tech-invite   World Map     

IETF     RFCs     Groups     SIP     ABNFs    |    3GPP     Specs     Gloss.     Arch.     IMS     UICC    |    Misc.    |    search     info

RFC 7416

Informational
Pages: 40
Top     in Index     Prev     Next
in Group Index     Prev in Group     Next in Group     Group: ROLL

A Security Threat Analysis for the Routing Protocol for Low-Power and Lossy Networks (RPLs)

Part 1 of 2, p. 1 to 20
None       Next RFC Part

 


Top       ToC       Page 1 
Internet Engineering Task Force (IETF)                           T. Tsao
Request for Comments: 7416                                  R. Alexander
Category: Informational            Eaton's Cooper Power Systems Business
ISSN: 2070-1721                                                M. Dohler
                                                                    CTTC
                                                                 V. Daza
                                                               A. Lozano
                                                Universitat Pompeu Fabra
                                                      M. Richardson, Ed.
                                                Sandelman Software Works
                                                            January 2015


                     A Security Threat Analysis for
      the Routing Protocol for Low-Power and Lossy Networks (RPLs)

Abstract

   This document presents a security threat analysis for the Routing
   Protocol for Low-Power and Lossy Networks (RPLs).  The development
   builds upon previous work on routing security and adapts the
   assessments to the issues and constraints specific to low-power and
   lossy networks.  A systematic approach is used in defining and
   evaluating the security threats.  Applicable countermeasures are
   application specific and are addressed in relevant applicability
   statements.

Status of This Memo

   This document is not an Internet Standards Track specification; it is
   published for informational purposes.

   This document is a product of the Internet Engineering Task Force
   (IETF).  It represents the consensus of the IETF community.  It has
   received public review and has been approved for publication by the
   Internet Engineering Steering Group (IESG).  Not all documents
   approved by the IESG are a candidate for any level of Internet
   Standard; see Section 2 of RFC 5741.

   Information about the current status of this document, any errata,
   and how to provide feedback on it may be obtained at
   http://www.rfc-editor.org/info/rfc7416.

Page 2 
Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Relationship to Other Documents . . . . . . . . . . . . . . .   4
   3.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   5
   4.  Considerations on RPL Security  . . . . . . . . . . . . . . .   5
     4.1.  Routing Assets and Points of Access . . . . . . . . . . .   6
     4.2.  The ISO 7498-2 Security Reference Model . . . . . . . . .   8
     4.3.  Issues Specific to or Amplified in LLNs . . . . . . . . .  10
     4.4.  RPL Security Objectives . . . . . . . . . . . . . . . . .  12
   5.  Threat Sources  . . . . . . . . . . . . . . . . . . . . . . .  13
   6.  Threats and Attacks . . . . . . . . . . . . . . . . . . . . .  13
     6.1.  Threats Due to Failures to Authenticate . . . . . . . . .  14
       6.1.1.  Node Impersonation  . . . . . . . . . . . . . . . . .  14
       6.1.2.  Dummy Node  . . . . . . . . . . . . . . . . . . . . .  14
       6.1.3.  Node Resource Spam  . . . . . . . . . . . . . . . . .  15
     6.2.  Threats Due to Failure to Keep Routing Information
           Confidential  . . . . . . . . . . . . . . . . . . . . . .  15
       6.2.1.  Routing Exchange Exposure . . . . . . . . . . . . . .  15
       6.2.2.  Routing Information (Routes and Network Topology)
               Exposure  . . . . . . . . . . . . . . . . . . . . . .  15
     6.3.  Threats and Attacks on Integrity  . . . . . . . . . . . .  16
       6.3.1.  Routing Information Manipulation  . . . . . . . . . .  16
       6.3.2.  Node Identity Misappropriation  . . . . . . . . . . .  17
     6.4.  Threats and Attacks on Availability . . . . . . . . . . .  18
       6.4.1.  Routing Exchange Interference or Disruption . . . . .  18
       6.4.2.  Network Traffic Forwarding Disruption . . . . . . . .  18
       6.4.3.  Communications Resource Disruption  . . . . . . . . .  20
       6.4.4.  Node Resource Exhaustion  . . . . . . . . . . . . . .  20

