]> Sandelman Software Works

mcr+ietf@sandelman.ca

Huawei Tech

rahul.ietf@gmail.com

Independent

pascal.thubert@gmail.com

University of Warsaw

iwanicki@mimuw.edu.pl

Internet ROLL Working Group Internet-Draft The Routing Protocol for Low-Power and Lossy Networks (RPL) manages the routing topology but lacks a mechanism to globally regulate how many new nodes, known as Pledges, can join a node in a 6TiSCH network at any given time. Currently, Join Proxies (6LowPAN Routers) make local decisions about whether to facilitate a Pledge's enrollment based only on their immediate resources. This document introduces RPL extensions to ensure that enrollment remains orderly, prevents localized congestion at specific Join Proxies, and allows the network to stay within its operational capacity limits. About This Document Status information for this document may be found at . Discussion of this document takes place on the roll Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .

Introduction The adaption of the Time-Slotted Channel Hopping (TSCH) mode of for use in 6TiSCH networks is described in . The security and onboarding framework for these networks, described in and , allows a new node, known as a "Pledge", to utilize a nearby 6LowPAN Router as a Join Proxy. To facilitate discovery, specifies extensions to the IEEE 802.15.4 Enhanced Beacon that allow a Join Proxy to announce its presence, enabling Pledges to identify and select an appropriate entry point into the network. Currently, Join Proxies make local decisions about whether to facilitate a Pledge's enrollment based only on their immediate resources. This document introduces Routing Protocol for Low-Power and Lossy Networks (RPL) extensions to ensure that enrollment remains orderly, prevents localized congestion at specific Join Proxies, and allows the network to stay within its operational capacity limits.

Motivation and Overview Not every routing member of a mesh ought to announce itself as a Join Proxy. The constructed Destination Oriented Directed Acyclic Graph (DODAG) can become unbalanced if many nodes join in one part. This can be the result of optimization decisions based upon local information only. If nodes could get more information about the global view, then they could make different choices that would result in more balanced resource usage. There are a variety of local metrics which a 6LowPAN Router (6LR) can use to determine if it should provide the Join Proxy function. These reasons include low available battery power, already high committed network bandwidth, and lack of available free memory for Neighbor Cache Entry (NCE) slots . An NCE is needed in order to maintain communication with the Pledge nodes trying to enroll. See and for a deeper analysis of NCE exhaustion. In addition to the local per-node constraints, if the network around a 6LR is congested then adding more nodes to that part of the network would make the congestion worse. The attachment might not even succeed if other non-local resources are in short supply. For instance, in storing-mode and mixed mode LLNs, routing table entries at other levels could become exhausted. Enrollment of new nodes into the DODAG involves having the Join Proxy forward traffic from unknown nodes into the DODAG. These unknown nodes are not yet known to be trustworthy, the introduction of a lot of traffic from could be part of a denial of service attack. This extension includes a mechanism to allow the network operator to send a signal that no new nodes are expected at that time, and for all join proxy operations to be turned off by forcing the minimum enrollment priority to the maximum (worst) value. The RPL Destination Information Object (DIO) option described here contains new metrics that propogate down the DODAG, informing each layer of the conditions in the DODAG above the node. This new metric, the minimum enrollment priority, is updated by each 6LR to reflect conditions in that 6LR. This metric is only increased based upon local conditions, and the new value is sent as within the DIO that this node emits. Additionally, this new metric forms the basis for the proxy priority described in . The minumum enrollment priority value is derived from multiple constraining factors, for instance, the size of the DODAG, the occupancy of the bandwidth at the DODAG Root, the memory capacity at the Root, or an administrative decision. This minimum enrollment priority is used by each 6LR node to determine whether or not it will operate as a Join Proxy for nodes that want to enroll. For nodes which are already enrolled, but which need to reconnect to a DODAG, the DODAG Size information helps the node decide between different DODAGs which might be visible. This minimum enrollment priority expresses the ability of RPL DODAG globally to accept new joins: lower numerical priority values indicate increased ability to accept new child nodes. Moreover, when a RPL domain is composed of multiple DODAGs, a node at the edge of more than one such DODAG may join any of the DODAGs it sees. It can also use this information to move between DODAGs in order to help keep the relative sizes balanced. For this, the approximate knowledge of the size of the DODAGs is also an essential metric. Depending on the network policy, the size of the DODAG may or may not affect the minimum enrollment priority. Therefore, since making one proportional to the other would be limiting their value, the current size of the DODAG is advertised separately in the new option. Updates to the option propagate through the network according to the trickle algorithm. Other than the minimum enrollment priority value, the contents of the option are generated at the DODAG Root, and are not changed. If the contents represent an update that is considered important (e.g., quickly disabling any enrollments), the option can trigger trickle timer resets at the nodes to speed up its propagation.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here. The term 6LR means 6LowPAN Router, and is defined in . It refers to a router that forwards packets in a 6LowPAN network. The terms DAO, DODAG, DODAG root, DIO, trickle timer are from . The lollipop counter function comes from . The term (1)"Join" has been used in documents such as to denote the activity of a new node authenticating itself to the network to obtain authorization to become a member of the network. In the context of the RPL protocol, the term (2)"Join" has an alternative meaning: that of a node (already authenticated to the network, and already authorized to be a member of the network), deciding which part of the RPL DODAG to attach to. This term "Join" has to do with preferred parent selection processes. In order to avoid the ambiguity of this term, this document refers to the process (1)"Join" as enrollment, leaving the term "Join" to mean (2)"Join". The term "onboarding" (or "IoT Onboarding") is increasingly used to describe what is now called (1)Join in other documents, and is called enrollment in this document. However, the term Join Proxy is retained with its (1)"Join" meaning from .

