One document matched: draft-ietf-roll-security-threats-09.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!-- This template is for creating an Internet Draft using xml2rfc, which is available here: http://xml.resource.org. -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!-- One method to get references from the online citation libraries.
There has to be one entity for each item to be referenced.
An alternate method (rfc include) is described in the references. -->
<!ENTITY RFC1142 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.1142.xml">
<!ENTITY RFC2328 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2328.xml">
<!ENTITY RFC2453 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2453.xml">
<!ENTITY RFC3029 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3029.xml">
<!ENTITY RFC3610 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3610.xml">
<!ENTITY RFC3830 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3830.xml">
<!ENTITY RFC4046 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4046.xml">
<!ENTITY RFC5340 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5340.xml">
<!ENTITY RFC5673 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5673.xml">
<!ENTITY RFC4301 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4301.xml">
<!ENTITY RFC4949 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4949.xml">
<!ENTITY RFC3654 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3654.xml">
<!ENTITY RFC4593 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4593.xml">
<!ENTITY RFC4732 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4732.xml">
<!ENTITY RFC4822 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4822.xml">
<!ENTITY RFC4107 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4107.xml">
<!ENTITY RFC5548 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5548.xml">
<!ENTITY RFC5751 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5751.xml">
<!ENTITY RFC5826 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5826.xml">
<!ENTITY RFC5867 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5867.xml">
<!ENTITY RFC6192 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6192.xml">
<!ENTITY RFC6550 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6550.xml">
<!ENTITY RFC6553 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6553.xml">
<!ENTITY RFC6554 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6554.xml">
<!ENTITY RFC6574 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6574.xml">
<!ENTITY RFC6719 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6719.xml">
<!ENTITY RFC6824 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.6824.xml">
<!ENTITY I-D.suhopark-hello-wsn SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-suhopark-hello-wsn-00.xml">
<!ENTITY I-D.kelsey-intarea-mesh-link-establishment SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.kelsey-intarea-mesh-link-establishment.xml">
<!ENTITY I-D.ietf-rpsec-ospf-vuln SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-rpsec-ospf-vuln-02.xml">
<!ENTITY ISO.7498-2.1988 SYSTEM "http://xml.resource.org/public/rfc/bibxml-misc/reference.ISO.7498-2.1988.xml">
<!ENTITY ZigBeeIP SYSTEM "http://www.sandelman.ca/rfc/xml/reference.ZigBeeIP.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs), please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use. (Here they are set differently than their defaults in xml2rfc v1.32) -->
<?rfc strict="yes" ?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<?rfc autobreaks="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space (using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->
<rfc category="info" docName="draft-ietf-roll-security-threats-09"
ipr="trust200902">
<!-- category values: std, bcp, info, exp, and historic ipr values: full3667, noModification3667, noDerivatives3667 you can add the attributes updates="NNNN" and obsoletes="NNNN" hey will automatically be output with "(if approved)" -->
<!-- ***** FRONT MATTER ***** -->
<front>
<!-- The abbreviated title is used in the page header - it is only necessary if the full title is longer than 39 characters -->
<title abbrev="Security Threat Analysis for ROLL RPL">A Security Threat
Analysis for Routing Protocol for Low-power and lossy networks
(RPL)</title>
<!-- add 'role="editor"' below for the editors if appropriate -->
<!-- Another author who claims to be an editor -->
<author fullname="Tzeta Tsao" initials="T." surname="Tsao">
<organization>Cooper Power Systems</organization>
<address>
<postal>
<street>910 Clopper Rd. Suite 201S</street>
<!-- Reorder these if your country does things differently -->
<city>Gaithersburg</city>
<region>Maryland</region>
<code>20878</code>
<country>USA</country>
</postal>
<email>tzeta.tsao@cooperindustries.com</email>
<!-- uri and facsimile elements may also be added -->
</address>
</author>
<author fullname="Roger K. Alexander" initials="R.K." surname="Alexander">
<organization>Cooper Power Systems</organization>
<address>
<postal>
<street>910 Clopper Rd. Suite 201S</street>
<!-- Reorder these if your country does things differently -->
<city>Gaithersburg</city>
<region>Maryland</region>
<code>20878</code>
<country>USA</country>
</postal>
<email>roger.alexander@cooperindustries.com</email>
<!-- uri and facsimile elements may also be added -->
</address>
</author>
<author fullname="Mischa Dohler" initials="M." surname="Dohler">
<organization>CTTC</organization>
<address>
<postal>
<street>Parc Mediterrani de la Tecnologia, Av. Canal Olimpic
S/N</street>
<!-- Reorder these if your country does things differently -->
<code>08860</code>
<city>Castelldefels</city>
<region>Barcelona</region>
<country>Spain</country>
</postal>
<email>mischa.dohler@cttc.es</email>
<!-- uri and facsimile elements may also be added -->
</address>
</author>
<author fullname="Vanesa Daza" initials="V." surname="Daza">
<organization>Universitat Pompeu Fabra</organization>
<address>
<postal>
<street>P/ Circumval.lacio 8, Oficina 308</street>
<!-- Reorder these if your country does things differently -->
<code>08003</code>
<region>Barcelona</region>
<country>Spain</country>
</postal>
<email>vanesa.daza@upf.edu</email>
<!-- uri and facsimile elements may also be added -->
</address>
</author>
<author fullname="Angel Lozano" initials="A." surname="Lozano">
<organization>Universitat Pompeu Fabra</organization>
<address>
<postal>
<street>P/ Circumval.lacio 8, Oficina 309</street>
<!-- Reorder these if your country does things differently -->
<code>08003</code>
<region>Barcelona</region>
<country>Spain</country>
</postal>
<email>angel.lozano@upf.edu</email>
<!-- uri and facsimile elements may also be added -->
</address>
</author>
<author fullname="Michael Richardson (ed)" initials="M." role="editor"
surname="Richardson">
<organization>Sandelman Software Works</organization>
<address>
<postal>
<street>470 Dawson Avenue</street>
<city>Ottawa</city>
<region>ON</region>
<code>K1Z5V7</code>
<country>Canada</country>
</postal>
<email>mcr+ietf@sandelman.ca</email>
</address>
</author>
<date year="2014"/>
<!-- If the month and year are both specified and are the current ones, xml2rfc will fill in the current day for you. If only the current year is specified, xml2rfc will fill in the current day and month for you. If the year is not the current one, it is necessary to specify at least a month (xml2rfc assumes day="1" if not specified for the purpose of calculating the expiry date). With drafts it is normally sufficient to specify just the year. -->
<!-- Meta-data Declarations -->
<area>Routing</area>
<workgroup>Routing Over Low-Power and Lossy Networks</workgroup>
<!-- WG name at the upperleft corner of the doc, IETF is fine for individual submissions. If this element is not present, the default is "Network Working Group", which is used by the RFC Editor as a nod to the history of the IETF. -->
<keyword>LLN, ROLL, security</keyword>
<!-- Keywords will be incorporated into HTML output files in a meta tag but they have no effect on text or nroff output. If you submit your draft to the RFC Editor, the keywords will be used for the search engine. -->
<abstract>
<t>This document presents a security threat analysis for the Routing
Protocol for Low-power and lossy networks (RPL, ROLL). The development
builds upon previous work on routing security and adapts the assessments
to the issues and constraints specific to low-power and lossy networks.
A systematic approach is used in defining and evaluating the security
threats. Applicable countermeasures are application specific and are
addressed in relevant applicability statements.</t>
</abstract>
</front>
<middle>
<section anchor="intro" title="Introduction">
<t>In recent times, networked electronic devices have found an
increasing number of applications in various fields. Yet, for reasons
ranging from operational application to economics, these wired and
wireless devices are often supplied with minimum physical resources; the
constraints include those on computational resources (RAM, clock speed,
storage), communication resources (duty cycle, packet size, etc.), but
also form factors that may rule out user access interfaces (e.g., the
housing of a small stick-on switch), or simply safety considerations
(e.g., with gas meters). As a consequence, the resulting networks are
more prone to loss of traffic and other vulnerabilities. The
proliferation of these low-power and lossy networks (LLNs), however, are
drawing efforts to examine and address their potential networking
challenges. Securing the establishment and maintenance of network
connectivity among these deployed devices becomes one of these key
challenges.</t>
<t>This document presents a threat analysis for securing the Routing
Protocol for LLNs (RPL). The process requires two steps. First, the
analysis will be used to identify pertinent security issues. The second
step is to identify necessary countermeasures to secure RPL. As there
are multiple ways to solve the problem and the specific tradeoffs are
deployment specific, the specific countermeasure to be used is detailed
in applicability statements.</t>
<t>This document uses <xref target="ISO.7498-2.1988"/>] model, which describes Authentication,
Access Control, Data Confidentiality, Data Integrity, and
Non-Repudiation security services and to which Availability is added.</t>
<t>
Many of the issues in this document were also covered in The IAB Smart Object Workshop
<xref target="RFC6574" />, and
The IAB Smart Object Security Workshop <xref target="I-D.gilger-smart-object-security-workshop"/>.