Top      ToC       Page 3 
   7.  Countermeasures . . . . . . . . . . . . . . . . . . . . . . .  21
     7.1.  Confidentiality Attack Countermeasures  . . . . . . . . .  21
       7.1.1.  Countering Deliberate Exposure Attacks  . . . . . . .  21
       7.1.2.  Countering Passive Wiretapping Attacks  . . . . . . .  22
       7.1.3.  Countering Traffic Analysis . . . . . . . . . . . . .  22
       7.1.4.  Countering Remote Device Access Attacks . . . . . . .  23
     7.2.  Integrity Attack Countermeasures  . . . . . . . . . . . .  24
       7.2.1.  Countering Unauthorized Modification Attacks  . . . .  24
       7.2.2.  Countering Overclaiming and Misclaiming Attacks . . .  24
       7.2.3.  Countering Identity (including Sybil) Attacks . . . .  25
       7.2.4.  Countering Routing Information Replay Attacks . . . .  25
       7.2.5.  Countering Byzantine Routing Information Attacks  . .  26
     7.3.  Availability Attack Countermeasures . . . . . . . . . . .  26
       7.3.1.  Countering HELLO Flood Attacks and ACK Spoofing
               Attacks . . . . . . . . . . . . . . . . . . . . . . .  27
       7.3.2.  Countering Overload Attacks . . . . . . . . . . . . .  27
       7.3.3.  Countering Selective Forwarding Attacks . . . . . . .  29
       7.3.4.  Countering Sinkhole Attacks . . . . . . . . . . . . .  29
       7.3.5.  Countering Wormhole Attacks . . . . . . . . . . . . .  30
   8.  RPL Security Features . . . . . . . . . . . . . . . . . . . .  31
     8.1.  Confidentiality Features  . . . . . . . . . . . . . . . .  32
     8.2.  Integrity Features  . . . . . . . . . . . . . . . . . . .  32
     8.3.  Availability Features . . . . . . . . . . . . . . . . . .  33
     8.4.  Key Management  . . . . . . . . . . . . . . . . . . . . .  34
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  34
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  34
     10.1.  Normative References . . . . . . . . . . . . . . . . . .  34
     10.2.  Informative References . . . . . . . . . . . . . . . . .  35
   Acknowledgments  . . . . . .  . . . . . . . . . . . . . . . . . .  39
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  40

1.  Introduction

   In recent times, networked electronic devices have found an
   increasing number of applications in various fields.  Yet, for
   reasons ranging from operational application to economics, these
   wired and wireless devices are often supplied with minimum physical
   resources; the constraints include those on computational resources
   (RAM, clock speed, and storage) and communication resources (duty
   cycle, packet size, etc.) but also form factors that may rule out
   user-access interfaces (e.g., the housing of a small stick-on switch)
   or simply safety considerations (e.g., with gas meters).  As a
   consequence, the resulting networks are more prone to loss of traffic
   and other vulnerabilities.  The proliferation of these Low-Power and
   Lossy Networks (LLNs), however, are drawing efforts to examine and
   address their potential networking challenges.  Securing the
   establishment and maintenance of network connectivity among these
   deployed devices becomes one of these key challenges.

Top      ToC       Page 4 
   This document presents a threat analysis for securing the Routing
   Protocol for LLNs (RPL).  The process requires two steps.  First, the
   analysis will be used to identify pertinent security issues.  The
   second step is to identify necessary countermeasures to secure RPL.
   As there are multiple ways to solve the problem and the specific
   trade-offs are deployment specific, the specific countermeasure to be
   used is detailed in applicability statements.

   This document uses a model based on [ISO.7498-2.1989], which
   describes authentication, access control, data confidentiality, data
   integrity, and non-repudiation security services.  This document
   expands the model to include the concept of availability.  As
   explained below, non-repudiation does not apply to routing protocols.

   Many of the issues in this document were also covered in the IAB
   Smart Object Workshop [RFC6574] and the IAB Smart Object Security
   Workshop [RFC7397].

   This document concerns itself with securing the control-plane
   traffic.  As such, it does not address authorization or
   authentication of application traffic.  RPL uses multicast as part of
   its protocol; therefore, mechanisms that RPL uses to secure this
   traffic might also be applicable to the Multicast Protocol for Low-
   Power and Lossy Networks (MPL) control traffic as well: the important
   part is that the threats are similar.

2.  Relationship to Other Documents

   Routing Over Low-Power and Lossy (ROLL) networks has specified a set
   of routing protocols for LLNs [RFC6550].  A number of applicability
   texts describe a subset of these protocols and the conditions that
   make the subset the correct choice.  The text recommends and
   motivates the accompanying parameter value ranges.  Multiple
   applicability domains are recognized, including Building and Home and
   Advanced Metering Infrastructure.  The applicability domains
   distinguish themselves in the way they are operated, by their
   performance requirements, and by the most probable network
   structures.  Each applicability statement identifies the
   distinguishing properties according to a common set of subjects
   described in as many sections.

