One document matched: draft-tsao-roll-security-framework-01.xml
<?xml version="1.0" encoding="US-ASCII"?>
<!-- This template is for creating an Internet Draft using xml2rfc, which is available here: http://xml.resource.org. -->
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!-- One method to get references from the online citation libraries.
There has to be one entity for each item to be referenced.
An alternate method (rfc include) is described in the references. -->
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC2328 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2328.xml">
<!ENTITY RFC2453 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2453.xml">
<!ENTITY RFC2080 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2080.xml">
<!ENTITY RFC5340 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5340.xml">
<!ENTITY RFC4949 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4949.xml">
<!ENTITY RFC3654 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3654.xml">
<!ENTITY RFC4593 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4593.xml">
<!ENTITY RFC4822 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4822.xml">
<!ENTITY I-D.ietf-roll-terminology SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-roll-terminology-01.xml">
<!ENTITY RFC5548 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.5548.xml">
<!ENTITY I-D.ietf-roll-indus-routing-reqs SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-roll-indus-routing-reqs-06.xml">
<!ENTITY I-D.ietf-roll-home-routing-reqs SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-roll-home-routing-reqs-08.xml">
<!ENTITY I-D.ietf-roll-building-routing-reqs SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-roll-building-routing-reqs-07.xml">
<!ENTITY I-D.suhopark-hello-wsn SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-suhopark-hello-wsn-00.xml">
<!ENTITY I-D.ietf-rpsec-ospf-vuln SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-rpsec-ospf-vuln-02.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<!-- used by XSLT processors -->
<!-- For a complete list and description of processing instructions (PIs), please see http://xml.resource.org/authoring/README.html. -->
<!-- Below are generally applicable Processing Instructions (PIs) that most I-Ds might want to use. (Here they are set differently than their defaults in xml2rfc v1.32) -->
<?rfc strict="yes" ?>
<!-- give errors regarding ID-nits and DTD validation -->
<!-- control the table of contents (ToC) -->
<?rfc toc="yes"?>
<!-- generate a ToC -->
<?rfc tocdepth="4"?>
<!-- the number of levels of subsections in ToC. default: 3 -->
<!-- control references -->
<?rfc symrefs="yes"?>
<!-- use symbolic references tags, i.e, [RFC2119] instead of [1] -->
<?rfc sortrefs="yes" ?>
<!-- sort the reference entries alphabetically -->
<!-- control vertical white space (using these PIs as follows is recommended by the RFC Editor) -->
<?rfc compact="yes" ?>
<!-- do not start each main section on a new page -->
<?rfc subcompact="no" ?>
<!-- keep one blank line between list items -->
<!-- end of list of popular I-D processing instructions -->
<rfc category="info" docName="draft-tsao-roll-security-framework-01"
ipr="trust200902">
<!-- category values: std, bcp, info, exp, and historic ipr values: full3667, noModification3667, noDerivatives3667 you can add the attributes updates="NNNN" and obsoletes="NNNN" hey will automatically be output with "(if approved)" -->
<!-- ***** FRONT MATTER ***** -->
<front>
<!-- The abbreviated title is used in the page header - it is only necessary if the full title is longer than 39 characters -->
<title abbrev="Security Framework for ROLL">A Security Framework for
Routing over Low Power and Lossy Networks</title>
<!-- add 'role="editor"' below for the editors if appropriate -->
<!-- Another author who claims to be an editor -->
<author fullname="Tzeta Tsao" initials="T." role="editor" surname="Tsao">
<organization>Eka Systems</organization>
<address>
<postal>
<street>20201 Century Blvd. Suite 250</street>
<!-- Reorder these if your country does things differently -->
<city>Germantown</city>
<region>Maryland</region>
<code>20874</code>
<country>USA</country>
</postal>
<email>tzeta.tsao@ekasystems.com</email>
<!-- uri and facsimile elements may also be added -->
</address>
</author>
<author fullname="Roger K. Alexander" initials="R.K." role="editor"
surname="Alexander">
<organization>Eka Systems</organization>
<address>
<postal>
<street>20201 Century Blvd. Suite 250</street>
<!-- Reorder these if your country does things differently -->
<city>Germantown</city>
<region>Maryland</region>
<code>20874</code>
<country>USA</country>
</postal>
<email>roger.alexander@ekasystems.com</email>
<!-- uri and facsimile elements may also be added -->
</address>
</author>
<author fullname="Mischa Dohler" initials="M." role="editor"
surname="Dohler">
<organization>CTTC</organization>
<address>
<postal>
<street>Parc Mediterrani de la Tecnologia, Av. Canal Olimpic
S/N</street>
<!-- Reorder these if your country does things differently -->
<code>08860</code>
<city>Castelldefels</city>
<region>Barcelona</region>
<country>Spain</country>
</postal>
<email>mischa.dohler@cttc.es</email>
<!-- uri and facsimile elements may also be added -->
</address>
</author>
<author fullname="Vanesa Daza" initials="V." role="editor" surname="Daza">
<organization>Universitat Pompeu Fabra</organization>
<address>
<postal>
<street>P/ Circumval.lacio 8, Oficina 308</street>
<!-- Reorder these if your country does things differently -->
<code>08003</code>
<region>Barcelona</region>
<country>Spain</country>
</postal>
<email>vanesa.daza@upf.edu</email>
<!-- uri and facsimile elements may also be added -->
</address>
</author>
<author fullname="Angel Lozano" initials="A." role="editor"
surname="Lozano">
<organization>Universitat Pompeu Fabra</organization>
<address>
<postal>
<street>P/ Circumval.lacio 8, Oficina 309</street>
<!-- Reorder these if your country does things differently -->
<code>08003</code>
<region>Barcelona</region>
<country>Spain</country>
</postal>
<email>angel.lozano@upf.edu</email>
<!-- uri and facsimile elements may also be added -->
</address>
</author>
<date month="September" year="2009" />
<!-- If the month and year are both specified and are the current ones, xml2rfc will fill in the current day for you. If only the current year is specified, xml2rfc will fill in the current day and month for you. If the year is not the current one, it is necessary to specify at least a month (xml2rfc assumes day="1" if not specified for the purpose of calculating the expiry date). With drafts it is normally sufficient to specify just the year. -->
<!-- Meta-data Declarations -->
<area>Routing</area>
<workgroup>Networking Working Group</workgroup>
<!-- WG name at the upperleft corner of the doc, IETF is fine for individual submissions. If this element is not present, the default is "Network Working Group", which is used by the RFC Editor as a nod to the history of the IETF. -->
<keyword>ROLL, security</keyword>
<!-- Keywords will be incorporated into HTML output files in a meta tag but they have no effect on text or nroff output. If you submit your draft to the RFC Editor, the keywords will be used for the search engine. -->
<abstract>
<t>This document presents a security framework for routing over low
power and lossy networks. The development of the framework builds upon
previous work on routing security and adapts the security assessments to
the issues and constraints specific to low power and lossy networks. A
systematic approach is used in defining and assessing the security
threats and identifying applicable countermeasures. These assessments
provide the basis of the security recommendations for incorporation into
low power, lossy network routing protocols.</t>
</abstract>
<note title="Requirements Language">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in <xref
target="RFC2119">RFC 2119</xref>.</t>
</note>
</front>
<middle>
<section title="Terminology">
<t>This document conforms to the terminology defined in <xref
target="I-D.ietf-roll-terminology"></xref>, with the following
additions.</t>
<t><list hangIndent="6" style="hanging">
<t hangText="Link Cost">A quantification of chosen characteristics
of a link.</t>
<t hangText="Node">A base unit of a network, e.g., a router or a
host on a low power and lossy network.</t>
<t hangText="Routing Metric">A function of link costs along routes,
whose value gives rise to preference of routing choices.</t>
</list></t>
</section>
<section anchor="intro" title="Introduction">
<t>In recent times, networked wireless devices have found an increasing
number of applications in various fields. Yet, for reasons ranging from
operational application to economics, these wireless devices are often
supplied with minimum physical resources, e.g., limited power reserve,
slow speed or low capability computation, or small memory size. As a
consequence, the resulting networks are more prone to loss of traffic
