[Docs] [txt|pdf|xml|html] [Tracker] [Email] [Diff1] [Diff2] [Nits]

Versions: 00 01 02 draft-ietf-roll-security-framework

Networking Working Group                                    T. Tsao, Ed.
Internet-Draft                                         R. Alexander, Ed.
Intended status: Informational                               Eka Systems
Expires: March 24, 2010                                   M. Dohler, Ed.
                                                                    CTTC
                                                            V. Daza, Ed.
                                                          A. Lozano, Ed.
                                                Universitat Pompeu Fabra
                                                      September 20, 2009


   A Security Framework for Routing over Low Power and Lossy Networks
                 draft-tsao-roll-security-framework-01

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on March 24, 2010.

Copyright Notice

   Copyright (c) 2009 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents in effect on the date of
   publication of this document (http://trustee.ietf.org/license-info).
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.




Tsao, et al.             Expires March 24, 2010                 [Page 1]


Internet-Draft         Security Framework for ROLL        September 2009


Abstract

   This document presents a security framework for routing over low
   power and lossy networks.  The development of the framework builds
   upon previous work on routing security and adapts the security
   assessments to the issues and constraints specific to low power and
   lossy networks.  A systematic approach is used in defining and
   assessing the security threats and identifying applicable
   countermeasures.  These assessments provide the basis of the security
   recommendations for incorporation into low power, lossy network
   routing protocols.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].


































Tsao, et al.             Expires March 24, 2010                 [Page 2]


Internet-Draft         Security Framework for ROLL        September 2009


Table of Contents

   1.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  5
   2.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  5
   3.  Considerations on ROLL Security  . . . . . . . . . . . . . . .  5
     3.1.  Routing Assets and Points of Access  . . . . . . . . . . .  6
     3.2.  The CIA Security Reference Model . . . . . . . . . . . . .  8
     3.3.  Issues Specific to or Magnified in LLNs  . . . . . . . . . 10
   4.  Threats and Attacks  . . . . . . . . . . . . . . . . . . . . . 11
     4.1.  Threats and Attacks on Confidentiality . . . . . . . . . . 12
       4.1.1.  Routing Exchange Exposure  . . . . . . . . . . . . . . 12
       4.1.2.  Routing Information (Routes and Network Topology)
               Exposure . . . . . . . . . . . . . . . . . . . . . . . 12
     4.2.  Threats and Attacks on Integrity . . . . . . . . . . . . . 13
       4.2.1.  Routing Information Manipulation . . . . . . . . . . . 13
       4.2.2.  Node Identity Misappropriation . . . . . . . . . . . . 13
     4.3.  Threats and Attacks on Availability  . . . . . . . . . . . 14
       4.3.1.  Routing Exchange Interference or Disruption  . . . . . 14
       4.3.2.  Network Traffic Forwarding Disruption  . . . . . . . . 14
       4.3.3.  Communications Resource Disruption . . . . . . . . . . 15
       4.3.4.  Node Resource Exhaustion . . . . . . . . . . . . . . . 15
   5.  Countermeasures  . . . . . . . . . . . . . . . . . . . . . . . 16
     5.1.  Confidentiality Attack Countermeasures . . . . . . . . . . 16
       5.1.1.  Countering Deliberate Exposure Attacks . . . . . . . . 16
       5.1.2.  Countering Sniffing Attacks  . . . . . . . . . . . . . 17
       5.1.3.  Countering Traffic Analysis  . . . . . . . . . . . . . 18
       5.1.4.  Countering Physical Device Compromise  . . . . . . . . 18
       5.1.5.  Countering Remote Device Access Attacks  . . . . . . . 20
     5.2.  Integrity Attack Countermeasures . . . . . . . . . . . . . 20
       5.2.1.  Countering Tampering Attacks . . . . . . . . . . . . . 21
       5.2.2.  Countering Overclaiming and Misclaiming Attacks  . . . 21
       5.2.3.  Countering Identity (including Sybil) Attacks  . . . . 21
       5.2.4.  Countering Routing Information Replay Attacks  . . . . 22
     5.3.  Availability Attack Countermeasures  . . . . . . . . . . . 22
       5.3.1.  Countering HELLO Flood Attacks and ACK Spoofing
               Attacks  . . . . . . . . . . . . . . . . . . . . . . . 22
       5.3.2.  Countering Overload Attacks  . . . . . . . . . . . . . 24
       5.3.3.  Countering Selective Forwarding Attacks  . . . . . . . 25
       5.3.4.  Countering Sinkhole Attacks  . . . . . . . . . . . . . 25
       5.3.5.  Countering Wormhole Attacks  . . . . . . . . . . . . . 26
   6.  ROLL Security Features . . . . . . . . . . . . . . . . . . . . 27
     6.1.  Confidentiality Features . . . . . . . . . . . . . . . . . 27
     6.2.  Integrity Features . . . . . . . . . . . . . . . . . . . . 27
     6.3.  Availability Features  . . . . . . . . . . . . . . . . . . 27
     6.4.  Additional Related Features  . . . . . . . . . . . . . . . 28
     6.5.  Consideration on Matching Application Domain Needs . . . . 28
       6.5.1.  Architecture . . . . . . . . . . . . . . . . . . . . . 28
       6.5.2.  Mechanisms and Operations  . . . . . . . . . . . . . . 29



Tsao, et al.             Expires March 24, 2010                 [Page 3]


Internet-Draft         Security Framework for ROLL        September 2009


   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 30
   8.  Security Considerations  . . . . . . . . . . . . . . . . . . . 30
   9.  Acknowledgments  . . . . . . . . . . . . . . . . . . . . . . . 30
   10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 30
     10.1. Normative References . . . . . . . . . . . . . . . . . . . 30
     10.2. Informative References . . . . . . . . . . . . . . . . . . 31
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 33












































Tsao, et al.             Expires March 24, 2010                 [Page 4]


Internet-Draft         Security Framework for ROLL        September 2009


1.  Terminology

   This document conforms to the terminology defined in
   [I-D.ietf-roll-terminology], with the following additions.

   Link Cost  A quantification of chosen characteristics of a link.

   Node  A base unit of a network, e.g., a router or a host on a low
         power and lossy network.

   Routing Metric  A function of link costs along routes, whose value
         gives rise to preference of routing choices.


2.  Introduction

   In recent times, networked wireless devices have found an increasing
   number of applications in various fields.  Yet, for reasons ranging
   from operational application to economics, these wireless devices are
   often supplied with minimum physical resources, e.g., limited power
   reserve, slow speed or low capability computation, or small memory
   size.  As a consequence, the resulting networks are more prone to
   loss of traffic and other vulnerabilities.  The proliferation of
   these low power and lossy networks (LLNs), however, are drawing
   efforts to examine and address their potential networking challenges.

   This document presents a framework for securing routing over low
   power and lossy networks (ROLL) through an analysis that starts from
   the routing basics.  The objective is two-fold.  First, the framework
   will be used to identify pertinent security issues.  Second, it will
   facilitate both the assessment of a protocol's security threats and
   the identification of the necessary features for development of
   secure protocols for ROLL.

   The approach adopted in this effort proceeds in four steps, to
   examine ROLL security issues, to analyze threats and attacks, to
   consider the countermeasures, and then to make recommendations for
   securing ROLL.  The basis is found on identifying the assets and
   points of access of routing and evaluating their security needs based
   on the Confidentiality, Integrity, and Availability (CIA) model in
   the context of LLN.