   The common set of security threats herein are referred to by the
   applicability statements, and that series of documents describes the
   preferred security settings and solutions within the applicability
   statement conditions.  This applicability statement may recommend
   more lightweight security solutions and specify the conditions under
   which these solutions are appropriate.

Top      ToC       Page 5 
3.  Terminology

   This document adopts the terminology defined in [RFC6550], [RFC4949],
   and [RFC7102].

   The terms "control plane" and "forwarding plane" are used in a manner
   consistent with Section 1 of [RFC6192].

   The term "Destination-Oriented DAG (DODAG)" is from [RFC6550].

   Extensible Authentication Protocol - Transport Layer Security
   (EAP-TLS) is defined in [RFC5216].

   The Protocol for Carrying Authentication for Network Access (PANA) is
   defined in [RFC5191].

   Counter with CBC-MAC (CCM) mode is defined in [RFC3610].

   The term "sleepy node", introduced in [RFC7102], refers to a node
   that may sometimes go into a low-power state, suspending protocol
   communications.

   The terms Service Set Identifier (SSID), Extended Service Set
   Identifier (ESSID), and Personal Area Network (PAN) refer to network
   identifiers, defined in [IEEE.802.11] and [IEEE.802.15.4].

   Although this is not a protocol specification, the key words "MUST",
   "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT",
   "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119] in order to
   clarify and emphasize the guidance and directions to implementers and
   deployers of LLN nodes that utilize RPL.

4.  Considerations on RPL Security

   Routing security, in essence, ensures that the routing protocol
   operates correctly.  It entails implementing measures to ensure
   controlled state changes on devices and network elements, both based
   on external inputs (received via communications) or internal inputs
   (physical security of the device itself and parameters maintained by
   the device, including, e.g., clock).  State changes would thereby
   involve not only authorization of the injector's actions,
   authentication of injectors, and potentially confidentiality of
   routing data, but also proper order of state changes through
   timeliness, since seriously delayed state changes, such as commands
   or updates of routing tables, may negatively impact system operation.
   A security assessment can, therefore, begin with a focus on the
   assets [RFC4949] that may be the target of the state changes and the

Top      ToC       Page 6 
   access points in terms of interfaces and protocol exchanges through
   which such changes may occur.  In the case of routing security, the
   focus is directed towards the elements associated with the
   establishment and maintenance of network connectivity.

   This section sets the stage for the development of the analysis by
   applying the systematic approach proposed in [Myagmar2005] to the
   routing security, while also drawing references from other reviews
   and assessments found in the literature, particularly [RFC4593] and
   [Karlof2003] (i.e., selective forwarding, wormhole, and sinkhole
   attacks).  The subsequent subsections begin with a focus on the
   elements of a generic routing process that is used to establish
   routing assets and points of access to the routing functionality.
   Next, the security model based on [ISO.7498-2.1989] is briefly
   described.  Then, consideration is given to issues specific to or
   amplified in LLNs.  This section concludes with the formulation of a
   set of security objectives for RPL.

4.1.  Routing Assets and Points of Access

   An asset is an important system resource (including information,
   process, or physical resource); the access to and corruption or loss
   of an asset adversely affects the system.  In the control-plane
   context, an asset is information about the network, processes used to
   manage and manipulate this data, and the physical devices on which
   this data is stored and manipulated.  The corruption or loss of these
   assets may adversely impact the control plane of the network.  Within
   the same context, a point of access is an interface or protocol that
   facilitates interaction between control-plane assets.  Identifying
   these assets and points of access will provide a basis for
   enumerating the attack surface of the control plane.

   A level-0 data flow diagram [Yourdon1979] is used here to identify
   the assets and points of access within a generic routing process.
   The use of a data flow diagram allows for a clear and concise model
   of the way in which routing nodes interact and process information;
   hence, it provides a context for threats and attacks.  The goal of
   the model is to be as detailed as possible so that corresponding
   assets, points of access, and processes in an individual routing
   protocol can be readily identified.

   Figure 1 shows that nodes participating in the routing process
   transmit messages to discover neighbors and to exchange routing
   information; routes are then generated and stored, which may be
   maintained in the form of the protocol forwarding table.  The nodes
   use the derived routes for making forwarding decisions.

