draft-ietf-roll-security-framework-00.txt   draft-ietf-roll-security-framework-01.txt 
Networking Working Group T. Tsao, Ed. Networking Working Group T. Tsao
Internet-Draft R. Alexander, Ed. Internet-Draft R. Alexander
Intended status: Informational Eka Systems Intended status: Informational Cooper Power Systems
Expires: October 1, 2010 M. Dohler, Ed. Expires: April 3, 2011 M. Dohler
CTTC CTTC
V. Daza, Ed. V. Daza
A. Lozano, Ed. A. Lozano
Universitat Pompeu Fabra Universitat Pompeu Fabra
March 30, 2010 September 30, 2010
A Security Framework for Routing over Low Power and Lossy Networks A Security Framework for Routing over Low Power and Lossy Networks
draft-ietf-roll-security-framework-00 draft-ietf-roll-security-framework-01
Abstract Abstract
This document presents a security framework for routing over low This document presents a security framework for routing over low
power and lossy networks. The development builds upon previous work power and lossy networks (LLN). The development builds upon previous
on routing security and adapts the assessments to the issues and work on routing security and adapts the assessments to the issues and
constraints specific to low power and lossy networks. A systematic constraints specific to low power and lossy networks. A systematic
approach is used in defining and evaluating the security threats and approach is used in defining and evaluating the security threats and
identifying applicable countermeasures. These assessments provide identifying applicable countermeasures. These assessments provide
the basis of the security recommendations for incorporation into low the basis of the security recommendations for incorporation into low
power, lossy network routing protocols. As an illustration, this power, lossy network routing protocols. As an illustration, this
framework is applied to RPL. framework is applied to IPv6 Routing Protocol for Low Power and Lossy
Networks (RPL).
Requirements Language Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in RFC "OPTIONAL" in this document are to be interpreted as described in RFC
2119 [RFC2119]. 2119 [RFC2119].
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF). Note that other groups may also distribute
other groups may also distribute working documents as Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at This Internet-Draft will expire on April 3, 2011.
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on October 1, 2010.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Considerations on ROLL Security . . . . . . . . . . . . . . . 5 3. Considerations on ROLL Security . . . . . . . . . . . . . . . 6
3.1. Routing Assets and Points of Access . . . . . . . . . . . 6 3.1. Routing Assets and Points of Access . . . . . . . . . . . 6
3.2. The CIA Security Reference Model . . . . . . . . . . . . . 8 3.2. The CIA Security Reference Model . . . . . . . . . . . . . 9
3.3. Issues Specific to or Amplified in LLNs . . . . . . . . . 9 3.3. Issues Specific to or Amplified in LLNs . . . . . . . . . 10
3.4. ROLL Security Objectives . . . . . . . . . . . . . . . . . 11 3.4. ROLL Security Objectives . . . . . . . . . . . . . . . . . 12
4. Threats and Attacks . . . . . . . . . . . . . . . . . . . . . 12 4. Threats and Attacks . . . . . . . . . . . . . . . . . . . . . 13
4.1. Threats and Attacks on Confidentiality . . . . . . . . . . 12 4.1. Threats and Attacks on Confidentiality . . . . . . . . . . 13
4.1.1. Routing Exchange Exposure . . . . . . . . . . . . . . 12 4.1.1. Routing Exchange Exposure . . . . . . . . . . . . . . 14
4.1.2. Routing Information (Routes and Network Topology) 4.1.2. Routing Information (Routes and Network Topology)
Exposure . . . . . . . . . . . . . . . . . . . . . . . 13 Exposure . . . . . . . . . . . . . . . . . . . . . . . 14
4.2. Threats and Attacks on Integrity . . . . . . . . . . . . . 13 4.2. Threats and Attacks on Integrity . . . . . . . . . . . . . 15
4.2.1. Routing Information Manipulation . . . . . . . . . . . 14 4.2.1. Routing Information Manipulation . . . . . . . . . . . 15
4.2.2. Node Identity Misappropriation . . . . . . . . . . . . 14 4.2.2. Node Identity Misappropriation . . . . . . . . . . . . 15
4.3. Threats and Attacks on Availability . . . . . . . . . . . 15 4.3. Threats and Attacks on Availability . . . . . . . . . . . 16
4.3.1. Routing Exchange Interference or Disruption . . . . . 15 4.3.1. Routing Exchange Interference or Disruption . . . . . 16
4.3.2. Network Traffic Forwarding Disruption . . . . . . . . 15 4.3.2. Network Traffic Forwarding Disruption . . . . . . . . 16
4.3.3. Communications Resource Disruption . . . . . . . . . . 15 4.3.3. Communications Resource Disruption . . . . . . . . . . 17
4.3.4. Node Resource Exhaustion . . . . . . . . . . . . . . . 16 4.3.4. Node Resource Exhaustion . . . . . . . . . . . . . . . 18
5. Countermeasures . . . . . . . . . . . . . . . . . . . . . . . 16 5. Countermeasures . . . . . . . . . . . . . . . . . . . . . . . 18
5.1. Confidentiality Attack Countermeasures . . . . . . . . . . 17 5.1. Confidentiality Attack Countermeasures . . . . . . . . . . 19
5.1.1. Countering Deliberate Exposure Attacks . . . . . . . . 17 5.1.1. Countering Deliberate Exposure Attacks . . . . . . . . 19
5.1.2. Countering Sniffing Attacks . . . . . . . . . . . . . 17 5.1.2. Countering Sniffing Attacks . . . . . . . . . . . . . 19
5.1.3. Countering Traffic Analysis . . . . . . . . . . . . . 19 5.1.3. Countering Traffic Analysis . . . . . . . . . . . . . 20
5.1.4. Countering Physical Device Compromise . . . . . . . . 19 5.1.4. Countering Physical Device Compromise . . . . . . . . 21
5.1.5. Countering Remote Device Access Attacks . . . . . . . 21 5.1.5. Countering Remote Device Access Attacks . . . . . . . 23
5.2. Integrity Attack Countermeasures . . . . . . . . . . . . . 21 5.2. Integrity Attack Countermeasures . . . . . . . . . . . . . 23
5.2.1. Countering Tampering Attacks . . . . . . . . . . . . . 22 5.2.1. Countering Tampering Attacks . . . . . . . . . . . . . 24
5.2.2. Countering Overclaiming and Misclaiming Attacks . . . 22 5.2.2. Countering Overclaiming and Misclaiming Attacks . . . 24
5.2.3. Countering Identity (including Sybil) Attacks . . . . 22 5.2.3. Countering Identity (including Sybil) Attacks . . . . 24
5.2.4. Countering Routing Information Replay Attacks . . . . 23 5.2.4. Countering Routing Information Replay Attacks . . . . 25
5.2.5. Countering Byzantine Routing Information Attacks . . . 23 5.2.5. Countering Byzantine Routing Information Attacks . . . 25
5.3. Availability Attack Countermeasures . . . . . . . . . . . 24 5.3. Availability Attack Countermeasures . . . . . . . . . . . 26
5.3.1. Countering HELLO Flood Attacks and ACK Spoofing 5.3.1. Countering HELLO Flood Attacks and ACK Spoofing
Attacks . . . . . . . . . . . . . . . . . . . . . . . 24 Attacks . . . . . . . . . . . . . . . . . . . . . . . 26
5.3.2. Countering Overload Attacks . . . . . . . . . . . . . 26 5.3.2. Countering Overload Attacks . . . . . . . . . . . . . 28
5.3.3. Countering Selective Forwarding Attacks . . . . . . . 27 5.3.3. Countering Selective Forwarding Attacks . . . . . . . 29
5.3.4. Countering Sinkhole Attacks . . . . . . . . . . . . . 27 5.3.4. Countering Sinkhole Attacks . . . . . . . . . . . . . 29
5.3.5. Countering Wormhole Attacks . . . . . . . . . . . . . 28 5.3.5. Countering Wormhole Attacks . . . . . . . . . . . . . 30
6. ROLL Security Features . . . . . . . . . . . . . . . . . . . . 28 6. ROLL Security Features . . . . . . . . . . . . . . . . . . . . 31
6.1. Confidentiality Features . . . . . . . . . . . . . . . . . 29 6.1. Confidentiality Features . . . . . . . . . . . . . . . . . 31
6.2. Integrity Features . . . . . . . . . . . . . . . . . . . . 30 6.2. Integrity Features . . . . . . . . . . . . . . . . . . . . 32
6.3. Availability Features . . . . . . . . . . . . . . . . . . 31 6.3. Availability Features . . . . . . . . . . . . . . . . . . 33
6.4. Additional Related Features . . . . . . . . . . . . . . . 31 6.4. Additional Related Features . . . . . . . . . . . . . . . 33
6.5. Consideration on Matching Application Domain Needs . . . . 31 6.5. Consideration on Matching Application Domain Needs . . . . 34
6.5.1. Security Architecture . . . . . . . . . . . . . . . . 32 6.5.1. Security Architecture . . . . . . . . . . . . . . . . 34
6.5.2. Mechanisms and Operations . . . . . . . . . . . . . . 34 6.5.2. Mechanisms and Operations . . . . . . . . . . . . . . 36
7. Application of ROLL Security Framework to RPL . . . . . . . . 36 7. Application of ROLL Security Framework to RPL . . . . . . . . 38
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 38 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40
9. Security Considerations . . . . . . . . . . . . . . . . . . . 38 9. Security Considerations . . . . . . . . . . . . . . . . . . . 40
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 38 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 40
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 38 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 41
11.1. Normative References . . . . . . . . . . . . . . . . . . . 38 11.1. Normative References . . . . . . . . . . . . . . . . . . . 41
11.2. Informative References . . . . . . . . . . . . . . . . . . 39 11.2. Informative References . . . . . . . . . . . . . . . . . . 42
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 40 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 43
1. Terminology 1. Terminology
This document conforms to the terminology defined in This document adopts and conforms to the terminology defined in
[I-D.ietf-roll-terminology]. [I-D.ietf-roll-terminology] and in [RFC4949], with the following
addition:
Node An element of a low power lossy network that may be a router or
a host.
2. Introduction 2. Introduction
In recent times, networked wireless devices have found an increasing In recent times, networked electronic devices have found an
number of applications in various fields. Yet, for reasons ranging increasing number of applications in various fields. Yet, for
from operational application to economics, these wireless devices are reasons ranging from operational application to economics, these
often supplied with minimum physical resources, e.g., limited power wired and wireless devices are often supplied with minimum physical
reserve, slow speed or low capability computation, or small memory resources; the constraints include those on computational resources
size. As a consequence, the resulting networks are more prone to (RAM, clock speed, storage), communication resources (duty cycle,
loss of traffic and other vulnerabilities. The proliferation of packet size, etc.), but also form factors that may rule out user
these low power and lossy networks (LLNs), however, are drawing access interface (e.g., the housing of a small stick-on switch), or
efforts to examine and address their potential networking challenges. simply safety considerations (e.g., with gas meters). As a
consequence, the resulting networks are more prone to loss of traffic
and other vulnerabilities. The proliferation of these low power and
lossy networks (LLNs), however, are drawing efforts to examine and
address their potential networking challenges. Securing the
establishment and maintenance of network connectivity among these
deployed devices becomes one of these key challenges.
This document presents a framework for securing routing over low This document presents a framework for securing Routing Over LLNs
power and lossy networks (ROLL) through an analysis that starts from (ROLL) through an analysis that starts from the routing basics. The
the routing basics. The objective is two-fold. First, the framework objective is two-fold. First, the framework will be used to identify
will be used to identify pertinent security issues. Second, it will pertinent security issues. Second, it will facilitate both the
facilitate both the assessment of a protocol's security threats and assessment of a protocol's security threats and the identification of
the identification of the necessary features for development of the necessary features for development of secure protocols for the
secure protocols for ROLL. ROLL Working Group.
The approach adopted in this effort proceeds in four steps, to The approach adopted in this effort proceeds in four steps, to
examine ROLL security issues, to analyze threats and attacks, to examine security issues in ROLL, to analyze threats and attacks, to
consider the countermeasures, and then to make recommendations for consider the countermeasures, and then to make recommendations for
securing ROLL. The basis is found on identifying the assets and securing ROLL. The basis is found on identifying the assets and
points of access of routing and evaluating their security needs based points of access of routing and evaluating their security needs based
on the Confidentiality, Integrity, and Availability (CIA) model in on the Confidentiality, Integrity, and Availability (CIA) model in
the context of LLN. The utility of this framework is demonstrated the context of LLN. The utility of this framework is demonstrated
with an application to RPL [I-D.ietf-roll-rpl]. with an application to IPv6 Routing Protocol for Low Power and Lossy
Networks (RPL) [I-D.ietf-roll-rpl].
3. Considerations on ROLL Security 3. Considerations on ROLL Security
Security, in essence, entails implementing measures to ensure
controlled state changes on devices and network elements, both based
on external inputs (received via communications) or internal inputs
(physical security of device itself and parameters maintained by the
device, including, e.g., clock). A security assessment can therefore
begin with a focus on the assets or elements of information that may
be the target of the state changes and the access points in terms of
interfaces and protocol exchanges through which such changes may
occur. In the case of routing security the focus is directed towards
the elements associated with the establishment and maintenance of
network connectivity.
