draft-ietf-roll-security-framework-01.txt   draft-ietf-roll-security-framework-02.txt 
Networking Working Group T. Tsao Networking Working Group T. Tsao
Internet-Draft R. Alexander Internet-Draft R. Alexander
Intended status: Informational Cooper Power Systems Intended status: Informational Cooper Power Systems
Expires: April 3, 2011 M. Dohler Expires: May 12, 2011 M. Dohler
CTTC CTTC
V. Daza V. Daza
A. Lozano A. Lozano
Universitat Pompeu Fabra Universitat Pompeu Fabra
September 30, 2010 November 8, 2010
A Security Framework for Routing over Low Power and Lossy Networks A Security Framework for Routing over Low Power and Lossy Networks
draft-ietf-roll-security-framework-01 draft-ietf-roll-security-framework-02
Abstract Abstract
This document presents a security framework for routing over low This document presents a security framework for routing over low
power and lossy networks (LLN). The development builds upon previous power and lossy networks (LLN). The development builds upon previous
work on routing security and adapts the assessments to the issues and work on routing security and adapts the assessments to the issues and
constraints specific to low power and lossy networks. A systematic constraints specific to low power and lossy networks. A systematic
approach is used in defining and evaluating the security threats and approach is used in defining and evaluating the security threats and
identifying applicable countermeasures. These assessments provide identifying applicable countermeasures. These assessments provide
the basis of the security recommendations for incorporation into low the basis of the security recommendations for incorporation into low
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 3, 2011. This Internet-Draft will expire on May 12, 2011.
Copyright Notice Copyright Notice
Copyright (c) 2010 IETF Trust and the persons identified as the Copyright (c) 2010 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 15 skipping to change at page 3, line 15
Table of Contents Table of Contents
1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Considerations on ROLL Security . . . . . . . . . . . . . . . 6 3. Considerations on ROLL Security . . . . . . . . . . . . . . . 6
3.1. Routing Assets and Points of Access . . . . . . . . . . . 6 3.1. Routing Assets and Points of Access . . . . . . . . . . . 6
3.2. The CIA Security Reference Model . . . . . . . . . . . . . 9 3.2. The CIA Security Reference Model . . . . . . . . . . . . . 9
3.3. Issues Specific to or Amplified in LLNs . . . . . . . . . 10 3.3. Issues Specific to or Amplified in LLNs . . . . . . . . . 10
3.4. ROLL Security Objectives . . . . . . . . . . . . . . . . . 12 3.4. ROLL Security Objectives . . . . . . . . . . . . . . . . . 12
4. Threats and Attacks . . . . . . . . . . . . . . . . . . . . . 13 4. Threats and Attacks . . . . . . . . . . . . . . . . . . . . . 13
4.1. Threats and Attacks on Confidentiality . . . . . . . . . . 13 4.1. Threats and Attacks on Confidentiality . . . . . . . . . . 14
4.1.1. Routing Exchange Exposure . . . . . . . . . . . . . . 14 4.1.1. Routing Exchange Exposure . . . . . . . . . . . . . . 14
4.1.2. Routing Information (Routes and Network Topology) 4.1.2. Routing Information (Routes and Network Topology)
Exposure . . . . . . . . . . . . . . . . . . . . . . . 14 Exposure . . . . . . . . . . . . . . . . . . . . . . . 14
4.2. Threats and Attacks on Integrity . . . . . . . . . . . . . 15 4.2. Threats and Attacks on Integrity . . . . . . . . . . . . . 15
4.2.1. Routing Information Manipulation . . . . . . . . . . . 15 4.2.1. Routing Information Manipulation . . . . . . . . . . . 15
4.2.2. Node Identity Misappropriation . . . . . . . . . . . . 15 4.2.2. Node Identity Misappropriation . . . . . . . . . . . . 15
4.3. Threats and Attacks on Availability . . . . . . . . . . . 16 4.3. Threats and Attacks on Availability . . . . . . . . . . . 16
4.3.1. Routing Exchange Interference or Disruption . . . . . 16 4.3.1. Routing Exchange Interference or Disruption . . . . . 16
4.3.2. Network Traffic Forwarding Disruption . . . . . . . . 16 4.3.2. Network Traffic Forwarding Disruption . . . . . . . . 16
4.3.3. Communications Resource Disruption . . . . . . . . . . 17 4.3.3. Communications Resource Disruption . . . . . . . . . . 17
4.3.4. Node Resource Exhaustion . . . . . . . . . . . . . . . 18 4.3.4. Node Resource Exhaustion . . . . . . . . . . . . . . . 18
5. Countermeasures . . . . . . . . . . . . . . . . . . . . . . . 18 5. Countermeasures . . . . . . . . . . . . . . . . . . . . . . . 18
5.1. Confidentiality Attack Countermeasures . . . . . . . . . . 19 5.1. Confidentiality Attack Countermeasures . . . . . . . . . . 19
5.1.1. Countering Deliberate Exposure Attacks . . . . . . . . 19 5.1.1. Countering Deliberate Exposure Attacks . . . . . . . . 19
5.1.2. Countering Sniffing Attacks . . . . . . . . . . . . . 19 5.1.2. Countering Sniffing Attacks . . . . . . . . . . . . . 19
5.1.3. Countering Traffic Analysis . . . . . . . . . . . . . 20 5.1.3. Countering Traffic Analysis . . . . . . . . . . . . . 21
5.1.4. Countering Physical Device Compromise . . . . . . . . 21 5.1.4. Countering Physical Device Compromise . . . . . . . . 21
5.1.5. Countering Remote Device Access Attacks . . . . . . . 23 5.1.5. Countering Remote Device Access Attacks . . . . . . . 23
5.2. Integrity Attack Countermeasures . . . . . . . . . . . . . 23 5.2. Integrity Attack Countermeasures . . . . . . . . . . . . . 24
5.2.1. Countering Tampering Attacks . . . . . . . . . . . . . 24 5.2.1. Countering Tampering Attacks . . . . . . . . . . . . . 24
5.2.2. Countering Overclaiming and Misclaiming Attacks . . . 24 5.2.2. Countering Overclaiming and Misclaiming Attacks . . . 24
5.2.3. Countering Identity (including Sybil) Attacks . . . . 24 5.2.3. Countering Identity (including Sybil) Attacks . . . . 25
5.2.4. Countering Routing Information Replay Attacks . . . . 25 5.2.4. Countering Routing Information Replay Attacks . . . . 25
5.2.5. Countering Byzantine Routing Information Attacks . . . 25 5.2.5. Countering Byzantine Routing Information Attacks . . . 25
5.3. Availability Attack Countermeasures . . . . . . . . . . . 26 5.3. Availability Attack Countermeasures . . . . . . . . . . . 26
5.3.1. Countering HELLO Flood Attacks and ACK Spoofing 5.3.1. Countering HELLO Flood Attacks and ACK Spoofing
Attacks . . . . . . . . . . . . . . . . . . . . . . . 26 Attacks . . . . . . . . . . . . . . . . . . . . . . . 27
5.3.2. Countering Overload Attacks . . . . . . . . . . . . . 28 5.3.2. Countering Overload Attacks . . . . . . . . . . . . . 28
5.3.3. Countering Selective Forwarding Attacks . . . . . . . 29 5.3.3. Countering Selective Forwarding Attacks . . . . . . . 29
5.3.4. Countering Sinkhole Attacks . . . . . . . . . . . . . 29 5.3.4. Countering Sinkhole Attacks . . . . . . . . . . . . . 30
5.3.5. Countering Wormhole Attacks . . . . . . . . . . . . . 30 5.3.5. Countering Wormhole Attacks . . . . . . . . . . . . . 30
6. ROLL Security Features . . . . . . . . . . . . . . . . . . . . 31 6. ROLL Security Features . . . . . . . . . . . . . . . . . . . . 31
6.1. Confidentiality Features . . . . . . . . . . . . . . . . . 31 6.1. Confidentiality Features . . . . . . . . . . . . . . . . . 31
6.2. Integrity Features . . . . . . . . . . . . . . . . . . . . 32 6.2. Integrity Features . . . . . . . . . . . . . . . . . . . . 32
6.3. Availability Features . . . . . . . . . . . . . . . . . . 33 6.3. Availability Features . . . . . . . . . . . . . . . . . . 33
6.4. Additional Related Features . . . . . . . . . . . . . . . 33 6.4. Additional Related Features . . . . . . . . . . . . . . . 34
6.5. Consideration on Matching Application Domain Needs . . . . 34 6.5. Consideration on Matching Application Domain Needs . . . . 34
6.5.1. Security Architecture . . . . . . . . . . . . . . . . 34 6.5.1. Security Architecture . . . . . . . . . . . . . . . . 34
6.5.2. Mechanisms and Operations . . . . . . . . . . . . . . 36 6.5.2. Mechanisms and Operations . . . . . . . . . . . . . . 37
7. Application of ROLL Security Framework to RPL . . . . . . . . 38 7. Application of ROLL Security Framework to RPL . . . . . . . . 38
8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 40
9. Security Considerations . . . . . . . . . . . . . . . . . . . 40 9. Security Considerations . . . . . . . . . . . . . . . . . . . 40
10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 40 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 40
11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 41 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 41
11.1. Normative References . . . . . . . . . . . . . . . . . . . 41 11.1. Normative References . . . . . . . . . . . . . . . . . . . 41
11.2. Informative References . . . . . . . . . . . . . . . . . . 42 11.2. Informative References . . . . . . . . . . . . . . . . . . 41
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 43 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 43
1. Terminology 1. Terminology
This document adopts and conforms to the terminology defined in This document adopts and conforms to the terminology defined in
[I-D.ietf-roll-terminology] and in [RFC4949], with the following [I-D.ietf-roll-terminology] and in [RFC4949], with the following
addition: addition:
Node An element of a low power lossy network that may be a router or Node An element of a low power lossy network that may be a router or
a host. a host.
skipping to change at page 6, line 11 skipping to change at page 6, line 11
the context of LLN. The utility of this framework is demonstrated the context of LLN. The utility of this framework is demonstrated
with an application to IPv6 Routing Protocol for Low Power and Lossy with an application to IPv6 Routing Protocol for Low Power and Lossy
Networks (RPL) [I-D.ietf-roll-rpl]. Networks (RPL) [I-D.ietf-roll-rpl].
3. Considerations on ROLL Security 3. Considerations on ROLL Security
Security, in essence, entails implementing measures to ensure Security, in essence, entails implementing measures to ensure
controlled state changes on devices and network elements, both based controlled state changes on devices and network elements, both based
on external inputs (received via communications) or internal inputs on external inputs (received via communications) or internal inputs
(physical security of device itself and parameters maintained by the (physical security of device itself and parameters maintained by the
device, including, e.g., clock). A security assessment can therefore device, including, e.g., clock). State changes would thereby involve
begin with a focus on the assets or elements of information that may proper authorization for actions, authentication, and potentially
be the target of the state changes and the access points in terms of confidentiality, but also proper order of state changes through
interfaces and protocol exchanges through which such changes may timeliness (since seriously delayed state changes, such as commands
occur. In the case of routing security the focus is directed towards or updates of routing tables, may negatively impact system
the elements associated with the establishment and maintenance of operation). A security assessment can therefore begin with a focus
network connectivity. on the assets or elements of information that may be the target of
the state changes and the access points in terms of interfaces and
protocol exchanges through which such changes may occur. In the case
of routing security the focus is directed towards the elements
associated with the establishment and maintenance of network
connectivity.
This section sets the stage for the development of the framework by This section sets the stage for the development of the framework by
applying the systematic approach proposed in [Myagmar2005] to the applying the systematic approach proposed in [Myagmar2005] to the
routing security problem, while also drawing references from other routing security problem, while also drawing references from other
reviews and assessments found in the literature, particularly, reviews and assessments found in the literature, particularly,
[RFC4593] and [Karlof2003]; thus, the work presented herein may find [RFC4593] and [Karlof2003]; thus, the work presented herein may find
use beyond routing for LLNs. The subsequent subsections begin with a use beyond routing for LLNs. The subsequent subsections begin with a
focus on the elements of a generic routing process that is used to focus on the elements of a generic routing process that is used to
establish routing assets and points of access to the routing establish routing assets and points of access to the routing
functionality. Next, the CIA security model is briefly described. functionality. Next, the CIA security model is briefly described.
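Review bot: the sentence added to the opening paragraph of Section 3 ("State changes would thereby involve proper authorization for actions, authentication, and potentially confidentiality, but also proper order of state changes through timeliness") lists authorization, authentication, confidentiality and timeliness but never mentions integrity or availability, which Section 3.2 names alongside confidentiality as the primary issues. Either relate the new terms to the CIA terms here or state that they are in addition to them, so the list does not read as a competing model. "Seriously delayed" is also imprecise next to "proper order"; "delayed or reordered" would match the rest of the sentence.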
skipping to change at page 9, line 16 skipping to change at page 9, line 16
* neighbor discovery; * neighbor discovery;
* route/topology exchange; * route/topology exchange;
* node physical interfaces (including access to data storage). * node physical interfaces (including access to data storage).
A focus on the above list of assets and points of access enables a A focus on the above list of assets and points of access enables a
more directed assessment of routing security; for example, it is more directed assessment of routing security; for example, it is
readily understood that some routing attacks are in the form of readily understood that some routing attacks are in the form of
attempts to misrepresent routing topology. Indeed, the intention is attempts to misrepresent routing topology. Indeed, the intention of
to be comprehensive; nonetheless, the discussions to follow on the security framework is to be comprehensive. Hence, some of the
physical related issues are not related to routing protocol design discussion which follows is associated with assets and points of
but provided for reference since they do have direct consequences on access that are not directly related to routing protocol design but
the security of routing. nonetheless provided for reference since they do have direct
consequences on the security of routing.
3.2. The CIA Security Reference Model 3.2. The CIA Security Reference Model
At the conceptual level, security within an information system in At the conceptual level, security within an information system in
general and applied to ROLL in particular is concerned with the general and applied to ROLL in particular is concerned with the
primary issues of confidentiality, integrity, and availability. In primary issues of confidentiality, integrity, and availability. In
the context of ROLL: the context of ROLL:
Confidentiality Confidentiality
Confidentiality involves the protection of routing information Confidentiality involves the protection of routing information
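Review bot: in the rewritten closing sentence of Section 3.1, "but nonetheless provided for reference" has no verb of its own; suggest "that are not directly related to routing protocol design but are nonetheless covered for reference, since they have direct consequences on the security of routing". The rewrite also drops the old wording that identified the physical-related issues as the part outside protocol design; naming them again (the node physical interfaces item in the list above) would tell the reader which later discussion is reference material only.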
skipping to change at page 10, line 30 skipping to change at page 10, line 30
determine the events and actions leading to a particular routing determine the events and actions leading to a particular routing
state. Non-repudiation implies after the fact and thus relies on the state. Non-repudiation implies after the fact and thus relies on the
logging or other capture of on-going routing exchanges and logging or other capture of on-going routing exchanges and
signatures. Given the limited resources of a node and potentially signatures. Given the limited resources of a node and potentially
the communication channel, and considering the operating mode the communication channel, and considering the operating mode
associated with LLNs, routing transaction logging or auditing process associated with LLNs, routing transaction logging or auditing process
communication overhead will not be practical; as such, non- communication overhead will not be practical; as such, non-
repudiation in the context of routing is not further considered as a repudiation in the context of routing is not further considered as a
ROLL security issue. ROLL security issue.
It is important to note that for routing security the above CIA
requirements must be complemented by the proper security policies and
enforcement mechanisms to ensure that security objectives are met by
a given routing protocol implementation.
3.3. Issues Specific to or Amplified in LLNs 3.3. Issues Specific to or Amplified in LLNs
The work [RFC5548] and [RFC5673], [RFC5826], and [RFC5867] have The work [RFC5548] and [RFC5673], [RFC5826], and [RFC5867] have
identified specific issues and constraints of routing in LLNs for the identified specific issues and constraints of routing in LLNs for the
urban, industrial, home automation, and building automation urban, industrial, home automation, and building automation
application domains, respectively. The following is a list of application domains, respectively. The following is a list of
observations and evaluation of their impact on routing security observations and evaluation of their impact on routing security
considerations. considerations.
Limited energy, memory, and processing node resources Limited energy, memory, and processing node resources
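Review bot: the paragraph added at the end of Section 3.2 says the CIA requirements "must be complemented by the proper security policies and enforcement mechanisms" without saying what those policies cover or where the document treats them. Add a forward reference to the section that does, or one sentence on what a policy is expected to decide. Since RFC 2119 is listed in the normative references, it is also worth making clear that this lower-case "must" is not a requirement keyword.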
skipping to change at page 40, line 42 skipping to change at page 40, line 42
9. Security Considerations 9. Security Considerations
The framework presented in this document provides security analysis The framework presented in this document provides security analysis
and design guidelines with a scope limited to ROLL. Security and design guidelines with a scope limited to ROLL. Security
services are identified as requirements for securing ROLL. The services are identified as requirements for securing ROLL. The
results are applied to RPL, with consequent recommendations. results are applied to RPL, with consequent recommendations.
10. Acknowledgments 10. Acknowledgments
The authors would like to acknowledge the review and comments from The authors would like to acknowledge the review and comments from
Rene Struik. Rene Struik and JP Vasseur. The authors would also like to
acknowledge the guidance and input provided by the ROLL Chairs, David
Culler and JP Vasseur, and the Area Director Adrian Farrel.
11. References 11. References
11.1. Normative References 11.1. Normative References
[FIPS180] "Federal Information Processing Standards Publication
180-1", US National Institute of Standards and Technology,
Apr. 17 1995.
[FIPS197] "Federal Information Processing Standards Publication
197", US National Institute of Standards and Technology,
Nov. 26 2006.
[I-D.ietf-6man-rpl-option] [I-D.ietf-6man-rpl-option]
Hui, J. and J. Vasseur, "RPL Option for Carrying RPL Hui, J. and J. Vasseur, "RPL Option for Carrying RPL
Information in Data-Plane Datagrams", Information in Data-Plane Datagrams",
draft-ietf-6man-rpl-option-00 (work in progress), draft-ietf-6man-rpl-option-01 (work in progress),
July 2010. October 2010.
[I-D.ietf-6man-rpl-routing-header] [I-D.ietf-6man-rpl-routing-header]
Hui, J., Vasseur, J., and D. Culler, "An IPv6 Routing Hui, J., Vasseur, J., Culler, D., and V. Manral, "An IPv6
Header for Source Routes with RPL", Routing Header for Source Routes with RPL",
draft-ietf-6man-rpl-routing-header-00 (work in progress), draft-ietf-6man-rpl-routing-header-01 (work in progress),
July 2010. October 2010.
[I-D.ietf-roll-rpl] [I-D.ietf-roll-rpl]
Winter, T., Thubert, P., and R. Team, "RPL: IPv6 Routing Winter, T., Thubert, P., and R. Team, "RPL: IPv6 Routing
Protocol for Low power and Lossy Networks", Protocol for Low power and Lossy Networks",
draft-ietf-roll-rpl-11 (work in progress), July 2010. draft-ietf-roll-rpl-11 (work in progress), July 2010.
[Kasumi3gpp]
"3GPP TS 35.202 Specification of the 3GPP confidentiality
and integrity algorithms; Document 2: Kasumi
specification", 3GPP TSG SA3, 2009.
[RFC2080] Malkin, G. and R. Minnear, "RIPng for IPv6", RFC 2080, [RFC2080] Malkin, G. and R. Minnear, "RIPng for IPv6", RFC 2080,
January 1997. January 1997.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998. [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998.
[RFC2453] Malkin, G., "RIP Version 2", STD 56, RFC 2453, [RFC2453] Malkin, G., "RIP Version 2", STD 56, RFC 2453,
November 1998. November 1998.
[RFC3693] Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and [RFC3693] Cuellar, J., Morris, J., Mulligan, D., Peterson, J., and
J. Polk, "Geopriv Requirements", RFC 3693, February 2004. J. Polk, "Geopriv Requirements", RFC 3693, February 2004.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005. Internet Protocol", RFC 4301, December 2005.
11.2. Informative References 11.2. Informative References
[FIPS180] "Federal Information Processing Standards Publication
180-3: Secure Hash Standard (SHS)", US National Institute
of Standards and Technology, Oct. 2008.
[FIPS197] "Federal Information Processing Standards Publication 197:
Advanced Encryption Standard (AES)", US National Institute
of Standards and Technology, Nov. 26 2001.
[Huang2003] [Huang2003]
Huang, Q., Cukier, J., Kobayashi, H., Liu, B., and J. Huang, Q., Cukier, J., Kobayashi, H., Liu, B., and J.
Zhang, "Fast Authenticated Key Establishment Protocols for Zhang, "Fast Authenticated Key Establishment Protocols for
Self-Organizing Sensor Networks", in Proceedings of the Self-Organizing Sensor Networks", in Proceedings of the
2nd ACM International Conference on Wireless Sensor 2nd ACM International Conference on Wireless Sensor
Networks and Applications, San Diego, CA, USA, pp. 141- Networks and Applications, San Diego, CA, USA, pp. 141-
150, Sept. 19 2003. 150, Sept. 19 2003.
[I-D.ietf-roll-terminology] [I-D.ietf-roll-terminology]
Vasseur, J., "Terminology in Low power And Lossy Vasseur, J., "Terminology in Low power And Lossy
Networks", draft-ietf-roll-terminology-04 (work in Networks", draft-ietf-roll-terminology-04 (work in
progress), September 2010. progress), September 2010.
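Review bot: in the reference changes, [FIPS180] is not only moved from normative to informative but also changed from FIPS 180-1 to FIPS 180-3, so each place in the body that cites [FIPS180] should be checked against the newer standard. The new entry is dated only "Oct. 2008" while [FIPS197] carries a full date ("Nov. 26 2001"); use one date style for both. In the Acknowledgments, JP Vasseur is now thanked in two consecutive sentences, which could be merged.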
skipping to change at page 42, line 31 skipping to change at page 42, line 27
Park, S., "Routing Security in Sensor Network: HELLO Flood Park, S., "Routing Security in Sensor Network: HELLO Flood
Attack and Defense", draft-suhopark-hello-wsn-00 (work in Attack and Defense", draft-suhopark-hello-wsn-00 (work in
progress), December 2005. progress), December 2005.
[Karlof2003] [Karlof2003]
Karlof, C. and D. Wagner, "Secure routing in wireless Karlof, C. and D. Wagner, "Secure routing in wireless
sensor networks: attacks and countermeasures", Elsevier sensor networks: attacks and countermeasures", Elsevier
AdHoc Networks Journal, Special Issue on Sensor Network AdHoc Networks Journal, Special Issue on Sensor Network
Applications and Protocols, 1(2):293-315, September 2003. Applications and Protocols, 1(2):293-315, September 2003.
[Kasumi3gpp]
"3GPP TS 35.202 Specification of the 3GPP confidentiality
and integrity algorithms; Document 2: Kasumi
specification", 3GPP TSG SA3, 2009.
[Messerges2003] [Messerges2003]
Messerges, T., Cukier, J., Kevenaar, T., Puhl, L., Struik, Messerges, T., Cukier, J., Kevenaar, T., Puhl, L., Struik,
R., and E. Callaway, "Low-Power Security for Wireless R., and E. Callaway, "Low-Power Security for Wireless
Sensor Networks", in Proceedings of the 1st ACM Workshop Sensor Networks", in Proceedings of the 1st ACM Workshop
on Security of Ad Hoc and Sensor Networks, Fairfax, VA, on Security of Ad Hoc and Sensor Networks, Fairfax, VA,
USA, pp. 1-11, Oct. 31 2003. USA, pp. 1-11, Oct. 31 2003.
[Myagmar2005] [Myagmar2005]
Myagmar, S., Lee, AJ., and W. Yurcik, "Threat Modeling as Myagmar, S., Lee, AJ., and W. Yurcik, "Threat Modeling as
a Basis for Security Requirements", in Proceedings of the a Basis for Security Requirements", in Proceedings of the
 End of changes. 24 change blocks. 
45 lines changed or deleted 59 lines changed or added
