draft-ietf-roll-security-threats-11.txt   rfc7416.txt 
Routing Over Low-Power and Lossy Networks T. Tsao Internet Engineering Task Force (IETF) T. Tsao
Internet-Draft R. Alexander Request for Comments: 7416 R. Alexander
Intended status: Informational Cooper Power Systems Category: Informational Eaton's Cooper Power Systems Business
Expires: April 05, 2015 M. Dohler ISSN: 2070-1721 M. Dohler
CTTC CTTC
V. Daza V. Daza
A. Lozano A. Lozano
Universitat Pompeu Fabra Universitat Pompeu Fabra
M. Richardson, Ed. M. Richardson, Ed.
Sandelman Software Works Sandelman Software Works
October 02, 2014 January 2015
A Security Threat Analysis for Routing Protocol for Low-power and lossy A Security Threat Analysis for
networks (RPL) the Routing Protocol for Low-Power and Lossy Networks (RPLs)
draft-ietf-roll-security-threats-11
Abstract Abstract
This document presents a security threat analysis for the Routing This document presents a security threat analysis for the Routing
Protocol for Low-power and lossy networks (RPL, ROLL). The Protocol for Low-Power and Lossy Networks (RPLs). The development
development builds upon previous work on routing security and adapts builds upon previous work on routing security and adapts the
the assessments to the issues and constraints specific to low-power assessments to the issues and constraints specific to low-power and
and lossy networks. A systematic approach is used in defining and lossy networks. A systematic approach is used in defining and
evaluating the security threats. Applicable countermeasures are evaluating the security threats. Applicable countermeasures are
application specific and are addressed in relevant applicability application specific and are addressed in relevant applicability
statements. statements.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This document is not an Internet Standards Track specification; it is
provisions of BCP 78 and BCP 79. published for informational purposes.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months This document is a product of the Internet Engineering Task Force
and may be updated, replaced, or obsoleted by other documents at any (IETF). It represents the consensus of the IETF community. It has
time. It is inappropriate to use Internet-Drafts as reference received public review and has been approved for publication by the
material or to cite them other than as "work in progress." Internet Engineering Steering Group (IESG). Not all documents
approved by the IESG are a candidate for any level of Internet
Standard; see Section 2 of RFC 5741.
This Internet-Draft will expire on April 05, 2015. Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7416.
Copyright Notice Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Relationship to other documents . . . . . . . . . . . . . . . 4 2. Relationship to Other Documents . . . . . . . . . . . . . . . 4
3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
4. Considerations on RPL Security . . . . . . . . . . . . . . . 5 4. Considerations on RPL Security . . . . . . . . . . . . . . . 5
4.1. Routing Assets and Points of Access . . . . . . . . . . . 6 4.1. Routing Assets and Points of Access . . . . . . . . . . . 6
4.2. The ISO 7498-2 Security Reference Model . . . . . . . . . 8 4.2. The ISO 7498-2 Security Reference Model . . . . . . . . . 8
4.3. Issues Specific to or Amplified in LLNs . . . . . . . . . 10 4.3. Issues Specific to or Amplified in LLNs . . . . . . . . . 10
4.4. RPL Security Objectives . . . . . . . . . . . . . . . . . 12 4.4. RPL Security Objectives . . . . . . . . . . . . . . . . . 12
5. Threat Sources . . . . . . . . . . . . . . . . . . . . . . . 13 5. Threat Sources . . . . . . . . . . . . . . . . . . . . . . . 13
6. Threats and Attacks . . . . . . . . . . . . . . . . . . . . . 13 6. Threats and Attacks . . . . . . . . . . . . . . . . . . . . . 13
6.1. Threats due to failures to Authenticate . . . . . . . . . 14 6.1. Threats Due to Failures to Authenticate . . . . . . . . . 14
6.1.1. Node Impersonation . . . . . . . . . . . . . . . . . 14 6.1.1. Node Impersonation . . . . . . . . . . . . . . . . . 14
6.1.2. Dummy Node . . . . . . . . . . . . . . . . . . . . . 14 6.1.2. Dummy Node . . . . . . . . . . . . . . . . . . . . . 14
6.1.3. Node Resource Spam . . . . . . . . . . . . . . . . . 14 6.1.3. Node Resource Spam . . . . . . . . . . . . . . . . . 15
6.2. Threats due to failure to keep routing information 6.2. Threats Due to Failure to Keep Routing Information
confidential . . . . . . . . . . . . . . . . . . . . . . 15 Confidential . . . . . . . . . . . . . . . . . . . . . . 15
6.2.1. Routing Exchange Exposure . . . . . . . . . . . . . . 15 6.2.1. Routing Exchange Exposure . . . . . . . . . . . . . . 15
6.2.2. Routing Information (Routes and Network Topology) 6.2.2. Routing Information (Routes and Network Topology)
Exposure . . . . . . . . . . . . . . . . . . . . . . 15 Exposure . . . . . . . . . . . . . . . . . . . . . . 15
6.3. Threats and Attacks on Integrity . . . . . . . . . . . . 16 6.3. Threats and Attacks on Integrity . . . . . . . . . . . . 16
6.3.1. Routing Information Manipulation . . . . . . . . . . 16 6.3.1. Routing Information Manipulation . . . . . . . . . . 16
6.3.2. Node Identity Misappropriation . . . . . . . . . . . 17 6.3.2. Node Identity Misappropriation . . . . . . . . . . . 17
6.4. Threats and Attacks on Availability . . . . . . . . . . . 17 6.4. Threats and Attacks on Availability . . . . . . . . . . . 18
6.4.1. Routing Exchange Interference or Disruption . . . . . 17 6.4.1. Routing Exchange Interference or Disruption . . . . . 18
6.4.2. Network Traffic Forwarding Disruption . . . . . . . . 17 6.4.2. Network Traffic Forwarding Disruption . . . . . . . . 18
6.4.3. Communications Resource Disruption . . . . . . . . . 19 6.4.3. Communications Resource Disruption . . . . . . . . . 20
6.4.4. Node Resource Exhaustion . . . . . . . . . . . . . . 19 6.4.4. Node Resource Exhaustion . . . . . . . . . . . . . . 20
7. Countermeasures . . . . . . . . . . . . . . . . . . . . . . . 20
7.1. Confidentiality Attack Countermeasures . . . . . . . . . 20 7. Countermeasures . . . . . . . . . . . . . . . . . . . . . . . 21
7.1.1. Countering Deliberate Exposure Attacks . . . . . . . 20 7.1. Confidentiality Attack Countermeasures . . . . . . . . . 21
7.1.2. Countering Passive Wiretapping Attacks . . . . . . . 21 7.1.1. Countering Deliberate Exposure Attacks . . . . . . . 21
7.1.2. Countering Passive Wiretapping Attacks . . . . . . . 22
7.1.3. Countering Traffic Analysis . . . . . . . . . . . . . 22 7.1.3. Countering Traffic Analysis . . . . . . . . . . . . . 22
7.1.4. Countering Remote Device Access Attacks . . . . . . . 23 7.1.4. Countering Remote Device Access Attacks . . . . . . . 23
7.2. Integrity Attack Countermeasures . . . . . . . . . . . . 24
7.2. Integrity Attack Countermeasures . . . . . . . . . . . . 23 7.2.1. Countering Unauthorized Modification Attacks . . . . 24
7.2.1. Countering Unauthorized Modification Attacks . . . . 23
7.2.2. Countering Overclaiming and Misclaiming Attacks . . . 24 7.2.2. Countering Overclaiming and Misclaiming Attacks . . . 24
7.2.3. Countering Identity (including Sybil) Attacks . . . . 24 7.2.3. Countering Identity (including Sybil) Attacks . . . . 25
7.2.4. Countering Routing Information Replay Attacks . . . . 25 7.2.4. Countering Routing Information Replay Attacks . . . . 25
7.2.5. Countering Byzantine Routing Information Attacks . . 25 7.2.5. Countering Byzantine Routing Information Attacks . . 26
7.3. Availability Attack Countermeasures . . . . . . . . . . . 26 7.3. Availability Attack Countermeasures . . . . . . . . . . . 26
7.3.1. Countering HELLO Flood Attacks and ACK Spoofing 7.3.1. Countering HELLO Flood Attacks and ACK Spoofing
Attacks . . . . . . . . . . . . . . . . . . . . . . . 26 Attacks . . . . . . . . . . . . . . . . . . . . . . . 27
7.3.2. Countering Overload Attacks . . . . . . . . . . . . . 27 7.3.2. Countering Overload Attacks . . . . . . . . . . . . . 27
7.3.3. Countering Selective Forwarding Attacks . . . . . . . 28 7.3.3. Countering Selective Forwarding Attacks . . . . . . . 29
7.3.4. Countering Sinkhole Attacks . . . . . . . . . . . . . 29 7.3.4. Countering Sinkhole Attacks . . . . . . . . . . . . . 29
7.3.5. Countering Wormhole Attacks . . . . . . . . . . . . . 30 7.3.5. Countering Wormhole Attacks . . . . . . . . . . . . . 30
8. RPL Security Features . . . . . . . . . . . . . . . . . . . . 31 8. RPL Security Features . . . . . . . . . . . . . . . . . . . . 31
8.1. Confidentiality Features . . . . . . . . . . . . . . . . 31 8.1. Confidentiality Features . . . . . . . . . . . . . . . . 32
8.2. Integrity Features . . . . . . . . . . . . . . . . . . . 32 8.2. Integrity Features . . . . . . . . . . . . . . . . . . . 32
8.3. Availability Features . . . . . . . . . . . . . . . . . . 33 8.3. Availability Features . . . . . . . . . . . . . . . . . . 33
8.4. Key Management . . . . . . . . . . . . . . . . . . . . . 33 8.4. Key Management . . . . . . . . . . . . . . . . . . . . . 34
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 34 9. Security Considerations . . . . . . . . . . . . . . . . . . . 34
10. Security Considerations . . . . . . . . . . . . . . . . . . . 34 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 34
11. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 34 10.1. Normative References . . . . . . . . . . . . . . . . . . 34
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 34 10.2. Informative References . . . . . . . . . . . . . . . . . 35
12.1. Normative References . . . . . . . . . . . . . . . . . . 34 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 39
12.2. Informative References . . . . . . . . . . . . . . . . . 35 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 40
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 38
1. Introduction 1. Introduction
In recent times, networked electronic devices have found an In recent times, networked electronic devices have found an
increasing number of applications in various fields. Yet, for increasing number of applications in various fields. Yet, for
reasons ranging from operational application to economics, these reasons ranging from operational application to economics, these
wired and wireless devices are often supplied with minimum physical wired and wireless devices are often supplied with minimum physical
resources; the constraints include those on computational resources resources; the constraints include those on computational resources
(RAM, clock speed, storage), communication resources (duty cycle, (RAM, clock speed, and storage) and communication resources (duty
packet size, etc.), but also form factors that may rule out user cycle, packet size, etc.) but also form factors that may rule out
access interfaces (e.g., the housing of a small stick-on switch), or user-access interfaces (e.g., the housing of a small stick-on switch)
simply safety considerations (e.g., with gas meters). As a or simply safety considerations (e.g., with gas meters). As a
consequence, the resulting networks are more prone to loss of traffic consequence, the resulting networks are more prone to loss of traffic
and other vulnerabilities. The proliferation of these low-power and and other vulnerabilities. The proliferation of these Low-Power and
lossy networks (LLNs), however, are drawing efforts to examine and Lossy Networks (LLNs), however, are drawing efforts to examine and
address their potential networking challenges. Securing the address their potential networking challenges. Securing the
establishment and maintenance of network connectivity among these establishment and maintenance of network connectivity among these
deployed devices becomes one of these key challenges. deployed devices becomes one of these key challenges.
This document presents a threat analysis for securing the Routing This document presents a threat analysis for securing the Routing
Protocol for LLNs (RPL). The process requires two steps. First, the Protocol for LLNs (RPL). The process requires two steps. First, the
analysis will be used to identify pertinent security issues. The analysis will be used to identify pertinent security issues. The
second step is to identify necessary countermeasures to secure RPL. second step is to identify necessary countermeasures to secure RPL.
As there are multiple ways to solve the problem and the specific As there are multiple ways to solve the problem and the specific
tradeoffs are deployment specific, the specific countermeasure to be trade-offs are deployment specific, the specific countermeasure to be
used is detailed in applicability statements. used is detailed in applicability statements.
This document uses [ISO.7498-2.1988]] model, which describes This document uses a model based on [ISO.7498-2.1989], which
Authentication, Access Control, Data Confidentiality, Data Integrity, describes authentication, access control, data confidentiality, data
and Non-Repudiation security services and to which Availability is integrity, and non-repudiation security services. This document
added. As explained below, Non-Repudiation does not apply to routing expands the model to include the concept of availability. As
protocols. explained below, non-repudiation does not apply to routing protocols.
Many of the issues in this document were also covered in The IAB Many of the issues in this document were also covered in the IAB
Smart Object Workshop [RFC6574], and The IAB Smart Object Security Smart Object Workshop [RFC6574] and the IAB Smart Object Security
Workshop [I-D.gilger-smart-object-security-workshop]. Workshop [RFC7397].
All of this document concerns itself with securing the control plane This document concerns itself with securing the control-plane
traffic. As such it does not address authorization or authentication traffic. As such, it does not address authorization or
of application traffic. RPL uses multicast as part of its protocol, authentication of application traffic. RPL uses multicast as part of
and therefore mechanisms which RPL uses to secure this traffic might its protocol; therefore, mechanisms that RPL uses to secure this
also be applicable to MPL control traffic as well: the important part traffic might also be applicable to the Multicast Protocol for Low-
is that the threats are similar. Power and Lossy Networks (MPL) control traffic as well: the important
part is that the threats are similar.
2. Relationship to other documents 2. Relationship to Other Documents
ROLL has specified a set of routing protocols for Lossy and Low- Routing Over Low-Power and Lossy (ROLL) networks has specified a set
resource Networks (LLN) [RFC6550]. A number of applicability texts of routing protocols for LLNs [RFC6550]. A number of applicability
describes a subset of these protocols and the conditions which make texts describe a subset of these protocols and the conditions that
the subset the correct choice. The text recommends and motivates the make the subset the correct choice. The text recommends and
accompanying parameter value ranges. Multiple applicability domains motivates the accompanying parameter value ranges. Multiple
are recognized including: Building and Home, and Advanced Metering applicability domains are recognized, including Building and Home and
Infrastructure. The applicability domains distinguish themselves in Advanced Metering Infrastructure. The applicability domains
the way they are operated, their performance requirements, and the distinguish themselves in the way they are operated, by their
most probable network structures. Each applicability statement performance requirements, and by the most probable network
identifies the distinguishing properties according to a common set of structures. Each applicability statement identifies the
subjects described in as many sections. distinguishing properties according to a common set of subjects
described in as many sections.
The common set of security threats herein are referred to by the The common set of security threats herein are referred to by the
applicability statements, and that series of documents describes the applicability statements, and that series of documents describes the
preferred security settings and solutions within the applicability preferred security settings and solutions within the applicability
statement conditions. This applicability statements may recommend statement conditions. This applicability statement may recommend
more light weight security solutions and specify the conditions under more lightweight security solutions and specify the conditions under
which these solutions are appropriate. which these solutions are appropriate.
3. Terminology 3. Terminology
This document adopts the terminology defined in [RFC6550], in This document adopts the terminology defined in [RFC6550], [RFC4949],
[RFC4949], and in [RFC7102]. and [RFC7102].
The terms control plane and forwarding plane are used consistently The terms "control plane" and "forwarding plane" are used in a manner
with section 1 of [RFC6192]. consistent with Section 1 of [RFC6192].
