Tech-invite3GPPspaceIETFspace
959493929190898887868584838281807978777675747372717069686766656463626160595857565554535251504948474645444342414039383736353433323130292827262524232221201918171615141312111009080706050403020100
in Index   Prev   Next

RFC 7416

A Security Threat Analysis for the Routing Protocol for Low-Power and Lossy Networks (RPLs)

Pages: 40
Informational
Part 2 of 2 – Pages 21 to 40
First   Prev   None

Top   ToC   RFC7416 - Page 21   prevText

7. Countermeasures

By recognizing the characteristics of LLNs that may impact routing, this analysis provides the basis for understanding the capabilities within RPL used to deter the identified attacks and mitigate the threats. The following subsections consider such countermeasures by grouping the attacks according to the classification of the ISO 7498-2 model so that associations with the necessary security services are more readily visible.

7.1. Confidentiality Attack Countermeasures

Attacks to disclosure routing information may be mounted at the level of the routing information assets, at the points of access associated with routing exchanges between nodes, or through device interface access. To gain access to routing/topology information, the attacker may rely on a compromised node that deliberately exposes the information during the routing exchange process, on passive wiretapping or traffic analysis, or on attempting access through a component or device interface of a tampered routing node.

7.1.1. Countering Deliberate Exposure Attacks

A deliberate exposure attack is one in which an entity that is party to the routing process or topology exchange allows the routing/ topology information or generated route information to be exposed to an unauthorized entity. For instance, due to misconfiguration or inappropriate enabling of a diagnostic interface, an entity might be copying ("bridging") traffic from a secured ESSID/PAN to an unsecured interface. A prerequisite to countering this attack is to ensure that the communicating nodes are authenticated prior to data encryption applied in the routing exchange. The authentication ensures that the LLN starts with trusted nodes, but it does not provide an indication of whether the node has been compromised. Reputation systems could be used to help when some nodes may sleep for extended periods of time. It is also unclear if resulting datasets would even fit into constrained devices. To mitigate the risk of deliberate exposure, the process that communicating nodes use to establish session keys must be peer-to-peer (i.e., between the routing initiating and responding nodes). As is pointed out in [RFC4107], automatic key management is critical for good security. This helps ensure that neither node is exchanging routing information with another peer without the
Top   ToC   RFC7416 - Page 22
   knowledge of both communicating peers.  For a deliberate exposure
   attack to succeed, the comprised node will need to be more overt and
   take independent actions in order to disclose the routing information
   to a third party.

   Note that the same measures that apply to securing routing/topology
   exchanges between operational nodes must also extend to field tools
   and other devices used in a deployed network where such devices can
   be configured to participate in routing exchanges.

7.1.2. Countering Passive Wiretapping Attacks

A passive wiretap attack seeks to breach routing confidentiality through passive, direct analysis and processing of the information exchanges between nodes. Passive wiretap attacks can be directly countered through the use of data encryption for all routing exchanges. Only when a validated and authenticated node association is completed will routing exchange be allowed to proceed using established session keys and an agreed encryption algorithm. The mandatory-to-implement CCM mode AES-128 method, described in [RFC3610], is believed to be secure against a brute-force attack by even the most well-equipped adversary. The significant challenge for RPL is in the provisioning of the key, which in some modes of RFC 6550 is used network wide. This problem is not solved in RFC 6550, and it is the subject of significant future work: see, for instance, [AceCharterProposal], [SolaceProposal], and [SmartObjectSecurityWorkshop]. A number of deployments, such as [ZigBeeIP] specify no Layer 3 (L3) / RPL encryption or authentication and rely upon similar security at Layer 2 (L2). These networks are immune to outside wiretapping attacks but are vulnerable to passive (and active) routing attacks through compromises of nodes (see Section 8.2). Section 10.9 of [RFC6550] specifies AES-128 in CCM mode with a 32-bit Message Authentication Code (MAC). Section 5.6 of ZigBee IP [ZigBeeIP] specifies use of CCM, with PANA and EAP-TLS for key management.

7.1.3. Countering Traffic Analysis

Traffic analysis provides an indirect means of subverting confidentiality and gaining access to routing information by allowing an attacker to indirectly map the connectivity or flow patterns (including link load) of the network from which other attacks can be
Top   ToC   RFC7416 - Page 23
   mounted.  The traffic-analysis attack on an LLN, especially one
   founded on a shared medium, is passive and relies on the ability to
   read the immutable source/destination L2 and/or L3 routing
   information that must remain unencrypted to permit network routing.

