Secure Autoconfiguration and Routing in an IPv6-Based Ad Hoc Network
Jehn-Ruey Jiang
National Central University

Outline
• IPv6 Overview
• Ad Hoc Networks
• IP Autoconfiguration
• CGA
• S-DSR
• Conclusion

Internet History
• 1969: ARPANET (using Network Control Protocol, NCP)
• 1974: TCP/IP (by Vinton Cerf and Bob Kahn)
• 1981: IPv4 (RFC 791)
• 1984: NSFNet (using Transmission Control Protocol/Internet Protocol, TCP/IP)
• 1990: ARPANET retired
• 1991: WWW (World Wide Web) (by Tim Berners-Lee)
• 1993: NCSA Mosaic (by Marc Andreessen) → Netscape Navigator
• 1990s: Internet
• 2000s: internet

IPv6 History
• 1992: IPng (Next Generation IP) began in IETF (Internet Engineering Task Force) working groups
• 1994: IPv6, announced by IESG (Internet Engineering Steering Group) (RFC 1752) (IPv5 is for a stream protocol)
• 1998: IP Version 6 Addressing Architecture [July] (RFC 2373)
• 1998: Internet Protocol, Version 6 (IPv6) Specification [December] (RFC 2460)

IPv6 Features
• Expanded address space: 128 bits (3.4*10^38 IP addresses)
• Auto-configuration: Stateless (Prefix + EUI-64), Stateful (DHCPv6), Addressing Lifetime (Age for renumbering)
• Quality of Service: 20-bit Flow Label enables identification of traffic flows for real-time voice and video streams
• Integrated Security Support: IPSec (AH Header + ESP Header)
• Mobility: No Foreign Agent, free of triangle routing, Plug&Play (Care-of Address)

IPv6 Vision
[Figure: IPv6: Anything, Anytime, Anywhere Connection to Internet. Source: NDHU]

Ad hoc Networks
• Ad hoc: formed, arranged, or done (often temporarily) for a particular purpose only
• Ad Hoc Network (MANET): a collection of wireless mobile hosts forming a temporary network without the aid of established infrastructure or centralized administration

Infrastructure vs Ad-hoc Modes
[Figure: an infrastructure network (APs attached to a wired network) beside an ad-hoc network (multi-hop ad hoc network)]

Applications of MANETs
• Battlefields
• Disaster rescue
• Spontaneous meetings
• Outdoor activities

MANET Routing Protocols
• Table Driven (Proactive): DSDV, FSR
• On Demand (Reactive): AODV, TORA, ABR, SSA
• Hybrid: ZRP

Secure Routing Protocols
• SAODV
• SRP
• SAR
• CSER
• SEAD
• Ariadne
• BSAR

Stateful vs. Stateless
• Stateful: DHCPv6
• Stateless: DAD (Duplicate Address Detection)

DAD (1/3)
• A function of NDP (Neighbor Discovery Protocol)
• Two types of messages
  - NS (Neighbor Solicitation)
  - NA (Neighbor Advertisement)

DAD (2/3)
[Figure: Host A and Host B, with a (multicast) Neighbor Solicitation. Labels: Tentative IP: FE80::2AA:FF:FE22:2222; IP: FE80::2AA:FF:FE22:2222]
• Ethernet Header: Dest. MAC is 33-33-FF-22-22-22
• IPv6 Header: Source Address is ::, Destination address is FF02::1
• NS Header: Target Address is FE80::2AA:FF:FE22:2222

DAD (3/3)
[Figure: Host A and Host B, with a (multicast) Neighbor Advertisement. Labels: Tentative IP: FE80::2AA:FF:FE22:2222; IP: FE80::2AA:FF:FE22:2222]
• Ethernet Header: Dest. MAC is 33-33-00-00-00-01
• IPv6 Header: Source Address is FE80::2AA:FF:FE22:2222, Destination address is FF02::1
• NA Header: Target Address is FE80::2AA:FF:FE22:2222

What is a CGA
• Cryptographically Generated Address
• Also known as SUCV (Statistically Unique and Cryptographically Verifiable) address
• It associates a host's address with its public key so that other hosts can verify the ownership of the address

Public Key and a CGA


S-DSR Overview (1/2)
• Secure Dynamic Source Routing Protocol
• It incorporates
  - DSR protocol
  - CGA
  - Address autoconfiguration
  - DNS autoregistration and discovery

S-DSR Overview (2/2)
• It allows the network to be bootstrapped without manual administration
• It can resist a variety of attacks, including
  - black hole attack
  - replay attack
  - message forging attack
  - message tampering attack
  - DNS impersonation attack

S-DSR Assumption
• There is a publicly known one-way, collision-resistant hashing function H, and there exists an IPv6 DNS server in the MANET.
• The DNS server has a public-private key pair, which is known by all mobile nodes prior to entering the MANET.
• For a mobile node that intends to own a permanent domain name, an entry (domain name, IP address) should have been placed at the DNS server before the network is formed. In this case, impersonating such hosts would be impossible.
• For a mobile node that does not intend to own a permanent domain name, its (domain name, IP address) entry can be registered with the DNS server online after the network is formed.
• We adopt the first-come-first-serve policy for registration of new domain names.

S-DSR Messages (1/2)
8 types of messages:

S-DSR Messages (2/2)
Definitions of symbols:

S-DSR DAD (1/4)
• On receiving AREQ(S_IP, seq, DN, ch, RR), each intermediate node appends its address into the route record RR and rebroadcasts the message.
• When a node R receives an AREQ with S_IP equal to its own IP address, it unicasts an address reply message AREP(S_IP, seq, RR, [S_IP, seq, ch]_{R_SK}, R_PK, R_rn) to S along the reverse route derived from RR.

S-DSR DAD (2/4)
• The AREP message should also be delivered to the DNS server through unicast.
• When a DNS server N receives the AREQ message and finds that the domain name in the DN field has already been registered by another host whose address differs from S_IP, it will also unicast a DREP message (S_IP, seq, RR, [S_IP, seq, ch]_{N_SK}) to S.

S-DSR DAD (3/4)
• When the node S with a pending address request receives the AREP message, it authenticates the integrity of the message as follows:
  - It verifies if S_IP matches with H(R_PK, R_rn).
  - It decrypts [S_IP, seq, ch]_{R_SK} by R_PK and verifies if the decrypted result matches with [S_IP, seq, ch].
• If both checks pass, the AREP message is considered valid.

S-DSR DAD (4/4)


S-DSR Routing (1/5)
• On receiving RREQ(S_IP, D_IP, seq, SRR, [S_IP, D_IP, seq]_{S_SK}, S_PK, S_rn), each intermediate node I appends [S_IP, seq]_{I_SK}, I_IP, I_PK, I_rn into the secure route record SRR and rebroadcasts the message.

S-DSR Routing (2/5)
• On receiving RREQ(S_IP, D_IP, seq, SRR, [S_IP, D_IP, seq]_{S_SK}, S_PK, S_rn), the destination node D authenticates the message as follows:
  1. It verifies if S_IP matches with H(S_PK, S_rn).
  2. It decrypts [S_IP, D_IP, seq]_{S_SK} by S_PK and verifies if the decrypted result matches with [S_IP, D_IP, seq] indicated in the message.

S-DSR Routing (3/5)
  3. It verifies every IP address appearing in SRR. For an IP address I_IP, whose corresponding information is [S_IP, seq]_{I_SK}, I_IP, I_PK, I_rn, the verification is done by checking if I_IP matches with H(I_PK, I_rn), and if [S_IP, seq]_{I_SK} can be decrypted by I_PK to be [S_IP, seq].
  4. It verifies if seq is greater than the sequence number of any RREQ message sent by S.

S-DSR Routing (4/5)
• If all the verifications are passed, the RREQ message is considered valid.
• The destination node D then unicasts a RREP message (S_IP, D_IP, seq, RR, SR(D-S), [S_IP, seq, SR(D-S)]_{D_SK}, D_PK, D_rn) to S along source route SR(D-S), which is derived from SRR.
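
Added example (not code from the slides or the S-DSR paper): the destination's four RREQ checks in Go. The same address-ownership test, IP equal to H(PK, rn) plus a valid signature, is what S applies to an AREP in DAD (3/4). Assumptions: Ed25519 signatures stand in for the slides' "decrypt with the public key" step, H is SHA-256 truncated to 64 bits under fe80::/64, and Node, NewNode, Msg and the byte encoding are hypothetical names and formats.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Node holds what a message carries for one node: IP, CGA random number, signature, public key.
type Node struct {
	IP, Rn, Sig []byte
	PK          ed25519.PublicKey
}

// CGA computes H(PK, rn). Assumption: SHA-256 truncated to 64 bits under fe80::/64.
func CGA(pk ed25519.PublicKey, rn []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, pk...), rn...))
	return append([]byte{0xfe, 0x80, 0, 0, 0, 0, 0, 0}, h[:8]...)
}

// NewNode builds a constructed identity from id and returns it with its signing function.
func NewNode(id byte, rn []byte) (Node, func([]byte) []byte) {
	sk := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{id}, ed25519.SeedSize))
	pk := sk.Public().(ed25519.PublicKey)
	return Node{IP: CGA(pk, rn), Rn: rn, PK: pk}, func(m []byte) []byte { return ed25519.Sign(sk, m) }
}
// Msg is an assumed byte encoding of the signed fields, e.g. [S_IP, D_IP, seq].
func Msg(seq uint64, ips ...[]byte) []byte { return []byte(fmt.Sprint(seq, ips)) }
// owns checks that IP == H(PK, rn) and that the signature over msg verifies under PK.
// The length guard matters: ed25519.Verify panics on a malformed attacker-supplied key.
func owns(n Node, msg []byte) bool {
	return len(n.PK) == ed25519.PublicKeySize && bytes.Equal(n.IP, CGA(n.PK, n.Rn)) && ed25519.Verify(n.PK, msg, n.Sig)
}

// VerifyRREQ runs checks 1-4 at the destination; lastSeq is the highest seq accepted from S.
func VerifyRREQ(s Node, dip []byte, seq, lastSeq uint64, srr []Node) error {
	switch {
	case !owns(s, Msg(seq, s.IP, dip)): // checks 1 and 2
		return fmt.Errorf("source address or signature invalid")
	case seq <= lastSeq: // check 4: replayed or stale request
		return fmt.Errorf("stale sequence number %d", seq)
	}
	for i, hop := range srr { // check 3: every hop signed [S_IP, seq]
		if !owns(hop, Msg(seq, s.IP)) {
			return fmt.Errorf("SRR hop %d invalid", i)
		}
	}
	return nil
}
func main() { fmt.Println(VerifyRREQ(Node{}, nil, 1, 0, nil)) } // unsigned request is rejected
```

A node that claims another node's address fails check 3 because the claimed address no longer equals the hash of the key that produced the signature.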

S-DSR Routing (5/5)


Conclusion (1/2)
• S-DSR can resist
  - Black hole attack
  - Route request (RREQ) message replay attack
  - Forged route request (RREQ) message attack
  - Forged address reply (AREP) message attack
  - Forged route error (RERR) message attack
  - Tampered control message attacks
  - DNS server impersonation attack

Conclusion (2/2)
• Future work: To extend S-DSR to be a credit-based protocol with the help of CGAs, in which each node keeps a record for each IP address to differentiate between favorable nodes and unfavorable nodes.

Publication
• Yu-Chee Tseng, Jehn-Ruey Jiang, and Jih-Hsin Lee, “Secure Bootstrapping and Routing in an IPv6-Based Ad Hoc Network,” ICPP Workshop on Wireless Security and Privacy 2003, 2003.
• Yu-Chee Tseng, Jehn-Ruey Jiang*, and Jih-Hsin Lee, “Secure Bootstrapping and Routing in an IPv6-Based Ad Hoc Network,” Journal of Internet Technology, Vol. 5, No. 2, pp. 123-130, Feb. 2004.

Q&A