The term DODAG is from [RFC6550]. The term "Destination-Oriented DAG (DODAG)" is from [RFC6550].
EAP-TLS is defined in [RFC5216]. Extensible Authentication Protocol - Transport Layer Security
(EAP-TLS) is defined in [RFC5216].
PANA is defined in [RFC5191]. The Protocol for Carrying Authentication for Network Access (PANA) is
defined in [RFC5191].
CCM mode is defined in [RFC3610]. Counter with CBC-MAC (CCM) mode is defined in [RFC3610].
[RFC7102] introduces the term Sleepy Node, referring to a node which The term "sleepy node", introduced in [RFC7102], refers to a node
may somtimes go into a low-power state, suspending protocol that may sometimes go into a low-power state, suspending protocol
communications communications.
The terms SSID, ESSID and PAN refer to network identifiers, defined The terms Service Set Identifier (SSID), Extended Service Set
in [IEEE.802.11] and [IEEE.802.15.4]. Identifier (ESSID), and Personal Area Network (PAN) refer to network
identifiers, defined in [IEEE.802.11] and [IEEE.802.15.4].
Although this is not a protocol specification, the key words "MUST", Although this is not a protocol specification, the key words "MUST",
"MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT",
"RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119] in order to document are to be interpreted as described in [RFC2119] in order to
clarify and emphasize the guidance and directions to implementers and clarify and emphasize the guidance and directions to implementers and
deployers of LLN nodes that utilize RPL. deployers of LLN nodes that utilize RPL.
4. Considerations on RPL Security 4. Considerations on RPL Security
Routing security, in essence, ensures that the routing protocol Routing security, in essence, ensures that the routing protocol
operates correctly. It entails implementing measures to ensure operates correctly. It entails implementing measures to ensure
controlled state changes on devices and network elements, both based controlled state changes on devices and network elements, both based
on external inputs (received via communications) or internal inputs on external inputs (received via communications) or internal inputs
(physical security of device itself and parameters maintained by the (physical security of the device itself and parameters maintained by
device, including, e.g., clock). State changes would thereby involve the device, including, e.g., clock). State changes would thereby
not only authorization of injector's actions, authentication of involve not only authorization of the injector's actions,
injectors, and potentially confidentiality of routing data, but also authentication of injectors, and potentially confidentiality of
proper order of state changes through timeliness, since seriously routing data, but also proper order of state changes through
delayed state changes, such as commands or updates of routing tables, timeliness, since seriously delayed state changes, such as commands
may negatively impact system operation. A security assessment can or updates of routing tables, may negatively impact system operation.
therefore begin with a focus on the assets [RFC4949] that may be the A security assessment can, therefore, begin with a focus on the
target of the state changes and the access points in terms of assets [RFC4949] that may be the target of the state changes and the
interfaces and protocol exchanges through which such changes may access points in terms of interfaces and protocol exchanges through
occur. In the case of routing security, the focus is directed which such changes may occur. In the case of routing security, the
towards the elements associated with the establishment and focus is directed towards the elements associated with the
maintenance of network connectivity. establishment and maintenance of network connectivity.
This section sets the stage for the development of the analysis by This section sets the stage for the development of the analysis by
applying the systematic approach proposed in [Myagmar2005] to the applying the systematic approach proposed in [Myagmar2005] to the
routing security, while also drawing references from other reviews routing security, while also drawing references from other reviews
and assessments found in the literature, particularly, [RFC4593] and and assessments found in the literature, particularly [RFC4593] and
[Karlof2003] (i.e. selective forwarding, wormhole and sinkhole [Karlof2003] (i.e., selective forwarding, wormhole, and sinkhole
attacks). The subsequent subsections begin with a focus on the attacks). The subsequent subsections begin with a focus on the
elements of a generic routing process that is used to establish elements of a generic routing process that is used to establish
routing assets and points of access to the routing functionality. routing assets and points of access to the routing functionality.
Next, the [ISO.7498-2.1988] security model is briefly described. Next, the security model based on [ISO.7498-2.1989] is briefly
Then, consideration is given to issues specific to or amplified in described. Then, consideration is given to issues specific to or
LLNs. This section concludes with the formulation of a set of amplified in LLNs. This section concludes with the formulation of a
security objectives for RPL. set of security objectives for RPL.
4.1. Routing Assets and Points of Access 4.1. Routing Assets and Points of Access
An asset is an important system resource (including information, An asset is an important system resource (including information,
process, or physical resource), the access to, corruption or loss of process, or physical resource); the access to and corruption or loss
which adversely affects the system. In the control plane context, an of an asset adversely affects the system. In the control-plane
asset is information about the network, processes used to manage and context, an asset is information about the network, processes used to
manipulate this data, and the physical devices on which this data is manage and manipulate this data, and the physical devices on which
stored and manipulated. The corruption or loss of these assets may this data is stored and manipulated. The corruption or loss of these
adversely impact the control plane of the network. Within the same assets may adversely impact the control plane of the network. Within
context, a point of access is an interface or protocol that the same context, a point of access is an interface or protocol that
facilitates interaction between control plane assets. Identifying facilitates interaction between control-plane assets. Identifying
these assets and points of access will provide a basis for these assets and points of access will provide a basis for
enumerating the attack surface of the control plane. enumerating the attack surface of the control plane.
A level-0 data flow diagram [Yourdon1979] is used here to identify A level-0 data flow diagram [Yourdon1979] is used here to identify
the assets and points of access within a generic routing process. the assets and points of access within a generic routing process.
The use of a data flow diagram allows for a clear and concise model The use of a data flow diagram allows for a clear and concise model
of the way in which routing nodes interact and process information, of the way in which routing nodes interact and process information;
and hence provides a context for threats and attacks. The goal of hence, it provides a context for threats and attacks. The goal of
the model is to be as detailed as possible so that corresponding the model is to be as detailed as possible so that corresponding
assets, points of access, and process in an individual routing assets, points of access, and processes in an individual routing
protocol can be readily identified. protocol can be readily identified.
Figure 1 shows that nodes participating in the routing process Figure 1 shows that nodes participating in the routing process
transmit messages to discover neighbors and to exchange routing transmit messages to discover neighbors and to exchange routing
information; routes are then generated and stored, which may be information; routes are then generated and stored, which may be
maintained in the form of the protocol forwarding table. The nodes maintained in the form of the protocol forwarding table. The nodes
use the derived routes for making forwarding decisions. use the derived routes for making forwarding decisions.
................................................... ...................................................
: : : :
: : : :
|Node_i|<------->(Routing Neighbor _________________ : |Node_i|<------->(Routing Neighbor _________________ :
: Discovery)------------>Neighbor Topology : : Discovery)------------>Neighbor Topology :
: -------+--------- : : -------+--------- :
: | : : | :
|Node_j|<------->(Route/Topology +--------+ : |Node_j|<------->(Route/Topology +--------+ :
: Exchange) | : : Exchange) | :
: | V ______ : : | V ______ :
: +---->(Route Generation)--->Routes : : +---->(Route Generation)--->Routes :
: ---+-- : : ---+-- :
: | : : | :
: Routing on a Node Node_k | : : Routing on Node_k | :
................................................... ...................................................
| |
|Forwarding | |Forwarding |
|On Node_l|<-------------------------------------------+ |on Node_l|<-------------------------------------------+
Notation: Notation:
(Proc) A process Proc (Proc) A process Proc
________ ________
topology A structure storing neighbor adjacency (parent/child) topology A structure storing neighbor adjacency (parent/child)
-------- --------
________ ________
routes A structure storing the forwarding information base (FIB) routes A structure storing the forwarding information base (FIB)
-------- --------
|Node_n| An external entity Node_n |Node_n| An external entity Node_n
-------> Data flow -------> Data flow
Figure 1: Data Flow Diagram of a Generic Routing Process Figure 1: Data Flow Diagram of a Generic Routing Process
It is seen from Figure 1 that Figure 1 shows the following:
o Assets include o Assets include
* routing and/or topology information; * routing and/or topology information;
* route generation process; * route generation process;
* communication channel resources (bandwidth); * communication channel resources (bandwidth);
* node resources (computing capacity, memory, and remaining * node resources (computing capacity, memory, and remaining
energy); energy); and
* node identifiers (including node identity and ascribed * node identifiers (including node identity and ascribed
attributes such as relative or absolute node location). attributes such as relative or absolute node location).
o Points of access include o Points of access include
* neighbor discovery; * neighbor discovery;
* route/topology exchange; * route/topology exchange; and
* node physical interfaces (including access to data storage). * node physical interfaces (including access to data storage).
A focus on the above list of assets and points of access enables a A focus on the above list of assets and points of access enables a
more directed assessment of routing security; for example, it is more directed assessment of routing security; for example, it is
readily understood that some routing attacks are in the form of readily understood that some routing attacks are in the form of
attempts to misrepresent routing topology. Indeed, the intention of attempts to misrepresent routing topology. Indeed, the intention of
the security threat analysis is to be comprehensive. Hence, some of the security threat analysis is to be comprehensive. Hence, some of
the discussion which follows is associated with assets and points of the discussion that follows is associated with assets and points of
access that are not directly related to routing protocol design but access that are not directly related to routing protocol design but
nonetheless provided for reference since they do have direct are nonetheless provided for reference since they do have direct
consequences on the security of routing. consequences on the security of routing.
4.2. The ISO 7498-2 Security Reference Model 4.2. The ISO 7498-2 Security Reference Model
At the conceptual level, security within an information system in At the conceptual level, security within an information system, in
general and applied to RPL in particular is concerned with the general, and applied to RPL in particular is concerned with the
primary issues of authentication, access control, data primary issues of authentication, access control, data
confidentiality, data integrity, and non-repudiation. In the context confidentiality, data integrity, and non-repudiation. In the context
of RPL: of RPL:
Authentication Authentication
Authentication involves the mutual authentication of the Authentication involves the mutual authentication of the
routing peers prior to exchanging route information (i.e., peer routing peers prior to exchanging route information (i.e., peer
authentication) as well as ensuring that the source of the authentication) as well as ensuring that the source of the
route data is from the peer (i.e., data origin authentication). route data is from the peer (i.e., data origin authentication).
[RFC5548] points out that LLNs can be drained by LLNs can be drained by unauthenticated peers before
unauthenticated peers before configuration. [RFC5673] requires configuration per [RFC5548]. Availability of open and
availability of open and untrusted side channels for new untrusted side channels for new joiners is required by
joiners, and it requires strong and automated authentication so [RFC5673], and strong and automated authentication is required
that networks can automatically accept or reject new joiners. so that networks can automatically accept or reject new
joiners.
Access Control Access Control
Access Control provides protection against unauthorized use of Access Control provides protection against unauthorized use of
the asset, and deals with the authorization of a node. the asset and deals with the authorization of a node.
Confidentiality Confidentiality
Confidentiality involves the protection of routing information Confidentiality involves the protection of routing information
as well as routing neighbor maintenance exchanges so that only as well as routing neighbor maintenance exchanges so that only
authorized and intended network entities may view or access it. authorized and intended network entities may view or access it.
Because LLNs are most commonly found on a publicly accessible Because LLNs are most commonly found on a publicly accessible
shared medium, e.g., air or wiring in a building, and sometimes shared medium, e.g., air or wiring in a building, and are
formed ad hoc, confidentiality also extends to the neighbor sometimes formed ad hoc, confidentiality also extends to the
state and database information within the routing device since neighbor state and database information within the routing
the deployment of the network creates the potential for device since the deployment of the network creates the
unauthorized access to the physical devices themselves. potential for unauthorized access to the physical devices
themselves.
Integrity Integrity
Integrity entails the protection of routing information and Integrity entails the protection of routing information and
routing neighbor maintenance exchanges, as well as derived routing neighbor maintenance exchanges, as well as derived
information maintained in the database, from unauthorized information maintained in the database, from unauthorized
modification, insertions, deletions or replays. to be addressed modifications, insertions, deletions, or replays to be
beyond the routing protocol. addressed beyond the routing protocol.
Non-repudiation Non-repudiation
Non-repudiation is the assurance that the transmission and/or Non-repudiation is the assurance that the transmission and/or
reception of a message cannot later be denied. The service of reception of a message cannot later be denied. The service of
non-repudiation applies after-the-fact and thus relies on the non-repudiation applies after the fact; thus, it relies on the
logging or other capture of on-going message exchanges and logging or other capture of ongoing message exchanges and
signatures. Routing protocols typically do not have a notion signatures. Routing protocols typically do not have a notion
of repudiation, so non-repudiation services are not required. of repudiation, so non-repudiation services are not required.
Further, with the LLN application domains as described in Further, with the LLN application domains as described in
[RFC5867] and [RFC5548], proactive measures are much more [RFC5867] and [RFC5548], proactive measures are much more
critical than retrospective protections. Finally, given the critical than retrospective protections. Finally, given the
significant practical limits to on-going routing transaction significant practical limits to ongoing routing transaction
logging and storage and individual device digital signature logging and storage and individual device digital signature
verification for each exchange, non-repudiation in the context verification for each exchange, non-repudiation in the context
of routing is an unsupportable burden that bears no further of routing is an unsupportable burden that bears no further
considered as an RPL security issue. consideration as an RPL security issue.
It is recognized that, besides those security issues captured in the It is recognized that, besides those security issues captured in the
ISO 7498-2 model, availability, is a security requirement: ISO 7498-2 model, availability is a security requirement:
Availability Availability
Availability ensures that routing information exchanges and Availability ensures that routing information exchanges and
forwarding services need to be available when they are required forwarding services are available when they are required for
for the functioning of the serving network. Availability will the functioning of the serving network. Availability will
apply to maintaining efficient and correct operation of routing apply to maintaining efficient and correct operation of routing
and neighbor discovery exchanges (including needed information) and neighbor discovery exchanges (including needed information)
and forwarding services so as not to impair or limit the and forwarding services so as not to impair or limit the
network's central traffic flow function network's central traffic flow function.
It should be emphasized here that for RPL security the above It should be emphasized here that for RPL security, the above
requirements must be complemented by the proper security policies and requirements must be complemented by the proper security policies and
enforcement mechanisms to ensure that security objectives are met by enforcement mechanisms to ensure that security objectives are met by
a given RPL implementation. a given RPL implementation.
4.3. Issues Specific to or Amplified in LLNs 4.3. Issues Specific to or Amplified in LLNs
The requirements work detailed in Urban Requirements ([RFC5548]), The requirements work detailed in Urban Requirements [RFC5548],
Industrial Requirements ([RFC5673]), Home Automation ([RFC5826], and Industrial Requirements [RFC5673], Home Automation [RFC5826], and
Building Automation ([RFC5867]) have identified specific issues and Building Automation [RFC5867] have identified specific issues and
constraints of routing in LLNs. The following is a list of constraints of routing in LLNs. The following is a list of
observations from those requirements and evaluation of their impact observations from those requirements and evaluations of their impact
on routing security considerations. on routing security considerations.
Limited energy, memory, and processing node resources Limited energy, memory, and processing node resources
As a consequence of these constraints, there is an even more As a consequence of these constraints, the need to evaluate the
critical need than usual for a careful study of trade-offs on kinds of security that can be provided needs careful study.
which and what level of security services are to be afforded For instance, security provided at one level could be very
during the system design process. The chosen security memory efficient yet might also be very energy costly for the
mechanisms also needs to work within these constraints. network (as a whole) if it requires significant effort to
Synchronization of security states with sleepy nodes [RFC7102] synchronize the security state. Synchronization of security
is yet another issue. A non-rechargeable battery powered node states with sleepy nodes [RFC7102] is a complex issue. A non-
may well be limited in energy for it's lifetime: once rechargeable battery-powered node may well be limited in energy
exchausted, it may well never function again. for it's lifetime: once exhausted, it may well never function
again.
