Wireless Ad Hoc and Sensor Networks

Download Report

Transcript Wireless Ad Hoc and Sensor Networks

Secure Autoconfiguration and
Routing in an
IPv6-Based Ad Hoc Network
Jehn-Ruey Jiang
National Central University
Outline
 IPv6
Overview
 Ad Hoc Networks
 IP Autoconfiguration
 CGA
 S-DSR
 Conclusion
Outline
 IPv6
Overview
 Ad Hoc Networks
 IP Autoconfiguration
 CGA
 S-DSR
 Conclusion
Internet History









1969: ARPANET (using Network Control Protocol, NCP)
1974: TCP/IP (by Vinton Cerf and Bob Kahn)
1981: IPv4 (RFC 791)
1984: NSFNet (using Transmission Control
Protocol/Internet Protocol, TCP/IP)
1990: ARPANET retired
1991: WWW (World Wide Web) (by Tim Berners-Lee)
1993: NCSA Mosaic (by Mark Andreesen) → Netscape
Navigator
1990s: Internet
2000s: internet
IPv6 History




1992: IPng (Next Generation IP) began in IETF (Internet
Engineering Task Force) working groups
1994: IPv6, announced by IESG(Internet Engineering
Steering Group) (RFC 1752) (IPv5 is for a stream
protocol)
1998: IP Version 6 Addressing Architecture
[July] (RFC2373)
1998: Internet Protocol, Version 6 (IPv6) Specification
[December] (RFC2460)
IPv6 Features





Expanded address space
128 bits ( 3.4*1038 IP Addresses)
Auto-configuration
Stateless (Prefix + EUI-64), Stateful (DHCPv6), Addressing
Lifetime (Age for renumbering)
Quality of Service
20-bit Flow Label enables identification of traffic flows for
real-time Voice and Video stream
Integrated Security Support
IPSec(AH Header+ESP Header)
Mobility
No Foreign Agent, Free of Triangle routing, Plug&Play
(Care-of Address)
IPv6 Vision
IPv6  Anything, Anytime, Anywhere
Connection to Internet
Source: NDHU
Outline
 IPv6
Overview
 Ad Hoc Networks
 IP Autoconfiguration
 CGA
 S-DSR
 Conclusion
Ad hoc Networks
 Ad
hoc: formed, arranged, or done (often
temporarily) for a particular purpose only
 Ad
Hoc Network (MANET):
A collection of wireless mobile hosts forming
a temporary network without the aid of
established infrastructure or centralized
administration
Infrastructure vs Ad-hoc Modes
infrastructure
network
AP
AP
wired network
AP
Multi-hop ad hoc network
ad-hoc network
ad-hoc network
Applications of MANETs
Battlefields
Disaster
rescue
Spontaneous
Outdoor
meetings
activities
MANET Routing Protocols
 Table
Driven (Proactive)
DSDV, FSR
 On
Demand (Reactive)
AODV, TORA, ABR, SSA
 Hybrid
ZRP
Secure Routing Protocols
 SAODV
 SRP
 SAR
 CSER
 SEAD
 Ariadene
 BSAR
Outline
 IPv6
Overview
 Ad Hoc Networks
 IP Autoconfiguration
 CGA
 S-DSR
 Conclusion
Stateful vs. Stateless
 Stateful
DHCPv6
 Stateless
DAD (Duplicate Address Detection)
DAD (1/3)
 A function
of NDP (Neighbor Discovery
Protocol)
 Two
types of messages
 NS (Neighbor Solicitation)
 NA (Neighbor Advertisement)
Ethernet Header:
Dest. MAC is 33-33-FF-22-22-22
IPv6Header:
Source Address is ::
Destination address is
FF02::1
NS Header :
Target Address is
FE80::2AA:FF:FE22:2222
DAD (2/3)
Tentative IP: FE80::2AA:FF:FE22:2222
(multicast)
Neighbor Solicitation
Host B
IP : FE80::2AA:FF:FE22:2222
Host A
Ethernet Header:
Dest. MAC is 33-33-00-00-00-01
IPv6Header:
Source Address is
FE80::2AA:FF:FE22:2222
Destination address is
FF02::1
NA Header :
Target Address is
FE80::2AA:FF:FE22:2222
DAD (3/3)
Tentative IP: FE80::2AA:FF:FE22:2222
Neighbor Advertisement
Host B
(multicast)
IP : FE80::2AA:FF:FE22:2222
Host A
Outline
 IPv6
Overview
 Ad Hoc Networks
 IP Autoconfiguration
 CGA
 S-DSR
 Conclusion
What is a CGA
 Cryptographically
Generated Address
 Also known as SUCV
(Statistically Unique and Cryptographically
Verifiable) address
 It associates a host's address with its public
key in order for other hosts to verify the
ownership of the address
Public Key and a CGA
Outline
 IPv6
Overview
 Ad Hoc Networks
 IP Autoconfiguration
 CGA
 S-DSR
 Conclusion
S-DSR Overview (1/2)
 Secure
Dynamic Source Routing Protocol
 It incorporates
 DSR protocol
 CGA
 Address autoconfiguration
 DNS autoregistration and discovery
S-DSR Overview (2/2)
 It
allows the network to be bootstrapped
without manual administration
 It can resist a variety of attacks, including
 black hole attack
 replay attack
 message forging attack
 message tampering attack
 DNS impersonation attack