3.  Considerations on ROLL Security

   This section sets the stage for the development of the framework by
   applying the systematic approach proposed in [Myagmar2005] to the
   routing security problem, while also drawing references from other



Tsao, et al.             Expires March 24, 2010                 [Page 5]


Internet-Draft         Security Framework for ROLL        September 2009


   reviews and assessments found in the literature, particularly,
   [RFC4593] and [Karlof2003].  The subsequent subsections begin with a
   focus on the elements of a generic routing process that is used to
   establish routing assets and points of access of the routing
   functionality.  Next, the CIA security model is briefly described.
   Then, consideration is given to issues specific to or magnified in
   LLNs.

3.1.  Routing Assets and Points of Access

   An asset implies important system component (including information,
   process, or physical resource), the access to, corruption or loss of
   which adversely affects the system.  In network routing, assets lie
   in the routing information, routing process, and node's physical
   resources.  That is, the access to, corruption, or loss of these
   elements adversely affects system routing.  In network routing, a
   point of access refers to the point of entry facilitating
   communication with or other interaction with a system component in
   order to use system resources to either manipulate information or
   gain knowledge of the information contained within the system.
   Security of the routing protocol must be focused on the assets of the
   routing nodes and the points of access of the information exchanges
   and information storage that may permit routing compromise.  The
   identification of routing assets and points of access hence provides
   a basis for the identification of associated threats and attacks.

   This subsection identifies assets and points of access of a generic
   routing process with a level-0 data flow diagram.  The use of the
   data flow diagram allows for a clear, concise model of the routing
   functionality; it also has the benefit of showing the manner in which
   nodes participate in the routing process, thus providing context when
   later threats and attacks are considered.  The goal of the model is
   to be as detailed as possible so that corresponding components and
   mechanisms in an individual routing protocol can be readily
   identified, but also to be as general as possible to maximize the
   relevancy of this effort for the various existing and future
   protocols.  Nevertheless, there may be discrepancies, likely in the
   form of additional elements, when the model is applied to some
   protocols.  For such cases, the analysis approach laid out in this
   document should still provide a valid and illustrative path for their
   security assessment.

   Figure 1 shows that nodes participating in the routing process
   transmit messages to determine their neighbors (neighbor discovery).
   Using the neighboring relationships, routing protocols may exchange
   network topology (including link-specific information) to generate
   routes or may exchange routes directly as part of a routing exchange;
   nodes which do not directly participate in the process with a given



Tsao, et al.             Expires March 24, 2010                 [Page 6]


Internet-Draft         Security Framework for ROLL        September 2009


   node will get the route/topology information relayed from others.  It
   is likely that a node will store some or all of the routes and
   topology information according to tradeoffs of node resources and
   latency associated with the particular routing protocol.  The nodes
   use the derived routes for making forwarding decisions.



               ...................................................
               :                                                 :
               :                            _________________    :
   |Node_i|<------->(Neighbor Discovery)--->Neighbor Topology    :
               :                            -----------------    :
               :                                   |             :
   |Node_j|<------->(Route/Topology       +--------+             :
               :     Exchange      )      |                      :
               :           |              V            ______    :
               :           +---->(Route Generation)--->Routes    :
               :                                       ------    :
               :                                          |      :
               : Routing on a Node Node_k                 |      :
               ...................................................
                                                          |
   |Forwarding                                            |
    On Node_k |<------------------------------------------+


   Notation:

   (Proc)     A process Proc

   ________
   DataBase   A data storage DataBase
   --------

   |Node_n|   An external entity Node_n

   ------->   Data flow


         Figure 1: Data Flow Diagram of a Generic Routing Process

   It is seen from Figure 1 that

   o  Assets include

      *  routing and/or topology information;




Tsao, et al.             Expires March 24, 2010                 [Page 7]


Internet-Draft         Security Framework for ROLL        September 2009


      *  communication channel resources (bandwidth);

      *  node resources (computing capacity, memory, and remaining
         energy);

      *  node identifiers (including node identity and ascribed
         attributes such as relative or absolute node location).

   o  Points of access include

      *  neighbor discovery;

      *  route/topology exchange;

      *  node physical interfaces (including access to data storage).

   A focus on the above list of assets and points of access enables a
   more directed assessment of routing security.  Indeed, the intention
   is to be comprehensive; nonetheless, the discussions to follow on
   physical related issues are not related to routing protocol design
   but provided for reference since they do have direct consequences on
   the security of routing.

3.2.  The CIA Security Reference Model

   At the conceptual level, security within an information system in
   general and applied to ROLL in particular is concerned with the
   primary issues of confidentiality, integrity, and availability.  In
   the context of ROLL:

   Confidentiality
         Confidentiality involves the protection of routing information
         as well as routing neighbor maintenance exchanges so that only
         authorized and intended network entities may view or access it.
         Because of the wireless, and sometimes ad hoc, nature of the
         network, confidentiality also extends to the neighbor state and
         database information within the routing device since the
         deployment of the network creates the potential for
         unauthorized access to the physical devices themselves.

   Integrity
         Integrity, as a security principle, entails the protection of
         routing information and routing neighbor maintenance exchanges,
         as well as derived information maintained in the database, from
         misuse or unauthorized and improper modification.  In addition,
         integrity also requires the authenticity of claimed identity in
         the origin and destination of a message, access and removal of
         data, execution of the routing process, and use of computing



Tsao, et al.             Expires March 24, 2010                 [Page 8]


Internet-Draft         Security Framework for ROLL        September 2009


         and energy resources.

   Availability
         Availability ensures that routing information exchanges and
         forwarding services need to be available when they are required
         for the functioning of the serving network.  Availability will
         apply to maintaining efficient and correct operation of routing
         and neighbor discovery exchanges (including needed information)
         and forwarding services so as not to impair or limit the
         network's central traffic flow function.

   It is noted that, besides those captured in the CIA model, non-
   repudiation is another security concern evaluated.  With respect to
   routing, non-repudiation will involve providing some ability to allow
   traceability or network management review of participants of the
   routing process including the ability to determine the events and
   actions leading to a particular routing state.  Non-repudiation
   implies after the fact and thus relies on the logging or other
   capture of on-going routing exchanges.  Given the limited resources
   of a node and potentially the communication channel, and considering
   the operating mode associated with LLNs, routing transaction logging
   or auditing process communication overhead will not be practical; as
   such, non-repudiation is not further considered as a relevant ROLL
   security issue.

   Based upon the CIA model, a high-level assessment of the security
   needs of the assets found in Section 3.1 shows that

   o  routing/topology information needs to be integrity protected,
      maintained with confidentiality, and prevented from unauthorized
      use;

   o  neighbor discovery process needs to operate without undermining
      routing availability;

   o  routing/topology exchange process needs to ensure that the
      participants are authenticated, the communication of information
      is integrity protected and confidential;

   o  communication channels and node resources need to have their
      availability maintained;

   o  the internal and external interfaces of a node need to be
      protected to ensure that integrity and confidentiality of stored
      information is maintained as well as the integrity of routing and
      route generation processes is assured.

   Each individual system's use and environment will dictate how the



Tsao, et al.             Expires March 24, 2010                 [Page 9]


Internet-Draft         Security Framework for ROLL        September 2009


   above general assessments are applied, including the choices of
   security services as well as the strengths of the mechanisms that
   must be implemented.  The next subsection brings LLN-related issues
   to light.

3.3.  Issues Specific to or Magnified in LLNs

   The work [RFC5548], as well as three other ongoing efforts,
   [I-D.ietf-roll-indus-routing-reqs],
   [I-D.ietf-roll-home-routing-reqs], and
   [I-D.ietf-roll-building-routing-reqs], have identified ROLL specific
   requirements and constraints for the urban, industrial, home
   automation, and building automation application domains,
   respectively.  The following is a list of observations and evaluation
   of their impact on routing security considerations.