</t>
<t>All of this document concerns itself with securing the control plane
traffic. As such it does not address authorization or authentication of
application traffic. RPL uses multicast as part of its protocol, and
therefore mechanisms which RPL uses to secure this traffic might also be applicable
to MPL control traffic as well: the important part is that the threats
are similar.</t>
</section>
<section title="Relationship to other documents">
<t>
ROLL has specified a set of routing protocols for Lossy and Low-resource
Networks (LLN) <xref target="RFC6550" />.
A number of applicability texts describes a subset of these protocols
and the conditions which make the subset the correct choice. The text
recommends and motivates the accompanying parameter value ranges.
Multiple applicability domains are recognized including: Building and Home,
and Advanced Metering Infrastructure. The applicability domains distinguish
themselves in the way they are operated, their performance requirements, and the
most probable network
structures. Each applicability statement identifies the distinguishing
properties according to a common set of subjects described in as many
sections.
</t>
<t>
The common set of security threats herein are referred to by
the applicability statements, and that series of documents
describes the preferred security settings and solutions within the
applicability statement conditions. This applicability statements may
recommend more light weight security solutions and specify the conditions
under which these solutions are appropriate.
</t>
</section>
<section title="Terminology">
<t>This document adopts the terminology defined in <xref
target="RFC6550"/>, in <xref target="RFC4949"/>, and in <xref
target="RFC7102"/>.</t>
<t>The terms control plane and forwarding plane are used consistently
with section 1 of <xref target="RFC6192"/>.</t>
<t>The term DODAG is from <xref target="RFC6550"/>.</t>
<t>EAP-TLS is defined in <xref target="RFC5216"/>.</t>
<t>PANA is defined in <xref target="RFC5191"/>.</t>
<t>CCM mode is defined in <xref target="RFC3610"/>.</t>
<t>The terms SSID, ESSID and PAN refer to network identifiers, defined in
<xref target="IEEE.802.11"/> and <xref target="IEEE.802.15.4" />.</t>
<t>
Although this is not a protocol specification, the key words "MUST",
"MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT",
"RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref target="RFC2119" /> in
order to clarify and emphasize the guidance and directions to
implementers and deployers of LLN nodes that utilize RPL.
</t>
</section>
<section anchor="cons-on-roll-sec" title="Considerations on RPL Security">
<t>Routing security, in essence, ensures that the routing protocol
operates correctly. It entails implementing measures to ensure
controlled state changes on devices and network elements, both based on
external inputs (received via communications) or internal inputs
(physical security of device itself and parameters maintained by the
device, including, e.g., clock). State changes would thereby involve not
only authorization of injector's actions, authentication of injectors,
and potentially confidentiality of routing data, but also proper order
of state changes through timeliness, since seriously delayed state
changes, such as commands or updates of routing tables, may negatively
impact system operation. A security assessment can therefore begin with a
focus on the assets <xref target="RFC4949"/> that may be the target of
the state changes and the access points in terms of interfaces and
protocol exchanges through which such changes may occur. In the case of
routing security, the focus is directed towards the elements associated
with the establishment and maintenance of network connectivity.</t>
<t>This section sets the stage for the development of the analysis by
applying the systematic approach proposed in <xref
target="Myagmar2005"/> to the routing security, while also drawing
references from other reviews and assessments found in the literature,
particularly, <xref target="RFC4593"/> and <xref target="Karlof2003"/>.
The subsequent subsections begin with a focus on the elements of a
generic routing process that is used to establish routing assets and
points of access to the routing functionality. Next, the <xref
target="ISO.7498-2.1988"/> security model is briefly described. Then,
consideration is given to issues specific to or amplified in LLNs. This
section concludes with the formulation of a set of security objectives
for RPL.</t>
<section anchor="routing-assets"
title="Routing Assets and Points of Access">
<t>An asset is an important system resource (including information,
process, or physical resource), the access to, corruption or loss of
which adversely affects the system. In the control plane context, an
asset is information about the network, processes used to manage and
manipulate this data, and the physical devices on which this data is
stored and manipulated. The corruption or loss of these assets may
adversely impact the control plane of the network. Within the same
context, a point of access is an interface or protocol that
facilitates interaction between control plane assets. Identifying
these assets and points of access will provide a basis for enumerating
the attack surface of the control plane.</t>
<t>A level-0 data flow diagram <xref target="Yourdon1979"/> is used
here to identify the assets and points of access within a generic
routing process. The use of a data flow diagram allows for a clear and
concise model of the way in which routing nodes interact and process
information, and hence provides a context for threats and attacks. The
goal of the model is to be as detailed as possible so that
corresponding assets, points of access, and process in an individual
routing protocol can be readily identified.</t>
<t><xref target="Fig1"/> shows that nodes participating in the routing
process transmit messages to discover neighbors and to exchange
routing information; routes are then generated and stored, which may
be maintained in the form of the protocol forwarding table. The nodes
use the derived routes for making forwarding decisions.</t>
<figure align="center" anchor="Fig1"
title="Data Flow Diagram of a Generic Routing Process">
<preamble/>
<artwork align="left">
<![CDATA[
...................................................
: :
: :
|Node_i|<------->(Routing Neighbor _________________ :
: Discovery)------------>Neighbor Topology :
: -------+--------- :
: | :
|Node_j|<------->(Route/Topology +--------+ :
: Exchange) | :
: | V ______ :
: +---->(Route Generation)--->Routes :
: ---+-- :
: | :
: Routing on a Node Node_k | :
...................................................
|
|Forwarding |
|On Node_l|<-------------------------------------------+
Notation:
(Proc) A process Proc
________
topology A structure storing neighbor adjacency (parent/child)
--------
________
routes A structure storing the forwarding information base (FIB)
--------
|Node_n| An external entity Node_n
-------> Data flow
]]>
</artwork>
<postamble/>
</figure>
<t>It is seen from <xref target="Fig1"/> that <list style="symbols">
<t>Assets include<list style="symbols">
<t>routing and/or topology information;</t>
<t>route generation process;</t>
<t>communication channel resources (bandwidth);</t>
<t>node resources (computing capacity, memory, and remaining
energy);</t>
<t>node identifiers (including node identity and ascribed
attributes such as relative or absolute node location).</t>
</list></t>
<t>Points of access include<list style="symbols">
<t>neighbor discovery;</t>
<t>route/topology exchange;</t>
<t>node physical interfaces (including access to data
storage).</t>
</list></t>
</list>A focus on the above list of assets and points of access
enables a more directed assessment of routing security; for example,
it is readily understood that some routing attacks are in the form of
attempts to misrepresent routing topology. Indeed, the intention of
the security threat analysis is to be comprehensive. Hence, some of
the discussion which follows is associated with assets and points of
access that are not directly related to routing protocol design but
nonetheless provided for reference since they do have direct
consequences on the security of routing.</t>
</section>
<section anchor="iso" title="The ISO 7498-2 Security Reference Model">
<t>At the conceptual level, security within an information system in
general and applied to RPL in particular is concerned with the primary
issues of authentication, access control, data confidentiality, data
integrity, and non-repudiation. In the context of RPL:</t>
<t><list hangIndent="6" style="hanging">
<t hangText="Authentication"><vspace/>Authentication involves the
mutual authentication of the routing peers prior to exchanging
route information (i.e., peer authentication) as well as ensuring
that the source of the route data is from the peer (i.e., data
origin authentication). <xref target="RFC5548"/> points out that
LLNs can be drained by unauthenticated peers before configuration.
<xref target="RFC5673"/> requires availability of open and
untrusted side channels for new joiners, and it requires strong
and automated authentication so that networks can automatically
accept or reject new joiners.</t>
<t hangText="Access Control"><vspace/>Access Control provides
protection against unauthorized use of the asset, and deals with
the authorization of a node.</t>
<t hangText="Confidentiality"><vspace/>Confidentiality involves
the protection of routing information as well as routing neighbor
maintenance exchanges so that only authorized and intended network
entities may view or access it. Because LLNs are most commonly
found on a publicly accessible shared medium, e.g., air or wiring
in a building, and sometimes formed ad hoc, confidentiality also
extends to the neighbor state and database information within the
routing device since the deployment of the network creates the
potential for unauthorized access to the physical devices
themselves.</t>
<t hangText="Integrity"><vspace/>Integrity entails the protection
of routing information and routing neighbor maintenance exchanges,
as well as derived information maintained in the database, from
unauthorized modification, insertions, deletions or replays. to be
addressed beyond the routing protocol.</t>
<t hangText="Non-repudiation"><vspace/>Non-repudiation is the
assurance that the transmission and/or reception of a message
cannot later be denied. The service of non-repudiation applies
after-the-fact and thus relies on the logging or other capture of
on-going message exchanges and signatures. Applied to routing,
non-repudiation is not an issue because it does not apply to
routing protocols, which are machine-to-machine protocols.
Further, with the LLN application domains as described in <xref
target="RFC5867"/> and <xref target="RFC5548"/>, proactive
measures are much more critical than retrospective protections.