and other vulnerabilities. The proliferation of these low power and
lossy networks (LLNs), however, are drawing efforts to examine and
address their potential networking challenges.</t>
<t>This document presents a framework for securing routing over low
power and lossy networks (ROLL) through an analysis that starts from the
routing basics. The objective is two-fold. First, the framework will be
used to identify pertinent security issues. Second, it will facilitate
both the assessment of a protocol's security threats and the
identification of the necessary features for development of secure
protocols for ROLL.</t>
<t>The approach adopted in this effort proceeds in four steps, to
examine ROLL security issues, to analyze threats and attacks, to
consider the countermeasures, and then to make recommendations for
securing ROLL. The basis is found on identifying the assets and points
of access of routing and evaluating their security needs based on the
Confidentiality, Integrity, and Availability (CIA) model in the context
of LLN.</t>
</section>
<section anchor="gen-rpsec" title="Considerations on ROLL Security">
<t>This section sets the stage for the development of the framework by
applying the systematic approach proposed in <xref
target="Myagmar2005"></xref> to the routing security problem, while also
drawing references from other reviews and assessments found in the
literature, particularly, <xref target="RFC4593"></xref> and <xref
target="Karlof2003"></xref>. The subsequent subsections begin with a
focus on the elements of a generic routing process that is used to
establish routing assets and points of access of the routing
functionality. Next, the CIA security model is briefly described. Then,
consideration is given to issues specific to or magnified in LLNs.</t>
<section anchor="assets" title="Routing Assets and Points of Access">
<t>An asset implies important system component (including information,
process, or physical resource), the access to, corruption or loss of
which adversely affects the system. In network routing, assets lie in
the routing information, routing process, and node's physical
resources. That is, the access to, corruption, or loss of these
elements adversely affects system routing. In network routing, a point
of access refers to the point of entry facilitating communication with
or other interaction with a system component in order to use system
resources to either manipulate information or gain knowledge of the
information contained within the system. Security of the routing
protocol must be focused on the assets of the routing nodes and the
points of access of the information exchanges and information storage
that may permit routing compromise. The identification of routing
assets and points of access hence provides a basis for the
identification of associated threats and attacks.</t>
<t>This subsection identifies assets and points of access of a generic
routing process with a level-0 data flow diagram. The use of the data
flow diagram allows for a clear, concise model of the routing
functionality; it also has the benefit of showing the manner in which
nodes participate in the routing process, thus providing context when
later threats and attacks are considered. The goal of the model is to
be as detailed as possible so that corresponding components and
mechanisms in an individual routing protocol can be readily
identified, but also to be as general as possible to maximize the
relevancy of this effort for the various existing and future
protocols. Nevertheless, there may be discrepancies, likely in the
form of additional elements, when the model is applied to some
protocols. For such cases, the analysis approach laid out in this
document should still provide a valid and illustrative path for their
security assessment.</t>
<t><xref target="Fig1"></xref> shows that nodes participating in the
routing process transmit messages to determine their neighbors
(neighbor discovery). Using the neighboring relationships, routing
protocols may exchange network topology (including link-specific
information) to generate routes or may exchange routes directly as
part of a routing exchange; nodes which do not directly participate in
the process with a given node will get the route/topology information
relayed from others. It is likely that a node will store some or all
of the routes and topology information according to tradeoffs of node
resources and latency associated with the particular routing protocol.
The nodes use the derived routes for making forwarding decisions.</t>
<figure align="center" anchor="Fig1"
title="Data Flow Diagram of a Generic Routing Process">
<preamble></preamble>
<artwork align="left"><![CDATA[
...................................................
: :
: _________________ :
|Node_i|<------->(Neighbor Discovery)--->Neighbor Topology :
: ----------------- :
: | :
|Node_j|<------->(Route/Topology +--------+ :
: Exchange ) | :
: | V ______ :
: +---->(Route Generation)--->Routes :
: ------ :
: | :
: Routing on a Node Node_k | :
...................................................
|
|Forwarding |
On Node_k |<------------------------------------------+
Notation:
(Proc) A process Proc
________
DataBase A data storage DataBase
--------
|Node_n| An external entity Node_n
-------> Data flow
]]></artwork>
<postamble></postamble>
</figure>
<t>It is seen from <xref target="Fig1"></xref> that <list
style="symbols">
<t>Assets include<list style="symbols">
<t>routing and/or topology information;</t>
<t>communication channel resources (bandwidth);</t>
<t>node resources (computing capacity, memory, and remaining
energy);</t>
<t>node identifiers (including node identity and ascribed
attributes such as relative or absolute node location).</t>
</list></t>
<t>Points of access include<list style="symbols">
<t>neighbor discovery;</t>
<t>route/topology exchange;</t>
<t>node physical interfaces (including access to data
storage).</t>
</list></t>
</list>A focus on the above list of assets and points of access
enables a more directed assessment of routing security. Indeed, the
intention is to be comprehensive; nonetheless, the discussions to
follow on physical related issues are not related to routing protocol
design but provided for reference since they do have direct
consequences on the security of routing.</t>
</section>
<section anchor="cia" title="The CIA Security Reference Model">
<t>At the conceptual level, security within an information system in
general and applied to ROLL in particular is concerned with the
primary issues of confidentiality, integrity, and availability. In the
context of ROLL:</t>
<t><list hangIndent="6" style="hanging">
<t hangText="Confidentiality"><vspace />Confidentiality involves
the protection of routing information as well as routing neighbor
maintenance exchanges so that only authorized and intended network
entities may view or access it. Because of the wireless, and
sometimes ad hoc, nature of the network, confidentiality also
extends to the neighbor state and database information within the
routing device since the deployment of the network creates the
potential for unauthorized access to the physical devices
themselves.</t>
<t hangText="Integrity"><vspace />Integrity, as a security
principle, entails the protection of routing information and
routing neighbor maintenance exchanges, as well as derived
information maintained in the database, from misuse or
unauthorized and improper modification. In addition, integrity
also requires the authenticity of claimed identity in the origin
and destination of a message, access and removal of data,
execution of the routing process, and use of computing and energy
resources.</t>
<t hangText="Availability"><vspace />Availability ensures that
routing information exchanges and forwarding services need to be
available when they are required for the functioning of the
serving network. Availability will apply to maintaining efficient
and correct operation of routing and neighbor discovery exchanges
(including needed information) and forwarding services so as not
to impair or limit the network's central traffic flow
function.</t>
</list></t>
<t>It is noted that, besides those captured in the CIA model,
non-repudiation is another security concern evaluated. With respect to
routing, non-repudiation will involve providing some ability to allow
traceability or network management review of participants of the
routing process including the ability to determine the events and
actions leading to a particular routing state. Non-repudiation implies
after the fact and thus relies on the logging or other capture of
on-going routing exchanges. Given the limited resources of a node and
potentially the communication channel, and considering the operating
mode associated with LLNs, routing transaction logging or auditing
process communication overhead will not be practical; as such,
non-repudiation is not further considered as a relevant ROLL security
issue.</t>
<t>Based upon the CIA model, a high-level assessment of the security