Large scale of rolled out network Large scale of rolled out network
The possibly numerous nodes to be deployed make manual on-site The possibly numerous nodes to be deployed make manual on-site
configuration unlikely. For example, an urban deployment can configuration unlikely. For example, an urban deployment can
see several hundreds of thousands of nodes being installed by see several hundreds of thousands of nodes being installed by
many installers with a low level of expertise. Nodes may be many installers with a low level of expertise. Nodes may be
installed and not activated for many years, and additional installed and not activated for many years, and additional
nodes may be added later on, which may be from old inventory. nodes may be added later on, which may be from old inventory.
The lifetime of the network is measured in decades, and this The lifetime of the network is measured in decades, and this
complicates the operation of key management. complicates the operation of key management.
Autonomous operations Autonomous operations
Self-forming and self-organizing are commonly prescribed Self-forming and self-organizing are commonly prescribed
requirements of LLNs. In other words, a routing protocol requirements of LLNs. In other words, a routing protocol
designed for LLNs needs to contain elements of ad hoc designed for LLNs needs to contain elements of ad hoc
networking and in most cases cannot rely on manual networking and, in most cases, cannot rely on manual
configuration for initialization or local filtering rules. configuration for initialization or local filtering rules.
Network topology/ownership changes, partitioning or merging, as Network topology/ownership changes, partitioning or merging,
well as node replacement, can all contribute to complicating and node replacement can all contribute to complicating the
the operations of key management. operations of key management.
Highly directional traffic Highly directional traffic
Some types of LLNs see a high percentage of their total traffic Some types of LLNs see a high percentage of their total traffic
traverse between the nodes and the LLN Border Routers (LBRs) traverse between the nodes and the LLN Border Routers (LBRs)
where the LLNs connect to non-LLNs. The special routing status where the LLNs connect to non-LLNs. The special routing status
of and the greater volume of traffic near the LBRs have routing of and the greater volume of traffic near the LBRs have routing
security consequences as a higher valued attack target. In security consequences as a higher-valued attack target. In
fact, when Point-to-MultiPoint (P2MP) and MultiPoint-to-Point fact, when Point-to-MultiPoint (P2MP) and MultiPoint-to-Point
(MP2P) traffic represents a majority of the traffic, routing (MP2P) traffic represents a majority of the traffic, routing
attacks consisting of advertising incorrect preferred routes attacks consisting of advertising incorrect preferred routes
can cause serious damage. can cause serious damage.
While it might seem that nodes higher up in the acyclic graph While it might seem that nodes higher up in the acyclic graph
(i.e. those with lower rank) should be secured in a stronger (i.e., those with lower rank) should be secured in a stronger
fashion, it is not in general easy to predict which nodes will fashion, it is not, in general, easy to predict which nodes
occupy those positions until after deployment. Issues of will occupy those positions until after deployment. Issues of
redundancy and inventory control suggests that any node might redundancy and inventory control suggest that any node might
wind up in such a sensitive attack position, so all nodes to be wind up in such a sensitive attack position, so all nodes are
capable of being fully secured. to be capable of being fully secured.
In addition, even if it were possible to predict which nodes In addition, even if it were possible to predict which nodes
will occupy positions of lower rank and provision them with will occupy positions of lower rank and provision them with
stronger security mechanisms, in the absense of a strong stronger security mechanisms, in the absence of a strong
authorization model, any node could advertise an incorrect authorization model, any node could advertise an incorrect
preferred route. preferred route.
Unattended locations and limited physical security Unattended locations and limited physical security
Many applications have the nodes deployed in unattended or In many applications, the nodes are deployed in unattended or
remote locations; furthermore, the nodes themselves are often remote locations; furthermore, the nodes themselves are often
built with minimal physical protection. These constraints built with minimal physical protection. These constraints
lower the barrier of accessing the data or security material lower the barrier of accessing the data or security material
stored on the nodes through physical means. stored on the nodes through physical means.
Support for mobility Support for mobility
On the one hand, only a limited number of applications require On the one hand, only a limited number of applications require
the support of mobile nodes, e.g., a home LLN that includes the support of mobile nodes, e.g., a home LLN that includes
nodes on wearable health care devices or an industry LLN that nodes on wearable health care devices or an industry LLN that
includes nodes on cranes and vehicles. On the other hand, if a includes nodes on cranes and vehicles. On the other hand, if a
routing protocol is indeed used in such applications, it will routing protocol is indeed used in such applications, it will
clearly need to have corresponding security mechanisms. clearly need to have corresponding security mechanisms.
Additionally nodes may appear to move from one side of a wall Additionally, nodes may appear to move from one side of a wall
to another without any actual motion involved, the result of to another without any actual motion involved, which is the
changes to electromagnetic properties, such as opening and result of changes to electromagnetic properties, such as the
closing of a metal door. opening and closing of a metal door.
Support for multicast and anycast Support for multicast and anycast
Support for multicast and anycast is called out chiefly for Support for multicast and anycast is called out chiefly for
large-scale networks. Since application of these routing large-scale networks. Since application of these routing
mechanisms in autonomous operations of many nodes is new, the mechanisms in autonomous operations of many nodes is new, the
consequence on security requires careful consideration. consequence on security requires careful consideration.
The above list considers how an LLN's physical constraints, size, The above list considers how an LLN's physical constraints, size,
operations, and variety of application areas may impact security. operations, and variety of application areas may impact security.
However, it is the combinations of these factors that particularly However, it is the combinations of these factors that particularly
skipping to change at page 12, line 27 skipping to change at page 12, line 33
This subsection applies the ISO 7498-2 model to routing assets and This subsection applies the ISO 7498-2 model to routing assets and
access points, taking into account the LLN issues, to develop a set access points, taking into account the LLN issues, to develop a set
of RPL security objectives. of RPL security objectives.
Since the fundamental function of a routing protocol is to build Since the fundamental function of a routing protocol is to build
routes for forwarding packets, it is essential to ensure that: routes for forwarding packets, it is essential to ensure that:
o routing/topology information integrity remains intact during o routing/topology information integrity remains intact during
transfer and in storage; transfer and in storage;
o routing/topology information is used by authorized entities; o routing/topology information is used by authorized entities; and
o routing/topology information is available when needed. o routing/topology information is available when needed.
In conjunction, it is necessary to be assured that In conjunction, it is necessary to be assured that:
o authorized peers authenticate themselves during the routing o Authorized peers authenticate themselves during the routing
neighbor discovery process; neighbor discovery process.
o the routing/topology information received is generated according o The routing/topology information received is generated according
to the protocol design. to the protocol design.
However, when trust cannot be fully vested through authentication of However, when trust cannot be fully vested through authentication of
the principals alone, i.e., concerns of insider attack, assurance of the principals alone, i.e., concerns of an insider attack, assurance
the truthfulness and timeliness of the received routing/topology of the truthfulness and timeliness of the received routing/topology
information is necessary. With regard to confidentiality, protecting information is necessary. With regard to confidentiality, protecting
the routing/topology information from unauthorized exposure may be the routing/topology information from unauthorized exposure may be
desirable in certain cases but is in itself less pertinent in general desirable in certain cases but is in itself less pertinent, in
to the routing function. general, to the routing function.
One of the main problems of synchronizing security states of sleepy One of the main problems of synchronizing security states of sleepy
nodes, as listed in the last subsection, lies in difficulties in nodes, as listed in the last subsection, lies in difficulties in
authentication; these nodes may not have received in time the most authentication; these nodes may not have received the most recent
recent update of security material. Similarly, the issues of minimal update of security material in time. Similarly, the issues of
manual configuration, prolonged rollout and delayed addition of minimal manual configuration, prolonged rollout and delayed addition
nodes, and network topology changes also complicate key management. of nodes, and network topology changes also complicate key
management. Hence, routing in LLNs needs to bootstrap the
Hence, routing in LLNs needs to bootstrap the authentication process authentication process and allow for a flexible expiration scheme of
and allow for flexible expiration scheme of authentication authentication credentials.
credentials.
The vulnerability brought forth by some special-function nodes, e.g., The vulnerability brought forth by some special-function nodes, e.g.,
LBRs, requires the assurance, particularly in a security context, LBRs, requires the assurance, particularly in a security context, of
the following:
o of the availability of communication channels and node resources; o The availability of communication channels and node resources.
o that the neighbor discovery process operates without undermining o The neighbor discovery process operates without undermining
routing availability. routing availability.
There are other factors which are not part of RPL but directly There are other factors that are not part of RPL but directly affect
affecting its function. These factors include weaker barrier of its function. These factors include a weaker barrier of accessing
accessing the data or security material stored on the nodes through the data or security material stored on the nodes through physical
physical means; therefore, the internal and external interfaces of a means; therefore, the internal and external interfaces of a node need
node need to be adequate for guarding the integrity, and possibly the to be adequate for guarding the integrity, and possibly the
confidentiality, of stored information, as well as the integrity of confidentiality, of stored information, as well as the integrity of
routing and route generation processes. routing and route generation processes.
Each individual system's use and environment will dictate how the Each individual system's use and environment will dictate how the
above objectives are applied, including the choices of security above objectives are applied, including the choices of security
services as well as the strengths of the mechanisms that must be services as well as the strengths of the mechanisms that must be
implemented. The next two sections take a closer look at how the RPL implemented. The next two sections take a closer look at how the RPL
security objectives may be compromised and how those potential security objectives may be compromised and how those potential
compromises can be countered. compromises can be countered.
5. Threat Sources 5. Threat Sources
[RFC4593] provides a detailed review of the threat sources: outsiders [RFC4593] provides a detailed review of the threat sources: outsiders
and byzantine. RPL has the same threat sources. and Byzantine. RPL has the same threat sources.
6. Threats and Attacks 6. Threats and Attacks
This section outlines general categories of threats under the ISO This section outlines general categories of threats under the ISO
7498-2 model and highlights the specific attacks in each of these 7498-2 model and highlights the specific attacks in each of these
categories for RPL. As defined in [RFC4949], a threat is "a categories for RPL. As defined in [RFC4949], a threat is "a
potential for violation of security, which exists when there is a potential for violation of security, which exists when there is a
circumstance, capability, action, or event that could breach security circumstance, capability, action, or event that could breach security
and cause harm." and cause harm."
Per [RFC3067], an attack is "an assault on system security that
An attack is "an assault on system security that derives from an derives from an intelligent threat, i.e., an intelligent act that is
intelligent threat, i.e., an intelligent act that is a deliberate a deliberate attempt (especially in the sense of a method or
attempt (especially in the sense of a method or technique) to evade technique) to evade security services and violate the security policy
security services and violate the security policy of a system." of a system."
The subsequent subsections consider the threats and the attacks that The subsequent subsections consider the threats and the attacks that
can cause security breaches under the ISO 7498-2 model to the routing can cause security breaches under the ISO 7498-2 model to the routing
assets and via the routing points of access identified in assets and via the routing points of access identified in
Section 4.1. The assessment steps through the security concerns of Section 4.1. The assessment reviews the security concerns of each
each routing asset and looks at the attacks that can exploit routing routing asset and looks at the attacks that can exploit routing
points of access. The threats and attacks identified are based on points of access. The threats and attacks identified are based on
the routing model analysis and associated review of the existing the routing model analysis and associated review of the existing
literature. The source of the attacks is assumed to be from either literature. The source of the attacks is assumed to be from either
inside or outside attackers. While some attackers inside the network inside or outside attackers. While some attackers inside the network
will be using compromised nodes, and therefore are only able to do will be using compromised nodes and, therefore, are only able to do
what an ordinary node can ("node-equivalent"), other attacks may not what an ordinary node can ("node-equivalent"), other attacks may not
limited in memory, CPU, power consumption or long term storage. be limited in memory, CPU, power consumption, or long-term storage.
Moore's law favours the attacker with access to the latest Moore's law favors the attacker with access to the latest
capabilities, while the defenders will remain in place for years to capabilities, while the defenders will remain in place for years to
decades. decades.
6.1. Threats due to failures to Authenticate 6.1. Threats Due to Failures to Authenticate
6.1.1. Node Impersonation 6.1.1. Node Impersonation
If an attacker can join a network using any identity, then it may be If an attacker can join a network using any identity, then it may be
able to assume the role of a legitimate (and existing node). It may able to assume the role of a legitimate (and existing node). It may
be able to report false readings (in metering applications), or be able to report false readings (in metering applications) or
provide inappropriate control messages (in control systems involving provide inappropriate control messages (in control systems involving
actuators) if the security of the application is implied by the actuators) if the security of the application is implied by the
security of the routing system. security of the routing system.
Even in systems where there application layer security, the ability Even in systems where there is application-layer security, the
to impersonate a node would permit an attacker to direct traffic to ability to impersonate a node would permit an attacker to direct
itself. This may permit various on-path attacks which would traffic to itself. This may permit various on-path attacks that
otherwise be difficult, such replaying, delaying, or duplicating would otherwise be difficult, such as replaying, delaying, or
(application) control messages. duplicating (application) control messages.
6.1.2. Dummy Node 6.1.2. Dummy Node
If an attacker can join a network using any identify, then it can If an attacker can join a network using any identify, then it can
pretend to be a legitimate node, receiving any service legitimate pretend to be a legitimate node, receiving any service legitimate
nodes receive. It may also be able to report false readings (in nodes receive. It may also be able to report false readings (in
metering applications), or provide inappropriate authorizations (in metering applications), provide inappropriate authorizations (in
control systems involving actuators), or perform any other attacks control systems involving actuators), or perform any other attacks
that are facilitated by being able to direct traffic towards itself. that are facilitated by being able to direct traffic towards itself.
6.1.3. Node Resource Spam 6.1.3. Node Resource Spam
If an attacker can join a network with any identify, then it can If an attacker can join a network with any identity, then it can
continously do so with new (random) identities. This act may drain continuously do so with new (random) identities. This act may drain
down the resources of the network (battery, RAM, bandwidth). This down the resources of the network (battery, RAM, bandwidth). This
may cause legitimate nodes of the network to be unable to may cause legitimate nodes of the network to be unable to
communicate. communicate.
6.2. Threats due to failure to keep routing information confidential 6.2. Threats Due to Failure to Keep Routing Information Confidential
The assessment in Section 4.2 indicates that there are attacks The assessment in Section 4.2 indicates that there are attacks
against the confidentiality of routing information at all points of against the confidentiality of routing information at all points of
access. This threat may result in disclosure, as described in access. This threat may result in disclosure, as described in
Section 3.1.2 of [RFC4593], and may involve a disclosure of routing Section 3.1.2 of [RFC4593], and may involve a disclosure of routing
information. information.
6.2.1. Routing Exchange Exposure 6.2.1. Routing Exchange Exposure
Routing exchanges include both routing information as well as Routing exchanges include both routing information as well as
information associated with the establishment and maintenance of information associated with the establishment and maintenance of
neighbor state information. As indicated in Section 4.1, the neighbor state information. As indicated in Section 4.1, the
associated routing information assets may also include device associated routing information assets may also include device-
specific resource information, such as available memory, remaining specific resource information, such as available memory, remaining
power, etc., that may be metrics of the routing protocol. power, etc., that may be metrics of the routing protocol.
The routing exchanges will contain reachability information, which The routing exchanges will contain reachability information, which
would identify the relative importance of different nodes in the would identify the relative importance of different nodes in the
network. Nodes higher up in the DODAG, to which more streams of network. Nodes higher up in the DODAG, to which more streams of
information flow, would be more interesting targets for other information flow, would be more interesting targets for other
attacks, and routing exchange exposures can identify them. attacks, and routing exchange exposures could identify them.
