draft-ietf-manet-smf-sec-threats-03.txt   draft-ietf-manet-smf-sec-threats-04.txt 
Mobile Ad hoc Networking (MANET)                                   J. Yi
Internet-Draft                                                T. Clausen
Intended status: Informational                  LIX, Ecole Polytechnique
Expires: August 18, 2016                                      U. Herberg
                                                       February 15, 2016

Security Threats for Simplified Multicast Forwarding (SMF)
draft-ietf-manet-smf-sec-threats-04
Abstract

This document analyzes security threats of the Simplified Multicast Forwarding (SMF), including the vulnerabilities of duplicate packet detection and relay set selection mechanisms. This document is not intended to propose solutions to the threats described.
Status of this Memo

skipping to change at page 1, line 34

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on August 18, 2016.
Copyright Notice

Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as

skipping to change at page 2, line 23
   4.2.  Threats to Identification-based Duplicate Packet Detection . .  7
     4.2.1.  Pre-activation Attacks (Pre-Play) . . . . . . . . . . . .  7
     4.2.2.  De-activation Attacks (Sequence Number wrangling) . . . .  8
   4.3.  Threats to Hash-based Duplicate Packet Detection  . . . . . .  8
     4.3.1.  Attack on Hash-Assistant Value  . . . . . . . . . . . . .  9
 5.  Threats to Relay Set Selection . . . . . . . . . . . . . . . . . .  9
   5.1.  Relay Set Selection Common Threats . . . . . . . . . . . . . . 10
   5.2.  Threats to E-CDS Algorithm . . . . . . . . . . . . . . . . . . 10
     5.2.1.  Link Spoofing . . . . . . . . . . . . . . . . . . . . . . 10
     5.2.2.  Identity Spoofing . . . . . . . . . . . . . . . . . . . . 10
   5.3.  Threats to S-MPR Algorithm . . . . . . . . . . . . . . . . . . 11
   5.4.  Threats to MPR-CDS Algorithm . . . . . . . . . . . . . . . . . 11
 6.  Future Work . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
 7.  Security Considerations . . . . . . . . . . . . . . . . . . . . . . 12
 8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . . . . . 13
 9.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . 13
 10. References  . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
   10.1. Normative References . . . . . . . . . . . . . . . . . . . . . 13
   10.2. Informative References . . . . . . . . . . . . . . . . . . . . 13
 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . 14
1. Introduction

This document analyzes security threats to the Simplified Multicast

skipping to change at page 4, line 8
2. Terminology

This document uses the terminology and notation defined in [RFC5444], [RFC6130], [RFC6621] and [RFC4949].

Additionally, this document introduces the following terminology:

SMF router: A MANET router, running SMF as specified in [RFC6621].

Attacker: A device that is present in the network and intentionally seeks to compromise the information bases in SMF routers. It may generate syntactically correct SMF control messages.

Legitimate SMF router: An SMF router that is correctly configured and not compromised by an attacker.
3. SMF Threats Overview

SMF requires an external dynamic neighborhood discovery mechanism in order to maintain suitable topological information describing its immediate neighborhood, and thereby allowing it to select reduced relay sets for forwarding multicast data traffic. Such an external dynamic neighborhood discovery mechanism may be provided by lower-layer interface information, by a concurrently operating MANET routing protocol that already maintains such information such as

skipping to change at page 4, line 49
o  It can "deactivate" DPD, so as to make it such that duplicate packets are not correctly detected, and that as a consequence they are (redundantly) transmitted, increasing the load on the network, draining the batteries of the routers involved, etc.

o  It can "pre-activate" DPD, so as to make DPD detect a later arriving (valid) packet as being a duplicate, which therefore won't be forwarded.
The attacks on DPD can be achieved by replaying existing packets, wrangling sequence numbers, manipulating hash values, etc. They are detailed in Section 4.
RSS produces a reduced relay set for forwarding multicast data packets across the MANET. SMF supports the use of several relay set algorithms, including E-CDS (Essential Connected Dominating Set) [RFC5614], S-MPR (Source-based Multi-point Relay, as known from [RFC3626] and [RFC7181]), or MPR-CDS [MPR-CDS]. An attacker can disrupt the RSS algorithm by degrading it to classical flooding, or by "masking" certain parts of the routers from the multicasting domain. The attacks on RSS algorithms are illustrated in Section 5.
4. Threats to Duplicate Packet Detection

Duplicate Packet Detection (DPD) is required for packet dissemination in MANETs because: (1) the packets may be transmitted via the same physical interface as the one over which they were received; (2) a router may also receive multiple copies of the same packet from different neighbors. DPD is thus used to check if an incoming packet has been previously received or not.

DPD is achieved by maintaining a record of recently processed multicast packets, and comparing later received multicast packets herewith. A duplicate packet detected is silently dropped and is not inserted into the forwarding path of that router, nor is it delivered to an application. DPD, as proposed by SMF, supports both IPv4 and IPv6 and for each suggests two duplicate packet detection mechanisms:

skipping to change at page 5, line 50
4.1. Common Threats to Duplicate Packet Detection Mechanisms

4.1.1. Replay Attack

A replay attack implies that control traffic from one region of the network is recorded and replayed in a different region at (almost) the same time, or in the same region at a different time.
One possible replay attack is based on the Time-to-Live (TTL, for IPv4) or hop limit (for IPv6) field. As routers only forward packets with TTL > 1, an attacker can forward an otherwise valid packet, while drastically reducing the TTL hereof. This will inhibit recipient routers from later forwarding the same multicast packet, even if received with a different TTL - essentially an attacker thus can instruct its neighbors to block forwarding of valid multicast packets.
For example, in Figure 1, router A forwards a multicast packet with a TTL of 64 to the network. A, B, and C are legitimate SMF routers, and X is the attacker. In a wireless environment, jitter is commonly used to avoid systematic collisions in MAC protocols [RFC5148]. An attacker can thus increase the probability that its invalid packets arrive first by retransmitting them without jittering. In this example, router X forwards the packet without jittering and reduces the TTL to 1. Router C thus records the duplicate detection value (hash value for H-DPD, or the header content of the packet for I-DPD) but stops forwarding it to the next hops because of the TTL value. When the same packet with a normal TTL value (63 in this case) arrives from router B, it will be discarded as a duplicate packet.
                          .---.
                          | X |
                        --'---'  __
    packet with TTL=64  /          \  packet with TTL=1
                       /            \
                   .---.            .---.
                   | A |            | C |
                   '---'            '---'
    packet with TTL=64  \   .---.   /

skipping to change at page 6, line 43

                                Figure 1
As the TTL of a packet is intended to be manipulated by intermediaries forwarding it, classic methods such as integrity check values (e.g., digital signatures) are typically calculated with the TTL field set to some pre-determined value (e.g., 0) - such is for example the case for IPsec Authentication Headers - rendering such an attack more difficult to both detect and counter.
If the attacker has access to a "wormhole" through the network (a directional antenna, a tunnel to a collaborator or a wired connection, allowing it to bridge parts of a network otherwise distant), it can make sure that the packets with such an artificially reduced TTL arrive before their unmodified counterparts.
4.2. Threats to Identification-based Duplicate Packet Detection

I-DPD uses a specific DPD identifier in the packet header to identify a packet. By default, such packet identification is not provided by the IP packet header (for both IPv4 and IPv6). Therefore, additional identification headers, such as the fragment header, a hop-by-hop header option, or IPsec sequencing, must be employed in order to support I-DPD. The uniqueness of a packet can then be identified by the source IP address of the packet originator and the sequence number (from the fragment header, hop-by-hop header option, or IPsec). By doing so, each intermediate router can keep a record of recently received packets and determine whether the incoming packet has been received or not.
4.2.1. Pre-activation Attacks (Pre-Play)

In a wireless environment, or across any other shared channel, an attacker can perceive the identification tuple (source IP address, sequence number) of a packet. It is possible to generate a packet with the same (source IP address, sequence number) pair with invalid content. If sequence number progression is predictable, then it is trivial to generate and inject invalid packets with "future" identification information into the network. If these invalid packets arrive before the legitimate packets that they are spoofing, the latter will be treated as a duplicate and discarded. This can prevent multicast packets from reaching parts of the network.
Figure 2 gives an example of a pre-activation attack. A, B and C are legitimate SMF routers, and X is the attacker. The lines between the routers represent the packet forwarding. Router A is the source and originates a multicast packet with sequence number n. When router X receives the packet, it generates an invalid packet with the source address of A and sequence number n. If the invalid packet arrives at router C before the forwarding of router B, the valid packet will be dropped by C as a duplicate packet. An attacker can manipulate jitter to make sure that the invalid packets arrive first. Router X can even generate packets with future sequence numbers (if they are predictable), so that the future legitimate packets with the same sequence numbers will be dropped as duplicate ones.
                          .---.
                          | X |
                        --'---'  __
    packet with seq=n   /          \  invalid packet with seq=n
                       /            \
                   .---.            .---.
                   | A |            | C |
                   '---'            '---'
    packet with seq=n   \   .---.   /

skipping to change at page 8, line 27

                                Figure 2
As SMF currently does not have any timestamp mechanisms to protect data packets, there is no viable way to detect such pre-play attacks by way of timestamps. In particular, if the attack is based on manipulation of jitter, the validation of timestamps would not be helpful because the timing is still valid (but with much less value).
4.2.2. De-activation Attacks (Sequence Number wrangling)

An attacker can also seek to de-activate DPD, by modifying the sequence number in packets that it forwards. Thus, routers will not be able to detect an actual duplicate packet as a duplicate - rather, they will treat them as new packets, i.e., process and forward them. This is similar to DoS attacks. The consequence of this attack is an increased channel load, the origin of which appears to be a router other than the attacker.
Given the topology shown in Figure 2, on receiving a packet with seq=n, the attacker X can forward the packet with modified sequence number n+i. This has two consequences: firstly, router C will not be able to detect that the packet forwarded by X is a duplicate packet; secondly, the subsequent packet with seq=n+i generated by router A will probably be treated as a duplicate packet, and dropped by router C.
4.3. Threats to Hash-based Duplicate Packet Detection

When explicit sequence numbers in packet headers are undesired, hash-based DPD can be used. A hash of the non-mutable fields in the header and of the data payload can be generated, and recorded at the intermediate routers. A packet can thus be uniquely identified by the source IP address of the packet and its hash-value.
The hash algorithm used by SMF is being applied only to provide a reduced probability of collision and is not being used for cryptographic or authentication purposes. Consequently, a digest collision is still possible. In case the source router or gateway identifies that it recently has generated or injected a packet with the same hash-value, it inserts a "Hash-Assist Value (HAV)" IPv6 header option into the packet, such that calculating the hash also over this HAV will render the resulting value unique.
4.3.1. Attack on Hash-Assistant Value

The HAV header is helpful when a digest collision happens. However, it also introduces a potential vulnerability. As the HAV option is only added when the source or the ingress SMF router detects that the incoming packet has a digest collision with previously generated packets, it actually can be regarded as a "flag" of potential digest collision. An attacker can discover the HAV header, and be able to conclude that a hash collision is possible if the HAV header is removed. By doing so, the modified packet received by other SMF routers will be treated as a duplicate packet, and be dropped because it has the same hash value as the preceding packet.
In the example of Figure 3, routers A and B are legitimate SMF routers; X is an attacker. A generates two packets P1 and P2, with the same hash value h(P1)=h(P2)=x. Based on the SMF specification, a hash-assistant value (HAV) is added to the latter packet P2, so that h(P2+HAV)=x', to avoid digest collision. When the attacker X detects the HAV of P2, it is able to conclude that a collision is possible by removing the HAV header. By doing so, packet P2 will be treated as a duplicate packet by router B, and be dropped.
            P2            P1                  P2         P1
    .---.   h(P2+HAV)=x'  h(P1)=x    .---.    h(P2)=x    h(P1)=x    .---.
    | A |---------------------------> | X | ----------------------> | B |
    `---'                             `---'                         `---'

                                Figure 3
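The three DPD failure modes described in Section 4 (the TTL replay of Figure 1, the sequence-number wrangling of Section 4.2.2 and the HAV removal of Figure 3), played through a small model of an SMF router's duplicate-packet cache. This is an added example, not code from the draft or from any SMF implementation; the router names, payloads and the 8-bit toy digest standing in for the H-DPD hash are constructed (the digest is deliberately weak so that a collision can be built by hand).

```python
from dataclasses import dataclass, replace


def toy_digest(data: bytes) -> int:
    # Constructed 8-bit digest standing in for SMF's H-DPD hash. Deliberately
    # weak so a collision can be built by hand: b"ab" and b"ba" sum equal.
    return sum(data) % 256


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address of the originator (constructed)
    seq: int            # I-DPD sequence number (e.g. from a hop-by-hop option)
    ttl: int            # IPv4 TTL / IPv6 hop limit, decremented at every hop
    payload: bytes      # non-mutable payload
    hav: bytes = b""    # Hash-Assist Value option; empty when absent

    def hash_key(self):
        # H-DPD identifies a packet by its source address plus a hash over the
        # non-mutable fields, including the HAV when one is present (Section 4.3)
        return (self.src, toy_digest(self.src.encode() + self.payload + self.hav))


class Source:
    """Originator that inserts a HAV when it notices a digest collision."""

    def __init__(self, addr):
        self.addr, self.seq, self.recent = addr, 0, set()

    def originate(self, payload):
        self.seq += 1
        pkt = Packet(self.addr, self.seq, 64, payload)
        n = 1
        while pkt.hash_key() in self.recent:      # collides with a recent packet
            pkt = replace(pkt, hav=bytes([n]))    # add a HAV until the hash is unique
            n += 1
        self.recent.add(pkt.hash_key())
        return pkt


class SMFRouter:
    """One SMF router's DPD cache and forwarding decision (I-DPD or H-DPD)."""

    def __init__(self, name, mode):
        self.name, self.mode = name, mode
        self.seen, self.forwarded, self.dropped = set(), [], []

    def dpd_key(self, pkt):
        return (pkt.src, pkt.seq) if self.mode == "I-DPD" else pkt.hash_key()

    def receive(self, pkt):
        key = self.dpd_key(pkt)
        if key in self.seen:
            self.dropped.append((pkt, "duplicate"))
            return False
        # As in Section 4.1.1, the DPD value is recorded even when the packet is
        # then not forwarded because its TTL is exhausted: this is what lets a
        # TTL=1 copy poison the cache against the legitimate copy.
        self.seen.add(key)
        if pkt.ttl <= 1:
            self.dropped.append((pkt, "ttl"))
            return False
        self.forwarded.append(replace(pkt, ttl=pkt.ttl - 1))
        return True


def ttl_replay_scenario():
    """Figure 1: X forwards A's packet with TTL=1 ahead of B's legitimate copy."""
    c = SMFRouter("C", "I-DPD")
    original = Packet("A", 1, 64, b"data")
    c.receive(replace(original, ttl=1))    # via X: no jitter, TTL rewritten to 1
    c.receive(replace(original, ttl=63))   # via B: legitimate forward, arrives later
    return [why for _, why in c.dropped], len(c.forwarded)   # (["ttl", "duplicate"], 0)


def seq_wrangling_scenario(n=7, i=3):
    """Section 4.2.2: X re-labels seq=n as seq=n+i, so A's real seq=n+i is dropped."""
    c = SMFRouter("C", "I-DPD")
    legit = Packet("A", n, 63, b"n")
    c.receive(legit)                                        # legitimate copy via B
    wrangled_ok = c.receive(replace(legit, seq=n + i))      # X's copy: not a duplicate to C
    later_ok = c.receive(Packet("A", n + i, 63, b"later"))  # A's genuine seq=n+i
    return wrangled_ok, later_ok                            # (True, False)


def hav_stripping_scenario():
    """Figure 3: X strips the HAV from P2, so B sees h(P2)=h(P1) and drops P2."""
    a = Source("A")
    p1, p2 = a.originate(b"ab"), a.originate(b"ba")   # constructed collision: P2 gets a HAV
    honest, attacked = SMFRouter("B", "H-DPD"), SMFRouter("B", "H-DPD")
    honest.receive(replace(p1, ttl=63))
    honest.receive(replace(p2, ttl=63))
    attacked.receive(replace(p1, ttl=63))
    attacked.receive(replace(p2, ttl=63, hav=b""))    # X removed the HAV option
    return len(honest.forwarded), len(attacked.forwarded)   # (2, 1)
```

In each scenario the legitimate copy is lost or the duplicate is forwarded without any malformed packet being involved, which is why the draft notes that integrity checks over the mutable fields and timestamps do not help here.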
5. Threats to Relay Set Selection

skipping to change at page 10, line 34
An SMF Router selects itself as a relay, if:

o  The SMF Router has a higher priority than all of its symmetric neighbors, or

o  There does not exist a path from the neighbor with largest priority to any other neighbor, via neighbors with greater priority.

An attacker can disrupt the E-CDS algorithm by link spoofing or identity spoofing.
5.2.1. Link Spoofing

Link spoofing implies that an attacker advertises non-existing links to another router (present in the network or not).

An attacker can declare itself with high route priority, and spoof links to as many legitimate SMF Routers as possible to declare high connectivity. By doing so, it can prevent legitimate SMF Routers from self-selecting as relays. As the "super" relay in the network, the attacker can manipulate the traffic relayed by it.
5.2.2. Identity Spoofing

Identity spoofing implies that an attacker determines and makes use of the identity of other legitimate routers, without being authorized to do so. The identity of other routers can be obtained by overhearing the control messages or the source/destination address from datagrams. The attacker can then generate control or datagram traffic, pretending to be a legitimate router.
Because E-CDS self-selection is based on the router priority value, a Because E-CDS self-selection is based on the router priority value,
compromised SMF router can spoof the identity of other legitimate an attacker can spoof the identity of other legitimate routers, and
routers, and declares a different router priority value. If it declares a different router priority value. If it declares a higher
declares a higher priority of a spoofed router, it can prevent other priority of a spoofed router, it can prevent other routers from
routers from selecting themselves as relays. On the other hand, if selecting themselves as relays. On the other hand, if the attacker
the compromised router declares lower priority of a spoofed router, declares lower priority of a spoofed router, it can enforce other
it can enforce other routers to selecting themselves as relays, to routers to selecting themselves as relays, to degrade the multicast
degrade the multicast forwarding to classical flooding. forwarding to classical flooding.
5.3. Threats to S-MPR Algorithm 5.3. Threats to S-MPR Algorithm
The source-based multipoint relay (S-MPR) set selection algorithm The source-based multipoint relay (S-MPR) set selection algorithm
enables individual routers, using 2-hop topology information, to enables individual routers, using 2-hop topology information, to
select relays from their set of neighboring routers. MPRs are select relays from their set of neighboring routers. MPRs are
selected so that forwarding to the router's complete 2-hop neighbor selected so that forwarding to the router's complete 2-hop neighbor
set is covered. set is covered.
An SMF router forwards a multicast packet if and only if: An SMF router forwards a multicast packet if and only if:
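Review bot: the subject/verb agreement breaks in the renamed sentences of 5.2.1 and 5.2.2. "An attacker can declare itself with high route priority, and spoofs the links to as many legitimate SMF Routers as possible" should read "and spoof the links", and "an attacker can spoof the identity of other legitimate routers, and declares a different router priority value" should read "and declare"; likewise "it can enforce other routers to selecting themselves as relays" should be "it can force other routers to select themselves as relays". The wholesale replacement of "compromised SMF Router" by "attacker" in this block also drops the information that the E-CDS link spoofing and identity spoofing threats need a participant in relay set selection, i.e. a router whose advertised links and router priority the other routers accept; unless the terminology section already defines "attacker" to cover compromised routers, say here that the attacker is a router participating in the protocol, since the Security Considerations text below still distinguishes attackers that can generate valid ICVs from those that cannot.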
skipping to change at page 12, line 23 skipping to change at page 12, line 21
addressed. addressed.
For the I-DPD mechanism, employing randomized packet sequence numbers For the I-DPD mechanism, employing randomized packet sequence numbers
can avoid some pre-activation attacks based on sequence number can avoid some pre-activation attacks based on sequence number
prediction. If predicable sequence numbers have to be used, applying prediction. If predicable sequence numbers have to be used, applying
timestamps can mitigate pre-activation attacks. timestamps can mitigate pre-activation attacks.
If NHDP is used as the neighborhood discovery protocol, [RFC7183] is If NHDP is used as the neighborhood discovery protocol, [RFC7183] is
recommended to be implemented to enable integrity protection to NHDP, recommended to be implemented to enable integrity protection to NHDP,
which can help mitigating the threats related to identity spoofing which can help mitigating the threats related to identity spoofing
through the exchange of HELLO messages. through the exchange of HELLO messages. It provides certain
protection against identity spoofing by admitting only trusted
routers to the network using Integrity Check Values (ICVs) in HELLO
messages based on shared keys.
[RFC7183] provides certain protection against identity spoofing by However, using ICVs does not address the problem of attackers that
admitting only trusted routers to the network using Integrity Check can generate valid ICVs. Detecting such attackers could be studied
Values (ICVs) in HELLO messages. However, using ICVs does not in new work. The shared key mechanism makes excluding single
address the problem of compromised routers that can generate valid attackers routers difficult. Work could be done to facilitate
ICVs. Detecting such compromised routers could be studied in new revocation mechanisms in certain MANET use cases where routers have
work. [RFC7183] mandates implementation of a security mechanism that sufficient capabilities to support asymmetric keys (such as
is based on shared keys and makes excluding single compromised
routers difficult. Work could be done to facilitate revocation
mechanisms in certain MANET use cases where routers have sufficient
capabilities to support asymmetric keys (such as
[I-D.ietf-manet-ibs]). [I-D.ietf-manet-ibs]).
As [RFC7183] does not protect the integrity of the multicast As [RFC7183] does not protect the integrity of the multicast
datagram, and no mechanism is specified to do that for SMF yet, the datagram, and no mechanism is specified to do that for SMF yet, the
duplicate packet detection is still vulnerable to the threats duplicate packet detection is still vulnerable to the threats
introduced in Section 4. introduced in Section 4.
If pre-activation/de-activation attacks and attack on hash-assistant If pre-activation/de-activation attacks and attack on hash-assistant
value of the multicast datagrams are to be mitigated, a datagram- value of the multicast datagrams are to be mitigated, a datagram-
level integrity protection mechanism is desired, by taking level integrity protection mechanism is desired, by taking
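Review bot: "The shared key mechanism makes excluding single attackers routers difficult" is ungrammatical ("single attackers routers"); suggest "makes excluding a single attacking router difficult", and, because the sentence stating that [RFC7183] mandates a shared-key based mechanism was removed in this revision, write "The shared-key mechanism mandated by [RFC7183]" so the reader knows which mechanism is meant. In the same paragraph, "attackers that can generate valid ICVs" would be clearer as "attackers in possession of the shared key, such as compromised routers, that can generate valid ICVs", which keeps the point the previous text made about compromised routers. Minor, present in both old and new text: "predicable sequence numbers" should be "predictable sequence numbers", and "can help mitigating the threats" should be "can help mitigate the threats".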
 End of changes. 27 change blocks. 
119 lines changed or deleted 107 lines changed or added

This html diff was produced by rfcdiff 1.42. The latest version is available from http://tools.ietf.org/tools/rfcdiff/