This section sets the stage for the development of the framework by This section sets the stage for the development of the framework by
applying the systematic approach proposed in [Myagmar2005] to the applying the systematic approach proposed in [Myagmar2005] to the
routing security problem, while also drawing references from other routing security problem, while also drawing references from other
reviews and assessments found in the literature, particularly, reviews and assessments found in the literature, particularly,
[RFC4593] and [Karlof2003]. The subsequent subsections begin with a [RFC4593] and [Karlof2003]; thus, the work presented herein may find
use beyond routing for LLNs. The subsequent subsections begin with a
focus on the elements of a generic routing process that is used to focus on the elements of a generic routing process that is used to
establish routing assets and points of access of the routing establish routing assets and points of access to the routing
functionality. Next, the CIA security model is briefly described. functionality. Next, the CIA security model is briefly described.
Then, consideration is given to issues specific to or amplified in Then, consideration is given to issues specific to or amplified in
LLNs. This section concludes with the formulation of a set of LLNs. This section concludes with the formulation of a set of
security objectives for ROLL. security objectives for ROLL.
3.1. Routing Assets and Points of Access 3.1. Routing Assets and Points of Access
An asset implies important system component (including information, An asset implies an important system component (including
process, or physical resource), the access to, corruption or loss of information, process, or physical resource), the access to,
which adversely affects the system. In network routing, assets lie corruption or loss of which adversely affects the system. In network
in the routing information, routing process, and node's physical routing, assets lie in the routing information, routing process, and
resources. That is, the access to, corruption, or loss of these node's physical resources. That is, the access to, corruption, or
elements adversely affects system routing. In network routing, a loss of these elements adversely affects system routing. In network
point of access refers to the point of entry facilitating routing, a point of access refers to the point of entry facilitating
communication with or other interaction with a system component in communication with or other interaction with a system component in
order to use system resources to either manipulate information or order to use system resources to either manipulate information or
gain knowledge of the information contained within the system. gain knowledge of the information contained within the system.
Security of the routing protocol must be focused on the assets of the Security of the routing protocol must be focused on the assets of the
routing nodes and the points of access of the information exchanges routing nodes and the points of access of the information exchanges
and information storage that may permit routing compromise. The and information storage that may permit routing compromise. The
identification of routing assets and points of access hence provides identification of routing assets and points of access hence provides
a basis for the identification of associated threats and attacks. a basis for the identification of associated threats and attacks.
This subsection identifies assets and points of access of a generic This subsection identifies assets and points of access of a generic
routing process with a level-0 data flow diagram. The use of the routing process with a level-0 data flow diagram [Yourdon1979]
data flow diagram allows for a clear, concise model of the routing revealing how the routing protocol interacts with its environment.
functionality; it also has the benefit of showing the manner in which
nodes participate in the routing process, thus providing context when In particular, the use of the data flow diagram allows for a clear,
later threats and attacks are considered. The goal of the model is concise model of the routing functionality; it also has the benefit
to be as detailed as possible so that corresponding components and of showing the manner in which nodes participate in the routing
mechanisms in an individual routing protocol can be readily process, thus providing context when later threats and attacks are
identified, but also to be as general as possible to maximize the considered. The goal of the model is to be as detailed as possible
relevancy of this effort for the various existing and future so that corresponding components and mechanisms in an individual
protocols. Nevertheless, there may be discrepancies, likely in the routing protocol can be readily identified, but also to be as general
form of additional elements, when the model is applied to some as possible to maximize the relevancy of this effort for the various
protocols. For such cases, the analysis approach laid out in this existing and future protocols. Nevertheless, there may be
document should still provide a valid and illustrative path for their discrepancies, likely in the form of additional elements, when the
security assessment. model is applied to some protocols. For such cases, the analysis
approach laid out in this document should still provide a valid and
illustrative path for their security assessment.
Figure 1 shows that nodes participating in the routing process Figure 1 shows that nodes participating in the routing process
transmit messages to determine their neighbors (neighbor discovery). transmit messages to discover neighbors and to exchange routing
Using the neighboring relationships, routing protocols may exchange information; routes are then generated and stored. The nodes use the
network topology (including link-specific information) to generate derived routes for making forwarding decisions.
routes or may exchange routes directly as part of a routing exchange;
nodes which do not directly participate in the process with a given
node will get the route/topology information relayed from others. It
is likely that a node will store some or all of the routes and
topology information according to tradeoffs of node resources and
latency associated with the particular routing protocol. The nodes
use the derived routes for making forwarding decisions.
................................................... ...................................................
: : : :
: _________________ : : :
|Node_i|<------->(Neighbor Discovery)--->Neighbor Topology : |Node_i|<------->(Routing Neighbor _________________ :
: Discovery)------------>Neighbor Topology :
: -------+--------- : : -------+--------- :
: | : : | :
|Node_j|<------->(Route/Topology +--------+ : |Node_j|<------->(Route/Topology +--------+ :
: Exchange) | : : Exchange) | :
: | V ______ : : | V ______ :
: +---->(Route Generation)--->Routes : : +---->(Route Generation)--->Routes :
: ---+-- : : ---+-- :
: | : : | :
: Routing on a Node Node_k | : : Routing on a Node Node_k | :
................................................... ...................................................
skipping to change at page 8, line 14 skipping to change at page 9, line 14
o Points of access include o Points of access include
* neighbor discovery; * neighbor discovery;
* route/topology exchange; * route/topology exchange;
* node physical interfaces (including access to data storage). * node physical interfaces (including access to data storage).
A focus on the above list of assets and points of access enables a A focus on the above list of assets and points of access enables a
more directed assessment of routing security. Indeed, the intention more directed assessment of routing security; for example, it is
is to be comprehensive; nonetheless, the discussions to follow on readily understood that some routing attacks are in the form of
attempts to misrepresent routing topology. Indeed, the intention is
to be comprehensive; nonetheless, the discussions to follow on
physical related issues are not related to routing protocol design physical related issues are not related to routing protocol design
but provided for reference since they do have direct consequences on but provided for reference since they do have direct consequences on
the security of routing. the security of routing.
3.2. The CIA Security Reference Model 3.2. The CIA Security Reference Model
At the conceptual level, security within an information system in At the conceptual level, security within an information system in
general and applied to ROLL in particular is concerned with the general and applied to ROLL in particular is concerned with the
primary issues of confidentiality, integrity, and availability. In primary issues of confidentiality, integrity, and availability. In
the context of ROLL: the context of ROLL:
Confidentiality Confidentiality
Confidentiality involves the protection of routing information Confidentiality involves the protection of routing information
as well as routing neighbor maintenance exchanges so that only as well as routing neighbor maintenance exchanges so that only
authorized and intended network entities may view or access it. authorized and intended network entities may view or access it.
Because of the wireless, and sometimes ad hoc, nature of the Because LLNs are most commonly found on publicly accessible
network, confidentiality also extends to the neighbor state and shared medium, e.g., air or wiring in a building, and sometimes
database information within the routing device since the formed ad hoc, confidentiality also extends to the neighbor
deployment of the network creates the potential for state and database information within the routing device since
the deployment of the network creates the potential for
unauthorized access to the physical devices themselves. unauthorized access to the physical devices themselves.
Integrity Integrity
Integrity, as a security principle, entails the protection of Integrity, as a security principle, entails the protection of
routing information and routing neighbor maintenance exchanges, routing information and routing neighbor maintenance exchanges,
as well as derived information maintained in the database, from as well as derived information maintained in the database, from
misuse or unauthorized and improper modification. In addition, misuse or unauthorized and improper modification. In addition,
integrity also requires the authenticity of claimed identity in integrity also requires the authenticity of claimed identity in
the origin and destination of a message, access and removal of the origin and destination of a message, access and removal of
data, execution of the routing process, and use of computing data, execution of the routing process, and use of computing
skipping to change at page 9, line 7 skipping to change at page 10, line 14
Availability Availability
Availability ensures that routing information exchanges and Availability ensures that routing information exchanges and
forwarding services need to be available when they are required forwarding services need to be available when they are required
for the functioning of the serving network. Availability will for the functioning of the serving network. Availability will
apply to maintaining efficient and correct operation of routing apply to maintaining efficient and correct operation of routing
and neighbor discovery exchanges (including needed information) and neighbor discovery exchanges (including needed information)
and forwarding services so as not to impair or limit the and forwarding services so as not to impair or limit the
network's central traffic flow function. network's central traffic flow function.
It is noted that, besides those captured in the CIA model, non- It is noted that, besides those captured in the CIA model, assurance
repudiation is a security interest under certain circumstances. With of no denial of the transmission and/or reception of a message, i.e.,
respect to routing, non-repudiation will involve providing some non-repudiation, is a security interest under certain circumstances.
With respect to routing, non-repudiation will involve providing some
ability to allow traceability or network management review of ability to allow traceability or network management review of
participants of the routing process including the ability to participants of the routing process including the ability to
determine the events and actions leading to a particular routing determine the events and actions leading to a particular routing
state. Non-repudiation implies after the fact and thus relies on the state. Non-repudiation implies after the fact and thus relies on the
logging or other capture of on-going routing exchanges. Given the logging or other capture of on-going routing exchanges and
limited resources of a node and potentially the communication signatures. Given the limited resources of a node and potentially
channel, and considering the operating mode associated with LLNs, the communication channel, and considering the operating mode
routing transaction logging or auditing process communication associated with LLNs, routing transaction logging or auditing process
overhead will not be practical; as such, non-repudiation is not communication overhead will not be practical; as such, non-
further considered as a relevant ROLL security issue. repudiation in the context of routing is not further considered as a
ROLL security issue.
3.3. Issues Specific to or Amplified in LLNs 3.3. Issues Specific to or Amplified in LLNs
The work [RFC5548] and [RFC5673], as well as two other ongoing The work [RFC5548] and [RFC5673], [RFC5826], and [RFC5867] have
efforts, [I-D.ietf-roll-home-routing-reqs] and identified specific issues and constraints of routing in LLNs for the
[I-D.ietf-roll-building-routing-reqs], have identified ROLL specific urban, industrial, home automation, and building automation
requirements and constraints for the urban, industrial, home application domains, respectively. The following is a list of
automation, and building automation application domains, observations and evaluation of their impact on routing security
respectively. The following is a list of observations and evaluation considerations.
of their impact on routing security considerations.
Limited energy reserve, memory, and processing resources Limited energy, memory, and processing node resources
As a consequence of these constraints, there is an even more As a consequence of these constraints, there is an even more
critical need than usual for a careful trade study on which and critical need than usual for a careful trade study on which and
what level of security services are to be afforded during the what level of security services are to be afforded during the
system design process. In addition, the choices of security system design process. In addition, the choices of security
mechanisms are more stringent. Synchronization of security mechanisms are more stringent. Synchronization of security
states with sleepy nodes is yet another issues. states with sleepy nodes is yet another issue.
Large scale of rolled out network Large scale of rolled out network
The possibly numerous nodes to be deployed, as well as the The possibly numerous nodes to be deployed, e.g., an urban
general level of expertise of the installers, make manual on- deployment can see several hundreds of thousands of nodes, as
site configuration unlikely. Prolonged rollout and delayed well as the generally low level of expertise expected of the
addition of nodes, which may be from old inventory, over the installers, make manual on-site configuration unlikely.
lifetime of the network, also complicate the operations of key Prolonged rollout and delayed addition of nodes, which may be
management. from old inventory, over the lifetime of the network, also
complicate the operations of key management.
Autonomous operations Autonomous operations
Self-forming and self-organizing are commonly prescribed Self-forming and self-organizing are commonly prescribed
requirements of ROLL. In other words, a ROLL protocol needs to requirements of LLNs. In other words, a routing protocol
contain elements of ad hoc networking and cannot rely on manual designed for LLNs needs to contain elements of ad hoc
networking and in most cases cannot rely on manual
configuration for initialization or local filtering rules. configuration for initialization or local filtering rules.
Network topology/ownership changes, partitioning or merging, as Network topology/ownership changes, partitioning or merging, as
well as node replacement, can all contribute to key management well as node replacement, can all contribute to key management
issues. issues.
Highly directional traffic Highly directional traffic
Some types of LLNs see a high percentage of their total traffic Some types of LLNs see a high percentage of their total traffic
traverse between the nodes and the gateways where the LLNs traverse between the nodes and the Lln Border Routers (LBRs)
connect to wired networks. The special routing status of and where the LLNs connect to non-LLNs. The special routing status
the greater volume of traffic near the gateways/sinks have of and the greater volume of traffic near the LBRs have routing
routing security consequences. security consequences. In fact, when Point-to-MultiPoint
(P2MP) and MultiPoint-to-Point (MP2P) traffic represents a
majority of the traffic, routing attacks consisting of
advertising low route cost may cause serious damages.
Unattended locations and limited physical security Unattended locations and limited physical security
Many applications have the nodes deployed in unattended or Many applications have the nodes deployed in unattended or
remote locations; furthermore, the nodes themselves are often remote locations; furthermore, the nodes themselves are often
built with minimal physical protection. These constraints built with minimal physical protection. These constraints
lower the barrier of accessing the data or security material lower the barrier of accessing the data or security material
stored on the nodes through physical means. stored on the nodes through physical means.