Top      ToC       Page 7 
                    ...................................................
                    :                                                 :
                    :                                                 :
        |Node_i|<------->(Routing Neighbor       _________________    :
                    :     Discovery)------------>Neighbor Topology    :
                    :                            -------+---------    :
                    :                                   |             :
        |Node_j|<------->(Route/Topology       +--------+             :
                    :     Exchange)            |                      :
                    :           |              V            ______    :
                    :           +---->(Route Generation)--->Routes    :
                    :                                       ---+--    :
                    :                                          |      :
                    : Routing on Node_k                        |      :
                    ...................................................
                                                               |
        |Forwarding                                            |
        |on Node_l|<-------------------------------------------+

   Notation:

   (Proc)     A process Proc

   ________
   topology   A structure storing neighbor adjacency (parent/child)
   --------
   ________
    routes    A structure storing the forwarding information base (FIB)
   --------

   |Node_n|   An external entity Node_n

   ------->   Data flow


         Figure 1: Data Flow Diagram of a Generic Routing Process

   Figure 1 shows the following:

   o  Assets include

      *  routing and/or topology information;

      *  route generation process;

      *  communication channel resources (bandwidth);

Top      ToC       Page 8 
      *  node resources (computing capacity, memory, and remaining
         energy); and

      *  node identifiers (including node identity and ascribed
         attributes such as relative or absolute node location).

   o  Points of access include

      *  neighbor discovery;

      *  route/topology exchange; and

      *  node physical interfaces (including access to data storage).

   A focus on the above list of assets and points of access enables a
   more directed assessment of routing security; for example, it is
   readily understood that some routing attacks are in the form of
   attempts to misrepresent routing topology.  Indeed, the intention of
   the security threat analysis is to be comprehensive.  Hence, some of
   the discussion that follows is associated with assets and points of
   access that are not directly related to routing protocol design but
   are nonetheless provided for reference since they do have direct
   consequences on the security of routing.

4.2.  The ISO 7498-2 Security Reference Model

   At the conceptual level, security within an information system, in
   general, and applied to RPL in particular is concerned with the
   primary issues of authentication, access control, data
   confidentiality, data integrity, and non-repudiation.  In the context
   of RPL:

   Authentication
         Authentication involves the mutual authentication of the
         routing peers prior to exchanging route information (i.e., peer
         authentication) as well as ensuring that the source of the
         route data is from the peer (i.e., data origin authentication).
         LLNs can be drained by unauthenticated peers before
         configuration per [RFC5548].  Availability of open and
         untrusted side channels for new joiners is required by
         [RFC5673], and strong and automated authentication is required
         so that networks can automatically accept or reject new
         joiners.

   Access Control
         Access Control provides protection against unauthorized use of
         the asset and deals with the authorization of a node.

Top      ToC       Page 9 
   Confidentiality
         Confidentiality involves the protection of routing information
         as well as routing neighbor maintenance exchanges so that only
         authorized and intended network entities may view or access it.
         Because LLNs are most commonly found on a publicly accessible
         shared medium, e.g., air or wiring in a building, and are
         sometimes formed ad hoc, confidentiality also extends to the
         neighbor state and database information within the routing
         device since the deployment of the network creates the
         potential for unauthorized access to the physical devices
         themselves.

   Integrity
         Integrity entails the protection of routing information and
         routing neighbor maintenance exchanges, as well as derived
         information maintained in the database, from unauthorized
         modifications, insertions, deletions, or replays to be
         addressed beyond the routing protocol.

   Non-repudiation
         Non-repudiation is the assurance that the transmission and/or
         reception of a message cannot later be denied.  The service of
         non-repudiation applies after the fact; thus, it relies on the
         logging or other capture of ongoing message exchanges and
         signatures.  Routing protocols typically do not have a notion
         of repudiation, so non-repudiation services are not required.
         Further, with the LLN application domains as described in
         [RFC5867] and [RFC5548], proactive measures are much more
         critical than retrospective protections.  Finally, given the
         significant practical limits to ongoing routing transaction
         logging and storage and individual device digital signature
         verification for each exchange, non-repudiation in the context
         of routing is an unsupportable burden that bears no further
         consideration as an RPL security issue.

   It is recognized that, besides those security issues captured in the
   ISO 7498-2 model, availability is a security requirement:

   Availability
         Availability ensures that routing information exchanges and
         forwarding services are available when they are required for
         the functioning of the serving network.  Availability will
         apply to maintaining efficient and correct operation of routing
         and neighbor discovery exchanges (including needed information)
         and forwarding services so as not to impair or limit the
         network's central traffic flow function.