Protocol Definition This document uses the extensions mechanism specified by . As explained in , no mechanism is needed to enable it.

Option Format The following option is defined for transmission in DIOs issued by the DODAG Root to be propagated within the DODAG.

Type

To be assigned by IANA.

Version Number

An 8-bit unsigned integer set by the DODAG root and denoting the version number of the contents of the option. The version number is interpreted as a lollipop counter (see Section 7.2 of ). This is abbreviated as VR below.

T

A bit indicating whether the particular version of the option is important in that adopting its contents should trigger a trickle timer reset at the node

Min Priority

The minimum enrollment priority. This is a 7-bit field providing a base value for the Enhanced Beacon Join priority. A value of 0x7f (127) is considered infinity, and this disables the Join Proxy function entirely.

Exp

A 4-bit unsigned integer indicating the power of 2 that defines the unit of the DODAG Size, such that (unit = 2^Exp).

DODAGSz

A 4-bit unsigned integer expressing the size of the DODAG in units that depend on the Exp field.

The DODAG Size is calculated as (DODAGSz * 2^Exp). The DODAG Size can be measured by the Root based on the DAO activity. In such a case, it represents the number of routes not the number of nodes, and can thus be used to infer the load only in a network where each node advertises roughly the same number of addresses and generates roughly the same amount of traffic. As the DODAG Size is always a multiple of a power of 2, when the actual size falls between two such values, the DODAG Root is to always round up. In any case, the DODAG Size may slightly change between one DIO and the next, so the value transmitted is considered as an approximation. A 6LR node uses the contents of this option from whichever parent it selects as the basis for the option that it sends. When that parent increments its minimum enrollment priority above the previous value that was seen, then this MUST be considered an "inconsistent" value for the purposes of the trickle timer. A parent that decrements its minimum enrollment priority to a lower value MAY be considered "inconsistent", or a node MAY wait retransmit according to the trickle timer's redundancy constant. This is consistent with paragraph one of , which considers lower Rank to be consistent.

Option Processing The contents of the option MUST be generated by the DODAG Root. A 6LR MUST NOT change the option when propagating it. Whenever the DODAG root changes the values of the minimum enrollment priority or DODAG Size in the option, it MUST also increment the value of Version Number. Moreover, if the change is considered important (i.e., it is expected to propagate in the DODAG quickly), the DODAG Root MUST also set the T bit to 1; otherwise, it MUST set the bit to 0. Upon receiving the option, a 6LR first checks the value of the Version Number field in the option, vr, versus the value of the Version Number it has last adopted locally, vl.

