Internet-Draft | RPL | December 2020 |
Thubert & Winter | Expires 7 June 2021 | [Page] |
Low-Power and Lossy Networks (LLNs) are a class of network in which both the routers and their interconnect are constrained. LLN routers typically operate with constraints on processing power, memory, and energy (battery power). Their interconnects are characterized by high loss rates, low data rates, and instability. LLNs are comprised of anything from a few dozen to thousands of routers. Supported traffic flows include point-to-point (between devices inside the LLN), point-to-multipoint (from a central control point to a subset of devices inside the LLN), and multipoint-to-point (from devices inside the LLN towards a central control point). This document specifies the IPv6 Routing Protocol for Low-Power and Lossy Networks (RPL), which provides a mechanism whereby multipoint-to-point traffic from devices inside the LLN towards a central control point as well as point-to-multipoint traffic from the central control point to the devices inside the LLN are supported. Support for point-to-point traffic is also available.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 7 June 2021.¶
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
Low-power and Lossy Networks (LLNs) consist largely of constrained nodes (with limited processing power, memory, and sometimes energy when they are battery operated or energy scavenging). These routers are interconnected by lossy links, typically supporting only low data rates, that are usually unstable with relatively low packet delivery rates. Another characteristic of such networks is that the traffic patterns are not simply point-to-point, but in many cases point-to- multipoint or multipoint-to-point. Furthermore, such networks may potentially comprise up to thousands of nodes. These characteristics offer unique challenges to a routing solution: the IETF ROLL working group has defined application-specific routing requirements for a Low-power and Lossy Network (LLN) routing protocol, specified in [RFC5867], [RFC5826], [RFC5673], and [RFC5548].¶
This document specifies the IPv6 Routing Protocol for LLNs (RPL). Note that although RPL was specified according to the requirements set forth in the aforementioned requirement documents, its use is in no way limited to these applications.¶
RPL was designed with the objective to meet the requirements spelled out in [RFC5867], [RFC5826], [RFC5673], and [RFC5548].¶
A network may run multiple instances of RPL concurrently. Each such instance may serve different and potentially antagonistic constraints or performance criteria. This document defines how a single instance operates.¶
In order to be useful in a wide range of LLN application domains, RPL separates packet processing and forwarding from the routing optimization objective. Examples of such objectives include minimizing energy, minimizing latency, or satisfying constraints. This document describes the mode of operation of RPL. Other companion documents specify routing Objective Functions. A RPL implementation, in support of a particular LLN application, will include the necessary Objective Function(s) as required by the application.¶
RPL operations require bidirectional links. In some LLN scenarios, those links may exhibit asymmetric properties. It is required that the reachability of a router be verified before the router can be used as a parent. RPL expects an external mechanism to be triggered during the parent selection phase in order to verify link properties and neighbor reachability. Neighbor Unreachability Detection (NUD) is such a mechanism, but alternates are possible, including Bidirectional Forwarding Detection (BFD) [RFC5881] and hints from lower layers via Layer 2 (L2) triggers like [RFC5184]. In a general fashion, a detection mechanism that is reactive to traffic is favored in order to minimize the cost of monitoring links that are not being used.¶
RPL also expects an external mechanism to access and transport some control information, referred to as the "RPL Packet Information", in data packets. The RPL Packet Information is defined in Section 11.2 and enables the association of a data packet with a RPL Instance and the validation of RPL routing states. The RPL option [RFC6553] is an example of such mechanism. The mechanism is required for all packets except when strict source routing is used (that is for packets going Downward in Non-Storing mode as detailed further in Section 9), which by nature prevents endless loops and alleviates the need for the RPL Packet Information. Future companion specifications may propose alternate ways to carry the RPL Packet Information in the IPv6 packets and may extend the RPL Packet Information to support additional features.¶
RPL provides a mechanism to disseminate information over the dynamically formed network topology. This dissemination enables minimal configuration in the nodes, allowing nodes to operate mostly autonomously. This mechanism uses Trickle [RFC6206] to optimize the dissemination as described in Section 8.3.¶
In some applications, RPL assembles topologies of routers that own independent prefixes. Those prefixes may or may not be aggregatable depending on the origin of the routers. A prefix that is owned by a router is advertised as on-link.¶
RPL also introduces the capability to bind a subnet together with a common prefix and to route within that subnet. A source can inject information about the subnet to be disseminated by RPL, and that source is authoritative for that subnet. Because many LLN links have non-transitive properties, a common prefix that RPL disseminates over the subnet must not be advertised as on-link.¶
In particular, RPL may disseminate IPv6 Neighbor Discovery (ND) information such as the [RFC4861] Prefix Information Option (PIO) and the [RFC4191] Route Information Option (RIO). ND information that is disseminated by RPL conserves all its original semantics for router to host, with limited extensions for router to router, though it is not to be confused with routing advertisements and it is never to be directly redistributed in another routing protocol. A RPL node often combines host and router behaviors. As a host, it will process the options as specified in [RFC4191], [RFC4861], [RFC4862], and [RFC6275]. As a router, the RPL node may advertise the information from the options as required for the specific link, for instance, in an ND Router Advertisement (RA) message, though the exact operation is out of scope.¶
A set of companion documents to this specification will provide further guidance in the form of applicability statements specifying a set of operating points appropriate to the Building Automation, Home Automation, Industrial, and Urban application scenarios.¶
In compliance with the layered architecture of IP, RPL does not rely on any particular features of a specific link-layer technology. RPL is designed to be able to operate over a variety of different link layers, including ones that are constrained, potentially lossy, or typically utilized in conjunction with highly constrained host or router devices, such as but not limited to, low-power wireless or PLC (Power Line Communication) technologies.¶
Implementers may find [RFC3819] a useful reference when designing a link-layer interface between RPL and a particular link-layer technology.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119].¶
Additionally, this document uses terminology from [ROLL-TERMS], and introduces the following terminology:¶
As they form networks, LLN devices often mix the roles of host and router when compared to traditional IP networks. In this document, "host" refers to an LLN device that can generate but does not forward RPL traffic; "router" refers to an LLN device that can forward as well as generate RPL traffic; and "node" refers to any RPL device, either a host or a router.¶
The aim of this section is to describe RPL in the spirit of [RFC4101]. Protocol details can be found in further sections.¶
This section describes the basic RPL topologies that may be formed, and the rules by which these are constructed, i.e., the rules governing DODAG formation.¶
LLNs, such as Radio Networks, do not typically have predefined topologies, for example, those imposed by point-to-point wires, so RPL has to discover links and then select peers sparingly.¶
In many cases, because Layer 2 ranges overlap only partially, RPL forms non-transitive / Non-Broadcast Multi-Access (NBMA) network topologies upon which it computes routes.¶
RPL routes are optimized for traffic to or from one or more roots that act as sinks for the topology. As a result, RPL organizes a topology as a Directed Acyclic Graph (DAG) that is partitioned into one or more Destination Oriented DAGs (DODAGs), one DODAG per sink. If the DAG has multiple roots, then it is expected that the roots are federated by a common backbone, such as a transit link.¶
RPL uses four values to identify and maintain a topology:¶
A RPL Instance contains one or more DODAG roots. A RPL Instance may provide routes to certain destination prefixes, reachable via the DODAG roots or alternate paths within the DODAG. These roots may operate independently, or they may coordinate over a network that is not necessarily as constrained as an LLN.¶
A RPL Instance may comprise:¶
a single DODAG with a single root¶
multiple uncoordinated DODAGs with independent roots (differing DODAGIDs)¶
a single DODAG with a virtual root that coordinates LLN sinks (with the same DODAGID) over a backbone network.¶
Each RPL packet is associated with a particular RPLInstanceID (see Section 11 ) and, therefore, RPL Instance (Section 5). The provisioning or automated discovery of a mapping between a RPLInstanceID and a type or service of application traffic is out of scope for this specification (to be defined in future companion specifications).¶
Figure 1 depicts an example of a RPL Instance comprising three DODAGs with DODAG roots R1, R2, and R3. Each of these DODAG roots advertises the same RPLInstanceID. The lines depict connectivity between parents and children.¶
Figure 2 depicts how a DODAGVersionNumber increment leads to a new DODAG Version. This depiction illustrates a DODAGVersionNumber increment that results in a different DODAG topology. Note that a new DODAG Version does not always imply a different DODAG topology. To accommodate certain topology changes requires a new DODAG Version, as described later in this specification.¶
In the following examples, please note that tree-like structures are depicted for simplicity, although the DODAG structure allows for each node to have multiple parents when the connectivity supports it.¶
RPL provisions routes Up towards DODAG roots, forming a DODAG optimized according to an Objective Function (OF). RPL nodes construct and maintain these DODAGs through DODAG Information Object (DIO) messages.¶
The Objective Function (OF) defines how RPL nodes select and optimize routes within a RPL Instance. The OF is identified by an Objective Code Point (OCP) within the DIO Configuration option. An OF defines how nodes translate one or more metrics and constraints, which are themselves defined in [RFC6551], into a value called Rank, which approximates the node's distance from a DODAG root. An OF also defines how nodes select parents. Further details may be found in Section 14, [RFC6551], [RFC6552], and related companion specifications.¶
A DODAG root institutes a global repair operation by incrementing the DODAGVersionNumber. This initiates a new DODAG Version. Nodes in the new DODAG Version can choose a new position whose Rank is not constrained by their Rank within the old DODAG Version.¶
RPL also supports mechanisms that may be used for local repair within the DODAG Version. The DIO message specifies the necessary parameters as configured from and controlled by policy at the DODAG root.¶
RPL supports message confidentiality and integrity. It is designed such that link-layer mechanisms can be used when available and appropriate; yet, in their absence, RPL can use its own mechanisms. RPL has three basic security modes.¶
In the first, called "unsecured", RPL control messages are sent without any additional security mechanisms. Unsecured mode does not imply that the RPL network is unsecure: it could be using other present security primitives (e.g., link-layer security) to meet application security requirements.¶
In the second, called "preinstalled", nodes joining a RPL Instance have preinstalled keys that enable them to process and generate secured RPL messages.¶
The third mode is called "authenticated". In authenticated mode, nodes have preinstalled keys as in preinstalled mode, but the preinstalled key may only be used to join a RPL Instance as a leaf. Joining an authenticated RPL Instance as a router requires obtaining a key from an authentication authority. The process by which this key is obtained is out of scope for this specification. Note that this specification alone does not provide sufficient detail for a RPL implementation to securely operate in authenticated mode. For a RPL implementation to operate securely in authenticated mode, it is necessary for a future companion specification to detail the mechanisms by which a node obtains/requests the authentication material (e.g., key, certificate) and to determine from where that material should be obtained. See also Section 10.3.¶
DODAGs can be grounded or floating: the DODAG root advertises which is the case. A grounded DODAG offers connectivity to hosts that are required for satisfying the application-defined goal. A floating DODAG is not expected to satisfy the goal; in most cases, it only provides routes to nodes within the DODAG. Floating DODAGs may be used, for example, to preserve interconnectivity during repair.¶
RPL nodes can optimize routes to a destination within an LLN by forming a Local DODAG whose DODAG root is the desired destination. Unlike global DAGs, which can consist of multiple DODAGs, local DAGs have one and only one DODAG and therefore one DODAG root. Local DODAGs can be constructed on demand.¶
An implementation/deployment may specify that some DODAG roots should be used over others through an administrative preference. Administrative preference offers a way to control traffic and engineer DODAG formation in order to better support application requirements or needs.¶
The low-power and lossy nature of LLNs motivates RPL's use of on- demand loop detection using data packets. Because data traffic can be infrequent, maintaining a routing topology that is constantly up to date with the physical topology can waste energy. Typical LLNs exhibit variations in physical connectivity that are transient and innocuous to traffic, but that would be costly to track closely from the control plane. Transient and infrequent changes in connectivity need not be addressed by RPL until there is data to send. This aspect of RPL's design draws from existing, highly used LLN protocols as well as extensive experimental and deployment evidence on its efficacy.¶
The RPL Packet Information that is transported with data packets includes the Rank of the transmitter. An inconsistency between the routing decision for a packet (Upward or Downward) and the Rank relationship between the two nodes indicates a possible loop. On receiving such a packet, a node institutes a local repair operation.¶
For example, if a node receives a packet flagged as moving in the Upward direction, and if that packet records that the transmitter is of a lower (lesser) Rank than the receiving node, then the receiving node is able to conclude that the packet has not progressed in the Upward direction and that the DODAG is inconsistent.¶
A high-level overview of the distributed algorithm, which constructs the DODAG, is as follows:¶
RPL uses Destination Advertisement Object (DAO) messages to establish Downward routes. DAO messages are an optional feature for applications that require point-to-multipoint (P2MP) or point-to- point (P2P) traffic. RPL supports two modes of Downward traffic: Storing (fully stateful) or Non-Storing (fully source routed); see Section 9. Any given RPL Instance is either storing or non-storing. In both cases, P2P packets travel Up toward a DODAG root then Down to the final destination (unless the destination is on the Upward route). In the Non-Storing case, the packet will travel all the way to a DODAG root before traveling Down. In the Storing case, the packet may be directed Down towards the destination by a common ancestor of the source and the destination prior to reaching a DODAG root.¶
As of the writing of this specification, no implementation is expected to support both Storing and Non-Storing modes of operation. Most implementations are expected to support either no Downward routes, Non-Storing mode only, or Storing mode only. Other modes of operation, such as a hybrid mix of Storing and Non-Storing mode, are out of scope for this specification and may be described in other companion specifications.¶
This specification describes a basic mode of operation in support of P2P traffic. Note that more optimized P2P solutions may be described in companion specifications.¶
Optionally, a RPL network can support on-demand discovery of DODAGs to specific destinations within an LLN. Such Local DODAGs behave slightly differently than Global DODAGs: they are uniquely defined by the combination of DODAGID and RPLInstanceID. The RPLInstanceID denotes whether a DODAG is a Local DODAG.¶
The Rank of a node is a scalar representation of the location of that node within a DODAG Version. The Rank is used to avoid and detect loops and, as such, must demonstrate certain properties. The exact calculation of the Rank is left to the Objective Function. Even though the specific computation of the Rank is left to the Objective Function, the Rank must implement generic properties regardless of the Objective Function.¶
In particular, the Rank of the nodes must monotonically decrease as the DODAG Version is followed towards the DODAG destination. In that regard, the Rank can be considered a scalar representation of the location or radius of a node within a DODAG Version.¶
The details of how the Objective Function computes Rank are out of scope for this specification, although that computation may depend, for example, on parents, link metrics, node metrics, and the node configuration and policies. See Section 14 for more information.¶
The Rank is not a path cost, although its value can be derived from and influenced by path metrics. The Rank has properties of its own that are not necessarily those of all metrics:¶