Finally, given the significant practical limits to on-going
routing transaction logging and storage and individual device
digital signature verification for each exchange, non-repudiation
in the context of routing is an unsupportable burden that bears no
further considered as an RPL security issue.</t>
</list></t>
<t>It is recognized that, besides those security issues captured in
the ISO 7498-2 model, availability, is a security requirement:<list
hangIndent="6" style="hanging">
<t hangText="Availability"><vspace/>Availability ensures that
routing information exchanges and forwarding services need to be
available when they are required for the functioning of the
serving network. Availability will apply to maintaining efficient
and correct operation of routing and neighbor discovery exchanges
(including needed information) and forwarding services so as not
to impair or limit the network's central traffic flow function</t>
</list></t>
<t>It should be emphasized here that for RPL security the above
requirements must be complemented by the proper security policies and
enforcement mechanisms to ensure that security objectives are met by a
given RPL implementation.</t>
</section>
<section anchor="roll-issues"
title="Issues Specific to or Amplified in LLNs">
<t>The requirements work detailed in Urban Requirements (<xref target="RFC5548"/>),
Industrial Requirements (<xref target="RFC5673"/>),
Home Automation (<xref target="RFC5826"/>, and
Building Automation (<xref target="RFC5867"/>) have identified
specific issues and constraints of routing in LLNs.
The following is a list of observations from those requirements and
evaluation of their impact on routing security considerations.</t>
<t><list hangIndent="6" style="hanging">
<t
hangText="Limited energy, memory, and processing node resources"><vspace/>As
a consequence of these constraints, there is an even more critical
need than usual for a careful study of trade-offs on which and
what level of security services are to be afforded during the
system design process. The chosen security mechanisms also needs
to work within these constraints. Synchronization of security
states with sleepy nodes is yet another issue. A non-rechargeable battery powered
node may well be limited in energy for it's lifetime: once exchausted, it may well
never function again.</t>
<t hangText="Large scale of rolled out network"><vspace/>The
possibly numerous nodes to be deployed make manual on-site
configuration unlikely. For example, an urban deployment can see
several hundreds of thousands of nodes being installed by many
installers with a low level of expertise. Nodes may be installed
and not activated for many years, and additional nodes may be
added later on, which may be from old inventory. The lifetime of
the network is measured in decades, and this complicates the
operation of key management.</t>
<t hangText="Autonomous operations"><vspace/>Self-forming and
self-organizing are commonly prescribed requirements of LLNs. In
other words, a routing protocol designed for LLNs needs to contain
elements of ad hoc networking and in most cases cannot rely on
manual configuration for initialization or local filtering rules.
Network topology/ownership changes, partitioning or merging, as
well as node replacement, can all contribute to complicating the
operations of key management.</t>
<t hangText="Highly directional traffic"><vspace/>Some types of
LLNs see a high percentage of their total traffic traverse between
the nodes and the LLN Border Routers (LBRs) where the LLNs connect
to non-LLNs. The special routing status of and the greater volume
of traffic near the LBRs have routing security consequences as a
higher valued attack target. In fact, when Point-to-MultiPoint
(P2MP) and MultiPoint-to-Point (MP2P) traffic represents a
majority of the traffic, routing attacks consisting of advertising
incorrect preferred routes can cause serious damage.</t>
<t>While it might seem that nodes higher up in the cyclic graph
(i.e. those with lower rank) should be secured in a stronger
fashion, it is not in general easy to predict which nodes will
occupy those positions until after deployment. Issues of
redundancy and inventory control suggests that any node might wind
up in such a sensitive attack position, so all nodes need to be
equally secure.</t>
<t>In addition, even if it were possible to predict which nodes
will occupy positions of lower rank and provision them with
stronger security mechanisms, in the absense of a strong
authorization model, any node could advertise an incorrect
preferred route.</t>
<t
hangText="Unattended locations and limited physical security"><vspace/>Many
applications have the nodes deployed in unattended or remote
locations; furthermore, the nodes themselves are often built with
minimal physical protection. These constraints lower the barrier
of accessing the data or security material stored on the nodes
through physical means.</t>
<t hangText="Support for mobility"><vspace/>On the one hand, only
a limited number of applications require the support of mobile
nodes, e.g., a home LLN that includes nodes on wearable health
care devices or an industry LLN that includes nodes on cranes and
vehicles. On the other hand, if a routing protocol is indeed used
in such applications, it will clearly need to have corresponding
security mechanisms.</t>
<t>Additionally nodes may appear to move from one side of a wall
to another without any actual motion involved, the result of
changes to electromagnetic properties, such as opening and closing
of a metal door.</t>
<t hangText="Support for multicast and anycast"><vspace/>Support
for multicast and anycast is called out chiefly for large-scale
networks. Since application of these routing mechanisms in
autonomous operations of many nodes is new, the consequence on
security requires careful consideration.</t>
</list></t>
<t>The above list considers how an LLN's physical constraints, size,
operations, and variety of application areas may impact security.
However, it is the combinations of these factors that particularly
stress the security concerns. For instance, securing routing for a
large number of autonomous devices that are left in unattended
locations with limited physical security presents challenges that are
not found in the common circumstance of administered networked
routers. The following subsection sets up the security objectives for
the routing protocol designed by the ROLL WG.</t>
</section>
<section anchor="roll-objs" title="RPL Security Objectives">
<t>This subsection applies the ISO 7498-2 model to routing assets and
access points, taking into account the LLN issues, to develop a set of
RPL security objectives.</t>
<t>Since the fundamental function of a routing protocol is to build
routes for forwarding packets, it is essential to ensure that: <list
style="symbols">
<t>routing/topology information integrity remains intact during
transfer and in storage;</t>
<t>routing/topology information is used by authorized
entities;</t>
<t>routing/topology information is available when needed.</t>
</list> In conjunction, it is necessary to be assured that <list
style="symbols">
<t>authorized peers authenticate themselves during the routing
neighbor discovery process;</t>
<t>the routing/topology information received is generated
according to the protocol design.</t>
</list> However, when trust cannot be fully vested through
authentication of the principals alone, i.e., concerns of insider
attack, assurance of the truthfulness and timeliness of the received
routing/topology information is necessary. With regard to
confidentiality, protecting the routing/topology information from
unauthorized exposure may be desirable in certain cases but is in
itself less pertinent in general to the routing function.</t>
<t>One of the main problems of synchronizing security states of sleepy
nodes, as listed in the last subsection, lies in difficulties in
authentication; these nodes may not have received in time the most
recent update of security material. Similarly, the issues of minimal
manual configuration, prolonged rollout and delayed addition of nodes,
and network topology changes also complicate key management. Hence,
routing in LLNs needs to bootstrap the authentication process and
allow for flexible expiration scheme of authentication
credentials.</t>
<t>The vulnerability brought forth by some special-function nodes,
e.g., LBRs, requires the assurance, particularly in a security
context, <list style="symbols">
<t>of the availability of communication channels and node
resources;</t>
<t>that the neighbor discovery process operates without
undermining routing availability.</t>
</list></t>
<t>There are other factors which are not part of RPL but directly
affecting its function. These factors include weaker barrier of
accessing the data or security material stored on the nodes through
physical means; therefore, the internal and external interfaces of a
node need to be adequate for guarding the integrity, and possibly the
confidentiality, of stored information, as well as the integrity of
routing and route generation processes.</t>
<t>Each individual system's use and environment will dictate how the
above objectives are applied, including the choices of security
services as well as the strengths of the mechanisms that must be
implemented. The next two sections take a closer look at how the RPL
security objectives may be compromised and how those potential
compromises can be countered.</t>
</section>
</section>
<section anchor="threat-sources" title="Threat Sources">
<t><xref target="RFC4593"/> provides a detailed review of the threat
sources: outsiders and byzantine. RPL has the same threat sources.</t>
</section>
<section anchor="roll-threats" title="Threats and Attacks">
<t>This section outlines general categories of threats under the ISO
7498-2 model and highlights the specific attacks in each of these
categories for RPL. As defined in <xref target="RFC4949"/>, a threat is
"a potential for violation of security, which exists when there is a
circumstance, capability, action, or event that could breach security
and cause harm."</t>
<t>An attack is "an assault on system security that derives from an
intelligent threat, i.e., an intelligent act that is a deliberate
attempt (especially in the sense of a method or technique) to evade
security services and violate the security policy of a system."</t>
<t>The subsequent subsections consider the threats and the attacks that
can cause security breaches under the ISO 7498-2 model to the routing
assets and via the routing points of access identified in <xref
target="routing-assets"/>. The assessment steps through the security
concerns of each routing asset and looks at the attacks that can exploit
routing points of access. The threats and attacks identified are based
on the routing model analysis and associated review of the existing
literature. The source of the attacks is assumed to be from either
inside or outside attackers. While some attackers inside the network
will be using compromised nodes, and therefore are only able to do
what an ordinary node can ("node-equivalent"), other attacks may not
limited in memory, CPU, power consumption or long term storage. Moore's
law favours the attacker with access to the latest capabilities, while
the defenders will remain in place for years to decades.</t>
<section anchor="authorization-threat"
title="Threats due to failures to Authenticate">
<section anchor="any-identity" title="Node Impersonation">
<t>If an attacker can join a network using any identity, then it may
be able to assume the role of a legitimate (and existing node). It
may be able to report false readings (in metering applications), or
provide inappropriate control messages (in control systems involving
actuators) if the security of the application is implied by the
security of the routing system.</t>
<t>Even in systems where there application layer security,
the ability to impersonate a node would permit an attacker
to direct traffic to itself. This may permit various on-path attacks
which would otherwise be difficult, such replaying, delaying, or duplicating
(application) control messages.</t>
</section>
<section anchor="extra-node" title="Dummy Node">
<t>If an attacker can join a network using any identify, then it can
pretend to be a legitimate node, receiving any service legitimate
nodes receive. It may also be able to report false readings (in
metering applications), or provide inappropriate authorizations (in
control systems involving actuators), or perform any other attacks
that are facilitated by being able to direct traffic towards
itself.</t>
</section>
<section anchor="spam-resource" title="Node Resource Spam">
<t>If an attacker can join a network with any identify, then it can
continously do so with new (random) identities. This act may drain down the resources
of the network (battery, RAM, bandwidth). This may cause
legitimate nodes of the network to be unable to communicate.</t>
</section>
</section>
<section anchor="confident-threat"
title="Threats and Attacks on Confidentiality">
<t>The assessment in <xref target="iso"/> indicates that there are
attacks against the confidentiality of routing information at
all points of access. This threat may result in disclosure, as described
in Section 3.1.2 of <xref target="RFC4593"/>, and may involve a
disclosure of routing information.</t>
<section anchor="route-exch-expo" title="Routing Exchange Exposure">
<t>Routing exchanges include both routing information as well as
information associated with the establishment and maintenance of
neighbor state information. As indicated in <xref
target="routing-assets"/>, the associated routing information assets
may also include device specific resource information, such as
available memory, remaining power, etc., that may be metrics of the routing
protocol.</t>
<t>The routing exchanges will contain reachability information,
which would identify the relative importance of different nodes in
the network. Nodes higher up in the DODAG, to which more streams of
information flow, would be more interesting targets for other
attacks, and routing exchange exposures can identify them.</t>
</section>
<section anchor="route-info-expo"
title="Routing Information (Routes and Network Topology) Exposure">
<t>Routes (which may be maintained in the form of the protocol
forwarding table) and neighbor topology information are the products
of the routing process that are stored within the node device
databases.</t>
<t>The exposure of this information will allow attackers to gain
direct access to the configuration and connectivity of the network
thereby exposing routing to targeted attacks on key nodes or links.
