Routing Security in Ad Hoc Networks
Justin Lomheim, Shirshanka Das
Outline • Ad Hoc Networks • DSR Review • AODV Review • Specific Attacks on DSR and AODV • ARAN Protocol (e.g. secure AODV) • Questions • References
Ad Hoc Networks • infrastructureless • dynamic topologies (in mobile ad hoc nets) • variable capacity, limited bandwidth links • energy constrained operation • unicast, multicast, broadcast traffic • physical security considerations • currently AODV & DSR routing under consideration for IETF MANET specification
Ad Hoc On Demand Distance Vector (AODV) Review • distance vector algorithm using sequence numbers for updates (based on DSDV) • generates routes on-demand, reducing total number of broadcasts required • classified as a pure on-demand scheme, since nodes not involved in routing do not maintain routing info or participate in table exchanges
Dynamic Source Routing (DSR) Review • on-demand protocol based upon source routing • designed for scenarios where only a few source nodes flow to a few destination nodes • source and destination nodes gather routing info into caches, through exchange of flooded query and reply packets with full routing information • once discovered, routes are used as needed until they fail due to lost message transmissions
AODV and DSR Route Discovery • [Figure: nodes S, I and D exchanging RREQ and RREP messages; labels "No Route To D !!" and "Cache Hit !!"]
AODV Link Failure Mgmt • infinite metric assigned to broken links • if a node along a route moves, its upstream neighbor detects it and forwards a notification message (RREQ w/ infinite metric) • link breakage triggers notification back to users of formerly active links until source is reached, which may then re-initiate route discovery.
AODV versus DSR • Both use a similar mechanism of RREP, RREQ and route caching • AODV: maintains DV-type next-hop forwarding tables • DSR: relies on source routing
Specific Attacks on AODV & DSR • modification • sequence numbers • hop counts • source routes • tunneling • impersonation • fabrication • error messages • source routes (cache poisoning) • DoS • trivial DoS*
Modification of Sequence Numbers • In AODV • a malicious node may divert traffic through itself by advertising a route (via a RREP) with a much higher sequence number than the actual RREP
Modification of Hop Counts • In AODV • since routing decisions can involve the hop count metric, a malicious node can reset the hop count to zero to make itself more likely to be chosen along the path to the destination • A selfish node could use a high hop count to ensure no one routes through it in case it wants to save power
Modification of Source Routes • In DSR • as packets are delivered, a malicious node can simply remove necessary source route entries in the packet header • malicious node can drop any error messages coming back along the path
Tunneling • [Figure: falsely tunneled path; nodes S, M1, M2 and D; labels Encap and Decap]
Impersonation to create loops • [Figure, four frames: nodes A, B, C, D, E, X and node M]
Fabrication Attacks • False route error messages in AODV and DSR • Route Cache poisoning
Challenges • No centrally administered secure routers • No strict security policies • Highly dynamic nature of mobile ad hoc networks • Current ad hoc routing protocols trust all participating nodes
Problem • Secure ad hoc routing protocols are difficult to design: - Existing protocols are optimized to spread routing information quickly as the network changes - Security mechanisms consume resources and can delay or even prevent successful exchanges of routing information
Specific attacks • Location disclosure: reveals information regarding the location of nodes, or the structure of the network • Black hole: an attacker advertises a zero metric for all destinations, causing all nodes around it to route packets towards it • Replay attack: an attacker sends old advertisements to a node, causing it to update its routing table with stale routes • Wormhole: an attacker records packets at one location in the network and tunnels them to another location; routing can be disrupted when only routing control messages are tunneled
Requirements for a secure ad hoc routing protocol • Prevents the exploits discussed • Route signaling cannot be spoofed • Fabricated routing messages cannot be injected • Routing messages cannot be altered in transit except in accordance with the functionality of the routing protocol • Routing loops cannot be formed through malicious action • Routes cannot be redirected from the shortest path • Unauthorized nodes should be excluded from route computation and discovery • Network topology should be exposed neither to adversaries nor to authorized nodes
Authenticated Routing for Ad Hoc Networks (ARAN) Protocol • Effectively basic AODV, except route discovery/setup/maintenance are authenticated • Utilizes public-key cryptography to verify hop-by-hop all route request “RDP” & route reply “REP” packets • Eliminates most routing security problems except for tunneling & trivial DoS attacks
ARAN – Initial Setup • Certificate A: Public Key A, IP Address A, Create Time, Expiry Time, Signature by T • [Figure: trusted certificate server T and nodes A, B, C, D; labels Certificate B, Certificate C, Certificate D]
ARAN – Route Discovery: Initial RDP packet • RDP: A -> D • Fields: IP Address D, Certificate A, Nonce A, Create Time, Signature by A • [Figure: nodes A, B, C, D]
ARAN – Route Discovery: Intermediate RDP packet • RDP: A -> D, Signature by B, Certificate B • [Figure: nodes A, B, C, D; one "verified" label]
ARAN – Route Discovery • RDP: A -> D, Signature by C, Certificate C • [Figure: nodes A, B, C, D; two "verified" labels]
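The hop-by-hop RDP check from the route discovery slides, as an added example that is not part of the original deck or of any ARAN implementation. Toy RSA replaces real public-key signatures, and the keys, the `ip-*` addresses, all function names and the self-certified node M are constructed assumptions.

```python
import hashlib, json
from itertools import combinations
# Toy textbook RSA over Mersenne primes stands in for ARAN's public-key
# signatures so the example runs offline. Constructed keys, NOT secure.
def keypair(p, q, e=65537):
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))  # (public, private)
def digest(obj, n):
    raw = json.dumps(obj, sort_keys=True).encode()
    return int.from_bytes(hashlib.sha256(raw).digest(), "big") % n
def sign(priv, obj):
    return pow(digest(obj, priv[0]), priv[1], priv[0])
def verify(pub, obj, sig):
    return pow(sig, pub[1], pub[0]) == digest(obj, pub[0])

def make_cert(t_priv, ip, pub, created, expires):
    # Certificate fields from the Initial Setup slide, signed by server T.
    body = {"ip": ip, "pub": pub, "created": created, "expires": expires}
    return {**body, "sig": sign(t_priv, body)}

def cert_ok(t_pub, cert, now):
    body = {k: v for k, v in cert.items() if k != "sig"}
    return cert["created"] <= now <= cert["expires"] and verify(t_pub, body, cert["sig"])

def originate_rdp(priv, cert, dst_ip, nonce, now):
    # Initial RDP: destination IP, source certificate, nonce, create time.
    body = {"type": "RDP", "dst": dst_ip, "cert": cert, "nonce": nonce, "time": now}
    return {"body": body, "sig": sign(priv, body), "hop": None}

def accept(t_pub, pkt, now):
    # Verify the originator, then the previous hop's signature if present.
    checks = [(pkt["body"]["cert"], pkt["body"], pkt["sig"])]
    if pkt["hop"]:
        checks.append((pkt["hop"]["cert"], [pkt["body"], pkt["sig"]], pkt["hop"]["sig"]))
    return all(cert_ok(t_pub, c, now) and verify(c["pub"], m, s) for c, m, s in checks)

def forward(t_pub, priv, cert, pkt, now):
    # Intermediate node: verify, then swap in its own hop signature and certificate.
    if not accept(t_pub, pkt, now):
        return None
    return {**pkt, "hop": {"sig": sign(priv, [pkt["body"], pkt["sig"]]), "cert": cert}}

def make_network():
    # Constructed keys: server T, certified A, B, C, and self-certified M.
    ks = [keypair(p, q) for p, q in combinations([2**k - 1 for k in (61, 89, 107, 127)], 2)]
    (t_pub, t_priv), (m_pub, m_priv) = ks[0], ks[4]
    node = {x: {"priv": k[1], "cert": make_cert(t_priv, "ip-" + x, k[0], 0, 1000)}
            for x, k in zip("ABC", ks[1:4])}
    node["M"] = {"priv": m_priv, "cert": make_cert(m_priv, "ip-M", m_pub, 0, 1000)}
    return t_pub, node
```

Chain `originate_rdp` at A through `forward` at B and C, then call `accept` at D. A packet whose `body` changes after signing, one relayed by M, or one checked after the certificates expire fails `accept`.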
ARAN – Route Setup: Initial REP packet • REP: A->D • Fields: IP Address A, Certificate D, Nonce A, Create Time, Signature by D • *Replies to first RDP packet* • [Figure: nodes A, B, C, D; three "verified" labels]
ARAN – Route Setup: Intermediate REP packet • REP: A -> D, Signature by C, Certificate C • [Figure: nodes A, B, C, D; four "verified" labels]
ARAN – Route Setup • REP: A -> D, Signature by B, Certificate B • [Figure: nodes A, B, C, D; five "verified" labels]
ARAN – Route Complete • [Figure: nodes A, B, C, D; six "verified" labels]
ARAN – Route Maintenance • ERR: A->D • Fields: IP Address A, IP Address D, Certificate C, Nonce C, Create Time, Signature by C • [Figure: nodes A, B, C, D; label "Link broken!"]
Questions • Conflict between small weight nodes, cryptography – is there any reason to implement ARAN? • Any way to avoid centralized trust certificate server T? • Key revocation issues… • Sensor network security?