   One way in which passive traffic-analysis attacks can be muted is
   through the support of load balancing that allows traffic to a given
   destination to be sent along diverse routing paths.  RPL does not
   generally support multipath routing within a single DODAG.  Multiple
   DODAGs are supported in the protocol, and an implementation could
   make use of that.  RPL does not have any inherent or standard way to
   guarantee that the different DODAGs would have significantly diverse
   paths.  Having the diverse DODAGs routed at different border routers
   might work in some instances, and this could be combined with a
   multipath technology like Multipath TCP (MPTCP) [RFC6824].  It is
   unlikely that it will be affordable in many LLNs, as few deployments
   will have memory space for more than a few sets of DODAG tables.

   Another approach to countering passive traffic analysis could be for
   nodes to maintain a constant amount of traffic to different
   destinations through the generation of arbitrary traffic flows; the
   drawback of course would be the consequent overhead and energy
   expenditure.

   The only means of fully countering a traffic-analysis attack is
   through the use of tunneling (encapsulation) where encryption is
   applied across the entirety of the original packet source/destination
   addresses.  Deployments that use L2 security that includes encryption
   already do this for all traffic.

7.1.4. Countering Remote Device Access Attacks

Where LLN nodes are deployed in the field, measures are introduced to allow for remote retrieval of routing data and for software or field upgrades. These paths create the potential for a device to be remotely accessed across the network or through a provided field tool. In the case of network management, a node can be directly requested to provide routing tables and neighbor information. To ensure confidentiality of the node routing information against attacks through remote access, any local or remote device requesting routing information must be authenticated and must be authorized for that access. Since remote access is not invoked as part of a routing protocol, security of routing information stored on the node against remote access will not be addressable as part of the routing protocol.
Top   ToC   RFC7416 - Page 24

7.2. Integrity Attack Countermeasures

Integrity attack countermeasures address routing information manipulation, as well as node identity and routing information misuse. Manipulation can occur in the form of a falsification attack and physical compromise. To be effective, the following development considers the two aspects of falsification, namely, the unauthorized modifications and the overclaiming and misclaiming content. The countering of physical compromise was considered in the previous section and is not repeated here. With regard to misuse, there are two types of attacks to be deterred: identity attacks and replay attacks.

7.2.1. Countering Unauthorized Modification Attacks

Unauthorized modifications may occur in the form of altering the message being transferred or the data stored. Therefore, it is necessary to ensure that only authorized nodes can change the portion of the information that is allowed to be mutable, while the integrity of the rest of the information is protected, e.g., through well- studied cryptographic mechanisms. Unauthorized modifications may also occur in the form of insertion or deletion of messages during protocol changes. Therefore, the protocol needs to ensure the integrity of the sequence of the exchange sequence. The countermeasure to unauthorized modifications needs to: o implement access control on storage; o provide data integrity service to transferred messages and stored data; and o include a sequence number under integrity protection.

7.2.2. Countering Overclaiming and Misclaiming Attacks

Both overclaiming and misclaiming aim to introduce false routes or a false topology that would not occur otherwise, while there are not necessarily unauthorized modifications to the routing messages or information. In order to counter overclaiming, the capability to determine unreasonable routes or topology is required. The counter to overclaiming and misclaiming may employ: o Comparison with historical routing/topology data.
Top   ToC   RFC7416 - Page 25
   o  Designs that restrict realizable network topologies.

   RPL includes no specific mechanisms in the protocol to counter
   overclaims or misclaims.  An implementation could have specific
   heuristics implemented locally.

7.2.3. Countering Identity (including Sybil) Attacks

Identity attacks, sometimes simply called spoofing, seek to gain or damage assets whose access is controlled through identity. In routing, an identity attacker can illegitimately participate in routing exchanges, distribute false routing information, or cause an invalid outcome of a routing process. A perpetrator of Sybil attacks assumes multiple identities. The result is not only an amplification of the damage to routing but extension to new areas, e.g., where geographic distribution is explicitly or implicitly an asset to an application running on the LLN, for example, the LBR in a P2MP or MP2P LLN. RPL includes specific public key-based authentication at L3 that provides for authorization. Many deployments use L2 security that includes admission controls at L2 using mechanisms such as PANA.

