Internet Engineering Task Force (IETF) T. Tsao Request for Comments: 7416 R. Alexander Category: Informational Eaton's Cooper Power Systems Business ISSN: 2070-1721 M. Dohler CTTC V. Daza A. Lozano Universitat Pompeu Fabra M. Richardson, Ed. Sandelman Software Works January 2015 A Security Threat Analysis for the Routing Protocol for Low-Power and Lossy Networks (RPLs)
AbstractThis document presents a security threat analysis for the Routing Protocol for Low-Power and Lossy Networks (RPLs). The development builds upon previous work on routing security and adapts the assessments to the issues and constraints specific to low-power and lossy networks. A systematic approach is used in defining and evaluating the security threats. Applicable countermeasures are application specific and are addressed in relevant applicability statements. Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7416.
Copyright Notice Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Relationship to Other Documents . . . . . . . . . . . . . . . 4 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 4. Considerations on RPL Security . . . . . . . . . . . . . . . 5 4.1. Routing Assets and Points of Access . . . . . . . . . . . 6 4.2. The ISO 7498-2 Security Reference Model . . . . . . . . . 8 4.3. Issues Specific to or Amplified in LLNs . . . . . . . . . 10 4.4. RPL Security Objectives . . . . . . . . . . . . . . . . . 12 5. Threat Sources . . . . . . . . . . . . . . . . . . . . . . . 13 6. Threats and Attacks . . . . . . . . . . . . . . . . . . . . . 13 6.1. Threats Due to Failures to Authenticate . . . . . . . . . 14 6.1.1. Node Impersonation . . . . . . . . . . . . . . . . . 14 6.1.2. Dummy Node . . . . . . . . . . . . . . . . . . . . . 14 6.1.3. Node Resource Spam . . . . . . . . . . . . . . . . . 15 6.2. Threats Due to Failure to Keep Routing Information Confidential . . . . . . . . . . . . . . . . . . . . . . 15 6.2.1. Routing Exchange Exposure . . . . . . . . . . . . . . 15 6.2.2. Routing Information (Routes and Network Topology) Exposure . . . . . . . . . . . . . . . . . . . . . . 15 6.3. Threats and Attacks on Integrity . . . . . . . . . . . . 16 6.3.1. Routing Information Manipulation . . . . . . . . . . 16 6.3.2. Node Identity Misappropriation . . . . . . . . . . . 17 6.4. Threats and Attacks on Availability . . . . . . . . . . . 18 6.4.1. Routing Exchange Interference or Disruption . . . . . 18 6.4.2. Network Traffic Forwarding Disruption . . . . . . . . 18 6.4.3. Communications Resource Disruption . . . . . . . . . 20 6.4.4. Node Resource Exhaustion . . . . . . . . . . . . . . 20
7. Countermeasures . . . . . . . . . . . . . . . . . . . . . . . 21 7.1. Confidentiality Attack Countermeasures . . . . . . . . . 21 7.1.1. Countering Deliberate Exposure Attacks . . . . . . . 21 7.1.2. Countering Passive Wiretapping Attacks . . . . . . . 22 7.1.3. Countering Traffic Analysis . . . . . . . . . . . . . 22 7.1.4. Countering Remote Device Access Attacks . . . . . . . 23 7.2. Integrity Attack Countermeasures . . . . . . . . . . . . 24 7.2.1. Countering Unauthorized Modification Attacks . . . . 24 7.2.2. Countering Overclaiming and Misclaiming Attacks . . . 24 7.2.3. Countering Identity (including Sybil) Attacks . . . . 25 7.2.4. Countering Routing Information Replay Attacks . . . . 25 7.2.5. Countering Byzantine Routing Information Attacks . . 26 7.3. Availability Attack Countermeasures . . . . . . . . . . . 26 7.3.1. Countering HELLO Flood Attacks and ACK Spoofing Attacks . . . . . . . . . . . . . . . . . . . . . . . 27 7.3.2. Countering Overload Attacks . . . . . . . . . . . . . 27 7.3.3. Countering Selective Forwarding Attacks . . . . . . . 29 7.3.4. Countering Sinkhole Attacks . . . . . . . . . . . . . 29 7.3.5. Countering Wormhole Attacks . . . . . . . . . . . . . 30 8. RPL Security Features . . . . . . . . . . . . . . . . . . . . 31 8.1. Confidentiality Features . . . . . . . . . . . . . . . . 32 8.2. Integrity Features . . . . . . . . . . . . . . . . . . . 32 8.3. Availability Features . . . . . . . . . . . . . . . . . . 33 8.4. Key Management . . . . . . . . . . . . . . . . . . . . . 34 9. Security Considerations . . . . . . . . . . . . . . . . . . . 34 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 34 10.1. Normative References . . . . . . . . . . . . . . . . . . 34 10.2. Informative References . . . . . . . . . . . . . . . . . 35 Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . 39 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 40
