Security issues in PIM-SM link-local messages

Protocol Independent Multicast-Sparse Mode (PIM-SM) routing protocol attracts most of the attention of the Internet community due to its scalability and flexibility. From the very beginning, multicast communication faced various difficulties in its security areas. PIM-SM is also not free from this problem. Security features of a routing protocol consist of two orthogonal planes: data plane and control message plane. The first one ensures distribution of data packets securely while the other deals with security of control messages. Most of the PIM-SM control messages fall into the link-local category, and are sent to adjacent routers only, using TTL = 1 and ALL_PIM_ROUTERS as destination address. To protect these link-local messages, in the present Internet Draft of PIM-SM a security mechanism has been proposed that uses IPsec Authentication Header (AH) protocol. While using IPsec AH protocol, the anti-replay mechanism has been disabled. This compromise makes PIM-SM vulnerable to denial of service attack. Moreover, the Security Association lookup and number of Security Associations are also erroneous and incomplete in the document. A new proposal has been presented in this thesis to protect PIM link-local messages while activating the anti-replay mechanism as well. Security Association lookup method has been modified also to cope with this proposal. Finally, this new proposal has been validated using a validation tool, SPIN, that uses PROMELA to design the validation model

Multicast Mobility in Mobile IP Version 6 (MIPv6) : Problem Statement and Brief Survey

Publisher PD

Efficient Micro-Mobility using Intra-domain Multicast-based Mechanisms (M&M)

One of the most important metrics in the design of IP mobility protocols is the handover performance. The current Mobile IP (MIP) standard has been shown to exhibit poor handover performance. Most other work attempts to modify MIP to slightly improve its efficiency, while others propose complex techniques to replace MIP. Rather than taking these approaches, we instead propose a new architecture for providing efficient and smooth handover, while being able to co-exist and inter-operate with other technologies. Specifically, we propose an intra-domain multicast-based mobility architecture, where a visiting mobile is assigned a multicast address to use while moving within a domain. Efficient handover is achieved using standard multicast join/prune mechanisms. Two approaches are proposed and contrasted. The first introduces the concept proxy-based mobility, while the other uses algorithmic mapping to obtain the multicast address of visiting mobiles. We show that the algorithmic mapping approach has several advantages over the proxy approach, and provide mechanisms to support it. Network simulation (using NS-2) is used to evaluate our scheme and compare it to other routing-based micro-mobility schemes - CIP and HAWAII. The proactive handover results show that both M&M and CIP shows low handoff delay and packet reordering depth as compared to HAWAII. The reason for M&M's comparable performance with CIP is that both use bi-cast in proactive handover. The M&M, however, handles multiple border routers in a domain, where CIP fails. We also provide a handover algorithm leveraging the proactive path setup capability of M&M, which is expected to outperform CIP in case of reactive handover.Comment: 12 pages, 11 figure

HoPP: Robust and Resilient Publish-Subscribe for an Information-Centric Internet of Things

This paper revisits NDN deployment in the IoT with a special focus on the interaction of sensors and actuators. Such scenarios require high responsiveness and limited control state at the constrained nodes. We argue that the NDN request-response pattern which prevents data push is vital for IoT networks. We contribute HoP-and-Pull (HoPP), a robust publish-subscribe scheme for typical IoT scenarios that targets IoT networks consisting of hundreds of resource constrained devices at intermittent connectivity. Our approach limits the FIB tables to a minimum and naturally supports mobility, temporary network partitioning, data aggregation and near real-time reactivity. We experimentally evaluate the protocol in a real-world deployment using the IoT-Lab testbed with varying numbers of constrained devices, each wirelessly interconnected via IEEE 802.15.4 LowPANs. Implementations are built on CCN-lite with RIOT and support experiments using various single- and multi-hop scenarios

Backscatter from the Data Plane --- Threats to Stability and Security in Information-Centric Networking

Information-centric networking proposals attract much attention in the ongoing search for a future communication paradigm of the Internet. Replacing the host-to-host connectivity by a data-oriented publish/subscribe service eases content distribution and authentication by concept, while eliminating threats from unwanted traffic at an end host as are common in today's Internet. However, current approaches to content routing heavily rely on data-driven protocol events and thereby introduce a strong coupling of the control to the data plane in the underlying routing infrastructure. In this paper, threats to the stability and security of the content distribution system are analyzed in theory and practical experiments. We derive relations between state resources and the performance of routers and demonstrate how this coupling can be misused in practice. We discuss new attack vectors present in its current state of development, as well as possibilities and limitations to mitigate them.Comment: 15 page

Design and implementation of multicast listener discovery protocol on constrained devices

Para la aplicación y apoyo del uso de IPv6 en 6LoWPANs (Low-power Wireless Personal Area Networks), ha habido numerosas investigaciones y se han desarrollado protocolos y mecanismos estandarizados. Sin embargo para la comunicación multicast en estas redes, el tema esta aún bastante abierto a la investigación. La comunicación multicast permite conectar routers con hosts preseleccionados por grupos. La comunicación multicast es muy beneficiosa para aplicaciones con dispositivos con recursos limitados ya que ahorra energía y ancho de banda. A continuación mostramos posibles ejemplos de estas aplicaciones, la iluminación de un edificio organizada por plantas, una red de sensores de temperatura organizados por áreas y un largo número de aplicaciones basadas en la comunicación de un punto a varios puntos preseleccionados. El grupo de investigación de la universidad de Aalto (Finlandia) llamado MAMMoTH (Massive Scale Machine-to-Machine Service) tiene como uno de sus objetivos construir un protocolo multicast para dispositivos con recursos limitados. Para el desarrollo de este protocolo, es necesario un protocolo de encaminamiento multicast y un protocolo de gestión de grupos multicast. Este último, es el protocolo que he desarrollado como “research assistant” para mi proyecto final de carrera. En este proyecto final de carrera, se ha diseñado, implementado y evaluado el protocolo MLD para dispositivos con recursos limitados. MLD permite a un router IPv6 gestionar grupos multicast. No obstante, el uso de MLD en LoWPANs tiene varios problemas como la definición del area local, el tamaño de los paquete y la complejidad del comportamiento del router. El protocolo ha sido implementado en Contiki, un sistema operativo para desarrollar para el “Internet of Things”. Contiki permite conectar sistemas pequeños de poco coste con poca potencia a Internet. Hemos ampliado la pila TCP/IP de Contiki para respaldar MLD. El protocolo ha sido evaluado y analizado sobre un simulador en diferentes topologías para validar el funcionamiento. Del mismo modo, también se ha verificado que el tamaño del objeto creado no ocupaba más memoria de la disponible en los dispositivos Z1 Zolertia

Key distribution technique for IPTV services with support for admission control and user defined groups

Tese de doutoramento. Engenharia Electrotécnica e de Computadores. Faculdade de Engenharia. Universidade do Porto. 200