ABSTRACT

Internet has already revolutionized the way we live and work, but it is still in its infancy in some areas to provide ubiquitous connectivity in future. To solve the problem of Ubiquitous connectivity in communication – challenged areas Delay Tolerant Network (DTN) provides an opportunistic networking architecture. Opportunistic networks represent a class of networks where end-to-end continuous connectivity between source and destination is intermittent [1]. There are variety of challenged areas like areas as high latitudes, war prone areas or disastrous scenario where environmental considerations create impossibility for conventional mobile telephony and satellite coverage is inadequate or economically infeasible or because of infrastructure deployment constraints, or power source availability, or because of government policy decisions do not allow access.

Moreover, DTN seeks to address the technical issues in heterogeneous networks to use every possible feasible access method to provide internetworking among existing types of wireless or wired networks like Internet, Mobile and WLAN [7]. Integrating DTN capabilities with the existing TCP/IP based Internet it aims to deliver Internet-like communications even for long variable delay, asynchronous as well as interrupted heterogeneous environment where existing transport protocol and congestion control mechanism have limitations [1]. Basic DTN architecture by IETF RFC involves use of ‘Bundle protocol’ which allows communication over multiple hops by means of ‘custody transfers’ andmessages in DTN are routed in store-and-forward manner on each node[2].

Research and development going on over last ten years has set out some challenges that need more focus before DTN becomes a day to day reality. In this Interim report I am focusing on Denial of Service (DoS) attacks due to open channel and multi-hop DTN transmission characteristics which can limit its full utilisation. First I will review the state-of-art in context of DTN security and attacks at present then I will analyse possible DoS attacks in DTN and their countermeasures.

I will present a comprehensive resilience mechanism to address the identified attacks, focusing on a critical metrics of performance. I will propose a simulation model and demonstrate the effectiveness of the newly proposed techniques through simulation using ONE simulator.

CHAPTER 1: Introduction

1.1 Background and Context

The emergence of the idea of Delay tolerant networking started in late 1990 as ‘Interplanetary Internet’ from NASA’s experiment of deep space, high delay, store-and- forward networks [5]. That early work focused on protocols suitable for very long propagation delays of deep- space- interplanetary communications. Other early work includes military specific Disruption-Tolerant Networking due to scenarios of long delayed links, broken or intermittent links. Extending initial work purpose in 2002-03 researchers looked at other applicable scenarios, like terrestrial wireless networks, wireless sensor networks and other local area networks, where communication opportunities were not much certain. DTN has shown its suitability and strength to applications having long or unknown delays due to frequent disconnections and for interconnecting various heterogeneous networks, which commonly is not a conventional IP-based network.

The development of wireless communication technologies made the Internet ubiquitously. Within the vision of ‘any time anywhere’ networking, efficient internetworking among existing types of wireless networks is inevitable. Integrating DTN networks as another access method into the existing network infrastructure allows the Internet to reach people who are hundreds of kilometres, or more away from existing infrastructure. Although Internet has already revolutionized the way we live and work, but it is still in its infancy in some areas. Challenges faced by current Internet

Today’s Internet is based on end-to-end network connectivity based TCP/IP protocol model. It makes certain fundamental assumptions like continuous source destination connectivity, end – to- end low delay paths, low transmission error rate and bidirectional symmetrical data rate which applies a number of constraints to its reachability[1][5].

So the overall vision [6] of Future Internet should be to provide ubiquitous and pervasive networking for the users and applications in well-connected regions with keeping in mind communication challenged areas. The current Internet must develop to be more able of dealing with new evolving forms of content and their consumption but there are many challenges in the wide range of application requirements related to network heterogeneity as well as by the growing number of non-TCP/IP networks and mobile devices.

1.2 Motivation to DTN:

1.2.1 Challenged networks/environments for Internet

Some regions are called ?communications challenged’ because they have little or negligible infrastructure that is required to support modern wireless and wired Internet communications.

These Challenged environments are very heterogeneous and have characteristics [1] [5] such as

End-to-end path may not exist creating Intermittent connectivity Node reachability and density may be Predictable (Planetary dynamics, scheduled vehicles, message ferries) Unpredictable (Sparse sensor networks, data mules, vehicular) Semi-predictable (animals, vehicles, etc.) Large, unpredictable, variable delays for transmission (deep space- moon: 3s, Mars: 2min, Pluto: 5h) Asymmetric/ asynchronous data rate which may be very low (acoustic underwater modems: 1 bit/s–few Kbit/s) High bit error rate (wireless, underwater, satellite) Using different transport protocols in different parts of the network making interactive communication impossible/ inefficient or unreliable Environment having very large round trip times (deep space, military or remote area communication)

Many of the challenges have been tried to address using Performance Enhancing Proxies (PEPs) which try to solve high delay low bit rate links performance but it still demands end-to-end connection.

