Networking Working Group T. Tsao, Ed. Internet-Draft R. Alexander, Ed. Intended status: Informational Eka Systems Expires: August 20, 2009 M. Dohler, Ed. CTTC V. Daza, Ed. A. Lozano, Ed. Universitat Pompeu Fabra February 16, 2009 A Security Framework for Routing over Low Power and Lossy Networks draft-tsao-roll-security-framework-00 Status of this Memo This Internet-Draft is submitted to IETF in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/ietf/1id-abstracts.txt. The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html. This Internet-Draft will expire on August 20, 2009. Copyright Notice Copyright (c) 2009 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Tsao, et al. Expires August 20, 2009 [Page 1] Internet-Draft Security Framework for ROLL February 2009 Abstract This document presents a security framework for routing over low power and lossy networks. The development of the framework builds upon previous work on routing security and adapts the security assessments to the issues and constraints specific to low power and lossy networks. A systematic approach is used in defining and assessing the security threats and identifying applicable countermeasures. These assessments provide the basis of the security recommendations for incorporation into low power, lossy network routing protocols. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119]. Tsao, et al. Expires August 20, 2009 [Page 2] Internet-Draft Security Framework for ROLL February 2009 Table of Contents 1. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5 3. Considerations on ROLL Security . . . . . . . . . . . . . . . 5 3.1. Routing Assets and Points of Access . . . . . . . . . . . 6 3.2. The CIA Security Reference Model . . . . . . . . . . . . . 8 3.3. Issues Specific to or Magnified in LLNs . . . . . . . . . 10 4. Threats and Attacks . . . . . . . . . . . . . . . . . . . . . 11 4.1. Threats and Attacks on Confidentiality . . . . . . . . . . 12 4.1.1. Routing Exchange Exposure . . . . . . . . . . . . . . 12 4.1.2. Routing Information (Routes and Network Topology) Exposure . . . . . . . . . . . . . . . . . . . . . . . 12 4.2. Threats and Attacks on Integrity . . . . . . . . . . . . . 13 4.2.1. Routing Information Manipulation . . . . . . . . . . . 13 4.2.2. Node Identity Misappropriation . . . . . . . . . . . . 13 4.3. Threats and Attacks on Availability . . . . . . . . . . . 14 4.3.1. Routing Exchange Interference or Disruption . . . . . 14 4.3.2. Network Traffic Forwarding Disruption . . . . . . . . 14 4.3.3. Communications Resource Disruption . . . . . . . . . . 14 4.3.4. Node Resource Exhaustion . . . . . . . . . . . . . . . 15 5. Countermeasures . . . . . . . . . . . . . . . . . . . . . . . 15 5.1. Confidentiality Attack Countermeasures . . . . . . . . . . 16 5.1.1. Countering Deliberate Exposure Attacks . . . . . . . . 16 5.1.2. Countering Sniffing Attacks . . . . . . . . . . . . . 16 5.1.3. Countering Traffic Analysis . . . . . . . . . . . . . 17 5.1.4. Countering Physical Device Compromise . . . . . . . . 18 5.1.5. Countering Remote Device Access Attacks . . . . . . . 20 5.2. Integrity Attack Countermeasures . . . . . . . . . . . . . 20 5.2.1. Countering Tampering Attacks . . . . . . . . . . . . . 21 5.2.2. Countering Overclaiming and Misclaiming Attacks . . . 21 5.2.3. Countering Identity (including Sybil) Attacks . . . . 21 5.2.4. Countering Routing Information Replay Attacks . . . . 22 5.3. Availability Attack Countermeasures . . . . . . . . . . . 22 5.3.1. Countering HELLO Flood Attacks and ACK Spoofing Attacks . . . . . . . . . . . . . . . . . . . . . . . 22 5.3.2. Countering Overload Attacks . . . . . . . . . . . . . 24 5.3.3. Countering Selective Forwarding Attacks . . . . . . . 25 5.3.4. Countering Sinkhole Attacks . . . . . . . . . . . . . 25 5.3.5. Countering Wormhole Attacks . . . . . . . . . . . . . 26 6. ROLL Security Features . . . . . . . . . . . . . . . . . . . . 26 6.1. Confidentiality Features . . . . . . . . . . . . . . . . . 27 6.2. Integrity Features . . . . . . . . . . . . . . . . . . . . 27 6.3. Availability Features . . . . . . . . . . . . . . . . . . 27 6.4. Additional Considerations . . . . . . . . . . . . . . . . 27 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 28 8. Security Considerations . . . . . . . . . . . . . . . . . . . 28 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 28 Tsao, et al. Expires August 20, 2009 [Page 3] Internet-Draft Security Framework for ROLL February 2009 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 28 10.1. Normative References . . . . . . . . . . . . . . . . . . . 28 10.2. Informative References . . . . . . . . . . . . . . . . . . 28 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 30 Tsao, et al. Expires August 20, 2009 [Page 4] Internet-Draft Security Framework for ROLL February 2009 1. Terminology This document conforms to the terminology defined in [I-D.ietf-roll-terminology], with the following additions. Link Cost A quantification of chosen characteristics of a link. Node A base unit of a network, e.g., a router or a host on a low power and lossy network. Routing Metric A function of link costs along routes, whose value gives rise to preference of routing choices. 2. Introduction In recent times, networked wireless devices have found an increasing number of applications in various fields. Yet, for reasons ranging from operational application to economics, these wireless devices are often supplied with minimum physical resources, e.g., limited power reserve, slow speed or low capability computation, or small memory size. As a consequence, the resulting networks are more prone to loss of traffic and other vulnerabilities. The proliferation of these low power and lossy networks (LLNs), however, are drawing efforts to examine and address their potential networking challenges. This document presents a framework for securing routing over low power and lossy networks (ROLL) through an analysis that starts from the routing basics. The objective is two-fold. First, the framework will be used to identify pertinent security issues. Second, it will facilitate both the assessment of a protocol's security threats and the identification of the necessary features for development of secure protocols for ROLL. The approach adopted in this effort proceeds in four steps, to examine ROLL security issues, to analyze threats and attacks, to consider the countermeasures, and then to make recommendations for securing ROLL. The basis is found on identifying the assets and points of access of routing and evaluating their security needs based on the Confidentiality, Integrity, and Availability (CIA) model in the context of LLN. 3. Considerations on ROLL Security This section sets the stage for the development of the framework by applying the systematic approach proposed in [Myagmar2005] to the routing security problem, while also drawing references from other Tsao, et al. Expires August 20, 2009 [Page 5] Internet-Draft Security Framework for ROLL February 2009 reviews and assessments found in the literature, particularly, [RFC4593] and [Karlof2003]. The subsequent subsections begin with a focus on the elements of a generic routing process that is used to establish routing assets and points of access of the routing functionality. Next, the CIA security model is briefly described. Then, consideration is given to issues specific to or magnified in LLNs. 3.1. Routing Assets and Points of Access An asset implies important system component (including