• If vl is greater than vr (in the lollipop counter order), then the 6LR MUST ignore the received option.
• Otherwise, the 6LR MUST adopt the contents of the option (i.e., the values of Version Number, Min Priority, DODAG Size, and the T bit) as its local ones. Moreover, if vl was smaller than vr (in the lollipop counter order) and the T bit in the received option was set, then the 6LR MUST reset its DIO trickle timer.

A 6LR, which would otherwise be willing to act as a Join Proxy, will examine the locally adopted value of minimum enrollment priority and to that number add any additional local consideration (such as upstream congestion, number of NCE slots available, etc.). The maximum resulting value any 6LR can obtain this way is 0x7f. The resulting minimum enrollment priority, if less than 0x7f, should enable the Join Proxy function. Note that the calculated local value vl does not update the value vr in the option.

Operational Considerations The RPL ecosystem has not included a management protocols to date. A future mechanisms, such as could enable assessment and configuration of node features. If/when such a thing became available, a node would still need to be connected before it configuration parameters could be adjusted. Until such a mechanism becomes available, the only way an operator can change any defaults in the node is via a custom firmware load, or a vendor proprietary mechanism. For instance, a vendor might do this via custom programming of a configuration section in memory using some kind of cable. This kind of per-node tuning is very expensive to do, and runs counter to the goals of zero-touch mechanisms. RPL nodes therefore need to come with sensible defaults that allow a node to join a DODAG. Many current deployments have been single vendor with consistent features and well-tested defaults. However, even within such an environment, incremental deployment of firmware updates might still cause feature skew among nodes. Intermediate nodes in a DODAG might not be upgraded at the same time as nodes further down the leaf, and therefore might not support this new metric container. It is therefore necessary to consider how the lack of this metric container can be compensated for nodes further away from the root.

Incremental deployment Considerations A 6LR that did not support this option would not act on it or propagate it in its DIO messages. In effect, the 6LR's subtree below a node without support for this option could not receive any information about the DODAG size or minimum enrollment priority. In the absense of of this metric, a 6LR will need to base decisions on how to act based upon information about local resources only. This document therefore establishes that a 6LRs that support this option but do not receive it via any path SHOULD assume a default value of 0x40 as their base value for the Enhanced Beacon Join Priority. This half-way value has been chosen to allow for the best reaction. A 6LR downstream of a 6LR where there was such an interruption in the metric could err in two directions:

• If the value implied by the base value of 0x40 was too low, then the 6LR might continue to attract enrollment traffic when none should have been collected. This is a stressor for the network, but the similiar behaviour would occur if no option existed.
• If the value implied by the base value of 0x40 was too high, then the 6LR might deflect enrollment traffic to other parts of the DODAG, possibly refusing any enrollment traffic at all.

In order for this to happen, some significant congestion must exist in the sub-DODAG where the implied 0x40 was introduced. The 0x40 is only the half-way point, so if such an amount of congestion was present, then this sub-DODAG of the DODAG simply winds up being more cautious than it needed to be. There is an additional possibility of having more than one interruption of information if multiple nodes in the DODAG were lacking a firmware update to enable this option. Such alternation of the above two situations might introduce some pathology of cycles of accepting and then rejecting enrollment traffic: This is something an operator should consider if they incrementally deploy this option to an existing Low-power/Lossy-Network (LLN). In addition, due to these interruptions, an operator would be unable to turn off enrollment traffic by sending a maximum value enrollment priority to the sub-DODAG. This situation is unfortunate, but without this option, the situation would occur all over the DODAG, rather than just in the sub-DODAG that the option did not reach. So this problem is not a new problem.