1.2.2 Challenges due to Mobility

Mobility may create potential disconnection in end-to-end connectivity which produces challenges for current TCP/IP based Internet in form of:

Communication link availability (not ubiquitous due to movement Limited Transmission range Communication link specially interactive communication link may be costly due to frequent movement of nodes Link may be unavailable due lack of battery power or storage

Although Ad-hoc and Peer-to-Peer networks may solve the problem to some extend but there are limitations due to not enough mobile nodes available or willing nodes or nodes with incompatible devices.

1.3 DTN concept: Solution to Challenged environments and mobility

DTN aims to provide solution for challenged environment where no end- to-end connection is available or it is disrupted. Delay Tolerant Network is a network over underlying heterogeneous networks having opportunistic encounter driven ‘store, carry and forward’ approach to provide connectivity on hop-by-hop basis. Most discussedcurrent approach to DTN is centred on an overlay protocol called the bundle protocol (BP).[11]

2.4 DTN Denial of service attack (DoS): Motivations

DTN transmission is open channel and multi-hop which makes attacks in such situations an easier task. Traditional mechanisms to mitigate these attacks are not well sufficient to challenge environments where nodes are not connected for long periods of time and direct end-to-end communication is not possible and resources are scarce. Most of the solution available so far in literature address security in general and does not give attention to Denial of Service aspects in DTN. DoS is the most common attack in Internet communication and in DTN environments due to longer delays DoS attempts will be more effective. So there is need for more research explicitly considering DoS at all times.

1.5 Objectives of Project

Study of delay tolerant network (DTN) architecture, its concepts and Bundle layer and how they differ from current networks, giving more emphases on security and attacks. First I will review the state-of-art in context of DTN security and attacks at present then I will analyse possible. Identify the common DoS attacks and their countermeasures, focussing on a scenario of communication in delay tolerant networks comprising mobile nodes. To design develop and test some resilience mechanism mechanism to address the identified attacks (nodes with address spoofing, false authentication and packet flooding), focusing on a critical metrics of performance using Simulator Simulation result will show how performance of a DTN network suffers when no Resilience scheme is used.

1.6 Overview of Dissertation:

First I will review the state-of-art literature review in context of DTN architecture, security and analyse possible DoS attacks in DTN and their countermeasures. Then (in Ch-3) I will present an attack model and resilience mechanism for DoS attack. In next sections will follow ONE simulator overview and future work in direction of achieving objectives of project with Gantt chart and finally conclusion and references.

CHAPTER 2: State-of-The-Art and Literature Review

2.1 Introduction

DTN aims to provide usable Internet-way communications for long variable delays, asynchronous as well as interrupted heterogeneous environment where existing transport protocol and congestion control mechanism have limitations [1].

2.2 Delay Tolerant Network history and Overview

Delay Tolerant Networks (DTNs) have become a hot research topic among researchers and academicians since it was proposed by Kevin Fall in 2003 SIGCOMM seminar paper [1]. Vinton Cerf who is recognized as “one of the fathers of Internet” contributed in designing and defining its reference Architecture [2] in DTNRG for IETFdraft of RFC-4838.

Basic DTN architecture by Internet Research Task Force’s Delay-Tolerant Networking Research Group (IRTF DTNRG) involves use of ‘Bundle protocol’ which allows communication over multiple hops by means of ‘custody transfers’ andmessages in DTN are routed in store-and-forward manner on each node[RFC-5050].

2.3 Delay Tolerant Networking Definition and Contexts of DTNs in Literature

A delay- or disruption-tolerant network has been defined in several ways in literature. In [1], the DTN is defined as challenged networks, which may not follow the assumptions of the Internet. In [2]RFC-4838 describes it as occasionally and opportunistically -connected networks that may comprise more than one different set of protocols. It includes a hop-by-hop transfer of message for reliable delivery. A DTN as stated in [5] was defined as a network of regional networks, where it serves as a store-and-forward overlay on top of (and providing interoperability between) regional networks (Internet, the MANETs, sensor network or any other network).