   Limited energy reserve, memory, and processing resources
         As a consequence of these constraints, there is an even more
         critical need than usual for a careful trade study on which and
         what level of security services are to be afforded during the
         system design process.  In addition, routing schemes based on
         various metrics have been proposed, e.g., geographic location.
         Transmission and exchanging such metrics may have security
         and/or privacy concerns.

   Large scale of rolled out network
         The possibly numerous nodes to be deployed, as well as the
         general level of expertise of the installers, make manual on-
         site configuration unlikely.  Prolonged rollout and delayed
         addition of nodes, which may be from old inventory, over the
         lifetime of the network, also complicate the operations of key
         management.

   Autonomous operations
         Self-forming and self-organizing are commonly prescribed
         requirements of ROLL.  In other words, a ROLL protocol needs to
         contain elements of ad hoc networking and cannot rely on manual
         configuration for initialization or local filtering rules.

   Highly directional traffic
         Some types of LLNs see a high percentage of their total traffic
         traverse between the nodes and the gateways where the LLNs
         connect to wired networks.  The special routing status of and
         the greater volume of traffic near the gateways have routing
         security consequences.






Tsao, et al.             Expires March 24, 2010                [Page 10]


Internet-Draft         Security Framework for ROLL        September 2009


   Unattended locations and limited physical security
         Many applications have the nodes deployed in unattended or
         remote locations; furthermore, the nodes themselves are often
         built with minimal physical protection.  These constraints
         lower the barrier of accessing the data or security material
         stored on the nodes through physical means.

   Support for mobility
         On the one hand, only a number of applications require the
         support of mobile nodes, e.g., a home LLN that includes nodes
         on wearable health care devices or an industry LLN that
         includes nodes on cranes and vehicles.  On the other hand, if a
         routing protocol is indeed used in such applications, it will
         clearly need to have corresponding security mechanisms.

   Support for multicast and anycast
         ROLL support for multicast and anycast is called out chiefly
         for large-scale networks.  As these are relatively new routing
         technologies, there has been an ongoing effort devoted to their
         security mechanisms, e.g., from the IETF Multicast Security
         working group.  However, the threat model and attack analysis
         are still areas not fully evaluated, and hence their impact is
         not yet fully understood, whether in a wired, wireless, or LLN.

   The above list considers how a LLN's physical constraints, size,
   operations, and varieties of application areas may impact security.
   It is noted here also that LLNs commonly have the majority, if not
   all, of their nodes equipped to route.  One of the consequences is
   that the distinction between the link and network layers become
   artificial in some respects.  Similarly, the distinction between a
   host and a router is blurred, especially when the set of applications
   running on a node is small.  The continued evolution of ROLL and its
   security functionality requirements need close attention.


4.  Threats and Attacks

   This section outlines general categories of threats under the CIA
   model and highlights the specific attacks in each of these categories
   for ROLL.  As defined in [RFC4949], a threat is "a potential for
   violation of security, which exists when there is a circumstance,
   capability, action, or event that could breach security and cause
   harm."  An attack is "an assault on system security that derives from
   an intelligent threat, i.e., an intelligent act that is a deliberate
   attempt (especially in the sense of a method or technique) to evade
   security services and violate the security policy of a system."

   The subsequent subsections consider the threats and their realizing



Tsao, et al.             Expires March 24, 2010                [Page 11]


Internet-Draft         Security Framework for ROLL        September 2009


   attacks that can cause security breaches under the CIA model to the
   assets identified in Section 3.1.  The analysis steps through the
   security concerns of each routing asset and looks at the attacks that
   can exploit points of access.  The manifestation of the attacks is
   assumed to be from either inside or outside attackers, whose
   capabilities may be limited to node-equivalent or more sophisticated
   computing platforms.

4.1.  Threats and Attacks on Confidentiality

   The assessment in Section 3.2 indicates that information assets are
   exposed to confidentiality threats from all points of access.

4.1.1.  Routing Exchange Exposure

   Routing exchanges include both routing information as well as
   information associated with the establishment and maintenance of
   neighbor state information.

   The exposure of routing information exchanged will allow unauthorized
   sources to gain access to the content of the exchanges between
   communicating nodes.  The exposure of neighbor state information will
   allow unauthorized sources to gain knowledge of communication links
   between routing nodes that are necessary to maintain routing
   information exchanges.

   The forms of attack that allow unauthorized access or exposure of
   routing exchange information, as reported in the literature, include

   o  Deliberate exposure;

   o  Sniffing;

   o  Traffic analysis.

4.1.2.  Routing Information (Routes and Network Topology) Exposure

   Routes and neighbor topology information are the products of the
   routing process that are stored within the node device databases.

   The exposure of this information will allow unauthorized sources to
   gain direct access to the configuration and connectivity of the
   network thereby exposing routing to targeted attacks on key nodes or
   links.  Since routes and neighbor topology information is stored
   within the node device, threats or attacks on the confidentiality of
   the information will apply to the physical device including specified
   and unspecified internal and external interfaces.




Tsao, et al.             Expires March 24, 2010                [Page 12]


Internet-Draft         Security Framework for ROLL        September 2009


   The forms of attack that allow unauthorized access or exposure of the
   routing information (other than occurring through explicit node
   exchanges) will include

   o  Physical device compromise;

   o  Remote device access attacks (including those occurring through
      remote network management or software/field upgrade interfaces).

   More detailed descriptions of the exposure attacks on routing
   exchange and information will be given in Section 5 together with the
   corresponding countermeasures.

4.2.  Threats and Attacks on Integrity

   The assessment in Section 3.2 indicates that information and identity
   assets are exposed to integrity threats from all points of access.

4.2.1.  Routing Information Manipulation

   Manipulation of routing information will allow unauthorized sources
   to influence the operation and convergence of the routing protocols
   and ultimately impact the forwarding decisions made in the network.
   Manipulation of neighbor state (topology) information will allow
   unauthorized sources to influence the nodes with which routing
   information is exchanged and updated.  The consequence of
   manipulating routing exchanges can thus lead to sub-optimality and
   fragmentation or partitioning of the network by restricting the
   universe of routers with which associations can be established and
   maintained.

   The forms of attack that allow manipulation of routing information
   include

   o  Falsification, including overclaiming and misclaiming;

   o  Routing information replay;

   o  Physical device compromise.

4.2.2.  Node Identity Misappropriation

   Falsification or misappropriation of node identity between routing
   participants opens the door for other attacks; it can also cause
   incorrect routing relationships to form and/or topologies to emerge.
   Routing attacks may also be mounted through less sophisticated node
   identity misappropriation in which the valid information broadcast or
   exchanged by a node is replayed without modification.  The receipt of



Tsao, et al.             Expires March 24, 2010                [Page 13]


Internet-Draft         Security Framework for ROLL        September 2009


   seemingly valid information that is however no longer current can
   result in routing disruption, and instability (including failure to
   converge).  Without measures to authenticate the routing participants
   and to ensure the freshness and validity of the received information
   the protocol operation can be compromised.  The forms of attack that
   misuse node identity include

   o  Identity (including Sybil) attacks;

   o  Routing information replay.

4.3.  Threats and Attacks on Availability

   The assessment in Section 3.2 indicates that the process and
   resources assets are exposed to availability threats; attacks of this
   category may exploit directly or indirectly information exchange or
   forwarding.

4.3.1.  Routing Exchange Interference or Disruption

   Interference or disruption of routing information exchanges will
   allow unauthorized sources to influence the operation and convergence
   of the routing protocols by impeding the regularity of routing
   information exchange.

   The forms of attack that allow interference or disruption of routing
   exchange include

   o  Routing information replay;

   o  HELLO flood attacks and ACK spoofing;

   o  Overload attacks.

