17th May, 2000
Vesa Kärpijoki
Department of Computer Science
Helsinki University of Technology
Vesa.Karpijoki@hut.fi
Mobile ad-hoc networking (MANET) is a new field of communication taking place in extremely unpredictable and dynamic environments. Due to such characteristics, the MANET networks have much harder security requirements than the traditional, wired and static Internet. The routing in MANET networks is an especially hard task to accomplish securely, robustly and efficiently at the same time. One of the most severe threats to the routing in MANET networks is the possibility of compromised nodes, which inflict unpredictable and undetectable byzantine failures. The contemporary MANET and Mobile IP routing protocols do seem to manage the dynamically changing conditions rather well. In contrary, they offer either no integrated security mechanisms at all, or have only partial solutions for protecting the routing. This paper presents common security problems related to routing. It also discusses some of the contemporary solutions that are seemingly inadequate for protecting the routing in MANET networks.
In recent years the concern over the security of computer networks has been widely discussed and popularized. The discussion has, however, typically involved only static and wired networking while the mobile or ad-hoc networking issues have not been handled extensively. The emergence of such new networking approaches sets new challenges even for the fundamentals of routing, since the mobile and ad-hoc networks (MANET) are significantly different from the wired networks. Moreover, the traditional routing protocols of the Internet have been designed for routing the traffic between wired hosts connected to a static backbone, thus applying relatively static routing fabrics without any support for mobility or dynamic ad-hoc networking.
Therefore the well-known and traditional approaches to routing are inadequate in MANET environments. This implies that the security mechanisms applied within the routing protocols also require completely new approaches in the design. The traditional routing protocols typically apply very limited or possibly even non-existent security mechanisms. In addition, even if some routing protocols supported integrated security mechanisms, they have often offered only partial protection mechanisms such as authentication services. The security mechanisms have often been retrofitted to the original routing protocol, since the designers of the protocol have presumably not originally envisioned any demand for such mechanisms. Finally, these are not, however, the only concerns related to MANET routing. The problem of unpredictable failures, inflicted by malicious nodes is an essential issue to be noted within MANET networking.
In this paper the security requirements for the MANET routing protocols and the problems related to them are discussed. Moreover, security solutions envisioned to protect the routing in MANET networks are presented and evaluated. The paper does not, however, offer any detailed discussion of the fundamentals of security in networking or the characteristics of the routing in Mobile IP, traditional Internet or MANET networks.
The paper is structured into eight sections as follows. Section one gives a brief introduction to the problem field and the topic of the paper. Section two offers a general overview of the traditional, Mobile IP and MANET routing protocols. Section three briefly lists the fundamental security aspects of routing. The most severe threats related to MANET routing, especially the problems involving compromised nodes and byzantine failures, are presented. Section four represents the basic contemporary solutions for protecting routing in traditional, mobile and ad-hoc networks. Section five discusses problems related to mobile and ad-hoc routing. Section six gives an overview of various solutions that have been proposed for preventing or mitigating the discussed security problems in MANET routing. Finally, section seven emphasizes the most important issues to be managed in the future and draws conclusions for the paper.
Mobile IP and MANET routing protocols are represented in this paper using the common terminology as defined in [22] (Mobile IP), [20] (MANET terminology) and [5] (MANET performance issues). This paper discusses mobile nodes (MN), entities that exchange routing with other MNs and may request services from other nodes in MANET networks. Moreover, mobile hosts (MH) are MNs that have typically client functionality with only a subset of possible routing functions. In addition, corresponding node (CN) is the node that the MH tries to communicate with. Finally, it should be noted that in MANET environments the roles of the clients, servers and routers are typically somewhat mixed up with each other. [5, 20, 22]
Mobile networks can either apply a hierarchical or a cellular routing architecture. The latter approach is typically in use within the cellular phone networks. The former approach is a somewhat less known innovation, which will in some cases offer substantial advantages - see e.g. [7]. Mobility has so far typically involved MNs connected to fixed backbones and static base stations which offer the MNs the necessary access points to the network and perform handovers and other routing functions required to maintain the routing fabric. Finally, MNs are naturally most often wireless due to the mobility requirements.
Ad-hoc networks are typically defined with characteristics such as purpose-specific, autonomous, dynamic and transient. Moreover, ad-hoc networks may not have the routers or servers in the traditional way at all. They do not even need fixed backbones to form the necessary routing fabric - the fabric can be formed directly between the nodes that exchange routing information. Since ad-hoc networks typically support mobility, such networks also have MANET properties such as dynamic topologies, bandwidth-constrained variable capacity links, power-constrained operations and limited physical security. The last property is the most interesting from the security point of view: the MNs, especially wireless ones, are typically significantly more susceptible to physical attacks than their wired and fixed counterparts. Moreover, MANET routing protocols are vulnerable without any link- or network-level security measures, partly due to the poor physical security of the mobile nodes. [5, 7, 11, 18, 19]
In the contemporary Internet there are quite many routing protocols that have been designed for wired and fixed networks. They are not, however, seemingly able to meet the necessary requirements of the dynamic and security-critical MANET networks well enough. Such routing protocols have typically been divided into distance-vector, link state and possibly hybrid protocols, depending on how the routing topology is formed [21]. The traditional routing protocols include the distance-vector protocols such as RIP (Routing Information Protocol) and RIP Version 2 as well as link-state protocols such as OSPF and OSPFv2 (Open Shortest-Path First protocol). Of these protocols, RIP and RIPv2 have basically become obsolete in most of the networks in the Internet. On the other hand, OSPFv2 is in wide use and moreover, there are some implementations of the OSPF protocol in the MANET environments as well [21]. RIP and OSPF are covered in this paper to illustrate the differences between the routing in the traditional and MANET networks. [9, 13, 15, 21]
Mobile IP is an extension for the IP protocol suite originally designed for fixed and wired networks. IP mobility support must meet a few fundamental requirements, as stated in [22]. Of these the most important from the viewpoint of the secure routing is that "All messages used to update another node as to the location of a mobile node must be authenticated in order to protect against remote redirection attacks." These requirements apply to the whole IP protocol suite in general. It should, however, be noted that IPv6 has a couple of advantages over IPv4 especially in respect of MANET networking. First, IPv6 has mobility support - all IPv6 nodes must be able to automatically configure themselves in the current point of attachment in the Internet. Secondly, the flexible and large IPv6 address space allows the foreign agents (FA) to omit mobility support functions, if demanded. Finally, all IPv6 nodes must support privacy and authentication mechanisms, since IPv6 applies IPSEC (IP Security) as an integral feature. Basic Mobile IP functionality is described in [22], as well as introductory papers like [21]. While the basic IP mobility for IPv4 and IPv6 is still being developed further, there are also several Mobile IP extension proposals. For instance, the extensions may either add a specific feature like an authentication mechanism to the protocol suite as described in [10] and [25] or extend the protocol framework like the hierarchical routing approach presented in [7]. [7, 10, 17, 21, 22, 25]