Support for mobility Support for mobility
On the one hand, only a number of applications require the On the one hand, only a number of applications require the
support of mobile nodes, e.g., a home LLN that includes nodes support of mobile nodes, e.g., a home LLN that includes nodes
on wearable health care devices or an industry LLN that on wearable health care devices or an industry LLN that
includes nodes on cranes and vehicles. On the other hand, if a includes nodes on cranes and vehicles. On the other hand, if a
routing protocol is indeed used in such applications, it will routing protocol is indeed used in such applications, it will
clearly need to have corresponding security mechanisms. clearly need to have corresponding security mechanisms.
Support for multicast and anycast Support for multicast and anycast
Support for multicast and anycast is called out chiefly for Support for multicast and anycast is called out chiefly for
large-scale networks. As these are relatively new routing large-scale networks. Since application of these routing
technologies, there has been an ongoing effort devoted to their mechanisms in autonomous operations of many nodes is new, the
security mechanisms, e.g., from the IETF Multicast Security consequence on security requires careful consideration.
working group. However, inclusion of such mechanisms in a
routing protocol, and consequently their security analysis, are
still areas not fully developed or their impact entirely
understood, whether in a more traditional wired or wireless
network, or LLN.
The above list considers how a LLN's physical constraints, size, The above list considers how a LLN's physical constraints, size,
operations, and varieties of application areas may impact security. operations, and varieties of application areas may impact security.
It is noted here also that LLNs commonly have the majority, if not The following subsection sets up the security objectives for the
all, of their nodes equipped to route. One of the consequences is routing protocol designed by the ROLL WG.
that the distinction between the link and network layers become
artificial in some respects. Similarly, the distinction between a
host and a router is blurred, especially when the set of applications
running on a node is small. The continued evolution of ROLL and its
security functionality requirements need close attention.
3.4. ROLL Security Objectives 3.4. ROLL Security Objectives
This subsection applies the CIA model to the routing assets and This subsection applies the CIA model to the routing assets and
access points, taking into account the LLN issues, to develop a set access points, taking into account the LLN issues, to develop a set
of ROLL security objectives. of ROLL security objectives.
Since the fundament function of a routing protocol is to build routes Since the fundament function of a routing protocol is to build routes
for forwarding packets, it is essential to ensure that for forwarding packets, it is essential to ensure that
o routing/topology information is not tampered during transfer and o routing/topology information is not tampered during transfer and
in storage; in storage;
o routing/topology information is not misappropriated; o routing/topology information is not misappropriated;
o routing/topology information is available when needed. o routing/topology information is available when needed.
In conjunction, it is necessary to be assured of In conjunction, it is necessary to be assured of
o the authenticity and legitimacy of the participants of the o the authenticity and legitimacy of the participants of the routing
neighbor discovery process; neighbor discovery process;
o the routing/topology information received was faithfully generated o the routing/topology information received was faithfully generated
according to the protocol design. according to the protocol design.
However, when trust cannot be fully vested through authentication of However, when trust cannot be fully vested through authentication of
the principals alone, i.e., concerns of insider attack, assurance of the principals alone, i.e., concerns of insider attack, assurance of
the truthfulness and timeliness of the received routing/topology the truthfulness and timeliness of the received routing/topology
information is necessary. With regard to confidentiality, protecting information is necessary. With regard to confidentiality, protecting
the routing/topology information from eavesdropping or unauthorized the routing/topology information from eavesdropping or unauthorized
exposure is in itself less pertinent in general to the routing exposure is in itself less pertinent in general to the routing
function. function.
One of the main problems of synchronizing security states of sleepy One of the main problems of synchronizing security states of sleepy
nodes, as listed in the last subsection, lies in difficulties in nodes, as listed in the last subsection, lies in difficulties in
authentication; these nodes may not have received in time the most authentication; these nodes may not have received in time the most
recent update of security material. Similarly, the issues of minimal recent update of security material. Similarly, the issues of minimal
manual configuration, prolonged rollout and delayed addition of manual configuration, prolonged rollout and delayed addition of
nodes, and network topology changes also complicate key management. nodes, and network topology changes also complicate key management.
Hence, ROLL needs to bootstrap the authentication process and allow Hence, routing in LLNs needs to bootstrap the authentication process
for flexible expiration scheme of authentication credentials. and allow for flexible expiration scheme of authentication
credentials.
The vulnerability brought forth by some special-function nodes, e.g., The vulnerability brought forth by some special-function nodes, e.g.,
gateways/sinks requires the assurance, particularly, LBRs, requires the assurance, particularly in a security context,
o of the availability of communication channels and node resources; o of the availability of communication channels and node resources;
o that the neighbor discovery process operates without undermining o that the neighbor discovery process operates without undermining
routing availability. routing availability.
There are other factors which are not part of a ROLL protocol but There are other factors which are not part of a ROLL protocol but
directly affecting its function. These factors include weaker directly affecting its function. These factors include weaker
barrier of accessing the data or security material stored on the barrier of accessing the data or security material stored on the
nodes through physical means; therefore, the internal and external nodes through physical means; therefore, the internal and external
interfaces of a node need to be adequate for guarding the integrity, interfaces of a node need to be adequate for guarding the integrity,
and possibly the confidentiality, of stored information, as well as and possibly the confidentiality, of stored information, as well as
the integrity of routing and route generation processes. the integrity of routing and route generation processes.
skipping to change at page 12, line 16 skipping to change at page 13, line 18
directly affecting its function. These factors include weaker directly affecting its function. These factors include weaker
barrier of accessing the data or security material stored on the barrier of accessing the data or security material stored on the
nodes through physical means; therefore, the internal and external nodes through physical means; therefore, the internal and external
interfaces of a node need to be adequate for guarding the integrity, interfaces of a node need to be adequate for guarding the integrity,
and possibly the confidentiality, of stored information, as well as and possibly the confidentiality, of stored information, as well as
the integrity of routing and route generation processes. the integrity of routing and route generation processes.
Each individual system's use and environment will dictate how the Each individual system's use and environment will dictate how the
above objectives are applied, including the choices of security above objectives are applied, including the choices of security
services as well as the strengths of the mechanisms that must be services as well as the strengths of the mechanisms that must be
implemented. The next two sections give a closer look at how the implemented. The next two sections take a closer look at how the
ROLL security objectives may be compromised and countered, ROLL security objectives may be compromised and how those potential
respectively. compromises can be countered.
4. Threats and Attacks 4. Threats and Attacks
This section outlines general categories of threats under the CIA This section outlines general categories of threats under the CIA
model and highlights the specific attacks in each of these categories model and highlights the specific attacks in each of these categories
for ROLL. As defined in [RFC4949], a threat is "a potential for for ROLL. As defined in [RFC4949], a threat is "a potential for
violation of security, which exists when there is a circumstance, violation of security, which exists when there is a circumstance,
capability, action, or event that could breach security and cause capability, action, or event that could breach security and cause
harm." An attack is "an assault on system security that derives from harm." An attack is "an assault on system security that derives from
an intelligent threat, i.e., an intelligent act that is a deliberate an intelligent threat, i.e., an intelligent act that is a deliberate
skipping to change at page 14, line 10 skipping to change at page 15, line 15
4.2. Threats and Attacks on Integrity 4.2. Threats and Attacks on Integrity
The assessment in Section 3.2 indicates that information and identity The assessment in Section 3.2 indicates that information and identity
assets are exposed to integrity threats from all points of access. assets are exposed to integrity threats from all points of access.
4.2.1. Routing Information Manipulation 4.2.1. Routing Information Manipulation
Manipulation of routing information will allow unauthorized sources Manipulation of routing information will allow unauthorized sources
to influence the operation and convergence of the routing protocols to influence the operation and convergence of the routing protocols
and ultimately impact the forwarding decisions made in the network. and ultimately impact the forwarding decisions made in the network.
Manipulation of neighbor state (topology) information will allow Manipulation of topology and reachability information will allow
unauthorized sources to influence the nodes with which routing unauthorized sources to influence the nodes with which routing
information is exchanged and updated. The consequence of information is exchanged and updated. The consequence of
manipulating routing exchanges can thus lead to sub-optimality and manipulating routing exchanges can thus lead to sub-optimality and
fragmentation or partitioning of the network by restricting the fragmentation or partitioning of the network by restricting the
universe of routers with which associations can be established and universe of routers with which associations can be established and
maintained. maintained. For example, being able to attract network traffic can
make a blackhole attack more damaging.
The forms of attack that allow manipulation to compromise the content The forms of attack that allow manipulation to compromise the content
and validity of routing information include and validity of routing information include
o Falsification, including overclaiming and misclaiming; o Falsification, including overclaiming and misclaiming;
o Routing information replay; o Routing information replay;
o Byzantine (internal) attacks that permit corruption of routing o Byzantine (internal) attacks that permit corruption of routing
information in the node even where the node continues to be a information in the node even where the node continues to be a
skipping to change at page 14, line 45 skipping to change at page 16, line 4
incorrect routing relationships to form and/or topologies to emerge. incorrect routing relationships to form and/or topologies to emerge.
Routing attacks may also be mounted through less sophisticated node Routing attacks may also be mounted through less sophisticated node
identity misappropriation in which the valid information broadcast or identity misappropriation in which the valid information broadcast or
exchanged by a node is replayed without modification. The receipt of exchanged by a node is replayed without modification. The receipt of
seemingly valid information that is however no longer current can seemingly valid information that is however no longer current can
result in routing disruption, and instability (including failure to result in routing disruption, and instability (including failure to
converge). Without measures to authenticate the routing participants converge). Without measures to authenticate the routing participants
and to ensure the freshness and validity of the received information and to ensure the freshness and validity of the received information
the protocol operation can be compromised. The forms of attack that the protocol operation can be compromised. The forms of attack that
misuse node identity include misuse node identity include
o Identity attacks, including Sybil attacks in which a malicious
o Identity (including Sybil) attacks; node illegitimately assumes multiple identities;
o Routing information replay. o Routing information replay.
4.3. Threats and Attacks on Availability 4.3. Threats and Attacks on Availability
The assessment in Section 3.2 indicates that the process and The assessment in Section 3.2 indicates that the process and
resources assets are exposed to availability threats; attacks of this resources assets are exposed to availability threats; attacks of this
category may exploit directly or indirectly information exchange or category may exploit directly or indirectly information exchange or
forwarding. forwarding.
skipping to change at page 15, line 37 skipping to change at page 16, line 41
4.3.2. Network Traffic Forwarding Disruption 4.3.2. Network Traffic Forwarding Disruption
The disruption of the network traffic forwarding capability of the The disruption of the network traffic forwarding capability of the
network will undermine the central function of network routers and network will undermine the central function of network routers and
the ability to handle user traffic. This threat and the associated the ability to handle user traffic. This threat and the associated
attacks affect the availability of the network because of the attacks affect the availability of the network because of the
potential to impair the primary capability of the network. potential to impair the primary capability of the network.
The forms of attack that allows disruption of network traffic The forms of attack that allows disruption of network traffic
forwarding include forwarding include [Karlof2003]
o Selective forwarding attacks; o Selective forwarding attacks;
o Sinkhole attacks; o Wormhole attacks;
o Wormhole attacks. o Sinkhole attacks.
For reference, Figure 2 depicts the aforementioned three types of
attacks.
|Node_1|--(msg1|msg2|msg3)-->|Attacker|--(msg1|msg3)-->|Node_2|
(a) Selective Forwarding
|Node_1|-------------Unreachable---------x|Node_2|
| ^
| Private Link |
'-->|Attacker_1|===========>|Attacker_2|--'
(b) Wormhole
|Node_1| |Node_4|
| |
`--------. |
Falsify as \ |
Good Link \ | |
To Node_5 \ | |
\ V V
|Node_2|-->|Attacker|--Not Forwarded---x|Node_5|
^ ^ \
| | \ Falsify as
| | \Good Link
/ | To Node_5
,-------' |
| |
|Node_3| |Node_i|
(c) Sinkhole
Figure 2: Selective Forwarding, Wormhole, and Sinkhole Attacks
4.3.3. Communications Resource Disruption 4.3.3. Communications Resource Disruption
Attacks mounted against the communication channel resource assets Attacks mounted against the communication channel resource assets
needed by the routing protocol can be used as a means of disrupting needed by the routing protocol can be used as a means of disrupting
its operation. However, while various forms of Denial of Service its operation. However, while various forms of Denial of Service
(DoS) attacks on the underlying transport subsystem will affect (DoS) attacks on the underlying transport subsystem will affect
routing protocol exchanges and operation (for example physical layer routing protocol exchanges and operation (for example physical layer
RF jamming in a wireless network or link layer attacks), these RF jamming in a wireless network or link layer attacks), these
attacks cannot be countered by the routing protocol. As such, the attacks cannot be countered by the routing protocol. As such, the
skipping to change at page 18, line 5 skipping to change at page 19, line 49
exchanges between operational nodes must also extend to field tools exchanges between operational nodes must also extend to field tools
and other devices used in a deployed network where such devices can and other devices used in a deployed network where such devices can
be configured to participate in routing exchanges. be configured to participate in routing exchanges.