needs of the assets found in <xref target="assets"></xref> shows
that<list style="symbols">
<t>routing/topology information needs to be integrity protected,
maintained with confidentiality, and prevented from unauthorized
use;</t>
<t>neighbor discovery process needs to operate without undermining
routing availability;</t>
<t>routing/topology exchange process needs to ensure that the
participants are authenticated, the communication of information
is integrity protected and confidential;</t>
<t>communication channels and node resources need to have their
availability maintained;</t>
<t>the internal and external interfaces of a node need to be
protected to ensure that integrity and confidentiality of stored
information is maintained as well as the integrity of routing and
route generation processes is assured.</t>
</list>Each individual system's use and environment will dictate how
the above general assessments are applied, including the choices of
security services as well as the strengths of the mechanisms that must
be implemented. The next subsection brings LLN-related issues to
light.</t>
</section>
<section anchor="issues" title="Issues Specific to or Magnified in LLNs">
<t>The work <xref target="RFC5548"></xref>, as well as three other
ongoing efforts, <xref
target="I-D.ietf-roll-indus-routing-reqs"></xref>, <xref
target="I-D.ietf-roll-home-routing-reqs"></xref>, and <xref
target="I-D.ietf-roll-building-routing-reqs"></xref>, have identified
ROLL specific requirements and constraints for the urban, industrial,
home automation, and building automation application domains,
respectively. The following is a list of observations and evaluation
of their impact on routing security considerations.</t>
<t><list hangIndent="6" style="hanging">
<t
hangText="Limited energy reserve, memory, and processing resources"><vspace />As
a consequence of these constraints, there is an even more critical
need than usual for a careful trade study on which and what level
of security services are to be afforded during the system design
process. In addition, routing schemes based on various metrics
have been proposed, e.g., geographic location. Transmission and
exchanging such metrics may have security and/or privacy
concerns.</t>
<t hangText="Large scale of rolled out network"><vspace />The
possibly numerous nodes to be deployed, as well as the general
level of expertise of the installers, make manual on-site
configuration unlikely. Prolonged rollout and delayed addition of
nodes, which may be from old inventory, over the lifetime of the
network, also complicate the operations of key management.</t>
<t hangText="Autonomous operations"><vspace />Self-forming and
self-organizing are commonly prescribed requirements of ROLL. In
other words, a ROLL protocol needs to contain elements of ad hoc
networking and cannot rely on manual configuration for
initialization or local filtering rules.</t>
<t hangText="Highly directional traffic"><vspace />Some types of
LLNs see a high percentage of their total traffic traverse between
the nodes and the gateways where the LLNs connect to wired
networks. The special routing status of and the greater volume of
traffic near the gateways have routing security consequences.</t>
<t
hangText="Unattended locations and limited physical security"><vspace />Many
applications have the nodes deployed in unattended or remote
locations; furthermore, the nodes themselves are often built with
minimal physical protection. These constraints lower the barrier
of accessing the data or security material stored on the nodes
through physical means.</t>
<t hangText="Support for mobility"><vspace />On the one hand, only
a number of applications require the support of mobile nodes,
e.g., a home LLN that includes nodes on wearable health care
devices or an industry LLN that includes nodes on cranes and
vehicles. On the other hand, if a routing protocol is indeed used
in such applications, it will clearly need to have corresponding
security mechanisms.</t>
<t hangText="Support for multicast and anycast"><vspace />ROLL
support for multicast and anycast is called out chiefly for
large-scale networks. As these are relatively new routing
technologies, there has been an ongoing effort devoted to their
security mechanisms, e.g., from the IETF Multicast Security
working group. However, the threat model and attack analysis are
still areas not fully evaluated, and hence their impact is not yet
fully understood, whether in a wired, wireless, or LLN.</t>
</list></t>
<t>The above list considers how a LLN's physical constraints, size,
operations, and varieties of application areas may impact security. It
is noted here also that LLNs commonly have the majority, if not all,
of their nodes equipped to route. One of the consequences is that the
distinction between the link and network layers become artificial in
some respects. Similarly, the distinction between a host and a router
is blurred, especially when the set of applications running on a node
is small. The continued evolution of ROLL and its security
functionality requirements need close attention.</t>
</section>
</section>
<section anchor="threats" title="Threats and Attacks">
<t>This section outlines general categories of threats under the CIA
model and highlights the specific attacks in each of these categories
for ROLL. As defined in <xref target="RFC4949"></xref>, a threat is "a
potential for violation of security, which exists when there is a
circumstance, capability, action, or event that could breach security
and cause harm." An attack is "an assault on system security that
derives from an intelligent threat, i.e., an intelligent act that is a
deliberate attempt (especially in the sense of a method or technique) to
evade security services and violate the security policy of a
system."</t>
<t>The subsequent subsections consider the threats and their realizing
attacks that can cause security breaches under the CIA model to the
assets identified in <xref target="assets"></xref>. The analysis steps
through the security concerns of each routing asset and looks at the
attacks that can exploit points of access. The manifestation of the
attacks is assumed to be from either inside or outside attackers, whose
capabilities may be limited to node-equivalent or more sophisticated
computing platforms.</t>
<section anchor="conft" title="Threats and Attacks on Confidentiality">
<t>The assessment in <xref target="cia"></xref> indicates that
information assets are exposed to confidentiality threats from all
points of access.</t>
<section anchor="expo" title="Routing Exchange Exposure">
<t>Routing exchanges include both routing information as well as
information associated with the establishment and maintenance of
neighbor state information.</t>
<t>The exposure of routing information exchanged will allow
unauthorized sources to gain access to the content of the exchanges
between communicating nodes. The exposure of neighbor state
information will allow unauthorized sources to gain knowledge of
communication links between routing nodes that are necessary to
maintain routing information exchanges.</t>
<t>The forms of attack that allow unauthorized access or exposure of
routing exchange information, as reported in the literature,
include<list style="symbols">
<t>Deliberate exposure;</t>
<t>Sniffing;</t>
<t>Traffic analysis.</t>
</list></t>
</section>
<section anchor="expo2"
title="Routing Information (Routes and Network Topology) Exposure">
<t>Routes and neighbor topology information are the products of the
routing process that are stored within the node device
databases.</t>
<t>The exposure of this information will allow unauthorized sources
to gain direct access to the configuration and connectivity of the
network thereby exposing routing to targeted attacks on key nodes or
links. Since routes and neighbor topology information is stored
within the node device, threats or attacks on the confidentiality of
the information will apply to the physical device including
specified and unspecified internal and external interfaces.</t>
<t>The forms of attack that allow unauthorized access or exposure of
the routing information (other than occurring through explicit node
exchanges) will include<list style="symbols">
<t>Physical device compromise;</t>
<t>Remote device access attacks (including those occurring
through remote network management or software/field upgrade
interfaces).</t>
</list>More detailed descriptions of the exposure attacks on
routing exchange and information will be given in <xref
target="securing"></xref> together with the corresponding
countermeasures.</t>
</section>
</section>
<section anchor="intt" title="Threats and Attacks on Integrity">
<t>The assessment in <xref target="cia"></xref> indicates that
information and identity assets are exposed to integrity threats from
all points of access.</t>
<section anchor="manipul" title="Routing Information Manipulation">
<t>Manipulation of routing information will allow unauthorized