2.4 Constraints in Delay Tolerant Networks

Node Constraints includes (a) Limited Memory (b) Limited and unreliable Power and Energy (c) limited transfer time for messages. Network Constraints are (a) Unreliable Communication (b) Collisions and latency Physical Limitations are (a) Unattended after deployment (b) Remotely managed Link constraints (a) long and varying delays (b) changeable mobility pattern of devices In Opportunistic networks such as Sensor/Actuator networks that use scheduled intermittent connectivity (to conserve power), because they have extremely limited node power, storage memory, and CPU processing capability. In Vehicular networks which use opportunistic (unpredictable) contact for message delivery. In Satellite networks having medium delays or periodic connectivity In Terrestrial wireless networks that connect mobile devices, including PDAs etc. In Underwater acoustic (sensor) networks having frequent interruptions with moderate delays. Outer (deep)-space networks (InterPlaNetary (IPN) Internet project). Military Ad-hoc Networks such as a military battlefield where systems operate in highly hostile environments having mobility, bad environmental factors, or regulations causing disconnections like intentional jamming. In Rural villages or developing regions low cost and remotely located networks that non-interactively and occasionally communicate with the Internet. For example remotely located schools, kiosks and computer centres are linked on occasional basis using satellite and data mules or local transport infrastructures. In sparsely connected ad hoc networks where some wireless devices or networks may fall outside the required communication range of each other.

2.5 Major DTN Applications and Examples

Example of Projects involving DTN: [6,7] Diesel net. Haggle, Interplanetary Internet, BBN’s SPINDLE project, FirstMileSolutions SeNDT – Sensor Network with Delay Tolerance, Saratoga and HTTP-DTN, SNC Project, N4C Project, ZebraNet, FidoNet, SUMOWIN, Shared Wireless Infostation Model (SWIM) at Cornell, The Mindstream Project at the University of Waterloo School of Computer Science, Time Equals Knowledge (TeK),World Wide Web Offline Explorer (WWWOFFLE), Bytewala DTN, Chianti, IBR-DTN etc.

2.6 Routing in DTN **

Traditional routing protocols operate under the assumptions of continuous connectivity, low delay and very low packet loss rate but in case of DTN opportunistic and disconnected links new routing protocols and system architectures are required to be developed. There are various types of DTNs based on their characteristics, but allows great flexibility for routing protocols in these networks based on their specific requirements.

There are several DTN routing schemes proposed in the literature. Four major ones could be

Epidemic routing: Epidemic routing simply makes multiple copies of packets to flood the network in a hope that any one of them will be delivered to the destination. This protocol performs best in terms of packet delivery and latency when network bandwidth and storage are unlimited. But it is not the case in practice.

PROPHET: estimates delivery predictability to destinations using the history of encounters.

MaxProp: computes a rank for each packet in terms of delivery probability and sorts packets in the transfer buffer accordingly. Upon transfer opportunity, packets are replicated in the order of their ranks

Spray-and-Wait: follows a flooding scheme, but limits the total number of copies per packet.

2.6 Threats in DTN

To understand the topic I will first examine the terminology, then the definitions of threats and DoS followed by discussion why DoS is potential problem in DTN. Security and attack literature reviews are given in next chapter.

Threat: [20] Any circumstance or event (such as the existence of an attacker and vulnerabilities) with the potential to adversely impact a system through a security.

Attack: Attempt to gain unauthorized access to a service, resource, or information, or the attempt to compromise integrity, availability, or confidentiality. It is irrelevant to success, which may or may not.

Non DTN node threats: The first set of threats considered were those coming from network elements which are not directly part of the DTN. As an overlay network, bundles typically traverse multiple underlying networks. Any vulnerability in the bundle protocol can be exploited at any of those network elements [13].

Denial of Service (DoS): Classically, the definition of denial-of-service (DOS) involves three components: authorized users, a shared service, and a maximum waiting time [20][13].

In DoS Authorized users are said to deny service to other authorized users when they prevent access to or use of a shared service for longer than some maximum waiting time.

More generally to denial-of-service in DTN: The result of any action that prevents any part of a DTN from functioning correctly or in a timely manner so that intended user cannot use it. It is directly a breach to availability [20].

2.7 Denial of Service Attacks:

[3]In addition to the basic resource consumption threats mentioned above there is also a range of denial of service (DoS) attacks which must be considered in the DTN context.