5.1.2. Countering Sniffing Attacks 5.1.2. Countering Sniffing Attacks
A sniffing attack seeks to breach routing confidentiality through A sniffing attack seeks to breach routing confidentiality through
passive, direct analysis and processing of the information exchanges passive, direct analysis and processing of the information exchanges
between nodes. A sniffing attack in an LLN that is not based on a between nodes. A sniffing attack in an LLN that is not based on a
physical device compromise will rely on the attacker attempting to physical device compromise will rely on the attacker attempting to
directly derive information from the over-the-air routing/topology directly derive information from the over-the-shared-medium routing/
communication exchange (neighbor discovery exchanges may of necessity topology communication exchange (neighbor discovery exchanges may of
be conducted in the clear thus limiting the extent to which the necessity be conducted in the clear thus limiting the extent to which
information can be kept confidential). the information can be kept confidential).
Sniffing attacks can be directly countered through the use of data Sniffing attacks can be directly countered through the use of data
encryption for all routing exchanges. Only when a validated and encryption for all routing exchanges. Only when a validated and
authenticated node association is completed will routing exchange be authenticated node association is completed will routing exchange be
allowed to proceed using established session confidentiality keys and allowed to proceed using established session confidentiality keys and
an agreed confidentiality algorithm. The level of security applied an agreed confidentiality algorithm. The level of security applied
in providing confidentiality will determine the minimum requirement in providing confidentiality will determine the minimum requirement
for an attacker mounting this passive security attack. Because of for an attacker mounting this passive security attack. The
the resource constraints of LLN devices, symmetric (private) key possibility of incorporating options for security level and
session security will provide the best tradeoff in terms of node and algorithms is further considered in Section 6.5. Because of the
channel resource overhead and the level of security achieved. This resource constraints of LLN devices, symmetric (private) key session
will of course not preclude the use of asymmetric (public) key security will provide the best tradeoff in terms of node and channel
encryption during the session key establishment phase. resource overhead and the level of security achieved. This will of
course not preclude the use of asymmetric (public) key encryption
during the session key establishment phase.
As with the key establishment process, data encryption must include As with the key establishment process, data encryption must include
an authentication prerequisite to ensure that each node is an authentication prerequisite to ensure that each node is
implementing a level of security that prevents deliberate or implementing a level of security that prevents deliberate or
inadvertent exposure. The authenticated key establishment will inadvertent exposure. The authenticated key establishment will
ensure that confidentiality is not compromised by providing the ensure that confidentiality is not compromised by providing the
information to an unauthorized entity (see also [Huang2003]). information to an unauthorized entity (see also [Huang2003]).
Based on the current state of the art, a minimum 128-bit key length Based on the current state of the art, a minimum 128-bit key length
should be applied where robust confidentiality is demanded for should be applied where robust confidentiality is demanded for
routing protection. This session key shall be applied in conjunction routing protection. This session key shall be applied in conjunction
with an encryption algorithm that has been publicly vetted and where with an encryption algorithm that has been publicly vetted and where
applicable approved for the level of security desired. Algorithms applicable approved for the level of security desired. Algorithms
such as AES (adopted by the U.S. government) or Kasumi-Misty (adopted such as the Advanced Encryption Standard (AES) [FIPS197], adopted by
by the 3GPP 3rd generation wireless mobile consortium) are examples the U.S. government, or Kasumi-Misty [Kasumi3gpp], adopted by the
of symmetric-key algorithms capable of ensuring robust 3GPP 3rd generation wireless mobile consortium, are examples of
confidentiality for routing exchanges. The key length, algorithm and symmetric-key algorithms capable of ensuring robust confidentiality
mode of operation will be selected as part of the overall security for routing exchanges. The key length, algorithm and mode of
tradeoff that also achieves a balance with the level of operation will be selected as part of the overall security tradeoff
confidentiality afforded by the physical device in protecting the that also achieves a balance with the level of confidentiality
routing assets (see Section 5.1.4 below). afforded by the physical device in protecting the routing assets (see
Section 5.1.4 below).
As with any encryption algorithm, the use of ciphering As with any encryption algorithm, the use of ciphering
synchronization parameters and limitations to the usage duration of synchronization parameters and limitations to the usage duration of
established keys should be part of the security specification to established keys should be part of the security specification to
reduce the potential for brute force analysis. reduce the potential for brute force analysis.
5.1.3. Countering Traffic Analysis 5.1.3. Countering Traffic Analysis
Traffic analysis provides an indirect means of subverting Traffic analysis provides an indirect means of subverting
confidentiality and gaining access to routing information by allowing confidentiality and gaining access to routing information by allowing
an attacker to indirectly map the connectivity or flow patterns an attacker to indirectly map the connectivity or flow patterns
(including link-load) of the network from which other attacks can be (including link-load) of the network from which other attacks can be
mounted. The traffic analysis attack on a LLN may be passive and mounted. The traffic analysis attack on a LLN, especially one
relying on the ability to read the immutable source/destination founded on shared medium, may be passive and relying on the ability
routing information that must remain unencrypted to permit network to read the immutable source/destination routing information that
routing. Alternatively, attacks can be active through the injection must remain unencrypted to permit network routing. Alternatively,
of unauthorized discovery traffic into the network. By implementing attacks can be active through the injection of unauthorized discovery
authentication measures between communicating nodes, active traffic traffic into the network. By implementing authentication measures
analysis attacks can be prevented within the LLN thereby reducing between communicating nodes, active traffic analysis attacks can be
confidentiality vulnerabilities to those associated with passive prevented within the LLN thereby reducing confidentiality
analysis. vulnerabilities to those associated with passive analysis.
One way in which passive traffic analysis attacks can be muted is One way in which passive traffic analysis attacks can be muted is
through the support of load balancing that allows traffic to a given through the support of load balancing that allows traffic to a given
destination to be sent along diverse routing paths. Where the destination to be sent along diverse routing paths. Where the
routing protocol supports load balancing along multiple links at each routing protocol supports load balancing along multiple links at each
node, the number of routing permutations in a wide area network node, the number of routing permutations in a wide area network
surges thus increasing the cost of traffic analysis. Network surges thus increasing the cost of traffic analysis. Network
analysis through this passive attack will require a wider array of analysis through this passive attack will require a wider array of
analysis points and additional processing on the part of the analysis points and additional processing on the part of the
attacker. In LLNs, the diverse radio connectivity and dynamic links attacker. In LLNs, the diverse radio connectivity and dynamic links
(including potential frequency hopping) will help to further mitigate (including potential frequency hopping), or a complex wiring system
traffic analysis attacks when load balancing is implemented. hidden from sight, will help to further mitigate traffic analysis
attacks when load balancing is implemented.
The only means of fully countering a traffic analysis attack is The only means of fully countering a traffic analysis attack is
through the use of tunneling (encapsulation) where encryption is through the use of tunneling (encapsulation) where encryption is
applied across the entirety of the original packet source/destination applied across the entirety of the original packet source/destination
addresses. With tunneling there is a further requirement that the addresses. With tunneling there is a further requirement that the
encapsulating intermediate nodes apply an additional layer of routing encapsulating intermediate nodes apply an additional layer of routing
so that traffic arrives at the destination through dynamic routes. so that traffic arrives at the destination through dynamic routes.
For LLNs, memory and processing constraints as well as the For some LLNs, memory and processing constraints as well as the
limitations of the communication channel will preclude both the limitations of the communication channel will preclude both the
additional routing traffic overhead and the node implementation additional routing traffic overhead and the node implementation
required for tunneling countermeasures to traffic analysis. required for tunneling countermeasures to traffic analysis.
5.1.4. Countering Physical Device Compromise 5.1.4. Countering Physical Device Compromise
Given the distributed nature of LLNs, confidentiality of routing Section 4 identified that many threats to the routing functionality
assets and points of access will rely heavily on the security of the may involve compromised devices. For the sake of completeness, this
routing devices. One means of precluding attacks on the physical subsection examines how to counter physical device compromise,
device is to prevent physical access to the node through other without restricting the consideration to only those methods and
external security means. However, given the environment in which apparatuses available to a LLN routing protocol.
LLNs operate, preventing unauthorized access to the physical device
cannot be assured. Countermeasures must therefore be employed at the Given the distributed nature of LLNs and the varying environment of
device and component level so that routing/topology or neighbor deployed devices, confidentiality of routing assets and points of
information and stored route information cannot be accessed even if access may rely heavily on the security of the routing devices. One
physical access to the node is obtained. means of precluding attacks on the physical device is to prevent
physical access to the node through other external security means.
However, given the environment in which many LLNs operate, preventing
unauthorized access to the physical device cannot be assured.
Countermeasures must therefore be employed at the device and
component level so that routing/topology or neighbor information and
stored route information cannot be accessed even if physical access
to the node is obtained.
With the physical device in the possession of an attacker, With the physical device in the possession of an attacker,
unauthorized information access can be attempted by probing internal unauthorized information access can be attempted by probing internal
interfaces or device components. Device security must therefore move interfaces or device components. Device security must therefore move
to preventing the reading of device processor code or memory to preventing the reading of device processor code or memory
locations without the appropriate security keys and in preventing the locations without the appropriate security keys and in preventing the
access to any information exchanges occurring between individual access to any information exchanges occurring between individual
components. Information access will then be restricted to external components. Information access will then be restricted to external
interfaces in which confidentiality, integrity and authentication interfaces in which confidentiality, integrity and authentication
measures can be applied. measures can be applied.
skipping to change at page 20, line 43 skipping to change at page 22, line 45
exchanges (other than secure external device exchanges) will increase exchanges (other than secure external device exchanges) will increase
routing security against a physical device interface attack. With an routing security against a physical device interface attack. With an
integrated package and disabled internal component interfaces, the integrated package and disabled internal component interfaces, the
level of physical device security can be controlled by managing the level of physical device security can be controlled by managing the
degree to which the device packaging is protected against expert degree to which the device packaging is protected against expert
physical decomposition and analysis. physical decomposition and analysis.
The device package should be hardened such that attempts to remove The device package should be hardened such that attempts to remove
the integrated components will result in damage to access interfaces, the integrated components will result in damage to access interfaces,
ports or pins that prevent retrieval of code or stored information. ports or pins that prevent retrieval of code or stored information.
The degree of VLSI or PCB package security through manufacture can be The degree of Very Large Scale Integration (VLSI) or Printed Circuit
selected as a tradeoff or desired security consistent with the level Board (PCB) package security through manufacture can be selected as a
of security achieved by measures applied for other routing assets and tradeoff or desired security consistent with the level of security
points of access. With package hardening and restricted component achieved by measures applied for other routing assets and points of
access countermeasures, the security level will be raised to that access. With package hardening and restricted component access
provided by measures employed at the external communications countermeasures, the security level will be raised to that provided
interfaces. by measures employed at the external communications interfaces.
Another area of node interface vulnerability is that associated with Another area of node interface vulnerability is that associated with
interfaces provided for remote software or firmware upgrades. This interfaces provided for remote software or firmware upgrades. This
may impact both routing information and routing/topology exchange may impact both routing information and routing/topology exchange
security where it leads to unauthorized upgrade or change to the security where it leads to unauthorized upgrade or change to the
routing protocol running on a given node as this type of attack can routing protocol running on a given node as this type of attack can
allow for the execution of compromised or intentionally malicious allow for the execution of compromised or intentionally malicious
routing code on multiple nodes. Countermeasures to this device routing code on multiple nodes. Countermeasures to this device
interface confidentiality attack needs to be addressed in the larger interface confidentiality attack needs to be addressed in the larger
context of node remote access security. This will ensure not only context of node remote access security. This will ensure not only
skipping to change at page 23, line 5 skipping to change at page 25, line 6
Identity attacks, sometimes simply called spoofing, seek to gain or Identity attacks, sometimes simply called spoofing, seek to gain or
damage assets whose access is controlled through identity. In damage assets whose access is controlled through identity. In
routing, an identity attacker can illegitimately participate in routing, an identity attacker can illegitimately participate in
routing exchanges, distribute false routing information, or cause an routing exchanges, distribute false routing information, or cause an
invalid outcome of a routing process. invalid outcome of a routing process.
A perpetrator of Sybil attacks assumes multiple identities. The A perpetrator of Sybil attacks assumes multiple identities. The
result is not only an amplification of the damage to routing, but result is not only an amplification of the damage to routing, but
extension to new areas, e.g., where geographic distribution is extension to new areas, e.g., where geographic distribution is
explicit or implicit an asset to an application running on the LLN. explicit or implicit an asset to an application running on the LLN,
for example, the LBR in a P2MP or MP2P LLN.
