Internet Engineering Task Force (IETF)                           T. Tsao
Request for Comments: 7416                                  R. Alexander
Category: Informational            Eaton's Cooper Power Systems Business
ISSN: 2070-1721                                                M. Dohler
                                                                    CTTC
                                                                 V. Daza
                                                               A. Lozano
                                                Universitat Pompeu Fabra
                                                      M. Richardson, Ed.
                                                Sandelman Software Works
                                                            January 2015
        
Internet Engineering Task Force (IETF)                           T. Tsao
Request for Comments: 7416                                  R. Alexander
Category: Informational            Eaton's Cooper Power Systems Business
ISSN: 2070-1721                                                M. Dohler
                                                                    CTTC
                                                                 V. Daza
                                                               A. Lozano
                                                Universitat Pompeu Fabra
                                                      M. Richardson, Ed.
                                                Sandelman Software Works
                                                            January 2015
        

A Security Threat Analysis for the Routing Protocol for Low-Power and Lossy Networks (RPLs)

低功耗有损网络路由协议(RPLs)的安全威胁分析

Abstract

摘要

This document presents a security threat analysis for the Routing Protocol for Low-Power and Lossy Networks (RPLs). The development builds upon previous work on routing security and adapts the assessments to the issues and constraints specific to low-power and lossy networks. A systematic approach is used in defining and evaluating the security threats. Applicable countermeasures are application specific and are addressed in relevant applicability statements.

本文档介绍低功耗有损网络(RPL)路由协议的安全威胁分析。这一发展建立在以前关于路由安全的工作的基础上,并使评估适应低功率和有损网络特有的问题和限制。系统方法用于定义和评估安全威胁。适用对策针对具体应用,并在相关适用性声明中予以说明。

Status of This Memo

关于下段备忘

This document is not an Internet Standards Track specification; it is published for informational purposes.

本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。

This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.

本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。并非IESG批准的所有文件都适用于任何级别的互联网标准;见RFC 5741第2节。

Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7416.

有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问http://www.rfc-editor.org/info/rfc7416.

Copyright Notice

版权公告

Copyright (c) 2015 IETF Trust and the persons identified as the document authors. All rights reserved.

版权所有(c)2015 IETF信托基金和确定为文件作者的人员。版权所有。

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.

本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(http://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。

Table of Contents

目录

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Relationship to Other Documents . . . . . . . . . . . . . . .   4
   3.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   5
   4.  Considerations on RPL Security  . . . . . . . . . . . . . . .   5
     4.1.  Routing Assets and Points of Access . . . . . . . . . . .   6
     4.2.  The ISO 7498-2 Security Reference Model . . . . . . . . .   8
     4.3.  Issues Specific to or Amplified in LLNs . . . . . . . . .  10
     4.4.  RPL Security Objectives . . . . . . . . . . . . . . . . .  12
   5.  Threat Sources  . . . . . . . . . . . . . . . . . . . . . . .  13
   6.  Threats and Attacks . . . . . . . . . . . . . . . . . . . . .  13
     6.1.  Threats Due to Failures to Authenticate . . . . . . . . .  14
       6.1.1.  Node Impersonation  . . . . . . . . . . . . . . . . .  14
       6.1.2.  Dummy Node  . . . . . . . . . . . . . . . . . . . . .  14
       6.1.3.  Node Resource Spam  . . . . . . . . . . . . . . . . .  15
     6.2.  Threats Due to Failure to Keep Routing Information
           Confidential  . . . . . . . . . . . . . . . . . . . . . .  15
       6.2.1.  Routing Exchange Exposure . . . . . . . . . . . . . .  15
       6.2.2.  Routing Information (Routes and Network Topology)
               Exposure  . . . . . . . . . . . . . . . . . . . . . .  15
     6.3.  Threats and Attacks on Integrity  . . . . . . . . . . . .  16
       6.3.1.  Routing Information Manipulation  . . . . . . . . . .  16
       6.3.2.  Node Identity Misappropriation  . . . . . . . . . . .  17
     6.4.  Threats and Attacks on Availability . . . . . . . . . . .  18
       6.4.1.  Routing Exchange Interference or Disruption . . . . .  18
       6.4.2.  Network Traffic Forwarding Disruption . . . . . . . .  18
       6.4.3.  Communications Resource Disruption  . . . . . . . . .  20
       6.4.4.  Node Resource Exhaustion  . . . . . . . . . . . . . .  20
        
   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Relationship to Other Documents . . . . . . . . . . . . . . .   4
   3.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   5
   4.  Considerations on RPL Security  . . . . . . . . . . . . . . .   5
     4.1.  Routing Assets and Points of Access . . . . . . . . . . .   6
     4.2.  The ISO 7498-2 Security Reference Model . . . . . . . . .   8
     4.3.  Issues Specific to or Amplified in LLNs . . . . . . . . .  10
     4.4.  RPL Security Objectives . . . . . . . . . . . . . . . . .  12
   5.  Threat Sources  . . . . . . . . . . . . . . . . . . . . . . .  13
   6.  Threats and Attacks . . . . . . . . . . . . . . . . . . . . .  13
     6.1.  Threats Due to Failures to Authenticate . . . . . . . . .  14
       6.1.1.  Node Impersonation  . . . . . . . . . . . . . . . . .  14
       6.1.2.  Dummy Node  . . . . . . . . . . . . . . . . . . . . .  14
       6.1.3.  Node Resource Spam  . . . . . . . . . . . . . . . . .  15
     6.2.  Threats Due to Failure to Keep Routing Information
           Confidential  . . . . . . . . . . . . . . . . . . . . . .  15
       6.2.1.  Routing Exchange Exposure . . . . . . . . . . . . . .  15
       6.2.2.  Routing Information (Routes and Network Topology)
               Exposure  . . . . . . . . . . . . . . . . . . . . . .  15
     6.3.  Threats and Attacks on Integrity  . . . . . . . . . . . .  16
       6.3.1.  Routing Information Manipulation  . . . . . . . . . .  16
       6.3.2.  Node Identity Misappropriation  . . . . . . . . . . .  17
     6.4.  Threats and Attacks on Availability . . . . . . . . . . .  18
       6.4.1.  Routing Exchange Interference or Disruption . . . . .  18
       6.4.2.  Network Traffic Forwarding Disruption . . . . . . . .  18
       6.4.3.  Communications Resource Disruption  . . . . . . . . .  20
       6.4.4.  Node Resource Exhaustion  . . . . . . . . . . . . . .  20
        
   7.  Countermeasures . . . . . . . . . . . . . . . . . . . . . . .  21
     7.1.  Confidentiality Attack Countermeasures  . . . . . . . . .  21
       7.1.1.  Countering Deliberate Exposure Attacks  . . . . . . .  21
       7.1.2.  Countering Passive Wiretapping Attacks  . . . . . . .  22
       7.1.3.  Countering Traffic Analysis . . . . . . . . . . . . .  22
       7.1.4.  Countering Remote Device Access Attacks . . . . . . .  23
     7.2.  Integrity Attack Countermeasures  . . . . . . . . . . . .  24
       7.2.1.  Countering Unauthorized Modification Attacks  . . . .  24
       7.2.2.  Countering Overclaiming and Misclaiming Attacks . . .  24
       7.2.3.  Countering Identity (including Sybil) Attacks . . . .  25
       7.2.4.  Countering Routing Information Replay Attacks . . . .  25
       7.2.5.  Countering Byzantine Routing Information Attacks  . .  26
     7.3.  Availability Attack Countermeasures . . . . . . . . . . .  26
       7.3.1.  Countering HELLO Flood Attacks and ACK Spoofing
               Attacks . . . . . . . . . . . . . . . . . . . . . . .  27
       7.3.2.  Countering Overload Attacks . . . . . . . . . . . . .  27
       7.3.3.  Countering Selective Forwarding Attacks . . . . . . .  29
       7.3.4.  Countering Sinkhole Attacks . . . . . . . . . . . . .  29
       7.3.5.  Countering Wormhole Attacks . . . . . . . . . . . . .  30
   8.  RPL Security Features . . . . . . . . . . . . . . . . . . . .  31
     8.1.  Confidentiality Features  . . . . . . . . . . . . . . . .  32
     8.2.  Integrity Features  . . . . . . . . . . . . . . . . . . .  32
     8.3.  Availability Features . . . . . . . . . . . . . . . . . .  33
     8.4.  Key Management  . . . . . . . . . . . . . . . . . . . . .  34
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  34
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  34
     10.1.  Normative References . . . . . . . . . . . . . . . . . .  34
     10.2.  Informative References . . . . . . . . . . . . . . . . .  35
   Acknowledgments  . . . . . .  . . . . . . . . . . . . . . . . . .  39
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  40
        
   7.  Countermeasures . . . . . . . . . . . . . . . . . . . . . . .  21
     7.1.  Confidentiality Attack Countermeasures  . . . . . . . . .  21
       7.1.1.  Countering Deliberate Exposure Attacks  . . . . . . .  21
       7.1.2.  Countering Passive Wiretapping Attacks  . . . . . . .  22
       7.1.3.  Countering Traffic Analysis . . . . . . . . . . . . .  22
       7.1.4.  Countering Remote Device Access Attacks . . . . . . .  23
     7.2.  Integrity Attack Countermeasures  . . . . . . . . . . . .  24
       7.2.1.  Countering Unauthorized Modification Attacks  . . . .  24
       7.2.2.  Countering Overclaiming and Misclaiming Attacks . . .  24
       7.2.3.  Countering Identity (including Sybil) Attacks . . . .  25
       7.2.4.  Countering Routing Information Replay Attacks . . . .  25
       7.2.5.  Countering Byzantine Routing Information Attacks  . .  26
     7.3.  Availability Attack Countermeasures . . . . . . . . . . .  26
       7.3.1.  Countering HELLO Flood Attacks and ACK Spoofing
               Attacks . . . . . . . . . . . . . . . . . . . . . . .  27
       7.3.2.  Countering Overload Attacks . . . . . . . . . . . . .  27
       7.3.3.  Countering Selective Forwarding Attacks . . . . . . .  29
       7.3.4.  Countering Sinkhole Attacks . . . . . . . . . . . . .  29
       7.3.5.  Countering Wormhole Attacks . . . . . . . . . . . . .  30
   8.  RPL Security Features . . . . . . . . . . . . . . . . . . . .  31
     8.1.  Confidentiality Features  . . . . . . . . . . . . . . . .  32
     8.2.  Integrity Features  . . . . . . . . . . . . . . . . . . .  32
     8.3.  Availability Features . . . . . . . . . . . . . . . . . .  33
     8.4.  Key Management  . . . . . . . . . . . . . . . . . . . . .  34
   9.  Security Considerations . . . . . . . . . . . . . . . . . . .  34
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .  34
     10.1.  Normative References . . . . . . . . . . . . . . . . . .  34
     10.2.  Informative References . . . . . . . . . . . . . . . . .  35
   Acknowledgments  . . . . . .  . . . . . . . . . . . . . . . . . .  39
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  40
        
1. Introduction
1. 介绍

In recent times, networked electronic devices have found an increasing number of applications in various fields. Yet, for reasons ranging from operational application to economics, these wired and wireless devices are often supplied with minimum physical resources; the constraints include those on computational resources (RAM, clock speed, and storage) and communication resources (duty cycle, packet size, etc.) but also form factors that may rule out user-access interfaces (e.g., the housing of a small stick-on switch) or simply safety considerations (e.g., with gas meters). As a consequence, the resulting networks are more prone to loss of traffic and other vulnerabilities. The proliferation of these Low-Power and Lossy Networks (LLNs), however, are drawing efforts to examine and address their potential networking challenges. Securing the establishment and maintenance of network connectivity among these deployed devices becomes one of these key challenges.

近年来,网络化电子设备在各个领域的应用越来越多。然而,从操作应用到经济性,这些有线和无线设备的物理资源通常是最少的;这些约束包括计算资源(RAM、时钟速度和存储)和通信资源(占空比、数据包大小等)上的约束,但也形成了可能排除用户访问接口(例如,小型固定开关的外壳)或简单安全考虑(例如,燃气表)的因素。因此,由此产生的网络更容易出现流量损失和其他漏洞。然而,这些低功耗和有损网络(LLN)的扩散正促使人们努力研究和解决其潜在的网络挑战。确保这些已部署设备之间的网络连接的建立和维护成为这些关键挑战之一。

This document presents a threat analysis for securing the Routing Protocol for LLNs (RPL). The process requires two steps. First, the analysis will be used to identify pertinent security issues. The second step is to identify necessary countermeasures to secure RPL. As there are multiple ways to solve the problem and the specific trade-offs are deployment specific, the specific countermeasure to be used is detailed in applicability statements.

本文档介绍了保护LLN路由协议(RPL)安全的威胁分析。这个过程需要两个步骤。首先,分析将用于确定相关的安全问题。第二步是确定保护RPL的必要对策。由于有多种解决问题的方法,并且具体的权衡是针对部署的,因此要使用的具体对策在适用性声明中有详细说明。

This document uses a model based on [ISO.7498-2.1989], which describes authentication, access control, data confidentiality, data integrity, and non-repudiation security services. This document expands the model to include the concept of availability. As explained below, non-repudiation does not apply to routing protocols.

本文档使用基于[ISO.7498-2.1989]的模型,该模型描述了身份验证、访问控制、数据机密性、数据完整性和不可否认安全服务。本文档扩展了模型,包括可用性的概念。如下所述,不可否认性不适用于路由协议。

Many of the issues in this document were also covered in the IAB Smart Object Workshop [RFC6574] and the IAB Smart Object Security Workshop [RFC7397].

IAB智能对象研讨会[RFC6574]和IAB智能对象安全研讨会[RFC7397]也讨论了本文档中的许多问题。

This document concerns itself with securing the control-plane traffic. As such, it does not address authorization or authentication of application traffic. RPL uses multicast as part of its protocol; therefore, mechanisms that RPL uses to secure this traffic might also be applicable to the Multicast Protocol for Low-Power and Lossy Networks (MPL) control traffic as well: the important part is that the threats are similar.

本文件涉及控制飞机交通安全。因此,它不处理应用程序流量的授权或身份验证。RPL使用多播作为其协议的一部分;因此,RPL用于保护此流量的机制也可能适用于低功耗和有损网络(MPL)控制流量的多播协议:重要的是,这些威胁是相似的。

2. Relationship to Other Documents
2. 与其他文件的关系

Routing Over Low-Power and Lossy (ROLL) networks has specified a set of routing protocols for LLNs [RFC6550]. A number of applicability texts describe a subset of these protocols and the conditions that make the subset the correct choice. The text recommends and motivates the accompanying parameter value ranges. Multiple applicability domains are recognized, including Building and Home and Advanced Metering Infrastructure. The applicability domains distinguish themselves in the way they are operated, by their performance requirements, and by the most probable network structures. Each applicability statement identifies the distinguishing properties according to a common set of subjects described in as many sections.

低功耗和有损(ROLL)网络上的路由为LLN指定了一组路由协议[RFC6550]。许多适用性文本描述了这些协议的子集以及使子集成为正确选择的条件。文本建议并激励附带的参数值范围。多个适用领域得到认可,包括建筑、家庭和高级计量基础设施。适用性域以其操作方式、性能要求和最可能的网络结构区分开来。每个适用性声明根据尽可能多的章节中描述的一组共同主题来确定区别属性。

The common set of security threats herein are referred to by the applicability statements, and that series of documents describes the preferred security settings and solutions within the applicability statement conditions. This applicability statement may recommend more lightweight security solutions and specify the conditions under which these solutions are appropriate.

适用性声明引用了本文中常见的一组安全威胁,该系列文档描述了适用性声明条件下的首选安全设置和解决方案。本适用性声明可能会推荐更轻量级的安全解决方案,并指定这些解决方案适用的条件。

3. Terminology
3. 术语

This document adopts the terminology defined in [RFC6550], [RFC4949], and [RFC7102].

