Hello Lotte,
How about this:
On 2/21/2016 1:37 PM, Jiazi YI wrote:
Hi,
Regarding the trust model:
13.4 Trust Model
Since routing information is distributed to neighbours on a hop-by-hop basis, and route messages are regenerated at each router, AODVv2 assumes a security model of transitive trust.
"information distributed on hop-by-hop basis" applies to almost all multi-hop networks.
"route messages are regenerated at each router" is questionable and has been discussed in previous sessions. I couldn't remember that it was accepted by the WG.
Especially, the reasons justifying this trust model seem to be more because of the limitation of a protocol design, rather than the requirements from real applications.
The sender of a message must be trusted in order for receiving one-hop neighbours to store the routing information it provides and regenerate the message to their own one-hop neighbours. Routes are installed based on information received from trusted neighbours. Therefore a chain of trust back to the originator of a message is assumed by any router using the routing information received.
In ad hoc networks, it's hard to avoid having compromised routers, especially in adverse environments (which is an important application scenario of MANETs).
For AODV, the RREQ/RREP messages are designed to be end-to-end. Especially, RREQ is to be disseminated to the whole network. Using the transitive trust model means, if there is a single compromised router, the whole network is compromised. Even worse, there is no way (like identity-based signatures) that can be used as a countermeasure because of the limitation of the trust model.
best
Jiazi
On Fri, Feb 19, 2016 at 4:05 PM, Lotte Steenbrink <lotte.steenbrink@xxxxxxxxxxxx> wrote:
Hi all,
in the interest of transparency, we (the AODVv2 author team) want to send out more updates on what we've been doing, and this is the first of these e-mails. We've restructured (and sometimes rewritten) our security considerations a bit and added a subsection about the Trust Model, and we'd love to hear your opinions on those changes. You can find the result and a diff to the current considerations in the attachments. (the formatting was done manually, so it might be a bit wonky)
Some notes:
* This is all work in progress, so please poke holes into it where you can!
* While (afaik) the Availability/Confidentiality/Integrity model may be considered a bit dated, I thought it might be a good starting point.
* I was wondering if “Encryption will not only protect against unauthorized devices obtaining information about network topology” isn't a tad too short and bold – maybe we could add a clarification along the lines of:
Encryption will not only make it more difficult for unauthorized devices to obtain information about network topology but will also ensure that only trusted routers participate in routing operations: When messages are encrypted, a malicious observer would have to monitor the entire network to understand its topology and traffic flow. And even then, due to the hop by hop nature of the protocol and the fact that messages are regenerated rather than forwarded (resulting in a different payload every time), following the path of a message would be hard if its transmission is not the only encrypted traffic produced by the network.
Regards,
Lotte
_______________________________________________
manet mailing list
manet@xxxxxxxx
https://www.ietf.org/mailman/listinfo/manet