Deep En-Route Filtering of Constrained Application Protocol (CoAP) Messages on 6LoWPAN Border Routers

Devices on the Internet of Things (IoT) are usually battery-powered and have limited resources. Hence, energy-efficient and lightweight protocols such as the popular Constrained Application Protocol (CoAP) were designed for IoT devices. Yet, CoAP itself includes no defenses against denial-of-sleep attacks, i.e., attacks that aim to keep victim devices from entering low-power sleep modes. For example, a denial-of-sleep attack against an IoT device that runs a CoAP server is to flood it with CoAP messages, thereby forcing the IoT device to expend energy on receiving and processing them. All current security solutions for CoAP, namely Datagram Transport Layer Security (DTLS), IPsec, and OSCORE, fail to prevent such attacks because the victim must still receive and at least partially process each message before it can be rejected. To fill this gap, Seitz et al. proposed filtering out inauthentic and replayed CoAP messages "en-route" on 6LoWPAN border routers, i.e., before they reach the constrained device. In this paper, we expand on Seitz et al.’s proposal in two ways. First, we revise Seitz et al.’s software architecture so that 6LoWPAN border routers can not only check the authenticity and freshness of CoAP messages, but can also perform a wide range of further checks. Second, we propose several such further checks, which, compared to Seitz et al.’s original checks, more reliably protect IoT devices that run CoAP servers from remote denial-of-sleep attacks, as well as from remote exploits. We prototyped our solution and successfully tested its compatibility with Contiki-NG’s CoAP implementation.
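The following is an added illustration of the filtering architecture the abstract describes, written for this page; it is not the paper's prototype, nor Seitz et al.'s mechanism. It assumes a border router that parses the CoAP fixed header (RFC 7252, section 3), then runs an ordered chain of pluggable checks, each of which can veto forwarding into the 6LoWPAN. The checks shown (version, size limit, request-code allow-list, and a per-source sliding replay window over the Message ID) are hypothetical examples of "further checks"; the authenticity check, which in Seitz et al.'s design depends on the end-to-end security scheme, is deliberately left out. The sample datagrams are constructed inline.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// CoAPHeader holds the 4-byte fixed header plus the token (RFC 7252, section 3).
type CoAPHeader struct {
	Version   uint8
	Type      uint8 // 0 CON, 1 NON, 2 ACK, 3 RST
	Code      uint8 // class (3 bits) and detail (5 bits), e.g. 0x01 = GET
	MessageID uint16
	Token     []byte
}

// ParseCoAPHeader validates the fixed header and token before any policy runs, so
// that malformed datagrams are dropped at the border router instead of at the server.
func ParseCoAPHeader(msg []byte) (CoAPHeader, error) {
	if len(msg) < 4 {
		return CoAPHeader{}, errors.New("shorter than the 4-byte fixed header")
	}
	tkl := int(msg[0] & 0x0F)
	if tkl > 8 { // RFC 7252: lengths 9..15 are reserved and a format error
		return CoAPHeader{}, errors.New("reserved token length")
	}
	if len(msg) < 4+tkl {
		return CoAPHeader{}, errors.New("truncated token")
	}
	return CoAPHeader{
		Version:   msg[0] >> 6,
		Type:      (msg[0] >> 4) & 0x03,
		Code:      msg[1],
		MessageID: binary.BigEndian.Uint16(msg[2:4]),
		Token:     msg[4 : 4+tkl],
	}, nil
}

// Check is one en-route filter stage; a non-nil error means "drop, for this reason".
type Check func(src string, h CoAPHeader, raw []byte) error

// Filter is the ordered chain of checks a border router runs per inbound datagram.
type Filter struct{ checks []Check }

func (f *Filter) Add(c Check) *Filter { f.checks = append(f.checks, c); return f }

// Inspect returns nil if the datagram may be forwarded into the 6LoWPAN.
func (f *Filter) Inspect(src string, raw []byte) error {
	h, err := ParseCoAPHeader(raw)
	if err != nil {
		return fmt.Errorf("malformed: %w", err)
	}
	for _, c := range f.checks {
		if err := c(src, h, raw); err != nil {
			return err
		}
	}
	return nil
}

// VersionIs1 drops anything that is not CoAP version 1.
func VersionIs1(_ string, h CoAPHeader, _ []byte) error {
	if h.Version != 1 {
		return fmt.Errorf("unsupported CoAP version %d", h.Version)
	}
	return nil
}

// MaxSize drops datagrams larger than the constrained server is expected to handle.
func MaxSize(limit int) Check {
	return func(_ string, _ CoAPHeader, raw []byte) error {
		if len(raw) > limit {
			return fmt.Errorf("%d bytes exceeds limit of %d", len(raw), limit)
		}
		return nil
	}
}

// AllowedRequests lets only the listed request codes reach the server. Responses
// (class 2..5) and the empty message (0.00) are not requests and pass this check.
func AllowedRequests(allowed ...uint8) Check {
	set := map[uint8]bool{}
	for _, c := range allowed {
		set[c] = true
	}
	return func(_ string, h CoAPHeader, _ []byte) error {
		if h.Code>>5 == 0 && h.Code != 0 && !set[h.Code] {
			return fmt.Errorf("request code %d.%02d not permitted", h.Code>>5, h.Code&0x1F)
		}
		return nil
	}
}

const replayWindow = 32 // Message IDs tracked below the highest one seen

// replayState is a wrap-aware sliding window over the 16-bit Message ID (hypothetical
// freshness check; bit i of bitmap set means ID last-i has already been seen).
type replayState struct {
	last   uint16
	bitmap uint32
	init   bool
}

func (s *replayState) accept(id uint16) bool {
	if !s.init {
		s.init, s.last, s.bitmap = true, id, 1
		return true
	}
	diff := int16(id - s.last) // signed distance, correct across 65535 -> 0 wrap
	switch {
	case diff > 0: // newer than anything seen: slide the window forward
		if diff >= replayWindow {
			s.bitmap = 1
		} else {
			s.bitmap = s.bitmap<<uint(diff) | 1
		}
		s.last = id
		return true
	case diff <= -replayWindow: // too old to track: treat as replayed
		return false
	default:
		bit := uint32(1) << uint(-diff)
		if s.bitmap&bit != 0 {
			return false
		}
		s.bitmap |= bit
		return true
	}
}

// ReplayFilter keeps one window per source address and drops already-seen Message IDs.
func ReplayFilter() Check {
	states := map[string]*replayState{}
	return func(src string, h CoAPHeader, _ []byte) error {
		s, ok := states[src]
		if !ok {
			s = &replayState{}
			states[src] = s
		}
		if !s.accept(h.MessageID) {
			return fmt.Errorf("message ID %d from %s already seen", h.MessageID, src)
		}
		return nil
	}
}

func main() {
	f := (&Filter{}).Add(VersionIs1).Add(MaxSize(128)).Add(AllowedRequests(0x01, 0x03)).Add(ReplayFilter())
	get := []byte{0x42, 0x01, 0x12, 0x34, 0xAB, 0xCD} // constructed: CON GET, TKL 2, MID 0x1234
	for _, m := range [][]byte{get, get, {0x42, 0x02, 0x12, 0x35, 0, 0}, {0x82, 0x01, 0, 1}} {
		if err := f.Inspect("2001:db8::1", m); err != nil {
			fmt.Println("drop:", err)
		} else {
			fmt.Println("forward")
		}
	}
}
```

Note the caveat a deployment has to resolve: CoAP clients legitimately retransmit confirmable messages with the same Message ID, so a strict duplicate filter like the one above also suppresses those retransmissions; it is shown here only to make the "replayed message" case concrete, and the paper's own freshness check is not reproduced.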

[1] Jeffrey H. Meyerson et al. The Go Programming Language, 2014, IEEE Software.

[2] M. Brownfield et al. Wireless sensor network denial of sleep attack, 2005, Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop.

[3] Sheila Frankel et al. IP Security (IPsec) and Internet Key Exchange (IKE) Document Roadmap, 2011, RFC.

[4] Brian W. Kernighan et al. The Go Programming Language, 2015.

[5] Eric Rescorla et al. Datagram Transport Layer Security, 2006, RFC.

[6] Christoph Meinel et al. Enabling En-Route Filtering for End-to-End Encrypted CoAP Messages, 2017, SenSys.

[7] Gennaro Boggia et al. Standardized Protocol Stack for the Internet of (Important) Things, 2013, IEEE Communications Surveys & Tutorials.

[8] Shivakant Mishra et al. Defending against path-based DoS attacks in wireless sensor networks, 2005, SASN '05.

[9] Martin H. Weik. Computer Science and Communications Dictionary, 2000.

[10] Shiuh-Pyng Shieh et al. Emerging Security Threats and Countermeasures in IoT, 2015, AsiaCCS.

[11] Syed Obaid Amin et al. A novel Intrusion Detection Framework for IP-based sensor networks, 2009, 2009 International Conference on Information Networking.

[12] Carsten Bormann et al. The Constrained Application Protocol (CoAP), 2014, RFC.

[13] Zach Shelby et al. Constrained RESTful Environments (CoRE) Link Format, 2012, RFC.

[14] Ludwig Seitz et al. Object Security for Constrained RESTful Environments (OSCORE), 2019, RFC.

[15] Siarhei Kuryla et al. RPL: IPv6 Routing Protocol for Low power and Lossy Networks, 2010.

[16] David E. Culler et al. Transmission of IPv6 Packets over IEEE 802.15.4 Networks, 2007, RFC.

[17] Carsten Bormann et al. Block-Wise Transfers in the Constrained Application Protocol (CoAP), 2016, RFC.

[18] Pascal Thubert et al. Compression Format for IPv6 Datagrams over IEEE 802.15.4-Based Networks, 2011, RFC.