Routing Security in Ad Hoc Networks

Transcription

1 Routing Security in Ad Hoc Networks Janne Lundberg Helsinki University of Technology Telecommunications Software and Multimedia Laboratory Abstract The existing ad hoc routing protocols do not accommodate any security and are highly vulnerable to attacks. We discuss threats and attacks against ad hoc routing under several areas of application. We also look at some suggested solutions that could be used when secure protocols are designed. The current protocols should not be used in hostile environments unless the applications are especially designed to operate under insecure routing or until protocols with enhanced security are introduced. 1 Introduction An ad hoc network is an infrastructureless network where the nodes themselves are responsible for routing the packets. In the traditional Internet, routers within the central parts of the network are owned by a few well known operators and are therefore assumed to be somewhat trustworthy. This assumption no longer holds in an ad hoc network since all nodes entering the network are expected to take part in routing. Also, because the links are usually wireless, any security that was gained because of the difficulty of tapping into a network is lost. Furthermore, because the topology in such a network can be highly dynamic, traditional routing protocols can no longer be used. The routing protocol sets an upper limit to security in any packet network. If routing can be misdirected, the entire network can be paralyzed. The problem is enlarged by the fact that routing usually needs to rely on the trustworthiness of all the nodes that are participating in the routing process. It is hard to distinguish compromised nodes from nodes that are suffering from bad links. The main objective of this paper is to discuss ad hoc routing security with respect to the area of application. We limit our study to IP based networks. The rest of this paper is organized as follows. In Section 2 we define some criteria that can be used to evaluate ad hoc routing protocols. Different types of threats against routing are discussed in Section 3, and the effects of the area of application are discussed in Section 4. Some of the current ad hoc routing protocols are introduced in Section 5, and some suggested solutions to known problems are introduced in Section 6. Section 7 concludes the paper. 1

2 2 Criteria In this section we list criteria for a secure routing protocol. Some of the obvious requirements for all routing protocols such as loop-freedom have been omitted for brevity. From the standpoint of security, an optimal routing protocol should fulfill the following criteria. Certain discovery. If a route between two points in a network exists, it should always be possible to find it. Also, the node which requested the route should be able to be sure it has found a route to the correct node. Isolation. The protocol should be able to identify misbehaving nodes and make them unable to interfere with routing. Alternatively, the routing protocol should be designed to be immune to malicious nodes. Lightweight computations. Many devices connected to an ad hoc network are assumed to be battery powered with limited computational abilities. Such a node cannot be expected to be able to carry out expensive computations. If operations such as public key cryptography or shortest path algorithms for large networks prove necessary, they should be confined to the least possible number of nodes; preferrably only the route endpoints at route creation time. This requirement is needed to protect against trivial denial-of-service attacks. Location privacy. Often, the information carried in message headers is just as valuable as the message itself. The routing protocol should protect information about the location of nodes in a network and the network structure. Self-stabilization. The self-stabilization property requires that a routing protocol should be able to automatically recover from any problem in a finite amount of time without human intervention. That is, it must not be possible to permanently disable a network by injecting a small number of malformed packets. If the routing protocol is selfstabilizing, an attacker who wishes to inflict continuous damage must remain in the network and continue sending malicious data to the nodes, which makes the attacker easier to locate. Byzantine robustness. A routing protocol should be able to function correctly even if some of the nodes participating in routing are intentionally disrupting its operation. Byzantine robustness can be seen as a stricter version of the self-stabilization property: the routing protocol must not only automatically recover from an attack, it should not cease from functioning even during the attack. Clearly, if a routing protocol does not have the self-stabilization property it cannot have byzantine robustness either. 3 Vulnerabilities and Attacks Operation in an ad hoc network introduces some new security problems in addition to the ones already present in fixed networks. Some new vulnerabilities include the following. 2

