--- draft-ietf-manet-nhdp-sec-threats-03.txt
+++ draft-ietf-manet-nhdp-sec-threats-04.txt

 Mobile Ad hoc Networking (MANET) U. Herberg
 Internet-Draft Fujitsu Laboratories of America
 Intended status: Informational J. Yi
-Expires: October 12, 2013 T. Clausen
+Expires: December 8, 2013 T. Clausen
 LIX, Ecole Polytechnique
-April 10, 2013
+June 6, 2013

 Security Threats for NHDP
-draft-ietf-manet-nhdp-sec-threats-03
+draft-ietf-manet-nhdp-sec-threats-04

 Abstract

-This document analyses common security threats of the Neighborhood
+This document analyzes common security threats of the Neighborhood
 Discovery Protocol (NHDP), and describes their potential impacts on
-MANET routing protocols using NHDP.
+MANET routing protocols using NHDP. This document is not intended to
+propose solutions to the threats described.

 Status of this Memo

 This Internet-Draft is submitted in full conformance with the
 provisions of BCP 78 and BCP 79.

 Internet-Drafts are working documents of the Internet Engineering
 Task Force (IETF). Note that other groups may also distribute
 working documents as Internet-Drafts. The list of current Internet-
 Drafts is at http://datatracker.ietf.org/drafts/current/.

 Internet-Drafts are draft documents valid for a maximum of six months
 and may be updated, replaced, or obsoleted by other documents at any
 time. It is inappropriate to use Internet-Drafts as reference
 material or to cite them other than as "work in progress."

-This Internet-Draft will expire on October 12, 2013.
+This Internet-Draft will expire on December 8, 2013.

 Copyright Notice

 Copyright (c) 2013 IETF Trust and the persons identified as the
 document authors. All rights reserved.

 This document is subject to BCP 78 and the IETF Trust's Legal
 Provisions Relating to IETF Documents
 (http://trustee.ietf.org/license-info) in effect on the date of
 publication of this document. Please review these documents
skipping to change at page 2, line 21 (-03) / page 2, line 22 (-04)
 4.1. Jamming . . . . . . . . . . . . . . . . . . . . . . . . . 5
 4.2. Denial of Service Attack . . . . . . . . . . . . . . . . . 5
 4.3. Eavesdropping . . . . . . . . . . . . . . . . . . . . . . 6
 4.4. Incorrect HELLO Message Generation . . . . . . . . . . . . 6
 4.4.1. Identity Spoofing . . . . . . . . . . . . . . . . . . 6
 4.4.2. Link Spoofing . . . . . . . . . . . . . . . . . . . . 7
 4.5. Replay Attack . . . . . . . . . . . . . . . . . . . . . . 8
 4.6. Message Timing Attacks . . . . . . . . . . . . . . . . . . 8
 4.6.1. Interval Time Attack . . . . . . . . . . . . . . . . . 8
 4.6.2. Validity Time Attack . . . . . . . . . . . . . . . . . 9
-4.7. Indirect Jamming . . . . . . . . . . . . . . . . . . . . . 9
+4.7. Indirect Channel Overloading . . . . . . . . . . . . . . . 9
 4.8. Attack on Link Quality Update . . . . . . . . . . . . . . 10
 5. Impact of inconsistent Information Bases on Protocols
 using NHDP . . . . . . . . . . . . . . . . . . . . . . . . . . 11
 5.1. MPR Calculation . . . . . . . . . . . . . . . . . . . . . 11
 5.1.1. Flooding Disruption due to Identity Spoofing . . . . . 11
 5.1.2. Flooding Disruption due to Link Spoofing . . . . . . . 12
 5.1.3. Broadcast Storm . . . . . . . . . . . . . . . . . . . 13
 5.2. Routing Loops . . . . . . . . . . . . . . . . . . . . . . 14
 5.3. Invalid or Non-Existing Paths to Destinations . . . . . . 14
 5.4. Data Sinkhole . . . . . . . . . . . . . . . . . . . . . . 15
skipping to change at page 3, line 13
 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 16

 1. Introduction

 The Neighborhood Discovery Protocol (NHDP) [RFC6130] allows routers
 to acquire topological information up to two hops away from
 themselves, by way of periodic HELLO message exchanges. The
 information acquired by NHDP is used by other protocols, such as
 OLSRv2 [I-D.ietf-manet-olsrv2] and SMF [RFC6621]. The topology
 information, acquired by way of NHDP, serves these routing protocols
-for calculating paths to all destinations in the MANET, for relay set
-selection for network-wide transmissions, etc.
+by detecting and maintaining local 1-hop and 2-hop neighborhood
+information.

 As NHDP is typically used in wireless environments, it is potentially
 exposed to different kinds of security threats, some of which are of
 particular significance as compared to wired networks. As radio
 signals can be received as well as transmitted by any compatible
 wireless device within radio range, there is commonly no physical
 protection as otherwise known for wired networks. NHDP does not
 define any explicit security measures for protecting the integrity of
 the information it acquires, however suggests that this be addressed
 in a fashion appropriate to the deployment of the network.

 This document is based on the assumption that no additional security
-mechanism (such as IPsec) is used in the IP layer. The document
-analyses possible attacks and mis-configurations on NHDP and outlines
-the consequences of such attacks/mis-configurations to the state
-maintained by NHDP in each router (and, thus, made available to
-protocols using this state).
+mechanism such as IPsec is used in the IP layer, as not all MANET
+deployments may be suitable to deploy common IP protection mechanisms
+(e.g., because of limited resources of MANET routers to support the
+IPsec stack). The document analyzes possible attacks and mis-
+configurations on NHDP and outlines the consequences of such attacks/
+mis-configurations to the state maintained by NHDP in each router
+(and, thus, made available to protocols using this state). This
+document is not intended to propose solutions to the threats
+described. [I-D.ietf-manet-nhdp-olsrv2-sec] provides further
+information on how to enable integrity protection to NHDP, which can
+help mitigating the threats described related to identity spoofing.

 2. Terminology

 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
 "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
 "OPTIONAL" in this document are to be interpreted as described in
 [RFC2119].

 This document uses the terminology and notation defined in [RFC5444],
 NHDP [RFC6130] and [RFC4949].
skipping to change at page 5, line 38 (-03) / page 5, line 42 (-04)
 not able to establish links between them any more. Thus, NHDP will
 present empty information bases to the protocols using it.

 4.2. Denial of Service Attack

 A Denial of Service (DoS) attack can be a result of misconfiguration
 of Legitimate NHDP Routers (e.g., very short HELLO transmission
 interval) or malicious behavior of Compromised NHDP Routers.

 By transmitting a huge amount of HELLO messages in a short period of
-time, NHDP Routers can jam the communication channel as introduced in
-Section 4.1. Furthermore, a Compromised NHDP Router can spoof a
+time, NHDP Routers can increase the channel occupancy as introduced
+in Section 4.1. Furthermore, a Compromised NHDP Router can spoof a
 large amount of different IP addresses, and send HELLOs to its
 neighbors to fill their Link/Neighbor Sets. This may result in
 memory overflow, and makes the processing of legitimate HELLO
 messages impossible. A Compromised NHDP Router can also use link
 spoofing in its HELLO messages, generating huge 2-hop Sets in
 adjacent NHDP Routers and therefore potentially a memory overflow.
 Moreover, protocols such as SMF and OLSRv2, using the 2-hop
 information for MPR calculation, may exhaust the available
 computational resources of the router if the Neighbor Set and 2-hop
 Sets have too many entries.
skipping to change at page 6, line 24 (-03) / page 6, line 29 (-04)
 malicious NHDP router can eavesdrop on the NHDP message exchange and
 thus learn the local topology. It may also eavesdrop on data traffic
 to learn source and destination addresses of data packets, or other
 header information, as well as the packet payload.

 Eavesdropping does not pose a direct threat to the network nor to
 NHDP, in as much as that it does not alter the information recorded
 by NHDP in its information bases and presented to other protocols
 using it, but it can provide network information required for
 enabling other attacks, such as the identity of communicating NHDP
-routers, link characteristic, NHDP router configuration, etc.
+routers, detection of link characteristic, and NHDP router
+configuration.

 4.4. Incorrect HELLO Message Generation

 An NHDP router performs two distinct tasks: it periodically generates
 HELLO messages, and it processes incoming HELLO messages from
 neighbor NHDP routers. This section describes security attacks
 involving the HELLO generation.

 4.4.1. Identity Spoofing
skipping to change at page 9, line 14 (-03) / page 9, line 18 (-04)
 4.6.2. Validity Time Attack

 A Compromised NHDP router X can spoof the identity of an NHDP router
 A and send a HELLO using a low validity time (e.g.,1 ms). A
 receiving NHDP router B will discard the information upon expiration
 of that interval, i.e., a link between NHDP router A and B will be
 "torn down" by X. It can be caused by intended malicious behaviors,
 or simply mis-configuration in the NHDP routers.

-4.7. Indirect Jamming
+4.7. Indirect Channel Overloading

-Indirect jamming is when a Compromised NHDP router X by its actions
-causes other legitimate NHDP routers to generate inordinate amounts
-of control traffic. This increases channel occupation, and the
-overhead in each receiving NHDP router processing this control
-traffic. With this traffic originating from Legitimate NHDP routers,
-the malicious device may remain undetected to the wider network.
+Indirect Channel Overloading is when a Compromised NHDP router X by
+its actions causes other legitimate NHDP routers to generate
+inordinate amounts of control traffic. This increases channel
+occupation, and the overhead in each receiving NHDP router processing
+this control traffic. With this traffic originating from Legitimate
+NHDP routers, the malicious device may remain undetected to the wider
+network.

-Figure 3 illustrates indirect jamming of NHDP. A Compromised NHDP
-router X advertises a symmetric spoofed link to the non-existing NHDP
-router B (at time t0). Router A selects X as MPR upon reception of
-the HELLO, and will trigger a HELLO at t1. Overhearing this
-triggered HELLO, the attacker sends another HELLO at t2, advertising
-the link to B as lost, which leads to NHDP router A deselecting the
-attacker as MPR, and another triggered message at t3. The cycle may
-be repeated, alternating advertising the link X-B as LOST and SYM.
+Figure 3 illustrates Indirect Channel Overloading with NHDP. A
+Compromised NHDP router X advertises a symmetric spoofed link to the
+non-existing NHDP router B (at time t0). Router A selects X as MPR
+upon reception of the HELLO, and will trigger a HELLO at t1.
+Overhearing this triggered HELLO, the attacker sends another HELLO at
+t2, advertising the link to B as lost, which leads to NHDP router A
+deselecting the attacker as MPR, and another triggered message at t3.
+The cycle may be repeated, alternating advertising the link X-B as
+LOST and SYM.

        MPRs(X)                  MPRs()
        .---.                    .---.
        | A |                    | A |
        '---'                    '---'
          |                        |
          | SYM(B)                 | LOST(B)
          |                        |
        .---.                    .---.
        | X |                    | X |
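The three behaviours above played out on a toy model of an NHDP router's information base: the Link Set and 2-Hop Set exhaustion of Section 4.2, the validity time attack of Section 4.6.2, and the MPR flapping of this section. This is an added example written for this page, not code from the draft or from any NHDP implementation. It assumes a simplified HELLO (originator address, validity time and a per-neighbor link status in place of RFC 5444 TLVs), one expiry timer per set entry, a greedy set-cover MPR selection, and that any change of the MPR set triggers a HELLO, which is what the draft's description of router A relies on; the addresses A, B, X and the spoofed fakeN and ghostN.M addresses are all constructed.

```python
"""Toy model of the NHDP (RFC 6130) state a router builds from HELLOs, used
to play out Link/2-Hop Set exhaustion (Section 4.2), the validity time
attack (Section 4.6.2) and Indirect Channel Overloading (Section 4.7).
Simplified on purpose (no RFC 5444 TLVs, one timer per entry, greedy MPRs);
this is an illustration, not RFC 6130 processing."""
from dataclasses import dataclass, field

SYM, LOST = "SYMMETRIC", "LOST"


@dataclass
class Hello:
    originator: str         # address the HELLO claims to come from
    validity: float         # VALIDITY_TIME in seconds
    links: dict = field(default_factory=dict)   # neighbor address -> status


class NhdpRouter:
    """One router's Link Set, 2-Hop Set and greedy MPR selection."""

    def __init__(self, name):
        self.name = name
        self.link_set = {}        # 1-hop neighbor -> expiry time (L_time)
        self.two_hop_set = {}     # (1-hop, 2-hop neighbor) -> expiry (N2_time)
        self.mprs = set()
        self.triggered_hellos = 0

    def process_hello(self, h, now):
        # Every HELLO rewrites its originator's expiry; that is what lets a
        # forged HELLO carrying a 1 ms validity time tear down a good link.
        self.link_set[h.originator] = now + h.validity
        for addr, status in h.links.items():
            if addr == self.name:
                continue
            if status == SYM:
                self.two_hop_set[(h.originator, addr)] = now + h.validity
            else:                 # LOST: the 2-hop entry goes away
                self.two_hop_set.pop((h.originator, addr), None)

    def purge(self, now):
        """Drop entries whose validity time has passed, then re-select MPRs."""
        self.link_set = {a: t for a, t in self.link_set.items() if t > now}
        self.two_hop_set = {k: t for k, t in self.two_hop_set.items()
                            if t > now and k[0] in self.link_set}
        return self.select_mprs()

    def select_mprs(self):
        """Greedy cover of the 2-hop neighborhood by 1-hop neighbors.  A
        change of the chosen set triggers a HELLO, as the draft assumes."""
        covers = {}
        for one, two in self.two_hop_set:
            covers.setdefault(one, set()).add(two)
        uncovered = set().union(*covers.values())
        chosen = set()
        while uncovered:          # some neighbor always covers what is left
            best = max(covers, key=lambda n: len(covers[n] & uncovered))
            chosen.add(best)
            uncovered -= covers[best]
        changed = chosen != self.mprs
        self.mprs = chosen
        if changed:
            self.triggered_hellos += 1
        return changed

    def receive(self, h, now):
        self.process_hello(h, now)
        return self.select_mprs()


def spoofed_hello_flood(identities=100, links_each=10):
    """Section 4.2: one compromised router spoofs many originator addresses,
    each claiming many symmetric links (all constructed).  The victim's
    Link Set, 2-Hop Set and MPR set grow with every forged HELLO."""
    victim = NhdpRouter("V")
    for i in range(identities):
        links = {f"ghost{i}.{j}": SYM for j in range(links_each)}
        victim.receive(Hello(f"fake{i}", 6.0, links), now=0.0)
    return len(victim.link_set), len(victim.two_hop_set), len(victim.mprs)


def validity_time_attack():
    """Section 4.6.2: X forges A's identity with a 1 ms validity time; B
    discards its link to A once that expires, although A's genuine HELLO
    (6 s validity) arrived half a second earlier."""
    b = NhdpRouter("B")
    b.receive(Hello("A", 6.0, {"B": SYM}), now=0.0)      # genuine, from A
    before = "A" in b.link_set
    b.receive(Hello("A", 0.001, {"B": SYM}), now=0.5)    # forged by X
    b.purge(now=0.502)
    return before, "A" in b.link_set


def indirect_channel_overloading(cycles=5):
    """Section 4.7: X alternately advertises SYM and LOST for the
    non-existing B; each flip changes A's MPR set and triggers a HELLO, so
    legitimate router A emits one message for every message X sends."""
    a = NhdpRouter("A")
    for t in range(cycles):
        a.receive(Hello("X", 6.0, {"A": SYM, "B": SYM}), now=2.0 * t)       # t0
        a.receive(Hello("X", 6.0, {"A": SYM, "B": LOST}), now=2.0 * t + 1)  # t2
    return a.triggered_hellos, 2 * cycles    # triggered at A, sent by X
```

With the defaults, spoofed_hello_flood() returns (100, 1000, 100): a hundred forged HELLOs leave the victim with a hundred Link Set entries, a thousand 2-Hop Set entries and a hundred MPRs, and every forged message re-runs the set cover over the whole 2-Hop Set, which is the computational cost the draft attributes to protocols using NHDP's 2-hop information. validity_time_attack() returns (True, False): B's link to A is present after A's genuine HELLO and gone 2 ms after the forged one. indirect_channel_overloading() returns (10, 10): across five SYM/LOST cycles the legitimate router A sends one triggered HELLO for each of the ten messages X sent, while never itself appearing as the source of the extra traffic.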
skipping to change at page 16, line 11
 [RFC5497] Clausen, T. and C. Dearlove, "Representing Multi-Value
 Time in Mobile Ad Hoc Networks (MANETs)", RFC 5497,
 March 2009.

 [RFC6130] Clausen, T., Dearlove, C., and J. Dean, "Mobile Ad Hoc
 Network (MANET) Neighborhood Discovery Protocol (NHDP)",
 RFC 6130, April 2011.

 9.2. Informative References

+[I-D.ietf-manet-nhdp-olsrv2-sec]
+Herberg, U., Dearlove, C., and T. Clausen, "Integrity
+Protection for Control Messages in NHDP and OLSRv2",
+draft-ietf-manet-nhdp-olsrv2-sec-02 (work in progress),
+April 2013.

 [I-D.ietf-manet-olsrv2]
 Clausen, T., Dearlove, C., Jacquet, P., and U. Herberg,
 "The Optimized Link State Routing Protocol version 2",
 draft-ietf-manet-olsrv2-19 (work in progress), March 2013.

 [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
 RFC 4949, August 2007.

 [RFC6621] Macker, J., "Simplified Multicast Forwarding", RFC 6621,
 May 2012.

End of changes. 15 change blocks. 32 lines changed or deleted, 48 lines changed or added.
