Download presentation
Presentation is loading. Please wait.
1
ROLL RPL Security IETF 77 status
draft-sdt-roll-rpl-security Kris Pister, Security Design Team Slide #1 IETF 77 – Roll WG – March 2010
2
Status Drafts: Related: draft-tsao-roll-security-framework-02
draft-sdt-roll-rpl-security-00 draft-struik-roll-rpl-security-design-00 Related: Draft-oflynn-6lowapp-bootstrapping-00 Slide #2 IETF 77 – Roll WG – March 2010
3
Scope Routing Security Later or out of scope
Provide mechanisms to protect RPL {DIS, DIO, DAO, “flow label”} from outsider attack Later or out of scope Policy Key distribution Insider attack Relationship to other security (L2, L4, …)
4
Range of RPL Applications
Toys No security ok? Consumer/commercial Perception of risk varies widely Enterprise-critical Appropriate paranoia Need to satisfy “enterprise-critical” without driving away “consumer/commercial”
5
“Protect” DIO, DIS, DAO, flow label
Packets are not modified during transport Participant IDs are authentic Retransmissions are detected Content optionally encrypted
6
Mechanisms AES128 CCM* Where to draw the “MUST support” line?
1) no security 2) shared instance-wide key 3) shared pair-wise keys 4) digital signatures
7
Authentication Proposed 4 levels No authentication
Pre-configured, instance-wide join key Pre-configured join key(s) with access control list at LBR Public key certificate
8
Implementation Still several options for where to put security material DIS, DIO, DAO Sub-option “security-field-present” bit Flow label Hop-by-hop option (hui-6man-rpl-option) TLV or “security present” bit | Option Type | Opt Data Len | | (sub-TLVs) |
9
Example Packet format (1)
March 22, 2010 Example Packet format (1) RPL Control Message Security bit indicates whether packet is secured, and auxiliary security header is present. octets: 1 1 2 variable Type Code Checksum Message Body RPL Type Description 0x00 DODAG Information Solicitation 0x01 DODAG Information Object 0x02 Destination Advertisement Object 0x03 Reserved bits: 0-2 3 4-7 RPL Type Security Reserved Code field Slide 9 Page 9 <author>, <company>
10
Example packet format (2)
March 22, 2010 Example packet format (2) Auxiliary Security Header (cont’d) - Only present if security field set Security control field: indication as to which security services enabled Granularity: specific combinations of data confidentiality & data integrity Counter field: indication of non-repeating value used in crypto construct Compression option provided (if devices have clock on board and timeliness possible) Key Identifier field: indication as to which key was used to secure packet Granularity: peer-to-peer key, group key, network-wide key, {signature key} MIC: message integrity code octets: 1 1/4 0/1/9 Security Control Counter Key Identifier Auxiliary Security Header 1/2/4? MIC Slide 10 Page 10 <author>, <company>
11
Summary Can provide simple, standard, lightweight mechanisms to protect routing information Min 2B? per data packet (flow label) Typ 5B? per DIS/DIO/DAO Still lots of detail work to do Open issues Insider attack: LBR consistency checking? Error/alarm messages
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.