The Rank value feeds into DODAG parent selection, according to the RPL loop-avoidance strategy. Once a parent has been added, and a Rank value for the node within the DODAG has been advertised, the node's further options with regard to DODAG parent selection and movement within the DODAG are restricted in favor of loop avoidance.¶
Rank may be thought of as a fixed-point number, where the position of the radix point between the integer part and the fractional part is determined by MinHopRankIncrease. MinHopRankIncrease is the minimum increase in Rank between a node and any of its DODAG parents. A DODAG root provisions MinHopRankIncrease. MinHopRankIncrease creates a trade-off between hop cost precision and the maximum number of hops a network can support. A very large MinHopRankIncrease, for example, allows precise characterization of a given hop's effect on Rank but cannot support many hops.¶
When an Objective Function computes Rank, the Objective Function operates on the entire (i.e., 16-bit) Rank quantity. When Rank is compared, e.g., for determination of parent relationships or loop detection, the integer portion of the Rank is to be used. The integer portion of the Rank is computed by the DAGRank() macro as follows, where floor(x) is the function that evaluates to the greatest integer less than or equal to x:¶
DAGRank(rank) = floor(rank/MinHopRankIncrease)¶
For example, if a 16-bit Rank quantity is decimal 27, and the MinHopRankIncrease is decimal 16, then DAGRank(27) = floor(1.6875) = 1. The integer part of the Rank is 1 and the fractional part is 11/16.¶
Following the conventions in this document, using the macro DAGRank(node) may be interpreted as DAGRank(node.rank), where node.rank is the Rank value as maintained by the node.¶
A Node A has a Rank less than the Rank of a Node B if DAGRank(A) is less than DAGRank(B).¶
A Node A has a Rank equal to the Rank of a Node B if DAGRank(A) is equal to DAGRank(B).¶
A Node A has a Rank greater than the Rank of a Node B if DAGRank(A) is greater than DAGRank(B).¶
Rank computations maintain the following properties for any nodes M and N that are neighbors in the LLN:¶
As an example, the Rank could be computed in such a way so as to closely track ETX (expected transmission count, a fairly common routing metric used in LLN and defined in [RFC6551]) when the metric that an Objective Function minimizes is ETX, or latency, or in a more complicated way as appropriate to the Objective Function being used within the DODAG.¶
Routing metrics are used by routing protocols to compute shortest paths. Interior Gateway Protocols (IGPs) such as IS-IS ([RFC5120]) and OSPF ([RFC4915]) use static link metrics. Such link metrics can simply reflect the bandwidth or can also be computed according to a polynomial function of several metrics defining different link characteristics. Some routing protocols support more than one metric: in the vast majority of the cases, one metric is used per (sub-)topology. Less often, a second metric may be used as a tiebreaker in the presence of Equal Cost Multiple Paths (ECMPs). The optimization of multiple metrics is known as an NP-complete problem and is sometimes supported by some centralized path computation engine.¶
In contrast, LLNs do require the support of both static and dynamic metrics. Furthermore, both link and node metrics are required. In the case of RPL, it is virtually impossible to define one metric, or even a composite metric, that will satisfy all use cases.¶
In addition, RPL supports constraint-based routing where constraints may be applied to both link and nodes. If a link or a node does not satisfy a required constraint, it is "pruned" from the candidate neighbor set, thus leading to a constrained shortest path.¶
An Objective Function specifies the objectives used to compute the (constrained) path. Furthermore, nodes are configured to support a set of metrics and constraints and select their parents in the DODAG according to the metrics and constraints advertised in the DIO messages. Upstream and Downstream metrics may be merged or advertised separately depending on the OF and the metrics. When they are advertised separately, it may happen that the set of DIO parents is different from the set of DAO parents (a DAO parent is a node to which unicast DAO messages are sent). Yet, all are DODAG parents with regard to the rules for Rank computation.¶
The Objective Function is decoupled from the routing metrics and constraints used by RPL. Whereas the OF dictates rules such as DODAG parent selection, load balancing, and so on, the set of metrics and/or constraints used, and thus those that determine the preferred path, are based on the information carried within the DAG container option in DIO messages.¶
The set of supported link/node constraints and metrics is specified in [RFC6551].¶
RPL tries to avoid creating loops when undergoing topology changes and includes Rank-based data-path validation mechanisms for detecting loops when they do occur (see Section 11 for more details). In practice, this means that RPL guarantees neither loop-free path selection nor tight delay convergence times, but it can detect and repair a loop as soon as it is used. RPL uses this loop detection to ensure that packets make forward progress within the DODAG Version and trigger repairs when necessary.¶
A node is greedy if it attempts to move deeper (increase Rank) in the DODAG Version in order to increase the size of the parent set or improve some other metric. Once a node has joined a DODAG Version, RPL disallows certain behaviors, including greediness, in order to prevent resulting instabilities in the DODAG Version.¶
Suppose a node is willing to receive and process a DIO message from a node in its own sub-DODAG and, in general, a node deeper than itself. In this case, a possibility exists that a feedback loop is created, wherein two or more nodes continue to try and move in the DODAG Version while attempting to optimize against each other. In some cases, this will result in instability. It is for this reason that RPL limits the cases where a node may process DIO messages from deeper nodes to some form of local repair. This approach creates an "event horizon", whereby a node cannot be influenced beyond some limit into an instability by the action of nodes that may be in its own sub-DODAG.¶
Figure 3 depicts a DODAG in three different configurations. A usable link between (B) and (C) exists in all three configurations. In Figure 3-1, Node (A) is a DODAG parent for Nodes (B) and (C). In Figure 3-2, Node (A) is a DODAG parent for Nodes (B) and (C), and Node (B) is also a DODAG parent for Node (C). In Figure 3-3, Node (A) is a DODAG parent for Nodes (B) and (C), and Node (C) is also a DODAG parent for Node (B).¶
If a RPL node is too greedy, in that it attempts to optimize for an additional number of parents beyond its most preferred parents, then an instability can result. Consider the DODAG illustrated in Figure 3-1. In this example, Nodes (B) and (C) may most prefer Node (A) as a DODAG parent, but we will consider the case when they are operating under the greedy condition that will try to optimize for two parents.¶
This cycle can be averted through mechanisms in RPL:¶
These mechanisms are further described in Section 8.2.2.4.¶
A DODAG loop may occur when a node detaches from the DODAG and reattaches to a device in its prior sub-DODAG. In particular, this may happen when DIO messages are missed. Strict use of the DODAGVersionNumber can eliminate this type of loop, but this type of loop may possibly be encountered when using some local repair mechanisms.¶
For example, consider the local repair mechanism that allows a node to detach from the DODAG, advertise a Rank of INFINITE_RANK (in order to poison its routes / inform its sub-DODAG), and then reattach to the DODAG. In some of these cases, the node may reattach to its own prior-sub-DODAG, causing a DODAG loop, because the poisoning may fail if the INFINITE_RANK advertisements are lost in the LLN environment. (In this case, the Rank-based data-path validation mechanisms would eventually detect and trigger correction of the loop).¶
A DAO loop may occur when the parent has a route installed upon receiving and processing a DAO message from a child, but the child has subsequently cleaned up the related DAO state. This loop happens when a No-Path (a DAO message that invalidates a previously announced prefix, see Section 6.4.3) was missed and persists until all state has been cleaned up. RPL includes an optional mechanism to acknowledge DAO messages, which may mitigate the impact of a single DAO message being missed. RPL includes loop detection mechanisms that mitigate the impact of DAO loops and trigger their repair. (See Section 11.2.2.3).¶
RPL supports three basic traffic flows: multipoint-to-point (MP2P), point-to-multipoint (P2MP), and point-to-point (P2P).¶
Multipoint-to-point (MP2P) is a dominant traffic flow in many LLN applications ([RFC5867], [RFC5826], [RFC5673], and [RFC5548]). The destinations of MP2P flows are designated nodes that have some application significance, such as providing connectivity to the larger Internet or core private IP network. RPL supports MP2P traffic by allowing MP2P destinations to be reached via DODAG roots.¶
Point-to-multipoint (P2MP) is a traffic pattern required by several LLN applications ([RFC5867], [RFC5826], [RFC5673], and [RFC5548]). RPL supports P2MP traffic by using a destination advertisement mechanism that provisions Down routes toward destinations (prefixes, addresses, or multicast groups), and away from roots. Destination advertisements can update routing tables as the underlying DODAG topology changes.¶
RPL DODAGs provide a basic structure for point-to-point (P2P) traffic. For a RPL network to support P2P traffic, a root must be able to route packets to a destination. Nodes within the network may also have routing tables to destinations. A packet flows towards a root until it reaches an ancestor that has a known route to the destination. As pointed out later in this document, in the most constrained case (when nodes cannot store routes), that common ancestor may be the DODAG root. In other cases, it may be a node closer to both the source and destination.¶
RPL also supports the case where a P2P destination is a 'one-hop' neighbor.¶
RPL neither specifies nor precludes additional mechanisms for computing and installing potentially more optimal routes to support arbitrary P2P traffic.¶
Within a given LLN, there may be multiple, logically independent RPL Instances. A RPL node may belong to multiple RPL Instances, and it may act as a router in some and as a leaf in others. This document describes how a single instance behaves.¶
There are two types of RPL Instances: Local and Global. RPL divides the RPLInstanceID space between Global and Local instances to allow for both coordinated and unilateral allocation of RPLInstanceIDs. Global RPL Instances are coordinated, have one or more DODAGs, and are typically long-lived. Local RPL Instances are always a single DODAG whose singular root owns the corresponding DODAGID and allocates the local RPLInstanceID in a unilateral manner. Local RPL Instances can be used, for example, for constructing DODAGs in support of a future on-demand routing solution. The mode of operation of Local RPL Instances is out of scope for this specification and may be described in other companion specifications.¶
The definition and provisioning of RPL Instances are out of scope for this specification. Guidelines may be application and implementation specific, and they are expected to be elaborated in future companion specifications. Those operations are expected to be such that data packets coming from the outside of the RPL network can unambiguously be associated to at least one RPL Instance and be safely routed over any instance that would match the packet.¶
Control and data packets within RPL network are tagged to unambiguously identify of which RPL Instance they are a part.¶
Every RPL control message has a RPLInstanceID field. Some RPL control messages, when referring to a local RPLInstanceID as defined below, may also include a DODAGID.¶
Data packets that flow within the RPL network expose the RPLInstanceID as part of the RPL Packet Information that RPL requires, as further described in Section 11.2. For data packets coming from outside the RPL network, the ingress router determines the RPLInstanceID and places it into the resulting packet that it injects into the RPL network.¶
A global RPLInstanceID MUST be unique to the whole LLN. Mechanisms for allocating and provisioning global RPLInstanceID are out of scope for this specification. There can be up to 128 Global instance in the whole network. Local instances are always used in conjunction with a DODAGID (which is either given explicitly or implicitly in some cases), and up 64 Local instances per DODAGID can be supported. Local instances are allocated and managed by the node that owns the DODAGID, without any explicit coordination with other nodes, as further detailed below.¶
A global RPLInstanceID is encoded in a RPLInstanceID field as follows:¶
A local RPLInstanceID is autoconfigured by the node that owns the DODAGID and it MUST be unique for that DODAGID. The DODAGID used to configure the local RPLInstanceID MUST be a reachable IPv6 address of the node, and it MUST be used as an endpoint of all communications within that Local instance.¶
A local RPLInstanceID is encoded in a RPLInstanceID field as follows:¶
The 'D' flag in a local RPLInstanceID is always set to 0 in RPL control messages. It is used in data packets to indicate whether the DODAGID is the source or the destination of the packet. If the 'D' flag is set to 1, then the destination address of the IPv6 packet MUST be the DODAGID. If the 'D' flag is cleared, then the source address of the IPv6 packet MUST be the DODAGID.¶
For example, consider a Node A that is the DODAG root of a Local RPL Instance, and has allocated a local RPLInstanceID. By definition, all traffic traversing that Local RPL Instance will either originate or terminate at Node A. In this case, the DODAGID will be the reachable IPv6 address of Node A. All traffic will contain the address of Node A, and thus the DODAGID, in either the source or destination address. Thus, the local RPLInstanceID may indicate that the DODAGID is equivalent to either the source address or the destination address by setting the 'D' flag appropriately.¶
This document defines the RPL control message, a new ICMPv6 [RFC4443] message. A RPL control message is identified by a code and composed of a base that depends on the code (and a series of options).¶
Most RPL control messages have the scope of a link. The only exception is for the DAO / DAO-ACK messages in Non-Storing mode, which are exchanged using a unicast address over multiple hops and thus uses global or unique-local addresses for both the source and destination addresses. For all other RPL control messages, the source address is a link-local address, and the destination address is either the all-RPL-nodes multicast address or a link-local unicast address of the destination. The all-RPL-nodes multicast address is a new address with a value of ff02::1a.¶
In accordance with [RFC4443], the RPL Control Message consists of an ICMPv6 header followed by a message body. The message body is comprised of a message base and possibly a number of options as illustrated in Figure 6.¶
The RPL control message is an ICMPv6 information message with a Type of 155.¶
The Code field identifies the type of RPL control message. This document defines codes for the following RPL control message types (see Section 20.2)):¶
If a node receives a RPL control message with an unknown Code field, the node MUST discard the message without any further processing, MAY raise a management alert, and MUST NOT send any messages in response.¶
The checksum is computed as specified in [RFC4443]. It is set to zero for the RPL security operations specified below and computed once the rest of the content of the RPL message including the security fields is all set.¶
The high order bit (0x80) of the code denotes whether the RPL message has security enabled. Secure RPL messages have a format to support confidentiality and integrity, illustrated in Figure 7.¶
The remainder of this section describes the currently defined RPL control message Base formats followed by the currently defined RPL Control Message options.¶
Each RPL message has a secure variant. The secure variants provide integrity and replay protection as well as optional confidentiality and delay protection. Because security covers the base message as well as options, in secured messages the security information lies between the checksum and base, as shown in Figure 7.¶
The level of security and the algorithms in use are indicated in the protocol messages as described below:¶
Message Authentication Codes (MACs) and signatures provide authentication over the entire unsecured ICMPv6 RPL control message, including the Security section with all fields defined, but with the ICMPv6 checksum temporarily set to zero. Encryption provides confidentiality of the secured RPL ICMPv6 message starting at the first byte after the Security section and continuing to the last byte of the packet. The security transformation yields a secured ICMPv6 RPL message with the inclusion of the cryptographic fields (MAC, signature, etc.). In other words, the security transformation itself (e.g., the Signature and/or Algorithm in use) will detail how to incorporate the cryptographic fields into the secured packet. The Security section itself does not explicitly carry those cryptographic fields. Use of the Security section is further detailed in Sections 19 and 10.¶
The Security Algorithm field specifies the encryption, MAC, and signature scheme the network uses. Supported values of this field are as follows:¶
Section 10.9 describes the algorithms in greater detail.¶
The Key Identifier Mode is a 2-bit field that indicates whether the key used for packet protection is determined implicitly or explicitly and indicates the particular representation of the Key Identifier field. The Key Identifier Mode is set one of the values from the table below:¶
In Mode 3 (KIM=11), the presence or absence of the Key Source and Key Identifier depends on the Security Level (LVL) described below. If the Security Level indicates there is encryption, then the fields are present; if it indicates there is no encryption, then the fields are not present.¶
