Secure autoconfiguration and routing in an ipv6 based ad hoc network
Download
1 / 41

Secure Autoconfiguration and Routing in an IPv6-Based Ad Hoc Network - PowerPoint PPT Presentation


  • 106 Views
  • Uploaded on

Secure Autoconfiguration and Routing in an IPv6-Based Ad Hoc Network. Jehn-Ruey Jiang National Central University. Outline. IPv6 Overview Ad Hoc Networks IP Autoconfiguration CGA S-DSR Conclusion. Outline. IPv6 Overview Ad Hoc Networks IP Autoconfiguration CGA S-DSR Conclusion.

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Secure Autoconfiguration and Routing in an IPv6-Based Ad Hoc Network' - cilicia-romeo


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Secure autoconfiguration and routing in an ipv6 based ad hoc network

Secure Autoconfiguration and Routing in anIPv6-Based Ad Hoc Network

Jehn-Ruey Jiang

National Central University


Outline
Outline

IPv6 Overview

Ad Hoc Networks

IP Autoconfiguration

CGA

S-DSR

Conclusion


Outline1
Outline

IPv6 Overview

Ad Hoc Networks

IP Autoconfiguration

CGA

S-DSR

Conclusion


Internet history
Internet History

  • 1969:ARPANET (using Network Control Protocol, NCP)

  • 1974: TCP/IP (by Vinton Cerf and Bob Kahn)

  • 1981: IPv4 (RFC 791)

  • 1984: NSFNet (using Transmission Control Protocol/Internet Protocol, TCP/IP)

  • 1990: ARPANET retired

  • 1991: WWW (World Wide Web) (by Tim Berners-Lee)

  • 1993: NCSA Mosaic (by Mark Andreesen) → Netscape Navigator

  • 1990s: Internet

  • 2000s: internet


Ipv6 history
IPv6 History

  • 1992: IPng (Next Generation IP) began in IETF (Internet Engineering Task Force)working groups

  • 1994: IPv6, announced by IESG(Internet Engineering Steering Group) (RFC 1752) (IPv5 is for a stream protocol)

  • 1998: IP Version 6 Addressing Architecture [July] (RFC2373)

  • 1998: Internet Protocol, Version 6 (IPv6) Specification [December] (RFC2460)


Ipv6 features
IPv6 Features

  • Expanded address space128 bits ( 3.4*1038 IP Addresses)

  • Auto-configurationStateless (Prefix + EUI-64), Stateful (DHCPv6),Addressing Lifetime (Age for renumbering)

  • Quality of Service 20-bit Flow Label enables identification of traffic flows for real-time Voice and Video stream

  • Integrated Security SupportIPSec(AH Header+ESP Header)

  • MobilityNo Foreign Agent, Free of Triangle routing, Plug&Play (Care-of Address)


IPv6 Vision

IPv6  Anything, Anytime, Anywhere

Connection to Internet

Source: NDHU


Outline2
Outline

IPv6 Overview

Ad Hoc Networks

IP Autoconfiguration

CGA

S-DSR

Conclusion


Ad hoc networks
Ad hoc Networks

  • Ad hoc: formed, arranged, or done (often temporarily) for a particular purpose only

  • Ad Hoc Network (MANET):A collection of wireless mobile hosts forming a temporary network without the aid of established infrastructure or centralized administration


Infrastructure vs ad hoc modes
Infrastructure vs Ad-hoc Modes

infrastructure network

AP

AP

wired network

AP

Multi-hop ad hoc network

ad-hoc network

ad-hoc network


Applications of manets
Applications of MANETs

  • Battlefields

  • Disaster rescue

  • Spontaneous meetings

  • Outdoor activities


Manet routing protocols
MANET Routing Protocols

  • Table Driven (Proactive) DSDV, FSR

  • On Demand (Reactive)AODV, TORA, ABR, SSA

  • HybridZRP


Secure routing protocols
Secure Routing Protocols

  • SAODV

  • SRP

  • SAR

  • CSER

  • SEAD

  • Ariadene

  • BSAR


Outline3
Outline

IPv6 Overview

Ad Hoc Networks

IP Autoconfiguration

CGA

S-DSR

Conclusion


Stateful vs stateless
Stateful vs. Stateless

  • Stateful DHCPv6

  • StatelessDAD (Duplicate Address Detection)


Dad 1 3
DAD (1/3)

  • A function of NDP (Neighbor Discovery Protocol)

  • Two types of messages

    • NS (Neighbor Solicitation)

    • NA (Neighbor Advertisement)


Dad 2 3

Ethernet Header:

Dest. MAC is 33-33-FF-22-22-22

IPv6Header:

Source Address is ::

Destination address is

FF02::1

NS Header:

Target Address is

FE80::2AA:FF:FE22:2222

DAD (2/3)

Tentative IP: FE80::2AA:FF:FE22:2222

Host A

(multicast)

Neighbor Solicitation

IP : FE80::2AA:FF:FE22:2222

Host B


Dad 3 3

Ethernet Header:

Dest. MAC is 33-33-00-00-00-01

IPv6Header:

Source Address is

FE80::2AA:FF:FE22:2222

Destination address is

FF02::1

NA Header:

Target Address is

FE80::2AA:FF:FE22:2222

DAD (3/3)

Tentative IP: FE80::2AA:FF:FE22:2222

Host A

Neighbor Advertisement

(multicast)

Host B

IP : FE80::2AA:FF:FE22:2222


Outline4
Outline

IPv6 Overview

Ad Hoc Networks

IP Autoconfiguration

CGA

S-DSR

Conclusion


What is a cga
What is a CGA

  • Cryptographically Generated Address

  • Also known as SUCV(Statistically Unique and Cryptographically Verifiable) address