DoS attacks can be mounted at any layer, from physical to application. In a DTN environment, the generally longer latencies involved will probably act to make DoS attempts more effective. As with all networks, security mechanisms will themselves create new DoS opportunities. Therefore whatever services and mechanisms are defined for DTN security should explicitly consider DoS. For example, mechanisms which involve certificate status checking (via some protocol to a key) based on received messages create new DoS opportunities since such lookups consume resources on both the receiving node and the key server. Common DoS attacks:

Attacks that are common to DTNs are

Dropping of packets, Flooding the network with unnecessary spurious packets, Spoofing a different node’s address to intercept all the packets destined to that node, orrupting routing states and Counterfeiting network acknowledgments Resource consumption (Battery exhaustion, creating routing loops)

2.8 Resource consumption

Due to the resource-scarcity that characterizes DTNs, unauthorized access and use of DTN resources is a serious concern. Specifically, the following can consume DTN resources and be considered threats against a DTN infrastructure [13]:

1. Access by unauthorized entities,

2. Unauthorized applications controlling the DTN infrastructure,

3. Authorized applications sending bundles at a rate or class of service for which they lack permission.

4. Unauthorised bundle content modification -tempering

5. Compromised network elements, be they DTN nodes or not.

In addition to these threats, DTN nodes can act to assist or amplifysuch resource consuming behaviour as follows:

Forwarding bundles that were not sent by authorized DTN nodes. Generating reports not originally requested (e.g. if a bundle has been modified) Not detecting unplanned replays or other misbehaviours.

DoS prevention: As described above, denial-of-service is a breach of the security characteristic of availability. Along with availability, confidentiality and integrity are the primary concerns of security.

DoS cannot be prevented because most attacks leverage the use of routing and other network activity but there are countermeasures to mitigate it like:

Spread spectrum techniques (using network coding) Proper authentication using either Public-key cryptography (computationally expensive)

or Fast symmetric-key cryptography must be used sparingly

Currently work has been done using Identity based cryptography (IBC) or Hierarchical based cryptography (HIBC).

DTN Security Requirements: [5] According to DTNRG The emphasis of DTN security is

on protecting the DTN infrastructure from unauthorized access and use Prevent access by unauthorized applications, Prevent unauthorized applications from asserting control over the DTN infrastructure, Prevent authorized applications from sending bundles at a rate or class of service for which they lack permission, Promptly detect and discard bundles that were not sent by authorized users, (early detection within infrastructure rather than at destination), Promptly detect and discard bundles whose headers have been modified Promptly detect and disable compromised entities Secondary emphasis is on providing optional end-to-end security services to bundle applications.

CHAPTER 3: My proposed approach to DOS in DTN

3.1 Introduction

In this section I summarise my analysis of previous work done in the areas of security and attacks in DTN, especially Denial of Service in DTN. Also I identify conditions that are can materialise an attack materialise. Then I show that based on these conditions the attack effectively happening in a representative model, with a set number of nodes and chosen network topology, routing schemes and security scheme.

I also demonstrate that security and privacy are crucial in DTN and using cryptographic techniques we can secure DTN. I assert that because of constrained nature of DTN, participants have limited access to Trusted Authority.

In view of these constraints, I propose a model based on a symmetric and asymmetric key cryptography to mitigate DOS attacks in DTN. My model is based on prior creation and distribution of keys to participants at setup stage, where each trusted participant knows keys of others.

3.1 Scenario

My scenario is based on IETF DNRG architecture on Delay tolerant network. There are multiple operating groups in this DTN. Each group has its own trusted and well known registering agency/organisation which can work as an affiliation agency or service provider. These could be any mobile service provider or any company which will register its employees and knows them prior or any university/school/hospitals which can register members by verifying their identity and credentials. This means that members of this group are now trusted and known and are not malicious.

With this set up we have limited authenticated participant nodes and we can avoid any malicious activity by unknown/ untrusted nodes. Such network is a special DTN and can also be useful for example in a conflict zone where participation by anonymous nodes is not desired.

I consider a scenario in which these mutually trusted DTN mobile nodes exchange messages within its group (using PDA/Bluetooth devices/mobile phones) with one another after authentication phase is successful.

Fig1: Used Scnario

3.2 Background/Review of Security and DOS in DTN In Literature

Here I will discuss solutions and reviews based on literature survey on DTN security and DOS attacks. There is a particular lack of research papers addressing DOS attacks in DTN. Most work is based on assuming that routing or security mechanism of DTN will prevent DOS to some extent. Nevertheless these schemes can never underlie the necessity of authentication protocols.