sources to influence the operation and convergence of the routing
protocols and ultimately impact the forwarding decisions made in the
network. Manipulation of neighbor state (topology) information will
allow unauthorized sources to influence the nodes with which routing
information is exchanged and updated. The consequence of
manipulating routing exchanges can thus lead to sub-optimality and
fragmentation or partitioning of the network by restricting the
universe of routers with which associations can be established and
maintained.</t>
<t>The forms of attack that allow manipulation of routing
information include<list style="symbols">
<t>Falsification, including overclaiming and misclaiming;</t>
<t>Routing information replay;</t>
<t>Physical device compromise.</t>
</list></t>
</section>
<section anchor="mis" title="Node Identity Misappropriation">
<t>Falsification or misappropriation of node identity between
routing participants opens the door for other attacks; it can also
cause incorrect routing relationships to form and/or topologies to
emerge. Routing attacks may also be mounted through less
sophisticated node identity misappropriation in which the valid
information broadcast or exchanged by a node is replayed without
modification. The receipt of seemingly valid information that is
however no longer current can result in routing disruption, and
instability (including failure to converge). Without measures to
authenticate the routing participants and to ensure the freshness
and validity of the received information the protocol operation can
be compromised. The forms of attack that misuse node identity
include<list style="symbols">
<t>Identity (including Sybil) attacks;</t>
<t>Routing information replay.</t>
</list></t>
</section>
</section>
<section anchor="avat" title="Threats and Attacks on Availability">
<t>The assessment in <xref target="cia"></xref> indicates that the
process and resources assets are exposed to availability threats;
attacks of this category may exploit directly or indirectly
information exchange or forwarding.</t>
<section anchor="interf"
title="Routing Exchange Interference or Disruption">
<t>Interference or disruption of routing information exchanges will
allow unauthorized sources to influence the operation and
convergence of the routing protocols by impeding the regularity of
routing information exchange.</t>
<t>The forms of attack that allow interference or disruption of
routing exchange include<list style="symbols">
<t>Routing information replay;</t>
<t>HELLO flood attacks and ACK spoofing;</t>
<t>Overload attacks.</t>
</list></t>
</section>
<section anchor="disrupt"
title="Network Traffic Forwarding Disruption">
<t>The disruption of the network traffic forwarding capability of
the network will undermine the central function of network routers
and the ability to handle user traffic. This threat and the
associated attacks affect the availability of the network because of
the potential to impair the primary capability of the network.</t>
<t>The forms of attack that allows disruption of network traffic
forwarding include<list style="symbols">
<t>Selective forwarding attacks;</t>
<t>Sinkhole attacks;</t>
<t>Wormhole attacks.</t>
</list></t>
</section>
<section anchor="transp" title="Communications Resource Disruption">
<t>Attacks mounted against the communication channel resource assets
needed by the routing protocol can be used as a means of disrupting
its operation. However, while various forms of Denial of Service
(DoS) attacks on the underlying transport subsystem will affect
routing protocol exchanges and operation (for example physical layer
RF jamming in a wireless network or link layer attacks), these
attacks cannot be countered by the routing protocol. As such, the
threats to the underlying transport network that supports routing is
considered beyond the scope of the current document. Nonetheless,
attacks on the subsystem will affect routing operation and so must
be directly addressed within the underlying subsystem and its
implemented protocol layers.</t>
</section>
<section anchor="exh" title="Node Resource Exhaustion">
<t>A potential security threat to routing can arise from attempts to
exhaust the node resource asset by initiating exchanges that can
lead to the undue utilization of exhaustion of processing, memory or
energy resources. The establishment and maintenance of routing
neighbors opens the routing process to engagement and potential
acceptance of multiple neighboring peers. Association information
must be stored for each peer entity and for the wireless network
operation provisions made to periodically update and reassess the
associations. An introduced proliferation of apparent routing peers
can therefore have a negative impact on node resources.</t>
<t>Node resources may also be unduly consumed by the attackers
attempting uncontrolled topology peering or routing exchanges,
routing replays, or the generating of other data traffic floods.
Beyond the disruption of communications channel resources, these
threats may be able to exhaust node resources only where the
engagements are able to proceed with the peer routing entities.
Routing operation and network forwarding functions can thus be
adversely impacted by node resources exhaustion that stems from
attacks that include<list style="symbols">
<t>Identity (including Sybil) attacks;</t>
<t>Routing information replay attacks;</t>
<t>HELLO flood attacks and ACK spoofing;</t>
<t>Overload attacks.</t>
</list></t>
</section>
</section>
</section>
<section anchor="securing" title="Countermeasures">
<t>By recognizing the characteristics of LLNs that may impact routing
and identifying potential countermeasures, this framework provides the
basis for developing capabilities within ROLL protocols to deter the
identified attacks and mitigate the threats. The following subsections
consider such countermeasures by grouping the attacks according to the
classification of the CIA model so that associations with the necessary
security services are more readily visible.</t>
<section anchor="conf-atk"
title="Confidentiality Attack Countermeasures">
<t>Attacks on confidentiality may be mounted at the level of the
routing information assets, at the points of access associated with
routing exchanges between nodes, or through device interface access.
To gain access to routing/topology information, the attacker may rely
on a compromised node that deliberately exposes the information during
the routing exchange process, may rely on passive sniffing or analysis
of routing traffic, or may attempt access through a component or
device interface of a tampered routing node.</t>
<section title="Countering Deliberate Exposure Attacks">
<t>A deliberate exposure attack is one in which an entity that is
party to the routing process or topology exchange allows the
routing/topology information or generated route information to be
exposed to an unauthorized entity during the exchange.</t>
<t>A prerequisite to countering this type of confidentiality attacks
associated with the routing/topology exchange is to ensure that the
communicating nodes are authenticated prior to data encryption
applied in the routing exchange. Authentication ensures that the
nodes are who they claim to be even though it does not provide an
indication of whether the node has been compromised.</t>
<t>To prevent deliberate exposure, the process that communicating
nodes use for establishing communication session keys must be
symmetric at each node so that neither node can independently weaken
the confidentiality of the exchange without the knowledge of its
communicating peer. A deliberate exposure attack will therefore
require more overt and independent action on the part of the
offending node.</t>
<t>Note that the same measures which apply to securing
routing/topology exchanges between operational nodes must also
extend to field tools and other devices used in a deployed network
where such devices can be configured to participate in routing
exchanges.</t>
</section>
<section title="Countering Sniffing Attacks">
<t>A sniffing attack seeks to breach routing confidentiality through
passive, direct analysis and processing of the information exchanges
between nodes. A sniffing attack in an LLN that is not based on a
physical device compromise will rely on the attacker attempting to
directly derive information from the over-the-air routing/topology
communication exchange (neighbor discovery exchanges may of
necessity be conducted in the clear thus limiting the extent to
which the information can be kept confidential).</t>
<t>Sniffing attacks can be directly countered through the use of
data encryption for all routing exchanges. Only when a validated and
authenticated node association is completed will routing exchange be
allowed to proceed using established session confidentiality keys
and an agreed confidentiality algorithm. The level of security
applied in providing confidentiality will determine the minimum
requirement for an attacker mounting this passive security attack.