MANET routing protocols can be divided in a similar way as the traditional ones. Table-driven or proactive protocols require the periodical refreshing or updating of the routing information so that every node can operate with consistent and up-to-date routing tables. The advantage of the proactive approach is that once a route is formed, its use is efficient [19]. The pure proactive protocols do not suite ad-hoc networks due to the requirements for constant and heavy routing information exchange. Source-initiated on-demand driven or reactive protocols, in contrary, do not periodically update the routing information - the data is propagated to the necessary nodes only when necessary. Many of the MANET routing protocols are on-demand driven for optimization purposes, since they create network traffic only when the routing fabric must really be changed. The disadvantage of the reactive protocols is that they create a lot of overhead when the route is being determined, since the routes are not necessarily up-to-date when required. There are also hybrid protocols that make use of both approaches, possibly dynamically by adapting the protocol to the specific conditions. For instance, table-driven protocols could be used between networks and on-demand protocols inside the networks or vice versa. [19, 23]
The fundamental aspects of computer security - confidentiality, integrity, authentication and non-repudiation are valid also when the protection of routing in MANET networks is discussed. Detailed descriptions and examples of these issues can be found throughout the literature, for instance from [14] and [24]. Confidentiality of routing information is important so that not only the payload data but also the routing message headers carrying e.g. the location information of the MNs can be exchanged securely. Moreover, the integrity and authentication of the routing messages must be guaranteed so that every piece of routing information can always be confirmed to be valid and to have originated from the correct sender. Non-repudiation means that the node cannot deny having sent or handled certain piece of routing information in the past. Authentication mechanisms allow partial non-repudiation, but typically additional means like time-stamping services are also required to protect the routing traffic from tampering attacks such as the replaying or delaying of routing messages. Finally, it should be noted that authentication gets often confused with authorization issues that involve more or less the control of policy and that are typically implemented only in the application layer and not in the network layer to which this paper concentrates on. [5, 26]
Availability is a central issue in MANET systems due to the dynamic and unpredictable conditions in MANET environments: the nodes may not be available for communication all the time. Thus the MANET routing protocol used must not make any assumptions about availability of specific nodes at certain times. The routing framework must guarantee the robustness of the routing fabric so that the services are available even in dynamically changing conditions with the possibility of compromised nodes. Moreover, the routing fabric must scale up and down efficiently when the network topology changes, e.g. due to network partitions or merges. The distribution of services is naturally an essential property of MANET networks. Finally, all key-oriented functions like encryption, signing and keyed hashing always require key management mechanisms of some kind. Key management is a complex area, especially in the case of MANET networking, in which the trust relationships are significantly different from the traditional networks. Many routing systems rely on centralized server nodes, possibly having replicated copies of the keys stored in other backup nodes. The other way to implement the key management service is to distribute the responsibility among several server nodes - seemingly a more suitable approach for securing the routing in MANET networks. [5, 8, 14, 24, 26]
The protection of security always involves the identification of potential attacks, threats and vulnerabilities of a certain system. These concepts are defined e.g. in [1]. The most severe vulnerabilities in ad-hoc networks are the poor physical security of the mobile nodes and the trust on any centralized resource. Potential attacks against routing can be divided into two groups: passive attacks typically involve only eavesdropping of the routing messages, while active attacks involve actions performed by adversaries such as routing message replication and deletion. Moreover, external attacks are typically active attacks that may e.g. lead to the sending of false routing information, generation of routing loops, network partitioning and merging and congestion. External attacks can typically be prevented by using standard security mechanisms. Internal attacks are more severe attacks, since the malicious nodes sending incorrect routing traffic are already protected with the security mechanisms the routing framework offers. Thus such malicious insiders who may even operate in a group may use the standard security means to actually protect their attacks. [1, 8, 26]
Threats can be divided into three groups, as e.g. proposed by Amoroso [1]. This division is somewhat obsolete, since other kinds of attacks, like impersonation, cannot be directly categorized within any of the following classes. Denial of Service (DoS) threats involve the exhaustion of explicitly or arbitrarily chosen nodes. The more catastrophic attacks of today, the Distributed DoS (DDoS) threats involve a large amount of distributed hosts attacking the system simultaneously. Such attacks are almost impossible to be prevented - the best alternative may sometimes be the closing or disconnection the node from the network or the blocking of malicious traffic received from certain network addresses. The problem with MANET networks is that the network addresses are not fixed, so the latter approach cannot be used efficiently. Within any system the DoS attacks will most likely be targeted at any centralized resource, if any. Therefore in MANET systems there should be only distributed services. Integrity threats involve tampering with routing information. Since the integrity of routing information is crucial for maintaining the routing fabric of the dynamic MANET networks, the consequences of these attacks may quickly propagate to the whole MANET network, if the routing protocol does not define a robust enough scheme for recovering from such malicious actions. Finally, disclosure threats mean the gathering of information by an eavesdropper who is trying to break the confidentiality of routing information. [1, 26]
The possibility of compromised nodes forms one of the most central security threats in MANET systems, since the whole routing fabric is being generated and maintained by the nodes themselves, without any help from fixed backbones or base stations. In environments where there are centralized services, managed by individual or replicated nodes, the problem of the compromised nodes is most severe: the security of the whole system may be broken with an attack on a single point of the system. For instance, if the MANET routing fabric relied on a single or replicated server node that performs certifications with its own private key, the MANET network could be entirely compromised by attacking that single node. Therefore distributed security services are needed to prevent such problems.