The counter of identity attacks need to ensure the authenticity and The countering of identity attacks need to ensure the authenticity
liveliness of the parties of a message exchange; the measure may use and liveliness of the parties of a message exchange. The means may
shared key or public key based authentication scheme. On the one be through the use of shared key or public key based authentication
hand, the large-scale nature of the LLNs makes the network-wide scheme. On the one hand, the large-scale nature of the LLNs makes
shared key scheme undesirable from a security perspective; on the the network-wide shared key scheme undesirable from a security
other hand, public-key based approaches generally require more perspective; on the other hand, public-key based approaches generally
computational resources. Each system will need to make trade-off require more computational resources. Each system will need to make
decisions based on its security requirements. trade-off decisions based on its security requirements. As an
example, [Wander2005] compared the energy consumption between two
public-key algorithms on a low-power microcontroller, with reference
to a symmetric-key algorithm and a hash algorithm.
5.2.4. Countering Routing Information Replay Attacks 5.2.4. Countering Routing Information Replay Attacks
In routing, message replay can result in false topology and/or In routing, message replay can result in false topology and/or
routes. The counter of replay attacks need to ensure the freshness routes. The counter of replay attacks need to ensure the freshness
of the message. On the one hand, there are a number of mechanisms of the message. On the one hand, there are a number of mechanisms
commonly used for countering replay. On the other hand, the choice commonly used for countering replay, e.g., with a counter. On the
should take into account how a particular mechanism is made available other hand, the choice should take into account how a particular
in a LLN. For example, many LLNs have a central source of time and mechanism is made available in a LLN. For example, many LLNs have a
have it distributed by relaying, such that secured time distribution central source of time and have it distributed by relaying, such that
becomes a prerequisite of using timestamping to counter replay. secured time distribution becomes a prerequisite of using
timestamping to counter replay.
5.2.5. Countering Byzantine Routing Information Attacks 5.2.5. Countering Byzantine Routing Information Attacks
Where a node is captured or compromized but continues to operate for Where a node is captured or compromised but continues to operate for
a period with valid network security credentials, the potential a period with valid network security credentials, the potential
exists for routing information to be manipulated. This compromise of exists for routing information to be manipulated. This compromise of
the routing information could thus exist in spite of security the routing information could thus exist in spite of security
countermeasures that operate between the peer routing devices. countermeasures that operate between the peer routing devices.
Consistent with the end-to-end principle of communications, such an Consistent with the end-to-end principle of communications, such an
attack can only be fully addressed through measures operating attack can only be fully addressed through measures operating
directly between the routing entities themselves or by means of directly between the routing entities themselves or by means of
external entities able to access and independently analyze the external entities able to access and independently analyze the
routing information. Verification of the authenticity and liveliness routing information. Verification of the authenticity and liveliness
of the routing principals can therefore only provide a limited of the routing principals can therefore only provide a limited
counter against internal (Byzantine) node attacks. counter against internal (Byzantine) node attacks.
For link state routing protocols where information is flooded For link state routing protocols where information is flooded with
countermeasures can be directly applied by the routing entities areas (OSPF) or levels (ISIS), countermeasures can be directly
through the processing and comparison of link state information applied by the routing entities through the processing and comparison
received from different peers. By comparing the link information of link state information received from different peers. By
from multiple sources decisions can be made by a routing node or comparing the link information from multiple sources decisions can be
external entity with regard to routing information validity. made by a routing node or external entity with regard to routing
information validity.
For distance vector protocols where information is aggregated at each For distance vector protocols where information is aggregated at each
routing node it is not possible for nodes to directly detect routing node it is not possible for nodes to directly detect
Byzantine information manipulation attacks from the routing Byzantine information manipulation attacks from the routing
information exchange. In such cases, the routing protocol must information exchange. In such cases, the routing protocol must
include and support indirect communications exchanges between non- include and support indirect communications exchanges between non-
adjacent routing peers to provide a secondary channel for performing adjacent routing peers to provide a secondary channel for performing
routing information validation. S-RIP [Wan2004] is an example of the routing information validation. S-RIP [Wan2004] is an example of the
implementation of this type of dedicated routing protocol security implementation of this type of dedicated routing protocol security
where the correctness of aggregate distance vector information can where the correctness of aggregate distance vector information can
skipping to change at page 24, line 45 skipping to change at page 27, line 4
5.3.1. Countering HELLO Flood Attacks and ACK Spoofing Attacks 5.3.1. Countering HELLO Flood Attacks and ACK Spoofing Attacks
HELLO Flood [Karlof2003],[I-D.suhopark-hello-wsn] and ACK Spoofing HELLO Flood [Karlof2003],[I-D.suhopark-hello-wsn] and ACK Spoofing
attacks are different but highly related forms of attacking a LLN. attacks are different but highly related forms of attacking a LLN.
They essentially lead nodes to believe that suitable routes are They essentially lead nodes to believe that suitable routes are
available even though they are not and hence constitute a serious available even though they are not and hence constitute a serious
availability attack. availability attack.
The origin of facilitating a HELLO flood attack lies in the fact that The origin of facilitating a HELLO flood attack lies in the fact that
many wireless routing protocols require nodes to send HELLO packets many routing protocols require nodes to send HELLO packets either
either upon joining or in regular intervals so as to announce or upon joining or in regular intervals so as to announce or confirm
confirm their existence to the network. Those nodes that receive the their existence to the network. Those nodes that receive the HELLO
HELLO packet assume that they are within radio range of the packet assume that they are indeed neighbors.
transmitter by means of a bidirectional communication link.
With this in mind, a malicious node can send or replay HELLO packets With this in mind, a malicious node can send or replay HELLO packets
using a higher transmission power. That creates the false illusion using, e.g., a higher transmission power. That creates the false
of being a neighbor to an increased number of nodes in the network, illusion of being a neighbor to an increased number of nodes in the
thereby effectively increasing its unidirectional neighborhood network, thereby effectively increasing its unidirectional
cardinality. The high quality of the falsely advertised link may neighborhood cardinality. The high quality of the falsely advertised
coerce nodes to route data via the malicious node. However, those link may coerce nodes to route data via the malicious node. However,
affected nodes, for which the malicious node is out of radio range, those affected nodes, for which the malicious node is in fact
never succeed in their delivery and the packets are effectively unreachable, never succeed in their delivery and the packets are
dropped. The symptoms are hence similar to those of a sinkhole, effectively dropped. The symptoms are hence similar to those of a
wormhole and selective forwarding attack. sinkhole, wormhole and selective forwarding attack.
A malicious HELLO flood attack clearly distorts the network topology. A malicious HELLO flood attack clearly distorts the network topology.
It thus affects protocols building and maintaining the network It thus affects protocols building and maintaining the network
topology as well as routing protocols as such, since the attack is topology as well as routing protocols as such, since the attack is
primarily targeted on protocols that require sharing of information primarily targeted on protocols that require sharing of information
for topology maintenance or flow control. for topology maintenance or flow control.
To counter HELLO flood attacks, several mutually non-exclusive To counter HELLO flood attacks, several mutually non-exclusive
methods are feasible: methods are feasible:
o restricting neighborhood cardinality; o restricting neighborhood cardinality;
o facilitating multipath routing; o facilitating multipath routing;
o verifying bidirectionality. o verifying bidirectionality.
Restricting the neighborhood cardinality prevents malicious nodes Restricting the neighborhood cardinality prevents malicious nodes
from having an extended set of neighbors beyond some tolerated from having an extended set of neighbors beyond some tolerated
threshold and thereby preventing topologies to be built where threshold and thereby preventing topologies to be built where
malicious nodes have an extended neighborhood set. Furthermore, as malicious nodes have a false neighborhood set. Furthermore, as shown
shown in [I-D.suhopark-hello-wsn], if the routing protocol supports in [I-D.suhopark-hello-wsn], if the routing protocol supports
multiple paths from a sensing node towards several gateways then multiple paths from a sensing node towards several LBRs then HELLO
HELLO flood attacks can also be diminished; however, the energy- flood attacks can also be diminished; however, the energy-efficiency
efficiency of such approach is clearly sub-optimal. Finally, of such approach is clearly sub-optimal. Finally, verifying that the
verifying that the link is truly bidirectional by means of, e.g., an link is truly bidirectional by means of, e.g., an ACK handshake and
ACK handshake and appropriate security measures ensures that a appropriate security measures ensures that a communication link is
communication link is only established if not only the affected node only established if not only the affected node is within range of the
is within range of the malicious node but also vice versa. Whilst malicious node but also vice versa. Whilst this does not really
this does not really eliminate the problem of HELLO flooding, it eliminate the problem of HELLO flooding, it greatly reduces the
greatly reduces the number of affected nodes and the probability of number of affected nodes and the probability of such an attack
such an attack succeeding. succeeding.
As for the latter, the adversary may spoof the ACK messages to As for the latter, the adversary may spoof the ACK messages to
convince the affected node that the link is truly bidirectional and convince the affected node that the link is truly bidirectional and
thereupon drop, tunnel or selectively forward messages. Such ACK thereupon drop, tunnel or selectively forward messages. Such ACK
spoofing attack is possible if the malicious node has a receiver spoofing attack is possible if the malicious node has a receiver
which is significantly more sensitive than that of a normal node, which is significantly more sensitive than that of a normal node,
thereby effectively extending its range. Since an ACK spoofing thereby effectively extending its range. Since an ACK spoofing
attack facilitates a HELLO flood attack, similar countermeasure are attack facilitates a HELLO flood attack, similar countermeasure are
applicable here. Viable counter and security measures for both applicable here. Viable counter and security measures for both
attacks have been exposed in [I-D.suhopark-hello-wsn]. attacks have been exposed in [I-D.suhopark-hello-wsn].
5.3.2. Countering Overload Attacks 5.3.2. Countering Overload Attacks
Overload attacks are a form of DoS attack in that a malicious node Overload attacks are a form of DoS attack in that a malicious node
overloads the network with irrelevant traffic, thereby draining the overloads the network with irrelevant traffic, thereby draining the
nodes' energy budget quicker. It thus significantly shortens the nodes' energy budget quicker, when the nodes rely on battery or
network lifetime and hence constitutes another serious availability energy scavenging. It thus significantly shortens the lifetime of
attack. networks of battery nodes and constitutes another serious
availability attack.
With energy being one of the most precious assets of LLNs, targeting With energy being one of the most precious assets of LLNs, targeting
its availability is a fairly obvious attack. Another way of its availability is a fairly obvious attack. Another way of
depleting the energy of a LLN node is to have the malicious node depleting the energy of a LLN node is to have the malicious node
overload the network with irrelevant traffic. This impacts overload the network with irrelevant traffic. This impacts
availability since certain routes get congested which availability since certain routes get congested which
o renders them useless for affected nodes and data can hence not be o renders them useless for affected nodes and data can hence not be
delivered; delivered;
o makes routes longer as shortest path algorithms work with the o makes routes longer as shortest path algorithms work with the
congested network; congested network;
o depletes nodes quicker and thus shortens the network's o depletes battery and energy scavenging nodes quicker and thus
availability at large. shortens the network's availability at large.
Overload attacks can be countered by deploying a series of mutually Overload attacks can be countered by deploying a series of mutually
non-exclusive security measures: non-exclusive security measures:
o introduce quotas on the traffic rate each node is allowed to send; o introduce quotas on the traffic rate each node is allowed to send;
o isolate nodes which send traffic above a certain threshold; o isolate nodes which send traffic above a certain threshold based
on system operation characteristics;
o allow only trusted data to be received and forwarded. o allow only trusted data to be received and forwarded.
As for the first one, a simple approach to minimize the harmful As for the first one, a simple approach to minimize the harmful
impact of an overload attack is to introduce traffic quotas. This impact of an overload attack is to introduce traffic quotas. This
prevents a malicious node from injecting a large amount of traffic prevents a malicious node from injecting a large amount of traffic
into the network, even though it does not prevent said node from into the network, even though it does not prevent said node from
injecting irrelevant traffic at all. Another method is to isolate injecting irrelevant traffic at all. Another method is to isolate
nodes from the network once it has been detected that more traffic is nodes from the network at the network layer once it has been detected
injected into the network than allowed by a prior set or dynamically that more traffic is injected into the network than allowed by a
adjusted threshold. Finally, if communication is sufficiently prior set or dynamically adjusted threshold. Finally, if
secured, only trusted nodes can receive and forward traffic which communication is sufficiently secured, only trusted nodes can receive
also lowers the risk of an overload attack. and forward traffic which also lowers the risk of an overload attack.
5.3.3. Countering Selective Forwarding Attacks 5.3.3. Countering Selective Forwarding Attacks
Selective forwarding attacks are another form of DoS attack which Selective forwarding attacks are another form of DoS attack which
impacts the routing path availability. impacts the routing path availability.
An insider malicious node basically blends neatly in with the network An insider malicious node basically blends neatly in with the network
but then may decide to forward and/or manipulate certain packets. If but then may decide to forward and/or manipulate certain packets. If
all packets are dropped, then this attacker is also often referred to all packets are dropped, then this attacker is also often referred to
as a "black hole". Such a form of attack is particularly dangerous as a "black hole". Such a form of attack is particularly dangerous
if coupled with sinkhole attacks since inherently a large amount of if coupled with sinkhole attacks since inherently a large amount of
traffic is attracted to the malicious node and thereby causing traffic is attracted to the malicious node and thereby causing
significant damage. An outside malicious node would selectively jam significant damage. In a shared medium, an outside malicious node
overheard data flows, where the thus caused collisions incur would selectively jam overheard data flows, where the thus caused
selective forwarding. collisions incur selective forwarding.