7.2.4. Countering Routing Information Replay Attacks

In many routing protocols, message replay can result in false topology and/or routes. This is often counted with some kind of counter to ensure the freshness of the message. Replay of a current, literal RPL message is, in general, idempotent to the topology. If replayed, an older (lower DODAGVersionNumber) message would be rejected as being stale. If the trickle algorithm further dampens the effect of any such replay, as if the message was current, then it would contain the same information as before, and it would cause no network changes. Replays may well occur in some radio technologies (though not very likely; see [IEEE.802.15.4]) as a result of echos or reflections, so some replays must be assumed to occur naturally. Note that for there to be no effect at all, the replay must be done with the same apparent power for all nodes receiving the replay. A change in apparent power might change the metrics through changes to the Expected Transmission Count (ETX); therefore, it might affect the routing even though the contents of the packet were never changed. Any replay that appears to be different should be analyzed as a selective forwarding attack, sinkhole attack, or wormhole attack.
Top   ToC   RFC7416 - Page 26

7.2.5. Countering Byzantine Routing Information Attacks

Where a node is captured or compromised but continues to operate for a period with valid network security credentials, the potential exists for routing information to be manipulated. This compromise of the routing information could thus exist in spite of security countermeasures that operate between the peer routing devices. Consistent with the end-to-end principle of communications, such an attack can only be fully addressed through measures operating directly between the routing entities themselves or by means of external entities accessing and independently analyzing the routing information. Verification of the authenticity and liveliness of the routing entities can, therefore, only provide a limited counter against internal (Byzantine) node attacks. For link-state routing protocols where information is flooded with, for example, areas (OSPF [RFC2328]) or levels (IS-IS [RFC7142]), countermeasures can be directly applied by the routing entities through the processing and comparison of link-state information received from different peers. By comparing the link information from multiple sources, decisions can be made by a routing node or external entity with regard to routing information validity; see Chapter 2 of [Perlman1988] for a discussion on flooding attacks. For distance vector protocols, such as RPL, where information is aggregated at each routing node, it is not possible for nodes to directly detect Byzantine information manipulation attacks from the routing information exchange. In such cases, the routing protocol must include and support indirect communications exchanges between non-adjacent routing peers to provide a secondary channel for performing routing information validation. S-RIP [Wan2004] is an example of the implementation of this type of dedicated routing protocol security where the correctness of aggregate distance vector information can only be validated by initiating confirmation exchanges directly between nodes that are not routing neighbors. RPL does not provide any direct mechanisms like S-RIP. It does listen to multiple parents and may switch parents if it begins to suspect that it is being lied to.

7.3. Availability Attack Countermeasures

As alluded to before, availability requires that routing information exchanges and forwarding mechanisms be available when needed so as to guarantee proper functioning of the network. This may, e.g., include the correct operation of routing information and neighbor state information exchanges, among others. We will highlight the key
Top   ToC   RFC7416 - Page 27
   features of the security threats along with typical countermeasures
   to prevent or at least mitigate them.  We will also note that an
   availability attack may be facilitated by an identity attack as well
   as a replay attack, as was addressed in Sections 7.2.3 and 7.2.4,
   respectively.

7.3.1. Countering HELLO Flood Attacks and ACK Spoofing Attacks

HELLO Flood [Karlof2003], [HELLO], and ACK spoofing attacks are different but highly related forms of attacking an LLN. They essentially lead nodes to believe that suitable routes are available even though they are not and hence constitute a serious availability attack. A HELLO attack mounted against RPL would involve sending out (or replaying) DODAG Information Object (DIO) messages by the attacker. Lower-power LLN nodes might then attempt to join the DODAG at a lower rank than they would otherwise. The most effective method from [HELLO] is bidirectional verification. A number of L2 links are arranged in controller/spoke arrangements and are continuously validating connectivity at layer 2. In addition, in order to calculate metrics, the ETX must be computed, and this involves, in general, sending a number of messages between nodes that are believed to be adjacent. One such protocol is [MESH-LINK]. In order to join the DODAG, a Destination Advertisement Object (DAO) message is sent upwards. In RPL, the DAO is acknowledged by the DAO-ACK message. This clearly checks bidirectionality at the control plane. As discussed in Section 5.1 of [HELLO], a receiver with a sensitive receiver could well hear the DAOs and even send DAO-ACKs as well. Such a node is a form of wormhole attack. These attacks are also all easily defended against using either L2 or L3 authentication. Such an attack could only be made against a completely open network (such as might be used for provisioning new nodes) or by a compromised node.