6.2.2. Routing Information (Routes and Network Topology) Exposure 6.2.2. Routing Information (Routes and Network Topology) Exposure
Routes (which may be maintained in the form of the protocol Routes (which may be maintained in the form of the protocol
forwarding table) and neighbor topology information are the products forwarding table) and neighbor topology information are the products
of the routing process that are stored within the node device of the routing process that are stored within the node device
databases. databases.
The exposure of this information will allow attackers to gain direct The exposure of this information will allow attackers to gain direct
access to the configuration and connectivity of the network thereby access to the configuration and connectivity of the network, thereby
exposing routing to targeted attacks on key nodes or links. Since exposing routing to targeted attacks on key nodes or links. Since
routes and neighbor topology information is stored within the node routes and neighbor topology information are stored within the node
device, attacks on the confidentiality of the information will apply device, attacks on the confidentiality of the information will apply
to the physical device including specified and unspecified internal to the physical device, including specified and unspecified internal
and external interfaces. and external interfaces.
The forms of attack that allow unauthorized access or disclosure of The forms of attack that allow unauthorized access or disclosure of
the routing information will include: the routing information will include:
o Physical device compromise; o Physical device compromise.
o Remote device access attacks (including those occurring through o Remote device access attacks (including those occurring through
remote network management or software/field upgrade interfaces). remote network management or software/field upgrade interfaces).
Both of these attack vectors are considered a device specific issue, Both of these attack vectors are considered a device-specific issue
and are out of scope for RPL to defend against. In some and are out of scope for RPL to defend against. In some
applications, physical device compromise may be a real threat and it applications, physical device compromise may be a real threat, and it
may be necessary to provide for other devices to securely detect a may be necessary to provide for other devices to securely detect a
compromised device and react quickly to exclude it. compromised device and react quickly to exclude it.
6.3. Threats and Attacks on Integrity 6.3. Threats and Attacks on Integrity
The assessment in Section 4.2 indicates that information and identity The assessment in Section 4.2 indicates that information and identity
assets are exposed to integrity threats from all points of access. assets are exposed to integrity threats from all points of access.
In other words, the integrity threat space is defined by the In other words, the integrity threat space is defined by the
potential for exploitation introduced by access to assets available potential for exploitation introduced by access to assets available
through routing exchanges and the on-device storage. through routing exchanges and the on-device storage.
6.3.1. Routing Information Manipulation 6.3.1. Routing Information Manipulation
Manipulation of routing information that range from neighbor states Manipulation of routing information that ranges from neighbor states
to derived routes will allow unauthorized sources to influence the to derived routes will allow unauthorized sources to influence the
operation and convergence of the routing protocols and ultimately operation and convergence of the routing protocols and ultimately
impact the forwarding decisions made in the network. impact the forwarding decisions made in the network.
Manipulation of topology and reachability information will allow Manipulation of topology and reachability information will allow
unauthorized sources to influence the nodes with which routing unauthorized sources to influence the nodes with which routing
information is exchanged and updated. The consequence of information is exchanged and updated. The consequence of
manipulating routing exchanges can thus lead to sub-optimality and manipulating routing exchanges can thus lead to suboptimality and
fragmentation or partitioning of the network by restricting the fragmentation or partitioning of the network by restricting the
universe of routers with which associations can be established and universe of routers with which associations can be established and
maintained. maintained.
A sub-optimal network may use too much power and/or may congest some A suboptimal network may use too much power and/or may congest some
routes leading to premature failure of a node, and a denial of routes leading to premature failure of a node and a denial of service
service on the entire network. (DoS) on the entire network.
In addition, being able to attract network traffic can make a In addition, being able to attract network traffic can make a black-
blackhole attack more damaging. hole attack more damaging.
The forms of attack that allow manipulation to compromise the content The forms of attack that allow manipulation to compromise the content
and validity of routing information include and validity of routing information include:
o Falsification, including overclaiming and misclaiming (claiming o falsification, including overclaiming and misclaiming (claiming
routes to devices which the device can not in fact reach); routes to devices that the device cannot in fact reach);
o Routing information replay; o routing information replay;
o Byzantine (internal) attacks that permit corruption of routing o Byzantine (internal) attacks that permit corruption of routing
information in the node even where the node continues to be a information in the node even when the node continues to be a
validated entity within the network (see, for example, [RFC4593] validated entity within the network (see, for example, [RFC4593]
for further discussions on Byzantine attacks); for further discussions on Byzantine attacks); and
o Physical device compromise or remote device access attacks. o physical device compromise or remote device access attacks.
6.3.2. Node Identity Misappropriation 6.3.2. Node Identity Misappropriation
Falsification or misappropriation of node identity between routing Falsification or misappropriation of node identity between routing
participants opens the door for other attacks; it can also cause participants opens the door for other attacks; it can also cause
incorrect routing relationships to form and/or topologies to emerge. incorrect routing relationships to form and/or topologies to emerge.
Routing attacks may also be mounted through less sophisticated node Routing attacks may also be mounted through less-sophisticated node
identity misappropriation in which the valid information broadcast or identity misappropriation in which the valid information broadcasted
exchanged by a node is replayed without modification. The receipt of or exchanged by a node is replayed without modification. The receipt
seemingly valid information that is however no longer current can of seemingly valid information that is, however, no longer current
result in routing disruption, and instability (including failure to can result in routing disruption and instability (including failure
converge). Without measures to authenticate the routing participants to converge). Without measures to authenticate the routing
and to ensure the freshness and validity of the received information participants and to ensure the freshness and validity of the received
the protocol operation can be compromised. The forms of attack that information, the protocol operation can be compromised. The forms of
misuse node identity include attack that misuse node identity include:
o Identity attacks, including Sybil attacks (see [Sybil2002]) in o Identity attacks, including Sybil attacks (see [Sybil2002]) in
which a malicious node illegitimately assumes multiple identities; which a malicious node illegitimately assumes multiple identities.
o Routing information replay. o Routing information replay.
6.4. Threats and Attacks on Availability 6.4. Threats and Attacks on Availability
The assessment in Section 4.2 indicates that the process and The assessment in Section 4.2 indicates that the process and resource
resources assets are exposed to threats against availability; attacks assets are exposed to threats against availability; attacks in this
in this category may exploit directly or indirectly information category may exploit directly or indirectly information exchange or
exchange or forwarding (see [RFC4732] for a general discussion). forwarding (see [RFC4732] for a general discussion).
6.4.1. Routing Exchange Interference or Disruption 6.4.1. Routing Exchange Interference or Disruption
Interference is the threat action and disruption is threat Interference is the threat action and disruption is the threat
consequence that allows attackers to influence the operation and consequence that allows attackers to influence the operation and
convergence of the routing protocols by impeding the routing convergence of the routing protocols by impeding the routing
information exchange. information exchange.
The forms of attack that allow interference or disruption of routing The forms of attack that allow interference or disruption of routing
exchange include: exchange include:
o Routing information replay; o routing information replay;
o ACK spoofing; o ACK spoofing; and
o Overload attacks. (Section 7.3.2) o overload attacks (Section 7.3.2).
In addition, attacks may also be directly conducted at the physical In addition, attacks may also be directly conducted at the physical
layer in the form of jamming or interfering. layer in the form of jamming or interfering.
6.4.2. Network Traffic Forwarding Disruption 6.4.2. Network Traffic Forwarding Disruption
The disruption of the network traffic forwarding capability will The disruption of the network traffic forwarding capability will
undermine the central function of network routers and the ability to undermine the central function of network routers and the ability to
handle user traffic. This affects the availability of the network handle user traffic. This affects the availability of the network
because of the potential to impair the primary capability of the because of the potential to impair the primary capability of the
network. network.
In addition to physical layer obstructions, the forms of attack that In addition to physical-layer obstructions, the forms of attack that
allows disruption of network traffic forwarding include [Karlof2003] allow disruption of network traffic forwarding include [Karlof2003]:
o Selective forwarding attacks; o selective forwarding attacks;
|Node_1|--(msg1|msg2|msg3)-->|Attacker|--(msg1|msg3)-->|Node_2| |Node_1|--(msg1|msg2|msg3)-->|Attacker|--(msg1|msg3)-->|Node_2|
Figure 2: Selective forwarding example Figure 2: Selective Forwarding Example
o Wormhole attacks; o wormhole attacks; and
|Node_1|-------------Unreachable---------x|Node_2| |Node_1|-------------Unreachable---------x|Node_2|
| ^ | ^
| Private Link | | Private Link |
'-->|Attacker_1|===========>|Attacker_2|--' '-->|Attacker_1|===========>|Attacker_2|--'
Figure 3: Wormhole Attacks Figure 3: Wormhole Attacks
o Sinkhole attacks. o sinkhole attacks.
|Node_1| |Node_4| |Node_1| |Node_4|
| | | |
`--------. | `--------. |
Falsify as \ | Falsify as \ |
Good Link \ | | Good Link \ | |
To Node_5 \ | | to Node_5 \ | |
\ V V \ V V
|Node_2|-->|Attacker|--Not Forwarded---x|Node_5| |Node_2|-->|Attacker|--Not Forwarded---x|Node_5|
^ ^ \ ^ ^ \
| | \ Falsify as | | \ Falsify as
| | \Good Link | | \Good Link
/ | To Node_5 / | to Node_5
,-------' | ,-------' |
| | | |
|Node_3| |Node_i| |Node_3| |Node_i|
Figure 4: sinkhole attack example Figure 4: Sinkhole Attack Example
These attacks are generally done to both control plane and forwarding These attacks are generally done to both control- and forwarding-
plane traffic. A system that prevents control plane traffic (RPL plane traffic. A system that prevents control-plane traffic (RPL
messages) from being diverted in these ways will also prevent actual messages) from being diverted in these ways will also prevent actual
data from being diverted. data from being diverted.
6.4.3. Communications Resource Disruption 6.4.3. Communications Resource Disruption
Attacks mounted against the communication channel resource assets Attacks mounted against the communication channel resource assets
needed by the routing protocol can be used as a means of disrupting needed by the routing protocol can be used as a means of disrupting
its operation. However, while various forms of Denial of Service its operation. However, while various forms of DoS attacks on the
(DoS) attacks on the underlying transport subsystem will affect underlying transport subsystem will affect routing protocol exchanges
routing protocol exchanges and operation (for example physical layer and operation (for example, physical-layer Radio Frequency (RF)
RF jamming in a wireless network or link layer attacks), these jamming in a wireless network or link-layer attacks), these attacks
attacks cannot be countered by the routing protocol. As such, the cannot be countered by the routing protocol. As such, the threats to
threats to the underlying transport network that supports routing is the underlying transport network that supports routing is considered
considered beyond the scope of the current document. Nonetheless, beyond the scope of the current document. Nonetheless, attacks on
attacks on the subsystem will affect routing operation and so must be the subsystem will affect routing operation and must be directly
directly addressed within the underlying subsystem and its addressed within the underlying subsystem and its implemented
implemented protocol layers. protocol layers.
6.4.4. Node Resource Exhaustion 6.4.4. Node Resource Exhaustion
A potential threat consequence can arise from attempts to overload A potential threat consequence can arise from attempts to overload
the node resource asset by initiating exchanges that can lead to the the node resource asset by initiating exchanges that can lead to the
exhaustion of processing, memory, or energy resources. The exhaustion of processing, memory, or energy resources. The
establishment and maintenance of routing neighbors opens the routing establishment and maintenance of routing neighbors opens the routing
process to engagement and potential acceptance of multiple process to engagement and potential acceptance of multiple
neighboring peers. Association information must be stored for each neighboring peers. Association information must be stored for each
peer entity and for the wireless network operation provisions made to peer entity and for the wireless network operation provisions made to
periodically update and reassess the associations. An introduced periodically update and reassess the associations. An introduced
proliferation of apparent routing peers can therefore have a negative proliferation of apparent routing peers can, therefore, have a
impact on node resources. negative impact on node resources.
Node resources may also be unduly consumed by attackers attempting Node resources may also be unduly consumed by attackers attempting
uncontrolled topology peering or routing exchanges, routing replays, uncontrolled topology peering or routing exchanges, routing replays,
or the generating of other data traffic floods. Beyond the or the generating of other data-traffic floods. Beyond the
disruption of communications channel resources, these consequences disruption of communications channel resources, these consequences
may be able to exhaust node resources only where the engagements are may be able to exhaust node resources only where the engagements are
able to proceed with the peer routing entities. Routing operation able to proceed with the peer routing entities. Routing operation
and network forwarding functions can thus be adversely impacted by and network forwarding functions can thus be adversely impacted by
node resources exhaustion that stems from attacks that include: node resources exhaustion that stems from attacks that include:
o Identity (including Sybil) attacks (see [Sybil2002]); o identity (including Sybil) attacks (see [Sybil2002]);
o Routing information replay attacks; o routing information replay attacks;
o HELLO-type flood attacks; o HELLO-type flood attacks; and
o Overload attacks. (Section 7.3.2) o overload attacks (Section 7.3.2).
7. Countermeasures 7. Countermeasures
By recognizing the characteristics of LLNs that may impact routing, By recognizing the characteristics of LLNs that may impact routing,
this analysis provides the basis for understanding the capabilities this analysis provides the basis for understanding the capabilities
within RPL used to deter the identified attacks and mitigate the within RPL used to deter the identified attacks and mitigate the
threats. The following subsections consider such countermeasures by threats. The following subsections consider such countermeasures by
grouping the attacks according to the classification of the ISO grouping the attacks according to the classification of the ISO
7498-2 model so that associations with the necessary security 7498-2 model so that associations with the necessary security
services are more readily visible. services are more readily visible.
7.1. Confidentiality Attack Countermeasures 7.1. Confidentiality Attack Countermeasures
Attacks to disclosure routing information may be mounted at the level Attacks to disclosure routing information may be mounted at the level
of the routing information assets, at the points of access associated of the routing information assets, at the points of access associated
with routing exchanges between nodes, or through device interface with routing exchanges between nodes, or through device interface
access. To gain access to routing/topology information, the attacker access. To gain access to routing/topology information, the attacker
may rely on a compromised node that deliberately exposes the may rely on a compromised node that deliberately exposes the
information during the routing exchange process, may rely on passive information during the routing exchange process, on passive
wiretapping or traffic analysis, or may attempt access through a wiretapping or traffic analysis, or on attempting access through a
component or device interface of a tampered routing node. component or device interface of a tampered routing node.
7.1.1. Countering Deliberate Exposure Attacks 7.1.1. Countering Deliberate Exposure Attacks
A deliberate exposure attack is one in which an entity that is party A deliberate exposure attack is one in which an entity that is party
to the routing process or topology exchange allows the routing/ to the routing process or topology exchange allows the routing/
topology information or generated route information to be exposed to topology information or generated route information to be exposed to
an unauthorized entity. an unauthorized entity.
For instance, due to mis-configuration or inappropriate enabling of a For instance, due to misconfiguration or inappropriate enabling of a
diagnostic interface, an entity might be copying ("bridging") traffic diagnostic interface, an entity might be copying ("bridging") traffic
from a secured ESSID/PAN to an unsecured interface. from a secured ESSID/PAN to an unsecured interface.
A prerequisite to countering this attack is to ensure that the A prerequisite to countering this attack is to ensure that the
communicating nodes are authenticated prior to data encryption communicating nodes are authenticated prior to data encryption
applied in the routing exchange. The authentication ensures the LLN applied in the routing exchange. The authentication ensures that the
starts with trusted nodes, but it does not provide an indication of LLN starts with trusted nodes, but it does not provide an indication
whether the node has been compromised. of whether the node has been compromised.