An additional problem related to the compromised nodes is the potential byzantine failures encountered within MANET routing protocols. A set of the nodes could be compromised in such a way that the incorrect and malicious behaviour cannot be directly noted at all. The compromised nodes may seemingly operate correctly, but at the same time they may make use of the flaws and inconsistencies in the routing protocol to undetectably distort the routing fabric of the network. In addition, such malicious nodes can also create new routing messages and advertise non-existent links, provide incorrect link state information and flood other nodes with routing traffic, thus inflicting byzantine failures to the system. Such failures are severe especially because they may come from seemingly trusted nodes, whose malicious intentions have not yet been noted. Even if the compromised nodes were noticed and prevented from performing incorrect actions, the erroneous information generated by the byzantine failures may have already been propagated in the whole network. [26]
The traditional routing protocols like RIP [9], RIP Version 2 [12, 13]) have been designed for traditional networks, without any mobility requirements. Moreover, these protocols do not typically offer security means at all or they define simple mechanisms that are inadequate for use in the Internet. For example RIP Version 2 defines a simple authentication scheme in which the routing information can be authenticated with simple cleartext passwords up to 16 byte. The passwords are not protected from tampering or eavesdropping in any way in the RIP level as such and thus additional security means and associations must be applied within the routing. There are extensions for RIP-2 authentication that e.g. use keyed MD5 (Message Digest) hash functions. This particular extension naturally requires proper key management mechanisms involving secret key generation, negotiation and storage protection. The authenticity of the messages is further confirmed with unique 4-octet sequence numbers. The protocol extension does not, however, define any general methods for key management or support any security means for protecting confidentiality of the keys. [2, 9, 12, 13]
The OSPF protocol suite has similar problems as the RIP suite. The current OSPF version 2 does allow the verification of the origin of the routing messages, but the proposals apply only 16-bit checksums and optional 64-bit authentication fields. The only extra authentication method supported in the basic OSPFv2 is the use of simple plaintext passwords. Moreover, the privacy of the routing information is not protected with any integrated method, which forces the introduction of some external confidentiality protection mechanism. There are extensions to handle the authentication in more sophisticated ways, for instance with MD5 hashes or digital signature schemes. The problem is that such approaches do not note the necessary privacy and key management issues in any integrated or standard enough way either. The OSPF proposals do include one interesting new extension, the use of OSPF with IPv6. Such an approach can provide much better security for the routing than the previously discussed extensions, since IPv6 includes IPSEC as an obligatory part of the protocol suite. Thus the well-defined and implemented IPSEC authentication, encryption and key management services can be used within OSPF, in which case the protection of the OSPF routing would not require any further security means. Moreover, the fundamental OSPF features would remain unchanged, since for instance the OSPF for IPv6 supports the OSPF optional features like on-demand links as well. Only the IPv6-specific issues like the large address space have lead to some changes to the protocol. [3, 4, 15, 16, 17]
RIP and OSPF protocols have seemingly many characteristics that are useful in static environments and inadequate in the mobile and dynamically changing environments of MANET networks. The represented routing protocol suites have been discussed here only to illustrate the insufficient security means these protocols would provide in dynamic MANET environments. Moreover, since the RIP protocol suite is somewhat obsolete in the current Internet and the use of RIP protocols is typically discouraged, these traditional and simple protocols should not be considered when a secure MANET routing protocol is being designed. The OSPF protocol suite can, however, have a future since its integration within the IPv6 protocol suite may turn out to provide robust and secure enough routing framework for mobile environments.
Mobile IP does not define any privacy-protection mechanism whatsoever. The protection of the privacy of MNs and the confidentiality of the protocol messages must be managed with external services, such as link-layer encryption or IPSEC, which may be somewhat orthogonal solutions to the Mobile IP protocol. Moreover, Mobile IP does not provide privacy protection mechanisms for critical information like the location of MNs. Such services must be implemented for instance with tunnels between the home agent (HA) and the MN. [17, 22]
The traffic between MN and HA must be authenticated with a keyed MD5 MACs. Since the tunnelling of traffic to the MN residing in a foreign network has potential vulnerabilities, enabling possibly e.g. impersonation attacks, foreign registration operations must also be authenticated. In Mobile IP the authentication of both HA-FA and MN-FA registration are, however, only optional features. Moreover, the trust on the originator of the Registration Requests in Mobile IP is implicit. When the CN detects that the MN has a proper shared secret and it can verify the MAC in the request properly, it automatically assumes that the MN really belongs to the given HA and is who he claims to be. The use of keyed MD5 authentication requires proper key management so that the generated keys can be distributed to their users in a secure fashion. Mobile IP does not, however, offer a standard key management protocol. For instance, in basic Mobile IP the shared secret keys must be configured manually a priori between every pair of communicating nodes - dynamic secret negotiation mechanisms are not supported. Such dynamic methods do, however, form a complex problem, since they also increase the need for more secure, distributed and robust key management services and generate more overhead to the computational resources and network traffic. [10, 22]
While strong authentication with for instance MACs provides integrity and authenticity protection in Mobile IP, the routing protocol messages can still be replayed, thus violating non-repudiation. An additional mechanism for achieving replay protection must be used. Mobile IP requires the use of at least time stamps. Time stamps are also used as sequence numbers by the HA) so they must be exchanged in ascending order. In addition, Mobile IP allows the use of other replay protection services if they can be properly negotiated between MNs and HAs. Such services include nonces, 32-bit random-looking numbers that identify the messages uniquely enough. Timestamps and nonces require the application of secure and efficient clock synchronization services, which on the other hand produces additional overhead for the MNs as well as the network and forms another vulnerability to the system. Moreover, since the time synchronization information must be distributed securely, the time synchronization messages must also be authenticated, yielding additional resource-demanding operations. [22]
According to Zhou and Haas [26], the MANET routing protocols can seemingly manage the dynamically changing conditions of the networks. None of these protocols, however, seems to be able to handle the security aspects properly. Some drafts currently ignore the problem by stating that the necessary security means are to be determined. In this case one can get the impression that the security mechanisms will later be retrofitted to the routing protocol after the protocol core has been tested to be robust enough. The retrofitting of the security mechanisms might, however, leave unpredictable and undetectable vulnerabilities in the system, if the protection mechanisms are not designed concurrently with the basic protocol. Moreover, some MANET routing protocols have ignored the security issues completely. For instance in the DSRP (Dynamic Source Routing Protocol) draft it is currently assumed that the nodes always operate without malicious intentions!
