draft-ietf-manet-nhdp-sec-threats-01.txt (shown as the revision of
draft-ietf-manet-nhdp-sec-threats-00.txt, dated April 9, 2012, which
expired October 11, 2012)

Mobile Ad hoc Networking (MANET)                             U. Herberg
Internet-Draft                          Fujitsu Laboratories of America
Intended status: Informational                                    J. Yi
Expires: April 25, 2013                                      T. Clausen
                                               LIX, Ecole Polytechnique
                                                       October 22, 2012

                       Security Threats for NHDP
                  draft-ietf-manet-nhdp-sec-threats-01
Abstract

   This document analyses common security threats of the Neighborhood
   Discovery Protocol (NHDP), and describes their potential impacts on
   MANET routing protocols using NHDP.
Status of this Memo

   This Internet-Draft is submitted in full conformance with the

skipping to change at page 1, line 34

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on April 25, 2013.

Copyright Notice

   Copyright (c) 2012 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

skipping to change at page 2, line 12

   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.
Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  3
   2.  Terminology  . . . . . . . . . . . . . . . . . . . . . . . . .  3
   3.  NHDP Threat Overview . . . . . . . . . . . . . . . . . . . . .  4
   4.  Detailed Threat Description  . . . . . . . . . . . . . . . . .  4
     4.1.  Jamming  . . . . . . . . . . . . . . . . . . . . . . . . .  5
     4.2.  Denial of Service Attack . . . . . . . . . . . . . . . . .  5
     4.3.  Eavesdropping  . . . . . . . . . . . . . . . . . . . . . .  6
     4.4.  Incorrect HELLO Message Generation . . . . . . . . . . . .  6
       4.4.1.  Identity Spoofing  . . . . . . . . . . . . . . . . . .  6
       4.4.2.  Link Spoofing  . . . . . . . . . . . . . . . . . . . .  7
     4.5.  Replay Attack  . . . . . . . . . . . . . . . . . . . . . .  8
     4.6.  Message Timing Attacks . . . . . . . . . . . . . . . . . .  8
       4.6.1.  Interval Time Attack . . . . . . . . . . . . . . . . .  8
       4.6.2.  Validity Time Attack . . . . . . . . . . . . . . . . .  9
     4.7.  Indirect Jamming . . . . . . . . . . . . . . . . . . . . .  9
   5.  Impact of inconsistent Information Bases on Protocols
       using NHDP . . . . . . . . . . . . . . . . . . . . . . . . . . 10
     5.1.  MPR Calculation  . . . . . . . . . . . . . . . . . . . . . 10
       5.1.1.  Flooding Disruption due to Identity Spoofing . . . . . 10
       5.1.2.  Flooding Disruption due to Link Spoofing . . . . . . . 12
       5.1.3.  Broadcast Storm  . . . . . . . . . . . . . . . . . . . 12
     5.2.  Routing Loops  . . . . . . . . . . . . . . . . . . . . . . 13
     5.3.  Invalid or Non-Existing Paths to Destinations  . . . . . . 14
     5.4.  Data Sinkhole  . . . . . . . . . . . . . . . . . . . . . . 14
   6.  Security Considerations  . . . . . . . . . . . . . . . . . . . 14
   7.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . . 14
   8.  References . . . . . . . . . . . . . . . . . . . . . . . . . . 14
     8.1.  Normative References . . . . . . . . . . . . . . . . . . . 14
     8.2.  Informative References . . . . . . . . . . . . . . . . . . 15
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 15
1.  Introduction

skipping to change at page 3, line 21

   OLSRv2 [OLSRv2] and SMF [SMF].  The topology information, acquired by
   way of NHDP, serves these routing protocols for calculating paths to
   all destinations in the MANET, for relay set selection for network-
   wide transmissions, etc.

   As NHDP is typically used in wireless environments, it is potentially
   exposed to different kinds of security threats, some of which are of
   particular significance as compared to wired networks.  As wireless
   radio waves can be captured as well as transmitted by any wireless
   device within radio range, there is commonly no physical protection
   as otherwise known for wired networks.  NHDP does not define any
   explicit security measures for protecting the integrity of the
   information it acquires, but suggests that this be addressed in a
   fashion appropriate to the deployment of the network.

   This document is based on the assumption that no additional security
   mechanism (such as IPsec) is used in the IP layer.  The document
   analyses possible attacks on, and mis-configurations of, NHDP and
   outlines the consequences of such attacks and mis-configurations for
   the state maintained by NHDP in each router (and, thus, made
   available to protocols using this state).
2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   [RFC2119].

   This document uses the terminology and notation defined in [RFC5444]
   and NHDP [RFC6130].

   Additionally, this document introduces the following terminology:

   NHDP Router:  A MANET router, running NHDP as specified in [RFC6130].

   Attacker:  A device, present in the network and which intentionally
      seeks to compromise the information bases in NHDP routers.

   Compromised NHDP Router:  An attacker, present in the network and
      which generates syntactically correct NHDP control messages.
      Control messages emitted by a Compromised NHDP router may contain
      additional information, or omit information, as compared to a
      control message generated by a non-compromised NHDP router located
      in the same topological position in the network.

   Legitimate NHDP Router:  An NHDP router, which is not a Compromised
      NHDP Router.
3.  NHDP Threat Overview

   NHDP defines a HELLO message exchange, enabling each NHDP router to
   acquire topological information describing its 1-hop and 2-hop
   neighbors, and specifies information bases for recording this
   information.

   An NHDP router periodically transmits HELLO messages using a link-
   local multicast on each of its interfaces with a hop-limit of 1
   (i.e., HELLOs are never forwarded).  In these HELLO messages, an NHDP
   router announces the IP addresses of its neighbors' interfaces as
   heard, symmetric or lost.

   An Attacker has several ways of harming this neighbor discovery
   process: it can announce "wrong" information about its identity,
   postulate non-existent links, and replay HELLO messages.  These
   attacks are presented in detail in Section 4.

   The different ways of attacking an NHDP deployment may eventually
   lead to inconsistent information bases, not accurately reflecting the
   correct topology of the MANET.  The consequence hereof is that
   protocols using NHDP will base their operation on incorrect
   information, causing routing protocols to not be able to calculate
   correct (or any) paths, degrade the performance of flooding

skipping to change at page 5, line 18
4.1.  Jamming

   One vulnerability, common for all protocols operating a wireless ad
   hoc network, is that of "jamming", i.e., that a device generates
   massive amounts of interfering radio transmissions, which will
   prevent legitimate traffic (e.g., control traffic as well as data
   traffic) on part of a network.

   Depending on lower layers, this may not affect transmissions: HELLO
   messages from an NHDP router with "jammed" interfaces may be received
   by other NHDP routers.  As NHDP identifies whether a link to a
   neighbor is uni-directional or bi-directional, a routing protocol
   that uses NHDP for neighborhood discovery may ignore a link from a
   jammed NHDP router to a non-jammed NHDP router.  The jammed router (a
   router with jammed carrier) would appear simply as "disconnected" to
   the un-jammed part of the network, which is able to maintain accurate
   topology maps.

   If, due to a jamming attack, a considerable number of HELLO messages
   are lost or corrupted due to collisions, neighbor NHDP routers are
   not able to establish links between them any more.  Thus, NHDP will
   present empty information bases to the protocols using it.
4.2.  Denial of Service Attack

   A Denial of Service (DoS) attack can be a result of misconfiguration
   of Legitimate NHDP Routers (e.g., a very short HELLO transmission
   interval) or of malicious behavior of Compromised NHDP Routers.

   By transmitting a huge amount of HELLO messages in a short period of
   time, NHDP Routers can jam the communication channel as introduced in
   Section 4.1.  Furthermore, a Compromised NHDP Router can spoof a
   large number of different IP addresses, and send HELLOs to its
   neighbors to fill their Link/Neighbor Sets.  This may result in
   memory exhaustion, making the processing of legitimate HELLO messages
   impossible.  A Compromised NHDP Router can also use link spoofing in
   its HELLO messages, generating huge 2-Hop Sets in adjacent NHDP
   Routers and therefore potentially exhausting their memory.  Moreover,
   protocols such as SMF and OLSRv2, using the 2-hop information for MPR
   calculation, may exhaust the available computational resources of the
   router if the Neighbor Set and 2-Hop Sets have too many entries.

   By exhausting the memory, CPU, or channel resources of a router in a
   DoS attack or through a misconfiguration, NHDP Routers may not be
   able to accomplish their specified task of exchanging 1-hop and 2-hop
   neighborhood information, thereby disturbing the operation of routing
   protocols using NHDP.
4.3.  Eavesdropping

   Eavesdropping is a common and easy passive attack in a wireless
   environment.  Once a packet is transmitted, any adjacent NHDP router
   can potentially obtain a copy, for immediate or later processing.
   Neither the source nor the intended destination can detect this.  A
   malicious NHDP router can eavesdrop on the NHDP message exchange and
   thus learn the local topology.  It may also eavesdrop on data traffic
   to learn source and destination addresses of data packets, or other
   header information, as well as the packet payload.

   Eavesdropping does not pose a direct threat to the network nor to
   NHDP, inasmuch as it does not alter the information recorded by NHDP
   in its information bases and presented to other protocols using it,
   but it can provide network information required for enabling other
   attacks, such as the identity of communicating NHDP routers, link
   characteristics, NHDP router configuration, etc.
4.4.  Incorrect HELLO Message Generation

   An NHDP router performs two distinct tasks: it periodically generates
   HELLO messages, and it processes incoming HELLO messages from
   neighbor NHDP routers.  This section describes security attacks
   involving the HELLO generation.
4.4.1.  Identity Spoofing

   Identity spoofing implies that a Compromised NHDP router sends HELLO
   messages, pretending to have the identity of another NHDP router, or
   even of a router that does not exist in the network.  A Compromised
   NHDP router can accomplish this by using another IP address in an
   address block of a HELLO message, and associating this address with a
   LOCAL_IF Address Block TLV.

   An NHDP router receiving the HELLO message from a neighbor will
   assume that it originated from the NHDP router with the spoofed
   interface address.  As a consequence, it will add a Link Tuple to
   that neighbor with the spoofed address, and include it in its next
   HELLO messages as a heard neighbor (and possibly as a symmetric
   neighbor after another HELLO exchange).

   Identity spoofing is particularly harmful if a Compromised NHDP
   router spoofs the identity of another NHDP router that exists in the
   same routing domain.  With respect to NHDP, such a duplicated,
   spoofed address can lead to an inconsistent state up to two hops from
   an NHDP router.  Figure 1 depicts a simple example.  In that example,
   NHDP router A is in radio range of C, but not of the Compromised NHDP
   router X.  If X spoofs the address of A, that can lead to conflicts
   for a routing protocol that uses NHDP, and therefore to wrong path
   calculations as well as incorrect data traffic forwarding.

                        .---.    .---.    .---.
                        | A |----| C |----| X |
                        '---'    '---'    '---'

                                Figure 1

   Figure 2 depicts another example.  In this example, A is two hops
   away from NHDP router C, reachable through NHDP router B.  If the
   Compromised NHDP router X spoofs the address of A, D will take A as
   its one-hop neighbor, and C may think that A is indeed reachable
   through NHDP router D.

              .---.    .---.    .---.    .---.    .---.
              | A |----| B |----| C |----| D |----| X |
              '---'    '---'    '---'    '---'    '---'

                                Figure 2
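   To make the Figure 2 scenario concrete, the following Python (an
   added example written for this page, not code from the draft or from
   any NHDP implementation) models the receiver side of HELLO processing
   and shows exactly which information-base entries at D and C are
   spurious once X announces A's address, while A itself, out of X's
   radio range, sees nothing; the simplifications are listed in the
   module docstring.

```python
"""Toy model of NHDP (RFC 6130) HELLO processing, used to show how a single
spoofed LOCAL_IF address pollutes the Link Set of the router that hears it
and the 2-Hop Set of the routers one hop further away (Figure 2).

Constructed example; only the subset of NHDP needed here is modelled:
  - a HELLO carries the sender's own address (LOCAL_IF) and its
    neighbors' addresses, each with a LINK_STATUS value;
  - a receiver records the LOCAL_IF address in its Link Set and every
    LINK_STATUS address in its 2-Hop Set, keyed by the advertising
    neighbor;
  - validity times, multiple interfaces and HEARD/SYMMETRIC transitions
    are left out (every advertised link is simply treated as SYMMETRIC).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SYMMETRIC = "SYMMETRIC"


@dataclass
class Hello:
    local_if: str                 # address carried with the LOCAL_IF TLV
    link_status: Dict[str, str]   # neighbor address -> LINK_STATUS value


@dataclass(eq=False)              # eq=False keeps Router hashable (dict key)
class Router:
    addr: str
    link_set: Set[str] = field(default_factory=set)                 # 1-hop
    two_hop_set: Set[Tuple[str, str]] = field(default_factory=set)  # (via, addr)

    def process_hello(self, msg: Hello) -> None:
        """Receiver side: NHDP trusts LOCAL_IF and LINK_STATUS as sent."""
        self.link_set.add(msg.local_if)
        # Replace whatever this neighbor advertised before, keep the rest.
        self.two_hop_set = {(via, a) for (via, a) in self.two_hop_set
                            if via != msg.local_if}
        for nbr in msg.link_status:
            if nbr != self.addr:  # a router is never its own 2-hop neighbor
                self.two_hop_set.add((msg.local_if, nbr))

    def generate_hello(self) -> Hello:
        """Sender side: advertise every Link Set entry as SYMMETRIC."""
        return Hello(self.addr, {n: SYMMETRIC for n in sorted(self.link_set)})


def deliver(msg: Hello, in_range: List[Router]) -> None:
    """Link-local multicast: only routers within radio range receive it."""
    for r in in_range:
        r.process_hello(msg)


def run_figure2(spoof: bool) -> Dict[str, Tuple[Set[str], Set[Tuple[str, str]]]]:
    """Chain A - B - C - D - X.  With spoof=True, X announces A's address."""
    A, B, C, D = (Router(n) for n in "ABCD")
    radio_range = {A: [B], B: [A, C], C: [B, D], D: [C]}
    for _ in range(2):  # two rounds so that every link is known both ways
        for r, nbrs in radio_range.items():
            deliver(r.generate_hello(), nbrs)
    if spoof:
        # X is in range of D only and puts A's address in its LOCAL_IF block
        deliver(Hello("A", {"D": SYMMETRIC}), [D])
        # D's next HELLO now lists "A" as a neighbor, and C records that
        deliver(D.generate_hello(), [C])
    return {r.addr: (r.link_set, r.two_hop_set) for r in (A, B, C, D)}


def spurious_two_hop_tuples(router: str) -> Set[Tuple[str, str]]:
    """2-Hop Set entries of `router` that exist only because of the spoof."""
    return run_figure2(True)[router][1] - run_figure2(False)[router][1]


if __name__ == "__main__":
    honest, spoofed = run_figure2(False), run_figure2(True)
    print("D's Link Set  :", sorted(honest["D"][0]), "->", sorted(spoofed["D"][0]))
    print("C's 2-Hop Set :", sorted(honest["C"][1]), "->", sorted(spoofed["C"][1]))
    print("A's state unchanged:", honest["A"] == spoofed["A"])
```

   Note that nothing in C's resulting state is locally contradictory:
   an address reachable via two different neighbors is perfectly
   legitimate in other topologies, which is why the inconsistency is not
   detectable by C alone.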
4.4.2.  Link Spoofing

   Similar to identity spoofing, link spoofing implies that a
   Compromised NHDP router sends HELLO messages, signaling an incorrect
   set of neighbors.  This may take either of two forms:

   o  A Compromised NHDP Router can postulate addresses of non-present
      neighbor NHDP routers in an address block of a HELLO, associated
      with LINK_STATUS TLVs.

   o  A Compromised NHDP router can "ignore" otherwise existing

skipping to change at page 8, line 6

   router ignores existing neighbors in its advertisements, links will
   be missing in the information bases maintained by other routers, and
   there may not be any connectivity to or from these NHDP routers to
   other NHDP routers in the MANET.  If, on the other hand, the
   Compromised NHDP router advertises non-existing links, this will lead
   to inclusion of topological information in the information base,
   describing non-existing links in the network (which, then, may be
   used by other protocols using NHDP in place of other, existing,
   links).
4.5.  Replay Attack

   A replay attack implies that control traffic from one region of the
   network is recorded and replayed in a different region at (almost)
   the same time, or in the same region at a different time.  This may,
   for example, happen when two Compromised NHDP routers collaborate on
   an attack, one recording traffic in its proximity and tunneling it to
   the other Compromised NHDP router, which replays the traffic.  In a
   protocol where links are discovered by testing reception, this will
   result in extraneous link creation (basically, a "virtual" link
   between the two Compromised NHDP routers will appear in the
   information bases of neighboring NHDP routers).

   While this situation may result from an attack, it may also be
   intentional: if data traffic is also relayed over the "virtual" link,
   the link being detected is indeed valid for use.  This is, for
   instance, used in wireless repeaters.  If data traffic is not carried
   over the virtual link, an imaginary, useless link between the two
   Compromised NHDP routers has been advertised, and is being recorded
   in the information bases of their neighboring NHDP routers.
   [The following paragraph and Section 4.5 "Sequence Number Attack"
   appear in draft-00 only; they were removed in draft-01, where 4.5 is
   the Replay Attack section above.]

   Replay attacks can be especially damaging if coupled with spoofing
   and tampering with sequence numbers in the replayed messages,
   potentially destroying some important topology information in NHDP
   routers all over the network, as described in Section 4.5.

4.5.  Sequence Number Attack (draft-00 only)

   [RFC6130] uses message sequence numbers, to avoid processing and
   forwarding the same message more than once.  An attack may consist of
   a Compromised NHDP router, spoofing the identity of another
   Legitimate NHDP router in the network and transmitting a large number
   of HELLO messages, each with different message sequence numbers.
   Subsequent HELLOs with the same sequence numbers, originating from
   the Legitimate NHDP router whose identity was spoofed, would hence be
   ignored, until eventually information concerning these "spoofed"
   HELLO messages expires.

   As illustrated in Figure 1, if the Compromised NHDP router X spoofs
   the identity of NHDP router A, and broadcasts several HELLO messages,
   all the valid HELLO messages sent by A with the same sequence numbers
   will be discarded by C, until the information concerning these HELLOs
   expires.
4.6.  Message Timing Attacks

   In NHDP, each HELLO message contains a "validity time" and may
   contain an "interval time" field, identifying the time for which
   information in that control message should be considered valid until
   discarded, and the time until the next control message of the same
   type should be expected [RFC5497].

4.6.1.  Interval Time Attack

   One use of the expected interval between two successive HELLO
   messages is for determining the link quality in NHDP: if messages are
   not received within the expected intervals (e.g., a certain fraction
   of messages are missing), then this may be used to exclude a link
   from being considered as useful, even if (some) bi-directional
   communication has been verified.  If a Compromised NHDP router X
   spoofs the identity of an existing NHDP router A, and sends HELLOs
   indicating a low interval time, an NHDP router B receiving this HELLO
   will expect the following HELLO to arrive within the interval time
   indicated, or otherwise decrease the link quality for the link A-B.
   Thus, X may cause NHDP router B's estimate of the link quality for
   the link A-B to fall below the limit where it is no longer considered
   as useful and, thus, not used.

4.6.2.  Validity Time Attack

   A Compromised NHDP router X can spoof the identity of an NHDP router
   A and send a HELLO using a low validity time (e.g., 1 ms).  A
   receiving NHDP router B will discard the information upon expiration
   of that interval, i.e., a link between NHDP router A and B will be
   "torn down" by X.  This can be caused by intentional malicious
   behavior, or simply by mis-configuration of the NHDP routers.
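   Both timing attacks of this section manipulate two fields that a
   receiver can sanity-check before acting on them.  The following
   Python monitor is an added example (not from the draft or from any
   NHDP implementation): it flags HELLOs whose validity or interval
   times are implausibly short, inconsistent with each other, or a sharp
   departure from what the same neighbor has been announcing; the
   thresholds in TimingPolicy are assumed deployment policy, not values
   taken from RFC 6130, and times are assumed already decoded from their
   RFC 5497 TLV encoding into seconds.

```python
"""Receiver-side plausibility checks on the VALIDITY_TIME and INTERVAL_TIME
fields of incoming HELLO messages (Sections 4.6.1 and 4.6.2).

Constructed example, not taken from the draft or from an NHDP
implementation.  Times are already decoded from the RFC 5497 TLV
encoding into seconds.  The thresholds in TimingPolicy are deployment
policy chosen for this example, not values mandated by RFC 6130.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class HelloTiming:
    neighbor: str               # originator address from the LOCAL_IF block
    arrival: float              # local receive time, seconds
    validity: float             # VALIDITY_TIME carried in the message
    interval: Optional[float]   # INTERVAL_TIME, None if the TLV is absent


@dataclass(frozen=True)
class TimingPolicy:
    min_validity: float = 1.0   # floor under which a validity time is implausible
    min_interval: float = 0.5   # floor under which an interval time is implausible
    max_shrink: float = 4.0     # flag a timer that shrinks by more than this factor


class HelloTimingMonitor:
    """Flags HELLOs whose timing fields would tear a link down (short
    validity) or make the link look lossy (short interval) for no good
    reason.  It only reports; what to do with a flagged message (log it,
    ignore its timers, alert an operator) is left to the caller."""

    def __init__(self, policy: TimingPolicy):
        self.policy = policy
        self.last_good: Dict[str, HelloTiming] = {}

    def check(self, h: HelloTiming) -> List[str]:
        p, findings = self.policy, []
        if h.validity < p.min_validity:
            findings.append(f"{h.neighbor}: validity {h.validity}s below "
                            f"floor {p.min_validity}s (link would expire early)")
        if h.interval is not None:
            if h.interval < p.min_interval:
                findings.append(f"{h.neighbor}: interval {h.interval}s below "
                                f"floor {p.min_interval}s (missed-HELLO count "
                                f"would rise)")
            if h.interval > h.validity:
                # A router announces its own HELLO_INTERVAL and H_HOLD_TIME;
                # the hold time is never shorter than the interval.
                findings.append(f"{h.neighbor}: interval {h.interval}s exceeds "
                                f"validity {h.validity}s")
        prev = self.last_good.get(h.neighbor)
        if prev is not None:
            if prev.validity > p.max_shrink * h.validity:
                findings.append(f"{h.neighbor}: validity dropped {prev.validity}s "
                                f"-> {h.validity}s")
            if prev.interval and h.interval and prev.interval > p.max_shrink * h.interval:
                findings.append(f"{h.neighbor}: interval dropped {prev.interval}s "
                                f"-> {h.interval}s")
            observed_gap = h.arrival - prev.arrival
            if h.interval and observed_gap > p.max_shrink * h.interval:
                findings.append(f"{h.neighbor}: declares interval {h.interval}s "
                                f"but was last heard {observed_gap}s ago")
        if not findings:
            # Baseline only from messages that passed: one anomalous HELLO
            # must not redefine what is 'normal' for this neighbor.
            self.last_good[h.neighbor] = h
        return findings


# Constructed trace: A sends HELLOs every 2 s with a 6 s validity time; at
# t=4.5 a message carrying A's address arrives with the 1 ms validity time
# used as the example in Section 4.6.2 and a 50 ms interval time.
SAMPLE_TRACE = [
    HelloTiming("A", 0.0, 6.0, 2.0),
    HelloTiming("A", 2.0, 6.0, 2.0),
    HelloTiming("A", 4.0, 6.0, 2.0),
    HelloTiming("A", 4.5, 0.001, 0.05),
    HelloTiming("A", 6.0, 6.0, 2.0),
]


def run_monitor(trace: List[HelloTiming]) -> List[Tuple[float, List[str]]]:
    """Feed a trace through one monitor; returns (arrival, findings) per HELLO."""
    mon = HelloTimingMonitor(TimingPolicy())
    return [(h.arrival, mon.check(h)) for h in trace]


if __name__ == "__main__":
    for arrival, findings in run_monitor(SAMPLE_TRACE):
        print(f"t={arrival:>5}: {'ok' if not findings else '; '.join(findings)}")
```

   The fourth message trips every check, and because the baseline is
   only updated from clean messages, the legitimate HELLO that follows
   it is still judged against A's real behavior rather than against the
   spoofed values.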
4.7.  Indirect Jamming

   Indirect jamming is when a Compromised NHDP router X by its actions
   causes other legitimate NHDP routers to generate inordinate amounts
   of control traffic.  This increases channel occupation, and the
   overhead in each receiving NHDP router processing this control
   traffic.  With this traffic originating from Legitimate NHDP routers,
   the malicious device may remain undetected to the wider network.

   Figure 3 illustrates indirect jamming of NHDP.  A Compromised NHDP
   router X advertises a symmetric spoofed link to the non-existing NHDP
   router B (at time t0).  Router A selects X as MPR upon reception of
   the HELLO, and will trigger a HELLO at t1.  Overhearing this
   triggered HELLO, the attacker sends another HELLO at t2, advertising
   the link to B as lost, which leads to NHDP router A deselecting the
   attacker as MPR, and another triggered message at t3.  The cycle may
   be repeated, alternating advertising the link X-B as LOST and SYM.
                   MPRs(X)                         MPRs()
   .---.           .---.           .---.           .---.
   | A |           | A |           | A |           | A |
   '---'           '---'           '---'           '---'
     |               |               |               |
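The indirect jamming cycle described above and shown in Figure 3 can be run as a small simulation. The Python below is an added example written for this page, not code from the draft or from an NHDP/OLSRv2 implementation. Router A recomputes a minimal MPR set on every HELLO (a greedy cover, standing in for the MPR selection that OLSRv2 [OLSRv2] performs on the neighborhood information NHDP provides) and sends a triggered HELLO whenever that set changes; attacker X overhears each of A's HELLOs and answers with a HELLO that flips the link X-B between SYM and LOST. The 10 ms time step and reaction time, the deferral and coalescing of triggered HELLOs until HELLO_MIN_INTERVAL (a parameter of [RFC6130]) has elapsed, and the 500 ms value chosen for it are assumptions of the example.

```python
from typing import Dict, List, Optional, Set, Tuple


class RouterA:
    """Legitimate router A: keeps the 2-hop neighborhood learnt from HELLOs,
    recomputes its MPR set on every HELLO and sends a triggered HELLO when
    that set changes. With hello_min_interval_ms set, triggered HELLOs that
    would come closer together than that are deferred and coalesced
    (assumed behaviour for honouring HELLO_MIN_INTERVAL)."""

    def __init__(self, hello_min_interval_ms: Optional[int] = None) -> None:
        self.neighbors: Dict[str, Set[str]] = {}   # 1-hop neighbor -> its symmetric 2-hop set
        self.mprs: Set[str] = set()
        self.min_interval = hello_min_interval_ms
        self.last_sent: Optional[int] = None
        self.pending_at: Optional[int] = None
        self.hellos_sent: List[Tuple[int, frozenset]] = []   # (time, MPR set advertised)

    def compute_mprs(self) -> Set[str]:
        """Greedy set cover: pick neighbors until every 2-hop node is covered."""
        uncovered = set().union(*self.neighbors.values()) - set(self.neighbors)
        mprs: Set[str] = set()
        while uncovered:
            best = max(self.neighbors, key=lambda n: len(self.neighbors[n] & uncovered))
            if not self.neighbors[best] & uncovered:
                break
            mprs.add(best)
            uncovered -= self.neighbors[best]
        return mprs

    def receive_hello(self, sender: str, sym_two_hop: Set[str], now: int) -> bool:
        """Update the 2-hop set advertised by sender; return True if the MPR set changed."""
        self.neighbors[sender] = set(sym_two_hop)
        new_mprs = self.compute_mprs()
        if new_mprs == self.mprs:
            return False
        self.mprs = new_mprs
        self._trigger(now)
        return True

    def _trigger(self, now: int) -> None:
        if (self.min_interval is None or self.last_sent is None
                or now - self.last_sent >= self.min_interval):
            self._send(now)
        elif self.pending_at is None:
            self.pending_at = self.last_sent + self.min_interval   # defer, coalesce further triggers

    def flush(self, now: int) -> bool:
        """Send a deferred triggered HELLO once HELLO_MIN_INTERVAL has elapsed."""
        if self.pending_at is not None and now >= self.pending_at:
            self.pending_at = None
            self._send(now)
            return True
        return False

    def _send(self, now: int) -> None:
        self.last_sent = now
        self.hellos_sent.append((now, frozenset(self.mprs)))


def simulate_indirect_jamming(duration_ms: int = 2000, step_ms: int = 10,
                              reaction_ms: int = 10,
                              hello_min_interval_ms: Optional[int] = None
                              ) -> List[Tuple[int, frozenset]]:
    """Run the Figure 3 cycle: X advertises a SYM link to the non-existent B,
    overhears A's triggered HELLO and replies by flipping the link to LOST
    (and back). Returns the HELLOs that A was made to send."""
    a = RouterA(hello_min_interval_ms)
    x_advertises_b = True          # X starts by claiming a symmetric link to B (t0)
    x_due: List[int] = [0]         # send times of X's queued HELLOs
    for now in range(0, duration_ms, step_ms):
        sent_before = len(a.hellos_sent)
        a.flush(now)
        while x_due and x_due[0] <= now:
            x_due.pop(0)
            a.receive_hello("X", {"B"} if x_advertises_b else set(), now)
            x_advertises_b = not x_advertises_b    # next HELLO advertises the opposite state
        if len(a.hellos_sent) > sent_before:
            x_due.append(now + reaction_ms)        # X overheard A's triggered HELLO
    return a.hellos_sent
```

Without a minimum interval, every HELLO from X provokes a triggered HELLO from A, so within 2 s A emits 200 HELLOs while X has sent the same number of syntactically valid neighborhood updates. Honouring HELLO_MIN_INTERVAL caps A at one HELLO per 500 ms, which bounds the amplification but not its cause: each of A's HELLOs still carries whatever state X last advertised. Because a Compromised NHDP router emits messages that Legitimate NHDP routers accept, message authentication does not help against this attack; the observable symptom is a neighbor whose advertised link to the same address flips on every message, and counting such flaps per neighbor is the check an implementation can add on top of the rate limit.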
skipping to change at page 15, line 15
[RFC5497] Clausen, T. and C. Dearlove, "Representing Multi-Value
          Time in Mobile Ad Hoc Networks (MANETs)", RFC 5497,
          March 2009.

[RFC6130] Clausen, T., Dean, J., and C. Dearlove, "MANET
          Neighborhood Discovery Protocol (NHDP)", RFC 6130,
          April 2011.

8.2. Informative References

[OLSRv2]  Clausen, T., Dearlove, C., Jacquet, P., and U. Herberg,
          "The Optimized Link State Routing Protocol version 2",
          work in progress draft-ietf-manet-olsrv2-17.txt,
          October 2012.

[SMF]     Macker, J., "Simplified Multicast Forwarding", RFC 6621,
          May 2012.

[broadcast-storm]
          Ni, S., Tseng, Y., Chen, Y., and J. Sheu, "The Broadcast
          Storm Problem in a Mobile Ad Hoc Network", Proceedings of
          the 5th annual ACM/IEEE international conference on Mobile
          computing and networking, 1999.
Authors' Addresses

Ulrich Herberg
skipping to change at page 15, line 46
Email: ulrich@herberg.name
URI:   http://www.herberg.name/

Jiazi Yi
LIX, Ecole Polytechnique
91128 Palaiseau Cedex,
France

Phone: +33 1 69 33 40 31
Email: jiazi@jiaziyi.com
URI:   http://www.jiaziyi.com/

Thomas Heide Clausen
LIX, Ecole Polytechnique
91128 Palaiseau Cedex,
France

Phone: +33 6 6058 9349
Email: T.Clausen@computer.org
URI:   http://www.thomasclausen.org/