This document presents a threat analysis for securing the Routing Protocol for LLNs (RPL). The process requires two steps. First, the analysis will be used to identify pertinent security issues. The second step is to identify necessary countermeasures to secure RPL. As there are multiple ways to solve the problem and the specific trade-offs are deployment specific, the specific countermeasure to be used is detailed in applicability statements. This document uses a model based on [ISO.7498-2.1989], which describes authentication, access control, data confidentiality, data integrity, and non-repudiation security services. This document expands the model to include the concept of availability. As explained below, non-repudiation does not apply to routing protocols. Many of the issues in this document were also covered in the IAB Smart Object Workshop [RFC6574] and the IAB Smart Object Security Workshop [RFC7397]. This document concerns itself with securing the control-plane traffic. As such, it does not address authorization or authentication of application traffic. RPL uses multicast as part of its protocol; therefore, mechanisms that RPL uses to secure this traffic might also be applicable to the Multicast Protocol for Low- Power and Lossy Networks (MPL) control traffic as well: the important part is that the threats are similar. RFC6550]. A number of applicability texts describe a subset of these protocols and the conditions that make the subset the correct choice. The text recommends and motivates the accompanying parameter value ranges. Multiple applicability domains are recognized, including Building and Home and Advanced Metering Infrastructure. The applicability domains distinguish themselves in the way they are operated, by their performance requirements, and by the most probable network structures. Each applicability statement identifies the distinguishing properties according to a common set of subjects described in as many sections. The common set of security threats herein are referred to by the applicability statements, and that series of documents describes the preferred security settings and solutions within the applicability statement conditions. This applicability statement may recommend more lightweight security solutions and specify the conditions under which these solutions are appropriate.
RFC6550], [RFC4949], and [RFC7102]. The terms "control plane" and "forwarding plane" are used in a manner consistent with Section 1 of [RFC6192]. The term "Destination-Oriented DAG (DODAG)" is from [RFC6550]. Extensible Authentication Protocol - Transport Layer Security (EAP-TLS) is defined in [RFC5216]. The Protocol for Carrying Authentication for Network Access (PANA) is defined in [RFC5191]. Counter with CBC-MAC (CCM) mode is defined in [RFC3610]. The term "sleepy node", introduced in [RFC7102], refers to a node that may sometimes go into a low-power state, suspending protocol communications. The terms Service Set Identifier (SSID), Extended Service Set Identifier (ESSID), and Personal Area Network (PAN) refer to network identifiers, defined in [IEEE.802.11] and [IEEE.802.15.4]. Although this is not a protocol specification, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] in order to clarify and emphasize the guidance and directions to implementers and deployers of LLN nodes that utilize RPL. RFC4949] that may be the target of the state changes and the
access points in terms of interfaces and protocol exchanges through which such changes may occur. In the case of routing security, the focus is directed towards the elements associated with the establishment and maintenance of network connectivity. This section sets the stage for the development of the analysis by applying the systematic approach proposed in [Myagmar2005] to the routing security, while also drawing references from other reviews and assessments found in the literature, particularly [RFC4593] and [Karlof2003] (i.e., selective forwarding, wormhole, and sinkhole attacks). The subsequent subsections begin with a focus on the elements of a generic routing process that is used to establish routing assets and points of access to the routing functionality. Next, the security model based on [ISO.7498-2.1989] is briefly described. Then, consideration is given to issues specific to or amplified in LLNs. This section concludes with the formulation of a set of security objectives for RPL. Yourdon1979] is used here to identify the assets and points of access within a generic routing process. The use of a data flow diagram allows for a clear and concise model of the way in which routing nodes interact and process information; hence, it provides a context for threats and attacks. The goal of the model is to be as detailed as possible so that corresponding assets, points of access, and processes in an individual routing protocol can be readily identified. Figure 1 shows that nodes participating in the routing process transmit messages to discover neighbors and to exchange routing information; routes are then generated and stored, which may be maintained in the form of the protocol forwarding table. The nodes use the derived routes for making forwarding decisions.