4.3.2.  Network Traffic Forwarding Disruption

   The disruption of the network traffic forwarding capability of the
   network will undermine the central function of network routers and
   the ability to handle user traffic.  This threat and the associated
   attacks affect the availability of the network because of the
   potential to impair the primary capability of the network.

   The forms of attack that allows disruption of network traffic
   forwarding include

   o  Selective forwarding attacks;





Tsao, et al.             Expires March 24, 2010                [Page 14]


Internet-Draft         Security Framework for ROLL        September 2009


   o  Sinkhole attacks;

   o  Wormhole attacks.

4.3.3.  Communications Resource Disruption

   Attacks mounted against the communication channel resource assets
   needed by the routing protocol can be used as a means of disrupting
   its operation.  However, while various forms of Denial of Service
   (DoS) attacks on the underlying transport subsystem will affect
   routing protocol exchanges and operation (for example physical layer
   RF jamming in a wireless network or link layer attacks), these
   attacks cannot be countered by the routing protocol.  As such, the
   threats to the underlying transport network that supports routing is
   considered beyond the scope of the current document.  Nonetheless,
   attacks on the subsystem will affect routing operation and so must be
   directly addressed within the underlying subsystem and its
   implemented protocol layers.

4.3.4.  Node Resource Exhaustion

   A potential security threat to routing can arise from attempts to
   exhaust the node resource asset by initiating exchanges that can lead
   to the undue utilization of exhaustion of processing, memory or
   energy resources.  The establishment and maintenance of routing
   neighbors opens the routing process to engagement and potential
   acceptance of multiple neighboring peers.  Association information
   must be stored for each peer entity and for the wireless network
   operation provisions made to periodically update and reassess the
   associations.  An introduced proliferation of apparent routing peers
   can therefore have a negative impact on node resources.

   Node resources may also be unduly consumed by the attackers
   attempting uncontrolled topology peering or routing exchanges,
   routing replays, or the generating of other data traffic floods.
   Beyond the disruption of communications channel resources, these
   threats may be able to exhaust node resources only where the
   engagements are able to proceed with the peer routing entities.
   Routing operation and network forwarding functions can thus be
   adversely impacted by node resources exhaustion that stems from
   attacks that include

   o  Identity (including Sybil) attacks;

   o  Routing information replay attacks;

   o  HELLO flood attacks and ACK spoofing;




Tsao, et al.             Expires March 24, 2010                [Page 15]


Internet-Draft         Security Framework for ROLL        September 2009


   o  Overload attacks.


5.  Countermeasures

   By recognizing the characteristics of LLNs that may impact routing
   and identifying potential countermeasures, this framework provides
   the basis for developing capabilities within ROLL protocols to deter
   the identified attacks and mitigate the threats.  The following
   subsections consider such countermeasures by grouping the attacks
   according to the classification of the CIA model so that associations
   with the necessary security services are more readily visible.

5.1.  Confidentiality Attack Countermeasures

   Attacks on confidentiality may be mounted at the level of the routing
   information assets, at the points of access associated with routing
   exchanges between nodes, or through device interface access.  To gain
   access to routing/topology information, the attacker may rely on a
   compromised node that deliberately exposes the information during the
   routing exchange process, may rely on passive sniffing or analysis of
   routing traffic, or may attempt access through a component or device
   interface of a tampered routing node.

5.1.1.  Countering Deliberate Exposure Attacks

   A deliberate exposure attack is one in which an entity that is party
   to the routing process or topology exchange allows the routing/
   topology information or generated route information to be exposed to
   an unauthorized entity during the exchange.

   A prerequisite to countering this type of confidentiality attacks
   associated with the routing/topology exchange is to ensure that the
   communicating nodes are authenticated prior to data encryption
   applied in the routing exchange.  Authentication ensures that the
   nodes are who they claim to be even though it does not provide an
   indication of whether the node has been compromised.

   To prevent deliberate exposure, the process that communicating nodes
   use for establishing communication session keys must be symmetric at
   each node so that neither node can independently weaken the
   confidentiality of the exchange without the knowledge of its
   communicating peer.  A deliberate exposure attack will therefore
   require more overt and independent action on the part of the
   offending node.

   Note that the same measures which apply to securing routing/topology
   exchanges between operational nodes must also extend to field tools



Tsao, et al.             Expires March 24, 2010                [Page 16]


Internet-Draft         Security Framework for ROLL        September 2009


   and other devices used in a deployed network where such devices can
   be configured to participate in routing exchanges.

5.1.2.  Countering Sniffing Attacks

   A sniffing attack seeks to breach routing confidentiality through
   passive, direct analysis and processing of the information exchanges
   between nodes.  A sniffing attack in an LLN that is not based on a
   physical device compromise will rely on the attacker attempting to
   directly derive information from the over-the-air routing/topology
   communication exchange (neighbor discovery exchanges may of necessity
   be conducted in the clear thus limiting the extent to which the
   information can be kept confidential).

   Sniffing attacks can be directly countered through the use of data
   encryption for all routing exchanges.  Only when a validated and
   authenticated node association is completed will routing exchange be
   allowed to proceed using established session confidentiality keys and
   an agreed confidentiality algorithm.  The level of security applied
   in providing confidentiality will determine the minimum requirement
   for an attacker mounting this passive security attack.  Because of
   the resource constraints of LLN devices, symmetric (private) key
   session security will provide the best tradeoff in terms of node and
   channel resource overhead and the level of security achieved.  This
   will of course not preclude the use of asymmetric (public) key
   encryption during the session key establishment phase.

   As with the key establishment process, data encryption must include
   an authentication prerequisite to ensure that each node is
   implementing a level of security that prevents deliberate or
   inadvertent exposure.  The authenticated key establishment will
   ensure that confidentiality is not compromised by providing the
   information to an unauthorized entity (see also [Huang2003]).

   Based on the current state of the art, a minimum 128-bit key length
   should be applied where robust confidentiality is demanded for
   routing protection.  This session key shall be applied in conjunction
   with an encryption algorithm that has been publicly vetted and where
   applicable approved for the level of security desired.  Algorithms
   such as AES (adopted by the U.S. government) or Kasumi-Misty (adopted
   by the 3GPP 3rd generation wireless mobile consortium) are examples
   of symmetric-key algorithms capable of ensuring robust
   confidentiality for routing exchanges.  The key length, algorithm and
   mode of operation will be selected as part of the overall security
   tradeoff that also achieves a balance with the level of
   confidentiality afforded by the physical device in protecting the
   routing assets (see Section 5.1.4 below).




Tsao, et al.             Expires March 24, 2010                [Page 17]


Internet-Draft         Security Framework for ROLL        September 2009


   As with any encryption algorithm, the use of ciphering
   synchronization parameters and limitations to the usage duration of
   established keys should be part of the security specification to
   reduce the potential for brute force analysis.

5.1.3.  Countering Traffic Analysis

   Traffic analysis provides an indirect means of subverting
   confidentiality and gaining access to routing information by allowing
   an attacker to indirectly map the connectivity or flow patterns
   (including link-load) of the network from which other attacks can be
   mounted.  The traffic analysis attack on a LLN may be passive and
   relying on the ability to read the immutable source/destination
   routing information that must remain unencrypted to permit network
   routing.  Alternatively, attacks can be active through the injection
   of unauthorized discovery traffic into the network.  By implementing
   authentication measures between communicating nodes, active traffic
   analysis attacks can be prevented within the LLN thereby reducing
   confidentiality vulnerabilities to those associated with passive
   analysis.

