draft-ietf-roll-security-threats-02.txt   draft-ietf-roll-security-threats-03.txt 
Networking Working Group T. Tsao Networking Working Group T. Tsao
Internet-Draft R. Alexander Internet-Draft R. Alexander
Intended status: Informational Cooper Power Systems Intended status: Informational Cooper Power Systems
Expires: December 13, 2013 M. Dohler Expires: December 27, 2013 M. Dohler
CTTC CTTC
V. Daza V. Daza
A. Lozano A. Lozano
Universitat Pompeu Fabra Universitat Pompeu Fabra
June 11, 2013 June 25, 2013
A Security Threat Analysis for Routing over Low-Power and Lossy Networks A Security Threat Analysis for Routing over Low-Power and Lossy Networks
draft-ietf-roll-security-threats-02 draft-ietf-roll-security-threats-03
Abstract Abstract
This document presents a security threat analysis for routing over This document presents a security threat analysis for routing over
low-power and lossy networks (LLN). The development builds upon low-power and lossy networks (LLN). The development builds upon
previous work on routing security and adapts the assessments to the previous work on routing security and adapts the assessments to the
issues and constraints specific to low-power and lossy networks. A issues and constraints specific to low-power and lossy networks. A
systematic approach is used in defining and evaluating the security systematic approach is used in defining and evaluating the security
threats. Applicable countermeasures are application specific and are threats. Applicable countermeasures are application specific and are
addressed in relevant applicability statements. These assessments addressed in relevant applicability statements. These assessments
skipping to change at page 2, line 4 skipping to change at page 2, line 4
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/. Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 13, 2013. This Internet-Draft will expire on December 27, 2013.
Copyright Notice Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 10 skipping to change at page 3, line 10
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. Considerations on ROLL Security . . . . . . . . . . . . . . . 6 3. Considerations on ROLL Security . . . . . . . . . . . . . . . 6
3.1. Routing Assets and Points of Access . . . . . . . . . . . 6 3.1. Routing Assets and Points of Access . . . . . . . . . . . 7
3.2. The ISO 7498-2 Security Reference Model . . . . . . . . . 9 3.2. The ISO 7498-2 Security Reference Model . . . . . . . . . 9
3.3. Issues Specific to or Amplified in LLNs . . . . . . . . . 11 3.3. Issues Specific to or Amplified in LLNs . . . . . . . . . 11
3.4. ROLL Security Objectives . . . . . . . . . . . . . . . . . 12 3.4. ROLL Security Objectives . . . . . . . . . . . . . . . . . 12
4. Threats and Attacks . . . . . . . . . . . . . . . . . . . . . 14 4. Threat Sources . . . . . . . . . . . . . . . . . . . . . . . . 14
4.1. Threats and Attacks on Confidentiality . . . . . . . . . . 14 5. Threats and Attacks . . . . . . . . . . . . . . . . . . . . . 14
4.1.1. Routing Exchange Exposure . . . . . . . . . . . . . . 14 5.1. Threats due to failures to Authenticate . . . . . . . . . 14
4.1.2. Routing Information (Routes and Network Topology) 5.2. Threats due to failures to Authenticate . . . . . . . . . 14
5.3. Threats and Attacks on Confidentiality . . . . . . . . . . 14
5.3.1. Routing Exchange Exposure . . . . . . . . . . . . . . 15
5.3.2. Routing Information (Routes and Network Topology)
Exposure . . . . . . . . . . . . . . . . . . . . . . . 15 Exposure . . . . . . . . . . . . . . . . . . . . . . . 15
4.2. Threats and Attacks on Integrity . . . . . . . . . . . . . 16 6. Threats and Attacks on Integrity . . . . . . . . . . . . . . . 16
4.2.1. Routing Information Manipulation . . . . . . . . . . . 16 6.1. Routing Information Manipulation . . . . . . . . . . . . . 16
4.2.2. Node Identity Misappropriation . . . . . . . . . . . . 16 6.2. Node Identity Misappropriation . . . . . . . . . . . . . . 17
4.3. Threats and Attacks on Availability . . . . . . . . . . . 17 7. Threats and Attacks on Availability . . . . . . . . . . . . . 17
4.3.1. Routing Exchange Interference or Disruption . . . . . 17 7.1. Routing Exchange Interference or Disruption . . . . . . . 17
4.3.2. Network Traffic Forwarding Disruption . . . . . . . . 17 7.2. Network Traffic Forwarding Disruption . . . . . . . . . . 18
4.3.3. Communications Resource Disruption . . . . . . . . . . 19 7.3. Communications Resource Disruption . . . . . . . . . . . . 19
4.3.4. Node Resource Exhaustion . . . . . . . . . . . . . . . 19 7.4. Node Resource Exhaustion . . . . . . . . . . . . . . . . . 20
5. Countermeasures . . . . . . . . . . . . . . . . . . . . . . . 20 8. Countermeasures . . . . . . . . . . . . . . . . . . . . . . . 20
5.1. Confidentiality Attack Countermeasures . . . . . . . . . . 20 8.1. Confidentiality Attack Countermeasures . . . . . . . . . . 21
5.1.1. Countering Deliberate Exposure Attacks . . . . . . . . 20 8.1.1. Countering Deliberate Exposure Attacks . . . . . . . . 21
5.1.2. Countering Sniffing Attacks . . . . . . . . . . . . . 21 8.1.2. Countering Sniffing Attacks . . . . . . . . . . . . . 21
5.1.3. Countering Traffic Analysis . . . . . . . . . . . . . 22 8.1.3. Countering Traffic Analysis . . . . . . . . . . . . . 22
5.1.4. Countering Physical Device Compromise . . . . . . . . 23 8.1.4. Countering Physical Device Compromise . . . . . . . . 23
5.1.5. Countering Remote Device Access Attacks . . . . . . . 25 8.1.5. Countering Remote Device Access Attacks . . . . . . . 25
5.2. Integrity Attack Countermeasures . . . . . . . . . . . . . 25 8.2. Integrity Attack Countermeasures . . . . . . . . . . . . . 26
5.2.1. Countering Unauthorized Modification Attacks . . . . . 25 8.2.1. Countering Unauthorized Modification Attacks . . . . . 26
5.2.2. Countering Overclaiming and Misclaiming Attacks . . . 26 8.2.2. Countering Overclaiming and Misclaiming Attacks . . . 26
5.2.3. Countering Identity (including Sybil) Attacks . . . . 26 8.2.3. Countering Identity (including Sybil) Attacks . . . . 27
5.2.4. Countering Routing Information Replay Attacks . . . . 27 8.2.4. Countering Routing Information Replay Attacks . . . . 27
5.2.5. Countering Byzantine Routing Information Attacks . . . 27 8.2.5. Countering Byzantine Routing Information Attacks . . . 27
5.3. Availability Attack Countermeasures . . . . . . . . . . . 28 8.3. Availability Attack Countermeasures . . . . . . . . . . . 28
5.3.1. Countering HELLO Flood Attacks and ACK Spoofing 8.3.1. Countering HELLO Flood Attacks and ACK Spoofing
Attacks . . . . . . . . . . . . . . . . . . . . . . . 28 Attacks . . . . . . . . . . . . . . . . . . . . . . . 29
5.3.2. Countering Overload Attacks . . . . . . . . . . . . . 29 8.3.2. Countering Overload Attacks . . . . . . . . . . . . . 30
5.3.3. Countering Selective Forwarding Attacks . . . . . . . 31 8.3.3. Countering Selective Forwarding Attacks . . . . . . . 31
5.3.4. Countering Sinkhole Attacks . . . . . . . . . . . . . 31 8.3.4. Countering Sinkhole Attacks . . . . . . . . . . . . . 32
5.3.5. Countering Wormhole Attacks . . . . . . . . . . . . . 32 8.3.5. Countering Wormhole Attacks . . . . . . . . . . . . . 33
6. ROLL Security Features . . . . . . . . . . . . . . . . . . . . 32 9. ROLL Security Features . . . . . . . . . . . . . . . . . . . . 33
6.1. Confidentiality Features . . . . . . . . . . . . . . . . . 34 9.1. Confidentiality Features . . . . . . . . . . . . . . . . . 34
6.2. Integrity Features . . . . . . . . . . . . . . . . . . . . 35 9.2. Integrity Features . . . . . . . . . . . . . . . . . . . . 35
6.3. Availability Features . . . . . . . . . . . . . . . . . . 36 9.3. Availability Features . . . . . . . . . . . . . . . . . . 36
6.4. Security Key Management . . . . . . . . . . . . . . . . . 36 9.4. Key Management . . . . . . . . . . . . . . . . . . . . . . 37
6.5. Consideration on Matching Application Domain Needs . . . . 38 9.5. Consideration on Matching Application Domain Needs . . . . 38
6.5.1. Security Architecture . . . . . . . . . . . . . . . . 38 9.5.1. Security Architecture . . . . . . . . . . . . . . . . 38
6.5.2. Mechanisms and Operations . . . . . . . . . . . . . . 41 9.5.2. Mechanisms and Operations . . . . . . . . . . . . . . 41
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 42 10. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 43
8. Security Considerations . . . . . . . . . . . . . . . . . . . 42 11. Security Considerations . . . . . . . . . . . . . . . . . . . 43
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 43 12. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 44
10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 43 13. References . . . . . . . . . . . . . . . . . . . . . . . . . . 44
10.1. Normative References . . . . . . . . . . . . . . . . . . . 43 13.1. Normative References . . . . . . . . . . . . . . . . . . . 44
10.2. Informative References . . . . . . . . . . . . . . . . . . 43 13.2. Informative References . . . . . . . . . . . . . . . . . . 44
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 46 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 47
1. Introduction 1. Introduction
In recent times, networked electronic devices have found an In recent times, networked electronic devices have found an
increasing number of applications in various fields. Yet, for increasing number of applications in various fields. Yet, for
reasons ranging from operational application to economics, these reasons ranging from operational application to economics, these
wired and wireless devices are often supplied with minimum physical wired and wireless devices are often supplied with minimum physical
resources; the constraints include those on computational resources resources; the constraints include those on computational resources
(RAM, clock speed, storage), communication resources (duty cycle, (RAM, clock speed, storage), communication resources (duty cycle,
packet size, etc.), but also form factors that may rule out user packet size, etc.), but also form factors that may rule out user
skipping to change at page 6, line 34 skipping to change at page 6, line 34
operates correctly. It entails implementing measures to ensure operates correctly. It entails implementing measures to ensure
controlled state changes on devices and network elements, both based controlled state changes on devices and network elements, both based
on external inputs (received via communications) or internal inputs on external inputs (received via communications) or internal inputs
(physical security of device itself and parameters maintained by the (physical security of device itself and parameters maintained by the
device, including, e.g., clock). State changes would thereby involve device, including, e.g., clock). State changes would thereby involve
not only authorization of injector's actions, authentication of not only authorization of injector's actions, authentication of
injectors, authentication, integrity, and potentially confidentiality injectors, authentication, integrity, and potentially confidentiality
of routing data, but also proper order of state changes through of routing data, but also proper order of state changes through
timeliness, since seriously delayed state changes, such as commands timeliness, since seriously delayed state changes, such as commands
or updates of routing tables, may negatively impact system operation. or updates of routing tables, may negatively impact system operation.
A security assesment can therefore begin with a focus on the
assetsRFC4949 [RFC4949]that may be the target of the state changes
and the access points in terms of interfaces and protocol exchanges
through which such changes may occur. In the case of routing
security the focus is directed towards the elements associated with
the establishment and maintenance of network connectivity.
This section sets the stage for the development of the analysis by This section sets the stage for the development of the analysis by
applying the systematic approach proposed in [Myagmar2005] to the applying the systematic approach proposed in [Myagmar2005] to the
routing security, while also drawing references from other reviews routing security, while also drawing references from other reviews
and assessments found in the literature, particularly, [RFC4593] and and assessments found in the literature, particularly, [RFC4593] and
[Karlof2003]. The subsequent subsections begin with a focus on the [Karlof2003]. The subsequent subsections begin with a focus on the
elements of a generic routing process that is used to establish elements of a generic routing process that is used to establish
routing assets and points of access to the routing functionality. routing assets and points of access to the routing functionality.
Next, the ISO 7498-2 security model is briefly described. Then, Next, the ISO 7498-2 security model is briefly described. Then,
consideration is given to issues specific to or amplified in LLNs. consideration is given to issues specific to or amplified in LLNs.
This section concludes with the formulation of a set of security This section concludes with the formulation of a set of security
objectives for ROLL. objectives for ROLL.