The Security Level is a 3-bit field that indicates the provided packet protection. This value can be adapted on a per-packet basis and allows for varying levels of data authenticity and, optionally, for data confidentiality. The KIM field indicates whether signatures are used and the meaning of the Level field. Note that the assigned values of Security Level are not necessarily ordered -- a higher value of LVL does not necessarily equate to increased security. The Security Level is set to one of the values in the tables below:¶
The MAC attribute indicates that the message has a MAC of the specified length. The ENC attribute indicates that the message is encrypted. The Sign attribute indicates that the message has a signature of the specified length.¶
The Key Identifier field indicates which key was used to protect the packet. This field provides various levels of granularity of packet protection, including peer-to-peer keys, group keys, and signature keys. This field is represented as indicated by the Key Identifier Mode field and is formatted as follows:¶
Unassigned bits of the Security section are reserved. They MUST be set to zero on transmission and MUST be ignored on reception.¶
The DODAG Information Solicitation (DIS) message may be used to solicit a DODAG Information Object from a RPL node. Its use is analogous to that of a Router Solicitation as specified in IPv6 Neighbor Discovery; a node may use DIS to probe its neighborhood for nearby DODAGs. Section 8.3 describes how nodes respond to a DIS.¶
Unassigned bits of the DIS Base are reserved. They MUST be set to zero on transmission and MUST be ignored on reception.¶
A Secure DIS message follows the format in Figure 7, where the base format is the DIS message shown in Figure 13.¶
The DIS message MAY carry valid options.¶
This specification allows for the DIS message to carry the following options:¶
The DODAG Information Object carries information that allows a node to discover a RPL Instance, learn its configuration parameters, select a DODAG parent set, and maintain the DODAG.¶
The Mode of Operation (MOP) field identifies the mode of operation of the RPL Instance as administratively provisioned at and distributed by the DODAG root. All nodes who join the DODAG must be able to honor the MOP in order to fully participate as a router, or else they must only join as a leaf. MOP is encoded as in the figure below:¶
Unassigned bits of the DIO Base are reserved. They MUST be set to zero on transmission and MUST be ignored on reception.¶
A Secure DIO message follows the format in Figure 7, where the base format is the DIO message shown in Figure 14.¶
The DIO message MAY carry valid options.¶
This specification allows for the DIO message to carry the following options:¶
The Destination Advertisement Object (DAO) is used to propagate destination information Upward along the DODAG. In Storing mode, the DAO message is unicast by the child to the selected parent(s). In Non-Storing mode, the DAO message is unicast to the DODAG root. The DAO message may optionally, upon explicit request or error, be acknowledged by its destination with a Destination Advertisement Acknowledgement (DAO-ACK) message back to the sender of the DAO.¶
Unassigned bits of the DAO Base are reserved. They MUST be set to zero on transmission and MUST be ignored on reception.¶
A Secure DAO message follows the format in Figure 7, where the base format is the DAO message shown in Figure 16.¶
The DAO message MAY carry valid options.¶
This specification allows for the DAO message to carry the following options:¶
A special case of the DAO message, termed a No-Path, is used in Storing mode to clear Downward routing state that has been provisioned through DAO operation. The No-Path carries a Target option and an associated Transit Information option with a lifetime of 0x00000000 to indicate a loss of reachability to that Target.¶
The DAO-ACK message is sent as a unicast packet by a DAO recipient (a DAO parent or DODAG root) in response to a unicast DAO message.¶
Indicates the completion. Status 0 is defined as unqualified acceptance in this specification. The remaining status values are reserved as rejection codes. No rejection status codes are defined in this specification, although status codes SHOULD be allocated according to the following guidelines in future specifications:¶
Unassigned bits of the DAO-ACK Base are reserved. They MUST be set to zero on transmission and MUST be ignored on reception.¶
A Secure DAO-ACK message follows the format in Figure 7, where the base format is the DAO-ACK message shown in Figure 17.¶
This specification does not define any options to be carried by the DAO-ACK message.¶
The CC message is used to check secure message counters and issue challenge-responses. A CC message MUST be sent as a secured RPL message.¶
Unassigned bits of the CC Base are reserved. They MUST be set to zero on transmission and MUST be ignored on reception.¶
The Destination Counter value allows new or recovered nodes to resynchronize through CC message exchanges. This is important to ensure that a Counter value is not repeated for a given security key even in the event of devices recovering from a failure that created a loss of Counter state. For example, where a CC request or other RPL message is received with an initialized counter within the message Security section, the provision of the Incoming Counter within the CC response message allows the requesting node to reset its Outgoing Counter to a value greater than the last value received by the responding node; the Incoming Counter will also be updated from the received CC response.¶
This specification allows for the CC message to carry the following options:¶
RPL Control Message options all follow this format:¶
When processing a RPL message containing an option for which the Option Type value is not recognized by the receiver, the receiver MUST silently ignore the unrecognized option and continue to process the following option, correctly handling any remaining options in the message.¶
RPL message options may have alignment requirements. Following the convention in IPv6, options with alignment requirements are aligned in a packet such that multi-octet values within the Option Data field of each option fall on natural boundaries (i.e., fields of width n octets are placed at an integer multiple of n octets from the start of the header, for n = 1, 2, 4, or 8).¶
The Pad1 option MAY be present in DIS, DIO, DAO, DAO-ACK, and CC messages, and its format is as follows:¶
The Pad1 option is used to insert a single octet of padding into the message to enable options alignment. If more than one octet of padding is required, the PadN option should be used rather than multiple Pad1 options.¶
NOTE! The format of the Pad1 option is a special case -- it has neither Option Length nor Option Data fields.¶
The PadN option MAY be present in DIS, DIO, DAO, DAO-ACK, and CC messages, and its format is as follows:¶
The PadN option is used to insert two or more octets of padding into the message to enable options alignment. PadN option data MUST be ignored by the receiver.¶
The DAG Metric Container option MAY be present in DIO or DAO messages, and its format is as follows:¶
The DAG Metric Container is used to report metrics along the DODAG. The DAG Metric Container may contain a number of discrete node, link, and aggregate path metrics and constraints specified in [RFC6551] as chosen by the implementer.¶
The DAG Metric Container MAY appear more than once in the same RPL control message, for example, to accommodate a use case where the Metric Data is longer than 256 bytes. More information is in [RFC6551].¶
The processing and propagation of the DAG Metric Container is governed by implementation specific policy functions.¶
The Route Information Option (RIO) MAY be present in DIO messages, and it carries the same information as the IPv6 Neighbor Discovery (ND) RIO as defined in [RFC4191]. The root of a DODAG is authoritative for setting that information and the information is unchanged as propagated down the DODAG. A RPL router may trivially transform it back into an ND option to advertise in its own RAs so a node attached to the RPL router will end up using the DODAG for which the root has the best preference for the destination of a packet. In addition to the existing ND semantics, it is possible for an Objective Function to use this information to favor a DODAG whose root is most preferred for a specific destination. The format of the option is modified slightly (Type, Length, Prefix) in order to be carried as a RPL option as follows:¶
The RIO is used to indicate that connectivity to the specified destination prefix is available from the DODAG root.¶
In the event that a RPL control message may need to specify connectivity to more than one destination, the RIO may be repeated.¶
[RFC4191] should be consulted as the authoritative reference with respect to the RIO. The field descriptions are transcribed here for convenience:¶
Unassigned bits of the RIO are reserved. They MUST be set to zero on transmission and MUST be ignored on reception.¶
The DODAG Configuration option MAY be present in DIO messages, and its format is as follows:¶
The DODAG Configuration option is used to distribute configuration information for DODAG Operation through the DODAG.¶
The information communicated in this option is generally static and unchanging within the DODAG, therefore it is not necessary to include in every DIO. This information is configured at the DODAG root and distributed throughout the DODAG with the DODAG Configuration option. Nodes other than the DODAG root MUST NOT modify this information when propagating the DODAG Configuration option. This option MAY be included occasionally by the DODAG root (as determined by the DODAG root), and MUST be included in response to a unicast request, e.g. a unicast DODAG Information Solicitation (DIS) message.¶
The RPL Target option MAY be present in DAO messages, and its format is as follows:¶
The RPL Target option is used to indicate a Target IPv6 address, prefix, or multicast group that is reachable or queried along the DODAG. In a DAO, the RPL Target option indicates reachability.¶
A RPL Target option MAY optionally be paired with a RPL Target Descriptor option (Figure 30) that qualifies the target.¶
A set of one or more Transit Information options (Section 6.7.8) MAY directly follow a set of one or more Target options in a DAO message (where each Target option MAY be paired with a RPL Target Descriptor option as above). The structure of the DAO message, detailing how Target options are used in conjunction with Transit Information options is further described in Section 9.4.¶
The RPL Target option may be repeated as necessary to indicate multiple targets.¶
The Transit Information option MAY be present in DAO messages, and its format is as follows:¶
The Transit Information option is used for a node to indicate attributes for a path to one or more destinations. The destinations are indicated by one or more Target options that immediately precede the Transit Information option(s).¶
The Transit Information option can be used for a node to indicate its DODAG parents to an ancestor that is collecting DODAG routing information, typically, for the purpose of constructing source routes. In the Non-Storing mode of operation, this ancestor will be the DODAG root, and this option is carried by the DAO message. In the Storing mode of operation, the DODAG Parent Address subfield is not needed, since the DAO message is sent directly to the parent. The option length is used to determine whether or not the DODAG Parent Address subfield is present.¶
A non-storing node that has more than one DAO parent MAY include a Transit Information option for each DAO parent as part of the non- storing destination advertisement operation. The node may distribute the bits in the Path Control field among different groups of DAO parents in order to signal a preference among parents. That preference may influence the decision of the DODAG root when selecting among the alternate parents/paths for constructing Downward routes.¶
One or more Transit Information options MUST be preceded by one or more RPL Target options. In this manner, the RPL Target option indicates the child node, and the Transit Information option(s) enumerates the DODAG parents. The structure of the DAO message, further detailing how Target options are used in conjunction with Transit Information options, is further described in Section 9.4.¶
A typical non-storing node will use multiple Transit Information options, and it will send the DAO message thus formed directly to the root. A typical storing node will use one Transit Information option with no parent field and will send the DAO message thus formed, with additional adjustments, to Path Control as detailed later, to one or multiple parents.¶
For example, in a Non-Storing mode of operation let Tgt(T) denote a Target option for a Target T. Let Trnst(P) denote a Transit Information option that contains a parent address P. Consider the case of a non-storing Node N that advertises the self-owned targets N1 and N2 and has parents P1, P2, and P3. In that case, the DAO message would be expected to contain the sequence ((Tgt(N1), Tgt(N2)), (Trnst(P1), Trnst(P2), Trnst(P3))), such that the group of Target options {N1, N2} is described by the Transit Information options as having the parents {P1, P2, P3}. The non-storing node would then address that DAO message directly to the DODAG root and forward that DAO message through one of the DODAG parents: P1, P2, or P3.¶
8-bit bit field. The Path Control field limits the number of DAO parents to which a DAO message advertising connectivity to a specific destination may be sent, as well as providing some indication of relative preference. The limit provides some bound on overall DAO message fan-out in the LLN. The assignment and ordering of the bits in the Path Control also serves to communicate preference. Not all of these bits may be enabled as according to the PCS in the DODAG Configuration. The Path Control field is divided into four subfields that contain two bits each: PC1, PC2, PC3, and PC4, as illustrated in Figure 27. The subfields are ordered by preference, with PC1 being the most preferred and PC4 being the least preferred. Within a subfield, there is no order of preference. By grouping the parents (as in ECMP) and ordering them, the parents may be associated with specific bits in the Path Control field in a way that communicates preference.¶
Unassigned bits of the Transit Information option are reserved. They MUST be set to zero on transmission and MUST be ignored on reception.¶
The Solicited Information option MAY be present in DIS messages, and its format is as follows:¶
The Solicited Information option is used for a node to request DIO messages from a subset of neighboring nodes. The Solicited Information option may specify a number of predicate criteria to be matched by a receiving node. This is used by the requester to limit the number of replies from "non-interesting" nodes. These predicates affect whether a node resets its DIO Trickle timer, as described in Section 8.3.¶
The Solicited Information option contains flags that indicate which predicates a node should check when deciding whether to reset its Trickle timer. A node resets its Trickle timer when all predicates are true. If a flag is set, then the RPL node MUST check the associated predicate. If a flag is cleared, then the RPL node MUST NOT check the associated predicate. (If a flag is cleared, the RPL node assumes that the associated predicate is true.)¶
Unassigned bits of the Solicited Information option are reserved. They MUST be set to zero on transmission and MUST be ignored on reception.¶
The Prefix Information Option (PIO) MAY be present in DIO messages, and carries the information that is specified for the IPv6 ND Prefix Information option in [RFC4861], [RFC4862], and [RFC6275] for use by RPL nodes and IPv6 hosts. In particular, a RPL node may use this option for the purpose of Stateless Address Autoconfiguration (SLAAC) from a prefix advertised by a parent as specified in [RFC4862], and advertise its own address as specified in [RFC6275]. The root of a DODAG is authoritative for setting that information. The information is propagated down the DODAG unchanged, with the exception that a RPL router may overwrite the Interface ID if the 'R' flag is set to indicate its full address in the PIO. The format of the option is modified (Type, Length, Prefix) in order to be carried as a RPL option as follows:¶
If the only desired effect of a received PIO in a DIO is to provide the global address of the parent node to the receiving node, then the sender resets the 'A' and 'L' bits and sets the 'R' bit. Upon receipt, the RPL will not autoconfigure an address or a connected route from the prefix [RFC4862]. As in all cases, when the 'L' bit is not set, the RPL node MAY include the prefix in PIOs it sends to its children.¶
The PIO may be used to distribute the prefix in use inside the DODAG, e.g., for address autoconfiguration.¶
[RFC4861] and [RFC6275] should be consulted as the authoritative reference with respect to the PIO. The field descriptions are transcribed here for convenience:¶
Unassigned bits of the PIO are reserved. They MUST be set to zero on transmission and MUST be ignored on reception.¶
The RPL Target option MAY be immediately followed by one opaque descriptor that qualifies that specific target.¶
The RPL Target Descriptor option is used to qualify a target, something that is sometimes called "tagging".¶
At most, there can be one descriptor per target. The descriptor is set by the node that injects the Target in the RPL network. It MUST be copied but not modified by routers that propagate the Target Up the DODAG in DAO messages.¶
This section describes the general scheme for bootstrap and operation of sequence counters in RPL, such as the DODAGVersionNumber in the DIO message, the DAOSequence in the DAO message, and the Path Sequence in the Transit Information option.¶
This specification utilizes three different sequence numbers to validate the freshness and the synchronization of protocol information:¶
RPL sequence counters are subdivided in a 'lollipop' fashion [Perlman83], where the values from 128 and greater are used as a linear sequence to indicate a restart and bootstrap the counter, and the values less than or equal to 127 used as a circular sequence number space of size 128 as in [RFC1982]. Consideration is given to the mode of operation when transitioning from the linear region to the circular region. Finally, when operating in the circular region, if sequence numbers are detected to be too far apart, then they are not comparable, as detailed below.¶
