secure autoconfiguration and routing in an ipv6-based ad hoc network
DESCRIPTION
Secure Autoconfiguration and Routing in an IPv6-Based Ad Hoc Network. Jehn-Ruey Jiang National Central University. Outline. IPv6 Overview Ad Hoc Networks IP Autoconfiguration CGA S-DSR Conclusion. Outline. IPv6 Overview Ad Hoc Networks IP Autoconfiguration CGA S-DSR Conclusion. - PowerPoint PPT PresentationTRANSCRIPT
Secure Autoconfiguration and Routing in an
IPv6-Based Ad Hoc Network
Jehn-Ruey Jiang
National Central University
Outline IPv6 Overview Ad Hoc Networks IP Autoconfiguration CGA S-DSR Conclusion
Outline IPv6 Overview Ad Hoc Networks IP Autoconfiguration CGA S-DSR Conclusion
Internet History 1969: ARPANET (using Network Control Protocol, NCP) 1974: TCP/IP (by Vinton Cerf and Bob Kahn) 1981: IPv4 (RFC 791) 1984: NSFNet (using Transmission Control
Protocol/Internet Protocol, TCP/IP) 1990: ARPANET retired 1991: WWW (World Wide Web) (by Tim Berners-Lee) 1993: NCSA Mosaic (by Mark Andreesen) → Netscape
Navigator 1990s: Internet 2000s: internet
IPv6 History 1992: IPng (Next Generation IP) began in IETF (Internet
Engineering Task Force) working groups 1994: IPv6, announced by IESG(Internet Engineering
Steering Group) (RFC 1752) (IPv5 is for a stream protocol)
1998: IP Version 6 Addressing Architecture [July] (RFC2373)
1998: Internet Protocol, Version 6 (IPv6) Specification [December] (RFC2460)
IPv6 Features Expanded address space
128 bits ( 3.4*1038 IP Addresses) Auto-configuration
Stateless (Prefix + EUI-64), Stateful (DHCPv6), Addressing Lifetime (Age for renumbering)
Quality of Service 20-bit Flow Label enables identification of traffic flows for real-time Voice and Video stream
Integrated Security SupportIPSec(AH Header+ESP Header)
MobilityNo Foreign Agent, Free of Triangle routing, Plug&Play (Care-of Address)
IPv6 Vision
Source: NDHU
IPv6 IPv6 Anything, Anytime, Anywhere Anything, Anytime, AnywhereConnection to Internet Connection to Internet
Outline IPv6 Overview Ad Hoc Networks IP Autoconfiguration CGA S-DSR Conclusion
Ad hoc Networks
Ad hoc: formed, arranged, or done (often temporarily) for a particular purpose only
Ad Hoc Network (MANET):A collection of wireless mobile hosts forming a temporary network without the aid of established infrastructure or centralized administration
Infrastructure vs Ad-hoc Modesinfrastructure network
ad-hoc network
APAP
AP
wired network
ad-hoc network
Multi-hop ad hoc network
Applications of MANETs
Battlefields
Disaster rescue
Spontaneous meetings
Outdoor activities
MANET Routing Protocols
Table Driven (Proactive)
DSDV, FSR
On Demand (Reactive)
AODV, TORA, ABR, SSA
Hybrid
ZRP
Secure Routing Protocols
SAODVSRPSARCSERSEADAriadeneBSAR
Outline IPv6 Overview Ad Hoc Networks IP Autoconfiguration CGA S-DSR Conclusion
Stateful vs. Stateless
Stateful
DHCPv6
Stateless
DAD (Duplicate Address Detection)
DAD (1/3)
A function of NDP (Neighbor Discovery
Protocol)
Two types of messages
NS (Neighbor Solicitation)
NA (Neighbor Advertisement)
DAD (2/3)
Neighbor Solicitation
Host B
Host ATentative IP: FE80::2AA:FF:FE22:2222
IP : FE80::2AA:FF:FE22:2222
(multicast)
Ethernet Header: Dest. MAC is 33-33-FF-22-22-22IPv6Header: Source Address is :: Destination address is FF02::1NS Header : Target Address is FE80::2AA:FF:FE22:2222
DAD (3/3)
Neighbor Advertisement
Host B
Host ATentative IP: FE80::2AA:FF:FE22:2222
IP : FE80::2AA:FF:FE22:2222
(multicast)
Ethernet Header: Dest. MAC is 33-33-00-00-00-01IPv6Header: Source Address is FE80::2AA:FF:FE22:2222 Destination address is FF02::1NA Header : Target Address is FE80::2AA:FF:FE22:2222
Outline IPv6 Overview Ad Hoc Networks IP Autoconfiguration CGA S-DSR Conclusion
What is a CGA
Cryptographically Generated Address Also known as SUCV
(Statistically Unique and Cryptographically Verifiable) address
It associates a host's address with its public key in order for other hosts to verify the ownership of the address
Public Key and a CGA
Outline IPv6 Overview Ad Hoc Networks IP Autoconfiguration CGA S-DSR Conclusion
S-DSR Overview (1/2) Secure Dynamic Source Routing Protocol It incorporates
DSR protocolCGAAddress autoconfigurationDNS autoregistration and discovery
S-DSR Overview (2/2) It allows the network to be bootstrapped
without manual administration It can resist a variety of attacks, including
black hole attackreplay attackmessage forging attackmessage tampering attackDNS impersonation attack
S-DSR Assumption There is a publicly known one-way, collision-resistant
hashing function H, and there exists an IPv6 DNS server in the MANET. The DNS server has a public-private key pair, which is known by all mobile nodes prior to entering the MANET.