3.1. Routing Assets and Points of Access 3.1. Routing Assets and Points of Access
An asset implies an important system component (including An asset is an important system resource (including information,
information, process, or physical resource), the access to, process, or physical resource), the access to, corruption or loss of
corruption or loss of which adversely affects the system. In the which adversely affects the system. In the control plane context, an
control plane context, an asset is information about the network, asset is information about the network, processes used to manage and
processes used to manage and manipulate this data, and the physical manipulate this data, and the physical devices on which this data is
devices on which this data is stored and manipulated. The corruption stored and manipulated. The corruption or loss of these assets may
or loss of these assets may adversely impact the control plane of the adversely impact the control plane of the network. Within the same
network. Within the same context, a point of access is an interface context, a point of access is an interface or protocol that
or protocol that facilitates interaction between control plane facilitates interaction between control plane components.
components. Identifying these assets and points of access will Identifying these assets and points of access will provide a basis
provide a basis for enumerating the attack surface of the control for enumerating the attack surface of the control plane.
plane.
A level-0 data flow diagram [Yourdon1979] is used here to identify A level-0 data flow diagram [Yourdon1979] is used here to identify
the assets and points of access within a generic routing process. the assets and points of access within a generic routing process.
The use of a data flow diagram allows for a clear and concise model The use of a data flow diagram allows for a clear and concise model
of the way in which routing nodes interact and process information, of the way in which routing nodes interact and process information,
and hence provides a context for threats and attacks. The goal of and hence provides a context for threats and attacks. The goal of
the model is to be as detailed as possible so that corresponding the model is to be as detailed as possible so that corresponding
assets, points of access, and process in an individual routing assets, points of access, and process in an individual routing
protocol can be readily identified. protocol can be readily identified.
Figure 1 shows that nodes participating in the routing process Figure 1 shows that nodes participating in the routing process
transmit messages to discover neighbors and to exchange routing transmit messages to discover neighbors and to exchange routing
information; routes are then generated and stored, which may be information; routes are then generated and stored, which may be
maintained in the form of the protocol forwarding table. The nodes maintained in the form of the protocol forwarding table. The nodes
use the derived routes for making forwarding decisions. use the derived routes for making forwarding decisions.
................................................... ...................................................
: : : :
: : : :
|Node_i|<------->(Routing Neighbor _________________ : |Node_i|<------->(Routing Neighbor _________________ :
: Discovery)------------>Neighbor Topology : : Discovery)------------>Neighbor Topology :
: -------+--------- : : -------+--------- :
: | : : | :
|Node_j|<------->(Route/Topology +--------+ : |Node_j|<------->(Route/Topology +--------+ :
: Exchange) | : : Exchange) | :
: | V ______ : : | V ______ :
: +---->(Route Generation)--->Routes : : +---->(Route Generation)--->Routes :
: ---+-- : : ---+-- :
: | : : | :
: Routing on a Node Node_k | : : Routing on a Node Node_k | :
................................................... ...................................................
| |
|Forwarding | |Forwarding |
On Node_l|<-------------------------------------------+ |On Node_l|<-------------------------------------------+
Notation: Notation:
(Proc) A process Proc (Proc) A process Proc
________ ________
DataBase A data storage DataBase DataBase A data storage DataBase
-------- --------
|Node_n| An external entity Node_n |Node_n| An external entity Node_n
skipping to change at page 9, line 38 skipping to change at page 9, line 38
At the conceptual level, security within an information system in At the conceptual level, security within an information system in
general and applied to ROLL in particular is concerned with the general and applied to ROLL in particular is concerned with the
primary issues of authentication, access control, data primary issues of authentication, access control, data
confidentiality, data integrity, and non-repudiation. In the context confidentiality, data integrity, and non-repudiation. In the context
of ROLL of ROLL
Authentication Authentication
Authentication involves the mutual authentication of the Authentication involves the mutual authentication of the
routing peers prior to exchanging route information (i.e., peer routing peers prior to exchanging route information (i.e., peer
authentication) as well as ensuring that the source of the authentication) as well as ensuring that the source of the
route data is from the peer (i.e., data origin route data is from the peer (i.e., data origin authentication).
authentication).From 5478 LLNs can be drained by From 5478 LLNs can be drained by unauthenticated peers before
unauthenticated peers before confirguratin From 5673 This confirguratin From 5673 This requires availability of open and
requires availability of open and untrusted side channels for untrusted side channels for new joiners, and it requires strong
new joiners, and it requires strong and automated and automated authentication so that networks can automatically
authentication so that networks can automatically accept or accept or reject new joiners. spt: Do we need more here?
reject new joiners. spt: Do we need more here?
Access Control Access Control
Access Control provides protection against unauthorized use of Access Control provides protection against unauthorized use of
the asset. the asset, and deals with the authorization of a node.
Confidentiality Confidentiality
Confidentiality involves the protection of routing information Confidentiality involves the protection of routing information
as well as routing neighbor maintenance exchanges so that only as well as routing neighbor maintenance exchanges so that only
authorized and intended network entities may view or access it. authorized and intended network entities may view or access it.
Because LLNs are most commonly found on a publicly accessible Because LLNs are most commonly found on a publicly accessible
shared medium, e.g., air or wiring in a building, and sometimes shared medium, e.g., air or wiring in a building, and sometimes
formed ad hoc, confidentiality also extends to the neighbor formed ad hoc, confidentiality also extends to the neighbor
state and database information within the routing device since state and database information within the routing device since
the deployment of the network creates the potential for the deployment of the network creates the potential for
unauthorized access to the physical devices themselves. unauthorized access to the physical devices themselves.
Integrity Integrity
IIntegrity entails the protection of routing information and Integrity entails the protection of routing information and
routing neighbor maintenance exchanges, as well as derived routing neighbor maintenance exchanges, as well as derived
information maintained in the database, from unauthorized information maintained in the database, from unauthorized
modification, insertions, deletions or replays. to be addressed modification, insertions, deletions or replays. to be addressed
beyond the routing protocol. beyond the routing protocol.
Non-repudiation Non-repudiation
Non-repudiation is the assurance that the transmission and/or Non-repudiation is the assurance that the transmission and/or
reception of a message cannot later be denied. The service of reception of a message cannot later be denied. The service of
non-repudiation applies after-the-fact and thus relies on the non-repudiation applies after-the-fact and thus relies on the
logging or other capture of on-going message exchanges and logging or other capture of on-going message exchanges and
skipping to change at page 10, line 52 skipping to change at page 10, line 48
Availability Availability
Availability ensures that routing information exchanges and Availability ensures that routing information exchanges and
forwarding services need to be available when they are required forwarding services need to be available when they are required
for the functioning of the serving network. Availability will for the functioning of the serving network. Availability will
apply to maintaining efficient and correct operation of routing apply to maintaining efficient and correct operation of routing
and neighbor discovery exchanges (including needed information) and neighbor discovery exchanges (including needed information)
and forwarding services so as not to impair or limit the and forwarding services so as not to impair or limit the
network's central traffic flow function network's central traffic flow function
IIt should be emphasized here that for routing security the above It should be emphasized here that for ROLL security the above
requirements must be complemented by the proper security policies and requirements must be complemented by the proper security policies and
enforcement mechanisms to ensure that security objectives are met by enforcement mechanisms to ensure that security objectives are met by
a given routing protocol implementation. a given ROLL implementation.
3.3. Issues Specific to or Amplified in LLNs 3.3. Issues Specific to or Amplified in LLNs
The work [RFC5548], [RFC5673], [RFC5826], and [RFC5867] have The work [RFC5548], [RFC5673], [RFC5826], and [RFC5867] have
identified specific issues and constraints of routing in LLNs for the identified specific issues and constraints of routing in LLNs for the
urban, industrial, home automation, and building automation urban, industrial, home automation, and building automation
application domains, respectively. The following is a list of application domains, respectively. The following is a list of
observations and evaluation of their impact on routing security observations and evaluation of their impact on routing security
considerations. considerations.
skipping to change at page 13, line 21 skipping to change at page 13, line 14
o authorized peers authenticate themselves during the routing o authorized peers authenticate themselves during the routing
neighbor discovery process; neighbor discovery process;
o the routing/topology information received is generated according o the routing/topology information received is generated according
to the protocol design. to the protocol design.
However, when trust cannot be fully vested through authentication of However, when trust cannot be fully vested through authentication of
the principals alone, i.e., concerns of insider attack, assurance of the principals alone, i.e., concerns of insider attack, assurance of
the truthfulness and timeliness of the received routing/topology the truthfulness and timeliness of the received routing/topology
information is necessary. With regard to confidentiality, protecting information is necessary. With regard to confidentiality, protecting
the routing/topology information from eavesdropping or unauthorized the routing/topology information from unauthorized exposure may be
exposure may be desirable in certain cases but is in itself less desirable in certain cases but is in itself less pertinent in general
pertinent in general to the routing function. to the routing function.
One of the main problems of synchronizing security states of sleepy One of the main problems of synchronizing security states of sleepy
nodes, as listed in the last subsection, lies in difficulties in nodes, as listed in the last subsection, lies in difficulties in
authentication; these nodes may not have received in time the most authentication; these nodes may not have received in time the most
recent update of security material. Similarly, the issues of minimal recent update of security material. Similarly, the issues of minimal
manual configuration, prolonged rollout and delayed addition of manual configuration, prolonged rollout and delayed addition of
nodes, and network topology changes also complicate key management. nodes, and network topology changes also complicate key management.
Hence, routing in LLNs needs to bootstrap the authentication process Hence, routing in LLNs needs to bootstrap the authentication process
and allow for flexible expiration scheme of authentication and allow for flexible expiration scheme of authentication
credentials. credentials.
skipping to change at page 14, line 9 skipping to change at page 14, line 5
and possibly the confidentiality, of stored information, as well as and possibly the confidentiality, of stored information, as well as
the integrity of routing and route generation processes. the integrity of routing and route generation processes.
Each individual system's use and environment will dictate how the Each individual system's use and environment will dictate how the
above objectives are applied, including the choices of security above objectives are applied, including the choices of security
services as well as the strengths of the mechanisms that must be services as well as the strengths of the mechanisms that must be
implemented. The next two sections take a closer look at how the implemented. The next two sections take a closer look at how the
ROLL security objectives may be compromised and how those potential ROLL security objectives may be compromised and how those potential
compromises can be countered. compromises can be countered.
4. Threats and Attacks 4. Threat Sources
This section outlines general categories of threats under the CIA provides a detailed review of the threat sources: outsiders and
model and highlights the specific attacks in each of these categories byzantine. ROLL has the same threat sources. [RFC4593]
for ROLL. As defined in [RFC4949], a threat is "a potential for
violation of security, which exists when there is a circumstance, 5. Threats and Attacks
capability, action, or event that could breach security and cause
harm." An attack is "an assault on system security that derives from This section outlines general categories of threats under the ISO
an intelligent threat, i.e., an intelligent act that is a deliberate 7498-2 model and highlights the specific attacks in each of these
categories for ROLL. As defined in [RFC4949], a threat is "a
potential for violation of security, which exists when there is a
circumstance, capability, action, or event that could breach security
and cause harm."
An attack is "an assault on system security that derives from an
intelligent threat, i.e., an intelligent act that is a deliberate
attempt (especially in the sense of a method or technique) to evade attempt (especially in the sense of a method or technique) to evade
security services and violate the security policy of a system." security services and violate the security policy of a system."
The subsequent subsections consider the threats and their realizing The subsequent subsections consider the threats and the attacks that
attacks that can cause security breaches under the CIA model to the can cause security breaches under the ISO 7498-2 model to the routing
routing assets and via the routing points of access identified in assets and via the routing points of access identified in
Section 3.1. The assessment steps through the security concerns of Section 3.1. The assessment steps through the security concerns of
each routing asset and looks at the attacks that can exploit routing each routing asset and looks at the attacks that can exploit routing
points of access. The threats and attacks identified are based on points of access. The threats and attacks identified are based on
the routing model analysis and associated review of the existing the routing model analysis and associated review of the existing
literature. The manifestation of the attacks is assumed to be from literature. The source of the attacks is assumed to be from either
either inside or outside attackers, whose capabilities may be limited inside or outside attackers Section 4, whose capabilities may be
to node-equivalent or more sophisticated computing platforms. limited to node-equivalent or more sophisticated computing platforms.
4.1. Threats and Attacks on Confidentiality 5.1. Threats due to failures to Authenticate
The assessment in CIA indicates that routing information assets are 5.2. Threats due to failures to Authenticate
exposed to confidentiality threats from all points of access. The
confidentiality threat space is thus defined by the access to routing
information achievable through the communication exchanges between
routing nodes together with the direct access to information
maintained within the nodes.