Reputation systems could be be used to help when some nodes may sleep Reputation systems could be used to help when some nodes may sleep
for extended periods of times. It is also unclear if resulting for extended periods of time. It is also unclear if resulting
dataset would even fit into constrained devices. datasets would even fit into constrained devices.
To mitigate the risk of deliberate exposure, the process that To mitigate the risk of deliberate exposure, the process that
communicating nodes use to establish session keys must be peer-to- communicating nodes use to establish session keys must be
peer (i.e., between the routing initiating and responding nodes). As peer-to-peer (i.e., between the routing initiating and responding
is pointed out in [RFC4107], automatic key management is critical for nodes). As is pointed out in [RFC4107], automatic key management is
good security. This helps ensure that neither node is exchanging critical for good security. This helps ensure that neither node is
routing information with another peer without the knowledge of both exchanging routing information with another peer without the
communicating peers. For a deliberate exposure attack to succeed, knowledge of both communicating peers. For a deliberate exposure
the comprised node will need to be more overt and take independent attack to succeed, the comprised node will need to be more overt and
actions in order to disclose the routing information to 3rd party. take independent actions in order to disclose the routing information
to a third party.
Note that the same measures which apply to securing routing/topology Note that the same measures that apply to securing routing/topology
exchanges between operational nodes must also extend to field tools exchanges between operational nodes must also extend to field tools
and other devices used in a deployed network where such devices can and other devices used in a deployed network where such devices can
be configured to participate in routing exchanges. be configured to participate in routing exchanges.
7.1.2. Countering Passive Wiretapping Attacks 7.1.2. Countering Passive Wiretapping Attacks
A passive wiretap attack seeks to breach routing confidentiality A passive wiretap attack seeks to breach routing confidentiality
through passive, direct analysis and processing of the information through passive, direct analysis and processing of the information
exchanges between nodes. exchanges between nodes.
Passive wiretap attacks can be directly countered through the use of Passive wiretap attacks can be directly countered through the use of
data encryption for all routing exchanges. Only when a validated and data encryption for all routing exchanges. Only when a validated and
authenticated node association is completed will routing exchange be authenticated node association is completed will routing exchange be
allowed to proceed using established session keys and an agreed allowed to proceed using established session keys and an agreed
encryption algorithm. The mandatory to implement CCM mode AES-128 encryption algorithm. The mandatory-to-implement CCM mode AES-128
method, is described in [RFC3610], and is believed to be secure method, described in [RFC3610], is believed to be secure against a
against a brute force attack by even the most well-equipped brute-force attack by even the most well-equipped adversary.
adversary.
The significant challenge for RPL is in the provisioning of the key, The significant challenge for RPL is in the provisioning of the key,
which in some modes of RFC6550 is used network-wide. RFC6550 does which in some modes of RFC 6550 is used network wide. This problem
not solve this problem, and it is the subject of significant future is not solved in RFC 6550, and it is the subject of significant
work: see, for instance: [AceCharterProposal], [SolaceProposal], future work: see, for instance, [AceCharterProposal],
[SmartObjectSecurityWorkshop]. [SolaceProposal], and [SmartObjectSecurityWorkshop].
A number of deployments, such as [ZigBeeIP] specify no layer-3/RPL A number of deployments, such as [ZigBeeIP] specify no Layer 3 (L3) /
encryption or authentication and rely upon similiar security at RPL encryption or authentication and rely upon similar security at
layer-2. These networks are immune to outside wiretapping attacks, Layer 2 (L2). These networks are immune to outside wiretapping
but are vulnerable to passive (and active) routing attacks through attacks but are vulnerable to passive (and active) routing attacks
compromises of nodes. (see Section 8.2). through compromises of nodes (see Section 8.2).
Section 10.9 of [RFC6550] specifies AES-128 in CCM mode with a 32-bit Section 10.9 of [RFC6550] specifies AES-128 in CCM mode with a 32-bit
MAC. Message Authentication Code (MAC).
Section 5.6 Zigbee IP [ZigBeeIP] specifies use of CCM, with PANA and Section 5.6 of ZigBee IP [ZigBeeIP] specifies use of CCM, with PANA
EAP-TLS for key management. and EAP-TLS for key management.
7.1.3. Countering Traffic Analysis 7.1.3. Countering Traffic Analysis
Traffic analysis provides an indirect means of subverting Traffic analysis provides an indirect means of subverting
confidentiality and gaining access to routing information by allowing confidentiality and gaining access to routing information by allowing
an attacker to indirectly map the connectivity or flow patterns an attacker to indirectly map the connectivity or flow patterns
(including link-load) of the network from which other attacks can be (including link load) of the network from which other attacks can be
mounted. The traffic analysis attack on an LLN, especially one mounted. The traffic-analysis attack on an LLN, especially one
founded on shared medium, is passive and relies on the ability to founded on a shared medium, is passive and relies on the ability to
read the immutable source/destination layer-2 and/or layer-3 routing read the immutable source/destination L2 and/or L3 routing
information that must remain unencrypted to permit network routing. information that must remain unencrypted to permit network routing.
One way in which passive traffic analysis attacks can be muted is One way in which passive traffic-analysis attacks can be muted is
through the support of load balancing that allows traffic to a given through the support of load balancing that allows traffic to a given
destination to be sent along diverse routing paths. RPL does not destination to be sent along diverse routing paths. RPL does not
generally support multi-path routing within a single DODAG. Multiple generally support multipath routing within a single DODAG. Multiple
DODAGs are supported in the protocol, and an implementation could DODAGs are supported in the protocol, and an implementation could
make use of that. RPL does not have any inherent or standard way to make use of that. RPL does not have any inherent or standard way to
guarantee that the different DODAGs would have significantly diverse guarantee that the different DODAGs would have significantly diverse
paths. Having the diverse DODAGs routed at different border routers paths. Having the diverse DODAGs routed at different border routers
might work in some instances, and this could be combined with a might work in some instances, and this could be combined with a
multipath technology like MPTCP ([RFC6824]. It is unlikely that it multipath technology like Multipath TCP (MPTCP) [RFC6824]. It is
will be affordable in many LLNs, as few deployments will have memory unlikely that it will be affordable in many LLNs, as few deployments
space for more than a few sets of DODAG tables. will have memory space for more than a few sets of DODAG tables.
Another approach to countering passive traffic analysis could be for Another approach to countering passive traffic analysis could be for
nodes to maintain constant amount of traffic to different nodes to maintain a constant amount of traffic to different
destinations through the generation of arbitrary traffic flows; the destinations through the generation of arbitrary traffic flows; the
drawback of course would be the consequent overhead and energy drawback of course would be the consequent overhead and energy
expenditure. expenditure.
The only means of fully countering a traffic analysis attack is The only means of fully countering a traffic-analysis attack is
through the use of tunneling (encapsulation) where encryption is through the use of tunneling (encapsulation) where encryption is
applied across the entirety of the original packet source/destination applied across the entirety of the original packet source/destination
addresses. Deployments which use layer-2 security that includes addresses. Deployments that use L2 security that includes encryption
encryption already do this for all traffic. already do this for all traffic.
7.1.4. Countering Remote Device Access Attacks 7.1.4. Countering Remote Device Access Attacks
Where LLN nodes are deployed in the field, measures are introduced to Where LLN nodes are deployed in the field, measures are introduced to
allow for remote retrieval of routing data and for software or field allow for remote retrieval of routing data and for software or field
upgrades. These paths create the potential for a device to be upgrades. These paths create the potential for a device to be
remotely accessed across the network or through a provided field remotely accessed across the network or through a provided field
tool. In the case of network management a node can be directly tool. In the case of network management, a node can be directly
requested to provide routing tables and neighbor information. requested to provide routing tables and neighbor information.
To ensure confidentiality of the node routing information against To ensure confidentiality of the node routing information against
attacks through remote access, any local or remote device requesting attacks through remote access, any local or remote device requesting
routing information must be authenticated, and must be authorized for routing information must be authenticated and must be authorized for
that access. Since remote access is not invoked as part of a routing that access. Since remote access is not invoked as part of a routing
protocol, security of routing information stored on the node against protocol, security of routing information stored on the node against
remote access will not be addressable as part of the routing remote access will not be addressable as part of the routing
protocol. protocol.
7.2. Integrity Attack Countermeasures 7.2. Integrity Attack Countermeasures
Integrity attack countermeasures address routing information Integrity attack countermeasures address routing information
manipulation, as well as node identity and routing information manipulation, as well as node identity and routing information
misuse. Manipulation can occur in the form of falsification attack misuse. Manipulation can occur in the form of a falsification attack
and physical compromise. To be effective, the following development and physical compromise. To be effective, the following development
considers the two aspects of falsification, namely, the unauthorized considers the two aspects of falsification, namely, the unauthorized
modifications and the overclaiming and misclaiming content. The modifications and the overclaiming and misclaiming content. The
countering of physical compromise was considered in the previous countering of physical compromise was considered in the previous
section and is not repeated here. With regard to misuse, there are section and is not repeated here. With regard to misuse, there are
two types of attacks to be deterred, identity attacks and replay two types of attacks to be deterred: identity attacks and replay
attacks. attacks.
7.2.1. Countering Unauthorized Modification Attacks 7.2.1. Countering Unauthorized Modification Attacks
Unauthorized modifications may occur in the form of altering the Unauthorized modifications may occur in the form of altering the
message being transferred or the data stored. Therefore, it is message being transferred or the data stored. Therefore, it is
necessary to ensure that only authorized nodes can change the portion necessary to ensure that only authorized nodes can change the portion
of the information that is allowed to be mutable, while the integrity of the information that is allowed to be mutable, while the integrity
of the rest of the information is protected, e.g., through well- of the rest of the information is protected, e.g., through well-
studied cryptographic mechanisms. studied cryptographic mechanisms.
skipping to change at page 24, line 15 skipping to change at page 24, line 37
Unauthorized modifications may also occur in the form of insertion or Unauthorized modifications may also occur in the form of insertion or
deletion of messages during protocol changes. Therefore, the deletion of messages during protocol changes. Therefore, the
protocol needs to ensure the integrity of the sequence of the protocol needs to ensure the integrity of the sequence of the
exchange sequence. exchange sequence.
The countermeasure to unauthorized modifications needs to: The countermeasure to unauthorized modifications needs to:
o implement access control on storage; o implement access control on storage;
o provide data integrity service to transferred messages and stored o provide data integrity service to transferred messages and stored
data; data; and
o include sequence number under integrity protection. o include a sequence number under integrity protection.
7.2.2. Countering Overclaiming and Misclaiming Attacks 7.2.2. Countering Overclaiming and Misclaiming Attacks
Both overclaiming and misclaiming aim to introduce false routes or a Both overclaiming and misclaiming aim to introduce false routes or a
false topology that would not occur otherwise, while there are not false topology that would not occur otherwise, while there are not
necessarily unauthorized modifications to the routing messages or necessarily unauthorized modifications to the routing messages or
information. In order to counter overclaiming, the capability to information. In order to counter overclaiming, the capability to
determine unreasonable routes or topology is required. determine unreasonable routes or topology is required.
The counter to overclaiming and misclaiming may employ: The counter to overclaiming and misclaiming may employ:
o comparison with historical routing/topology data; o Comparison with historical routing/topology data.
o designs which restrict realizable network topologies. o Designs that restrict realizable network topologies.
RPL includes no specific mechanisms in the protocol to counter RPL includes no specific mechanisms in the protocol to counter
overclaims or misclaims. An implementation could have specific overclaims or misclaims. An implementation could have specific
heuristics implemented locally. heuristics implemented locally.
7.2.3. Countering Identity (including Sybil) Attacks 7.2.3. Countering Identity (including Sybil) Attacks
Identity attacks, sometimes simply called spoofing, seek to gain or Identity attacks, sometimes simply called spoofing, seek to gain or
damage assets whose access is controlled through identity. In damage assets whose access is controlled through identity. In
routing, an identity attacker can illegitimately participate in routing, an identity attacker can illegitimately participate in
routing exchanges, distribute false routing information, or cause an routing exchanges, distribute false routing information, or cause an
invalid outcome of a routing process. invalid outcome of a routing process.
A perpetrator of Sybil attacks assumes multiple identities. The A perpetrator of Sybil attacks assumes multiple identities. The
result is not only an amplification of the damage to routing, but result is not only an amplification of the damage to routing but
extension to new areas, e.g., where geographic distribution is extension to new areas, e.g., where geographic distribution is
explicitly or implicitly an asset to an application running on the explicitly or implicitly an asset to an application running on the
LLN, for example, the LBR in a P2MP or MP2P LLN. LLN, for example, the LBR in a P2MP or MP2P LLN.
RPL includes specific public key based authentication at layer-3 that RPL includes specific public key-based authentication at L3 that
provide for authorization. Many deployments use layer-2 security provides for authorization. Many deployments use L2 security that
that includes admission controls at layer-2 using mechanisms such as includes admission controls at L2 using mechanisms such as PANA.
PANA.
7.2.4. Countering Routing Information Replay Attacks 7.2.4. Countering Routing Information Replay Attacks
In many routing protocols, message replay can result in false In many routing protocols, message replay can result in false
topology and/or routes. This is often counted with some kind of topology and/or routes. This is often counted with some kind of
counter to ensure the freshness of the message. Replay of a current, counter to ensure the freshness of the message. Replay of a current,
literal RPL message are in general idempotent to the topology. An literal RPL message is, in general, idempotent to the topology. If
older (lower DODAGVersionNumber) message, if replayed would be replayed, an older (lower DODAGVersionNumber) message would be
rejected as being stale. The trickle algorithm further dampens the rejected as being stale. If the trickle algorithm further dampens
effect of any such replay, as if the message was current, then it the effect of any such replay, as if the message was current, then it
would contain the same information as before, and it would cause no would contain the same information as before, and it would cause no
network changes. network changes.
Replays may well occur in some radio technologies (not very likely, Replays may well occur in some radio technologies (though not very
802.15.4) as a result of echos or reflections, and so some replays likely; see [IEEE.802.15.4]) as a result of echos or reflections, so
must be assumed to occur naturally. some replays must be assumed to occur naturally.
Note that for there to be no affect at all, the replay must be done Note that for there to be no effect at all, the replay must be done
with the same apparent power for all nodes receiving the replay. A with the same apparent power for all nodes receiving the replay. A
change in apparent power might change the metrics through changes to change in apparent power might change the metrics through changes to
the ETX and therefore might affect the routing even though the the Expected Transmission Count (ETX); therefore, it might affect the
contents of the packet were never changed. Any replay which appears routing even though the contents of the packet were never changed.
to be different should be analyzed as a Selective Forwarding Attack, Any replay that appears to be different should be analyzed as a
Sinkhole Attack or Wormhole Attack. selective forwarding attack, sinkhole attack, or wormhole attack.
7.2.5. Countering Byzantine Routing Information Attacks 7.2.5. Countering Byzantine Routing Information Attacks
Where a node is captured or compromised but continues to operate for Where a node is captured or compromised but continues to operate for
a period with valid network security credentials, the potential a period with valid network security credentials, the potential
exists for routing information to be manipulated. This compromise of exists for routing information to be manipulated. This compromise of
the routing information could thus exist in spite of security the routing information could thus exist in spite of security
countermeasures that operate between the peer routing devices. countermeasures that operate between the peer routing devices.