Because of the resource constraints of LLN devices, symmetric
(private) key session security will provide the best tradeoff in
terms of node and channel resource overhead and the level of
security achieved. This will of course not preclude the use of
asymmetric (public) key encryption during the session key
establishment phase.</t>
<t>As with the key establishment process, data encryption must
include an authentication prerequisite to ensure that each node is
implementing a level of security that prevents deliberate or
inadvertent exposure. The authenticated key establishment will
ensure that confidentiality is not compromised by providing the
information to an unauthorized entity (see also <xref
target="Huang2003"></xref>).</t>
<t>Based on the current state of the art, a minimum 128-bit key
length should be applied where robust confidentiality is demanded
for routing protection. This session key shall be applied in
conjunction with an encryption algorithm that has been publicly
vetted and where applicable approved for the level of security
desired. Algorithms such as AES (adopted by the U.S. government) or
Kasumi-Misty (adopted by the 3GPP 3rd generation wireless mobile
consortium) are examples of symmetric-key algorithms capable of
ensuring robust confidentiality for routing exchanges. The key
length, algorithm and mode of operation will be selected as part of
the overall security tradeoff that also achieves a balance with the
level of confidentiality afforded by the physical device in
protecting the routing assets (see <xref target="phy"></xref>
below).</t>
<t>As with any encryption algorithm, the use of ciphering
synchronization parameters and limitations to the usage duration of
established keys should be part of the security specification to
reduce the potential for brute force analysis.</t>
</section>
<section title="Countering Traffic Analysis">
<t>Traffic analysis provides an indirect means of subverting
confidentiality and gaining access to routing information by
allowing an attacker to indirectly map the connectivity or flow
patterns (including link-load) of the network from which other
attacks can be mounted. The traffic analysis attack on a LLN may be
passive and relying on the ability to read the immutable
source/destination routing information that must remain unencrypted
to permit network routing. Alternatively, attacks can be active
through the injection of unauthorized discovery traffic into the
network. By implementing authentication measures between
communicating nodes, active traffic analysis attacks can be
prevented within the LLN thereby reducing confidentiality
vulnerabilities to those associated with passive analysis.</t>
<t>One way in which passive traffic analysis attacks can be muted is
through the support of load balancing that allows traffic to a given
destination to be sent along diverse routing paths. Where the
routing protocol supports load balancing along multiple links at
each node, the number of routing permutations in a wide area network
surges thus increasing the cost of traffic analysis. Network
analysis through this passive attack will require a wider array of
analysis points and additional processing on the part of the
attacker. In LLNs, the diverse radio connectivity and dynamic links
(including potential frequency hopping) will help to further
mitigate traffic analysis attacks when load balancing is
implemented.</t>
<t>The only means of fully countering a traffic analysis attack is
through the use of tunneling (encapsulation) where encryption is
applied across the entirety of the original packet
source/destination addresses. With tunneling there is a further
requirement that the encapsulating intermediate nodes apply an
additional layer of routing so that traffic arrives at the
destination through dynamic routes. For LLNs, memory and processing
constraints as well as the limitations of the communication channel
will preclude both the additional routing traffic overhead and the
node implementation required for tunneling countermeasures to
traffic analysis.</t>
</section>
<section anchor="phy" title="Countering Physical Device Compromise">
<t>Given the distributed nature of LLNs, confidentiality of routing
assets and points of access will rely heavily on the security of the
routing devices. One means of precluding attacks on the physical
device is to prevent physical access to the node through other
external security means. However, given the environment in which
LLNs operate, preventing unauthorized access to the physical device
cannot be assured. Countermeasures must therefore be employed at the
device and component level so that routing/topology or neighbor
information and stored route information cannot be accessed even if
physical access to the node is obtained.</t>
<t>With the physical device in the possession of an attacker,
unauthorized information access can be attempted by probing internal
interfaces or device components. Device security must therefore move
to preventing the reading of device processor code or memory
locations without the appropriate security keys and in preventing
the access to any information exchanges occurring between individual
components. Information access will then be restricted to external
interfaces in which confidentiality, integrity and authentication
measures can be applied.</t>
<t>To prevent component information access, deployed routing devices
must ensure that their implementation avoids address or data buses
being connected to external general purpose input/output (GPIO)
pins. Beyond this measure, an important component interface to be
protected against attack is the Joint Test Action Group (JTAG)
interface used for component and populated circuit board testing
after manufacture. To provide security on the routing devices,
components should be employed that allow fuses on the JTAG
interfaces to be blown to disable access. This will raise the bar on
unauthorized component information access within a captured
device.</t>
<t>At the device level a key component information exchange is
between the microprocessor and it associated external memory. While
encryption can be implemented to secure data bus exchanges, the use
of integrated physical packaging which avoids inter-component
exchanges (other than secure external device exchanges) will
increase routing security against a physical device interface
attack. With an integrated package and disabled internal component
interfaces, the level of physical device security can be controlled
by managing the degree to which the device packaging is protected
against expert physical decomposition and analysis.</t>
<t>The device package should be hardened such that attempts to
remove the integrated components will result in damage to access
interfaces, ports or pins that prevent retrieval of code or stored
information. The degree of VLSI or PCB package security through
manufacture can be selected as a tradeoff or desired security
consistent with the level of security achieved by measures applied
for other routing assets and points of access. With package
hardening and restricted component access countermeasures, the
security level will be raised to that provided by measures employed
at the external communications interfaces.</t>
<t>Another area of node interface vulnerability is that associated
with interfaces provided for remote software or firmware upgrades.
This may impact both routing information and routing/topology
exchange security where it leads to unauthorized upgrade or change
to the routing protocol running on a given node as this type of
attack can allow for the execution of compromised or intentionally
malicious routing code on multiple nodes. Countermeasures to this
device interface confidentiality attack needs to be addressed in the
larger context of node remote access security. This will ensure not
only the authenticity of the provided code (including routing
protocol) but that the process is initiated by an authorized
(authenticated) entity.</t>
<t>The above identified countermeasures against attacks on routing
information confidentiality through internal device interface
compromise must be part of the larger LLN system security as they
cannot be addressed within the routing protocol itself. Similarly,
the use of field tools or other devices that allow explicit access
to node information must implement security mechanisms to ensure
that routing information can be protected against unauthorized
access. These protections will also be external to the routing
protocol and hence not part of ROLL.</t>
</section>
<section anchor="remote"
title="Countering Remote Device Access Attacks">
<t>Where LLN nodes are deployed in the field, measures are
introduced to allow for remote retrieval of routing data and for
software or field upgrades. These paths create the potential for a
device to be remotely accessed across the network or through a
provided field tool. In the case of network management a node can be
directly requested to provide routing tables and neighbor
information.</t>
<t>To ensure confidentiality of the node routing information against
attacks through remote access, any device local or remote requesting
routing information must be authenticated to ensure authorized
access. Since remote access is not invoked as part of a routing
protocol security of routing information stored on the node against
remote access will not be addressable as part of the routing
protocol.</t>
</section>
</section>
<section anchor="integ-atk" title="Integrity Attack Countermeasures">
<t>Integrity attack countermeasures address routing information
manipulation, as well as node identity and routing information misuse.
Manipulation can occur in the form of falsification attack and
physical compromise. To be effective, the following development
considers the two aspects of falsification, namely, the tampering
actions and the overclaiming and misclaiming content. The countering
of physical compromise was considered in the previous section and is
not repeated here. With regard to misuse, there are two types of
attacks to be deterred, identity attacks and replay attacks.</t>
<section title="Countering Tampering Attacks">
<t>Tampering may occur in the form of altering the message being
transferred or the data stored. Therefore, it is necessary to ensure
that only authorized nodes can change the portion of the information
that is allowed to be mutable, while the integrity of the rest of
the information is protected, e.g., through well-studied
cryptographic mechanisms.</t>
<t>Tampering may also occur in the form of insertion or deletion of
messages during protocol changes. Therefore, the protocol needs to
ensure the integrity of the sequence of the exchange sequence.</t>
<t>The countermeasure to tampering needs to<list style="symbols">
<t>implement access control on storage;</t>
<t>provide data integrity service to transferred messages and
stored data;</t>
<t>include sequence number under integrity protection.</t>
</list></t>
</section>
<section title="Countering Overclaiming and Misclaiming Attacks">
<t>Both overclaiming and misclaiming aim to introduce false routes
or topology that would not be generated by the network otherwise,
while there is not necessarily tampering. The requisite for a