   One way in which passive traffic analysis attacks can be muted is
   through the support of load balancing that allows traffic to a given
   destination to be sent along diverse routing paths.  Where the
   routing protocol supports load balancing along multiple links at each
   node, the number of routing permutations in a wide area network
   surges thus increasing the cost of traffic analysis.  Network
   analysis through this passive attack will require a wider array of
   analysis points and additional processing on the part of the
   attacker.  In LLNs, the diverse radio connectivity and dynamic links
   (including potential frequency hopping) will help to further mitigate
   traffic analysis attacks when load balancing is implemented.

   The only means of fully countering a traffic analysis attack is
   through the use of tunneling (encapsulation) where encryption is
   applied across the entirety of the original packet source/destination
   addresses.  With tunneling there is a further requirement that the
   encapsulating intermediate nodes apply an additional layer of routing
   so that traffic arrives at the destination through dynamic routes.
   For LLNs, memory and processing constraints as well as the
   limitations of the communication channel will preclude both the
   additional routing traffic overhead and the node implementation
   required for tunneling countermeasures to traffic analysis.

5.1.4.  Countering Physical Device Compromise

   Given the distributed nature of LLNs, confidentiality of routing
   assets and points of access will rely heavily on the security of the



Tsao, et al.             Expires March 24, 2010                [Page 18]


Internet-Draft         Security Framework for ROLL        September 2009


   routing devices.  One means of precluding attacks on the physical
   device is to prevent physical access to the node through other
   external security means.  However, given the environment in which
   LLNs operate, preventing unauthorized access to the physical device
   cannot be assured.  Countermeasures must therefore be employed at the
   device and component level so that routing/topology or neighbor
   information and stored route information cannot be accessed even if
   physical access to the node is obtained.

   With the physical device in the possession of an attacker,
   unauthorized information access can be attempted by probing internal
   interfaces or device components.  Device security must therefore move
   to preventing the reading of device processor code or memory
   locations without the appropriate security keys and in preventing the
   access to any information exchanges occurring between individual
   components.  Information access will then be restricted to external
   interfaces in which confidentiality, integrity and authentication
   measures can be applied.

   To prevent component information access, deployed routing devices
   must ensure that their implementation avoids address or data buses
   being connected to external general purpose input/output (GPIO) pins.
   Beyond this measure, an important component interface to be protected
   against attack is the Joint Test Action Group (JTAG) interface used
   for component and populated circuit board testing after manufacture.
   To provide security on the routing devices, components should be
   employed that allow fuses on the JTAG interfaces to be blown to
   disable access.  This will raise the bar on unauthorized component
   information access within a captured device.

   At the device level a key component information exchange is between
   the microprocessor and it associated external memory.  While
   encryption can be implemented to secure data bus exchanges, the use
   of integrated physical packaging which avoids inter-component
   exchanges (other than secure external device exchanges) will increase
   routing security against a physical device interface attack.  With an
   integrated package and disabled internal component interfaces, the
   level of physical device security can be controlled by managing the
   degree to which the device packaging is protected against expert
   physical decomposition and analysis.

   The device package should be hardened such that attempts to remove
   the integrated components will result in damage to access interfaces,
   ports or pins that prevent retrieval of code or stored information.
   The degree of VLSI or PCB package security through manufacture can be
   selected as a tradeoff or desired security consistent with the level
   of security achieved by measures applied for other routing assets and
   points of access.  With package hardening and restricted component



Tsao, et al.             Expires March 24, 2010                [Page 19]


Internet-Draft         Security Framework for ROLL        September 2009


   access countermeasures, the security level will be raised to that
   provided by measures employed at the external communications
   interfaces.

   Another area of node interface vulnerability is that associated with
   interfaces provided for remote software or firmware upgrades.  This
   may impact both routing information and routing/topology exchange
   security where it leads to unauthorized upgrade or change to the
   routing protocol running on a given node as this type of attack can
   allow for the execution of compromised or intentionally malicious
   routing code on multiple nodes.  Countermeasures to this device
   interface confidentiality attack needs to be addressed in the larger
   context of node remote access security.  This will ensure not only
   the authenticity of the provided code (including routing protocol)
   but that the process is initiated by an authorized (authenticated)
   entity.

   The above identified countermeasures against attacks on routing
   information confidentiality through internal device interface
   compromise must be part of the larger LLN system security as they
   cannot be addressed within the routing protocol itself.  Similarly,
   the use of field tools or other devices that allow explicit access to
   node information must implement security mechanisms to ensure that
   routing information can be protected against unauthorized access.
   These protections will also be external to the routing protocol and
   hence not part of ROLL.

5.1.5.  Countering Remote Device Access Attacks

   Where LLN nodes are deployed in the field, measures are introduced to
   allow for remote retrieval of routing data and for software or field
   upgrades.  These paths create the potential for a device to be
   remotely accessed across the network or through a provided field
   tool.  In the case of network management a node can be directly
   requested to provide routing tables and neighbor information.

   To ensure confidentiality of the node routing information against
   attacks through remote access, any device local or remote requesting
   routing information must be authenticated to ensure authorized
   access.  Since remote access is not invoked as part of a routing
   protocol security of routing information stored on the node against
   remote access will not be addressable as part of the routing
   protocol.

5.2.  Integrity Attack Countermeasures

   Integrity attack countermeasures address routing information
   manipulation, as well as node identity and routing information



Tsao, et al.             Expires March 24, 2010                [Page 20]


Internet-Draft         Security Framework for ROLL        September 2009


   misuse.  Manipulation can occur in the form of falsification attack
   and physical compromise.  To be effective, the following development
   considers the two aspects of falsification, namely, the tampering
   actions and the overclaiming and misclaiming content.  The countering
   of physical compromise was considered in the previous section and is
   not repeated here.  With regard to misuse, there are two types of
   attacks to be deterred, identity attacks and replay attacks.

5.2.1.  Countering Tampering Attacks

   Tampering may occur in the form of altering the message being
   transferred or the data stored.  Therefore, it is necessary to ensure
   that only authorized nodes can change the portion of the information
   that is allowed to be mutable, while the integrity of the rest of the
   information is protected, e.g., through well-studied cryptographic
   mechanisms.

   Tampering may also occur in the form of insertion or deletion of
   messages during protocol changes.  Therefore, the protocol needs to
   ensure the integrity of the sequence of the exchange sequence.

   The countermeasure to tampering needs to

   o  implement access control on storage;

   o  provide data integrity service to transferred messages and stored
      data;

   o  include sequence number under integrity protection.

5.2.2.  Countering Overclaiming and Misclaiming Attacks

   Both overclaiming and misclaiming aim to introduce false routes or
   topology that would not be generated by the network otherwise, while
   there is not necessarily tampering.  The requisite for a counter is
   the capability to determine unreasonable routes or topology.

   The counter to overclaiming and misclaiming may employ

   o  comparison with historical routing/topology data;

   o  designs which restrict realizable network topologies.

5.2.3.  Countering Identity (including Sybil) Attacks

   Identity attacks, sometimes simply called spoofing, seek to gain or
   damage assets whose access is controlled through identity.  In
   routing, an identity attacker can illegitimately participate in



Tsao, et al.             Expires March 24, 2010                [Page 21]


Internet-Draft         Security Framework for ROLL        September 2009


   routing exchanges, distribute false routing information, or cause an
   invalid outcome of a routing process.

   A perpetrator of Sybil attacks assumes multiple identities.  The
   result is not only an amplification of the damage to routing, but
   extension to new areas, e.g., where geographic distribution is
   explicit or implicit an asset to an application running on the LLN.

   The counter of identity attacks need to ensure the authenticity and
   liveness of the parties of a message exchange; the measure may use
   shared key or public key based authentication scheme.  On the one
   hand, the large-scale nature of the LLNs makes the network-wide
   shared key scheme undesirable from a security perspective; on the
   other hand, public-key based approaches generally require more
   computational resources.  Each system will need to make trade-off
   decisions based on its security requirements.