  • It associates a host's address with its public key in order for other hosts to verify the ownership of the address



Outline5
Outline

IPv6 Overview

Ad Hoc Networks

IP Autoconfiguration

CGA

S-DSR

Conclusion


S dsr overview 1 2
S-DSR Overview (1/2)

  • Secure Dynamic Source Routing Protocol

  • It incorporates

    • DSR protocol

    • CGA

    • Address autoconfiguration

    • DNS autoregistration and discovery


S dsr overview 2 2
S-DSR Overview (2/2)

  • It allows the network to be bootstrapped without manual administration

  • It can resist a variety of attacks, including

    • black hole attack

    • replay attack

    • message forging attack

    • message tampering attack

    • DNS impersonation attack


S dsr assumption
S-DSR Assumption

  • There is a publicly known one-way, collision-resistant hashing function H, and there exists an IPv6 DNS server in the MANET. The DNS server has a public-private key pair, which is known by all mobile nodes prior to entering the MANET.

  • For a mobile which intends to own a permanent domain name, an entry (domain name, IP address) should have been placed at the DNS server before the network is formed. In this case, impersonate such hosts would be impossible.

  • For a mobile node which dose not intend to own a permanent domain name, its (domain name, IP address) entry can be registered with the DNS server on-line after the network is formed. We adopt the first-come-first-serve policy for registration of new domain names.


S dsr messages 1 2
S-DSR Messages (1/2)

8 types of messages:


S dsr messages 2 2
S-DSR Messages (2/2)

Definitions of symbols:


S dsr dad 1 4
S-DSR DAD (1/4)

  • On receiving AREQ(SIP,seq,DN,ch,RR), each intermediate node appends its address into the route record RR and rebroadcasts the message.

  • When a node R receives an AREQ with SIP equal to its own IP address, it unicasts an address reply message AREP(SIP,seq,RR, [SIP,seq,ch]RSK, RPK,Rrn) to S along the reverse route derived from RR.


S dsr dad 2 4
S-DSR DAD (2/4)

  • The AREP message should also be delivered to the DNS server through unicast

  • When a DNS server N receives the AREQ message and finds that the domain name in the DN field has already been registered by another host of address different from SIP, it will also unicast a DREP message (SIP, seq,RR, [SIP,seq,ch]NSK) to S.


S dsr dad 3 4
S-DSR DAD (3/4)

  • When the node S with a pending address request receives the AREP message, it authenticates the integrity of the message as follows:

    • It verifies if SIP matches with H(RPK,Rrn).

    • It decrypts [SIP,seq,ch]RSK by RPK and verifies if the decrypted result matches with [SIP,seq,ch].

  • If both checks pass, the AREP message is considered valid.



S dsr routing 1 5
S-DSR Routing (1/5)

  • On receiving (SIP,DIP,seq,SRR,[SIP,DIP,seq] SSK,SPK,Snd), each intermediate node I appends [SIP,seq]ISK,IIP,IPK,Irn into the secure route record SRR and rebroadcasts the message.


S dsr routing 2 5
S-DSR Routing (2/5)

  • On receiving RREQ (SIP,DIP,seq,SRR,[SIP,DIP,seq] SSK,SPK,Snd), it authenticates the message as follows:

    • It verifies if SIP matches with H(SPk, Srn).

    • It decrypts [SIP,DIP,seq]SSK by SPK and verifies if the decrypted result matches with [SIP,DIP,seq] indicated in the message.


S dsr routing 3 5
S-DSR Routing (3/5)

  • It verifies every IP address appearing in SRR. For an IP address IIP, whose corresponding information is [SIP,seq]ISK, IIP, IPK,Irn, the verification is done by checking if IIP matches with H(IPK,Irn), and if [SIP,seq]ISK can be decrypted by IPk to be [SIP,seq].

  • It verifies if seq is greater than the sequence number of any RREQ message sent by S.


S dsr routing 4 5
S-DSR Routing (4/5)

  • If all the verifications are passed, the RREQ message is considered valid.

  • The destination node D then unicasts a RREP Message (SIP,DIP,seq,RR,SR(D-S), [SIP,seq,SR(D-S)]DSK,DPK,Drn) to S along source route SR(D-S), which is derived form SRR.



Outline6
Outline

IPv6 Overview

Ad Hoc Networks

IP Autoconfiguration

CGA

S-DSR

Conclusion


Conclusion 1 2
Conclusion (1/2)

  • S-DSR can resist

    • Black hole attack

    • Route request (RREQ) message reply attack

    • Forged route request (RREQ) message attack

    • Forged address reply (AREP) message attack

    • Forged route error (RERR) message attack

    • Tampered control message attacks

    • DNS server impersonation attack


Conclusion 2 2
Conclusion (2/2)

  • Future work:To extend S-DSR to be a credit-based protocol with the help of CGAs, in which each node keeps a record for each IP address to differentiate between favorable nodes and unfavorable nodes.


Publication
Publication

  • Yu-Chee Tseng, Jehn-Ruey Jiang, and Jih-Hsin Lee, “Secure Bootstrapping and Routing in an IPv6-Based Ad Hoc Network,” ICPP Workshop on Wireless Security and Privacy 2003, 2003.

  • Yu-Chee Tseng, Jehn-Ruey Jiang*, and Jih-Hsin Lee, “Secure Bootstrapping and Routing in an IPv6-Based Ad Hoc Network,” Journal of Internet Technology, Vol. 5, No. 2, pp.123-130, Feb. 2004.



ad