All the MANET routing protocol proposals do not, however, ignore the security aspects completely. In a few protocol proposals IPSEC is assumed to be able to provide good enough privacy and authentication protection mechanisms so that these issues would not need to be handled by the routing protocol itself. Some authors - e.g. Sufatrio and Lam [25] - do criticize this approach, since it produces additional configuration overhead and is more or less another form of retrofitting security. The discussed aspects about the security of the MANET routing protocols are not a good sign as such, but they certainly give a clarified picture of the MANET routing protocols: the security issues form a very complicated task to be solved within the dynamic MANET routing architectures. There are papers that have evaluated and compared these protocols, for example [23], which, however, does not directly discuss security aspects related to these protocols. [17, 23, 25]
There are a couple of problems in the current proposals that are related to DoS threats. Since the pure reactive protocols react to the experienced changes in network conditions, an adversary could force the nodes to send a lot of routing information updates by shutting down, setting up or even moving other compromised nodes. This is not a very feasible attack, however. In contrary, in the pure proactive approach the routing information is propagated periodically. Thus if the adversary can change or configure the protocol within some compromised nodes, he could exhaust the nodes in the network by setting the updating periods very low and requiring the sending of the 'updated' routing information throughout the network. It is questionable whether all the protocols can prevent or recover from such attacks and their consequences well enough. Finally, in some proposals the reactive and proactive approaches are either used concurrently or they can be dynamically interchanged when the conditions require changes to the routing policy. It is, however, unclear, whether the security problems discussed here are accumulated or counter each other in these hybrid solutions. [19]
Interestingly, some routing protocols like TORA (Temporally-Ordered Routing Algorithms) support multicasting. But for example, in TORA the multicast property is not an integral part of the protocol and requires the involvement of an additional protocol and synchronized clocks. This naturally leads to the problem of the centralized resource: the use of such a time-dependent protocol requires a reliable external time source. Such a synchronization service naturally forms a serious vulnerability, since the routing protocol will not function properly if an adversary can shut down or distort the operation of the service. [6]
DoS threats form a substantial risk for any distributed system, as was discussed before. Therefore in MANET networking the distributed model concerning both the trust management, key management and the provision of services is absolutely vital. With centralized approaches to e.g. key storing and distribution, the problem of compromised nodes and byzantine failures may produce significant vulnerabilities to the system. Thus any MANET or mobile routing architecture having centralized approaches is obliged have additional security mechanisms retrofitted to the system to protect the vulnerable nodes from attackers. The mechanical replication of the data or services of the node is an inadequate protection approach, since e.g. the private keys of the nodes simply have then a multiple possibility to be compromised. Thus the MANET routing framework must apply a distributed approach even in the most fundamental services like key management. Moreover, redundancies in the communication increase the possibility that each node can receive proper routing information. Such approaches do, however, produce more overhead in both computation resources and network traffic. The redundancies allow the compromised nodes to be detected and prevented from performing malicious actions, possibly so that the whole network can continue operating consistently. [26]
MANET and Mobile IP networks apply binding mechanisms so that the correct routing information, such as the location of MNs, can be maintained and exchanged between the nodes correctly. This kind of information is absolutely essential for maintaining the consistency in the dynamically changing routing fabric. Therefore such binding operations form serious vulnerabilities, unless protected adequately. For example, in Mobile IP the registrations and binding updates must be authenticated. But as was discussed, basic Mobile IP requires authentication only between MN and HA. Thus if no other authentication mechanisms are used, the direct binding updates between FA and MN as well as between FA and HA would be vulnerable to bogus binding update problem. For instance, if the routing messages are not strongly authenticated, an adversary could tamper with the messages to redirect the traffic arbitrarily or to cause congestion, router resource exhaustion and unpredictable changes to the network topology, thus compromising both integrity and authenticity. [10, 21, 22]
Additional problems may be encountered when using smooth handoffs that involve the buffering of packets and caching of binding information within route optimizations. The caches are required to store the binding information, say, a couple hundreds of milliseconds after a MH has started the binding and registration to another node. The cache itself does not presumably form a serious vulnerability due to its short lifetime, but there are other potential problems. Since when using direct binding updates, the MN and FA do not have a priori negotiated security associations, the dynamic application of secret sharing and other similar services can be hard. Some proposals apply for instance dynamic secret negotiation with the Diffie-Hellman (DH) algorithm, but such approaches are prone to man-in-the-middle attacks. [14, 21, 22, 24]
The routing information must be protected from eavesdropping. As was discussed, in many applications of MANET networking the exchanged routing information is absolutely essential in respect of the security of the routing. Sometimes the routing information in packet headers such as the location of the MNs can even be more valuable than the actual exchanged data, especially in critical military applications [6]. Thus privacy forms another necessary aspect that must be handled by the routing architecture: the MNs do not typically want to reveal their identities or whereabouts to outsiders. Even though the routing protocol itself would not support privacy protection, such mechanisms can be retrofitted to the system e.g. by introducing IPSEC. This kind of a solution is not a perfect one, however, since these kind of approaches may produce integration problems as well as substantial configuration requirements to the system, which are especially unwanted features in MANET networking. [6, 17, 21, 26]
Fasbender et al. [6] discuss the protection against traffic analysis, which most often means the securing of location information in MANET networks. Traffic analysis is traditionally protected with link encryption, by generating false traffic and using bi-directional links, but all of these solutions are inadequate. If link-to-link encryption is applied, the key management system is indeed scalable even when shared secret keys are used. On the one hand, the nodes decrypt data and handle it in cleartext form, which further underlines the problem of compromised nodes. On the other hand, end-to-end encryption is not scalable, since all nodes require the configuration of a priori negotiated and authenticated shared secrets. The Chaum mix mode, which applies the false traffic generation approach is non-scalable and produces great overhead, as shown by Fasbender et al. Finally, using bi-directional tunnels in inter-network routing is unsafe, since traffic through such tunnels between the networks is observable. In addition, due to the MANET requirements the bi-directionality of links cannot always be guaranteed. [6, 21, 22]
Even though the protection of location and other confidential information is a vital issue, an additional and somewhat controversial aspect must be brought up here: The protection of location information is not always a totally wanted feature for mobile networks that are envisioned to be used commercially. For example, the operator of cellular phone services as well as the content and service providers do want to find out the current locations of the user agents - such requirements are of course understandably important from the business point of view. But even if the use of location information and other similar parameters are restricted to be used strictly for a certain user, a certain user agent and a certain service, there are always additional technical as well as moral problems related to such approaches. The details of these issues are, however, beyond the scope of this paper.