5.2.4.  Countering Routing Information Replay Attacks

   In routing, message replay can result in false topology and/or
   routes.  The counter of replay attacks need to ensure the freshness
   of the message.  On the one hand, there are a number of mechanisms
   commonly used for countering replay.  On the other hand, the choice
   should take into account how a particular mechanism is made available
   in a LLN.  For example, many LLNs have a central source of time and
   have it distributed by relaying, such that secured time distribution
   becomes a prerequisite of using timestamping to counter replay.

5.3.  Availability Attack Countermeasures

   As alluded to before, availability requires that routing information
   exchanges and forwarding mechanisms be available when needed so as to
   guarantee a proper functioning of the network.  This may, e.g.,
   include the correct operation of routing information and neighbor
   state information exchanges, among others.  We will highlight the key
   features of the security threats along with typical countermeasures
   to prevent or at least mitigate them.  We will also note that an
   availability attack may be facilitated by an identity attack as well
   as a replay attack, as was addressed in Section 5.2.3 and
   Section 5.2.4, respectively.

5.3.1.  Countering HELLO Flood Attacks and ACK Spoofing Attacks

   HELLO Flood [Karlof2003],[I-D.suhopark-hello-wsn] and ACK Spoofing
   attacks are different but highly related forms of attacking a LLN.
   They essentially lead nodes to believe that suitable routes are
   available even though they are not and hence constitute a serious
   availability attack.



Tsao, et al.             Expires March 24, 2010                [Page 22]


Internet-Draft         Security Framework for ROLL        September 2009


   The origin of facilitating a HELLO flood attack lies in the fact that
   many wireless routing protocols require nodes to send HELLO packets
   either upon joining or in regular intervals so as to announce or
   confirm their existence to the network.  Those nodes that receive the
   HELLO packet assume that they are within radio range of the
   transmitter by means of a bidirectional communication link.

   With this in mind, a malicious node can send or replay HELLO packets
   using a higher transmission power.  That creates the false illusion
   of being a neighbor to an increased number of nodes in the network,
   thereby effectively increasing its unidirectional neighborhood
   cardinality.  The high quality of the falsely advertised link may
   coerce nodes to route data via the malicious node.  However, those
   affected nodes, for which the malicious node is out of radio range,
   never succeed in their delivery and the packets are effectively
   dropped.  The symptoms are hence similar to those of a sinkhole,
   wormhole and selective forwarding attack.

   A malicious HELLO flood attack clearly distorts the network topology.
   It thus affects protocols building and maintaining the network
   topology as well as routing protocols as such, since the attack is
   primarily targeted on protocols that require sharing of information
   for topology maintenance or flow control.

   To counter HELLO flood attacks, several mutually non-exclusive
   methods are feasible:

   o  restricting neighborhood cardinality;

   o  facilitating multipath routing;

   o  verifying bidirectionality.

   Restricting the neighborhood cardinality prevents malicious nodes
   from having an extended set of neighbors beyond some tolerated
   threshold and thereby preventing topologies to be built where
   malicious nodes have an extended neighborhood set.  Furthermore, as
   shown in [I-D.suhopark-hello-wsn], if the routing protocol supports
   multiple paths from a sensing node towards several gateways then
   HELLO flood attacks can also be diminished; however, the energy-
   efficiency of such approach is clearly sub-optimal.  Finally,
   verifying that the link is truly bidirectional by means of, e.g., an
   ACK handshake and appropriate security measures ensures that a
   communication link is only established if not only the affected node
   is within range of the malicious node but also vice versa.  Whilst
   this does not really eliminate the problem of HELLO flooding, it
   greatly reduces the number of affected nodes and the probability of
   such an attack succeeding.



Tsao, et al.             Expires March 24, 2010                [Page 23]


Internet-Draft         Security Framework for ROLL        September 2009


   As for the latter, the adversary may spoof the ACK messages to
   convince the affected node that the link is truly bidirectional and
   thereupon drop, tunnel or selectively forward messages.  Such ACK
   spoofing attack is possible if the malicious node has a receiver
   which is significantly more sensitive than that of a normal node,
   thereby effectively extending its range.  Since an ACK spoofing
   attack facilitates a HELLO flood attack, similar countermeasure are
   applicable here.  Viable counter and security measures for both
   attacks have been exposed in [I-D.suhopark-hello-wsn].

5.3.2.  Countering Overload Attacks

   Overload attacks are a form of DoS attack in that a malicious node
   overloads the network with irrelevant traffic, thereby draining the
   nodes' energy budget quicker.  It thus significantly shortens the
   network lifetime and hence constitutes another serious availability
   attack.

   With energy being one of the most precious assets of LLNs, targeting
   its availability is a fairly obvious attack.  Another way of
   depleting the energy of a LLN node is to have the malicious node
   overload the network with irrelevant traffic.  This impacts
   availability since certain routes get congested which

   o  renders them useless for affected nodes and data can hence not be
      delivered;

   o  makes routes longer as shortest path algorithms work with the
      congested network;

   o  depletes nodes quicker and thus shortens the network's
      availability at large.

   Overload attacks can be countered by deploying a series of mutually
   non-exclusive security measures:

   o  introduce quotas on the traffic rate each node is allowed to send;

   o  isolate nodes which send traffic above a certain threshold;

   o  allow only trusted data to be received and forwarded.

   As for the first one, a simple approach to minimize the harmful
   impact of an overload attack is to introduce traffic quotas.  This
   prevents a malicious node from injecting a large amount of traffic
   into the network, even though it does not prevent said node from
   injecting irrelevant traffic at all.  Another method is to isolate
   nodes from the network once it has been detected that more traffic is



Tsao, et al.             Expires March 24, 2010                [Page 24]


Internet-Draft         Security Framework for ROLL        September 2009


   injected into the network than allowed by a prior set or dynamically
   adjusted threshold.  Finally, if communication is sufficiently
   secured, only trusted nodes can receive and forward traffic which
   also lowers the risk of an overload attack.

5.3.3.  Countering Selective Forwarding Attacks

   Selective forwarding attacks are another form of DoS attack which
   impacts the routing path availability.

   An insider malicious node basically blends neatly in with the network
   but then may decide to forward and/or manipulate certain packets.  If
   all packets are dropped, then this attacker is also often referred to
   as a "black hole".  Such a form of attack is particularly dangerous
   if coupled with sinkhole attacks since inherently a large amount of
   traffic is attracted to the malicious node and thereby causing
   significant damage.  An outside malicious node would selectively jam
   overheard data flows, where the thus caused collisions incur
   selective forwarding.

   Selective Forwarding attacks can be countered by deploying a series
   of mutually non-exclusive security measures:

   o  multipath routing of the same message over disjoint paths;

   o  dynamically select the next hop from a set of candidates.

   The first measure basically guarantees that if a message gets lost on
   a particular routing path due to a malicious selective forwarding
   attack, there will be another route which successfully delivers the
   data.  Such method is inherently suboptimal from an energy
   consumption point of view.  The second method basically involves a
   constantly changing routing topology in that next-hop routers are
   chosen from a dynamic set in the hope that the number of malicious
   nodes in this set is negligible.

5.3.4.  Countering Sinkhole Attacks

   In sinkhole attacks, the malicious node manages to attract a lot of
   traffic mainly by advertising the availability of high-quality links
   even though there are none.  It hence constitutes a serious attack on
   availability.

   The malicious node creates a sinkhole by attracting a large amount
   of, if not all, traffic from surrounding neighbors by advertising in
   and outwards links of superior quality.  Affected nodes hence eagerly
   route their traffic via the malicious node which, if coupled with
   other attacks such as selective forwarding, may lead to serious



Tsao, et al.             Expires March 24, 2010                [Page 25]


Internet-Draft         Security Framework for ROLL        September 2009


   availability and security breaches.  Such an attack can only be
   executed by an inside malicious node and is generally very difficult
   to detect.  An ongoing attack has a profound impact on the network
   topology and essentially becomes a problem of flow control.

