1708 [RFC6574] Tschofenig, H. and J. Arkko, "Report from the Smart Object 1709 Workshop", RFC 6574, April 2012. 1711 [RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure, 1712 "TCP Extensions for Multipath Operation with Multiple 1713 Addresses", RFC 6824, January 2013. 1715 [RFC7142] Shand, M. and L. Ginsberg, "Reclassification of RFC 1142 1716 to Historic", RFC 7142, February 2014. 1718 [SmartObjectSecurityWorkshop] 1719 Klausen, T., Ed., "Workshop on Smart Object Security", 1720 March 2012, . 1723 [SolaceProposal] 1724 Bormann, C., Ed., "Notes from the SOLACE ad-hoc at IETF85 1725 (work-in-progress)", November 2012, . 1728 [Sybil2002] 1729 Douceur, J., "The Sybil Attack", First International 1730 Workshop on Peer-to-Peer Systems , March 2002. 1732 [Wan2004] Wan, T., Kranakis, E., and PC. van Oorschot, "S-RIP: A 1733 Secure Distance Vector Routing Protocol", in Proceedings 1734 of the 2nd International Conference on Applied 1735 Cryptography and Network Security, Yellow Mountain, China, 1736 pp. 103-119, Jun. 8-11 2004. 1738 [Yourdon1979] 1739 Yourdon, E. and L. Constantine, "Structured Design", 1740 Yourdon Press, New York, Chapter 10, pp. 187-222, 1979. 1742 Authors' Addresses 1744 Tzeta Tsao 1745 Cooper Power Systems 1746 910 Clopper Rd. Suite 201S 1747 Gaithersburg, Maryland 20878 1748 USA 1750 Email: tzeta.tsao@cooperindustries.com 1752 Roger K. Alexander 1753 Cooper Power Systems 1754 910 Clopper Rd. Suite 201S 1755 Gaithersburg, Maryland 20878 1756 USA 1758 Email: roger.alexander@cooperindustries.com 1760 Mischa Dohler 1761 CTTC 1762 Parc Mediterrani de la Tecnologia, Av. Canal Olimpic S/N 1763 Castelldefels, Barcelona 08860 1764 Spain 1766 Email: mischa.dohler@cttc.es 1767 Vanesa Daza 1768 Universitat Pompeu Fabra 1769 P/ Circumval.lacio 8, Oficina 308 1770 Barcelona 08003 1771 Spain 1773 Email: vanesa.daza@upf.edu 1775 Angel Lozano 1776 Universitat Pompeu Fabra 1777 P/ Circumval.lacio 8, Oficina 309 1778 Barcelona 08003 1779 Spain 1781 Email: angel.lozano@upf.edu 1783 Michael Richardson (ed) (editor) 1784 Sandelman Software Works 1785 470 Dawson Avenue 1786 Ottawa, ON K1Z5V7 1787 Canada 1789 Email: mcr+ietf@sandelman.ca