Security Considerations As per , RPL control frames either run over a secured layer 2 or use the Secure DIO methods at layer 3. This option can be placed into either a "clear" (layer-2 secured) DIO or a layer-3 Secure DIO. In most deployments involving wireless technology, layer 2 is always encrypted using a layer-2 specific technology, and so privacy of this option is available. However, a malicious node that was part of the RPL control plane (i.e., had been enrolled into the layer-2 security) would be able to see the values of this option and, based upon the observed minimal enrollment priority, could signal a confederate that it was a good time to send malicious join traffic. What is more, such a malicious node, being already part of the RPL control plane, could also send DIOs with a different minimal enrollment priority, which would cause downstream mesh routers to change their Join Proxy behavior: lower minimal priorities would cause downstream nodes to accept more Pledges than the network was expecting; higher minimal priorities could cause the enrollment process to stall. The use of layer-2 or layer-3 security for RPL control messages prevents the two aforementioned attacks by non-participating nodes by preventing malicious nodes from becoming part of the control plane. Nevertheless, a node that is attacked and has malware placed on it creates vulnerabilities in the same way such an attack on any node involved in Internet routing protocol does. The rekeying provisions of exist to permit an operator to remove such nodes from the network.

IANA Considerations Please allocate a new entry, TBD01 from Registry RPL Control Message Options at https://www.iana.org/assignments/rpl/rpl.xhtml#control-message-options This entry should be called Minimum Enrollment Priority, and the reference should be to this document.

Acknowledgements This has been reviewed by Charlie Perkins, Rifaat Shehk-Yusek, Dave Thaler, and Thomas Watteyne. Huimin She contributed text about expressing the DODAG size. Ketan Talaulika was the responsible AD and provided many editoral improvements.