4.1.1. Routing Exchange Exposure 5.3. Threats and Attacks on Confidentiality
The assessment in Section 3.2 indicates that there are threat actions
against the confidentiality of routing information at all points of
access. The confidentiality threat consequences is disclosure, see
Section 3.1.2 of [RFC4593]. For ROLL this is the disclosure of
routing information either by evesdropping on the communication
exchanges between routing nodes or by direct access of node's
information.
5.3.1. Routing Exchange Exposure
Routing exchanges include both routing information as well as Routing exchanges include both routing information as well as
information associated with the establishment and maintenance of information associated with the establishment and maintenance of
neighbor state information. As indicated in Section 3.1, the neighbor state information. As indicated in Section 3.1, the
associated routing information assets may also include device associated routing information assets may also include device
specific resource information, such as memory, remaining power, etc., specific resource information, such as memory, remaining power, etc.,
that may be metrics of the routing protocol. that may be metrics of the routing protocol.
The exposure of routing information exchanged will allow unauthorized The routing exchanges will contain reachability information, which
sources to gain access to the content of the exchanges between would identify the relative importance of different nodes in the
communicating nodes. The exposure of neighbor state information will network. Nodes higher up in the DODAG, to which more streams of
allow unauthorized sources to gain knowledge of communication links information flow, would be more interesting targets for other
between routing nodes that are necessary to maintain routing attacks, and routing exchange exposures can identify them.
information exchanges.
The forms of attack that allow unauthorized access or exposure of
routing exchange information include
o Deliberate exposure (where one party to the routing exchange is
able to independently provide unauthorized access);
o Sniffing (passive reading of transmitted data content);
o Traffic analysis (evaluation of the network routing header
information).
4.1.2. Routing Information (Routes and Network Topology) Exposure 5.3.2. Routing Information (Routes and Network Topology) Exposure
Routes (which may be maintained in the form of the protocol Routes (which may be maintained in the form of the protocol
forwarding table) and neighbor topology information are the products forwarding table) and neighbor topology information are the products
of the routing process that are stored within the node device of the routing process that are stored within the node device
databases. databases.
The exposure of this information will allow unauthorized sources to The exposure of this information will allow attachers to gain direct
gain direct access to the configuration and connectivity of the access to the configuration and connectivity of the network thereby
network thereby exposing routing to targeted attacks on key nodes or exposing routing to targeted attacks on key nodes or links. Since
links. Since routes and neighbor topology information is stored routes and neighbor topology information is stored within the node
within the node device, threats or attacks on the confidentiality of device, threats or attacks on the confidentiality of the information
the information will apply to the physical device including specified will apply to the physical device including specified and unspecified
and unspecified internal and external interfaces. internal and external interfaces.
The forms of attack that allow unauthorized access or exposure of the The forms of attack that allow unauthorized access or disclosure of
routing information (other than occurring through explicit node the routing information (other than occurring through explicit node
exchanges) will include exchanges) will include:
o Physical device compromise; o Physical device compromise;
o Remote device access attacks (including those occurring through o Remote device access attacks (including those occurring through
remote network management or software/field upgrade interfaces). remote network management or software/field upgrade interfaces).
More detailed descriptions of the exposure attacks on routing Both of these attack vectors are considered a device specific issue,
exchange and information will be given in Section 5 together with the and are out of scope for the RPL protocol to defend against. In some
corresponding countermeasures. applications, physical device compromise may be a real threat and it
may be necessary to provide for other devices to react quickly to
exclude a compromised device.
4.2. Threats and Attacks on Integrity 6. Threats and Attacks on Integrity
The assessment in CIA indicates that information and identity assets The assessment in Section 3.2 indicates that information and identity
are exposed to integrity threats from all points of access. In other assets are exposed to integrity threats from all points of access.
words, the integrity threat space is defined by the potential for In other words, the integrity threat space is defined by the
exploitation introduced by access to assets available through routing potential for exploitation introduced by access to assets available
exchanges and the on-device storage. through routing exchanges and the on-device storage.
4.2.1. Routing Information Manipulation 6.1. Routing Information Manipulation
Manipulation of routing information that range from neighbor states Manipulation of routing information that range from neighbor states
to derived routes will allow unauthorized sources to influence the to derived routes will allow unauthorized sources to influence the
operation and convergence of the routing protocols and ultimately operation and convergence of the routing protocols and ultimately
impact the forwarding decisions made in the network. Manipulation of impact the forwarding decisions made in the network.
topology and reachability information will allow unauthorized sources
to influence the nodes with which routing information is exchanged Manipulation of topology and reachability information will allow
and updated. The consequence of manipulating routing exchanges can unauthorized sources to influence the nodes with which routing
thus lead to sub-optimality and fragmentation or partitioning of the information is exchanged and updated. The consequence of
network by restricting the universe of routers with which manipulating routing exchanges can thus lead to sub-optimality and
associations can be established and maintained. For example, being fragmentation or partitioning of the network by restricting the
able to attract network traffic can make a blackhole attack more universe of routers with which associations can be established and
damaging. maintained.
A sub-optimal network may use too much power and/or may congest some
routes leading to premature failure of a node, and a denial of
service on the entire network.
In addition, being able to attract network traffic can make a
blackhole attack more damaging.
The forms of attack that allow manipulation to compromise the content The forms of attack that allow manipulation to compromise the content
and validity of routing information include and validity of routing information include
o Falsification, including overclaiming and misclaiming; o Falsification, including overclaiming and misclaiming;
o Routing information replay; o Routing information replay;
o Byzantine (internal) attacks that permit corruption of routing o Byzantine (internal) attacks that permit corruption of routing
information in the node even where the node continues to be a information in the node even where the node continues to be a
validated entity within the network (see, for example, [RFC4593] validated entity within the network (see, for example, [RFC4593]
for further discussions on Byzantine attacks); for further discussions on Byzantine attacks);
o Physical device compromise or remote device access attacks. o Physical device compromise or remote device access attacks.
4.2.2. Node Identity Misappropriation 6.2. Node Identity Misappropriation
Falsification or misappropriation of node identity between routing Falsification or misappropriation of node identity between routing
participants opens the door for other attacks; it can also cause participants opens the door for other attacks; it can also cause
incorrect routing relationships to form and/or topologies to emerge. incorrect routing relationships to form and/or topologies to emerge.
Routing attacks may also be mounted through less sophisticated node Routing attacks may also be mounted through less sophisticated node
identity misappropriation in which the valid information broadcast or identity misappropriation in which the valid information broadcast or
exchanged by a node is replayed without modification. The receipt of exchanged by a node is replayed without modification. The receipt of
seemingly valid information that is however no longer current can seemingly valid information that is however no longer current can
result in routing disruption, and instability (including failure to result in routing disruption, and instability (including failure to
converge). Without measures to authenticate the routing participants converge). Without measures to authenticate the routing participants
and to ensure the freshness and validity of the received information and to ensure the freshness and validity of the received information
the protocol operation can be compromised. The forms of attack that the protocol operation can be compromised. The forms of attack that
misuse node identity include misuse node identity include
o Identity attacks, including Sybil attacks in which a malicious o Identity attacks, including Sybil attacks in which a malicious
node illegitimately assumes multiple identities; node illegitimately assumes multiple identities;
o Routing information replay. o Routing information replay.
4.3. Threats and Attacks on Availability 7. Threats and Attacks on Availability
The assessment in CIA indicates that the process and resources assets The assessment in Section 3.2 indicates that the process and
are exposed to availability threats; attacks of this category may resources assets are exposed to threats against availability; attacks
exploit directly or indirectly information exchange or forwarding in this category may exploit directly or indirectly information
(see [RFC4732] for a general discussion). exchange or forwarding (see [RFC4732] for a general discussion).
4.3.1. Routing Exchange Interference or Disruption 7.1. Routing Exchange Interference or Disruption
Interference or disruption of routing information exchanges will Interference is the threat action and disruption is threat
allow unauthorized sources to influence the operation and convergence consequence that allows attackers to influence the operation and
of the routing protocols by impeding the regularity of routing convergence of the routing protocols by impeding the routing
information exchange. information exchange.
The forms of attack that allow interference or disruption of routing The forms of attack that allow interference or disruption of routing
exchange include exchange include:
o Routing information replay; o Routing information replay;
o HELLO flood attacks and ACK spoofing; o ACK spoofing;
o Overload attacks. o Overload attacks.
In addition, attacks may also be directly conducted at the physical In addition, attacks may also be directly conducted at the physical
layer in the form of jamming or interfering. layer in the form of jamming or interfering.
4.3.2. Network Traffic Forwarding Disruption 7.2. Network Traffic Forwarding Disruption
The disruption of the network traffic forwarding capability of the The disruption of the network traffic forwarding capability will
network will undermine the central function of network routers and undermine the central function of network routers and the ability to
the ability to handle user traffic. This threat and the associated handle user traffic. This affects the availability of the network
attacks affect the availability of the network because of the because of the potential to impair the primary capability of the
potential to impair the primary capability of the network. network.
In addition to physical layer obstructions, the forms of attack that In addition to physical layer obstructions, the forms of attack that
allows disruption of network traffic forwarding include [Karlof2003] allows disruption of network traffic forwarding include [Karlof2003]
o Selective forwarding attacks; o Selective forwarding attacks;
o Wormhole attacks; o Wormhole attacks;
o Sinkhole attacks. o Sinkhole attacks.
For reference, Figure 2 depicts the above listed three types of For reference, Figure 2 depicts the above listed three types of
attacks. attacks.
|Node_1|--(msg1|msg2|msg3)-->|Attacker|--(msg1|msg3)-->|Node_2| |Node_1|--(msg1|msg2|msg3)-->|Attacker|--(msg1|msg3)-->|Node_2|
(a) Selective Forwarding (a) Selective Forwarding
|Node_1|-------------Unreachable---------x|Node_2| |Node_1|-------------Unreachable---------x|Node_2|
| ^ | ^
| Private Link | | Private Link |
'-->|Attacker_1|===========>|Attacker_2|--' '-->|Attacker_1|===========>|Attacker_2|--'
(b) Wormhole (b) Wormhole
|Node_1| |Node_4| |Node_1| |Node_4|
| | | |
`--------. | `--------. |
Falsify as \ | Falsify as \ |
Good Link \ | | Good Link \ | |
To Node_5 \ | | To Node_5 \ | |
\ V V \ V V
|Node_2|-->|Attacker|--Not Forwarded---x|Node_5| |Node_2|-->|Attacker|--Not Forwarded---x|Node_5|
^ ^ \ ^ ^ \
| | \ Falsify as | | \ Falsify as
| | \Good Link | | \Good Link
/ | To Node_5 / | To Node_5
,-------' | ,-------' |
| | | |
|Node_3| |Node_i| |Node_3| |Node_i|
(c) Sinkhole (c) Sinkhole
Figure 2: Selective Forwarding, Wormhole, and Sinkhole Attacks Figure 2: Selective Forwarding, Wormhole, and Sinkhole Attacks
4.3.3. Communications Resource Disruption 7.3. Communications Resource Disruption
Attacks mounted against the communication channel resource assets Attacks mounted against the communication channel resource assets
needed by the routing protocol can be used as a means of disrupting needed by the routing protocol can be used as a means of disrupting
its operation. However, while various forms of Denial of Service its operation. However, while various forms of Denial of Service
(DoS) attacks on the underlying transport subsystem will affect (DoS) attacks on the underlying transport subsystem will affect
routing protocol exchanges and operation (for example physical layer routing protocol exchanges and operation (for example physical layer
RF jamming in a wireless network or link layer attacks), these RF jamming in a wireless network or link layer attacks), these
attacks cannot be countered by the routing protocol. As such, the attacks cannot be countered by the routing protocol. As such, the
threats to the underlying transport network that supports routing is threats to the underlying transport network that supports routing is
considered beyond the scope of the current document. Nonetheless, considered beyond the scope of the current document. Nonetheless,
attacks on the subsystem will affect routing operation and so must be attacks on the subsystem will affect routing operation and so must be
directly addressed within the underlying subsystem and its directly addressed within the underlying subsystem and its
implemented protocol layers. implemented protocol layers.
4.3.4. Node Resource Exhaustion 7.4. Node Resource Exhaustion
A potential security threat to routing can arise from attempts to A potential threat consequence can arise from attempts to overload
exhaust the node resource asset by initiating exchanges that can lead the node resource asset by initiating exchanges that can lead to the
to the undue utilization or exhaustion of processing, memory, or exhaustion of processing, memory, or energy resources. The
energy resources. The establishment and maintenance of routing establishment and maintenance of routing neighbors opens the routing
neighbors opens the routing process to engagement and potential process to engagement and potential acceptance of multiple
acceptance of multiple neighboring peers. Association information neighboring peers. Association information must be stored for each
must be stored for each peer entity and for the wireless network peer entity and for the wireless network operation provisions made to
operation provisions made to periodically update and reassess the periodically update and reassess the associations. An introduced
associations. An introduced proliferation of apparent routing peers proliferation of apparent routing peers can therefore have a negative
can therefore have a negative impact on node resources. impact on node resources.