Some MANET routing protocols like DSRP apply source routing. As commonly known, source routing is not a welcomed feature in the Internet, since it may allow adversaries to redirect and spoof traffic arbitrarily. Thus most routers of today deny service from all source routing requests. Source routing was originally introduced also within Mobile IP, in the form of loose source routing, in which the FA would have sent the packets directly to the MN if the FA had been on the loose source route. Such approach is, however, inadequate: Since IP expects the higher protocol layers to perform source route reversals at the receiver node, authentication is required, but such services are typically not supported at all. This kind of approach leads to similar bogus routing message threats encountered in the Internet of today. Thus the MNs must either prevent source routing, thus making the approach unusable or authenticate all source routing traffic, which produces substantial overhead especially when implemented with public-key cryptography. Thus source routing should not be applied in mobile routing as the only alternative. In IPv6 source routing should presumably also be prevented, since IPv6 supports both IPSEC - offering authentication and privacy protection - and dynamic address binding features, as was discussed before. [17, 21, 22]
Dynamics, the hierarchical system for distributing mobility agents that is proposed by Forsberg et al. [7] mainly focuses on the distribution of nodes and routing issues, but includes security features as well. The basic assumption of the proposal is that the HA and MN have a mutual trust relationship and can establish a security association within the registration process. Due to the hierarchical location management system, however, there may be other security associations as well. The associations are protected with a priori negotiated shared secrets (session keys) and if no such associations exist e.g. between HA and FA, RSA (Rivest-Shamir-Adleman) public-key encryption is applied to protect the routing traffic. The public keys are not certified, but their MACs are used to associate a public key with its owner. Routing message replay protection and sequence detection are performed using either nonces or timestamps. [7]
The represented approach does, however, have some questionable features, similar to the ones many other proposals also have. For instance, the use of session keys requires the a priori negotiated shared secret between the nodes wanting to use the keys, thus reducing the flexibility and scalability of the system. This not a hard problem between the HA and MH, since they have mutual trust relationship and thus have a fixed security association as such. The use of RSA along with the secret-key cryptography requires the configuration and use of two totally different cryptographic approaches, which sets additional requirements on the nodes in the system. In addition, the nodes must be able to exactly determine when to use which approach. Moreover, the public keys are not certified by any trusted authority, decreasing the trust on the keys. The MAC calculated by the FA may not be correct since FA may be a compromised node. Finally, it is questionable how this kind of hybrid approach can tolerate the byzantine failures. [7]
Sufatrio and Lam [25] have introduced a lightweight and scalable authentication protocol called Minimal Public-Key Based Authentication (Min-PKA) for Mobile IP that does not require any changes to the protocol. Its main purpose is to secure the registration process and it makes use of AAA (Authentication-Authorization-Accounting) server nodes (AAAH for AAA home agent and AAAF for AAA foreign agent). The authors argue that since a single protocol cannot meet all the requirements of different Mobile IP environments, the support for several protocols must be built. They criticize approaches that rely on only one protocol in securing the routing between the AAAH and AAAF, since e.g. the use of IPSEC requires substantial configuration and may lead to poor handoff times. They also note the problems in basic Mobile IP for instance in the scalability of the key negotiations. Moreover, they criticize the Jacobs' approach [10] that uses only public-key cryptography, since it is dependent on that the MNs can perform the heavy computations of the required security operations. [10, 17, 25]
In contrary the Sufatrio and Lam proposal Min-PKA uses two different approaches, secret-and public-key -based of which the former requires manual configuration, as was discussed. Since such approach may, however, offer substantial optimizations in some routing scenarios, they suggest the use of public-key cryptography to be applied in the interdomain authentication. The MH and AAAH can, however, use shared secrets like in Dynamics (between HA and MH), since the nodes have a security association. Their approach introduces three services: Authentication services provide digital signatures and MACs between MH and AAAH to protect the routing traffic. The services rely on the correct actions performed by AAAH in the indirect MN-AAAF communication. Integrity services rely on the authentication services to assure the integrity when the authenticity is confirmed. FA agent discoveries form a problem since FA and MH may have no security associations. This problem is, however, solved by putting the advertisements into the Registration Requests from which a MAC can be calculated and which can thus then be authenticated. Finally, anti-replay protection services guarantee the freshness and authenticity of the registrations. The mechanism uses nonces to achieve the goals but has a flaw since adversaries can fool the AAAFs to sign arbitrary data. Nonces in the message to be signed somewhat reduce the severity of the problem, but do not completely remove it. [10, 17, 25]
Fasbender et al. [6] have introduced a solution to the confidentiality of location problem - the Non-Disclosure Method (NDM). In this approach, every Security Agent (SA) (node) has a public-private key pair. When a sender A wants to send a message M to the receiver B, the message is forwarded to the destination by using a route (A, SA1, ..., SAn, B) as defined by the intermediate security agents from SA1 to SAn. It should be noted that A and B may not be real locations, but e.g. Mobile IP addresses. The route is constructed by performing n encryptions E_SAi with the public keys of the intermediate nodes: M' = E_SA1(SA2, E_SA2(SA3, ...(SAn, E_SAn(B, M)))). When the sender A sends the encrypted message M', the first security agent SA1 decrypts the message, thus finding only the location of the next hop in the route SA2, and so on. Thus the security agents see only the location information (addresses) of the next and previous security agents. In addition, the nodes cannot determine where they actually are located in the route and who the receiver B is. In this approach the last intermediate node SAn would know the location and identity of the receiver B, but not M, if it can be assumed that the sender A can encrypt the message with B's public key also. Finally, it should be noted that the method can of course be applied to protect any other vulnerable header information than just the location of the nodes. [6]
