draft-ietf-roll-indus-routing-reqs-06.txt   rfc5673.txt 
Networking Working Group K. Pister, Ed. Network Working Group K. Pister, Ed.
Internet-Draft Dust Networks Request for Comments: 5673 Dust Networks
Intended status: Informational P. Thubert, Ed. Category: Informational P. Thubert, Ed.
Expires: December 7, 2009 Cisco Systems Cisco Systems
S. Dwars S. Dwars
Shell Shell
T. Phinney T. Phinney
June 5, 2009 Consultant
October 2009
Industrial Routing Requirements in Low Power and Lossy Networks
draft-ietf-roll-indus-routing-reqs-06
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Industrial Routing Requirements in Low-Power and Lossy Networks
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Abstract
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The wide deployment of lower-cost wireless devices will significantly
http://www.ietf.org/ietf/1id-abstracts.txt. improve the productivity and safety of industrial plants while
increasing the efficiency of plant workers by extending the
information set available about the plant operations. The aim of
this document is to analyze the functional requirements for a routing
protocol used in industrial Low-power and Lossy Networks (LLNs) of
field devices.
The list of Internet-Draft Shadow Directories can be accessed at Status of This Memo
http://www.ietf.org/shadow.html.
This Internet-Draft will expire on December 7, 2009. This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of Provisions Relating to IETF Documents
publication of this document (http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info) in effect on the date of
Please review these documents carefully, as they describe your rights publication of this document. Please review these documents
and restrictions with respect to this document. carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
Abstract include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
The wide deployment of lower cost wireless devices will significantly described in the BSD License.
improve the productivity and safety of the plants while increasing
the efficiency of the plant workers by extending the information set
available about the plant operations. The aim of this document is to
analyze the functional requirements for a routing protocol used in
industrial Low power and Lossy Networks (LLN) of field devices.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", RFC 5673 Industrial Routing Reqs in LLNs October 2009
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 1.1. Requirements Language . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4 3. Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
3.1. Applications and Traffic Patterns . . . . . . . . . . . . 5 3.1. Applications and Traffic Patterns . . . . . . . . . . . . 5
3.2. Network Topology of Industrial Applications . . . . . . . 8 3.2. Network Topology of Industrial Applications . . . . . . . 9
3.2.1. The Physical Topology . . . . . . . . . . . . . . . . 10 3.2.1. The Physical Topology . . . . . . . . . . . . . . . . 10
3.2.2. Logical Topologies . . . . . . . . . . . . . . . . . . 12 3.2.2. Logical Topologies . . . . . . . . . . . . . . . . . . 12
4. Requirements related to Traffic Characteristics . . . . . . . 13 4. Requirements Related to Traffic Characteristics . . . . . . . 13
4.1. Service Requirements . . . . . . . . . . . . . . . . . . . 14 4.1. Service Requirements . . . . . . . . . . . . . . . . . . . 14
4.2. Configurable Application Requirement . . . . . . . . . . . 15 4.2. Configurable Application Requirement . . . . . . . . . . . 15
4.3. Different Routes for Different Flows . . . . . . . . . . . 15 4.3. Different Routes for Different Flows . . . . . . . . . . . 15
5. Reliability Requirements . . . . . . . . . . . . . . . . . . . 16 5. Reliability Requirements . . . . . . . . . . . . . . . . . . . 16
6. Device-Aware Routing Requirements . . . . . . . . . . . . . . 18 6. Device-Aware Routing Requirements . . . . . . . . . . . . . . 18
7. Broadcast/Multicast requirements . . . . . . . . . . . . . . . 19 7. Broadcast/Multicast Requirements . . . . . . . . . . . . . . . 19
8. Protocol Performance requirements . . . . . . . . . . . . . . 20 8. Protocol Performance Requirements . . . . . . . . . . . . . . 20
9. Mobility requirements . . . . . . . . . . . . . . . . . . . . 20 9. Mobility Requirements . . . . . . . . . . . . . . . . . . . . 21
10. Manageability requirements . . . . . . . . . . . . . . . . . . 21 10. Manageability Requirements . . . . . . . . . . . . . . . . . . 21
11. Antagonistic requirements . . . . . . . . . . . . . . . . . . 22 11. Antagonistic Requirements . . . . . . . . . . . . . . . . . . 22
12. Security Considerations . . . . . . . . . . . . . . . . . . . 23 12. Security Considerations . . . . . . . . . . . . . . . . . . . 23
13. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 25
14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 25 14. References . . . . . . . . . . . . . . . . . . . . . . . . . . 25
15. References . . . . . . . . . . . . . . . . . . . . . . . . . . 25 14.1. Normative References . . . . . . . . . . . . . . . . . . . 25
15.1. Normative References . . . . . . . . . . . . . . . . . . . 25 14.2. Informative References . . . . . . . . . . . . . . . . . . 25
15.2. Informative References . . . . . . . . . . . . . . . . . . 25
15.3. External Informative References . . . . . . . . . . . . . 25 RFC 5673 Industrial Routing Reqs in LLNs October 2009
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 25
1. Introduction 1. Introduction
Information Technology (IT) is already, and increasingly will be Information Technology (IT) is already, and increasingly will be
applied to industrial Control Technology (CT) in application areas applied to industrial Control Technology (CT) in application areas
where those IT technologies can be constrained sufficiently by where those IT technologies can be constrained sufficiently by
Service Level Agreements (SLA) or other modest change that they are Service Level Agreements (SLA) or other modest changes that they are
able to meet the operational needs of industrial CT. When that able to meet the operational needs of industrial CT. When that
happens, the CT benefits from the large intellectual, experiential happens, the CT benefits from the large intellectual, experiential,
and training investment that has already occurred in those IT and training investment that has already occurred in those IT
precursors. One can conclude that future reuse of additional IT precursors. One can conclude that future reuse of additional IT
protocols for industrial CT will continue to occur due to the protocols for industrial CT will continue to occur due to the
significant intellectual, experiential and training economies which significant intellectual, experiential, and training economies that
result from that reuse. result from that reuse.
Following that logic, many vendors are already extending or replacing Following that logic, many vendors are already extending or replacing
their local field-bus technology with Ethernet and IP-based their local fieldbus [IEC61158] technology with Ethernet and IP-based
solutions. Examples of this evolution include CIP EtherNet/IP, solutions. Examples of this evolution include Common Industrial
Modbus/TCP, Foundation Fieldbus HSE, PROFInet and Invensys/Foxboro Protocol (CIP) EtherNet/IP, Modbus/TCP, Fieldbus Foundation High
FOXnet. At the same time, wireless, low power field devices are Speed Ethernet (HSE), PROFInet, and Invensys/Foxboro FOXnet. At the
being introduced that facilitate a significant increase in the amount same time, wireless, low-power field devices are being introduced
of information which industrial users can collect and the number of that facilitate a significant increase in the amount of information
control points that can be remotely managed. that industrial users can collect and the number of control points
that can be remotely managed.
IPv6 appears as a core technology at the conjunction of both trends, IPv6 appears as a core technology at the conjunction of both trends,
as illustrated by the current [ISA100.11a] industrial Wireless Sensor as illustrated by the current [ISA100.11a] industrial Wireless Sensor
Networking (WSN) specification, where layers 1-4 technologies Networking specification, where technologies for layers 1-4 that were
developed for purposes other than industrial CT -- IEEE 802.15.4 PHY developed for purposes other than industrial CT -- [IEEE802.15.4] PHY
and MAC, 6LoWPAN and IPv6, and UDP - are adapted to industrial CT and MAC, IPv6 over Low-Power Wireless Personal Area Networks
use. But due to the lack of open standards for routing in Low power (6LoWPANs) [RFC4919], and UDP -- are adapted to industrial CT use.
and Lossy Networks (LLN), even ISA100.11a leaves the routing But due to the lack of open standards for routing in Low-power and
operation to proprietary methods. Lossy Networks (LLNs), even ISA100.11a leaves the routing operation
to proprietary methods.
The aim of this document is to analyze the requirements from the The aim of this document is to analyze the requirements from the
industrial environment for a routing protocol in Low power and Lossy industrial environment for a routing protocol in Low power and Lossy
Networks (LLN) based on IP version 6 to power the next generation of Networks (LLNs) based on IPv6 to power the next generation of Control
Control Technology. Technology.
1.1. Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
RFC 5673 Industrial Routing Reqs in LLNs October 2009
2. Terminology 2. Terminology
This document employes terminology defined in the ROLL terminology This document employs terminology defined in the ROLL (Routing Over
document [I-D.ietf-roll-terminology]. This document also refers to Low-power and Lossy networks) terminology document [ROLL-TERM]. This
industrial standards: document also refers to industrial standards:
HART: "Highway Addressable Remote Transducer", a group of HART: Highway Addressable Remote Transducer, a group of
specifications for industrial process and control devices specifications for industrial process and control devices
administered by the HART Foundation (see [HART]). The latest version administered by the HART Communication Foundation (see [HART]). The
for the specifications is HART7 which includes the additions for latest version for the specifications is HART7, which includes the
WirelessHART. additions for WirelessHART [IEC62591].
ISA: "International Society of Automation". ISA is an ANSI ISA: International Society of Automation, an ANSI-accredited
accredited standards-making society. ISA100 is an ISA committee standards-making society. ISA100 is an ISA committee whose charter
whose charter includes defining a family of standards for industrial includes defining a family of standards for industrial automation.
automation. [ISA100.11a] is a working group within ISA100 that is [ISA100.11a] is a working group within ISA100 that is working on a
working on a standard for monitoring and non-critical process control standard for monitoring and non-critical process control
applications. applications.
3. Overview 3. Overview
Wireless, low-power field devices enable industrial users to Wireless, low-power field devices enable industrial users to
significantly increase the amount of information collected and the significantly increase the amount of information collected and the
number of control points that can be remotely managed. The number of control points that can be remotely managed. The
deployment of these wireless devices will significantly improve the deployment of these wireless devices will significantly improve the
productivity and safety of the plants while increasing the efficiency productivity and safety of the plants while increasing the efficiency
of the plant workers. IPv6 is perceived as a key technology to of the plant workers. IPv6 is perceived as a key technology to
provide the scalability and interoperability that are required in provide the scalability and interoperability that are required in
that space and is being more and more present in standards and that space, and it is more and more present in standards and products
products under development and early deployments. under development and early deployments.
Cable is perceived as a more proven, safer techhnology, and existing, Cable is perceived as a more proven, safer technology, and existing,
operational deployments are very stable in time. For these reasons, operational deployments are very stable in time. For these reasons,
it is not expected that wireless will replace wire in any foreseeable it is not expected that wireless will replace wire in any foreseeable
future; the consensus in the industrial space is rather that wireless future; the consensus in the industrial space is rather that wireless
will tremendously augment the scope and benefits of automation by will tremendously augment the scope and benefits of automation by
enabling the control of devices that were not connected in the past enabling the control of devices that were not connected in the past
for reasons of cost and/or deployment complexities. But for LLN to for reasons of cost and/or deployment complexities. But for LLNs to
be adopted in the industrial environment, the wireless network needs be adopted in the industrial environment, the wireless network needs
to have three qualities: low power, high reliability, and easy to have three qualities: low power, high reliability, and easy
installation and maintenance. The routing protocol used for low installation and maintenance. The routing protocol used for LLNs is
power and lossy networks (LLN) is important to fulfilling these important to fulfilling these goals.
goals.