本文件采用[RFC6550]、[RFC4949]和[RFC7102]中定义的术语。

The terms "control plane" and "forwarding plane" are used in a manner consistent with Section 1 of [RFC6192].

术语“控制平面”和“转发平面”的使用方式与[RFC6192]第1节一致。

The term "Destination-Oriented DAG (DODAG)" is from [RFC6550].

术语“面向目的地的DAG(DODAG)”来自[RFC6550]。

Extensible Authentication Protocol - Transport Layer Security (EAP-TLS) is defined in [RFC5216].

可扩展身份验证协议-传输层安全性(EAP-TLS)在[RFC5216]中定义。

The Protocol for Carrying Authentication for Network Access (PANA) is defined in [RFC5191].

[RFC5191]中定义了用于承载网络访问身份验证(PANA)的协议。

Counter with CBC-MAC (CCM) mode is defined in [RFC3610].

[RFC3610]中定义了具有CBC-MAC(CCM)模式的计数器。

The term "sleepy node", introduced in [RFC7102], refers to a node that may sometimes go into a low-power state, suspending protocol communications.

[RFC7102]中引入的术语“休眠节点”指的是有时可能进入低功率状态、暂停协议通信的节点。

The terms Service Set Identifier (SSID), Extended Service Set Identifier (ESSID), and Personal Area Network (PAN) refer to network identifiers, defined in [IEEE.802.11] and [IEEE.802.15.4].

术语服务集标识符(SSID)、扩展服务集标识符(ESSID)和个人局域网(PAN)是指[IEEE.802.11]和[IEEE.802.15.4]中定义的网络标识符。

Although this is not a protocol specification, the key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] in order to clarify and emphasize the guidance and directions to implementers and deployers of LLN nodes that utilize RPL.

尽管本规范不是协议规范,但本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“建议”、“不建议”、“可”和“可选”应按照[RFC2119]中的说明进行解释为了澄清和强调对使用RPL的LLN节点的实施者和部署者的指导和指导。

4. Considerations on RPL Security
4. 关于RPL安全性的思考

Routing security, in essence, ensures that the routing protocol operates correctly. It entails implementing measures to ensure controlled state changes on devices and network elements, both based on external inputs (received via communications) or internal inputs (physical security of the device itself and parameters maintained by the device, including, e.g., clock). State changes would thereby involve not only authorization of the injector's actions, authentication of injectors, and potentially confidentiality of routing data, but also proper order of state changes through timeliness, since seriously delayed state changes, such as commands or updates of routing tables, may negatively impact system operation. A security assessment can, therefore, begin with a focus on the assets [RFC4949] that may be the target of the state changes and the

路由安全本质上确保路由协议正确运行。它需要实施措施,以确保基于外部输入(通过通信接收)或内部输入(设备本身的物理安全性和设备维护的参数,包括例如时钟)的设备和网络元件上的受控状态变化。因此,状态更改不仅涉及对注入器操作的授权、注入器的身份验证和路由数据的潜在保密性,而且还涉及通过及时性对状态更改的正确顺序,因为严重延迟的状态更改(如命令或路由表的更新)可能会对系统运行产生负面影响。因此,安全评估可以从关注可能是状态更改和

access points in terms of interfaces and protocol exchanges through which such changes may occur. In the case of routing security, the focus is directed towards the elements associated with the establishment and maintenance of network connectivity.

接口和协议交换方面的接入点,通过这些接口和协议交换可能发生此类更改。在路由安全的情况下,重点是与网络连接的建立和维护相关的元素。

This section sets the stage for the development of the analysis by applying the systematic approach proposed in [Myagmar2005] to the routing security, while also drawing references from other reviews and assessments found in the literature, particularly [RFC4593] and [Karlof2003] (i.e., selective forwarding, wormhole, and sinkhole attacks). The subsequent subsections begin with a focus on the elements of a generic routing process that is used to establish routing assets and points of access to the routing functionality. Next, the security model based on [ISO.7498-2.1989] is briefly described. Then, consideration is given to issues specific to or amplified in LLNs. This section concludes with the formulation of a set of security objectives for RPL.

本节通过将[Myagmar2005]中提出的系统方法应用于路由安全性,为分析的发展奠定了基础,同时还参考了文献中的其他评论和评估,特别是[RFC4593]和[Karlof2003](即选择性转发、虫洞和天坑攻击)。接下来的小节将重点介绍用于建立路由资产和路由功能访问点的通用路由过程的元素。接下来,简要描述基于[ISO.7498-2.1989]的安全模型。然后,考虑特定于LLN或在LLN中放大的问题。本节最后为RPL制定了一套安全目标。

4.1. Routing Assets and Points of Access
4.1. 路由资产和访问点

An asset is an important system resource (including information, process, or physical resource); the access to and corruption or loss of an asset adversely affects the system. In the control-plane context, an asset is information about the network, processes used to manage and manipulate this data, and the physical devices on which this data is stored and manipulated. The corruption or loss of these assets may adversely impact the control plane of the network. Within the same context, a point of access is an interface or protocol that facilitates interaction between control-plane assets. Identifying these assets and points of access will provide a basis for enumerating the attack surface of the control plane.

资产是重要的系统资源(包括信息、流程或物理资源);资产的访问、损坏或丢失会对系统产生不利影响。在控制平面上下文中,资源是有关网络、用于管理和操作此数据的进程以及存储和操作此数据的物理设备的信息。这些资产的损坏或损失可能会对网络的控制平面产生不利影响。在同一上下文中,访问点是一个接口或协议,用于促进控制平面资产之间的交互。识别这些资产和访问点将为列举控制平面的攻击面提供基础。

A level-0 data flow diagram [Yourdon1979] is used here to identify the assets and points of access within a generic routing process. The use of a data flow diagram allows for a clear and concise model of the way in which routing nodes interact and process information; hence, it provides a context for threats and attacks. The goal of the model is to be as detailed as possible so that corresponding assets, points of access, and processes in an individual routing protocol can be readily identified.

这里使用0级数据流图[Yourdon1979]来标识通用路由过程中的资产和访问点。数据流图的使用允许对路由节点交互和处理信息的方式建立清晰简洁的模型;因此,它为威胁和攻击提供了环境。该模型的目标是尽可能详细,以便能够容易地识别单个路由协议中的相应资产、访问点和进程。

Figure 1 shows that nodes participating in the routing process transmit messages to discover neighbors and to exchange routing information; routes are then generated and stored, which may be maintained in the form of the protocol forwarding table. The nodes use the derived routes for making forwarding decisions.

图1显示了参与路由过程的节点发送消息以发现邻居并交换路由信息;然后生成并存储路由,这些路由可以协议转发表的形式进行维护。节点使用导出的路由进行转发决策。

                    ...................................................
                    :                                                 :
                    :                                                 :
        |Node_i|<------->(Routing Neighbor       _________________    :
                    :     Discovery)------------>Neighbor Topology    :
                    :                            -------+---------    :
                    :                                   |             :
        |Node_j|<------->(Route/Topology       +--------+             :
                    :     Exchange)            |                      :
                    :           |              V            ______    :
                    :           +---->(Route Generation)--->Routes    :
                    :                                       ---+--    :
                    :                                          |      :
                    : Routing on Node_k                        |      :
                    ...................................................
                                                               |
        |Forwarding                                            |
        |on Node_l|<-------------------------------------------+
        
                    ...................................................
                    :                                                 :
                    :                                                 :
        |Node_i|<------->(Routing Neighbor       _________________    :
                    :     Discovery)------------>Neighbor Topology    :
                    :                            -------+---------    :
                    :                                   |             :
        |Node_j|<------->(Route/Topology       +--------+             :
                    :     Exchange)            |                      :
                    :           |              V            ______    :
                    :           +---->(Route Generation)--->Routes    :
                    :                                       ---+--    :
                    :                                          |      :
                    : Routing on Node_k                        |      :
                    ...................................................
                                                               |
        |Forwarding                                            |
        |on Node_l|<-------------------------------------------+
        

Notation:

符号:

(Proc) A process Proc

(Proc)过程Proc

   ________
   topology   A structure storing neighbor adjacency (parent/child)
   --------
   ________
    routes    A structure storing the forwarding information base (FIB)
   --------
        
   ________
   topology   A structure storing neighbor adjacency (parent/child)
   --------
   ________
    routes    A structure storing the forwarding information base (FIB)
   --------
        

|Node_n| An external entity Node_n

|节点|外部实体节点|n

   ------->   Data flow
        
   ------->   Data flow
        

Figure 1: Data Flow Diagram of a Generic Routing Process

图1:通用路由过程的数据流图

Figure 1 shows the following:

图1显示了以下内容:

o Assets include

o 资产包括

* routing and/or topology information;

* 路由和/或拓扑信息;

* route generation process;

* 路由生成过程;

* communication channel resources (bandwidth);

* 通信信道资源(带宽);

* node resources (computing capacity, memory, and remaining energy); and

* 节点资源(计算能力、内存和剩余能量);和

* node identifiers (including node identity and ascribed attributes such as relative or absolute node location).

* 节点标识符(包括节点标识和属性,如相对或绝对节点位置)。

o Points of access include

o 访问点包括

* neighbor discovery;

* 邻居发现;

* route/topology exchange; and

* 路由/拓扑交换;和

* node physical interfaces (including access to data storage).

* 节点物理接口(包括对数据存储的访问)。

A focus on the above list of assets and points of access enables a more directed assessment of routing security; for example, it is readily understood that some routing attacks are in the form of attempts to misrepresent routing topology. Indeed, the intention of the security threat analysis is to be comprehensive. Hence, some of the discussion that follows is associated with assets and points of access that are not directly related to routing protocol design but are nonetheless provided for reference since they do have direct consequences on the security of routing.

将重点放在上述资产和访问点列表上,可以更直接地评估路由安全性;例如,很容易理解,一些路由攻击的形式是试图歪曲路由拓扑。事实上,安全威胁分析的目的是全面的。因此,下面的一些讨论与资产和接入点相关,这些资产和接入点与路由协议设计没有直接关系,但可供参考,因为它们对路由的安全性有直接影响。

4.2. The ISO 7498-2 Security Reference Model
4.2. ISO 7498-2安全参考模型

At the conceptual level, security within an information system, in general, and applied to RPL in particular is concerned with the primary issues of authentication, access control, data confidentiality, data integrity, and non-repudiation. In the context of RPL:

在概念层面上,信息系统内的安全性,尤其是应用于RPL的安全性,涉及身份验证、访问控制、数据机密性、数据完整性和不可否认性等主要问题。在RPL的上下文中:

Authentication Authentication involves the mutual authentication of the routing peers prior to exchanging route information (i.e., peer authentication) as well as ensuring that the source of the route data is from the peer (i.e., data origin authentication). LLNs can be drained by unauthenticated peers before configuration per [RFC5548]. Availability of open and untrusted side channels for new joiners is required by [RFC5673], and strong and automated authentication is required so that networks can automatically accept or reject new joiners.

认证涉及在交换路由信息(即,对等认证)之前路由对等方的相互认证,以及确保路由数据的源来自对等方(即,数据源认证)。在按照[RFC5548]进行配置之前,未经验证的对等方可以排空LLN。[RFC5673]要求为新加入者提供开放且不受信任的侧信道,并且需要强大且自动的身份验证,以便网络能够自动接受或拒绝新加入者。

Access Control Access Control provides protection against unauthorized use of the asset and deals with the authorization of a node.

访问控制访问控制提供防止未经授权使用资产的保护,并处理节点的授权。

Confidentiality Confidentiality involves the protection of routing information as well as routing neighbor maintenance exchanges so that only authorized and intended network entities may view or access it. Because LLNs are most commonly found on a publicly accessible shared medium, e.g., air or wiring in a building, and are sometimes formed ad hoc, confidentiality also extends to the neighbor state and database information within the routing device since the deployment of the network creates the potential for unauthorized access to the physical devices themselves.

机密性涉及对路由信息的保护以及路由邻居维护交换,以便只有授权的和预期的网络实体才能查看或访问它。因为LLN最常见于公共可访问的共享介质上,例如建筑物中的空气或电线,并且有时是临时形成的,保密性还扩展到路由设备内的邻居状态和数据库信息,因为网络的部署可能会导致未经授权访问物理设备本身。

Integrity Integrity entails the protection of routing information and routing neighbor maintenance exchanges, as well as derived information maintained in the database, from unauthorized modifications, insertions, deletions, or replays to be addressed beyond the routing protocol.

完整性需要保护路由信息和路由邻居维护交换,以及数据库中维护的派生信息,使其免受路由协议之外的未经授权的修改、插入、删除或重放。

Non-repudiation Non-repudiation is the assurance that the transmission and/or reception of a message cannot later be denied. The service of non-repudiation applies after the fact; thus, it relies on the logging or other capture of ongoing message exchanges and signatures. Routing protocols typically do not have a notion of repudiation, so non-repudiation services are not required. Further, with the LLN application domains as described in [RFC5867] and [RFC5548], proactive measures are much more critical than retrospective protections. Finally, given the significant practical limits to ongoing routing transaction logging and storage and individual device digital signature verification for each exchange, non-repudiation in the context of routing is an unsupportable burden that bears no further consideration as an RPL security issue.

不可抵赖性不可抵赖性是指保证消息的传输和/或接收在以后不会被拒绝。不可抵赖性服务在事后适用;因此,它依赖于正在进行的消息交换和签名的日志记录或其他捕获。路由协议通常没有否认的概念,因此不需要不否认服务。此外,对于[RFC5867]和[RFC5548]中所述的LLN应用领域,主动措施比回顾性保护更为关键。最后,考虑到正在进行的路由事务日志记录和存储以及每个交换的单个设备数字签名验证的重大实际限制,路由上下文中的不可否认性是一个不可承受的负担,不需要进一步考虑RPL安全问题。

It is recognized that, besides those security issues captured in the ISO 7498-2 model, availability is a security requirement:

人们认识到,除了ISO 7498-2模型中捕获的安全问题外,可用性是一项安全要求:

Availability Availability ensures that routing information exchanges and forwarding services are available when they are required for the functioning of the serving network. Availability will apply to maintaining efficient and correct operation of routing and neighbor discovery exchanges (including needed information) and forwarding services so as not to impair or limit the network's central traffic flow function.

可用性确保路由信息交换和转发服务在服务网络运行需要时可用。可用性将适用于维持路由和邻居发现交换(包括所需信息)和转发服务的高效和正确运行,以不损害或限制网络的中央交通流功能。

It should be emphasized here that for RPL security, the above requirements must be complemented by the proper security policies and enforcement mechanisms to ensure that security objectives are met by a given RPL implementation.

这里应该强调的是,对于RPL安全性,必须通过适当的安全策略和执行机制来补充上述要求,以确保给定的RPL实现满足安全目标。

4.3. Issues Specific to or Amplified in LLNs
4.3. 特定于LLN或在LLN中放大的问题

The requirements work detailed in Urban Requirements [RFC5548], Industrial Requirements [RFC5673], Home Automation [RFC5826], and Building Automation [RFC5867] have identified specific issues and constraints of routing in LLNs. The following is a list of observations from those requirements and evaluations of their impact on routing security considerations.

城市要求[RFC5548]、工业要求[RFC5673]、家庭自动化[RFC5826]和楼宇自动化[RFC5867]中详述的要求工作已经确定了LLN中路由的具体问题和限制。以下是这些需求的观察结果列表,以及对其对路由安全考虑的影响的评估。

Limited energy, memory, and processing node resources As a consequence of these constraints, the need to evaluate the kinds of security that can be provided needs careful study. For instance, security provided at one level could be very memory efficient yet might also be very energy costly for the network (as a whole) if it requires significant effort to synchronize the security state. Synchronization of security states with sleepy nodes [RFC7102] is a complex issue. A non-rechargeable battery-powered node may well be limited in energy for it's lifetime: once exhausted, it may well never function again.