3 Easy theft of nodes. Many nodes are expected to be small in size and thus vulnerable to theft. From a routing perspective this means that a node may easily become compromised. Thus, a previously well-behaving node can unexpectedly become hostile. Vulnerability to tampering. This difficulty is related to the problem of easy theft. It must not be trivial for example to recover private keys from the device. A less stringent version of tamper proofness is tamper evidence where it is only required that a tampered node can be distinguished from the rest. Limited computational abilities. Nodes can be devices with limited computing power. This may exclude techniques such as frequent public key cryptography during normal operation. However, symmetric cryptography is likely to be feasible in authenticating or encrypting routing message exchanges. Battery powered operation. Many devices in an ad hoc network are assumed to be battery powered. An attacker may attempt a denial-of-service attack by creating additional transmissions or expensive computations to be carried out by a node in an attempt to exhaust its batteries. Transient nature of services and devices. Because an ad hoc network consists of nodes that may frequently move, the set of nodes that are connected to some particular ad hoc network frequently changes. This can create problems for example with key management if cryptography is used in the routing protocol. 3.1 Attacks Passive Attacks In a passive attack, the attacker does not disrupt the operation of a routing protocol but only attempts to discover valuable information by listening to the routing traffic. The major advantage for the attacker in passive attacks is that in a wireless environment the attack is usually impossible to detect. This also makes defending against such attacks difficult. Furthermore, routing information can reveal relationships between nodes or disclose their IP addresses. If a route to a particular node is requested more often than to other nodes, the attacker might expect that the node is important for the functioning of the network, and disabling it could bring the entire network down. Other interesting information that is disclosed by routing data is the location of nodes. Even when it might not be possible to pinpoint the exact location of a node, one may be able to discover information about the network topology. It is worth noting that in an IP network one cannot defend against these attacks for example by only using IPsec [8]. The packets still have most of their IP headers in plaintext, and it may not even be feasible to have symmetric keys distributed to every node in a network. 3

4 3.1.2 Active Attacks To perform an active attack the attacker must be able to inject arbitrary packets into the network. The goal may be to attract packets destined to other nodes to the attacker for analysis or just to disable the network. A major difference in comparison with passive attacks is that an active attack can sometimes be detected. This makes active attacks a less inviting option for most attackers. Yet, it may still be a real alternative when large amounts of money is at stake such as in commercial or military environments. Next we present some types of active attacks that can usually be easily performed against an ad hoc network. Black hole. The black hole attack is briefly introduced in [12]. In the attack, a malicious node uses the routing protocol to advertise itself as having the shortest path to the node whose packets it wants to intercept. In a flooding based protocol such as AODV [10] the attacker listens to requests for routes. When the attacker receives a request for a route to the target node, the attacker creates a reply where an extremely short route is advertised. If the malicious reply reaches the requesting node before the reply from the actual node, a forged route has been created. Once the malicious device has been able to insert itself between the communicating nodes, it is able to do anything with the packets passing between them. It can choose to drop the packets to perform a denial-of-service attack, or alternatively use its place on the route as the first step in a man-in-the-middle attack. Routing table overflow. In a routing table overflow attack the attacker attempts to create routes to nonexistent nodes. The goal is to create enough routes to prevent new routes from being created or to overwhelm the protocol implementation. Proactive routing algorithms attempt to discover routing information even before it is needed while a reactive algorithm creates a route only once it is needed. This property appears to make proactive algorithms more vulnerable to table overflow attacks. An attacker can simply send excessive route advertisements to the routers in a network. Reactive protocols, on the other hand, do not collect routing data in advance. For example in AODV, two or more malicious nodes would need to cooperate to create false data efficiently: The other node requests routes and the other one replies with forged addresses. Sleep deprevation. The sleep deprevation torture is briefly introduced in [11]. Usually, this attack is practical only in ad hoc networks, where battery life is a critical parameter. Battery powered devices try to conserve energy by transmitting only when absolutely necessary. An attacker can attempt to consume batteries by requesting routes, or by forwarding unnecessary packets to the node using, for example, a black hole attack. This attack is especially suitable against devices that do not offer any services to the network or offer services only to those who have some special credentials. Regardless of the properties of the services, a node must participate in the routing process unless it is willing to risk becoming unreachable to the network. Location disclosure. A location disclosure attack can reveal something about the locations of nodes or the structure of the network. The information gained might reveal 4