   Sinkhole attacks can be countered by deploying a series of mutually
   non-exclusive security measures:

   o  use geographical insights for flow control;

   o  isolate nodes which receive traffic above a certain threshold;

   o  dynamically pick up next hop from set of candidates;

   o  allow only trusted data to be received and forwarded.

   Whilst most of these countermeasures have been discussed before, the
   use of geographical information deserves further attention.
   Essentially, if geographic positions of nodes are available, then the
   network can assure that data is actually routed towards the sink(s)
   and not elsewhere.  On the other hand, geographic position is a
   sensitive information that may have security and/or privacy
   consequences.

5.3.5.  Countering Wormhole Attacks

   In wormhole attacks at least two malicious nodes shortcut or divert
   the usual routing path by means of a low-latency out-of-band channel.
   This changes the availability of certain routing paths and hence
   constitutes a serious security breach.

   Essentially, two malicious insider nodes use another, more powerful,
   radio to communicate with each other and thereby distort the would-
   be-agreed routing path.  This distortion could involve shortcutting
   and hence paralyzing a large part of the network; it could also
   involve tunneling the information to another region of the network
   where there are, e.g., more malicious nodes available to aid the
   intrusion or where messages are replayed, etc.  In conjunction with
   selective forwarding, wormhole attacks can create race conditions
   which impact topology maintenance, routing protocols as well as any
   security suits built on "time of check" and "time of use".

   Wormhole attacks are very difficult to detect in general but can be
   mitigated using similar strategies as already outlined above in the
   context of sinkhole attacks.






Tsao, et al.             Expires March 24, 2010                [Page 26]


Internet-Draft         Security Framework for ROLL        September 2009


6.  ROLL Security Features

   The issues discussed in Section 4, together with the countermeasures
   described in Section 5, provide the basis for the requirements of the
   following ROLL security features.  Still, it bears emphasizing that
   the target here is a generic ROLL protocol and the normative keywords
   are mainly to convey the relative level of urgency of the features
   specified.  As routing is one component of a LLN system, the actual
   strength of the security services afforded to it should be made to
   conform to each system's security policy; how a design may address
   the needs of the urban, industrial, home automation, and building
   automation application domains is considered in Section 6.5.

6.1.  Confidentiality Features

   To protect confidentiality, a secured ROLL protocol

   o  SHOULD provide payload encryption;

   o  MAY provide tunneling;

   o  MAY provide load balancing;

   o  SHOULD provide privacy, e.g., when geographic information is used.

6.2.  Integrity Features

   To protect integrity, a secured ROLL protocol

   o  MUST verify the liveliness of both principals of a connection;

   o  MUST verify message freshness;

   o  MUST verify message sequence and integrity;

6.3.  Availability Features

   To protect availability, a secured ROLL protocol

   o  MAY restrict neighborhood cardinality;

   o  MAY use multiple paths;

   o  MAY use multiple destinations;

   o  MAY choose randomly if multiple paths are available;





Tsao, et al.             Expires March 24, 2010                [Page 27]


Internet-Draft         Security Framework for ROLL        September 2009


   o  MAY set quotas to limit transmit or receive volume;

   o  MAY use geographic insights for flow control.

6.4.  Additional Related Features

   If a LLN employs multicast and/or anycast, it MUST secure these
   protocols with the services listed in this sections.  Furthermore,
   the nodes MUST provide adequate physical tamper resistance to ensure
   the integrity of stored routing information.

   The functioning of the security services requires keys and
   credentials.  Therefore, even though not directly a ROLL security
   requirement, a LLN must include a process for key and credential
   distribution; a LLN is encouraged to have procedures for their
   revocation and replacement.

6.5.  Consideration on Matching Application Domain Needs

   The development so far takes into account collectively the impacts of
   the issues gathered from [RFC5548],
   [I-D.ietf-roll-indus-routing-reqs],
   [I-D.ietf-roll-home-routing-reqs], and
   [I-D.ietf-roll-building-routing-reqs].  The following two subsections
   first consider from an architectural perspective how the security
   design of a ROLL protocol may be made to adapt to the four
   application domains, and then examine mechanism and protocol
   operations issues.

6.5.1.  Architecture

   The first challenge for a ROLL protocol security design is to have an
   architecture that can adequately address a set of very diversified
   needs.  It is mainly a consequence of the fact that there are both
   common and non-overlapping requirements from the four application
   domains, while, conceivably, each individual application will present
   yet its own unique constraints.

   A ROLL protocol MUST be made flexible with a design which allows the
   user to choose the security configurations that match the
   application's needs.  The construct may be, e.g., a header containing
   security material of configurable security primitives in the fashion
   of OSPFv2 [RFC2328] or RIPv2 [RFC2453].  On the other hand, it is
   more desirable from a LLN device perspective that the ROLL protocol
   specifies the necessity of an overall system architecture in which
   security facility may be shared by different applications and/or
   across layers for efficiency, while security policy and settings can
   be consistently made, e.g., RIPng [RFC2080] or the approach presented



Tsao, et al.             Expires March 24, 2010                [Page 28]


Internet-Draft         Security Framework for ROLL        September 2009


   in [Messerges2003].

6.5.2.  Mechanisms and Operations

   With an architecture allowing different configurations to meet the
   application domain needs, the task is then to find suitable
   mechanisms.  This subsection considers the security properties of a
   number of mechanisms found in widely employed routing protocols, as
   well as how some of their protocol operations affect security.  The
   discussion is based on analyses found in the open literature.  The
   intention is to offer a stepping stone for the security design of a
   ROLL protocol, as well as to be useful for preventing oversights, but
   not an exhaustive in-depth survey

   There has been quite an amount of effort applied to the assessment of
   the security of routing protocols, e.g., Section 2 of [Wan2004] and
   Section 2 of [Babakhouya2006] consider the security properties of RIP
   as well as distance vector protocols in general.  There are two
   issues worth taking note.

   Authentication
         The current version of RIP allows two options of
         authentication, i.e., clear-text password and cryptographic
         authentication, which includes keyed-MD5 [RFC4822].  On the one
         hand, transporting clear-text passwords without protection is
         ineffective for authentication.  On the other hand, the key for
         the MD5 operation is in a suffix position only and as such the
         key may be vulnerable to cryptanalysis [Kaliski1995].

   Information Aggregation
         Distance vector routers periodically exchange route updates
         that is the output of a computation on information gathered
         locally, making it difficult for the receiver to verify the
         correctness or resolve the sources of the information that went
         into the updates.

   There are also plenty of analyses on link state based protocols,
   especially on OSPF, e.g., [Wang1998] and [I-D.ietf-rpsec-ospf-vuln]
   are both entirely on this protocol.  The following issues about OSPF
   are of interest.

   The Age Field
         The Age field in the Link State Advertisement (LSA) is updated
         by each receiver; it is not covered by the integrity protection
         mechanism in OSPFv2 and so is exposed to forgery.  OSPFv3
         [RFC5340] relegates security services to the underlying IPv6's
         security mechanisms.




Tsao, et al.             Expires March 24, 2010                [Page 29]


Internet-Draft         Security Framework for ROLL        September 2009


   LSA Flooding
         LSAs are disseminated through flooding.  The router
         corresponding to the claimed advertiser of a LSA can either
         flush or update to correct inconsistencies.  However, this
         mechanism may be defeated by a persistent attacker
         [I-D.ietf-rpsec-ospf-vuln], is ineffective when the legitimate
         owner does not receive the altered LSA, or the claimed
         advertiser does not exist.