Industrial automation is segmented into two distinct application Industrial automation is segmented into two distinct application
spaces, known as "process" or "process control" and "discrete spaces, known as "process" or "process control" and "discrete
manufacturing" or "factory automation". In industrial process manufacturing" or "factory automation". In industrial process
control, the product is typically a fluid (oil, gas, chemicals ...). control, the product is typically a fluid (oil, gas, chemicals,
In factory automation or discrete manufacturing, the products are etc.). In factory automation or discrete manufacturing, the products
individual elements (screws, cars, dolls). While there is some
RFC 5673 Industrial Routing Reqs in LLNs October 2009
are individual elements (screws, cars, dolls). While there is some
overlap of products and systems between these two segments, they are overlap of products and systems between these two segments, they are
surprisingly separate communities. The specifications targeting surprisingly separate communities. The specifications targeting
industrial process control tend to have more tolerance for network industrial process control tend to have more tolerance for network
latency than what is needed for factory automation. latency than what is needed for factory automation.
Irrespective of this different 'process' and 'discrete' plant nature Irrespective of this different 'process' and 'discrete' plant nature,
both plant types will have similar needs for automating the both plant types will have similar needs for automating the
collection of data that used to be collected manually, or was not collection of data that used to be collected manually, or was not
collected before. Examples are wireless sensors that report the collected before. Examples are wireless sensors that report the
state of a fuse, report the state of a luminary, HVAC status, report state of a fuse, report the state of a luminary, HVAC status, report
vibration levels on pumps, report man-down, and so on. vibration levels on pumps, report man-down, and so on.
Other novel application arenas that equally apply to both 'process' Other novel application arenas that equally apply to both 'process'
and 'discrete' involve mobile sensors that roam in and out of plants, and 'discrete' involve mobile sensors that roam in and out of plants,
such as active sensor tags on containers or vehicles. such as active sensor tags on containers or vehicles.
Some if not all of these applications will need to be served by the Some if not all of these applications will need to be served by the
same low power and lossy wireless network technology. This may mean same low-power and lossy wireless network technology. This may mean
several disconnected, autonomous LLN networks connecting to multiple several disconnected, autonomous LLNs connecting to multiple hosts,
hosts, but sharing the same ether. Interconnecting such networks, if but sharing the same ether. Interconnecting such networks, if only
only to supervise channel and priority allocations, or to fully to supervise channel and priority allocations, or to fully
synchronize, or to share path capacity within a set of physical synchronize, or to share path capacity within a set of physical
network components may be desired, or may not be desired for network components may be desired, or may not be desired for
practical reasons, such as e.g. cyber security concerns in relation practical reasons, such as e.g., cyber security concerns in relation
to plant safety and integrity. to plant safety and integrity.
All application spaces desire battery operated networks of hundreds All application spaces desire battery-operated networks of hundreds
of sensors and actuators communicating with LLN access points. In an of sensors and actuators communicating with LLN access points. In an
oil refinery, the total number of devices might exceed one million, oil refinery, the total number of devices might exceed one million,
but the devices will be clustered into smaller networks that in most but the devices will be clustered into smaller networks that in most
cases interconnect and report to an existing plant network cases interconnect and report to an existing plant network
infrastructure. infrastructure.
Existing wired sensor networks in this space typically use Existing wired sensor networks in this space typically use
communication protocols with low data rates, from 1,200 baud (e.g. communication protocols with low data rates, from 1200 baud (e.g.,
wired HART) to the one to two hundred Kbps range for most of the wired HART) to the 100-200 kbps range for most of the others. The
others. The existing protocols are often master/slave with command/ existing protocols are often master/slave with command/response.
response.
3.1. Applications and Traffic Patterns 3.1. Applications and Traffic Patterns
The industrial market classifies process applications into three The industrial market classifies process applications into three
broad categories and six classes. broad categories and six classes.
o Safety o Safety
* Class 0: Emergency action - Always a critical function * Class 0: Emergency action - Always a critical function
RFC 5673 Industrial Routing Reqs in LLNs October 2009
o Control o Control
* Class 1: Closed loop regulatory control - Often a critical * Class 1: Closed-loop regulatory control - Often a critical
function function
* Class 2: Closed loop supervisory control - Usually non-critical * Class 2: Closed-loop supervisory control - Usually a non-
function critical function
* Class 3: Open loop control - Operator takes action and controls * Class 3: Open-loop control - Operator takes action and controls
the actuator (human in the loop) the actuator (human in the loop)
o Monitoring o Monitoring
* Class 4: Alerting - Short-term operational effect (for example * Class 4: Alerting - Short-term operational effect (for example,
event-based maintenance) event-based maintenance)
* Class 5: Logging and downloading / uploading - No immediate * Class 5: Logging and downloading / uploading - No immediate
operational consequence (e.g., history collection, sequence-of- operational consequence (e.g., history collection, sequence-of-
events, preventive maintenance) events, preventive maintenance)
Safety critical functions effect the basic safety integrity of the Safety-critical functions effect the basic safety integrity of the
plant. These normally dormant functions kick in only when process plant. These normally dormant functions kick in only when process
control systems, or their operators, have failed. By design and by control systems, or their operators, have failed. By design and by
regular interval inspection, they have a well-understood probability regular interval inspection, they have a well-understood probability
of failure on demand in the range of typically once per 10-1000 of failure on demand in the range of typically once per 10-1000
years. years.
In-time deliveries of messages becomes more relevant as the class In-time deliveries of messages become more relevant as the class
number decreases. number decreases.
Note that for a control application, the jitter is just as important Note that for a control application, the jitter is just as important
as latency and has a potential of destabilizing control algorithms. as latency and has a potential of destabilizing control algorithms.
Industrial users are interested in deploying wireless networks for Industrial users are interested in deploying wireless networks for
the monitoring classes 4 and 5, and in the non-critical portions of the monitoring classes 4 and 5, and in the non-critical portions of
classes 3 through 2. classes 2 through 3.
Classes 4 and 5 also include asset monitoring and tracking which Classes 4 and 5 also include asset monitoring and tracking, which
include equipment monitoring and are essentially separate from include equipment monitoring and are essentially separate from
process monitoring. An example of equipment monitoring is the process monitoring. An example of equipment monitoring is the
recording of motor vibrations to detect bearing wear. However, recording of motor vibrations to detect bearing wear. However,
similar sensors detecting excessive vibration levels could be used as similar sensors detecting excessive vibration levels could be used as
safeguarding loops that immediately initiate a trip, and thus end up safeguarding loops that immediately initiate a trip, and thus end up
being class 0. being class 0.
In the near future, most LLN systems in industrial automation In the near future, most LLN systems in industrial automation
environments will be for low frequency data collection. Packets environments will be for low-frequency data collection. Packets
containing samples will be generated continuously, and 90% of the containing samples will be generated continuously, and 90% of the
market is covered by packet rates of between 1/s and 1/hour, with the
average under 1/min. In industrial process, these sensors include RFC 5673 Industrial Routing Reqs in LLNs October 2009
temperature, pressure, fluid flow, tank level, and corrosion. Some
sensors are bursty, such as vibration monitors that may generate and market is covered by packet rates of between 1/second and 1/hour,
transmit tens of kilo-bytes (hundreds to thousands of packets) of with the average under 1/minute. In industrial process, these
time-series data at reporting rates of minutes to days. sensors include temperature, pressure, fluid flow, tank level, and
corrosion. Some sensors are bursty, such as vibration monitors that
may generate and transmit tens of kilobytes (hundreds to thousands of
packets) of time-series data at reporting rates of minutes to days.
Almost all of these sensors will have built-in microprocessors that Almost all of these sensors will have built-in microprocessors that
may detect alarm conditions. Time-critical alarm packets are may detect alarm conditions. Time-critical alarm packets are
expected to be granted a lower latency than periodic sensor data expected to be granted a lower latency than periodic sensor data
streams. streams.
Some devices will transmit a log file every day, again with typically Some devices will transmit a log file every day, again with typically
tens of Kbytes of data. For these applications there is very little tens of kilobytes of data. For these applications, there is very
"downstream" traffic coming from the LLN access point and traveling little "downstream" traffic coming from the LLN access point and
to particular sensors. During diagnostics, however, a technician may traveling to particular sensors. During diagnostics, however, a
be investigating a fault from a control room and expect to have "low" technician may be investigating a fault from a control room and
latency (human tolerable) in a command/response mode. expect to have "low" latency (human tolerable) in a command/response
mode.
Low-rate control, often with a "human in the loop" (also referred to Low-rate control, often with a "human in the loop" (also referred to
as "open loop"), is implemented via communication to a control room as "open loop"), is implemented via communication to a control room
because that's where the human in the loop will be. The sensor data because that's where the human in the loop will be. The sensor data
makes its way through the LLN access point to the centralized makes its way through the LLN access point to the centralized
controller where it is processed, the operator sees the information controller where it is processed, the operator sees the information
and takes action, and the control information is then sent out to the and takes action, and the control information is then sent out to the
actuator node in the network. actuator node in the network.
In the future, it is envisioned that some open loop processes will be In the future, it is envisioned that some open-loop processes will be
automated (closed loop) and packets will flow over local loops and automated (closed loop) and packets will flow over local loops and
not involve the LLN access point. These closed loop controls for not involve the LLN access point. These closed-loop controls for
non-critical applications will be implemented on LLNs. Non-critical non-critical applications will be implemented on LLNs. Non-critical
closed loop applications have a latency requirement that can be as closed-loop applications have a latency requirement that can be as
low as 100 ms but many control loops are tolerant of latencies above low as 100 milliseconds but many control loops are tolerant of
1 s. latencies above 1 second.
More likely though is that loops will be closed in the field More likely though is that loops will be closed in the field
entirely, and in such a case, having wireless links within the entirely, and in such a case, having wireless links within the
control loop does not usually present actual value. Most control control loop does not usually present actual value. Most control
loops have sensors and actuators within such proximity that a wire loops have sensors and actuators within such proximity that a wire
between them remains the most sensible option from an economic point between them remains the most sensible option from an economic point
of view. This 'control in the field' architecture is already common of view. This 'control in the field' architecture is already common
practice with wired field busses. An 'upstream' wireless link would practice with wired fieldbusses. An 'upstream' wireless link would
only be used to influence the in-field controller settings, and to only be used to influence the in-field controller settings and to
occasionally capture diagnostics. Even though the link back to a occasionally capture diagnostics. Even though the link back to a
control room might be a wireless, this architecture reduces the tight control room might be wireless, this architecture reduces the tight
latency and availability requirements for the wireless links. latency and availability requirements for the wireless links.