In the NDM approach the location information as well as the actual message is hidden from the intermediate nodes (SAs). The approach has, however, a problem respect of MANET networking: the sender must know all the public keys K_SAi and the identities of the security agents in the route to be able to construct the route. Thus this kind of proposal does look like a source routing mechanism as such. Moreover, the intermediate compromised nodes (or outsiders) can inspect the sizes of the sent packets and try in that way to determine the length of the route. This problem can mitigated by allowing the SAs to use padding mechanisms with random data to hide the actual length of the payload. Finally, as the NDM proposal uses public-key cryptography rather heavily, it is questionable whether such approach can be applied within MANET networks due to the previously discussed constraints they have. [6]
Zhou and Haas [26] have introduced a distributed key management service to be applied within MANET networks (referred to ZH from now on). The ZH proposal applies redundancies in the network topology to provide reliable enough key management mechanism the routing. The idea is to divide the task for transmitting routing information in such a redundant way so that if some route fails or a relatively small amount of nodes become compromised, the nodes can still exchange correct routing information reliably. The approach does require that the routing protocol can manage multiple routes - many of the current MANET proposals like TORA can indeed achieve this. The trust model applied in the ZH proposal is distributed: if the upper limit for the number of compromised server nodes can be set to T, at least N = 3 * T + 1 nodes are ideally needed to maintain the adequate security level and trust relationships. It is, however, questionable whether such thresholds can be set properly enough in different MANET environments. [26]
The ZH proposal applies public-key cryptography to get the benefits of public key management services and digital signatures that offer integrity and non-repudiation protection. Thus every server node has a public-private key pair of which the private key must naturally be individual and well-protected, while the public key must be certified by a trusted server. Centralized certification services are totally unacceptable in MANET systems and therefore the ZH proposal does not rely in any such approach - the responsibility is distributed and shared within several nodes. The ZH service also uses shared secret keys for establishing secure sessions with fast encryption services. To protect the sessions from tampering, impersonation and eavesdropping attacks, the ZH proposal requires the authentication and encryption of the session keys using the asymmetric key pairs the server nodes have. [26]
The ZH proposal assumes that the underlying network can be asynchronous, as the ad-hoc networks typically are. Zhou and Haas state that if synchronicity of the services is assumed, the adversary could perform DoS attacks to slow or shut server nodes down, thus violating the assumption. The ZH key management system performs correctly, if the service is able to process query and update requests correctly. In the query mode the node requests the public keys from other nodes, while in the update mode the node advertises its own (changed) public key to the others. Moreover, to provide enough security the private key of the service must never disclosed to an adversary so that the certificates generated by using the ZH service can always assumed to be valid. The ZH proposal is not, however, safe as such, since mobile adversaries could attack a large enough number of nodes to gather enough secret shares to be able to gain access to the private key of the server. Thus proactive security schemes are required for periodical refreshing of the shared secrets among the server nodes. The advantage of this mechanism is that since the new shares are totally independent of the old shares, the private key needs not be revealed when the shares are updated to the new ones. [26]
As was discussed before, the comprehensive protection of the exchanged routing information may produce large amounts of computational and network traffic overhead, especially when public-key mechanisms are applied extensively. According to Hauser et al., a large portion of the link state updates (LSU) are just replicates of the previously exchanged LSUs. Thus LSUs need not be generated each time the routing information is exchanged for instance because of the expiration of the routing information or periodical refreshing. Since every LSU requires resource-greedy security operations, such as authentication with digital signatures, any optimizations would be certainly welcomed. They have proposed a mechanism for allowing the nodes to send substantially lighter routing information packets when the LSUs would be redundant in respect of the previously exchanged information. The resources are saved by applying a hash chain from the node that sends the routing information to the other nodes with the heavy security mechanisms. The message includes a computation of h(h(...(h(R)))) of some randomly chosen data R, which is hashed N times. After the first original message, the origin node can then refresh the redundant routing information by sending the nodes the random data R hashed only N - 1 times. In this way the receiver nodes can refresh their routing information by computing the hash of the chain and verifying that the result is indeed equal to the original hash chain associated with the routing information that was authenticated within the first routing information exchange. After that, if the same routing information is still valid, the origin node sends a hash chain of N - 2 hashes and so on, until the number of hashes in the chain N is zero, in which case the routing information must be renewed totally. [8]
This kind of approach still substantially reduces the computational overhead, if the routing information is typically redundant, since hash functions are extremely fast when compared to the digital signatures and other public-key methods. The proposal does, however, require that the random-number generators that produce the random data are strong. Moreover, the length of the hash chain must be set to be very long. An advantage of this method is that it does not include any source routing approaches. In addition, the length of the hash chain is always the same, no matter how many hashes are computed. Thus an adversary cannot determine the length of the chain by just inspecting it. On the other hand, in the dynamically changing MANET environments having the severe problems with compromised nodes inflicting undetectable byzantine failures the approach seems to be inadequate. This is because the routing information is sent as such from individual nodes, thus allowing the nodes to send any kind of malicious routing information they want. If the receiver nodes accept such incorrect information, the origin node may be able to maintain the incorrect states for a long time by setting the hash chain to be very long.