Consistent with the end-to-end principle of communications, such an Consistent with the end-to-end principle of communications, such an
attack can only be fully addressed through measures operating attack can only be fully addressed through measures operating
directly between the routing entities themselves or by means of directly between the routing entities themselves or by means of
external entities able to access and independently analyze the external entities accessing and independently analyzing the routing
routing information. Verification of the authenticity and liveliness information. Verification of the authenticity and liveliness of the
of the routing entities can therefore only provide a limited counter routing entities can, therefore, only provide a limited counter
against internal (Byzantine) node attacks. against internal (Byzantine) node attacks.
For link state routing protocols where information is flooded with, For link-state routing protocols where information is flooded with,
for example, areas (OSPF [RFC2328]) or levels (ISIS [RFC7142]), for example, areas (OSPF [RFC2328]) or levels (IS-IS [RFC7142]),
countermeasures can be directly applied by the routing entities countermeasures can be directly applied by the routing entities
through the processing and comparison of link state information through the processing and comparison of link-state information
received from different peers. By comparing the link information received from different peers. By comparing the link information
from multiple sources decisions can be made by a routing node or from multiple sources, decisions can be made by a routing node or
external entity with regard to routing information validity; see external entity with regard to routing information validity; see
Chapter 2 of [Perlman1988] for a discussion on flooding attacks. Chapter 2 of [Perlman1988] for a discussion on flooding attacks.
For distance vector protocols, such as RPL, where information is For distance vector protocols, such as RPL, where information is
aggregated at each routing node it is not possible for nodes to aggregated at each routing node, it is not possible for nodes to
directly detect Byzantine information manipulation attacks from the directly detect Byzantine information manipulation attacks from the
routing information exchange. In such cases, the routing protocol routing information exchange. In such cases, the routing protocol
must include and support indirect communications exchanges between must include and support indirect communications exchanges between
non-adjacent routing peers to provide a secondary channel for non-adjacent routing peers to provide a secondary channel for
performing routing information validation. S-RIP [Wan2004] is an performing routing information validation. S-RIP [Wan2004] is an
example of the implementation of this type of dedicated routing example of the implementation of this type of dedicated routing
protocol security where the correctness of aggregate distance vector protocol security where the correctness of aggregate distance vector
information can only be validated by initiating confirmation information can only be validated by initiating confirmation
exchanges directly between nodes that are not routing neighbors. exchanges directly between nodes that are not routing neighbors.
RPL does not provide any direct mechanisms like S-RIP. It does RPL does not provide any direct mechanisms like S-RIP. It does
listen to multiple parents, and may switch parents if it begins to listen to multiple parents and may switch parents if it begins to
suspect that it is being lied to. suspect that it is being lied to.
7.3. Availability Attack Countermeasures 7.3. Availability Attack Countermeasures
As alluded to before, availability requires that routing information As alluded to before, availability requires that routing information
exchanges and forwarding mechanisms be available when needed so as to exchanges and forwarding mechanisms be available when needed so as to
guarantee proper functioning of the network. This may, e.g., include guarantee proper functioning of the network. This may, e.g., include
the correct operation of routing information and neighbor state the correct operation of routing information and neighbor state
information exchanges, among others. We will highlight the key information exchanges, among others. We will highlight the key
features of the security threats along with typical countermeasures features of the security threats along with typical countermeasures
to prevent or at least mitigate them. We will also note that an to prevent or at least mitigate them. We will also note that an
availability attack may be facilitated by an identity attack as well availability attack may be facilitated by an identity attack as well
as a replay attack, as was addressed in Section 7.2.3 and as a replay attack, as was addressed in Sections 7.2.3 and 7.2.4,
Section 7.2.4, respectively. respectively.
7.3.1. Countering HELLO Flood Attacks and ACK Spoofing Attacks 7.3.1. Countering HELLO Flood Attacks and ACK Spoofing Attacks
HELLO Flood [Karlof2003],[I-D.suhopark-hello-wsn] and ACK Spoofing HELLO Flood [Karlof2003], [HELLO], and ACK spoofing attacks are
attacks are different but highly related forms of attacking an LLN. different but highly related forms of attacking an LLN. They
They essentially lead nodes to believe that suitable routes are essentially lead nodes to believe that suitable routes are available
available even though they are not and hence constitute a serious even though they are not and hence constitute a serious availability
availability attack. attack.
A HELLO attack mounted against RPL would involve sending out (or A HELLO attack mounted against RPL would involve sending out (or
replaying) DIO messages by the attacker. Lower power LLN nodes might replaying) DODAG Information Object (DIO) messages by the attacker.
then attempt to join the DODAG at a lower rank than they would Lower-power LLN nodes might then attempt to join the DODAG at a lower
otherwise. rank than they would otherwise.
The most effective method from [I-D.suhopark-hello-wsn] is the verify The most effective method from [HELLO] is bidirectional verification.
bidirectionality. A number of layer-2 links are arranged in A number of L2 links are arranged in controller/spoke arrangements
controller/spoke arrangements, and continuously are validating and are continuously validating connectivity at layer 2.
connectivity at layer 2.
In addition, in order to calculate metrics, the ETX must be computed, In addition, in order to calculate metrics, the ETX must be computed,
and this involves, in general, sending a number of messages between and this involves, in general, sending a number of messages between
nodes which are believed to be adjacent. nodes that are believed to be adjacent. One such protocol is
[I-D.kelsey-intarea-mesh-link-establishment] is one such protocol. [MESH-LINK].
In order to join the DODAG, a DAO message is sent upwards. In RPL In order to join the DODAG, a Destination Advertisement Object (DAO)
the DAO is acknowledged by the DAO-ACK message. This clearly checks message is sent upwards. In RPL, the DAO is acknowledged by the
bidirectionality at the control plane. DAO-ACK message. This clearly checks bidirectionality at the control
plane.
As discussed in section 5.1, [I-D.suhopark-hello-wsn] a receiver with As discussed in Section 5.1 of [HELLO], a receiver with a sensitive
a sensitive receiver could well hear the DAOs, and even send DAO-ACKs receiver could well hear the DAOs and even send DAO-ACKs as well.
as well. Such a node is a form of wormhole attack. Such a node is a form of wormhole attack.
These attacks are also all easily defended against using either These attacks are also all easily defended against using either L2 or
layer-2 or layer-3 authentication. Such an attack could only be made L3 authentication. Such an attack could only be made against a
against a completely open network (such as might be used for completely open network (such as might be used for provisioning new
provisioning new nodes), or by a compromised node. nodes) or by a compromised node.
7.3.2. Countering Overload Attacks 7.3.2. Countering Overload Attacks
Overload attacks are a form of DoS attack in that a malicious node Overload attacks are a form of DoS attack in that a malicious node
overloads the network with irrelevant traffic, thereby draining the overloads the network with irrelevant traffic, thereby draining the
nodes' energy store more quickly, when the nodes rely on batteries or nodes' energy store more quickly when the nodes rely on batteries or
energy scavenging. It thus significantly shortens the lifetime of energy scavenging. Thus, it significantly shortens the lifetime of
networks of energy-constrained nodes and constitutes another serious networks of energy-constrained nodes and constitutes another serious
availability attack. availability attack.
With energy being one of the most precious assets of LLNs, targeting With energy being one of the most precious assets of LLNs, targeting
its availability is a fairly obvious attack. Another way of its availability is a fairly obvious attack. Another way of
depleting the energy of an LLN node is to have the malicious node depleting the energy of an LLN node is to have the malicious node
overload the network with irrelevant traffic. This impacts overload the network with irrelevant traffic. This impacts
availability since certain routes get congested which: availability since certain routes get congested, which:
o renders them useless for affected nodes and data can hence not be o renders them useless for affected nodes; hence, data cannot be
delivered; delivered;
o makes routes longer as shortest path algorithms work with the o makes routes longer as the shortest path algorithms work with the
congested network; congested network; and
o depletes battery and energy scavenging nodes more quickly and thus o depletes battery and energy scavenging nodes more quickly and thus
shortens the network's availability at large. shortens the network's availability at large.
Overload attacks can be countered by deploying a series of mutually Overload attacks can be countered by deploying a series of mutually
non-exclusive security measures: non-exclusive security measures that:
o introduce quotas on the traffic rate each node is allowed to send; o introduce quotas on the traffic rate each node is allowed to send;
o isolate nodes which send traffic above a certain threshold based o isolate nodes that send traffic above a certain threshold based on
on system operation characteristics; system operation characteristics; and
o allow only trusted data to be received and forwarded. o allow only trusted data to be received and forwarded.
As for the first one, a simple approach to minimize the harmful As for the first one, a simple approach to minimize the harmful
impact of an overload attack is to introduce traffic quotas. This impact of an overload attack is to introduce traffic quotas. This
prevents a malicious node from injecting a large amount of traffic prevents a malicious node from injecting a large amount of traffic
into the network, even though it does not prevent said node from into the network, even though it does not prevent the said node from
injecting irrelevant traffic at all. Another method is to isolate injecting irrelevant traffic at all. Another method is to isolate
nodes from the network at the network layer once it has been detected nodes from the network at the network layer once it has been detected
that more traffic is injected into the network than allowed by a that more traffic is injected into the network than allowed by a
prior set or dynamically adjusted threshold. Finally, if prior set or dynamically adjusted threshold. Finally, if
communication is sufficiently secured, only trusted nodes can receive communication is sufficiently secured, only trusted nodes can receive
and forward traffic which also lowers the risk of an overload attack. and forward traffic, which also lowers the risk of an overload
attack.
Receiving nodes that validate signatures and sending nodes that Receiving nodes that validate signatures and sending nodes that
encrypt messages need to be cautious of cryptographic processing encrypt messages need to be cautious of cryptographic processing
usage when validating signatures and encrypting messages. Where usage when validating signatures and encrypting messages. Where
feasible, certificates should be validated prior to use of the feasible, certificates should be validated prior to use of the
associated keys to counter potential resource overloading attacks. associated keys to counter potential resource overloading attacks.
The associated design decision needs to also consider that the The associated design decision needs to also consider that the
validation process requires resources and thus itself could be validation process requires resources; thus, it could be exploited
exploited for attacks. Alternatively, resource management limits can for attacks. Alternatively, resource management limits can be placed
be placed on routing security processing events (see the comment in on routing security processing events (see the comment in Section 6,
Section 6, paragraph 4, of [RFC5751]). paragraph 4, of [RFC5751]).
7.3.3. Countering Selective Forwarding Attacks 7.3.3. Countering Selective Forwarding Attacks
Selective forwarding attacks are a form of DoS attack which impacts Selective forwarding attacks are a form of DoS attack that impacts
the availability of the generated routing paths. the availability of the generated routing paths.
A selective forwarding attack may be done by a node involved with the A selective forwarding attack may be done by a node involved with the
routing process, or it may be done by what otherwise appears to be a routing process, or it may be done by what otherwise appears to be a
passive antenna or other RF feature or device, but is in fact an passive antenna or other RF feature or device, but is in fact an
active (and selective) device. An RF antenna/repeater which is not active (and selective) device. An RF antenna/repeater that is not
selective, is not a threat. selective is not a threat.
An insider malicious node basically blends neatly in with the network An insider malicious node basically blends in neatly with the network
but then may decide to forward and/or manipulate certain packets. If but then may decide to forward and/or manipulate certain packets. If
all packets are dropped, then this attacker is also often referred to all packets are dropped, then this attacker is also often referred to
as a "black hole". Such a form of attack is particularly dangerous as a "black hole". Such a form of attack is particularly dangerous
if coupled with sinkhole attacks since inherently a large amount of if coupled with sinkhole attacks since inherently a large amount of
traffic is attracted to the malicious node and thereby causing traffic is attracted to the malicious node, thereby causing
significant damage. In a shared medium, an outside malicious node significant damage. In a shared medium, an outside malicious node
would selectively jam overheard data flows, where the thus caused would selectively jam overheard data flows, where the thus caused
collisions incur selective forwarding. collisions incur selective forwarding.
Selective Forwarding attacks can be countered by deploying a series Selective forwarding attacks can be countered by deploying a series
of mutually non-exclusive security measures: of mutually non-exclusive security measures:
o multipath routing of the same message over disjoint paths; o Multipath routing of the same message over disjoint paths.
o dynamically selecting the next hop from a set of candidates. o Dynamically selecting the next hop from a set of candidates.
The first measure basically guarantees that if a message gets lost on The first measure basically guarantees that if a message gets lost on
a particular routing path due to a malicious selective forwarding a particular routing path due to a malicious selective forwarding
attack, there will be another route which successfully delivers the attack, there will be another route that successfully delivers the
data. Such a method is inherently suboptimal from an energy data. Such a method is inherently suboptimal from an energy
consumption point of view; it is also suboptimal from a network consumption point of view; it is also suboptimal from a network
utilization perspective. The second method basically involves a utilization perspective. The second method basically involves a
constantly changing routing topology in that next-hop routers are constantly changing routing topology in that next-hop routers are
chosen from a dynamic set in the hope that the number of malicious chosen from a dynamic set in the hope that the number of malicious
nodes in this set is negligible. A routing protocol that allows for nodes in this set is negligible. A routing protocol that allows for
disjoint routing paths may also be useful. disjoint routing paths may also be useful.
7.3.4. Countering Sinkhole Attacks 7.3.4. Countering Sinkhole Attacks
In sinkhole attacks, the malicious node manages to attract a lot of In sinkhole attacks, the malicious node manages to attract a lot of
traffic mainly by advertising the availability of high-quality links traffic mainly by advertising the availability of high-quality links
even though there are none [Karlof2003]. It hence constitutes a even though there are none [Karlof2003]. Hence, it constitutes a
serious attack on availability. serious attack on availability.
The malicious node creates a sinkhole by attracting a large amount The malicious node creates a sinkhole by attracting a large amount
of, if not all, traffic from surrounding neighbors by advertising in of, if not all, traffic from surrounding neighbors by advertising in
and outwards links of superior quality. Affected nodes hence eagerly and outwards links of superior quality. Hence, affected nodes
route their traffic via the malicious node which, if coupled with eagerly route their traffic via the malicious node that, if coupled
other attacks such as selective forwarding, may lead to serious with other attacks such as selective forwarding, may lead to serious
availability and security breaches. Such an attack can only be availability and security breaches. Such an attack can only be
executed by an inside malicious node and is generally very difficult executed by an inside malicious node and is generally very difficult
to detect. An ongoing attack has a profound impact on the network to detect. An ongoing attack has a profound impact on the network
topology and essentially becomes a problem of flow control. topology and essentially becomes a problem of flow control.
Sinkhole attacks can be countered by deploying a series of mutually Sinkhole attacks can be countered by deploying a series of mutually
non-exclusive security measures: non-exclusive security measures to:
o use geographical insights for flow control; o use geographical insights for flow control;
o isolate nodes which receive traffic above a certain threshold; o isolate nodes that receive traffic above a certain threshold;
o dynamically pick up next hop from set of candidates; o dynamically pick up the next hop from a set of candidates; and
o allow only trusted data to be received and forwarded. o allow only trusted data to be received and forwarded.
A canary node could periodically call home (using a cryptographic A canary node could periodically call home (using a cryptographic
process), with the home system noting if it fails to call in. This process) with the home system, noting if it fails to call in. This
provides detection of a problem, but does not mitigate it, and it may provides detection of a problem, but does not mitigate it, and it may
have significant energy consequences for the LLN. have significant energy consequences for the LLN.
Some LLNs may provide for geolocation services, often derived from Some LLNs may provide for geolocation services, often derived from
solving triangulation equations from radio delay calculations, such solving triangulation equations from radio delay calculation; such
calculations could in theory be subverted by a sinkhole that calculations could in theory be subverted by a sinkhole that
transmitted at precisely the right power in a node to node fashion. transmitted at precisely the right power in a node-to-node fashion.