RFC 5673 Industrial Routing Reqs in LLNs October 2009
Closing loops in the field: Closing loops in the field:
o does not prevent the same loop from being closed through a remote o does not prevent the same loop from being closed through a remote
multi-variable controller during some modes of operation, while multivariable controller during some modes of operation, while
being closed directly in the field during other modes of operation being closed directly in the field during other modes of operation
(e.g., fallback, or when timing is more critical) (e.g., fallback, or when timing is more critical)
o does not imply that the loop will be closed with a wired o does not imply that the loop will be closed with a wired
connection, or that the wired connection is more energy efficient connection, or that the wired connection is more energy efficient
even when it exists as an alternate to the wireless connection. even when it exists as an alternate to the wireless connection.
A realistic future scenario is for a field device with a battery or A realistic future scenario is for a field device with a battery or
ultra-capacitor power storage to have both wireless and unpowered ultra-capacitor power storage to have both wireless and unpowered
wired communications capability (e.g., galvanically isolated RS-485), wired communications capability (e.g., galvanically isolated RS-485),
where the wireless communication is more flexible and, for local loop where the wireless communication is more flexible and, for local loop
operation, more energy efficient, and the wired communication operation, more energy efficient. The wired communication capability
capability serves as a backup interconnect among the loop elements, serves as a backup interconnect among the loop elements, but without
but without a wired connection back to the operations center a wired connection back to the operations center blockhouse. In
blockhouse. In other words, the loop elements are interconnected other words, the loop elements are interconnected through wiring to a
through wiring to a nearby junction box, but the 2 km home-run link nearby junction box, but the 2 km home-run link from the junction box
from the junction box to the control center does not exist. to the control center does not exist.
When wireless communication conditions are good, devices use wireless When wireless communication conditions are good, devices use wireless
for loop interconnect, and either one wireless device reports alarms for loop interconnect, and either one wireless device reports alarms
and other status to the control center for all elements of the loop and other status to the control center for all elements of the loop,
or each element reports independently. When wireless communications or each element reports independently. When wireless communications
are sporadic, the loop interconnect uses the self-powered are sporadic, the loop interconnect uses the self-powered
galvanically-isolated RS-485 link and one of the devices with good galvanically isolated RS-485 link and one of the devices with good
wireless communications to the control center serves as a router for wireless communications to the control center serves as a router for
those devices which are unable to contact the control center those devices that are unable to contact the control center directly.
directly.
The above approach is particularly attractive for large storage tanks The above approach is particularly attractive for large storage tanks
in tank farms, where devices may not all have good wireless in tank farms, where devices may not all have good wireless
visibility of the control center, and where a home run cable from the visibility of the control center, and where a home-run cable from the
tank to the control center is undesirable due to the electro- tank to the control center is undesirable due to the electro-
potential differences between the tank location and the distant potential differences between the tank location and the distant
control center that arise during lightning storms. control center that arise during lightning storms.
In fast control, tens of milliseconds of latency is typical. In many In fast control, tens of milliseconds of latency is typical. In many
of these systems, if a packet does not arrive within the specified of these systems, if a packet does not arrive within the specified
interval, the system enters an emergency shutdown state, often with interval, the system enters an emergency shutdown state, often with
substantial financial repercussions. For a one-second control loop substantial financial repercussions. For a one-second control loop
in a system with a mean-time between shutdowns target of 30 years, in a system with a target of 30 years for the mean time between
the latency requirement implies nine 9s of reliability. Given such shutdowns, the latency requirement implies nine 9s of reliability
exposure, given the intrinsic vulnerability of wireless link (aka 99.9999999% reliability). Given such exposure, given the
availability, and given the emergence of control in the field intrinsic vulnerability of wireless link availability, and given the
architectures, most users tend not to aim for fast closed loop
control with wireless links within that fast loop. RFC 5673 Industrial Routing Reqs in LLNs October 2009
emergence of control in the field architectures, most users tend not
to aim for fast closed-loop control with wireless links within that
fast loop.
3.2. Network Topology of Industrial Applications 3.2. Network Topology of Industrial Applications
Although network topology is difficult to generalize, the majority of Although network topology is difficult to generalize, the majority of
existing applications can be met by networks of 10 to 200 field existing applications can be met by networks of 10 to 200 field
devices and maximum number of hops of twenty. It is assumed that the devices and a maximum number of hops of 20. It is assumed that the
field devices themselves will provide routing capability for the field devices themselves will provide routing capability for the
network, and additional repeaters/routers will not be required in network, and additional repeaters/routers will not be required in
most cases. most cases.
For the vast majority of industrial applications, the traffic is For the vast majority of industrial applications, the traffic is
mostly composed of real time publish/subscribe sensor data also mostly composed of real-time publish/subscribe sensor data also
referred to as buffered, from the field devices over a LLN towards referred to as buffered, from the field devices over an LLN towards
one or more sinks. Increasingly over time, these sinks will be a one or more sinks. Increasingly over time, these sinks will be a
part of a backbone but today they are often fragmented and isolated. part of a backbone, but today they are often fragmented and isolated.
The wireless sensor network is a LLN of field devices for which two The wireless sensor network (WSN) is an LLN of field devices for
logical roles are defined, the field routers and the non routing which two logical roles are defined, the field routers and the non-
devices. It is acceptable and even probable that the repartition of routing devices. It is acceptable and even probable that the
the roles across the field devices change over time to balance the repartition of the roles across the field devices changes over time
cost of the forwarding operation amongst the nodes. to balance the cost of the forwarding operation amongst the nodes.
In order to scale a control network in terms of density, one possible In order to scale a control network in terms of density, one possible
architecture is to deploy a backbone as a canopy that aggregates architecture is to deploy a backbone as a canopy that aggregates
multiple smaller LLNs. The backbone is a high-speed infrastructure multiple smaller LLNs. The backbone is a high-speed infrastructure
network that may interconnect multiple WSNs through backbone routers. network that may interconnect multiple WSNs through backbone routers.
Infrastructure devices can be connected to the backbone. A gateway / Infrastructure devices can be connected to the backbone. A gateway/
manager that interconnects the backbone to the plant network of the manager that interconnects the backbone to the plant network of the
corporate network can be viewed as collapsing the backbone and the corporate network can be viewed as collapsing the backbone and the
infrastructure devices into a single device that operates all the infrastructure devices into a single device that operates all the
required logical roles. The backbone is likely to become an option required logical roles. The backbone is likely to become an option
in the industrial network. in the industrial network.
Typically, such backbones interconnect to the 'legacy' wired plant Typically, such backbones interconnect to the 'legacy' wired plant
infrastructure, the plant network, also known as the 'Process Control infrastructure, which is known as the plant network or Process
Domain', the PCD. These plant automation networks are domain wise Control Domain (PCD). These plant automation networks are segregated
segregated from the office network or office domain (OD), which in domain-wise from the office network or office domain (OD), which in
itself is typically segregated from the Internet. itself is typically segregated from the Internet.
Sinks for LLN sensor data reside on both the plant network PCD, the Sinks for LLN sensor data reside on the plant network (the PCD), the
business network OD, and on the Internet. Applications close to business network (the OD), and on the Internet. Applications close
existing plant automation, such as wired process control and to existing plant automation, such as wired process control and
monitoring systems running on fieldbusses, that require high monitoring systems running on fieldbusses, that require high
availability and low latencies, and that are managed by 'Control and availability and low latencies, and that are managed by 'Control and
Automation' departments typically reside on the PCD. Other Automation' departments typically reside on the PCD. Other
RFC 5673 Industrial Routing Reqs in LLNs October 2009
applications such as automated corrosion monitoring, cathodic applications such as automated corrosion monitoring, cathodic
protection voltage verification, or machine condition (vibration) protection voltage verification, or machine condition (vibration)
monitoring where one sample per week is considered over sampling, monitoring where one sample per week is considered over-sampling,
would more likely deliver their sensor readings in the office domain. would more likely deliver their sensor readings in the OD. Such
Such applications are 'owned' by e.g. maintenance departments. applications are 'owned' by, e.g., maintenance departments.
Yet other applications like third party maintained luminaries, or Yet other applications like third-party-maintained luminaries, or
vendor managed inventory systems, where a supplier of chemicals needs vendor-managed inventory systems, where a supplier of chemicals needs
access to tank level readings at his customer's site, will be best access to tank level readings at his customer's site, will be best
served with direct Internet connectivity all the way to its sensor at served with direct Internet connectivity all the way to its sensor at
his customer's site. Temporary 'Babysitting sensors' deployed for his customer's site. Temporary 'babysitting sensors' deployed for
just a few days, say during startup or troubleshooting or for ad-hoc just a few days, say during startup or troubleshooting or for ad hoc
measurement campaigns for R and D purposes are other examples where measurement campaigns for research and development purposes, are
Internet would be the domain where wireless sensor data shall land, other examples where Internet would be the domain where wireless
and other domains such as office and plant should preferably be sensor data would land, and other domains such as the OD and PCD
circumvented if quick deployment without potentially impacting plant should preferably be circumvented if quick deployment without
safety integrity is required. potentially impacting plant safety integrity is required.
This multiple domain multiple applications connectivity creates a This multiple-domain multiple-application connectivity creates a
significant challenge. Many different applications will all share significant challenge. Many different applications will all share
the same medium, the ether, within the fence, preferably sharing the the same medium, the ether, within the fence, preferably sharing the
same frequency bands, and preferably sharing the same protocols, same frequency bands, and preferably sharing the same protocols,
preferably synchronized to optimize co-existence challenges, yet preferably synchronized to optimize coexistence challenges, yet
logically segregated to avoid creation of intolerable short cuts logically segregated to avoid creation of intolerable shortcuts
between existing wired domains. between existing wired domains.
Given this challenge, LLN networks are best to be treated as all Given this challenge, LLNs are best to be treated as all sitting on
sitting on yet another segregated domain, segregated from all other yet another segregated domain, segregated from all other wired
wired domains where conventional security is organized by perimeter. domains where conventional security is organized by perimeter.
Moving away from the traditional perimeter security mindset means Moving away from the traditional perimeter-security mindset means
moving towards stronger end-device identity authentication, so that moving towards stronger end-device identity authentication, so that
LLN access points can split the various wireless data streams and LLN access points can split the various wireless data streams and
interconnect back to the appropriate domain pending identity and interconnect back to the appropriate domain (pending the gateways'
trust established by the gateways in the authenticity of message establishment of the message originators' identity and trust).
originators.
Similar considerations are to be given to how multiple applications Similar considerations are to be given to how multiple applications
may or may not be allowed to share routing devices and their may or may not be allowed to share routing devices and their
potentially redundant bandwidth within the network. Challenges here potentially redundant bandwidth within the network. Challenges here
are to balance available capacity, required latencies, expected are to balance available capacity, required latencies, expected
priorities, and last but not least available (battery) energy within priorities, and (last but not least) available (battery) energy
the routing devices. within the routing devices.
3.2.1. The Physical Topology 3.2.1. The Physical Topology
There is no specific physical topology for an industrial process There is no specific physical topology for an industrial process
control network. control network.