................................................... : : : : |Node_i|<------->(Routing Neighbor _________________ : : Discovery)------------>Neighbor Topology : : -------+--------- : : | : |Node_j|<------->(Route/Topology +--------+ : : Exchange) | : : | V ______ : : +---->(Route Generation)--->Routes : : ---+-- : : | : : Routing on Node_k | : ................................................... | |Forwarding | |on Node_l|<-------------------------------------------+ Notation: (Proc) A process Proc ________ topology A structure storing neighbor adjacency (parent/child) -------- ________ routes A structure storing the forwarding information base (FIB) -------- |Node_n| An external entity Node_n -------> Data flow Figure 1: Data Flow Diagram of a Generic Routing Process Figure 1 shows the following: o Assets include * routing and/or topology information; * route generation process; * communication channel resources (bandwidth);
* node resources (computing capacity, memory, and remaining energy); and * node identifiers (including node identity and ascribed attributes such as relative or absolute node location). o Points of access include * neighbor discovery; * route/topology exchange; and * node physical interfaces (including access to data storage). A focus on the above list of assets and points of access enables a more directed assessment of routing security; for example, it is readily understood that some routing attacks are in the form of attempts to misrepresent routing topology. Indeed, the intention of the security threat analysis is to be comprehensive. Hence, some of the discussion that follows is associated with assets and points of access that are not directly related to routing protocol design but are nonetheless provided for reference since they do have direct consequences on the security of routing. RFC5548]. Availability of open and untrusted side channels for new joiners is required by [RFC5673], and strong and automated authentication is required so that networks can automatically accept or reject new joiners. Access Control Access Control provides protection against unauthorized use of the asset and deals with the authorization of a node.
Confidentiality Confidentiality involves the protection of routing information as well as routing neighbor maintenance exchanges so that only authorized and intended network entities may view or access it. Because LLNs are most commonly found on a publicly accessible shared medium, e.g., air or wiring in a building, and are sometimes formed ad hoc, confidentiality also extends to the neighbor state and database information within the routing device since the deployment of the network creates the potential for unauthorized access to the physical devices themselves. Integrity Integrity entails the protection of routing information and routing neighbor maintenance exchanges, as well as derived information maintained in the database, from unauthorized modifications, insertions, deletions, or replays to be addressed beyond the routing protocol. Non-repudiation Non-repudiation is the assurance that the transmission and/or reception of a message cannot later be denied. The service of non-repudiation applies after the fact; thus, it relies on the logging or other capture of ongoing message exchanges and signatures. Routing protocols typically do not have a notion of repudiation, so non-repudiation services are not required. Further, with the LLN application domains as described in [RFC5867] and [RFC5548], proactive measures are much more critical than retrospective protections. Finally, given the significant practical limits to ongoing routing transaction logging and storage and individual device digital signature verification for each exchange, non-repudiation in the context of routing is an unsupportable burden that bears no further consideration as an RPL security issue. It is recognized that, besides those security issues captured in the ISO 7498-2 model, availability is a security requirement: Availability Availability ensures that routing information exchanges and forwarding services are available when they are required for the functioning of the serving network. Availability will apply to maintaining efficient and correct operation of routing and neighbor discovery exchanges (including needed information) and forwarding services so as not to impair or limit the network's central traffic flow function.