   Hierarchical Routing
         Partitioning of the autonomous system into areas facilitates
         scaling and also helps the containment of incorrect information
         to within an area.  On the other hand, routing information from
         autonomous system border routers are flooded throughout the
         autonomous system and thus have significant security
         consequences.

   The foregoing discussion has been based on widely employed routing
   protocols for the many studies they received can contribute to
   informed design decisions.  In addition, the attention was limited to
   those elements that are more relevant to a potential ROLL protocol
   design.


7.  IANA Considerations

   This memo includes no request to IANA.


8.  Security Considerations

   The framework presented in this document provides security analysis
   and design guidelines with a scope limited to ROLL.  The
   investigation is at a high-level and not specific to a particular
   protocol.  Security services, but not mechanisms, are identified as
   requirements for securing ROLL.


9.  Acknowledgments


10.  References

10.1.  Normative References

   [RFC2080]  Malkin, G. and R. Minnear, "RIPng for IPv6", RFC 2080,
              January 1997.




Tsao, et al.             Expires March 24, 2010                [Page 30]


Internet-Draft         Security Framework for ROLL        September 2009


   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2328]  Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998.

   [RFC2453]  Malkin, G., "RIP Version 2", STD 56, RFC 2453,
              November 1998.

   [RFC4822]  Atkinson, R. and M. Fanto, "RIPv2 Cryptographic
              Authentication", RFC 4822, February 2007.

   [RFC5340]  Coltun, R., Ferguson, D., Moy, J., and A. Lindem, "OSPF
              for IPv6", RFC 5340, July 2008.

10.2.  Informative References

   [Babakhouya2006]
              Babakhouya, A., Challal, Y., Bouabdallah, M., and S.
              Gharout, "SDV: A New Approach to Secure Distance Vector
              Routing Protocols", IEEE Securecomm and
              Workshops, Baltimore, MD, USA, pp. 1-10, Aug. 28-Sept.
              1 2006.

   [Huang2003]
              Huang, Q., Cukier, J., Kobayashi, H., Liu, B., and J.
              Zhang, "Fast Authenticated Key Establishment Protocols for
              Self-Organizing Sensor Networks", in Proceedings of the
              2nd ACM International Conference on Wireless Sensor
              Networks and Applications, San Diego, CA, USA, pp. 141-
              150, Sept. 19 2003.

   [I-D.ietf-roll-building-routing-reqs]
              Martocci, J., Riou, N., Mil, P., and W. Vermeylen,
              "Building Automation Routing Requirements in Low Power and
              Lossy Networks", draft-ietf-roll-building-routing-reqs-07
              (work in progress), September 2009.

   [I-D.ietf-roll-home-routing-reqs]
              Brandt, A., Buron, J., and G. Porcu, "Home Automation
              Routing Requirements in Low Power and Lossy Networks",
              draft-ietf-roll-home-routing-reqs-08 (work in progress),
              September 2009.

   [I-D.ietf-roll-indus-routing-reqs]
              Networks, D., Thubert, P., Dwars, S., and T. Phinney,
              "Industrial Routing Requirements in Low Power and Lossy
              Networks", draft-ietf-roll-indus-routing-reqs-06 (work in
              progress), June 2009.



Tsao, et al.             Expires March 24, 2010                [Page 31]


Internet-Draft         Security Framework for ROLL        September 2009


   [I-D.ietf-roll-terminology]
              Vasseur, J., "Terminology in Low power And Lossy
              Networks", draft-ietf-roll-terminology-01 (work in
              progress), May 2009.

   [I-D.ietf-rpsec-ospf-vuln]
              Jones, E. and O. Moigne, "OSPF Security Vulnerabilities
              Analysis", draft-ietf-rpsec-ospf-vuln-02 (work in
              progress), June 2006.

   [I-D.suhopark-hello-wsn]
              Park, S., "Routing Security in Sensor Network: HELLO Flood
              Attack and Defense", draft-suhopark-hello-wsn-00 (work in
              progress), December 2005.

   [Kaliski1995]
              Kaliski, B. and M. Robshaw, "Message Authentication with
              MD5", RSA Labs' CryptoBytes, 1(1):5-8, 1995.

   [Karlof2003]
              Karlof, C. and D. Wagner, "Secure routing in wireless
              sensor networks: attacks and countermeasures", Elsevier
              AdHoc Networks Journal, Special Issue on Sensor Network
              Applications and Protocols, 1(2):293-315, September 2003.

   [Messerges2003]
              Messerges, T., Cukier, J., Kevenaar, T., Puhl, L., Struik,
              R., and E. Callaway, "Low-Power Security for Wireless
              Sensor Networks", in Proceedings of the 1st ACM Workshop
              on Security of Ad Hoc and Sensor Networks, Fairfax, VA,
              USA, pp. 1-11, Oct. 31 2003.

   [Myagmar2005]
              Myagmar, S., Lee, AJ., and W. Yurcik, "Threat Modeling as
              a Basis for Security Requirements", in Proceedings of the
              Symposium on Requirements Engineering for Information
              Security (SREIS'05), Paris, France, pp. 94-102, Aug
              29, 2005.

   [RFC4593]  Barbir, A., Murphy, S., and Y. Yang, "Generic Threats to
              Routing Protocols", RFC 4593, October 2006.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              RFC 4949, August 2007.

   [RFC5548]  Dohler, M., Watteyne, T., Winter, T., and D. Barthel,
              "Routing Requirements for Urban Low-Power and Lossy
              Networks", RFC 5548, May 2009.



Tsao, et al.             Expires March 24, 2010                [Page 32]


Internet-Draft         Security Framework for ROLL        September 2009


   [Wan2004]  Wan, T., Kranakis, E., and PC. van Oorschot, "S-RIP: A
              Secure Distance Vector Routing Protocol", in Proceedings
              of the 2nd International Conference on Applied
              Cryptography and Network Security, Yellow Mountain, China,
              pp. 103-119, Jun. 8-11 2004.

   [Wang1998]
              Wang, F. and SF. Wu, "On the Vulnerabilities and
              Protection of OSPF Routing Protocol", in Proceedings of
              the 7th International Conference on Computer
              Communications and Networks, Lafayette, LA, USA, pp. 148-
              152, Oct. 12-15 1998.


Authors' Addresses

   Tzeta Tsao (editor)
   Eka Systems
   20201 Century Blvd. Suite 250
   Germantown, Maryland  20874
   USA

   Email: tzeta.tsao@ekasystems.com


   Roger K. Alexander (editor)
   Eka Systems
   20201 Century Blvd. Suite 250
   Germantown, Maryland  20874
   USA

   Email: roger.alexander@ekasystems.com


   Mischa Dohler (editor)
   CTTC
   Parc Mediterrani de la Tecnologia, Av. Canal Olimpic S/N
   Castelldefels, Barcelona  08860
   Spain

   Email: mischa.dohler@cttc.es










Tsao, et al.             Expires March 24, 2010                [Page 33]


Internet-Draft         Security Framework for ROLL        September 2009


   Vanesa Daza (editor)
   Universitat Pompeu Fabra
   P/ Circumval.lacio 8, Oficina 308
   Barcelona  08003
   Spain

   Email: vanesa.daza@upf.edu


   Angel Lozano (editor)
   Universitat Pompeu Fabra
   P/ Circumval.lacio 8, Oficina 309
   Barcelona  08003
   Spain

   Email: angel.lozano@upf.edu



































Tsao, et al.             Expires March 24, 2010                [Page 34]


Html markup produced by rfcmarkup 1.129c, available from https://tools.ietf.org/tools/rfcmarkup/