7.3.2. Countering Overload Attacks

Overload attacks are a form of DoS attack in that a malicious node overloads the network with irrelevant traffic, thereby draining the nodes' energy store more quickly when the nodes rely on batteries or energy scavenging. Thus, it significantly shortens the lifetime of
Top   ToC   RFC7416 - Page 28
   networks of energy-constrained nodes and constitutes another serious
   availability attack.

   With energy being one of the most precious assets of LLNs, targeting
   its availability is a fairly obvious attack.  Another way of
   depleting the energy of an LLN node is to have the malicious node
   overload the network with irrelevant traffic.  This impacts
   availability since certain routes get congested, which:

   o  renders them useless for affected nodes; hence, data cannot be
      delivered;

   o  makes routes longer as the shortest path algorithms work with the
      congested network; and

   o  depletes battery and energy scavenging nodes more quickly and thus
      shortens the network's availability at large.

   Overload attacks can be countered by deploying a series of mutually
   non-exclusive security measures that:

   o  introduce quotas on the traffic rate each node is allowed to send;

   o  isolate nodes that send traffic above a certain threshold based on
      system operation characteristics; and

   o  allow only trusted data to be received and forwarded.

   As for the first one, a simple approach to minimize the harmful
   impact of an overload attack is to introduce traffic quotas.  This
   prevents a malicious node from injecting a large amount of traffic
   into the network, even though it does not prevent the said node from
   injecting irrelevant traffic at all.  Another method is to isolate
   nodes from the network at the network layer once it has been detected
   that more traffic is injected into the network than allowed by a
   prior set or dynamically adjusted threshold.  Finally, if
   communication is sufficiently secured, only trusted nodes can receive
   and forward traffic, which also lowers the risk of an overload
   attack.

   Receiving nodes that validate signatures and sending nodes that
   encrypt messages need to be cautious of cryptographic processing
   usage when validating signatures and encrypting messages.  Where
   feasible, certificates should be validated prior to use of the
   associated keys to counter potential resource overloading attacks.
   The associated design decision needs to also consider that the
   validation process requires resources; thus, it could be exploited
   for attacks.  Alternatively, resource management limits can be placed
Top   ToC   RFC7416 - Page 29
   on routing security processing events (see the comment in Section 6,
   paragraph 4, of [RFC5751]).

7.3.3. Countering Selective Forwarding Attacks

Selective forwarding attacks are a form of DoS attack that impacts the availability of the generated routing paths. A selective forwarding attack may be done by a node involved with the routing process, or it may be done by what otherwise appears to be a passive antenna or other RF feature or device, but is in fact an active (and selective) device. An RF antenna/repeater that is not selective is not a threat. An insider malicious node basically blends in neatly with the network but then may decide to forward and/or manipulate certain packets. If all packets are dropped, then this attacker is also often referred to as a "black hole". Such a form of attack is particularly dangerous if coupled with sinkhole attacks since inherently a large amount of traffic is attracted to the malicious node, thereby causing significant damage. In a shared medium, an outside malicious node would selectively jam overheard data flows, where the thus caused collisions incur selective forwarding. Selective forwarding attacks can be countered by deploying a series of mutually non-exclusive security measures: o Multipath routing of the same message over disjoint paths. o Dynamically selecting the next hop from a set of candidates. The first measure basically guarantees that if a message gets lost on a particular routing path due to a malicious selective forwarding attack, there will be another route that successfully delivers the data. Such a method is inherently suboptimal from an energy consumption point of view; it is also suboptimal from a network utilization perspective. The second method basically involves a constantly changing routing topology in that next-hop routers are chosen from a dynamic set in the hope that the number of malicious nodes in this set is negligible. A routing protocol that allows for disjoint routing paths may also be useful.

7.3.4. Countering Sinkhole Attacks

In sinkhole attacks, the malicious node manages to attract a lot of traffic mainly by advertising the availability of high-quality links even though there are none [Karlof2003]. Hence, it constitutes a serious attack on availability.
Top   ToC   RFC7416 - Page 30
   The malicious node creates a sinkhole by attracting a large amount
   of, if not all, traffic from surrounding neighbors by advertising in
   and outwards links of superior quality.  Hence, affected nodes
   eagerly route their traffic via the malicious node that, if coupled
   with other attacks such as selective forwarding, may lead to serious
   availability and security breaches.  Such an attack can only be
   executed by an inside malicious node and is generally very difficult
   to detect.  An ongoing attack has a profound impact on the network
   topology and essentially becomes a problem of flow control.