The most severe problem especially within MANET routing seems to be the potential byzantine failures inflicted by compromised nodes, due to the complexity and extremely hard requirements of such protocols. Since malicious nodes can subvert the routing protocol so that the malicious actions cannot be detected until perhaps the damage has been done, sometimes the attack is never noted or it may be identified incorrectly as a configuration, network or hardware error. Byzantine failures can be prevented by some secure routing proposals, e.g. Phalanx [26]. Moreover, Perlman's PhD thesis, Network-layer Protocol with Byzantine Robustness (NPBR) proposes a theoretical but robust routing protocol applying two modes: flooding and link state modes. In the former NPBR mode the routing robustness is guaranteed by flooding packets, performing public-key encryptions per packet and link and ignoring significant state in routers. The link state NPBR is less robust, but it allows N - 1 compromised routes in case of N redundant routes per two nodes. Although the NPBR protocol and a few other proposals seemingly offer enough robustness and security for the routing, the overhead produced by the necessary security mechanisms prevent their large-scale implementations at least in typical MANET networks having low-powered mobile terminal devices. [8, 26]
MANET and Mobile IP routing protocol proposals seem to meet the basic requirements for the protocols like dynamically changing network topologies rather well. The security issues have, however, been left for small notice, especially within the MANET protocols - Mobile IP extension proposals do have various approaches for enhancing the security. The MANET routing protocols must be secured from the viewpoint of the authentication, integrity, non-repudiation and privacy. These requirements can be at least partially met for instance by using strong encryption mechanisms, digital signatures, nonces and timestamps. Moreover, the protection means can be optimized by analyzing potential redundancies in the routing protocol and applying efficient mechanisms such as secret-key cryptography, hashing functions and MACs. The use of any keyed method will, however, require a distributed, robust and secure key management service so that the necessary keys can be generated, distributed and applied securely.
The choice of the security mechanisms involves also the selection between secret and public-key cryptography. While shared secret keys offer significant efficiency, such an approach will require static and manual key negotiations or complex secure dynamic key negotiation services between the nodes. Moreover, the use of secret keys is highly dependent on the assumed security associations and trust relationships between the network nodes, which may produce unpredictable vulnerabilities to the system. On the other hand, the mere use of public-key cryptography requires extensive key management. Such services may produce too much overhead especially for the energy- and computational power -constrained MANET nodes and thus the concurrent use of both public- and shared secret key techniques may have to be supported. The integration of these approaches may, however, produce additional risks, as was discussed.
Some MANET routing protocol developers suggest the application of IPSEC within the protocol to achieve the necessary security goals. This kind of approach is not totally adequate, due to the problems with e.g. configuration requirements and the retrofitting of security mechanisms. Moreover, as was discussed, the traditional security mechanisms such as link-level encryption or bi-directional tunnels are not adequate, due to the dynamic and unpredictable nature of MANET networks. The possibility of byzantine failures and other malicious action performed by compromised nodes requires a distributed approach both in abstract level - trust model - and in the security mechanism level, such as the necessary key management. Byzantine robustness can indeed be achieved adequately, but at the expense of huge computational and network traffic overheads. Therefore such an approach cannot directly be applied within MANET networking.
Finally, it can be concluded that while the protection of MANET routing is indeed a huge and nontrivial task, at least feasible partial solutions do exist for specific MANET environments. There may be many coexisting solutions and proposals that may be orthogonal or mutually incompatible, although interoperability of the solutions may become an important issue in the future. A routing protocol that offers complete security, byzantine robustness and adequate efficiency at the same time may not yet even exist. It is, however, possible that such proposals will never be published, since such a protocol would have an inconceivably huge value in securing the routing in the various critical environments requiring MANET approaches, such as military battlefields and areas of natural disasters. Therefore the difficulties in the development towards a secure MANET routing mechanism may not totally arise from technical problems - there are other factors in the field of MANET networking as well.
For comments and advice the author wishes to thank his tutor Camillo Särs, professor Pekka Nikander, administrative assistant Marja-Leena Markkula and the opponent Risto Määttä.
| [1] | Amoroso, E., Fundamentals of Computer Security Technology, Prentice-Hall, Englewood Cliffs, New Jersey, USA, 1994, 404 p. |
| [2] | Baker, F. & Atkinson, R.,
RFC 2082 - RIP-2 MD5 Authentication,
January 1997, Internet Society. [referred 28.2.2000] <ftp://ftp.funet.fi/pub/standards/RFC/rfc2082.txt> [in ASCII format] |
| [3] | Coltun, R.,
RFC 2370 - The OSPF Opaque LSA Option, July 1998, Internet Society.
[referred 3.4.2000] <ftp://ftp.funet.fi/pub/standards/RFC/rfc2370.txt> [in ASCII format] |
| [4] | Coltun, R. et al.,
RFC 2740 - OSPF for IPv6, December 1999, Internet Society.
[referred 3.4.2000] <ftp://ftp.funet.fi/pub/standards/RFC/rfc2740.txt> [in ASCII format] |
| [5] | Corson, S. & Macker, J.,
RFC 2501 - Mobile Ad Hoc Networking (MANET): Routing Protocol Performance
Issues and Evaluation Considerations, January 1999, Internet Society.