information, process, or physical resource), the access to, corruption or loss of which adversely affects the system. In network routing, assets lie in the routing information, routing process, and node's physical resources. That is, the access to, corruption, or loss of these elements adversely affects system routing. In network routing, a point of access refers to the point of entry facilitating communication with or other interaction with a system component in order to use system resources to either manipulate information or gain knowledge of the information contained within the system. Security of the routing protocol must be focused on the assets of the routing nodes and the points of access of the information exchanges and information storage that may permit routing compromise. The identification of routing assets and points of access hence provides a basis for the identification of associated threats and attacks. This subsection identifies assets and points of access of a generic routing process with a level-0 data flow diagram. The use of the data flow diagram allows for a clear, concise model of the routing functionality; it also has the benefit of showing the manner in which nodes participate in the routing process, thus providing context when later threats and attacks are considered. The goal of the model is to be as detailed as possible so that corresponding components and mechanisms in an individual routing protocol can be readily identified, but also to be as general as possible to maximize the relevancy of this effort for the various existing and future protocols. Nevertheless, there may be discrepancies, likely in the form of additional elements, when the model is applied to some protocols. For such cases, the analysis approach laid out in this document should still provide a valid and illustrative path for their security assessment. Figure 1 shows that nodes participating in the routing process transmit messages to determine their neighbors (neighbor discovery). Using the neighboring relationships, routing protocols may exchange network topology (including link-specific information) to generate routes or may exchange routes directly as part of a routing exchange; nodes which do not directly participate in the process with a given Tsao, et al. Expires August 20, 2009 [Page 6] Internet-Draft Security Framework for ROLL February 2009 node will get the route/topology information relayed from others. It is likely that a node will store some or all of the routes and topology information according to tradeoffs of node resources and latency associated with the particular routing protocol. The nodes use the derived routes for making forwarding decisions. ................................................... : : : _________________ : |Node_i|<------->(Neighbor Discovery)--->Neighbor Topology : : ----------------- : : | : |Node_j|<------->(Route/Topology +--------+ : : Exchange ) | : : | V ______ : : +---->(Route Generation)--->Routes : : ------ : : | : : Routing on a Node Node_k | : ................................................... | |Forwarding | On Node_k |<------------------------------------------+ Notation: (Proc) A process Proc ________ DataBase A data storage DataBase -------- |Node_n| An external entity Node_n -------> Data flow Figure 1: Data Flow Diagram of a Generic Routing Process It is seen from Figure 1 that o Assets include * routing and/or topology information; Tsao, et al. Expires August 20, 2009 [Page 7] Internet-Draft Security Framework for ROLL February 2009 * communication channel resources (bandwidth); * node resources (computing capacity, memory, and remaining energy); * node identifiers (including node identity and ascribed attributes such as relative or absolute node location). o Points of access include * neighbor discovery; * route/topology exchange; * node physical interfaces (including access to data storage). A focus on the above list of assets and points of access enables a more directed assessment of routing security. 3.2. The CIA Security Reference Model At the conceptual level, security within an information system in general and applied to ROLL in particular is concerned with the primary issues of confidentiality, integrity, and availability. In the context of ROLL: Confidentiality Confidentiality involves the protection of routing information as well as routing neighbor maintenance exchanges so that only authorized and intended network entities may view or access it. Because of the wireless, and sometimes ad hoc, nature of the network, confidentiality also extends to the neighbor state and database information within the routing device since the deployment of the network creates the potential for unauthorized access to the physical devices themselves. Integrity Integrity, as a security principle, entails the protection of routing information and routing neighbor maintenance exchanges, as well as derived information maintained in the database, from misuse or unauthorized and improper modification. In addition, integrity also requires the authenticity of claimed identity in the origin and destination of a message, access and removal of data, execution of the routing process, and use of computing and energy resources. Tsao, et al. Expires August 20, 2009 [Page 8] Internet-Draft Security Framework for ROLL February 2009 Availability Availability ensures that routing information exchanges and forwarding services need to be available when they are required for the functioning of the serving network. Availability will apply to maintaining efficient and correct operation of routing and neighbor discovery exchanges (including needed information) and forwarding services so as not to impair or limit the network's central traffic flow function. It is noted that, besides those captured in the CIA model, non- repudiation is another security concern evaluated. With respect to routing, non-repudiation will involve providing some ability to allow traceability or network management review of participants of the routing process including the ability to determine the events and actions leading to a particular routing state. Non-repudiation implies after the fact and thus relies on the logging or other capture of on-going routing exchanges. Given the limited resources of a node and potentially the communication channel, and considering the operating mode associated with LLNs, routing transaction logging or auditing process communication overhead will not be practical; as such, non-repudiation is not further considered as a relevant ROLL security issue. Based upon the CIA model, a high-level assessment of the security needs of the assets found in Section 3.1 shows that o routing/topology information needs to be integrity protected, maintained with confidentiality, and prevented from unauthorized use; o neighbor discovery process needs to operate without undermining routing availability; o routing/topology exchange process needs to ensure that the participants are authenticated, the communication of information is integrity protected and confidential; o communication channels and node resources need to have their availability maintained; o the internal and external interfaces of a node need to be protected to ensure that integrity and confidentiality of stored information is maintained as well as the integrity of routing and route generation processes is assured. Each individual system's use and environment will dictate how the above general assessments are applied, including the choices of security services as well as the strengths of the mechanisms that Tsao, et al. Expires August 20, 2009 [Page 9] Internet-Draft Security Framework for ROLL February 2009 must be implemented. The next subsection brings LLN-related issues to light. 