   Sinkhole attacks can be countered by deploying a series of mutually
   non-exclusive security measures to:

   o  use geographical insights for flow control;

   o  isolate nodes that receive traffic above a certain threshold;

   o  dynamically pick up the next hop from a set of candidates; and

   o  allow only trusted data to be received and forwarded.

   A canary node could periodically call home (using a cryptographic
   process) with the home system, noting if it fails to call in.  This
   provides detection of a problem, but does not mitigate it, and it may
   have significant energy consequences for the LLN.

   Some LLNs may provide for geolocation services, often derived from
   solving triangulation equations from radio delay calculation; such
   calculations could in theory be subverted by a sinkhole that
   transmitted at precisely the right power in a node-to-node fashion.

   While geographic knowledge could help assure that traffic always goes
   in the physical direction desired, it would not assure that the
   traffic is taking the most efficient route, as the lowest cost real
   route might match the physical topology, such as when different parts
   of an LLN are connected by high-speed wired networks.

7.3.5. Countering Wormhole Attacks

In wormhole attacks, at least two malicious nodes claim to have a short path between themselves [Karlof2003]. This changes the availability of certain routing paths and hence constitutes a serious security breach. Essentially, two malicious insider nodes use another, more powerful, transmitter to communicate with each other and thereby distort the would-be-agreed routing path. This distortion could involve shortcutting and hence paralyzing a large part of the network; it
Top   ToC   RFC7416 - Page 31
   could also involve tunneling the information to another region of the
   network where there are, e.g., more malicious nodes available to aid
   the intrusion or where messages are replayed, etc.

   In conjunction with selective forwarding, wormhole attacks can create
   race conditions that impact topology maintenance and routing
   protocols as well as any security suits built on "time of check" and
   "time of use".

   A pure wormhole attack is nearly impossible to detect.  A wormhole
   that is used in order to subsequently mount another kind of attack
   would be defeated by defeating the other attack.  A perfect wormhole,
   in which there is nothing adverse that occurs to the traffic, would
   be difficult to call an attack.  The worst thing that a benign
   wormhole can do in such a situation is to cease to operate (become
   unstable), causing the network to have to recalculate routes.

   A highly unstable wormhole is no different than a radio opaque (i.e.,
   metal) door that opens and closes a lot.  RPL includes hysteresis in
   its objective functions [RFC6719] in an attempt to deal with frequent
   changes to the ETX between nodes.

8. RPL Security Features

The assessments and analysis in Section 6 examined all areas of threats and attacks that could impact routing, and the countermeasures presented in Section 7 were reached without confining the consideration to means only available to routing. This section puts the results into perspective, dealing with those threats that are endemic to this field, that have been mitigated through RPL protocol design, and that require specific decisions to be made as part of provisioning a network. The first part of this section, Sections 8.1 to 8.3, presents a description of RPL security features that address specific threats. The second part of this section, Section 8.4, discusses issues of the provisioning of security aspects that may impact routing but that also require considerations beyond the routing protocol, as well as potential approaches. RPL employs multicast, so these alternative communications modes MUST be secured with the same routing security services specified in this section. Furthermore, irrespective of the modes of communication, nodes MUST provide adequate physical tamper resistance commensurate with the particular application-domain environment to ensure the confidentiality, integrity, and availability of stored routing information.
Top   ToC   RFC7416 - Page 32

8.1. Confidentiality Features

With regard to confidentiality, protecting the routing/topology information from unauthorized disclosure is not directly essential to maintaining the routing function. Breaches of confidentiality may lead to other attacks or the focusing of an attacker's resources (see Section 6.2) but does not of itself directly undermine the operation of the routing function. However, to protect against and reduce consequences from other more direct attacks, routing information should be protected. Thus, to secure RPL: o Implement payload encryption using L3 mechanisms described in [RFC6550] or o Implement L2 confidentiality Where confidentiality is incorporated into the routing exchanges, encryption algorithms and key lengths need to be specified in accordance with the level of protection dictated by the routing protocol and the associated application-domain transport network. For most networks, this means use of AES-128 in CCM mode, but this needs to be specified clearly in the applicability statement. In terms of the lifetime of the keys, the opportunity to periodically change the encryption key increases the offered level of security for any given implementation. However, where strong cryptography is employed, physical, procedural, and logical data access protection considerations may have a more significant impact on cryptoperiod selection than algorithm and key size factors. Nevertheless, in general, shorter cryptoperiods, during which a single key is applied, will enhance security. Given the mandatory protocol requirement to implement routing node authentication as part of routing integrity (see Section 8.2), key exchanges may be coordinated as part of the integrity verification process. This provides an opportunity to increase the frequency of key exchange and shorten the cryptoperiod as a complement to the key length and encryption algorithm required for a given application domain.