Top      ToC       Page 10 
   It should be emphasized here that for RPL security, the above
   requirements must be complemented by the proper security policies and
   enforcement mechanisms to ensure that security objectives are met by
   a given RPL implementation.

4.3.  Issues Specific to or Amplified in LLNs

   The requirements work detailed in Urban Requirements [RFC5548],
   Industrial Requirements [RFC5673], Home Automation [RFC5826], and
   Building Automation [RFC5867] have identified specific issues and
   constraints of routing in LLNs.  The following is a list of
   observations from those requirements and evaluations of their impact
   on routing security considerations.

   Limited energy, memory, and processing node resources
         As a consequence of these constraints, the need to evaluate the
         kinds of security that can be provided needs careful study.
         For instance, security provided at one level could be very
         memory efficient yet might also be very energy costly for the
         network (as a whole) if it requires significant effort to
         synchronize the security state.  Synchronization of security
         states with sleepy nodes [RFC7102] is a complex issue.  A non-
         rechargeable battery-powered node may well be limited in energy
         for it's lifetime: once exhausted, it may well never function
         again.

   Large scale of rolled out network
         The possibly numerous nodes to be deployed make manual on-site
         configuration unlikely.  For example, an urban deployment can
         see several hundreds of thousands of nodes being installed by
         many installers with a low level of expertise.  Nodes may be
         installed and not activated for many years, and additional
         nodes may be added later on, which may be from old inventory.
         The lifetime of the network is measured in decades, and this
         complicates the operation of key management.

   Autonomous operations
         Self-forming and self-organizing are commonly prescribed
         requirements of LLNs.  In other words, a routing protocol
         designed for LLNs needs to contain elements of ad hoc
         networking and, in most cases, cannot rely on manual
         configuration for initialization or local filtering rules.
         Network topology/ownership changes, partitioning or merging,
         and node replacement can all contribute to complicating the
         operations of key management.

Top      ToC       Page 11 
   Highly directional traffic
         Some types of LLNs see a high percentage of their total traffic
         traverse between the nodes and the LLN Border Routers (LBRs)
         where the LLNs connect to non-LLNs.  The special routing status
         of and the greater volume of traffic near the LBRs have routing
         security consequences as a higher-valued attack target.  In
         fact, when Point-to-MultiPoint (P2MP) and MultiPoint-to-Point
         (MP2P) traffic represents a majority of the traffic, routing
         attacks consisting of advertising incorrect preferred routes
         can cause serious damage.

         While it might seem that nodes higher up in the acyclic graph
         (i.e., those with lower rank) should be secured in a stronger
         fashion, it is not, in general, easy to predict which nodes
         will occupy those positions until after deployment.  Issues of
         redundancy and inventory control suggest that any node might
         wind up in such a sensitive attack position, so all nodes are
         to be capable of being fully secured.

         In addition, even if it were possible to predict which nodes
         will occupy positions of lower rank and provision them with
         stronger security mechanisms, in the absence of a strong
         authorization model, any node could advertise an incorrect
         preferred route.

   Unattended locations and limited physical security
         In many applications, the nodes are deployed in unattended or
         remote locations; furthermore, the nodes themselves are often
         built with minimal physical protection.  These constraints
         lower the barrier of accessing the data or security material
         stored on the nodes through physical means.

   Support for mobility
         On the one hand, only a limited number of applications require
         the support of mobile nodes, e.g., a home LLN that includes
         nodes on wearable health care devices or an industry LLN that
         includes nodes on cranes and vehicles.  On the other hand, if a
         routing protocol is indeed used in such applications, it will
         clearly need to have corresponding security mechanisms.

         Additionally, nodes may appear to move from one side of a wall
         to another without any actual motion involved, which is the
         result of changes to electromagnetic properties, such as the
         opening and closing of a metal door.

Top      ToC       Page 12 
   Support for multicast and anycast
         Support for multicast and anycast is called out chiefly for
         large-scale networks.  Since application of these routing
         mechanisms in autonomous operations of many nodes is new, the
         consequence on security requires careful consideration.

   The above list considers how an LLN's physical constraints, size,
   operations, and variety of application areas may impact security.
   However, it is the combinations of these factors that particularly
   stress the security concerns.  For instance, securing routing for a
   large number of autonomous devices that are left in unattended
   locations with limited physical security presents challenges that are
   not found in the common circumstance of administered networked
   routers.  The following subsection sets up the security objectives
   for the routing protocol designed by the ROLL WG.