Selective Forwarding attacks can be countered by deploying a series Selective Forwarding attacks can be countered by deploying a series
of mutually non-exclusive security measures: of mutually non-exclusive security measures:
o multipath routing of the same message over disjoint paths; o multipath routing of the same message over disjoint paths;
o dynamically select the next hop from a set of candidates. o dynamically select the next hop from a set of candidates.
The first measure basically guarantees that if a message gets lost on The first measure basically guarantees that if a message gets lost on
a particular routing path due to a malicious selective forwarding a particular routing path due to a malicious selective forwarding
attack, there will be another route which successfully delivers the attack, there will be another route which successfully delivers the
data. Such method is inherently suboptimal from an energy data. Such method is inherently suboptimal from an energy
consumption point of view. The second method basically involves a consumption point of view. The second method basically involves a
constantly changing routing topology in that next-hop routers are constantly changing routing topology in that next-hop routers are
chosen from a dynamic set in the hope that the number of malicious chosen from a dynamic set in the hope that the number of malicious
nodes in this set is negligible. nodes in this set is negligible. A routing protocol that allows for
disjoint routing paths may also be useful.
5.3.4. Countering Sinkhole Attacks 5.3.4. Countering Sinkhole Attacks
In sinkhole attacks, the malicious node manages to attract a lot of In sinkhole attacks, the malicious node manages to attract a lot of
traffic mainly by advertising the availability of high-quality links traffic mainly by advertising the availability of high-quality links
even though there are none. It hence constitutes a serious attack on even though there are none. It hence constitutes a serious attack on
availability. availability.
The malicious node creates a sinkhole by attracting a large amount The malicious node creates a sinkhole by attracting a large amount
of, if not all, traffic from surrounding neighbors by advertising in of, if not all, traffic from surrounding neighbors by advertising in
skipping to change at page 28, line 19 skipping to change at page 30, line 25
o isolate nodes which receive traffic above a certain threshold; o isolate nodes which receive traffic above a certain threshold;
o dynamically pick up next hop from set of candidates; o dynamically pick up next hop from set of candidates;
o allow only trusted data to be received and forwarded. o allow only trusted data to be received and forwarded.
Whilst most of these countermeasures have been discussed before, the Whilst most of these countermeasures have been discussed before, the
use of geographical information deserves further attention. use of geographical information deserves further attention.
Essentially, if geographic positions of nodes are available, then the Essentially, if geographic positions of nodes are available, then the
network can assure that data is actually routed towards the sink(s) network can assure that data is actually routed towards the intended
and not elsewhere. On the other hand, geographic position is a destination and not elsewhere. On the other hand, geographic
sensitive information that may have security and/or privacy position is a sensitive information that may have security and/or
consequences. privacy consequences.
5.3.5. Countering Wormhole Attacks 5.3.5. Countering Wormhole Attacks
In wormhole attacks at least two malicious nodes shortcut or divert In wormhole attacks at least two malicious nodes shortcut or divert
the usual routing path by means of a low-latency out-of-band channel. the usual routing path by means of a low-latency out-of-band channel.
This changes the availability of certain routing paths and hence This changes the availability of certain routing paths and hence
constitutes a serious security breach. constitutes a serious security breach.
Essentially, two malicious insider nodes use another, more powerful, Essentially, two malicious insider nodes use another, more powerful,
radio to communicate with each other and thereby distort the would- transmitter to communicate with each other and thereby distort the
be-agreed routing path. This distortion could involve shortcutting would-be-agreed routing path. This distortion could involve
and hence paralyzing a large part of the network; it could also shortcutting and hence paralyzing a large part of the network; it
involve tunneling the information to another region of the network could also involve tunneling the information to another region of the
where there are, e.g., more malicious nodes available to aid the network where there are, e.g., more malicious nodes available to aid
intrusion or where messages are replayed, etc. In conjunction with the intrusion or where messages are replayed, etc. In conjunction
selective forwarding, wormhole attacks can create race conditions with selective forwarding, wormhole attacks can create race
which impact topology maintenance, routing protocols as well as any conditions which impact topology maintenance, routing protocols as
security suits built on "time of check" and "time of use". well as any security suits built on "time of check" and "time of
use".
Wormhole attacks are very difficult to detect in general but can be Wormhole attacks are very difficult to detect in general but can be
mitigated using similar strategies as already outlined above in the mitigated using similar strategies as already outlined above in the
context of sinkhole attacks. context of sinkhole attacks.
6. ROLL Security Features 6. ROLL Security Features
The assessments and analysis in Section 4 examined all areas of The assessments and analysis in Section 4 examined all areas of
threats and attacks that could impact routing, and the threats and attacks that could impact routing, and the
countermeasures presented in Section 5 were reached without confining countermeasures presented in Section 5 were reached without confining
the consideration to means only available to routing. This section the consideration to means only available to routing. This section
puts the results into perspective and provides a framework for puts the results into perspective and provides a framework for
addressing the derived set of security objectives that must be met by addressing the derived set of security objectives that must be met by
the ROLL protocol. It bears emphasizing that the target here is a the routing protocol(s) specified by the ROLL Working Group. It
generic ROLL protocol and the normative keywords are mainly to convey bears emphasizing that the target here is a generic, universal form
the relative level of urgency of the features specified. of the protocol(s) specified and the normative keywords are mainly to
convey the relative level of importance or urgency of the features
specified.
The first part of this section, Section 6.1 to Section 6.3, is a The first part of this section, Section 6.1 to Section 6.3, is a
prescription of ROLL security features of measures that can be prescription of ROLL security features of measures that can be
addressed as part of the routing protocol itself. As routing is one addressed as part of the routing protocol itself. As routing is one
component of a LLN system, the actual strength of the security component of a LLN system, the actual strength of the security
services afforded to it should be made to conform to each system's services afforded to it should be made to conform to each system's
security policy; how a design may address the needs of the urban, security policy; how a design may address the needs of the urban,
industrial, home automation, and building automation application industrial, home automation, and building automation application
domains also needs to be considered. The second part of this domains also needs to be considered. The second part of this
section, Section 6.4 and Section 6.5, discusses system security section, Section 6.4 and Section 6.5, discusses system security
skipping to change at page 29, line 40 skipping to change at page 31, line 49
to protect against, and improve vulnerability against other more to protect against, and improve vulnerability against other more
direct attacks, routing information confidentiality should be direct attacks, routing information confidentiality should be
protected. Thus, a secured ROLL protocol protected. Thus, a secured ROLL protocol
o SHOULD provide payload encryption; o SHOULD provide payload encryption;
o MAY provide tunneling; o MAY provide tunneling;
o MAY provide load balancing; o MAY provide load balancing;
o SHOULD provide privacy, e.g., when geographic information is used. o SHOULD provide privacy when geographic information is used (see,
e.g., [RFC3693]).
Where confidentiality is incorporated into the routing exchanges, Where confidentiality is incorporated into the routing exchanges,
encryption algorithms and key lengths need to be specified in encryption algorithms and key lengths need to be specified in
accordance of the level of protection dictated by the routing accordance of the level of protection dictated by the routing
protocol and the associated application domain transport network. In protocol and the associated application domain transport network. In
terms of the life time of the keys, the opportunity to periodically terms of the life time of the keys, the opportunity to periodically
change the encryption key increases the offered level of security for change the encryption key increases the offered level of security for
any given implementation. However, where strong cryptography is any given implementation. However, where strong cryptography is
employed, physical, procedural, and logical data access protection employed, physical, procedural, and logical data access protection
considerations may have more significant impact on cryptoperiod considerations may have more significant impact on cryptoperiod
skipping to change at page 30, line 50 skipping to change at page 33, line 11
exchange. This is particularly important in the case of distance exchange. This is particularly important in the case of distance
vector-based routing protocols, where information is updated at vector-based routing protocols, where information is updated at
intermediate nodes, In such cases, there are no direct means within intermediate nodes, In such cases, there are no direct means within
routing for a receiver to verify the validity of the routing routing for a receiver to verify the validity of the routing
information beyond the current exchange; as such, nodes would need to information beyond the current exchange; as such, nodes would need to
be able to communicate and request information from non-adjacent be able to communicate and request information from non-adjacent
peers (see [Wan2004]) to provide information integrity assurances. peers (see [Wan2004]) to provide information integrity assurances.
With link state-based protocols, on the other hand, routing With link state-based protocols, on the other hand, routing
information can be signed at the source thus providing a means for information can be signed at the source thus providing a means for
validating information that originates beyond a routing peer. validating information that originates beyond a routing peer.
Therefore, where necessary, a secured ROLL protocol Therefore, where necessary, a secured ROLL protocol MAY use security
o MAY use security auditing mechanisms that are external to routing auditing mechanisms that are external to routing to verify the
to verify the validity of the routing information content validity of the routing information content exchanged among routing
exchanged among routing peers. peers.
6.3. Availability Features 6.3. Availability Features
Availability of routing information is linked to system and network Availability of routing information is linked to system and network
availability which in the case of LLNs require a broader security availability which in the case of LLNs require a broader security
view beyond the requirements of the routing entities (see view beyond the requirements of the routing entities (see
Section 6.5). Where availability of the network is compromised, Section 6.5). Where availability of the network is compromised,
routing information availability will be accordingly affected. routing information availability will be accordingly affected.
However, to specifically assist in protecting routing availability However, to specifically assist in protecting routing availability
skipping to change at page 31, line 32 skipping to change at page 33, line 40
o MAY choose randomly if multiple paths are available; o MAY choose randomly if multiple paths are available;
o MAY set quotas to limit transmit or receive volume; o MAY set quotas to limit transmit or receive volume;
o MAY use geographic insights for flow control. o MAY use geographic insights for flow control.
6.4. Additional Related Features 6.4. Additional Related Features
If a LLN employs multicast and/or anycast, it MUST secure these If a LLN employs multicast and/or anycast, it MUST secure these
protocols with the services listed in this sections. Furthermore, mechanisms with the services listed in this sections. Furthermore,
the nodes MUST provide adequate physical tamper resistance to ensure the nodes MUST provide adequate physical tamper resistance to ensure
the integrity of stored routing information. the integrity of stored routing information.
The functioning of the security services requires keys and The functioning of the security services requires keys and
credentials. Therefore, even though not directly a ROLL security credentials. Therefore, even though not directly a ROLL security
requirement, a LLN must include a process for key and credential requirement, a LLN must include a process for key and credential
distribution; a LLN is encouraged to have procedures for their distribution; a LLN is encouraged to have procedures for their
revocation and replacement. revocation and replacement.
6.5. Consideration on Matching Application Domain Needs 6.5. Consideration on Matching Application Domain Needs
As routing is one component of a LLN system, the actual strength of As routing is one component of a LLN system, the actual strength of
the security services afforded to it should be made to conform to the security services afforded to it should be made to conform to
each system's security policy; how a design may address the needs of each system's security policy; how a design may address the needs of
the urban, industrial, home automation, and building automation the urban, industrial, home automation, and building automation
application domains is considered as part of the security application domains is considered as part of the security
architecture in Section 6.5.1. architecture in Section 6.5.1.
The development so far takes into account collectively the impacts of The development so far takes into account collectively the impacts of
the issues gathered from [RFC5548], [RFC5673], the issues gathered from [RFC5548], [RFC5673], [RFC5826], and
[I-D.ietf-roll-home-routing-reqs], and [RFC5867]. The following two subsections first consider from an
[I-D.ietf-roll-building-routing-reqs]. The following two subsections architectural perspective how the security design of a ROLL protocol
first consider from an architectural perspective how the security may be made to adapt to the four application domains, and then
design of a ROLL protocol may be made to adapt to the four examine mechanism and protocol operations issues.
application domains, and then examine mechanism and protocol
operations issues.
6.5.1. Security Architecture 6.5.1. Security Architecture
The first challenge for a ROLL protocol security design is to have an The first challenge for a ROLL protocol security design is to have an
architecture that can adequately address a set of very diversified architecture that can adequately address a set of very diversified
needs. It is mainly a consequence of the fact that there are both needs. It is mainly a consequence of the fact that there are both
common and non-overlapping requirements from the four application common and non-overlapping requirements from the four application
domains, while, conceivably, each individual application will present domains, while, conceivably, each individual application will present
yet its own unique constraints. yet its own unique constraints.
For a ROLL protocol, the security requirements defined in Section 6.1 For a ROLL protocol, the security requirements defined in Section 6.1
to Section 6.4 can be addressed at two levels: 1) through measures to Section 6.4 can be addressed at two levels: 1) through measures
implemented directly within the routing protocol itself and initiated implemented directly within the routing protocol itself and initiated
and controlled by the routing protocol entities; or 2) through and controlled by the routing protocol entities; or 2) through
measures invoked on behalf of the routing protocol entities but measures invoked on behalf of the routing protocol entities but
implemented within the transport network over which the protocol implemented within the part of the network over which the protocol
exchanges occur. exchanges occur.