Node resources may also be unduly consumed by the attackers Node resources may also be unduly consumed by attackers attempting
attempting uncontrolled topology peering or routing exchanges, uncontrolled topology peering or routing exchanges, routing replays,
routing replays, or the generating of other data traffic floods. or the generating of other data traffic floods. Beyond the
Beyond the disruption of communications channel resources, these disruption of communications channel resources, these consequences
threats may be able to exhaust node resources only where the may be able to exhaust node resources only where the engagements are
engagements are able to proceed with the peer routing entities. able to proceed with the peer routing entities. Routing operation
Routing operation and network forwarding functions can thus be and network forwarding functions can thus be adversely impacted by
adversely impacted by node resources exhaustion that stems from node resources exhaustion that stems from attacks that include:
attacks that include
o Identity (including Sybil) attacks; o Identity (including Sybil) attacks;
o Routing information replay attacks; o Routing information replay attacks;
o HELLO flood attacks and ACK spoofing; o HELLO flood attacks;
o Overload attacks. o Overload attacks.
5. Countermeasures 8. Countermeasures
By recognizing the characteristics of LLNs that may impact routing By recognizing the characteristics of LLNs that may impact routing,
and identifying potential countermeasures, this analysis provides the this analysis provides the basis for developing capabilities within
basis for developing capabilities within ROLL protocols to deter the ROLL protocols to deter the identified attacks and mitigate the
identified attacks and mitigate the threats. The following threats. The following subsections consider such countermeasures by
subsections consider such countermeasures by grouping the attacks grouping the attacks according to the classification of the ISO
according to the classification of the CIA model so that associations 7498-2 model so that associations with the necessary security
with the necessary security services are more readily visible. services are more readily visible. However, the considerations here
However, the considerations here are more systematic than confined to are more systematic than confined to means available only within
means available only within routing; the next section will then routing; the next section will then distill and make recommendations
distill and make recommendations appropriate for a secured ROLL appropriate for a secured ROLL protocol.
protocol.
5.1. Confidentiality Attack Countermeasures 8.1. Confidentiality Attack Countermeasures
Attacks on confidentiality may be mounted at the level of the routing Attacks to disclosure routing information may be mounted at the level
information assets, at the points of access associated with routing of the routing information assets, at the points of access associated
exchanges between nodes, or through device interface access. To gain with routing exchanges between nodes, or through device interface
access to routing/topology information, the attacker may rely on a access. To gain access to routing/topology information, the attacker
compromised node that deliberately exposes the information during the may rely on a compromised node that deliberately exposes the
routing exchange process, may rely on passive sniffing or analysis of information during the routing exchange process, may rely on passive
routing traffic, or may attempt access through a component or device sniffing or traffic analysis, or may attempt access through a
interface of a tampered routing node. component or device interface of a tampered routing node.
5.1.1. Countering Deliberate Exposure Attacks 8.1.1. Countering Deliberate Exposure Attacks
A deliberate exposure attack is one in which an entity that is party A deliberate exposure attack is one in which an entity that is party
to the routing process or topology exchange allows the routing/ to the routing process or topology exchange allows the routing/
topology information or generated route information to be exposed to topology information or generated route information to be exposed to
an unauthorized entity during the exchange. an unauthorized entity.
A prerequisite to countering this type of confidentiality attacks A prerequisite to countering this attack is to ensure that the
associated with the routing/topology exchange is to ensure that the
communicating nodes are authenticated prior to data encryption communicating nodes are authenticated prior to data encryption
applied in the routing exchange. Authentication ensures that the applied in the routing exchange. Authentication ensures that the
nodes are who they claim to be even though it does not provide an nodes are who they claim to be even though it does not provide an
indication of whether the node has been compromised. indication of whether the node has been compromised.
To prevent deliberate exposure, the process that communicating nodes To mitigate the risk of deliberate exposure, the process that
use for establishing communication session keys must be peer-to-peer, communicating nodes use to establish session keys must be peer-to-
between the routing initiating and responding nodes, so that neither peer (i.e., between the routing initiating and responding nodes).
node can independently weaken the confidentiality of the exchange This helps ensure that neither node is exchaning routing information
without the knowledge of its communicating peer. A deliberate with another peer without the knowledge of both communicating
exposure attack will therefore require more overt and independent peerscan. For a deliberate exposure attack to succeed, the comprised
action on the part of the offending node. node will need to more overt and take independent actions in order to
disclose the routing information to 3rd party.
Note that the same measures which apply to securing routing/topology Note that the same measures which apply to securing routing/topology
exchanges between operational nodes must also extend to field tools exchanges between operational nodes must also extend to field tools
and other devices used in a deployed network where such devices can and other devices used in a deployed network where such devices can
be configured to participate in routing exchanges. be configured to participate in routing exchanges.
5.1.2. Countering Sniffing Attacks 8.1.2. Countering Sniffing Attacks
A sniffing attack seeks to breach routing confidentiality through A sniffing attack seeks to breach routing confidentiality through
passive, direct analysis and processing of the information exchanges passive, direct analysis and processing of the information exchanges
between nodes. A sniffing attack in an LLN that is not based on a between nodes. A sniffing attack in an LLN that is not based on a
physical device compromise will rely on the attacker attempting to physical device compromise will rely on the attacker attempting to
directly derive information from the over-the-shared-medium routing/ directly derive information from the over-the-shared-medium routing/
topology communication exchange (neighbor discovery exchanges may of topology communication exchange (neighbor discovery exchanges may of
necessity be conducted in the clear thus limiting the extent to which necessity be conducted in the clear thus limiting the extent to which
the information can be kept confidential). the information can be kept confidential).
Sniffing attacks can be directly countered through the use of data Sniffing attacks can be directly countered through the use of data
encryption for all routing exchanges. Only when a validated and encryption for all routing exchanges. Only when a validated and
authenticated node association is completed will routing exchange be authenticated node association is completed will routing exchange be
allowed to proceed using established session confidentiality keys and allowed to proceed using established session keys and an agreed
an agreed confidentiality algorithm. The level of security applied encryption algorithm. The strength of the encryption algorithm and
in providing confidentiality will determine the minimum requirement session key sizes will determine the minimum requirement for an
for an attacker mounting this passive security attack. The attacker mounting this passive security attack. The possibility of
possibility of incorporating options for security level and incorporating options for security level and algorithms is further
algorithms is further considered in Section 6.5. Because of the considered in Section 9.5. Because of the resource constraints of
resource constraints of LLN devices, symmetric (private) key session LLN devices, symmetric (private) key encryption will provide the best
security will provide the best trade-off in terms of node and channel trade-off in terms of node and channel resource overhead and the
resource overhead and the level of security achieved. This will of level of security achieved. This will of course not preclude the use
course not preclude the use of asymmetric (public) key encryption of asymmetric (public) key encryption during the session key
during the session key establishment phase. establishment phase.
As with the key establishment process, data encryption must include As with the key establishment process, data encryption must include
an authentication prerequisite to ensure that each node is an authentication prerequisite to ensure that each node is
implementing a level of security that prevents deliberate or implementing a level of security that prevents deliberate or
inadvertent exposure. The authenticated key establishment will inadvertent exposure. The authenticated key establishment will
ensure that confidentiality is not compromised by providing the ensure that confidentiality is not compromised by providing the
information to an unauthorized entity (see also [Huang2003]). information to an unauthorized entity (see also [Huang2003]).
Based on the current state of the art, a minimum 128-bit key length Based on the current state of the art, a minimum 128-bit key length
should be applied where robust confidentiality is demanded for should be applied where robust confidentiality is demanded for
skipping to change at page 22, line 6 skipping to change at page 22, line 40
with an encryption algorithm that has been publicly vetted and where with an encryption algorithm that has been publicly vetted and where
applicable approved for the level of security desired. Algorithms applicable approved for the level of security desired. Algorithms
such as the Advanced Encryption Standard (AES) [FIPS197], adopted by such as the Advanced Encryption Standard (AES) [FIPS197], adopted by
the U.S. government, or Kasumi-Misty [Kasumi3gpp], adopted by the the U.S. government, or Kasumi-Misty [Kasumi3gpp], adopted by the
3GPP 3rd generation wireless mobile consortium, are examples of 3GPP 3rd generation wireless mobile consortium, are examples of
symmetric-key algorithms capable of ensuring robust confidentiality symmetric-key algorithms capable of ensuring robust confidentiality
for routing exchanges. The key length, algorithm and mode of for routing exchanges. The key length, algorithm and mode of
operation will be selected as part of the overall security trade-off operation will be selected as part of the overall security trade-off
that also achieves a balance with the level of confidentiality that also achieves a balance with the level of confidentiality
afforded by the physical device in protecting the routing assets (see afforded by the physical device in protecting the routing assets (see
Section 5.1.4 below). Section 8.1.4 below).
As with any encryption algorithm, the use of ciphering As with any encryption algorithm, the use of ciphering
synchronization parameters and limitations to the usage duration of synchronization parameters and limitations to the usage duration of
established keys should be part of the security specification to established keys should be part of the security specification to
reduce the potential for brute force analysis. reduce the potential for brute force analysis.
5.1.3. Countering Traffic Analysis 8.1.3. Countering Traffic Analysis
Traffic analysis provides an indirect means of subverting Traffic analysis provides an indirect means of subverting
confidentiality and gaining access to routing information by allowing confidentiality and gaining access to routing information by allowing
an attacker to indirectly map the connectivity or flow patterns an attacker to indirectly map the connectivity or flow patterns
(including link-load) of the network from which other attacks can be (including link-load) of the network from which other attacks can be
mounted. The traffic analysis attack on an LLN, especially one mounted. The traffic analysis attack on an LLN, especially one
founded on shared medium, may be passive and relying on the ability founded on shared medium, is passive and relies on the ability to
to read the immutable source/destination routing information that read the immutable source/destination routing information that must
must remain unencrypted to permit network routing. Alternatively, remain unencrypted to permit network routing. Alternatively, attacks
attacks can be active through the injection of unauthorized discovery can be mounted through the injection of unauthorized discovery
traffic into the network. By implementing authentication measures traffic into the network. By implementing authentication measures
between communicating nodes, active traffic analysis attacks can be between communicating nodes, active traffic analysis attacks can be
prevented within the LLN thereby reducing confidentiality prevented within the LLN thereby reducing confidentiality
vulnerabilities to those associated with passive analysis. vulnerabilities to those associated with passive analysis.
One way in which passive traffic analysis attacks can be muted is One way in which passive traffic analysis attacks can be muted is
through the support of load balancing that allows traffic to a given through the support of load balancing that allows traffic to a given
destination to be sent along diverse routing paths. Where the destination to be sent along diverse routing paths. Where the
routing protocol supports load balancing along multiple links at each routing protocol supports load balancing along multiple links at each
node, the number of routing permutations in a wide area network node, the number of routing permutations in a wide area network
skipping to change at page 23, line 11 skipping to change at page 23, line 44
through the use of tunneling (encapsulation) where encryption is through the use of tunneling (encapsulation) where encryption is
applied across the entirety of the original packet source/destination applied across the entirety of the original packet source/destination
addresses. With tunneling there is a further requirement that the addresses. With tunneling there is a further requirement that the
encapsulating intermediate nodes apply an additional layer of routing encapsulating intermediate nodes apply an additional layer of routing
so that traffic arrives at the destination through dynamic routes. so that traffic arrives at the destination through dynamic routes.
For some LLNs, memory and processing constraints as well as the For some LLNs, memory and processing constraints as well as the
limitations of the communication channel will preclude both the limitations of the communication channel will preclude both the
additional routing traffic overhead and the node implementation additional routing traffic overhead and the node implementation
required for tunneling countermeasures to traffic analysis. required for tunneling countermeasures to traffic analysis.
5.1.4. Countering Physical Device Compromise 8.1.4. Countering Physical Device Compromise
Section 4 identified that many threats to the routing functionality Section 5 identified that many threats to the routing functionality
may involve compromised devices. For the sake of completeness, this may involve compromised devices. For the sake of completeness, this
subsection examines how to counter physical device compromise, subsection examines how to counter physical device compromise,
without restricting the consideration to only those methods and without restricting the consideration to only those methods and
apparatuses available to an LLN routing protocol. apparatuses available to an LLN routing protocol.