counter is the capability to determine unreasonable routes or
topology.</t>
<t>The counter to overclaiming and misclaiming may employ<list
style="symbols">
<t>comparison with historical routing/topology data;</t>
<t>designs which restrict realizable network topologies.</t>
</list></t>
</section>
<section anchor="entity"
title="Countering Identity (including Sybil) Attacks">
<t>Identity attacks, sometimes simply called spoofing, seek to gain
or damage assets whose access is controlled through identity. In
routing, an identity attacker can illegitimately participate in
routing exchanges, distribute false routing information, or cause an
invalid outcome of a routing process.</t>
<t>A perpetrator of Sybil attacks assumes multiple identities. The
result is not only an amplification of the damage to routing, but
extension to new areas, e.g., where geographic distribution is
explicit or implicit an asset to an application running on the
LLN.</t>
<t>The counter of identity attacks need to ensure the authenticity
and liveness of the parties of a message exchange; the measure may
use shared key or public key based authentication scheme. On the one
hand, the large-scale nature of the LLNs makes the network-wide
shared key scheme undesirable from a security perspective; on the
other hand, public-key based approaches generally require more
computational resources. Each system will need to make trade-off
decisions based on its security requirements.</t>
</section>
<section anchor="replay"
title="Countering Routing Information Replay Attacks">
<t>In routing, message replay can result in false topology and/or
routes. The counter of replay attacks need to ensure the freshness
of the message. On the one hand, there are a number of mechanisms
commonly used for countering replay. On the other hand, the choice
should take into account how a particular mechanism is made
available in a LLN. For example, many LLNs have a central source of
time and have it distributed by relaying, such that secured time
distribution becomes a prerequisite of using timestamping to counter
replay.</t>
</section>
</section>
<section anchor="avail-atk" title="Availability Attack Countermeasures">
<t>As alluded to before, availability requires that routing
information exchanges and forwarding mechanisms be available when
needed so as to guarantee a proper functioning of the network. This
may, e.g., include the correct operation of routing information and
neighbor state information exchanges, among others. We will highlight
the key features of the security threats along with typical
countermeasures to prevent or at least mitigate them. We will also
note that an availability attack may be facilitated by an identity
attack as well as a replay attack, as was addressed in <xref
target="entity"></xref> and <xref target="replay"></xref>,
respectively.</t>
<section title="Countering HELLO Flood Attacks and ACK Spoofing Attacks">
<t>HELLO Flood <xref target="Karlof2003"></xref>,<xref
target="I-D.suhopark-hello-wsn"></xref> and ACK Spoofing attacks are
different but highly related forms of attacking a LLN. They
essentially lead nodes to believe that suitable routes are available
even though they are not and hence constitute a serious availability
attack.</t>
<t>The origin of facilitating a HELLO flood attack lies in the fact
that many wireless routing protocols require nodes to send HELLO
packets either upon joining or in regular intervals so as to
announce or confirm their existence to the network. Those nodes that
receive the HELLO packet assume that they are within radio range of
the transmitter by means of a bidirectional communication link.</t>
<t>With this in mind, a malicious node can send or replay HELLO
packets using a higher transmission power. That creates the false
illusion of being a neighbor to an increased number of nodes in the
network, thereby effectively increasing its unidirectional
neighborhood cardinality. The high quality of the falsely advertised
link may coerce nodes to route data via the malicious node. However,
those affected nodes, for which the malicious node is out of radio
range, never succeed in their delivery and the packets are
effectively dropped. The symptoms are hence similar to those of a
sinkhole, wormhole and selective forwarding attack.</t>
<t>A malicious HELLO flood attack clearly distorts the network
topology. It thus affects protocols building and maintaining the
network topology as well as routing protocols as such, since the
attack is primarily targeted on protocols that require sharing of
information for topology maintenance or flow control.</t>
<t>To counter HELLO flood attacks, several mutually non-exclusive
methods are feasible:<list style="symbols">
<t>restricting neighborhood cardinality;</t>
<t>facilitating multipath routing;</t>
<t>verifying bidirectionality.</t>
</list></t>
<t>Restricting the neighborhood cardinality prevents malicious nodes
from having an extended set of neighbors beyond some tolerated
threshold and thereby preventing topologies to be built where
malicious nodes have an extended neighborhood set. Furthermore, as
shown in <xref target="I-D.suhopark-hello-wsn"></xref>, if the
routing protocol supports multiple paths from a sensing node towards
several gateways then HELLO flood attacks can also be diminished;
however, the energy-efficiency of such approach is clearly
sub-optimal. Finally, verifying that the link is truly bidirectional
by means of, e.g., an ACK handshake and appropriate security
measures ensures that a communication link is only established if
not only the affected node is within range of the malicious node but
also vice versa. Whilst this does not really eliminate the problem
of HELLO flooding, it greatly reduces the number of affected nodes
and the probability of such an attack succeeding.</t>
<t>As for the latter, the adversary may spoof the ACK messages to
convince the affected node that the link is truly bidirectional and
thereupon drop, tunnel or selectively forward messages. Such ACK
spoofing attack is possible if the malicious node has a receiver
which is significantly more sensitive than that of a normal node,
thereby effectively extending its range. Since an ACK spoofing
attack facilitates a HELLO flood attack, similar countermeasure are
applicable here. Viable counter and security measures for both
attacks have been exposed in <xref
target="I-D.suhopark-hello-wsn"></xref>.</t>
</section>
<section title="Countering Overload Attacks">
<t>Overload attacks are a form of DoS attack in that a malicious
node overloads the network with irrelevant traffic, thereby draining
the nodes' energy budget quicker. It thus significantly shortens the
network lifetime and hence constitutes another serious availability
attack.</t>
<t>With energy being one of the most precious assets of LLNs,
targeting its availability is a fairly obvious attack. Another way
of depleting the energy of a LLN node is to have the malicious node
overload the network with irrelevant traffic. This impacts
availability since certain routes get congested which<list
style="symbols">
<t>renders them useless for affected nodes and data can hence
not be delivered;</t>
<t>makes routes longer as shortest path algorithms work with the
congested network;</t>
<t>depletes nodes quicker and thus shortens the network's
availability at large.</t>
</list></t>
<t>Overload attacks can be countered by deploying a series of
mutually non-exclusive security measures:<list style="symbols">
<t>introduce quotas on the traffic rate each node is allowed to
send;</t>
<t>isolate nodes which send traffic above a certain
threshold;</t>
<t>allow only trusted data to be received and forwarded.</t>
</list></t>
<t>As for the first one, a simple approach to minimize the harmful
impact of an overload attack is to introduce traffic quotas. This
prevents a malicious node from injecting a large amount of traffic
into the network, even though it does not prevent said node from
injecting irrelevant traffic at all. Another method is to isolate
nodes from the network once it has been detected that more traffic
is injected into the network than allowed by a prior set or
dynamically adjusted threshold. Finally, if communication is
sufficiently secured, only trusted nodes can receive and forward
traffic which also lowers the risk of an overload attack.</t>
</section>
<section title="Countering Selective Forwarding Attacks">
<t>Selective forwarding attacks are another form of DoS attack which
impacts the routing path availability.</t>
<t>An insider malicious node basically blends neatly in with the
network but then may decide to forward and/or manipulate certain
packets. If all packets are dropped, then this attacker is also
often referred to as a "black hole". Such a form of attack is
particularly dangerous if coupled with sinkhole attacks since
inherently a large amount of traffic is attracted to the malicious
node and thereby causing significant damage. An outside malicious
node would selectively jam overheard data flows, where the thus
caused collisions incur selective forwarding.</t>
<t>Selective Forwarding attacks can be countered by deploying a
series of mutually non-exclusive security measures:<list
style="symbols">
<t>multipath routing of the same message over disjoint
paths;</t>
<t>dynamically select the next hop from a set of candidates.</t>
</list></t>
<t>The first measure basically guarantees that if a message gets
lost on a particular routing path due to a malicious selective
forwarding attack, there will be another route which successfully
delivers the data. Such method is inherently suboptimal from an
energy consumption point of view. The second method basically
involves a constantly changing routing topology in that next-hop
routers are chosen from a dynamic set in the hope that the number of
malicious nodes in this set is negligible.</t>
</section>
<section title="Countering Sinkhole Attacks">
<t>In sinkhole attacks, the malicious node manages to attract a lot
of traffic mainly by advertising the availability of high-quality
links even though there are none. It hence constitutes a serious
attack on availability.</t>
<t>The malicious node creates a sinkhole by attracting a large
amount of, if not all, traffic from surrounding neighbors by
advertising in and outwards links of superior quality. Affected
nodes hence eagerly route their traffic via the malicious node
which, if coupled with other attacks such as selective forwarding,
may lead to serious availability and security breaches. Such an
attack can only be executed by an inside malicious node and is
generally very difficult to detect. An ongoing attack has a profound
impact on the network topology and essentially becomes a problem of
flow control.</t>
<t>Sinkhole attacks can be countered by deploying a series of
mutually non-exclusive security measures:<list style="symbols">
<t>use geographical insights for flow control;</t>
<t>isolate nodes which receive traffic above a certain
threshold;</t>
<t>dynamically pick up next hop from set of candidates;</t>
<t>allow only trusted data to be received and forwarded.</t>
</list></t>
<t>Whilst most of these countermeasures have been discussed before,
the use of geographical information deserves further attention.