A window of comparison, SEQUENCE_WINDOW = 16, is configured based on a value of 2^N, where N is defined to be 4 in this specification.¶
For a given sequence counter:¶
When comparing two sequence counters, the following rules MUST be applied:¶
When a first sequence counter A is in the interval [128..255] and a second sequence counter B is in [0..127]:¶
For example, if A is 240, and B is 5, then (256 + 5 - 240) is 21. 21 is greater than SEQUENCE_WINDOW (16); thus, 240 is greater than 5. As another example, if A is 250 and B is 5, then (256 + 5 - 250) is 11. 11 is less than SEQUENCE_WINDOW (16); thus, 250 is less than 5.¶
In the case where both sequence counters to be compared are less than or equal to 127, and in the case where both sequence counters to be compared are greater than or equal to 128:¶
This section describes how RPL discovers and maintains Upward routes. It describes the use of DODAG Information Objects (DIOs), the messages used to discover and maintain these routes. It specifies how RPL generates and responds to DIOs. It also describes DODAG Information Solicitation (DIS) messages, which are used to trigger DIO transmissions.¶
As mentioned in Section 3.2.8, nodes that decide to join a DODAG MUST provision at least one DODAG parent as a default route for the associated instance. This default route enables a packet to be forwarded Upward until it eventually hits a common ancestor from which it will be routed Downward to the destination. If the destination is not in the DODAG, then the DODAG root may be able to forward the packet using connectivity to the outside of the DODAG; if it cannot forward the packet outside, then the DODAG root has to drop it.¶
A DIO message can also transport explicit routing information:¶
For the following DIO Base fields, a node that is not a DODAG root MUST advertise the same values as its preferred DODAG parent (defined in Section 8.2.1). In this way, these values will propagate Down the DODAG unchanged and advertised by every node that has a route to that DODAG root. These fields are as follows:¶
A node MAY update the following fields at each hop:¶
Upward route discovery allows a node to join a DODAG by discovering neighbors that are members of the DODAG of interest and identifying a set of parents. The exact policies for selecting neighbors and parents is implementation dependent and driven by the OF. This section specifies the set of rules those policies must follow for interoperability.¶
RPL's Upward route discovery algorithms and processing are in terms of three logical sets of link-local nodes. First, the candidate neighbor set is a subset of the nodes that can be reached via link- local multicast. The selection of this set is implementation and OF dependent. Second, the parent set is a restricted subset of the candidate neighbor set. Finally, the preferred parent is a member of the parent set that is the preferred next hop in Upward routes. Conceptually, the preferred parent is a single parent; although, it may be a set of multiple parents if those parents are equally preferred and have identical Rank.¶
More precisely:¶
These rules ensure that there is a consistent partial order on nodes within the DODAG. As long as node Ranks do not change, following the above rules ensures that every node's route to a DODAG root is loop- free, as Rank decreases on each hop to the root.¶
The OF can guide candidate neighbor set and parent set selection, as discussed in [RFC6552].¶
The above rules govern a single DODAG Version. The rules in this section define how RPL operates when there are multiple DODAG Versions.¶
When the DODAG parent set becomes empty on a node that is not a root, (i.e., the last parent has been removed, causing the node no longer to be associated with that DODAG), then the DODAG information should not be suppressed until after the expiration of an implementation- specific local timer. During the interval prior to suppression of the "old" DODAG state, the node will be able to observe if the DODAGVersionNumber has been incremented should any new parents appear. This will help protect against the possibility of loops that may occur if that node were to inadvertently rejoin the old DODAG Version in its own prior sub-DODAG.¶
As the DODAGVersionNumber is incremented, a new DODAG Version spreads outward from the DODAG root. A parent that advertises the new DODAGVersionNumber cannot belong to the sub-DODAG of a node advertising an older DODAGVersionNumber. Therefore, a node can safely add a parent of any Rank with a newer DODAGVersionNumber without forming a loop.¶
For example, suppose that a node has left a DODAG with DODAGVersionNumber N. Suppose that a node had a sub-DODAG and did attempt to poison that sub-DODAG by advertising a Rank of INFINITE_RANK, but those advertisements may have become lost in the LLN. Then, if the node did observe a candidate neighbor advertising a position in that original DODAG at DODAGVersionNumber N, that candidate neighbor could possibly have been in the node's former sub- DODAG, and there is a possible case where adding that candidate neighbor as a parent could cause a loop. In this case, if that candidate neighbor is observed to advertise a DODAGVersionNumber N+1, then that candidate neighbor is certain to be safe, since it is certain not to be in that original node's sub-DODAG, as it has been able to increment the DODAGVersionNumber by hearing from the DODAG root while that original node was detached. For this reason, it is useful for the detached node to remember the original DODAG information, including the DODAGVersionNumber N.¶
Exactly when a DODAG root increments the DODAGVersionNumber is implementation dependent and out of scope for this specification. Examples include incrementing the DODAGVersionNumber periodically, upon administrative intervention, or on application-level detection of lost connectivity or DODAG inefficiency.¶
After a node transitions to and advertises a new DODAG Version, the rules above make it unable to advertise the previous DODAG Version (prior DODAGVersionNumber) once it has committed to advertising the new DODAG Version.¶
In a deployment that uses non-LLN links to federate a number of LLN roots, it is possible to run RPL over those non-RPL links and use one router as a "backbone root". The backbone root is the virtual root of the DODAG and exposes a Rank of BASE_RANK over the backbone. All the LLN roots that are parented to that backbone root, including the backbone root if it also serves as the LLN root itself, expose a Rank of ROOT_RANK to the LLN. These virtual roots are part of the same DODAG and advertise the same DODAGID. They coordinate DODAGVersionNumbers and other DODAG parameters with the virtual root over the backbone. The method of coordination is out of scope for this specification (to be defined in future companion specifications).¶
The Objective Function and the set of advertised routing metrics and constraints of a DAG determine how a node selects its neighbor set, parent set, and preferred parents. This selection implicitly also determines the DODAG within a DAG. Such selection can include administrative preference (Prf) as well as metrics or other considerations.¶
If a node has the option to join a more preferred DODAG while still meeting other optimization objectives, then the node will generally seek to join the more preferred DODAG as determined by the OF. All else being equal, it is left to the implementation to determine which DODAG is most preferred (since, as a reminder, a node must only join one DODAG per RPL Instance).¶
Conceptually, an implementation is maintaining a DODAG parent set within the DODAG Version. Movement entails changes to the DODAG parent set. Moving Up does not present the risk to create a loop but moving Down might, so that operation is subject to additional constraints.¶
When a node migrates to the next DODAG Version, the DODAG parent set needs to be rebuilt for the new Version. An implementation could defer to migrate for some reasonable amount of time, to see if some other neighbors with potentially better metrics but higher Rank announce themselves. Similarly, when a node jumps into a new DODAG, it needs to construct a new DODAG parent set for this new DODAG.¶
If a node needs to move Down a DODAG that it is attached to, increasing its Rank, then it MAY poison its routes and delay before moving as described in Section 8.2.2.5.¶
A node is allowed to join any DODAG Version that it has never been a prior member of without any restrictions, but if the node has been a prior member of the DODAG Version, then it must continue to observe the rule that it may not advertise a Rank higher than L+DAGMaxRankIncrease at any point in the life of the DODAG Version. This rule must be observed so as not to create a loophole that would allow the node to effectively increment its Rank all the way to INFINITE_RANK, which may have impact on other nodes and create a resource-wasting count-to-infinity scenario.¶
Although an implementation may advertise INFINITE_RANK for the purposes of poisoning, doing so is not the same as setting Rank to INFINITE_RANK. For example, a node may continue to send data packets whose RPL Packet Information includes a Rank that is not INFINITE_RANK, yet still advertise INFINITE_RANK in its DIOs.¶
When a (former) parent is observed to advertise a Rank of INFINITE_RANK, that (former) parent has detached from the DODAG and is no longer able to act as a parent, nor is there any way that another node may be considered to have a Rank greater-than INFINITE_RANK. Therefore, that (former) parent cannot act as a parent any longer and is removed from the parent set.¶
A DODAG parent may have moved, migrated to the next DODAG Version, or jumped to a different DODAG. A node ought to give some preference to remaining in the current DODAG, if possible via an alternate parent, but ought to follow the parent if there are no other options.¶
When a DIO message is received, the receiving node must first determine whether or not the DIO message should be accepted for further processing, and subsequently present the DIO message for further processing if eligible.¶
As DIO messages are received from candidate neighbors, the neighbors may be promoted to DODAG parents by following the rules of DODAG discovery as described in Section 8.2. When a node places a neighbor into the DODAG parent set, the node becomes attached to the DODAG through the new DODAG parent node.¶
The most preferred parent should be used to restrict which other nodes may become DODAG parents. Some nodes in the DODAG parent set may be of a Rank less than or equal to the most preferred DODAG parent. (This case may occur, for example, if an energy-constrained device is at a lesser Rank but should be avoided per an optimization objective, resulting in a more preferred parent at a greater Rank.)¶
RPL nodes transmit DIOs using a Trickle timer [RFC6206]. A DIO from a sender with a lesser DAGRank that causes no changes to the recipient's parent set, preferred parent, or Rank SHOULD be considered consistent with respect to the Trickle timer.¶
The following packets and events MUST be considered inconsistencies with respect to the Trickle timer, and cause the Trickle timer to reset:¶
Note that this list is not exhaustive, and an implementation MAY consider other messages or events to be inconsistencies.¶
A node SHOULD NOT reset its DIO Trickle timer in response to unicast DIS messages. When a node receives a unicast DIS without a Solicited Information option, it MUST unicast a DIO to the sender in response. This DIO MUST include a DODAG Configuration option. When a node receives a unicast DIS message with a Solicited Information option and matches the predicates of that Solicited Information option, it MUST unicast a DIO to the sender in response. This unicast DIO MUST include a DODAG Configuration option. Thus, a node MAY transmit a unicast DIS message to a potential DODAG parent in order to probe for DODAG Configuration and other parameters.¶
The configuration parameters of the Trickle timer are specified as follows:¶
The DODAG selection is implementation and OF dependent. In order to limit erratic movements, and all metrics being equal, nodes SHOULD keep their previous selection. Also, nodes SHOULD provide a means to filter out a parent whose availability is detected as fluctuating, at least when more stable choices are available.¶
When connection to a grounded DODAG is not possible or preferable for security or other reasons, scattered DODAGs MAY aggregate as much as possible into larger DODAGs in order to allow connectivity within the LLN.¶
A node SHOULD verify that bidirectional connectivity and adequate link quality is available with a candidate neighbor before it considers that candidate as a DODAG parent.¶
In some cases, a RPL node may attach to a DODAG as a leaf node only. One example of such a case is when a node does not understand or does not support (policy) the RPL Instance's OF or advertised metric/ constraint. As specified in Section 18.6, related to policy function, the node may either join the DODAG as a leaf node or may not join the DODAG. As mentioned in Section 18.5, it is then recommended to log a fault.¶
A leaf node does not extend DODAG connectivity; however, in some cases, the leaf node may still need to transmit DIOs on occasion, in particular, when the leaf node may not have always been acting as a leaf node and an inconsistency is detected.¶
A node operating as a leaf node must obey the following rules:¶
A particular case that requires a leaf node to send a DIO is if that leaf node was a prior member of another DODAG and another node forwards a message assuming the old topology, triggering an inconsistency. The leaf node needs to transmit a DIO in order to repair the inconsistency. Note that due to the lossy nature of LLNs, even though the leaf node may have optimistically poisoned its routes by advertising a Rank of INFINITE_RANK in the old DODAG prior to becoming a leaf node, that advertisement may have become lost and a leaf node must be capable to send a DIO later in order to repair the inconsistency.¶
In the general case, the leaf node MUST NOT advertise itself as a router (i.e., send DIOs).¶
In some cases, it might be beneficial to adjust the Rank advertised by a node beyond that computed by the OF based on some implementation-specific policy and properties of the node. For example, a node that has a limited battery should be a leaf unless there is no other choice, and may then augment the Rank computation specified by the OF in order to expose an exaggerated Rank.¶
This section describes how RPL discovers and maintains Downward routes. RPL constructs and maintains Downward routes with Destination Advertisement Object (DAO) messages. Downward routes support P2MP flows, from the DODAG roots toward the leaves. Downward routes also support P2P flows: P2P messages can flow toward a DODAG root (or a common ancestor) through an Upward route, then away from the DODAG root to a destination through a Downward route.¶
This specification describes the two modes a RPL Instance may choose from for maintaining Downward routes. In the first mode, called "Storing", nodes store Downward routing tables for their sub-DODAG. Each hop on a Downward route in a storing network examines its routing table to decide on the next hop. In the second mode, called "Non-Storing", nodes do not store Downward routing tables. Downward packets are routed with source routes populated by a DODAG root [RFC6554].¶
RPL allows a simple one-hop P2P optimization for both storing and non-storing networks. A node may send a P2P packet destined to a one-hop neighbor directly to that node.¶
To establish Downward routes, RPL nodes send DAO messages Upward. The next-hop destinations of these DAO messages are called "DAO parents". The collection of a node's DAO parents is called the "DAO parent set".¶
The selection of DAO parents is implementation and Objective Function specific.¶
Destination Advertisement may be configured to be entirely disabled, or operate in either a Storing or Non-Storing mode, as reported in the MOP in the DIO message.¶
A DODAG can have one of several possible modes of operation, as defined by the MOP field. Either it does not support Downward routes, it supports Downward routes through source routing from DODAG roots, or it supports Downward routes through in-network routing tables.¶
When Downward routes are supported through source routing from DODAG roots, it is generally expected that the DODAG root has stored the source routing information learned from DAOs in order to construct the source routes. If the DODAG root fails to store some information, then some destinations may be unreachable.¶
When Downward routes are supported through in-network routing tables, the multicast operation defined in this specification may or may not be supported, also as indicated by the MOP field.¶
When Downward routes are supported through in-network routing tables, as described in this specification, it is expected that nodes acting as routers have been provisioned sufficiently to hold the required routing table state. If a node acting as a router is unable to hold the full routing table state then the routing state is not complete, messages may be dropped as a consequence, and a fault may be logged (Section 18.5). Future extensions to RPL may elaborate on refined actions/behaviors to manage this case.¶
As of the writing of this specification, RPL does not support mixed- mode operation, where some nodes source route and other store routing tables: future extensions to RPL may support this mode of operation.¶
For each Target that is associated with (owned by) a node, that node is responsible to emit DAO messages in order to provision the Downward routes. The Target+Transit information contained in those DAO messages subsequently propagates Up the DODAG. The Path Sequence counter in the Transit information option is used to indicate freshness and update stale Downward routing information as described in Section 7.¶
For a Target that is associated with (owned by) a node, that node MUST increment the Path Sequence counter, and generate a new DAO message, when:¶
For a Target that is associated with (owned by) a node, that node MAY increment the Path Sequence counter, and generate a new DAO message, on occasion in order to refresh the Downward routing information. In Storing mode, the node generates such a DAO to each of its DAO parents in order to enable multipath. All DAOs generated at the same time for the same Target MUST be sent with the same Path Sequence in the Transit Information.¶