Given the distributed nature of LLNs and the varying environment of Given the distributed nature of LLNs and the varying environment of
deployed devices, confidentiality of routing assets and points of deployed devices, confidentiality of routing assets and points of
access may rely heavily on the security of the routing devices. One access may rely heavily on the security of the routing devices. One
means of precluding attacks on the physical device is to prevent means of precluding attacks on the physical device is to prevent
physical access to the node through other external security means. physical access to the node through other external security means.
skipping to change at page 25, line 5 skipping to change at page 25, line 35
The above identified countermeasures against attacks on routing The above identified countermeasures against attacks on routing
information confidentiality through internal device interface information confidentiality through internal device interface
compromise must be part of the larger LLN system security as they compromise must be part of the larger LLN system security as they
cannot be addressed within the routing protocol itself. Similarly, cannot be addressed within the routing protocol itself. Similarly,
the use of field tools or other devices that allow explicit access to the use of field tools or other devices that allow explicit access to
node information must implement security mechanisms to ensure that node information must implement security mechanisms to ensure that
routing information can be protected against unauthorized access. routing information can be protected against unauthorized access.
These protections will also be external to the routing protocol and These protections will also be external to the routing protocol and
hence not part of ROLL. hence not part of ROLL.
5.1.5. Countering Remote Device Access Attacks 8.1.5. Countering Remote Device Access Attacks
Where LLN nodes are deployed in the field, measures are introduced to Where LLN nodes are deployed in the field, measures are introduced to
allow for remote retrieval of routing data and for software or field allow for remote retrieval of routing data and for software or field
upgrades. These paths create the potential for a device to be upgrades. These paths create the potential for a device to be
remotely accessed across the network or through a provided field remotely accessed across the network or through a provided field
tool. In the case of network management a node can be directly tool. In the case of network management a node can be directly
requested to provide routing tables and neighbor information. requested to provide routing tables and neighbor information.
To ensure confidentiality of the node routing information against To ensure confidentiality of the node routing information against
attacks through remote access, any local or remote device requesting attacks through remote access, any local or remote device requesting
routing information must be authenticated to ensure authorized routing information must be authenticated to ensure authorized
access. Since remote access is not invoked as part of a routing access. Since remote access is not invoked as part of a routing
protocol security of routing information stored on the node against protocol security of routing information stored on the node against
remote access will not be addressable as part of the routing remote access will not be addressable as part of the routing
protocol. protocol.
5.2. Integrity Attack Countermeasures 8.2. Integrity Attack Countermeasures
Integrity attack countermeasures address routing information Integrity attack countermeasures address routing information
manipulation, as well as node identity and routing information manipulation, as well as node identity and routing information
misuse. Manipulation can occur in the form of falsification attack misuse. Manipulation can occur in the form of falsification attack
and physical compromise. To be effective, the following development and physical compromise. To be effective, the following development
considers the two aspects of falsification, namely, the unauthorized considers the two aspects of falsification, namely, the unauthorized
modifications and the overclaiming and misclaiming content. The modifications and the overclaiming and misclaiming content. The
countering of physical compromise was considered in the previous countering of physical compromise was considered in the previous
section and is not repeated here. With regard to misuse, there are section and is not repeated here. With regard to misuse, there are
two types of attacks to be deterred, identity attacks and replay two types of attacks to be deterred, identity attacks and replay
attacks. attacks.
5.2.1. Countering Unauthorized Modification Attacks 8.2.1. Countering Unauthorized Modification Attacks
Unauthorized modifications may occur in the form of altering the Unauthorized modifications may occur in the form of altering the
message being transferred or the data stored. Therefore, it is message being transferred or the data stored. Therefore, it is
necessary to ensure that only authorized nodes can change the portion necessary to ensure that only authorized nodes can change the portion
of the information that is allowed to be mutable, while the integrity of the information that is allowed to be mutable, while the integrity
of the rest of the information is protected, e.g., through well- of the rest of the information is protected, e.g., through well-
studied cryptographic mechanisms. studied cryptographic mechanisms.
Unauthorized modifications may also occur in the form of insertion or Unauthorized modifications may also occur in the form of insertion or
deletion of messages during protocol changes. Therefore, the deletion of messages during protocol changes. Therefore, the
protocol needs to ensure the integrity of the sequence of the protocol needs to ensure the integrity of the sequence of the
exchange sequence. exchange sequence.
The countermeasure to unauthorized modifications needs to The countermeasure to unauthorized modifications needs to:
o implement access control on storage; o implement access control on storage;
o provide data integrity service to transferred messages and stored o provide data integrity service to transferred messages and stored
data; data;
o include sequence number under integrity protection. o include sequence number under integrity protection.
5.2.2. Countering Overclaiming and Misclaiming Attacks 8.2.2. Countering Overclaiming and Misclaiming Attacks
Both overclaiming and misclaiming aim to introduce false routes or Both overclaiming and misclaiming aim to introduce false routes or
topology that would not be generated by the network otherwise, while topology that would not be generated by the network otherwise, while
there are not necessarily unauthorized modifications to the routing there are not necessarily unauthorized modifications to the routing
messages or information. The requisite for a counter is the messages or information. The requisite for a counter is the
capability to determine unreasonable routes or topology. capability to determine unreasonable routes or topology.
The counter to overclaiming and misclaiming may employ The counter to overclaiming and misclaiming may employ:
o comparison with historical routing/topology data; o comparison with historical routing/topology data;
o designs which restrict realizable network topologies. o designs which restrict realizable network topologies.
5.2.3. Countering Identity (including Sybil) Attacks 8.2.3. Countering Identity (including Sybil) Attacks
Identity attacks, sometimes simply called spoofing, seek to gain or Identity attacks, sometimes simply called spoofing, seek to gain or
damage assets whose access is controlled through identity. In damage assets whose access is controlled through identity. In
routing, an identity attacker can illegitimately participate in routing, an identity attacker can illegitimately participate in
routing exchanges, distribute false routing information, or cause an routing exchanges, distribute false routing information, or cause an
invalid outcome of a routing process. invalid outcome of a routing process.
A perpetrator of Sybil attacks assumes multiple identities. The A perpetrator of Sybil attacks assumes multiple identities. The
result is not only an amplification of the damage to routing, but result is not only an amplification of the damage to routing, but
extension to new areas, e.g., where geographic distribution is extension to new areas, e.g., where geographic distribution is
skipping to change at page 27, line 5 skipping to change at page 27, line 32
be through the use of shared key- or public key-based authentication be through the use of shared key- or public key-based authentication
scheme. On the one hand, the large-scale nature of the LLNs makes scheme. On the one hand, the large-scale nature of the LLNs makes
the network-wide shared key scheme undesirable from a security the network-wide shared key scheme undesirable from a security
perspective; on the other hand, public-key based approaches generally perspective; on the other hand, public-key based approaches generally
require more computational resources. Each system will need to make require more computational resources. Each system will need to make
trade-off decisions based on its security requirements. As an trade-off decisions based on its security requirements. As an
example, [Wander2005] compared the energy consumption between two example, [Wander2005] compared the energy consumption between two
public-key algorithms on a low-power microcontroller, with reference public-key algorithms on a low-power microcontroller, with reference
to a symmetric-key algorithm and a hash algorithm. to a symmetric-key algorithm and a hash algorithm.
5.2.4. Countering Routing Information Replay Attacks 8.2.4. Countering Routing Information Replay Attacks
In routing, message replay can result in false topology and/or In routing, message replay can result in false topology and/or
routes. The counter of replay attacks needs to ensure the freshness routes. The counter of replay attacks needs to ensure the freshness
of the message. On the one hand, there are a number of mechanisms of the message. On the one hand, there are a number of mechanisms
commonly used for countering replay, e.g., with a counter. On the commonly used for countering replay, e.g., with a counter. On the
other hand, the choice should take into account how a particular other hand, the choice should take into account how a particular
mechanism is made available in an LLN. For example, many LLNs have a mechanism is made available in an LLN. For example, many LLNs have a
central source of time and have it distributed by relaying, such that central source of time and have it distributed by relaying, such that
secured time distribution becomes a prerequisite of using secured time distribution becomes a prerequisite of using
timestamping to counter replay. timestamping to counter replay.
5.2.5. Countering Byzantine Routing Information Attacks 8.2.5. Countering Byzantine Routing Information Attacks
Where a node is captured or compromised but continues to operate for Where a node is captured or compromised but continues to operate for
a period with valid network security credentials, the potential a period with valid network security credentials, the potential
exists for routing information to be manipulated. This compromise of exists for routing information to be manipulated. This compromise of
the routing information could thus exist in spite of security the routing information could thus exist in spite of security
countermeasures that operate between the peer routing devices. countermeasures that operate between the peer routing devices.
Consistent with the end-to-end principle of communications, such an Consistent with the end-to-end principle of communications, such an
attack can only be fully addressed through measures operating attack can only be fully addressed through measures operating
directly between the routing entities themselves or by means of directly between the routing entities themselves or by means of
skipping to change at page 28, line 12 skipping to change at page 28, line 41
only be validated by initiating confirmation exchanges directly only be validated by initiating confirmation exchanges directly
between nodes that are not routing neighbors. between nodes that are not routing neighbors.
Alternatively, an entity external to the routing protocol would be Alternatively, an entity external to the routing protocol would be
required to collect and audit routing information exchanges to detect required to collect and audit routing information exchanges to detect
the Byzantine attack. In the context of the current security the Byzantine attack. In the context of the current security
analysis, any protection against Byzantine routing information analysis, any protection against Byzantine routing information
attacks will need to be directly included within the mechanisms of attacks will need to be directly included within the mechanisms of
the ROLL routing protocol. This can be implemented where such an the ROLL routing protocol. This can be implemented where such an
attack is considered relevant even within the physical device attack is considered relevant even within the physical device
protections discussed in Section 5.1.4. protections discussed in Section 8.1.4.
5.3. Availability Attack Countermeasures 8.3. Availability Attack Countermeasures
As alluded to before, availability requires that routing information As alluded to before, availability requires that routing information
exchanges and forwarding mechanisms be available when needed so as to exchanges and forwarding mechanisms be available when needed so as to
guarantee proper functioning of the network. This may, e.g., include guarantee proper functioning of the network. This may, e.g., include
the correct operation of routing information and neighbor state the correct operation of routing information and neighbor state
information exchanges, among others. We will highlight the key information exchanges, among others. We will highlight the key
features of the security threats along with typical countermeasures features of the security threats along with typical countermeasures
to prevent or at least mitigate them. We will also note that an to prevent or at least mitigate them. We will also note that an
availability attack may be facilitated by an identity attack as well availability attack may be facilitated by an identity attack as well
as a replay attack, as was addressed in Section 5.2.3 and as a replay attack, as was addressed in Section 8.2.3 and
Section 5.2.4, respectively. Section 8.2.4, respectively.
5.3.1. Countering HELLO Flood Attacks and ACK Spoofing Attacks 8.3.1. Countering HELLO Flood Attacks and ACK Spoofing Attacks
HELLO Flood [Karlof2003],[I-D.suhopark-hello-wsn] and ACK Spoofing HELLO Flood [Karlof2003],[I-D.suhopark-hello-wsn] and ACK Spoofing
attacks are different but highly related forms of attacking an LLN. attacks are different but highly related forms of attacking an LLN.
They essentially lead nodes to believe that suitable routes are They essentially lead nodes to believe that suitable routes are
available even though they are not and hence constitute a serious available even though they are not and hence constitute a serious
availability attack. availability attack.
The origin of facilitating a HELLO flood attack lies in the fact that The origin of facilitating a HELLO flood attack lies in the fact that
many routing protocols require nodes to send HELLO packets either many routing protocols require nodes to send HELLO packets either
upon joining or in regular intervals so as to announce or confirm upon joining or in regular intervals so as to announce or confirm
skipping to change at page 29, line 45 skipping to change at page 30, line 25
As for the latter, the adversary may spoof the ACK messages to As for the latter, the adversary may spoof the ACK messages to
convince the affected node that the link is truly bidirectional and convince the affected node that the link is truly bidirectional and
thereupon drop, tunnel or selectively forward messages. Such ACK thereupon drop, tunnel or selectively forward messages. Such ACK
spoofing attack is possible if the malicious node has a receiver spoofing attack is possible if the malicious node has a receiver
which is significantly more sensitive than that of a normal node, which is significantly more sensitive than that of a normal node,
thereby effectively extending its range. Since an ACK spoofing thereby effectively extending its range. Since an ACK spoofing
attack facilitates a HELLO flood attack, similar countermeasure are attack facilitates a HELLO flood attack, similar countermeasure are
applicable here. Viable counter and security measures for both applicable here. Viable counter and security measures for both
attacks have been exposed in [I-D.suhopark-hello-wsn] attacks have been exposed in [I-D.suhopark-hello-wsn]
5.3.2. Countering Overload Attacks 8.3.2. Countering Overload Attacks
Overload attacks are a form of DoS attack in that a malicious node Overload attacks are a form of DoS attack in that a malicious node
overloads the network with irrelevant traffic, thereby draining the overloads the network with irrelevant traffic, thereby draining the
nodes' energy store quicker, when the nodes rely on batteries or nodes' energy store more quickly, when the nodes rely on batteries or
energy scavenging. It thus significantly shortens the lifetime of energy scavenging. It thus significantly shortens the lifetime of
networks of energy-constrained nodes and constitutes another serious networks of energy-constrained nodes and constitutes another serious
availability attack. availability attack.