3.3. Issues Specific to or Magnified in LLNs Four other concurrent efforts, [I-D.ietf-roll-urban-routing-reqs], [I-D.ietf-roll-indus-routing-reqs], [I-D.ietf-roll-home-routing-reqs], and [I-D.ietf-roll-building-routing-reqs], have identified ROLL specific requirements and constraints; the following is a list of observations and evaluation of their impact on routing security considerations. Limited energy reserve, memory, and processing resources As a consequence of these constraints, there is an even more critical need than usual for a careful trade study on which and what level of security services are to be afforded during the system design process. In addition, routing schemes based on various metrics have been proposed, e.g., geographic location. Transmission and exchanging such metrics may have security and/or privacy concerns. Large scale of rolled out network The possibly numerous nodes to be deployed, as well as the general level of expertise of the installers, make manual on- site configuration unlikely. Prolonged rollout and delayed addition of nodes, which may be from old inventory, over the lifetime of the network, also complicate the operations of key management. Autonomous operations Self-forming and self-organizing are commonly prescribed requirements of ROLL. In other words, a ROLL protocol needs to contain elements of ad hoc networking and cannot rely on manual configuration for initialization or local filtering rules. Highly directional traffic Some types of LLNs see a high percentage of their total traffic traverse between the nodes and the gateways where the LLNs connect to wired networks. The special routing status of and the greater volume of traffic near the gateways have routing security consequences. Unattended locations and limited physical security Many applications have the nodes deployed in unattended or remote locations; furthermore, the nodes themselves are often built with minimal physical protection. These constraints lower the barrier of accessing the data or security material stored on the nodes through physical means. Tsao, et al. Expires August 20, 2009 [Page 10] Internet-Draft Security Framework for ROLL February 2009 Support for mobility On the one hand, only a number of applications require the support of mobile nodes, e.g., a home LLN that includes nodes on wearable health care devices or an industry LLN that includes nodes on cranes and vehicles. On the other hand, if a routing protocol is indeed used in such applications, it will clearly need to have corresponding security mechanisms. Support for multicast and anycast ROLL support for multicast and anycast is called out chiefly for large-scale networks. As these are relatively new routing technologies, there has been an ongoing effort devoted to their security mechanisms, e.g., from the IETF Multicast Security working group. However, the threat model and attack analysis are still areas not fully evaluated, and hence their impact is not yet fully understood, whether in a wired, wireless, or LLN. The above list considers how a LLN's physical constraints, size, operations, and varieties of application areas may impact security. It is noted here also that LLNs commonly have the majority, if not all, of their nodes equipped to route. One of the consequences is that the distinction between the link and network layers become artificial in some respects. Similarly, the distinction between a host and a router is blurred, especially when the set of applications running on a node is small. The continued evolution of ROLL and its security functionality requirements need close attention. 4. Threats and Attacks This section outlines general categories of threats under the CIA model and highlights the specific attacks in each of these categories for ROLL. As defined in [RFC4949], a threat is "a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm." An attack is "an assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system." The subsequent subsections consider the threats and their realizing attacks that can cause security breaches under the CIA model to the assets identified in Section 3.1. The analysis steps through the security concerns of each routing asset and looks at the attacks that can exploit points of access. The manifestation of the attacks is assumed to be from either inside or outside attackers, whose capabilities may be limited to node-equivalent or more sophisticated computing platforms. Tsao, et al. Expires August 20, 2009 [Page 11] Internet-Draft Security Framework for ROLL February 2009 4.1. Threats and Attacks on Confidentiality The assessment in Section 3.2 indicates that information assets are exposed to confidentiality threats from all points of access. 4.1.1. Routing Exchange Exposure Routing exchanges include both routing information as well as information associated with the establishment and maintenance of neighbor state information. The exposure of routing information exchanged will allow unauthorized sources to gain access to the content of the exchanges between communicating nodes. The exposure of neighbor state information will allow unauthorized sources to gain knowledge of communication links between routing nodes that are necessary to maintain routing information exchanges. The forms of attack that allow unauthorized access or exposure of routing exchange information, as reported in the literature, include o Deliberate exposure; o Sniffing; o Traffic analysis. 4.1.2. Routing Information (Routes and Network Topology) Exposure Routes and neighbor topology information are the products of the routing process that are stored within the node device databases. The exposure of this information will allow unauthorized sources to gain direct access to the configuration and connectivity of the network thereby exposing routing to targeted attacks on key nodes or links. Since routes and neighbor topology information is stored within the node device, threats or attacks on the confidentiality of the information will apply to the physical device including specified and unspecified internal and external interfaces. The forms of attack that allow unauthorized access or exposure of the routing information (other than occurring through explicit node exchanges) will include o Physical device compromise; o Remote device access attacks (including those occurring through remote network management or software/field upgrade interfaces). Tsao, et al. Expires August 20, 2009 [Page 12] Internet-Draft Security Framework for ROLL February 2009 More detailed descriptions of the exposure attacks on routing exchange and information will be given in Section 5 together with the corresponding countermeasures. 4.2. Threats and Attacks on Integrity The assessment in Section 3.2 indicates that information and identity assets are exposed to integrity threats from all points of access. 4.2.1. Routing Information Manipulation Manipulation of routing information will allow unauthorized sources to influence the operation and convergence of the routing protocols and ultimately impact the forwarding decisions made in the network. Manipulation of neighbor state (topology) information will allow unauthorized sources to influence the nodes with which routing information is exchanged and updated. The consequence of manipulating routing exchanges can thus lead to sub-optimality and fragmentation or partitioning of the network by restricting the universe of routers with which associations can be established and maintained. The forms of attack that allow manipulation of routing information include o Falsification, including overclaiming and misclaiming; o Routing information replay; o Physical device compromise. 