5 which other nodes are adjacent to the target, or the physical location of a node. The attack can be as simple as using an equivalent of the traceroute command on Unix systems. Routing messages are sent with inadequate hop-limit values and the addresses of the devices sending the ICMP error-messages are recorded. In the end, the attacker knows which nodes are situated on the route to the target node. If the locations of some of the intermediary nodes are known, one can gain information about the location of the target as well. 4 Area of Application The area of application can necessitate some additional security from the routing protocol, or it is possible that no security is needed at all. In this section we present some probable uses for ad hoc networks and discuss how the security requirements may vary in the different cases. 4.1 Home network A home network consists of various kinds of household appliances. The devices may be for example VCRs, remote controllers and washing machines. Their operation environment is fairly friendly. As always in security, protections should be built according to the value of the asset to be protected. Because of the nature of home networks, a denial-of-service attack targeted at routing would typically only be experienced as annoyance by the user, not as a serious financial or security problem. There are, however, some applications that require more robust quality of service, for example a burglar alarm. A criminal must not be able to disable an alarm system from outside the building by disrupting routing between the alarm and a gateway router. These special applications need some additional security measures. For example, the burglar alarm may optionally use broadcasting to reduce dependency from routing. Even building a fixed link between the alarm and the router may be feasible since a installing a burglar alarm will require special skills anyway. The effectiveness of routing attacks against home networks is also mitigated by the fact that a typical home network is likely to be of no more than 20 meters in diameter. This means that most of the existing equipment will be within direct radio link distance from one another and no real routing is usually needed. Also, the usefulness of passive attacks against home networks is minimal, because the number of routing packets can be small, especially if reactive protocols are used. Even, if multi-hop routing is actually needed, the routing tables would most likely be fairly static because most nodes are unlikely to change location too often. People do not carry their refridgerator to the bathroom and their TVs do not move around the house by themselves. The devices that actually move in a home environment are the ones people carry with them: mobile phones, remote controllers and in the future possibly your wearable computer. The only thing that is disclosed to the passive attacker outside the building appears to be that somebody is moving within the building. The same information can be gained even without any specialized equipment by watching the building from the outside. 5

6 4.2 Emergency and Rescue Emergency situations are another area of application where routing security is not necessarily of paramount importance. In many papers [1] [2] [4] it is envisioned that an ad hoc network could be used in areas where fixed infrastructure does not exist or it has been destroyed by a natural disaster. In these situations, interoperability between the participating services is likely to be a more important requirement that security. The two major differences in comparison with home networks are that the network may span over several square kilometers and that nodes often move rapidly. The result is a real need for multi-hop routes and an increase in the number of routing messages. However, since the routing data appears to be of little monetary value to anyone, the threat from passive as well as active attacks is limited. One possible event where routing security could potentially be important is a terrorist attack. In this scenario, an attack against routing might be used as a way to maximize the amount of damage inflicted. Another possible need for security is in the use of ad hoc networks in police-communications. It is not obvious, whether or not it is feasible to replace encrypted radios with ad hoc networks, but clearly some security is needed. 4.3 Military A network used by the military needs maximum security. The expected adversary can be highly skilled, motivated and usually backed up by huge resources. In a military environment, routing attacks can be divided into two types: strategic and tactical attacks Strategic Routing Attacks Encyclopedia Britannica defines strategy as the science and art of military command exercised to meet the enemy in combat under advantageous conditions. The definition covers areas such as intelligence gathering. It might also cover destruction of enemy networks in preparation for battle. However, once a routing attack has ended, the network can usually be brought back into use in a short amount of time. Additionally, because of the attack, the target could gain some information about where the enemy is about to strike next. Thus, active attacks are probably best suited to tactical use while passive attacks can be effective in gathering information. Passive routing attacks have a wide range of use. One can deduce things about the location of nodes, and the roles of each node in the network. Obvious targets include command and control nodes. They may be distinguishable from other nodes by traffic analysis targeted at the routing protocol, since routes to them are likely to be needed more often than to a typical node in a network Tactical Routing Attacks Tactics is the science of disposing and maneuvering forces in combat. Tactical routing attacks could be used most effectively during battle. The attacks might use information 6