有限的能量、内存和处理节点资源由于这些限制,需要仔细研究评估可以提供的安全性。例如,在一个级别上提供的安全性可能非常节省内存,但如果需要大量工作来同步安全状态,则网络(作为一个整体)的能耗也可能非常高。与休眠节点同步安全状态[RFC7102]是一个复杂的问题。非可充电电池供电的节点在其生命周期内的能量可能会受到限制:一旦耗尽,它很可能再也无法工作。

Large scale of rolled out network The possibly numerous nodes to be deployed make manual on-site configuration unlikely. For example, an urban deployment can see several hundreds of thousands of nodes being installed by many installers with a low level of expertise. Nodes may be installed and not activated for many years, and additional nodes may be added later on, which may be from old inventory. The lifetime of the network is measured in decades, and this complicates the operation of key management.

大规模的网络部署可能需要部署大量节点,因此不太可能进行手动现场配置。例如,在城市部署中,许多专业水平较低的安装人员可以安装数十万个节点。节点可能已安装且多年未激活,以后可能会添加其他节点,这些节点可能来自旧库存。网络的生命周期以几十年为单位,这使得密钥管理的操作复杂化。

Autonomous operations Self-forming and self-organizing are commonly prescribed requirements of LLNs. In other words, a routing protocol designed for LLNs needs to contain elements of ad hoc networking and, in most cases, cannot rely on manual configuration for initialization or local filtering rules. Network topology/ownership changes, partitioning or merging, and node replacement can all contribute to complicating the operations of key management.

自主操作自形成和自组织是LLN的常见要求。换句话说,为LLN设计的路由协议需要包含特设网络的元素,并且在大多数情况下,不能依赖手动配置进行初始化或本地筛选规则。网络拓扑/所有权更改、分区或合并以及节点替换都可能导致密钥管理操作复杂化。

Highly directional traffic Some types of LLNs see a high percentage of their total traffic traverse between the nodes and the LLN Border Routers (LBRs) where the LLNs connect to non-LLNs. The special routing status of and the greater volume of traffic near the LBRs have routing security consequences as a higher-valued attack target. In fact, when Point-to-MultiPoint (P2MP) and MultiPoint-to-Point (MP2P) traffic represents a majority of the traffic, routing attacks consisting of advertising incorrect preferred routes can cause serious damage.

高度定向的流量某些类型的LLN在节点和LLN边界路由器(LBR)之间看到其总流量的高百分比,其中LLN连接到非LLN。LBR的特殊路由状态和LBR附近更大的流量作为更高价值的攻击目标具有路由安全后果。事实上,当点对多点(P2MP)和多点对点(MP2P)流量代表大部分流量时,由广告错误首选路由组成的路由攻击可能会造成严重损害。

While it might seem that nodes higher up in the acyclic graph (i.e., those with lower rank) should be secured in a stronger fashion, it is not, in general, easy to predict which nodes will occupy those positions until after deployment. Issues of redundancy and inventory control suggest that any node might wind up in such a sensitive attack position, so all nodes are to be capable of being fully secured.

虽然在非循环图中较高的节点(即具有较低秩的节点)似乎应该以更强有力的方式进行保护,但通常不容易预测哪些节点将在部署后占据这些位置。冗余和库存控制问题表明,任何节点都可能处于如此敏感的攻击位置,因此所有节点都能够完全安全。

In addition, even if it were possible to predict which nodes will occupy positions of lower rank and provision them with stronger security mechanisms, in the absence of a strong authorization model, any node could advertise an incorrect preferred route.

此外,即使可以预测哪些节点将占据较低级别的位置并为其提供更强的安全机制,但在缺乏强授权模型的情况下,任何节点都可能公布错误的首选路由。

Unattended locations and limited physical security In many applications, the nodes are deployed in unattended or remote locations; furthermore, the nodes themselves are often built with minimal physical protection. These constraints lower the barrier of accessing the data or security material stored on the nodes through physical means.

无人值守位置和有限的物理安全在许多应用程序中,节点部署在无人值守或远程位置;此外,节点本身通常是在物理保护最小的情况下构建的。这些约束降低了通过物理手段访问存储在节点上的数据或安全材料的障碍。

Support for mobility On the one hand, only a limited number of applications require the support of mobile nodes, e.g., a home LLN that includes nodes on wearable health care devices or an industry LLN that includes nodes on cranes and vehicles. On the other hand, if a routing protocol is indeed used in such applications, it will clearly need to have corresponding security mechanisms.

对移动性的支持一方面,只有有限数量的应用程序需要移动节点的支持,例如,包括可穿戴医疗设备上的节点的家庭LLN或包括起重机和车辆上的节点的行业LLN。另一方面,如果路由协议确实用于此类应用中,则显然需要有相应的安全机制。

Additionally, nodes may appear to move from one side of a wall to another without any actual motion involved, which is the result of changes to electromagnetic properties, such as the opening and closing of a metal door.

此外,节点可能看起来从墙的一侧移动到另一侧,而不涉及任何实际运动,这是电磁特性变化的结果,例如打开和关闭金属门。

Support for multicast and anycast Support for multicast and anycast is called out chiefly for large-scale networks. Since application of these routing mechanisms in autonomous operations of many nodes is new, the consequence on security requires careful consideration.

支持多播和选播支持多播和选播主要用于大规模网络。由于这些路由机制在许多节点的自治操作中的应用是新的,因此对安全性的影响需要仔细考虑。

The above list considers how an LLN's physical constraints, size, operations, and variety of application areas may impact security. However, it is the combinations of these factors that particularly stress the security concerns. For instance, securing routing for a large number of autonomous devices that are left in unattended locations with limited physical security presents challenges that are not found in the common circumstance of administered networked routers. The following subsection sets up the security objectives for the routing protocol designed by the ROLL WG.

上面的列表考虑了LLN的物理约束、大小、操作和应用程序区域的多样性如何影响安全性。然而,正是这些因素的组合特别强调了安全问题。例如,为大量留在无人值守位置且物理安全性有限的自主设备提供安全路由带来了在受管网络路由器的常见情况下无法发现的挑战。以下小节为ROLL WG设计的路由协议设定了安全目标。

4.4. RPL Security Objectives
4.4. RPL安全目标

This subsection applies the ISO 7498-2 model to routing assets and access points, taking into account the LLN issues, to develop a set of RPL security objectives.

本小节将ISO 7498-2模型应用于路由资产和接入点,同时考虑LLN问题,以制定一套RPL安全目标。

Since the fundamental function of a routing protocol is to build routes for forwarding packets, it is essential to ensure that:

由于路由协议的基本功能是建立转发数据包的路由,因此必须确保:

o routing/topology information integrity remains intact during transfer and in storage;

o 路由/拓扑信息完整性在传输和存储期间保持不变;

o routing/topology information is used by authorized entities; and

o 授权实体使用路由/拓扑信息;和

o routing/topology information is available when needed.

o 路由/拓扑信息在需要时可用。

In conjunction, it is necessary to be assured that:

同时,必须确保:

o Authorized peers authenticate themselves during the routing neighbor discovery process.

o 授权对等方在路由邻居发现过程中对自己进行身份验证。

o The routing/topology information received is generated according to the protocol design.

o 接收到的路由/拓扑信息根据协议设计生成。

However, when trust cannot be fully vested through authentication of the principals alone, i.e., concerns of an insider attack, assurance of the truthfulness and timeliness of the received routing/topology information is necessary. With regard to confidentiality, protecting the routing/topology information from unauthorized exposure may be desirable in certain cases but is in itself less pertinent, in general, to the routing function.

然而,当仅通过主体身份验证无法完全授予信任时,即担心内部攻击,则必须确保接收到的路由/拓扑信息的真实性和及时性。关于机密性,在某些情况下,保护路由/拓扑信息免受未经授权的暴露可能是可取的,但其本身通常与路由功能不太相关。

One of the main problems of synchronizing security states of sleepy nodes, as listed in the last subsection, lies in difficulties in authentication; these nodes may not have received the most recent update of security material in time. Similarly, the issues of minimal manual configuration, prolonged rollout and delayed addition of nodes, and network topology changes also complicate key management. Hence, routing in LLNs needs to bootstrap the authentication process and allow for a flexible expiration scheme of authentication credentials.

如上一小节所列,同步休眠节点的安全状态的主要问题之一在于身份验证困难;这些节点可能没有及时收到安全资料的最新更新。类似地,最少的手动配置、长时间的卷展和延迟添加节点以及网络拓扑更改等问题也使密钥管理复杂化。因此,LLN中的路由需要引导身份验证过程,并允许灵活的身份验证凭据过期方案。

The vulnerability brought forth by some special-function nodes, e.g., LBRs, requires the assurance, particularly in a security context, of the following:

某些特殊功能节点(如LBR)带来的漏洞需要保证(尤其是在安全上下文中):

o The availability of communication channels and node resources.

o 通信通道和节点资源的可用性。

o The neighbor discovery process operates without undermining routing availability.

o 邻居发现过程在不影响路由可用性的情况下运行。

There are other factors that are not part of RPL but directly affect its function. These factors include a weaker barrier of accessing the data or security material stored on the nodes through physical means; therefore, the internal and external interfaces of a node need to be adequate for guarding the integrity, and possibly the confidentiality, of stored information, as well as the integrity of routing and route generation processes.

还有其他不属于RPL的因素,但直接影响其功能。这些因素包括通过物理手段访问存储在节点上的数据或安全材料的障碍较弱;因此,节点的内部和外部接口需要足以保护存储信息的完整性(可能是机密性),以及路由和路由生成过程的完整性。

Each individual system's use and environment will dictate how the above objectives are applied, including the choices of security services as well as the strengths of the mechanisms that must be implemented. The next two sections take a closer look at how the RPL security objectives may be compromised and how those potential compromises can be countered.

每个系统的使用和环境将决定如何应用上述目标,包括安全服务的选择以及必须实施的机制的优势。接下来的两部分将更详细地了解RPL安全目标可能受到的危害以及如何应对这些潜在的危害。

5. Threat Sources
5. 威胁源

[RFC4593] provides a detailed review of the threat sources: outsiders and Byzantine. RPL has the same threat sources.

[RFC4593]详细回顾了威胁来源:局外人和拜占庭人。RPL具有相同的威胁源。

6. Threats and Attacks
6. 威胁和攻击

This section outlines general categories of threats under the ISO 7498-2 model and highlights the specific attacks in each of these categories for RPL. As defined in [RFC4949], a threat is "a potential for violation of security, which exists when there is a circumstance, capability, action, or event that could breach security and cause harm."

本节概述了ISO 7498-2模型下的威胁的一般类别,并重点介绍了RPL在这些类别中的具体攻击。正如[RFC4949]中所定义的,威胁是“当存在可能破坏安全并造成伤害的情况、能力、行动或事件时,存在违反安全的可能性。”

Per [RFC3067], an attack is "an assault on system security that derives from an intelligent threat, i.e., an intelligent act that is a deliberate attempt (especially in the sense of a method or technique) to evade security services and violate the security policy of a system."

根据[RFC3067],攻击是“源自智能威胁的对系统安全的攻击,即故意试图(尤其是在方法或技术意义上)逃避安全服务并违反系统安全策略的智能行为。”

The subsequent subsections consider the threats and the attacks that can cause security breaches under the ISO 7498-2 model to the routing assets and via the routing points of access identified in Section 4.1. The assessment reviews the security concerns of each routing asset and looks at the attacks that can exploit routing points of access. The threats and attacks identified are based on the routing model analysis and associated review of the existing literature. The source of the attacks is assumed to be from either inside or outside attackers. While some attackers inside the network will be using compromised nodes and, therefore, are only able to do what an ordinary node can ("node-equivalent"), other attacks may not be limited in memory, CPU, power consumption, or long-term storage. Moore's law favors the attacker with access to the latest capabilities, while the defenders will remain in place for years to decades.

随后的小节考虑了在ISO 798-2模型下对路由资产造成安全破坏的威胁和攻击,以及通过在第4.1节中标识的访问路由点。评估将审查每个路由资产的安全问题,并查看可能利用路由访问点的攻击。确定的威胁和攻击基于路由模型分析和现有文献的相关回顾。假设攻击源来自内部或外部攻击者。虽然网络中的一些攻击者将使用受损节点,因此只能执行普通节点可以执行的操作(“节点等效”),但其他攻击可能不限于内存、CPU、功耗或长期存储。摩尔定律有利于攻击者获得最新的能力,而防御者将在几年到几十年内保持在位。

6.1. Threats Due to Failures to Authenticate
6.1. 由于身份验证失败而造成的威胁
6.1.1. Node Impersonation
6.1.1. 节点模拟

If an attacker can join a network using any identity, then it may be able to assume the role of a legitimate (and existing node). It may be able to report false readings (in metering applications) or provide inappropriate control messages (in control systems involving actuators) if the security of the application is implied by the security of the routing system.

如果攻击者可以使用任何身份加入网络,那么它可能会扮演合法(和现有节点)的角色。如果路由系统的安全性暗示应用的安全性,则它可能会报告错误读数(在计量应用中)或提供不适当的控制消息(在涉及致动器的控制系统中)。

Even in systems where there is application-layer security, the ability to impersonate a node would permit an attacker to direct traffic to itself. This may permit various on-path attacks that would otherwise be difficult, such as replaying, delaying, or duplicating (application) control messages.

即使在存在应用层安全性的系统中,模拟节点的能力也会允许攻击者将流量指向自身。这可能会允许各种路径攻击,否则很难进行,例如重放、延迟或复制(应用程序)控制消息。

6.1.2. Dummy Node
6.1.2. 虚拟节点

If an attacker can join a network using any identify, then it can pretend to be a legitimate node, receiving any service legitimate nodes receive. It may also be able to report false readings (in metering applications), provide inappropriate authorizations (in control systems involving actuators), or perform any other attacks that are facilitated by being able to direct traffic towards itself.

如果攻击者可以使用任何标识加入网络,则可以假装为合法节点,接收合法节点接收的任何服务。它还可以报告错误读数(在计量应用中),提供不适当的授权(在涉及执行器的控制系统中),或执行任何其他攻击,这些攻击是通过将流量指向自身而实现的。

6.1.3. Node Resource Spam
6.1.3. 节点资源垃圾邮件

If an attacker can join a network with any identity, then it can continuously do so with new (random) identities. This act may drain down the resources of the network (battery, RAM, bandwidth). This may cause legitimate nodes of the network to be unable to communicate.

如果攻击者可以使用任何身份加入网络,则可以使用新的(随机)身份继续加入网络。此操作可能会耗尽网络资源(电池、RAM、带宽)。这可能会导致网络的合法节点无法通信。

6.2. Threats Due to Failure to Keep Routing Information Confidential
6.2. 由于未能对路由信息保密而造成的威胁

The assessment in Section 4.2 indicates that there are attacks against the confidentiality of routing information at all points of access. This threat may result in disclosure, as described in Section 3.1.2 of [RFC4593], and may involve a disclosure of routing information.

第4.2节中的评估表明,在所有访问点都存在对路由信息保密性的攻击。如[RFC4593]第3.1.2节所述,该威胁可能导致泄露,并可能涉及路由信息的泄露。

6.2.1. Routing Exchange Exposure
6.2.1. 路由交换风险

Routing exchanges include both routing information as well as information associated with the establishment and maintenance of neighbor state information. As indicated in Section 4.1, the associated routing information assets may also include device-specific resource information, such as available memory, remaining power, etc., that may be metrics of the routing protocol.