4.2.2. Node Identity Misappropriation Falsification or misappropriation of node identity between routing participants opens the door for other attacks; it can also cause incorrect routing relationships to form and/or topologies to emerge. Routing attacks may also be mounted through less sophisticated node identity misappropriation in which the valid information broadcast or exchanged by a node is replayed without modification. The receipt of seemingly valid information that is however no longer current can result in routing disruption, and instability (including failure to converge). Without measures to authenticate the routing participants and to ensure the freshness and validity of the received information the protocol operation can be compromised. The forms of attack that misuse node identity include o Identity (including Sybil) attacks; Tsao, et al. Expires August 20, 2009 [Page 13] Internet-Draft Security Framework for ROLL February 2009 o Routing information replay. 4.3. Threats and Attacks on Availability The assessment in Section 3.2 indicates that the process and resources assets are exposed to availability threats; attacks of this category may exploit directly or indirectly information exchange or forwarding. 4.3.1. Routing Exchange Interference or Disruption Interference or disruption of routing information exchanges will allow unauthorized sources to influence the operation and convergence of the routing protocols by impeding the regularity of routing information exchange. The forms of attack that allow interference or disruption of routing exchange include o Routing information replay; o HELLO flood attacks and ACK spoofing; o Overload attacks. 4.3.2. Network Traffic Forwarding Disruption The disruption of the network traffic forwarding capability of the network will undermine the central function of network routers and the ability to handle user traffic. This threat and the associated attacks affect the availability of the network because of the potential to impair the primary capability of the network. The forms of attack that allows disruption of network traffic forwarding include o Selective forwarding attacks; o Sinkhole attacks; o Wormhole attacks. 4.3.3. Communications Resource Disruption Attacks mounted against the communication channel resource assets needed by the routing protocol can be used as a means of disrupting its operation. However, while various forms of Denial of Service (DoS) attacks on the underlying transport subsystem will affect Tsao, et al. Expires August 20, 2009 [Page 14] Internet-Draft Security Framework for ROLL February 2009 routing protocol exchanges and operation (for example physical layer RF jamming in a wireless network or link layer attacks), these attacks cannot be countered by the routing protocol. As such, the threats to the underlying transport network that supports routing is considered beyond the scope of the current document. Nonetheless, attacks on the subsystem will affect routing operation and so must be directly addressed within the underlying subsystem and its implemented protocol layers. 4.3.4. Node Resource Exhaustion A potential security threat to routing can arise from attempts to exhaust the node resource asset by initiating exchanges that can lead to the undue utilization of exhaustion of processing, memory or energy resources. The establishment and maintenance of routing neighbors opens the routing process to engagement and potential acceptance of multiple neighboring peers. Association information must be stored for each peer entity and for the wireless network operation provisions made to periodically update and reassess the associations. An introduced proliferation of apparent routing peers can therefore have a negative impact on node resources. Node resources may also be unduly consumed by the attackers attempting uncontrolled topology peering or routing exchanges, routing replays, or the generating of other data traffic floods. Beyond the disruption of communications channel resources, these threats may be able to exhaust node resources only where the engagements are able to proceed with the peer routing entities. Routing operation and network forwarding functions can thus be adversely impacted by node resources exhaustion that stems from attacks that include o Identity (including Sybil) attacks; o Routing information replay attacks; o HELLO flood attacks and ACK spoofing; o Overload attacks. 5. Countermeasures By recognizing the characteristics of LLNs that may impact routing and identifying potential countermeasures, this framework provides the basis for developing capabilities within ROLL protocols to deter the identified attacks and mitigate the threats. The following subsections consider such countermeasures by grouping the attacks Tsao, et al. Expires August 20, 2009 [Page 15] Internet-Draft Security Framework for ROLL February 2009 according to the classification of the CIA model so that associations with the necessary security services are more readily visible. 5.1. Confidentiality Attack Countermeasures Attacks on confidentiality may be mounted at the level of the routing information assets, at the points of access associated with routing exchanges between nodes, or through device interface access. To gain access to routing/topology information, the attacker may rely on a compromised node that deliberately exposes the information during the routing exchange process, may rely on passive sniffing or analysis of routing traffic, or may attempt access through a component or device interface of a tampered routing node. 5.1.1. Countering Deliberate Exposure Attacks A deliberate exposure attack is one in which an entity that is party to the routing process or topology exchange allows the routing/ topology information or generated route information to be exposed to an unauthorized entity during the exchange. A prerequisite to countering this type of confidentiality attacks associated with the routing/topology exchange is to ensure that the communicating nodes are authenticated prior to data encryption applied in the routing exchange. Authentication ensures that the nodes are who they claim to be even though it does not provide an indication of whether the node has been compromised. To prevent deliberate exposure, the process that communicating nodes use for establishing communication session keys must be symmetric at each node so that neither node can independently weaken the confidentiality of the exchange without the knowledge of its communicating peer. A deliberate exposure attack will therefore require more overt and independent action on the part of the offending node. Note that the same measures which apply to securing routing/topology exchanges between operational nodes must also extend to field tools and other devices used in a deployed network where such devices can be configured to participate in routing exchanges. 