Since routes and neighbor topology information is stored within the
node device, attacks on the confidentiality of the
information will apply to the physical device including specified
and unspecified internal and external interfaces.</t>
<t>The forms of attack that allow unauthorized access or disclosure
of the routing information will include: <list style="symbols">
<t>Physical device compromise;</t>
<t>Remote device access attacks (including those occurring
through remote network management or software/field upgrade
interfaces).</t>
</list></t>
<t>Both of these attack vectors are considered a device specific
issue, and are out of scope for RPL to defend against. In some
applications, physical device compromise may be a real threat and it
may be necessary to provide for other devices to securely detect a compromised
device and react quickly to exclude it.</t>
</section>
</section>
<section anchor="integ-threat" title="Threats and Attacks on Integrity">
<t>The assessment in <xref target="iso"/> indicates that information
and identity assets are exposed to integrity threats from all points
of access. In other words, the integrity threat space is defined by
the potential for exploitation introduced by access to assets
available through routing exchanges and the on-device storage.</t>
<section anchor="manipul" title="Routing Information Manipulation">
<t>Manipulation of routing information that range from neighbor
states to derived routes will allow unauthorized sources to
influence the operation and convergence of the routing protocols and
ultimately impact the forwarding decisions made in the network.</t>
<t>Manipulation of topology and reachability information will allow
unauthorized sources to influence the nodes with which routing
information is exchanged and updated. The consequence of
manipulating routing exchanges can thus lead to sub-optimality and
fragmentation or partitioning of the network by restricting the
universe of routers with which associations can be established and
maintained.</t>
<t>A sub-optimal network may use too much power and/or may congest
some routes leading to premature failure of a node, and a denial of
service on the entire network.</t>
<t>In addition, being able to attract network traffic can make a
blackhole attack more damaging.</t>
<t>The forms of attack that allow manipulation to compromise the
content and validity of routing information include<list
style="symbols">
<t>Falsification, including overclaiming and misclaiming (claiming routes to devices
which the device can not in fact reach);</t>
<t>Routing information replay;</t>
<t>Byzantine (internal) attacks that permit corruption of
routing information in the node even where the node continues to
be a validated entity within the network (see, for example,
<xref target="RFC4593"/> for further discussions on Byzantine
attacks);</t>
<t>Physical device compromise or remote device access
attacks.</t>
</list></t>
</section>
<section anchor="id-misappr" title="Node Identity Misappropriation">
<t>Falsification or misappropriation of node identity between
routing participants opens the door for other attacks; it can also
cause incorrect routing relationships to form and/or topologies to
emerge. Routing attacks may also be mounted through less
sophisticated node identity misappropriation in which the valid
information broadcast or exchanged by a node is replayed without
modification. The receipt of seemingly valid information that is
however no longer current can result in routing disruption, and
instability (including failure to converge). Without measures to
authenticate the routing participants and to ensure the freshness
and validity of the received information the protocol operation can
be compromised. The forms of attack that misuse node identity
include<list style="symbols">
<t>Identity attacks, including Sybil attacks (see <xref target="Sybil2002" />) in which a
malicious node illegitimately assumes multiple identities;</t>
<t>Routing information replay.</t>
</list></t>
</section>
</section>
<section anchor="avail-threat"
title="Threats and Attacks on Availability">
<t>The assessment in <xref target="iso"/> indicates that the process
and resources assets are exposed to threats against availability;
attacks in this category may exploit directly or indirectly
information exchange or forwarding (see <xref target="RFC4732"/> for a
general discussion).</t>
<section anchor="route-exch-intrpt"
title="Routing Exchange Interference or Disruption">
<t>Interference is the threat action and disruption is threat
consequence that allows attackers to influence the operation and
convergence of the routing protocols by impeding the routing
information exchange.</t>
<t>The forms of attack that allow interference or disruption of
routing exchange include:<list style="symbols">
<t>Routing information replay;</t>
<t>ACK spoofing;</t>
<t><xref target="overload-attack">Overload attacks.</xref></t>
</list></t>
<t>In addition, attacks may also be directly conducted at the
physical layer in the form of jamming or interfering.</t>
</section>
<section anchor="disrupt-forward"
title="Network Traffic Forwarding Disruption">
<t>The disruption of the network traffic forwarding capability will
undermine the central function of network routers and the ability to
handle user traffic. This affects the availability of the network
because of the potential to impair the primary capability of the
network.</t>
<t>In addition to physical layer obstructions, the forms of attack
that allows disruption of network traffic forwarding include <xref
target="Karlof2003"/><list style="symbols">
<t>Selective forwarding attacks; <figure align="center"
anchor="Fig2" title="Selective forwarding example">
<preamble/>
<artwork align="left">
<![CDATA[
|Node_1|--(msg1|msg2|msg3)-->|Attacker|--(msg1|msg3)-->|Node_2|
]]>
</artwork>
<postamble/>
</figure></t>
<t>Wormhole attacks; <figure align="center" anchor="Fig3"
title="Wormhole Attacks">
<preamble/>
<artwork align="left">
<![CDATA[
|Node_1|-------------Unreachable---------x|Node_2|
| ^
| Private Link |
'-->|Attacker_1|===========>|Attacker_2|--'
]]>
</artwork>
<postamble/>
</figure></t>
<t>Sinkhole attacks. <figure align="center" anchor="Fig4"
title="sinkhole attack example">
<preamble/>
<artwork align="left">
<![CDATA[
|Node_1| |Node_4|
| |
`--------. |
Falsify as \ |
Good Link \ | |
To Node_5 \ | |
\ V V
|Node_2|-->|Attacker|--Not Forwarded---x|Node_5|
^ ^ \
| | \ Falsify as
| | \Good Link
/ | To Node_5
,-------' |
| |
|Node_3| |Node_i|
]]>
</artwork>
<postamble/>
</figure></t>
</list></t>
<t>These attacks are generally done to both control plane and
forwarding plane traffic. A system that prevents control plane
traffic (RPL messages) from being diverted in these ways will also
prevent actual data from being diverted.</t>
</section>
<section anchor="disrpt-comm-resourse"
title="Communications Resource Disruption">
<t>Attacks mounted against the communication channel resource assets
needed by the routing protocol can be used as a means of disrupting
its operation. However, while various forms of Denial of Service
(DoS) attacks on the underlying transport subsystem will affect
routing protocol exchanges and operation (for example physical layer
RF jamming in a wireless network or link layer attacks), these
attacks cannot be countered by the routing protocol. As such, the
threats to the underlying transport network that supports routing is
considered beyond the scope of the current document. Nonetheless,
attacks on the subsystem will affect routing operation and so must
be directly addressed within the underlying subsystem and its
implemented protocol layers.</t>
</section>
<section anchor="exhaust-resource" title="Node Resource Exhaustion">
<t>A potential threat consequence can arise from attempts to
overload the node resource asset by initiating exchanges that can
lead to the exhaustion of processing, memory, or energy resources.