8.2. Integrity Features

The integrity of routing information provides the basis for ensuring that the function of the routing protocol is achieved and maintained. To protect integrity, RPL must run either using only the secure versions of the messages or over a L2 that uses channel binding between node identity and transmissions.
Top   ToC   RFC7416 - Page 33
   Some L2 security mechanisms use a single key for the entire network,
   and these networks cannot provide a significant amount of integrity
   protection, as any node that has that key may impersonate any other
   node.  This mode of operation is likely acceptable when an entire
   deployment is under the control of a single administrative entity.

   Other L2 security mechanisms form a unique session key for every pair
   of nodes that needs to communicate; this is often called a per-link
   key.  Such networks can provide a strong degree of origin
   authentication and integrity on unicast messages.

   However, some RPL messages are broadcast, and even when per-node L2
   security mechanisms are used, the integrity and origin authentication
   of broadcast messages cannot be as trusted due to the proliferation
   of the key used to secure them.

   RPL has two specific options that are broadcast in RPL Control
   Messages: the DIO and the DODAG Information Solicitation (DIS).  The
   purpose of the DIS is to cause potential parents to reply with a DIO,
   so the integrity of the DIS is not of great concern.  The DIS may
   also be unicast.

   The DIO is a critical piece of routing and carries many critical
   parameters.  RPL provides for asymmetric authentication at L3 of the
   RPL Control Message carrying the DIO, and this may be warranted in
   some deployments.  A node could, if it felt that the DIO that it had
   received was suspicious, send a unicast DIS message to the node in
   question, and that node would reply with a unicast DIS.  Those
   messages could be protected with the per-link key.

8.3. Availability Features

Availability of routing information is linked to system and network availability, which in the case of LLNs require a broader security view beyond the requirements of the routing entities. Where availability of the network is compromised, routing information availability will be accordingly affected. However, to specifically assist in protecting routing availability, nodes MAY: o restrict neighborhood cardinality; o use multiple paths; o use multiple destinations; o choose randomly if multiple paths are available; o set quotas to limit transmit or receive volume; and
Top   ToC   RFC7416 - Page 34
   o  use geographic information for flow control.

8.4. Key Management

The functioning of the routing security services requires keys and credentials. Therefore, even though it's not directly an RPL security requirement, an LLN MUST have a process for initial key and credential configuration, as well as secure storage within the associated devices. Anti-tampering SHOULD be a consideration in physical design. Beyond initial credential configuration, an LLN is also encouraged to have automatic procedures for the revocation and replacement of the maintained security credentials. While RPL has secure modes, some modes are impractical without the use of public key cryptography, which is believed to be too expensive by many. RPL L3 security will often depend upon existing LLN L2 security mechanisms, which provide for node authentication but little in the way of node authorization.

9. Security Considerations

The analysis presented in this document provides security analysis and design guidelines with a scope limited to RPL. Security services are identified as requirements for securing RPL. The specific mechanisms to be used to deal with each threat is specified in link- Land deployment-specific applicability statements.

10. References

10.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>. [RFC4107] Bellovin, S. and R. Housley, "Guidelines for Cryptographic Key Management", BCP 107, RFC 4107, June 2005, <http://www.rfc-editor.org/info/rfc4107>. [RFC6550] Winter, T., Thubert, P., Brandt, A., Hui, J., Kelsey, R., Levis, P., Pister, K., Struik, R., Vasseur, JP., and R. Alexander, "RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks", RFC 6550, March 2012, <http://www.rfc-editor.org/info/rfc6550>. [RFC6719] Gnawali, O. and P. Levis, "The Minimum Rank with Hysteresis Objective Function", RFC 6719, September 2012, <http://www.rfc-editor.org/info/rfc6719>.
Top   ToC   RFC7416 - Page 35
   [RFC7102]  Vasseur, JP., "Terms Used in Routing for Low-Power and
              Lossy Networks", RFC 7102, January 2014,
              <http://www.rfc-editor.org/info/rfc7102>.

   [ZigBeeIP] ZigBee Alliance, "ZigBee IP Specification", Public
              Document 15-002r00, March 2013.