It should be emphasized here that for RPL security, the above requirements must be complemented by the proper security policies and enforcement mechanisms to ensure that security objectives are met by a given RPL implementation. RFC5548], Industrial Requirements [RFC5673], Home Automation [RFC5826], and Building Automation [RFC5867] have identified specific issues and constraints of routing in LLNs. The following is a list of observations from those requirements and evaluations of their impact on routing security considerations. Limited energy, memory, and processing node resources As a consequence of these constraints, the need to evaluate the kinds of security that can be provided needs careful study. For instance, security provided at one level could be very memory efficient yet might also be very energy costly for the network (as a whole) if it requires significant effort to synchronize the security state. Synchronization of security states with sleepy nodes [RFC7102] is a complex issue. A non- rechargeable battery-powered node may well be limited in energy for it's lifetime: once exhausted, it may well never function again. Large scale of rolled out network The possibly numerous nodes to be deployed make manual on-site configuration unlikely. For example, an urban deployment can see several hundreds of thousands of nodes being installed by many installers with a low level of expertise. Nodes may be installed and not activated for many years, and additional nodes may be added later on, which may be from old inventory. The lifetime of the network is measured in decades, and this complicates the operation of key management. Autonomous operations Self-forming and self-organizing are commonly prescribed requirements of LLNs. In other words, a routing protocol designed for LLNs needs to contain elements of ad hoc networking and, in most cases, cannot rely on manual configuration for initialization or local filtering rules. Network topology/ownership changes, partitioning or merging, and node replacement can all contribute to complicating the operations of key management.
Highly directional traffic Some types of LLNs see a high percentage of their total traffic traverse between the nodes and the LLN Border Routers (LBRs) where the LLNs connect to non-LLNs. The special routing status of and the greater volume of traffic near the LBRs have routing security consequences as a higher-valued attack target. In fact, when Point-to-MultiPoint (P2MP) and MultiPoint-to-Point (MP2P) traffic represents a majority of the traffic, routing attacks consisting of advertising incorrect preferred routes can cause serious damage. While it might seem that nodes higher up in the acyclic graph (i.e., those with lower rank) should be secured in a stronger fashion, it is not, in general, easy to predict which nodes will occupy those positions until after deployment. Issues of redundancy and inventory control suggest that any node might wind up in such a sensitive attack position, so all nodes are to be capable of being fully secured. In addition, even if it were possible to predict which nodes will occupy positions of lower rank and provision them with stronger security mechanisms, in the absence of a strong authorization model, any node could advertise an incorrect preferred route. Unattended locations and limited physical security In many applications, the nodes are deployed in unattended or remote locations; furthermore, the nodes themselves are often built with minimal physical protection. These constraints lower the barrier of accessing the data or security material stored on the nodes through physical means. Support for mobility On the one hand, only a limited number of applications require the support of mobile nodes, e.g., a home LLN that includes nodes on wearable health care devices or an industry LLN that includes nodes on cranes and vehicles. On the other hand, if a routing protocol is indeed used in such applications, it will clearly need to have corresponding security mechanisms. Additionally, nodes may appear to move from one side of a wall to another without any actual motion involved, which is the result of changes to electromagnetic properties, such as the opening and closing of a metal door.
Support for multicast and anycast Support for multicast and anycast is called out chiefly for large-scale networks. Since application of these routing mechanisms in autonomous operations of many nodes is new, the consequence on security requires careful consideration. The above list considers how an LLN's physical constraints, size, operations, and variety of application areas may impact security. However, it is the combinations of these factors that particularly stress the security concerns. For instance, securing routing for a large number of autonomous devices that are left in unattended locations with limited physical security presents challenges that are not found in the common circumstance of administered networked routers. The following subsection sets up the security objectives for the routing protocol designed by the ROLL WG.
One of the main problems of synchronizing security states of sleepy nodes, as listed in the last subsection, lies in difficulties in authentication; these nodes may not have received the most recent update of security material in time. Similarly, the issues of minimal manual configuration, prolonged rollout and delayed addition of nodes, and network topology changes also complicate key management. Hence, routing in LLNs needs to bootstrap the authentication process and allow for a flexible expiration scheme of authentication credentials. The vulnerability brought forth by some special-function nodes, e.g., LBRs, requires the assurance, particularly in a security context, of the following: o The availability of communication channels and node resources. o The neighbor discovery process operates without undermining routing availability. There are other factors that are not part of RPL but directly affect its function. These factors include a weaker barrier of accessing the data or security material stored on the nodes through physical means; therefore, the internal and external interfaces of a node need to be adequate for guarding the integrity, and possibly the confidentiality, of stored information, as well as the integrity of routing and route generation processes. Each individual system's use and environment will dictate how the above objectives are applied, including the choices of security services as well as the strengths of the mechanisms that must be implemented. The next two sections take a closer look at how the RPL security objectives may be compromised and how those potential compromises can be countered. RFC4593] provides a detailed review of the threat sources: outsiders and Byzantine. RPL has the same threat sources. RFC4949], a threat is "a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm."