A node might send DAO messages when it receives DAO messages, as a result of changes in its DAO parent set, or in response to another event such as the expiry of a related prefix lifetime. In the case of receiving DAOs, it matters whether the DAO message is "new" or contains new information. In Non-Storing mode, every DAO message a node receives is "new". In Storing mode, a DAO message is "new" if it satisfies any of these criteria for a contained Target:¶
A node that receives a DAO message from its sub-DODAG MAY suppress scheduling a DAO message transmission if that DAO message is not new.¶
Unlike the Version field of a DIO, which is incremented only by a DODAG root and repeated unchanged by other nodes, DAOSequence values are unique to each node. The sequence number space for unicast and multicast DAO messages can be either the same or distinct. It is RECOMMENDED to use the same sequence number space.¶
DAOs follow a common structure in both storing and non-storing networks. In the most general form, a DAO message may include several groups of options, where each group consists of one or more Target options followed by one or more Transit Information options.¶
The entire group of Transit Information options applies to the entire group of Target options. Later sections describe further details for each mode of operation.¶
In Non-Storing mode, the root builds a strict source routing header, hop-by-hop, by recursively looking up one-hop information that ties a Target (address or prefix) and a transit address together. In some cases, when a child address is derived from a prefix that is owned and advertised by a parent, that parent-child relationship may be inferred by the root for the purpose of constructing the source routing header. In all other cases, it is necessary to inform the root of the transit-Target relationship from a reachable target, so as to later enable the recursive construction of the routing header. An address that is advertised as a Target in a DAO message MUST be collocated in the same router, or reachable on-link by the router that owns the address that is indicated in the associated Transit Information. The following additional rules apply to ensure the continuity of the end-to-end source route path:¶
A child node that has autoconfigured an address from a parent PIO with the 'L' flag set does not need to advertise that address as a DAO Target since the parent ensures that the whole prefix is already reachable from the root. However, if the 'L' flag is not set, then it is necessary, in Non-Storing mode, for the child node to inform the root of the parent-child relationship, using a reachable address of the parent, so as to enable the recursive construction of the routing header. This is done by associating an address of the parent as transit with the address of the child as Target in a DAO message.¶
Because DAOs flow Upward, receiving a unicast DAO can trigger sending a unicast DAO to a DAO parent.¶
DelayDAO's value and calculation is implementation dependent. A default value of DEFAULT_DAO_DELAY is defined in this specification.¶
Nodes can trigger their sub-DODAG to send DAO messages. Each node maintains a DAO Trigger Sequence Number (DTSN), which it communicates through DIO messages.¶
In a Storing mode of operation, as part of routine routing table updates and maintenance, a storing node MAY increment DTSN in order to reliably trigger a set of DAO updates from its immediate children.¶
In a Storing mode of operation, it is not necessary to trigger DAO updates from the entire sub-DODAG, since that state information will propagate hop-by-hop Up the DODAG.¶
In a Non-Storing mode of operation, a DTSN increment will also cause the immediate children of a node to increment their DTSN in turn, triggering a set of DAO updates from the entire sub-DODAG. Typically, in a Non-Storing mode of operation, only the root would independently increment the DTSN when a DAO refresh is needed but a global repair (such as by incrementing DODAGVersionNumber) is not desired. Typically, in a Non-Storing mode of operation, all non-root nodes would increment their DTSN only when their parent(s) are observed to do so.¶
In general, a node may trigger DAO updates according to implementation-specific logic, such as based on the detection of a Downward route inconsistency or occasionally based upon an internal timer.¶
In a storing network, selecting a proper DelayDAO for triggered DAOs can greatly reduce the number of DAOs transmitted. The trigger flows Down the DODAG; in the best case, the DAOs flow Up the DODAG such that leaves send DAOs first, with each node sending a DAO message only once. Such a scheduling could be approximated by setting DelayDAO inversely proportional to Rank. Note that this suggestion is intended as an optimization to allow efficient aggregation (it is not required for correct operation in the general case).¶
In Non-Storing mode, RPL routes messages Downward using IP source routing. The following rule applies to nodes that are in Non-Storing mode. Storing mode has a separate set of rules, described in Section 9.8.¶
In Non-Storing mode, a node uses DAOs to report its DAO parents to the DODAG root. The DODAG root can piece together a Downward route to a node by using DAO parent sets from each node in the route. The Path Sequence information may be used to detect stale DAO information. The purpose of this per-hop route calculation is to minimize traffic when DAO parents change. If nodes reported complete source routes, then on a DAO parent change, the entire sub-DODAG would have to send new DAOs to the DODAG root. Therefore, in Non- Storing mode, a node can send a single DAO, although it might choose to send more than one DAO message to each of multiple DAO parents.¶
Nodes pack DAOs by sending a single DAO message with multiple RPL Target options. Each RPL Target option has its own, immediately following, Transit Information options.¶
In Storing mode, RPL routes messages Downward by the IPv6 destination address. The following rules apply to nodes that are in Storing mode:¶
DAOs advertise to which destination addresses and prefixes a node has routes. Unlike in Non-Storing mode, these DAOs do not communicate information about the routes themselves: that information is stored within the network and is implicit from the IPv6 source address. When a storing node generates a DAO, it uses the stored state of DAOs it has received to produce a set of RPL Target options and their associated Transmit Information options.¶
Because this information is stored within each node's routing tables, in Storing mode, DAOs are communicated directly to DAO parents, who store this information.¶
A DAO message from a node contains one or more Target options. Each Target option specifies either a prefix advertised by the node, a prefix of addresses reachable outside the LLN, the address of a destination in the node's sub-DODAG, or a multicast group to which a node in the sub-DODAG is listening. The Path Control field of the Transit Information option allows nodes to request or allow for multiple Downward routes. A node constructs the Path Control field of a Transit Information option as follows:¶
The Path Control field allows a node to bound how many Downward routes will be generated to it. It sets a number of bits in the Path Control field equal to the maximum number of Downward routes it prefers. At most, each bit is sent to one DAO parent; clusters of bits can be sent to a single DAO parent for it to divide among its own DAO parents.¶
A node that provisions a DAO route for a Target that has an associated Path Control field SHOULD use the content of that Path Control field in order to determine an order of preference among multiple alternative DAO routes for that Target. The Path Control field assignment is derived from preference (of the DAO parents), as determined on the basis of this node's best knowledge of the "end-to-end" aggregated metrics in the Downward direction as per the Objective Function. In Non-Storing mode the root can determine the Downward route by aggregating the information from each received DAO, which includes the Path Control indications of preferred DAO parents.¶
Suppose that there is an LLN operating in Storing mode that contains a Node N with four parents, P1, P2, P3, and P4. Let N have three children, C1, C2, and C3 in its sub-DODAG. Let PCS be 7, such that there will be 8 active bits in the Path Control field: 11111111b. Consider the following example:¶
The Path Control field is split into four subfields, PC1 (11000000b), PC2 (00110000b), PC3 (00001100b), and PC4 (00000011b), such that those four subfields represent four different levels of preference per Figure 27. The implementation at Node N, in this example, groups {P1, P2} to be of equal preference to each other and the most preferred group overall. {P3} is less preferred to {P1, P2}, and more preferred to {P4}. Let Node N then perform its Path Control mapping such that:¶
{P1, P2} -> PC1 (11000000b) in the Path Control field {P3} -> PC2 (00110000b) in the Path Control field {P4} -> PC3 (00001100b) in the Path Control field {P4} -> PC4 (00000011b) in the Path Control field¶
Note that the implementation repeated {P4} in order to get complete coverage of the Path Control field.¶
A special case of DAO operation, distinct from unicast DAO operation, is multicast DAO operation that may be used to populate '1-hop' routing table entries.¶
This section describes the generation and processing of secure RPL messages. The high-order bit of the RPL message code identifies whether or not a RPL message is secure. In addition to secure versions of basic control messages (DIS, DIO, DAO, DAO-ACK), RPL has several messages that are relevant only in networks that are security enabled.¶
Implementation complexity and size is a core concern for LLNs such that it may be economically or physically impossible to include sophisticated security provisions in a RPL implementation. Furthermore, many deployments can utilize link-layer or other security mechanisms to meet their security requirements without requiring the use of security in RPL.¶
Therefore, the security features described in this document are OPTIONAL to implement. A given implementation MAY support a subset (including the empty set) of the described security features, for example, it could support integrity and confidentiality, but not signatures. An implementation SHOULD clearly specify which security mechanisms are supported, and it is RECOMMENDED that implementers carefully consider security requirements and the availability of security mechanisms in their network.¶
RPL supports three security modes:¶
Whether or not the RPL Instance uses unsecured mode is signaled by whether it uses secure RPL messages. Whether a secured network uses the preinstalled or authenticated mode is signaled by the 'A' bit of the DAG Configuration option.¶
This specification specifies CCM -- Counter with CBC-MAC (Cipher Block Chaining - Message Authentication Code) -- as the cryptographic basis for RPL security [RFC3610]. In this specification, CCM uses AES-128 as its underlying cryptographic algorithm. There are bits reserved in the Security section to specify other algorithms in the future.¶
All secured RPL messages have either a MAC or a signature. Optionally, secured RPL messages also have encryption protection for confidentiality. Secured RPL message formats support both integrated encryption/authentication schemes (e.g., CCM) as well as schemes that separately encrypt and authenticate packets.¶
RPL security assumes that a node wishing to join a secured network has been pre-configured with a shared key for communicating with neighbors and the RPL root. To join a secure RPL network, a node either listens for secure DIOs or triggers secure DIOs by sending a secure DIS. In addition to the DIO/DIS rules in Section 8, secure DIO and DIS messages have these rules:¶
The above rules allow a node to join a secured RPL Instance using the pre-configured shared key. Once a node has joined the DODAG using the pre-configured shared key, the 'A' bit of the Configuration option determines its capabilities. If the 'A' bit of the Configuration option is cleared, then nodes can use this preinstalled, shared key to exchange messages normally: it can issue DIOs, DAOs, etc.¶
If the 'A' bit of the Configuration option is set and the RPL Instance is operating in authenticated mode:¶
The above rules mean that in RPL Instances where the 'A' bit is set, using Key Index 0x00, a node can join the RPL Instance as a host but not a router. A node must communicate with a key authority to obtain a key that will enable it to act as a router.¶
Authenticated mode requires a would-be router to dynamically install new keys once they have joined a network as a host. Having joined as a host, the node uses standard IP messaging to communicate with an authorization server, which can provide new keys.¶
The protocol to obtain such keys is out of scope for this specification and to be elaborated in future specifications. That elaboration is required for RPL to securely operate in authenticated mode.¶
RPL nodes send Consistency Check (CC) messages to protect against replay attacks and synchronize counters.¶
Consistency Check messages allow nodes to issue a challenge-response to validate a node's current counter value. Because the CC nonce is generated by the challenger, an adversary replaying messages is unlikely to be able to generate a correct response. The counter in the Consistency Check response allows the challenger to validate the counter values it hears.¶
In the simplest case, the counter value is an unsigned integer that a node increments by one or more on each secured RPL transmission. The counter MAY represent a timestamp that has the following properties:¶
If a node supports such timestamps and it receives a message with the 'T' flag set, it MAY apply the temporal check on the received message described in Section 10.7.1. If a node receives a message without the 'T' flag set, it MUST NOT apply this temporal check. A node's security policy MAY, for application reasons, include rejecting all messages without the 'T' flag set.¶
The 'T' flag is present because many LLNs today already maintain global time synchronization at sub-millisecond granularity for security, application, and other reasons. Allowing RPL to leverage this existing functionality when present greatly simplifies solutions to some security problems, such as delay protection.¶
Given an outgoing RPL control packet and the required security protection, this section describes how RPL generates the secured packet to transmit. It also describes the order of cryptographic operations to provide the required protection.¶
The requirement for security protection and the level of security to be applied to an outgoing RPL packet shall be determined by the node's security policy database. The configuration of this security policy database for outgoing packet processing is implementation specific.¶
Where secured RPL messages are to be transmitted, a RPL node MUST set the Security section (T, Sec, KIM, and LVL) in the outgoing RPL packet to describe the protection level and security settings that are applied (see Section 6.1). The Security subfield bit of the RPL Message Code field MUST be set to indicate the secure RPL message.¶
The counter value used in constructing the AES-128 CCM nonce (Figure 31) to secure the outgoing packet MUST be an increment of the last counter transmitted to the particular destination address.¶
Where security policy specifies the application of delay protection, the Timestamp counter used in constructing the CCM nonce to secure the outgoing packet MUST be incremented according to the rules in Section 10.5. Where a Timestamp counter is applied (indicated with the 'T' flag set), the locally maintained Timestamp counter MUST be included as part of the transmitted secured RPL message.¶
The cryptographic algorithm used in securing the outgoing packet shall be specified by the node's security policy database and MUST be indicated in the value of the Sec field set within the outgoing message.¶
The security policy for the outgoing packet shall determine the applicable KIM and Key Identifier specifying the security key to be used for the cryptographic packet processing, including the optional use of signature keys (see Section 6.1). The security policy will also specify the algorithm (Algorithm) and level of protection (Level) in the form of authentication or authentication and encryption, and potential use of signatures that shall apply to the outgoing packet.¶
Where encryption is applied, a node MUST replace the original packet payload with that payload encrypted using the security protection, key, and CCM nonce specified in the Security section of the packet.¶
All secured RPL messages include integrity protection. In conjunction with the security algorithm processing, a node derives either a MAC or signature that MUST be included as part of the outgoing secured RPL packet.¶
This section describes the reception and processing of a secured RPL packet. Given an incoming secured RPL packet, where the Security subfield bit of the RPL Message Code field is set, this section describes how RPL generates an unencrypted variant of the packet and validates its integrity.¶
The receiver uses the RPL security control fields to determine the necessary packet security processing. If the described level of security for the message type and originator is unknown or does not meet locally maintained security policies, a node MUST discard the packet without further processing, MAY raise a management alert, and MUST NOT send any messages in response. These policies can include security levels, keys used, source identifiers, or the lack of timestamp-based counters (as indicated by the 'T' flag). The configuration of the security policy database for incoming packet processing is out of scope for this specification (it may, for example, be defined through DIO Configuration or through out-of-band administrative router configuration).¶
Where the message Security Level (LVL) indicates an encrypted RPL message, the node uses the key information identified through the KIM field as well as the CCM nonce as input to the message payload decryption processing. The CCM nonce shall be derived from the message Counter field and other received and locally maintained information (see Section 10.9.1). The plaintext message contents shall be obtained by invoking the inverse cryptographic mode of operation specified by the Sec field of the received packet.¶
The receiver shall use the CCM nonce and identified key information to check the integrity of the incoming packet. If the integrity check fails against the received MAC, a node MUST discard the packet.¶