路由交换包括路由信息以及与邻居状态信息的建立和维护相关的信息。如第4.1节所示,相关联的路由信息资产还可以包括设备特定的资源信息,例如可用内存、剩余功率等,这些信息可以是路由协议的度量。

The routing exchanges will contain reachability information, which would identify the relative importance of different nodes in the network. Nodes higher up in the DODAG, to which more streams of information flow, would be more interesting targets for other attacks, and routing exchange exposures could identify them.

路由交换将包含可达性信息,该信息将识别网络中不同节点的相对重要性。DODAG中更高的节点(更多信息流流向这些节点)将是其他攻击更有趣的目标,路由交换暴露可以识别它们。

6.2.2. Routing Information (Routes and Network Topology) Exposure
6.2.2. 路由信息(路由和网络拓扑)公开

Routes (which may be maintained in the form of the protocol forwarding table) and neighbor topology information are the products of the routing process that are stored within the node device databases.

路由(可以以协议转发表的形式维护)和邻居拓扑信息是存储在节点设备数据库中的路由过程的产物。

The exposure of this information will allow attackers to gain direct access to the configuration and connectivity of the network, thereby exposing routing to targeted attacks on key nodes or links. Since routes and neighbor topology information are stored within the node device, attacks on the confidentiality of the information will apply to the physical device, including specified and unspecified internal and external interfaces.

此信息的暴露将允许攻击者直接访问网络的配置和连接,从而暴露路由,使关键节点或链路遭受有针对性的攻击。由于路由和邻居拓扑信息存储在节点设备内,因此对信息机密性的攻击将应用于物理设备,包括指定和未指定的内部和外部接口。

The forms of attack that allow unauthorized access or disclosure of the routing information will include:

允许未经授权访问或披露路由信息的攻击形式包括:

o Physical device compromise.

o 物理设备泄露。

o Remote device access attacks (including those occurring through remote network management or software/field upgrade interfaces).

o 远程设备访问攻击(包括通过远程网络管理或软件/现场升级接口发生的攻击)。

Both of these attack vectors are considered a device-specific issue and are out of scope for RPL to defend against. In some applications, physical device compromise may be a real threat, and it may be necessary to provide for other devices to securely detect a compromised device and react quickly to exclude it.

这两种攻击向量都被视为特定于设备的问题,超出了RPL的防御范围。在某些应用程序中,物理设备泄露可能是一个真正的威胁,可能需要为其他设备提供安全检测泄露设备并快速做出反应以排除它。

6.3. Threats and Attacks on Integrity
6.3. 对诚信的威胁和攻击

The assessment in Section 4.2 indicates that information and identity assets are exposed to integrity threats from all points of access. In other words, the integrity threat space is defined by the potential for exploitation introduced by access to assets available through routing exchanges and the on-device storage.

第4.2节中的评估表明,信息和身份资产面临来自所有访问点的完整性威胁。换句话说,完整性威胁空间是由通过路由交换和设备存储访问可用资产所带来的潜在利用率定义的。

6.3.1. Routing Information Manipulation
6.3.1. 路由信息操纵

Manipulation of routing information that ranges from neighbor states to derived routes will allow unauthorized sources to influence the operation and convergence of the routing protocols and ultimately impact the forwarding decisions made in the network.

操纵从邻居状态到派生路由的路由信息将允许未经授权的源影响路由协议的操作和收敛,并最终影响网络中做出的转发决策。

Manipulation of topology and reachability information will allow unauthorized sources to influence the nodes with which routing information is exchanged and updated. The consequence of manipulating routing exchanges can thus lead to suboptimality and fragmentation or partitioning of the network by restricting the universe of routers with which associations can be established and maintained.

对拓扑和可达性信息的操纵将允许未经授权的源影响与之交换和更新路由信息的节点。因此,操纵路由交换的结果可能会通过限制可建立和维护关联的路由器的范围而导致网络的次优性和碎片化或分区。

A suboptimal network may use too much power and/or may congest some routes leading to premature failure of a node and a denial of service (DoS) on the entire network.

次优网络可能会使用过多电源和/或阻塞某些路由,从而导致节点过早故障和整个网络上的拒绝服务(DoS)。

In addition, being able to attract network traffic can make a black-hole attack more damaging.

此外,能够吸引网络流量会使黑洞攻击更具破坏性。

The forms of attack that allow manipulation to compromise the content and validity of routing information include:

允许操纵以损害路由信息的内容和有效性的攻击形式包括:

o falsification, including overclaiming and misclaiming (claiming routes to devices that the device cannot in fact reach);

o 伪造,包括多报和误报(声称设备实际上无法到达的设备路线);

o routing information replay;

o 路由信息回放;

o Byzantine (internal) attacks that permit corruption of routing information in the node even when the node continues to be a validated entity within the network (see, for example, [RFC4593] for further discussions on Byzantine attacks); and

o 拜占庭式(内部)攻击,允许节点中的路由信息损坏,即使该节点仍然是网络中的有效实体(例如,有关拜占庭式攻击的进一步讨论,请参见[RFC4593]);和

o physical device compromise or remote device access attacks.

o 物理设备泄露或远程设备访问攻击。

6.3.2. Node Identity Misappropriation
6.3.2. 节点身份盗用

Falsification or misappropriation of node identity between routing participants opens the door for other attacks; it can also cause incorrect routing relationships to form and/or topologies to emerge. Routing attacks may also be mounted through less-sophisticated node identity misappropriation in which the valid information broadcasted or exchanged by a node is replayed without modification. The receipt of seemingly valid information that is, however, no longer current can result in routing disruption and instability (including failure to converge). Without measures to authenticate the routing participants and to ensure the freshness and validity of the received information, the protocol operation can be compromised. The forms of attack that misuse node identity include:

伪造或盗用路由参与者之间的节点身份为其他攻击打开了大门;它还可能导致形成不正确的路由关系和/或出现拓扑。路由攻击也可能通过不太复杂的节点身份盗用来发起,在这种盗用中,节点广播或交换的有效信息在不作修改的情况下被重播。接收看似有效但不再是最新的信息可能会导致路由中断和不稳定(包括无法收敛)。如果不采取措施对路由参与者进行身份验证并确保所接收信息的新鲜性和有效性,协议操作可能会受到影响。滥用节点标识的攻击形式包括:

o Identity attacks, including Sybil attacks (see [Sybil2002]) in which a malicious node illegitimately assumes multiple identities.

o 身份攻击,包括Sybil攻击(参见[Sybil2002]),其中恶意节点非法使用多个身份。

o Routing information replay.

o 路由信息重播。

6.4. Threats and Attacks on Availability
6.4. 对可用性的威胁和攻击

The assessment in Section 4.2 indicates that the process and resource assets are exposed to threats against availability; attacks in this category may exploit directly or indirectly information exchange or forwarding (see [RFC4732] for a general discussion).

第4.2节中的评估表明,流程和资源资产面临可用性威胁;此类攻击可直接或间接利用信息交换或转发(有关一般性讨论,请参阅[RFC4732])。

6.4.1. Routing Exchange Interference or Disruption
6.4.1. 路由交换干扰或中断

Interference is the threat action and disruption is the threat consequence that allows attackers to influence the operation and convergence of the routing protocols by impeding the routing information exchange.

干扰是一种威胁行为,中断是一种威胁后果,使得攻击者能够通过阻碍路由信息交换来影响路由协议的操作和收敛。

The forms of attack that allow interference or disruption of routing exchange include:

允许干扰或中断路由交换的攻击形式包括:

o routing information replay;

o 路由信息回放;

o ACK spoofing; and

o ACK欺骗;和

o overload attacks (Section 7.3.2).

o 过载攻击(第7.3.2节)。

In addition, attacks may also be directly conducted at the physical layer in the form of jamming or interfering.

此外,还可以在物理层以干扰或干扰的形式直接进行攻击。

6.4.2. Network Traffic Forwarding Disruption
6.4.2. 网络流量转发中断

The disruption of the network traffic forwarding capability will undermine the central function of network routers and the ability to handle user traffic. This affects the availability of the network because of the potential to impair the primary capability of the network.

网络流量转发能力的中断将破坏网络路由器的中心功能和处理用户流量的能力。这会影响网络的可用性,因为可能会损害网络的主要功能。

In addition to physical-layer obstructions, the forms of attack that allow disruption of network traffic forwarding include [Karlof2003]:

除了物理层障碍外,允许中断网络流量转发的攻击形式包括[Karlof2003]:

o selective forwarding attacks;

o 选择性转发攻击;

         |Node_1|--(msg1|msg2|msg3)-->|Attacker|--(msg1|msg3)-->|Node_2|
        
         |Node_1|--(msg1|msg2|msg3)-->|Attacker|--(msg1|msg3)-->|Node_2|
        

Figure 2: Selective Forwarding Example

图2:选择性转发示例

o wormhole attacks; and

o 虫洞攻击;和

               |Node_1|-------------Unreachable---------x|Node_2|
                  |                                         ^
                  |               Private Link              |
                  '-->|Attacker_1|===========>|Attacker_2|--'
        
               |Node_1|-------------Unreachable---------x|Node_2|
                  |                                         ^
                  |               Private Link              |
                  '-->|Attacker_1|===========>|Attacker_2|--'
        

Figure 3: Wormhole Attacks

图3:虫洞攻击

o sinkhole attacks.

o 天坑攻击。

                |Node_1|     |Node_4|
                    |            |
                    `--------.   |
                Falsify as    \  |
                Good Link \   |  |
                to Node_5  \  |  |
                            \ V  V
                |Node_2|-->|Attacker|--Not Forwarded---x|Node_5|
                              ^  ^ \
                              |  |  \ Falsify as
                              |  |   \Good Link
                              /  |    to Node_5
                     ,-------'   |
                     |           |
                |Node_3|     |Node_i|
        
                |Node_1|     |Node_4|
                    |            |
                    `--------.   |
                Falsify as    \  |
                Good Link \   |  |
                to Node_5  \  |  |
                            \ V  V
                |Node_2|-->|Attacker|--Not Forwarded---x|Node_5|
                              ^  ^ \
                              |  |  \ Falsify as
                              |  |   \Good Link
                              /  |    to Node_5
                     ,-------'   |
                     |           |
                |Node_3|     |Node_i|
        

Figure 4: Sinkhole Attack Example

图4:天坑攻击示例

These attacks are generally done to both control- and forwarding-plane traffic. A system that prevents control-plane traffic (RPL messages) from being diverted in these ways will also prevent actual data from being diverted.

这些攻击通常针对控制和转发飞机流量。以这些方式防止控制平面通信(RPL消息)被转移的系统也将防止实际数据被转移。

6.4.3. Communications Resource Disruption
6.4.3. 通信资源中断

Attacks mounted against the communication channel resource assets needed by the routing protocol can be used as a means of disrupting its operation. However, while various forms of DoS attacks on the underlying transport subsystem will affect routing protocol exchanges and operation (for example, physical-layer Radio Frequency (RF) jamming in a wireless network or link-layer attacks), these attacks cannot be countered by the routing protocol. As such, the threats to the underlying transport network that supports routing is considered beyond the scope of the current document. Nonetheless, attacks on the subsystem will affect routing operation and must be directly addressed within the underlying subsystem and its implemented protocol layers.

针对路由协议所需的通信信道资源资产发起的攻击可作为中断其运行的手段。然而,尽管对底层传输子系统的各种形式的DoS攻击将影响路由协议交换和操作(例如,无线网络中的物理层射频(RF)干扰或链路层攻击),但路由协议无法对抗这些攻击。因此,对支持路由的底层传输网络的威胁超出了当前文档的范围。尽管如此,对子系统的攻击将影响路由操作,必须在底层子系统及其实现的协议层中直接解决。

6.4.4. Node Resource Exhaustion
6.4.4. 节点资源耗尽

A potential threat consequence can arise from attempts to overload the node resource asset by initiating exchanges that can lead to the exhaustion of processing, memory, or energy resources. The establishment and maintenance of routing neighbors opens the routing process to engagement and potential acceptance of multiple neighboring peers. Association information must be stored for each peer entity and for the wireless network operation provisions made to periodically update and reassess the associations. An introduced proliferation of apparent routing peers can, therefore, have a negative impact on node resources.

通过启动可能导致处理、内存或能量资源耗尽的交换,试图使节点资源资产过载,可能会产生潜在的威胁后果。路由邻居的建立和维护为多个相邻对等点的参与和潜在接受打开了路由过程。必须为每个对等实体以及为定期更新和重新评估关联而制定的无线网络操作规定存储关联信息。因此,引入的明显路由对等点的激增可能会对节点资源产生负面影响。

Node resources may also be unduly consumed by attackers attempting uncontrolled topology peering or routing exchanges, routing replays, or the generating of other data-traffic floods. Beyond the disruption of communications channel resources, these consequences may be able to exhaust node resources only where the engagements are able to proceed with the peer routing entities. Routing operation and network forwarding functions can thus be adversely impacted by node resources exhaustion that stems from attacks that include:

攻击者还可能过度消耗节点资源,试图进行不受控制的拓扑对等或路由交换、路由重放或生成其他数据流量洪水。除了通信信道资源的中断之外,这些后果可能仅在业务能够继续进行对等路由实体的情况下才能耗尽节点资源。因此,路由操作和网络转发功能可能会受到节点资源耗尽的不利影响,节点资源耗尽源于以下攻击:

o identity (including Sybil) attacks (see [Sybil2002]);

o 身份(包括Sybil)攻击(见[Sybil2002]);

o routing information replay attacks;

o 路由信息重放攻击;

o HELLO-type flood attacks; and

o HELLO型洪水袭击;和

o overload attacks (Section 7.3.2).

o 过载攻击(第7.3.2节)。

7. Countermeasures
7. 对策

By recognizing the characteristics of LLNs that may impact routing, this analysis provides the basis for understanding the capabilities within RPL used to deter the identified attacks and mitigate the threats. The following subsections consider such countermeasures by grouping the attacks according to the classification of the ISO 7498-2 model so that associations with the necessary security services are more readily visible.

通过识别可能影响路由的LLN的特征,该分析为理解RPL中用于阻止已识别攻击和缓解威胁的能力提供了基础。下面的小节通过根据ISO798-2模型的分类对攻击进行分组,从而使得与必要的安全服务的关联更容易被看到。

7.1. Confidentiality Attack Countermeasures
7.1. 保密攻击对策

Attacks to disclosure routing information may be mounted at the level of the routing information assets, at the points of access associated with routing exchanges between nodes, or through device interface access. To gain access to routing/topology information, the attacker may rely on a compromised node that deliberately exposes the information during the routing exchange process, on passive wiretapping or traffic analysis, or on attempting access through a component or device interface of a tampered routing node.

对公开路由信息的攻击可在路由信息资产级别、与节点之间的路由交换相关联的访问点或通过设备接口访问进行。为了获得对路由/拓扑信息的访问,攻击者可能依赖于在路由交换过程中故意暴露信息的受损节点、被动窃听或流量分析,或者试图通过被篡改路由节点的组件或设备接口进行访问。

7.1.1. Countering Deliberate Exposure Attacks
7.1.1. 应对蓄意曝光攻击

A deliberate exposure attack is one in which an entity that is party to the routing process or topology exchange allows the routing/ topology information or generated route information to be exposed to an unauthorized entity.

蓄意暴露攻击是指作为路由过程或拓扑交换一方的实体允许将路由/拓扑信息或生成的路由信息暴露给未经授权的实体。

For instance, due to misconfiguration or inappropriate enabling of a diagnostic interface, an entity might be copying ("bridging") traffic from a secured ESSID/PAN to an unsecured interface.

例如,由于错误配置或不适当启用诊断接口,实体可能正在将“桥接”流量从安全的ESSID/PAN复制到不安全的接口。

A prerequisite to countering this attack is to ensure that the communicating nodes are authenticated prior to data encryption applied in the routing exchange. The authentication ensures that the LLN starts with trusted nodes, but it does not provide an indication of whether the node has been compromised.

