ROLL                                                         De-Yun Gao
Internet Draft                                               Jun-Qi Duan
Expires: July 1, 2014                                       Wan-Ting Zhu
                                                          Wei-Cheng Zhao
                                                          Hong-Ke Zhang
                                             Beijing Jiaotong University
                                                         January 2, 2014


       Cross-domain Access Control in Low Power and Lossy Networks
                    draft-gao-crossdomain-access-00.txt


Abstract

   Access control is one of the major security concerns for Low Power
   and Lossy Networks (LLNs).  As LLNs are normally highly distributed
   and resource-constrained, conventional access control systems that
   rely on a central Certificate Authority (CA) and sophisticated
   cryptographic algorithms are not suitable for them.  Furthermore,
   LLNs may consist of embedded devices with limited power, memory and
   processing resources from different manufacturers or service
   providers.  Because their specifications and designs differ, it is
   difficult to ensure consistent security implementations across all
   devices.  This document proposes a distributed access control method
   based on local authorization decisions that takes both the single-
   domain and the multi-domain situation into account.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with
   the provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress".

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

Gao et al.
Expires July 1, 2014                                            [Page 1]

Internet-Draft     Cross-domain Access Control in LLN       January 2014


   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on July 1, 2014.

Copyright Notice

   Copyright (c) 2013 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1. Introduction
   2. Problem statement
   3. Basic framework of access control model
   4. Centrality degree evaluation
   5. Access control in a single-domain situation
   6. Access control in a cross-domain situation
   7. Security Considerations
   8. References
      8.1. Normative References
      8.2. Informative References
   Acknowledgment

1. Introduction

   LLNs are typically composed of many embedded devices with limited
   power, memory and processing resources, interconnected by a variety
   of links such as IEEE 802.15.4 or low-power WiFi
   [I-D.ietf-roll-terminology], [RFC6550].
   These low-cost, low-power field devices can cooperatively perceive
   characteristics of the physical world, which enables a wide range of
   applications, including intelligent buildings, industrial monitoring
   [RFC5673] and battlefield surveillance [Newman2010].  LLNs are
   usually deployed in a highly distributed manner in open and remote
   environments, and their open, distributed and dynamic nature makes
   them highly vulnerable to a variety of attacks.  Consequently,
   establishing and maintaining network security among the deployed
   devices quickly becomes one of the key challenges
   [I-D.ietf-roll-security-threats].

   Access control is the first line of defense in LLNs.  It can be
   defined as the process of limiting access to sensitive information
   to trusted field devices only.  Granting proper access to legitimate
   devices is essential for the correct operation of an LLN: a properly
   designed access control scheme ensures that information is
   accessible only to authorized and trustworthy devices.  Different
   access control models have been proposed over the years [Xiao2005],
   [Yang2011].  However, most of them were developed for specific
   systems and are not suitable for a resource-constrained system such
   as an LLN.  This document proposes and analyzes a distributed,
   cross-domain access control method based on local authorization
   decisions.

2. Problem statement

   An access control scheme that targets LLNs must cope with several
   constraints.  The following summarizes the unique challenges that
   LLNs pose to the design of a proper access control system.

   Firstly, LLNs are often deployed in remote and open environments.
   It is difficult to prevent foreign devices from being physically
   present in the network, especially when they remain passive.
   Moreover, legitimate field devices that are left unattended can be
   physically compromised.

   Secondly, LLNs usually rely on multi-hop wireless channels for
   communication.
   As wireless communication uses a broadcast channel, eavesdropping by
   foreign or compromised nodes cannot be prevented.

   Thirdly, fixed infrastructure is not a necessary component of an
   LLN.  As a result, conventional access control models such as role-
   based access control (RBAC) [Sandhu1996], which in their usual
   deployments rely on a central Certificate Authority (CA) for
   authorization, are not directly applicable.

   Fourthly, sophisticated cryptographic methods and authentication
   mechanisms consume substantial memory and power because of their
   complex algorithms and processes [Yu2009], which is impractical for
   a resource-constrained LLN.

   Finally, an LLN may consist of embedded devices from two or more
   manufacturers.  Because their specifications and designs differ, it
   is difficult to ensure consistent security implementations across
   all sensor nodes.  This gives rise to the need for cross-domain
   access control, which the proposed design also takes into account.

   Sections 3 through 6 present the solutions to the problems listed
   above.

3. Basic framework of access control model

   This document proposes a distributed and fine-grained access control
   model based on RBAC.  The basic framework of the model is presented
   in Figure 1.  The main idea is to introduce into the RBAC model a
   security level, derived from centrality degree attributes and other
   security policies, so as to make the model practical for LLNs.
   +----------------------+    +-------------------+    +-----------------------+
 +-| Permissions (PE)     |<-->| Administrators (A)|<-->| Privileges (PR)       |-+
 | +----------------------+    +-------------------+    +-----------------------+ |
 |            |                          |                          |             |
 |            |                +-------------------+                |             |
 |            +----------------| Constraints (C)   |----------------+             |
 |            |                +-------------------+                |             |
 |            |                          |                          |             |
 | +----------------------+    +-------------------+    +-----------------------+ |
 | |Centrality Degree (CD)|--->| Security Level(SL)|<---| Security Policies (SP)| |
 | +----------------------+    +-------------------+    +-----------------------+ |
 |            |                          |                          |             |
 | +----------------------+<--------------------------->+-----------------------+ |
 +-| Users (U)            |<--------------------------->| Roles (R)             |-+
   +----------------------+<--------------------------->+-----------------------+

              Figure 1: Basic framework of access control model

   The access control framework consists of the following components:

   Administrators (A): The entities that institute constraints to
      adjust the set of permissions, privileges, centrality degree,
      security level and security policies.

   Permissions (PE): A description of the authorized interactions that
      determines whether a new access request can be granted.  The
      outcomes of permission decisions can be fed back to the
      administrators, enabling dynamic adjustment of the constraints
      for the network.

   Privileges (PR): The rights approved in the network; they are bound
      to the users' roles.

   Constraints (C): The clauses, instituted by the administrators, that
      can modify the security policies, the security level and the
      centrality degree.

   Security Level (SL): The measure of the security of a node.  The
      security level is also part of the input to the calculation and
      granting of permissions.  It is associated with specific roles.
   Centrality Degree (CD): A measure used to analyze the relations
      among the entities in the network; it represents the importance
      of the access point.

   Security Policies (SP): A set of rules used to limit the security
      risk.

   Users (U): The entities that want to join the network.  In this
      model, the users are simply the embedded devices of the LLN.

   Roles (R): The job functions that describe the authority and
      responsibility of the users.  A user that joins the network must
      be assigned to a specific role.

4. Centrality degree evaluation

   In this model, the security level measures the security of a node.
   It is composed of the centrality degree and other conventional
   security policies, such as the encryption/decryption algorithm and
   trust evaluation methods.  The conventional security policies are
   not specified in this document.

   The concept of centrality degree comes from social network analysis,
   where it is used to analyze the relations among the entities in a
   network.  For example, a higher centrality degree for a given person
   may imply that the person attracts more attention than usual from
   other people.  Rather than using the centrality degree to measure
   the relations between people, this model uses it to evaluate the
   security level of devices in a distributed system.

   This section proposes a method to measure a device's centrality
   degree.  As shown in Figure 2, a device's centrality degree in the
   network is composed of its access rank and its number of neighbors.
   The access rank is defined by the routing distance from the sink
   node (device S): all field devices with the same routing distance
   from the sink belong to the same rank.  For example, device E is at
   layer two, so its access rank is 2, and device E has four neighbors,
   namely devices B, D, F and I.
   Based on this information, the centrality degree of device i, CD(i),
   is evaluated as follows:

      CD(i) = w * Max(R(N)) / R(i) + k * |N(i)|                    (1)

   where w + k = 1, w > 0 and k > 0.  R(i) is the access rank of device
   i, N is the set of devices in the network, Max(R(N)) is the largest
   access rank in the network, and |N(i)| is the number of neighbors of
   device i.  The first term grows as the device gets closer to the
   sink; the second grows with the device's connectivity.

                    +------+
                    |  S   |  Sink Node
                    +------+
                        |
          +------+  +------+  +------+
          |  A   |--|  B   |--|  C   |                         Layer 1
          +------+  +------+  +------+
             |         |
          +------+  +------+  +------+  +------+
          |  D   |--|  E   |--|  F   |--|  G   |               Layer 2
          +------+  +------+  +------+  +------+
             |         |         |
          +------+  +------+  +------+
          |  H   |  |  I   |  |  J   |                         Layer 3
          +------+  +------+  +------+
                       |
          +------+  +------+  +------+  +------+
          |  K   |--|  L   |--|  M   |--|  N   |               Layer 4
          +------+  +------+  +------+  +------+

                   Figure 2: Centrality degree in LLNs

   There are two main reasons for choosing this mechanism to assess the
   security level.  First, it is intuitive that the shorter its
   distance to the sink node, the more successfully a malicious device
   can intercept communications and launch attacks.  Second, a
   malicious device with more neighbors generally has a higher
   influence in the network, and may use this influence to degrade
   network performance quickly by launching an attack.

5. Access control in a single-domain situation

   The security level is a crucial parameter for determining whether a
   device is acceptable.  The higher a device's security level, the
   more easily it can join the network.  Not every device in the
   network has the privilege to admit a newly arrived device; depending
   on the context, this privilege is set by the administrators.  In
   addition, the proposed model is a flexible access control model.
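   The following Python is an added example, not code from the draft:
   it evaluates formula (1) of Section 4 over the topology of Figure 2.
   The access rank R(i) is taken from the Layer labels of the figure,
   and the weights w = k = 0.5 are an arbitrary choice satisfying
   w + k = 1.  The horizontal links and the links B-E and E-I follow
   from the text (device E's neighbors are B, D, F and I); which
   devices the remaining vertical bars join (here A-D, D-H, F-J and
   I-L) is an assumed reading of the figure.

```python
# Added example: formula (1) over the Figure 2 topology.  Constructed data;
# the draft itself contains no code.

# Access rank R(i) of each device, read from the "Layer" labels of Figure 2
# (the sink S has rank 0 and is not evaluated).
FIGURE_2_RANK = {
    "A": 1, "B": 1, "C": 1,
    "D": 2, "E": 2, "F": 2, "G": 2,
    "H": 3, "I": 3, "J": 3,
    "K": 4, "L": 4, "M": 4, "N": 4,
}

# Links drawn in Figure 2.  The horizontal links and the links B-E and E-I
# follow from the text (E's neighbours are B, D, F and I); the remaining
# vertical links A-D, D-H, F-J and I-L are an assumed reading of the figure.
FIGURE_2_LINKS = [
    ("A", "B"), ("B", "C"),
    ("A", "D"), ("B", "E"),
    ("D", "E"), ("E", "F"), ("F", "G"),
    ("D", "H"), ("E", "I"), ("F", "J"),
    ("I", "L"),
    ("K", "L"), ("L", "M"), ("M", "N"),
]


def neighbour_sets(links):
    """N(i): the set of neighbours of every device, from an undirected link list."""
    nbrs = {}
    for a, b in links:
        nbrs.setdefault(a, set()).add(b)
        nbrs.setdefault(b, set()).add(a)
    return nbrs


def centrality_degree(device, rank, nbrs, w=0.5, k=0.5):
    """CD(i) = w * Max(R(N)) / R(i) + k * |N(i)|, with w + k = 1, w > 0, k > 0."""
    if w <= 0 or k <= 0 or abs((w + k) - 1.0) > 1e-9:
        raise ValueError("weights must satisfy w > 0, k > 0 and w + k = 1")
    if rank.get(device, 0) < 1:
        raise ValueError(f"{device}: access rank must be >= 1 (the sink is not evaluated)")
    max_rank = max(rank.values())          # Max(R(N)) over the whole network
    return w * max_rank / rank[device] + k * len(nbrs.get(device, ()))


def rank_by_centrality(rank=FIGURE_2_RANK, links=FIGURE_2_LINKS, w=0.5, k=0.5):
    """All devices ordered by decreasing CD(i); ties are broken by name.

    A high CD marks a device that is close to the sink and/or well
    connected, i.e. the position from which a compromised device would do
    the most damage (the two rationales given in Section 4).
    """
    nbrs = neighbour_sets(links)
    scores = {d: centrality_degree(d, rank, nbrs, w, k) for d in rank}
    return sorted(scores.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    nbrs = neighbour_sets(FIGURE_2_LINKS)
    for device, cd in rank_by_centrality():
        print(f"{device}: R={FIGURE_2_RANK[device]}  |N|={len(nbrs[device])}  CD={cd:.3f}")
```

   Running the module lists every device with its rank, neighbor count
   and CD.  Device B (rank 1, three neighbors) comes out on top,
   followed by A and E; leaf devices at layer 3 and 4 come last.  The
   weight check rejects any (w, k) that violates the constraint stated
   under formula (1), and the rank check refuses to evaluate the sink,
   whose rank of 0 would otherwise make the first term undefined.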
   It is designed not only for LLNs without a central CA for
   authorization, but also as an optional scheme for networks that have
   a complete authentication system.  If a newly arriving device holds
   the key-join (a key used to join the network), it obtains a high
   security level immediately.

   In a single domain, every device has the same security policies.
   The process that a newly arriving device follows to join an LLN in a
   single domain is shown in Figure 3 and described in detail below:

   1) The newly arriving device (NAD) sends an access request to the
      destination device (DD).  In this model, the access request U is
      a 4-ary tuple whose elements are u-id, the source device's ID; r,
      the role that the device requests to activate; t, a timestamp;
      and, optionally, the key-join, which the requesting device
      includes if it has one.

   2) When the destination device receives the request, it checks
      whether it has the right to admit the new device.  If it does, it
      sends a security level request to the neighbors of the new device
      (NND) to obtain their recommendations (the request is broadcast
      with a finite TTL).

   3) The devices that receive the security level request check whether
      they are the requested objects.  If they are, they reply with a
      set of security metrics; otherwise they simply remain silent.

   4) From the recommendations obtained, the destination device
      computes the overall security level of the new device.  A new
      device that holds the key-join must be treated as having a high
      security level when it has no history records in the network.

   5) The destination device decides whether to grant permission to the
      newly arriving device.
   Because the destination device itself may be compromised, it is
   unsafe to let a single device decide whether a newly arriving device
   is admitted to the network.  Therefore, after following the above
   process, the newly arriving device gains access to the LLN and
   obtains the corresponding privileges only once it has received more
   than two certificates from different destination devices.

   +-----+                    +-----+                    +-----+
   | NAD |                    | DD  |                    | NND |
   +-----+                    +-----+                    +-----+
      |                          |                          |
      |----- Access Request ---->|                          |
      |                          |                          |
      |                          |-- Security Level Request>|
      |                          |                          |
      |                          |<- Security Level Reply --|
      |                          |                          |
      |                          | Security Level           |
      |                          | Computation              |
      |                          |                          |
      |                          | Decision Making          |
      |                          |                          |
      |<----- Access Reply ------|                          |
      |                          |                          |

        Figure 3: Procedure of access control in a single domain

6. Access control in a cross-domain situation

   Cross-domain access control matters because an LLN may be formed by
   several autonomous groups wishing to share resources.  However, each
   domain is likely to have its own security policies, so a mapping
   mechanism is designed for the case in which a device in one domain
   wishes to gain access to a network in a different domain.  In this
   case, the sink node is responsible for negotiating with the other
   domains and maintaining the resulting information.  The process by
   which a new device joins the network in a cross-domain situation is
   shown in Figure 4.

   NY                DX                SDX               SNY               NNY
   |                 |                 |                 |                 |
   |-Access Request->|                 |                 |                 |
   |                 |                 |                 |                 |
   |                 |----- SLReq ---->|                 |                 |
   |                 |                 |                 |                 |
   |                 |                 |----- SLReq ---->|                 |
   |                 |                 |                 |                 |
   |                 |                 |                 |----- SLReq ---->|
   |                 |                 |                 |                 |
   |                 |                 |                 |<---- SLRep -----|
   |                 |                 |                 |                 |
   |                 |                 |<---- SLRep -----|                 |
   |                 |                 |                 |                 |
   |                 |<---- SLRep -----|                 |                 |
   |                 |                 |                 |                 |
   |                 | Security Level  |                 |                 |
   |                 | Computation     |                 |                 |
   |                 |                 |                 |                 |
   |<- Access Reply -|                 |                 |                 |
   |                 |                 |                 |                 |

       SLReq: Security Level Request      SLRep: Security Level Reply

    Figure 4: Procedure of access control in a cross-domain situation

   1)
      A newly arriving device, say device N, in domain Y (NY) sends an
      access request to a destination device D in domain X (DX).  The
      request contains the necessary information about device N.

   2) When destination device D receives the request, it checks whether
      it has the privilege to admit a device from another domain.  If
      it does, it sends a security level request to its sink node SDX
      (SD for short).  Sink node SD forwards the request to the sink
      node of domain Y, say SNY (SN for short).  Sink node SN then
      evaluates the security level of device N in its local domain by
      requesting recommendations from the neighbors of device N in
      domain Y (NNY).

   3) After the security level evaluation, sink node SN sends its reply
      to sink node SD.  Sink node SD incorporates the assessment
      results from domain Y into domain X's view and forwards the reply
      to device D.

   4) Destination device D then computes the overall security level of
      device N.

   5) If the access request is accepted, device D issues a certificate
      to the new device N.  Once device N has received more than two
      certificates from different destination devices, it joins the
      network and obtains the privileges corresponding to its role.

7. Security Considerations

   This document does not specify any security considerations.

8. References

8.1. Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [I-D.ietf-roll-terminology]
              Vasseur, J., "Terminology in Low power And Lossy
              Networks", draft-ietf-roll-terminology-13, September
              2013.

   [I-D.ietf-roll-security-threats]
              Tsao, T., et al., "A Security Threat Analysis for Routing
              over Low-Power and Lossy Networks",
              draft-ietf-roll-security-threats-05, October 2013.

   [Sandhu1996]
              Sandhu, R., Coyne, E., Feinstein, H., and C. Youman,
              "Role-based access control models", IEEE Computer, Vol.
              29, pp. 38-47, 1996.

8.2.
Informative References

   [RFC6550]  Winter, T., Ed., Thubert, P., Ed., Brandt, A., Hui, J.,
              Kelsey, R., Levis, P., Pister, K., Struik, R., Vasseur,
              JP., and R. Alexander, "RPL: IPv6 Routing Protocol for
              Low-Power and Lossy Networks", RFC 6550, March 2012.

   [RFC5673]  Pister, K., Ed., Thubert, P., Ed., Dwars, S., and T.
              Phinney, "Industrial Routing Requirements in Low-Power
              and Lossy Networks", RFC 5673, October 2009.

   [Newman2010]
              Newman, T., Hasan, S., DePoy, D., Bose, T., and J. Reed,
              "Designing and deploying a building-wide cognitive radio
              network testbed", IEEE Communications Magazine, Vol. 48,
              pp. 106-112, 2010.

   [Xiao2005] Xiaopeng, W., Junzhou, L., Aibo, S., Teng, M., and J.
              Reed, "Semantic access control in grid computing",
              Proceedings of the 11th International Conference on
              Parallel and Distributed Systems, Vol. 1, pp. 661-667,
              2005.

   [Yang2011] Yang, R., Lin, C., Jiang, Y., and X. Chu, "Trust based
              access control in infrastructure-centric environment",
              Proceedings of the IEEE International Conference on
              Communications 2011 (ICC), pp. 1-5, 2011.

   [Yu2009]   Yu, S., Ren, K., Lou, W., and X. Chu, "FDAC: toward fine-
              grained distributed data access control in wireless
              sensor networks", Proceedings of IEEE INFOCOM 2009, pp.
              963-971, 2009.

Authors' Addresses

   De-Yun Gao, Jun-Qi Duan, Wan-Ting Zhu, Wei-Cheng Zhao, Hong-Ke Zhang
   National Engineering Lab for NGI Interconnection Devices
   Beijing Jiaotong University, China

   Phone: +8613521693762
   Email: gaody@bjtu.edu.cn
          duanjunqi@bjtu.edu.cn
          11111019@bjtu.edu.cn
          11111018@bjtu.edu.cn
          hkzhang@bjtu.edu.cn

Acknowledgment

   This work was supported by the National Major Projects of China
   (Grant No. 2012ZX03005003), the National Natural Science Foundation
   of China (NSFC) (Grant No. 61272504) and the Fundamental Research
   Funds for the Central Universities (Grant No. 2012YJS016 and Grant
   No. 2013YJS002).
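   The following Python simulation is an added example and not part of
   the draft.  It runs the single-domain join procedure of Section 5
   (Figure 3) and the cross-domain procedure of Section 6 (Figure 4)
   over a constructed network.  Everything the draft leaves unspecified
   is an assumption here: the security level is a number in [0, 1]
   obtained by averaging the neighbors' recommendation metrics; a
   destination device issues a certificate when that level reaches an
   assumed threshold of 0.6; the key-join is modelled as a per-domain
   shared secret compared with hmac.compare_digest; the sink-to-sink
   mapping of Section 6 is a scale factor per domain pair; and the
   TTL-limited broadcast of step 2 is collapsed into a direct query of
   the new device's neighbors.  The rule that a device joins only with
   more than two certificates from different destination devices is
   enforced by try_join.

```python
# Added example: simulation of the join procedures of Sections 5 and 6.
# Constructed scenario; the draft fixes no security-level scale, admission
# threshold, metric set or cross-domain mapping, so all of those are assumed.
from dataclasses import dataclass, field
from hmac import compare_digest
from typing import Dict, List, Optional, Tuple

HIGH_LEVEL = 1.0        # assumed scale: security level in [0.0, 1.0]
ADMIT_THRESHOLD = 0.6   # assumed level below which a destination device refuses
QUORUM = 3              # "more than two certificates from different DDs"


@dataclass
class AccessRequest:
    """Step 1 of Section 5: u-id, requested role r, timestamp t, optional key-join."""
    u_id: str
    role: str
    t: int
    key_join: Optional[str] = None


@dataclass
class Device:
    dev_id: str
    domain: str
    can_admit: bool = False          # privilege to admit a same-domain device
    can_admit_foreign: bool = False  # privilege to admit a device of another domain
    # recommendation metric held about devices this one has observed (constructed)
    history: Dict[str, float] = field(default_factory=dict)


@dataclass
class Certificate:               # the access reply of an accepting destination device
    issuer: str
    subject: str
    role: str
    level: float


class LLN:
    def __init__(self):
        self.devices: Dict[str, Device] = {}
        self.links: set = set()
        self.join_keys: Dict[str, str] = {}               # domain -> key-join (assumed secret)
        self.mapping: Dict[Tuple[str, str], float] = {}  # (from, to) -> scale (assumed)

    def add(self, dev: Device) -> None:
        self.devices[dev.dev_id] = dev

    def link(self, a: str, b: str) -> None:
        self.links.add(frozenset((a, b)))

    def neighbours(self, dev_id: str) -> List[str]:
        return [next(iter(ln - {dev_id})) for ln in self.links if dev_id in ln]

    def key_join_valid(self, domain: str, key: Optional[str]) -> bool:
        return key is not None and compare_digest(self.join_keys.get(domain, ""), key)

    def recommendations(self, nad_id: str) -> List[float]:
        """Steps 2-3: neighbours holding a record about the new device reply with
        their metric; every other receiver of the broadcast keeps silent."""
        replies = [self.devices[n].history.get(nad_id) for n in self.neighbours(nad_id)]
        return [r for r in replies if r is not None]

    def overall_level(self, domain: str, req: AccessRequest, replies: List[float]) -> float:
        """Step 4: with no history records, a valid key-join counts as a high level."""
        if not replies:
            return HIGH_LEVEL if self.key_join_valid(domain, req.key_join) else 0.0
        return sum(replies) / len(replies)

    def evaluate(self, dd_id: str, req: AccessRequest) -> Optional[Certificate]:
        """Decision of one destination device (Section 5; Section 6 across domains)."""
        dd, nad = self.devices[dd_id], self.devices[req.u_id]
        if nad.domain == dd.domain:
            if not dd.can_admit:
                return None
            replies = self.recommendations(req.u_id)
        else:
            if not dd.can_admit_foreign:
                return None
            # DD -> SDX -> SNY: the foreign sink gathers the recommendations of the
            # device's neighbours in its own domain; SDX maps them onto this domain's
            # scale before returning them to DD (mapping table assumed).
            scale = self.mapping.get((nad.domain, dd.domain), 0.0)
            replies = [scale * r for r in self.recommendations(req.u_id)]
        level = self.overall_level(dd.domain, req, replies)
        if level < ADMIT_THRESHOLD:
            return None
        return Certificate(dd_id, req.u_id, req.role, level)   # step 5: access reply


def try_join(net: LLN, req: AccessRequest, dd_ids: List[str]):
    """Admitted only with certificates from more than two distinct destination devices."""
    certs = [c for c in (net.evaluate(d, req) for d in dd_ids) if c is not None]
    return len({c.issuer for c in certs}) >= QUORUM, certs


def sample_network() -> LLN:
    """Constructed: domain X (destination devices D1-D3) and a foreign domain Y."""
    net = LLN()
    net.join_keys["X"] = "x-domain-join-key"
    net.mapping[("Y", "X")] = 0.8
    for dd in ("D1", "D2", "D3"):
        net.add(Device(dd, "X", can_admit=True, can_admit_foreign=True))
    net.add(Device("P1", "X", history={"N1": 0.8}))   # N1's neighbours with records
    net.add(Device("P2", "X", history={"N1": 0.7}))
    net.add(Device("N1", "X"))                         # new device known to P1 and P2
    net.add(Device("N2", "X"))                         # new device with no history
    net.add(Device("Q1", "Y", history={"NY": 0.9}))   # NY's neighbour inside domain Y
    net.add(Device("NY", "Y"))                         # new device arriving from Y
    for a, b in (("N1", "P1"), ("N1", "P2"), ("NY", "Q1")):
        net.link(a, b)
    return net


if __name__ == "__main__":
    net = sample_network()
    for req in (AccessRequest("N1", "sensor", 1), AccessRequest("N2", "sensor", 2),
                AccessRequest("N2", "sensor", 3, "x-domain-join-key"),
                AccessRequest("NY", "sensor", 4)):
        ok, certs = try_join(net, req, ["D1", "D2", "D3"])
        print(req.u_id, "admitted" if ok else "refused", [c.level for c in certs])
```

   N1 is admitted because its two neighbors vouch for it (average 0.75)
   and all three destination devices issue certificates; the same
   request sent to D1 alone yields one certificate and no admission.
   N2 has no history, so it is refused unless its request carries the
   correct key-join, in which case step 4 assigns it the high level.
   NY's recommendation from domain Y (0.9) is scaled by the assumed
   mapping factor 0.8 before domain X decides; lowering that factor to
   0.6 drops the mapped level below the threshold and NY is refused.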