4.4.  RPL Security Objectives

   This subsection applies the ISO 7498-2 model to routing assets and
   access points, taking into account the LLN issues, to develop a set
   of RPL security objectives.

   Since the fundamental function of a routing protocol is to build
   routes for forwarding packets, it is essential to ensure that:

   o  routing/topology information integrity remains intact during
      transfer and in storage;

   o  routing/topology information is used by authorized entities; and

   o  routing/topology information is available when needed.

   In conjunction, it is necessary to be assured that:

   o  Authorized peers authenticate themselves during the routing
      neighbor discovery process.

   o  The routing/topology information received is generated according
      to the protocol design.

   However, when trust cannot be fully vested through authentication of
   the principals alone, i.e., concerns of an insider attack, assurance
   of the truthfulness and timeliness of the received routing/topology
   information is necessary.  With regard to confidentiality, protecting
   the routing/topology information from unauthorized exposure may be
   desirable in certain cases but is in itself less pertinent, in
   general, to the routing function.

Top      ToC       Page 13 
   One of the main problems of synchronizing security states of sleepy
   nodes, as listed in the last subsection, lies in difficulties in
   authentication; these nodes may not have received the most recent
   update of security material in time.  Similarly, the issues of
   minimal manual configuration, prolonged rollout and delayed addition
   of nodes, and network topology changes also complicate key
   management.  Hence, routing in LLNs needs to bootstrap the
   authentication process and allow for a flexible expiration scheme of
   authentication credentials.

   The vulnerability brought forth by some special-function nodes, e.g.,
   LBRs, requires the assurance, particularly in a security context, of
   the following:

   o  The availability of communication channels and node resources.

   o  The neighbor discovery process operates without undermining
      routing availability.

   There are other factors that are not part of RPL but directly affect
   its function.  These factors include a weaker barrier of accessing
   the data or security material stored on the nodes through physical
   means; therefore, the internal and external interfaces of a node need
   to be adequate for guarding the integrity, and possibly the
   confidentiality, of stored information, as well as the integrity of
   routing and route generation processes.

   Each individual system's use and environment will dictate how the
   above objectives are applied, including the choices of security
   services as well as the strengths of the mechanisms that must be
   implemented.  The next two sections take a closer look at how the RPL
   security objectives may be compromised and how those potential
   compromises can be countered.

5.  Threat Sources

   [RFC4593] provides a detailed review of the threat sources: outsiders
   and Byzantine.  RPL has the same threat sources.

6.  Threats and Attacks

   This section outlines general categories of threats under the ISO
   7498-2 model and highlights the specific attacks in each of these
   categories for RPL.  As defined in [RFC4949], a threat is "a
   potential for violation of security, which exists when there is a
   circumstance, capability, action, or event that could breach security
   and cause harm."

Top      ToC       Page 14 
   Per [RFC3067], an attack is "an assault on system security that
   derives from an intelligent threat, i.e., an intelligent act that is
   a deliberate attempt (especially in the sense of a method or
   technique) to evade security services and violate the security policy
   of a system."

   The subsequent subsections consider the threats and the attacks that
   can cause security breaches under the ISO 7498-2 model to the routing
   assets and via the routing points of access identified in
   Section 4.1.  The assessment reviews the security concerns of each
   routing asset and looks at the attacks that can exploit routing
   points of access.  The threats and attacks identified are based on
   the routing model analysis and associated review of the existing
   literature.  The source of the attacks is assumed to be from either
   inside or outside attackers.  While some attackers inside the network
   will be using compromised nodes and, therefore, are only able to do
   what an ordinary node can ("node-equivalent"), other attacks may not
   be limited in memory, CPU, power consumption, or long-term storage.
   Moore's law favors the attacker with access to the latest
   capabilities, while the defenders will remain in place for years to
   decades.

6.1.  Threats Due to Failures to Authenticate

6.1.1.  Node Impersonation

   If an attacker can join a network using any identity, then it may be
   able to assume the role of a legitimate (and existing node).  It may
   be able to report false readings (in metering applications) or
   provide inappropriate control messages (in control systems involving
   actuators) if the security of the application is implied by the
   security of the routing system.

   Even in systems where there is application-layer security, the
   ability to impersonate a node would permit an attacker to direct
   traffic to itself.  This may permit various on-path attacks that
   would otherwise be difficult, such as replaying, delaying, or
   duplicating (application) control messages.