RFC 5673 Industrial Routing Reqs in LLNs October 2009
One extreme example is a multi-square-kilometer refinery where One extreme example is a multi-square-kilometer refinery where
isolated tanks, some of them with power but most with no backbone isolated tanks, some of them with power but most with no backbone
connectivity, compose a farm that spans over of the surface of the connectivity, compose a farm that spans over of the surface of the
plant. A few hundred field devices are deployed to ensure the global plant. A few hundred field devices are deployed to ensure the global
coverage using a wireless self-forming self-healing mesh network that coverage using a wireless self-forming self-healing mesh network that
might be 5 to 10 hops across. Local feedback loops and mobile might be 5 to 10 hops across. Local feedback loops and mobile
workers tend to be only one or two hops. The backbone is in the workers tend to be only 1 or 2 hops. The backbone is in the refinery
refinery proper, many hops away. Even there, powered infrastructure proper, many hops away. Even there, powered infrastructure is also
is also typically several hops away. In that case, hopping to/from typically several hops away. In that case, hopping to/from the
the powered infrastructure may often be more costly than the direct powered infrastructure may often be more costly than the direct
route. route.
In the opposite extreme case, the backbone network spans all the In the opposite extreme case, the backbone network spans all the
nodes and most nodes are in direct sight of one or more backbone nodes and most nodes are in direct sight of one or more backbone
router. Most communication between field devices and infrastructure routers. Most communication between field devices and infrastructure
devices as well as field device to field device occurs across the devices, as well as field device to field device, occurs across the
backbone. From afar, this model resembles the WIFI ESS (Extended backbone. From afar, this model resembles the WiFi ESS (Extended
Service Set). But from a layer 3 perspective, the issues are the Service Set). But from a layer-3 (L3) perspective, the issues are
default (backbone) router selection and the routing inside the the default (backbone) router selection and the routing inside the
backbone whereas the radio hop towards the field device is in fact a backbone, whereas the radio hop towards the field device is in fact a
simple local delivery. simple local delivery.
---------+---------------------------- ---------+----------------------------
| Plant Network | Plant Network
| |
+-----+ +-----+
| | Gateway M : Mobile device | | Gateway M : Mobile device
| | o : Field device | | o : Field device
+-----+ +-----+
| |
skipping to change at page 11, line 38 skipping to change at page 11, line 52
| | router | | router | | router | | router | | router | | router
+-----+ +-----+ +-----+ +-----+ +-----+ +-----+
o o o o o o o o o o o o o o o o o o o o o o o o o o
o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o o
o o o o o o o o o o o M o o o o o o o o o o o o o o o o M o o o o o
o o M o o o o o o o o o o o o o o o M o o o o o o o o o o o o o
o o o o o o o o o o o o o o o o o o
o o o o o o o o o o
LLN LLN
Figure 1: Backbone-based Physical Topology Figure 1: Backbone-Based Physical Topology
RFC 5673 Industrial Routing Reqs in LLNs October 2009
An intermediate case is illustrated in Figure 1 with a backbone that An intermediate case is illustrated in Figure 1 with a backbone that
spans the Wireless Sensor Network in such a fashion that any WSN node spans the Wireless Sensor Network in such a fashion that any WSN node
is only a few wireless hops away from the nearest Backbone Router. is only a few wireless hops away from the nearest backbone router.
WSN nodes are expected to organize into self-forming self-healing WSN nodes are expected to organize into self-forming, self-healing,
self-optimizing logical topologies that enable leveraging the self-optimizing logical topologies that enable leveraging the
backbone when it is most efficient to do so. backbone when it is most efficient to do so.
It must be noted that the routing function is expected to be so It must be noted that the routing function is expected to be so
simple that any field device could assume the role of a router, simple that any field device could assume the role of a router,
depending on the self-discovery of the topology and the power status depending on the self-discovery of the topology and the power status
of the neighbors. On the other hand, only devices equipped with the of the neighbors. On the other hand, only devices equipped with the
appropriate hardware and software combination could assume the role appropriate hardware and software combination could assume the role
of an end point for a given purpose, such as sensor or actuator. of an endpoint for a given purpose, such as sensor or actuator.
3.2.2. Logical Topologies 3.2.2. Logical Topologies
Most of the traffic over the LLN is publish/subscribe of sensor data Most of the traffic over the LLN is publish/subscribe of sensor data
from the field device towards a sink that can be a backbone router, a from the field device towards a sink that can be a backbone router, a
gateway, or a controller/manager. The destination of the sensor data gateway, or a controller/manager. The destination of the sensor data
is an Infrastructure devices that sits on the backbone and is is an infrastructure device that sits on the backbone and is
reachable via one or more backbone router. reachable via one or more backbone routers.
For security, reliability, availability or serviceability reasons, it For security, reliability, availability, or serviceability reasons,
is often required that the logical topologies are not physically it is often required that the logical topologies are not physically
congruent over the radio network, that is they form logical congruent over the radio network; that is, they form logical
partitions of the LLN. For instance, a routing topology that is set partitions of the LLN. For instance, a routing topology that is set
up for control should be isolated from a topology that reports the up for control should be isolated from a topology that reports the
temperature and the status of the vents, if that second topology has temperature and the status of the vents, if that second topology has
lesser constraints for the security policy. This isolation might be lesser constraints for the security policy. This isolation might be
implemented as Virtual LANs and Virtual Routing Tables in shared implemented as Virtual LANs and Virtual Routing Tables in shared
nodes in the backbone, but correspond effectively to physical nodes nodes in the backbone, but correspond effectively to physical nodes
in the wireless network. in the wireless network.
Since publishing the data is the raison d'etre for most of the Since publishing the data is the raison d'etre for most of the
sensors, in some cases it makes sense to build proactively a set of sensors, in some cases it makes sense to build proactively a set of
routes between the sensors and one or more backbone router and routes between the sensors and one or more backbone routers and
maintain those routes at all time. Also, because of the lossy nature maintain those routes at all time. Also, because of the lossy nature
of the network, the routing in place should attempt to propose of the network, the routing in place should attempt to propose
multiple paths in the form of Directed Acyclic Graphs oriented multiple paths in the form of Directed Acyclic Graphs oriented
towards the destination. towards the destination.
In contrast with the general requirement of maintaining default In contrast with the general requirement of maintaining default
routes towards the sinks, the need for field device to field device routes towards the sinks, the need for field device to field device
connectivity is very specific and rare, though the traffic associated (FD-to-FD) connectivity is very specific and rare, though the traffic
might be of foremost importance. Field device to field device routes associated might be of foremost importance. FD-to-FD routes are
are often the most critical, optimized and well-maintained routes. A often the most critical, optimized, and well-maintained routes. A
class 0 control loop requires guaranteed delivery and extremely tight class 0 safeguarding loop requires guaranteed delivery and extremely
response times. Both the respect of criteria in the route tight response times. Both the respect of criteria in the route
RFC 5673 Industrial Routing Reqs in LLNs October 2009
computation and the quality of the maintenance of the route are computation and the quality of the maintenance of the route are
critical for the field devices operation. Typically, a control loop critical for the field devices' operation. Typically, a control loop
will be using a dedicated direct wire that has very different will be using a dedicated direct wire that has very different
capabilities, cost and constraints than the wireless medium, with the capabilities, cost, and constraints than the wireless medium, with
need to use a wireless path as a back up route only in case of loss the need to use a wireless path as a backup route only in case of
of the wired path. loss of the wired path.
Considering that though each field device to field device route Considering that each FD-to-FD route computation has specific
computation has specific constraints in terms of latency and constraints in terms of latency and availability, it can be expected
availability it can be expected that the shortest path possible will that the shortest path possible will often be selected and that this
often be selected and that this path will be routed inside the LLN as path will be routed inside the LLN as opposed to via the backbone.
opposed to via the backbone. It can also be noted that the lifetimes It can also be noted that the lifetimes of the routes might range
of the routes might range from minutes for a mobile workers to tens from minutes for a mobile worker to tens of years for a command and
of years for a command and control closed loop. Finally, time- control closed loop. Finally, time-varying user requirements for
varying user requirements for latency and bandwidth will change the latency and bandwidth will change the constraints on the routes,
constraints on the routes, which might either trigger a constrained which might either trigger a constrained route recomputation, a
route recomputation, a reprovisioning of the underlying L2 protocols, reprovisioning of the underlying L2 protocols, or both in that order.
or both in that order. For instance, a wireless worker may initiate For instance, a wireless worker may initiate a bulk transfer to
a bulk transfer to configure or diagnose a field device. A level configure or diagnose a field device. A level sensor device may need
sensor device may need to perform a calibration and send a bulk file to perform a calibration and send a bulk file to a plant.
to a plant.
4. Requirements related to Traffic Characteristics 4. Requirements Related to Traffic Characteristics
[ISA100.11a] selected IPv6 as its Network Layer for a number of [ISA100.11a] selected IPv6 as its network layer for a number of
reasons, including the huge address space and the large potential reasons, including the huge address space and the large potential
size of a subnet, which can range up to 10K nodes in a plant size of a subnet, which can range up to 10K nodes in a plant
deployment. In the ISA100 model, industrial applications fall into deployment. In the ISA100 model, industrial applications fall into
four large service categories: four large service categories:
1. Periodic data (aka buffered). Data that is generated 1. Periodic data (aka buffered). Data that is generated
periodically and has a well understood data bandwidth periodically and has a well understood data bandwidth
requirement, both deterministic and predictable. Timely delivery requirement, both deterministic and predictable. Timely delivery
of such data is often the core function of a wireless sensor of such data is often the core function of a wireless sensor
network and permanent resources are assigned to ensure that the network and permanent resources are assigned to ensure that the
required bandwidth stays available. Buffered data usually required bandwidth stays available. Buffered data usually
exhibits a short time to live, and the newer reading obsoletes exhibits a short time to live, and the newer reading obsoletes
the previous. In some cases, alarms are low priority information the previous. In some cases, alarms are low-priority information
that gets repeated over and over. The end-to-end latency of this that gets repeated over and over. The end-to-end latency of this
data is not as important as the regularity with which the data is data is not as important as the regularity with which the data is
presented to the plant application. presented to the plant application.
2. Event data. This category includes alarms and aperiodic data 2. Event data. This category includes alarms and aperiodic data
reports with bursty data bandwidth requirements. In certain reports with bursty data bandwidth requirements. In certain
cases, alarms are critical and require a priority service from cases, alarms are critical and require a priority service from
the network. the network.
RFC 5673 Industrial Routing Reqs in LLNs October 2009
3. Client/Server. Many industrial applications are based on a 3. Client/Server. Many industrial applications are based on a
client/server model and implement a command response protocol. client/server model and implement a command response protocol.
The data bandwidth required is often bursty. The acceptable The data bandwidth required is often bursty. The acceptable
round-trip latency for some legacy systems was based on the time round-trip latency for some legacy systems was based on the time
to send tens of bytes over a 1200 baud link. Hundreds of to send tens of bytes over a 1200 baud link. Hundreds of
milliseconds is typical. This type of request is statistically milliseconds is typical. This type of request is statistically
multiplexed over the LLN and cost-based fair-share best-effort multiplexed over the LLN and cost-based, fair-share, best-effort
service is usually expected. service is usually expected.