S-DSR Assumption
There is a publicly known one-way, collision-resistant
hashing function H, and there exists an IPv6 DNS server in
the MANET. The DNS server has a public-private key pair,
which is known by all mobile nodes prior to entering the
MANET.
For a mobile which intends to own a permanent domain
name, an entry (domain name, IP address) should have
been placed at the DNS server before the network is
formed. In this case, impersonate such hosts would be
impossible.
For a mobile node which dose not intend to own a
permanent domain name, its (domain name, IP address)
entry can be registered with the DNS server on-line after
the network is formed. We adopt the first-come-first-serve
policy for registration of new domain names.
S-DSR Messages (1/2)
8 types of messages:
S-DSR
Messages
(2/2)
Definitions of symbols:
S-DSR DAD (1/4)
 On
receiving AREQ(SIP,seq,DN,ch,RR),
each intermediate node appends its address
into the route record RR and rebroadcasts
the message.
 When a node R receives an AREQ with SIP
equal to its own IP address, it unicasts an
address reply message AREP(SIP,seq,RR,
[SIP,seq,ch]RSK, RPK,Rrn) to S along the
reverse route derived from RR.
S-DSR DAD (2/4)
 The AREP
message should also be
delivered to the DNS server through unicast
 When a DNS server N receives the AREQ
message and finds that the domain name in
the DN field has already been registered by
another host of address different from SIP, it
will also unicast a DREP message (SIP,
seq,RR, [SIP,seq,ch]NSK) to S.
S-DSR DAD (3/4)
 When
the node S with a pending address
request receives the AREP message, it
authenticates the integrity of the message
as follows:
 It verifies if SIP matches with H(RPK,Rrn).
 It decrypts [SIP,seq,ch]RSK by RPK and verifies if
the decrypted result matches with [SIP,seq,ch].
 If
both checks pass, the AREP message is
considered valid.
S-DSR DAD (4/4)
S-DSR Routing (1/5)
 On
receiving (SIP,DIP,seq,SRR,[SIP,DIP,seq]
SSK,SPK,Snd), each intermediate node I
appends [SIP,seq]ISK,IIP,IPK,Irn into the secure
route record SRR and rebroadcasts the
message.
S-DSR Routing (2/5)

On receiving RREQ
(SIP,DIP,seq,SRR,[SIP,DIP,seq] SSK,SPK,Snd),
it authenticates the message as follows:
1. It verifies if SIP matches with H(SPk, Srn).
2. It decrypts [SIP,DIP,seq]SSK by SPK and verifies
if the decrypted result matches with
[SIP,DIP,seq] indicated in the message.
S-DSR Routing (3/5)
3. It verifies every IP address appearing in SRR.
For an IP address IIP, whose corresponding
information is [SIP,seq]ISK, IIP, IPK,Irn, the
verification is done by checking if IIP matches
with H(IPK,Irn), and if [SIP,seq]ISK can be
decrypted by IPk to be [SIP,seq].
4. It verifies if seq is greater than the sequence
number of any RREQ message sent by S.
S-DSR Routing (4/5)


If all the verifications are passed, the
RREQ message is considered valid.
The destination node D then unicasts a
RREP Message (SIP,DIP,seq,RR,SR(D-S),
[SIP,seq,SR(D-S)]DSK,DPK,Drn) to S along
source route SR(D-S), which is derived
form SRR.
S-DSR Routing (5/5)
Outline
 IPv6
Overview
 Ad Hoc Networks
 IP Autoconfiguration
 CGA
 S-DSR
 Conclusion
Conclusion (1/2)
 S-DSR
can resist
 Black hole attack
 Route request (RREQ) message reply attack
 Forged route request (RREQ) message attack
 Forged address reply (AREP) message attack
 Forged route error (RERR) message attack
 Tampered control message attacks
 DNS server impersonation attack
Conclusion (2/2)
 Future
work:
To extend S-DSR to be a credit-based
protocol with the help of CGAs, in which
each node keeps a record for each IP
address to differentiate between favorable
nodes and unfavorable nodes.
Publication
Yu-Chee Tseng, Jehn-Ruey Jiang, and Jih-Hsin
Lee, “Secure Bootstrapping and Routing in an
IPv6-Based Ad Hoc Network,” ICPP Workshop on
Wireless Security and Privacy 2003, 2003.
 Yu-Chee Tseng, Jehn-Ruey Jiang*, and Jih-Hsin
Lee, “Secure Bootstrapping and Routing in an
IPv6-Based Ad Hoc Network,” Journal of Internet
Technology, Vol. 5, No. 2, pp.123-130, Feb. 2004.

Q&A