With energy being one of the most precious assets of LLNs, targeting With energy being one of the most precious assets of LLNs, targeting
its availability is a fairly obvious attack. Another way of its availability is a fairly obvious attack. Another way of
depleting the energy of an LLN node is to have the malicious node depleting the energy of an LLN node is to have the malicious node
overload the network with irrelevant traffic. This impacts overload the network with irrelevant traffic. This impacts
availability since certain routes get congested which availability since certain routes get congested which:
o renders them useless for affected nodes and data can hence not be o renders them useless for affected nodes and data can hence not be
delivered; delivered;
o makes routes longer as shortest path algorithms work with the o makes routes longer as shortest path algorithms work with the
congested network; congested network;
o depletes battery and energy scavenging nodes quicker and thus o depletes battery and energy scavenging nodes quicker and thus
shortens the network's availability at large. shortens the network's availability at large.
skipping to change at page 31, line 5 skipping to change at page 31, line 34
encrypt messages need to be cautious of cryptographic processing encrypt messages need to be cautious of cryptographic processing
usage when validating signatures and encrypting messages. Where usage when validating signatures and encrypting messages. Where
feasible, certificates should be validated prior to use of the feasible, certificates should be validated prior to use of the
associated keys to counter potential resource overloading attacks. associated keys to counter potential resource overloading attacks.
The associated design decision needs to also consider that the The associated design decision needs to also consider that the
validation process requires resources and thus itself could be validation process requires resources and thus itself could be
exploited for attacks. Alternatively, resource management limits can exploited for attacks. Alternatively, resource management limits can
be placed on routing security processing events (see the comment in be placed on routing security processing events (see the comment in
Section 6, paragraph 4, of [RFC5751]). Section 6, paragraph 4, of [RFC5751]).
5.3.3. Countering Selective Forwarding Attacks 8.3.3. Countering Selective Forwarding Attacks
Selective forwarding attacks are another form of DoS attack which Selective forwarding attacks are another form of DoS attack which
impacts the routing path availability. impacts the routing path availability.
An insider malicious node basically blends neatly in with the network An insider malicious node basically blends neatly in with the network
but then may decide to forward and/or manipulate certain packets. If but then may decide to forward and/or manipulate certain packets. If
all packets are dropped, then this attacker is also often referred to all packets are dropped, then this attacker is also often referred to
as a "black hole". Such a form of attack is particularly dangerous as a "black hole". Such a form of attack is particularly dangerous
if coupled with sinkhole attacks since inherently a large amount of if coupled with sinkhole attacks since inherently a large amount of
traffic is attracted to the malicious node and thereby causing traffic is attracted to the malicious node and thereby causing
skipping to change at page 31, line 38 skipping to change at page 32, line 20
a particular routing path due to a malicious selective forwarding a particular routing path due to a malicious selective forwarding
attack, there will be another route which successfully delivers the attack, there will be another route which successfully delivers the
data. Such a method is inherently suboptimal from an energy data. Such a method is inherently suboptimal from an energy
consumption point of view; it is also suboptimal from a network consumption point of view; it is also suboptimal from a network
utilization perspective. The second method basically involves a utilization perspective. The second method basically involves a
constantly changing routing topology in that next-hop routers are constantly changing routing topology in that next-hop routers are
chosen from a dynamic set in the hope that the number of malicious chosen from a dynamic set in the hope that the number of malicious
nodes in this set is negligible. A routing protocol that allows for nodes in this set is negligible. A routing protocol that allows for
disjoint routing paths may also be useful. disjoint routing paths may also be useful.
5.3.4. Countering Sinkhole Attacks 8.3.4. Countering Sinkhole Attacks
In sinkhole attacks, the malicious node manages to attract a lot of In sinkhole attacks, the malicious node manages to attract a lot of
traffic mainly by advertising the availability of high-quality links traffic mainly by advertising the availability of high-quality links
even though there are none [Karlof2003]. It hence constitutes a even though there are none [Karlof2003]. It hence constitutes a
serious attack on availability. serious attack on availability.
The malicious node creates a sinkhole by attracting a large amount The malicious node creates a sinkhole by attracting a large amount
of, if not all, traffic from surrounding neighbors by advertising in of, if not all, traffic from surrounding neighbors by advertising in
and outwards links of superior quality. Affected nodes hence eagerly and outwards links of superior quality. Affected nodes hence eagerly
route their traffic via the malicious node which, if coupled with route their traffic via the malicious node which, if coupled with
skipping to change at page 32, line 23 skipping to change at page 33, line 5
o dynamically pick up next hop from set of candidates; o dynamically pick up next hop from set of candidates;
o allow only trusted data to be received and forwarded. o allow only trusted data to be received and forwarded.
Whilst most of these countermeasures have been discussed before, the Whilst most of these countermeasures have been discussed before, the
use of geographical information deserves further attention. use of geographical information deserves further attention.
Essentially, if geographic positions of nodes are available, then the Essentially, if geographic positions of nodes are available, then the
network can assure that data is actually routed towards the intended network can assure that data is actually routed towards the intended
destination and not elsewhere. On the other hand, geographic destination and not elsewhere. On the other hand, geographic
position is a sensitive information that has security and/or privacy position is a sensitive information that has security and/or privacy
consequences (see Section 6.1). consequences (see Section 9.1).
5.3.5. Countering Wormhole Attacks 8.3.5. Countering Wormhole Attacks
In wormhole attacks at least two malicious nodes shortcut or divert In wormhole attacks at least two malicious nodes shortcut or divert
the usual routing path by means of a low-latency out-of-band channel the usual routing path by means of a low-latency out-of-band channel
[Karlof2003]. This changes the availability of certain routing paths [Karlof2003]. This changes the availability of certain routing paths
and hence constitutes a serious security breach. and hence constitutes a serious security breach.
Essentially, two malicious insider nodes use another, more powerful, Essentially, two malicious insider nodes use another, more powerful,
transmitter to communicate with each other and thereby distort the transmitter to communicate with each other and thereby distort the
would-be-agreed routing path. This distortion could involve would-be-agreed routing path. This distortion could involve
shortcutting and hence paralyzing a large part of the network; it shortcutting and hence paralyzing a large part of the network; it
skipping to change at page 32, line 48 skipping to change at page 33, line 30
the intrusion or where messages are replayed, etc. In conjunction the intrusion or where messages are replayed, etc. In conjunction
with selective forwarding, wormhole attacks can create race with selective forwarding, wormhole attacks can create race
conditions which impact topology maintenance, routing protocols as conditions which impact topology maintenance, routing protocols as
well as any security suits built on "time of check" and "time of well as any security suits built on "time of check" and "time of
use". use".
Wormhole attacks are very difficult to detect in general but can be Wormhole attacks are very difficult to detect in general but can be
mitigated using similar strategies as already outlined above in the mitigated using similar strategies as already outlined above in the
context of sinkhole attacks. context of sinkhole attacks.
6. ROLL Security Features 9. ROLL Security Features
The assessments and analysis in Section 4 examined all areas of The assessments and analysis in Section 5 examined all areas of
threats and attacks that could impact routing, and the threats and attacks that could impact routing, and the
countermeasures presented in Section 5 were reached without confining countermeasures presented in Section 8 were reached without confining
the consideration to means only available to routing. This section the consideration to means only available to routing. This section
puts the results into perspective and provides a framework for puts the results into perspective and provides a framework for
addressing the derived set of security objectives that must be met by addressing the derived set of security objectives that must be met by
the routing protocol(s) specified by the ROLL Working Group. It the routing protocol(s) specified by the ROLL Working Group. It
bears emphasizing that the target here is a generic, universal form bears emphasizing that the target here is a generic, universal form
of the protocol(s) specified and the normative keywords are mainly to of the protocol(s) specified and the normative keywords are mainly to
convey the relative level of importance or urgency of the features convey the relative level of importance or urgency of the features
specified. specified.
In this view, 'MUST' is used to define the requirements that are In this view, 'MUST' is used to define the requirements that are
skipping to change at page 33, line 31 skipping to change at page 34, line 13
to define requirements that counter indirect routing attacks where to define requirements that counter indirect routing attacks where
such attacks do not of themselves affect routing but can assist an such attacks do not of themselves affect routing but can assist an
attacker in focusing its attack resources to impact network operation attacker in focusing its attack resources to impact network operation
(such as DoS targeting of key forwarding nodes). 'MAY' covers (such as DoS targeting of key forwarding nodes). 'MAY' covers
optional requirements that can further enhance security by increasing optional requirements that can further enhance security by increasing
the space over which an attacker must operate or the resources that the space over which an attacker must operate or the resources that
must be applied. While in support of routing security, where must be applied. While in support of routing security, where
appropriate, these requirements may also be addressed beyond the appropriate, these requirements may also be addressed beyond the
network routing protocol at other system communications layers. network routing protocol at other system communications layers.
The first part of this section, Section 6.1 to Section 6.3, is a The first part of this section, Section 9.1 to Section 9.3, is a
prescription of ROLL security features of measures that can be prescription of ROLL security features of measures that can be
addressed as part of the routing protocol itself. As routing is one addressed as part of the routing protocol itself. As routing is one
component of an LLN system, the actual strength of the security component of an LLN system, the actual strength of the security
services afforded to it should be made to conform to each system's services afforded to it should be made to conform to each system's
security policy; how a design may address the needs of the urban, security policy; how a design may address the needs of the urban,
industrial, home automation, and building automation application industrial, home automation, and building automation application
domains also needs to be considered. The second part of this domains also needs to be considered. The second part of this
section, Section 6.4 and Section 6.5, discusses system security section, Section 9.4 and Section 9.5, discusses system security
aspects that may impact routing but that also require considerations aspects that may impact routing but that also require considerations
beyond the routing protocol, as well as potential approaches. beyond the routing protocol, as well as potential approaches.
If an LLN employs multicast and/or anycast, these alternative If an LLN employs multicast and/or anycast, these alternative
communications modes MUST be secured with the same routing security communications modes MUST be secured with the same routing security
services specified in this section. Furthermore, irrespective of the services specified in this section. Furthermore, irrespective of the
modes of communication, nodes MUST provide adequate physical tamper modes of communication, nodes MUST provide adequate physical tamper
resistance commensurate with the particular application domain resistance commensurate with the particular application domain
environment to ensure the confidentiality, integrity, and environment to ensure the confidentiality, integrity, and
availability of stored routing information. availability of stored routing information.
6.1. Confidentiality Features 9.1. Confidentiality Features
With regard to confidentiality, protecting the routing/topology With regard to confidentiality, protecting the routing/topology
information from eavesdropping or unauthorized exposure is not information from unauthorized disclosure is not directly essential to
directly essential to maintaining the routing function. Breaches of maintaining the routing function. Breaches of confidentiality may
confidentiality may lead to other attacks or the focusing of an lead to other attacks or the focusing of an attacker's resources (see
attacker's resources (see Section 4.1) but does not of itself Section 5.3) but does not of itself directly undermine the operation
directly undermine the operation of the routing function. However, of the routing function. However, to protect against, and reduce
to protect against, and improve vulnerability against other more consequences from other more direct attacks, routing information
direct attacks, routing information confidentiality should be should be protected. Thus, a secured ROLL protocol:
protected. Thus, a secured ROLL protocol
o MUST implement payload encryption; o MUST implement payload encryption;
o MUST provide privacy when geographic information is used (see, o MUST provide privacy when geographic information is used (see,
e.g., [RFC3693]); e.g., [RFC3693]);
o MAY provide tunneling; o MAY provide tunneling;
o MAY provide load balancing. o MAY provide load balancing.