Where security is directly implemented as part of the routing Where security is directly implemented as part of the routing
protocol the security requirements configured by the user (system protocol the security requirements configured by the user (system
administrator) will operate independent of the underlying transport administrator) will operate independent of the lower layers. OSPFv2
network. OSPFv2 [RFC2328] is an example of such an approach in which [RFC2328] is an example of such an approach in which security
security parameters are exchanged and assessed within the routing parameters are exchanged and assessed within the routing protocol
protocol messages. In this case, the mechanism may be, e.g., a messages. In this case, the mechanism may be, e.g., a header
header containing security material of configurable security containing security material of configurable security primitives in
primitives in the fashion of OSPFv2 or RIPv2 [RFC2453]. Where IPsec the fashion of OSPFv2 or RIPv2 [RFC2453]. Where IPsec [RFC4301] is
[RFC4301] is employed to secure the network, the included protocol- employed to secure the network, the included protocol-specific (OSPF
specific (OSPF or RIP) security elements are in addition to and or RIP) security elements are in addition to and independent of those
independent of those at the network layer. In the case of LLNs or at the network layer. In the case of LLNs or other networks where
other networks where system security mandates protective mechanisms system security mandates protective mechanisms at other lower layers
at other lower layers of the transport network, security measures of the network, security measures implemented as part of the routing
implemented as part of the routing protocol will be redundant to protocol will be redundant to security measures implemented elsewhere
security measures implemented elsewhere as part of the transport as part of the protocol stack.
network.
Security mechanisms built into the routing protocol can ensure that Security mechanisms built into the routing protocol can ensure that
all desired countermeasures can be directly addressed by the protocol all desired countermeasures can be directly addressed by the protocol
all the way to the endpoint of the routing exchange. In particular, all the way to the endpoint of the routing exchange. In particular,
routing protocol Byzantine attacks by a compromised node that retains routing protocol Byzantine attacks by a compromised node that retains
valid network security credentials can only be detected at the level valid network security credentials can only be detected at the level
of the information exchanged within the routing protocol. Such of the information exchanged within the routing protocol. Such
attacks aimed the manipulation of the routing information can only be attacks aimed the manipulation of the routing information can only be
fully addressed through measures operating directly between the fully addressed through measures operating directly between the
routing entities themselves or external entities able to access and routing entities themselves or external entities able to access and
skipping to change at page 33, line 18 skipping to change at page 35, line 25
On the other hand, it is more desirable from a LLN device perspective On the other hand, it is more desirable from a LLN device perspective
that the ROLL protocol is integrated into the framework of an overall that the ROLL protocol is integrated into the framework of an overall
system architecture where the security facility may be shared by system architecture where the security facility may be shared by
different applications and/or across layers for efficiency, and where different applications and/or across layers for efficiency, and where
security policy and configurations can be consistently specified. security policy and configurations can be consistently specified.
See, for example, considerations made in RIPng [RFC2080] or the See, for example, considerations made in RIPng [RFC2080] or the
approach presented in [Messerges2003]. approach presented in [Messerges2003].
Where the routing protocol is able to rely on security measures Where the routing protocol is able to rely on security measures
configured with the transport network, greater system efficiency can configured with other part of the protocol stack, greater system
be realized by avoiding potentially redundant security. Relying on efficiency can be realized by avoiding potentially redundant
an open trust model [Messerges2003], the security requirements of the security. Relying on an open trust model [Messerges2003], the
routing protocol can be more flexibly met at different layers of the security requirements of the routing protocol can be more flexibly
transport network; measures that must be applied to protect the met at different layers of the transport network; measures that must
communications network are concurrently able to provide the needed be applied to protect the communications network are concurrently
routing protocol protection. able to provide the needed routing protocol protection.
In addition, in the context of the different application domains, it In addition, in the context of the different application domains, it
allows the level of security applied for routing to be consistent allows the level of security applied for routing to be consistent
with that needed for protecting the network itself. For example, with that needed for protecting the network itself. For example,
where AES-128 is deemed the appropriate standard for network where a 128-bit AES (AES-128) is deemed the appropriate standard for
confidentiality of data exchanges at the link layer, that level of network confidentiality of data exchanges at the link layer, that
security is automatically afforded to routing protocol exchanges. level of security is automatically afforded to routing protocol
Similarly, where SHA-1 is stipulated as the standard required for exchanges. Similarly, where the Secure Hash Algorithm, v. 1, (SHA-1)
authenticating routing protocol peers, the use of SHA-1 at the [FIPS180] is stipulated as the standard required for authenticating
network layer between communicating routing devices automatically routing protocol peers, the use of SHA-1 at the network layer between
meets the routing protocol security requirement within the context of communicating routing devices automatically meets the routing
open trust across layers within the device. protocol security requirement within the context of open trust across
layers within the device.
A ROLL protocol MUST be made flexible by a design that offers the A ROLL protocol MUST be made flexible by a design that offers the
configuration facility so that the user (network administrator) can configuration facility so that the user (network administrator) can
choose the security settings that match the application's needs. choose the security settings that match the application's needs.
Furthermore, in the case of LLNs that flexibility should extend to Furthermore, in the case of LLNs that flexibility should extend to
allowing the routing protocol security requirements to be met by allowing the routing protocol security requirements to be met by
measures applied at different protocol layers, provided the measures applied at different protocol layers, provided the
identified requirements are collectively met. identified requirements are collectively met.
Since Byzantine attacks that can affect the validity of the Since Byzantine attacks that can affect the validity of the
skipping to change at page 34, line 14 skipping to change at page 36, line 21
made optional within the protocol allowing it to be invoked according made optional within the protocol allowing it to be invoked according
to the given routing protocol and application domain and as selected to the given routing protocol and application domain and as selected
by the system user. All other ROLL security mechanisms needed to by the system user. All other ROLL security mechanisms needed to
meet the above identified routing security requirements should be meet the above identified routing security requirements should be
flexibly implemented within the transport network (at the IP network flexibly implemented within the transport network (at the IP network
layer or higher or lower protocol layers(s)) according to the layer or higher or lower protocol layers(s)) according to the
particular application domain and user network configuration. particular application domain and user network configuration.
Based on device capabilities and the spectrum of operating Based on device capabilities and the spectrum of operating
environments it would be difficult for a single fixed security design environments it would be difficult for a single fixed security design
to be applied to address the diversified needs of the four ROLL to be applied to address the diversified needs of the urban,
application domains without forcing a very low common denominator set industrial, home, and building ROLL application domains, and
foreseeable others, without forcing a very low common denominator set
of requirements. On the other hand, providing four individual domain of requirements. On the other hand, providing four individual domain
designs that attempt to a priori match each individual domain is also designs that attempt to a priori match each individual domain is also
very likely to provide a suitable answer given the degree of network very likely to provide a suitable answer given the degree of network
variability even within a given domain. Instead, the framework variability even within a given domain; furthermore, the type of link
implementation approach recommended for optional, routing protocol- layers in use within each domain also influences the overall
specific measures together with flexible transport network mechanisms security. Instead, the framework implementation approach recommended
can be the most effective. This approach allows countermeasures for optional, routing protocol-specific measures together with
against internal attacks to be applied in environments where flexible transport network mechanisms can be the most effective.
applicable threats exist. At the same time, it allows routing This approach allows countermeasures against internal attacks to be
protocol security to be configured through measures implemented applied in environments where applicable threats exist. At the same
within the transport network that is commensurate and consistent with time, it allows routing protocol security to be configured through
the level and strength applied in the particular application domain measures implemented within the transport network that is
networks. commensurate and consistent with the level and strength applied in
the particular application domain networks.
6.5.2. Mechanisms and Operations 6.5.2. Mechanisms and Operations
With an architecture allowing different configurations to meet the With an architecture allowing different configurations to meet the
application domain needs, the task is then to find suitable application domain needs, the task is then to find suitable
mechanisms. For example, one of the main problems of synchronizing mechanisms. For example, one of the main problems of synchronizing
security states of sleepy nodes, as listed in the last subsection, security states of sleepy nodes, as listed in the last subsection,
lies in difficulties in authentication; these nodes may not have lies in difficulties in authentication; these nodes may not have
received in time the most recent update of security material. received in time the most recent update of security material.
Similarly, the issues of minimal manual configuration, prolonged Similarly, the issues of minimal manual configuration, prolonged
rollout and delayed addition of nodes, and network topology changes rollout and delayed addition of nodes, and network topology changes
also complicate security management. In such case the ROLL protocol also complicate security management. In such case the ROLL protocol
may need to bootstrap the authentication process and allow for may need to bootstrap the authentication process and allow for
flexible expiration scheme of authentication credentials. This flexible expiration scheme of authentication credentials. This
exemplifies the need for the coordination and interoperation between exemplifies the need for the coordination and interoperation between
the requirements of the ROLL routing protocol and that of the system the requirements of the ROLL routing protocol and that of the system
security elements. security elements.
Similarly, the vulnerability brought forth by some special-function Similarly, the vulnerability brought forth by some special-function
nodes, e.g., gateways/sinks requires the assurance, particularly, of nodes, e.g., LBRs requires the assurance, particularly, of the
the availability of communication channels and node resources, or availability of communication channels and node resources, or that
that the neighbor discovery process operates without undermining the neighbor discovery process operates without undermining routing
routing availability. availability.
There and other factors which are not part of a ROLL routing protocol There and other factors which are not part of a ROLL routing protocol
can still affect its operation. This includes elements such as can still affect its operation. This includes elements such as
weaker barrier to accessing the data or security material stored on weaker barrier to accessing the data or security material stored on
the nodes through physical means; therefore, the internal and the nodes through physical means; therefore, the internal and
external interfaces of a node need to be adequate for guarding the external interfaces of a node need to be adequate for guarding the
integrity, and possibly the confidentiality, of stored information, integrity, and possibly the confidentiality, of stored information,
as well as the integrity of routing and route generation processes. as well as the integrity of routing and route generation processes.
Figure 2 provides an overview of the larger context of system Figure 3 provides an overview of the larger context of system
security and the relationship between ROLL requirements and measures security and the relationship between ROLL requirements and measures
and those that relate to the LLN system. and those that relate to the LLN system.
Security Services for Security Services for
ROLL-Addressable ROLL-Addressable
Security Requirements Security Requirements
| | | |
+---+ +---+ +---+ +---+
Node_i | | Node_j Node_i | | Node_j
_____v___ ___v_____ _____v___ ___v_____
skipping to change at page 36, line 37 skipping to change at page 38, line 37
|Security| : +-----+----+ +----+-----+ : |Security| |Security| : +-----+----+ +----+-----+ : |Security|
+->|Services|-:-->| Link | | Link |<--:-|Services|<-+ +->|Services|-:-->| Link | | Link |<--:-|Services|<-+
| |Entity | : +-----+----+ +----+-----+ : |Entity | | | |Entity | : +-----+----+ +----+-----+ : |Entity | |
| | |-:-+ | | +-:-| | | | | |-:-+ | | +-:-| | |
| \________/ : | +-----+----+ +----+-----+ | : \________/ | | \________/ : | +-----+----+ +----+-----+ | : \________/ |
| : +>| Physical | | Physical |<+ : | | : +>| Physical | | Physical |<+ : |
Application : +-----+----+ +----+-----+ : Application Application : +-----+----+ +----+-----+ : Application
Domain User : | | : Domain User Domain User : | | : Domain User
Configuration : |__Comm. Channel_| : Configuration Configuration : |__Comm. Channel_| : Configuration
: : : :
...Transport Network.................. ...Protocol Stack.....................
Figure 2: LLN Device Security Model Figure 3: LLN Device Security Model
7. Application of ROLL Security Framework to RPL 7. Application of ROLL Security Framework to RPL
This section applies the assessments given in Section 6 to RPL as an This section applies the assessments given in Section 6 to RPL as an
illustration of the application of the LLN security framework. illustration of the application of the LLN security framework.
Specializing the approach used in Section 3.1, Figure 3 gives a Specializing the approach used in Section 3.1, Figure 4 gives a data
level-1 data flow diagram representation of RPL to show the routing flow diagram representation of RPL to show the routing "assets" and
"assets" and "points of access" that may be vulnerable and need to be "points of access" that may be vulnerable and need to be protected.
protected.
............................................ ............................................