对抗此攻击的先决条件是确保在路由交换中应用数据加密之前对通信节点进行身份验证。身份验证确保LLN从受信任的节点开始,但它不提供节点是否已受损的指示。

Reputation systems could be used to help when some nodes may sleep for extended periods of time. It is also unclear if resulting datasets would even fit into constrained devices.

当某些节点可能长时间睡眠时,信誉系统可用于提供帮助。还不清楚生成的数据集是否适合受约束的设备。

To mitigate the risk of deliberate exposure, the process that communicating nodes use to establish session keys must be peer-to-peer (i.e., between the routing initiating and responding nodes). As is pointed out in [RFC4107], automatic key management is critical for good security. This helps ensure that neither node is exchanging routing information with another peer without the

为了降低故意暴露的风险,通信节点用于建立会话密钥的过程必须是对等的(即,路由发起节点和响应节点之间)。正如[RFC4107]中指出的,自动密钥管理对于良好的安全性至关重要。这有助于确保两个节点在没有

knowledge of both communicating peers. For a deliberate exposure attack to succeed, the comprised node will need to be more overt and take independent actions in order to disclose the routing information to a third party.

具备与同伴沟通的知识。为了使故意暴露攻击成功,组成节点需要更加公开并采取独立的行动,以便将路由信息披露给第三方。

Note that the same measures that apply to securing routing/topology exchanges between operational nodes must also extend to field tools and other devices used in a deployed network where such devices can be configured to participate in routing exchanges.

注意,用于保护操作节点之间的路由/拓扑交换的相同措施也必须扩展到部署网络中使用的现场工具和其他设备,这些设备可以配置为参与路由交换。

7.1.2. Countering Passive Wiretapping Attacks
7.1.2. 对抗被动窃听攻击

A passive wiretap attack seeks to breach routing confidentiality through passive, direct analysis and processing of the information exchanges between nodes.

被动窃听攻击试图通过对节点之间的信息交换进行被动、直接的分析和处理来破坏路由保密性。

Passive wiretap attacks can be directly countered through the use of data encryption for all routing exchanges. Only when a validated and authenticated node association is completed will routing exchange be allowed to proceed using established session keys and an agreed encryption algorithm. The mandatory-to-implement CCM mode AES-128 method, described in [RFC3610], is believed to be secure against a brute-force attack by even the most well-equipped adversary.

通过对所有路由交换使用数据加密,可以直接对抗被动窃听攻击。只有在验证和身份验证的节点关联完成后,才允许使用已建立的会话密钥和约定的加密算法继续进行路由交换。[RFC3610]中描述的强制实施CCM模式AES-128方法被认为是安全的,即使是装备最精良的对手也能抵御暴力攻击。

The significant challenge for RPL is in the provisioning of the key, which in some modes of RFC 6550 is used network wide. This problem is not solved in RFC 6550, and it is the subject of significant future work: see, for instance, [AceCharterProposal], [SolaceProposal], and [SmartObjectSecurityWorkshop].

RPL面临的重大挑战是密钥的提供,在RFC 6550的某些模式中,密钥在网络范围内使用。这个问题在RFC 6550中没有得到解决,它是未来重要工作的主题:例如,请参见[AceCharterProposal]、[SolaceProposal]和[SmartObjectSecurityWorkshop]。

A number of deployments, such as [ZigBeeIP] specify no Layer 3 (L3) / RPL encryption or authentication and rely upon similar security at Layer 2 (L2). These networks are immune to outside wiretapping attacks but are vulnerable to passive (and active) routing attacks through compromises of nodes (see Section 8.2).

许多部署,例如[ZigBeeIP]没有指定第3层(L3)/RPL加密或身份验证,并且依赖于第2层(L2)的类似安全性。这些网络不受外部窃听攻击的影响,但容易受到通过节点妥协的被动(和主动)路由攻击(见第8.2节)。

Section 10.9 of [RFC6550] specifies AES-128 in CCM mode with a 32-bit Message Authentication Code (MAC).

[RFC6550]第10.9节规定了在CCM模式下使用32位消息认证码(MAC)的AES-128。

Section 5.6 of ZigBee IP [ZigBeeIP] specifies use of CCM, with PANA and EAP-TLS for key management.

ZigBee IP[ZigBeeIP]第5.6节规定了CCM的使用,PANA和EAP-TLS用于密钥管理。

7.1.3. Countering Traffic Analysis
7.1.3. 反流量分析

Traffic analysis provides an indirect means of subverting confidentiality and gaining access to routing information by allowing an attacker to indirectly map the connectivity or flow patterns (including link load) of the network from which other attacks can be

流量分析通过允许攻击者间接映射网络的连接或流模式(包括链路负载),从而提供了一种间接手段,可以破坏机密性并获得对路由信息的访问权,从而可以防止其他攻击

mounted. The traffic-analysis attack on an LLN, especially one founded on a shared medium, is passive and relies on the ability to read the immutable source/destination L2 and/or L3 routing information that must remain unencrypted to permit network routing.

安装。对LLN的流量分析攻击,尤其是基于共享介质的攻击,是被动的,并且依赖于读取不可变的源/目标L2和/或L3路由信息的能力,这些信息必须保持未加密才能允许网络路由。

One way in which passive traffic-analysis attacks can be muted is through the support of load balancing that allows traffic to a given destination to be sent along diverse routing paths. RPL does not generally support multipath routing within a single DODAG. Multiple DODAGs are supported in the protocol, and an implementation could make use of that. RPL does not have any inherent or standard way to guarantee that the different DODAGs would have significantly diverse paths. Having the diverse DODAGs routed at different border routers might work in some instances, and this could be combined with a multipath technology like Multipath TCP (MPTCP) [RFC6824]. It is unlikely that it will be affordable in many LLNs, as few deployments will have memory space for more than a few sets of DODAG tables.

被动流量分析攻击可以静音的一种方式是通过支持负载平衡,允许通过不同的路由路径发送到给定目的地的流量。RPL通常不支持单个DODAG中的多路径路由。该协议支持多个DoDAG,一个实现可以利用这一点。RPL没有任何固有的或标准的方式来保证不同的DoDAG会有显著不同的路径。在某些情况下,在不同的边界路由器上路由不同的DoDAG可能会起作用,这可以与多径TCP(MPTCP)等多径技术相结合[RFC6824]。在许多LLN中,它不太可能是负担得起的,因为很少有部署具有超过几组DODAG表的内存空间。

Another approach to countering passive traffic analysis could be for nodes to maintain a constant amount of traffic to different destinations through the generation of arbitrary traffic flows; the drawback of course would be the consequent overhead and energy expenditure.

对抗被动流量分析的另一种方法可以是节点通过生成任意流量流来维持到不同目的地的恒定流量;缺点当然是随之而来的开销和能源消耗。

The only means of fully countering a traffic-analysis attack is through the use of tunneling (encapsulation) where encryption is applied across the entirety of the original packet source/destination addresses. Deployments that use L2 security that includes encryption already do this for all traffic.

完全对抗流量分析攻击的唯一方法是使用隧道(封装),其中加密应用于整个原始数据包源/目标地址。使用L2安全性(包括加密)的部署已对所有流量执行此操作。

7.1.4. Countering Remote Device Access Attacks
7.1.4. 对抗远程设备访问攻击

Where LLN nodes are deployed in the field, measures are introduced to allow for remote retrieval of routing data and for software or field upgrades. These paths create the potential for a device to be remotely accessed across the network or through a provided field tool. In the case of network management, a node can be directly requested to provide routing tables and neighbor information.

在现场部署LLN节点的情况下,引入了允许远程检索路由数据和软件或现场升级的措施。这些路径可以通过网络或提供的现场工具远程访问设备。在网络管理的情况下,可以直接请求节点提供路由表和邻居信息。

To ensure confidentiality of the node routing information against attacks through remote access, any local or remote device requesting routing information must be authenticated and must be authorized for that access. Since remote access is not invoked as part of a routing protocol, security of routing information stored on the node against remote access will not be addressable as part of the routing protocol.

为了确保节点路由信息的机密性,防止通过远程访问进行攻击,任何请求路由信息的本地或远程设备都必须经过身份验证,并且必须获得访问授权。由于远程访问不是作为路由协议的一部分调用的,因此存储在节点上的路由信息的远程访问安全性将不能作为路由协议的一部分寻址。

7.2. Integrity Attack Countermeasures
7.2. 完整性攻击对策

Integrity attack countermeasures address routing information manipulation, as well as node identity and routing information misuse. Manipulation can occur in the form of a falsification attack and physical compromise. To be effective, the following development considers the two aspects of falsification, namely, the unauthorized modifications and the overclaiming and misclaiming content. The countering of physical compromise was considered in the previous section and is not repeated here. With regard to misuse, there are two types of attacks to be deterred: identity attacks and replay attacks.

完整性攻击对策解决路由信息操纵以及节点标识和路由信息滥用问题。操纵可以以伪造攻击和物理妥协的形式发生。为了有效,以下发展考虑了伪造的两个方面,即未经授权的修改和过度投诉和误报内容。在上一节中考虑了反对物理妥协,此处不再重复。关于滥用,有两种类型的攻击需要阻止:身份攻击和重放攻击。

7.2.1. Countering Unauthorized Modification Attacks
7.2.1. 对抗未经授权的修改攻击

Unauthorized modifications may occur in the form of altering the message being transferred or the data stored. Therefore, it is necessary to ensure that only authorized nodes can change the portion of the information that is allowed to be mutable, while the integrity of the rest of the information is protected, e.g., through well-studied cryptographic mechanisms.

未经授权的修改可能以更改正在传输的消息或存储的数据的形式发生。因此,有必要确保只有经过授权的节点才能更改允许可变的信息部分,而其他信息的完整性则受到保护,例如,通过经过充分研究的加密机制。

Unauthorized modifications may also occur in the form of insertion or deletion of messages during protocol changes. Therefore, the protocol needs to ensure the integrity of the sequence of the exchange sequence.

在协议更改期间,未经授权的修改也可能以插入或删除消息的形式发生。因此,协议需要保证交换序列序列的完整性。

The countermeasure to unauthorized modifications needs to:

针对未经授权的修改的对策需要:

o implement access control on storage;

o 对存储设备实施访问控制;

o provide data integrity service to transferred messages and stored data; and

o 为传输的消息和存储的数据提供数据完整性服务;和

o include a sequence number under integrity protection.

o 包括完整性保护下的序列号。

7.2.2. Countering Overclaiming and Misclaiming Attacks
7.2.2. 打击滥发和误发攻击

Both overclaiming and misclaiming aim to introduce false routes or a false topology that would not occur otherwise, while there are not necessarily unauthorized modifications to the routing messages or information. In order to counter overclaiming, the capability to determine unreasonable routes or topology is required.

过度计费和错误计费的目的都是引入错误的路由或错误的拓扑,否则不会发生,而不一定会对路由消息或信息进行未经授权的修改。为了防止过度收费,需要能够确定不合理的路由或拓扑。

The counter to overclaiming and misclaiming may employ:

防止多报和误报的柜台可采用:

o Comparison with historical routing/topology data.

o 与历史路由/拓扑数据进行比较。

o Designs that restrict realizable network topologies.

o 限制可实现网络拓扑的设计。

RPL includes no specific mechanisms in the protocol to counter overclaims or misclaims. An implementation could have specific heuristics implemented locally.

RPL在协议中没有针对过度投诉或误报的具体机制。一个实现可以在本地实现特定的启发式。

7.2.3. Countering Identity (including Sybil) Attacks
7.2.3. 对抗身份(包括Sybil)攻击

Identity attacks, sometimes simply called spoofing, seek to gain or damage assets whose access is controlled through identity. In routing, an identity attacker can illegitimately participate in routing exchanges, distribute false routing information, or cause an invalid outcome of a routing process.

身份攻击,有时简称为欺骗,旨在获取或破坏通过身份控制访问的资产。在路由中,身份攻击者可以非法参与路由交换、分发错误的路由信息或导致路由过程的无效结果。

A perpetrator of Sybil attacks assumes multiple identities. The result is not only an amplification of the damage to routing but extension to new areas, e.g., where geographic distribution is explicitly or implicitly an asset to an application running on the LLN, for example, the LBR in a P2MP or MP2P LLN.

Sybil攻击的实施者具有多重身份。其结果不仅扩大了对路由的破坏,而且扩展到了新的领域,例如,地理分布明确或隐含地成为在LLN上运行的应用程序的资产,例如,P2MP或MP2P LLN中的LBR。

RPL includes specific public key-based authentication at L3 that provides for authorization. Many deployments use L2 security that includes admission controls at L2 using mechanisms such as PANA.

RPL包括在L3提供授权的特定基于公钥的身份验证。许多部署使用L2安全性,包括使用PANA等机制在L2上进行准入控制。

7.2.4. Countering Routing Information Replay Attacks
7.2.4. 对抗路由信息重放攻击

In many routing protocols, message replay can result in false topology and/or routes. This is often counted with some kind of counter to ensure the freshness of the message. Replay of a current, literal RPL message is, in general, idempotent to the topology. If replayed, an older (lower DODAGVersionNumber) message would be rejected as being stale. If the trickle algorithm further dampens the effect of any such replay, as if the message was current, then it would contain the same information as before, and it would cause no network changes.

在许多路由协议中,消息重放可能导致错误的拓扑和/或路由。为了确保信息的新鲜度,通常会使用某种计数器对其进行计数。通常,当前文本RPL消息的重播对于拓扑是幂等的。如果重播,较旧的(较低的DODAGVersionNumber)消息将被拒绝为过时消息。如果trickle算法进一步减弱了任何此类重播的效果,就像消息是最新的一样,那么它将包含与以前相同的信息,并且不会导致网络更改。

Replays may well occur in some radio technologies (though not very likely; see [IEEE.802.15.4]) as a result of echos or reflections, so some replays must be assumed to occur naturally.

由于回声或反射,在某些无线电技术中很可能会发生重放(虽然可能性不大;请参见[IEEE.802.15.4]),因此必须假定某些重放是自然发生的。

Note that for there to be no effect at all, the replay must be done with the same apparent power for all nodes receiving the replay. A change in apparent power might change the metrics through changes to the Expected Transmission Count (ETX); therefore, it might affect the routing even though the contents of the packet were never changed. Any replay that appears to be different should be analyzed as a selective forwarding attack, sinkhole attack, or wormhole attack.

请注意,为了不产生任何影响,必须使用接收重播的所有节点相同的视在功率进行重播。视在功率的变化可能通过改变预期传输计数(ETX)来改变度量;因此,即使数据包的内容从未更改,它也可能会影响路由。任何看起来不同的重播都应被分析为选择性转发攻击、天坑攻击或虫洞攻击。

7.2.5. Countering Byzantine Routing Information Attacks
7.2.5. 抵御拜占庭式路由信息攻击

Where a node is captured or compromised but continues to operate for a period with valid network security credentials, the potential exists for routing information to be manipulated. This compromise of the routing information could thus exist in spite of security countermeasures that operate between the peer routing devices.

如果一个节点被捕获或被破坏,但使用有效的网络安全凭据继续运行一段时间,则存在操纵路由信息的可能性。因此,尽管在对等路由设备之间操作安全对策,路由信息的这种危害仍然可能存在。

Consistent with the end-to-end principle of communications, such an attack can only be fully addressed through measures operating directly between the routing entities themselves or by means of external entities accessing and independently analyzing the routing information. Verification of the authenticity and liveliness of the routing entities can, therefore, only provide a limited counter against internal (Byzantine) node attacks.