Farrell and Cahill [11] review the current state of DTN security work inspired by Internet. They identify and analyse threats for DTN and the security requirements in bundle protocol. Then they discuss open issues in bundle security and implementation issues in DTN security as follows. (1.) First set of threats are from outside network due to being overlay nature of DTN. (2.) modification of messages or bundles in transit for malicious purposes. (3.) Unauthorized use of scarce DTN resources like replay attacks and (4.) denial of service which can be mounted on any network layer, and (5.) confidentiality and integrity threats like changing the destination in bundle.

The author propose for DOS that firstly using random values instead of counters for identifying messages will make it hard to guess valid message content. Secondly, accepting only fresh authenticated messages and dropping all others will be advantageous in mitigating attacks. Thirdly, authors point that networks and security protocols themselves can create new DOS if not carefully designed. I am building on the second concept in my proposal i.e. exchange message after successful authentication.

Moreover, Farrell and Cahill [11] propose that security architecture is needed in which security services can be provided both on hop-by-hop and end-to-end basis, and additionally between two intermediary nodes in the middle of a route. They also mention that several open issues remain in DTN security like the implementation cost and level of complexity should not rise too high, since typically complicated solutions are not secure in practice. Another big open issue is key management [11][12] briefly addresses security services on an end-to-end basis (e.g. confidentiality and DoS), but does not go into specifics nor considers the case of initial communication between two nodes without any prior security context.

[13]The Delay Tolerant Networking Research Group (IRTF-DTNRG) has produced an Internet draft for bundle security protocol specification [12] and an additional draft [13] explaining the security overview and design choices made in the specification. The draft which is near completion describes security headers that can be added to bundles to provide different security services.

Security Blocks in Bundle security Specification: According to RFC draft [13] there are four types of security block that can be included in a bundle. These are the (1.)Bundle Authentication Block (BAB), (2.) Payload Integrity Block (PIB), (3.) Payload Confidentiality Block (PCB) and (4.) Extension Security Block (ESB).

The BAB is used to assure the authenticity and integrity of the bundle along a single hop from forwarder to intermediate receiver. The PIB is used to assure the authenticity and integrity of the payload from the PIB security-source, which creates the PIB, to the PIB security-destination, which verifies the PIB authenticator. The PCB indicates that the payload has been encrypted, in whole or in part, at the PCB security-source in order to protect the bundle content while in transit to the PCB security-destination. PIB and PCB protect the payload. The ESB provides security for non-payload blocks in a bundle. ESB therefore is not applied to PIB or PCBs, and of course is not appropriate for either the payload block or primary block.

Extension Blocks

Bundle Payload

Primary Blocks (Time Stamp, Life Span, Flags, Source EID, Destination EID, Report to EID, Custodian EID)

Security Blocks (optional)

BAB, PIB, PCB, ESB

Each security block contains source and destination information and a cipher-suite defines the algorithms that should be used to process the received security headers. The security-sender and the cipher-suite information together determine the choice of keys. Different combinations of these four security headers can be used simultaneously.

The need to authenticate bundles using Security blocks is very useful to protect against denial-of service (DOS) attacks against a bundle agent’s resources, but need more insight knowledge how to implement it.

In [14], [15] (Seth and Kate) authors discuss the challenges of providing secure communication (i.e., confidentiality) in DTN and suggest employing Identity-Based Encryption (IBE) to let a source derive the destination public key from some associated identity string, e.g., an e-mail address. In [14] Seth et al. discuss in detail about rural area DTN and shows that traditional mechanisms including a combination of Public Key Infrastructure (PKI) and certificates issued by trusted third party are not suitable for DTN. They develop a security mechanism for DTN using Hierarchical Identity-Based Cryptography (HIBC) for creating secure channels, providing mutual authentication, and key revocation.

[15] Kate et al. uses identity based cryptography (IBC) for source authentication and anonymous communication as well as message confidentiality are provided using IBC. Its main idea is to make an entity’s public key directly derivable from its publicly known identity information such as e-mail address. Eliminating the need for public-key certificates and their management makes IBC much more appealing for securing DTNs, where the need to transmit and check certificates has been identified as a significant limitation. I note that the existing techniques to secure DTNs are aimed to provide data confidentiality and authentication only.