If the received message has an initialized (zero value) counter value and the receiver has an incoming counter currently maintained for the originator of the message, the receiver MUST initiate a counter resynchronization by sending a Consistency Check response message (see Section 6.6) to the message source. The Consistency Check response message shall be protected with the current full outgoing counter maintained for the particular node address. That outgoing counter will be included within the security section of the message while the incoming counter will be included within the Consistency Check message payload.¶
Based on the specified security policy, a node MAY apply replay protection for a received RPL message. The replay check SHOULD be performed before the authentication of the received packet. The counter, as obtained from the incoming packet, shall be compared against the watermark of the incoming counter maintained for the given origination node address. If the received message counter value is non-zero and less than the maintained incoming counter watermark, a potential packet replay is indicated and the node MUST discard the incoming packet.¶
If delay protection is specified as part of the incoming packet security policy checks, the Timestamp counter is used to validate the timeliness of the received RPL message. If the incoming message Timestamp counter value indicates a message transmission time prior to the locally maintained transmission time counter for the originator address, a replay violation is indicated and the node MUST discard the incoming packet. If the received Timestamp counter value indicates a message transmission time that is earlier than the Current time less the acceptable packet delay, a delay violation is indicated and the node MUST discard the incoming packet.¶
Once a message has been decrypted, where applicable, and has successfully passed its integrity check, replay check, and optionally delay-protection checks, the node can update its local security information, such as the source's expected counter value for replay comparison.¶
A node MUST NOT update its security information on receipt of a message that fails security policy checks or other applied integrity, replay, or delay checks.¶
If the 'T' flag of a message is set and a node has a local timestamp that follows the requirements in Section 10.5, then a node MAY check the temporal consistency of the message. The node computes the transmit time of the message by adding the counter value to the start time of the associated key. If this transmit time is past the end time of the key, the node MAY discard the message without further processing. If the transmit time is too far in the past or future compared to the local time on the receiver, it MAY discard the message without further processing.¶
For a RPL ICMPv6 message, the entire packet is within the scope of RPL security.¶
MACs and signatures are calculated over the entire unsecured IPv6 packet. When computing MACs and signatures, mutable IPv6 fields are considered to be filled with zeroes, following the rules in Section 3.3.3.1 of [RFC4302] (IPsec Authenticated Header). MAC and signature calculations are performed before any compression that lower layers may apply.¶
When a RPL ICMPv6 message is encrypted, encryption starts at the first byte after the Security section and continues to the last byte of the packet. The IPv6 header, ICMPv6 header, and RPL message up to the end of the Security section are not encrypted, as they are needed to correctly decrypt the packet.¶
For example, a node sending a message with LVL=1, KIM=0, and Algorithm=0 uses the CCM algorithm [RFC3610] to create a packet with attributes ENC-MAC-32: it encrypts the packet and appends a 32-bit MAC. The block cipher key is determined by the Key Index. The CCM nonce is computed as described in Section 10.9.1; the message to authenticate and encrypt is the RPL message starting at the first byte after the Security section and ends with the last byte of the packet. The additional authentication data starts with the beginning of the IPv6 header and ends with the last byte of the RPL Security section.¶
The cryptographic mode of operation described in this specification (Algorithm = 0) is based on CCM and the block-cipher AES-128 [RFC3610]. This mode of operation is widely supported by existing implementations. CCM mode requires a nonce (CCM nonce).¶
A RPL node constructs a CCM nonce as follows:¶
Unassigned bits of the CCM nonce are reserved. They MUST be set to zero when constructing the CCM nonce.¶
All fields of the CCM nonce are represented in most significant octet and most significant bit first order.¶
If the KIM indicates the use of signatures (a value of 3), then a node appends a signature to the data payload of the packet. The Security Level (LVL) field describes the length of this signature. The signature scheme in RPL for Security Mode 3 is an instantiation of the RSA algorithm (RSASSA-PSS) as defined in Section 8.1 of [RFC3447]. As public key, it uses the pair (n,e), where n is a 2048-bit or 3072-bit RSA modulus and where e=2^{16}+1. It uses CCM mode [RFC3610] as the encryption scheme with M=0 (as a stream- cipher). Note that although [RFC3610] disallows the CCM mode with M=0, RPL explicitly allows the CCM mode with M=0 when used in conjunction with a signature, because the signature provides sufficient data authentication. Here, the CCM mode with M=0 is specified as in [RFC3610], but where the M' field in Section 2.2 MUST be set to 0. It uses the SHA-256 hash function specified in Section 6.2 of [FIPS180]. It uses the message encoding rules of Section 8.1 of [RFC3447].¶
Let 'a' be a concatenation of a 6-byte representation of counter and the message header. The packet payload is the right-concatenation of packet data 'm' and the signature 's'. This signature scheme is invoked with the right-concatenation of the message parts a and m, whereas the signature verification is invoked with the right- concatenation of the message parts a and m and with signature s.¶
RSA signatures of this form provide sufficient protection for RPL networks. If needed, alternative signature schemes that produce more concise signatures is out of scope for this specification and may be the subject of a future specification.¶
An implementation that supports RSA signing with either 2048-bit or 3072-bit signatures SHOULD support verification of both 2048-bit and 3072-bit RSA signatures. This is in consideration of providing an upgrade path for a RPL deployment.¶
This document specifies a routing protocol. These non-normative suggestions are provided to aid in the design of a forwarding implementation by illustrating how such an implementation could work with RPL.¶
When forwarding a packet to a destination, precedence is given to selection of a next-hop successor as follows:¶
Hop Limit MUST be decremented when forwarding per [RFC2460].¶
Note that the chosen successor MUST NOT be the neighbor that was the predecessor of the packet (split horizon), except in the case where it is intended for the packet to change from an Upward to a Downward direction, as determined by the routing table of the node making the change, such as switching from DIO routes to DAO routes as the destination is neared in order to continue traveling toward the destination.¶
RPL loop avoidance mechanisms are kept simple and designed to minimize churn and states. Loops may form for a number of reasons, e.g., control packet loss. RPL includes a reactive loop detection technique that protects from meltdown and triggers repair of broken paths.¶
RPL loop detection uses RPL Packet Information that is transported within the data packets, relying on an external mechanism such as [RFC6553] that places in the RPL Packet Information in an IPv6 Hop- by-Hop option header.¶
The content of RPL Packet Information is defined as follows:¶
If the source is aware of the RPLInstanceID that is preferred for the packet, then it MUST set the RPLInstanceID field associated with the packet accordingly; otherwise, it MUST set it to the RPL_DEFAULT_INSTANCE.¶
The RPLInstanceID is associated by the source with the packet. This RPLInstanceID MUST match the RPL Instance onto which the packet is placed by any node, be it a host or router. The RPLInstanceID is part of the RPL Packet Information.¶
A RPL router that forwards a packet in the RPL network MUST check if the packet includes the RPL Packet Information. If not, then the RPL router MUST insert the RPL Packet Information. If the router is an ingress router that injects the packet into the RPL network, the router MUST set the RPLInstanceID field in the RPL Packet Information. The details of how that router determines the mapping to a RPLInstanceID are out of scope for this specification and left to future specification.¶
A router that forwards a packet outside the RPL network MUST remove the RPL Packet Information.¶
When a router receives a packet that specifies a given RPLInstanceID and the node can forward the packet along the DODAG associated to that instance, then the router MUST do so and leave the RPLInstanceID value unchanged.¶
If any node cannot forward a packet along the DODAG associated with the RPLInstanceID, then the node SHOULD discard the packet and send an ICMP error message.¶
The DODAG is inconsistent if the direction of a packet does not match the Rank relationship. A receiver detects an inconsistency if it receives a packet with either:¶
When the DODAG root increments the DODAGVersionNumber, a temporary Rank discontinuity may form between the next DODAG Version and the prior DODAG Version, in particular, if nodes are adjusting their Rank in the next DODAG Version and deferring their migration into the next DODAG Version. A router that is still a member of the prior DODAG Version may choose to forward a packet to a (future) parent that is in the next DODAG Version. In some cases, this could cause the parent to detect an inconsistency because the Rank-ordering in the prior DODAG Version is not necessarily the same as in the next DODAG Version, and the packet may be judged not to be making forward progress. If the sending router is aware that the chosen successor has already joined the next DODAG Version, then the sending router MUST update the SenderRank to INFINITE_RANK as it forwards the packets across the discontinuity into the next DODAG Version in order to avoid a false detection of Rank inconsistency.¶
One inconsistency along the path is not considered a critical error and the packet may continue. However, a second detection along the path of the same packet should not occur and the packet MUST be dropped.¶
This process is controlled by the Rank-Error bit associated with the packet. When an inconsistency is detected on a packet, if the Rank- Error bit was not set, then the Rank-Error bit is set. If it was set the packet MUST be discarded and the Trickle timer MUST be reset.¶
DAO inconsistency loop recovery is a mechanism that applies to Storing mode of operation only.¶
In Non-Storing mode, the packets are source routed to the destination, and DAO inconsistencies are not corrected locally. Instead, an ICMP error with a new code "Error in Source Routing Header" is sent back to the root. The "Error in Source Routing Header" message has the same format as the "Destination Unreachable Message", as specified in [RFC4443]. The portion of the invoking packet that is sent back in the ICMP message should record at least up to the routing header, and the routing header should be consumed by this node so that the destination in the IPv6 header is the next hop that this node could not reach.¶
A DAO inconsistency happens when a router has a Downward route that was previously learned from a DAO message via a child, but that Downward route is not longer valid in the child, e.g., because that related state in the child has been cleaned up. With DAO inconsistency loop recovery, a packet can be used to recursively explore and clean up the obsolete DAO states along a sub-DODAG.¶
In a general manner, a packet that goes Down should never go Up again. If DAO inconsistency loop recovery is applied, then the router SHOULD send the packet back to the parent that passed it with the Forwarding-Error 'F' bit set and the 'O' bit left untouched. Otherwise, the router MUST silently discard the packet.¶
Upon receiving a packet with a Forwarding-Error bit set, the node MUST remove the routing states that caused forwarding to that neighbor, clear the Forwarding-Error bit, and attempt to send the packet again. The packet may be sent to an alternate neighbor, after the expiration of a user-configurable implementation-specific timer. If that alternate neighbor still has an inconsistent DAO state via this node, the process will recurse, this node will set the Forwarding-Error 'F' bit, and the routing state in the alternate neighbor will be cleaned up as well.¶
This section describes a multicast routing operation over an IPv6 RPL network and, specifically, how unicast DAOs can be used to relay group registrations. The same DODAG construct can be used to forward unicast and multicast traffic. This section is limited to a description of how group registrations may be exchanged and how the forwarding infrastructure operates. It does not provide a full description of multicast within an LLN and, in particular, does not describe the generation of DODAGs specifically targeted at multicast or the details of operating RPL for multicast -- that will be the subject of further specifications.¶
The multicast group registration uses DAO messages that are identical to unicast except for the type of address that is transported. The main difference is that the multicast traffic going down is copied to all the children that have registered with the multicast group, whereas unicast traffic is passed to one child only.¶
Nodes that support the RPL Storing mode of operation SHOULD also support multicast DAO operations as described below. Nodes that only support the Non-Storing mode of operation are not expected to support this section.¶
The multicast operation is controlled by the MOP field in the DIO.¶
A router might select to pass a listener registration DAO message to its preferred parent only; in which case, multicast packets coming back might be lost for all of its sub-DODAGs if the transmission fails over that link. Alternatively, the router might select copying additional parents as it would do for DAO messages advertising unicast destinations; in which case, there might be duplicates that the router will need to prune.¶
As a result, multicast routing states are installed in each router on the way from the listeners to the DODAG root, enabling the root to copy a multicast packet to all its children routers that had issued a DAO message including a Target option for that multicast group.¶
For a multicast packet sourced from inside the DODAG, the packet is passed to the preferred parents, and if that fails, then to the alternates in the DODAG. The packet is also copied to all the registered children, except for the one that passed the packet. Finally, if there is a listener in the external infrastructure, then the DODAG root has to further propagate the packet into the external infrastructure.¶
As a result, the DODAG root acts as an automatic proxy Rendezvous Point for the RPL network and as source towards the non-RPL domain for all multicast flows started in the RPL domain. So, regardless of whether the root is actually attached to a non-RPL domain, and regardless of whether the DODAG is grounded or floating, the root can serve inner multicast streams at all times.¶
The selection of successors, along the default paths Up along the DODAG, or along the paths learned from destination advertisements Down along the DODAG, leads to the formation of routing adjacencies that require maintenance.¶
In IGPs, such as OSPF [RFC4915] or IS-IS [RFC5120], the maintenance of a routing adjacency involves the use of keepalive mechanisms (Hellos) or other protocols such as the Bidirectional Forwarding Detection (BFD) [RFC5881] and the MANET Neighborhood Discovery Protocol (NHDP) [RFC6130]. Unfortunately, such a proactive approach is often not desirable in constrained environments where it would lead to excessive control traffic in light of the data traffic with a negative impact on both link loads and nodes resources.¶
By contrast with those routing protocols, RPL does not define any keepalive mechanisms to detect routing adjacency failures: this is because in many cases, such a mechanism would be too expensive in terms of bandwidth and, even more importantly, energy (a battery- operated device could not afford to send periodic keepalives). Still RPL requires an external mechanisms to detect that a neighbor is no longer reachable. Such a mechanism should preferably be reactive to traffic in order to minimize the overhead to maintain the routing adjacency and focus on links that are actually being used.¶
Example reactive mechanisms that can be used include:¶
An Objective Function (OF), in conjunction with routing metrics and constraints, allows for the selection of a DODAG to join, and a number of peers in that DODAG as parents. The OF is used to compute an ordered list of parents. The OF is also responsible to compute the Rank of the device within the DODAG Version.¶
The Objective Function is indicated in the DIO message using an Objective Code Point (OCP), and it indicates the method that must be used to construct the DODAG. The Objective Code Points are specified in [RFC6552] and related companion specifications.¶
Most Objective Functions are expected to follow the same abstract behavior at a node:¶
An OF computes Rank of a node for comparison by adding to the Rank of the candidate a value representing the relative locations of the node and the candidate in the DODAG Version.¶
As it scans all the candidate neighbors, the OF keeps the current best parent and compares its capabilities with the current candidate neighbor. The OF defines a number of tests that are critical to reach the objective. A test between the routers determines an order relation.¶
Other rounds of scans might be necessary to elect alternate parents. In the next rounds:¶
This specification directly borrows the Prefix Information Option (PIO) and the Route Information Option (RIO) from IPv6 ND. It is envisioned that, as future specifications build on this base, there may be additional cause to leverage parts of IPv6 ND. This section provides some suggestions for future specifications.¶
