Cross-layer security and resilience in wireless mesh networks


By Ioannis Askoxylakis¹, Boldizsar Bencsath², Levente Buttyan², Laszlo Dora², Vasilios Siris¹ and Apostolos Traganitis¹

¹ Foundation for Research and Technology Hellas, Institute of Computer Science, N. Plastira 100, GR 70013, Heraklion, Greece
² Budapest University of Technology and Economics, Laboratory for Cryptography and System Security, Magyar tudosok krt 2, H-1117 Budapest, Hungary

1. Introduction

Security and resilience have become an important concern in the security design and architecture of future wireless networking technologies like Wireless Mesh Networks (WMN) [1, 2]. Network operators and service providers consider mesh networking a serious candidate for solving the so-called last mile problem, given its wider coverage than traditional wireless LANs and its lower deployment cost than 3G cellular networks. While there are several usage scenarios [3] and business opportunities [4], and there exist so-called community based mesh networks that are operated by individuals, the real business potential lies in operator based mesh networks. Examples include Ozone's mesh network in Paris and The Cloud in the City of London. If such pilot projects turn out to be successful, then mesh networking may become extremely popular and widespread. In order to turn the tremendous business potential represented by mesh networking into real profit, one needs to solve a number of technical problems related to the design and operation of mesh networks. In this chapter, we address one of those problems: securing mesh networks in a cross-layer manner and ensuring resilient operation. It is evident that security and resilience issues need to be considered seriously and solved appropriately.

Unlike wireline networks, the unique characteristics of wireless networks pose a number of nontrivial challenges to resilience and security design, such as the open peer-to-peer network architecture, the shared wireless medium, stringent resource constraints, and a highly dynamic network topology. More specifically, in this chapter we identify the security requirements that are relevant for wireless mesh networks in general, and for multi-operator QoS-aware mesh networks in particular. While security issues are often application specific, this chapter focuses on the general security requirements of wireless mesh networks that are either independent of the applications or common to all applications, and presents various design options for a security architecture that aims at satisfying those requirements. The approach follows a cross-layer concept, since this appears to be the only way to provide an aggregate framework for both proactive and reactive security approaches in a combined and balanced way. Several approaches to the security issues in wireless mesh networks can be found in [5, 6, 7]. However, none of those works specifically address QoS-aware mesh networks

operated by multiple operators, nor do they deal with proactive (cryptographic) and reactive (intrusion detection based) security measures in a combined manner as we do in this work. The discussion in [5] focuses on giving an overview of the various authentication mechanisms and secure routing protocols proposed for mobile ad hoc networks. Unfortunately, while the mechanisms and protocols proposed for mobile ad hoc networks are useful, they are not suitable for direct application in mesh networks. The authors of [6] discuss specific security issues in wireless mesh networks like the detection of compromised mesh routers, the security of routing, and the problem of fairness. However, although these are important issues, they represent only a small subset of the security problems in wireless mesh networks. The study in [7] is specific to wireless mesh network security and it is quite comprehensive in terms of identified security issues. In [8] there is a more detailed discussion of the available design choices for authentication and network access control, for the protection of wireless communications, and for intrusion and misbehavior detection, as well as a more QoS-specific discussion of the routing security problem.

The organization of this chapter is the following: a network system model is introduced in Section 2 and the network adversary model is described in Section 3. Based on these models, the general security and resilience requirements are identified in Section 4. Next, there is a presentation of the design options for the elements of the security architecture that aim at satisfying the identified security requirements. More precisely, mesh client authentication and network access control are addressed in Section 5, the protection of wireless communications in Section 6, key management issues in Section 7, secure routing in Section 8, and intrusion and misbehavior detection and recovery in Section 9. The chapter concludes with Section

2. Network Model

While several detailed surveys on mesh network architectures can be found in the literature [1, 2], in this chapter we consider the system/network model illustrated in Figure 1. This is the system model defined for the EU-MESH Project. According to this model, a mesh network consists of mesh routers that form a network whose networking attributes and characteristics are very similar to those of a static wireless ad hoc network. The mesh routers can function either as gateways to the wired Internet, or as wireless access points for mobile mesh clients. We assume that the mesh routers belong to multiple operators, and that they cooperate in providing aggregate networking services to all of their mesh clients. Their cooperation model, which falls outside the scope of this study, can be based on business agreements similar to roaming agreements in cellular networks. Mesh clients are mobile computing devices (smart phones, PDAs, netbooks, etc.) operated by customers that can be associated with one or more operators by contractual means. The mesh network provides various services to its clients, like Internet access, real-time communications within the mesh network, etc. In this model the mesh network is also designed to provide QoS applications with client mobility support. This requires that mobile mesh clients be able to perform seamless handovers between access points.

Figure 1: System model of a wireless mesh network - the EU-MESH approach

3. Network Adversary Model

A common initial approach to identifying the security requirements of a system is to understand the potential attacks against it. This understanding is summed up in the following adversary model, which describes the classes of attackers, their objectives, and their means of attacking the wireless mesh network.

Classes of attackers: Taking into account the system model described before, we can categorize attackers into the following classes:

- External adversaries: external entities that have no legitimate access to the mesh network and its services. They are usually equipped with networking systems that have the ability to interfere with the operation of the mesh network at several

layers. Typical attacks in this category include attempts to gain physical access to mesh routers that operate unsupervised in remote but accessible locations and then to modify the operation and behavior of these routers (by installing rogue software) according to the attack objectives.
- Dishonest network clients: misbehaving customers that have legitimate access to the mesh network and some of its services, but try to gain illegal access to services they are not subscribed to, or to obtain higher QoS in services they have already subscribed to.
- Dishonest network operators: operators of the mesh infrastructure that do not honestly keep the business agreements.

Objectives of attacks: The attacks of the adversaries described above may have the following objectives:

- Denial-of-Service (DoS): The objective of this type of attack is to degrade the QoS provided by the mesh network or even to completely disrupt the provided services. This is an objective of external adversaries.
- Unauthorized access to services: This objective is mainly related to external adversaries and dishonest clients. Common services include Internet access and real-time communications.
- Unauthorized access to network client data and meta-data: Network client data are the messages exchanged in a service session, and the corresponding objective is the violation of the confidentiality of the client, whereas meta-data is information related to the client's location and service usage profile, and the objective is the violation of the privacy of the client. Primarily, this objective is related to external adversaries and dishonest network operators.
- Fraudulent increase of business competitiveness: This could be the objective of dishonest operators that mount attacks on the mesh network or on specific network operators/competitors participating in the network in order to gain some advantage over them. This can be achieved either by reducing or destroying the reputation of the competitors, or by increasing their own reputation.

Attack mechanisms: The previously described objectives can be reached through a variety of attack mechanisms. While such mechanisms can be used stand-alone or in combination, most of them fall into one of the following two categories:

- Attacking the wireless communications by eavesdropping, jamming, replaying messages, injecting messages and traffic analysis.
- Setting up fake mesh routers or compromising unattended existing mesh routers.

4. Security & Resilience Requirements

Next, based on the adversary model described above, we identify the main security (proactive) and resilience (reactive) requirements for wireless mesh networks. We classify them into two broad categories: the security requirements, which refer to proactive network protection, and the resilience requirements, which refer to reactive network protection.

4.1 Security Requirements

Authentication of mesh clients and access control

Prevention of unauthorized access to services of the mesh network requires authentication of mesh clients, and enforcement of access control rules in the system. While there exist many authentication protocols and authorization schemes, there are additional requirements that need to be satisfied, such as the need to support end-user mobility and QoS-aware applications, and the need to work in a multi-operator environment. In particular, the support of user mobility and the provision of QoS-aware applications require fast re-authentication of mesh clients, since the requirements of authentication and access control should not exclude the possibility of seamless handover between access points. Moreover, in a multi-operator environment such handovers may occur between access points belonging to different administrative domains, and hence the authentication and access control scheme must be able to handle this situation.

Protection of wireless communications

In the system model described before, wireless communications take place between several network entities, such as between mesh clients and mesh routers, as well as among mesh routers and gateways. These wireless connections must be protected against various attacks, and this leads to the following requirements:

- Message integrity and authenticity: messages must be protected against attacks that aim to insert fake messages, or to modify or replay existing ones. This should ideally take place in a link-by-link manner, in order to identify and remove such messages at an early stage.
- Confidentiality and integrity of the application data: Application data, such as user data, must be protected against unauthorized access. While this can be done in an end-to-end manner, for applications that are not prepared for such protection the problem should be solved within the mesh network, transparently to the applications.
- Traffic analysis prevention: This prevents unauthorized access to the meta-data of the customers, and hence ensures some degree of privacy. Link-by-link encryption of messages could be a suitable approach, because it can hide end-to-end addressing information. Another approach is the use of dummy traffic by neighboring mesh routers on idle links, in order to make the identification of communication profiles more difficult.

4.2 Resilience Requirements

Resilience is the ability of the network to provide and maintain an acceptable level of service in the face of various faults and challenges to normal operation. Resilient wireless networks aim to provide acceptable service to applications, including:

- the ability of mobile users and applications to access information when needed,
- maintenance of end-to-end communication associations,
- the ability of distributed operation and networking.

We focus on two main reactive resilience requirements: robust networking, and intrusion detection and recovery.

Increasing the networking robustness

Increasing the robustness of basic networking mechanisms, such as the routing protocol, the medium access control scheme, the topology control and channel assignment mechanisms, etc., is very important, since they are the main targets of DoS attacks against a network. Among them, securing the routing protocol seems to be the most important requirement, because interfering with the routing protocol may affect the entire network, whereas attacks on lower layers (e.g., on medium access control and channel assignment) have a localized effect. QoS-aware routing protocols provide functions such as proactive dissemination of routing information and local route computation, resource reservation on selected routes, and recovery from errors during the data forwarding phase. Each of these functions has its own resilience and security requirements. Routing information dissemination and route discovery require the authentication and integrity protection of routing control messages, in order to prevent their manipulation by external adversaries. It may also be desirable to ensure non-repudiation of routing control messages, in order to discourage operators from mounting stealth attacks against each other and to facilitate dispute resolution. Resource reservation messages must also be authenticated, in order to avoid resource blocking DoS attacks and to guarantee that resources do not stay reserved forever. Finally, error recovery procedures should not be exploitable by attacks aiming at the disruption of communication.

Intrusion and misbehaviour detection and recovery

In general it is more or less impossible to identify misbehaving nodes of a WMN by cryptographic (proactive) means, and cryptographic solutions are ineffective against jamming attacks. These challenges clearly make a case for building a second line of defence of cross-layer resilience solutions, aiming at the detection of and recovery from intrusion and misbehavior, that would achieve both broad protection and desirable network performance in situations where proactive security mechanisms either fail or are not sufficient to defend the network against attacks. As misbehaviour can be observed at any layer of the communication stack, misbehaviour detection should target all layers. Moreover, cross-layer misbehaviour detection can increase the detection effectiveness by combining detection modules

employed in different layers. An important requirement in this direction is the need for some level of node cooperation, since in misbehaviour detection and recovery processes nodes should be able to monitor, to some extent, each other's activity.

5. Client authentication and access control enforcement

In a multi-operator mesh network, and especially in business driven mesh networks, an important requirement is that only authorized users should be able to access its services. In order to fulfill this requirement, authentication and access control enforcement are required. In the authentication process, the mesh client proves its identity using an authentication key. In addition, during the authentication process a short-term connection key is established between the mesh client and the access control enforcement point. This connection key serves as the basis for access control enforcement on the follow-up traffic originating from the mesh client. In this section, we first introduce a detailed list of requirements for authentication and access control enforcement in QoS-aware multi-operator mesh networks. Then, we give an overview of the authentication and access control enforcement mechanisms proposed for WiFi and mesh networks, and we analyze them with respect to the identified requirements.

5.1 Requirements

The main requirements for authentication and access control enforcement in a QoS-aware multi-operator mesh network are the following:

- Fast authentication process that supports user mobility: As a main requirement, the authentication method has to support mobility of mesh clients, which may use QoS-aware services like VoIP. When a mesh client moves from one access point to another, re-authentication due to the handover must be supported.
- Forward security of the connection keys: The connection keys should not reveal long-term keys. This is an important requirement in the multi-operator environment, since mesh clients may associate with access points operated by foreign operators.
- Independence of connection keys: As neighboring access points may not fully trust each other in a multi-operator environment, the authentication and key generation mechanism has to prevent an access point from deriving connection keys that are used at another access point.
- Key freshness: It must be ensured that the connection keys derived in every authentication process are fresh.
- DoS resistance: The authentication method should not open the way to new types of DoS attacks.
- Compatibility with standards: In a multi-operator environment, where clients move among different operators, it is essential that the protocols used in the authentication mechanism are standardized or consist of standardized elements.

- Scalability: One of the main advantages of mesh networks is the dynamically increasing coverage, which translates into a dynamically increasing number of network elements such as mesh routers, access points, and mesh clients. The authentication method employed in such networks should be able to follow the network extensions.
- Independent elements: In a multi-operator environment, the most probable scenario is that each operator runs its own authentication server(s), without relying on a central authentication entity.

5.2 Taxonomy

While many authentication and access control enforcement methods have been proposed, we initially categorize them according to the place of access control enforcement and the place and type of authentication. Depending on the place where the access control is enforced, we have the following categories:

- Central access control enforcement: The access control is enforced in a centralized manner by an entity outside of the mesh.
- Access control enforcement at the border: The access control is enforced by the gateways that are located at the border of the mesh network.
- Distributed access control enforcement: The access control is enforced by the access points.

When the access control is enforced by a central entity or at the gateways, the mesh clients cannot be authenticated inside the network. If the access control enforcement is distributed, the mesh client can be authenticated at the following network entities:

- remote authentication servers placed outside of the mesh network;
- local authentication servers placed near the access points within the mesh network, where they can be reached by the access points within a few wireless hops;
- the access points themselves, acting as distributed authentication servers.

During the handover process, the authentication process can be initiated in a reactive or in a proactive manner. In reactive authentication, the mesh client is authenticated to the next access point and the connection keys are established after the mesh client has already associated with the next access point, while in proactive authentication the connection keys are distributed to the potential next access point before the handover process is initiated. Next, we classify the proactive solutions depending on the participant who controls the key distribution:

- Mesh client driven key distribution, where the mesh clients create security associations with the next, or with each potential next, access point before the handover process.
- Authentication server driven key distribution, where the authentication servers distribute mesh client specific keys among the potential next access points in a proactive manner, so that the keys are available before the mesh clients associate with the next access point.

In Table I, we categorize the authentication methods found in the literature according to the taxonomy described above.

Table I: Taxonomy of authentication methods

  Access control enforcement:
    Authentication at the borders    [10] [11]
    Central authentication           [9] [10] [11]
    Distributed                      see the rows below

  Distributed enforcement, by authenticator (rows) and type of key distribution
  (reactive; proactive, authentication server driven; proactive, mesh client driven):
    Access points                    -, [27], [26]
    Local authentication server      [17] [18] [13] [19] [15] [16] [21]
    Remote authentication server     [21] [20] [22] [23] [24]

Centralized access control enforcement

When the access control enforcement is centralized, no authentication is required at the access points during the handover process. In such cases, the mesh client is able to associate with any access point, and the access control is enforced by redirecting the traffic of the mesh client to a central access control enforcement entity. The central entity makes forwarding decisions based on the origin of the traffic, such as the MAC and/or IP addresses of the mesh client. This solution is often used in WiFi hotspots, for instance using the ChilliSpot implementation [9]. The main disadvantage is that no connection key is established, and an attacker can easily gain access by spoofing the MAC and IP addresses of an already authenticated client. A similar centralized solution is presented in [10, 11], where an architecture based on the Protocol for carrying Authentication for Network Access (PANA) [12] is proposed. In this approach the mesh clients are authenticated only once, when they first associate with an access point. Once the clients have been successfully authenticated, IPsec tunnels are established between the mesh clients and the central access control enforcement entity, which obtains the connection key from the authentication server. The main advantage of central access control enforcement is that no key material is stored in the access points, and therefore potential attackers are not able to obtain any keys by compromising an access point. The main drawback is that such architectures are vulnerable to DoS attacks, because it is not possible to deny access before a message arrives at the central access control enforcement unit. This can be exploited

by attackers injecting fake messages into the system and thereby decreasing the QoS levels. Another drawback is that the central unit is a bottleneck, resulting in a potential scalability problem.

Access control enforcement at the gateways

When the access control is enforced at the border between the wired network and the mesh network, mesh client authentication can take place either at the gateway or at a central authentication server. While an authentication scheme in which the gateway authenticates the mesh client would be technically interesting and challenging, so far no such proposal exists. For the case where the mesh client is authenticated to a central authentication server but the access control is enforced at the gateways, the PANA-based architecture proposed in [10, 11] could be employed. PANA allows the existence of multiple access control enforcement entities, and in such a scenario each gateway can be an access control enforcement entity that obtains the keys for access control enforcement from the authentication server. This mechanism would improve the scalability of centralized access control enforcement; however, it would not eliminate the DoS vulnerability described earlier.

Distributed access control enforcement with reactive authentication using a remote authentication server

A typical example of this category is the IEEE 802.1X [12] authentication and access control model as described in the IEEE 802.11i standard [13]. According to this model, access control is enforced by the access points in a distributed manner. A remote authentication server is responsible for client authentication, informing the access point about the result of the authentication, and for distributing the connection key. The connection key itself, or future keys derived from it, can be used to secure the subsequent communication at the link layer. The messages of the authentication protocol are carried by the Extensible Authentication Protocol (EAP) [14]. While many authentication protocols have been standardized in this framework (e.g., EAP-TLS, EAP-FAST, EAP-SIM), none of them is optimized for fast handoff. Recently, a new EAP method for fast re-authentication has been described in [15] and [16]. The main disadvantage of this scheme is that the round trip time may increase significantly as the distance (measured in wireless hops) between the access point and the authentication server increases. This way the round trip time can become higher than the time that a QoS-aware service can tolerate. Moreover, the scheme is vulnerable to DoS attacks, as the central authentication server can easily become a single point of failure.

Distributed access control enforcement with reactive authentication using local authentication servers

The drawbacks of distributed access control enforcement with reactive authentication using a remote authentication server can be solved if local authentication

servers are placed close to the access points. In this direction there are two extensions of the EAP standard in [17, 18]. Both proposals aim to reduce the round trip time of the authentication messages by using local authentication servers placed between the access points and the central authentication server. In both schemes the central authentication server shares the authentication key, or a key derived from the authentication key, with the local authentication servers. This way, when an access point turns to any of the local authentication servers, that authentication server generates the connection key and sends it to the access point. The main disadvantage of this scheme is that the local authentication servers placed within the mesh network are, in most cases, physically unprotected. It is obvious that it would not be wise to keep long-term authentication information on them.

Server driven proactive authentication with distributed access control enforcement

In server driven proactive authentication methods, the authentication server is responsible for distributing connection keys prior to the handover. In this case, during the handover process the access points make access control decisions locally, without interacting with the authentication server. In [19], the connection key generation is based on the authentication key, the MAC addresses of the mesh client and the access point, and the connection key used at the current access point. The new connection keys will be used at the neighbouring access points, which are the potential next access points that the mesh client may associate with, and for this purpose they are distributed to them by the authentication server. In this solution, it is essential that the authentication server is aware of the location of the mesh clients, in order to determine which access points need the next connection keys. The IEEE 802.11s [20] and 802.11r [21] standards approach the same issue by dividing the network into domains, where every single domain maintains a key distributor. Each distributor obtains its keys from the authentication server, while the connection keys are created based on the authentication keys. At the same time, every access point belonging to a domain receives dedicated keys generated by the key distributor. In [22], there is a description of the adoption/adjustment of the GSM authentication model to wireless networks. According to this scheme, the authentication server generates triplets of keys that contain authentication information and a connection key. Each triplet is proactively sent to the potential next access point. This way, an access point can use the authentication information of the triplet to authenticate the mesh client that is under a handover process, and at the same time use the connection key of the triplet for access control enforcement.

Mesh client driven proactive authentication with distributed access control enforcement

In this type of authentication the mesh clients themselves are responsible for getting the connection keys to the access points. According to the pre-authentication scheme

included in IEEE 802.11i [21], mesh clients perform full authentication with their current access point and then create connection keys with the potential next access points before the handover process. While it is important that this mechanism is standardized and supports QoS services, this pre-authentication mechanism demands the existence of link connections between access points, and therefore only one-hop neighbouring access points can participate. Another solution in this category, for the case where multiple radios are available to mesh clients, is described in [16]. When a client device supports multiple radio interfaces, it can use one radio to associate with the current access point while the rest of its radio interfaces independently establish connection keys with other access points within radio range. During a handover process the active radios change roles: the radio that was used for the security association with the next access point now becomes responsible for the data traffic, while the other radio(s) continue to establish security associations with new access points. While such a solution deals with the problems described previously, its main drawback is the need for dedicated multi-radio hardware on the client side. In [15, 23] the key distribution mechanism of the IEEE 802.1X model is modified. According to this proposal, the authentication server and the mesh client establish a new connection key, which is then distributed by the authentication server to the potential next access points. The main drawback of this approach is that it is incompatible with the IEEE 802.11i standard. The idea presented in [24] is that after a full authentication, the authentication server generates tickets for each access point the mesh client could move to according to its mobility pattern. In one proposed solution the tickets are sent to the potential next access points, and in another directly to the mesh client. In the former case, the communication between the access points is based on the IEEE 802.11F protocol, also known as the Inter Access Point Protocol (IAPP) [25]. In the latter case, the mesh client sends the tickets to the access point at the time of the handoff. The tickets are encrypted using unique shared secrets between each access point and the authentication server, and this way the access points can obtain only those keys that are related to their own connections. The main disadvantage is that the solution relies very much on the mobility prediction mechanism. If this mechanism is not very precise, no connection keys may be established at the access points that the client wants to associate with. The IAPP protocol has since been withdrawn.

Distributed access control enforcement with proactive authentication to the access point

In this category, instead of authenticating to a remote or local authentication server, the mesh clients authenticate to the access points in a proactive manner. In [26], the currently used connection key is distributed to the potential next access points by the current access point, and it is re-used there when the handover process initiates. While this solution does not satisfy the requirement of independence of connection keys, its main disadvantage is that the access points must trust each other, and this is not always possible, especially when access points belong to different operators.
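The server driven derivation described for [19] and the access point driven key reuse of [26], as an added toy model that is not code from the chapter or from the cited works: the authentication server derives each next-AP connection key from the authentication key, both MAC addresses and the key in use at the current access point, pushes it to the candidate access points, and an access point then admits the client at handover with a purely local challenge-response; the scenario also checks the independence and freshness requirements of Section 5.1. HMAC-SHA256 as the derivation function, the MAC addresses and the challenge-response step are assumptions of this example.

```python
import hashlib
import hmac
import os


def derive_connection_key(auth_key: bytes, client_mac: str, ap_mac: str,
                          current_key: bytes) -> bytes:
    """Connection key for (client, next AP), chained to the key now in use.

    Only holders of auth_key (server and client) can compute it, so an AP that
    knows one connection key cannot derive another (key independence), and the
    PRF is one-way, so a connection key reveals nothing about auth_key
    (forward security). HMAC-SHA256 is an assumed choice of PRF."""
    data = b"|".join([b"mesh-ck", client_mac.encode(), ap_mac.encode(), current_key])
    return hmac.new(auth_key, data, hashlib.sha256).digest()


def handover_tag(connection_key: bytes, nonce: bytes) -> bytes:
    """Proof of key possession the client shows at handoff (no server round trip)."""
    return hmac.new(connection_key, b"handover|" + nonce, hashlib.sha256).digest()


class AccessPoint:
    """Distributed enforcement point: stores connection keys only, never auth keys."""

    def __init__(self, mac: str):
        self.mac = mac
        self.keys = {}  # client MAC -> connection key installed proactively

    def admit(self, client_mac: str, nonce: bytes, tag: bytes) -> bool:
        """Local access control decision during the handover."""
        key = self.keys.get(client_mac)
        if key is None:
            return False  # nothing was pushed here: deny without asking the server
        return hmac.compare_digest(handover_tag(key, nonce), tag)

    def guess_neighbour_key(self, client_mac: str, neighbour_mac: str) -> bytes:
        """What a dishonest AP can compute with the only secret it holds."""
        own = self.keys[client_mac]
        return derive_connection_key(own, client_mac, neighbour_mac, own)


class AuthServer:
    """Authentication server driving the proactive key distribution ([19]-style)."""

    def __init__(self):
        self.auth_keys = {}     # client MAC -> long-term authentication key
        self.current_keys = {}  # client MAC -> key in use at the current AP

    def register(self, client_mac: str, auth_key: bytes, first_key: bytes) -> None:
        self.auth_keys[client_mac] = auth_key
        self.current_keys[client_mac] = first_key

    def prepare_handover(self, client_mac: str, neighbours) -> dict:
        """Push one key per potential next AP before the client moves; the
        server must know the client's location to pick the neighbours."""
        pushed = {}
        for ap in neighbours:
            key = derive_connection_key(self.auth_keys[client_mac], client_mac,
                                        ap.mac, self.current_keys[client_mac])
            ap.keys[client_mac] = key
            pushed[ap.mac] = key
        return pushed

    def complete_handover(self, client_mac: str, new_key: bytes) -> None:
        self.current_keys[client_mac] = new_key


def ap_driven_reuse(current_ap: AccessPoint, client_mac: str, neighbours) -> None:
    """[26]-style alternative: the current AP copies the key in use to its
    neighbours, which must therefore trust each other."""
    for ap in neighbours:
        ap.keys[client_mac] = current_ap.keys[client_mac]


def run_scenario() -> dict:
    """Constructed scenario: a client at AP1 with potential next APs AP2 and AP3."""
    client, auth_key, first_key = "00:11:22:33:44:55", os.urandom(32), os.urandom(32)
    ap1, ap2, ap3 = AccessPoint("ap-1"), AccessPoint("ap-2"), AccessPoint("ap-3")
    ap1.keys[client] = first_key
    server = AuthServer()
    server.register(client, auth_key, first_key)

    pushed = server.prepare_handover(client, [ap2, ap3])
    # The client holds auth_key and its current key, so it derives the same key.
    client_key = derive_connection_key(auth_key, client, ap2.mac, first_key)
    nonce = os.urandom(16)
    tag = handover_tag(client_key, nonce)
    admitted = ap2.admit(client, nonce, tag)
    stranger_admits = AccessPoint("ap-9").admit(client, nonce, tag)
    # Independence: AP2 cannot reproduce the key the server gave AP3.
    independent = ap2.guess_neighbour_key(client, ap3.mac) != pushed[ap3.mac]
    server.complete_handover(client, client_key)
    # Freshness: after the move, the next key for AP3 differs from the old one.
    fresh = server.prepare_handover(client, [ap3])[ap3.mac] != pushed[ap3.mac]
    # Reuse ([26]): every neighbour ends up holding the very same key.
    ap4, ap5 = AccessPoint("ap-4"), AccessPoint("ap-5")
    ap_driven_reuse(ap2, client, [ap4, ap5])
    reused = ap4.keys[client] == ap5.keys[client] == ap2.keys[client]
    return {"admitted": admitted, "stranger_admits": stranger_admits,
            "independent": independent, "fresh": fresh, "reuse_shares_key": reused}
```

Calling run_scenario() walks through one handover and returns the outcome of each check as a boolean.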

In [27] the authors propose a solution where the mesh clients carry the new connection key in a credential. The access points send the credential, encrypted, to the mesh clients before the handover. The encryption key of the credential is shared between the current access point and the other access points. After associating with the next access point, the mesh client presents its credential, and the new access point decrypts the connection key. To meet the time constraints, symmetric cryptography is proposed for the encryption and decryption of the credential. The main disadvantage of this approach is that the proposed mechanism does not comply with any standard.

5.3 Summary

Table II summarizes the approaches for authentication and access control enforcement described above and how they satisfy the corresponding requirements.

Table II: Types of authentication and access control enforcement vs requirements
Requirements (columns): Independence of elements; Scalability; Compatibility with standards; DoS resistance; Fast reauthentication.
Each row lists its Χ marks; a Χ indicates a requirement the approach does not satisfy.
Distributed access control enforcement: (no mark)
Central access control enforcement: Χ Χ
Boundary access control enforcement: Χ
Reactive, local authentication server: Χ Χ
Reactive, remote authentication server: Χ Χ Χ
Central proactive, authentication server: Χ
Client proactive, authentication server: (no mark)
Reactive, access point: - Χ
Central proactive, access point: Χ Χ
Client proactive, access point: Χ Χ

Some general conclusions for the categories described above are the following:

When access control is enforced at a central entity or at the border of the mesh network, the system cannot refuse to forward packets coming from unauthorized mesh clients, and consequently it is vulnerable to DoS. In the case of central access control enforcement, the network is not scalable, because the central enforcement unit becomes a bottleneck.

When a central authentication server is used with reactive authentication, the round trip time of the authentication protocol's message exchanges may exceed the delay that QoS-aware services can tolerate. Moreover, if the authentication server is under DoS attack, no authentication can be performed during handoffs anywhere in the network.

The DoS problems described above are solved when local authentication servers are used. However, those servers then reside inside the mesh network, where they can be physically attacked and compromised.

Distributed access control enforcement with proactive authentication satisfies all the requirements. However, when the key distribution process is server driven, not all phases of the connection key distribution are handled in a standardized way. Moreover, in the case of mesh client driven proactive authentication, the proposed mechanisms often require conditions that are difficult to satisfy, such as multiple radios in the mesh clients.

The requirement of independence of elements is not satisfied when the previous access point authenticates the mesh client during or before the handover, because an access point must then trust the previous access point as an authenticator even if it belongs to another operator.

6. Protecting the wireless communications

Wireless communications among all network entities described in the network model, including the wireless links between mesh clients and mesh routers as well as those among mesh routers and gateways, must be protected against various attacks. There are three ways to protect wireless communications in our network model:

End-to-end protection: The information exchange is protected from the mesh client to the other endpoint of the communication, which can be another mesh client within the mesh network or a fixed Internet user.
Link-by-link protection: The information exchange is protected only on the wireless links between entities of the mesh network, such as between mesh routers and between mesh clients and access points. Different protection mechanisms can be employed on each link.

Protection of route segments: This is an intermediate solution between end-to-end and link-by-link protection. The information exchange is protected on a segment of the route between the mesh client and the other communicating party. This can be useful in a multi-operator environment, where parts of the mesh network belonging to other operators may be considered untrusted.

6.1 End-to-end protection

When end-to-end protection is employed, the mesh clients use cryptographic methods to protect their information exchange with other parties located either inside the mesh network or on the Internet, and those parties perform the inverse operation for two-way communication. End-to-end protection has the following properties:

It is transparent to the mesh routers, since they only forward encrypted information and therefore their operation needs no modification or adjustment. At the same time this transparency creates new threats, since the mesh routers cannot check the integrity of packets in transit, and therefore any modified, spoofed or fabricated packet is detectable only at the endpoint.

When a mesh client communicates with a party on the Internet, end-to-end protection can also cover that path. This is a very important property, since the mesh network operators cannot protect the traffic on the Internet.

The endpoints must support the same protection method employed by the mesh clients, and this may not be convenient, as most end devices are typically owned by end users.

When end-to-end protection is fully employed, the network traffic between the mesh clients and the end systems, both within the mesh network and on the Internet, can be protected by application layer mechanisms such as TLS [28] or SSH [29]. There is also the option to introduce a network sub-layer that provides general security services for all network traffic; such solutions include off-the-shelf VPN (Virtual Private Networking) tools such as IPSec [30].

6.2 Link-by-link protection

In link-by-link protection the information within the mesh network is protected hop-by-hop. These hops include the link between the mesh client and the access point and the links between the mesh routers. The operator, or the pair of operators that share a link, can decide separately for each link which protection mechanisms, algorithms and keys will be used; they can even choose which part of the traffic will be protected. The wide choice of protection mechanisms and of the level of protection provided is the main advantage of link-by-link protection.
At the same time, protection at the link level is transparent to the end clients and endpoints, and it can prove helpful against traffic analysis.

Since the mesh routers are not physically protected, they cannot be considered trusted entities. As link-by-link protection relies on dedicated protection mechanisms on the routers, relying on stand-alone link-by-link protection is not convenient. At the same time, link-by-link protection is the only solution against traffic analysis. In particular, link-by-link encryption can protect network meta-data, such as high level addresses and names, from disclosure to external attackers, and link-by-link integrity protection can detect modified or spoofed packets immediately, so that such packets do not consume bandwidth in the mesh network. By combining link-by-link protection with end-to-end protection we can overcome the lack of trust in the mesh routers while gaining protection against traffic analysis.

Link level protection can and should be based on standardized cryptographic algorithms, such as HMAC [31] for integrity protection and AES [32] for encryption. For the protection of the link between the mesh client and the access point, standard solutions based on WPA or WPA2 [33] should be used. Finally, since integrity protection includes protection against replay attacks, the use of sequence numbers and flow identifiers, included implicitly or explicitly in the MAC computation, would be a solution.

6.3 Protection of route segments

An approach in between end-to-end and link-by-link protection is the protection of route segments, where a segment of the communication path is protected. This intermediate solution may prove very useful in a multi-operator environment. The following options exist for route segment protection:

Protection of the client-access point links: Considering that the network operators, or the entire mesh network, may use other protection mechanisms such as link-by-link protection and/or dedicated hardware like directional antennas that can significantly reduce security threats, the most vulnerable parts of the network may be the wireless links between the mesh clients and the access points.

Protection of segments that belong to other network operators: In a multi-operator mesh network, part of a client's traffic may be handled by mesh routers that belong to other network operators. If the client trusts those operators less, it may wish to protect its traffic in those foreign parts of the network.

Protection of the client-gateway segments: Beyond the gateway, the Internet may be considered a less vulnerable environment, as its links are generally physically protected.
Therefore, the traffic may be protected only within the mesh network, from the mesh client up to the gateway.

Protection between the client and a traffic aggregation point outside the mesh network: One typical goal of a mesh network is to provide larger bandwidth to the customers than would be possible with a single link. For this reason, packets belonging to a single flow may be sent through multiple gateways and then aggregated again into a single flow at some aggregation point in the Internet. In this case, the communication between the aggregator and the mesh client can be protected using standard protocols such as IPSec [30].

Route segment protection inherits some of the drawbacks of end-to-end protection. In particular, if the integrity of the packets can be verified only at the endpoints of the route segment, then modified or spoofed packets may waste valuable network resources and thus degrade the QoS provided to the users. To address this problem, one could use a broadcast authentication scheme, for instance digital signatures, so that the authenticity and integrity of the packets can be verified by the intermediate nodes on the route segment, while encryption is still used only between the endpoints of the route segment. Furthermore, to avoid the increased overhead caused by the verification of the digital signatures, this approach can be used probabilistically, or it can be turned on only when a large number of modified or spoofed packets is detected at the endpoints of the route segment.

7 Cryptographic key management

Securing the operation of any network requires cryptographic mechanisms. Such mechanisms include cryptographic algorithms and protocols, and they rely on cryptographic keys. The protection of wireless communications within the mesh network includes the protection of the communications between the mesh clients and the access points, the protection of the routing protocols, the protection of the messages of the mesh client authentication protocols, and in some cases the protection of mesh client authentication itself. All of these require cryptographic key material.

The protection of the wireless communications within the mesh network requires the establishment of shared keys between the entities of the network: between neighbouring mesh routers in the case of link-by-link protection, and between remote mesh routers and between mesh routers and remote gateways in the case of route segment protection. For the protection of the communication of mesh clients with the mesh network, shared keys need to be established between mesh clients and access points. When a mesh client requests to connect to an access point of the mesh network, it has to authenticate itself to an authentication server, which informs the access point about the result of the authentication. At the same time, the server may generate key material to be used for the protection of the communication between the mesh client and the access point in case of successful authentication, and send these keys to the access point.
There are several options for the generation of these keys: they can be generated by the client, by the server, or by both in a contributory manner. All of the above should take place only if the communication between the authentication server and the access point is protected, which means that the server and the access point should already share a key. Alternatively, the authentication of the mesh client can be based on a public key cryptographic protocol such as EAP-TLS, in which case the public keys of the mesh client and of the authentication server need to be distributed to the server and the client, respectively.

Regarding the protection of the routing mechanisms, relying on shared keys established between mesh routers may not be enough. A basic building block for securing routing could instead be a broadcast authentication scheme. As the mesh routers are, to some extent, not resource constrained, it would be convenient to implement broadcast authentication in mesh networks with digital signatures. This requires the distribution of the public signature verification keys of the mesh routers within the mesh network.

To summarize, cryptographic protection mechanisms in mesh networks require both the establishment of shared symmetric keys between various network entities and the distribution of public keys among some of them. Both can be supported by a public key infrastructure (PKI) established and maintained by the mesh network operators. For the multi-operator environment considered here, a PKI approach seems simpler and more convenient. Next we describe a general framework for such a PKI architecture in multi-operator based wireless mesh networks.

PKI for multi-operator based mesh networks: A PKI for multi-operator based mesh networks could be established in the following way. Each operator maintains its own Certification Authority (CA) that issues certificates for the public keys of the mesh routers, the access points, the gateways, and the various servers operated by that mesh network operator. If operators use public key cryptographic protocols for the authentication of their customers, their CAs issue certificates for the mesh clients' public keys too. All network entities, including mesh routers, access points, gateways, servers, and mesh clients, store their own certificates and the public key of their CA. At the same time, the CAs of the different operators cross-certify each other's public keys on a bilateral basis. The resulting certificates are stored in a publicly available repository, or alternatively, each mesh router, access point, gateway, and server can periodically download and locally store the certificates issued by its CA for the public keys of the other CAs.

Given such a PKI, any two entities, say A and B, can easily establish a shared key. Each of them sends its public key certificate to the other. A verifies B's certificate using the certificate issued by A's CA for the public key of B's CA, together with the public key of A's CA; B verifies A's certificate in the same manner. Once they have obtained each other's public key, A and B can run any public key based session key establishment protocol to establish a shared secret. An extensive discussion of such protocols can be found in [61].
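As an added example (not code from the chapter or from any operator's system), the following Go program implements the verification step just described for two cross-certified operators: entity A trusts only its own CA's key, validates the cross-certificate its CA issued for B's CA, and only then validates B's certificate under that key. The toy certificate format, the operator and node names, and the choice of Ed25519 are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Cert is a toy certificate (constructed for this example, not X.509): it binds
// a subject name to an Ed25519 public key under the issuer's signature.
type Cert struct {
	Subject string
	Issuer  string
	PubKey  ed25519.PublicKey
	Sig     []byte
}

// tbs is the to-be-signed encoding; fields are length-prefixed (names are
// assumed shorter than 256 bytes) so no field can masquerade as another.
func tbs(subject, issuer string, pub ed25519.PublicKey) []byte {
	var b []byte
	for _, f := range [][]byte{[]byte(subject), []byte(issuer), []byte(pub)} {
		b = append(b, byte(len(f)))
		b = append(b, f...)
	}
	return b
}

// CA is one operator's Certification Authority.
type CA struct {
	Name string
	pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewCA(name string) *CA {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &CA{Name: name, pub: pub, priv: priv}
}

func (ca *CA) PublicKey() ed25519.PublicKey { return ca.pub }

// Issue certifies subjectPub under this CA; the same call covers the operator's
// own routers, access points, gateways and servers, and the cross-certification
// of another operator's CA.
func (ca *CA) Issue(subject string, subjectPub ed25519.PublicKey) Cert {
	return Cert{Subject: subject, Issuer: ca.Name, PubKey: subjectPub,
		Sig: ed25519.Sign(ca.priv, tbs(subject, ca.Name, subjectPub))}
}

func verifyCert(c Cert, issuerPub ed25519.PublicKey) bool {
	return ed25519.Verify(issuerPub, tbs(c.Subject, c.Issuer, c.PubKey), c.Sig)
}

// VerifyPeer is the check A performs on B's certificate: A trusts only its own
// CA, validates the cross-certificate its CA issued for B's CA, then validates
// B's certificate under the cross-certified key. It returns B's public key.
func VerifyPeer(ownCAName string, ownCAPub ed25519.PublicKey, cross, peer Cert) (ed25519.PublicKey, error) {
	if cross.Issuer != ownCAName || !verifyCert(cross, ownCAPub) {
		return nil, errors.New("cross-certificate not valid under own CA")
	}
	if peer.Issuer != cross.Subject {
		return nil, errors.New("peer certificate issuer is not the cross-certified CA")
	}
	if !verifyCert(peer, cross.PubKey) {
		return nil, errors.New("peer certificate signature invalid")
	}
	return peer.PubKey, nil
}

// Scenario (names constructed): two operators cross-certify; router A of
// Operator1 checks router B of Operator2, a tampered copy of B's certificate,
// and a certificate for B's name issued by a CA Operator1 never cross-certified.
func Scenario() (peerAccepted, tamperCaught, rogueRejected bool) {
	ca1, ca2, rogue := NewCA("Operator1-CA"), NewCA("Operator2-CA"), NewCA("Rogue-CA")
	cross := ca1.Issue(ca2.Name, ca2.PublicKey()) // held by Operator1's nodes

	bPub, _, _ := ed25519.GenerateKey(rand.Reader)
	certB := ca2.Issue("routerB.op2", bPub)
	got, err := VerifyPeer(ca1.Name, ca1.PublicKey(), cross, certB)
	peerAccepted = err == nil && got.Equal(bPub)

	tampered := certB
	tampered.Subject = "gatewayX.op2" // signature no longer covers this name
	_, err = VerifyPeer(ca1.Name, ca1.PublicKey(), cross, tampered)
	tamperCaught = err != nil

	rPub, _, _ := ed25519.GenerateKey(rand.Reader)
	_, err = VerifyPeer(ca1.Name, ca1.PublicKey(), cross, rogue.Issue("routerB.op2", rPub))
	rogueRejected = err != nil
	return
}

func main() {
	fmt.Println(Scenario())
}
```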
Moreover, any entity can generate digital signatures, which all other entities can verify using its public key, obtained and verified as described above. Each CA can renew certificates on a regular basis according to its own security policy. In addition, each CA can maintain a certificate revocation list (CRL) in which it publishes revoked certificates. Each operator can obtain the CRLs of all the other operators and distribute all CRLs to its mesh routers, access points, gateways, and servers. Mesh clients can obtain CRLs from access points when they connect to them.

8 Secure Routing

As mentioned before, securing the routing layer in mesh networks is an important requirement, because an attacker can easily jeopardize the operation of the network and its services by manipulating the routing protocol. Hence, in this section we address the problem of routing security in wireless mesh networks, with special emphasis on the QoS-aware and multi-operator aspects of routing.

8.1 Attacker model for routing

Attacks on routing may target the control plane or the data plane, where the control plane is responsible for disseminating, acquiring, and maintaining routing information in the network, and the data plane is responsible for forwarding data packets using the routing information obtained from the control plane. In addition, an attacker can be an outsider or an insider.

An outsider attacker has no control over any of the legitimate nodes of the network, but tries to interfere with the operation of the protocol by exploiting the properties of the wireless communication medium. Outsider attacks on the control plane include the injection of fake routing control packets into the network or the replay of previously eavesdropped ones, as well as the deletion of control packets by jamming. Such attacks may prevent the proper dissemination of correct routing information in the network, or they may result in the dissemination of incorrect routing information. Ultimately, all these attacks may lead to the disruption of communication in large parts of the network. Outsider attacks on the data plane include the deletion of data packets by jamming, the re-ordering of data packets by eavesdropping, jamming, and replay, and the injection of fake or modified data packets. Such attacks have a narrower scope than attacks on the control plane, because they usually affect only those communications that use the attacked links.

An insider attacker has all the capabilities of an outsider attacker and, in addition, fully controls some of the nodes in the network. This means that the attacker can learn the cryptographic secrets of those nodes (if such secrets are used) and can arbitrarily re-program them. For this reason, the nodes controlled by the attacker are often called corrupted nodes. Consequently, corrupted nodes can send messages that look genuine (e.g., they can be authenticated by cryptographic means), and they can exhibit arbitrary behavior, meaning any deviation from the rules of the routing protocol.
Insider attacks on the control plane include all deviations from the rules of disseminating, acquiring, and maintaining routing information in the network, while insider attacks on the data plane include dropping, delaying, or re-ordering data packets, modifying their content before forwarding them, misrouting them, or any combination of these misdeeds. Note that the insider attacker model is realistic, because mesh networks often operate in environments where physical protection of the nodes is impossible or very costly, and therefore the nodes can be approached and attacked physically.

8.2 Security requirements for routing

To defend against outsider attackers at the control plane, the routing control messages used for the dissemination, acquisition, and maintenance of routing information must be authenticated, their integrity must be protected, and one must also be able to detect replays. Standard message authentication and replay protection techniques can be used for this purpose. However, those techniques will not protect against the malicious deletion of control messages by jamming. As jamming cannot be prevented, the routing protocol must be robust against the loss or deletion of some control messages. In particular, a jamming attacker in a given geographic area should not be able to prevent the dissemination and acquisition of routing information by routers outside the jammed area.

Insider attacks at the control plane are impossible or extremely difficult to detect. For instance, two corrupted routers may announce each other as neighbors although they are not within each other's transmission range, thereby creating a fake link in the network topology graph perceived by the other nodes. Such a link cannot be immediately identified as fake by the other nodes. As this and similar kinds of attacks are very difficult to detect at the control plane, one must tolerate them there. However, if the resulting incorrect routing state has an effect at the data plane, one may detect the attack at that level. Continuing the example above, the fake link may be identified as a non-functioning link in the packet forwarding phase.

Outsider and insider attacks at the data plane have similar effects: they are concerned with the injection, manipulation, deletion, re-ordering, replay, and misrouting of data packets. To prevent some of these misdeeds, data packets must be sequence numbered, authenticated, and integrity protected. To cope with the malicious dropping of data packets by corrupted routers, misbehaving routers must be identified and avoided in the route selection process.

8.3 State-of-the-art on secure routing

Securing the control plane

A number of secure routing protocols for wireless ad hoc networks have been proposed in the literature; a survey can be found in [34]. In addition, Chapter 7 of [35] discusses in detail the design principles of secure routing protocols for multi-hop wireless networks. Here we summarize some design options for securing the control plane and refer to some prominent secure routing protocol proposals as examples. Very few ad hoc routing protocols address security and QoS support at the same time; we complete this part by reporting on two such proposals [36, 37].

Control message authentication: Many of the attacks against the control plane are based on spoofing or modifying routing control messages. The usual way to thwart these misdeeds is to authenticate the control messages. Since a routing control message is typically processed by several (or all) nodes in the network, the authentication mechanism should support broadcast authentication.
Such broadcast authentication mechanisms include digital signatures and the TESLA protocol [38], which provides services similar to digital signatures but uses only symmetric key primitives.

Mutable information in control messages: In many routing protocols, notably in on-demand protocols, the intermediate nodes add information to the routing control messages before forwarding or re-broadcasting them. For instance, in on-demand source routing protocols, the intermediate nodes extend the list of identifiers in route request packets with their own identifiers. Likewise, in on-demand distance vector protocols, the hop count field in the routing messages is updated by each intermediate node. Since other nodes will act upon this added information, it must also be protected from being forged and modified. However, control message origin authentication does not solve this problem, because the information in question is added after the originator has sent the control message.

Additions can be traceable or untraceable. For instance, extending the list of identifiers accumulated in the route request of an on-demand source routing protocol is a traceable addition, because each modification preserves the previous state of the message, so anyone can see who added information to it. In contrast, incrementing the hop count in routing messages is an untraceable addition of information, because it is impossible to tell from the hop count value alone who contributed to it.

Authenticating traceable additions to control messages: A seemingly simple solution for authenticating traceable additions to a control message is for each intermediate node that adds information to sign the entire updated message. However, this approach has some problems. Firstly, the signature and the added information can be removed, and such removal goes undetected, because all the remaining signatures still verify correctly. Indeed, with traceable additions the control message preserves its previous states, and the adversary can exploit this by restoring a previous, correctly signed state. Some proposals (e.g., Ariadne [39]) use a per hop hash value in the packet, which is re-hashed by each intermediate node; this introduces an untraceable element into the packet and prevents the adversary from reverting to a previous correct state. However, this per hop hash approach does not provide a perfect solution [40]. Another interesting countermeasure against removing signatures from the end of a signature list is to replace the signature list with an aggregate signature. Aggregate signatures make it possible to compact multiple signatures from different parties into a single signature in such a way that it is very hard to remove any of the signatures from the aggregate, while anybody can still verify who signed the message.

A second problem with authenticating traceable additions by re-signing the entire control message is that the verification of those signatures considerably increases the computing overhead of the nodes, because such control messages are often broadcast and received by all nodes in the network. To overcome this problem, some protocols (e.g., SDSR [41] and endairA [42]) avoid signing the route request.
In some other protocols (e.g., SRP [43] and Ariadne [39]), the intermediate nodes are not required to verify the authenticity of the information added by other intermediate nodes to control messages; however, this has some obvious disadvantages.

A third problem with authenticating traceable additions by re-signing the control message is that authentication does not solve every problem. In particular, misbehaving nodes can add incorrect information to control messages and then sign them. As a result, the packet will be verified as authentic, but the information inside can still be incorrect.

Protecting untraceable additions to control messages: Typically, untraceable additions are used by distance vector protocols (both proactive and reactive). In reactive distance vector protocols, intermediate nodes increase the hop count in control messages (i.e., in route requests and route replies). In proactive distance vector protocols, control messages are not forwarded or re-broadcast explicitly, but nodes still broadcast their routing tables, which can cause changes in the routing tables of their neighbors, who then broadcast their routing tables, and so on. Thus, the principle is the same, and in both cases the same problem arises: the nodes update their routing state based on untraceable information (received in control packets or accumulated in the routing tables of their neighbors).

Some protocols (e.g., SAODV [44] and SEAD [45]) use hash chains to solve the problem. The idea is the following: control messages (in the case of SAODV) or routing table entries (in the case of SEAD) contain not only a hop count but also a hash value, which is initialized by the originator of the control message or by the destination corresponding to the routing table entry. In SAODV, each intermediate node that forwards or re-broadcasts a control message increments the hop count and computes the one-way hash of the hash value it received in the control message. Likewise, in SEAD, when a node updates an entry in its routing table, it increments the hop count and hashes the hash value it received in the corresponding entry of its neighbor's routing table. As a result, adversarial nodes cannot decrease the hop count in the control messages (in SAODV) or routing table entries (in SEAD) that they process, because they cannot invert the hash function. However, they can always increase the hop count, and this can also lead to incorrect routing state. A detailed treatment of the use of hash chains in routing protocols can be found in [46].

Discussion on QoS-aware routing metrics: Instead of a simple hop count, in QoS-aware routing the aggregated routing metric value of a path is computed from the link quality metric values of the links of that path. Various link quality metrics have been proposed in the literature for mesh networks; most of them are based on general quality metrics such as bandwidth, delay, jitter, bit error rate, etc. However, all known link quality metrics fall into one of the following three classes: (a) additive, (b) multiplicative, and (c) transitive metrics. For additive metrics, the aggregated routing metric of a path is computed as the sum of the link quality metric values; examples are the delay, the jitter, and also the hop count.
For multiplicative metrics, the aggregated routing metric is computed as the product of the link quality metric values; an example is the bit error rate. Finally, for transitive metrics, the aggregated routing metric is either the minimum or the maximum of the link quality metric values; a transitive metric that uses the minimum is the bandwidth.

We observe that multiplicative metrics can be transformed into additive metrics by taking the logarithm of the metric values. Similarly, any transitive metric that uses the minimum can be converted into a transitive metric that uses the maximum by multiplying the metric values by -1. Therefore, it is sufficient to develop protection techniques for either additive or multiplicative metrics, and for the transitive metric that uses either the minimum or the maximum.

A further observation is that routing metrics are usually monotonic, meaning that either f(X, x) ≥ X or f(X, x) ≤ X holds for any aggregated metric value X and any link quality metric value x, where f denotes the aggregation operator (i.e., addition, multiplication, minimum, or maximum); the first case is a monotonically increasing metric, the second a monotonically decreasing one. Clearly, the minimum and the maximum are always monotonically decreasing and increasing, respectively. Moreover, if the link quality metric values are non-negative, then additive metrics are monotonically increasing, while if they are non-positive, then additive metrics are monotonically decreasing. Similarly, if the link quality metric values are not smaller than one, then multiplicative metrics are monotonically increasing, while if they are not greater than one, then multiplicative metrics are monotonically decreasing.

The use of hash chains can be extended to protect not only the hop count but also monotonic routing metrics against manipulation by misbehaving routers. More specifically, monotonically increasing metrics can be protected against malicious decrease, and monotonically decreasing metrics against malicious increase.

Summary on the protection of mutable information: As we saw above, the protection of mutable information in routing control messages is not a trivial problem, and there is no perfect solution: while hash chains are efficient, they can prevent only a subset of the possible misdeeds. At the same time, traditional authentication mechanisms cannot be used efficiently when the protocol allows untraceable modifications of control messages by intermediate routers, and they have a large overhead even in the case of traceable modifications.

Protocols that do not use mutable information in routing control messages: For the reasons mentioned above, protocols that do not use mutable information in routing control messages, such as link-state routing, are particularly interesting. In those protocols, control message origin authentication provides adequate protection at the control plane. A well-known link-state routing protocol proposed for ad hoc networks is OLSR [47], and a number of security extensions to it have been proposed based on the authentication of control messages using either digital signatures or MACs [48, 49, 50]. In [48] and [49], the authors use digital signatures to authenticate each OLSR control message; the signature is encapsulated and transmitted as an ordinary OLSR message. To protect against replay attacks, they propose time-stamping messages and, to support this, a clock synchronization protocol. The work [48] also contains proposals for a public key infrastructure. In [50], the authors use MACs that are included in each OLSR control message, together with timestamps against replay attacks.
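The hash chain technique of SAODV and SEAD, together with its extension from the hop count to a monotonically increasing additive metric, as an added example in Go that is not part of the chapter: the originator anchors a chain of length MaxMetric, each honest node advances the chain by the cost of the link it received the request over, and a verifier re-hashes the remaining distance to the anchor. The message layout, the integer quantization of the metric, and the omission of the originator's signature over the fixed fields are assumptions of the example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RouteRequest carries the mutable fields of an SAODV-style control message.
// MaxMetric and TopHash are fixed by the originator (in SAODV they are covered
// by the originator's signature, which this example leaves out); Metric and
// Hash are updated by every intermediate node.
type RouteRequest struct {
	MaxMetric int    // largest metric value the chain can express
	TopHash   []byte // h^MaxMetric(seed)
	Metric    int    // hop count, or any non-negative integer additive metric
	Hash      []byte // h^Metric(seed)
}

func h(x []byte) []byte {
	s := sha256.Sum256(x)
	return s[:]
}

// hashN applies h n times (n == 0 returns x unchanged).
func hashN(x []byte, n int) []byte {
	for i := 0; i < n; i++ {
		x = h(x)
	}
	return x
}

// Originate picks a fresh random seed and anchors the chain at h^maxMetric(seed).
func Originate(maxMetric int) RouteRequest {
	seed := make([]byte, 32)
	if _, err := rand.Read(seed); err != nil {
		panic(err)
	}
	return RouteRequest{MaxMetric: maxMetric, TopHash: hashN(seed, maxMetric), Hash: seed}
}

// Verify checks that hashing Hash the remaining (MaxMetric - Metric) times
// reaches TopHash. A node that lowered Metric cannot pass, since that would
// require inverting h.
func Verify(r RouteRequest) error {
	if r.Metric < 0 || r.Metric > r.MaxMetric {
		return errors.New("metric outside the range covered by the chain")
	}
	if !bytes.Equal(hashN(r.Hash, r.MaxMetric-r.Metric), r.TopHash) {
		return errors.New("hash chain mismatch: metric decreased or hash forged")
	}
	return nil
}

// Forward is the honest update: add the cost of the link the request arrived
// over (1 for a plain hop count) and advance the chain by the same amount.
func Forward(r RouteRequest, linkCost int) (RouteRequest, error) {
	if err := Verify(r); err != nil {
		return r, err
	}
	if linkCost < 0 || r.Metric+linkCost > r.MaxMetric {
		return r, errors.New("link cost not representable by the chain")
	}
	r.Metric += linkCost
	r.Hash = hashN(r.Hash, linkCost)
	return r, nil
}

// Scenario forwards a request over a constructed three-link path, then tries
// two adversarial rewrites: lowering the metric (caught by Verify) and raising
// it while advancing the chain (not caught: the known limitation of the scheme).
func Scenario() (honestMetric int, decreaseCaught, increaseCaught bool) {
	r := Originate(16)
	for _, cost := range []int{1, 2, 1} {
		var err error
		if r, err = Forward(r, cost); err != nil {
			panic(err)
		}
	}
	honestMetric = r.Metric // 4

	lower := r
	lower.Metric-- // claims a better path, but h^-1(Hash) is not computable
	decreaseCaught = Verify(lower) != nil

	higher := r
	higher.Metric += 3
	higher.Hash = hashN(higher.Hash, 3) // consistent with the chain, so it verifies
	increaseCaught = Verify(higher) != nil
	return
}

func main() {
	m, dec, inc := Scenario()
	fmt.Printf("honest metric %d, decrease caught %v, increase caught %v\n", m, dec, inc)
}
```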
A working implementation of this latter proposal can be found in olsrd as an extension plug-in.

Specific secure QoS-aware routing protocols: In [36], the authors discuss general mechanisms for securing QoS routing in on-demand routing protocols for ad hoc networks, and they apply these mechanisms to create a new secure QoS routing protocol that they call SQoS. Since most QoS metrics of interest are monotone, SQoS is designed to prevent an attacker from arbitrarily reducing metrics that should be monotonically increasing, and to prevent an attacker from arbitrarily increasing a metric that should be monotonically decreasing. As a result, an attacker cannot claim a metric significantly better than it has heard. SQoS uses a novel, generally applicable technique that combines route request authentication and rate-limiting, and it provides the initiator of a route discovery with control over which request packets to forward at each node. This prevents DoS type attacks, where a potentially exponential number of requests is forwarded in response to a single route discovery, as is possible in other protocols. The operation of SQoS is based on DSR's QoS-guided Route Discovery technique. To use this QoS-Guided Route Discovery mechanism, a node sending a route request also inserts in the request an optional QoS Request Header for each type of resource required. Each QoS Request Header indicates the type of resource, the minimum acceptable resource level, and the resource level of the current path. The resource level of the current path is initialized to the desired resource level, but may be reduced as the route request traverses the network. A node receiving a route request containing one or more QoS Request Headers processes each QoS Request Header to determine whether or not the node can support a new flow with resources at a level at least equal to the minimum requested. If it is unable to support the minimum requested resource level for any requested resource, the node silently discards the request. If it is unable to support the current level specified in any QoS Request Header in the packet, the node modifies the header by setting the current level equal to the maximum resource level it can support, and then forwards the route request normally. A node able to support the current level specified in all QoS Request Headers contained in the packet forwards the request packet normally without modifying the QoS Request Header. Thus, the QoS Request Headers in a route request determine whether the requested resources are available along the path, limiting the Route Discovery to return only paths that meet at least the minimum levels of resources requested. A node that propagates a route request containing QoS Request Headers may also temporarily reserve the resources specified in the request in order to improve the likelihood that the resources will still be available when the flow begins using this route. SQoS uses the Merkle-Winternitz one-time signature scheme for authenticating route request messages and for rate limiting, and hash chains for ensuring the monotonicity of QoS metrics. It also provides the source with control over which route requests are re-forwarded. For this, a node can include an evaluation function in each request, which takes as input the metrics of interest and a maximum value, and returns an integer between zero and a maximum value specified in the request.
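The hash-chain protection of monotone metrics sketched above (for hop counts, and as SQoS uses it for QoS metrics), as an added example that is not code from the chapter or from SQoS: the originator commits to a chain anchor that it would sign, every forwarder can only move the chain forward, and a verifier recomputes the anchor from the advertised value. It assumes integer metric values bounded by max_value, and the signature over the anchor fields is left out.

```python
"""Hash-chain protection of a monotone routing metric (added example)."""
import hashlib
import os
from dataclasses import dataclass


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def hash_n(x: bytes, n: int) -> bytes:
    """Apply H n times (n = 0 returns x unchanged)."""
    for _ in range(n):
        x = H(x)
    return x


@dataclass
class Advertisement:
    kind: str          # "increasing" (e.g. hop count, additive non-negative costs)
                       # or "decreasing" (e.g. bandwidth level, transitive minimum)
    max_value: int     # chain length, bounds the metric      (signed by the originator)
    top_hash: bytes    # H^max_value(seed)                     (signed by the originator)
    value: int         # current aggregated metric             (mutable, updated per hop)
    chain: bytes       # H^consumed(seed), see consumed()      (mutable, updated per hop)


def consumed(kind: str, max_value: int, value: int) -> int:
    """Chain steps a metric value 'uses up'. A forwarder can make the metric worse by hashing
    further, but making it better would require inverting H (a preimage)."""
    return value if kind == "increasing" else max_value - value


def originate(kind: str, max_value: int, initial_value: int) -> Advertisement:
    seed = os.urandom(32)
    steps = consumed(kind, max_value, initial_value)
    return Advertisement(kind, max_value, hash_n(seed, max_value), initial_value, hash_n(seed, steps))


def forward(adv: Advertisement, link_value: int) -> Advertisement:
    """Honest forwarder: aggregate its own link value and advance the chain accordingly."""
    if adv.kind == "increasing":
        new_value = adv.value + link_value          # additive metric, link_value >= 0
    else:
        new_value = min(adv.value, link_value)      # transitive minimum, e.g. bottleneck bandwidth
    steps = consumed(adv.kind, adv.max_value, new_value) - consumed(adv.kind, adv.max_value, adv.value)
    if steps < 0 or not 0 <= new_value <= adv.max_value:
        raise ValueError("link value violates the metric's bound or monotonicity")
    return Advertisement(adv.kind, adv.max_value, adv.top_hash, new_value, hash_n(adv.chain, steps))


def verify(adv: Advertisement) -> bool:
    """Check that the advertised value is consistent with the (signed) chain anchor."""
    if not 0 <= adv.value <= adv.max_value:
        return False
    remaining = adv.max_value - consumed(adv.kind, adv.max_value, adv.value)
    return hash_n(adv.chain, remaining) == adv.top_hash


def claim(adv: Advertisement, value: int) -> Advertisement:
    """What a misbehaving router can do without a preimage: change the value but not the chain."""
    return Advertisement(adv.kind, adv.max_value, adv.top_hash, value, adv.chain)
```

A router that wants to advertise a worse metric can still do so by calling forward with a large link value, which is exactly the subset of misdeeds hash chains do not prevent.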
A node then can forward an additional request only when the evaluation function returns a larger value than it did the previous time, thus allowing each node to restrict the number of times it forwards a request from any single Discovery. In [37], the authors propose a QoS-aware variant of SRP (Secure Routing Protocol [43]). In general, the protocol's objective is to defend against adversaries manipulating link and route metrics and, thus, to prevent them from influencing the route selection. More specifically, the protocol ensures the following three properties of the discovered route: loop-freedom, freshness, and accuracy. For us, the most important property is accuracy, which provides the assurance that the quantitative description of a route reflects its actual attributes. The operation of SRP-QoS is similar to the basic SRP. Route request and route reply messages are authenticated in an end-to-end manner by the source and the destination of the route discovery. Intermediate nodes do not perform cryptographic checks; they simply append their own address and link metric values to the route request, and verify those values in the route reply that is returned by the destination. The authors prove that SRP-QoS discovers accurate routes in the presence of independent adversaries with respect to path metrics based on additive and transitive link metrics. Here, the term independent adversaries means that the adversarial nodes can modify, forge, or replay routing or data packets, but they ignore received traffic that does not comply with the operation of the networking protocols. On the other hand, accuracy is not ensured in the presence of stronger adversaries. In particular, if at least two arbitrary adversaries M1, M2 are part of a discovered route, then at least one link of the route may have never been up during the route discovery. This is possible if M1 and M2 tunnel RREQ and RREP packets to each other.

Misbehavior detection at the data plane

Approaches for misbehavior detection at the data plane of routing fall into three families: (1) acknowledgement schemes, (2) traffic monitoring, and (3) neighbor monitoring.

Acknowledgement schemes: These schemes use acknowledgements to detect data packet dropping on a route. Such schemes have been proposed for both wired [51, 52, 53] and wireless [54, 55] networks. Their general disadvantage is the high overhead due to sending an acknowledgement for each and every data packet, and their relatively slow detection speed due to the fact that an acknowledgement can be considered missing only after some time-out, whose value must be chosen sufficiently large in order to keep the false positive detection rate low. Another disadvantage is that these schemes usually deal only with data packet dropping, and they do not address modifications, re-ordering, and delay. An interesting adaptive acknowledgement scheme for detecting misbehavior at the data plane in ad hoc networks is proposed in [54]. This approach requires that the nodes use source routing, and therefore, the source knows the entire route to the destination. The idea is the following: The destination is required to return an acknowledgement for every packet that it receives successfully. Based on these acknowledgements, the source keeps track of the loss rate in a time window of a given size. If the loss rate exceeds a threshold, the source starts a binary search on the route to identify the misbehaving node, or more precisely, the link that causes the delivery failure of the packets.
For this, the source adaptively specifies a list of intermediate nodes in the subsequent packets that should also return an acknowledgment for the packets that they successfully processed. These nodes are called probe nodes. First, one probe node is selected in the middle of the path between the source and the destination. If the acknowledgements arrive from this node but not from the destination, then the bad link must be between the probe node and the destination. Otherwise, if the acknowledgements do not arrive from the probe node either, then the bad link must be between the source and the probe node. Once the sub-path that contains the bad link is identified, a new probe node is specified in the middle of that sub-path. This procedure is continued until the sub-path that contains the bad link is narrowed down to a single link, which must be the bad link. The misbehaving node can be either end of the identified bad link. The main disadvantage of this method seems to be its extended detection time when faced with colluding misbehaving nodes that are placed strategically on a route. For example, it needs a lot of time to locate a path segment of colluding misbehaving nodes that overlaps at least two binary probing intervals. In [53], a theoretical framework is proposed for constructing acknowledgement schemes that try to minimize the time needed for detecting misbehaving routers in wired networks. The main premise of this approach is that the actual delivery time of a message over a link is usually much smaller than the a priori known upper bound on that delivery time. By taking advantage of this observation, the authors develop an abstract model for various time-optimal or communication-optimal acknowledgement schemes that detect and locate any misbehaving link or path segment. Another acknowledgement scheme is called 2ACK [55], because each router on a path sends acknowledgements to its two-hop neighbour on the path in the reverse direction (i.e., opposite to the direction of data forwarding). Only a fraction of the received data packets are acknowledged to reduce overhead. The main disadvantage here is that this approach cannot detect three or more colluding misbehaving routers in a row.

Traffic monitoring: These approaches are based on the Conservation of Flow principle, which says that if a router behaves correctly, then the amount of transit traffic entering the router should be equal to the amount of transit traffic leaving that router. In order to verify that this principle is respected in the network, each router counts data packets of different types, periodically exchanges its counters with other routers, and checks if the counters are consistent with each other and with the Conservation of Flow principle. This approach has a low overhead and can be effective if implemented correctly. However, in its basic form, it does not detect packet modifications, re-ordering, and delay [56]. Several specific misbehavior detection mechanisms based on this traffic monitoring approach have been proposed for wired networks, including WATCHERS [57] and FATIH [58], and for wireless networks [59].

Neighbor monitoring: These approaches exploit the broadcast nature of the wireless communication medium, by requiring that routers continuously monitor the activities of their neighbors and try to detect misbehavior.
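Two of the data-plane detection families above, as an added example rather than code from the cited schemes: the adaptive binary-search probing of [54] run against a simulated single dropping router, and a Conservation-of-Flow consistency check over per-router counter reports. Node names, the dropper model and the report format are constructed for the example.

```python
"""Data-plane misbehavior detection: probe-based bad-link localization and a
Conservation-of-Flow consistency check (added example)."""
from dataclasses import dataclass
from typing import Callable, List, Tuple


def locate_bad_link(path: List[str], ack_returns: Callable[[str], bool]):
    """Binary search along a source route once the destination's acknowledgements are missing.

    path is [S, R1, ..., Rn, D]; ack_returns(node) says whether acks requested from that probe
    node reach S. Returns the identified link and the probe nodes used, in order."""
    lo, hi = 0, len(path) - 1              # S is the trusted start; D's acks are already missing
    probes = []
    while hi - lo > 1:
        mid = (lo + hi) // 2
        probes.append(path[mid])
        if ack_returns(path[mid]):
            lo = mid                         # the probe still sees the packets: fault lies beyond it
        else:
            hi = mid                         # the probe does not: fault lies before it
    return (path[lo], path[hi]), probes


def dropper_model(path: List[str], dropper: str, acks_before_dropping: bool) -> Callable[[str], bool]:
    """Constructed behaviour of one dropping router: every node before it receives and acks the
    packets; the dropper itself may or may not ack what it discards; nodes after it see nothing."""
    k = path.index(dropper)

    def ack_returns(node: str) -> bool:
        i = path.index(node)
        return i < k or (i == k and acks_before_dropping)

    return ack_returns


@dataclass
class FlowReport:
    router: str
    received: int      # transit packets of this path that entered the router
    forwarded: int     # transit packets the router claims to have sent onwards


def conservation_of_flow_check(reports: List[FlowReport], tolerance: int = 0) -> Tuple[list, list]:
    """Reports are ordered along the path. A router whose own in/out counts differ violates
    Conservation of Flow; two neighbours whose counts for the shared link disagree are also
    inconsistent (one of them is lying, or the link is lossy). Returns (routers, links)."""
    suspect_routers = [r.router for r in reports if r.received - r.forwarded > tolerance]
    suspect_links = [(a.router, b.router) for a, b in zip(reports, reports[1:])
                     if abs(a.forwarded - b.received) > tolerance]
    return suspect_routers, suspect_links
```

Whichever way the dropper behaves, it ends up at one end of the link the search returns, which is the guarantee the text gives; a non-zero tolerance absorbs ordinary wireless loss in the flow check.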
More specifically, a correctly behaving node can detect that one of its neighbors has received a packet that it should forward, but it does not. This kind of monitoring can be implemented by putting the network interface of the nodes in promiscuous mode (most interface cards allow this) and by listening to everything in the wireless channel. If a node does not overhear the retransmission of a packet by its neighbor, then that neighbor can be suspected to misbehave. This sounds simple, but in practice, there may be many issues that make this approach difficult to use. For instance, if the nodes use multiple channels and radios, then they may not hear their neighbors retransmitting the packets. Similar problems may arise when the nodes use power control to adaptively adjust their transmission range. There are also issues related to the hidden terminal problem and to skipping re-transmissions after an unsuccessful transmission. Watchdog and Pathrater [60] are two mechanisms that together implement a misbehavior detection and mitigation tool based on neighbor monitoring. Watchdog is in charge of continuously monitoring neighbors and trying to identify misbehaving nodes that do not forward data packets that they should forward. Pathrater is used to select routes that likely avoid those misbehaving nodes. The operation of Watchdog is based on listening in promiscuous mode and trying to catch the transmission of the data packet by the neighbor to whom it was forwarded. Pathrater assumes that each node maintains a rating in the interval [0, 1] for all the other nodes it knows in the network. Then, the reliability of a route is quantified by the source of a data packet by averaging the ratings of the nodes in that route. The nodes prefer routes with a higher average rating.

8.4 Secure routing in EU-MESH

In the EU-MESH Project we developed a secure routing protocol specifically adapted to QoS-aware wireless mesh networks. In this subsection, we briefly describe this protocol.

Overall architecture and operation

In EU-MESH, we have chosen a link-state routing approach for the following reasons:

Link-state routing protocols appear to be easier to secure against control message manipulation attacks, because the link-state update messages do not need to be modified by the intermediate nodes that re-broadcast them. Therefore, a link-state update message can be authenticated by simply requiring the originating node to digitally sign it. All other nodes can verify the signature as the message is flooded in the network.

The flooding of link-state update messages makes the protocol robust against control message deletion attacks (e.g., local jamming). Indeed, this feature ensures that each node can learn about the links of all other nodes from which there is at least one working path in the network to the first node.

The availability of network topology information in link-state routing makes it possible for the nodes to control the route selection process. In particular, it is easy to select multiple disjoint routes if multi-path forwarding is required for increased QoS, and it is also easy to quickly select alternative routes when some error or misbehavior is detected at the data plane.

In addition, due to the proactive nature of link-state routing, routing information is readily available when needed, and therefore, the delay to set up an end-to-end communication session is reduced.

Figure 2 illustrates the main functional components of our secure link-state routing protocol.
At the control plane, the Topology Discovery component is responsible for link quality estimation and dissemination of link information within a certain number n of hops in the network. Based on the disseminated link quality information, each router discovers the topology of the network within its n-hop neighborhood. We call the partial network topology obtained by a router i the topology view of router i, and the hop number n the view radius. Note that the topology view of a router can be represented as a weighted graph, where the vertices are the discovered routers, the edges are the discovered links, and the edges are weighted by the announced link quality values. We assume that the density of gateways in the network is sufficiently large, such that each router has in its topology view at least one gateway.

Figure 2: Functional view of the EU-MESH secure routing protocol.

The Path Management component uses the Topology View Graph and the Router Trust Values obtained from the Misbehaving Router Detection component to select a path to each discovered gateway, and to set up state in the routers along the selected paths that allows for efficient traffic forwarding later on. Intuitively, one can think of these pre-selected and pre-established paths as virtual circuits, on which different traffic flows are multiplexed. This approach makes sense, because the routers are static and there is a need to support QoS-aware applications. Indeed, our path setup procedure can be combined with admission control and resource reservations. Selecting paths to every gateway allows for multi-path/multi-gateway routing, as data traffic at the data plane can then be dispatched to different paths, and hence, to different gateways. The Path Management component is also responsible for tearing down the unused paths by deleting the related state information and de-allocating the reserved resources. The path selection and setup procedures result in a Path Table that contains the routing information used by the Traffic Management component. This component is responsible for choosing one of the pre-established paths on which a new packet received from the application will be forwarded, and then for relaying the packet towards its destination. Packets that are received correctly and forwarded by the Packet Forwarding module on a given path are counted by each router on the path. On request, these counters are available to the Misbehaving Router Detection component in the gateway at the end of the path, which runs our misbehaving router detection algorithm. The counters are requested by the gateway periodically.
As a result of the misbehaving router detection mechanism, the gateway computes Router Trust Values for the routers in its topology view, which are then disseminated within the gateway's view by limited scope flooding. Flooding ensures the robustness of the dissemination mechanism.

8.4.2 Topology Discovery

The Topology Discovery component consists of two sub-components: Link Quality Estimation and Link Information Dissemination. We did not specify Link Quality Estimation; it can be based on any metric including RTT, ETX, and the airtime link metric of 802.11s. Link Information Dissemination is based on controlled flooding of Link-State Update (LSU) messages. An LSU contains the most recent estimated link quality values of the links adjacent to a given router, where each link is identified as a pair of interface addresses. Flooding of an LSU is limited to the topology view of the originator of the LSU. Technically, the LSU contains a TTL value, which is decremented by each router that re-broadcasts the LSU, and we use a TTL value that is equal to the view radius. In addition, to ensure its authenticity, integrity, and freshness, the LSU contains a timestamp and a digital signature of the issuing router, and it may also contain the public key certificate of the issuing router. In fact, the functionality of our Link Information Dissemination component is very similar to that provided by the OLSR protocol [47]; therefore, we decided to adopt OLSR and to extend it with the needed security mechanisms (i.e., a timestamp and a digital signature). A similar extension to OLSR has been proposed in [49]; the difference here is that we propose to use ECDSA, a digital signature scheme based on elliptic curves. The advantage of using ECDSA is that it generates short signatures. The modifications needed in OLSR to support our security extension are minimal. First of all, for each OLSR message type, we need to introduce a new type which will be the secured variant of the original type. Messages of these new types are expected to contain our security extension. Processing of these messages starts with the verification of the timestamp and the digital signature (and the certificate if present).
If these verifications are successful, then the message is processed as a normal OLSR message; otherwise, the message is silently dropped. The output of the Topology Discovery component is the Network Topology Graph for each router. More precisely, as flooding of control messages is limited in depth, each router will have a partial view of this topology graph. Each router will also learn which nodes in its view are the gateways.

Path Management

The Path Management component is responsible for selecting a path to and from each known gateway, and for setting up state along the selected paths that allows for efficient use of those paths later on. Path selection is based on the information in the Topology View Graph and on the Router Trust Values obtained from the Misbehaving Router Detection component. Let us assume that node S has selected a path p = (S, R1, R2, ..., Rn, T) to a target node T, where the Ri's are the intermediate routers on p. Node S may be an access point and T may be a gateway, or vice versa. We define a path setup protocol, in which S establishes a shared key with each Ri and T. These keys are used later in the packet forwarding phase to ensure the authenticity and protect the integrity of the data packets. The path setup protocol can also be combined with admission control and resource reservation mechanisms. In particular, successful execution of the protocol means that all routers on the path agree to forward the traffic specified in the path setup request message of the protocol. Although the links may be symmetric (or, more generally, bidirectional), path p has a direction, which points from S to T. If T also needs to send traffic to S, then a logically different path p' needs to be established, by running the path setup protocol between T and S. In reality, p' may be independent from p, but it may also be the reverse of p. Our path setup protocol has three types of messages: PS-REQ (Path Setup Request), PS-REP (Path Setup Reply), and PS-DEC (Path Setup Decline). S starts the protocol by sending a PS-REQ message on path p using source routing. This message contains key setup material for each Ri and for T. Key establishment is based on the Diffie-Hellman (DH) protocol, and therefore, the key setup material is essentially a public DH value. Each intermediate node is expected to forward this message towards T if it agrees to be on the path, or to send a PS-DEC message back to S if it does not want to participate. When T receives the PS-REQ message, it responds with a PS-REP message, which contains T's key setup material (public DH value). Each intermediate node is now supposed to extend this message with its own key setup material (public DH value), and relay it back to S. When S receives the PS-REP message, the protocol completes, and the shared keys are established. The PS-REQ message is digitally signed by S, while the PS-REP message is digitally signed by T, and then iteratively by each intermediate node Ri, to ensure key authentication.

Traffic Management

This component is responsible, in the source router, for dispatching data packets to the different pre-established paths, and in the intermediate routers, for forwarding data packets on those paths.
In order to support packet forwarding, data packets have a routing header that contains the identifiers of the source S and the target T, a path identifier PathID, a packet sequence number, and a sequence of Message Authentication Codes (MACs), where each MACi is computed by S with the key Ki that it shares with router Ri over the data packet and this header, not including the MAC values. When sending a data packet on a path, S increments its sequence number variable corresponding to that path. Each intermediate node Ri that receives a data packet uses the triplet (S, T, PathID) from the routing header to identify the path to which this packet belongs, and it retrieves the corresponding state information from its Path Table. In particular, Ri keeps track of the last received sequence numbers in a window of a certain size, such that it can check if the received data packet is a replay. If this is not the case, Ri verifies MACi with Ki. If the MAC value is not correct, then Ri drops the packet; otherwise, it records its sequence number and forwards the packet to Ri+1. Router Ri also counts the number of correct packets forwarded on a path, as described in the following part on misbehaving router detection and reaction.

Misbehaving router detection and avoidance

Our misbehaving router detection protocol consists of three phases. In the first phase, called traffic validation, each gateway collects information about the forwarding behavior of the routers on the paths belonging to the given gateway. In the second phase, called router evaluation, the gateways attempt to identify suspicious routers based on the traffic information collected in the previous phase. As a result of the router evaluation phase, the gateways compute Router Trust Values, and disseminate those within their topology view. Finally, in the third phase, called reaction, the routers select new routes by taking into account the Router Trust Values of the other routers in their topology view. In order to support traffic validation, we require each node to maintain a counter for each path it is part of to count the number of data packets that it forwards on a given path. Recall that each data packet has a routing header that contains a packet sequence number and message authentication codes. Thus, intermediate routers can verify the data packets and they count only intact packets that arrive in order. The packet counters that belong to a given path are requested by the gateway in a regular manner, and the routers report them to the gateway. As misbehaving routers may report fake counter values, the gateway does not use the reported counters directly in the computation of the router trust values. Instead, the gateway considers different explanations for a set of received counter values. In each explanation, each intermediate router is either accused of misbehavior or considered honest; thus, explanations are essentially binary vectors. The router trust value of a given router is computed as a weighted sum of its accusations, where explanations that contain fewer accusations have higher weights. The computed router trust values are fed back into the system by limited scope flooding.
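The routing header, per-hop MAC verification, replay window and forwarding counters described in the Traffic Management part and used here for traffic validation, as an added illustration rather than the EU-MESH implementation. It assumes the keys Ki were already established by the path setup protocol and uses HMAC-SHA256 for the MACs; node names, the placeholder keys and the corrupting router R1 are constructed for the example.

```python
"""Per-hop MAC routing header, replay window and forwarding counters (added example)."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass
class RoutingHeader:
    src: str
    dst: str
    path_id: int
    seq: int
    macs: list          # macs[i] is MAC_{i+1}, verified by the i-th intermediate router


def mac_input(src: str, dst: str, path_id: int, seq: int, payload: bytes) -> bytes:
    """Bytes covered by every MAC_i: the routing header without the MAC list, plus the payload."""
    return b"|".join([src.encode(), dst.encode(), str(path_id).encode(), str(seq).encode(), payload])


def compute_mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


class SourceRouter:
    """S: one key K_i per router on each pre-established path and a per-path sequence number."""

    def __init__(self, sid: str):
        self.sid = sid
        self.paths = {}      # path_id -> (target T, [(router id, K_i), ...] in path order)
        self.seq = {}

    def add_path(self, path_id: int, dst: str, hop_keys: list) -> None:
        self.paths[path_id] = (dst, hop_keys)
        self.seq[path_id] = 0

    def send(self, path_id: int, payload: bytes):
        dst, hop_keys = self.paths[path_id]
        self.seq[path_id] += 1                       # one sequence number space per path
        seq = self.seq[path_id]
        msg = mac_input(self.sid, dst, path_id, seq, payload)
        macs = [compute_mac(key, msg) for _, key in hop_keys]
        return RoutingHeader(self.sid, dst, path_id, seq, macs), payload


class IntermediateRouter:
    """R_i: looks the path up by (S, T, PathID), checks the replay window and MAC_i, and counts."""

    def __init__(self, rid: str, window_size: int = 32):
        self.rid = rid
        self.window_size = window_size
        self.paths = {}      # (src, dst, path_id) -> per-path state from the Path Table

    def add_path(self, src: str, dst: str, path_id: int, index: int, key: bytes) -> None:
        self.paths[(src, dst, path_id)] = {"key": key, "index": index,
                                           "highest": 0, "seen": set(), "counter": 0}

    def forward(self, header: RoutingHeader, payload: bytes) -> bool:
        st = self.paths.get((header.src, header.dst, header.path_id))
        if st is None:
            return False                              # no state for this path: drop
        # Replay window: sequence numbers older than the window or already seen are rejected.
        if header.seq <= st["highest"] - self.window_size or header.seq in st["seen"]:
            return False
        msg = mac_input(header.src, header.dst, header.path_id, header.seq, payload)
        if not hmac.compare_digest(compute_mac(st["key"], msg), header.macs[st["index"]]):
            return False                              # MAC_i wrong: modified or forged packet
        st["seen"].add(header.seq)
        st["highest"] = max(st["highest"], header.seq)
        st["seen"] = {s for s in st["seen"] if s > st["highest"] - self.window_size}
        st["counter"] += 1                            # only intact, fresh packets are counted
        return True

    def report_counter(self, src: str, dst: str, path_id: int) -> int:
        return self.paths[(src, dst, path_id)]["counter"]   # answer to the gateway's request


def deliver(routers: list, header: RoutingHeader, payload: bytes, corrupt_after: str = None) -> list:
    """Push one packet hop by hop; returns the ids of the routers that accepted and forwarded it.
    corrupt_after names a misbehaving router that flips a payload bit before forwarding."""
    accepted = []
    for r in routers:
        if not r.forward(header, payload):
            break
        accepted.append(r.rid)
        if r.rid == corrupt_after:
            payload = bytes([payload[0] ^ 1]) + payload[1:]
    return accepted


def demo():
    """Constructed scenario: S -> R1 -> R2 -> gateway T on path 7; R1 corrupts the third packet."""
    keys = {"R1": b"K1-from-path-setup", "R2": b"K2-from-path-setup"}   # placeholder keys
    s = SourceRouter("S")
    s.add_path(7, "T", [("R1", keys["R1"]), ("R2", keys["R2"])])
    r1, r2 = IntermediateRouter("R1"), IntermediateRouter("R2")
    r1.add_path("S", "T", 7, 0, keys["R1"])
    r2.add_path("S", "T", 7, 1, keys["R2"])
    routers, results = [r1, r2], []
    for i in range(3):
        header, payload = s.send(7, b"data-%d" % i)
        results.append(deliver(routers, header, payload, corrupt_after="R1" if i == 2 else None))
    replayed = deliver(routers, header, payload)      # resending the last packet: R1 rejects it
    counters = {r.rid: r.report_counter("S", "T", 7) for r in routers}   # what the gateway collects
    return results, replayed, counters
```

In the scenario, R1 reports 3 and R2 reports 2 for the same path, which is the kind of counter gap the gateway's explanations have to account for: either R1 corrupted a packet or R2 under-reports.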
A router may receive multiple different trust values for another given router from different gateways. The router aggregates those trust values by either averaging them or taking the minimum of the received values. The resulting aggregate trust value qi computed for router i is then used as follows: the router excludes router i from its topology view with probability qi and establishes new paths using this reduced topology view. Thus, less trusted routers are less likely to be considered as potential intermediate routers on the selected paths.

9 Intrusion detection and recovery

While typical protection approaches focus on proactive security architecture mechanisms, such as authentication, access control, and cryptographic algorithms and protocols for protecting the wireless communications, these have proven insufficient on their own, since new attack methods keep appearing that circumvent the proactive measures taken. In real-world environments, where attacks occur frequently, the goal is to build resilient architectures through reactive mechanisms that can adapt and keep resisting at an acceptable level, based on predefined requirements for the security levels. In this section we focus on the fundamental resilience mechanisms for protecting the multihop network connectivity between nodes in WMNs, in terms of detecting and recovering from attacks or failures.

Intrusion detection involves the automated identification of abnormal activity by collecting audit data and comparing it with reference data. A fundamental assumption of intrusion detection is that a network's normal behaviour is distinct from abnormal or intrusive behaviour, which can be the result of a DoS attack. Various approaches to intrusion detection differ in the features (or measures or metrics) they consider, in the way these features are measured, and in the network entities that participate in the process. Identifying the features to be monitored and selecting the most suitable ones is important, because the amount of monitored data can be particularly large and its collection can consume a significant amount of wireless resources. Depending on the reference data that is used for detecting unusual activity, intrusion detection schemes can be classified into three categories [62]: misuse detection, which examines signatures of unusual activity; anomaly detection, which is based on a profile of normal behavior; and specification-based detection, which considers a set of constraints that characterize the normal behavior of a specific protocol or set of software instructions. Below, we describe the basic operation and properties of the above three intrusion detection categories:

Misuse detection: This scheme, also known as signature-based detection, compares audit data with signatures of abnormal or intrusive behavior. Hence, systems implementing misuse detection require a priori knowledge of such signatures, which limits them to the detection of known attacks. Misuse detection is independent of normal background traffic, as it does not require pre-defining and characterizing what normal behaviour is.

Anomaly detection: This scheme initially requires the characterization of the normal or legal network traffic profile. This profile can be estimated either directly using statistical measurements, or indirectly using analytical models.
Unlike misuse detection, anomaly detection may detect previously unknown attacks, given that the characterization or training for the normal network behaviour has been provided. The main drawback of this method is that, if deviations from normal behavior arise due to reasons other than attacks, we may suffer a high rate of false positives.

Protocol-based detection: This approach, also known as specification-based detection, requires a set of constraints that describe the correct operation of a protocol or program. According to this method, an event is characterized as an attack if the audit data does not comply with one or more constraints. Protocol-based detection can be considered a special case of anomaly detection, and while it can identify previously unknown attacks, its operation is protocol specific and within the limits of the correct protocol operation. In other words, protocol-based detection will not detect attacks that do not affect the correct operation of the protocols.

A weakness originating from the nature of wireless networks is that they are vulnerable to jamming or DoS attacks. Such attacks can be performed in different layers, including the physical layer, MAC layer, and network layer [63]. In some cases there might be attacks that are performed simultaneously in multiple layers or originating from multiple locations, making detection extremely difficult. Next we categorize the attacks according to the layer they target:

Physical layer attacks: The least sophisticated attacks, the jamming attacks, are observed at the physical layer. The simplest form of jamming attack is the continuous jammer, which generates a continuous high power signal across the entire channel bandwidth. Slightly more sophisticated jammers have the ability to transmit a periodic or random signal [64, 65].

MAC layer attacks: Also referred to as virtual jamming, MAC layer attacks involve transmitting spurious or modified MAC layer control signals like RTS, CTS, ACK or even data packets. In this category fall the attacks conducted by manipulating the Network Allocation Vector (NAV) value of control and data packets, which influences the backoff time of well-behaving nodes. Such virtual jamming attacks can be performed in a continuous, periodic, random, or even intelligent manner [64, 65, 66, 67]. Intelligent attacks are channel- and protocol-aware and utilize the semantics of data transmission. Their main advantage is that they need less energy compared to the rest of the jammers.

Network layer attacks: The attacks on this layer involve sending spurious routing messages, modified routing information, or tampering with packet forwarding.

Higher layer attacks: These are transport- to application-layer attacks, which are independent of the underlying network technology and are therefore handled in the same way as attacks in wired networks.

Since intrusion detection is a hot research area, there is significant related work. In [68, 69] the authors propose a distributed and cooperative architecture for anomaly detection based on the characterization of normal behaviour using an information-theoretic metric that involves entropy and conditional entropy.
The detection involves the identification of routing attacks and considers multiple features that correspond to manipulating routing information and influencing the packet forwarding behavior. [70] combines multiple networking features to detect, or to improve the detection of, routing attacks. Such features include route additions, removals, repairs, and traffic-related features such as packet interarrival times. [71] examines the route lifetime and the frequency of routing events to detect abnormal behavior. In [72], a new detection scheme for MAC-layer misbehaviour is proposed, based on the sequential probability ratio test applied to the time series of backoff times. Misbehavior detection in the MAC layer is also considered in [73]. The authors of [73] propose a protocol-based approach that detects deviations of the values of MAC-layer parameters, such as inter-frame spacing, NAV, and backoff. [64] demonstrates the need for cross-layer and cross-feature intrusion detection, since single metrics, such as the signal strength, packet delivery ratio, or channel access time, alone do not efficiently detect wireless jamming.
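A cross-layer consistency check of the kind [64] argues for, as an added example (not code from [64] or [75]): the packet delivery ratio of a link is judged against a signal-strength profile learned during normal operation, so that a low delivery ratio on a link whose neighbor the radio still hears strongly is flagged, while the same ratio at a weak signal is not. The RSSI bins, margin and measurement samples are constructed assumptions.

```python
"""Cross-layer jamming detection: delivery ratio judged against a signal-strength profile
(added example)."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass
class LinkSample:
    neighbor: str
    sent: int            # frames sent to the neighbor in the measurement window
    delivered: int       # frames the neighbor acknowledged
    rssi_dbm: float      # strength of the neighbor's own frames as heard by the monitoring node

    @property
    def pdr(self) -> float:
        return self.delivered / self.sent if self.sent else 0.0


def rssi_bin(rssi_dbm: float, width: int = 5) -> int:
    """Quantize RSSI into width-dBm bins so that a profile can be kept per bin."""
    return int(rssi_dbm // width) * width


class CrossLayerJammingDetector:
    """Anomaly detection on the (RSSI, PDR) pair: the profile is the PDR normally seen at each
    signal level. A PDR well below the profile while the signal is still strong cannot be
    explained by a weak link, which is the consistency check [64] proposes."""

    def __init__(self, margin: float = 0.25, min_samples: int = 3):
        self.margin = margin
        self.min_samples = min_samples
        self.profile = defaultdict(list)   # RSSI bin -> PDRs observed during normal operation

    def train(self, samples) -> None:
        for s in samples:
            self.profile[rssi_bin(s.rssi_dbm)].append(s.pdr)

    def expected_pdr(self, rssi_dbm: float):
        pdrs = self.profile.get(rssi_bin(rssi_dbm), [])
        return mean(pdrs) if len(pdrs) >= self.min_samples else None

    def classify(self, sample: LinkSample) -> str:
        expected = self.expected_pdr(sample.rssi_dbm)
        if expected is None:
            return "unknown"     # no profile at this signal level: PDR alone cannot decide
        if sample.pdr < expected - self.margin:
            return "jammed"      # strong signal, yet far fewer frames get through than normal
        return "normal"


def build_demo_detector() -> CrossLayerJammingDetector:
    """Constructed training samples: high PDR at a strong signal, mediocre PDR at a weak one."""
    normal = [
        LinkSample("R1", 100, 97, -57.0), LinkSample("R1", 100, 96, -58.0), LinkSample("R1", 100, 98, -56.0),
        LinkSample("R2", 100, 62, -80.0), LinkSample("R2", 100, 58, -79.0), LinkSample("R2", 100, 60, -78.0),
    ]
    det = CrossLayerJammingDetector()
    det.train(normal)
    return det
```

The "unknown" outcome is deliberate: without a normal profile at that signal level the detector has nothing to compare against, which is the point the text makes about anomaly detection needing a characterization of normal behaviour first.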

A broad range of attacks, from continuous physical layer jamming up to reactive jamming, can be detected if measurements of packet delivery ratio are combined with location information or signal strength measurements. Reactive jamming is the more sophisticated of these, since the attacker transmits a jamming signal only when it detects an ongoing legitimate transmission. [75] exploits the combination of such measurements, including the physical carrier sense time, the rate of RTS/CTS transmissions, the channel idle period, and the number of transmissions together with the channel utilization time, and shows that an efficient combination of such cross-layer metrics can improve detection.

9.1 Mesh specific networking features for intrusion detection

In this section we outline the unique features of wireless mesh networks that should be considered in the design and implementation of intrusion detection and recovery methods and mechanisms.

Fixed network topology: Unlike other wireless networks such as mobile ad hoc networks, where nodes are typically mobile, in wireless mesh networks nodes are typically located in fixed places. The stationary topology of mesh networks is advantageous, as location information can be used for intrusion detection, and it yields less overhead for statistical anomaly detection approaches, which must (re-)estimate the normal behavior whenever the network topology changes. Moreover, fixed mesh nodes typically do not have energy constraints, as in most cases they are connected to a power supply, and they have higher processing capability and storage capacity. All these attributes reduce the burden of estimating the normal traffic behavior compared to resource (processing, storage, and battery) constrained mobile devices. Despite the stable network topology, intrusion detection in wireless mesh networks poses new challenges compared to the broadly used and well-known intrusion detection systems for wired networks. In wireless mesh networks we face variations and impairments of the wireless channel and interference between wireless links, due to the broadcast and open-access nature of the wireless spectrum. Moreover, there is limited physical protection of mesh nodes, which may impose additional security considerations.

Internetworking with wired infrastructures: Wireless mesh networks have numerous gateways connected to wired networks. The existence of multiple gateways provides higher protection against intrusion attacks. Moreover, operator-owned mesh networks have centralized management.

Central/hierarchical management: In typical intrusion detection systems for wired networks, centralized management and control is employed for the collection of intrusion and audit data and results. This approach may not be efficient for wireless mesh networks, due to the consumption of the limited wireless resources.

Multi-radio and multi-channel operation: Multi-radio and multi-channel operation is advantageous for wireless mesh networks, since it reduces the interference between wireless links that involve different wireless interfaces. Their use is beneficial for anomaly detection applications that use statistics for estimating the normal network behavior.

Use of directional antennas: Reduction of the interference between wireless links that involve different wireless interfaces is also achieved by the use of directional antennas. Usually the employment of directional antennas is combined with multi-radio and multi-channel operation. Especially when these methods are used in combination, multiple paths between mesh nodes that contain disjoint links can be supported, and the availability of such multiple paths can facilitate attack recovery and mitigation.

9.2 Resilience requirements for intrusion detection

At a high level, the resilience requirements for intrusion detection in wireless mesh networks are similar to the resilience requirements in other networking environments such as wired networks. The resilience requirements of wireless mesh networks include:

Cross-feature and cross-layer intrusion detection: The performance of intrusion detection systems for wireless networks can be improved by combining multiple features and measurements (cross-feature) and measurements at different layers (cross-layer). Such approaches can significantly reduce the number of false positives [64, 74] in anomaly detection schemes. The combination of multiple features from multiple layers is performed both for hierarchical and for cascaded systems. In the hierarchical approach the system recursively combines or fuses multiple alerts, such as deviations of individual features; this way the number of false positives is reduced. In a cascaded approach, an alert for one feature can trigger a detector for another feature; this way we obtain not only a reduction of the number of false positives, but also a reduction of the overhead of intrusion detection.
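The hierarchical and cascaded fusion styles just described, as an added Python example (not code from the chapter or from [64, 74]). Each per-layer feature is compared with a normal-behaviour baseline; the hierarchical fuser evaluates every feature and raises an alert only when several deviate together, while the cascaded fuser runs the detectors in order and stops at the first feature that looks normal, which is where its lower overhead comes from. The feature names follow the chapter; the baselines, the z-score threshold, the cascade order and the sample windows are constructed assumptions.

```python
"""Added example (not code from the chapter or from [64, 74]): hierarchical
versus cascaded fusion of per-feature anomaly detectors across layers.
Baselines, thresholds and sample windows are constructed assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Normal-behaviour profile of one feature, learnt offline (constructed)."""
    mean: float
    std: float


# Features the chapter names per layer; the numbers are constructed.
BASELINES = {
    "phy.signal_strength_dbm": Baseline(-90.0, 3.0),   # ambient channel energy
    "phy.pdr":                 Baseline(0.95, 0.03),   # packet delivery ratio
    "mac.backoff_slots":       Baseline(8.0, 3.0),     # mean backoff per frame
    "mac.channel_idle_frac":   Baseline(0.60, 0.10),   # fraction of idle time
    "net.route_updates_per_s": Baseline(0.5, 0.3),     # route update message rate
}
Z_THRESHOLD = 3.0  # a feature "deviates" when |z| exceeds this (assumption)


def deviates(feature: str, value: float) -> bool:
    """Per-feature detector: a plain z-score test against the baseline."""
    b = BASELINES[feature]
    return abs(value - b.mean) / b.std > Z_THRESHOLD


def single_feature(window: dict) -> bool:
    """Naive baseline: alert on any one deviating feature (false-positive prone)."""
    return any(deviates(f, v) for f, v in window.items())


def hierarchical(window: dict, min_votes: int = 2) -> tuple:
    """Evaluate every detector, then fuse: alert only when at least
    `min_votes` features deviate together. Returns (alert, detectors_run)."""
    votes = sum(deviates(f, v) for f, v in window.items())
    return votes >= min_votes, len(window)


# Cascade order: a cheap PHY check gates the MAC check, which gates the NET check.
CASCADE = ["phy.pdr", "mac.backoff_slots", "net.route_updates_per_s"]


def cascaded(window: dict, stages=CASCADE) -> tuple:
    """Run detectors in order and stop at the first one that sees normal
    behaviour; alert only if the whole chain deviates. Returns (alert, detectors_run)."""
    evaluated = 0
    for feature in stages:
        evaluated += 1
        if not deviates(feature, window[feature]):
            return False, evaluated
    return True, evaluated


# Constructed windows (not chapter data): normal, one noisy PHY sample, jamming.
WINDOWS = {
    "normal":        {"phy.signal_strength_dbm": -89, "phy.pdr": 0.96,
                      "mac.backoff_slots": 9, "mac.channel_idle_frac": 0.58,
                      "net.route_updates_per_s": 0.6},
    "single_glitch": {"phy.signal_strength_dbm": -60, "phy.pdr": 0.94,
                      "mac.backoff_slots": 8, "mac.channel_idle_frac": 0.61,
                      "net.route_updates_per_s": 0.4},
    "jammed":        {"phy.signal_strength_dbm": -55, "phy.pdr": 0.40,
                      "mac.backoff_slots": 40, "mac.channel_idle_frac": 0.05,
                      "net.route_updates_per_s": 4.0},
}


def compare() -> dict:
    """All three detectors over all windows, for side-by-side comparison."""
    return {name: {"single": single_feature(w),
                   "hierarchical": hierarchical(w),
                   "cascaded": cascaded(w)}
            for name, w in WINDOWS.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

On the "single_glitch" window one PHY sample alone would raise a single-feature alarm; the hierarchical fuser suppresses it because no second feature agrees, and the cascade dismisses it after a single detector evaluation. On the "jammed" window both fusers alert, the cascade after three detector evaluations instead of five.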
Features that can be used for intrusion detection in the physical layer include metrics such as signal strength, packet delivery ratio (or packet error ratio), physical carrier sensing time and location information. Features for intrusion detection in the MAC layer can be channel access delay, backoff time, channel idle time, RTS/CTS transmission rate and channel utilization. In the network layer we can use route update frequency (or route lifetime), route update message rate and route length. Network layer metrics can be monitored for each node that participates in routing. Finally, features of the application layer include throughput, goodput, delay and jitter.

Distributed detection based on correlation of measurements originating from multiple locations: This approach exploits the broadcast nature of wireless transmissions, where the transmission from one node can be received by multiple nodes within its range. The efficient combination of measurements from multiple monitoring locations can improve the performance of intrusion detection by reducing the number of false positives. The main drawback of this approach is the additional requirement of assigning to a central entity the responsibility to collect and combine the measurements from multiple locations. This approach can be perceived as a two-layer intrusion detection system, where local information is processed in the nodes, and the correlation of detection results from different monitoring locations is performed by the centralized entity. In a multi-operator environment each operator may have such a centralized entity, and all these entities may collaborate in a distributed manner.

Finally, general resilience requirements include effectiveness, in terms of high detection probability and low false positive and false negative rates, and low overhead for collecting and processing monitoring data.

9.3 Attack recovery and mitigation techniques

As soon as an intrusion has been detected, the network should react to it, either to prevent it or to minimize its consequences and bring the network back to normal operation. Intrusion detection may trigger several networking mechanisms for attack recovery and mitigation.

Channel hopping: One of the easiest ways for a wireless system to react to a detected attack is to change the communication channel. There are several approaches in this direction, including [75, 76, 77]. This operation, known as channel hopping (or channel switching), is an existing feature of the networking mechanisms of wireless systems. The main difference from normal network operation is that in attack recovery channel switching occurs on demand, rather than in a predefined or pseudo-random manner. The idea is to force the intruder to jam a much larger frequency band, which demands more power and makes the attack more difficult. Channel switching requires coordination between interfaces operating in the same channel, and such coordination differs between single-radio and multi-radio (mesh) wireless networks. In the multi-radio case, where each mesh node contains multiple radio interfaces operating in different channels, channel hopping is more complex.

Power and rate control: Another approach to attack recovery is to modify the transmission power and/or the rate of the nodes of a wireless network. Increasing the transmission power or reducing the transmission rate increases the energy per bit that reaches the receiver, which in turn increases the receiver's ability to decode packets successfully.
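The two reactions just described, on-demand channel hopping and power/rate control, as an added Python example (not code from the chapter or from [75, 76, 77]). The hop target is derived from a key shared by the two ends of a link, so both interfaces converge on the same new channel without having to coordinate over the channel that is being jammed, which addresses the coordination problem noted above; the power/rate controller raises the energy per bit Eb = P/R by the smallest change that meets a margin, trying a power step at the current rate first and lowering the rate only when the power cap that protects other receivers has been reached. The channel plan, link key, power and rate tables, cap and margin are constructed assumptions.

```python
"""Added example (not code from the chapter or from [75-78]): a reaction
controller for on-demand channel hopping and power/rate control. The channel
plan, link key, power and rate tables and the interference cap are
constructed assumptions."""
import hashlib
import hmac
import math

CHANNELS = [1, 6, 11, 36, 40, 44, 48]   # constructed channel plan (assumption)
POWER_LEVELS_DBM = [10, 14, 17, 20]     # selectable TX power settings (assumption)
RATES_MBPS = [54, 36, 24, 12, 6]        # selectable rates, high to low (assumption)
POWER_CAP_DBM = 17                      # cap bounding interference to other links


def next_channel(link_key: bytes, hop_counter: int, current: int,
                 channels=CHANNELS) -> int:
    """On-demand hop target. HMAC(link_key, hop_counter) indexes the channel
    list, so two interfaces sharing the key and the counter converge on the
    same channel without signalling over the jammed channel, while the
    sequence is not predictable without the key. The current channel is
    excluded so that a hop always moves."""
    candidates = [c for c in channels if c != current]
    tag = hmac.new(link_key, hop_counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return candidates[int.from_bytes(tag[:4], "big") % len(candidates)]


def energy_per_bit_db(power_dbm: float, rate_mbps: float) -> float:
    """Energy per bit Eb = P / R, in dB relative to 1 mJ/bit:
    dBm minus 10*log10(bit/s). Raising P or lowering R raises Eb."""
    return power_dbm - 10.0 * math.log10(rate_mbps * 1e6)


def adjust_link(power_dbm: float, rate_mbps: float, margin_db: float):
    """Smallest change that raises Eb by at least margin_db. Power steps are
    tried first at the current rate (throughput is kept) but never above
    POWER_CAP_DBM; only then is the rate lowered. Returns (power_dbm,
    rate_mbps), or None when the margin cannot be reached."""
    target = energy_per_bit_db(power_dbm, rate_mbps) + margin_db
    for rate in RATES_MBPS:
        if rate > rate_mbps:
            continue                      # never raise the rate here
        for p in POWER_LEVELS_DBM:
            if p < power_dbm or p > POWER_CAP_DBM:
                continue                  # no power reduction; respect the cap
            if energy_per_bit_db(p, rate) >= target - 1e-9:
                return p, rate
    return None


def react_to_jamming(link_key: bytes, hop_counter: int, channel: int,
                     power_dbm: float, rate_mbps: float,
                     can_hop: bool = True) -> dict:
    """Minimal mechanism switching: hop first (cheap, and it forces the
    jammer to cover more spectrum); if the interface cannot hop, fall back to
    power/rate control; if that cannot recover the link either, hand over to
    a network-layer reaction such as rerouting."""
    if can_hop:
        return {"action": "hop",
                "channel": next_channel(link_key, hop_counter, channel)}
    adjusted = adjust_link(power_dbm, rate_mbps, margin_db=3.0)
    if adjusted is None:
        return {"action": "escalate_to_routing"}
    return {"action": "power_rate",
            "power_dbm": adjusted[0], "rate_mbps": adjusted[1]}


if __name__ == "__main__":
    key = b"constructed-link-key"        # constructed; derive a real key per link
    print(react_to_jamming(key, hop_counter=7, channel=6, power_dbm=14, rate_mbps=54))
    print(react_to_jamming(key, 7, 6, 14, 54, can_hop=False))
    print(adjust_link(14, 54, margin_db=6.0), adjust_link(14, 54, margin_db=30.0))
```

From 14 dBm at 54 Mbit/s, a 3 dB margin is met by a single power step to 17 dBm; a 6 dB margin cannot be met under the 17 dBm cap at 54 or 36 Mbit/s, so the controller drops to 24 Mbit/s; a 30 dB margin is unreachable and the controller reports that, which is the point at which a network-layer reaction takes over.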
However, increasing the transmission power should be done carefully and with consideration for the rest of the network, as it can increase the level of interference induced on other receiving interfaces.

Mechanism switching: Mechanism switching can be viewed as a generalized approach that combines attack recovery mechanisms of different layers. [78] describes a method for the combined use of channel hopping and power and rate control. Mechanism switching for attack reaction may include any combination of switching mechanisms from the physical, link and network layers. Physical layer switching mechanisms include power and rate control, link layer switching mechanisms include medium access mechanisms with different parameters, and network layer switching mechanisms include several routing algorithms and forwarding strategies. A mechanism switching approach may use any subset of switching mechanisms from different layers.

Multi-path routing: While channel hopping exploits channel/frequency diversity, the existence of multiple paths between nodes in wireless mesh networks enables space diversity. This way, the reaction to an intrusion can be the rerouting of traffic to other existing paths. In this case the impact of an attack is related to the detection and rerouting delay. Moreover, multiple paths provide the means for path hopping in response to an attack. Routing can also be used to isolate a portion of the wireless network that has previously been identified by the intrusion detection system as the target of an attack. A more advanced approach that can avoid or reduce data loss is to combine multi-path redundancy with network coding.

Wired Internet gateway switching: Another form of space diversity is the existence of multiple gateways that connect the wireless network to a wired network infrastructure. The existence of multiple coordinating gateways, through the use of anycasting, can help mitigate intrusion attacks.

Note that the above actions and mechanisms pertain to the physical, link, and network layers, which are specific to wireless networks. They can also be combined with higher layer mechanisms that are common to both wired and wireless networks, such as filtering, rate limiting, and caching. This cross-layer approach involves all layers and can further enhance attack recovery and mitigation.

10 Conclusion

In this chapter, we addressed the security requirements that are relevant for wireless mesh networks in general, and for multi-operator based QoS-aware mesh networks in particular. While security issues are often application specific, this chapter focused on the general security requirements of wireless mesh networks that are either independent of the applications or common to all applications, and presented various design options for a security architecture that aims at satisfying those requirements. The approach followed a cross-layer concept, since this appears to be the only way to provide an aggregate framework for both proactive and reactive security approaches in a combined and balanced way.

More specifically, in terms of proactive security, we discussed in detail the problems of mesh client authentication and access control, protection of wireless communications, and key management, while in terms of reactive protection we discussed secure routing issues and methods for intrusion and misbehavior detection and recovery. We showed that a considerable amount of related work has already been carried out for securing WiFi networks and mobile ad hoc networks. The results of those works can be the starting point for the design of a cross-layer security and resilience architecture for mesh networks. However, we identified some unique characteristics of mesh networks that make the direct application of those results to mesh networks difficult.

Acknowledgements

This work was supported in part by the European Commission in the context of the 7th Framework Programme through the EU-MESH Project (Enhanced, Ubiquitous, and Dependable Broadband Access using MESH Networks, ICT ), by the Mobile Innovation Center ( ) at the Budapest University of Technology and Economics, and by the Telecommunications and Networks Laboratory ( ) and the Computer Emergency Response Team FORTHcert ( ) of FORTH-ICS.

References

1. Akyildiz IF, Wang X, Wang W. Wireless mesh networks: a survey. Computer Networks March 2005; 47(4).
2. Bruno R, Conti M, Gregori E. Mesh networks: commodity multihop ad hoc networks. IEEE Communications Magazine 2005; 43(3).
3. Ioannis G. Askoxylakis, Nicolas Mechin, George Perantinos, George Vasilakis, Apostolos Traganitis. "Usage Scenarios and Application Requirements for Wireless Mesh Networks", 10th IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks, June 2009, Kos, Greece.
4. George Vasilakis, George Perantinos, Ioannis G. Askoxylakis, Nicolas Mechin, Vassilis Spitadakis, Apostolos Traganitis. "Business Opportunities and Considerations on Wireless Mesh Networks", 10th IEEE International Symposium on a World of Wireless, Mobile and Multimedia Networks, June 2009, Kos, Greece.
5. Zhang W, Wang Z, Das SK, Hassan M. Security issues in wireless mesh networks. Wireless Mesh Networks: Architectures and Protocols, Hossain E, Leung KK (eds.), Springer.
6. Ben Salem N, Hubaux JP. Securing wireless mesh networks. IEEE Wireless Communications April 2006.
7. Falk R, Huang CT, Kohlmayer F, Sui AF. Security in wireless mesh networks. Wireless Mesh Networking: Architectures, Protocols and Standards, Zhang Y, Luo J, Hu H (eds.), Auerbach Publications, Taylor & Francis Group.
8. I.G. Askoxylakis, B. Bencsath, L. Buttyan, L. Dora, V.A. Siris, D. Szili, I. Vajda. "Securing Multi-operator Based QoS-aware Mesh Networks: Requirements and Design Options", to appear in Wireless Communications and Mobile Computing (Special Issue on QoS and Security in Wireless Networks).
9. ChilliSpot - Open Source Wireless LAN Access Point Controller.
10. Cheikhrouhou O, Laurent-Maknavicius M, Chaouchi H. Security architecture in a multi-hop mesh network. In Proc. 5th Conference on Security and Network Architectures (SAR 2006).
11. Khan K, Akbar M. Authentication in Multi-Hop Wireless Mesh Networks. World Academy of Science, Engineering and Technology 2006.
12. Forsberg D, Ohba Y, Patil B, Tschofenig H, Yegin A. Protocol for Carrying Authentication for Network Access (PANA) (work in progress).
13. IEEE 802.11r/D9.0. Draft amendment to standard IEEE 802.11: Fast BSS Transition. January (work in progress).
14. Aboba B, Blunk L, Vollbrecht J, Carlson J, Levkowetz H. Extensible Authentication Protocol (EAP). RFC 3748 (Proposed Standard), June.
15. Aboudagga N, Eltoweissy M, Quisquater JJ. Fast Roaming Authentication in Wireless LANs. 2nd International Computer Engineering Conference: Engineering the Information Society, Cairo, Egypt.
16. Brik V, Mishra A, Banerjee S. Eliminating handoff latencies in WLANs using multiple radios: applications, experience, and evaluation. IMC'05: Proceedings of the 2005 Internet Measurement Conference, USENIX Association: Berkeley, CA, USA, 2005.
17. Narayanan V, Dondeti L. EAP Extensions for EAP Reauthentication Protocol (ERP).
18. Lopez RM, Skarmeta AG, Bournelle J, Laurent-Maknavicius M, Combes JM. Improved EAP keying framework for a secure mobility access service. IWCMC '06: Proceedings of the 2006 International Conference on Wireless Communications and Mobile Computing, ACM: New York, NY, USA, 2006.
19. Mishra A, Shin M, Petroni NL Jr, Clancy T, Arbaugh W. Proactive key distribution using neighbor graphs. IEEE Wireless Communications Feb 2004; 11(1):26-36.
20. IEEE 802.11s/D1.09. Draft amendment to standard IEEE 802.11: ESS Mesh Networking. March.
21. IEEE Std 802.11i. Medium Access Control (MAC) security enhancements, amendment 6 to IEEE Standard for local and metropolitan area networks part 11: Wireless Medium Access Control (MAC) and Physical Layer (PHY) specifications. July.
22. Bohak A, Buttyan L, Dora L. An User Authentication Scheme for Fast Handover Between WiFi Access Points. In Proceedings of the Third Annual International Wireless Internet Conference, ACM: Austin, Texas, USA.
23. Pack S, Choi Y. Pre-Authenticated Fast Handoff in a Public Wireless LAN Based on IEEE 802.1x Model. PWC '02: Proceedings of the IFIP TC6/WG6.8 Working Conference on Personal Wireless Communications, Kluwer B.V.: Deventer, The Netherlands, 2002.
24. Pack S, Choi Y. Fast handoff scheme based on mobility prediction in public wireless LAN systems. IEE Proceedings Communications, vol. 151, IEEE, 2004.
25. IEEE Std 802.11f. IEEE Trial-Use Recommended Practice for Multi-Vendor Access Point Interoperability via an Inter-Access Point Protocol Across Distribution Systems Supporting IEEE 802.11 Operation. July (withdrawn in 2006).
26. Mishra A, Shin M, Arbaugh WA. Context Caching using Neighbor Graphs for Fast Handoffs in a Wireless Network. INFOCOM, IEEE.
27. Aura T, Roe M. Reducing Reauthentication Delay in Wireless Networks. SECURECOMM '05: Proceedings of the First International Conference on Security and Privacy for Emerging Areas in Communications Networks, IEEE Computer Society: Washington, DC, USA, 2005.
28. Dierks T, Allen C. The TLS Protocol. RFC.
29. Ylonen T, Lonvick C (ed.). The Secure Shell (SSH) Protocol Architecture. RFC.
30. Kent S, Seo K. Security Architecture for the Internet Protocol. RFC.
31. Krawczyk H, Bellare M, Canetti R. HMAC: Keyed-Hashing for Message Authentication. RFC.
32. FIPS 197. Advanced Encryption Standard. Federal Information Processing Standards Publication 197, US Department of Commerce, Bureau of Standards, National Technical Information Service (NIST).
33. IEEE Std 802.11. Revision of IEEE Std 802.11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications. June.
34. Y.-C. Hu and A. Perrig, A survey of secure wireless ad hoc routing, IEEE Security and Privacy Magazine, May/June.
35. L. Buttyan and J.-P. Hubaux, Security and Cooperation in Wireless Networks, Cambridge University Press.
36. Y.-C. Hu and D. B. Johnson, Securing quality-of-service route discovery in on-demand routing for ad hoc networks, In Proceedings of the ACM Workshop on Security of Ad hoc and Sensor Networks (SASN).
37. P. Papadimitratos and Z. Haas, Secure Route Discovery for QoS-Aware Routing in Ad Hoc Networks, In Proceedings of the IEEE Sarnoff Symposium.
38. A. Perrig, R. Canetti, J. D. Tygar and D. Song, Efficient authentication and signing of multicast streams over lossy channels, In Proceedings of the IEEE Symposium on Security and Privacy.
39. Y.-C. Hu, A. Perrig and D. Johnson, Ariadne: A secure on-demand routing protocol for ad hoc networks, Wireless Networks, 11(1-2), January.
40. L. Buttyan and I. Vajda, Towards provable security for ad hoc routing protocols, In Proceedings of the ACM Workshop on Security of Ad hoc and Sensor Networks (SASN), October.
41. F. Kargl, A. Geiss, S. Schlott and M. Weber, Secure Dynamic Source Routing, In Proceedings of the 38th Annual Hawaii International Conference on System Sciences (HICSS).
42. G. Acs, L. Buttyan and I. Vajda, Provably secure on-demand source routing in mobile ad hoc networks, IEEE Transactions on Mobile Computing, 5(11), November.
43. P. Papadimitratos and Z. Haas, Secure routing for mobile ad hoc networks, In Proceedings of the SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS).
44. M. G. Zapata and N. Asokan, Securing ad hoc routing protocols, In Proceedings of the ACM Workshop on Wireless Security (WiSe).
45. Y.-C. Hu, D. Johnson and A. Perrig, SEAD: Secure efficient distance vector routing for mobile wireless ad hoc networks, In Proceedings of the IEEE Workshop on Mobile Computing Systems and Applications (WMCSA).
46. Y.-C. Hu, A. Perrig and D. Johnson, Efficient Security Mechanisms for Routing Protocols, In Proceedings of the Network and Distributed System Security Symposium (NDSS).
47. T. Clausen and P. Jacquet, Optimized Link State Routing Protocol (OLSR), Request for Comments 3626.
48. C. Adjih, T. Clausen, A. Laouiti, P. Muhlethaler and D. Raffo, Securing the OLSR protocol, In Proceedings of the IFIP Annual Mediterranean Ad Hoc Networking Workshop (Med-Hoc-Net 2003).
49. D. Raffo, C. Adjih, T. Clausen and P. Muhlethaler, An advanced signature system for OLSR, In Proceedings of the ACM Workshop on Security of Ad hoc and Sensor Networks (SASN).
50. A. Hafslund, A. Tonnesen, R. B. Rotvik, J. Andersson and O. Kure, Secure extension to the OLSR protocol, 2004 OLSR Interop and Workshop.
51. R. Perlman, Routing with Byzantine robustness, Sun Microsystems, TR.
52. I. Avramopoulos, H. Kobayashi, R. Wang and A. Krishnamurthy, Highly secure and efficient routing, In Proceedings of INFOCOM.
53. A. Herzberg and S. Kutten, Early detection of message forwarding faults, SIAM Journal on Computing, 30(4).
54. B. Awerbuch, R. Curtmola, D. Holmer, C. Nita-Rotaru and H. Rubens, ODSBR: An On-Demand Secure Byzantine Resilient Routing Protocol for Wireless Ad Hoc Networks, ACM Transactions on Information and System Security.
55. K. Liu, J. Deng, P. K. Varshney and K. Balakrishnan, An Acknowledgment-Based Approach for the Detection of Routing Misbehavior in MANETs, IEEE Transactions on Mobile Computing, 6(5), May.
56. J. R. Hughes, T. Aura and M. Bishop, Using Conservation of Flow as a Security Mechanism in Network Protocols, In Proceedings of the IEEE Symposium on Security and Privacy (Oakland).
57. K. A. Bradley, S. Cheung, N. Puketza, B. Mukherjee and R. A. Olsson, Detecting Disruptive Routers: A Distributed Network Monitoring Approach, In Proceedings of the IEEE Symposium on Security and Privacy (Oakland).
58. A. T. Mizrak, Y. Cheng, K. Marzullo and S. Savage, Detecting and Isolating Malicious Routers, IEEE Transactions on Dependable and Secure Computing, 3(3), July/September.
59. O. F. Gonzalez, G. Ansa, M. Howarth and G. Pavlou, Detection and Accusation of Packet Forwarding Misbehavior in Mobile Ad-Hoc Networks, Journal of Internet Engineering, 2(1), June.
60. S. Marti, T. J. Giuli, K. Lai and M. Baker, Mitigating Routing Misbehavior in Mobile Ad Hoc Networks, In Proceedings of the ACM Conference on Mobile Computing and Networking (MobiCom).
61. Boyd C, Mathuria A. Protocols for Authentication and Key Establishment. Springer.
62. Mishra A, Nadkarni K, Patcha A. Intrusion Detection in Wireless Ad Hoc Networks. IEEE Wireless Communications February 2004.
63. Wood A, Stankovic J. Denial of Service in Sensor Networks. IEEE Computer 2002; 35.
64. Xu W, Trappe W, Zhang Y, Wood T. The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks. Proc. of ACM MobiHoc.
65. Thuente D, Acharya M. Intelligent Jamming in Wireless Networks with Applications to 802.11b and Other Networks. Proc. of IEEE MILCOM.
66. Gupta V, Krishnamurthy S, Faloutsos M. Denial of service attacks at the MAC layer in wireless ad hoc networks. Proc. of IEEE MILCOM.
67. Bayraktaroglu E, King C, Liu X, Noubir G, Rajaraman R, Thapa B. On the Performance of IEEE 802.11 under Jamming. Proc. of IEEE INFOCOM.
68. Zhang Y, Lee W. Intrusion Detection in Wireless Ad-Hoc Networks. Proc. of ACM MobiCom.
69. Zhang Y, Lee W, Huang YA. Intrusion Detection Techniques for Mobile Wireless Networks. Wireless Networks September 2003; 9(5).
70. Huang YA, Fan W, Lee W, Yu P. Cross-feature analysis for detecting ad-hoc routing anomalies. Proc. of 23rd Intl Conference on Distributed Computing Systems.
71. Liu H, Gupta R. Temporal Analysis of Routing Activity for Anomaly Detection in Ad hoc Networks. IEEE International Conference on Mobile Ad-hoc and Sensor Systems (MASS).
72. Radosavac S, Moustakides G, Baras J, Koutsopoulos I. An analytic framework for modeling and detecting access layer misbehavior in wireless networks. ACM Transactions on Information and System Security November 2008; 11(4).
73. Raya M, Aad I, Hubaux JP, Fawal AE. DOMINO: Detecting MAC layer greedy behavior in IEEE 802.11 hotspots. IEEE Transactions on Mobile Computing 2006; 5(12).
74. Thamilarasu G, Mishra S, Sridhar R. A Cross-layer Approach to Detect Jamming Attacks in Wireless Ad Hoc Networks. Proc. of IEEE MILCOM.
75. Xu W, Wood T, Trappe W, Zhang Y. Channel Surfing and Spatial Retreats: Defenses against Wireless Denial of Service. Proc. of ACM Workshop on Wireless Security (WiSe).
76. Xu W, Ma K, Trappe W, Zhang Y. Jamming Sensor Networks: Attack and Defense Strategies. IEEE Network May/June 2006.
77. Navda V, Bohra A, Ganguly S, Rubenstein D. Using Channel Hopping to Increase Resilience to Jamming Attacks. Proc. of IEEE INFOCOM.
78. Liu X, Noubir G, Sundaram R, Tan S. SPREAD: Foiling Smart Jammers using Multi-layer Agility. Proc. of IEEE INFOCOM.


More information

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0

EUCIP - IT Administrator. Module 5 IT Security. Version 2.0 EUCIP - IT Administrator Module 5 IT Security Version 2.0 Module 5 Goals Module 5 Module 5, IT Security, requires the candidate to be familiar with the various ways of protecting data both in a single

More information

Authentication Application

Authentication Application Authentication Application KERBEROS In an open distributed environment servers to be able to restrict access to authorized users to be able to authenticate requests for service a workstation cannot be

More information

How To Write A Transport Layer Protocol For Wireless Networks

How To Write A Transport Layer Protocol For Wireless Networks Chapter 9: Transport Layer and Security Protocols for Ad Hoc Wireless Networks Introduction Issues Design Goals Classifications TCP Over Ad Hoc Wireless Networks Other Transport Layer Protocols Security

More information

Using Entrust certificates with VPN

Using Entrust certificates with VPN Entrust Managed Services PKI Using Entrust certificates with VPN Document issue: 1.0 Date of issue: May 2009 Copyright 2009 Entrust. All rights reserved. Entrust is a trademark or a registered trademark

More information

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

Security. Contents. S-72.3240 Wireless Personal, Local, Metropolitan, and Wide Area Networks 1 Contents Security requirements Public key cryptography Key agreement/transport schemes Man-in-the-middle attack vulnerability Encryption. digital signature, hash, certification Complete security solutions

More information

Ebonyi State University Abakaliki 2 Department of Computer Science. Our Saviour Institute of Science and Technology 3 Department of Computer Science

Ebonyi State University Abakaliki 2 Department of Computer Science. Our Saviour Institute of Science and Technology 3 Department of Computer Science Security Measures taken in Securing Data Transmission on Wireless LAN 1 AGWU C. O., 2 ACHI I. I., AND 3 OKECHUKWU O. 1 Department of Computer Science Ebonyi State University Abakaliki 2 Department of Computer

More information

A SECURITY ARCHITECTURE FOR AGENT-BASED MOBILE SYSTEMS. N. Borselius 1, N. Hur 1, M. Kaprynski 2 and C.J. Mitchell 1

A SECURITY ARCHITECTURE FOR AGENT-BASED MOBILE SYSTEMS. N. Borselius 1, N. Hur 1, M. Kaprynski 2 and C.J. Mitchell 1 A SECURITY ARCHITECTURE FOR AGENT-BASED MOBILE SYSTEMS N. Borselius 1, N. Hur 1, M. Kaprynski 2 and C.J. Mitchell 1 1 Royal Holloway, University of London 2 University of Strathclyde ABSTRACT Future mobile

More information

Recommended 802.11 Wireless Local Area Network Architecture

Recommended 802.11 Wireless Local Area Network Architecture NATIONAL SECURITY AGENCY Ft. George G. Meade, MD I332-008R-2005 Dated: 23 September 2005 Network Hardware Analysis and Evaluation Division Systems and Network Attack Center Recommended 802.11 Wireless

More information

chap18.wireless Network Security

chap18.wireless Network Security SeoulTech UCS Lab 2015-1 st chap18.wireless Network Security JeongKyu Lee Email: [email protected] Table of Contents 18.1 Wireless Security 18.2 Mobile Device Security 18.3 IEEE 802.11 Wireless

More information

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS 137 CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS 8.1 CONCLUSION In this thesis, efficient schemes have been designed and analyzed to control congestion and distribute the load in the routing process of

More information

CHAPTER 1 INTRODUCTION

CHAPTER 1 INTRODUCTION 21 CHAPTER 1 INTRODUCTION 1.1 PREAMBLE Wireless ad-hoc network is an autonomous system of wireless nodes connected by wireless links. Wireless ad-hoc network provides a communication over the shared wireless

More information

Portable Wireless Mesh Networks: Competitive Differentiation

Portable Wireless Mesh Networks: Competitive Differentiation Portable Wireless Mesh Networks: Competitive Differentiation Rajant Corporation s kinetic mesh networking solutions combine specialized command and control software with ruggedized, high-performance hardware.

More information

About the Authors Preface Acknowledgements List of Acronyms

About the Authors Preface Acknowledgements List of Acronyms Contents About the Authors Preface Acknowledgements List of Acronyms xiii xv xvii xix Part One Wireless Ad Hoc, Sensor and Mesh Networking 1 1 Introduction 3 1.1 Information Security 4 1.1.1 Computer Security

More information

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper

HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper HIPAA Security Considerations for Broadband Fixed Wireless Access Systems White Paper Rev 1.0 HIPAA Security Considerations for Broadband Fixed Wireless Access Systems This white paper will investigate

More information

MUNICIPAL WIRELESS NETWORK

MUNICIPAL WIRELESS NETWORK MUNICIPAL WIRELESS NETWORK May 2009 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

An Experimental Study on Wireless Security Protocols over Mobile IP Networks

An Experimental Study on Wireless Security Protocols over Mobile IP Networks An Experimental Study on Wireless Security Protocols over Mobile IP Networks Avesh K. Agarwal Department of Computer Science Email: [email protected] Jorinjit S. Gill Department of Electrical and

More information

BlackRidge Technology Transport Access Control: Overview

BlackRidge Technology Transport Access Control: Overview 2011 BlackRidge Technology Transport Access Control: Overview 1 Introduction Enterprises and government agencies are under repeated cyber attack. Attacks range in scope from distributed denial of service

More information

Industrial Communication. Securing Industrial Wireless

Industrial Communication. Securing Industrial Wireless Industrial Communication Whitepaper Securing Industrial Wireless Contents Introduction... 3 Wireless Applications... 4 Potential Threats... 5 Denial of Service... 5 Eavesdropping... 5 Rogue Access Point...

More information

Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP

Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP Connecting MPLS Voice VPNs Enabling the Secure Interconnection of Inter-Enterprise VoIP Connecting MPLS Voice VPNs Enabling the secure interconnection of Inter-Enterprise VoIP Executive Summary: MPLS Virtual

More information

WHITEPAPER MPLS: Key Factors to Consider When Selecting Your MPLS Provider

WHITEPAPER MPLS: Key Factors to Consider When Selecting Your MPLS Provider WHITEPAPER MPLS: Key Factors to Consider When Selecting Your MPLS Provider INTRODUCTION Multiprotocol Label Switching (MPLS), once the sole domain of major corporations and telecom carriers, has gone mainstream

More information

CHAPTER 6. VOICE COMMUNICATION OVER HYBRID MANETs

CHAPTER 6. VOICE COMMUNICATION OVER HYBRID MANETs CHAPTER 6 VOICE COMMUNICATION OVER HYBRID MANETs Multimedia real-time session services such as voice and videoconferencing with Quality of Service support is challenging task on Mobile Ad hoc Network (MANETs).

More information

SECURE DATA TRANSMISSION USING INDISCRIMINATE DATA PATHS FOR STAGNANT DESTINATION IN MANET

SECURE DATA TRANSMISSION USING INDISCRIMINATE DATA PATHS FOR STAGNANT DESTINATION IN MANET SECURE DATA TRANSMISSION USING INDISCRIMINATE DATA PATHS FOR STAGNANT DESTINATION IN MANET MR. ARVIND P. PANDE 1, PROF. UTTAM A. PATIL 2, PROF. B.S PATIL 3 Dept. Of Electronics Textile and Engineering

More information

Security Sensor Network. Biswajit panja

Security Sensor Network. Biswajit panja Security Sensor Network Biswajit panja 1 Topics Security Issues in Wired Network Security Issues in Wireless Network Security Issues in Sensor Network 2 Security Issues in Wired Network 3 Security Attacks

More information

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015 NETWORK ACCESS CONTROL AND CLOUD SECURITY Tran Song Dat Phuc SeoulTech 2015 Table of Contents Network Access Control (NAC) Network Access Enforcement Methods Extensible Authentication Protocol IEEE 802.1X

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

An Experimental Study of Cross-Layer Security Protocols in Public Access Wireless Networks

An Experimental Study of Cross-Layer Security Protocols in Public Access Wireless Networks An Experimental Study of Cross-Layer Security Protocols in Public Access Wireless Networks Avesh K. Agarwal Wenye Wang Department of Electrical and Computer Engineering North Carolina State University,

More information

MPLS: Key Factors to Consider When Selecting Your MPLS Provider Whitepaper

MPLS: Key Factors to Consider When Selecting Your MPLS Provider Whitepaper MPLS: Key Factors to Consider When Selecting Your MPLS Provider Whitepaper 2006-20011 EarthLink Business Page 1 EXECUTIVE SUMMARY Multiprotocol Label Switching (MPLS), once the sole domain of major corporations

More information

Information Security Basic Concepts

Information Security Basic Concepts Information Security Basic Concepts 1 What is security in general Security is about protecting assets from damage or harm Focuses on all types of assets Example: your body, possessions, the environment,

More information

DATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0

DATA SECURITY 1/12. Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 DATA SECURITY 1/12 Copyright Nokia Corporation 2002. All rights reserved. Ver. 1.0 Contents 1. INTRODUCTION... 3 2. REMOTE ACCESS ARCHITECTURES... 3 2.1 DIAL-UP MODEM ACCESS... 3 2.2 SECURE INTERNET ACCESS

More information

Public Key Applications & Usage A Brief Insight

Public Key Applications & Usage A Brief Insight Public Key Applications & Usage A Brief Insight Scenario :: Identification, Authentication & Non- Repudiation :: Confidentiality :: Authenticity, requirements and e-business Integrity for electronic transaction

More information

Security vulnerabilities in the Internet and possible solutions

Security vulnerabilities in the Internet and possible solutions Security vulnerabilities in the Internet and possible solutions 1. Introduction The foundation of today's Internet is the TCP/IP protocol suite. Since the time when these specifications were finished in

More information

All vulnerabilities that exist in conventional wired networks apply and likely easier Theft, tampering of devices

All vulnerabilities that exist in conventional wired networks apply and likely easier Theft, tampering of devices Wireless Security All vulnerabilities that exist in conventional wired networks apply and likely easier Theft, tampering of devices Portability Tamper-proof devices? Intrusion and interception of poorly

More information

ITL BULLETIN FOR JANUARY 2011

ITL BULLETIN FOR JANUARY 2011 ITL BULLETIN FOR JANUARY 2011 INTERNET PROTOCOL VERSION 6 (IPv6): NIST GUIDELINES HELP ORGANIZATIONS MANAGE THE SECURE DEPLOYMENT OF THE NEW NETWORK PROTOCOL Shirley Radack, Editor Computer Security Division

More information

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1 Industrial Network Security for SCADA, Automation, Process Control and PLC Systems Contents 1 An Introduction to Industrial Network Security 1 1.1 Course overview 1 1.2 The evolution of networking 1 1.3

More information

The Benefits of SSL Content Inspection ABSTRACT

The Benefits of SSL Content Inspection ABSTRACT The Benefits of SSL Content Inspection ABSTRACT SSL encryption is the de-facto encryption technology for delivering secure Web browsing and the benefits it provides is driving the levels of SSL traffic

More information

Vulnerabilities of Intrusion Detection Systems in Mobile Ad-hoc Networks - The routing problem

Vulnerabilities of Intrusion Detection Systems in Mobile Ad-hoc Networks - The routing problem Vulnerabilities of Intrusion Detection Systems in Mobile Ad-hoc Networks - The routing problem Ernesto Jiménez Caballero Helsinki University of Technology [email protected] Abstract intrusion detection

More information

WLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd.

WLAN Attacks. Wireless LAN Attacks and Protection Tools. (Section 3 contd.) Traffic Analysis. Passive Attacks. War Driving. War Driving contd. Wireless LAN Attacks and Protection Tools (Section 3 contd.) WLAN Attacks Passive Attack unauthorised party gains access to a network and does not modify any resources on the network Active Attack unauthorised

More information

COSC 472 Network Security

COSC 472 Network Security COSC 472 Network Security Instructor: Dr. Enyue (Annie) Lu Office hours: http://faculty.salisbury.edu/~ealu/schedule.htm Office room: HS114 Email: [email protected] Course information: http://faculty.salisbury.edu/~ealu/cosc472/cosc472.html

More information

CS5490/6490: Network Security- Lecture Notes - November 9 th 2015

CS5490/6490: Network Security- Lecture Notes - November 9 th 2015 CS5490/6490: Network Security- Lecture Notes - November 9 th 2015 Wireless LAN security (Reference - Security & Cooperation in Wireless Networks by Buttyan & Hubaux, Cambridge Univ. Press, 2007, Chapter

More information

How To Secure Wireless Networks

How To Secure Wireless Networks Lecture 24 Wireless Network Security modified from slides of Lawrie Brown Wireless Security Overview concerns for wireless security are similar to those found in a wired environment security requirements

More information

Wireless Security. New Standards for 802.11 Encryption and Authentication. Ann Geyer 209-754-9130 [email protected] www.tunitas.

Wireless Security. New Standards for 802.11 Encryption and Authentication. Ann Geyer 209-754-9130 ageyer@tunitas.com www.tunitas. Wireless Security New Standards for 802.11 Encryption and Authentication Ann Geyer 209-754-9130 [email protected] www.tunitas.com National Conference on m-health and EOE Minneapolis, MN Sept 9, 2003 Key

More information

The Keys for Campus Networking: Integration, Integration, and Integration

The Keys for Campus Networking: Integration, Integration, and Integration The Keys for Campus Networking: Introduction Internet Protocol (IP) is considered the working-horse that the vast majority of current and future applications use as the key technology for information exchange,

More information

CTS2134 Introduction to Networking. Module 8.4 8.7 Network Security

CTS2134 Introduction to Networking. Module 8.4 8.7 Network Security CTS2134 Introduction to Networking Module 8.4 8.7 Network Security Switch Security: VLANs A virtual LAN (VLAN) is a logical grouping of computers based on a switch port. VLAN membership is configured by

More information

Mobile Office Security Requirements for the Mobile Office

Mobile Office Security Requirements for the Mobile Office Mobile Office Security Requirements for the Mobile Office [email protected] Alcatel SEL AG 20./21.06.2001 Overview Security Concepts in Mobile Networks Applications in Mobile Networks Mobile Terminal used

More information

A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model

A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model A Closer Look at Wireless Intrusion Detection: How to Benefit from a Hybrid Deployment Model Table of Contents Introduction 3 Deployment approaches 3 Overlay monitoring 3 Integrated monitoring 4 Hybrid

More information

Authentication in WLAN

Authentication in WLAN Authentication in WLAN Flaws in WEP (Wired Equivalent Privacy) Wi-Fi Protected Access (WPA) Based on draft 3 of the IEEE 802.11i. Provides stronger data encryption and user authentication (largely missing

More information

LIST OF FIGURES. Figure No. Caption Page No.

LIST OF FIGURES. Figure No. Caption Page No. LIST OF FIGURES Figure No. Caption Page No. Figure 1.1 A Cellular Network.. 2 Figure 1.2 A Mobile Ad hoc Network... 2 Figure 1.3 Classifications of Threats. 10 Figure 1.4 Classification of Different QoS

More information

Client Server Registration Protocol

Client Server Registration Protocol Client Server Registration Protocol The Client-Server protocol involves these following steps: 1. Login 2. Discovery phase User (Alice or Bob) has K s Server (S) has hash[pw A ].The passwords hashes are

More information

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance 209-754-9130 [email protected]

Wireless Security Overview. Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance 209-754-9130 ageyer@tunitas.com Wireless Security Overview Ann Geyer Partner, Tunitas Group Chair, Mobile Healthcare Alliance 209-754-9130 [email protected] Ground Setting Three Basics Availability Authenticity Confidentiality Challenge

More information

Sync Security and Privacy Brief

Sync Security and Privacy Brief Introduction Security and privacy are two of the leading issues for users when transferring important files. Keeping data on-premises makes business and IT leaders feel more secure, but comes with technical

More information

CROSS LAYER BASED MULTIPATH ROUTING FOR LOAD BALANCING

CROSS LAYER BASED MULTIPATH ROUTING FOR LOAD BALANCING CHAPTER 6 CROSS LAYER BASED MULTIPATH ROUTING FOR LOAD BALANCING 6.1 INTRODUCTION The technical challenges in WMNs are load balancing, optimal routing, fairness, network auto-configuration and mobility

More information

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi Purpose This paper is intended to describe the benefits of smart card implementation and it combination with Public

More information

Running Head: WIRELESS DATA NETWORK SECURITY FOR HOSTPITALS

Running Head: WIRELESS DATA NETWORK SECURITY FOR HOSTPITALS Wireless Data Network Security 1 Running Head: WIRELESS DATA NETWORK SECURITY FOR HOSTPITALS Wireless Data Network Security for Hospitals: Various Solutions to Meet HIPAA Requirements. Jody Barnes East

More information

An Oracle White Paper December 2013. The Value of Diameter Signaling in Security and Interworking Between 3G and LTE Networks

An Oracle White Paper December 2013. The Value of Diameter Signaling in Security and Interworking Between 3G and LTE Networks An Oracle White Paper December 2013 The Value of Diameter Signaling in Security and Interworking Between 3G and LTE Networks Introduction Today s mobile networks are no longer limited to voice calls. With

More information

SpiderCloud E-RAN Security Overview

SpiderCloud E-RAN Security Overview SpiderCloud E-RAN Security Overview Excerpt for SpiderCloud Wireless, Inc. 408 East Plumeria Drive San Jose, CA 95134 USA -hereafter called SpiderCloud- Page 1 of 7 Table of Contents 1 Executive Summary...5

More information

Final exam review, Fall 2005 FSU (CIS-5357) Network Security

Final exam review, Fall 2005 FSU (CIS-5357) Network Security Final exam review, Fall 2005 FSU (CIS-5357) Network Security Instructor: Breno de Medeiros 1. What is an insertion attack against a NIDS? Answer: An insertion attack against a network intrusion detection

More information

Multidomain Network Based on Programmable Networks: Security Architecture

Multidomain Network Based on Programmable Networks: Security Architecture Multidomain Network Based on Programmable Networks: Security Architecture Bernardo Alarco, Marifeli Sedano, and Maria Calderon This paper proposes a generic security architecture designed for a multidomain

More information

Chapter 1: Introduction

Chapter 1: Introduction Chapter 1 Introduction 1 Chapter 1: Introduction 1.1 Inspiration Cloud Computing Inspired by the cloud computing characteristics like pay per use, rapid elasticity, scalable, on demand self service, secure

More information

Cisco CCNP 642 845 Optimizing Converged Cisco Networks (ONT)

Cisco CCNP 642 845 Optimizing Converged Cisco Networks (ONT) Cisco CCNP 642 845 Optimizing Converged Cisco Networks (ONT) Course Number: 642 845 Length: 5 Day(s) Certification Exam This course will help you prepare for the following exam: Cisco CCNP Exam 642 845:

More information

Security Considerations for DirectAccess Deployments. Whitepaper

Security Considerations for DirectAccess Deployments. Whitepaper Security Considerations for DirectAccess Deployments Whitepaper February 2015 This white paper discusses security planning for DirectAccess deployment. Introduction DirectAccess represents a paradigm shift

More information

How To Unify Your Wireless Architecture Without Limiting Performance or Flexibility

How To Unify Your Wireless Architecture Without Limiting Performance or Flexibility w h i t e p a p e r How To Unify Your Wireless Architecture Without Limiting Performance or Flexibility So much is happening today to give you a chance to rethink your wireless architecture. Indeed, you

More information

Defense in Cyber Space Beating Cyber Threats that Target Mesh Networks

Defense in Cyber Space Beating Cyber Threats that Target Mesh Networks Beating Cyber Threats that Target Mesh Networks Trent Nelson, Cyber Security Assessment Lead, Idaho National Laboratory Jeff Becker, Global Wireless Business Director, Honeywell Process Solutions Table

More information

Design and Implementation Guide. Apple iphone Compatibility

Design and Implementation Guide. Apple iphone Compatibility Design and Implementation Guide Apple iphone Compatibility Introduction Security in wireless LANs has long been a concern for network administrators. While securing laptop devices is well understood, new

More information

SANE: A Protection Architecture For Enterprise Networks

SANE: A Protection Architecture For Enterprise Networks Fakultät IV Elektrotechnik und Informatik Intelligent Networks and Management of Distributed Systems Research Group Prof. Anja Feldmann, Ph.D. SANE: A Protection Architecture For Enterprise Networks WS

More information

WIRELESS NETWORKING SECURITY

WIRELESS NETWORKING SECURITY WIRELESS NETWORKING SECURITY Dec 2010 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in part without

More information

Comparing Mobile VPN Technologies WHITE PAPER

Comparing Mobile VPN Technologies WHITE PAPER Comparing Mobile VPN Technologies WHITE PAPER Executive Summary Traditional approaches for encrypting data in transit such as IPSec and SSL are intended for wired networks with high speed, highly reliable

More information

Deploying a Secure Wireless VoIP Solution in Healthcare

Deploying a Secure Wireless VoIP Solution in Healthcare Deploying a Secure Wireless VoIP Solution in Healthcare Situation Healthcare is a natural environment for wireless LAN solutions. With a large mobile population of doctors, nurses, physician s assistants

More information

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline

Overview. Summary of Key Findings. Tech Note PCI Wireless Guideline Overview The following note covers information published in the PCI-DSS Wireless Guideline in July of 2009 by the PCI Wireless Special Interest Group Implementation Team and addresses version 1.2 of the

More information

7 Key Management and PKIs

7 Key Management and PKIs CA4005: CRYPTOGRAPHY AND SECURITY PROTOCOLS 1 7 Key Management and PKIs 7.1 Key Management Key Management For any use of cryptography, keys must be handled correctly. Symmetric keys must be kept secret.

More information

A Catechistic Method for Traffic Pattern Discovery in MANET

A Catechistic Method for Traffic Pattern Discovery in MANET A Catechistic Method for Traffic Pattern Discovery in MANET R. Saranya 1, R. Santhosh 2 1 PG Scholar, Computer Science and Engineering, Karpagam University, Coimbatore. 2 Assistant Professor, Computer

More information

SIP Security Controllers. Product Overview

SIP Security Controllers. Product Overview SIP Security Controllers Product Overview Document Version: V1.1 Date: October 2008 1. Introduction UM Labs have developed a range of perimeter security gateways for VoIP and other applications running

More information

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode

13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) 13.2 Layer 2/3/4 VPNs 13.3 Multi-Protocol Label Switching 13.4 IPsec Transport Mode 13 Virtual Private Networks 13.1 Point-to-Point Protocol (PPP) PPP-based remote access using dial-in PPP encryption control protocol (ECP) PPP extensible authentication protocol (EAP) 13.2 Layer 2/3/4

More information