In [16] Burgess et al. suggested that some Delay tolerant networks coupled with replication-based routing protocols are intrinsically fault tolerant even without authentication mechanisms. They compare four different routing algorithms (MaxProp and its three variants) against four different attack models: dropping of packets, flooding of packets, routing table falsification and counterfeiting delivery acknowledgments. They distinguish between two types of attack; weak and strong attacks on the basis of prior knowledge of DTN scenario. One of the major themes in the paper is the two-fold benefit of epidemic-style packet dissemination in DTN routing which improves packet delivery rates and greater attack tolerance. However, this paper does not provide any attack specific simulation.

In [22] authors poses the question of the necessity of authentication or the level of authentication required especially since authentication imposes overhead. Without authentication, the number of nodes willing to join the network may actually increase due to the easier deployment, resulting in better overall performance. They identify conditions for an attack and present an attack based on a combination of targeted flooding and acknowledgement counterfeiting. They suggested that generally, attacks become increasingly effective when the minimum hop count required increases.

Coclusion: Identity-based cryptography requires a global trusted third party to guarantee for new nodes entering the network (by generating the necessary private keys). But IBC is no better than traditional PKI in terms of authentication and only a little better than traditional PKI in terms of encryption since network connectivity is not necessarily needed at the time of reception and decryption.

In [17] authors propose a scheme that gives confidentiality and authentication to messages leveraging social contact information and past present affiliation of peers. Author evaluates the proposed scheme by analysing real-world social network data of Facebook, simulating communication scenarios, and through an informal security analysis.

In [18] authors focus on DOS and describe few possible DOS attacks for DTN and propose a token based mechanism against those attacks. Authors suggest attack depends on routing protocol. Therefore, it is obvious that the routing protocol that maintains routing table like in-node states can be subject to severe DOS attacks. Spray-and-wait protocol is a stateless protocol in that nodes do not maintain any routing states; instead a tiny state is kept in each packet header. Their first approach is very trivial but second approach based on Token utilising collision count with every peer node provides countermeasures against spoofing and packet dropping in a limited scenario. There are many drawbacks in this approach for example an honest node always meets the same malicious node spoofing the same address and that honest node never meets with the actual address holder or any other adversary spoofing that address. In this case the honest node does not suspect this peer to be an adversary and always follows basic Spray and will transfer message to malicious node.

In [19] A. Wood very broadly discusses about DOS attack taxonomy to identify the attacker, his capabilities, and the target of the attack, vulnerabilities used, and the end result. Although, author surveys vulnerabilities and give possible defences in Wireless sensor network some of which issues are useful in gaining insight of DOS attacks in DTN. According to author denial-of-service is the result of any action that prevents any part of a network from functioning correctly or in a timely manner. It is directly a breach to availability.

In [2s0] authors also use Identity based cryptography to investigate how security in DTNs can be bootstrapped and present an improved scheme for authentication of fragments. We show that DTN with replicative routing protocols are not necessarily robust under known denial of service attacks if there are no authentication mechanism in place. Under many networking settings and mobility patterns, carefully designed attacks based on well-known techniques can cause considerable performance degradation. They investigate the attack effectiveness under various settings and identify properties of the networking environment that attribute to the vulnerability of the network. They observed that routing protocols which globally floods routing metadata to guide routing decisions are more susceptible to attacks as the routing metadata can be easily spoofed. They also observed that the minimum hop count required for packet delivery plays an important role.

3.3 Attack Model

My objective is to determine how performance of a DTN network suffers when no authentication scheme is used. This also depends on other variables set aside in assumptions about the security model and what attacks I want to consider. By recognise that these little variations can cause DTN to perform badly even in the presence of few attackers, for example in case of extremely low mobility of nodes and one node positions itself at a crucial location along the routing path. If that node misbehaves, by dropping or flooding bundles, DTN will perform miserably at least along that routing path.

I have chosen a hop by hop authentication model where main aim of adversary nodes is to create DOS by preventing the successful delivery of packets to their intended destinations. The adversary nodes can join together to launch a coordinated attack or a standalone adversary node can perform an opportunistic attack.

3.4 Authentication

Without authentication no estimation can be formed about the identities of nodes and therefore the intentions of peers can be determined. In traditional TCP/IP, data frames are transmitted to all other nodes on a network. Each receiving node checks the destination address of each frame, and simply ignores any frame not addressed to its own MAC. Because it is a local broadcast domain, MAC address spoofing is fairly easy. Attackers can spoof address of any node and can become any node at any time including the destination node of the bundle.

