Transcript Slide 1
Secure Routing and
Intrusion Detection For
Mobile Ad Hoc Networks
Anand Patwardhan
Jim Parker
Anupam Joshi
March 10, 2005
Kauai Island, Hawaii
National Institute
for Standards
and Technology
Michaela Iorga
Tom Karygiannis
Challenges
• Wireless communication
• Short range (802.11, Bluetooth etc.)
• Open medium
• Identification and Authentication
• PKI based solutions infeasible
• No prior trust relationships
• Routing
• Based on dynamic cooperative peer relations
• Key to survival of MANET
• Device constraints
• Power Conservation
• Finite Storage
• Computation power
AODV
• Ad hoc On-demand Distance Vector routing protocol
• All up to date routes are not maintained at every node
• Minimizes number of broadcasts by creating routes ondemand
• Routes are created as and when required
• Route remains valid until destination is unreachable or
the route is no longer needed
• Adaptation to dynamic link conditions
• Low processing and Memory Overhead
• Low Network Utilization
AODV Messaging
• Source Node – node originating routing request
• Destination Node – sends route reply
• Sequence Numbers – used to avoid loops/replay
• Route Request – route discovery message
• Route Reply – destination to source message
• Route Error – destination node unreachable
• Intermediate Node Path List – list of nodes traversed
along message path
Attacks
• Attacks can be broadly classified into
• Routing disruption attacks
• Resource consumption attacks
• Attacks on data traffic
• Objective: Isolate and deny resources to
intrusive and/or chronically faulty nodes
Routing disruptions
• Malicious nodes may:
• convince nodes that it is routing packets to
the correct destination when it is not,
• fabricate route-maintenance messages,
• refuse to forward or simply drop packets,
• spoof routing addresses,
• and/or modify messages.
Secure Routing in MANETs
• Each node is a Router
• Identification and Authentication
• Statistically Unique and Cryptographically Verifiable
(SUCV) identifiers
• No prior trust relationships required
• Large address space of IPv6 suitable for SUCVs
• Secure binding between IPv6 address and Public
key
Secure Routing in MANETs
• Routing state
• Additional fields in control messages to protect data
• SUCV: IPv6 address and Public Key
• Secure binding, computationally infeasible to compute private
key in order to spoof
• Routing messages protected against mangling and
masquerading
Securing the IPv6 AODV
MESSAGE:
MESSAGE:
RSA Public Key
RSA Public Key
Signature
Signature
64-bit Network Specific ID
64-bit Network Specific ID 64-bit Hash of Public Key
IP:
IP:
2003:13:0:0:16ba:ae7f:8aea:dab3
Binding IP Address
and RSA Public Key
64-bit Hash of Public Key
2003:33:0:0:31ba:af0f:82ea:a0b
Intrusion Detection
• Wired Networks
– Traffic monitoring at routers, gateways,
firewalls
– Static routes
– Physical security
• MANETs
– Mobile nodes
– Other radio interference
– Reliance on cooperative mechanisms for
routing
– Intrusion detection limited to devices within
radio-range
Intrusion Detection Challenges
• Identity
– Use SUCVs
• Mobility
– False positives
• Scalability
– Large radio-ranges or dense networks
• Aggregation of data
– Communicate intrusions data to warn others
Packet Forwarding
dgram_in
B
A
dgram_out
C
Datagram dgram_in has:
Source IPv6 address, x U – {B,C}
Destination IPv6 address, y U – {B,C}
MAC source, mac(u), u U – {B,C}
MAC destination, mac(B)
Corresponding dgram_out must have:
Source IPv6 address, x
Destination IPv6 address, y
MAC source, mac(B)
MAC destination, mac(u), u ε U – {B,C}
Stateful Packet Monitoring
{ TCP Sequence no.,
TCP checksum }
{ RREQ, RREP, RERR }
Build and
Maintain
Neighbor table
(mac, ipv6) pairs
And route status
AODV
TCP
Update
in-memory
Hash table
Packets that should be
forwarded
IPv6
Ethernet Frame
From the packet capture library (pcap)
Example Scenario
Future Work
• Active Response
• Nodes send out accusations on events that they directly
observe
• Accusations are signed so accuser is accountable
• No Hearsay is propagated
• All nodes have same information on which to base
decisions
• Combine cross layer evidence to evaluate trust between
MANET nodes
• Design and develop a secure trust routing protocol
Additional Information
• UMBC
• http://ebiquity.umbc.edu
• NIST
• http://csrc.nist.gov/manet