5.1.2. Countering Sniffing Attacks A sniffing attack seeks to breach routing confidentiality through passive, direct analysis and processing of the information exchanges between nodes. A sniffing attack in an LLN that is not based on a physical device compromise will rely on the attacker attempting to directly derive information from the over-the-air routing/topology Tsao, et al. Expires August 20, 2009 [Page 16] Internet-Draft Security Framework for ROLL February 2009 communication exchange (neighbor discovery exchanges may of necessity be conducted in the clear thus limiting the extent to which the information can be kept confidential). Sniffing attacks can be directly countered through the use of data encryption for all routing exchanges. Only when a validated and authenticated node association is completed will routing exchange be allowed to proceed using established session confidentiality keys and an agreed confidentiality algorithm. The level of security applied in providing confidentiality will determine the minimum requirement for an attacker mounting this passive security attack. Because of the resource constraints of LLN devices, symmetric (private) key session security will provide the best tradeoff in terms of node and channel resource overhead and the level of security achieved. This will of course not preclude the use of asymmetric (public) key encryption during the session key establishment phase. As with the key establishment process, data encryption must include an authentication prerequisite to ensure that each node is implementing a level of security that prevents deliberate or inadvertent exposure. The authenticated key establishment will ensure that confidentiality is not compromised by providing the information to an unauthorized entity (see also [Huang2003]). Based on the current state of the art, a minimum 128-bit key length should be applied where robust confidentiality is demanded for routing protection. This session key shall be applied in conjunction with an encryption algorithm that has been publicly vetted and where applicable approved for the level of security desired. Algorithms such as AES (adopted by the U.S. government) or Kasumi-Misty (adopted by the 3GPP 3rd generation wireless mobile consortium) are examples of symmetric-key algorithms capable of ensuring robust confidentiality for routing exchanges. The key length, algorithm and mode of operation will be selected as part of the overall security tradeoff that also achieves a balance with the level of confidentiality afforded by the physical device in protecting the routing assets (see Section 5.1.4 below). As with any encryption algorithm, the use of ciphering synchronization parameters and limitations to the usage duration of established keys should be part of the security specification to reduce the potential for brute force analysis. 5.1.3. Countering Traffic Analysis Traffic analysis provides an indirect means of subverting confidentiality and gaining access to routing information by allowing an attacker to indirectly map the connectivity or flow patterns Tsao, et al. Expires August 20, 2009 [Page 17] Internet-Draft Security Framework for ROLL February 2009 (including link-load) of the network from which other attacks can be mounted. The traffic analysis attack on a LLN may be passive and relying on the ability to read the immutable source/destination routing information that must remain unencrypted to permit network routing. Alternatively, attacks can be active through the injection of unauthorized discovery traffic into the network. By implementing authentication measures between communicating nodes, active traffic analysis attacks can be prevented within the LLN thereby reducing confidentiality vulnerabilities to those associated with passive analysis. One way in which passive traffic analysis attacks can be muted is through the support of load balancing that allows traffic to a given destination to be sent along diverse routing paths. Where the routing protocol supports load balancing along multiple links at each node, the number of routing permutations in a wide area network surges thus increasing the cost of traffic analysis. Network analysis through this passive attack will require a wider array of analysis points and additional processing on the part of the attacker. In LLNs, the diverse radio connectivity and dynamic links (including potential frequency hopping) will help to further mitigate traffic analysis attacks when load balancing is implemented. The only means of fully countering a traffic analysis attack is through the use of tunneling (encapsulation) where encryption is applied across the entirety of the original packet source/destination addresses. With tunneling there is a further requirement that the encapsulating intermediate nodes apply an additional layer of routing so that traffic arrives at the destination through dynamic routes. For LLNs, memory and processing constraints as well as the limitations of the communication channel will preclude both the additional routing traffic overhead and the node implementation required for tunneling countermeasures to traffic analysis. 5.1.4. Countering Physical Device Compromise Given the distributed nature of LLNs, confidentiality of routing assets and points of access will rely heavily on the security of the routing devices. One means of precluding attacks on the physical device is to prevent physical access to the node through other external security means. However, given the environment in which LLNs operate, preventing unauthorized access to the physical device cannot be assured. Countermeasures must therefore be employed at the device and component level so that routing/topology or neighbor information and stored route information cannot be accessed even if physical access to the node is obtained. With the physical device in the possession of an attacker, Tsao, et al. Expires August 20, 2009 [Page 18] Internet-Draft Security Framework for ROLL February 2009 unauthorized information access can be attempted by probing internal interfaces or device components. Device security must therefore move to preventing the reading of device processor code or memory locations without the appropriate security keys and in preventing the access to any information exchanges occurring between individual components. Information access will then be restricted to external interfaces in which confidentiality, integrity and authentication measures can be applied. To prevent component information access, deployed routing devices must ensure that their implementation avoids address or data buses being connected to external general purpose input/output (GPIO) pins. Beyond this measure, an important component interface to be protected against attack is the Joint Test Action Group (JTAG) interface used for component and populated circuit board testing after manufacture. To provide security on the routing devices, components should be employed that allow fuses on the JTAG interfaces to be blown to disable access. This will raise the bar on unauthorized component information access within a captured device. At the device level a key component information exchange is between the microprocessor and it associated external memory. While encryption can be implemented to secure data bus exchanges, the use of integrated physical packaging which avoids inter-component exchanges (other than secure external device exchanges) will increase routing security against a physical device interface attack. With an integrated package and disabled internal component interfaces, the level of physical device security can be controlled by managing the degree to which the device packaging is protected