3.5 Routing Model

While routing is important consideration and routing data exchange between nodes is an important factor, the need for peer to peer and end to end authentication cannot be precluded. In my model I am ignoring any attacks based on routing data exchange and also at application layer such as spoofing requests that floods legitimate nodes to flood each other with unneeded traffic.

3.6 Mobility Model

An attacker’s mobility can be variable. It can attack all nodes that come within its transmission range or it can choose to remain in the vicinity of one node in the network for extended periods. Tailgating is also possible. [6] Burgess et al call the latter approach a parasite attack – the most effective use of the attacker’s resources.

3.7 Attack types

In the above situation DOS attacks are possible by misbehaving nodes. I am considering the following two:

Packet Dropping: An adversary node does not replicate, forward or store a packet that is received from its peer. These nodes act like black holes in the network and impair packet propagation in the network, although routing choices such as Spray provide some resilience to such attacks, because additional copies of packets might exist at other locations.

Address Spoofing: An adversary fakes the some other node’s address when it encounters another node in the network. An unsuspecting node sends packets to this malicious node and removes packets from its queue. The unsuspecting node might also delete the packet after delivery.

If the malicious node receives packets with a high replication count, the successful delivery of such packets becomes highly unlikely. Spoofing created more problems in the network than dropping with respect to packet delivery. An attacker can also perform both types of attacks simultaneously.

3.8 Assumptions

In this section I describe assumptions for my proposed resilience mechanism to prevent DOS attacks in DTN. I’m considering two schemes; one based on pre shared symmetric keys and other based on public key cryptography.

There is a Trusted Authority is assumed not to be compromised and nodes can only be registered by proving their credentials. Registration Authority can be any service providing company or any local company or government organisation. Also malicious nodes cannot be registered and registered nodes are not malicious. Each node has a unique ID and I assume that all group nodes have enough power and storage capability to perform cryptographic operations. For pre pre-shared keys scheme, each node at registration phase is given a group key, which it uses for authenticating other nodes. For public key cryptography based scheme, each node is given a public- private key pair at registration phase. Also, each node maintains a table of every other node in the group and their public keys. This table is provided at registration phase.

3.9 Proposed Resilience Mechanism

My proposed schemes are based on creating a mutually trusting network of nodes. Spoofing nodes cannot utilise this network because they cannot pass authentication checks.

a) Scheme based on pre-shared group key:

The communicating nodes thwart potential DOS attacks of packet flooding by malicious sender and packet dropping by malicious receiver. Nodes authenticate each other before sending packets. The intention is to find if a peer is spoofing someone’s address. This is done as follows.

Two nodes N1 and N2 are part of the group, which shares the group key G that they received at registration phase and wants to authenticate each other.

Node N1 generates a random token RN1 and encrypts is with the group key G and sends the encrypted message G[RN1] to N2 Node N2 decrypts G[RN1] with G and sends result G’[G[RN1]] to N2 Node N1 checks whether RN1 is equal to G’[G[RN1]], if mismatch, N1 terminates further communication, otherwise proceed to next steps Node N2 generates a random token RN2 and encrypts is with the group key G and sends the encrypted message G[RN2] to N1 Node N1 decrypts G[RN2] with G and sends result G’[G[RN2]] to N2 Node N2 checks whether RN2 is equal to G’[G[RN2]], if mismatch, N2 terminates further communication, otherwise proceed to next steps N1 and N2 exchanges message.

The drawback of this scheme is if pre-shared group key is compromised a malicious node can spoof any other node and coordinated attacks can be very disastrous.

b) Scheme based on public key cryptography:

In this scheme each trusted node maintains a table of other nodes and their public keys. This list is originally provided by Trusted Authority and refreshed when subject node comes in contact with Trusted Authority opportunistically or at scheduled times.

The communicating nodes authenticate each other based on each other’s public keys before sending packets. This is done as follows.

Two nodes N1 and N2 are part of the group, with each having their public private key pair [NiPub, NiPvt] received at registration phase.