: : : :
|Link-Local : : |Link-Local : :
Multicast : : Multicast : :
or Node_i|<----->(DIO/DIS/DAO)<--------------+ : or Node_i|<----->(DIO/DIS/DAO)<--------------+ :
: ^ | : : ^ | :
: | ______V______ : : | ______V______ :
: | Candidate : : | Candidate :
: V Neighbor List : : V Neighbor List :
skipping to change at page 37, line 27 skipping to change at page 39, line 27
: ^ (Route Generation) : : ^ (Route Generation) :
: | | : : | | :
: | ______V______ : : | ______V______ :
: +------+ Routing Table : : +------+ Routing Table :
: | ------+------ : : | ------+------ :
: | | : : | | :
: RPL on Node_j | | : : RPL on Node_j | | :
..................|.............|........... ..................|.............|...........
| | | |
|Forwarding V | |Forwarding V |
To/From Node_k|<-------->(Read/Write | To/From Node_k|<----->(Read/Write |
Flow Label)<-------+ Hop-by-Hop Option or |
Routing Header)<------+
Figure 3: Data Flow Diagram of RPL Figure 4: Data Flow Diagram of RPL
From Figure 3, it is seen that threats to the proper operation of RPL From Figure 4, it is seen that threats to the proper operation of RPL
are realized through attacks on its DIO, DIS, and DAO messages, as are realized through attacks on its DIO, DIS, and DAO messages, as
well as on the information the protocol places on the IPv6 Flow well as on the information the protocol places on the IPv6 Hop-by-Hop
Labels. As set forth in Section 6.1 to Section 6.4, the base Option Header [I-D.ietf-6man-rpl-option]and Routing Header
security requirements concern message integrity, authenticity and [I-D.ietf-6man-rpl-routing-header]. As set forth in Section 6.1 to
liveliness of the principals of a connection, and protection against Section 6.4, the base security requirements concern message
message replay; message encryption may be desirable. The security integrity, authenticity and liveliness of the principals of a
objectives for RPL are therefore to ensure that connection, and protection against message replay; message encryption
may be desirable. The security objectives for RPL are therefore to
ensure that
1. participants of the DIO, DIS, and DAO message exchanges are 1. participants of the DIO, DIS, and DAO message exchanges are
authentic; authentic;
2. the received DIO, DIS, and DAO messages are not modified during 2. the received DIO, DIS, and DAO messages are not modified during
transportation; transportation;
3. the received DIO, DIS, and DAO messages are not retransmissions 3. the received DIO, DIS, and DAO messages are not retransmissions
of previous messages; of previous messages;
4. the content of the DIO, DIS, and DAO messages may be made legible 4. the content of the DIO, DIS, and DAO messages may be made legible
to only authorized entities. to only authorized entities.
In meeting the above objectives, RPL also needs to provide tunable In meeting the above objectives, RPL also needs to provide tunable
mechanisms both to allow matching the security afforded to the mechanisms both to allow matching the security afforded to the
application domain requirements and to enable efficient use of system application domain requirements and to enable efficient use of system
resources, as discussed in Section 6.5.1 and Section 6.5.2. resources, as discussed in Section 6.5.1 and Section 6.5.2.
The functions of the different RPL messages and information placed The functions of the different RPL messages, and the next hops
within the user data plane Flow Labels are factors that can be taken information placed in the Routing Header and RPL option TLV carried
into account when deciding the optional security features and levels in the Hop-by-Hop Option Header are factors that can be taken into
of strength to be afforded. For example, the DIO messages build account when deciding the optional security features and levels of
routes to roots while the DAO messages support the building of strength to be afforded. For example, the DIO messages build routes
downward routes to leaf nodes. Consequently, there may be to roots while the DAO messages support the building of downward
application environments in which the directions of the routes have routes to leaf nodes. Consequently, there may be application
different importance and thus warrant the use of different security environments in which the directions of the routes have different
features and/or strength. In other words, it may be desirable to importance and thus warrant the use of different security features
have an RPL security design that extends the tunability of the and/or strength. In other words, it may be desirable to have an RPL
security features and strengths to message types. The use of a per- security design that extends the tunability of the security features
message security specification will allow flexibility in permitting and strengths to message types. The use of a per-message security
application-domain security choices as well as overall tunability. specification will allow flexibility in permitting application-domain
security choices as well as overall tunability.
8. IANA Considerations 8. IANA Considerations
This memo includes no request to IANA. This memo includes no request to IANA.
9. Security Considerations 9. Security Considerations
The framework presented in this document provides security analysis The framework presented in this document provides security analysis
and design guidelines with a scope limited to ROLL. Security and design guidelines with a scope limited to ROLL. Security
services are identified as requirements for securing ROLL. The services are identified as requirements for securing ROLL. The
skipping to change at page 38, line 41 skipping to change at page 41, line 4
and design guidelines with a scope limited to ROLL. Security and design guidelines with a scope limited to ROLL. Security
services are identified as requirements for securing ROLL. The services are identified as requirements for securing ROLL. The
results are applied to RPL, with consequent recommendations. results are applied to RPL, with consequent recommendations.
10. Acknowledgments 10. Acknowledgments
The authors would like to acknowledge the review and comments from The authors would like to acknowledge the review and comments from
Rene Struik. Rene Struik.
11. References 11. References
11.1. Normative References 11.1. Normative References
[FIPS180] "Federal Information Processing Standards Publication
180-1", US National Institute of Standards and Technology,
Apr. 17 1995.
[FIPS197] "Federal Information Processing Standards Publication
197", US National Institute of Standards and Technology,
Nov. 26 2006.
[I-D.ietf-6man-rpl-option]
Hui, J. and J. Vasseur, "RPL Option for Carrying RPL
Information in Data-Plane Datagrams",
draft-ietf-6man-rpl-option-00 (work in progress),
July 2010.
[I-D.ietf-6man-rpl-routing-header]
Hui, J., Vasseur, J., and D. Culler, "An IPv6 Routing
Header for Source Routes with RPL",
draft-ietf-6man-rpl-routing-header-00 (work in progress),
July 2010.
[I-D.ietf-roll-rpl]
Winter, T., Thubert, P., and R. Team, "RPL: IPv6 Routing
Protocol for Low power and Lossy Networks",
draft-ietf-roll-rpl-11 (work in progress), July 2010.
[Kasumi3gpp]
"3GPP TS 35.202 Specification of the 3GPP confidentiality
and integrity algorithms; Document 2: Kasumi
specification", 3GPP TSG SA3, 2009.
[RFC2080] Malkin, G. and R. Minnear, "RIPng for IPv6", RFC 2080, [RFC2080] Malkin, G. and R. Minnear, "RIPng for IPv6", RFC 2080,
January 1997. January 1997.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998. [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998.
[RFC2453] Malkin, G., "RIP Version 2", STD 56, RFC 2453, [RFC2453] Malkin, G., "RIP Version 2", STD 56, RFC 2453,
November 1998. November 1998.
[RFC3693] Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and
J. Polk, "Geopriv Requirements", RFC 3693, February 2004.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005. Internet Protocol", RFC 4301, December 2005.
11.2. Informative References 11.2. Informative References
[Huang2003] [Huang2003]
Huang, Q., Cukier, J., Kobayashi, H., Liu, B., and J. Huang, Q., Cukier, J., Kobayashi, H., Liu, B., and J.
Zhang, "Fast Authenticated Key Establishment Protocols for Zhang, "Fast Authenticated Key Establishment Protocols for
Self-Organizing Sensor Networks", in Proceedings of the Self-Organizing Sensor Networks", in Proceedings of the
2nd ACM International Conference on Wireless Sensor 2nd ACM International Conference on Wireless Sensor
Networks and Applications, San Diego, CA, USA, pp. 141- Networks and Applications, San Diego, CA, USA, pp. 141-
150, Sept. 19 2003. 150, Sept. 19 2003.
[I-D.ietf-roll-building-routing-reqs]
Martocci, J., Riou, N., Mil, P., and W. Vermeylen,
"Building Automation Routing Requirements in Low Power and
Lossy Networks", draft-ietf-roll-building-routing-reqs-09
(work in progress), January 2010.
[I-D.ietf-roll-home-routing-reqs]
Brandt, A. and J. Buron, "Home Automation Routing
Requirements in Low Power and Lossy Networks",
draft-ietf-roll-home-routing-reqs-11 (work in progress),
January 2010.
[I-D.ietf-roll-rpl]
Winter, T., Thubert, P., and R. Team, "RPL: IPv6 Routing
Protocol for Low power and Lossy Networks",
draft-ietf-roll-rpl-07 (work in progress), March 2010.
[I-D.ietf-roll-terminology] [I-D.ietf-roll-terminology]
Vasseur, J., "Terminology in Low power And Lossy Vasseur, J., "Terminology in Low power And Lossy
Networks", draft-ietf-roll-terminology-03 (work in Networks", draft-ietf-roll-terminology-04 (work in
progress), March 2010. progress), September 2010.
[I-D.suhopark-hello-wsn] [I-D.suhopark-hello-wsn]
Park, S., "Routing Security in Sensor Network: HELLO Flood Park, S., "Routing Security in Sensor Network: HELLO Flood
Attack and Defense", draft-suhopark-hello-wsn-00 (work in Attack and Defense", draft-suhopark-hello-wsn-00 (work in
progress), December 2005. progress), December 2005.
[Karlof2003] [Karlof2003]
Karlof, C. and D. Wagner, "Secure routing in wireless Karlof, C. and D. Wagner, "Secure routing in wireless
sensor networks: attacks and countermeasures", Elsevier sensor networks: attacks and countermeasures", Elsevier
AdHoc Networks Journal, Special Issue on Sensor Network AdHoc Networks Journal, Special Issue on Sensor Network
skipping to change at page 40, line 35 skipping to change at page 43, line 10
RFC 4949, August 2007. RFC 4949, August 2007.
[RFC5548] Dohler, M., Watteyne, T., Winter, T., and D. Barthel, [RFC5548] Dohler, M., Watteyne, T., Winter, T., and D. Barthel,
"Routing Requirements for Urban Low-Power and Lossy "Routing Requirements for Urban Low-Power and Lossy
Networks", RFC 5548, May 2009. Networks", RFC 5548, May 2009.
[RFC5673] Pister, K., Thubert, P., Dwars, S., and T. Phinney, [RFC5673] Pister, K., Thubert, P., Dwars, S., and T. Phinney,
"Industrial Routing Requirements in Low-Power and Lossy "Industrial Routing Requirements in Low-Power and Lossy
Networks", RFC 5673, October 2009. Networks", RFC 5673, October 2009.
[RFC5826] Brandt, A., Buron, J., and G. Porcu, "Home Automation
Routing Requirements in Low-Power and Lossy Networks",
RFC 5826, April 2010.
[RFC5867] Martocci, J., De Mil, P., Riou, N., and W. Vermeylen,
"Building Automation Routing Requirements in Low-Power and
Lossy Networks", RFC 5867, June 2010.
[Wan2004] Wan, T., Kranakis, E., and PC. van Oorschot, "S-RIP: A [Wan2004] Wan, T., Kranakis, E., and PC. van Oorschot, "S-RIP: A
Secure Distance Vector Routing Protocol", in Proceedings Secure Distance Vector Routing Protocol", in Proceedings
of the 2nd International Conference on Applied of the 2nd International Conference on Applied
Cryptography and Network Security, Yellow Mountain, China, Cryptography and Network Security, Yellow Mountain, China,
pp. 103-119, Jun. 8-11 2004. pp. 103-119, Jun. 8-11 2004.
[Wander2005]
Wander, A., Gura, N., Eberle, H., Gupta, V., and S.
Shantz, "Energy analysis of public-key cryptography for
wireless sensor networ", in the Proceedings of the Third
IEEE International Conference on Pervasive Computing and
Communications pp. 324-328, March 8-12 2005.
[Yourdon1979]
Yourdon, E. and L. Constantine, "Structured Design",
Yourdon Press, New York, Chapter 10, pp. 187-222, 1979.
Authors' Addresses Authors' Addresses
Tzeta Tsao (editor) Tzeta Tsao
Eka Systems Cooper Power Systems
20201 Century Blvd. Suite 250 20201 Century Blvd. Suite 250
Germantown, Maryland 20874 Germantown, Maryland 20874
USA USA
Email: tzeta.tsao@ekasystems.com Email: tzeta.tsao@cooperindustries.com
Roger K. Alexander (editor) Roger K. Alexander
Eka Systems Cooper Power Systems
20201 Century Blvd. Suite 250 20201 Century Blvd. Suite 250
Germantown, Maryland 20874 Germantown, Maryland 20874
USA USA
Email: roger.alexander@ekasystems.com Email: roger.alexander@cooperindustries.com
Mischa Dohler (editor) Mischa Dohler
CTTC CTTC
Parc Mediterrani de la Tecnologia, Av. Canal Olimpic S/N Parc Mediterrani de la Tecnologia, Av. Canal Olimpic S/N
Castelldefels, Barcelona 08860 Castelldefels, Barcelona 08860
Spain Spain
Email: mischa.dohler@cttc.es Email: mischa.dohler@cttc.es
Vanesa Daza (editor) Vanesa Daza
Universitat Pompeu Fabra Universitat Pompeu Fabra
P/ Circumval.lacio 8, Oficina 308 P/ Circumval.lacio 8, Oficina 308
Barcelona 08003 Barcelona 08003
Spain Spain
Email: vanesa.daza@upf.edu Email: vanesa.daza@upf.edu
Angel Lozano (editor) Angel Lozano
Universitat Pompeu Fabra Universitat Pompeu Fabra
P/ Circumval.lacio 8, Oficina 309 P/ Circumval.lacio 8, Oficina 309
Barcelona 08003 Barcelona 08003
Spain Spain
Email: angel.lozano@upf.edu Email: angel.lozano@upf.edu
 End of changes. 108 change blocks. 
439 lines changed or deleted 547 lines changed or added

This html diff was produced by rfcdiff 1.39. The latest version is available from http://tools.ietf.org/tools/rfcdiff/