against expert physical decomposition and analysis. The device package should be hardened such that attempts to remove the integrated components will result in damage to access interfaces, ports or pins that prevent retrieval of code or stored information. The degree of VLSI or PCB package security through manufacture can be selected as a tradeoff or desired security consistent with the level of security achieved by measures applied for other routing assets and points of access. With package hardening and restricted component access countermeasures, the security level will be raised to that provided by measures employed at the external communications interfaces. Another area of node interface vulnerability is that associated with interfaces provided for remote software or firmware upgrades. This may impact both routing information and routing/topology exchange security where it leads to unauthorized upgrade or change to the routing protocol running on a given node as this type of attack can allow for the execution of compromised or intentionally malicious Tsao, et al. Expires August 20, 2009 [Page 19] Internet-Draft Security Framework for ROLL February 2009 routing code on multiple nodes. Countermeasures to this device interface confidentiality attack needs to be addressed in the larger context of node remote access security. This will ensure not only the authenticity of the provided code (including routing protocol) but that the process is initiated by an authorized (authenticated) entity. The above identified countermeasures against attacks on routing information confidentiality through internal device interface compromise must be part of the larger LLN system security as they cannot be addressed within the routing protocol itself. Similarly, the use of field tools or other devices that allow explicit access to node information must implement security mechanisms to ensure that routing information can be protected against unauthorized access. These protections will also be external to the routing protocol and hence not part of ROLL. 5.1.5. Countering Remote Device Access Attacks Where LLN nodes are deployed in the field, measures are introduced to allow for remote retrieval of routing data and for software or field upgrades. These paths create the potential for a device to be remotely accessed across the network or through a provided field tool. In the case of network management a node can be directly requested to provide routing tables and neighbor information. To ensure confidentiality of the node routing information against attacks through remote access, any device local or remote requesting routing information must be authenticated to ensure authorized access. Since remote access is not invoked as part of a routing protocol security of routing information stored on the node against remote access will not be addressable as part of the routing protocol. 5.2. Integrity Attack Countermeasures Integrity attack countermeasures address routing information manipulation, as well as node identity and routing information misuse. Manipulation can occur in the form of falsification attack and physical compromise. To be effective, the following development considers the two aspects of falsification, namely, the tampering actions and the overclaiming and misclaiming content. The countering of physical compromise was considered in the previous section and is not repeated here. With regard to misuse, there are two types of attacks to be deterred, identity attacks and replay attacks. Tsao, et al. Expires August 20, 2009 [Page 20] Internet-Draft Security Framework for ROLL February 2009 5.2.1. Countering Tampering Attacks Tampering may occur in the form of altering the message being transferred or the data stored. Therefore, it is necessary to ensure that only authorized nodes can change the portion of the information that is allowed to be mutable, while the integrity of the rest of the information is protected, e.g., through well-studied cryptographic mechanisms. Tampering may also occur in the form of insertion or deletion of messages during protocol changes. Therefore, the protocol needs to ensure the integrity of the sequence of the exchange sequence. The countermeasure to tampering needs to o implement access control on storage; o provide data integrity service to transferred messages and stored data; o include sequence number under integrity protection. 5.2.2. Countering Overclaiming and Misclaiming Attacks Both overclaiming and misclaiming aim to introduce false routes or topology that would not be generated by the network otherwise, while there is not necessarily tampering. The requisite for a counter is the capability to determine unreasonable routes or topology. The counter to overclaiming and misclaiming may employ o comparison with historical routing/topology data; o designs which restrict realizable network topologies. 5.2.3. Countering Identity (including Sybil) Attacks Identity attacks, sometimes simply called spoofing, seek to gain or damage assets whose access is controlled through identity. In routing, an identity attacker can illegitimately participate in routing exchanges, distribute false routing information, or cause an invalid outcome of a routing process. A perpetrator of Sybil attacks assumes multiple identities. The result is not only an amplification of the damage to routing, but extension to new areas, e.g., where geographic distribution is explicit or implicit an asset to an application running on the LLN. Tsao, et al. Expires August 20, 2009 [Page 21] Internet-Draft Security Framework for ROLL February 2009 The counter of identity attacks need to ensure the authenticity and liveness of the parties of a message exchange; the measure may use shared key or public key based authentication scheme. On the one hand, the large-scale nature of the LLNs makes the network-wide shared key scheme undesirable from a security perspective; on the other hand, public-key based approaches generally require more computational resources. Each system will need to make trade-off decisions based on its security requirements. 5.2.4. Countering Routing Information Replay Attacks In routing, message replay can result in false topology and/or routes. The counter of replay attacks need to ensure the freshness of the message. On the one hand, there are a number of mechanisms commonly used for countering replay. On the other hand, the choice should take into account how a particular mechanism is made available in a LLN. For example, many LLNs have a central source of time and have it distributed by relaying, such that secured time distribution becomes a prerequisite of using timestamping to counter replay. 5.3. Availability Attack Countermeasures As alluded to before, availability requires that routing information exchanges and forwarding mechanisms be available when needed so as to guarantee a proper functioning of the network. This may, e.g., include the correct operation of routing information and neighbor state information exchanges, among others. We will highlight the key features of the security threats along with typical countermeasures to prevent or at least mitigate them. We will also note that an availability attack may be facilitated by an identity attack as well as a replay attack, as was addressed in Section 5.2.3 and Section 5.2.4, respectively. 