Essentially, if geographic positions of nodes are available, then
the network can assure that data is actually routed towards the
sink(s) and not elsewhere. On the other hand, geographic position is
a sensitive information that may have security and/or privacy
consequences.</t>
</section>
<section title="Countering Wormhole Attacks">
<t>In wormhole attacks at least two malicious nodes shortcut or
divert the usual routing path by means of a low-latency out-of-band
channel. This changes the availability of certain routing paths and
hence constitutes a serious security breach.</t>
<t>Essentially, two malicious insider nodes use another, more
powerful, radio to communicate with each other and thereby distort
the would-be-agreed routing path. This distortion could involve
shortcutting and hence paralyzing a large part of the network; it
could also involve tunneling the information to another region of
the network where there are, e.g., more malicious nodes available to
aid the intrusion or where messages are replayed, etc. In
conjunction with selective forwarding, wormhole attacks can create
race conditions which impact topology maintenance, routing protocols
as well as any security suits built on "time of check" and "time of
use".</t>
<t>Wormhole attacks are very difficult to detect in general but can
be mitigated using similar strategies as already outlined above in
the context of sinkhole attacks.</t>
</section>
</section>
</section>
<section anchor="features" title="ROLL Security Features">
<t>The issues discussed in <xref target="threats"></xref>, together with
the countermeasures described in <xref target="securing"></xref>,
provide the basis for the requirements of the following ROLL security
features. Still, it bears emphasizing that the target here is a generic
ROLL protocol and the normative keywords are mainly to convey the
relative level of urgency of the features specified. As routing is one
component of a LLN system, the actual strength of the security services
afforded to it should be made to conform to each system's security
policy; how a design may address the needs of the urban, industrial,
home automation, and building automation application domains is
considered in <xref target="conm"></xref>.</t>
<section anchor="conff" title="Confidentiality Features">
<t>To protect confidentiality, a secured ROLL protocol<list
style="symbols">
<t>SHOULD provide payload encryption;</t>
<t>MAY provide tunneling;</t>
<t>MAY provide load balancing;</t>
<t>SHOULD provide privacy, e.g., when geographic information is
used.</t>
</list></t>
</section>
<section anchor="intf" title="Integrity Features">
<t>To protect integrity, a secured ROLL protocol<list style="symbols">
<t>MUST verify the liveliness of both principals of a
connection;</t>
<t>MUST verify message freshness;</t>
<t>MUST verify message sequence and integrity;</t>
</list></t>
</section>
<section anchor="avaf" title="Availability Features">
<t>To protect availability, a secured ROLL protocol<list
style="symbols">
<t>MAY restrict neighborhood cardinality;</t>
<t>MAY use multiple paths;</t>
<t>MAY use multiple destinations;</t>
<t>MAY choose randomly if multiple paths are available;</t>
<t>MAY set quotas to limit transmit or receive volume;</t>
<t>MAY use geographic insights for flow control.</t>
</list></t>
</section>
<section anchor="add" title="Additional Related Features">
<t>If a LLN employs multicast and/or anycast, it MUST secure these
protocols with the services listed in this sections. Furthermore, the
nodes MUST provide adequate physical tamper resistance to ensure the
integrity of stored routing information.</t>
<t>The functioning of the security services requires keys and
credentials. Therefore, even though not directly a ROLL security
requirement, a LLN must include a process for key and credential
distribution; a LLN is encouraged to have procedures for their
revocation and replacement.</t>
</section>
<section anchor="conm"
title="Consideration on Matching Application Domain Needs">
<t>The development so far takes into account collectively the impacts
of the issues gathered from <xref target="RFC5548"></xref>, <xref
target="I-D.ietf-roll-indus-routing-reqs"></xref>, <xref
target="I-D.ietf-roll-home-routing-reqs"></xref>, and <xref
target="I-D.ietf-roll-building-routing-reqs"></xref>. The following
two subsections first consider from an architectural perspective how
the security design of a ROLL protocol may be made to adapt to the
four application domains, and then examine mechanism and protocol
operations issues.</t>
<section anchor="parc" title="Architecture">
<t>The first challenge for a ROLL protocol security design is to
have an architecture that can adequately address a set of very
diversified needs. It is mainly a consequence of the fact that there
are both common and non-overlapping requirements from the four
application domains, while, conceivably, each individual application
will present yet its own unique constraints.</t>
<t>A ROLL protocol MUST be made flexible with a design which allows
the user to choose the security configurations that match the
application's needs. The construct may be, e.g., a header containing
security material of configurable security primitives in the fashion
of OSPFv2 <xref target="RFC2328"></xref> or RIPv2 <xref
target="RFC2453"></xref>. On the other hand, it is more desirable
from a LLN device perspective that the ROLL protocol specifies the
necessity of an overall system architecture in which security
facility may be shared by different applications and/or across
layers for efficiency, while security policy and settings can be
consistently made, e.g., RIPng <xref target="RFC2080"></xref> or the
approach presented in <xref target="Messerges2003"></xref>.</t>
</section>
<section anchor="mech" title="Mechanisms and Operations">
<t>With an architecture allowing different configurations to meet
the application domain needs, the task is then to find suitable
mechanisms. This subsection considers the security properties of a
number of mechanisms found in widely employed routing protocols, as
well as how some of their protocol operations affect security. The
discussion is based on analyses found in the open literature. The
intention is to offer a stepping stone for the security design of a
ROLL protocol, as well as to be useful for preventing oversights,
but not an exhaustive in-depth survey</t>
<t>There has been quite an amount of effort applied to the
assessment of the security of routing protocols, e.g., Section 2 of
<xref target="Wan2004"></xref> and Section 2 of <xref
target="Babakhouya2006"></xref> consider the security properties of
RIP as well as distance vector protocols in general. There are two
issues worth taking note. <list hangIndent="6" style="hanging">
<t hangText="Authentication"><vspace />The current version of
RIP allows two options of authentication, i.e., clear-text
password and cryptographic authentication, which includes
keyed-MD5 <xref target="RFC4822"></xref>. On the one hand,
transporting clear-text passwords without protection is
ineffective for authentication. On the other hand, the key for
the MD5 operation is in a suffix position only and as such the
key may be vulnerable to cryptanalysis <xref
target="Kaliski1995"></xref>.</t>
<t hangText="Information Aggregation"><vspace />Distance vector
routers periodically exchange route updates that is the output
of a computation on information gathered locally, making it
difficult for the receiver to verify the correctness or resolve
the sources of the information that went into the updates.</t>
</list></t>
<t>There are also plenty of analyses on link state based protocols,
especially on OSPF, e.g., <xref target="Wang1998"></xref> and <xref
target="I-D.ietf-rpsec-ospf-vuln"></xref> are both entirely on this
protocol. The following issues about OSPF are of interest. <list
hangIndent="6" style="hanging">
<t hangText="The Age Field"><vspace />The Age field in the Link
State Advertisement (LSA) is updated by each receiver; it is not
covered by the integrity protection mechanism in OSPFv2 and so
is exposed to forgery. OSPFv3 <xref target="RFC5340"></xref>
relegates security services to the underlying IPv6's security
mechanisms.</t>
<t hangText="LSA Flooding"><vspace />LSAs are disseminated
through flooding. The router corresponding to the claimed
advertiser of a LSA can either flush or update to correct
inconsistencies. However, this mechanism may be defeated by a
persistent attacker <xref
target="I-D.ietf-rpsec-ospf-vuln"></xref>, is ineffective when
the legitimate owner does not receive the altered LSA, or the
claimed advertiser does not exist.</t>
<t hangText="Hierarchical Routing"><vspace />Partitioning of the
autonomous system into areas facilitates scaling and also helps
the containment of incorrect information to within an area. On
the other hand, routing information from autonomous system
border routers are flooded throughout the autonomous system and
thus have significant security consequences.</t>
</list></t>
<t>The foregoing discussion has been based on widely employed
routing protocols for the many studies they received can contribute
to informed design decisions. In addition, the attention was limited
to those elements that are more relevant to a potential ROLL
protocol design.</t>
</section>
</section>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>This memo includes no request to IANA.</t>
</section>
<section anchor="Security" title="Security Considerations">
<t>The framework presented in this document provides security analysis
and design guidelines with a scope limited to ROLL. The investigation is
at a high-level and not specific to a particular protocol. Security
services, but not mechanisms, are identified as requirements for
securing ROLL.</t>
</section>
<!-- Possibly a 'Contributors' section ... -->
<section anchor="Acknowledgements" title="Acknowledgments"></section>
</middle>
<!-- *****BACK MATTER ***** -->
<back>
<!-- References split into informative and normative -->
<!-- There are 2 ways to insert reference entries from the citation libraries:
1. define an ENTITY at the top, and use "ampersand character"RFC2629; here (as shown)
2. simply use a PI "less than character"?rfc include="reference.RFC.2119.xml"?> here
(for I-Ds: include="reference.I-D.narten-iana-considerations-rfc2434bis.xml")
Both are cited textually in the same manner: by using xref elements.