While geographic knowledge could help assure that traffic always went While geographic knowledge could help assure that traffic always goes
in the physical direction desired, it would not assure that the in the physical direction desired, it would not assure that the
traffic was taking the most efficient route, as the lowest cost real traffic is taking the most efficient route, as the lowest cost real
route might be match the physical topology; such as when different route might match the physical topology, such as when different parts
parts of an LLN are connected by high-speed wired networks. of an LLN are connected by high-speed wired networks.
7.3.5. Countering Wormhole Attacks 7.3.5. Countering Wormhole Attacks
In wormhole attacks at least two malicious nodes claim to have a In wormhole attacks, at least two malicious nodes claim to have a
short path between themselves [Karlof2003]. This changes the short path between themselves [Karlof2003]. This changes the
availability of certain routing paths and hence constitutes a serious availability of certain routing paths and hence constitutes a serious
security breach. security breach.
Essentially, two malicious insider nodes use another, more powerful, Essentially, two malicious insider nodes use another, more powerful,
transmitter to communicate with each other and thereby distort the transmitter to communicate with each other and thereby distort the
would-be-agreed routing path. This distortion could involve would-be-agreed routing path. This distortion could involve
shortcutting and hence paralyzing a large part of the network; it shortcutting and hence paralyzing a large part of the network; it
could also involve tunneling the information to another region of the could also involve tunneling the information to another region of the
network where there are, e.g., more malicious nodes available to aid network where there are, e.g., more malicious nodes available to aid
the intrusion or where messages are replayed, etc. the intrusion or where messages are replayed, etc.
In conjunction with selective forwarding, wormhole attacks can create In conjunction with selective forwarding, wormhole attacks can create
race conditions which impact topology maintenance, routing protocols race conditions that impact topology maintenance and routing
as well as any security suits built on "time of check" and "time of protocols as well as any security suits built on "time of check" and
use". "time of use".
A pure wormhole attack is nearly impossible to detect. A wormhole A pure wormhole attack is nearly impossible to detect. A wormhole
which is used in order to subsequently mount another kind of attack that is used in order to subsequently mount another kind of attack
would be defeated by defeating the other attack. A perfect wormhole, would be defeated by defeating the other attack. A perfect wormhole,
in which there is nothing adverse that occurs to the traffic, would in which there is nothing adverse that occurs to the traffic, would
be difficult to call an attack. The worst thing that a benign be difficult to call an attack. The worst thing that a benign
wormhole can do in such a situation is to cease to operate (become wormhole can do in such a situation is to cease to operate (become
unstable), causing the network to have to recalculate routes. unstable), causing the network to have to recalculate routes.
A highly unstable wormhole is no different than a radio opaque (i.e. A highly unstable wormhole is no different than a radio opaque (i.e.,
metal) door that opens and closes a lot. RPL includes hysteresis in metal) door that opens and closes a lot. RPL includes hysteresis in
its objective functions [RFC6719] in an attempt to deal with frequent its objective functions [RFC6719] in an attempt to deal with frequent
changes to the ETX between nodes. changes to the ETX between nodes.
8. RPL Security Features 8. RPL Security Features
The assessments and analysis in Section 6 examined all areas of The assessments and analysis in Section 6 examined all areas of
threats and attacks that could impact routing, and the threats and attacks that could impact routing, and the
countermeasures presented in Section 7 were reached without confining countermeasures presented in Section 7 were reached without confining
the consideration to means only available to routing. This section the consideration to means only available to routing. This section
puts the results into perspective; dealing with those threats which puts the results into perspective, dealing with those threats that
are endemic to this field, those which have been mitigated through are endemic to this field, that have been mitigated through RPL
RPL protocol design, and those which require specific decisions to be protocol design, and that require specific decisions to be made as
made as part of provisioning a network. part of provisioning a network.
The first part of this section, Section 8.1 to Section 8.3, is a The first part of this section, Sections 8.1 to 8.3, presents a
description of RPL security features that address specific threats. description of RPL security features that address specific threats.
The second part of this section, Section 8.4, discusses issues of The second part of this section, Section 8.4, discusses issues of the
provisioning of security aspects that may impact routing but that provisioning of security aspects that may impact routing but that
also require considerations beyond the routing protocol, as well as also require considerations beyond the routing protocol, as well as
potential approaches. potential approaches.
RPL employs multicast and so these alternative communications modes RPL employs multicast, so these alternative communications modes MUST
MUST be secured with the same routing security services specified in be secured with the same routing security services specified in this
this section. Furthermore, irrespective of the modes of section. Furthermore, irrespective of the modes of communication,
communication, nodes MUST provide adequate physical tamper resistance nodes MUST provide adequate physical tamper resistance commensurate
commensurate with the particular application domain environment to with the particular application-domain environment to ensure the
ensure the confidentiality, integrity, and availability of stored confidentiality, integrity, and availability of stored routing
routing information. information.
8.1. Confidentiality Features 8.1. Confidentiality Features
With regard to confidentiality, protecting the routing/topology With regard to confidentiality, protecting the routing/topology
information from unauthorized disclosure is not directly essential to information from unauthorized disclosure is not directly essential to
maintaining the routing function. Breaches of confidentiality may maintaining the routing function. Breaches of confidentiality may
lead to other attacks or the focusing of an attacker's resources (see lead to other attacks or the focusing of an attacker's resources (see
Section 6.2) but does not of itself directly undermine the operation Section 6.2) but does not of itself directly undermine the operation
of the routing function. However, to protect against, and reduce of the routing function. However, to protect against and reduce
consequences from other more direct attacks, routing information consequences from other more direct attacks, routing information
should be protected. Thus, to secure RPL: should be protected. Thus, to secure RPL:
o implement payload encryption using layer-3 mechanisms described in o Implement payload encryption using L3 mechanisms described in
[RFC6550]; [RFC6550] or
o or: implement layer-2 confidentiality; o Implement L2 confidentiality
Where confidentiality is incorporated into the routing exchanges, Where confidentiality is incorporated into the routing exchanges,
encryption algorithms and key lengths need to be specified in encryption algorithms and key lengths need to be specified in
accordance with the level of protection dictated by the routing accordance with the level of protection dictated by the routing
protocol and the associated application domain transport network. protocol and the associated application-domain transport network.
For most networks, this means use of AES128 in CCM mode, but this For most networks, this means use of AES-128 in CCM mode, but this
needs to be specified clearly in the applicability statement. needs to be specified clearly in the applicability statement.
In terms of the life time of the keys, the opportunity to In terms of the lifetime of the keys, the opportunity to periodically
periodically change the encryption key increases the offered level of change the encryption key increases the offered level of security for
security for any given implementation. However, where strong any given implementation. However, where strong cryptography is
cryptography is employed, physical, procedural, and logical data employed, physical, procedural, and logical data access protection
access protection considerations may have more significant impact on considerations may have a more significant impact on cryptoperiod
cryptoperiod selection than algorithm and key size factors. selection than algorithm and key size factors. Nevertheless, in
Nevertheless, in general, shorter cryptoperiods, during which a general, shorter cryptoperiods, during which a single key is applied,
single key is applied, will enhance security. will enhance security.
Given the mandatory protocol requirement to implement routing node Given the mandatory protocol requirement to implement routing node
authentication as part of routing integrity (see Section 8.2), key authentication as part of routing integrity (see Section 8.2), key
exchanges may be coordinated as part of the integrity verification exchanges may be coordinated as part of the integrity verification
process. This provides an opportunity to increase the frequency of process. This provides an opportunity to increase the frequency of
key exchange and shorten the cryptoperiod as a complement to the key key exchange and shorten the cryptoperiod as a complement to the key
length and encryption algorithm required for a given application length and encryption algorithm required for a given application
domain. domain.
8.2. Integrity Features 8.2. Integrity Features
The integrity of routing information provides the basis for ensuring The integrity of routing information provides the basis for ensuring
that the function of the routing protocol is achieved and maintained. that the function of the routing protocol is achieved and maintained.
To protect integrity, RPL must either run using only the Secure To protect integrity, RPL must run either using only the secure
versions of the messages, or must run over a layer-2 that uses versions of the messages or over a L2 that uses channel binding
channel binding between node identity and transmissions. between node identity and transmissions.
Some layer-2 security mechanisms use a single key for the entire Some L2 security mechanisms use a single key for the entire network,
network, and these networks can not provide significant amount of and these networks cannot provide a significant amount of integrity
integrity protection, as any node that has that key may impersonate protection, as any node that has that key may impersonate any other
any other node. This mode of operation is likely acceptable when an node. This mode of operation is likely acceptable when an entire
entire deployment is under the control of a single administrative deployment is under the control of a single administrative entity.
entity.
Other layer-2 security mechanisms form a unique session key for every Other L2 security mechanisms form a unique session key for every pair
pair of nodes that needs to communicate; this is often called a per- of nodes that needs to communicate; this is often called a per-link
link key. Such networks can provide a strong degree of origin key. Such networks can provide a strong degree of origin
authentication and integrity on unicast messages. authentication and integrity on unicast messages.
However, some RPL messages are broadcast, and even when per-node However, some RPL messages are broadcast, and even when per-node L2
layer-2 security mechanisms are used, the integrity and origin security mechanisms are used, the integrity and origin authentication
authentication of broadcast messages can not be as trusted due to the of broadcast messages cannot be as trusted due to the proliferation
proliferation of the key used to secure them. of the key used to secure them.
RPL has two specific options which are broadcast in RPL Control RPL has two specific options that are broadcast in RPL Control
Messages: the DODAG Information Object (DIO), and the DODAG Messages: the DIO and the DODAG Information Solicitation (DIS). The
Information Solicitation (DIS). The purpose of the DIS is to cause purpose of the DIS is to cause potential parents to reply with a DIO,
potential parents to reply with a DIO, so the integrity of the DIS is so the integrity of the DIS is not of great concern. The DIS may
not of great concern. The DIS may also be unicast. also be unicast.
The DIO is a critical piece of routing and carries many critical The DIO is a critical piece of routing and carries many critical
parameters. RPL provides for asymmetric authentication at layer 3 of parameters. RPL provides for asymmetric authentication at L3 of the
the RPL Control Message carrying the DIO and this may be warranted in RPL Control Message carrying the DIO, and this may be warranted in
some deployments. A node could, if it felt that the DIO that it had some deployments. A node could, if it felt that the DIO that it had
received was suspicious, send a unicast DIS message to the node in received was suspicious, send a unicast DIS message to the node in
question, and that node would reply with a unicast DIS. Those question, and that node would reply with a unicast DIS. Those
messages could be protected with the per-link key. messages could be protected with the per-link key.
8.3. Availability Features 8.3. Availability Features
Availability of routing information is linked to system and network Availability of routing information is linked to system and network
availability which in the case of LLNs require a broader security availability, which in the case of LLNs require a broader security
view beyond the requirements of the routing entities. Where view beyond the requirements of the routing entities. Where
availability of the network is compromised, routing information availability of the network is compromised, routing information
availability will be accordingly affected. However, to specifically availability will be accordingly affected. However, to specifically
assist in protecting routing availability, nodes: assist in protecting routing availability, nodes MAY:
o MAY restrict neighborhood cardinality;
o MAY use multiple paths; o restrict neighborhood cardinality;
o MAY use multiple destinations; o use multiple paths;
o MAY choose randomly if multiple paths are available; o use multiple destinations;
o MAY set quotas to limit transmit or receive volume; o choose randomly if multiple paths are available;
o MAY use geographic information for flow control. o set quotas to limit transmit or receive volume; and
o use geographic information for flow control.
8.4. Key Management 8.4. Key Management
The functioning of the routing security services requires keys and The functioning of the routing security services requires keys and
credentials. Therefore, even though not directly a RPL security credentials. Therefore, even though it's not directly an RPL
requirement, an LLN MUST have a process for initial key and security requirement, an LLN MUST have a process for initial key and
credential configuration, as well as secure storage within the credential configuration, as well as secure storage within the
associated devices. Anti-tampering SHOULD be a consideration in associated devices. Anti-tampering SHOULD be a consideration in
physical design. Beyond initial credential configuration, an LLN is physical design. Beyond initial credential configuration, an LLN is
also encouraged to have automatic procedures for the revocation and also encouraged to have automatic procedures for the revocation and
replacement of the maintained security credentials. replacement of the maintained security credentials.
While RPL has secure modes, but some modes are impractical without While RPL has secure modes, some modes are impractical without the
use of public key cryptography believed to be too expensive by many. use of public key cryptography, which is believed to be too expensive
RPL layer-3 security will often depend upon existing LLN layer-2 by many. RPL L3 security will often depend upon existing LLN L2
security mechanisms, which provides for node authentication, but security mechanisms, which provide for node authentication but little
little in the way of node authorization. in the way of node authorization.
9. IANA Considerations
This memo includes no request to IANA.
10. Security Considerations 9. Security Considerations
The analysis presented in this document provides security analysis The analysis presented in this document provides security analysis
and design guidelines with a scope limited to RPL. Security services and design guidelines with a scope limited to RPL. Security services
are identified as requirements for securing RPL. The specific are identified as requirements for securing RPL. The specific
mechanisms to be used to deal with each threat is specified in link- mechanisms to be used to deal with each threat is specified in link-
layer and deployment specific applicability statements. Land deployment-specific applicability statements.
11. Acknowledgments
The authors would like to acknowledge the review and comments from
Rene Struik and JP Vasseur. The authors would also like to
acknowledge the guidance and input provided by the RPL Chairs, David
Culler, and JP Vasseur, and the Area Director Adrian Farrel.
This document started out as a combined threat and solutions
document. As a result of a series of security reviews performed by
Steve Kent, the document was split up by RPL co-Chair Michael
Richardson and security Area Director Sean Turner as it went through
the IETF publication process. The solutions to the threats are
application and layer-2 specific, and have therefore been moved to
the relevant applicability statements.
Ines Robles and Robert Cragie kept track of the many issues that were
raised during the development of this document
12. References 10. References
12.1. Normative References 10.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
[RFC4107] Bellovin, S. and R. Housley, "Guidelines for Cryptographic [RFC4107] Bellovin, S. and R. Housley, "Guidelines for Cryptographic
Key Management", BCP 107, RFC 4107, June 2005. Key Management", BCP 107, RFC 4107, June 2005,
<http://www.rfc-editor.org/info/rfc4107>.
[RFC6550] Winter, T., Thubert, P., Brandt, A., Hui, J., Kelsey, R., [RFC6550] Winter, T., Thubert, P., Brandt, A., Hui, J., Kelsey, R.,
Levis, P., Pister, K., Struik, R., Vasseur, JP., and R. Levis, P., Pister, K., Struik, R., Vasseur, JP., and R.
Alexander, "RPL: IPv6 Routing Protocol for Low-Power and Alexander, "RPL: IPv6 Routing Protocol for Low-Power and
Lossy Networks", RFC 6550, March 2012. Lossy Networks", RFC 6550, March 2012,
<http://www.rfc-editor.org/info/rfc6550>.
[RFC6719] Gnawali, O. and P. Levis, "The Minimum Rank with [RFC6719] Gnawali, O. and P. Levis, "The Minimum Rank with
Hysteresis Objective Function", RFC 6719, September 2012. Hysteresis Objective Function", RFC 6719, September 2012,
<http://www.rfc-editor.org/info/rfc6719>.
[RFC7102] Vasseur, JP., "Terms Used in Routing for Low-Power and [RFC7102] Vasseur, JP., "Terms Used in Routing for Low-Power and
Lossy Networks", RFC 7102, January 2014. Lossy Networks", RFC 7102, January 2014,
<http://www.rfc-editor.org/info/rfc7102>.