4. Bulk transfer. Bulk transfers involve the transmission of blocks 4. Bulk transfer. Bulk transfers involve the transmission of blocks
of data in multiple packets where temporary resources are of data in multiple packets where temporary resources are
assigned to meet a transaction time constraint. Transient assigned to meet a transaction time constraint. Transient
resources are assigned for a limited time (related to file size resources are assigned for a limited time (related to file size
and data rate) to meet the bulk transfers service requirements. and data rate) to meet the bulk transfers service requirements.
4.1. Service Requirements 4.1. Service Requirements
The following service parameters can affect routing decisions in a The following service parameters can affect routing decisions in a
resource-constrained network: resource-constrained network:
o Data bandwidth - the bandwidth might be allocated permanently or o Data bandwidth - the bandwidth might be allocated permanently or
for a period of time to a specific flow that usually exhibits well for a period of time to a specific flow that usually exhibits
defined properties of burstiness and throughput. Some bandwidth well-defined properties of burstiness and throughput. Some
will also be statistically shared between flows in a best effort bandwidth will also be statistically shared between flows in a
fashion. best-effort fashion.
o Latency - the time taken for the data to transit the network from o Latency - the time taken for the data to transit the network from
the source to the destination. This may be expressed in terms of the source to the destination. This may be expressed in terms of
a deadline for delivery. Most monitoring latencies will be in a deadline for delivery. Most monitoring latencies will be in
seconds to minutes. seconds to minutes.
o Transmission phase - process applications can be synchronized to o Transmission phase - process applications can be synchronized to
wall clock time and require coordinated transmissions. A common wall clock time and require coordinated transmissions. A common
coordination frequency is 4 Hz (250 ms). coordination frequency is 4 Hz (250 ms).
o Service contract type - revocation priority. LLNs have limited o Service contract type - revocation priority. LLNs have limited
network resources that can vary with time. This means the system network resources that can vary with time. This means the system
can become fully subscribed or even over subscribed. System can become fully subscribed or even over-subscribed. System
policies determine how resources are allocated when resources are policies determine how resources are allocated when resources are
over subscribed. The choices are blocking and graceful over-subscribed. The choices are blocking and graceful
degradation. degradation.
o Transmission priority - the means by which limited resources o Transmission priority - the means by which limited resources
within field devices are allocated across multiple services. For within field devices are allocated across multiple services. For
transmissions, a device has to select which packet in its queue transmissions, a device has to select which packet in its queue
will be sent at the next transmission opportunity. Packet will be sent at the next transmission opportunity. Packet
priority is used as one criterion for selecting the next packet. priority is used as one criterion for selecting the next packet.
For reception, a device has to decide how to store a received For reception, a device has to decide how to store a received
packet. The field devices are memory constrained and receive
RFC 5673 Industrial Routing Reqs in LLNs October 2009
packet. The field devices are memory-constrained and receive
buffers may become full. Packet priority is used to select which buffers may become full. Packet priority is used to select which
packets are stored or discarded. packets are stored or discarded.
The routing protocol MUST also support different metric types for The routing protocol MUST also support different metric types for
each link used to compute the path according to some objective each link used to compute the path according to some objective
function (e.g. minimize latency) depending on the nature of the function (e.g., minimize latency) depending on the nature of the
traffic. traffic.
For these reasons, the ROLL routing infrastructure is REQUIRED to For these reasons, the ROLL routing infrastructure is REQUIRED to
compute and update constrained routes on demand, and it can be compute and update constrained routes on demand, and it can be
expected that this model will become more prevalent for field device expected that this model will become more prevalent for FD-to-FD
to field device connectivity as well as for some field device to connectivity as well as for some FD-to-infrastructure-device
Infrastructure devices over time. connectivity over time.
Industrial application data flows between field devices are not Industrial application data flows between field devices are not
necessarily symmetric. In particular, asymmetrical cost and necessarily symmetric. In particular, asymmetrical cost and
unidirectional routes are common for published data and alerts, which unidirectional routes are common for published data and alerts, which
represent the most part of the sensor traffic. The routing protocol represent the most part of the sensor traffic. The routing protocol
MUST be able to compute a set of unidirectional routes with MUST be able to compute a set of unidirectional routes with
potentially different costs that are composed of one or more non- potentially different costs that are composed of one or more non-
congruent paths. congruent paths.
As multiple paths are set up and a variety of flows traverse the As multiple paths are set up and a variety of flows traverse the
network towards a same destination, for instance a node acting as a network towards a same destination (for instance, a node acting as a
sink for the LLN, the use of an additional marking/tagging mechanism sink for the LLN), the use of an additional marking/tagging mechanism
based on an upper layer information will be REQUIRED for intermediate based on upper-layer information will be REQUIRED for intermediate
routers to discriminate the flows and perform the appropriate routing routers to discriminate the flows and perform the appropriate routing
decision using only the content of the IPv6 packet (e.g. use of DSCP, decision using only the content of the IPv6 packet (e.g., use of
Flow Label). DSCP, Flow Label).
4.2. Configurable Application Requirement 4.2. Configurable Application Requirement
Time-varying user requirements for latency and bandwidth may require Time-varying user requirements for latency and bandwidth may require
changes in the provisioning of the underlying L2 protocols. A changes in the provisioning of the underlying L2 protocols. A
technician may initiate a query/response session or bulk transfer to technician may initiate a query/response session or bulk transfer to
diagnose or configure a field device. A level sensor device may need diagnose or configure a field device. A level sensor device may need
to perform a calibration and send a bulk file to a plant. The to perform a calibration and send a bulk file to a plant. The
routing protocol MUST support the ability to recompute paths based on routing protocol MUST support the ability to recompute paths based on
Network Layer abstractions of the underlying link attributes/metric network-layer abstractions of the underlying link attributes/metrics
that may change dynamically. that may change dynamically.
4.3. Different Routes for Different Flows 4.3. Different Routes for Different Flows
Because different services categories have different service Because different services categories have different service
requirements, it is often desirable to have different routes for requirements, it is often desirable to have different routes for
different data flows between the same two endpoints. For example, different data flows between the same two endpoints. For example,
alarm or periodic data from A to Z may require path diversity with alarm or periodic data from A to Z may require path diversity with
RFC 5673 Industrial Routing Reqs in LLNs October 2009
specific latency and reliability. A file transfer between A and Z specific latency and reliability. A file transfer between A and Z
may not need path diversity. The routing algorithm MUST be able to may not need path diversity. The routing algorithm MUST be able to
generate different routes with different characteristics (e.g. generate different routes with different characteristics (e.g.,
Optimized according to different cost, etc...). optimized according to different costs, etc.).
Dynanic or configured states of links and nodes influence the Dynamic or configured states of links and nodes influence the
capability of a given path to fulfill operational requirements such capability of a given path to fulfill operational requirements such
as stability, battery cost or latency. Constraints such as battery as stability, battery cost, or latency. Constraints such as battery
lifetime derive from the application itself, and because industrial lifetime derive from the application itself, and because industrial
applications data flows are typically well-defined and well- applications data flows are typically well-defined and well-
controlled, it is usually possible to estimate the battery controlled, it is usually possible to estimate the battery
consumption of a router for a given topology. consumption of a router for a given topology.
The routing protocol MUST support the ability to (re)compute paths The routing protocol MUST support the ability to (re)compute paths
based on Network Layer abstractions of upper layer constraints to based on network-layer abstractions of upper-layer constraints to
maintain the level of operation within required parameters. Such maintain the level of operation within required parameters. Such
information MAY be advertised by the routing protocol as metrics that information MAY be advertised by the routing protocol as metrics that
enable routing algorithms to establish appropriate paths that fit the enable routing algorithms to establish appropriate paths that fit the
upper layer constraints. upper-layer constraints.
The handling of an IPv6 packet by the Network Layer operates on the The handling of an IPv6 packet by the network layer operates on the
standard properties and the settings of the IPv6 packet header standard properties and the settings of the IPv6 packet header
fields. These fields include the 3-tuple of the Flow Label and the fields. These fields include the 3-tuple of the Flow Label and the
Source and Destination Address that can be used to identify a flow Source and Destination Address that can be used to identify a flow
and the Traffic Class octet that can be used to influence the Per Hop and the Traffic Class octet that can be used to influence the Per Hop
Behavior in intermediate routers. Behavior in intermediate routers.
An application MAY choose how to set those fields for each packet or An application MAY choose how to set those fields for each packet or
for streams of packets, and the routing protocol specification SHOULD for streams of packets, and the routing protocol specification SHOULD
state how different field settings will be handled to perform state how different field settings will be handled to perform
different routing decisions. different routing decisions.
5. Reliability Requirements 5. Reliability Requirements
LLN reliability constitutes several unrelated aspects: LLN reliability constitutes several unrelated aspects:
1) Availability of source to destination connectivity when the 1) Availability of source-to-destination connectivity when the
application needs it, expressed in number of succeses / number of application needs it, expressed in number of successes divided by
attempts number of attempts.
2) Availability of source to destination connectivity when the 2) Availability of source-to-destination connectivity when the
application might need it, expressed in number of potential application might need it, expressed in number of potential
failures / available bandwidth, failures / available bandwidth,
3) Ability, expressed in number of successes divided by number of 3) Ability, expressed in number of successes divided by number of
attempts to get data delivered from source to destination within attempts to get data delivered from source to destination within
a capped time, a capped time,
RFC 5673 Industrial Routing Reqs in LLNs October 2009
4) How well a network (serving many applications) achieves end-to- 4) How well a network (serving many applications) achieves end-to-
end delivery of packets within a bounded latency end delivery of packets within a bounded latency,
5) Trustworthiness of data that is delivered to the sinks. 5) Trustworthiness of data that is delivered to the sinks,
6) and others depending on the specific case... 6) and others depending on the specific case.
This makes quantifying reliability the equivalent of plotting it on a This makes quantifying reliability the equivalent of plotting it on a
three plus dimensional graph. Different applications have different three (or more) dimensional graph. Different applications have
requirements, and expressing reliability as a one dimensional different requirements, and expressing reliability as a one
parameter, like 'reliability my wireless network is 99.9%' is often dimensional parameter, like 'reliability on my wireless network is
creating more confusion than clarity. 99.9%' often creates more confusion than clarity.
The impact of not receiving sensor data due to sporadic network The impact of not receiving sensor data due to sporadic network
outages can be devastating if this happens unnoticed. However, if outages can be devastating if this happens unnoticed. However, if
destinations that expect periodic sensor data or alarm status destinations that expect periodic sensor data or alarm status updates
updates, fail to get them, then automatically these systems can take fail to get them, then automatically these systems can take
appropriate actions that prevent dangerous situations. Pending the appropriate actions that prevent dangerous situations. Pending the
wireless application, appropriate action ranges from initiating a wireless application, appropriate action ranges from initiating a
shut down within 100 ms, to using a last known good value for as much shutdown within 100 ms, to using a last known good value for as much
as N successive samples, to sending out an operator into the plant to as N successive samples, to sending out an operator into the plant to
collect monthly data in the conventional way, i.e. some portable collect monthly data in the conventional way, i.e., some portable
sensor, paper and a clipboard. sensor, or paper and a clipboard.
