Deep En-Route Filtering of Constrained Application Protocol (CoAP) Messages on 6LoWPAN Border Routers

Title: Deep En-Route Filtering of Constrained Application Protocol (CoAP) Messages on 6LoWPAN Border Routers
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Seidel, Felix, Krentz, Konrad-Felix, Meinel, Christoph
Conference Name: 2019 IEEE 5th World Forum on Internet of Things (WF-IoT)
Keywords: 6LoWPAN, 6LoWPAN border routers, CoAP messages, CoAP server, composability, constrained application protocol messages, Data security, deep en-route filtering, Denial-of-Sleep Attack, Internet of Things, IoT device, lightweight protocols, low-power sleep modes, Protocols, pubcrawl, Resiliency, Servers, telecommunication network routing, victim devices, wide area networks
Abstract: Devices on the Internet of Things (IoT) are usually battery-powered and have limited resources. Hence, energy-efficient and lightweight protocols were designed for IoT devices, such as the popular Constrained Application Protocol (CoAP). Yet, CoAP itself does not include any defenses against denial-of-sleep attacks, which are attacks that aim at depriving victim devices of entering low-power sleep modes. For example, a denial-of-sleep attack against an IoT device that runs a CoAP server is to send plenty of CoAP messages to it, thereby forcing the IoT device to expend energy for receiving and processing these CoAP messages. All current security solutions for CoAP, namely Datagram Transport Layer Security (DTLS), IPsec, and OSCORE, fail to prevent such attacks. To fill this gap, Seitz et al. proposed a method for filtering out inauthentic and replayed CoAP messages "en-route" on 6LoWPAN border routers. In this paper, we expand on Seitz et al.'s proposal in two ways. First, we revise Seitz et al.'s software architecture so that 6LoWPAN border routers can not only check the authenticity and freshness of CoAP messages, but can also perform a wide range of further checks. Second, we propose a couple of such further checks, which, as compared to Seitz et al.'s original checks, more reliably protect IoT devices that run CoAP servers from remote denial-of-sleep attacks, as well as from remote exploits. We prototyped our solution and successfully tested its compatibility with Contiki-NG's CoAP implementation.
Citation Key: seidel_deep_2019