ROLL De-Yun Gao
Internet Draft Jun-Qi Duan
Expires: July 1, 2014 Wan-Ting Zhu
Wei-Cheng Zhao
Hong-Ke Zhang
Beijing Jiaotong University
January 2, 2014
Cross-domain Access Control in Low Power and Lossy Networks
draft-gao-crossdomain-access-00.txt
Abstract
Access control is one of the major security concerns for Low power
and Lossy Networks (LLN). As LLNs are normally highly distributed and
resource-constrained, conventional access control systems that rely
on the central Certificate Authority (CA) and sophisticated
cryptographic algorithms are not suitable for them. Furthermore, LLNs
may consist of embedded devices with limited power, memory, and
processing resources from different manufacturers or service
providers. Due to the different specifications and designs, it is
difficult to ensure consistency in security implementation among all
devices. This document proposes a distributed access control method
based on local authorization decisions, which takes both the single-
domain and the multi-domain situation into account.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress".
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt
Gao et al. Expires July 1, 2014 [Page 1]
Internet-Draft Cross-domain Access Control in LLN January 2014
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html
This Internet-Draft will expire on July 1, 2014.
Copyright Notice
Copyright (c) 2013 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction
2. Problem statement
3. Basic framework of access control model
4. Centrality degree evaluation
5. Access control in a single-domain situation
6. Access control in cross-domain situation
7. Security Considerations
8. References
   8.1. Normative References
   8.2. Informative References
Acknowledgment
1. Introduction
LLNs are typically composed of many embedded devices with limited
power, memory, and processing resources interconnected by a variety
of links, such as IEEE 802.15.4 or Low Power WiFi [I-D.ietf-roll-
terminology], [RFC6550]. The low-cost and low-power field devices
have the ability to cooperatively perceive characteristics of the
physical world, which can provide a wide scope of applications,
including intelligent buildings, industrial monitoring [RFC5673],
battlefield surveillance [Newman2010].
LLNs are usually deployed in a highly distributed manner in an open
and remote environment. In this case, LLNs are highly vulnerable to
various attacks due to the open, distributed and dynamic nature.
Consequently, ensuring the quick establishment and maintenance of
network security among these deployed devices becomes one of the key
challenges [I-D.ietf-roll-security-threats].
Access control is the first line of defense in LLNs. It can be
defined as the process of limiting access to sensitive information
to trusted field devices only. Granting proper access to legitimate
devices is essential to ensure the correct operation of LLNs. A proper
design of an access control system ensures that information is
accessible only to authorized and trustworthy devices. Different
models of access control have been proposed over the years [Xiao2005],
[Yang2011]. However, most access control models were developed for
specific systems and are not suitable for a resource-constrained
system such as an LLN.
In this document, a distributed and cross-domain access control
method based on local authorization decisions is proposed and
analyzed.
2. Problem statement
An access control system that targets LLNs must meet certain
requirements. In the following, we summarize the unique challenges
that LLNs pose to the design of a proper access control system.
Firstly, LLNs are often deployed in a remote and open environment. It
is difficult to prevent foreign devices from being physically present
in the network, especially when they remain passive. Besides,
legitimate field devices that are unattended can be physically
compromised. Secondly, LLNs usually rely on multi-hop wireless
channels for communication. As wireless communication uses a
broadcast channel, eavesdropping by foreign or compromised nodes
cannot be prevented. Thirdly, fixed infrastructure in LLNs is not a
necessary component. As a result, conventional access control models,
such as role-based access control (RBAC) [Sandhu1996], which
generally rely on a central Certificate Authority (CA) for
authorization, are not applicable. Fourthly, sophisticated
cryptographic methods and authentication mechanisms require high
memory usage and power consumption because of their complex
algorithms and processes [Yu2009], which is not practical for a
resource-constrained LLN. Finally, LLNs may consist of embedded
devices from two or more manufacturers. Due to the different
specifications and designs, it is difficult to ensure consistency in
security implementation among all sensor nodes. This gives rise to
the need for cross-domain access control, which is also considered in
our proposed design.
Sections 3 to 5 provide the solutions to the problems mentioned
above.
3. Basic framework of access control model
In this paper, we propose a distributed and fine-grained access
control model based on RBAC. The basic framework of our model is
presented in Fig. 1. Our main idea is to introduce a security level,
based on centrality degree attributes and other security policies,
into the RBAC model to make it practical for LLNs.
   +----------------------+     +-------------------+     +-----------------------+
 +-| Permissions (PE)     |<--->| Administrators (A)|<--->| Privileges (PR)       |-+
 | +----------------------+     +-------------------+     +-----------------------+ |
 |                                        |                                         |
 |                              +-------------------+                               |
 |            +-----------------| Constraints (C)   |-----------------+            |
 |            |                           |                           |            |
 | +----------------------+     +-------------------+     +-----------------------+ |
 | |Centrality Degree (CD)| --> | Security Level(SL)| <-- | Security Policies (SP)| |
 | +----------------------+     +-------------------+     +-----------------------+ |
 |                                        |                                         |
 | +----------------------+<--------------------------->+-----------------------+ |
 +-| Users (U)            |<--------------------------->| Roles (R)             |-+
   +----------------------+<--------------------------->+-----------------------+
Figure 1: Basic framework of access control model
The access control framework consists of the following components:
Administrators (A): The entities that institute constraints to adjust
the set of permissions, privileges, centrality degree, security level
and security policies.
Permissions (PE): A description of authorized interactions that
determine whether a new access request can be granted. The results of
the permissions can be fed back to the administrators, enabling
dynamic adjustment of constraints for the network.
Privileges (PR): The rights approved in the network, which are
related to the users' roles.
Constraints (C): The clauses, instituted by the administrators, that
can modify the security policies, the security level and the
centrality degree.
Security Level (SL): The measure for the security of a node. The
security level is also a part of the input to the calculation and
granting of permissions. It is associated with specific roles.
Centrality Degree (CD): It is used to analyze the relations among the
entities in the network, which represents the importance of the
access point.
Security Policies (SP): A set of rules used to limit the security
risk.
Users (U): The entities who want to join the network. In this model,
the users are simply embedded devices in LLNs.
Roles (R): The job functions that describe the authority and
responsibility of the users. A user who joins the network must be
assigned to a specific role.
4. Centrality degree evaluation
In our model, the security level is used to measure the security of a
node. It consists of the centrality degree and other conventional
security policies, such as encryption/decryption algorithms and
trust evaluation methods. The conventional security policies are not
specified in this document.
The concept of centrality degree comes from social networks. It is
used to analyze the relations among the entities in the network. For
example, a higher centrality degree for a given person may imply that
he attracts more attention than usual from other people. Instead of
using the centrality degree to measure the relations between devices,
we utilize it in our access control model to evaluate the security
level in a distributed system. In this section, we propose a method
to measure a device's centrality degree. As shown in Fig. 2, the
device's centrality degree in the network is composed of its access
rank and the number of its neighbors. The access rank can be defined
as the set of field devices that have the same routing distance from
the sink node (device S). For example, the access rank of device E is
layer two, and device E has four neighbors, which are devices B, D, F
and I. Based on this information, we propose the following method to
evaluate the centrality degree of device i, CD(i):
   CD(i) = w * Max(R(N)) / R(i) + k * |N(i)|                     (1)
where w + k = 1, w > 0, k > 0. The function R(i) represents the
access rank of device i. The quantity N is the set of devices in the
network, Max(R(N)) represents the largest value of access rank in the
network, and |N(i)| is the number of the neighbors of device i.
                +------+
                |  S   |  Sink Node
                +------+
                   |
      +------+  +------+  +------+
      |  A   |--|  B   |--|  C   |              Layer 1
      +------+  +------+  +------+
         |         |
      +------+  +------+  +------+  +------+
      |  D   |--|  E   |--|  F   |--|  G   |    Layer 2
      +------+  +------+  +------+  +------+
         |         |         |
      +------+  +------+  +------+
      |  H   |  |  I   |  |  J   |              Layer 3
      +------+  +------+  +------+
         |
      +------+  +------+  +------+  +------+
      |  K   |--|  L   |--|  M   |--|  N   |    Layer 4
      +------+  +------+  +------+  +------+
Figure 2: Centrality degree in LLNs
There are two main reasons for choosing this mechanism for assessing
the security level. First, it is intuitive that with a shorter
distance to the sink node, a malicious device can be more successful
in intercepting communications and launching attacks. Secondly, a
malicious device with more neighbors generally has higher influence
in the network. A malicious device may use this influence to quickly
affect the network performance by launching an attack.
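The following Python script is an added example, not code from the draft, that evaluates Eq. (1) on a constructed topology. The access rank R(i) is taken as the hop count from the sink found by breadth-first search, and the edge list is an assumption modelled loosely on Fig. 2 so that device E has access rank 2 with neighbors B, D, F and I and the deepest rank is 4; it is not the draft's exact topology.

```python
# Added example (not from the draft): evaluating CD(i) of Eq. (1) on a constructed
# topology.  R(i) is the hop count from the sink S found by breadth-first search;
# w and k are the draft's weights with w + k = 1, w > 0, k > 0.
from collections import deque

# Constructed undirected edge list (assumption).  It follows Figure 2 loosely so that
# device E sits at access rank 2 with neighbours B, D, F, I and the deepest rank is 4.
EDGES = [
    ("S", "A"), ("S", "B"), ("S", "C"),
    ("A", "B"), ("B", "C"),
    ("A", "D"), ("B", "E"), ("C", "F"),
    ("D", "E"), ("E", "F"), ("F", "G"),
    ("D", "H"), ("E", "I"), ("F", "J"),
    ("H", "K"), ("I", "L"), ("J", "M"), ("J", "N"),
    ("K", "L"), ("L", "M"), ("M", "N"),
]


def build_adjacency(edges):
    """N(i) for every device i: the set of its one-hop neighbours."""
    adj = {}
    for a, b in edges:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def access_ranks(adj, sink="S"):
    """R(i): routing distance of each device from the sink, by breadth-first search."""
    rank = {sink: 0}
    queue = deque([sink])
    while queue:
        node = queue.popleft()
        for nbr in adj[node]:
            if nbr not in rank:
                rank[nbr] = rank[node] + 1
                queue.append(nbr)
    return rank


def centrality_degree(adj, rank, device, w=0.5, k=0.5):
    """CD(i) = w * Max(R(N)) / R(i) + k * |N(i)|  (Eq. 1)."""
    if not (w > 0 and k > 0 and abs(w + k - 1.0) < 1e-9):
        raise ValueError("weights must satisfy w + k = 1, w > 0, k > 0")
    if device not in rank:
        raise ValueError(f"{device} is not reachable from the sink, so R(i) is undefined")
    if rank[device] == 0:
        # The sink has R = 0; Eq. (1) only applies to devices being evaluated for access.
        raise ValueError("CD(i) is undefined for the sink itself")
    max_rank = max(rank.values())
    return w * max_rank / rank[device] + k * len(adj[device])


def rank_devices(adj, rank, w=0.5, k=0.5):
    """All reachable non-sink devices, from highest to lowest centrality degree."""
    scored = {d: centrality_degree(adj, rank, d, w, k) for d in adj if rank.get(d, 0) > 0}
    return sorted(scored.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    adjacency = build_adjacency(EDGES)
    ranks = access_ranks(adjacency)
    for device, cd in rank_devices(adjacency, ranks):
        print(f"{device}: R={ranks[device]} |N|={len(adjacency[device])} CD={cd:.3f}")
```

With w = k = 0.5 the script ranks B highest (one hop from the sink, four neighbors, CD = 4.0) and E at CD = 3.0, which matches the two intuitions the section gives: proximity to the sink and a large neighbor set both raise the score. Note that the sink itself has R = 0, so Eq. (1) is undefined there; the function refuses it rather than dividing by zero.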
5. Access control in a single-domain situation
The security level is a crucial parameter for determining whether a
device is acceptable. The higher the security level a device has, the
easier it can join the network.
Not all devices in the network have the privilege to allow a newly
arrived device to join the network. Depending on the context, this
privilege is set by the administrators. In addition, the proposed
model is a flexible access control model. It is not only designed for
LLNs without a central CA for authorization, but is also an optional
scheme for an LLN that has a complete authentication system. If a
newly arriving device has the key-join (a key used to join the
network), it will obtain a high security level immediately.
In a single domain, each device has the same security policies. The
process that a newly arriving device follows to join an LLN in a
single domain is shown in Fig. 3. The detailed descriptions are given
as follows:
1) The newly arriving device (NAD) sends the access request to the
   destination device (DD). In this model, the access request is a
   4-ary tuple, denoted as U = <u-id, r, t, key-join>, where u-id is
   the source device's ID, r is the role that the device requests to
   activate, and t is the timestamp. Furthermore, the requesting
   device may include the key-join if it has one.
2) When the destination device receives the request, it should check
whether it has the rights to allow the new device to join the
network. If it has, it will send a security level request to the
neighbors of the new device (NND) to obtain their recommendations
(broadcast the request with finite TTL).
3) The devices that receive the security level request will check
whether they are the requested objects. If they are, they will
send a reply including a variety of security metrics. Otherwise,
they simply keep silent.
4) After obtaining the recommendations, the destination device
   computes the overall security level of the new device. In
   addition, a new device that has the key-join must be considered
   as having a high security level when it has no history records in
   the network.
5) The destination device should decide whether to grant permission
   to the newly arriving device. As the destination device may be
   corrupted, we think that it is unsafe if the decision to give or
   not give permission to a newly arriving device to join the network
   is made by only one device. In accordance with the above process,
   the newly arriving device will have access to the LLN and obtain
   the corresponding privileges when it receives more than two
   certificates from different destination devices.
   +-----+                   +-----+                     +-----+
   | NAD |                   | DD  |                     | NND |
   +-----+                   +-----+                     +-----+
      |                         |                           |
      |----- Access Request --->|                           |
      |                         |                           |
      |                         |-- Security Level Request->|
      |                         |                           |
      |                         |<- Security Level Reply ---|
      |                         |                           |
      |         Security Level Computation                  |
      |                         |                           |
      |               Decision Making                       |
      |<----- Access Reply -----|                           |
      |                         |                           |
Figure 3: Procedure of access control in a single-domain
6. Access control in cross-domain situation
The access control model in cross-domain is important because LLNs
may be formed by several autonomous groups wishing to share resources.
However, each domain is likely to own the individual security
policies. So a mapping mechanism is designed for the situation that a
device in one domain that wishes to gain an access to a network in a
different domain. In this case, the sink node is responsible for
negotiating and maintaining the information with other domains.
The process by which a new device joins the network in a cross-domain
situation is shown in Fig. 4.
NY                        DX                        SDX                       SNY                       NNY
 |                         |                         |                         |                         |
 |---- Access Request ---->|                         |                         |                         |
 |                         |                         |                         |                         |
 |                         |-Security Level Request->|                         |                         |
 |                         |                         |                         |                         |
 |                         |                         |-Security Level Request->|                         |
 |                         |                         |                         |                         |
 |                         |                         |                         |-Security Level Request->|
 |                         |                         |                         |                         |
 |                         |                         |                         |<-Security Level Reply---|
 |                         |                         |                         |                         |
 |                         |                         |<-Security Level Reply---|                         |
 |                         |                         |                         |                         |
 |                         |<-Security Level Reply---|                         |                         |
 |                         |                         |                         |                         |
 |             Security Level Computation            |                         |                         |
 |                         |                         |                         |                         |
 |<---- Access Reply ------|                         |                         |                         |
 |                         |                         |                         |                         |
Figure 4: Procedure of access control in a cross-domain situation
1) A newly arriving device, say device N, in domain Y (NY) sends an
   access request to the destination device D in domain X (DX). The
   request contains the necessary information about device N.
2) When the destination device D receives the request, it should
   check whether it has the privilege to allow a device from another
   domain to join the network. If it has, it will send a security
   level request to its sink node SDX. When SDX receives the security
   level request, it forwards the request to the sink node of domain
   Y, say node SNY. Node SNY then evaluates the security level of
   device N in its local domain (requesting recommendations from the
   neighbors of device N in domain Y, NNY).
3) After the security level evaluation process, the sink node SNY
   sends a reply to the sink node SDX. After mapping the assessment
   results from domain Y into domain X, the sink node SDX forwards
   the reply to device D.
4) Then the destination device D computes the overall security level
of device N.
5) If the access request is accepted, device D should issue a
   certificate to the new device N. If device N receives more than
   two certificates from different destination devices, it will join
   the network and obtain the privileges corresponding to its role.
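The Python simulation below is an added example, not code from the draft, that walks through the join procedure of Section 5 (single domain) and Section 6 (cross-domain) at one destination device: the 4-ary request tuple, the privilege check, the neighbor recommendations gathered by the sink, the key-join shortcut, the mapping of a foreign domain's result, and the final rule that certificates must come from more than two distinct destination devices. The draft does not specify how recommendations are aggregated, what level is acceptable, how the timestamp t is checked, or how the mapping works, so the mean aggregation, the THRESHOLD, the FRESHNESS window and the per-domain scale factor are all assumptions; the Domain and Certificate types and every device name and value are constructed for the example.

```python
# Added example (not from the draft): simulation of the join procedure of Sections 5
# and 6 at one destination device.  Aggregation, threshold, freshness window and the
# cross-domain mapping are assumptions; the draft leaves them to the security policies.
from dataclasses import dataclass
from statistics import mean
from typing import Optional

FRESHNESS = 30        # assumption: a request whose timestamp t is older than this is dropped
THRESHOLD = 0.6       # assumption: minimum security level for a destination device to certify
KEY_JOIN_LEVEL = 1.0  # draft: a valid key-join yields a high security level immediately
QUORUM = 3            # draft: "more than two certificates from different destination devices"


@dataclass(frozen=True)
class AccessRequest:
    """The 4-ary tuple U = <u-id, r, t, key-join> of Section 5, step 1."""
    u_id: str
    r: str
    t: int
    key_join: Optional[str] = None


@dataclass(frozen=True)
class Certificate:
    """Constructed type: what a destination device issues when it grants permission."""
    issuer: str
    u_id: str
    r: str


@dataclass
class Domain:
    """Constructed type holding one domain's policy state (assumption)."""
    name: str
    key_join: str            # the key a device may present to join this domain
    admitters: frozenset     # devices the administrators privileged to admit newcomers
    recommendations: dict    # {neighbour: {u_id: level in [0, 1]}}: the NND replies
    scale: dict              # sink's mapping factor per foreign domain, {domain: factor}

    def sink_evaluate(self, u_id):
        """Sink node: collect the newcomer's neighbours' recommendations and aggregate (mean)."""
        replies = [levels[u_id] for levels in self.recommendations.values() if u_id in levels]
        return mean(replies) if replies else None


def security_level(dest_domain, home_domain, req):
    """Destination device's computation (step 4) along the draft's three paths."""
    if req.key_join is not None and req.key_join == dest_domain.key_join:
        return KEY_JOIN_LEVEL                           # key-join holder: high level at once
    if home_domain.name == dest_domain.name:
        return dest_domain.sink_evaluate(req.u_id)      # single domain: ask the NND directly
    # Cross-domain: SDX forwards to SNY, which evaluates locally; SDX maps the result.
    local = home_domain.sink_evaluate(req.u_id)
    if local is None:
        return None
    return min(1.0, local * dest_domain.scale.get(home_domain.name, 0.0))


def handle_request(dest_id, dest_domain, home_domain, req, now):
    """Steps 2 to 5 at one destination device; returns a Certificate or None."""
    if dest_id not in dest_domain.admitters:
        return None                                     # no privilege to admit (step 2)
    if abs(now - req.t) > FRESHNESS:
        return None                                     # stale or replayed request (assumption)
    level = security_level(dest_domain, home_domain, req)
    if level is None or level < THRESHOLD:
        return None
    return Certificate(issuer=dest_id, u_id=req.u_id, r=req.r)


def admitted(certs):
    """Step 5: join only with certificates from more than two distinct destination devices."""
    issuers = {c.issuer for c in certs if c is not None}
    return len(issuers) >= QUORUM


if __name__ == "__main__":
    # Constructed domains: X admits via D1..D3; Y's sink recommendations are scaled by 0.8 in X.
    x = Domain("X", "kx", frozenset({"D1", "D2", "D3"}),
               {"B": {"N": 0.8, "P": 0.3}, "F": {"N": 0.7}, "I": {"N": 0.9}}, {"Y": 0.8})
    y = Domain("Y", "ky", frozenset({"E1"}), {"Q": {"M": 0.9}, "R": {"M": 1.0}}, {})
    req = AccessRequest("N", "sensor", t=990)
    certs = [handle_request(d, x, x, req, now=1000) for d in ("D1", "D2", "D3")]
    print("N admitted in X:", admitted(certs))
    print("M (from Y) level in X:", security_level(x, y, AccessRequest("M", "sensor", 998)))
```

Two points the simulation makes concrete. First, the quorum rule means a single corrupted destination device cannot admit a newcomer on its own, but the check must count distinct issuers, not certificates: three certificates from the same device are still one opinion. Second, the cross-domain path depends entirely on the sink's mapping table; a foreign domain with no mapping entry yields a level of zero and is refused, which is the safe default for a domain the sink has not negotiated with.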
7. Security Considerations
This document does not specify any security considerations.
8. References
8.1. Normative References
[I-D.ietf-roll-terminology]
Vasseur, J., "Terminology in Low power And Lossy
Networks", draft-ietf-roll-terminology-13, September
2013.
[I-D.ietf-roll-security-threats]
Tsao, T., et al., "A Security Threat Analysis for
Routing over Low-Power and Lossy Networks", draft-
ietf-roll-security-threats-05, October 2013.
[Sandhu1996] Sandhu, R., Coyne, E., Feinstein, H., Youman, C.,
"Role-based access control models", Computer, Vol.29:
p. 38-47, 1996.
8.2. Informative References
[RFC6550] Winter, T., Thubert, P., Brandt, A., Hui, J., Kelsey,
R., Levis, P., Pister, K., Struik, R., Vasseur, JP.,
and R. Alexander, "RPL: IPv6 Routing Protocol for Low-
Power and Lossy Networks", RFC 6550, March 2012.
[RFC5673] Pister, K., Ed., Thubert, P., Ed., Dwars, S., and T.
Phinney, "Industrial Routing Requirements in Low-Power and Lossy
Networks", RFC 5673, October 2009.
[Newman2010] Newman, T., Hasan, S., DePoy, D., Bose, T., Reed, J.,
"Designing and deploying a building-wide cognitive
radio network testbed", IEEE Communications Magazine,
Vol.48: p. 106-112, 2010.
[Xiao2005] Xiaopeng, W., Junzhou, L., Aibo, S., Teng, M., Reed, J.,
"Semantic access control in grid computing",
Proceedings of 11th International Conference on
Parallel and Distributed Systems, Vol.1: p. 661-667,
2005.
[Yang2011] Yang, R., Lin, C., Jiang, Y., Chu, X., "Trust based
access control in infrastructure-centric environment",
Proceedings of IEEE International Conference on
Communications 2011 (ICC), Vol.1: p. 1-5, 2011.
[Yu2009] Yu, S., Ren, K., Lou, W., Chu, X., "FDAC: toward fine-
grained distributed data access control in wireless sensor
networks", Proceedings of IEEE INFOCOM 2009, Vol.1: p. 963-971,
2009.
Authors' Addresses
De-Yun Gao, Jun-Qi Duan, Wan-Ting Zhu, Wei-Cheng Zhao, Hong-Ke Zhang
National Engineering Lab for NGI Interconnection Devices
Beijing Jiaotong University, China
Phone: +8613521693762
Email: gaody@bjtu.edu.cn
duanjunqi@bjtu.edu.cn
11111019@bjtu.edu.cn
11111018@bjtu.edu.cn
hkzhang@bjtu.edu.cn
Acknowledgment
This work was supported by the National Major Projects of China
(Grant No. 2012ZX03005003), the National Natural Science Foundation
of China (NSFC) (Grants No. 61272504) and the Fundamental Research
Funds for the Central Universities (Grant No.2012YJS016 and Grant
No.2013YJS002).