References Normative References Low-Power and Lossy Networks (LLNs) are a class of network in which both the routers and their interconnect are constrained. LLN routers typically operate with constraints on processing power, memory, and energy (battery power). Their interconnects are characterized by high loss rates, low data rates, and instability. LLNs are comprised of anything from a few dozen to thousands of routers. Supported traffic flows include point-to-point (between devices inside the LLN), point-to-multipoint (from a central control point to a subset of devices inside the LLN), and multipoint-to-point (from devices inside the LLN towards a central control point). This document specifies the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL), which provides a mechanism whereby multipoint-to-point traffic from devices inside the LLN towards a central control point as well as point-to-multipoint traffic from the central control point to the devices inside the LLN are supported. Support for point-to-point traffic is also available. [STANDARDS-TRACK] This document describes the minimal framework required for a new device, called a "pledge", to securely join a 6TiSCH (IPv6 over the Time-Slotted Channel Hopping mode of IEEE 802.15.4) network. The framework requires that the pledge and the JRC (Join Registrar/Coordinator, a central entity), share a symmetric key. How this key is provisioned is out of scope of this document. Through a single CoAP (Constrained Application Protocol) request-response exchange secured by OSCORE (Object Security for Constrained RESTful Environments), the pledge requests admission into the network, and the JRC configures it with link-layer keying material and other parameters. The JRC may at any time update the parameters through another request-response exchange secured by OSCORE. This specification defines the Constrained Join Protocol and its CBOR (Concise Binary Object Representation) data structures, and it describes how to configure the rest of the 6TiSCH communication stack for this join process to occur in a secure manner. Additional security mechanisms may be added on top of this minimal framework. In the Time-Slotted Channel Hopping (TSCH) mode of IEEE Std 802.15.4, opportunities for broadcasts are limited to specific times and specific channels. Routers in a TSCH network transmit Enhanced Beacon (EB) frames to announce the presence of the network. This document provides a mechanism by which additional information critical for new nodes (pledges) and long-sleeping nodes may be carried within the EB in order to conserve use of broadcast opportunities. n.d. The Trickle algorithm allows nodes in a lossy shared medium (e.g., low-power and lossy networks) to exchange information in a highly robust, energy efficient, simple, and scalable manner. Dynamically adjusting transmission windows allows Trickle to spread new information on the scale of link-layer transmission times while sending only a few messages per hour when information does not change. A simple suppression mechanism and transmission point selection allow Trickle's communication rate to scale logarithmically with density. This document describes the Trickle algorithm and considerations in its use. [STANDARDS-TRACK] In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References This document describes the environment, problem statement, and goals for using the Time-Slotted Channel Hopping (TSCH) Medium Access Control (MAC) protocol of IEEE 802.14.4e in the context of Low-Power and Lossy Networks (LLNs). The set of goals enumerated in this document form an initial set only. AccuKnox Sandelman Software Works The Routing Protocol for Low-Power and Lossy Networks (RPL, RFC 6550) enables data packet routing along a Destination-Oriented Directed Acyclic Graph . However, the default route establishment mechanism relies on hop-by-hop forwarding along the DODAG, which may not always provide optimal routing efficiency. This document introduces the concept of DAO Projection, a mechanism that allows a RPL root or an external controller to install optimized routes within the RPL domain. DAO Projections enable the creation of optimized unicast or multicast routes that do not strictly follow the DODAG structure, thereby improving routing efficiency, reliability, availability, and resource utilization in the RPL domain. The document specifies two types of projected routes—storing mode and non-storing mode projections—and outlines the signaling procedures necessary to establish, maintain, and remove these routes. This document extends RFC 6550, RFC 6553, and RFC 8138. This document provides specifications for existing TLS extensions. It is a companion document for RFC 5246, "The Transport Layer Security (TLS) Protocol Version 1.2". The extensions specified are server_name, max_fragment_length, client_certificate_url, trusted_ca_keys, truncated_hmac, and status_request. [STANDARDS-TRACK] This document specifies the Neighbor Discovery protocol for IP Version 6. IPv6 nodes on the same link use Neighbor Discovery to discover each other's presence, to determine each other's link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors. [STANDARDS-TRACK] The Neighbor Discovery (ND) protocol is a critical component of the IPv6 architecture. The protocol uses multicast in many messages. It also assumes a security model where all nodes on a link are trusted. Such a design might be inefficient in some scenarios (e.g., use of multicast in wireless networks) or when nodes are not trustworthy (e.g., public access networks). These security and operational issues and the associated mitigation solutions are documented in more than twenty RFCs. There is a need to track these issues and solutions in a single document. To that aim, this document summarizes the published ND issues and then describes how all these issues originate from three causes. Addressing the issues is made simpler by addressing the causes. This document also analyzes the mitigation solutions and demonstrates that isolating hosts into different subnets and links can help to address the three causes. Guidance is provided for selecting a suitable isolation method to prevent potential ND issues. In IPv4, subnets are generally small, made just large enough to cover the actual number of machines on the subnet. In contrast, the default IPv6 subnet size is a /64, a number so large it covers trillions of addresses, the overwhelming number of which will be unassigned. Consequently, simplistic implementations of Neighbor Discovery (ND) can be vulnerable to deliberate or accidental denial of service (DoS), whereby they attempt to perform address resolution for large numbers of unassigned addresses. Such denial-of-service attacks can be launched intentionally (by an attacker) or result from legitimate operational tools or accident conditions. As a result of these vulnerabilities, new devices may not be able to "join" a network, it may be impossible to establish new IPv6 flows, and existing IPv6 transported flows may be interrupted. This document describes the potential for DoS in detail and suggests possible implementation improvements as well as operational mitigation techniques that can, in some cases, be used to protect against or at least alleviate the impact of such attacks. [STANDARDS-TRACK] IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) are formed by devices that are compatible with the IEEE 802.15.4 standard. However, neither the IEEE 802.15.4 standard nor the 6LoWPAN format specification defines how mesh topologies could be obtained and maintained. Thus, it should be considered how 6LoWPAN formation and multi-hop routing could be supported. This document provides the problem statement and design space for 6LoWPAN routing. It defines the routing requirements for 6LoWPANs, considering the low-power and other particular characteristics of the devices and links. The purpose of this document is not to recommend specific solutions but to provide general, layer-agnostic guidelines about the design of 6LoWPAN routing that can lead to further analysis and protocol design. This document is intended as input to groups working on routing protocols relevant to 6LoWPANs, such as the IETF ROLL WG. This document is not an Internet Standards Track specification; it is published for informational purposes. Huawei Cisco Systems, Inc Sandelman Software Works Juniper This draft enables the discovery, advertisement and query of capabilities for RPL nodes. This document presents a security threat analysis for the Routing Protocol for Low-Power and Lossy Networks (RPLs). The development builds upon previous work on routing security and adapts the assessments to the issues and constraints specific to low-power and lossy networks. A systematic approach is used in defining and evaluating the security threats. Applicable countermeasures are application specific and are addressed in relevant applicability statements.