5.3.1. Countering HELLO Flood Attacks and ACK Spoofing Attacks HELLO Flood [Karlof2003],[I-D.suhopark-hello-wsn] and ACK Spoofing attacks are different but highly related forms of attacking a LLN. They essentially lead nodes to believe that suitable routes are available even though they are not and hence constitute a serious availability attack. The origin of facilitating a HELLO flood attack lies in the fact that many wireless routing protocols require nodes to send HELLO packets either upon joining or in regular intervals so as to announce or confirm their existence to the network. Those nodes that receive the HELLO packet assume that they are within radio range of the transmitter by means of a bidirectional communication link. Tsao, et al. Expires August 20, 2009 [Page 22] Internet-Draft Security Framework for ROLL February 2009 With this in mind, a malicious node can send or replay HELLO packets using a higher transmission power. That creates the false illusion of being a neighbor to an increased number of nodes in the network, thereby effectively increasing its unidirectional neighborhood cardinality. The high quality of the falsely advertised link may coerce nodes to route data via the malicious node. However, those affected nodes, for which the malicious node is out of radio range, never succeed in their delivery and the packets are effectively dropped. The symptoms are hence similar to those of a sinkhole, wormhole and selective forwarding attack. A malicious HELLO flood attack clearly distorts the network topology. It thus affects protocols building and maintaining the network topology as well as routing protocols as such, since the attack is primarily targeted on protocols that require sharing of information for topology maintenance or flow control. To counter HELLO flood attacks, several mutually non-exclusive methods are feasible: o restricting neighborhood cardinality; o facilitating multipath routing; o verifying bidirectionality. Restricting the neighborhood cardinality prevents malicious nodes from having an extended set of neighbors beyond some tolerated threshold and thereby preventing topologies to be built where malicious nodes have an extended neighborhood set. Furthermore, as shown in [I-D.suhopark-hello-wsn], if the routing protocol supports multiple paths from a sensing node towards several gateways then HELLO flood attacks can also be diminished; however, the energy- efficiency of such approach is clearly sub-optimal. Finally, verifying that the link is truly bidirectional by means of, e.g., an ACK handshake and appropriate security measures ensures that a communication link is only established if not only the affected node is within range of the malicious node but also vice versa. Whilst this does not really eliminate the problem of HELLO flooding, it greatly reduces the number of affected nodes and the probability of such an attack succeeding. As for the latter, the adversary may spoof the ACK messages to convince the affected node that the link is truly bidirectional and thereupon drop, tunnel or selectively forward messages. Such ACK spoofing attack is possible if the malicious node has a receiver which is significantly more sensitive than that of a normal node, thereby effectively extending its range. Since an ACK spoofing Tsao, et al. Expires August 20, 2009 [Page 23] Internet-Draft Security Framework for ROLL February 2009 attack facilitates a HELLO flood attack, similar countermeasure are applicable here. Viable counter and security measures for both attacks have been exposed in [I-D.suhopark-hello-wsn]. 5.3.2. Countering Overload Attacks Overload attacks are a form of DoS attack in that a malicious node overloads the network with irrelevant traffic, thereby draining the nodes' energy budget quicker. It thus significantly shortens the network lifetime and hence constitutes another serious availability attack. With energy being one of the most precious assets of LLNs, targeting its availability is a fairly obvious attack. Another way of depleting the energy of a LLN node is to have the malicious node overload the network with irrelevant traffic. This impacts availability since certain routes get congested which o renders them useless for affected nodes and data can hence not be delivered; o makes routes longer as shortest path algorithms work with the congested network; o depletes nodes quicker and thus shortens the network's availability at large. Overload attacks can be countered by deploying a series of mutually non-exclusive security measures: o introduce quotas on the traffic rate each node is allowed to send; o isolate nodes which send traffic above a certain threshold; o allow only trusted data to be received and forwarded. As for the first one, a simple approach to minimize the harmful impact of an overload attack is to introduce traffic quotas. This prevents a malicious node from injecting a large amount of traffic into the network, even though it does not prevent said node from injecting irrelevant traffic at all. Another method is to isolate nodes from the network once it has been detected that more traffic is injected into the network than allowed by a prior set or dynamically adjusted threshold. Finally, if communication is sufficiently secured, only trusted nodes can receive and forward traffic which also lowers the risk of an overload attack. Tsao, et al. Expires August 20, 2009 [Page 24] Internet-Draft Security Framework for ROLL February 2009 5.3.3. Countering Selective Forwarding Attacks Selective forwarding attacks are another form of DoS attack which impacts the routing path availability. An insider malicious node basically blends neatly in with the network but then may decide to forward and/or manipulate certain packets. If all packets are dropped, then this attacker is also often referred to as a "black hole". Such a form of attack is particularly dangerous if coupled with sinkhole attacks since inherently a large amount of traffic is attracted to the malicious node and thereby causing significant damage. An outside malicious node would selectively jam overheard data flows, where the thus caused collisions incur selective forwarding. Selective Forwarding attacks can be countered by deploying a series of mutually non-exclusive security measures: o multipath routing of the same message over disjoint paths; o dynamically select the next hop from a set of candidates. The first measure basically guarantees that if a message gets lost on a particular routing path due to a malicious selective forwarding attack, there will be another route which successfully delivers the data. Such method is inherently suboptimal from an energy consumption point of view. The second method basically involves a constantly changing routing topology in that next-hop routers are chosen from a dynamic set in the hope that the number of malicious nodes in this set is negligible. 