10.2. Informative References

[AceCharterProposal] Li, Kepeng., Ed., "Draft Charter V0.9c - Authentication and Authorization for Constrained Environment Charter", Work in Progress, December 2013, <http://trac.tools.ietf.org/wg/core/trac/wiki/ ACE_charter>. [HELLO] Park, S., "Routing Security in Sensor Network: HELLO Flood Attack and Defense", Work in Progress, draft-suhopark- hello-wsn-00, December 2005. [IEEE.802.11] IEEE, "IEEE Standard for Information Technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications", IEEE Std 802.11-2012, March 2012, <http://standards.ieee.org/about/get/802/802.11.html>. [IEEE.802.15.4] IEEE, "IEEE Standard for Local and metropolitan area networks - Specific requirements - Part 15.4: Low-Rate Wireless Personal Area Networks (LR-WPANs)", IEEE Std 802.15.4-2011, September 2011, <http://standards.ieee.org/getieee802/802.15.html>. [ISO.7498-2.1989] International Organization for Standardization, "Information processing systems - Open Systems Interconnection -- Basic Reference Model - Part 2: Security Architecture", ISO Standard 7498-2, 1989.
Top   ToC   RFC7416 - Page 36
   [Karlof2003]
              Karlof, C. and D. Wagner, "Secure Routing in Wireless
              Sensor Networks: Attacks and Countermeasures", Elsevier Ad
              Hoc Networks Journal, Special Issue on Sensor Network
              Applications and Protocols, 1(2):293-315, September 2003,
              <http://nest.cs.berkeley.edu/papers/
              sensor-route-security.pdf>.

   [MESH-LINK]
              Kelsey, R., "Mesh Link Establishment", Work in Progress,
              draft-kelsey-intarea-mesh-link-establishment-06, May 2014.

   [Myagmar2005]
              Myagmar, S., Lee, AJ., and W. Yurcik, "Threat Modeling as
              a Basis for Security Requirements", in Proceedings of the
              Symposium on Requirements Engineering for Information
              Security (SREIS'05), Paris, France pp. 94-102, August
              2005.

   [Perlman1988]
              Perlman, R., "Network Layer Protocols with Byzantine
              Robustness", MIT LCS Tech Report, 429, August 1988.

   [RFC2328]  Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998,
              <http://www.rfc-editor.org/info/rfc2328>.

   [RFC3067]  Arvidsson, J., Cormack, A., Demchenko, Y., and J. Meijer,
              "TERENA'S Incident Object Description and Exchange Format
              Requirements", RFC 3067, February 2001,
              <http://www.rfc-editor.org/info/rfc3067>.

   [RFC3610]  Whiting, D., Housley, R., and N. Ferguson, "Counter with
              CBC-MAC (CCM)", RFC 3610, September 2003,
              <http://www.rfc-editor.org/info/rfc3610>.

   [RFC4593]  Barbir, A., Murphy, S., and Y. Yang, "Generic Threats to
              Routing Protocols", RFC 4593, October 2006,
              <http://www.rfc-editor.org/info/rfc4593>.

   [RFC4732]  Handley, M., Rescorla, E., and IAB, "Internet Denial-of-
              Service Considerations", RFC 4732, December 2006,
              <http://www.rfc-editor.org/info/rfc4732>.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2", RFC
              4949, August 2007,
              <http://www.rfc-editor.org/info/rfc4949>.
Top   ToC   RFC7416 - Page 37
   [RFC5191]  Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H., and A.
              Yegin, "Protocol for Carrying Authentication for Network
              Access (PANA)", RFC 5191, May 2008,
              <http://www.rfc-editor.org/info/rfc5191>.

   [RFC5216]  Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS
              Authentication Protocol", RFC 5216, March 2008,
              <http://www.rfc-editor.org/info/rfc5216>.

   [RFC5548]  Dohler, M., Watteyne, T., Winter, T., and D. Barthel,
              "Routing Requirements for Urban Low-Power and Lossy
              Networks", RFC 5548, May 2009,
              <http://www.rfc-editor.org/info/rfc5548>.

   [RFC5673]  Pister, K., Thubert, P., Dwars, S., and T. Phinney,
              "Industrial Routing Requirements in Low-Power and Lossy
              Networks", RFC 5673, October 2009,
              <http://www.rfc-editor.org/info/rfc5673>.

   [RFC5751]  Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet
              Mail Extensions (S/MIME) Version 3.2 Message
              Specification", RFC 5751, January 2010,
              <http://www.rfc-editor.org/info/rfc5751>.

   [RFC5826]  Brandt, A., Buron, J., and G. Porcu, "Home Automation
              Routing Requirements in Low-Power and Lossy Networks", RFC
              5826, April 2010,
              <http://www.rfc-editor.org/info/rfc5826>.