7 about the network topology or relationships between nodes as well as other information that has been collected earlier using passive attacks. The main goal could be to temporarily disable some important part of a network using denial-of-service attacks. 5 Current Protocols One thing in common with all existing ad hoc routing protocols is the lack of any built-in security [13]. In this section, we briefly examine two ad hoc routing protocols and make observations about their strengths and weaknesses. The first protocol, Ad Hoc On Demand routing Protocol (AODV) [10] was chosen because of its simplicity while it demonstrates the problems with routing security in an ad hoc network. The second protocol we discuss is the Zone Routing Protocol (ZRP) [5]. ZRP is discussed because it appears to be one of the most efficient protocols that are currently available [4], and its operation differs significantly from AODV. 5.1 AODV AODV is a purely reactive distance vector routing protocol. That is, a route is discovered only once it is needed. To request a route, AODV sends a Route Request message (RREQ). The RREQ is broadcast to all the nodes in the network within some hop limit. Each RREQmessage has a unique sequence number. Before a node rebroadcasts the RREQ, it saves the sequence number of the message. The sequence number is needed to ensure that one node does not broadcast the same message repeatedly. When the RREQ message reaches the host to which a route is requested, that host constructs a Route Reply message (RREP) and sends it to the node where it received the RREQ message. The RREP message is unicasted back to the original requestor using the same sequence number and the reverse route through which the RREQ was received. A route to the node that sent the RREP is created into the forwarding nodes. 5.2 ZRP The Zone Routing Protocol [4] is a hierarchial protocol with both proactive and reactive elements. A network is divided into zones, which operate independently from one another. The zones are connected to each other using another protocol through one of the members in each zone. Thus, ZRP consists of two separate routing protocols. The protocol which is used within each zone is called the Intrazone Routing Protocol (IARP). The IARP has currently not been specified, and the ZRP specification sets few limits to the protocol; the most important requirement is that the protocol must be proactive. OSPF [9] is used as an example in the specification. The Interzone Routing Protocol (IERP) is used by ZRP to find routes between zones. Like AODV, the IERP is a completely reactive protocol. A more detailed desrciption of ZRP can be found in [4] and [5]. 7

8 5.3 Analysis of the Protocols Neither one of the protocols discussed above provides a solution to the requirements of certain discovery, isolation or byzantine robustness. Certain discovery requires that a node requesting the route must be able to verify that the route has indeed been created to the intended node. Both AODV and ZRP attempt to accomplish this using IP addresses as the identities of the nodes. However, in an IP network a node can advertise itself as having any IP address, and the address can be changed instantly using only software. Currently, if no other protections are used, the nodes in the network have no possibility of verifying the correctness of the discovered route. To gain any protection against forged addresses both algorithms should employ some kind of cryptographic means to ensure route validity. Isolation is another property which is not provided by the protocols. Neither specification introduces any way of excluding a misbehaving node from the network or even discuss ways of detecting such behavior. Both algorithms require only lightweight computations. While the ZRP specification mandates using a proactive intrazone routing protocol, the actual protocol is not described in the specification. One possible intrazone protocol which is mentioned in the specification is OSPF. OSPF uses Dijkstra s shortest path algorithm to compute routes, which may be an expensive process in large networks. Fortunately, ZRP allows changing the zone radius to control the number of nodes within zones and the therefore the heaviness of the OSPF computations. On the other hand, both AODV and the ZRP intrazone protocol are fully reactive, which is a beneficial property in decreasing computation complexity, since reactive algorithms usually require only forwarding received messages and storing some routing state. If the protocols are configured properly, the heaviness of computations are unlikely to be a problem for either protocol. Locations of nodes in relation to other nodes is provided liberally by both protocols. This is due to the fact that the routing packets are unencrypted, and some unwanted location information is always carried in routing messages. Some protection could be provided by encrypting routing message payloads. This would come at an additional cost in key distribution and the IP headers would still remain in plaintext. ZRP provides some crude location security by diving routing into zones which attempt to conceal their internal organization from the outside world. While this property is built to enhance performance, it also seems to benefit security. The self-stabilization characteristics of ZRP cannot be analyzed since the intrazone routing algorithm has not been specified. AODV, however, is prone to self-stabilization problems as sequence numbers are used to verify route validity times, and incorrect state may remain stored in the routing tables for a long time. Byzantine robustness is not provided by AODV either since it would require self-stabilization. A hierarchical routing structure can be favorable with respect to security since a well designed algorithm should be able to contain certain problems to a small portion of the hierarchy, leaving other portions mostly unaffected [12]. A reactive algorithm, on the other hand, may reveal relationships and use frequencies between nodes more than a proactive scheme while a proactive algorithm ensures that the locations of nodes are always known 8