6.1.2.  Dummy Node

   If an attacker can join a network using any identify, then it can
   pretend to be a legitimate node, receiving any service legitimate
   nodes receive.  It may also be able to report false readings (in
   metering applications), provide inappropriate authorizations (in
   control systems involving actuators), or perform any other attacks
   that are facilitated by being able to direct traffic towards itself.

Top      ToC       Page 15 
6.1.3.  Node Resource Spam

   If an attacker can join a network with any identity, then it can
   continuously do so with new (random) identities.  This act may drain
   down the resources of the network (battery, RAM, bandwidth).  This
   may cause legitimate nodes of the network to be unable to
   communicate.

6.2.  Threats Due to Failure to Keep Routing Information Confidential

   The assessment in Section 4.2 indicates that there are attacks
   against the confidentiality of routing information at all points of
   access.  This threat may result in disclosure, as described in
   Section 3.1.2 of [RFC4593], and may involve a disclosure of routing
   information.

6.2.1.  Routing Exchange Exposure

   Routing exchanges include both routing information as well as
   information associated with the establishment and maintenance of
   neighbor state information.  As indicated in Section 4.1, the
   associated routing information assets may also include device-
   specific resource information, such as available memory, remaining
   power, etc., that may be metrics of the routing protocol.

   The routing exchanges will contain reachability information, which
   would identify the relative importance of different nodes in the
   network.  Nodes higher up in the DODAG, to which more streams of
   information flow, would be more interesting targets for other
   attacks, and routing exchange exposures could identify them.

6.2.2.  Routing Information (Routes and Network Topology) Exposure

   Routes (which may be maintained in the form of the protocol
   forwarding table) and neighbor topology information are the products
   of the routing process that are stored within the node device
   databases.

   The exposure of this information will allow attackers to gain direct
   access to the configuration and connectivity of the network, thereby
   exposing routing to targeted attacks on key nodes or links.  Since
   routes and neighbor topology information are stored within the node
   device, attacks on the confidentiality of the information will apply
   to the physical device, including specified and unspecified internal
   and external interfaces.

Top      ToC       Page 16 
   The forms of attack that allow unauthorized access or disclosure of
   the routing information will include:

   o  Physical device compromise.

   o  Remote device access attacks (including those occurring through
      remote network management or software/field upgrade interfaces).

   Both of these attack vectors are considered a device-specific issue
   and are out of scope for RPL to defend against.  In some
   applications, physical device compromise may be a real threat, and it
   may be necessary to provide for other devices to securely detect a
   compromised device and react quickly to exclude it.

6.3.  Threats and Attacks on Integrity

   The assessment in Section 4.2 indicates that information and identity
   assets are exposed to integrity threats from all points of access.
   In other words, the integrity threat space is defined by the
   potential for exploitation introduced by access to assets available
   through routing exchanges and the on-device storage.

6.3.1.  Routing Information Manipulation

   Manipulation of routing information that ranges from neighbor states
   to derived routes will allow unauthorized sources to influence the
   operation and convergence of the routing protocols and ultimately
   impact the forwarding decisions made in the network.

   Manipulation of topology and reachability information will allow
   unauthorized sources to influence the nodes with which routing
   information is exchanged and updated.  The consequence of
   manipulating routing exchanges can thus lead to suboptimality and
   fragmentation or partitioning of the network by restricting the
   universe of routers with which associations can be established and
   maintained.

   A suboptimal network may use too much power and/or may congest some
   routes leading to premature failure of a node and a denial of service
   (DoS) on the entire network.

   In addition, being able to attract network traffic can make a black-
   hole attack more damaging.

Top      ToC       Page 17 
   The forms of attack that allow manipulation to compromise the content
   and validity of routing information include:

   o  falsification, including overclaiming and misclaiming (claiming
      routes to devices that the device cannot in fact reach);

   o  routing information replay;

   o  Byzantine (internal) attacks that permit corruption of routing
      information in the node even when the node continues to be a
      validated entity within the network (see, for example, [RFC4593]
      for further discussions on Byzantine attacks); and

   o  physical device compromise or remote device access attacks.

6.3.2.  Node Identity Misappropriation

   Falsification or misappropriation of node identity between routing
   participants opens the door for other attacks; it can also cause
   incorrect routing relationships to form and/or topologies to emerge.
   Routing attacks may also be mounted through less-sophisticated node
   identity misappropriation in which the valid information broadcasted
   or exchanged by a node is replayed without modification.  The receipt
   of seemingly valid information that is, however, no longer current
   can result in routing disruption and instability (including failure
   to converge).  Without measures to authenticate the routing
   participants and to ensure the freshness and validity of the received
   information, the protocol operation can be compromised.  The forms of
   attack that misuse node identity include:

   o  Identity attacks, including Sybil attacks (see [Sybil2002]) in
      which a malicious node illegitimately assumes multiple identities.

   o  Routing information replay.