The impact of receiving corrupted data, and not being able to detect The impact of receiving corrupted data, and not being able to detect
that received data is corrupt, is often more dangerous. Data that received data is corrupt, is often more dangerous. Data
corruption can either come from random bit errors due to white noise, corruption can either come from random bit errors due to white noise,
or from occasional bursty interference sources like thunderstorms or or from occasional bursty interference sources like thunderstorms or
leaky microwave ovens, but also from conscious attacks by leaky microwave ovens, but also from conscious attacks by
adversaries. adversaries.
Another critical aspect for the routing is the capability to ensure Another critical aspect for the routing is the capability to ensure
maximum disruption time and route maintainance. The maximum maximum disruption time and route maintenance. The maximum
disruption time is the time it takes at most for a specific path to disruption time is the time it takes at most for a specific path to
be restored when broken. Route maintainance ensures that a path is be restored when broken. Route maintenance ensures that a path is
monitored to be restored when broken within the maximum disruption monitored cannot stay disrupted for more than the maximum disruption
time. Maintenance should also ensure that a path continues to time. Maintenance should also ensure that a path continues to
provide the service for which it was established for instance in provide the service for which it was established, for instance, in
terms of bandwidth, jitter and latency. terms of bandwidth, jitter, and latency.
In industrial applications, availability is usually defined with In industrial applications, availability is usually defined with
respect to end-to-end delivery of packets within a bounded latency. respect to end-to-end delivery of packets within a bounded latency.
availability requirements vary over many orders of magnitude. Some Availability requirements vary over many orders of magnitude. Some
non-critical monitoring applications may tolerate a availability of non-critical monitoring applications may tolerate an availability of
less than 90% with hours of latency. Most industrial standards, such less than 90% with hours of latency. Most industrial standards, such
as HART7, have set user availability expectations at 99.9%. as HART7 [IEC62591], have set user availability expectations at
Regulatory requirements are a driver for some industrial 99.9%. Regulatory requirements are a driver for some industrial
applications. Regulatory monitoring requires high data integrity applications. Regulatory monitoring requires high data integrity
RFC 5673 Industrial Routing Reqs in LLNs October 2009
because lost data is assumed to be out of compliance and subject to because lost data is assumed to be out of compliance and subject to
fines. This can drive up either availability, or thrustworthiness fines. This can drive up either availability or trustworthiness
requirements. requirements.
Because LLN link stability is often low, path diversity is critical. Because LLN link stability is often low, path diversity is critical.
Hop-by-hop link diversity is used to improve latency-bounded Hop-by-hop link diversity is used to improve latency-bounded
reliability by sending data over diverse paths. reliability by sending data over diverse paths.
Because data from field devices are aggregated and funneled at the Because data from field devices are aggregated and funneled at the
LLN access point before they are routed to plant applications, LLN LLN access point before they are routed to plant applications, LLN
access point redundancy is an important factor in overall access point redundancy is an important factor in overall
availability. A route that connects a field device to a plant availability. A route that connects a field device to a plant
application may have multiple paths that go through more than one LLN application may have multiple paths that go through more than one LLN
access point. The routing protocol MUST be able to compute paths of access point. The routing protocol MUST be able to compute paths of
not-necessarily-equal cost toward a given destination so as to enable not-necessarily-equal cost toward a given destination so as to enable
load balancing across a variety of paths. The availability of each load-balancing across a variety of paths. The availability of each
path in a multipath route can change over time. Hence, it is path in a multipath route can change over time. Hence, it is
important to measure the availability on a per-path basis and select important to measure the availability on a per-path basis and select
a path (or paths) according to the availability requirements. a path (or paths) according to the availability requirements.
6. Device-Aware Routing Requirements 6. Device-Aware Routing Requirements
Wireless LLN nodes in industrial environments are powered by a Wireless LLN nodes in industrial environments are powered by a
variety of sources. Battery operated devices with lifetime variety of sources. Battery-operated devices with lifetime
requirements of at least five years are the most common. Battery requirements of at least five years are the most common. Battery
operated devices have a cap on their total energy, and typically can operated devices have a cap on their total energy, and typically can
report an estimate of remaining energy, and typically do not have report an estimate of remaining energy, and typically do not have
constraints on the short-term average power consumption. Energy constraints on the short-term average power consumption. Energy-
scavenging devices are more complex. These systems contain both a scavenging devices are more complex. These systems contain both a
power scavenging device (such as solar, vibration, or temperature power-scavenging device (such as solar, vibration, or temperature
difference) and an energy storage device, such as a rechargeable difference) and an energy storage device, such as a rechargeable
battery or a capacitor. These systems, therefore, have limits on battery or a capacitor. These systems, therefore, have limits on
both long-term average power consumption (which cannot exceed the both long-term average power consumption (which cannot exceed the
average scavenged power over the same interval) as well as the short- average scavenged power over the same interval) as well as the short-
term limits imposed by the energy storage requirements. For solar- term limits imposed by the energy storage requirements. For solar-
powered systems, the energy storage system is generally designed to powered systems, the energy storage system is generally designed to
provide days of power in the absence of sunlight. Many industrial provide days of power in the absence of sunlight. Many industrial
sensors run off of a 4-20 mA current loop, and can scavenge on the sensors run off of a 4-20 mA current loop, and can scavenge on the
order of milliwatts from that source. Vibration monitoring systems order of milliwatts from that source. Vibration monitoring systems
are a natural choice for vibration scavenging, which typically only are a natural choice for vibration scavenging, which typically only
provides tens or hundreds of microwatts. Due to industrial provides tens or hundreds of microwatts. Due to industrial
temperature ranges and desired lifetimes, the choices of energy temperature ranges and desired lifetimes, the choices of energy
storage devices can be limited, and the resulting stored energy is storage devices can be limited, and the resulting stored energy is
often comparable to the energy cost of sending or receiving a packet often comparable to the energy cost of sending or receiving a packet
rather than the energy of operating the node for several days. And rather than the energy of operating the node for several days. And
of course, some nodes will be line-powered. of course, some nodes will be line-powered.
RFC 5673 Industrial Routing Reqs in LLNs October 2009
Example 1: solar panel, lead-acid battery sized for two weeks of Example 1: solar panel, lead-acid battery sized for two weeks of
rain. rain.
Example 2: vibration scavenger, 1mF tantalum capacitor. Example 2: vibration scavenger, 1 mF tantalum capacitor.
Field devices have limited resources. Low-power, low-cost devices Field devices have limited resources. Low-power, low-cost devices
have limited memory for storing route information. Typical field have limited memory for storing route information. Typical field
devices will have a finite number of routes they can support for devices will have a finite number of routes they can support for
their embedded sensor/actuator application and for forwarding other their embedded sensor/actuator application and for forwarding other
devices packets in a mesh network slotted-link. devices packets in a mesh network slotted-link.
Users may strongly prefer that the same device have different Users may strongly prefer that the same device have different
lifetime requirements in different locations. A sensor monitoring a lifetime requirements in different locations. A sensor monitoring a
non-critical parameter in an easily accessed location may have a non-critical parameter in an easily accessed location may have a
lifetime requirement that is shorter and tolerate more statistical lifetime requirement that is shorter and may tolerate more
variation than a mission-critical sensor in a hard-to-reach place statistical variation than a mission-critical sensor in a hard-to-
that requires a plant shutdown in order to replace. reach place that requires a plant shutdown in order to replace.
The routing algorithm MUST support node-constrained routing (e.g. The routing algorithm MUST support node-constrained routing (e.g.,
taking into account the existing energy state as a node constraint). taking into account the existing energy state as a node constraint).
Node constraints include power and memory, as well as constraints Node constraints include power and memory, as well as constraints
placed on the device by the user, such as battery life. placed on the device by the user, such as battery life.
7. Broadcast/Multicast requirements 7. Broadcast/Multicast Requirements
Some existing industrial plant applications do not use broadcast or Some existing industrial plant applications do not use broadcast or
multicast addressing to communicate to field devices. Unicast multicast addressing to communicate to field devices. Unicast
address support is sufficient for them. address support is sufficient for them.
In some other industrial process automation environments, multicast In some other industrial process automation environments, multicast
over IP is used to deliver to multiple nodes that may be over IP is used to deliver to multiple nodes that may be functionally
functionally-similar or not. Example usages are: similar or not. Example usages are:
1) Delivery of alerts to multiple similar servers in an automation 1) Delivery of alerts to multiple similar servers in an automation
control room. Alerts are multicast to a group address based on control room. Alerts are multicast to a group address based on
the part of the automation process where the alerts arose (e.g., the part of the automation process where the alerts arose (e.g.,
the multicast address "all-nodes-interested-in-alerts-for- the multicast address "all-nodes-interested-in-alerts-for-
process-unit-X"). This is always a restricted-scope multicast, process-unit-X"). This is always a restricted-scope multicast,
not a broadcast not a broadcast.
2) Delivery of common packets to multiple routers over a backbone, 2) Delivery of common packets to multiple routers over a backbone,
where the packets results in each receiving router initiating where the packets result in each receiving router initiating
multicast (sometimes as a full broadcast) within the LLN. For multicast (sometimes as a full broadcast) within the LLN. For
instance, This can be a byproduct of having potentially instance, this can be a byproduct of having potentially
physically separated backbone routers that can inject messages physically separated backbone routers that can inject messages
into different portions of the same larger LLN. into different portions of the same larger LLN.
RFC 5673 Industrial Routing Reqs in LLNs October 2009
3) Publication of measurement data to more than one subscriber. 3) Publication of measurement data to more than one subscriber.
This feature is useful in some peer to peer control applications. This feature is useful in some peer-to-peer control applications.
For example, level position may be useful to a controller that For example, level position may be useful to a controller that
operates the flow valve and also to the overfill alarm indicator. operates the flow valve and also to the overfill alarm indicator.
Both controller and alarm indicator would receive the same Both controller and alarm indicator would receive the same
publication sent as a multicast by the level gauge. publication sent as a multicast by the level gauge.
All of these uses require an 1:N security mechanism as well; they All of these uses require an 1:N security mechanism as well; they
aren't of any use if the end-to-end security is only point-to-point. aren't of any use if the end-to-end security is only point-to-point.
It is quite possible that first-generation wireless automation field It is quite possible that first-generation wireless automation field
networks can be adequately useful without either of these networks can be adequately useful without either of these
capabilities, but in the near future, wireless field devices with capabilities, but in the near future, wireless field devices with
communication controllers and protocol stacks will require control communication controllers and protocol stacks will require control
and configuration, such as firmware downloading, that may benefit and configuration, such as firmware downloading, that may benefit
from broadcast or multicast addressing. from broadcast or multicast addressing.
The routing protocol SHOULD support multicast addressing. The routing protocol SHOULD support multicast addressing.
8. Protocol Performance requirements 8. Protocol Performance Requirements
The routing protocol MUST converge after the addition of a new device The routing protocol MUST converge after the addition of a new device
within several minutes, and SHOULD converge within tens of seconds within several minutes, and SHOULD converge within tens of seconds
such that a device is able to establish connectivity to any other such that a device is able to establish connectivity to any other
point in the network or determine that there is a connectivity issue. point in the network or determine that there is a connectivity issue.