[ZigBeeIP] [ZigBeeIP] ZigBee Alliance, "ZigBee IP Specification", Public
ZigBee Public Document 15-002r00, "ZigBee IP Document 15-002r00, March 2013.
Specification", 2013.
12.2. Informative References 10.2. Informative References
[AceCharterProposal] [AceCharterProposal]
Li, Kepeng., Ed., "Authentication and Authorization for Li, Kepeng., Ed., "Draft Charter V0.9c - Authentication
Constrained Environment Charter (work-in-progress)", and Authorization for Constrained Environment Charter",
December 2013, <http://trac.tools.ietf.org/wg/core/trac/ Work in Progress, December 2013,
wiki/ACE_charter>. <http://trac.tools.ietf.org/wg/core/trac/wiki/
ACE_charter>.
[I-D.gilger-smart-object-security-workshop]
Gilger, J. and H. Tschofenig, "Report from the 'Smart
Object Security Workshop', March 23, 2012, Paris, France",
draft-gilger-smart-object-security-workshop-02 (work in
progress), October 2013.
[I-D.kelsey-intarea-mesh-link-establishment]
Kelsey, R., "Mesh Link Establishment", draft-kelsey-
intarea-mesh-link-establishment-05 (work in progress),
February 2013.
[I-D.suhopark-hello-wsn] [HELLO] Park, S., "Routing Security in Sensor Network: HELLO Flood
Park, S., "Routing Security in Sensor Network: HELLO Flood Attack and Defense", Work in Progress, draft-suhopark-
Attack and Defense", draft-suhopark-hello-wsn-00 (work in hello-wsn-00, December 2005.
progress), December 2005.
[IEEE.802.11] [IEEE.802.11]
, "Draft Standard for Information Technology - IEEE, "IEEE Standard for Information Technology -
Telecommunications and information exchange between Telecommunications and information exchange between
systems - Local and metropolitan area networks Specific systems - Local and metropolitan area networks - Specific
requirements - Part 11: Wireless LAN Medium Access Control requirements Part 11: Wireless LAN Medium Access Control
(MAC) and Physical Layer (PHY) specifications ", IEEE (MAC) and Physical Layer (PHY) Specifications", IEEE Std
802.11-REVma, 2006. 802.11-2012, March 2012,
<http://standards.ieee.org/about/get/802/802.11.html>.
[IEEE.802.15.4] [IEEE.802.15.4]
, "Information technology - Telecommunications and IEEE, "IEEE Standard for Local and metropolitan area
information exchange between systems - Local and networks - Specific requirements - Part 15.4: Low-Rate
metropolitan area networks - Specific requirements - Part Wireless Personal Area Networks (LR-WPANs)", IEEE Std
15.4: Wireless Medium Access Control (MAC) and Physical 802.15.4-2011, September 2011,
Layer (PHY) Specifications for Low Rate Wireless Personal <http://standards.ieee.org/getieee802/802.15.html>.
Area Networks (LR-WPANs) ", IEEE Std 802.15.4-2006, June
2006, <http://standards.ieee.org/getieee802/802.15.html>.
[ISO.7498-2.1988] [ISO.7498-2.1989]
International Organization for Standardization, International Organization for Standardization,
"Information Processing Systems - Open Systems "Information processing systems - Open Systems
Interconnection Reference Model - Security Architecture", Interconnection -- Basic Reference Model - Part 2:
ISO Standard 7498-2, 1988. Security Architecture", ISO Standard 7498-2, 1989.
[Karlof2003] [Karlof2003]
Karlof, C. and D. Wagner, "Secure routing in wireless Karlof, C. and D. Wagner, "Secure Routing in Wireless
sensor networks: attacks and countermeasures", Elsevier Sensor Networks: Attacks and Countermeasures", Elsevier Ad
AdHoc Networks Journal, Special Issue on Sensor Network Hoc Networks Journal, Special Issue on Sensor Network
Applications and Protocols, 1(2):293-315, September 2003, Applications and Protocols, 1(2):293-315, September 2003,
<http://nest.cs.berkeley.edu/papers/sensor-route- <http://nest.cs.berkeley.edu/papers/
security.pdf>. sensor-route-security.pdf>.
[MESH-LINK]
Kelsey, R., "Mesh Link Establishment", Work in Progress,
draft-kelsey-intarea-mesh-link-establishment-06, May 2014.
[Myagmar2005] [Myagmar2005]
Myagmar, S., Lee, AJ., and W. Yurcik, "Threat Modeling as Myagmar, S., Lee, AJ., and W. Yurcik, "Threat Modeling as
a Basis for Security Requirements", in Proceedings of the a Basis for Security Requirements", in Proceedings of the
Symposium on Requirements Engineering for Information Symposium on Requirements Engineering for Information
Security (SREIS'05), Paris, France, pp. 94-102, Aug 29, Security (SREIS'05), Paris, France pp. 94-102, August
2005. 2005.
[Perlman1988] [Perlman1988]
Perlman, N., "Network Layer Protocols with Byzantine Perlman, R., "Network Layer Protocols with Byzantine
Robustness", MIT LCS Tech Report, 429, 1988. Robustness", MIT LCS Tech Report, 429, August 1988.
[RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998. [RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998,
<http://www.rfc-editor.org/info/rfc2328>.
[RFC3067] Arvidsson, J., Cormack, A., Demchenko, Y., and J. Meijer,
"TERENA'S Incident Object Description and Exchange Format
Requirements", RFC 3067, February 2001,
<http://www.rfc-editor.org/info/rfc3067>.
[RFC3610] Whiting, D., Housley, R., and N. Ferguson, "Counter with [RFC3610] Whiting, D., Housley, R., and N. Ferguson, "Counter with
CBC-MAC (CCM)", RFC 3610, September 2003. CBC-MAC (CCM)", RFC 3610, September 2003,
<http://www.rfc-editor.org/info/rfc3610>.
[RFC4593] Barbir, A., Murphy, S., and Y. Yang, "Generic Threats to [RFC4593] Barbir, A., Murphy, S., and Y. Yang, "Generic Threats to
Routing Protocols", RFC 4593, October 2006. Routing Protocols", RFC 4593, October 2006,
<http://www.rfc-editor.org/info/rfc4593>.
[RFC4732] Handley, M., Rescorla, E., IAB, "Internet Denial-of- [RFC4732] Handley, M., Rescorla, E., and IAB, "Internet Denial-of-
Service Considerations", RFC 4732, December 2006. Service Considerations", RFC 4732, December 2006,
<http://www.rfc-editor.org/info/rfc4732>.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC
4949, August 2007. 4949, August 2007,
<http://www.rfc-editor.org/info/rfc4949>.
[RFC5191] Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H., and A. [RFC5191] Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H., and A.
Yegin, "Protocol for Carrying Authentication for Network Yegin, "Protocol for Carrying Authentication for Network
Access (PANA)", RFC 5191, May 2008. Access (PANA)", RFC 5191, May 2008,
<http://www.rfc-editor.org/info/rfc5191>.
[RFC5216] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS [RFC5216] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS
Authentication Protocol", RFC 5216, March 2008. Authentication Protocol", RFC 5216, March 2008,
<http://www.rfc-editor.org/info/rfc5216>.
[RFC5548] Dohler, M., Watteyne, T., Winter, T., and D. Barthel, [RFC5548] Dohler, M., Watteyne, T., Winter, T., and D. Barthel,
"Routing Requirements for Urban Low-Power and Lossy "Routing Requirements for Urban Low-Power and Lossy
Networks", RFC 5548, May 2009. Networks", RFC 5548, May 2009,
<http://www.rfc-editor.org/info/rfc5548>.
[RFC5673] Pister, K., Thubert, P., Dwars, S., and T. Phinney, [RFC5673] Pister, K., Thubert, P., Dwars, S., and T. Phinney,
"Industrial Routing Requirements in Low-Power and Lossy "Industrial Routing Requirements in Low-Power and Lossy
Networks", RFC 5673, October 2009. Networks", RFC 5673, October 2009,
<http://www.rfc-editor.org/info/rfc5673>.
[RFC5751] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet [RFC5751] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet
Mail Extensions (S/MIME) Version 3.2 Message Mail Extensions (S/MIME) Version 3.2 Message
Specification", RFC 5751, January 2010. Specification", RFC 5751, January 2010,
<http://www.rfc-editor.org/info/rfc5751>.
[RFC5826] Brandt, A., Buron, J., and G. Porcu, "Home Automation [RFC5826] Brandt, A., Buron, J., and G. Porcu, "Home Automation
Routing Requirements in Low-Power and Lossy Networks", RFC Routing Requirements in Low-Power and Lossy Networks", RFC
5826, April 2010. 5826, April 2010,
<http://www.rfc-editor.org/info/rfc5826>.
[RFC5867] Martocci, J., De Mil, P., Riou, N., and W. Vermeylen, [RFC5867] Martocci, J., De Mil, P., Riou, N., and W. Vermeylen,
"Building Automation Routing Requirements in Low-Power and "Building Automation Routing Requirements in Low-Power and
Lossy Networks", RFC 5867, June 2010. Lossy Networks", RFC 5867, June 2010,
<http://www.rfc-editor.org/info/rfc5867>.
[RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the [RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the
Router Control Plane", RFC 6192, March 2011. Router Control Plane", RFC 6192, March 2011,
<http://www.rfc-editor.org/info/rfc6192>.
[RFC6574] Tschofenig, H. and J. Arkko, "Report from the Smart Object [RFC6574] Tschofenig, H. and J. Arkko, "Report from the Smart Object
Workshop", RFC 6574, April 2012. Workshop", RFC 6574, April 2012,
<http://www.rfc-editor.org/info/rfc6574>.
[RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure, [RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure,
"TCP Extensions for Multipath Operation with Multiple "TCP Extensions for Multipath Operation with Multiple
Addresses", RFC 6824, January 2013. Addresses", RFC 6824, January 2013,
<http://www.rfc-editor.org/info/rfc6824>.
[RFC7142] Shand, M. and L. Ginsberg, "Reclassification of RFC 1142 [RFC7142] Shand, M. and L. Ginsberg, "Reclassification of RFC 1142
to Historic", RFC 7142, February 2014. to Historic", RFC 7142, February 2014,
<http://www.rfc-editor.org/info/rfc7142>.
[RFC7397] Gilger, J. and H. Tschofenig, "Report from the Smart
Object Security Workshop", RFC 7397, November 2014,
<http://www.rfc-editor.org/info/rfc7397>.
[SmartObjectSecurityWorkshop] [SmartObjectSecurityWorkshop]
Klausen, T., Ed., "Workshop on Smart Object Security", Klausen, T., Ed., "Workshop on Smart Object Security",
March 2012, <http://www.lix.polytechnique.fr/hipercom/ March 2012, <http://www.lix.polytechnique.fr/hipercom/
SmartObjectSecurity>. SmartObjectSecurity>.
[SolaceProposal] [SolaceProposal]
Bormann, C., Ed., "Notes from the SOLACE ad-hoc at IETF85 Bormann, C., Ed., "Notes from the SOLACE ad hoc at IETF
(work-in-progress)", November 2012, <http://www.ietf.org/ 85", November 2012, <http://www.ietf.org/
mail-archive/web/solace/current/msg00015.html>. mail-archive/web/solace/current/msg00015.html>.
[Sybil2002] [Sybil2002]
Douceur, J., "The Sybil Attack", First International Douceur, J., "The Sybil Attack", First International
Workshop on Peer-to-Peer Systems , March 2002. Workshop on Peer-to-Peer Systems, March 2002.
[Wan2004] Wan, T., Kranakis, E., and PC. van Oorschot, "S-RIP: A [Wan2004] Wan, T., Kranakis, E., and PC. van Oorschot, "S-RIP: A
Secure Distance Vector Routing Protocol", in Proceedings Secure Distance Vector Routing Protocol", in Proceedings
of the 2nd International Conference on Applied of the 2nd International Conference on Applied
Cryptography and Network Security, Yellow Mountain, China, Cryptography and Network Security, pp. 103-119, June 2004.
pp. 103-119, Jun. 8-11 2004.
[Yourdon1979] [Yourdon1979]
Yourdon, E. and L. Constantine, "Structured Design", Yourdon, E. and L. Constantine, "Structured Design:
Yourdon Press, New York, Chapter 10, pp. 187-222, 1979. Fundamentals of a Discipline of Computer Program and
Systems Design", Yourdon Press, New York, Chapter 10, pp.
187-222, 1979.
Acknowledgments
The authors would like to acknowledge the review and comments from
Rene Struik and JP Vasseur. The authors would also like to
acknowledge the guidance and input provided by the ROLL Chairs, David
Culler and JP Vasseur, and Area Director Adrian Farrel.
This document started out as a combined threat and solutions
document. As a result of a series of security reviews performed by
Steve Kent, the document was split up by ROLL Co-Chair Michael
Richardson and Security Area Director Sean Turner as it went through
the IETF publication process. The solutions to the threats are
application and L2 specific and have, therefore, been moved to the
relevant applicability statements.
Ines Robles and Robert Cragie kept track of the many issues that were
raised during the development of this document.
Authors' Addresses Authors' Addresses
Tzeta Tsao Tzeta Tsao
Cooper Power Systems Eaton's Cooper Power Systems Business
910 Clopper Rd. Suite 201S 910 Clopper Rd., Suite 201S
Gaithersburg, Maryland 20878 Gaithersburg, Maryland 20878
USA United States
EMail: tzetatsao@eaton.com
Email: tzeta.tsao@cooperindustries.com
Roger K. Alexander Roger K. Alexander
Cooper Power Systems Eaton's Cooper Power Systems Business
910 Clopper Rd. Suite 201S 910 Clopper Rd., Suite 201S
Gaithersburg, Maryland 20878 Gaithersburg, Maryland 20878
USA United States
EMail: rogeralexander@eaton.com
Email: roger.alexander@cooperindustries.com
Mischa Dohler Mischa Dohler
CTTC CTTC
Parc Mediterrani de la Tecnologia, Av. Canal Olimpic S/N Parc Mediterrani de la Tecnologia, Av. Canal Olimpic S/N
Castelldefels, Barcelona 08860 Castelldefels, Barcelona 08860
Spain Spain
EMail: mischa.dohler@kcl.ac.uk
Email: mischa.dohler@cttc.es
Vanesa Daza Vanesa Daza
Universitat Pompeu Fabra Universitat Pompeu Fabra
P/ Circumval.lacio 8, Oficina 308 P/ Circumval.lacio 8, Oficina 308
Barcelona 08003 Barcelona 08003
Spain Spain
EMail: vanesa.daza@upf.edu
Email: vanesa.daza@upf.edu
Angel Lozano Angel Lozano
Universitat Pompeu Fabra Universitat Pompeu Fabra
P/ Circumval.lacio 8, Oficina 309 P/ Circumval.lacio 8, Oficina 309
Barcelona 08003 Barcelona 08003
Spain Spain
EMail: angel.lozano@upf.edu
Email: angel.lozano@upf.edu Michael Richardson (editor)
Michael Richardson (ed) (editor)
Sandelman Software Works Sandelman Software Works
470 Dawson Avenue 470 Dawson Avenue
Ottawa, ON K1Z5V7 Ottawa, ON K1Z5V7
Canada Canada
EMail: mcr+ietf@sandelman.ca
Email: mcr+ietf@sandelman.ca
 End of changes. 294 change blocks. 
667 lines changed or deleted 683 lines changed or added

This html diff was produced by rfcdiff 1.41. The latest version is available from http://tools.ietf.org/tools/rfcdiff/