The establishment and maintenance of routing neighbors opens the
routing process to engagement and potential acceptance of multiple
neighboring peers. Association information must be stored for each
peer entity and for the wireless network operation provisions made
to periodically update and reassess the associations. An introduced
proliferation of apparent routing peers can therefore have a
negative impact on node resources.</t>
<t>Node resources may also be unduly consumed by attackers
attempting uncontrolled topology peering or routing exchanges,
routing replays, or the generating of other data traffic floods.
Beyond the disruption of communications channel resources, these
consequences may be able to exhaust node resources only where the
engagements are able to proceed with the peer routing entities.
Routing operation and network forwarding functions can thus be
adversely impacted by node resources exhaustion that stems from
attacks that include:<list style="symbols">
<t>Identity (including Sybil) attacks (see <xref target="Sybil2002" />);</t>
<t>Routing information replay attacks;</t>
<t>HELLO-type flood attacks;</t>
<t><xref target="overload-attack">Overload attacks.</xref></t>
</list></t>
</section>
</section>
</section>
<section anchor="counter-measur" title="Countermeasures">
<t>By recognizing the characteristics of LLNs that may impact routing,
this analysis provides the basis for understanding the capabilities
within RPL used to deter the identified attacks and mitigate the
threats. The following subsections consider such countermeasures by
grouping the attacks according to the classification of the ISO 7498-2
model so that associations with the necessary security services are more
readily visible.</t>
<section anchor="counter-confident-atk"
title="Confidentiality Attack Countermeasures">
<t>Attacks to disclosure routing information may be mounted at the
level of the routing information assets, at the points of access
associated with routing exchanges between nodes, or through device
interface access. To gain access to routing/topology information, the
attacker may rely on a compromised node that deliberately exposes the
information during the routing exchange process, may rely on passive
wiretapping or traffic analysis, or may attempt access through a
component or device interface of a tampered routing node.</t>
<section title="Countering Deliberate Exposure Attacks">
<t>A deliberate exposure attack is one in which an entity that is
party to the routing process or topology exchange allows the
routing/topology information or generated route information to be
exposed to an unauthorized entity.</t>
<t>For instance, due to mis-configuration or inappropriate enabling
of a diagnostic interface, an entity might be copying ("bridging")
traffic from a secured ESSID/PAN to an unsecured interface.</t>
<!-- BULLSHIT? -->
<t>A prerequisite to countering this attack is to ensure that the
communicating nodes are authenticated prior to data encryption
applied in the routing exchange. Authentication ensures that the
nodes are who they claim to be even though it does not provide an
indication of whether the node has been compromised.</t>
<t>To mitigate the risk of deliberate exposure, the process that
communicating nodes use to establish session keys must be
peer-to-peer (i.e., between the routing initiating and responding
nodes). As is pointed out in <xref target="RFC4107" />, automatic key
management is critical for good security.
This helps ensure that neither node is exchanging routing
information with another peer without the knowledge of both
communicating peers. For a deliberate exposure attack to succeed,
the comprised node will need to be more overt and take independent
actions in order to disclose the routing information to 3rd
party.</t>
<t>Note that the same measures which apply to securing
routing/topology exchanges between operational nodes must also
extend to field tools and other devices used in a deployed network
where such devices can be configured to participate in routing
exchanges.</t>
</section>
<section title="Countering Passive Wiretapping Attacks">
<t>A passive wiretap attack seeks to breach routing confidentiality
through passive, direct analysis and processing of the information
exchanges between nodes.</t>
<t>Passive wiretap attacks can be directly countered through the use
of data encryption for all routing exchanges. Only when a validated
and authenticated node association is completed will routing
exchange be allowed to proceed using established session keys and an
agreed encryption algorithm. The mandatory to implement CCM mode
AES-128 method, is described in <xref target="RFC3610"/>, and is
believed to be secure against a brute force attack by even the most
well-equipped adversary.</t>
<t>The significant challenge for RPL is in the provisioning of the
key, which in some modes of RFC6550 is used network-wide. RFC6550
does not solve this problem, and it is the subject of significant
future work: see, for instance: <xref target="AceCharterProposal"/>,
<xref target="SolaceProposal"/>, <xref
target="SmartObjectSecurityWorkshop"/>.</t>
<t>A number of deployments, such as <xref target="ZigBeeIP"/>
specify no layer-3/RPL encryption or authentication and rely upon
similiar security at layer-2. These networks are immune to outside
wiretapping attacks, but are vulnerable to passive (and
active) routing attacks through compromises of nodes.
(see <xref target="intf" />).
</t>
<t>Section 10.9 of <xref target="RFC6550"/> specifies AES-128 in CCM
mode with a 32-bit MAC.</t>
<t>Section 5.6 Zigbee IP <xref target="ZigBeeIP"/> specifies use of
CCM, with PANA and EAP-TLS for key management.</t>
</section>
<section title="Countering Traffic Analysis">
<t>Traffic analysis provides an indirect means of subverting
confidentiality and gaining access to routing information by
allowing an attacker to indirectly map the connectivity or flow
patterns (including link-load) of the network from which other
attacks can be mounted. The traffic analysis attack on an LLN,
especially one founded on shared medium, is passive and relies on
the ability to read the immutable source/destination layer-2 and/or
layer-3 routing information that must remain unencrypted to permit
network routing.</t>
<t>One way in which passive traffic analysis attacks can be muted is
through the support of load balancing that allows traffic to a given
destination to be sent along diverse routing paths. RPL does not
generally support multi-path routing within a single DODAG. Multiple
DODAGs are supported in the protocol, and an implementation could
make use of that. RPL does not have any inherent or standard way to
guarantee that the different DODAGs would have significantly diverse
paths. Having the diverse DODAGs routed at different border routers
might work in some instances, and this could be combined with a
multipath technology like MPTCP (<xref target="RFC6824"/>. It is
unlikely that it will be affordable in many LLNs, as few deployments
will have memory space for more than a few sets of DODAG tables.</t>
<t>Another approach to countering passive traffic analysis could be
for nodes to maintain constant amount of traffic to different
destinations through the generation of arbitrary traffic flows; the
drawback of course would be the consequent overhead and energy
expenditure.</t>
<t>The only means of fully countering a traffic analysis attack is
through the use of tunneling (encapsulation) where encryption is
applied across the entirety of the original packet
source/destination addresses. Deployments which use layer-2 security
that includes encryption already do this for all traffic.</t>
</section>
<section anchor="counter-remote"
title="Countering Remote Device Access Attacks">
<t>Where LLN nodes are deployed in the field, measures are
introduced to allow for remote retrieval of routing data and for
software or field upgrades. These paths create the potential for a
device to be remotely accessed across the network or through a
provided field tool. In the case of network management a node can be
directly requested to provide routing tables and neighbor
information.</t>
<t>To ensure confidentiality of the node routing information against
attacks through remote access, any local or remote device requesting
routing information must be authenticated, and must be authorized
for that access. Since remote access is not invoked as part of a
routing protocol, security of routing information stored on the node
against remote access will not be addressable as part of the routing
protocol.</t>
</section>
</section>
<section anchor="counter-integ-atk"
title="Integrity Attack Countermeasures">
<t>Integrity attack countermeasures address routing information
manipulation, as well as node identity and routing information misuse.
Manipulation can occur in the form of falsification attack and
physical compromise. To be effective, the following development
considers the two aspects of falsification, namely, the unauthorized
modifications and the overclaiming and misclaiming content. The
countering of physical compromise was considered in the previous
section and is not repeated here. With regard to misuse, there are two
types of attacks to be deterred, identity attacks and replay
attacks.</t>
<section title="Countering Unauthorized Modification Attacks">
<t>Unauthorized modifications may occur in the form of altering the
message being transferred or the data stored. Therefore, it is
necessary to ensure that only authorized nodes can change the
portion of the information that is allowed to be mutable, while the
integrity of the rest of the information is protected, e.g., through
well-studied cryptographic mechanisms.</t>
<t>Unauthorized modifications may also occur in the form of
insertion or deletion of messages during protocol changes.