与端到端通信原则一致,此类攻击只能通过在路由实体本身之间直接操作的措施或通过外部实体访问和独立分析路由信息的方式来完全解决。因此,对路由实体的真实性和活跃性的验证只能对内部(拜占庭式)节点攻击提供有限的反击。

For link-state routing protocols where information is flooded with, for example, areas (OSPF [RFC2328]) or levels (IS-IS [RFC7142]), countermeasures can be directly applied by the routing entities through the processing and comparison of link-state information received from different peers. By comparing the link information from multiple sources, decisions can be made by a routing node or external entity with regard to routing information validity; see Chapter 2 of [Perlman1988] for a discussion on flooding attacks.

对于信息充斥例如区域(OSPF[RFC2328])或级别(is-is[RFC7142])的链路状态路由协议,路由实体可以通过处理和比较从不同对等方接收的链路状态信息直接应用对策。通过比较来自多个来源的链路信息,路由节点或外部实体可以做出关于路由信息有效性的决策;有关洪水袭击的讨论,请参见[Perlman 1988]第2章。

For distance vector protocols, such as RPL, where information is aggregated at each routing node, it is not possible for nodes to directly detect Byzantine information manipulation attacks from the routing information exchange. In such cases, the routing protocol must include and support indirect communications exchanges between non-adjacent routing peers to provide a secondary channel for performing routing information validation. S-RIP [Wan2004] is an example of the implementation of this type of dedicated routing protocol security where the correctness of aggregate distance vector information can only be validated by initiating confirmation exchanges directly between nodes that are not routing neighbors.

对于距离向量协议,如RPL,其中信息在每个路由节点聚合,节点不可能直接从路由信息交换检测拜占庭式信息操纵攻击。在这种情况下,路由协议必须包括并支持非相邻路由对等方之间的间接通信交换,以提供用于执行路由信息验证的辅助信道。S-RIP[Wan2004]是此类专用路由协议安全性实现的一个示例,其中聚合距离向量信息的正确性只能通过在非路由邻居的节点之间直接发起确认交换来验证。

RPL does not provide any direct mechanisms like S-RIP. It does listen to multiple parents and may switch parents if it begins to suspect that it is being lied to.

RPL不提供任何直接机制,如S-RIP。它确实会听取多位家长的意见,如果开始怀疑自己被欺骗,它可能会更换家长。

7.3. Availability Attack Countermeasures
7.3. 可用性攻击对策

As alluded to before, availability requires that routing information exchanges and forwarding mechanisms be available when needed so as to guarantee proper functioning of the network. This may, e.g., include the correct operation of routing information and neighbor state information exchanges, among others. We will highlight the key

如前所述,可用性要求路由信息交换和转发机制在需要时可用,以保证网络的正常运行。这例如可以包括路由信息和邻居状态信息交换的正确操作等。我们将突出重点

features of the security threats along with typical countermeasures to prevent or at least mitigate them. We will also note that an availability attack may be facilitated by an identity attack as well as a replay attack, as was addressed in Sections 7.2.3 and 7.2.4, respectively.

安全威胁的特征以及防止或至少缓解这些威胁的典型对策。我们还将注意到,如第7.2.3节和第7.2.4节所述,身份攻击和重放攻击可能会促进可用性攻击。

7.3.1. Countering HELLO Flood Attacks and ACK Spoofing Attacks
7.3.1. 对抗HELLO洪水攻击和ACK欺骗攻击

HELLO Flood [Karlof2003], [HELLO], and ACK spoofing attacks are different but highly related forms of attacking an LLN. They essentially lead nodes to believe that suitable routes are available even though they are not and hence constitute a serious availability attack.

HELLO Flood[Karlof2003]、[HELLO]和ACK欺骗攻击是攻击LLN的不同但高度相关的形式。它们基本上会使节点相信,即使没有合适的路由,也有合适的路由可用,因此构成严重的可用性攻击。

A HELLO attack mounted against RPL would involve sending out (or replaying) DODAG Information Object (DIO) messages by the attacker. Lower-power LLN nodes might then attempt to join the DODAG at a lower rank than they would otherwise.

针对RPL的HELLO攻击将涉及攻击者发送(或重播)DODAG信息对象(DIO)消息。然后,功率较低的LLN节点可能会尝试以较低的秩加入DODAG。

The most effective method from [HELLO] is bidirectional verification. A number of L2 links are arranged in controller/spoke arrangements and are continuously validating connectivity at layer 2.

[HELLO]中最有效的方法是双向验证。许多L2链路以控制器/辐条排列,并在第2层连续验证连接。

In addition, in order to calculate metrics, the ETX must be computed, and this involves, in general, sending a number of messages between nodes that are believed to be adjacent. One such protocol is [MESH-LINK].

此外,为了计算度量,必须计算ETX,这通常涉及在被认为是相邻的节点之间发送大量消息。一个这样的协议是[MESH-LINK]。

In order to join the DODAG, a Destination Advertisement Object (DAO) message is sent upwards. In RPL, the DAO is acknowledged by the DAO-ACK message. This clearly checks bidirectionality at the control plane.

为了加入DODAG,向上发送目标广告对象(DAO)消息。在RPL中,DAO由DAO-ACK消息确认。这清楚地检查了控制平面上的双向性。

As discussed in Section 5.1 of [HELLO], a receiver with a sensitive receiver could well hear the DAOs and even send DAO-ACKs as well. Such a node is a form of wormhole attack.

如[HELLO]第5.1节所述,具有敏感接收器的接收器可以很好地听到DAO,甚至发送DAO确认。这种节点是虫洞攻击的一种形式。

These attacks are also all easily defended against using either L2 or L3 authentication. Such an attack could only be made against a completely open network (such as might be used for provisioning new nodes) or by a compromised node.

使用L2或L3身份验证也可以轻松抵御这些攻击。这种攻击只能针对完全开放的网络(例如可能用于提供新节点的网络)或受危害的节点进行。

7.3.2. Countering Overload Attacks
7.3.2. 对抗过载攻击

Overload attacks are a form of DoS attack in that a malicious node overloads the network with irrelevant traffic, thereby draining the nodes' energy store more quickly when the nodes rely on batteries or energy scavenging. Thus, it significantly shortens the lifetime of

过载攻击是DoS攻击的一种形式,恶意节点通过不相关的流量使网络过载,从而在节点依赖电池或能量清除时更快地耗尽节点的能量存储。因此,它大大缩短了电池的寿命

networks of energy-constrained nodes and constitutes another serious availability attack.

能量受限节点的网络构成了另一种严重的可用性攻击。

With energy being one of the most precious assets of LLNs, targeting its availability is a fairly obvious attack. Another way of depleting the energy of an LLN node is to have the malicious node overload the network with irrelevant traffic. This impacts availability since certain routes get congested, which:

由于能源是LLN最宝贵的资产之一,瞄准其可用性是一个相当明显的攻击。另一种耗尽LLN节点能量的方法是让恶意节点使用无关流量使网络过载。这会影响可用性,因为某些路线会变得拥挤,这:

o renders them useless for affected nodes; hence, data cannot be delivered;

o 使它们对受影响的节点无效;因此,无法交付数据;

o makes routes longer as the shortest path algorithms work with the congested network; and

o 当最短路径算法在拥挤的网络中工作时,使路由变长;和

o depletes battery and energy scavenging nodes more quickly and thus shortens the network's availability at large.

o 更快地耗尽电池和能量清除节点,从而大大缩短网络的可用性。

Overload attacks can be countered by deploying a series of mutually non-exclusive security measures that:

可以通过部署一系列互不排斥的安全措施来应对过载攻击,这些措施包括:

o introduce quotas on the traffic rate each node is allowed to send;

o 对每个节点允许发送的流量率引入配额;

o isolate nodes that send traffic above a certain threshold based on system operation characteristics; and

o 根据系统运行特点,隔离发送流量超过某个阈值的节点;和

o allow only trusted data to be received and forwarded.

o 只允许接收和转发受信任的数据。

As for the first one, a simple approach to minimize the harmful impact of an overload attack is to introduce traffic quotas. This prevents a malicious node from injecting a large amount of traffic into the network, even though it does not prevent the said node from injecting irrelevant traffic at all. Another method is to isolate nodes from the network at the network layer once it has been detected that more traffic is injected into the network than allowed by a prior set or dynamically adjusted threshold. Finally, if communication is sufficiently secured, only trusted nodes can receive and forward traffic, which also lowers the risk of an overload attack.

对于第一种方法,将过载攻击的有害影响降至最低的简单方法是引入流量配额。这可以防止恶意节点向网络中注入大量流量,即使它根本无法阻止所述节点注入无关流量。另一种方法是,一旦检测到注入网络的流量超过先前设置或动态调整的阈值所允许的流量,则在网络层将节点与网络隔离。最后,如果通信足够安全,则只有受信任的节点才能接收和转发流量,这也降低了过载攻击的风险。

Receiving nodes that validate signatures and sending nodes that encrypt messages need to be cautious of cryptographic processing usage when validating signatures and encrypting messages. Where feasible, certificates should be validated prior to use of the associated keys to counter potential resource overloading attacks. The associated design decision needs to also consider that the validation process requires resources; thus, it could be exploited for attacks. Alternatively, resource management limits can be placed

在验证签名和加密消息时,验证签名的接收节点和加密消息的发送节点需要谨慎使用加密处理。在可行的情况下,在使用相关密钥对抗潜在的资源过载攻击之前,应验证证书。相关的设计决策还需要考虑验证过程需要资源;因此,它可以被用来进行攻击。或者,可以设置资源管理限制

on routing security processing events (see the comment in Section 6, paragraph 4, of [RFC5751]).

关于路由安全处理事件(参见[RFC5751]第6节第4段中的注释)。

7.3.3. Countering Selective Forwarding Attacks
7.3.3. 对抗选择性转发攻击

Selective forwarding attacks are a form of DoS attack that impacts the availability of the generated routing paths.

选择性转发攻击是DoS攻击的一种形式,会影响生成的路由路径的可用性。

A selective forwarding attack may be done by a node involved with the routing process, or it may be done by what otherwise appears to be a passive antenna or other RF feature or device, but is in fact an active (and selective) device. An RF antenna/repeater that is not selective is not a threat.

选择性转发攻击可以由涉及路由过程的节点执行,也可以由看似无源天线或其他射频特性或设备但实际上是有源(和选择性)设备的节点执行。没有选择性的射频天线/中继器不是威胁。

An insider malicious node basically blends in neatly with the network but then may decide to forward and/or manipulate certain packets. If all packets are dropped, then this attacker is also often referred to as a "black hole". Such a form of attack is particularly dangerous if coupled with sinkhole attacks since inherently a large amount of traffic is attracted to the malicious node, thereby causing significant damage. In a shared medium, an outside malicious node would selectively jam overheard data flows, where the thus caused collisions incur selective forwarding.

内部恶意节点基本上与网络融为一体,但随后可能决定转发和/或操纵某些数据包。如果所有数据包都被丢弃,那么该攻击者也通常被称为“黑洞”。如果这种形式的攻击与天坑攻击相结合,则特别危险,因为恶意节点固有地会吸引大量流量,从而造成重大损害。在共享介质中,外部恶意节点会选择性地阻塞无意中听到的数据流,由此引起的冲突会导致选择性转发。

Selective forwarding attacks can be countered by deploying a series of mutually non-exclusive security measures:

可通过部署一系列互不排斥的安全措施来反击选择性转发攻击:

o Multipath routing of the same message over disjoint paths.

o 不相交路径上相同消息的多路径路由。

o Dynamically selecting the next hop from a set of candidates.

o 从一组候选中动态选择下一跳。

The first measure basically guarantees that if a message gets lost on a particular routing path due to a malicious selective forwarding attack, there will be another route that successfully delivers the data. Such a method is inherently suboptimal from an energy consumption point of view; it is also suboptimal from a network utilization perspective. The second method basically involves a constantly changing routing topology in that next-hop routers are chosen from a dynamic set in the hope that the number of malicious nodes in this set is negligible. A routing protocol that allows for disjoint routing paths may also be useful.

第一种措施基本上保证,如果由于恶意的选择性转发攻击,消息在特定的路由路径上丢失,则会有另一条路由成功地传递数据。从能源消耗的角度来看,这种方法本质上是次优的;从网络利用率的角度来看,这也是次优的。第二种方法基本上涉及不断变化的路由拓扑,即从动态集合中选择下一跳路由器,希望该集合中的恶意节点数量可以忽略不计。允许不相交路由路径的路由协议也可能有用。

7.3.4. Countering Sinkhole Attacks
7.3.4. 对抗天坑攻击

In sinkhole attacks, the malicious node manages to attract a lot of traffic mainly by advertising the availability of high-quality links even though there are none [Karlof2003]. Hence, it constitutes a serious attack on availability.

在天坑攻击中,恶意节点主要通过宣传高质量链接的可用性来吸引大量流量,即使没有[Karlof2003]。因此,它构成了对可用性的严重攻击。

The malicious node creates a sinkhole by attracting a large amount of, if not all, traffic from surrounding neighbors by advertising in and outwards links of superior quality. Hence, affected nodes eagerly route their traffic via the malicious node that, if coupled with other attacks such as selective forwarding, may lead to serious availability and security breaches. Such an attack can only be executed by an inside malicious node and is generally very difficult to detect. An ongoing attack has a profound impact on the network topology and essentially becomes a problem of flow control.

恶意节点通过向高质量链接内外投放广告,吸引大量(如果不是全部的话)来自周围邻居的流量,从而制造了一个天坑。因此,受影响的节点急切地通过恶意节点路由其流量,如果与其他攻击(如选择性转发)结合,可能导致严重的可用性和安全漏洞。此类攻击只能由内部恶意节点执行,通常很难检测到。正在进行的攻击对网络拓扑有着深远的影响,本质上成为流量控制问题。

Sinkhole attacks can be countered by deploying a series of mutually non-exclusive security measures to:

通过部署一系列互不排斥的安全措施,可以应对天坑攻击:

o use geographical insights for flow control;

o 使用地理信息进行流量控制;

o isolate nodes that receive traffic above a certain threshold;

o 隔离接收流量超过某个阈值的节点;

o dynamically pick up the next hop from a set of candidates; and

o 动态地从一组候选者中拾取下一跳;和

o allow only trusted data to be received and forwarded.

o 只允许接收和转发受信任的数据。

A canary node could periodically call home (using a cryptographic process) with the home system, noting if it fails to call in. This provides detection of a problem, but does not mitigate it, and it may have significant energy consequences for the LLN.

金丝雀节点可以通过家庭系统周期性地呼叫家庭(使用加密过程),注意它是否无法呼叫。这提供了对问题的检测,但不能缓解问题,并且可能对LLN产生重大的能源影响。

Some LLNs may provide for geolocation services, often derived from solving triangulation equations from radio delay calculation; such calculations could in theory be subverted by a sinkhole that transmitted at precisely the right power in a node-to-node fashion.

一些LLN可能提供地理定位服务,通常是通过求解无线电延迟计算的三角测量方程得出的;理论上,这种计算可能会被一个落水洞所颠覆,这个落水洞以节点到节点的方式精确地以正确的功率传输。

While geographic knowledge could help assure that traffic always goes in the physical direction desired, it would not assure that the traffic is taking the most efficient route, as the lowest cost real route might match the physical topology, such as when different parts of an LLN are connected by high-speed wired networks.

虽然地理知识有助于确保流量始终按照所需的物理方向运行,但无法确保流量采用最有效的路由,因为最低成本的实际路由可能与物理拓扑匹配,例如当LLN的不同部分通过高速有线网络连接时。

7.3.5. Countering Wormhole Attacks
7.3.5. 对抗虫洞攻击

In wormhole attacks, at least two malicious nodes claim to have a short path between themselves [Karlof2003]. This changes the availability of certain routing paths and hence constitutes a serious security breach.