Where confidentiality is incorporated into the routing exchanges, Where confidentiality is incorporated into the routing exchanges,
encryption algorithms and key lengths need to be specified in encryption algorithms and key lengths need to be specified in
accordance with the level of protection dictated by the routing accordance with the level of protection dictated by the routing
protocol and the associated application domain transport network. In protocol and the associated application domain transport network. In
terms of the life time of the keys, the opportunity to periodically terms of the life time of the keys, the opportunity to periodically
change the encryption key increases the offered level of security for change the encryption key increases the offered level of security for
any given implementation. However, where strong cryptography is any given implementation. However, where strong cryptography is
employed, physical, procedural, and logical data access protection employed, physical, procedural, and logical data access protection
skipping to change at page 34, line 40 skipping to change at page 35, line 20
terms of the life time of the keys, the opportunity to periodically terms of the life time of the keys, the opportunity to periodically
change the encryption key increases the offered level of security for change the encryption key increases the offered level of security for
any given implementation. However, where strong cryptography is any given implementation. However, where strong cryptography is
employed, physical, procedural, and logical data access protection employed, physical, procedural, and logical data access protection
considerations may have more significant impact on cryptoperiod considerations may have more significant impact on cryptoperiod
selection than algorithm and key size factors. Nevertheless, in selection than algorithm and key size factors. Nevertheless, in
general, shorter cryptoperiods, during which a single key is applied, general, shorter cryptoperiods, during which a single key is applied,
will enhance security. will enhance security.
Given the mandatory protocol requirement to implement routing node Given the mandatory protocol requirement to implement routing node
authentication as part of routing integrity (see Section 6.2), key authentication as part of routing integrity (see Section 9.2), key
exchanges may be coordinated as part of the integrity verification exchanges may be coordinated as part of the integrity verification
process. This provides an opportunity to increase the frequency of process. This provides an opportunity to increase the frequency of
key exchange and shorten the cryptoperiod as a complement to the key key exchange and shorten the cryptoperiod as a complement to the key
length and encryption algorithm required for a given application length and encryption algorithm required for a given application
domain. For LLNs, the coordination of confidentiality key management domain. For LLNs, the coordination of confidentiality key management
with the implementation of node device authentication can thus reduce with the implementation of node device authentication can thus reduce
the overhead associated with supporting data confidentiality. If a the overhead associated with supporting data confidentiality. If a
new ciphering key is concurrently generated or updated in conjunction new ciphering key is concurrently generated or updated in conjunction
with the mandatory authentication exchange occurring with each with the mandatory authentication exchange occurring with each
routing peer association, signaling exchange overhead can be reduced. routing peer association, signaling exchange overhead can be reduced.
6.2. Integrity Features 9.2. Integrity Features
The integrity of routing information provides the basis for ensuring The integrity of routing information provides the basis for ensuring
that the function of the routing protocol is achieved and maintained. that the function of the routing protocol is achieved and maintained.
To protect integrity, a secured ROLL protocol To protect integrity, a secured ROLL protocol:
o MUST provide and verify message integrity (including integrity of o MUST provide and verify message integrity (including integrity of
the encrypted message when confidentiality is applied); the encrypted message when confidentiality is applied);
o MUST verify the authenticity and liveness of both principals of a o MUST verify the authenticity and liveness of both principals of a
connection (independent of the device interface over which the connection (independent of the device interface over which the
information is received or accessed); information is received or accessed);
o MUST verify message sequence; o MUST verify message sequence;
skipping to change at page 36, line 13 skipping to change at page 36, line 42
be able to communicate and request information from non-adjacent be able to communicate and request information from non-adjacent
peers (see [Wan2004]) to provide information integrity assurances. peers (see [Wan2004]) to provide information integrity assurances.
With link state-based protocols, on the other hand, routing With link state-based protocols, on the other hand, routing
information can be signed at the source thus providing a means for information can be signed at the source thus providing a means for
validating information that originates beyond a routing peer. validating information that originates beyond a routing peer.
Therefore, where necessary, a secured ROLL protocol MAY use security Therefore, where necessary, a secured ROLL protocol MAY use security
auditing mechanisms that are external to routing to verify the auditing mechanisms that are external to routing to verify the
validity of the routing information content exchanged among routing validity of the routing information content exchanged among routing
peers. peers.
6.3. Availability Features 9.3. Availability Features
Availability of routing information is linked to system and network Availability of routing information is linked to system and network
availability which in the case of LLNs require a broader security availability which in the case of LLNs require a broader security
view beyond the requirements of the routing entities (see view beyond the requirements of the routing entities (see
Section 6.5). Where availability of the network is compromised, Section 9.5). Where availability of the network is compromised,
routing information availability will be accordingly affected. routing information availability will be accordingly affected.
However, to specifically assist in protecting routing availability However, to specifically assist in protecting routing availability:
o MAY restrict neighborhood cardinality; o MAY restrict neighborhood cardinality;
o MAY use multiple paths; o MAY use multiple paths;
o MAY use multiple destinations; o MAY use multiple destinations;
o MAY choose randomly if multiple paths are available; o MAY choose randomly if multiple paths are available;
o MAY set quotas to limit transmit or receive volume; o MAY set quotas to limit transmit or receive volume;
o MAY use geographic information for flow control. o MAY use geographic information for flow control.
skipping to change at page 36, line 34 skipping to change at page 37, line 14
o MAY use multiple paths; o MAY use multiple paths;
o MAY use multiple destinations; o MAY use multiple destinations;
o MAY choose randomly if multiple paths are available; o MAY choose randomly if multiple paths are available;
o MAY set quotas to limit transmit or receive volume; o MAY set quotas to limit transmit or receive volume;
o MAY use geographic information for flow control. o MAY use geographic information for flow control.
6.4. Security Key Management 9.4. Key Management
The functioning of the routing security services requires keys and The functioning of the routing security services requires keys and
credentials. Therefore, even though not directly a ROLL security credentials. Therefore, even though not directly a ROLL security
requirement, an LLN MUST have a process for initial key and requirement, an LLN MUST have a process for initial key and
credential configuration, as well as secure storage within the credential configuration, as well as secure storage within the
associated devices (including use of trusted platform modules where associated devices (including use of trusted platform modules where
feasible and appropriate to the operating environment). Beyond feasible and appropriate to the operating environment). Beyond
initial credential configuration, an LLN is also encouraged to have initial credential configuration, an LLN is also encouraged to have
automatic procedures for the long-term revocation and replacement of automatic procedures for the revocation and replacement of the
the maintained security credentials. maintained security credentials.
Individual routing peer associations and signaling exchanges will Peer associations and signaling exchanges require the generation and
require the generation and use of keys that may be derived from use of keys that MAY be derived from secret or public key exchanges
secret or public key exchanges or directly obtained through device as part of the routing signaling exchange or be directly obtained
configuration means. The routing protocol specification MUST include through device configuration. The routing protocol specification
mechanisms for identifying and synchronizing the keys used for MUST include mechanisms to identify and synchronize these keys.
securing exchanges between the routing entities. The keys used to
protect the communications between the routing entities MAY be
implicit, configured keys or may be explicitly generated as part of
the routing signaling exchange.
For the keys used to protect routing associations, the routing For keys used to establish peer associations, the routing protocol(s)
protocol(s) specified by the ROLL Working Group SHOULD employ key specified by the ROLL Working Group SHOULD employ key management
management mechanisms consistent with the guidelines given in mechanisms consistent with the guidelines given in [RFC4107]. Based
[RFC4107]. Based on that RFC's recommendations, many LLNs, on that RFC's recommendations, many LLNs, particularly given the
particularly given the intended scale and ad hoc device associations, intended scale and ad hoc device associations, will meet the
will meet the requirement for supporting automated key management in requirement for supporting automated key management in conjunction
conjunction with the routing protocol operation. These short-term, with the routing protocol operation. These short-term, automated
automated routing session keys may be derived from pre-stored routing session keys may be derived from pre-stored security
security credentials or can be generated through key management credentials or can be generated through key management mechanisms
mechanisms that are defined as part of the routing protocol exchange. that are defined as part of the routing protocol exchange. Beyond
Beyond the automated short-term keys, a long-term key management the automated short-term keys, a long-term key management mechanism
mechanism SHOULD also be defined for changing or updating the SHOULD also be defined for changing or updating the credentials from
credentials from which short-term routing association key material is which short-term routing association key material is derived.
derived.
The use of a public key infrastructure (PKI), where feasible, can be The use of a public key infrastructure (PKI), where feasible, can be
used to support authenticated short-term key management as well as used to support authenticated short-term key management as well as
the distribution of long-term routing security keying material. Note the distribution of long-term routing security keying material. Note
that where the option for a PKI is supported for security of the that where the option for a PKI is supported for security of the
routing protocol itself, the routing protocol MUST include provisions routing protocol itself, the routing protocol MUST include provisions
for public key certificates to be included or referenced within for public key certificates to be included or referenced within
routing messages to allow a node's public key to be shared with routing messages to allow a node's public key to be shared with
communicating peers. Even if the certificate itself is not communicating peers. Even if the certificate itself is not
distributed by the node, there needs to be a mechanism to inform the distributed by the node, there needs to be a mechanism to inform the
skipping to change at page 38, line 6 skipping to change at page 38, line 29
Where the long-term key management is defined separately from the Where the long-term key management is defined separately from the
routing protocol security, LLN application domains can appropriately routing protocol security, LLN application domains can appropriately
employ IETF-standard key management specifications. Established key employ IETF-standard key management specifications. Established key
management solutions such as IKEv2 [RFC5996] or MIKEY [RFC3830], management solutions such as IKEv2 [RFC5996] or MIKEY [RFC3830],
which supports several alternative private, public, or Diffie-Hellman which supports several alternative private, public, or Diffie-Hellman
key distribution methods (see [RFC5197]), can thus be adapted for use key distribution methods (see [RFC5197]), can thus be adapted for use
in LLNs. For example, see [I-D.alexander-roll-mikey-lln-key-mgmt]. in LLNs. For example, see [I-D.alexander-roll-mikey-lln-key-mgmt].
Group key management and distribution methods may also be developed Group key management and distribution methods may also be developed
based on the architecture principles defined in MSEC [RFC4046]. based on the architecture principles defined in MSEC [RFC4046].
6.5. Consideration on Matching Application Domain Needs 9.5. Consideration on Matching Application Domain Needs
Providing security within an LLN requires considerations that extend Providing security within an LLN requires considerations that extend
beyond routing security to the broader LLN application domain beyond routing security to the broader LLN application domain
security implementation. In other words, as routing is one component security implementation. In other words, as routing is one component
of an LLN system, the actual strength of the implemented security of an LLN system, the actual strength of the implemented security
algorithms for the routing protocol MUST be made to conform to the algorithms for the routing protocol MUST be made to conform to the
system's target level of security. The development so far takes into system's target level of security. The development so far takes into
account collectively the impacts of the issues gathered from account collectively the impacts of the issues gathered from
[RFC5548], [RFC5673], [RFC5826], and [RFC5867]. The following two [RFC5548], [RFC5673], [RFC5826], and [RFC5867]. The following two
subsections first consider from an architectural perspective how the subsections first consider from an architectural perspective how the
security design of a ROLL protocol may be made to adapt to the four security design of a ROLL protocol may be made to adapt to the four
application domains, and then examine mechanisms and protocol application domains, and then examine mechanisms and protocol
operations issues. operations issues.
6.5.1. Security Architecture 9.5.1. Security Architecture
The first challenge for a ROLL protocol security design is to have an The first challenge for a ROLL protocol security design is to have an
architecture that can adequately address a set of very diversified architecture that can adequately address a set of very diverse needs.
needs. It is mainly a consequence of the fact that there are both It is mainly a consequence of the fact that there are both common and
common and non-overlapping requirements from the four application non-overlapping requirements from the four application domains,
domains, while, conceivably, each individual application will present while, conceivably, each individual application will present yet its
yet its own unique constraints. own unique constraints.
For a ROLL protocol, the security requirements defined in Section 6.1 For a ROLL protocol, the security requirements defined in Section 9.1
to Section 6.4 can be addressed at two levels: 1) through measures to Section 9.4 can be addressed at two levels: 1) through measures
implemented directly within the routing protocol itself and initiated implemented directly within the routing protocol itself and initiated
and controlled by the routing protocol entities; or 2) through and controlled by the routing protocol entities; or 2) through
measures invoked on behalf of the routing protocol entities but measures invoked on behalf of the routing protocol entities but
implemented within the part of the network over which the protocol implemented within the part of the network over which the protocol
exchanges occur. exchanges occur.
Where security is directly implemented as part of the routing Where security is directly implemented as part of the routing
protocol the security requirements configured by the user (system protocol the security requirements configured by the user (system
administrator) will operate independently of the lower layers. administrator) will operate independently of the lower layers.
