
    Securing and enhancing routing protocols for mobile ad hoc networks

    1. BACKGROUND
    1.1. MANET
    A MANET (Mobile Ad hoc NETwork) is a network formed by mobile nodes that communicate wirelessly, in an ad hoc manner and without fixed infrastructure. Routing protocols for such networks have to differ from those used in fixed networks. In addition, because nodes use the air as their medium, many nodes may overhear what one node transmits, and messages are lost to collisions.
    Routing protocols that operate in this setting exist today, but they are entirely unsecured: they trust that nodes will not behave maliciously. If MANET routing is to be broadly used, it has to be possible to do it securely. In a network where the existence of central servers cannot be assumed, nodes need to be able to communicate without the risk of malicious nodes impersonating the parties they want to talk to. In a network where everybody is anonymous, identity and trust have to be redefined.
    1.2. AODV
    The Ad hoc On-Demand Distance Vector (AODV) protocol is a reactive routing protocol for mobile ad hoc networks: AODV does nothing until a node needs to transmit a packet to a destination for which it has no route, and it only maintains routes between nodes that need to communicate. Its routing messages do not carry the whole path, only the source and the destination, so they have a constant size regardless of the number of hops in the route. AODV uses destination sequence numbers to express how fresh a route is relative to another, which is what guarantees loop freedom.
    In AODV, a node performs route discovery by flooding the network with a Route Request (RREQ) message. When the RREQ reaches a node that has a route to the requested destination (or the destination itself), that node answers with a Route Reply (RREP) that travels back to the originator of the RREQ. After this, every node on the discovered path has a route to both ends of the path.
    2. CONTRIBUTIONS
    2.1. SAODV
    Secure Ad hoc On-Demand Distance Vector (SAODV) is an extension of AODV that protects the route discovery mechanism, providing security features such as integrity and authentication. Two mechanisms secure the AODV messages: digital signatures authenticate the non-mutable fields of a message, and hash chains secure the hop count, the only field that changes in transit. The hash chain and signature data travel with the AODV message as an extension message.
    2.2. SAKM
    Simple Ad hoc Key Management (SAKM) provides a key management system that makes it possible for each ad hoc node to obtain the public keys of the other nodes of the network. Further, each node is able to securely verify the binding between the identity of a given node and that node's public key. This is achieved by using statistically unique and cryptographically verifiable addresses.
    2.2.1. Delayed verification
    Delayed verification allows route entries, and route entry deletions, to sit in the routing table pending verification. They are verified whenever the node has spare processor time and, in any case, before the entries are used to forward data packets.
    2.3. Shortcut detection
    When a MANET routing protocol performs route discovery, it does not find the shortest route but the route along which the route request flood travelled fastest. Moreover, because nodes move, a route that was the shortest at discovery time may stop being so within a short period. This causes not only a much larger end-to-end delay than necessary, but also more collisions and faster power consumption. To avoid this performance loss, nodes could periodically discover shortcuts for their active routes; the mechanism can be used with any distance vector routing protocol. The same mechanism can also serve as a bidirectional route recovery mechanism.
    Postprint (published version)
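The SAODV and SAKM mechanisms described above (signature over the non-mutable fields, hash chain over the hop count, address bound to the originator's public key), worked through as an added Go example. This is the editor's illustration, not the thesis's code or its exact message layout. Assumptions: SHA-256 is the hash function h, Ed25519 is the signature scheme, a node's address is the first 8 bytes of SHA-256 of its public key (standing in for SAKM's statistically unique, cryptographically verifiable addresses), and the RREQ is reduced to the fields needed to show the idea; all Go identifiers are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Addr is a node address derived from the node's public key, in the spirit of
// SAKM's verifiable addresses. Assumption: first 8 bytes of SHA-256(pubkey).
type Addr [8]byte

func AddrFromKey(pub ed25519.PublicKey) (a Addr) {
	h := sha256.Sum256(pub)
	copy(a[:], h[:8])
	return a
}

// GenKey creates a node identity: an Ed25519 key pair plus its derived address.
func GenKey() (ed25519.PublicKey, ed25519.PrivateKey, Addr) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv, AddrFromKey(pub)
}

// Immutable holds the RREQ fields intermediate nodes must not change. It is
// fixed-width, so its big-endian encoding is exactly the signed message.
type Immutable struct {
	Origin, Dest    Addr
	RREQID, DestSeq uint32
	MaxHops         uint8    // bounds the hash chain length
	TopHash         [32]byte // h^MaxHops(seed)
}

// RREQ is the AODV request plus the SAODV-style signature extension.
type RREQ struct {
	Immutable
	HopCount uint8    // mutable: incremented by each forwarder
	Hash     [32]byte // mutable: h^HopCount(seed), hashed once by each forwarder
	PubKey   ed25519.PublicKey
	Sig      []byte
}

func (m *RREQ) signedBytes() []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, m.Immutable)
	return b.Bytes()
}

func hashN(x [32]byte, n int) [32]byte {
	for i := 0; i < n; i++ {
		x = sha256.Sum256(x[:])
	}
	return x
}

// NewRREQ is the originator's side: random seed, TopHash = h^MaxHops(seed), signature.
func NewRREQ(priv ed25519.PrivateKey, dest Addr, id, seq uint32, maxHops uint8) RREQ {
	pub := priv.Public().(ed25519.PublicKey)
	m := RREQ{PubKey: pub}
	m.Immutable = Immutable{Origin: AddrFromKey(pub), Dest: dest, RREQID: id, DestSeq: seq, MaxHops: maxHops}
	if _, err := rand.Read(m.Hash[:]); err != nil {
		panic(err)
	}
	m.TopHash = hashN(m.Hash, int(maxHops))
	m.Sig = ed25519.Sign(priv, m.signedBytes())
	return m
}

// Forward is an honest intermediate node: one more hop, one more hash step.
func Forward(m RREQ) RREQ {
	m.HopCount++
	m.Hash = sha256.Sum256(m.Hash[:])
	return m
}

// Verify checks address/key binding, the signature, and that the hash chain
// agrees with the advertised hop count (h^(MaxHops-HopCount)(Hash) == TopHash).
func Verify(m *RREQ) error {
	if len(m.PubKey) != ed25519.PublicKeySize || AddrFromKey(m.PubKey) != m.Origin {
		return errors.New("originator address is not bound to the public key")
	}
	if !ed25519.Verify(m.PubKey, m.signedBytes(), m.Sig) {
		return errors.New("signature over immutable fields does not verify")
	}
	if m.HopCount > m.MaxHops || hashN(m.Hash, int(m.MaxHops-m.HopCount)) != m.TopHash {
		return errors.New("hash chain does not match hop count")
	}
	return nil
}

func main() {
	_, priv, _ := GenKey()
	m := Forward(Forward(NewRREQ(priv, Addr{}, 1, 7, 10)))
	fmt.Println("honest 2-hop RREQ:", Verify(&m))
	m.HopCount-- // a forwarder advertising a shorter route than it has
	fmt.Println("decremented hop count:", Verify(&m))
}
```

Two things the code makes concrete that the abstract only names. First, the hash chain proves that the hop count was not decreased below what the originator's chain allows, but nothing in it detects a forwarder that rebroadcasts the RREQ without incrementing HopCount and without hashing, so a node can still make itself look one hop closer than it is. Second, delayed verification (2.2.1) is a policy around Verify rather than a different check: store the entry when the RREQ arrives, call Verify when the CPU is idle or at the latest when the first data packet needs the route, and drop the entry if it fails.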

    Resilient scalable internet routing and embedding algorithms


    Evaluation of on-demand routing in mobile ad hoc networks and proposal for a secure routing protocol

    Secure routing in Mobile Ad hoc Networks (MANETs) has emerged as an important MANET research area. Initial work on MANETs focused mainly on providing efficient mechanisms for finding paths in very dynamic networks, without considering the security of the routing process; as a result, a number of attacks exploit these routing vulnerabilities to manipulate MANETs. In this thesis, we performed an in-depth evaluation and performance analysis of existing MANET routing protocols, identifying Dynamic Source Routing (DSR) as the most robust (in throughput, latency and routing overhead) and as one that can be secured with a negligible trade-off in routing efficiency. We describe security threats, showing specifically their effects on DSR. We propose a new routing protocol, Authenticated Source Routing for Ad hoc Networks (ASRAN): an out-of-band, certification-based, authenticated source routing protocol that modifies the route acquisition process of DSR to defeat all identified attacks. Simulation studies confirm that ASRAN strikes a good balance between the added security and routing efficiency.

    Bandwidth and Energy-Efficient Route Discovery for Noisy Mobile Ad-Hoc Networks

    Broadcasting is used by on-demand routing protocols to discover routes in Mobile Ad hoc Networks (MANETs). On-demand protocols such as Ad hoc On-demand Distance Vector (AODV) commonly rely on pure flooding: the source node broadcasts a route request (RREQ) packet and every node that receives it rebroadcasts it, until the RREQ reaches the destination node. Pure flooding generates a great deal of redundant routing traffic, which can lead to the broadcast storm problem (BSP) and degrade MANET performance significantly. A number of probabilistic broadcasting schemes have been proposed in the literature to address the BSP, but they do not account for the thermal noise and interference present in real-life MANETs and therefore do not perform well there: real-life MANETs are noisy and communication is not error free. This research argues that a broadcast scheme that simultaneously considers the effects of thermal noise, co-channel interference and node density in the neighbourhood can reduce the broadcast storm problem and improve MANET performance. To that end, three investigations were carried out: first, the effect of carrier-sensing ranges on on-demand routing protocols such as AODV and their impact on interference; second, the effect of thermal noise on on-demand routing protocols; and third, an evaluation of pure flooding and probabilistic broadcasting schemes under noisy and noiseless conditions. The findings of these investigations are used to propose a Channel Adaptive Probabilistic Broadcast (CAPB) scheme that disseminates RREQ packets efficiently. CAPB determines the probability of rebroadcasting an RREQ packet on the fly from the current Signal to Interference plus Noise Ratio (SINR) and the node density in the neighbourhood. The proposed scheme and two related state-of-the-art (SoA) schemes from the literature were implemented in standard AODV in place of the pure flooding broadcast. Ns-2 simulation results show that CAPB outperforms the other schemes in routing overhead, average end-to-end delay, throughput and energy consumption.
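The trade-off this abstract is about, pure flooding versus a rebroadcast probability that depends on local node density, as an added Go simulation. This is the editor's illustration, not the thesis's CAPB scheme: the abstract gives no formula, so the rebroadcast rule here is an assumed density-only rule, min(1, k/degree), with no SINR term. Node positions are seeded pseudo-random, the radio model is a unit disk with no collisions or noise, and all identifiers are the example's own.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// Node is a position in the unit square; radio range is a unit disk (assumption).
type Node struct{ X, Y float64 }

// Scenario places n nodes at seeded pseudo-random positions so runs repeat exactly.
func Scenario(n int, seed int64) ([]Node, *rand.Rand) {
	rng := rand.New(rand.NewSource(seed))
	nodes := make([]Node, n)
	for i := range nodes {
		nodes[i] = Node{rng.Float64(), rng.Float64()}
	}
	return nodes, rng
}

// Neighbours builds adjacency lists for nodes within range r of each other.
func Neighbours(nodes []Node, r float64) [][]int {
	adj := make([][]int, len(nodes))
	for i, a := range nodes {
		for j, b := range nodes {
			if i != j && math.Hypot(a.X-b.X, a.Y-b.Y) <= r {
				adj[i] = append(adj[i], j)
			}
		}
	}
	return adj
}

// Broadcast simulates one RREQ dissemination from src. prob gives the chance
// that a node which hears the RREQ for the first time rebroadcasts it; nil
// means pure flooding (every node that hears it rebroadcasts once). It returns
// how many nodes received the RREQ and how many transmissions that cost.
func Broadcast(adj [][]int, src int, rng *rand.Rand, prob func(degree int) float64) (reached, transmissions int) {
	heard := make([]bool, len(adj))
	heard[src] = true
	queue := []int{src}
	for len(queue) > 0 {
		n := queue[0]
		queue = queue[1:]
		if n != src && prob != nil && rng.Float64() >= prob(len(adj[n])) {
			continue // heard the RREQ but chose not to rebroadcast it
		}
		transmissions++
		for _, nb := range adj[n] {
			if !heard[nb] {
				heard[nb] = true
				queue = append(queue, nb)
			}
		}
	}
	for _, h := range heard {
		if h {
			reached++
		}
	}
	return reached, transmissions
}

// DensityAdaptive is an assumed stand-in for CAPB's rule: forward with
// probability min(1, k/degree), so in dense neighbourhoods, where many nodes
// would repeat the same RREQ, fewer of them do.
func DensityAdaptive(k float64) func(int) float64 {
	return func(degree int) float64 {
		if degree == 0 {
			return 1
		}
		return math.Min(1, k/float64(degree))
	}
}

// Compare runs pure flooding and the adaptive rule on the same topology.
func Compare(n int, r float64, seed int64) (floodReach, floodTx, probReach, probTx int) {
	nodes, rng := Scenario(n, seed)
	adj := Neighbours(nodes, r)
	floodReach, floodTx = Broadcast(adj, 0, rng, nil)
	probReach, probTx = Broadcast(adj, 0, rng, DensityAdaptive(4))
	return
}

func main() {
	fr, ft, pr, pt := Compare(200, 0.15, 1)
	fmt.Printf("pure flooding:    reached %d nodes with %d transmissions\n", fr, ft)
	fmt.Printf("density-adaptive: reached %d nodes with %d transmissions\n", pr, pt)
}
```

The two numbers to watch are the ones the abstract uses as its yardsticks: transmissions (routing overhead) and reached nodes (whether route discovery still finds the destination). Pure flooding always costs exactly one transmission per node that hears the RREQ; the probabilistic rule can only lower both counts, and the risk it trades for that saving is an RREQ that dies before reaching the destination. What this model cannot show is the part the thesis measures with ns-2: the collisions and contention that redundant rebroadcasts cause at the MAC layer, which is where the broadcast storm actually costs delay and energy.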

    Security and privacy for large ad-hoc networks

    Ph.D. (Doctor of Philosophy)

    Distributed resource discovery: architectures and applications in mobile networks

    As the amount of digital information and services increases, it becomes increasingly important to be able to locate the desired content. The purpose of a resource discovery system is to allow available resources (information or services) to be located using a user-defined search criterion. This work studies distributed resource discovery systems that guarantee that all existing resources are found and that allow a wide range of complex queries. Our goal is to allocate the load uniformly among the participating nodes, or alternatively to concentrate the load in the nodes with the highest available capacity. The first part of the work examines the performance of various existing unstructured architectures and proposes new architectures that provide features especially valuable in mobile networks. To reduce network traffic we use indexing, which is particularly useful in scenarios where searches are frequent compared to resource modifications. The ratio between the search and update frequencies determines the optimal level of indexing. Based on this observation, we develop an architecture that adjusts itself to changing network conditions and search behaviour while maintaining optimal indexing. We also propose an architecture based on large-scale indexing that we later apply to resource sharing within a user group. Furthermore, we propose an architecture that relieves the topology constraints of the Parallel Index Clustering architecture. The performance of the architectures is evaluated using simulation. In the second part of the work we apply the architectures to two types of mobile networks: cellular networks and ad hoc networks. In the cellular network, we first consider scenarios where multiple commercial operators provide a resource sharing service, and then a scenario where the users share resources without operator support. We evaluate the feasibility of the mobile peer-to-peer concept using user opinion surveys and technical performance studies. Based on user input we develop access control and group management algorithms for peer-to-peer networks. The technical evaluation is performed using prototype implementations. In particular, we examine whether the Session Initiation Protocol can be used for signalling in peer-to-peer networks. Finally, we study resource discovery in an ad hoc network. We observe that in an ad hoc network consisting of consumer devices, the capacity and mobility of nodes vary widely. We exploit this property to allocate the load to the high-capacity nodes, which serve the lower-capacity nodes. We propose two methods for constructing a virtual backbone connecting the nodes.

    SOMO: Self-Organized Metadata Overlay for Resource Management in P2P DHT
