Secure Autoconfiguration and Routing in an IPv6-Based Ad Hoc Network
Jehn-Ruey Jiang
National Central University

Outline
IPv6 Overview
Ad Hoc Networks
IP Autoconfiguration
CGA
S-DSR
Conclusion

Internet History
1969: ARPANET (using Network Control Protocol, NCP)
1974: TCP/IP (by Vinton Cerf and Bob Kahn)
1981: IPv4 (RFC 791)
1984: NSFNet (using Transmission Control Protocol/Internet Protocol, TCP/IP)
1990: ARPANET retired
1991: WWW (World Wide Web) (by Tim Berners-Lee)
1993: NCSA Mosaic (by Marc Andreessen) → Netscape Navigator
1990s: Internet
2000s: internet

IPv6 History
1992: IPng (Next Generation IP) began in IETF (Internet Engineering Task Force) working groups
1994: IPv6, announced by IESG (Internet Engineering Steering Group) (RFC 1752)
  (IPv5 is for a stream protocol)
1998: IP Version 6 Addressing Architecture [July] (RFC 2373)
1998: Internet Protocol, Version 6 (IPv6) Specification [December] (RFC 2460)

IPv6 Features
Expanded address space
  128 bits (3.4 × 10^38 IP addresses)
Auto-configuration
  Stateless (Prefix + EUI-64), Stateful (DHCPv6), Addressing Lifetime (Age for renumbering)
Quality of Service
  20-bit Flow Label enables identification of traffic flows for real-time voice and video streams
Integrated Security Support
  IPSec (AH Header + ESP Header)
Mobility
  No Foreign Agent, Free of Triangle routing, Plug & Play (Care-of Address)

IPv6 Vision
[Figure: IPv6: Anything, Anytime, Anywhere Connection to Internet. Source: NDHU]

Ad hoc Networks
Ad hoc: formed, arranged, or done (often temporarily) for a particular purpose only
Ad Hoc Network (MANET): A collection of wireless mobile hosts forming a temporary network without the aid of established infrastructure or centralized administration

Infrastructure vs Ad-hoc Modes
[Figure: infrastructure network (APs attached to a wired network); ad-hoc network; multi-hop ad hoc network]

Applications of MANETs
Battlefields
Disaster rescue
Spontaneous meetings
Outdoor activities

MANET Routing Protocols
Table Driven (Proactive)
  DSDV, FSR
On Demand (Reactive)
  AODV, TORA, ABR, SSA
Hybrid
  ZRP

Secure Routing Protocols
SAODV
SRP
SAR
CSER
SEAD
Ariadne
BSAR

Stateful vs. Stateless
Stateful
  DHCPv6
Stateless
  DAD (Duplicate Address Detection)

DAD (1/3)
A function of NDP (Neighbor Discovery Protocol)
Two types of messages
  NS (Neighbor Solicitation)
  NA (Neighbor Advertisement)

DAD (2/3)
Neighbor Solicitation
Host A: Tentative IP: FE80::2AA:FF:FE22:2222
Host B: IP: FE80::2AA:FF:FE22:2222
(multicast)
Ethernet Header: Dest. MAC is 33-33-FF-22-22-22
IPv6 Header: Source Address is ::, Destination address is FF02::1
NS Header: Target Address is FE80::2AA:FF:FE22:2222

DAD (3/3)
Neighbor Advertisement
Host A: Tentative IP: FE80::2AA:FF:FE22:2222
Host B: IP: FE80::2AA:FF:FE22:2222
(multicast)
Ethernet Header: Dest. MAC is 33-33-00-00-00-01
IPv6 Header: Source Address is FE80::2AA:FF:FE22:2222, Destination address is FF02::1
NA Header: Target Address is FE80::2AA:FF:FE22:2222

What is a CGA
Cryptographically Generated Address
Also known as SUCV (Statistically Unique and Cryptographically Verifiable) address
It associates a host's address with its public key in order for other hosts to verify the ownership of the address

Public Key and a CGA

S-DSR Overview (1/2)
Secure Dynamic Source Routing Protocol
It incorporates
  DSR protocol
  CGA
  Address autoconfiguration
  DNS autoregistration and discovery

S-DSR Overview (2/2)
It allows the network to be bootstrapped without manual administration
It can resist a variety of attacks, including
  black hole attack
  replay attack
  message forging attack
  message tampering attack
  DNS impersonation attack

S-DSR Assumption
There is a publicly known one-way, collision-resistant hashing function H, and there exists an IPv6 DNS server in the MANET. The DNS server has a public-private key pair, which is known by all mobile nodes prior to entering the MANET.
For a mobile node which intends to own a permanent domain name, an entry (domain name, IP address) should have been placed at the DNS server before the network is formed. In this case, impersonating such hosts would be impossible.
For a mobile node which does not intend to own a permanent domain name, its (domain name, IP address) entry can be registered with the DNS server on-line after the network is formed. We adopt the first-come-first-serve policy for registration of new domain names.

S-DSR Messages (1/2)
8 types of messages:

S-DSR Messages (2/2)
Definitions of symbols:

S-DSR DAD (1/4)
On receiving AREQ(SIP,seq,DN,ch,RR), each intermediate node appends its address into the route record RR and rebroadcasts the message.
When a node R receives an AREQ with SIP equal to its own IP address, it unicasts an address reply message AREP(SIP,seq,RR,[SIP,seq,ch]RSK,RPK,Rrn) to S along the reverse route derived from RR.

S-DSR DAD (2/4)
The AREP message should also be delivered to the DNS server through unicast.
When a DNS server N receives the AREQ message and finds that the domain name in the DN field has already been registered by another host whose address is different from SIP, it will also unicast a DREP message (SIP,seq,RR,[SIP,seq,ch]NSK) to S.

S-DSR DAD (3/4)
When the node S with a pending address request receives the AREP message, it authenticates the integrity of the message as follows:
  It verifies if SIP matches with H(RPK,Rrn).
  It decrypts [SIP,seq,ch]RSK by RPK and verifies if the decrypted result matches with [SIP,seq,ch].
If both checks pass, the AREP message is considered valid.

S-DSR DAD (4/4)

S-DSR Routing (1/5)
On receiving RREQ(SIP,DIP,seq,SRR,[SIP,DIP,seq]SSK,SPK,Snd), each intermediate node I appends [SIP,seq]ISK,IIP,IPK,Irn into the secure route record SRR and rebroadcasts the message.

S-DSR Routing (2/5)
On receiving RREQ(SIP,DIP,seq,SRR,[SIP,DIP,seq]SSK,SPK,Snd), it authenticates the message as follows:
1. It verifies if SIP matches with H(SPK,Srn).
2. It decrypts [SIP,DIP,seq]SSK by SPK and verifies if the decrypted result matches with [SIP,DIP,seq] indicated in the message.

S-DSR Routing (3/5)
3. It verifies every IP address appearing in SRR. For an IP address IIP, whose corresponding information is [SIP,seq]ISK,IIP,IPK,Irn, the verification is done by checking if IIP matches with H(IPK,Irn), and if [SIP,seq]ISK can be decrypted by IPK to be [SIP,seq].
4. It verifies if seq is greater than the sequence number of any RREQ message sent by S.

S-DSR Routing (4/5)
If all the verifications are passed, the RREQ message is considered valid.
The destination node D then unicasts an RREP message (SIP,DIP,seq,RR,SR(D-S),[SIP,seq,SR(D-S)]DSK,DPK,Drn) to S along source route SR(D-S), which is derived from SRR.
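
Added example (not from the original slides or the S-DSR authors): the four RREQ checks above as a runnable sketch; the AREP check in S-DSR DAD (3/4) is the same pair of operations as checks 1 and 2. Assumptions: toy textbook RSA over small known primes stands in for the signature scheme, SHA-256 stands in for H, the address is the fe80::/64 prefix plus the top 64 bits of H(PK, rn), and all function and field names are hypothetical.

```python
import hashlib
import ipaddress

E = 65537  # public exponent shared by the toy keys (assumption)

def keygen(p, q):
    """Toy textbook-RSA pair: returns (PK = modulus n, SK = exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def h_int(*fields):
    """H(...) over the joined fields, as an integer (SHA-256 assumed)."""
    data = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def cga(pk, rn):
    """Assumed layout: fe80::/64 prefix + top 64 bits of H(PK, rn)."""
    return str(ipaddress.IPv6Address((0xFE80 << 112) | (h_int(pk, rn) >> 192)))

def sign(sk, pk, *fields):
    """[fields]_SK: hash the fields, then apply the secret exponent."""
    return pow(h_int(*fields) % pk, sk, pk)

def signed_ok(sig, pk, *fields):
    """'Decrypt' sig with PK and compare with the fields in the message."""
    return pow(sig, E, pk) == h_int(*fields) % pk

def verify_rreq(m, last_seq):
    """Checks 1-4; last_seq maps a source IP to the highest seq seen."""
    if m["sip"] != cga(m["spk"], m["srn"]):                      # check 1
        return "source address not bound to SPK"
    if not signed_ok(m["sig"], m["spk"], m["sip"], m["dip"], m["seq"]):
        return "bad source signature"                            # check 2
    for hop in m["srr"]:                                         # check 3
        if hop["ip"] != cga(hop["pk"], hop["rn"]):
            return "hop address not bound to its key"
        if not signed_ok(hop["sig"], hop["pk"], m["sip"], m["seq"]):
            return "bad hop signature"
    if m["seq"] <= last_seq.get(m["sip"], -1):                   # check 4
        return "stale sequence number"
    return "valid"

def sample_rreq(seq=7):
    """Constructed RREQ from S via one intermediate node I (toy primes)."""
    spk, ssk = keygen(2**61 - 1, 2**127 - 1)
    ipk, isk = keygen(2**89 - 1, 2**107 - 1)
    sip, iip, dip = cga(spk, 1111), cga(ipk, 2222), "fe80::d"
    hop = {"ip": iip, "pk": ipk, "rn": 2222, "sig": sign(isk, ipk, sip, seq)}
    return {"sip": sip, "dip": dip, "seq": seq, "srr": [hop], "spk": spk,
            "srn": 1111, "sig": sign(ssk, spk, sip, dip, seq)}
```

Check 4 is what rejects a replayed RREQ: the message still passes checks 1 to 3, so the receiver has to keep the highest sequence number seen per source address.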

S-DSR Routing (5/5)

Conclusion (1/2)
S-DSR can resist
  Black hole attack
  Route request (RREQ) message replay attack
  Forged route request (RREQ) message attack
  Forged address reply (AREP) message attack
  Forged route error (RERR) message attack
  Tampered control message attacks
  DNS server impersonation attack

Conclusion (2/2)
Future work:
To extend S-DSR to be a credit-based protocol with the help of CGAs, in which each node keeps a record for each IP address to differentiate between favorable nodes and unfavorable nodes.

Publication
Yu-Chee Tseng, Jehn-Ruey Jiang, and Jih-Hsin Lee, “Secure Bootstrapping and Routing in an IPv6-Based Ad Hoc Network,” ICPP Workshop on Wireless Security and Privacy 2003, 2003.
Yu-Chee Tseng, Jehn-Ruey Jiang*, and Jih-Hsin Lee, “Secure Bootstrapping and Routing in an IPv6-Based Ad Hoc Network,” Journal of Internet Technology, Vol. 5, No. 2, pp. 123-130, Feb. 2004.

Q&A