Ad hoc networks are built on communication without infrastructure, and major investigations have focused on the routing and autoconfiguration problems. However, there has been little progress in solving the secure autoconfiguration problems in mobile ad hoc networks (MANETs), which has led to the proliferation of threats given the vulnerabilities of MANETs. It is clear that ad hoc networks have no centralized mechanism for defense against threats, such as a firewall, an intrusion detection system, or a proxy. Therefore, the defense of the interests of each ad hoc component must be the responsibility of each member node. This paper shows the most common threats to ad hoc networks and reviews several proposals that attempt to minimize some of these threats, showing their protection ability and vulnerabilities in light of the threats that might arise.
MANET technology is used to immediately provide secure access between multiple mobile nodes without the need for a preset communications infrastructure, achieving a multihop architecture. These networks are identified by two basic principles: routing and autoconfiguration.
While there is already quite a lot of established work undertaken on routing [
Insertion of a node to the MANET involves implementing initial configuration mechanisms [
In
In
The
All proposals have advantages and disadvantages in terms of solving the following problems: uniqueness of addresses, network initialization, node departure, network partitioning and network merging. However, all lack a mechanism to ensure the authenticity of the address owner at the time the auto-configuration is carried out. As a result, a malicious node can spoof any node already set up in order to hijack its traffic, prevent other nodes from entering the network, send messages with false addresses, cause denial of service by flooding the network with unsolicited messages from fake addresses, deny other nodes the possibility of accessing the network, or cause the insertion of a new node to be refused when the auto-configuration mechanism requires that all nodes confirm the entry of a new member to the MANET.
Although studies of the authenticity of the nodes entering the MANET during auto-configuration have been minimal, the aim of this paper is to show how some solutions to this problem have been presented and to show some of their shortcomings from the perspective of the characteristics to be evaluated for potential threats within the auto-configuration process.
This piece of work, including the introduction, is organized into four sections as follows. Section
In the processes applied during the execution of the auto-configuration mechanisms, predictable and reliable behaviour is expected from the nodes that compose the MANET, both from those entering and from those already inside. However, this is not always the case, as malicious nodes can cause damage such as interference with messages, node impersonation, denial of service, spoofing, and eavesdropping, among others.
In this paper we use the classification proposed by Wang et al. [
The following are currently the most significant proposals that include secure IP address auto-configuration. The operation of each protocol and what threats they are capable of preventing are explained.
Wang et al. [
Identity authentication tries to avoid these threats, and this paper proposes to relate every IP address to a public key by means of a one-way hash operation; therefore the node that owns an IP address must use the corresponding public key in order to be authenticated unilaterally by the network.
The scheme starts from the following assumption: the MANET is a network with completely private IP addresses. Therefore, all 32 bits (IPv4) or 131 bits (IPv6) can be used to address nodes in the MANET.
In general, in the proposed scheme, node A, which wants to participate in an existing MANET or start a new one, must first randomly generate a key pair (one public and one private) and one secret key. In the second instance, node A calculates a hash of 32 bits for IPv4 or 131 bits for IPv6.
After calculating the hash value, the node in question temporarily uses the resulting value as its IP address, starts a timer, and broadcasts a
If a node (node B) configured within the MANET that node A wants to enter finds that the IP address contained in the DAP message issued by node A is equal to its own, then it must verify the authenticity of the DAP message. First, node B must check that the IP is equal to the resulting hash of the received public key. Secondly, node B verifies the signature of node A; if it finds that the signature is correct, node B checks whether the public key of node A is equal to its own and finally verifies the decryption function. If at least one of the last two checks is not fulfilled, it can be confirmed that there has been an address spoofing attack and therefore node B sends an
Node A, in turn, waits as long as configured in an internal timer. If it does not receive an ACN message, it assumes that the IP is not in use and permanently assigns the address. If instead it receives an ACN message from some node, before starting the process again, it must verify the authenticity of the ACN message received and the signature of the node issuing the ACN. If these checks are correct, node A can be sure that the IP address is assigned to another node and must start the procedure to generate a new pair of public/private keys and secret key; otherwise node A simply discards the ACN message and thus prevents
It is clear that the proposed methodology in the auto-configuration process forces a potential attacker to find, before launching an attack, the public key for which the hash function result is equal to the IP address of the victim, since the controls in the nodes include verification of the identity of the sender node. This process must be applied for each message sent. The protocol clearly controls address conflict, negative reply, and address spoofing attacks, but it does not counteract the address exhaustion attack, since it has no way to specify which node is given which IP addresses, allowing one node to repeat the process as often as desired. This process should be subject to an ACN message which certifies that the node will repeat the process because of IP address duplication.
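Node B's first two checks on a DAP, as an added example that is not code from Wang et al. or from this paper. It assumes SHA-256 truncated to 32 bits as the address hash, a constructed DAP layout (`ip`, `pk`, `sig`), and Lamport one-time signatures as a standard-library stand-in for the signature scheme, which the text does not name; the secret key and the decryption check are left out.

```python
import hashlib
import os

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def address_from_pubkey(pubkey: bytes, bits: int = 32) -> int:
    """Address = leading `bits` bits of SHA-256(public key) (assumed hash)."""
    return int.from_bytes(H(pubkey), "big") >> (256 - bits)

# Lamport one-time signatures: stdlib-only stand-in for the protocol's
# signature algorithm (an assumption). One key pair signs one message.
def keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = b"".join(H(s0) + H(s1) for s0, s1 in sk)
    return sk, pk

def _digest_bits(msg: bytes):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg: bytes) -> bytes:
    return b"".join(sk[i][bit] for i, bit in enumerate(_digest_bits(msg)))

def verify(pk: bytes, msg: bytes, sig: bytes) -> bool:
    if len(pk) != 256 * 64 or len(sig) != 256 * 32:
        return False
    for i, bit in enumerate(_digest_bits(msg)):
        off = 64 * i + 32 * bit          # hash of the secret chosen by this bit
        if H(sig[32 * i:32 * i + 32]) != pk[off:off + 32]:
            return False
    return True

def make_dap(sk, pk: bytes, claimed_ip=None) -> dict:
    """Build a DAP; by default the address is derived from the sender's key."""
    ip = address_from_pubkey(pk) if claimed_ip is None else claimed_ip
    return {"ip": ip, "pk": pk, "sig": sign(sk, ip.to_bytes(4, "big") + pk)}

def check_dap(my_ip: int, dap: dict) -> str:
    """Node B: address binding first, then the signature over ip || pk."""
    body = dap["ip"].to_bytes(4, "big") + dap["pk"]
    if dap["ip"] != my_ip:
        return "not-my-address"
    if address_from_pubkey(dap["pk"]) != dap["ip"]:
        return "spoofed: address is not the hash of the sender's key"
    if not verify(dap["pk"], body, dap["sig"]):
        return "forged: signature does not verify"
    return "authentic-conflict"
```

A DAP that claims node B's address under a key that does not hash to it stops at the binding check, before any signature work is done.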
Buiati et al. [
For the security model, an adversary is defined as any node that produces messages with incorrect auto-configuration protocol information. It then specifies that an adversary can attack the network in two ways: request attacks, where the adversary creates a great number of anomalous messages requesting auto-configuration services, or server attack, where the attacker responds maliciously to requests made by other nodes in the network. In order to avoid these types of attacks, the authors differentiate between trusted and distrusted nodes, avoiding the participation of the latter in the auto-configuration protocol.
Because there is still the possibility that a trusted node is compromised, the ability to detect trusted nodes that begin to behave abnormally must be implemented as well. This means that the auto-configuration protocol messages must be authenticated so that an adversary cannot create messages on behalf of another node in the network, and so that adversary nodes can be detected and accused. In addition, this detection and accusation system should be implemented collaboratively to prevent an adversary from accusing correct nodes of the network, using the same model “K-out-of-N” explained above.
Authentication of auto-configuration protocol messages is performed using digital signatures, which are built based on digital certificates generated by a distributed certifying authority. This is where the model “K-out-of-N” is applied directly, since, even though every one of the nodes can perform the functions of certifying entity, the entity’s private key is split between any subset of K nodes in the MANET. When a new node (one that has not been previously connected to the network) wants to get a digital certificate to identify itself to the MANET, it must take a temporary IP address to request a digital certificate from its 1-hop neighbours. When the MANET nodes receive this request, they can issue a partly signed certificate, depending on the policies established, and send it to the requesting node. After receiving K different certificates, the new node has the ability to build a full certificate and begin the auto-configuration process, discarding the temporary IP. The use of a temporary IP can cause collision problems if the IP is already in use in the network, but it is proposed to use a range of dedicated IPs for this purpose.
The biggest problem in the proposed model is the value of K. A high K value increases security, but reduces the availability of the system because members are less likely to find enough nodes to retrieve the necessary key to the CA. Conversely, if K is small, the availability of the auto-configuration service increases, but the system becomes more vulnerable to attacks by adversaries.
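The K-out-of-N property and the effect of the choice of K, as an added example that is not code from Buiati et al. or from this paper. It uses Shamir secret sharing as the threshold primitive, which is a simplification: in the scheme described above the nodes issue partial certificates and the key is not reassembled at one node. The function names, the field modulus and the neighbour counts in the usage are assumptions.

```python
import secrets

P = 2**127 - 1   # prime modulus for the share arithmetic (assumed size)

def split_key(secret: int, k: int, n: int):
    """Split `secret` into n shares; any k of them recover it."""
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]

    def poly(x):
        acc = 0
        for c in reversed(coeffs):       # Horner evaluation mod P
            acc = (acc * x + c) % P
        return acc

    return [(x, poly(x)) for x in range(1, n + 1)]

def recover_key(shares):
    """Lagrange interpolation at x = 0 over the supplied shares."""
    secret = 0
    for xj, yj in shares:
        num = den = 1
        for xm, _ in shares:
            if xm != xj:
                num = num * (-xm) % P
                den = den * (xj - xm) % P
        secret = (secret + yj * num * pow(den, P - 2, P)) % P
    return secret

def k_tradeoff(k: int, neighbour_counts, colluding: int):
    """For threshold k, return how many joining nodes have at least k
    one-hop neighbours to ask (availability) and whether `colluding`
    adversaries together reach the threshold (exposure of the CA key)."""
    served = sum(1 for c in neighbour_counts if c >= k)
    return served, colluding >= k
```

With constructed neighbour counts `[1, 2, 2, 3, 4, 6]` and two colluding nodes, `k_tradeoff(2, ...)` serves five of six joiners but the colluders reach the threshold, while `k_tradeoff(4, ...)` keeps the colluders out and serves only two.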
Cavalli and Orset [ At any time a node must be able to enter or leave the network quickly. Likewise, the network must be able to securely and quickly deliver an IP address to a new node. On the other hand, the abrupt departure of a node must not cause chaos within the network. To avoid duplicate IP address conflicts, the protocol must ensure that under no circumstances does a node enter the network with its own IP address; instead, the network must be able to deliver the right address to join the MANET. The protocol should allow each node to check the veracity of the members of the network to which they belong. The protocol should be extremely careful with denial of service. For example, it must not allow a malicious node to monopolize all IP addresses on the network.
The protocol, in addition to satisfying the requirements described above, aims to meet two broad objectives: the first is to provide a mechanism for IP address auto-configuration for nodes belonging to an ad hoc mobile network, optimizing resources such as bandwidth and time, and the second is to allow public key exchange between nodes within the network to ensure authentication.
The proposed protocol ensures safe IP address auto-configuration, including the management of public keys for authentication, which makes it possible to avoid the spoofing attack. However, one of its greatest failings is that it neither provides nor supports network merging, nor does it prevent malicious behaviour of network participants after these have been authenticated; among these the denial of service attack is worth mentioning since, for example, a malicious node can authenticate
According to Hu and Mitchell [
The proposed solution involves the selection of a method to calculate a “trust value” that is just the level of trust from one node to another, which decreases or increases depending on whether the behaviour of a node is malicious or not, respectively. Then, each node must maintain a list of the levels of trust it has for other nodes. It is possible that different nodes can have different trust limits, depending on security policies. In addition, each node must maintain a blacklist, to which it adds the nodes that do not meet the trust limit, in order to ignore all messages sent by them, except to enable it to recalculate the trust values for these nodes.
When a new node joins the network, it broadcasts a message looking for neighbours, including its trust limit. The nodes receiving this message will respond with a message containing a list of nodes that meet this level of trust, so the new node is able to choose a reliable initiator node. For this model to be fulfilled, the number of malicious nodes needs to be less than the number of normal or valid nodes.
In this way, each time a node receives any information from another node in the network, either as part of the initialization of a new node, collision detection or another process of the auto-configuration protocol, the node first calculates the trust value for the node that sent the message. If this value is below the threshold, the node is added to the blacklist and a message of suspected malicious node is sent. The nodes receiving this message will act in the same way as the first node, and if they find that the node that sent the message of suspected malicious node has a sufficient trust level, the trust value will be calculated for the suspected node, thus ensuring that only reliable nodes are part of the network. Hu and Mitchell [
In the analysis of the trust model, only nodes that consistently behave maliciously are noted. That is, those malicious nodes whose only interest is to affect the calculation of trust values of other nodes are not taken into account and they remain as a weakness in the proposal. Other weaknesses in the proposal are caused by the lack of guarantees against Sybil attacks, where a node uses multiple identities in a fraudulent manner, and against identity theft attacks.
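One node's trust list, blacklist and handling of suspicion messages, as an added example that is not code from Hu and Mitchell or from this paper. The text leaves the method for calculating the trust value open, so the counting rule used here (good observations over all observations, on a 0..100 scale), the rule that a trusted accusation counts as one bad observation, the class and method names and the `SUSPECT` message are all assumptions.

```python
class TrustTable:
    """One node's view of its peers (the update rule is an assumption)."""

    def __init__(self, limit: int):
        self.limit = limit          # this node's own trust limit, 0..100
        self.obs = {}               # peer -> [good, bad] observation counts
        self.blacklist = set()

    def trust(self, peer) -> int:
        good, bad = self.obs.get(peer, [1, 1])    # unknown peers start at 50
        return 100 * good // (good + bad)

    def _record(self, peer, malicious: bool):
        counts = self.obs.setdefault(peer, [1, 1])
        counts[1 if malicious else 0] += 1
        if self.trust(peer) < self.limit:
            self.blacklist.add(peer)
            return ("SUSPECT", peer)              # accusation to broadcast
        self.blacklist.discard(peer)
        return None

    def on_message(self, sender, malicious: bool):
        """Score every message, blacklisted senders included, then decide
        whether to accept it. Returns (accepted, accusation_or_None)."""
        accusation = self._record(sender, malicious)
        return sender not in self.blacklist, accusation

    def on_accusation(self, accuser, suspect):
        """Act on a suspicion message only if the accuser is itself trusted."""
        if accuser in self.blacklist or self.trust(accuser) < self.limit:
            return None
        return self._record(suspect, malicious=True)

    def reliable_for(self, new_node_limit: int):
        """Reply to a joining node: peers that meet the newcomer's own limit."""
        return sorted(p for p in self.obs if self.trust(p) >= new_node_limit)
```

A previously unseen accuser starts at the default value and is believed whenever that value meets the limit, which is the multiple-identity weakness noted above.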
Taghiloo et al. [
According to this protocol, when a new node joins the ad hoc network, it sends a single hop message called
In this protocol, each network has at least one Allocator. Each Allocator contains an address space used to assign unique addresses to new nodes as they are added. The method by which nodes are chosen as an Allocator and how the address space is assigned are the main tasks of the protocol. Similarly, to generate a unique IP address, one Allocator can create another Allocator on the network to balance traffic loads. Each Allocator has a list of all Allocators defined in the network.
The security mechanism for auto-configuration [
For subsequent authentications of both nodes, the value of the seed is increased by one at a time, and the hash function value is calculated on the original value of the seed and the new value increased. The value returned by applying the hash function is sent to the node pair that is being communicated. A node applies the hash function. If the value obtained is equal to the value received the first time, the node is authenticated correctly. For the next communications, the seed value must be incremented by one and the previously explained steps are repeated.
Zhou et al. [
It is assumed that the work environment is a densely connected MANET with multiple paths between nodes. If there are malicious nodes in the path between the new node and each of the members, the proposed scheme uses multi-hop broadcast to distribute the information encrypted and signed. Each node checks the forwarded packets to detect the modification of messages.
When a malicious node is placed between a new node and a member of the MANET, it is assumed that there is another good node as a neighbour, and if the malicious node modifies the control message, this node can move or increase the transmission power, sending the message again to try to reach the nodes that lie beyond the malicious one.
If the malicious node deletes the control message, the good node will interpret that the malicious node has left the network or moved away. If there is more than one path between the new node and the MANET member, the message can reach its destination through a different path. If there is a single path, the MANET member will not receive the message because the malicious one interposes and deletes it. The proposal uses the HELLO messages in the routing protocols to help the good node identify the malicious behaviour of the attacker, allowing it to move or increase the transmission power to forward the control message.
The insertion of new nodes in a MANET during the auto-configuration process can generate new threats due to the instabilities in the behaviour of these kinds of networks, which would create a lack of trust in the transmission of information through them. The current auto-configuration protocols, with the presented vulnerabilities, have for the most part not resolved the security problems found during the insertion of new nodes, creating a need for proposals that include this last component. However, the research associated with security during auto-configuration of ad hoc networks is a developing field and still needs much work. In this work, a few existing proposals in the field of secure auto-configuration in MANETs are presented, and they were examined against seven of the most common threats that can be found on these kinds of networks to determine how secure or vulnerable they are.
This work was supported by the Agencia Española de Cooperación Internacional para el Desarrollo (AECID, Spain) through Acción Integrada MAEC-AECID Mediterráneo A1/037528/11. This work was also supported by the Departamento Administrativo de Ciencia, Tecnología e Innovación (COLCIENCIAS, Colombia) through Programa de Recuperación Contingente which funds Project 121545221101 and the Universidad del Norte through the Dirección de Investigaciones, Desarrollo e Innovación (DIDI).