[aodvv2-discuss] Re: [manet] AODVv2: Security considerations update

  • From: Charlie Perkins <charles.perkins@xxxxxxxxxxxxx>
  • To: Lotte Steenbrink <lotte.steenbrink@xxxxxxxxxxxx>
  • Date: Wed, 2 Mar 2016 08:38:33 -0800

Hello Lotte,

How about this:

On 2/21/2016 1:37 PM, Jiazi YI wrote:

Hi,

Regarding the trust model:

    13.4 Trust Model
       Since routing information is distributed to neighbours on a hop-by-hop basis,
       and route messages are regenerated at each router, AODVv2 assumes a security
       model of transitive trust.

"information distributed on hop-by-hop basis" applies to almost all multi-hop networks.

The intention here is that the information is distributed to each neighbor for processing by that neighbor.


"route messages are regenerated at each router" is questionable and has been discussed in previous sessions. I can't remember it being accepted by the WG.

Could you please explain what the question about this is? It is a very accurate verb to specify the action taken at each router.


Especially, the reasons justifying this trust model seem to be more because of the limitations of a protocol design, rather than the requirements of real applications.

Ad hoc networks are expected to form on the fly without administration, and so the trust model follows from the use case, not the "application" that might be launched on the nodes of the ad hoc network.


       The sender of a message must be trusted in order for receiving one-hop
       neighbours to store the routing information it provides and regenerate the
       message to their own one-hop neighbours. Routes are installed based on
       information received from trusted neighbours. Therefore a chain of trust back
       to the originator of a message is assumed by any router using the routing
       information received.



In ad hoc networks, it's hard to avoid having compromised routers, especially in adverse environments (which is an important application scenario of MANETs).

If the devices establish security associations and use them properly, then there is a good chance that nodes having those security associations can be trusted. If there is danger of the devices falling into the wrong hands, then the lifetime of the security association has to be made shorter to take that into account.


For AODV, the RREQ/RREP messages are designed to be end-to-end. Especially, RREQ is to be disseminated to the whole network. Using the transitive trust model means that, if there is a single compromised router, the whole network is compromised. Even worse, there is no mechanism (like an identity-based signature) that can be used as a countermeasure, because of the limitation of the trust model.

The route discovery messages are by definition intended to establish end-to-end routes. Indeed, a malicious router that has security associations with devices in the ad hoc network can have very bad effects. Nevertheless, in environments made adverse by various emergency conditions, it is important to enable ad hoc networks. For military applications in which a stronger trust model is required, the security associations can be refreshed or verified by various means outside the jurisdiction of AODVv2. What's important for AODVv2 is to enable connectivity without preventing further measures to be taken as needed for special cases.

Regards,
Charlie P.


best

Jiazi


On Fri, Feb 19, 2016 at 4:05 PM, Lotte Steenbrink <lotte.steenbrink@xxxxxxxxxxxx> wrote:

    Hi all,
    in the interest of transparency, we (the AODVv2 author team) want to send out
    more updates on what we've been doing, and this is the first of these e-mails.
    We've restructured (and sometimes rewritten) our security considerations a bit
    and added a subsection about the Trust Model, and we'd love to hear your
    opinions on those changes. You can find the result and a diff to the current
    considerations in the attachments. (the formatting was done manually, so it
    might be a bit wonky)

    Some notes:
    * This is all work in progress, so please poke holes into it where you can!
    * While (afaik) the Availability/Confidentiality/Integrity model may be
      considered a bit dated, I thought it might be a good starting point.
    * I was wondering if “Encryption will not only protect against unauthorized
      devices obtaining information about network topology” isn't a tad too short
      and bold; maybe we could add a clarification along the lines of:

       Encryption will not only make it more difficult for unauthorized devices to
       obtain information about network topology but will also ensure that only
       trusted routers participate in routing operations: When messages are
       encrypted, a malicious observer would have to monitor the entire network to
       understand its topology and traffic flow. And even then, due to the hop-by-hop
       nature of the protocol and the fact that messages are regenerated rather than
       forwarded (resulting in a different payload every time), following the path
       of a message would be hard if its transmission is not the only encrypted
       traffic produced by the network.

    Regards,
    Lotte


    _______________________________________________
    manet mailing list
    manet@xxxxxxxx
    https://www.ietf.org/mailman/listinfo/manet