在虫洞攻击中,至少有两个恶意节点声称它们之间有一条短路径[Karlof2003]。这会改变某些路由路径的可用性,因此构成严重的安全漏洞。

Essentially, two malicious insider nodes use another, more powerful, transmitter to communicate with each other and thereby distort the would-be-agreed routing path. This distortion could involve shortcutting and hence paralyzing a large part of the network; it

本质上,两个恶意内部节点使用另一个更强大的发送器彼此通信,从而扭曲了约定的路由路径。这种失真可能会导致短路,从而使大部分网络瘫痪;信息技术

could also involve tunneling the information to another region of the network where there are, e.g., more malicious nodes available to aid the intrusion or where messages are replayed, etc.

还可能涉及将信息通过隧道传输到网络的另一个区域,在该区域存在更多恶意节点以帮助入侵或重播消息等。

In conjunction with selective forwarding, wormhole attacks can create race conditions that impact topology maintenance and routing protocols as well as any security suits built on "time of check" and "time of use".

结合选择性转发,虫洞攻击可以创造竞争条件,影响拓扑维护和路由协议以及基于“检查时间”和“使用时间”的任何安全防护。

A pure wormhole attack is nearly impossible to detect. A wormhole that is used in order to subsequently mount another kind of attack would be defeated by defeating the other attack. A perfect wormhole, in which there is nothing adverse that occurs to the traffic, would be difficult to call an attack. The worst thing that a benign wormhole can do in such a situation is to cease to operate (become unstable), causing the network to have to recalculate routes.

纯粹的虫洞攻击几乎不可能被发现。用于随后发动另一种攻击的虫洞将通过击败另一种攻击而被击败。一个完美的虫洞,其中没有对交通产生不利影响,很难称之为攻击。在这种情况下,良性虫洞所能做的最糟糕的事情就是停止运行(变得不稳定),导致网络不得不重新计算路由。

A highly unstable wormhole is no different than a radio opaque (i.e., metal) door that opens and closes a lot. RPL includes hysteresis in its objective functions [RFC6719] in an attempt to deal with frequent changes to the ETX between nodes.

一个高度不稳定的虫洞和一个经常打开和关闭的无线电不透明(即金属)门没有区别。RPL在其目标函数[RFC6719]中包含滞后现象,试图处理节点之间ETX的频繁变化。

8. RPL Security Features
8. RPL安全特性

The assessments and analysis in Section 6 examined all areas of threats and attacks that could impact routing, and the countermeasures presented in Section 7 were reached without confining the consideration to means only available to routing. This section puts the results into perspective, dealing with those threats that are endemic to this field, that have been mitigated through RPL protocol design, and that require specific decisions to be made as part of provisioning a network.

第6节中的评估和分析检查了可能影响路由的所有威胁和攻击领域,第7节中提出的对策没有将考虑局限于路由可用的手段。本节将分析结果,处理该领域特有的威胁,这些威胁已通过RPL协议设计得到缓解,并且需要作为网络供应的一部分做出具体决策。

The first part of this section, Sections 8.1 to 8.3, presents a description of RPL security features that address specific threats. The second part of this section, Section 8.4, discusses issues of the provisioning of security aspects that may impact routing but that also require considerations beyond the routing protocol, as well as potential approaches.

本节第一部分第8.1至8.3节介绍了针对特定威胁的RPL安全功能。本节的第二部分,即第8.4节,讨论了可能影响路由但也需要考虑路由协议之外的安全方面的供应问题,以及可能的方法。

RPL employs multicast, so these alternative communications modes MUST be secured with the same routing security services specified in this section. Furthermore, irrespective of the modes of communication, nodes MUST provide adequate physical tamper resistance commensurate with the particular application-domain environment to ensure the confidentiality, integrity, and availability of stored routing information.

RPL采用多播,因此这些备用通信模式必须使用本节中指定的相同路由安全服务进行保护。此外,无论通信模式如何,节点必须提供与特定应用程序域环境相称的足够的物理抗篡改能力,以确保存储的路由信息的机密性、完整性和可用性。

8.1. Confidentiality Features
8.1. 保密特征

With regard to confidentiality, protecting the routing/topology information from unauthorized disclosure is not directly essential to maintaining the routing function. Breaches of confidentiality may lead to other attacks or the focusing of an attacker's resources (see Section 6.2) but does not of itself directly undermine the operation of the routing function. However, to protect against and reduce consequences from other more direct attacks, routing information should be protected. Thus, to secure RPL:

关于机密性,保护路由/拓扑信息不被未经授权的披露对于维护路由功能来说不是直接必要的。违反保密性可能导致其他攻击或攻击者资源的集中(见第6.2节),但其本身不会直接破坏路由功能的运行。但是,为了防止和减少其他更直接的攻击的后果,应该保护路由信息。因此,为了确保RPL的安全:

o Implement payload encryption using L3 mechanisms described in [RFC6550] or

o 使用[RFC6550]中描述的L3机制实施有效负载加密;或

o Implement L2 confidentiality

o 实现二级机密性

Where confidentiality is incorporated into the routing exchanges, encryption algorithms and key lengths need to be specified in accordance with the level of protection dictated by the routing protocol and the associated application-domain transport network. For most networks, this means use of AES-128 in CCM mode, but this needs to be specified clearly in the applicability statement.

如果路由交换中包含机密性,则需要根据路由协议和相关应用域传输网络规定的保护级别指定加密算法和密钥长度。对于大多数网络,这意味着在CCM模式下使用AES-128,但这需要在适用性声明中明确规定。

In terms of the lifetime of the keys, the opportunity to periodically change the encryption key increases the offered level of security for any given implementation. However, where strong cryptography is employed, physical, procedural, and logical data access protection considerations may have a more significant impact on cryptoperiod selection than algorithm and key size factors. Nevertheless, in general, shorter cryptoperiods, during which a single key is applied, will enhance security.

就密钥的生命周期而言,定期更改加密密钥的机会增加了为任何给定实现提供的安全级别。然而,在采用强加密的情况下,物理、程序和逻辑数据访问保护考虑因素对加密周期选择的影响可能比算法和密钥大小因素更大。然而,一般来说,应用单个密钥的较短加密周期将增强安全性。

Given the mandatory protocol requirement to implement routing node authentication as part of routing integrity (see Section 8.2), key exchanges may be coordinated as part of the integrity verification process. This provides an opportunity to increase the frequency of key exchange and shorten the cryptoperiod as a complement to the key length and encryption algorithm required for a given application domain.

鉴于强制协议要求将路由节点认证作为路由完整性的一部分实施(见第8.2节),密钥交换可作为完整性验证过程的一部分进行协调。这为增加密钥交换频率和缩短加密周期提供了机会,作为对给定应用程序域所需密钥长度和加密算法的补充。

8.2. Integrity Features
8.2. 完整性特征

The integrity of routing information provides the basis for ensuring that the function of the routing protocol is achieved and maintained. To protect integrity, RPL must run either using only the secure versions of the messages or over a L2 that uses channel binding between node identity and transmissions.

路由信息的完整性为确保实现和维护路由协议的功能提供了基础。为了保护完整性,RPL必须仅使用消息的安全版本运行,或者通过在节点标识和传输之间使用通道绑定的L2运行。

Some L2 security mechanisms use a single key for the entire network, and these networks cannot provide a significant amount of integrity protection, as any node that has that key may impersonate any other node. This mode of operation is likely acceptable when an entire deployment is under the control of a single administrative entity.

一些L2安全机制对整个网络使用单个密钥,而这些网络无法提供大量的完整性保护,因为拥有该密钥的任何节点都可能模拟任何其他节点。当整个部署由单个管理实体控制时,这种操作模式可能是可以接受的。

Other L2 security mechanisms form a unique session key for every pair of nodes that needs to communicate; this is often called a per-link key. Such networks can provide a strong degree of origin authentication and integrity on unicast messages.

其他L2安全机制为需要通信的每对节点形成唯一的会话密钥;这通常称为每链接密钥。这样的网络可以在单播消息上提供很强的源身份验证和完整性。

However, some RPL messages are broadcast, and even when per-node L2 security mechanisms are used, the integrity and origin authentication of broadcast messages cannot be as trusted due to the proliferation of the key used to secure them.

但是,有些RPL消息是广播的,即使使用了每节点L2安全机制,广播消息的完整性和原始身份验证也不能被信任,因为用于保护它们的密钥大量增加。

RPL has two specific options that are broadcast in RPL Control Messages: the DIO and the DODAG Information Solicitation (DIS). The purpose of the DIS is to cause potential parents to reply with a DIO, so the integrity of the DIS is not of great concern. The DIS may also be unicast.

RPL有两个在RPL控制消息中广播的特定选项:DIO和DODAG信息请求(DIS)。DIS的目的是让潜在的父母回复DIO,因此DIS的完整性不太重要。DIS也可以是单播的。

The DIO is a critical piece of routing and carries many critical parameters. RPL provides for asymmetric authentication at L3 of the RPL Control Message carrying the DIO, and this may be warranted in some deployments. A node could, if it felt that the DIO that it had received was suspicious, send a unicast DIS message to the node in question, and that node would reply with a unicast DIS. Those messages could be protected with the per-link key.

DIO是路由的关键部分,包含许多关键参数。RPL在承载DIO的RPL控制消息的L3处提供非对称身份验证,这在某些部署中可能得到保证。如果一个节点觉得它收到的DIO可疑,它可以向该节点发送单播DIS消息,并且该节点将使用单播DIS进行回复。这些消息可以使用每链接密钥进行保护。

8.3. Availability Features
8.3. 可用性特征

Availability of routing information is linked to system and network availability, which in the case of LLNs require a broader security view beyond the requirements of the routing entities. Where availability of the network is compromised, routing information availability will be accordingly affected. However, to specifically assist in protecting routing availability, nodes MAY:

路由信息的可用性与系统和网络的可用性相关联,在LLN的情况下,这需要一个超出路由实体要求的更广泛的安全视图。当网络的可用性受到损害时,路由信息的可用性将受到相应的影响。然而,为了特别有助于保护路由可用性,节点可以:

o restrict neighborhood cardinality;

o 限制邻域基数;

o use multiple paths;

o 使用多条路径;

o use multiple destinations;

o 使用多个目的地;

o choose randomly if multiple paths are available;

o 如果有多条路径可用,则随机选择;

o set quotas to limit transmit or receive volume; and

o 设置配额以限制传输或接收量;和

o use geographic information for flow control.

o 使用地理信息进行流量控制。

8.4. Key Management
8.4. 密钥管理

The functioning of the routing security services requires keys and credentials. Therefore, even though it's not directly an RPL security requirement, an LLN MUST have a process for initial key and credential configuration, as well as secure storage within the associated devices. Anti-tampering SHOULD be a consideration in physical design. Beyond initial credential configuration, an LLN is also encouraged to have automatic procedures for the revocation and replacement of the maintained security credentials.

路由安全服务的功能需要密钥和凭据。因此,即使它不是直接的RPL安全要求,LLN也必须有一个初始密钥和凭证配置的过程,以及相关设备中的安全存储。物理设计中应考虑防篡改。除了初始凭据配置之外,还鼓励LLN具有自动撤销和替换维护的安全凭据的过程。

While RPL has secure modes, some modes are impractical without the use of public key cryptography, which is believed to be too expensive by many. RPL L3 security will often depend upon existing LLN L2 security mechanisms, which provide for node authentication but little in the way of node authorization.

虽然RPL有安全模式,但如果不使用公钥密码,某些模式是不切实际的,许多人认为公钥密码过于昂贵。RPL L3安全性通常依赖于现有的LLN L2安全机制,这些机制提供节点身份验证,但很少提供节点授权。

9. Security Considerations
9. 安全考虑

The analysis presented in this document provides security analysis and design guidelines with a scope limited to RPL. Security services are identified as requirements for securing RPL. The specific mechanisms to be used to deal with each threat is specified in link-Land deployment-specific applicability statements.

本文档中的分析提供了安全分析和设计指南,其范围仅限于RPL。安全服务被确定为保护RPL的要求。处理每种威胁所使用的具体机制在link Land deployment特定适用性声明中有详细说明。

10. References
10. 工具书类
10.1. Normative References
10.1. 规范性引用文件

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997, <http://www.rfc-editor.org/info/rfc2119>.

[RFC2119]Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月<http://www.rfc-editor.org/info/rfc2119>.

[RFC4107] Bellovin, S. and R. Housley, "Guidelines for Cryptographic Key Management", BCP 107, RFC 4107, June 2005, <http://www.rfc-editor.org/info/rfc4107>.

[RFC4107]Bellovin,S.和R.Housley,“加密密钥管理指南”,BCP 107,RFC 4107,2005年6月<http://www.rfc-editor.org/info/rfc4107>.

[RFC6550] Winter, T., Thubert, P., Brandt, A., Hui, J., Kelsey, R., Levis, P., Pister, K., Struik, R., Vasseur, JP., and R. Alexander, "RPL: IPv6 Routing Protocol for Low-Power and Lossy Networks", RFC 6550, March 2012, <http://www.rfc-editor.org/info/rfc6550>.

[RFC6550]温特,T.,图伯特,P.,布兰特,A.,许,J.,凯尔西,R.,列维斯,P.,皮斯特,K.,斯特鲁克,R.,瓦塞尔,JP.,和R.亚历山大,“RPL:低功耗和有损网络的IPv6路由协议”,RFC 65502012年3月<http://www.rfc-editor.org/info/rfc6550>.

[RFC6719] Gnawali, O. and P. Levis, "The Minimum Rank with Hysteresis Objective Function", RFC 6719, September 2012, <http://www.rfc-editor.org/info/rfc6719>.

[RFC6719]Gnawali,O.和P.Levis,“具有滞后目标函数的最小秩”,RFC 6719,2012年9月<http://www.rfc-editor.org/info/rfc6719>.

[RFC7102] Vasseur, JP., "Terms Used in Routing for Low-Power and Lossy Networks", RFC 7102, January 2014, <http://www.rfc-editor.org/info/rfc7102>.

[RFC7102]Vasseur,JP.,“低功耗和有损网络路由中使用的术语”,RFC 7102,2014年1月<http://www.rfc-editor.org/info/rfc7102>.

[ZigBeeIP] ZigBee Alliance, "ZigBee IP Specification", Public Document 15-002r00, March 2013.

[ZigBeeIP]ZigBee联盟,“ZigBee IP规范”,公开文件15-002r00,2013年3月。

10.2. Informative References
10.2. 资料性引用

[AceCharterProposal] Li, Kepeng., Ed., "Draft Charter V0.9c - Authentication and Authorization for Constrained Environment Charter", Work in Progress, December 2013, <http://trac.tools.ietf.org/wg/core/trac/wiki/ ACE_charter>.

[AceCharterProposal]李克鹏主编,“宪章草案V0.9c-受限环境宪章的认证和授权”,正在进行的工作,2013年12月<http://trac.tools.ietf.org/wg/core/trac/wiki/ ACE\U章程>。

[HELLO] Park, S., "Routing Security in Sensor Network: HELLO Flood Attack and Defense", Work in Progress, draft-suhopark-hello-wsn-00, December 2005.

[HELLO]Park,S.,“传感器网络中的路由安全:HELLO洪水攻击和防御”,正在进行的工作,草稿-suhopark-HELLO-wsn-00,2005年12月。

[IEEE.802.11] IEEE, "IEEE Standard for Information Technology - Telecommunications and information exchange between systems - Local and metropolitan area networks - Specific requirements Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications", IEEE Std 802.11-2012, March 2012, <http://standards.ieee.org/about/get/802/802.11.html>.

[IEEE.802.11]IEEE,“IEEE信息技术标准-系统间电信和信息交换-局域网和城域网-特定要求第11部分:无线局域网介质访问控制(MAC)和物理层(PHY)规范”,IEEE标准802.11-2012,2012年3月, <http://standards.ieee.org/about/get/802/802.11.html>.