First and foremost, RPL is a routing protocol. One should take great care to preserve architecture when mapping functionalities between RPL and ND. RPL is for routing only. That said, there may be persuading technical reasons to allow for sharing options between RPL and IPv6 ND in a particular implementation/deployment.¶
In general, the following guidelines apply:¶
This section summarizes basic interoperability and references normative text for RPL implementations operating in one of three major modes. Implementations are expected to support either no Downward routes, Non-Storing mode only, or Storing mode only. A fourth mode, operation as a leaf, is also possible.¶
Implementations conforming to this specification may contain different subsets of capabilities as appropriate to the application scenario. It is important for the implementer to support a level of interoperability consistent with that required by the application scenario. To this end, further guidance may be provided beyond this specification (e.g., as applicability statements), and it is understood that in some cases such further guidance may override portions of this specification.¶
In a general case, the greatest level of interoperability may be achieved when all of the nodes in a RPL LLN are cooperating to use the same MOP, OF, metrics, and constraints, and are thus able to act as RPL routers. When a node is not capable of being a RPL router, it may be possible to interoperate in a more limited manner as a RPL leaf.¶
All RPL implementations need to support the use of RPL Packet Information transported within data packets (Section 11.2). One such mechanism is described in [RFC6553].¶
RPL implementations will need to support the use of Neighbor Unreachability Detection (NUD), or an equivalent mechanism, to maintain the reachability of neighboring RPL nodes (Section 8.2.1). Alternate mechanisms may be optimized to the constrained capabilities of the implementation, such as hints from the link layer.¶
This specification provides means to obtain a PIO and thus form an IPv6 address. When that mechanism is used, it may be necessary to perform address resolution and duplicate address detection through an external process, such as IPv6 ND [RFC4861] or 6LoWPAN ND [6LOWPAN-ND].¶
If further guidance is not available then a RPL router implementation MUST at least support the metric-less OF0 [RFC6552].¶
For consistent operation a RPL router implementation needs to support the MOP in use by the DODAG.¶
All RPL routers will need to implement Trickle [RFC6206].¶
An implementation of a RPL router that supports only Upward routes supports the following:¶
An implementation of a RPL router that supports Upward routes and Downward routes in Non-Storing mode supports the following:¶
An implementation of a RPL router that supports Upward routes and Downward routes in Storing mode supports the following:¶
A Storing mode implementation may be enhanced with basic multicast support through the following additions:¶
A number of items are left to future specification, including but not limited to the following:¶
The following is a summary of RPL constants and variables:¶
The aim of this section is to give consideration to the manageability of RPL, and how RPL will be operated in an LLN. The scope of this section is to consider the following aspects of manageability: configuration, monitoring, fault management, accounting, and performance of the protocol in light of the recommendations set forth in [RFC5706].¶
Most of the existing IETF management standards are MIB modules (data models based on the Structure of Management Information (SMI)) to monitor and manage networking devices.¶
For a number of protocols, the IETF community has used the IETF Standard Management Framework, including the Simple Network Management Protocol [RFC3410], the Structure of Management Information [RFC2578], and MIB data models for managing new protocols.¶
As pointed out in [RFC5706], the common policy in terms of operation and management has been expanded to a policy that is more open to a set of tools and management protocols rather than strictly relying on a single protocol such as SNMP.¶
In 2003, the Internet Architecture Board (IAB) held a workshop on Network Management [RFC3535] that discussed the strengths and weaknesses of some IETF network management protocols and compared them to operational needs, especially configuration.¶
One issue discussed was the user-unfriendliness of the binary format of SNMP [RFC3410]. In the case of LLNs, it must be noted that at the time of writing, the CoRE working group is actively working on resource management of devices in LLNs. Still, it is felt that this section provides important guidance on how RPL should be deployed, operated, and managed.¶
A management information model should include a discussion of what is manageable, which aspects of the protocol need to be configured, what types of operations are allowed, what protocol- specific events might occur, which events can be counted, and for which events an operator should be notified.¶
These aspects are discussed in detail in the following sections.¶
RPL will be used on a variety of devices that may have resources such as memory varying from a few kilobytes to several hundreds of kilobytes and even megabytes. When memory is highly constrained, it may not be possible to satisfy all the requirements listed in this section. Still it is worth listing all of these in an exhaustive fashion, and implementers will then determine which of these requirements could be satisfied according to the available resources on the device.¶
This section discusses the configuration management, listing the protocol parameters for which configuration management is relevant.¶
Some of the RPL parameters are optional. The requirements for configuration are only applicable for the options that are used.¶
"Architectural Principles of the Internet" [RFC1958], Section 3.8, states: "Avoid options and parameters whenever possible. Any options and parameters should be configured or negotiated dynamically rather than manually". This is especially true in LLNs where the number of devices may be large and manual configuration is infeasible. This has been taken into account in the design of RPL whereby the DODAG root provides a number of parameters to the devices joining the DODAG, thus avoiding cumbersome configuration on the routers and potential sources of misconfiguration (e.g., values of Trickle timers, etc.). Still, there are additional RPL parameters that a RPL implementation should allow to be configured, which are discussed in this section.¶
When a node is first powered up:¶
A RPL implementation SHOULD allow configuring the preferred mode of operation listed above along with the required parameters (in the second mode: the number of DIS messages and related timer).¶
RPL specifies a number of protocol parameters considering the large spectrum of applications where it will be used. That said, particular attention has been given to limiting the number of these parameters that must be configured on each RPL router. Instead, a number of the default values can be used, and when required these parameters can be provided by the DODAG root thus allowing for dynamic parameter setting.¶
A RPL implementation SHOULD allow configuring the following routing protocol parameters. As pointed out above, note that a large set of parameters is configured on the DODAG root.¶
A RPL implementation MUST allow configuring the following RPL parameters:¶
A RPL implementation MUST allow configuring the Target prefix [DAO message, in RPL Target option].¶
Furthermore, there are circumstances where a node may want to designate a Target to allow for specific processing of the Target (prioritization, etc.). Such processing rules are out of scope for this specification. When used, a RPL implementation SHOULD allow configuring the Target Descriptor on a per-Target basis (for example, using access lists).¶
A node whose DODAG parent set is empty may become the DODAG root of a floating DODAG. It may also set its DAGPreference such that it is less preferred. Thus, a RPL implementation MUST allow configuring the set of actions that the node should initiate in this case:¶
In addition, several other parameters are configured only on the DODAG root and advertised in options carried in DIO messages.¶
As specified in Section 8.3, a RPL implementation makes use of Trickle timers to govern the sending of DIO messages. The operation of the Trickle algorithm is determined by a set of configurable parameters, which MUST be configurable and that are then advertised by the DODAG root along the DODAG in DIO messages.¶
In addition, a RPL implementation SHOULD allow for configuring the following set of RPL parameters:¶
DAG root behavior: in some cases, a node may not want to permanently act as a floating DODAG root if it cannot join a grounded DODAG. For example, a battery-operated node may not want to act as a floating DODAG root for a long period of time. Thus, a RPL implementation MAY support the ability to configure whether or not a node could act as a floating DODAG root for a configured period of time.¶
DAG Version Number Increment: a RPL implementation may allow, by configuration at the DODAG root, refreshing the DODAG states by updating the DODAGVersionNumber. A RPL implementation SHOULD allow configuring whether or not periodic or event triggered mechanisms are used by the DODAG root to control DODAGVersionNumber change (which triggers a global repair as specified in Section 3.2.2).¶
DAO messages are optional and used in DODAGs that require Downward routing operation. This section deals with the set of parameters related to DAO messages and provides recommendations on their configuration.¶
As stated in Section 9.5, it is recommended to delay the sending of DAO message to DAO parents in order to maximize the chances to perform route aggregation. Upon receiving a DAO message, the node should thus start a DelayDAO timer. The default value is DEFAULT_DAO_DELAY. A RPL implementation MAY allow for configuring the DelayDAO timer.¶
In a Storing mode of operation, a storing node may increment DTSN in order to reliably trigger a set of DAO updates from its immediate children, as part of routine routing table updates and maintenance. A RPL implementation MAY allow for configuring a set of rules specifying the triggers for DTSN increment (manual or event-based).¶
When a DAO entry times out or is invalidated, a node SHOULD make a reasonable attempt to report a No-Path to each of the DAO parents. That number of attempts MAY be configurable.¶
An implementation should support rate-limiting the sending of DAO messages. The related parameters MAY be configurable.¶
As described in Section 10, the security features described in this document are optional to implement and a given implementation may support a subset (including the empty set) of the described security features.¶
To this end, an implementation supporting described security features may conceptually implement a security policy database. In support of the security mechanisms, a RPL implementation SHOULD allow for configuring a subset of the following parameters:¶
In addition, a RPL implementation SHOULD allow for configuring a DODAG root with a subset of the following parameters:¶
This document specifies default values for the following set of RPL variables:¶
It is recommended to specify default values in protocols; that being said, as discussed in [RFC5706], default values may make less and less sense. RPL is a routing protocol that is expected to be used in a number of contexts where network characteristics such as the number of nodes and link and node types are expected to vary significantly. Thus, these default values are likely to change with the context and as the technology evolves. Indeed, LLNs' related technology (e.g., hardware, link layers) have been evolving dramatically over the past few years and such technologies are expected to change and evolve considerably in the coming years.¶
The proposed values are not based on extensive best current practices and are considered to be conservative.¶
Several RPL parameters should be monitored to verify the correct operation of the routing protocol and the network itself. This section lists the set of monitoring parameters of interest.¶
A RPL implementation SHOULD provide information about the following parameters:¶
Trickle parameters:¶
Values that may be monitored only on the DODAG root:¶
Detection of DODAG inconsistencies is particularly critical in RPL networks. Thus, it is recommended for a RPL implementation to provide appropriate monitoring tools. A RPL implementation SHOULD provide a counter reporting the number of a times the node has detected an inconsistency with respect to a DODAG parent, e.g., if the DODAGID has changed.¶
When possible more granular information about inconsistency detection should be provided. A RPL implementation MAY provide counters reporting the number of following inconsistencies:¶
A node in the candidate neighbor list is a node discovered by the same means and qualified to potentially become a parent (with high enough local confidence). A RPL implementation SHOULD provide a way to allow for the candidate neighbor list to be monitored with some metric reflecting local confidence (the degree of stability of the neighbors) as measured by some metrics.¶
A RPL implementation MAY provide a counter reporting the number of times a candidate neighbor has been ignored, should the number of candidate neighbors exceed the maximum authorized value.¶
For each DODAG, a RPL implementation is expected to keep track of the following DODAG table values:¶
A RPL implementation SHOULD allow for monitoring the set of parameters listed above.¶
A RPL implementation maintains several information elements related to the DODAG and the DAO entries (for storing nodes). In the case of a non-storing node, a limited amount of information is maintained (the routing table is mostly reduced to a set of DODAG parents along with characteristics of the DODAG as mentioned above); whereas in the case of storing nodes, this information is augmented with routing entries.¶
A RPL implementation SHOULD allow for the following parameters to be monitored:¶
A DAO Routing Table entry conceptually contains the following elements (for storing nodes only):¶
Logical equivalent of DAO Content:¶
A RPL implementation SHOULD provide information about the state of each DAO Routing Table entry states.¶
Fault management is a critical component used for troubleshooting, verification of the correct mode of operation of the protocol, and network design; also, it is a key component of network performance monitoring. A RPL implementation SHOULD allow the provision of the following information related to fault managements:¶
It is RECOMMENDED to report faults via at least error log messages. Other protocols may be used to report such faults.¶
Policy rules can be used by a RPL implementation to determine whether or not the node is allowed to join a particular DODAG advertised by a neighbor by means of DIO messages.¶
This document specifies operation within a single DODAG. A DODAG is characterized by the following tuple (RPLInstanceID, DODAGID). Furthermore, as pointed out above, DIO messages are used to advertise other DODAG characteristics such as the routing metrics and constraints used to build to the DODAG and the Objective Function in use (specified by OCP).¶
The first policy rules consist of specifying the following conditions that a RPL node must satisfy to join a DODAG:¶
A RPL implementation MUST allow configuring these parameters and SHOULD specify whether the node must simply ignore the DIO if the advertised DODAG is not compliant with the local policy or whether the node should join as the leaf node if only the list of supported routing metrics and constraints, and the OF is not supported. Additionally, a RPL implementation SHOULD allow for the addition of the DODAGID as part of the policy.¶
A RPL implementation SHOULD allow configuring the set of acceptable or preferred Objective Functions (OFs) referenced by their Objective Code Points (OCPs) for a node to join a DODAG, and what action should be taken if none of a node's candidate neighbors advertise one of the configured allowable Objective Functions, or if the advertised metrics/constraint is not understood/supported. Two actions can be taken in this case:¶
A node in an LLN may learn routing information from different routing protocols including RPL. In this case, it is desirable to control, via administrative preference, which route should be favored. An implementation SHOULD allow for the specification of an administrative preference for the routing protocol from which the route was learned.¶
Internal Data Structures: some RPL implementations may limit the size of the candidate neighbor list in order to bound the memory usage; in which case, some otherwise viable candidate neighbors may not be considered and simply dropped from the candidate neighbor list.¶
A RPL implementation MAY provide an indicator on the size of the candidate neighbor list.¶
It is RECOMMENDED to quarantine neighbors that start emitting malformed messages at unacceptable rates.¶
RPL has very limited impact on other protocols. Where more than one routing protocol is required on a router, such as an LBR, it is expected for the device to support routing redistribution functions between the routing protocols to allow for reachability between the two routing domains. Such redistribution SHOULD be governed by the use of user configurable policy.¶
With regard to the impact in terms of traffic on the network, RPL has been designed to limit the control traffic thanks to mechanisms such as Trickle timers (Section 8.3). Thus, the impact of RPL on other protocols should be extremely limited.¶
Performance management is always an important aspect of a protocol, and RPL is not an exception. Several metrics of interest have been specified by the IP Performance Monitoring (IPPM) working group: that being said, they will be hardly applicable to LLN considering the cost of monitoring these metrics in terms of resources on the devices and required bandwidth. Still, RPL implementations MAY support some of these, and other parameters of interest are listed below:¶
There may be situations where a node should be placed in "verbose" mode to improve diagnostics. Thus, a RPL implementation SHOULD provide the ability to place a node in and out of verbose mode in order to get additional diagnostic information.¶