   [RFC5867]  Martocci, J., De Mil, P., Riou, N., and W. Vermeylen,
              "Building Automation Routing Requirements in Low-Power and
              Lossy Networks", RFC 5867, June 2010,
              <http://www.rfc-editor.org/info/rfc5867>.

   [RFC6192]  Dugal, D., Pignataro, C., and R. Dunn, "Protecting the
              Router Control Plane", RFC 6192, March 2011,
              <http://www.rfc-editor.org/info/rfc6192>.

   [RFC6574]  Tschofenig, H. and J. Arkko, "Report from the Smart Object
              Workshop", RFC 6574, April 2012,
              <http://www.rfc-editor.org/info/rfc6574>.

   [RFC6824]  Ford, A., Raiciu, C., Handley, M., and O. Bonaventure,
              "TCP Extensions for Multipath Operation with Multiple
              Addresses", RFC 6824, January 2013,
              <http://www.rfc-editor.org/info/rfc6824>.
Top   ToC   RFC7416 - Page 38
   [RFC7142]  Shand, M. and L. Ginsberg, "Reclassification of RFC 1142
              to Historic", RFC 7142, February 2014,
              <http://www.rfc-editor.org/info/rfc7142>.

   [RFC7397]  Gilger, J. and H. Tschofenig, "Report from the Smart
              Object Security Workshop", RFC 7397, November 2014,
              <http://www.rfc-editor.org/info/rfc7397>.

   [SmartObjectSecurityWorkshop]
              Klausen, T., Ed., "Workshop on Smart Object Security",
              March 2012, <http://www.lix.polytechnique.fr/hipercom/
              SmartObjectSecurity>.

   [SolaceProposal]
              Bormann, C., Ed., "Notes from the SOLACE ad hoc at IETF
              85", November 2012, <http://www.ietf.org/
              mail-archive/web/solace/current/msg00015.html>.

   [Sybil2002]
              Douceur, J., "The Sybil Attack", First International
              Workshop on Peer-to-Peer Systems, March 2002.

   [Wan2004]  Wan, T., Kranakis, E., and PC. van Oorschot, "S-RIP: A
              Secure Distance Vector Routing Protocol", in Proceedings
              of the 2nd International Conference on Applied
              Cryptography and Network Security, pp. 103-119, June 2004.

   [Yourdon1979]
              Yourdon, E. and L. Constantine, "Structured Design:
              Fundamentals of a Discipline of Computer Program and
              Systems Design", Yourdon Press, New York, Chapter 10, pp.
              187-222, 1979.
Top   ToC   RFC7416 - Page 39

Acknowledgments

The authors would like to acknowledge the review and comments from Rene Struik and JP Vasseur. The authors would also like to acknowledge the guidance and input provided by the ROLL Chairs, David Culler and JP Vasseur, and Area Director Adrian Farrel. This document started out as a combined threat and solutions document. As a result of a series of security reviews performed by Steve Kent, the document was split up by ROLL Co-Chair Michael Richardson and Security Area Director Sean Turner as it went through the IETF publication process. The solutions to the threats are application and L2 specific and have, therefore, been moved to the relevant applicability statements. Ines Robles and Robert Cragie kept track of the many issues that were raised during the development of this document.
Top   ToC   RFC7416 - Page 40

Authors' Addresses

Tzeta Tsao Eaton's Cooper Power Systems Business 910 Clopper Rd., Suite 201S Gaithersburg, Maryland 20878 United States EMail: tzetatsao@eaton.com Roger K. Alexander Eaton's Cooper Power Systems Business 910 Clopper Rd., Suite 201S Gaithersburg, Maryland 20878 United States EMail: rogeralexander@eaton.com Mischa Dohler CTTC Parc Mediterrani de la Tecnologia, Av. Canal Olimpic S/N Castelldefels, Barcelona 08860 Spain EMail: mischa.dohler@kcl.ac.uk Vanesa Daza Universitat Pompeu Fabra P/ Circumval.lacio 8, Oficina 308 Barcelona 08003 Spain EMail: vanesa.daza@upf.edu Angel Lozano Universitat Pompeu Fabra P/ Circumval.lacio 8, Oficina 309 Barcelona 08003 Spain EMail: angel.lozano@upf.edu Michael Richardson (editor) Sandelman Software Works 470 Dawson Avenue Ottawa, ON K1Z5V7 Canada EMail: mcr+ietf@sandelman.ca