Any routing algorithm used to determine how to route packets in the Any routing algorithm used to determine how to route packets in the
network, MUST be capable of routing packets to and from a newly added network, MUST be capable of routing packets to and from a newly added
device within the several minutes of its addition, and SHOULD be able device within several minutes of its addition, and SHOULD be able to
to perform this function within tens of seconds. perform this function within tens of seconds.
The routing protocol MUST distribute sufficient information about The routing protocol MUST distribute sufficient information about
link failures to enable traffic to be routed such that all service link failures to enable traffic to be routed such that all service
requirements (especially latency) continue to be met. This places a requirements (especially latency) continue to be met. This places a
requirement on the speed of distribution and convergence of this requirement on the speed of distribution and convergence of this
information as well as the responsiveness of any routing algorithms information as well as the responsiveness of any routing algorithms
used to determine how to route packets. This requirement only used to determine how to route packets. This requirement only
applies at normal link failure rates (see Section 5) and MAY degrade applies at normal link failure rates (see Section 5) and MAY degrade
during failure storms. during failure storms.
Any algorithm that computes routes for packets in the network MUST be Any algorithm that computes routes for packets in the network MUST be
able to perform route computations in advance of needing to use the able to perform route computations in advance of needing to use the
route. Since such algorithms are required to react to link failures, route. Since such algorithms are required to react to link failures,
link usage information, and other dynamic link properties as the link usage information, and other dynamic link properties as the
information is distributed by the routing protocol, the algorithms information is distributed by the routing protocol, the algorithms
SHOULD recompute route based on new the receipt of new information. SHOULD recompute route based on the receipt of new information.
9. Mobility requirements RFC 5673 Industrial Routing Reqs in LLNs October 2009
9. Mobility Requirements
Various economic factors have contributed to a reduction of trained Various economic factors have contributed to a reduction of trained
workers in the plant. The industry as a whole appears to be trying workers in the industrial plant. A very common problem is that of
to solve this problem with what is called the "wireless worker". the "wireless worker". Carrying a PDA or something similar, this
Carrying a PDA or something similar, this worker will be able to worker will be able to accomplish more work in less time than the
accomplish more work in less time than the older, better-trained older, better-trained workers that he or she replaces. Whether the
workers that he or she replaces. Whether the premise is valid, the premise is valid, the use case is commonly presented: the worker will
use case is commonly presented: the worker will be wirelessly be wirelessly connected to the plant IT system to download
connected to the plant IT system to download documentation, documentation, instructions, etc., and will need to be able to
instructions, etc., and will need to be able to connect "directly" to connect "directly" to the sensors and control points in or near the
the sensors and control points in or near the equipment on which he equipment on which he or she is working. It is possible that this
or she is working. It is possible that this "direct" connection "direct" connection could come via the normal LLNs data collection
could come via the normal LLNs data collection network. This network. This connection is likely to require higher bandwidth and
connection is likely to require higher bandwidth and lower latency lower latency than the normal data collection operation.
than the normal data collection operation.
PDAs are typically used as the user interfaces for plant historians, PDAs are typically used as the user interfaces for plant historians,
asset management systems, and the likes. Undecided yet is if these asset management systems, and the like. It is undecided if these
PDAs will use the LLN network directly to talk to field sensors, or PDAs will use the LLN directly to talk to field sensors, or if they
if they will rather use other wireless connectivity that proxys back will rather use other wireless connectivity that proxies back into
into the field, or to anywhere else. the field or to anywhere else.
The routing protocol SHOULD support the wireless worker with fast The routing protocol SHOULD support the wireless worker with fast
network connection times of a few of seconds, and low command and network connection times of a few of seconds, and low command and
response latencies to the plant behind the LLN access points, to response latencies to the plant behind the LLN access points, to
applications, and to field devices. The routing protocol SHOULD also applications, and to field devices. The routing protocol SHOULD also
support the bandwidth allocation for bulk transfers between the field support the bandwidth allocation for bulk transfers between the field
device and the handheld device of the wireless worker. The routing device and the handheld device of the wireless worker. The routing
protocol SHOULD support walking speeds for maintaining network protocol SHOULD support walking speeds for maintaining network
connectivity as the handheld device changes position in the wireless connectivity as the handheld device changes position in the wireless
network. network.
Some field devices will be mobile. These devices may be located on Some field devices will be mobile. These devices may be located on
moving parts such as rotating components or they may be located on moving parts such as rotating components, or they may be located on
vehicles such as cranes or fork lifts. The routing protocol SHOULD vehicles such as cranes or fork lifts. The routing protocol SHOULD
support vehicular speeds of up to 35 kmph. support vehicular speeds of up to 35 kmph.
10. Manageability requirements 10. Manageability Requirements
The process and control industry is manpower constrained. The aging The process and control industry is manpower constrained. The aging
demographics of plant personnel are causing a looming manpower demographics of plant personnel are causing a looming manpower
problem for industry across many markets. The goal for the problem for industry across many markets. The goal for the
industrial networks is to have the installation process not require industrial networks is to have the installation process not require
any new skills for the plant personnel. The person would install the any new skills for the plant personnel. The person would install the
wireless sensor or wireless actuator the same way the wired sensor or wireless sensor or wireless actuator the same way the wired sensor or
wired actuator is installed, except the step to connect wire is wired actuator is installed, except the step to connect wire is
eliminated. eliminated.
RFC 5673 Industrial Routing Reqs in LLNs October 2009
Most users in fact demand even much further simplified provisioning Most users in fact demand even much further simplified provisioning
methods, a plug and play operation that would be fully transparent to methods, a plug and play operation that would be fully transparent to
the user. This requires availability of open and untrusted side the user. This requires availability of open and untrusted side
channels for new joiners, and it requires strong and automated channels for new joiners, and it requires strong and automated
authentication so that networks can automatically accept or reject authentication so that networks can automatically accept or reject
new joiners. Ideally, for a user, adding new routing devices should new joiners. Ideally, for a user, adding new routing devices should
be as easy as dragging and dropping an icon from a pool of be as easy as dragging and dropping an icon from a pool of
authenticated new joiners into a pool for the wired domain that this authenticated new joiners into a pool for the wired domain that this
new sensor should connect to. Under the hood, invisible to the user, new sensor should connect to. Under the hood, invisible to the user,
auditable security mechanisms should take care of new device auditable security mechanisms should take care of new device
authentication, and secret join key distribution. These more authentication, and secret join key distribution. These more
sophisticated 'over the air' secure provisioning methods should sophisticated 'over the air' secure provisioning methods should
eliminate the use of traditional configuration tools for setting up eliminate the use of traditional configuration tools for setting up
devices prior to being ready to securely join a LLN access point. devices prior to being ready to securely join an LLN access point.
The routing protocol SHOULD be fully configurable over the air as The routing protocol SHOULD be fully configurable over the air as
part of the joining process of a new routing device. part of the joining process of a new routing device.
There will be many new applications where even without any human There will be many new applications where even without any human
intervention at the plant, devices that have never been on site intervention at the plant, devices that have never been on site
before, should be allowed, based on their credentials and crypto before, should be allowed, based on their credentials and
capabilities, to connect anyway. Examples are 3rd party road cryptographic capabilities, to connect anyway. Examples are third-
tankers, rail cargo containers with overfill protection sensors, or party road tankers, rail cargo containers with overfill protection
consumer cars that need to be refueled with hydrogen by robots at sensors, or consumer cars that need to be refueled with hydrogen by
future petrol stations. robots at future fueling stations.
The routing protocol for LLNs is expected to be easy to deploy and The routing protocol for LLNs is expected to be easy to deploy and
manage. Because the number of field devices in a network is large, manage. Because the number of field devices in a network is large,
provisioning the devices manually may not make sense. The proper provisioning the devices manually may not make sense. The proper
operation of the routing protocol MAY require that the node be operation of the routing protocol MAY require that the node be
commissioned with information about itself, like identity, security commissioned with information about itself, like identity, security
tokens, radio standards and frequencies, etc... tokens, radio standards and frequencies, etc.
The routing protocol SHOULD NOT require to preprovision information The routing protocol SHOULD NOT require to preprovision information
about the environment where the node will be deployed. The routing about the environment where the node will be deployed. The routing
protocol MUST enable the full discovery and setup of the environment protocol MUST enable the full discovery and setup of the environment
(available links, selected peers, reachable network). The protocol (available links, selected peers, reachable network). The protocol
MUST enable the distribution of its own configuration to be performed MUST enable the distribution of its own configuration to be performed
by some external mechanism from a centralized management controller. by some external mechanism from a centralized management controller.
11. Antagonistic requirements 11. Antagonistic Requirements
This document contains a number of strongly required constraints on This document contains a number of strongly required constraints on
the ROLL routing protocol. Some of those strong requirements might the ROLL routing protocol. Some of those strong requirements might
appear antagonistic and as such impossible to fulfill at a same time. appear antagonistic and, as such, impossible to fulfill at the same
time.
RFC 5673 Industrial Routing Reqs in LLNs October 2009
For instance, the strong requirement of power economy applies on For instance, the strong requirement of power economy applies on
general routing but is variant since it is reasonable to spend more general routing but is variant since it is reasonable to spend more
energy on ensuring the availability of a short emergency closed loop energy on ensuring the availability of a short emergency closed-loop
path than it is to maintain an alert path that is used for regular path than it is to maintain an alert path that is used for regular
updates on the operating status of the device. In a same fashion, updates on the operating status of the device. In the same fashion,
the strong requirement on easy provisionning does not match easily the strong requirement on easy provisioning does not match easily the
the strong security requirements that can be needed to implement a strong security requirements that can be needed to implement a
factory policy. Then again, a non default non trivial setup can be factory policy. Then again, a non-default non-trivial setup can be
acceptable long as the default enables to join without configuration acceptable as long as the default configuration enables a device to
and yet some degree of security. join with some degree of security.
Convergence time and network size are also antagonistic. The values Convergence time and network size are also antagonistic. The values
expressed in the Protocol Performance requirements section apply to expressed in Section 8 ("Protocol Performance Requirements") apply to
an average network with tens of devices. The use of a backbone can an average network with tens of devices. The use of a backbone can
maintain that level of performance and still enable to grow the maintain that level of performance and still enable to grow the
network to thousands of node. In any case, it is acceptable to grow network to thousands of node. In any case, it is acceptable to grow
reasonabily the convergence time with the network size. reasonably the convergence time with the network size.
12. Security Considerations 12. Security Considerations
Given that wireless sensor networks in industrial automation operate Given that wireless sensor networks in industrial automation operate
in systems that have substantial financial and human safety in systems that have substantial financial and human safety
implications, security is of considerable concern. Levels of implications, security is of considerable concern. Levels of
security violation that are tolerated as a "cost of doing business" security violation that are tolerated as a "cost of doing business"
in the banking industry are not acceptable when in some cases in the banking industry are not acceptable when in some cases
literally thousands of lives may be at risk. literally thousands of lives may be at risk.