OSPFv2 [RFC2328] is an example of such an approach in which security OSPFv2 [RFC2328] is an example of such an approach in which security
skipping to change at page 39, line 15 skipping to change at page 39, line 38
Security mechanisms built into the routing protocol can ensure that Security mechanisms built into the routing protocol can ensure that
all desired countermeasures can be directly addressed by the protocol all desired countermeasures can be directly addressed by the protocol
all the way to the endpoint of the routing exchange. In particular, all the way to the endpoint of the routing exchange. In particular,
routing protocol Byzantine attacks by a compromised node that retains routing protocol Byzantine attacks by a compromised node that retains
valid network security credentials can only be detected at the level valid network security credentials can only be detected at the level
of the information exchanged within the routing protocol. Such of the information exchanged within the routing protocol. Such
attacks aimed at the manipulation of the routing information can only attacks aimed at the manipulation of the routing information can only
be fully addressed through measures operating directly between the be fully addressed through measures operating directly between the
routing entities themselves or external entities able to access and routing entities themselves or external entities able to access and
analyze the routing information (see discussion in Section 5.2.5). analyze the routing information (see discussion in Section 8.2.5).
On the other hand, it is more desirable from an LLN device On the other hand, it is more desirable from an LLN device
perspective that the ROLL protocol is integrated into the framework perspective that the ROLL protocol is integrated into the framework
of an overall system architecture where the security facility may be of an overall system architecture where the security facility may be
shared by different applications and/or across layers for efficiency, shared by different applications and/or across layers for efficiency,
and where security policy and configurations can be consistently and where security policy and configurations can be consistently
specified. See, for example, considerations made in RIPng [RFC2080] specified. See, for example, considerations made in RIPng [RFC2080]
or the approach presented in [Messerges2003]. or the approach presented in [Messerges2003].
Where the routing protocol is able to rely on security measures Where the routing protocol is able to rely on security measures
skipping to change at page 40, line 6 skipping to change at page 40, line 28
protecting the network within the given environment. protecting the network within the given environment.
A ROLL protocol MUST be made flexible by a design that offers the A ROLL protocol MUST be made flexible by a design that offers the
configuration facility so that the user (network administrator) can configuration facility so that the user (network administrator) can
choose the security settings that match the application's needs. choose the security settings that match the application's needs.
Furthermore, in the case of LLNs, that flexibility SHOULD extend to Furthermore, in the case of LLNs, that flexibility SHOULD extend to
allowing the routing protocol security requirements to be met by allowing the routing protocol security requirements to be met by
measures applied at different protocol layers, provided the measures applied at different protocol layers, provided the
identified requirements are collectively met. identified requirements are collectively met.
Since Byzantine attacks that can affect the validity of the Since Byzantine attackers that can affect the validity of the
information content exchanged between routing entities can only be information content exchanged between routing entities can only be
directly countered at the routing protocol level, the ROLL protocol directly countered at the routing protocol level, the ROLL protocol
MAY support mechanisms for verifying routing data validity that MAY support mechanisms for verifying routing data validity that
extend beyond the chain of trust created through device extend beyond the chain of trust created through device
authentication. This protocol-specific security mechanism SHOULD be authentication. This protocol-specific security mechanism SHOULD be
made optional within the protocol allowing it to be invoked according made optional within the protocol allowing it to be invoked according
to the given routing protocol and application domain and as selected to the given routing protocol and application domain and as selected
by the system user. All other ROLL security mechanisms needed to by the system user. All other ROLL security mechanisms needed to
meet the above identified routing security requirements can be meet the above identified routing security requirements can be
flexibly implemented within the transport network (at the IP network flexibly implemented within the transport network (at the IP network
skipping to change at page 40, line 46 skipping to change at page 41, line 20
valid parameter ranges, increments and/or event frequencies that can valid parameter ranges, increments and/or event frequencies that can
be verified by individual routing devices. In addition to deliberate be verified by individual routing devices. In addition to deliberate
attacks this allows basic protocol sanity checks against attacks this allows basic protocol sanity checks against
unintentional mis-configuration. Transport network mechanisms would unintentional mis-configuration. Transport network mechanisms would
include out-of-band communications that may be defined to allow an include out-of-band communications that may be defined to allow an
external entity to request and process individual device information external entity to request and process individual device information
as a means to effecting an external verification of the derived as a means to effecting an external verification of the derived
network routing information to identify the existence of intentional network routing information to identify the existence of intentional
or unintentional network anomalies. or unintentional network anomalies.
This approach allows countermeasures against internal attacks to be This approach allows countermeasures against byzantine attackers to
applied in environments where applicable threats exist. At the same be applied in environments where applicable threats exist. At the
time, it allows routing protocol security to be supported through same time, it allows routing protocol security to be supported
measures implemented within the transport network that are consistent through measures implemented within the transport network that are
with available system resources and commensurate and consistent with consistent with available system resources and commensurate and
the security level and strength applied in the particular application consistent with the security level and strength applied in the
domain networks. particular application domain networks.
6.5.2. Mechanisms and Operations 9.5.2. Mechanisms and Operations
With an architecture allowing different configurations to meet the With an architecture allowing different configurations to meet the
application domain needs, the task is then to find suitable application domain needs, the task is then to find suitable
mechanisms. For example, one of the main problems of synchronizing mechanisms. For example, one of the main problems of synchronizing
security states of sleepy nodes lies in difficulties in security states of sleepy nodes lies in difficulties in
authentication; these nodes may not have received in time the most authentication; these nodes may not have received in time the most
recent update of security material. Similarly, the issues of minimal recent update of security material. Similarly, the issues of minimal
manual configuration, prolonged rollout and delayed addition of manual configuration, prolonged rollout and delayed addition of
nodes, and network topology changes also complicate security nodes, and network topology changes also complicate security
management. In many cases the ROLL protocol may need to bootstrap management. In many cases the ROLL protocol may need to bootstrap
skipping to change at page 42, line 5 skipping to change at page 43, line 5
stored on the nodes through physical means; therefore, the internal stored on the nodes through physical means; therefore, the internal
and external interfaces of a node need to be adequate for guarding and external interfaces of a node need to be adequate for guarding
the integrity, and possibly the confidentiality, of stored the integrity, and possibly the confidentiality, of stored
information, as well as the integrity of routing and route generation information, as well as the integrity of routing and route generation
processes. processes.
Figure 3 provides an overview of the larger context of system Figure 3 provides an overview of the larger context of system
security and the relationship between ROLL requirements and measures security and the relationship between ROLL requirements and measures
and those that relate to the LLN system. and those that relate to the LLN system.
Security Services for Security Services for
ROLL-Addressable ROLL-Addressable
Security Requirements Security Requirements
| | | |
+---+ +---+ +---+ +---+
Node_i | | Node_j Node_i | | Node_j
_____v___ ___v_____ _____v___ ___v_____
Specify Security / \ / \ Specify Security Specify Security / \ / \ Specify Security
Requirements | Routing | | Routing | Requirements Requirements | Routing | | Routing | Requirements
+---------| Protocol| | Protocol|---------+ +---------| Protocol| | Protocol|---------+
| | Entity | | Entity | | | | Entity | | Entity | |
| \_________/ \_________/ | | \_________/ \_________/ |
| | | | | | | |
|ROLL-Specified | | ROLL-Specified| |ROLL-Specified | | ROLL-Specified|
---Interface | | Interface--- ---Interface | | Interface---
| ...................................... | | ...................................... |
| : | | : | | : | | : |
| : +-----+----+ +----+-----+ : | | : +-----+----+ +----+-----+ : |
| : |Transport/| |Transport/| : | | : |Transport/| |Transport/| : |
____v___ : +>|Network | |Network |<+ : ___v____ ____v___ : +>|Network | |Network |<+ : ___v____
/ \ : | +-----+----+ +----+-----+ | : / \ / \ : | +-----+----+ +----+-----+ | : / \
| |-:-+ | | +-:-| | | |-:-+ | | +-:-| |
|Security| : +-----+----+ +----+-----+ : |Security| |Security| : +-----+----+ +----+-----+ : |Security|
+->|Services|-:-->| Link | | Link |<--:-|Services|<-+ +->|Services|-:-->| Link | | Link |<--:-|Services|<-+
| |Entity | : +-----+----+ +----+-----+ : |Entity | | | |Entity | : +-----+----+ +----+-----+ : |Entity | |
| | |-:-+ | | +-:-| | | | | |-:-+ | | +-:-| | |
| \________/ : | +-----+----+ +----+-----+ | : \________/ | | \________/ : | +-----+----+ +----+-----+ | : \________/ |
| : +>| Physical | | Physical |<+ : | | : +>| Physical | | Physical |<+ : |
Application : +-----+----+ +----+-----+ : Application Application : +-----+----+ +----+-----+ : Application
Domain User : | | : Domain User Domain User : | | : Domain User
Configuration : |__Comm. Channel_| : Configuration Configuration : |__Comm. Channel_| : Configuration
: : : :
...Protocol Stack..................... ...Protocol Stack.....................
Figure 3: LLN Device Security Model Figure 3: LLN Device Security Model
7. IANA Considerations 10. IANA Considerations
This memo includes no request to IANA. This memo includes no request to IANA.
8. Security Considerations 11. Security Considerations
The analysis presented in this document provides security analysis The analysis presented in this document provides security analysis
and design guidelines with a scope limited to ROLL. Security and design guidelines with a scope limited to ROLL. Security
services are identified as requirements for securing ROLL. The services are identified as requirements for securing ROLL. The
specific mechanisms to be used to deal with each threat is specified specific mechanisms to be used to deal with each threat is specified
in link-layer and deployment specific applicability statements. in link-layer and deployment specific applicability statements.
9. Acknowledgments 12. Acknowledgments
The authors would like to acknowledge the review and comments from The authors would like to acknowledge the review and comments from
Rene Struik and JP Vasseur. The authors would also like to Rene Struik and JP Vasseur. The authors would also like to
acknowledge the guidance and input provided by the ROLL Chairs, David acknowledge the guidance and input provided by the ROLL Chairs, David
Culler, and JP Vasseur, and the Area Director Adrian Farrel. Culler, and JP Vasseur, and the Area Director Adrian Farrel.
This document started out as a combined threat and solutions This document started out as a combined threat and solutions
document, but was split up by ROLL co-Chair Michael Richardson as it document. As a result of security review, the document was split up
went through the IETF publication process. by ROLL co-Chair Michael Richardson and security Area Director Sean
Turner as it went through the IETF publication process. The
solutions to the threads are application and layer-2 specific, and
have therefore been moved to the relevant applicability statements.
10. References 13. References
10.1. Normative References 13.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC4107] Bellovin, S. and R. Housley, "Guidelines for Cryptographic [RFC4107] Bellovin, S. and R. Housley, "Guidelines for Cryptographic
Key Management", BCP 107, RFC 4107, June 2005. Key Management", BCP 107, RFC 4107, June 2005.
[RFC4301] Kent, S. and K. Seo, "Security Architecture for the [RFC4301] Kent, S. and K. Seo, "Security Architecture for the
Internet Protocol", RFC 4301, December 2005. Internet Protocol", RFC 4301, December 2005.
[RFC6550] Winter, T., Thubert, P., Brandt, A., Hui, J., Kelsey, R., [RFC6550] Winter, T., Thubert, P., Brandt, A., Hui, J., Kelsey, R.,
Levis, P., Pister, K., Struik, R., Vasseur, JP., and R. Levis, P., Pister, K., Struik, R., Vasseur, JP., and R.
Alexander, "RPL: IPv6 Routing Protocol for Low-Power and Alexander, "RPL: IPv6 Routing Protocol for Low-Power and
Lossy Networks", RFC 6550, March 2012. Lossy Networks", RFC 6550, March 2012.
10.2. Informative References 13.2. Informative References
[FIPS197] "Federal Information Processing Standards Publication 197: [FIPS197] "Federal Information Processing Standards Publication 197:
Advanced Encryption Standard (AES)", US National Institute Advanced Encryption Standard (AES)", US National Institute
of Standards and Technology, Nov. 26 2001. of Standards and Technology, Nov. 26 2001.
[Huang2003] [Huang2003]
Huang, Q., Cukier, J., Kobayashi, H., Liu, B., and J. Huang, Q., Cukier, J., Kobayashi, H., Liu, B., and J.
Zhang, "Fast Authenticated Key Establishment Protocols for Zhang, "Fast Authenticated Key Establishment Protocols for
Self-Organizing Sensor Networks", in Proceedings of the Self-Organizing Sensor Networks", in Proceedings of the
2nd ACM International Conference on Wireless Sensor 2nd ACM International Conference on Wireless Sensor
 End of changes. 126 change blocks. 
406 lines changed or deleted 417 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/