If you use the PI option, xml2rfc will, by default, try to find included files in the same
directory as the including file. You can also define the XML_LIBRARY environment variable
with a value containing a set of directories to search. These can be either in the local
filing system or remote ones accessed by http (http://domain/dir/... ).-->
<references title="Normative References">
<!--?rfc include="http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml"?-->
&RFC2119;
&RFC2328;
&RFC2453;
&RFC2080;
&RFC5340;
&RFC4822;
</references>
<references title="Informative References">
<!-- Here we use entities that we defined at the beginning. -->
&I-D.ietf-roll-terminology;
&RFC4949;
&RFC4593;
<reference anchor="Karlof2003">
<front>
<title>Secure routing in wireless sensor networks: attacks and
countermeasures</title>
<author initials="C" surname="Karlof">
<organization></organization>
</author>
<author initials="D" surname="Wagner">
<organization></organization>
</author>
<date month="September" year="2003" />
</front>
<seriesInfo name="Elsevier AdHoc Networks Journal, Special Issue on Sensor Network Applications and Protocols,"
value="1(2):293-315" />
</reference>
&I-D.ietf-roll-indus-routing-reqs;
&I-D.ietf-roll-home-routing-reqs;
&I-D.ietf-roll-building-routing-reqs;
&RFC5548;
&I-D.suhopark-hello-wsn;
&I-D.ietf-rpsec-ospf-vuln;
<reference anchor="Myagmar2005">
<front>
<title>Threat Modeling as a Basis for Security Requirements</title>
<author initials="S" surname="Myagmar">
<organization></organization>
</author>
<author initials="AJ" surname="Lee">
<organization></organization>
</author>
<author initials="W" surname="Yurcik">
<organization></organization>
</author>
<date month="Aug 29," year="2005" />
</front>
<seriesInfo name="in Proceedings of the Symposium on Requirements Engineering for Information Security (SREIS'05),"
value="Paris, France" />
<seriesInfo name="pp." value="94-102" />
</reference>
<reference anchor="Huang2003">
<front>
<title>Fast Authenticated Key Establishment Protocols for
Self-Organizing Sensor Networks</title>
<author initials="Q" surname="Huang">
<organization></organization>
</author>
<author initials="J" surname="Cukier">
<organization></organization>
</author>
<author initials="H" surname="Kobayashi">
<organization></organization>
</author>
<author initials="B" surname="Liu">
<organization></organization>
</author>
<author initials="J" surname="Zhang">
<organization></organization>
</author>
<date month="Sept. 19" year="2003" />
</front>
<seriesInfo name="in Proceedings of the 2nd ACM International Conference on Wireless Sensor Networks and Applications,"
value="San Diego, CA, USA" />
<seriesInfo name="pp." value="141-150" />
</reference>
<reference anchor="Messerges2003">
<front>
<title>Low-Power Security for Wireless Sensor Networks</title>
<author initials="T" surname="Messerges">
<organization></organization>
</author>
<author initials="J" surname="Cukier">
<organization></organization>
</author>
<author initials="T" surname="Kevenaar">
<organization></organization>
</author>
<author initials="L" surname="Puhl">
<organization></organization>
</author>
<author initials="R" surname="Struik">
<organization></organization>
</author>
<author initials="E" surname="Callaway">
<organization></organization>
</author>
<date month="Oct. 31" year="2003" />
</front>
<seriesInfo name="in Proceedings of the 1st ACM Workshop on Security of Ad Hoc and Sensor Networks,"
value="Fairfax, VA, USA" />
<seriesInfo name="pp." value="1-11" />
</reference>
<reference anchor="Wan2004">
<front>
<title>S-RIP: A Secure Distance Vector Routing Protocol</title>
<author initials="T" surname="Wan">
<organization></organization>
</author>
<author initials="E" surname="Kranakis">
<organization></organization>
</author>
<author initials="PC" surname="van Oorschot">
<organization></organization>
</author>
<date month="Jun. 8-11" year="2004" />
</front>
<seriesInfo name="in Proceedings of the 2nd International Conference on Applied Cryptography and Network Security,"
value="Yellow Mountain, China" />
<seriesInfo name="pp." value="103-119" />
</reference>
<reference anchor="Wang1998">
<front>
<title>On the Vulnerabilities and Protection of OSPF Routing
Protocol</title>
<author initials="F" surname="Wang">
<organization></organization>
</author>
<author initials="SF" surname="Wu">
<organization></organization>
</author>
<date month="Oct. 12-15" year="1998" />
</front>
<seriesInfo name="in Proceedings of the 7th International Conference on Computer Communications and Networks,"
value="Lafayette, LA, USA" />
<seriesInfo name="pp." value="148-152" />
</reference>
<reference anchor="Kaliski1995">
<front>
<title>Message Authentication with MD5</title>
<author initials="B" surname="Kaliski">
<organization></organization>
</author>
<author initials="M" surname="Robshaw">
<organization></organization>
</author>
<date year="1995" />
</front>
<seriesInfo name="RSA Labs' CryptoBytes," value="1(1):5-8" />
</reference>
<reference anchor="Babakhouya2006">
<front>
<title>SDV: A New Approach to Secure Distance Vector Routing
Protocols</title>
<author initials="A" surname="Babakhouya">
<organization></organization>
</author>
<author initials="Y" surname="Challal">
<organization></organization>
</author>
<author initials="M" surname="Bouabdallah">
<organization></organization>
</author>
<author initials="S" surname="Gharout">
<organization></organization>
</author>
<date month="Aug. 28-Sept. 1" year="2006" />
</front>
<seriesInfo name="IEEE Securecomm and Workshops,"
value="Baltimore, MD, USA" />
<seriesInfo name="pp." value="1-10" />
</reference>
</references>
<!-- Change Log
v00 2006-03-15 EBD Initial version
v01 2006-04-03 EBD Moved PI location back to position 1 -
v3.1 of XMLmind is better with them at this location.
v02 2007-03-07 AH removed extraneous nested_list attribute,
other minor corrections
v03 2007-03-09 EBD Added comments on null IANA sections and fixed heading capitalization.
Modified comments around figure to reflect non-implementation of
figure indent control. Put in reference using anchor="DOMINATION".
Fixed up the date specification comments to reflect current truth.
v04 2007-03-09 AH Major changes: shortened discussion of PIs,
added discussion of rfc include.
v05 2007-03-10 EBD Added preamble to C program example to tell about ABNF and alternative
images. Removed meta-characters from comments (causes problems). -->
</back>
</rfc>
<!-- Keep this comment at the end of the file
Local variables:
mode: xml
sgml-omittag:nil
sgml-shorttag:nil
sgml-namecase-general:nil
sgml-general-insert-case:lower
sgml-minimize-attributes:nil
sgml-always-quote-attributes:t
sgml-indent-step:2
sgml-indent-data:t
sgml-parent-document:nil
sgml-exposed-tags:nil
sgml-local-catalogs:nil
sgml-local-ecat-files:nil
End:
-->
| PAFTECH AB 2003-2026 | 2026-04-23 03:32:33 |