Per [RFC3067], an attack is "an assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system." The subsequent subsections consider the threats and the attacks that can cause security breaches under the ISO 7498-2 model to the routing assets and via the routing points of access identified in Section 4.1. The assessment reviews the security concerns of each routing asset and looks at the attacks that can exploit routing points of access. The threats and attacks identified are based on the routing model analysis and associated review of the existing literature. The source of the attacks is assumed to be from either inside or outside attackers. While some attackers inside the network will be using compromised nodes and, therefore, are only able to do what an ordinary node can ("node-equivalent"), other attacks may not be limited in memory, CPU, power consumption, or long-term storage. Moore's law favors the attacker with access to the latest capabilities, while the defenders will remain in place for years to decades.
Section 4.2 indicates that there are attacks against the confidentiality of routing information at all points of access. This threat may result in disclosure, as described in Section 3.1.2 of [RFC4593], and may involve a disclosure of routing information. Section 4.1, the associated routing information assets may also include device- specific resource information, such as available memory, remaining power, etc., that may be metrics of the routing protocol. The routing exchanges will contain reachability information, which would identify the relative importance of different nodes in the network. Nodes higher up in the DODAG, to which more streams of information flow, would be more interesting targets for other attacks, and routing exchange exposures could identify them.
The forms of attack that allow unauthorized access or disclosure of the routing information will include: o Physical device compromise. o Remote device access attacks (including those occurring through remote network management or software/field upgrade interfaces). Both of these attack vectors are considered a device-specific issue and are out of scope for RPL to defend against. In some applications, physical device compromise may be a real threat, and it may be necessary to provide for other devices to securely detect a compromised device and react quickly to exclude it. Section 4.2 indicates that information and identity assets are exposed to integrity threats from all points of access. In other words, the integrity threat space is defined by the potential for exploitation introduced by access to assets available through routing exchanges and the on-device storage.
The forms of attack that allow manipulation to compromise the content and validity of routing information include: o falsification, including overclaiming and misclaiming (claiming routes to devices that the device cannot in fact reach); o routing information replay; o Byzantine (internal) attacks that permit corruption of routing information in the node even when the node continues to be a validated entity within the network (see, for example, [RFC4593] for further discussions on Byzantine attacks); and o physical device compromise or remote device access attacks. Sybil2002]) in which a malicious node illegitimately assumes multiple identities. o Routing information replay.
Section 4.2 indicates that the process and resource assets are exposed to threats against availability; attacks in this category may exploit directly or indirectly information exchange or forwarding (see [RFC4732] for a general discussion). Section 7.3.2). In addition, attacks may also be directly conducted at the physical layer in the form of jamming or interfering.
In addition to physical-layer obstructions, the forms of attack that allow disruption of network traffic forwarding include [Karlof2003]: o selective forwarding attacks; |Node_1|--(msg1|msg2|msg3)-->|Attacker|--(msg1|msg3)-->|Node_2| Figure 2: Selective Forwarding Example o wormhole attacks; and |Node_1|-------------Unreachable---------x|Node_2| | ^ | Private Link | '-->|Attacker_1|===========>|Attacker_2|--' Figure 3: Wormhole Attacks o sinkhole attacks. |Node_1| |Node_4| | | `--------. | Falsify as \ | Good Link \ | | to Node_5 \ | | \ V V |Node_2|-->|Attacker|--Not Forwarded---x|Node_5| ^ ^ \ | | \ Falsify as | | \Good Link / | to Node_5 ,-------' | | | |Node_3| |Node_i| Figure 4: Sinkhole Attack Example These attacks are generally done to both control- and forwarding- plane traffic. A system that prevents control-plane traffic (RPL messages) from being diverted in these ways will also prevent actual data from being diverted.
Sybil2002]); o routing information replay attacks; o HELLO-type flood attacks; and o overload attacks (Section 7.3.2).