9 HUT TML 2000 to the entire network. ZRP has some features that appear to make it somewhat less susceptible to routing attacks than AODV. Since ZRP is hiearchial, some of the routing information is hidden within the zones. Also, because the interzone protocol is reactive, the amount of global information known to the entire network remains small. 6 Possible Solutions In this section we discuss some possible ways of protecting routing information integrity from malicious nodes. Also the disclosure threat and location privacy is considered. 6.1 IPsec In the next examples, node wants to discover a route to node, and a malicious node wants to have the packets delivered to itself. Different assumptions about cryptographic keys are made in the different cases. The amount of protection IPsec can provide against the creation of forged routes, when AODV is used as the routing protocol is also discussed. If none of the nodes in a network share cryptographic keys with one another, any node can claim itself the identity of another node and have the network route the packets to itself. In AODV this could proceed as follows: Node floods the network with a RREQ-message to find a route to. When node receives the RREQ-message, it forges a RREP-message in which it claims to have s address. If the RREP message sent by is forwarded back to before the reply from is, then a forged route has been created. The problem, it would seem, is that the lack of authentication in the protocols enables nodes to impersonate one another. We next discuss under what key distribution conditions IPsec Authentication Header (AH) [6] and the Encapsulating Security Payload (ESP) [7] could be used to secure routing. The situation we discuss first, is the case when and share a key which is known by them alone. In this case the RREQ-message must reach in order for a RREP to be created because none of the hostile nodes are assumed to be in possession of the key. Once the RREP is sent by, the message becomes vulnerable to interception by the attacker. listens to the RREP-message and replays the message into the node where it received the RREQ message. has, again, created a forged route to itself despite the IPsec protection, if the malicious message arrives before the correct message to the route requestor. Also, introducing a common symmetric key which is only known to the correctly behaving nodes does not help, because the malicious node does not need to alter the packet to perform a successful attack. The most demanding set of requirements we discuss, is the case where each pair of legitimate nodes in a network has got a pair of symmetric keys that is known only to the two nodes. broadcasts the RREQ-message to the network as usual. When the request reaches, it creates a RREP-message using IPsec AH or ESP with the key it shares with the node from whom the RREQ was received. The RREQ is forwarded back to the requesting node and the encryption or authentication is checked and recomputed between 9

10 HUT TML 2000 all hops. If encryption or authentication is used in this way, does not appear to have any way of subverting security. However, this scheme also fails if any of the trusted nodes are compromised. Another complication is the amount of key distribution that must be performed. 6.2 Non-Disclosure Method In [3] the Non-Disclosure Method (NDM) for protecting the location of nodes is introduced. In NDM a number of independent security agents (SA) are distributed over the network. Each of these agents owns a pair of asymmetric cryptographic keys and. Sender S wishes to transmit a message M to receiver R without disclosing his location. S sends the message using a number of SAs:. The message is encapsulated N times using the public keys as follows.!!!! To deliver the packet, S sends it to the first security agent which decrypts the outermost encapsulation and forwards the packet to the next agent. Each security agent knows only the addresses of the previous and the next hop. The last agent finally decrypts the message and forwards it to R. NDM may not be possible for routing because of the amount of additional overhead it introduces. Also, an obvious chicken and egg problem occurs if one attempts to discover routes to security agents using security agents. Finally, an attacker may be able to do traffic analysis based on packet lengths unless packets are randomly padded. 6.3 Redundant Paths Another solution for increasing route robustness that is mentioned in [13] is the use of redundant paths. Some current routing algorithms such as AODV could easily be modified to produce several routes to one node. If one of the routes fails, possibly due to a malicious node in the path, another one of the discovered routes could be used instead. The usefulness of this protection is also limited, since an attack cannot always be detected by the route endpoints, which would be necessary in order to switch to another route. 7 Conclusions In any multi-hop IP network, routing places an upper bound on the security of the entire network. If the security in the routing protocol is nonexistent, the network can have no security against denial-of-service attacks that can disable the entire network. Other serious threats resulting from routing protocols is the disclosure of some information about the network structure and the movement of the nodes within the network. Even though current ad hoc routing protocols are completely insecure, their use is not completely exluded in environments such as home networks where security is usually not 10