5.3.4. Countering Sinkhole Attacks In sinkhole attacks, the malicious node manages to attract a lot of traffic mainly by advertising the availability of high-quality links even though there are none. It hence constitutes a serious attack on availability. The malicious node creates a sinkhole by attracting a large amount of, if not all, traffic from surrounding neighbors by advertising in and outwards links of superior quality. Affected nodes hence eagerly route their traffic via the malicious node which, if coupled with other attacks such as selective forwarding, may lead to serious availability and security breaches. Such an attack can only be executed by an inside malicious node and is generally very difficult to detect. An ongoing attack has a profound impact on the network topology and essentially becomes a problem of flow control. Tsao, et al. Expires August 20, 2009 [Page 25] Internet-Draft Security Framework for ROLL February 2009 Sinkhole attacks can be countered by deploying a series of mutually non-exclusive security measures: o use geographical insights for flow control; o isolate nodes which receive traffic above a certain threshold; o dynamically pick up next hop from set of candidates; o allow only trusted data to be received and forwarded. Whilst most of these countermeasures have been discussed before, the use of geographical information deserves further attention. Essentially, if geographic positions of nodes are available, then the network can assure that data is actually routed towards the sink(s) and not elsewhere. On the other hand, geographic position is a sensitive information that may have security and/or privacy consequences. 5.3.5. Countering Wormhole Attacks In wormhole attacks at least two malicious nodes shortcut or divert the usual routing path by means of a low-latency out-of-band channel. This changes the availability of certain routing paths and hence constitutes a serious security breach. Essentially, two malicious insider nodes use another, more powerful, radio to communicate with each other and thereby distort the would- be-agreed routing path. This distortion could involve shortcutting and hence paralyzing a large part of the network; it could also involve tunneling the information to another region of the network where there are, e.g., more malicious nodes available to aid the intrusion or where messages are replayed, etc. In conjunction with selective forwarding, wormhole attacks can create race conditions which impact topology maintenance, routing protocols as well as any security suits built on "time of check" and "time of use". Wormhole attacks are very difficult to detect in general but can be mitigated using similar strategies as already outlined above in the context of sinkhole attacks. 6. ROLL Security Features The issues discussed in Section 4, together with the countermeasures described in Section 5, provide the basis for the requirements of the following ROLL security features; in conformance, the design of a secured ROLL protocol needs to use well-known mechanisms to implement Tsao, et al. Expires August 20, 2009 [Page 26] Internet-Draft Security Framework for ROLL February 2009 the services. 6.1. Confidentiality Features To protect confidentiality, a secured ROLL protocol o SHOULD provide payload encryption; o MAY provide tunneling; o MAY provide load balancing; o SHOULD provide privacy, e.g., when geographic information is used. 6.2. Integrity Features To protect integrity, a secured ROLL protocol o MUST verify the liveliness of both principals of a connection; o MUST verify message freshness; o MUST verify message sequence and integrity; 6.3. Availability Features To protect availability, a secured ROLL protocol o MAY restrict neighborhood cardinality; o MAY use multiple paths; o MAY use multiple destinations; o MAY choose randomly if multiple paths are available; o MAY set quotas to limit transmit or receive volume; o MAY use geographic insights for flow control. 6.4. Additional Considerations If a LLN employs multicast and/or anycast, it MUST secure these protocols with the services listed in this sections. Furthermore, the nodes MUST provide adequate physical tamper resistance to ensure the integrity of stored routing information. The functioning of the security services requires keys and Tsao, et al. Expires August 20, 2009 [Page 27] Internet-Draft Security Framework for ROLL February 2009 credentials. Therefore, even though not directly a ROLL security requirement, a LLN must include a process for key and credential distribution; a LLN is encouraged to have procedures for their revocation and replacement. 7. IANA Considerations This memo includes no request to IANA. 8. Security Considerations The framework presented in this document provides security analysis and design guidelines with a scope limited to ROLL. The investigation is at a high-level and not specific to a particular protocol. Security services, but not mechanisms, are identified as requirements for securing ROLL. 9. Acknowledgments 10. References 10.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997. 10.2. Informative References [Huang2003] Huang, Q., Cukier, J., Kobayashi, H., Liu, B., and J. Zhang, "Fast Authenticated Key Establishment Protocols for Self-Organizing Sensor Networks", in Proceedings of the 2nd ACM International Conference on Wireless Sensor Networks and Applications San Diego, CA, USA, pp. 141-150, Sept. 19 2003. [I-D.ietf-roll-building-routing-reqs] Martocci, J., Riou, N., Mil, P., and W. Vermeylen, "Building Automation Routing Requirements in Low Power and Lossy Networks", draft-ietf-roll-building-routing-reqs-05 (work in progress), February 2009. [I-D.ietf-roll-home-routing-reqs] Porcu, G., "Home Automation Routing Requirements in Low Tsao, et al. Expires August 20, 2009 [Page 28] Internet-Draft Security Framework for ROLL February 2009 Power and Lossy Networks", draft-ietf-roll-home-routing-reqs-06 (work in progress), November 2008. [I-D.ietf-roll-indus-routing-reqs] Networks, D., Thubert, P., Dwars, S., and T. Phinney, "Industrial Routing Requirements in Low Power and Lossy Networks", draft-ietf-roll-indus-routing-reqs-04 (work in progress), January 2009. [I-D.ietf-roll-terminology] Vasseur, J., "Terminology in Low power And Lossy Networks", draft-ietf-roll-terminology-00 (work in progress), October 2008. [I-D.ietf-roll-urban-routing-reqs] Dohler, M., Watteyne, T., Winter, T., Barthel, D., Jacquenet, C., Madhusudan, G., and G. Chegaray, "Urban WSNs Routing Requirements in Low Power and Lossy Networks", draft-ietf-roll-urban-routing-reqs-04 (work in progress), February 2009. [I-D.suhopark-hello-wsn] Park, S., "Routing Security in Sensor Network: HELLO Flood Attack and Defense", draft-suhopark-hello-wsn-00 (work in progress), December 2005. [Karlof2003] Karlof, C. and D. Wagner, "Secure routing in wireless sensor networks: attacks and countermeasures", Elsevier AdHoc Networks Journal, Special Issue on Sensor Network Applications and Protocols, 1(2):293-315, September 2003. [Myagmar2005] Myagmar, S., Lee, AJ., and W. Yurcik, "Threat Modeling as a Basis for Security Requirements", in Proceedings of the Symposium on Requirements Engineering for Information Security (SREIS'05), Paris, France, pp. 94-102, Aug 29, 2005. [RFC4593] Barbir, A., Murphy, S., and Y. Yang, "Generic Threats to Routing Protocols", RFC 4593, October 2006. [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC 4949, August 2007. Tsao, et al. Expires August 20, 2009 [Page 29] Internet-Draft Security Framework for ROLL February 2009 Authors' Addresses Tzeta Tsao (editor) Eka Systems 20201 Century Blvd. Suite 250 Germantown, Maryland 20874 USA Email: tzeta.tsao@ekasystems.com Roger K. Alexander (editor) Eka Systems 20201 Century Blvd. Suite 250 Germantown, Maryland 20874 USA Email: roger.alexander@ekasystems.com Mischa Dohler (editor) CTTC Parc Mediterrani de la Tecnologia, Av. Canal Olimpic S/N Castelldefels, Barcelona 08860 Spain Email: mischa.dohler@cttc.es Vanesa Daza (editor) Universitat Pompeu Fabra P/ Circumval.lacio 8, Oficina 308 Barcelona 08003 Spain Email: vanesa.daza@upf.edu Angel Lozano (editor) Universitat Pompeu Fabra P/ Circumval.lacio 8, Oficina 309 Barcelona 08003 Spain Email: angel.lozano@upf.edu Tsao, et al. Expires August 20, 2009 [Page 30]