From a security perspective, RPL networks are no different from any other network. They are vulnerable to passive eavesdropping attacks and, potentially, even active tampering when physical access to a wire is not required to participate in communications. The very nature of ad hoc networks and their cost objectives impose additional security constraints, which perhaps make these networks the most difficult environments to secure. Devices are low-cost and have limited capabilities in terms of computing power, available storage, and power drain; it cannot always be assumed they have a trusted computing base or a high-quality random number generator aboard.¶
Communications cannot rely on the online availability of a fixed infrastructure and might involve short-term relationships between devices that may never have communicated before. These constraints might severely limit the choice of cryptographic algorithms and protocols and influence the design of the security architecture because the establishment and maintenance of trust relationships between devices need to be addressed with care. In addition, battery lifetime and cost constraints put severe limits on the security overhead these networks can tolerate, something that is of far less concern with higher bandwidth networks. Most of these security architectural elements can be implemented at higher layers and may, therefore, be considered to be out of scope for this specification. Special care, however, needs to be exercised with respect to interfaces to these higher layers.¶
The security mechanisms in this standard are based on symmetric-key and public-key cryptography and use keys that are to be provided by higher-layer processes. The establishment and maintenance of these keys are out of scope for this specification. The mechanisms assume a secure implementation of cryptographic operations and secure and authentic storage of keying material.¶
The security mechanisms specified provide particular combinations of the following security services:¶
The actual protection provided can be adapted on a per-packet basis and allows for varying levels of data authenticity (to minimize security overhead in transmitted packets where required) and for optional data confidentiality. When nontrivial protection is required, replay protection is always provided.¶
Replay protection is provided via the use of a non-repeating value (CCM nonce) in the packet protection process and storage of some status information (originating device and the CCM nonce counter last received from that device), which allows detection of whether this particular CCM nonce value was used previously by the originating device. In addition, so-called delay protection is provided amongst those devices that have a loosely synchronized clock on board. The acceptable time delay can be adapted on a per-packet basis and allows for varying latencies (to facilitate longer latencies in packets transmitted over a multi-hop communication path).¶
Cryptographic protection may use a key shared between two peer devices (link key) or a key shared among a group of devices (group key), thus allowing some flexibility and application-specific trade- offs between key storage and key maintenance costs versus the cryptographic protection provided. If a group key is used for peer- to-peer communication, protection is provided only against outsider devices and not against potential malicious devices in the key- sharing group.¶
Data authenticity may be provided using symmetric-key-based or public-key-based techniques. With public-key-based techniques (via signatures), one corroborates evidence as to the unique originator of transmitted information, whereas with symmetric-key-based techniques, data authenticity is only provided relative to devices in a key- sharing group. Thus, public-key-based authentication may be useful in scenarios that require a more fine-grained authentication than can be provided with symmetric-key-based authentication techniques alone, such as with group communications (broadcast, multicast) or in scenarios that require non-repudiation.¶
The RPL control message is an ICMP information message type that is to be used carry DODAG Information Objects, DODAG Information Solicitations, and Destination Advertisement Objects in support of RPL operation.¶
IANA has defined an ICMPv6 Type Number Registry. The type value for the RPL control message is 155.¶
IANA has created a registry, RPL Control Codes, for the Code field of the ICMPv6 RPL control message.¶
New codes may be allocated only by an IETF Review. Each code is tracked with the following qualities:¶
The following codes are currently defined:¶
Code | Description | Reference |
---|---|---|
0x00 | DODAG Information Solicitation | RFC 6550 |
0x01 | DODAG Information Object | RFC 6550 |
0x02 | Destination Advertisement Object | RFC 6550 |
0x03 | Destination Advertisement Object Acknowledgment | RFC 6550 |
0x80 | Secure DODAG Information Solicitation | RFC 6550 |
0x81 | Secure DODAG Information Object | RFC 6550 |
0x82 | Secure Destination Advertisement Object | RFC 6550 |
0x83 | Secure Destination Advertisement Object Acknowledgment | RFC 6550 |
0x8A | Consistency Check | RFC 6550 |
IANA has created a registry for the 3-bit Mode of Operation (MOP), which is contained in the DIO Base.¶
New values may be allocated only by an IETF Review. Each value is tracked with the following qualities:¶
Four values are currently defined:¶
MOP value | Description | Reference |
---|---|---|
0 | No Downward routes maintained by RPL | RFC 6550 |
1 | Non-Storing Mode of Operation | RFC 6550 |
2 | Storing Mode of Operation with no multicast support | RFC 6550 |
3 | Storing Mode of Operation with multicast support | RFC 6550 |
The rest of the range, decimal 4 to 7, is currently unassigned.¶
IANA has created a registry for the RPL Control Message Options.¶
New values may be allocated only by an IETF Review. Each value is tracked with the following qualities:¶
Value | Meaning | Reference |
---|---|---|
0x00 | Pad1 | RFC 6550 |
0x01 | PadN | RFC 6550 |
0x02 | DAG Metric Container | RFC 6550 |
0x03 | Routing Information | RFC 6550 |
0x04 | DODAG Configuration | RFC 6550 |
0x05 | RPL Target | RFC 6550 |
0x06 | Transit Information | RFC 6550 |
0x07 | Solicited Information | RFC 6550 |
0x08 | Prefix Information | RFC 6550 |
0x09 | Target Descriptor | RFC 6550 |
IANA has created a registry to manage the codespace of the Objective Code Point (OCP) field.¶
No OCPs are defined in this specification.¶
New codes may be allocated only by an IETF Review. Each code is tracked with the following qualities:¶
IANA has created a registry for the values of the 8-bit Algorithm field in the Security section.¶
New values may be allocated only by an IETF Review. Each value is tracked with the following qualities:¶
The following value is currently defined:¶
Value | Encryption/MAC | Signature | Reference |
---|---|---|---|
0 | CCM with AES-128 | RSA with SHA-256 | RFC 6550 |
IANA has created a registry for the 8-bit Security Section Flags field.¶
New bit numbers may be allocated only by an IETF Review. Each bit is tracked with the following qualities:¶
No bit is currently defined for the Security Section Flags field.¶
IANA has created one registry for the 3-bit Security Level (LVL) field per allocated KIM value.¶
For a given KIM value, new levels may be allocated only by an IETF Review. Each level is tracked with the following qualities:¶
The following levels per KIM value are currently defined:¶
Level | KIM value | Description | Reference |
---|---|---|---|
0 | 0 | See Figure 11 | RFC 6550 |
1 | 0 | See Figure 11 | RFC 6550 |
2 | 0 | See Figure 11 | RFC 6550 |
3 | 0 | See Figure 11 | RFC 6550 |
0 | 1 | See Figure 11 | RFC 6550 |
1 | 1 | See Figure 11 | RFC 6550 |
2 | 1 | See Figure 11 | RFC 6550 |
3 | 1 | See Figure 11 | RFC 6550 |
0 | 2 | See Figure 11 | RFC 6550 |
1 | 2 | See Figure 11 | RFC 6550 |
2 | 2 | See Figure 11 | RFC 6550 |
3 | 2 | See Figure 11 | RFC 6550 |
0 | 3 | See Figure 11 | RFC 6550 |
1 | 3 | See Figure 11 | RFC 6550 |
2 | 3 | See Figure 11 | RFC 6550 |
3 | 3 | See Figure 11 | RFC 6550 |
IANA has created a registry for the DIS (DODAG Informational Solicitation) Flags field.¶
New bit numbers may be allocated only by an IETF Review. Each bit is tracked with the following qualities:¶
No bit is currently defined for the DIS (DODAG Informational Solicitation) Flags field.¶
IANA has created a registry for the 8-bit DODAG Information Object (DIO) Flags field.¶
New bit numbers may be allocated only by an IETF Review. Each bit is tracked with the following qualities:¶
No bit is currently defined for the DIS (DODAG Informational Solicitation) Flags.¶
IANA has created a registry for the 8-bit Destination Advertisement Object (DAO) Flags field.¶
New bit numbers may be allocated only by an IETF Review. Each bit is tracked with the following qualities:¶
The following bits are currently defined:¶
Bit number | Description | Reference |
---|---|---|
0 | DAO-ACK request (K) | RFC 6550 |
1 | DODAGID field is present (D) | RFC 6550 |
IANA has created a registry for the 8-bit Destination Advertisement Object (DAO) Acknowledgement Flags field.¶
New bit numbers may be allocated only by an IETF Review. Each bit is tracked with the following qualities:¶
The following bit is currently defined:¶
Bit number | Description | Reference |
---|---|---|
0 | DODAGID field is present (D) | RFC 6550 |
IANA has created a registry for the 8-bit Consistency Check (CC) Flags field.¶
New bit numbers may be allocated only by an IETF Review. Each bit is tracked with the following qualities:¶
The following bit is currently defined:¶
Bit number | Description | Reference |
---|---|---|
0 | CC Response (R) | RFC 6550 |
IANA has created a registry for the 8-bit DODAG Configuration Option Flags field.¶
New bit numbers may be allocated only by an IETF Review. Each bit is tracked with the following qualities:¶
The following bits are currently defined:¶
Bit number | Description | Reference |
---|---|---|
4 | Authentication Enabled (A) | RFC 6550 |
5-7 | Path Control Size (PCS) | RFC 6550 |
IANA has created a registry for the 8-bit RPL Target Option Flags field.¶
New bit numbers may be allocated only by an IETF Review. Each bit is tracked with the following qualities:¶
No bit is currently defined for the RPL Target Option Flags.¶
IANA has created a registry for the 8-bit Transit Information Option (TIO) Flags field.¶
New bit numbers may be allocated only by an IETF Review. Each bit is tracked with the following qualities:¶
The following bits are currently defined:¶
Bit number | Description | Reference |
---|---|---|
0 | External (E) | RFC 6550 |
IANA has created a registry for the 8-bit Solicited Information Option (SIO) Flags field.¶
New bit numbers may be allocated only by an IETF Review. Each bit is tracked with the following qualities:¶
The following bits are currently defined:¶
Bit number | Description | Reference |
---|---|---|
0 | Version Predicate match (V) | RFC 6550 |
1 | InstanceID Predicate match (I) | RFC 6550 |
2 | DODAGID Predicate match (D) | RFC 6550 |
In some cases RPL will return an ICMPv6 error message when a message cannot be delivered as specified by its source routing header. This ICMPv6 error message is "Error in Source Routing Header".¶
IANA has defined an ICMPv6 "Code" Fields Registry for ICMPv6 Message Types. ICMPv6 Message Type 1 describes "Destination Unreachable" codes. The "Error in Source Routing Header" code is has been allocated from the ICMPv6 Code Fields Registry for ICMPv6 Message Type 1, with a code value of 7.¶
The rules for assigning new IPv6 multicast addresses are defined in [RFC3307]. This specification requires the allocation of a new permanent multicast address with a link-local scope for RPL nodes called all-RPL-nodes, with a value of ff02::1a.¶
The authors would like to acknowledge the review, feedback, and comments from Emmanuel Baccelli, Dominique Barthel, Yusuf Bashir, Yoav Ben-Yehezkel, Phoebus Chen, Quynh Dang, Mischa Dohler, Mathilde Durvy, Joakim Eriksson, Omprakash Gnawali, Manhar Goindi, Mukul Goyal, Ulrich Herberg, Anders Jagd, JeongGil (John) Ko, Ajay Kumar, Quentin Lampin, Jerry Martocci, Matteo Paris, Alexandru Petrescu, Joseph Reddy, Michael Richardson, Don Sturek, Joydeep Tripathi, and Nicolas Tsiftes.¶
The authors would like to acknowledge the guidance and input provided by the ROLL Chairs, David Culler and JP. Vasseur, and the Area Director, Adrian Farrel.¶
The authors would like to acknowledge prior contributions of Robert Assimiti, Mischa Dohler, Julien Abeille, Ryuji Wakikawa, Teco Boot, Patrick Wetterwald, Bryan Mclaughlin, Carlos J. Bernardos, Thomas Watteyne, Zach Shelby, Caroline Bontoux, Marco Molteni, Billy Moon, Jim Bound, Yanick Pouffary, Henning Rogge, and Arsalan Tavakoli, who have provided useful design considerations to RPL.¶
RPL Security Design, found in Section 10, Section 19, and elsewhere throughout the document, is primarily the contribution of the Security Design Team: Tzeta Tsao, Roger Alexander, Dave Ward, Philip Levis, Kris Pister, Rene Struik, and Adrian Farrel.¶
Thanks also to Jari Arkko and Ralph Droms for their attentive reviews, especially with respect to interoperability considerations and integration with other IETF specifications.¶
Roger K. Alexander Cooper Power Systems 20201 Century Blvd., Suite 250 Germantown, MD 20874 USA Phone: +1 240 454 9817 EMail: roger.alexander@cooperindustries.com¶
Anders Brandt Sigma Designs Emdrupvej 26A, 1. Copenhagen DK-2100 Denmark EMail: abr@sdesigns.dk¶
Stephen Dawson-Haggerty UC Berkeley Soda Hall Berkeley, CA 94720 USA EMail: stevedh@cs.berkeley.edu¶
Jonathan W. Hui Arch Rock Corporation 501 2nd St., Suite 410 San Francisco, CA 94107 USA EMail: jhui@archrock.com¶
Richard Kelsey Ember Corporation Boston, MA USA Phone: +1 617 951 1225 EMail: kelsey@ember.com¶
Philip Levis Stanford University 358 Gates Hall, Stanford University Stanford, CA 94305-9030 USA EMail: pal@cs.stanford.edu¶
Kris Pister Dust Networks 30695 Huntwood Ave. Hayward, CA 94544 USA EMail: kpister@dustnetworks.com¶
Rene Struik Struik Security Consultancy EMail: rstruik.ext@gmail.com¶
JP. Vasseur Cisco Systems 11, Rue Camille Desmoulins Issy Les Moulineaux 92782 France EMail: jpv@cisco.com¶
This appendix provides some examples to illustrate the dissemination of addressing information and prefixes with RPL. The examples depict information being distributed with PIOs and RIOs and the use of DIO and DAO messages. Note that this appendix is not normative, and that the specific details of a RPL addressing plan and autoconfiguration may vary according to specific implementations. RPL merely provides a vehicle for disseminating information that may be built upon and used by other mechanisms.¶
Note that these examples illustrate use of address autoconfiguration schemes supported by information distributed within RPL. However, if an implementation includes another address autoconfiguration scheme, RPL nodes might be configured not to set the 'A' flag in PIO options, though the PIO can still be used to distribute prefix and addressing information.¶
Figure 32 illustrates the logical addressing architecture of a simple RPL network operating in Storing mode. In this example, each Node, A, B, C, and D, owns its own prefix and makes that prefix available for address autoconfiguration by on-link devices. (This is conveyed by setting the 'A' flag and the 'L' flag in the PIO of the DIO messages). Node A owns the prefix A::/64, Node B owns B::/64, and so on. Node B autoconfigures an on-link address with respect to Node A, A::B. Nodes C and D similarly autoconfigure on-link addresses from Node B's prefix, B::C and B::D, respectively. Nodes have the option of setting the 'R' flag and publishing their address within the Prefix field of the PIO.¶
Figure 33 illustrates the logical addressing architecture of a simple RPL network operating in Storing mode. In this example, the root Node A sources a prefix that is used for address autoconfiguration over the entire RPL subnet. (This is conveyed by setting the 'A' flag and clearing the 'L' flag in the PIO of the DIO messages.) Nodes A, B, C, and D all autoconfigure to the prefix A::/64. Nodes have the option of setting the 'R' flag and publishing their address within the Prefix field of the PIO.¶
Figure 34 illustrates the logical addressing architecture of a simple RPL network operating in Non-Storing mode. In this example, each Node, A, B, C, and D, owns its own prefix, and makes that prefix available for address autoconfiguration by on-link devices. (This is conveyed by setting the 'A' flag and the 'L' flag in the PIO of the DIO messages.) Node A owns the prefix A::/64, Node B owns B::/64, and so on. Node B autoconfigures an on-link address with respect to Node A, A::B. Nodes C and D similarly autoconfigure on-link addresses from Node B's prefix, B::C and B::D, respectively. Nodes have the option of setting the 'R' flag and publishing their address within the Prefix field of the PIO.¶
The PIO contained in the DIO messages in the Non-Storing mode with node-owned prefixes can be considered to be identical to those in the Storing mode with node-owned prefixes case (Appendix A.1.1).¶
Figure 35 illustrates the logical addressing architecture of a simple RPL network operating in Non-Storing mode. In this example, the root Node A sources a prefix that is used for address autoconfiguration over the entire RPL subnet. (This is conveyed by setting the 'A' flag and clearing the 'L' flag in the PIO of the DIO messages.) Nodes A, B, C, and D all autoconfigure to the prefix A::/64. Nodes must set the 'R' flag and publish their address within the Prefix field of the PIO, in order to inform their children which address to use in the transit option.¶
Consider the simple network illustrated in Figure 36. In this example, there are a group of routers participating in a RPL network: a DODAG root, Nodes A, Y, and Z. The DODAG root and Node Z also have connectivity to different external network domains (i.e., external to the RPL network). Note that those external networks could be RPL networks or another type of network altogether.¶
In this example, the DODAG root makes a prefix available to the RPL subnet for address autoconfiguration. Here, the entire RPL subnet uses that same prefix, RPL::/64, for address autoconfiguration, though in other implementations more complex/hybrid schemes could be employed.¶
The DODAG root has connectivity to an external (with respect to that RPL network) prefix EXT_1::/64. The DODAG root may have learned of connectivity to this prefix, for example, via explicit configuration or IPv6 ND on a non-RPL interface. The DODAG root is configured to announce information on the connectivity to this prefix.¶
Similarly, Node Z has connectivity to an external prefix EXT_2::/64. Node Z also has a sub-DODAG underneath of it.¶