For a mobile which intends to own a permanent domain name, an entry (domain name, IP address) should have been placed at the DNS server before the network is formed. In this case, impersonate such hosts would be impossible.
For a mobile node which dose not intend to own a permanent domain name, its (domain name, IP address) entry can be registered with the DNS server on-line after the network is formed. We adopt the first-come-first-serve policy for registration of new domain names.
S-DSR Messages (1/2)8 types of messages:
S-DSR Messages (2/2)Definitions of symbols:
S-DSR DAD (1/4) On receiving AREQ(SIP,seq,DN,ch,RR), each
intermediate node appends its address into the route record RR and rebroadcasts the message.
When a node R receives an AREQ with SIP equal to its own IP address, it unicasts an address reply message AREP(SIP,seq,RR, [SIP,seq,ch]RSK, RPK,Rrn) to S along the reverse route derived from RR.
S-DSR DAD (2/4) The AREP message should also be
delivered to the DNS server through unicast When a DNS server N receives the AREQ
message and finds that the domain name in the DN field has already been registered by another host of address different from SIP, it will also unicast a DREP message (SIP, seq,RR, [SIP,seq,ch]NSK) to S.
S-DSR DAD (3/4) When the node S with a pending address
request receives the AREP message, it authenticates the integrity of the message as follows:It verifies if SIP matches with H(RPK,Rrn).
It decrypts [SIP,seq,ch]RSK by RPK and verifies if the decrypted result matches with [SIP,seq,ch].
If both checks pass, the AREP message is considered valid.
S-DSR DAD (4/4)
S-DSR Routing (1/5) On receiving (SIP,DIP,seq,SRR,[SIP,DIP,seq]
SSK,SPK,Snd), each intermediate node I appends [SIP,seq]ISK,IIP,IPK,Irn into the secure route record SRR and rebroadcasts the message.
S-DSR Routing (2/5) On receiving RREQ (SIP,DIP,seq,SRR,
[SIP,DIP,seq] SSK,SPK,Snd), it authenticates the message as follows:
1. It verifies if SIP matches with H(SPk, Srn).
2. It decrypts [SIP,DIP,seq]SSK by SPK and verifies if the decrypted result matches with [SIP,DIP,seq] indicated in the message.
S-DSR Routing (3/5)3. It verifies every IP address appearing in SRR.
For an IP address IIP, whose corresponding information is [SIP,seq]ISK, IIP, IPK,Irn, the verification is done by checking if IIP matches with H(IPK,Irn), and if [SIP,seq]ISK can be decrypted by IPk to be [SIP,seq].
4. It verifies if seq is greater than the sequence number of any RREQ message sent by S.
S-DSR Routing (4/5) If all the verifications are passed, the
RREQ message is considered valid. The destination node D then unicasts a
RREP Message (SIP,DIP,seq,RR,SR(D-S), [SIP,seq,SR(D-S)]DSK,DPK,Drn) to S along source route SR(D-S), which is derived form SRR.
S-DSR Routing (5/5)
Outline IPv6 Overview Ad Hoc Networks IP Autoconfiguration CGA S-DSR Conclusion
Conclusion (1/2) S-DSR can resist
Black hole attackRoute request (RREQ) message reply attackForged route request (RREQ) message attackForged address reply (AREP) message attackForged route error (RERR) message attackTampered control message attacksDNS server impersonation attack
Conclusion (2/2)Future work:
To extend S-DSR to be a credit-based protocol with the help of CGAs, in which each node keeps a record for each IP address to differentiate between favorable nodes and unfavorable nodes.
Publication
Yu-Chee Tseng, Jehn-Ruey Jiang, and Jih-Hsin Lee, “Secure Bootstrapping and Routing in an IPv6-Based Ad Hoc Network,” ICPP Workshop on Wireless Security and Privacy 2003, 2003.
Yu-Chee Tseng, Jehn-Ruey Jiang*, and Jih-Hsin Lee, “Secure Bootstrapping and Routing in an IPv6-Based Ad Hoc Network,” Journal of Internet Technology, Vol. 5, No. 2, pp.123-130, Feb. 2004.
Q&A