Therefore, the protocol needs to ensure the integrity of the
sequence of the exchange sequence.</t>
<t>The countermeasure to unauthorized modifications needs to: <list
style="symbols">
<t>implement access control on storage;</t>
<t>provide data integrity service to transferred messages and
stored data;</t>
<t>include sequence number under integrity protection.</t>
</list></t>
</section>
<section title="Countering Overclaiming and Misclaiming Attacks">
<t>Both overclaiming and misclaiming aim to introduce false routes
or a false topology that would not occur otherwise,
while there are not necessarily unauthorized modifications to the
routing messages or information. In order to counter overclaiming,
the capability to determine unreasonable routes or topology is
required.</t>
<t>The counter to overclaiming and misclaiming may employ: <list
style="symbols">
<t>comparison with historical routing/topology data;</t>
<t>designs which restrict realizable network topologies.</t>
</list></t>
<t>RPL includes no specific mechanisms in the protocol to counter
overclaims or misclaims. An implementation could have specific heuristics
implemented locally.</t>
</section>
<section anchor="counter-sybil"
title="Countering Identity (including Sybil) Attacks">
<t>Identity attacks, sometimes simply called spoofing, seek to gain
or damage assets whose access is controlled through identity. In
routing, an identity attacker can illegitimately participate in
routing exchanges, distribute false routing information, or cause an
invalid outcome of a routing process.</t>
<t>A perpetrator of Sybil attacks assumes multiple identities. The
result is not only an amplification of the damage to routing, but
extension to new areas, e.g., where geographic distribution is
explicitly or implicitly an asset to an application running on the
LLN, for example, the LBR in a P2MP or MP2P LLN.</t>
<t>RPL includes specific public key based authentication at layer-3
that provide for authorization. Many deployments use layer-2
security that includes admission controls at layer-2 using
mechanisms such as PANA.</t>
</section>
<section anchor="counter-replay"
title="Countering Routing Information Replay Attacks">
<t>In many routing protocols, message replay can result in false
topology and/or routes. This is often counted with some kind of
counter to ensure the freshness of the message. Replay of a current,
literal RPL message are in general idempotent to the topology. An
older (lower DODAGVersionNumber) message, if replayed would be
rejected as being stale. The trickle algorithm further dampens the
effect of any such replay, as if the message was current, then it
would contain the same information as before, and it would cause no
network changes.</t>
<t>Replays may well occur in some radio technologies (not very
likely, 802.15.4) as a result of echos or reflections, and so some
replays must be assumed to occur naturally.</t>
<t>Note that for there to be no affect at all, the replay must be
done with the same apparent power for all nodes receiving the
replay. A change in apparent power might change the metrics through
changes to the ETX and therefore might affect the routing even
though the contents of the packet were never changed. Any replay
which appears to be different should be analyzed as a Selective
Forwarding Attack, Sinkhole Attack or Wormhole Attack.</t>
</section>
<section anchor="counter-byzantine"
title="Countering Byzantine Routing Information Attacks">
<t>Where a node is captured or compromised but continues to operate
for a period with valid network security credentials, the potential
exists for routing information to be manipulated. This compromise of
the routing information could thus exist in spite of security
countermeasures that operate between the peer routing devices.</t>
<t>Consistent with the end-to-end principle of communications, such
an attack can only be fully addressed through measures operating
directly between the routing entities themselves or by means of
external entities able to access and independently analyze the
routing information. Verification of the authenticity and liveliness
of the routing entities can therefore only provide a limited counter
against internal (Byzantine) node attacks.</t>
<t>For link state routing protocols where information is flooded
with, for example, areas (OSPF <xref target="RFC2328"/>) or levels
(ISIS <xref target="RFC7142"/>), countermeasures can be directly
applied by the routing entities through the processing and
comparison of link state information received from different peers.
By comparing the link information from multiple sources decisions
can be made by a routing node or external entity with regard to
routing information validity; see Chapter 2 of <xref
target="Perlman1988"/> for a discussion on flooding attacks.</t>
<t>For distance vector protocols, such as RPL, where information is
aggregated at each routing node it is not possible for nodes to
directly detect Byzantine information manipulation attacks from the
routing information exchange. In such cases, the routing protocol
must include and support indirect communications exchanges between
non-adjacent routing peers to provide a secondary channel for
performing routing information validation. S-RIP <xref
target="Wan2004"/> is an example of the implementation of this type
of dedicated routing protocol security where the correctness of
aggregate distance vector information can only be validated by
initiating confirmation exchanges directly between nodes that are
not routing neighbors.</t>
<t>RPL does not provide any direct mechanisms like S-RIP. It does
listen to multiple parents, and may switch parents if it begins to
suspect that it is being lied to.</t>
</section>
</section>
<section anchor="counter-avail-atk"
title="Availability Attack Countermeasures">
<t>As alluded to before, availability requires that routing
information exchanges and forwarding mechanisms be available when
needed so as to guarantee proper functioning of the network. This may,
e.g., include the correct operation of routing information and
neighbor state information exchanges, among others. We will highlight
the key features of the security threats along with typical
countermeasures to prevent or at least mitigate them. We will also
note that an availability attack may be facilitated by an identity
attack as well as a replay attack, as was addressed in <xref
target="counter-sybil"/> and <xref target="counter-replay"/>,
respectively.</t>
<section title="Countering HELLO Flood Attacks and ACK Spoofing Attacks">
<t>HELLO Flood <xref target="Karlof2003"/>,<xref
target="I-D.suhopark-hello-wsn"/> and ACK Spoofing attacks are
different but highly related forms of attacking an LLN. They
essentially lead nodes to believe that suitable routes are available
even though they are not and hence constitute a serious availability
attack.</t>
<t>A HELLO attack mounted against RPL would involve sending out (or
replaying) DIO messages by the attacker. Lower power LLN nodes might
then attempt to join the DODAG at a lower rank than they would
otherwise.</t>
<t>The most effective method from <xref
target="I-D.suhopark-hello-wsn"/> is the verify bidirectionality. A
number of layer-2 links are arranged in controller/spoke
arrangements, and continuously are validating connectivity at layer
2.</t>
<t>In addition, in order to calculate metrics, the ETX must be
computed, and this involves, in general, sending a number of
messages between nodes which are believed to be adjacent. <xref
target="I-D.kelsey-intarea-mesh-link-establishment"/> is one such
protocol.</t>
<t>In order to join the DODAG, a DAO message is sent upwards. In RPL
the DAO is acknowledged by the DAO-ACK message. This clearly checks
bidirectionality at the control plane.</t>
<t>As discussed in section 5.1, <xref
target="I-D.suhopark-hello-wsn"/> a receiver with a sensitive
receiver could well hear the DAOs, and even send DAO-ACKs as well.
Such a node is a form of wormhole attack.</t>
<t>These attacks are also all easily defended against using either
layer-2 or layer-3 authentication. Such an attack could only be made
against a completely open network (such as might be used for
provisioning new nodes), or by a compromised node.</t>
</section>
<section anchor="overload-attack" title="Countering Overload Attacks">
<t>Overload attacks are a form of DoS attack in that a malicious
node overloads the network with irrelevant traffic, thereby draining
the nodes' energy store more quickly, when the nodes rely on
batteries or energy scavenging. It thus significantly shortens the
lifetime of networks of energy-constrained nodes and constitutes
another serious availability attack.</t>
<t>With energy being one of the most precious assets of LLNs,
targeting its availability is a fairly obvious attack. Another way
of depleting the energy of an LLN node is to have the malicious node
overload the network with irrelevant traffic. This impacts
availability since certain routes get congested which: <list
style="symbols">
<t>renders them useless for affected nodes and data can hence
not be delivered;</t>
<t>makes routes longer as shortest path algorithms work with the
congested network;</t>
<t>depletes battery and energy scavenging nodes more quickly and
thus shortens the network's availability at large.</t>
</list></t>
<t>Overload attacks can be countered by deploying a series of
mutually non-exclusive security measures: <list style="symbols">
<t>introduce quotas on the traffic rate each node is allowed to
send;</t>
<t>isolate nodes which send traffic above a certain threshold
based on system operation characteristics;</t>
<t>allow only trusted data to be received and forwarded.</t>
</list></t>
<t>As for the first one, a simple approach to minimize the harmful
impact of an overload attack is to introduce traffic quotas. This
prevents a malicious node from injecting a large amount of traffic
into the network, even though it does not prevent said node from
injecting irrelevant traffic at all. Another method is to isolate
nodes from the network at the network layer once it has been
detected that more traffic is injected into the network than allowed
by a prior set or dynamically adjusted threshold. Finally, if
communication is sufficiently secured, only trusted nodes can
receive and forward traffic which also lowers the risk of an
overload attack.</t>
<t>Receiving nodes that validate signatures and sending nodes that
encrypt messages need to be cautious of cryptographic processing
usage when validating signatures and encrypting messages. Where
feasible, certificates should be validated prior to use of the
associated keys to counter potential resource overloading attacks.
