Title: Routing Security in Ad Hoc Networks
1Routing Security in Ad Hoc Networks
- Justin Lomheim
- Shirshanka Das
2Outline
- Ad Hoc Networks
- DSR Review
- AODV Review
- Specific Attacks on DSR and AODV
- ARAN Protocol (e.g. secure AODV)
- Questions
- References
3Ad Hoc Networks
- infrastructureless
- dynamic topologies (in mobile ad hoc nets)
- variable capacity, limited bandwidth links
- energy constrained operation
- unicast, multicast, broadcast traffic
- physical security considerations
- currently AODV and DSR routing under consideration
for IETF MANET specification
4Ad Hoc On Demand Distance Vector (AODV) Review
- distance vector algorithm using sequence numbers
for updates (based on DSDV)
- generates routes on-demand, reducing total number
of broadcasts required
- classified as a pure on-demand scheme, since
nodes not involved in routing do not maintain
routing info or participate in table exchanges
5Dynamic Source Routing (DSR) Review
- on-demand protocol based upon source routing
- designed for scenarios where only a few source
nodes flow to a few destination nodes
- source and destination nodes gather routing info
into caches, through exchange of flooded query
and reply packets with full routing information
- once discovered, routes are used as needed until they
fail due to lost message transmissions
6AODV and DSR Route Discovery
[Figure: route discovery between S and D via node I. Labels: "No Route To D !!", RREQ, RREP, "Cache Hit !!"]
7AODV Link Failure Mgmt
- infinite metric assigned to broken links
- if a node along a route moves, its upstream
neighbor detects it and forwards a notification
message (RREQ w/ infinite metric)
- link breakage triggers notification back to users
of formerly active links until source is reached,
which may then re-initiate route discovery
8AODV versus DSR
- Both use a similar mechanism of RREP, RREQ and
route caching
- AODV maintains DV type next hop forwarding
tables
- DSR relies on source routing
9Specific Attacks on AODV and DSR
- modification
- sequence numbers
- hop counts
- source routes
- tunneling
- impersonation
- fabrication
- error messages
- source routes (cache poisoning)
- DoS
- trivial DoS
10Modification of Sequence Numbers
- In AODV
- a malicious node may divert traffic through
itself by advertising a route (via a RREP) with a
much higher sequence number than actual RREP
11Modification of Hop Counts
- In AODV
- since routing decisions can involve hop count
metric, a malicious node can reset the hop
count to zero to make itself more likely to be
chosen along the path to the destination
- A selfish node could use a high hop count to
ensure no one routes through it in case it wants
to save power
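Why the two modifications above work, as an added example that is not from the slides: AODV prefers the reply with the higher destination sequence number and, on a tie, the lower hop count, and neither field is authenticated. The node names, the sample RREPs and the `max_seq_jump` sanity check are constructed for illustration.

```python
# Added illustration: AODV-style route selection over constructed RREPs.
from dataclasses import dataclass

@dataclass
class RREP:
    dest: str
    dest_seq: int    # destination sequence number (freshness)
    hop_count: int
    sender: str      # neighbour that delivered the RREP; becomes next hop

def better(new, cur):
    """AODV preference: higher sequence number, or equal and fewer hops."""
    if cur is None:
        return True
    return (new.dest_seq > cur.dest_seq or
            (new.dest_seq == cur.dest_seq and new.hop_count < cur.hop_count))

def build_table(rreps, max_seq_jump=None):
    """Apply RREPs in arrival order. max_seq_jump is a hypothetical
    heuristic: a reply whose sequence number exceeds the installed
    one by more than this is flagged instead of installed."""
    table, flagged = {}, []
    for r in rreps:
        cur = table.get(r.dest)
        if (max_seq_jump is not None and cur is not None
                and r.dest_seq - cur.dest_seq > max_seq_jump):
            flagged.append(r)
            continue
        if better(r, cur):
            table[r.dest] = r
    return table, flagged

# Constructed sample: two honest replies for D, then a forged one via M.
SAMPLE = [
    RREP("D", dest_seq=12, hop_count=4, sender="B"),
    RREP("D", dest_seq=12, hop_count=3, sender="C"),
    RREP("D", dest_seq=9000, hop_count=1, sender="M"),
]

def next_hop(rreps, **kw):
    """Return (chosen next hop towards D, senders of flagged replies)."""
    table, flagged = build_table(rreps, **kw)
    return table["D"].sender, [r.sender for r in flagged]
```

The jump check is only a heuristic: it does nothing against a zeroed hop count at the current sequence number, or when the forged reply is the first one seen, which is the gap that authenticated route signaling closes.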
12Modification of Source Routes
- In DSR
- as packets are delivered, a malicious node can
simply remove necessary source route entries in
the packet header
- malicious node can drop any error messages coming
back along the path
13Tunneling
[Figure: falsely tunneled path between S and D via M1 and M2, with Encap and Decap endpoints]
14Impersonation to create loops
[Figure sequence, slides 14-17, each titled "Impersonation to create loops": nodes A, B, C, D, E, M and X]
18Fabrication Attacks
- False route error messages in AODV and DSR
- Route Cache poisoning
19Challenges
- No centrally administered secure routers
- No strict security policies
- Highly dynamic nature of mobile ad hoc networks
- Current ad hoc routing protocols trust all
participating nodes
20Problem
- Secure ad hoc routing protocols are difficult to
design
- Existing protocols are optimized to spread
routing information quickly as the network
changes
- Security mechanisms consume resources and can
delay or even prevent successful exchanges of
routing information
21Specific attacks
- Location disclosure: reveals information
regarding the location of nodes, or the structure
of the network
- Black hole: an attacker advertises a zero metric
for all destinations, causing all nodes around it
to route packets towards it
- Replay attack: an attacker sends old
advertisements to a node, causing it to update its
routing table with stale routes
- Wormhole: an attacker records packets at one
location in the network and tunnels them to
another location; routing can be disrupted when
only routing control messages are tunneled
22Requirements for a secure ad hoc routing protocol
- Prevents the exploits discussed
- Route signaling cannot be spoofed
- Fabricated routing messages cannot be injected
- Routing messages cannot be altered in transit
except in accordance with the functionality of
the routing protocol
- Routing loops cannot be formed through malicious
action
- Routes cannot be redirected from the shortest
path
- Unauthorized nodes should be excluded from route
computation and discovery
- Network topology should be exposed neither to
adversaries nor to authorized nodes
23Authenticated Routing for Ad Hoc Networks (ARAN)
Protocol
- Effectively basic AODV, except route
discovery/setup/maintenance are authenticated
- Utilizes public-key cryptography to verify
hop-by-hop all route request (RDP) and route reply
(REP) packets
- Eliminates most routing security problems except
for tunneling and trivial DoS attacks
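The hop-by-hop verification described above, as an added example that is not ARAN's own code or packet format: each forwarder checks the source signature and the previous hop's signature, then replaces the hop signature with its own. The `RDP|dst|src|nonce` layout, the `CERTS` table standing in for certificates issued by T, the `claim_as` parameter and the toy RSA keys are all assumptions made for illustration.

```python
# Added example (not from the slides): ARAN-style hop-by-hop checks on a
# route discovery packet. Toy RSA with tiny fixed primes, insecure by design.
import hashlib

E = 65537
M61, M89, M107, M127 = (2**k - 1 for k in (61, 89, 107, 127))  # known primes

def keypair(p, q):
    return {"n": p * q, "d": pow(E, -1, (p - 1) * (q - 1))}

# Constructed keys. CERTS models public keys certified by server T;
# M holds a key but was never issued a certificate.
KEYS = {"A": keypair(M61, M89), "B": keypair(M89, M107),
        "C": keypair(M107, M127), "M": keypair(M61, M127)}
CERTS = {name: KEYS[name]["n"] for name in ("A", "B", "C")}

def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(key, data):
    return pow(_h(data, key["n"]), key["d"], key["n"])

def verify(n, data, sig):
    return n is not None and pow(sig, E, n) == _h(data, n)

def originate(src, dst, nonce):
    body = f"RDP|{dst}|{src}|{nonce}".encode()
    return {"body": body, "src_sig": sign(KEYS[src], body),
            "hop": None, "hop_sig": None}

def check(pkt):
    """Verify the source signature, then the latest forwarder's signature."""
    src = pkt["body"].split(b"|")[2].decode()
    if not verify(CERTS.get(src), pkt["body"], pkt["src_sig"]):
        return False
    if pkt["hop"] is None:
        return True
    inner = pkt["body"] + b"|%d" % pkt["src_sig"]
    return verify(CERTS.get(pkt["hop"]), inner, pkt["hop_sig"])

def forward(node, pkt, claim_as=None):
    """Verify, drop the previous hop's signature, sign as this hop.
    claim_as models a node asserting another node's identity."""
    if not check(pkt):
        return None
    inner = pkt["body"] + b"|%d" % pkt["src_sig"]
    return {**pkt, "hop": claim_as or node,
            "hop_sig": sign(KEYS[node], inner)}
```

A packet altered in transit, signed by a node without a certificate, or signed under another node's name fails `check` at the next hop and is dropped there.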
24ARAN Initial Setup
[Figure: nodes A, B, C, D and trusted certificate server T. Labels: Certificate B, Certificate C, Certificate D]
25ARAN Route Discovery
[Figure: initial RDP packet; nodes A, B, C, D]
26ARAN Route Discovery
[Figure: intermediate RDP packet; one "verified" mark; nodes A, B, C, D]
27ARAN Route Discovery
[Figure: "Signature by C"; two "verified" marks; nodes A, B, C, D]
28ARAN Route Setup
[Figure: initial REP packet, "REP A->D"; caption "Replies to first RDP packet"; three "verified" marks; nodes A, B, C, D]
29ARAN Route Setup
[Figure: intermediate REP packet, "REP A->D". Labels: "Signature by C", "Certificate C"; four "verified" marks; nodes A, B, C, D]
30ARAN Route Setup
[Figure: "REP A->D"; five "verified" marks; nodes A, B, C, D]
31ARAN Route Complete
[Figure: six "verified" marks; nodes A, B, C, D]
32ARAN Route Maintenance
[Figure: "ERR A->D"; "Link broken!"; nodes A, B, C, D]
33Questions
- Conflict between small weight nodes and cryptography:
is there any reason to implement ARAN?
- Any way to avoid centralized trust certificate
server T?
- Key revocation issues
- Sensor network security?