[IEEE.802.15.4] IEEE, "IEEE Standard for Local and metropolitan area networks - Specific requirements - Part 15.4: Low-Rate Wireless Personal Area Networks (LR-WPANs)", IEEE Std 802.15.4-2011, September 2011, <http://standards.ieee.org/getieee802/802.15.html>.

[IEEE.802.15.4]IEEE,“局域网和城域网的IEEE标准-特定要求-第15.4部分:低速无线个人区域网(LR WPAN)”,IEEE标准802.15.4-2011,2011年9月<http://standards.ieee.org/getieee802/802.15.html>.

[ISO.7498-2.1989] International Organization for Standardization, "Information processing systems - Open Systems Interconnection -- Basic Reference Model - Part 2: Security Architecture", ISO Standard 7498-2, 1989.

[ISO.7498-2.1989]国际标准化组织,“信息处理系统-开放系统互连-基本参考模型-第2部分:安全体系结构”,ISO标准7498-219989。

[Karlof2003] Karlof, C. and D. Wagner, "Secure Routing in Wireless Sensor Networks: Attacks and Countermeasures", Elsevier Ad Hoc Networks Journal, Special Issue on Sensor Network Applications and Protocols, 1(2):293-315, September 2003, <http://nest.cs.berkeley.edu/papers/ sensor-route-security.pdf>.

[Karlof2003]Karlof,C.和D.Wagner,“无线传感器网络中的安全路由:攻击和对策”,《Elsevier Ad Hoc Networks期刊》,传感器网络应用和协议专刊,1(2):293-315,2003年9月<http://nest.cs.berkeley.edu/papers/ 传感器路由安全性.pdf>。

[MESH-LINK] Kelsey, R., "Mesh Link Establishment", Work in Progress, draft-kelsey-intarea-mesh-link-establishment-06, May 2014.

[MESH-LINK]Kelsey,R.,“MESH-LINK建立”,正在进行的工作,草稿-Kelsey-intarea-MESH-LINK-Establish-062014年5月。

[Myagmar2005] Myagmar, S., Lee, AJ., and W. Yurcik, "Threat Modeling as a Basis for Security Requirements", in Proceedings of the Symposium on Requirements Engineering for Information Security (SREIS'05), Paris, France pp. 94-102, August 2005.

[Myagmar2005]Myagmar,S.,Lee,AJ.,和W.Yurcik,“作为安全需求基础的威胁建模”,载于《信息安全需求工程研讨会论文集》(SREIS'05),法国巴黎,第94-102页,2005年8月。

[Perlman1988] Perlman, R., "Network Layer Protocols with Byzantine Robustness", MIT LCS Tech Report, 429, August 1988.

[Perlman 1988]Perlman,R.,“具有拜占庭鲁棒性的网络层协议”,麻省理工学院LCS技术报告,4292988年8月。

[RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April 1998, <http://www.rfc-editor.org/info/rfc2328>.

[RFC2328]Moy,J.,“OSPF版本2”,STD 54,RFC 23281998年4月<http://www.rfc-editor.org/info/rfc2328>.

[RFC3067] Arvidsson, J., Cormack, A., Demchenko, Y., and J. Meijer, "TERENA'S Incident Object Description and Exchange Format Requirements", RFC 3067, February 2001, <http://www.rfc-editor.org/info/rfc3067>.

[RFC3067]Arvidsson,J.,Cormack,A.,Demchenko,Y.,和J.Meijer,“TERENA事件对象描述和交换格式要求”,RFC 3067,2001年2月<http://www.rfc-editor.org/info/rfc3067>.

[RFC3610] Whiting, D., Housley, R., and N. Ferguson, "Counter with CBC-MAC (CCM)", RFC 3610, September 2003, <http://www.rfc-editor.org/info/rfc3610>.

[RFC3610]Whiting,D.,Housley,R.,和N.Ferguson,“CBC-MAC(CCM)计数器”,RFC 36102003年9月<http://www.rfc-editor.org/info/rfc3610>.

[RFC4593] Barbir, A., Murphy, S., and Y. Yang, "Generic Threats to Routing Protocols", RFC 4593, October 2006, <http://www.rfc-editor.org/info/rfc4593>.

[RFC4593]Barbir,A.,Murphy,S.,和Y.Yang,“路由协议的一般威胁”,RFC 4593,2006年10月<http://www.rfc-editor.org/info/rfc4593>.

[RFC4732] Handley, M., Rescorla, E., and IAB, "Internet Denial-of-Service Considerations", RFC 4732, December 2006, <http://www.rfc-editor.org/info/rfc4732>.

[RFC4732]Handley,M.,Rescorla,E.,和IAB,“互联网拒绝服务注意事项”,RFC 47322006年12月<http://www.rfc-editor.org/info/rfc4732>.

[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC 4949, August 2007, <http://www.rfc-editor.org/info/rfc4949>.

[RFC4949]Shirey,R.,“互联网安全词汇表,第2版”,RFC 49492007年8月<http://www.rfc-editor.org/info/rfc4949>.

[RFC5191] Forsberg, D., Ohba, Y., Patil, B., Tschofenig, H., and A. Yegin, "Protocol for Carrying Authentication for Network Access (PANA)", RFC 5191, May 2008, <http://www.rfc-editor.org/info/rfc5191>.

[RFC5191]Forsberg,D.,Ohba,Y.,Patil,B.,Tschofenig,H.,和A.Yegin,“承载网络接入认证(PANA)的协议”,RFC 51912008年5月<http://www.rfc-editor.org/info/rfc5191>.

[RFC5216] Simon, D., Aboba, B., and R. Hurst, "The EAP-TLS Authentication Protocol", RFC 5216, March 2008, <http://www.rfc-editor.org/info/rfc5216>.

[RFC5216]Simon,D.,Aboba,B.和R.Hurst,“EAP-TLS认证协议”,RFC 52162008年3月<http://www.rfc-editor.org/info/rfc5216>.

[RFC5548] Dohler, M., Watteyne, T., Winter, T., and D. Barthel, "Routing Requirements for Urban Low-Power and Lossy Networks", RFC 5548, May 2009, <http://www.rfc-editor.org/info/rfc5548>.

[RFC5548]Dohler,M.,Watteyne,T.,Winter,T.,和D.Barthel,“城市低功率和有损网络的路由要求”,RFC 5548,2009年5月<http://www.rfc-editor.org/info/rfc5548>.

[RFC5673] Pister, K., Thubert, P., Dwars, S., and T. Phinney, "Industrial Routing Requirements in Low-Power and Lossy Networks", RFC 5673, October 2009, <http://www.rfc-editor.org/info/rfc5673>.

[RFC5673]Pister,K.,Thubert,P.,Dwars,S.,和T.Phinney,“低功率和有损网络中的工业路由要求”,RFC 5673,2009年10月<http://www.rfc-editor.org/info/rfc5673>.

[RFC5751] Ramsdell, B. and S. Turner, "Secure/Multipurpose Internet Mail Extensions (S/MIME) Version 3.2 Message Specification", RFC 5751, January 2010, <http://www.rfc-editor.org/info/rfc5751>.

[RFC5751]Ramsdell,B.和S.Turner,“安全/多用途Internet邮件扩展(S/MIME)版本3.2消息规范”,RFC 57512010年1月<http://www.rfc-editor.org/info/rfc5751>.

[RFC5826] Brandt, A., Buron, J., and G. Porcu, "Home Automation Routing Requirements in Low-Power and Lossy Networks", RFC 5826, April 2010, <http://www.rfc-editor.org/info/rfc5826>.

[RFC5826]Brandt,A.,Buron,J.,和G.Porcu,“低功率和有损网络中的家庭自动化路由要求”,RFC 5826,2010年4月<http://www.rfc-editor.org/info/rfc5826>.

[RFC5867] Martocci, J., De Mil, P., Riou, N., and W. Vermeylen, "Building Automation Routing Requirements in Low-Power and Lossy Networks", RFC 5867, June 2010, <http://www.rfc-editor.org/info/rfc5867>.

[RFC5867]Martocci,J.,De Mil,P.,Riou,N.,和W.Vermeylen,“低功率和有损网络中的楼宇自动化布线要求”,RFC 58672010年6月<http://www.rfc-editor.org/info/rfc5867>.

[RFC6192] Dugal, D., Pignataro, C., and R. Dunn, "Protecting the Router Control Plane", RFC 6192, March 2011, <http://www.rfc-editor.org/info/rfc6192>.

[RFC6192]Dugal,D.,Pignataro,C.,和R.Dunn,“保护路由器控制平面”,RFC 61922011年3月<http://www.rfc-editor.org/info/rfc6192>.

[RFC6574] Tschofenig, H. and J. Arkko, "Report from the Smart Object Workshop", RFC 6574, April 2012, <http://www.rfc-editor.org/info/rfc6574>.

[RFC6574]Tschofenig,H.和J.Arkko,“智能对象研讨会的报告”,RFC 6574,2012年4月<http://www.rfc-editor.org/info/rfc6574>.

[RFC6824] Ford, A., Raiciu, C., Handley, M., and O. Bonaventure, "TCP Extensions for Multipath Operation with Multiple Addresses", RFC 6824, January 2013, <http://www.rfc-editor.org/info/rfc6824>.

[RFC6824]Ford,A.,Raiciu,C.,Handley,M.,和O.Bonaventure,“多地址多路径操作的TCP扩展”,RFC 68242013年1月<http://www.rfc-editor.org/info/rfc6824>.

[RFC7142] Shand, M. and L. Ginsberg, "Reclassification of RFC 1142 to Historic", RFC 7142, February 2014, <http://www.rfc-editor.org/info/rfc7142>.

[RFC7142]Shand,M.和L.Ginsberg,“将RFC 1142重新分类为历史”,RFC 7142,2014年2月<http://www.rfc-editor.org/info/rfc7142>.

[RFC7397] Gilger, J. and H. Tschofenig, "Report from the Smart Object Security Workshop", RFC 7397, November 2014, <http://www.rfc-editor.org/info/rfc7397>.

[RFC7397]Gilger,J.和H.Tschofenig,“智能对象安全研讨会报告”,RFC 7397,2014年11月<http://www.rfc-editor.org/info/rfc7397>.

[SmartObjectSecurityWorkshop] Klausen, T., Ed., "Workshop on Smart Object Security", March 2012, <http://www.lix.polytechnique.fr/hipercom/ SmartObjectSecurity>.

[SmartObjectSecurityWorkshop]Klausen,T.,Ed.,“智能对象安全研讨会”,2012年3月<http://www.lix.polytechnique.fr/hipercom/ SmartObjectSecurity>。

[SolaceProposal] Bormann, C., Ed., "Notes from the SOLACE ad hoc at IETF 85", November 2012, <http://www.ietf.org/ mail-archive/web/solace/current/msg00015.html>.

[SolaceProposal]Bormann,C.,Ed.,“IETF 85上SOLACE特别会议记录”,2012年11月<http://www.ietf.org/ 邮件存档/web/solace/current/msg00015.html>。

[Sybil2002] Douceur, J., "The Sybil Attack", First International Workshop on Peer-to-Peer Systems, March 2002.

[Sybil2002]Douceur,J.,“Sybil攻击”,第一届对等系统国际研讨会,2002年3月。

[Wan2004] Wan, T., Kranakis, E., and PC. van Oorschot, "S-RIP: A Secure Distance Vector Routing Protocol", in Proceedings of the 2nd International Conference on Applied Cryptography and Network Security, pp. 103-119, June 2004.

[Wan2004]Wan,T.,Kranakis,E.,和PC.van Oorschot,“S-RIP:安全距离向量路由协议”,载于《第二届应用密码学和网络安全国际会议记录》,第103-119页,2004年6月。

[Yourdon1979] Yourdon, E. and L. Constantine, "Structured Design: Fundamentals of a Discipline of Computer Program and Systems Design", Yourdon Press, New York, Chapter 10, pp. 187-222, 1979.

[Yourdon 1979]Yourdon,E.和L.Constantine,“结构化设计:计算机程序和系统设计学科的基础”,Yourdon出版社,纽约,第10章,第187-222页,1979年。

Acknowledgments

致谢

The authors would like to acknowledge the review and comments from Rene Struik and JP Vasseur. The authors would also like to acknowledge the guidance and input provided by the ROLL Chairs, David Culler and JP Vasseur, and Area Director Adrian Farrel.

作者希望感谢Rene Struik和JP Vasseur的评论和评论。作者还想感谢滚动主席David Culler和JP Vasseur以及区域主任Adrian Farrel提供的指导和意见。

This document started out as a combined threat and solutions document. As a result of a series of security reviews performed by Steve Kent, the document was split up by ROLL Co-Chair Michael Richardson and Security Area Director Sean Turner as it went through the IETF publication process. The solutions to the threats are application and L2 specific and have, therefore, been moved to the relevant applicability statements.

本文档一开始是一份威胁和解决方案的综合文档。史蒂夫·肯特(Steve Kent)进行了一系列安全审查后,该文件在IETF发布过程中被ROLL联席主席迈克尔·理查森(Michael Richardson)和安全区域主任肖恩·特纳(Sean Turner)拆分。这些威胁的解决方案是针对应用程序和二级语言的,因此已转移到相关的适用性声明中。

Ines Robles and Robert Cragie kept track of the many issues that were raised during the development of this document.

Ines Robles和Robert Cragie记录了本文件编制过程中提出的许多问题。

Authors' Addresses

作者地址

Tzeta Tsao Eaton's Cooper Power Systems Business 910 Clopper Rd., Suite 201S Gaithersburg, Maryland 20878 United States EMail: tzetatsao@eaton.com

Tzeta Tsao Eaton的库珀电力系统公司美国马里兰州盖瑟斯堡市克洛珀路910号201S室20878电子邮件:tzetatsao@eaton.com

Roger K. Alexander Eaton's Cooper Power Systems Business 910 Clopper Rd., Suite 201S Gaithersburg, Maryland 20878 United States EMail: rogeralexander@eaton.com

Roger K.Alexander Eaton的库珀电力系统公司,地址:美国马里兰州盖瑟斯堡市克洛珀路910号201S室,邮编:20878电子邮件:rogeralexander@eaton.com

Mischa Dohler CTTC Parc Mediterrani de la Tecnologia, Av. Canal Olimpic S/N Castelldefels, Barcelona 08860 Spain EMail: mischa.dohler@kcl.ac.uk

Misha Dohler CTTC Mediterrani de la Tecnologia公园,Av。巴塞罗那卡斯特尔德费尔斯运河奥林匹克公园S/N 08860西班牙电子邮件:米沙。dohler@kcl.ac.uk

Vanesa Daza Universitat Pompeu Fabra P/ Circumval.lacio 8, Oficina 308 Barcelona 08003 Spain EMail: vanesa.daza@upf.edu

蓬佩乌法布拉大学瓦内萨·达扎P/Circival.lacio 8,Oficina 308巴塞罗那08003西班牙电子邮件:瓦内萨。daza@upf.edu

Angel Lozano Universitat Pompeu Fabra P/ Circumval.lacio 8, Oficina 309 Barcelona 08003 Spain EMail: angel.lozano@upf.edu

蓬佩法布拉天使洛扎诺大学P/Circival.lacio 8,Oficina 309巴塞罗那08003西班牙电子邮件:Angel。lozano@upf.edu

Michael Richardson (editor) Sandelman Software Works 470 Dawson Avenue Ottawa, ON K1Z5V7 Canada EMail: mcr+ietf@sandelman.ca

迈克尔·理查森(编辑)桑德曼软件公司位于渥太华道森大道470号,地址:K1Z5V7加拿大电子邮件:mcr+ietf@sandelman.ca