5. Security Considerations

As is the case with every network, LLNs are exposed to routing
security threats that need to be addressed. The wireless and
distributed nature of these networks increases the spectrum of
potential routing security threats. This is further amplified by the
resource constraints of the nodes, thereby preventing resource-
intensive routing security approaches from being deployed. A viable
routing security approach SHOULD be sufficiently lightweight that it
may be implemented across all nodes in a LLN. These issues require
special attention during the design process, so as to facilitate a
commercially attractive deployment.

An attacker can snoop, replay, or originate arbitrary messages to a
node in an attempt to manipulate or disable the routing function.

To mitigate this, the LLN MUST be able to authenticate a new node
prior to allowing it to participate in the routing decision process.
The routing protocol MUST support message integrity.

A further example of routing security issues that may arise is the
abnormal behavior of nodes that exhibit egoistic conduct, such as
not obeying network rules or forwarding no or false packets.

Other important issues may arise in the context of denial-of-service
(DoS) attacks, malicious address space allocations, advertisement of
variable addresses, a wrong neighborhood, etc. The routing
protocol(s) SHOULD support defense against DoS attacks and other
attempts to maliciously or inadvertently cause the mechanisms of the
routing protocol(s) to over-consume the limited resources of LLN
nodes, e.g., by constructing forwarding loops or causing excessive
routing protocol overhead traffic, etc.

The properties of self-configuration and self-organization that are
desirable in a LLN introduce additional routing security
considerations. Mechanisms MUST be in place to deny any node that
attempts to take malicious advantage of self-configuration and self-
organization procedures. Such attacks may attempt, for example, to
cause DoS, drain the energy of power-constrained devices, or to
hijack the routing mechanism. A node MUST authenticate itself to a
trusted node that is already associated with the LLN before the
former can take part in self-configuration or self-organization. A
node that has already authenticated and associated with the LLN MUST
deny, to the maximum extent possible, the allocation of resources to
any unauthenticated peer. The routing protocol(s) MUST deny service
to any node that has not clearly established trust with the HC-LLN.
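
The following is an added example, not part of the original document, sketching one lightweight way a receiving node could enforce message integrity, reject replayed messages, and allocate no state for unauthenticated originators. The frame layout, the truncated HMAC-SHA-256 tag, the per-node keys, and all names are assumptions made for illustration; this document does not specify a mechanism.

```python
import hashlib
import hmac
import struct

TAG_LEN = 8                      # truncated HMAC-SHA-256 tag (assumed size)
HDR = struct.Struct("!HI")       # hypothetical header: node id, message counter

def seal(key, node_id, counter, payload):
    """Build a routing frame: header | payload | integrity tag."""
    body = HDR.pack(node_id, counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class RoutingReceiver:
    def __init__(self, authenticated_keys):
        # Keys exist only for nodes that already authenticated to the LLN.
        self.keys = dict(authenticated_keys)
        self.last_counter = {}   # replay state, written only after a valid tag
        self.routes = {}         # routing state, written only after a valid tag

    def accept(self, frame):
        if len(frame) < HDR.size + TAG_LEN:
            return "drop:malformed"
        node_id, counter = HDR.unpack_from(frame)
        key = self.keys.get(node_id)
        if key is None:          # no trust established: allocate nothing
            return "drop:unauthenticated"
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "drop:bad-integrity"
        if counter <= self.last_counter.get(node_id, -1):
            return "drop:replay"
        self.last_counter[node_id] = counter
        self.routes[node_id] = body[HDR.size:]
        return "accept"

def demo():
    """Constructed frames: genuine, replayed, tampered, unknown originator."""
    key = b"constructed-demo-key"
    rx = RoutingReceiver({0x0010: key})
    good = seal(key, 0x0010, 1, b"metric=3")
    tampered = bytearray(seal(key, 0x0010, 2, b"metric=3"))
    tampered[HDR.size] ^= 0x01   # flip one payload bit in transit
    forged = seal(b"attacker-key", 0x0099, 1, b"metric=0")
    return [rx.accept(f) for f in (good, good, bytes(tampered), forged)], rx
```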