The associated design decision needs to also consider that the
validation process requires resources and thus itself could be
exploited for attacks. Alternatively, resource management limits can
be placed on routing security processing events (see the comment in
Section 6, paragraph 4, of <xref target="RFC5751"/>).</t>
</section>
<section title="Countering Selective Forwarding Attacks">
<t>Selective forwarding attacks are a form of DoS attack which
impacts the availability of the generated routing paths.</t>
<t>A selective forwarding attack may be done by a node involved with
the routing process, or it may be done by what otherwise appears to
be a passive antenna or other RF feature or device, but is in fact
an active (and selective) device. An RF antenna/repeater which is
not selective, is not a threat.</t>
<t>An insider malicious node basically blends neatly in with the
network but then may decide to forward and/or manipulate certain
packets. If all packets are dropped, then this attacker is also
often referred to as a "black hole". Such a form of attack is
particularly dangerous if coupled with sinkhole attacks since
inherently a large amount of traffic is attracted to the malicious
node and thereby causing significant damage. In a shared medium, an
outside malicious node would selectively jam overheard data flows,
where the thus caused collisions incur selective forwarding.</t>
<t>Selective Forwarding attacks can be countered by deploying a
series of mutually non-exclusive security measures: <list
style="symbols">
<t>multipath routing of the same message over disjoint
paths;</t>
<t>dynamically selecting the next hop from a set of
candidates.</t>
</list></t>
<t>The first measure basically guarantees that if a message gets
lost on a particular routing path due to a malicious selective
forwarding attack, there will be another route which successfully
delivers the data. Such a method is inherently suboptimal from an
energy consumption point of view; it is also suboptimal from a
network utilization perspective. The second method basically
involves a constantly changing routing topology in that next-hop
routers are chosen from a dynamic set in the hope that the number of
malicious nodes in this set is negligible. A routing protocol that
allows for disjoint routing paths may also be useful.</t>
</section>
<section title="Countering Sinkhole Attacks">
<t>In sinkhole attacks, the malicious node manages to attract a lot
of traffic mainly by advertising the availability of high-quality
links even though there are none <xref target="Karlof2003"/>. It
hence constitutes a serious attack on availability.</t>
<t>The malicious node creates a sinkhole by attracting a large
amount of, if not all, traffic from surrounding neighbors by
advertising in and outwards links of superior quality. Affected
nodes hence eagerly route their traffic via the malicious node
which, if coupled with other attacks such as selective forwarding,
may lead to serious availability and security breaches. Such an
attack can only be executed by an inside malicious node and is
generally very difficult to detect. An ongoing attack has a profound
impact on the network topology and essentially becomes a problem of
flow control.</t>
<t>Sinkhole attacks can be countered by deploying a series of
mutually non-exclusive security measures: <list style="symbols">
<t>use geographical insights for flow control;</t>
<t>isolate nodes which receive traffic above a certain
threshold;</t>
<t>dynamically pick up next hop from set of candidates;</t>
<t>allow only trusted data to be received and forwarded.</t>
</list></t>
<t>Some LLNs may provide for geolocation services, often derived
from solving triangulation equations from radio delay calculations,
such calculations could in theory be subverted by a sinkhole that
transmitted at precisely the right power in a node to node
fashion.</t>
<t>While geographic knowledge could help assure that traffic always
went in the physical direction desired, it would not assure that the
traffic was taking the most efficient route, as the lowest cost real
route might be match the physical topology; such as when different
parts of an LLN are connected by high-speed wired networks.</t>
</section>
<section title="Countering Wormhole Attacks">
<t>In wormhole attacks at least two malicious nodes claim to have a
short path between themselves <xref target="Karlof2003"/>. This
changes the availability of certain routing paths and hence
constitutes a serious security breach.</t>
<t>Essentially, two malicious insider nodes use another, more
powerful, transmitter to communicate with each other and thereby
distort the would-be-agreed routing path. This distortion could
involve shortcutting and hence paralyzing a large part of the
network; it could also involve tunneling the information to another
region of the network where there are, e.g., more malicious nodes
available to aid the intrusion or where messages are replayed,
etc.</t>
<t>In conjunction with selective forwarding, wormhole attacks can
create race conditions which impact topology maintenance, routing
protocols as well as any security suits built on "time of check" and
"time of use".</t>
<t>A pure wormhole attack is nearly impossible to detect. A wormhole
which is used in order to subsequently mount another kind of attack
would be defeated by defeating the other attack. A perfect wormhole,
in which there is nothing adverse that occurs to the traffic, would
be difficult to call an attack. The worst thing that a benign
wormhole can do in such a situation is to cease to operate (become
unstable), causing the network to have to recalculate routes.</t>
<t>A highly unstable wormhole is no different than a radio opaque
(i.e. metal) door that opens and closes a lot. RPL includes
hysteresis in its objective functions <xref target="RFC6719"/> in an
attempt to deal with frequent changes to the ETX between nodes.</t>
</section>
</section>
</section>
<!-- this is section 7 -->
<section anchor="roll-sec-features" title="RPL Security Features">
<t>The assessments and analysis in <xref target="roll-threats"/>
examined all areas of threats and attacks that could impact routing, and
the countermeasures presented in <xref target="counter-measur"/> were
reached without confining the consideration to means only available to
routing. This section puts the results into perspective; dealing with
those threats which are endemic to this field, those which have been
mitigated through RPL protocol design, and those which require specific
decisions to be made as part of provisioning a network.
</t>
<t>The first part of this section, <xref target="conff"/> to <xref
target="avaf"/>, is a description of RPL security features that address
specific threats.
The second part of this section, <xref
target="keymanage"/>, discusses issues of provisioning of
security aspects that may impact routing but that also require
considerations beyond the routing protocol, as well as potential
approaches.</t>
<t>RPL employs multicast and so these alternative
communications modes MUST be secured with the same routing security
services specified in this section. Furthermore, irrespective of the
modes of communication, nodes MUST provide adequate physical tamper
resistance commensurate with the particular application domain
environment to ensure the confidentiality, integrity, and availability
of stored routing information.</t>
<section anchor="conff" title="Confidentiality Features">
<t>With regard to confidentiality, protecting the routing/topology
information from unauthorized disclosure is not directly essential to
maintaining the routing function. Breaches of confidentiality may lead
to other attacks or the focusing of an attacker's resources (see <xref
target="confident-threat"/>) but does not of itself directly undermine
the operation of the routing function. However, to protect against,
and reduce consequences from other more direct attacks, routing
information should be protected. Thus, to secure RPL: <list
style="symbols">
<t>implement payload encryption using layer-3 mechanisms described in <xref target="RFC6550" />;</t>
<t>or: implement layer-2 confidentiality;</t>
</list></t>
<t>Where confidentiality is incorporated into the routing exchanges,
encryption algorithms and key lengths need to be specified in
accordance with the level of protection dictated by the routing
protocol and the associated application domain transport network.
For most networks, this means use of AES128 in CCM mode, but this
needs to be specified clearly in the applicability statement.</t>
<t>
In terms of the life time of the keys, the opportunity to periodically
change the encryption key increases the offered level of security for
any given implementation. However, where strong cryptography is
employed, physical, procedural, and logical data access protection
considerations may have more significant impact on cryptoperiod
selection than algorithm and key size factors. Nevertheless, in
general, shorter cryptoperiods, during which a single key is applied,
will enhance security.</t>
<t>Given the mandatory protocol requirement to implement routing node
authentication as part of routing integrity (see <xref
target="intf"/>), key exchanges may be coordinated as part of the
integrity verification process. This provides an opportunity to
increase the frequency of key exchange and shorten the cryptoperiod as
a complement to the key length and encryption algorithm required for a
given application domain. </t>
</section>
<section anchor="intf" title="Integrity Features">
<t>The integrity of routing information provides the basis for
ensuring that the function of the routing protocol is achieved and
maintained. To protect integrity, RPL must either run using only the
Secure versions of the messages, or must run over a layer-2 that uses
channel binding between node identity and transmissions.
</t>
<t>Some layer-2 security mechanisms use a single key for the
entire network, and these networks can not provide significant amount
of integrity protection, as any node that has that key may impersonate
any other node. This mode of operation is likely acceptable when an
entire deployment is under the control of a single administrative entity.</t>
<t>Other layer-2 security mechanisms form a unique session key for every
pair of nodes that needs to communicate; this is often called a per-link key.
Such networks can provide a strong
degree of origin authentication and integrity on unicast messages.</t>
<t>However, some RPL messages are broadcast, and even when per-node
layer-2 security mechanisms are used, the integrity and origin authentication
of broadcast messages can not be as trusted due to the proliferation of the key used
to secure them.</t>
<t>RPL has two specific options which are broadcast in RPL Control Messages: the DODAG
Information Object (DIO), and the DODAG Information Solicitation (DIS).
The purpose of the DIS is to cause
potential parents to reply with a DIO, so the integrity of the DIS is not
of great concern. The DIS may also be unicast.
</t>
<t>The DIO is a critical piece of routing and carries many critical parameters.
RPL provides for asymmetric authentication at layer 3 of the RPL Control Message
carrying the DIO and this may be warranted in some deployments.
A node could, if it felt that the
DIO that it had received was suspicious, send a unicast DIS message to the
node in question, and that node would reply with a unicast DIS. Those messages
could be protected with the per-link key.
</t>
</section>
<section anchor="avaf" title="Availability Features">
<t>Availability of routing information is linked to system and network
availability which in the case of LLNs require a broader security view
beyond the requirements of the routing entities.
Where availability of the network is
compromised, routing information availability will be accordingly
affected. However, to specifically assist in protecting routing
availability, nodes: <list style="symbols">
<t>MAY restrict neighborhood cardinality;</t>
<t>MAY use multiple paths;</t>
<t>MAY use multiple destinations;</t>
<t>MAY choose randomly if multiple paths are available;</t>
<t>MAY set quotas to limit transmit or receive volume;</t>
<t>MAY use geographic information for flow control.</t>
</list></t>
</section>
<section anchor="keymanage" title="Key Management">
<t>The functioning of the routing security services requires keys and
credentials. Therefore, even though not directly a RPL security
requirement, an LLN MUST have a process for initial key and credential
configuration, as well as secure storage within the associated
devices. Anti-tampering SHOULD be a consideration in physical design.