11 an absolute necessity. However, in environments such as law enforcement or the military, new protocols with strong security against, for example, location disclosure and active attacks are needed. In general, providing routing security in wireless networks appears to be a problem that cannot be solved trivially for example by using IPsec. Methods such as NDM are also probably too expensive to be used in ad hoc networks, and it also necessitates the use of security agents which need to be present in the network at all times. Hierarchy appears to be a desirable property in routing protocols because it can sometimes limit failures to smaller areas in a network. As it also limits the number of routing messages in comparison with flat routing, it may also limit the vulnerability against denial-of-service attacks based on excessive route requests. Currently, ad hoc routing protocols are vulnerable to several kinds of attacks, and none of the available protocols make any visible attempt at reducing their vulnerability. Also, existing security enhancement techniques such as the Non-Disclosure Method and IPsec are either too expensive or ineffective to be of value. Unless protection against routing attacks can be provided by the applications that are used in the network, current routing protocols should not be used in areas of applications where the threats of denial-of-service attacks, forged routes, or location disclosure are of any significant importance. 8 Acknowledgements We thank Catharina Candolin and Jonna Särs for their comments on this paper. References [1] Josh Broch, David A. Maltz, David B. Johnson, Yih-Chun Hu and Jorjeta Jetcheva. A Performance Comparison of Multi-Hop Wireless Ad Hoc Network Routing Protocols., ACM MOBICOM 98, 1998 [2] S. Corson and J. Macker Mobile Ad hoc Networking (MANET): Routing Protocol Performance Issues and Evaluation Considerations. RFC 2501, IETF Network Working Group, January [3] Andreas Fasbender, Dogan Kesdogan and Olaf Kubitz. Variable and Scalable Securiy: Protection of Location Information in Mobile IP Mobile Technology for the Human Race. IEEE 46th Vehicular Technology Conference, IEEE 1996 [4] Zygmunt J. Haas. A New Routing Protocol for the Reconfigurable Wireless Networks. ICUPC 97, October [5] Zygmunt J. Haas and Marc R. Pearlman. The Zone Routing Protocol (ZRP) for Ad Hoc Networks. Internet Draft, work in progress, Expired. [6] S. Kent and R. Atkinson. IP Authentication Header. RFC 2402, November [7] S. Kent and R. Atkinson. IP Encapsulating Security Payload (ESP). RFC 2406, November

12 [8] S. Kent and R. Atkinson. Security Architecture for the Internet Protocol. RFC 2401, November [9] J. Moy. OSPF Version 2. RFC 2328, April [10] Charles E. Perkins, Elizabeth M. Royer and Samir R. Das. Ad hoc On-Demand Distance Vector (AODV) Routing. Internet Draft, work in progress, IETF Mobile Ad Hoc Networking Working Group, July [11] Frank Stajano and Ross Anderson. The Resurrecting Duckling: Security Issues for Ad-hoc Wireless Networks. In Security Protocols, 7th International Workshop Proceedings, Lecture Notes in Computer Science, Springer-Verlag. [12] Feiyi Wang, Brian Vetter and Shyhtsun Wu. Secure Routing Protocols: Theory and Practice. North Carolina State University, May [13] Lidong Zhou and Zygmunt J. Haas. Securing Ad Hoc Networks