[referred 13.2.2000] <ftp://ftp.funet.fi/pub/standards/RFC/rfc2501.txt> [in ASCII format] |
| [6] | Fasbender, A. et al., Variable and Scalable Security: Protection of Location Information in Mobile IP., Mobile Technology for the Human Race, IEEE 46th Vehicular Technology Conference, 1996. |
| [7] | Forsberg, D. et al.,
Distributing Mobility Agents Hierarchically Under Frequent Location
Updates, Sixth IEEE International Workshop on Mobile Multimedia
Communications, 1999. [referred 24.3.2000] <http://www.cs.hut.fi/Research/Dynamics/> [in PS format] |
| [8] | Hauser, R. et al.,
Lowering security overhead in link state routing,
Computer Networks, vol. 31, 1999, pp. 885-894. |
| [9] | Hedrick, C.,
RFC 1058 - Routing Information Protocol, June 1988, Internet Society.
[referred 14.3.2000] <ftp://ftp.funet.fi/pub/standards/RFC/rfc1058.txt> [in ASCII format] |
| [10] | Jacobs, S.,
Mobile IP Public Key Based Authentication, Internet draft, IETF,
March 1999. [referred 24.3.2000] <http://search.ietf.org/internet-drafts/draft-jacobs-mobileip-pki-auth-02.txt> |
| [11] | Macker, J. & Corson, S.,
Mobile Ad Hoc Networking and the IETF, in Mobile Computing and
Communications Review, Volume 2, Number 1, January 1998.
[referred 28.2.2000] <http://tonnant.itd.nrl.navy.mil/manet/manet_home.html> [in PostScript format] |
| [12] | Malkin, G.,
RFC 1721 - RIP Version 2 Protocol Analysis, November 1994, Internet
Society. [referred 14.3.2000] <ftp://ftp.funet.fi/pub/standards/RFC/rfc1721.txt> [in ASCII format] |
| [13] | Malkin, G.,
RFC 2453 - RIP Version 2, November 1998, Internet Society.
[referred 28.2.2000] <ftp://ftp.funet.fi/pub/standards/RFC/rfc2453.txt> [in ASCII format] |
| [14] | Menezes, A. et al., Handbook of Applied Cryptography, CRC Press, Boca Raton, Ca., USA, 1997, 780 p. |
| [15] | Moy, J.,
RFC 1247 - OSPF Version 2, July 1991, Internet Society.
[referred 3.4.2000] <ftp://ftp.funet.fi/pub/standards/RFC/rfc1247.txt> [in ASCII format] |
| [16] | Moy, J.,
RFC 2154 - OSPF with Digital Signatures, June 1997, Internet Society.
[referred 3.4.2000] <ftp://ftp.funet.fi/pub/standards/RFC/rfc2154.txt> [in ASCII format] |
| [17] | Moy, J.,
RFC 2401 - Security Architecture for the Internet Protocol,
November 1998, Internet Society. [referred 3.4.2000] <ftp://ftp.funet.fi/pub/standards/RFC/rfc2401.txt> [in ASCII format] |
| [18] | Nikander, P., Lecture about Mobile and Ad-Hoc Networks on the Network Application Frameworks course, 16.3.2000, Helsinki University of Technology, Otaniemi, Finland. |
| [19] | O'Reilly, P.,
Mobile Ad Hoc Networking (MANET), January 11, 1999.
[referred 13.2.2000] <http:\\www.varium.com\~pso\AdHocNetworking.html> [in HTML format] |
| [20] | Perkins, C..,
Mobile Ad Hoc Networking Terminology, Internet draft (expired), IETF,
1998. [referred 13.2.2000] <http://www.ctron.com/support/internet/Internet-Drafts/draft-ietf-manet-term-01.txt> |
| [21] | Perkins, C.,
Mobile networking in the Internet, Mobile Networks and Applications 3,
1998, p. 319-334. [referred 13.2.2000] <http://www.baltzer.nl/monet/articlesfree/1998/3-4/mnt071.pdf> [in PDF format] |
| [22] | Perkins, C. (editor),
RFC 2002 - IP Mobility Support, October 1996, Internet Society.
[referred 28.2.2000] <ftp://ftp.funet.fi/pub/standards/RFC/rfc2002.txt> [in ASCII format] |
| [23] | Royer, E. & Toh, C.-K.,
A Review of Current Routing Protocols for Ad-Hoc Mobile Wireless
Networks. [referred 13.2.2000] <http://www.ee.surrey.ac.uk/Personal/G.Aggelou/PAPERS/Adhoc_Review.ps.gz> [in PostScript format] |
| [24] | Schneier, B., Applied Cryptography - Protocols, Algorithms and Source Code in C., John Wiley & Sons. Inc., 2nd Edition, 1996, 758 p. |
| [25] | Sufatrio & Lam, K.-Y.,
Scalable Authentication Framework for Mobile-IP (SAFe-MIP),
Internet draft, IETF, November 1999. [referred 24.3.2000] <http://search.ietf.org/internet-drafts/draft-rio-mobileip-safe-mip-00.txt> |
| [26] | Zhou, L. & Haas, Z.,
Securing Ad Hoc Networks., 1998. [referred 13.2.2000] < http://www.ee.cornell.edu/~haas/Publications/network99.ps> [in PostScript format] |
| IETF Mobile IP drafts <http://www.ietf.org/ids.by.wg/mobileip.html> | |
| IETF MANET drafts <http://www.ietf.org/ids.by.wg/manet.html> | |
| INDEX Mobile Computing Papers <http://www-tkn.ee.tu-berlin.de/bibl/ps/index.html> | |
| Mobile Networking Paper Collection <http://www-tkn.ee.tu-berlin.de/bibl/ps/index.html> | |
| Mobile Security Links <http://www.cs.umass.edu/~lmccarth/mobile/security-links.htm> | |
| NRL Mobile Ad-Hoc Networking Page <http://tonnant.itd.nrl.navy.mil/manet/manet_home.html> |