Top      ToC       Page 18 
6.4.  Threats and Attacks on Availability

   The assessment in Section 4.2 indicates that the process and resource
   assets are exposed to threats against availability; attacks in this
   category may exploit directly or indirectly information exchange or
   forwarding (see [RFC4732] for a general discussion).

6.4.1.  Routing Exchange Interference or Disruption

   Interference is the threat action and disruption is the threat
   consequence that allows attackers to influence the operation and
   convergence of the routing protocols by impeding the routing
   information exchange.

   The forms of attack that allow interference or disruption of routing
   exchange include:

   o  routing information replay;

   o  ACK spoofing; and

   o  overload attacks (Section 7.3.2).

   In addition, attacks may also be directly conducted at the physical
   layer in the form of jamming or interfering.

6.4.2.  Network Traffic Forwarding Disruption

   The disruption of the network traffic forwarding capability will
   undermine the central function of network routers and the ability to
   handle user traffic.  This affects the availability of the network
   because of the potential to impair the primary capability of the
   network.

Top      ToC       Page 19 
   In addition to physical-layer obstructions, the forms of attack that
   allow disruption of network traffic forwarding include [Karlof2003]:

   o  selective forwarding attacks;

         |Node_1|--(msg1|msg2|msg3)-->|Attacker|--(msg1|msg3)-->|Node_2|

                  Figure 2: Selective Forwarding Example

   o  wormhole attacks; and

               |Node_1|-------------Unreachable---------x|Node_2|
                  |                                         ^
                  |               Private Link              |
                  '-->|Attacker_1|===========>|Attacker_2|--'

                        Figure 3: Wormhole Attacks

   o  sinkhole attacks.

                |Node_1|     |Node_4|
                    |            |
                    `--------.   |
                Falsify as    \  |
                Good Link \   |  |
                to Node_5  \  |  |
                            \ V  V
                |Node_2|-->|Attacker|--Not Forwarded---x|Node_5|
                              ^  ^ \
                              |  |  \ Falsify as
                              |  |   \Good Link
                              /  |    to Node_5
                     ,-------'   |
                     |           |
                |Node_3|     |Node_i|

                     Figure 4: Sinkhole Attack Example

   These attacks are generally done to both control- and forwarding-
   plane traffic.  A system that prevents control-plane traffic (RPL
   messages) from being diverted in these ways will also prevent actual
   data from being diverted.

Top      ToC       Page 20 
6.4.3.  Communications Resource Disruption

   Attacks mounted against the communication channel resource assets
   needed by the routing protocol can be used as a means of disrupting
   its operation.  However, while various forms of DoS attacks on the
   underlying transport subsystem will affect routing protocol exchanges
   and operation (for example, physical-layer Radio Frequency (RF)
   jamming in a wireless network or link-layer attacks), these attacks
   cannot be countered by the routing protocol.  As such, the threats to
   the underlying transport network that supports routing is considered
   beyond the scope of the current document.  Nonetheless, attacks on
   the subsystem will affect routing operation and must be directly
   addressed within the underlying subsystem and its implemented
   protocol layers.

6.4.4.  Node Resource Exhaustion

   A potential threat consequence can arise from attempts to overload
   the node resource asset by initiating exchanges that can lead to the
   exhaustion of processing, memory, or energy resources.  The
   establishment and maintenance of routing neighbors opens the routing
   process to engagement and potential acceptance of multiple
   neighboring peers.  Association information must be stored for each
   peer entity and for the wireless network operation provisions made to
   periodically update and reassess the associations.  An introduced
   proliferation of apparent routing peers can, therefore, have a
   negative impact on node resources.

   Node resources may also be unduly consumed by attackers attempting
   uncontrolled topology peering or routing exchanges, routing replays,
   or the generating of other data-traffic floods.  Beyond the
   disruption of communications channel resources, these consequences
   may be able to exhaust node resources only where the engagements are
   able to proceed with the peer routing entities.  Routing operation
   and network forwarding functions can thus be adversely impacted by
   node resources exhaustion that stems from attacks that include:

   o  identity (including Sybil) attacks (see [Sybil2002]);

   o  routing information replay attacks;

   o  HELLO-type flood attacks; and

   o  overload attacks (Section 7.3.2).


Next RFC Part