Beyond initial credential configuration, an LLN is also encouraged to
have automatic procedures for the revocation and replacement of the
maintained security credentials.</t>
<t>While RPL has secure modes, but some modes are impractical without
use of public key cryptography believed to be too expensive by many.
RPL layer-3 security will often depend upon existing LLN layer-2
security mechanisms, which provides for node authentication, but
little in the way of node authorization.</t>
</section>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>This memo includes no request to IANA.</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>The analysis presented in this document provides security analysis
and design guidelines with a scope limited to RPL. Security services are
identified as requirements for securing RPL. The specific mechanisms to
be used to deal with each threat is specified in link-layer and
deployment specific applicability statements.</t>
</section>
<!-- Possibly a 'Contributors' section ... -->
<section anchor="Acknowledgements" title="Acknowledgments">
<t>The authors would like to acknowledge the review and comments from
Rene Struik and JP Vasseur. The authors would also like to acknowledge
the guidance and input provided by the RPL Chairs, David Culler, and JP
Vasseur, and the Area Director Adrian Farrel.</t>
<t>This document started out as a combined threat and solutions
document. As a result of security review, the document was split up by
RPL co-Chair Michael Richardson and security Area Director Sean Turner
as it went through the IETF publication process. The solutions to the
threats are application and layer-2 specific, and have therefore been
moved to the relevant applicability statements.</t>
<t>Ines Robles and Robert Cragie kept track of the many issues that were raised
during the development of this document</t>
</section>
</middle>
<!-- *****BACK MATTER ***** -->
<back>
<!-- References split into informative and normative -->
<!-- There are 2 ways to insert reference entries from the citation libraries:
1. define an ENTITY at the top, and use "ampersand character"RFC2629; here (as shown)
2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml"?> here
(for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.xml")
Both are cited textually in the same manner: by using xref elements.
If you use the PI option, xml2rfc will, by default, try to find included files in the same
directory as the including file. You can also define the XML_LIBRARY environment variable
with a value containing a set of directories to search. These can be either in the local
filing system or remote ones accessed by http (http://domain/dir/... ).-->
<references title="Normative References">
<?rfc include="reference.RFC.2119" ?>
&RFC4107;
&RFC6550;
<?rfc include="reference.RFC.7102" ?>
&RFC6719;
&ZigBeeIP;
</references>
<references title="Informative References">
<!-- Here we use entities that we defined at the beginning. -->
<?rfc include="reference.RFC.7142" ?>
&RFC2328;
&RFC3610;
&RFC4732;
&RFC4949;
&RFC4593;
&RFC5751;
<?rfc include="reference.RFC.5216" ?>
<?rfc include="reference.RFC.5191" ?>
&RFC6192;
&RFC6574;
<?rfc include="reference.I-D.gilger-smart-object-security-workshop" ?>
&RFC6824;
<!--
<reference anchor="FIPS180">
<front>
<title>Federal Information Processing Standards Publication 180-3:
Secure Hash Standard (SHS)</title>
<author></author>
<date month="Oct." year="2008" />
</front>
<seriesInfo name="US"
value="National Institute of Standards and Technology" />
</reference>
<reference anchor="SP800-38A">
<front>
<title>NIST Special Publication 800-38A, Recommendation for Block
Cipher Modes of Operation</title>
<author></author>
<date month="Dec." year="2001" />
</front>
<seriesInfo name="US"
value="National Institute of Standards and Technology" />
</reference>
-->
<reference anchor="Perlman1988">
<front>
<title>Network Layer Protocols with Byzantine Robustness</title>
<author initials="N" surname="Perlman">
<organization/>
</author>
<date month="" year="1988"/>
</front>
<seriesInfo name="MIT LCS Tech Report," value="429"/>
</reference>
<reference anchor="AceCharterProposal"
target="http://trac.tools.ietf.org/wg/core/trac/wiki/ACE_charter">
<front>
<title>Authentication and Authorization for Constrained Environment
Charter (work-in-progress)</title>
<author initials="Kepeng" role="editor" surname="Li">
<organization/>
</author>
<date month="December" year="2013"/>
</front>
</reference>
<reference anchor="SolaceProposal"
target="http://www.ietf.org/mail-archive/web/solace/current/msg00015.html">
<front>
<title>Notes from the SOLACE ad-hoc at IETF85
(work-in-progress)</title>
<author initials="C." role="editor" surname="Bormann">
<organization/>
</author>
<date month="November" year="2012"/>
</front>
</reference>
<reference anchor="SmartObjectSecurityWorkshop"
target="http://www.lix.polytechnique.fr/hipercom/SmartObjectSecurity">
<front>
<title>Workshop on Smart Object Security</title>
<author initials="T." role="editor" surname="Klausen">
<organization/>
</author>
<date month="March" year="2012"/>
</front>
</reference>
<reference anchor="Karlof2003"
target="http://nest.cs.berkeley.edu/papers/sensor-route-security.pdf">
<front>
<title>Secure routing in wireless sensor networks: attacks and
countermeasures</title>
<author initials="C" surname="Karlof">
<organization/>
</author>
<author initials="D" surname="Wagner">
<organization/>
</author>
<date month="September" year="2003"/>
</front>
<seriesInfo name="Elsevier AdHoc Networks Journal, Special Issue on Sensor Network Applications and Protocols,"
value="1(2):293-315"/>
</reference>
&RFC5826;
&RFC5867;
&RFC5548;
&RFC5673;
&I-D.suhopark-hello-wsn;
&I-D.kelsey-intarea-mesh-link-establishment;
&ISO.7498-2.1988;
<!-- &I-D.ietf-rpsec-ospf-vuln; -->
<reference anchor="Myagmar2005">
<front>
<title>Threat Modeling as a Basis for Security Requirements</title>
<author initials="S" surname="Myagmar">
<organization/>
</author>
<author initials="AJ" surname="Lee">
<organization/>
</author>
<author initials="W" surname="Yurcik">
<organization/>
</author>
<date month="Aug 29," year="2005"/>
</front>
<seriesInfo name="in Proceedings of the Symposium on Requirements Engineering for Information Security (SREIS'05),"
value="Paris, France"/>
<seriesInfo name="pp." value="94-102"/>
</reference>
<reference anchor="Wan2004">
<front>
<title>S-RIP: A Secure Distance Vector Routing Protocol</title>
<author initials="T" surname="Wan">
<organization/>
</author>
<author initials="E" surname="Kranakis">
<organization/>
</author>
<author initials="PC" surname="van Oorschot">
<organization/>
</author>
<date month="Jun. 8-11" year="2004"/>
</front>
<seriesInfo name="in Proceedings of the 2nd International Conference on Applied Cryptography and Network Security,"
value="Yellow Mountain, China"/>
<seriesInfo name="pp." value="103-119"/>
</reference>
<reference anchor="Sybil2002">
<front>
<title>The Sybil Attack</title>
<author initials="J." surname="Douceur">
<organization/>
</author>
<date month="March" year="2002" />
</front>
<seriesInfo name="First International Workshop on Peer-to-Peer Systems" value=""/>
</reference>
<reference anchor="IEEE.802.15.4" target="http://standards.ieee.org/getieee802/802.15.html">
<front>
<title>
Information technology - Telecommunications and information exchange between systems -
Local and metropolitan area networks - Specific requirements -
Part 15.4: Wireless Medium Access Control (MAC) and Physical Layer (PHY) Specifications for Low Rate Wireless Personal Area Networks (LR-WPANs)
</title>
<author />
<date year="2006" month="June"/>
</front>
<seriesInfo name="IEEE" value="Std 802.15.4-2006"/>
</reference>
<reference anchor="IEEE.802.11">
<front>
<title>
Draft Standard for
Information Technology -
Telecommunications and information
exchange between systems -
Local and metropolitan area networks
Specific requirements -
Part 11: Wireless LAN Medium Access Control (MAC)
and Physical Layer (PHY) specifications
</title>
<author />
<date year="2006" />
</front>
<seriesInfo name="IEEE" value="802.11-REVma" />
</reference>
<reference anchor="Yourdon1979">
<front>
<title>Structured Design</title>
<author initials="E" surname="Yourdon">
<organization/>
</author>
<author initials="L" surname="Constantine">
<organization/>
</author>
<date month="" year="1979"/>
</front>
<seriesInfo name="Yourdon Press," value="New York"/>
<seriesInfo name="Chapter 10, pp." value="187-222"/>
</reference>
</references>
</back>
</rfc>
<!-- Keep this comment at the end of the file
Local variables:
mode: xml
sgml-omittag:nil
sgml-shorttag:nil
sgml-namecase-general:nil
sgml-general-insert-case:lower
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:2
sgml-indent-data:t
sgml-parent-document:nil
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
-->
| PAFTECH AB 2003-2026 | 2026-04-23 21:49:02 |