Security is easily confused with guarantee for availability. When Security is easily confused with guarantee for availability. When
discussing wireless security, it's important to distinguish clearly discussing wireless security, it's important to distinguish clearly
between the risks of temporarily losing connectivity, say due to a between the risks of temporarily losing connectivity, say due to a
thunderstorm, and the risks associated with knowledgeable adversaries thunderstorm, and the risks associated with knowledgeable adversaries
attacking a wireless system. The conscious attacks need to be split attacking a wireless system. The conscious attacks need to be split
between 1) attacks on the actual application served by the wireless between 1) attacks on the actual application served by the wireless
devices and 2) attacks that exploit the presence of a wireless access devices and 2) attacks that exploit the presence of a wireless access
point that may provide connectivity onto legacy wired plant networks, point that may provide connectivity onto legacy wired plant networks,
so attacks that have little to do with the wireless devices in the so these are attacks that have little to do with the wireless devices
LLNs. The second type of attack, access points that might be in the LLNs. In the second type of attack, access points that might
wireless backdoors that may allow an attacker outside the fence to be wireless backdoors that allow an attacker outside the fence to
access typically non-secured process control and/or office networks, access typically non-secured process control and/or office networks
are typically the ones that do create exposures where lives are at are typically the ones that do create exposures where lives are at
risk. This implies that the LLN access point on its own must possess risk. This implies that the LLN access point on its own must possess
functionality that guarantees domain segregation, and thus prohibits functionality that guarantees domain segregation, and thus prohibits
many types of traffic further upstream. many types of traffic further upstream.
Current generation industrial wireless device manufactures are The current generation of industrial wireless device manufacturers is
specifying security at the MAC layer and the transport layer. A specifying security at the MAC (Media Access Control) layer and the
shared key is used to authenticate messages at the MAC layer. At the transport layer. A shared key is used to authenticate messages at
transport layer, commands are encrypted with statistically unique the MAC layer. At the transport layer, commands are encrypted with
randomly-generated end-to-end Session keys. HART7 and ISA100.11a are
examples of security systems for industrial wireless networks. RFC 5673 Industrial Routing Reqs in LLNs October 2009
statistically unique randomly generated end-to-end session keys.
HART7 [IEC62591] and ISA100.11a are examples of security systems for
industrial wireless networks.
Although such symmetric key encryption and authentication mechanisms Although such symmetric key encryption and authentication mechanisms
at MAC and transport layers may protect reasonably well during the at MAC and transport layers may protect reasonably well during the
lifecycle, the initial network boot (provisioning) step in many cases lifecycle, the initial network boot (provisioning) step in many cases
requires more sophisticated steps to securely land the initial secret requires more sophisticated steps to securely land the initial secret
keys in field devices. It is vital that also during these steps, the keys in field devices. Also, it is vital that during these steps,
ease of deployment and the freedom of mixing and matching products the ease of deployment and the freedom of mixing and matching
from different suppliers does not complicate life for those that products from different suppliers does not complicate life for those
deploy and commission. Given average skill levels in the field, and that deploy and commission. Given the average skill levels in the
given serious resource constraints in the market, investing a little field and the serious resource constraints in the market, investing a
bit more in sensor node hardware and software so that new devices little bit more in sensor-node hardware and software so that new
automatically can be deemed trustworthy, and thus automatically join devices automatically can be deemed trustworthy, and thus
the domains that they should join, with just one drag and drop action automatically join the domains that they should join, with just one
for those in charge of deploying, will yield in faster adoption and drag-and-drop action for those in charge of deploying, will yield
proliferation of the LLN technology. faster adoption and proliferation of the LLN technology.
Industrial plants may not maintain the same level of physical Industrial plants may not maintain the same level of physical
security for field devices that is associated with traditional security for field devices that is associated with traditional
network sites such as locked IT centers. In industrial plants it network sites such as locked IT centers. In industrial plants, it
must be assumed that the field devices have marginal physical must be assumed that the field devices have marginal physical
security and might be compromised. The routing protocol SHOULD limit security and might be compromised. The routing protocol SHOULD limit
the risk incurred by one node being compromised, for instance by the risk incurred by one node being compromised, for instance by
proposing non congruent path for a given route and balancing the proposing a non-congruent path for a given route and balancing the
traffic across the network. traffic across the network.
The routing protocol SHOULD compartmentalize the trust placed in The routing protocol SHOULD compartmentalize the trust placed in
field devices so that a compromised field device does not destroy the field devices so that a compromised field device does not destroy the
security of the whole network. The routing MUST be configured and security of the whole network. The routing MUST be configured and
managed using secure messages and protocols that prevent outsider managed using secure messages and protocols that prevent outsider
attacks and limit insider attacks from field devices installed in attacks and limit insider attacks from field devices installed in
insecure locations in the plant. insecure locations in the plant.
The wireless environment typically forces the abandonment of The wireless environment typically forces the abandonment of
classical 'by perimeter' thinking when trying to secure network classical 'by perimeter' thinking when trying to secure network
domains. Wireless nodes in LLN networks should thus be regarded as domains. Wireless nodes in LLN networks should thus be regarded as
little islands with trusted kernels, situated in an ocean of little islands with trusted kernels, situated in an ocean of
untrusted connectivity, an ocean that might be full of pirate ships. untrusted connectivity, an ocean that might be full of pirate ships.
Consequently, confidence in node identity and ability to challenge Consequently, confidence in node identity and ability to challenge
authenticity of source node credentials gets more relevant. authenticity of source node credentials gets more relevant.
Cryptographic boundaries inside devices that clearly demark the Cryptographic boundaries inside devices that clearly demark the
border between trusted and untrusted areas need to be drawn. border between trusted and untrusted areas need to be drawn.
Protection against compromise of the cryptographic boundaries inside Protection against compromise of the cryptographic boundaries inside
the hardware of devices is outside of the scope this document. the hardware of devices is outside of the scope of this document.
RFC 5673 Industrial Routing Reqs in LLNs October 2009
Note that because nodes are usually expected to be capable of Note that because nodes are usually expected to be capable of
routing, the end node security requirements are usually a superset of routing, the end-node security requirements are usually a superset of
the router requirements, in order to prevent a end node from being the router requirements, in order to prevent a end node from being
used to inject forged information into the network that could alter used to inject forged information into the network that could alter
the plant operations. the plant operations.
Additional details of security across all application scenarios are Additional details of security across all application scenarios are
provided in the ROLL security Framework provided in the ROLL security framework [ROLL-SEC-FMWK].
[I-D.tsao-roll-security-framework]. Implications of these security Implications of these security requirements for the routing protocol
requirements for the routing protocol itself are a topic for future itself are a topic for future work.
work.
13. IANA Considerations 13. Acknowledgements
This document includes no request to IANA. Many thanks to Rick Enns, Alexander Chernoguzov, and Chol Su Kang for
their contributions.
14. Acknowledgements 14. References
Many thanks to Rick Enns, Alexander Chernoguzov and Chol Su Kang for 14.1. Normative References
their contributions.
15. References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.
15.1. Normative References 14.2. Informative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [HART] HART (Highway Addressable Remote Transducer)
Requirement Levels", BCP 14, RFC 2119, March 1997. Communication Foundation, "HART Communication
Protocol and Foundation - Home Page",
<http://www.hartcomm.org>.
15.2. Informative References [IEC61158] IEC, "Industrial communication networks - Fieldbus
specifications", IEC 61158 series.
[I-D.ietf-roll-terminology] [IEC62591] IEC, "Industrial communication networks - Wireless
Vasseur, J., "Terminology in Low power And Lossy communication network and communication profiles -
Networks", draft-ietf-roll-terminology-01 (work in WirelessHART", IEC 62591.
progress), May 2009.
[I-D.tsao-roll-security-framework] [IEEE802.15.4] IEEE, "Telecommunications and information exchange
Tsao, T., Alexander, R., Dohler, M., Daza, V., and A. between systems -- Local and metropolitan area
Lozano, "A Security Framework for Routing over Low Power networks -- Specific requirements Part 15.4:
and Lossy Networks", draft-tsao-roll-security-framework-00 Wireless Medium Access Control (MAC) and Physical
(work in progress), February 2009. Layer (PHY) Specifications for Low-Rate Wireless
Personal Area Networks (WPANs)", IEEE 802.15.4,
2006.
15.3. External Informative References RFC 5673 Industrial Routing Reqs in LLNs October 2009
[HART] www.hartcomm.org, "Highway Addressable Remote Transducer", [ISA100.11a] ISA, "Wireless systems for industrial automation:
a group of specifications for industrial process and Process control and related applications",
control devices administered by the HART Foundation". ISA 100.11a, May 2008, <http://www.isa.org/
Community/SP100WirelessSystemsforAutomation>.
[ISA100.11a] [RFC4919] Kushalnagar, N., Montenegro, G., and C. Schumacher,
ISA, "ISA100, Wireless Systems for Automation", May 2008, "IPv6 over Low-Power Wireless Personal Area Networks
< http://www.isa.org/Community/ (6LoWPANs): Overview, Assumptions, Problem
SP100WirelessSystemsforAutomation>. Statement, and Goals", RFC 4919, August 2007.
[ROLL-SEC-FMWK] Tsao, T., Alexander, R., Dohler, M., Daza, V., and
A. Lozano, "A Security Framework for Routing over
Low Power and Lossy Networks", Work in Progress,
September 2009.
[ROLL-TERM] Vasseur, JP., "Terminology in Low power And Lossy
Networks", Work in Progress, October 2009.
RFC 5673 Industrial Routing Reqs in LLNs October 2009
Authors' Addresses Authors' Addresses
Kris Pister (editor) Kris Pister (editor)
Dust Networks Dust Networks
30695 Huntwood Ave. 30695 Huntwood Ave.
Hayward, 94544 Hayward, CA 94544
USA USA
Email: kpister@dustnetworks.com EMail: kpister@dustnetworks.com
Pascal Thubert (editor) Pascal Thubert (editor)
Cisco Systems Cisco Systems
Village d'Entreprises Green Side Village d'Entreprises Green Side
400, Avenue de Roumanille 400, Avenue de Roumanille
Batiment T3 Batiment T3
Biot - Sophia Antipolis 06410 Biot - Sophia Antipolis 06410
FRANCE FRANCE
Phone: +33 497 23 26 34 Phone: +33 497 23 26 34
Email: pthubert@cisco.com EMail: pthubert@cisco.com
Sicco Dwars Sicco Dwars
Shell Global Solutions International B.V. Shell Global Solutions International B.V.
Sir Winston Churchilllaan 299 Sir Winston Churchilllaan 299
Rijswijk 2288 DC Rijswijk 2288 DC
Netherlands Netherlands
Phone: +31 70 447 2660 Phone: +31 70 447 2660
Email: sicco.dwars@shell.com EMail: sicco.dwars@shell.com
Tom Phinney Tom Phinney
Consultant
5012 W. Torrey Pines Circle 5012 W. Torrey Pines Circle
Glendale, AZ 85308-3221 Glendale, AZ 85308-3221
USA USA
Phone: +1 602 938 3163 Phone: +1 602 938 3163
Email: tom.phinney@cox.net EMail: tom.phinney@cox.net
 End of changes. 186 change blocks. 
411 lines changed or deleted 470 lines changed or added

This html diff was produced by rfcdiff 1.37a. The latest version is available from http://tools.ietf.org/tools/rfcdiff/