N1 generates a random Token RN1 N1 creates encrypted Token N2pub[RN1] Using shared N2’s public key and sends to N2 N2 decrypts N2pub[RN1] using its private key and responds with N2pvt[N2pub[RN1]] N1 checks whether N2pvt[N2pub[RN1]] is equal to RN1. If mismatch, N1 terminates further communication, otherwise proceed to next steps N2 generates a random Token RN2 N2 creates encrypted Token N1pub[RN2] Using shared N1’s public key and sends to N1 N1 decrypts N1pub[RN2] using its private key and responds with N1pvt[N1pub[RN2]] N2 checks whether N1pvt[N1pub[RN2]] is equal to RN2. If mismatch, N2 terminates further communication, otherwise proceed to next steps N1 and N2 exchanges message.

In both of these schemes one node needs to know if

the bundle originates from a trusted community in order to prevent flooding attack by a malicious node and the bundle is sent to a trustworthy node in order to prevent packed dropping

If a malicious node spoofs some other node’s address, it cannot decrypt the encrypted random token it received from its peer.

Analysis of Proposed Mechanism:

I have chosen the above mutual authentication schemes as a mechanism to prevent DOS attacks on DTN because this is a reliable way to identify malicious nodes and prevent packet flooding by rejecting packets from untrusted nodes and also prevent the risk of packet dropping by not sending packets to untrusted nodes.

If a malicious node tries to send junk packets to legitimate nodes, the packets can be discarded at first contact with a legitimate node because a malicious node cannot authenticate itself to the network without pre-shared group key or public-private keys issued by Trusted Authority.

There is a need to address current distribution of security information among nodes. This will involve key management and revocation issues. But this is part of more general DTN configuration management solution.

3.10 Simulation model and parameters

Result Matrices: The simulation results will show that packet delivery rate decreases significantly in the presence of malicious nodes, i.e., packet droppers and/or address spoofers. The results will also show that delivery rate is increased with our countermeasures. In addition to that, I will also measure the overheads caused by the countermeasures in terms of number of copies of a single packet. One Simulator (used for simulation) The Opportunistic Networking Environment (ONE) simulator has been specially designed for evaluating DTN routing and application protocols. It is written in JAVA. It provides

Generation of node movement using different movement models e.g. 1. Random Movement

2. Map based Random Movement 3. Human behaviour Based Movement

Routing messages between nodes with various DTN routing algorithms and sender and receiver types. Visualizing both mobility and message passing in real time in its graphical user interface. I have run some scenarios and already Implement protocols in ONE like 1.) MaxProp 2.)Direct Delivery, 3.) Epidemic, 4.) First Contact, 5.) PROPHET 6.) Spray and Wait I have tried to read and understand Code of different classes, I have configured ONE using Eclipse Work done

Fig: Screen shot of scenario

One simulator test runs

Five test runs were done on One Simulator using default epidemic routing with varying number of nodes from 60 to 180 in steps of 30. Some of the results are captured in the table below

Nodes60

90

120

150

180

sim_time165

374

541

780

1096

delivered288

292

313

300

299

delivery_prob0.3876

0.3914

0.4196

0.4032

0.4024

hopcount_avg20.7396

15.2705

17.7636

15.12

12.9398

Future work

I have chosen mutual authentication as a means to prevent DOS attacks because current implementation of DTN does not yet completely address the problem of address spoofing and packet dropping. Without the aid of some form of authentication either at node level or bundle level, it is difficult to discern malicious nodes.

The bundle security protocol draft introduces four new security blocks in Bundle architecture (BAB, PIB) and their purposes. These blocks can be used to implement existing cryptographic techniques to provide some robust resilience against DOS and other common attacks in DTN. However this will involve development of reliable cipher suites and cryptosystems and this is an area of continued research. My further work will be mainly focused in the area of Bundle security specification.

CHAPTER 4: Conclusion

4.1 Project Work Plan

5: References

[1]K. Fall, “A Delay-Tolerant Network Architecture for Challenged Internets,” SIGCOMM, August 2003.

[2]Vinton Cerf, Scott Burleigh, Adrian Hooke, Leigh Torgerson, Robert Durst, Keith Scott, Kevin Fall, and Howard Weis, Delay-tolerant network architecture. DTNRG Internet Draft, March 2003 and IETF RFC 4838, informational, April 2007.

[3]K. Scott and S. Burleigh, “Bundle Protocol Specification,” IETF RFC5050, experimental, November 2007.

[4]K. Fall and S. Farrell, “DTN: an architectural retrospective,” Journal of Selected Areas in Communications, vol. 26 no. 5, pp. 828- 836, June 2008.

[5]William D. Ivancic (NASA Glenn Research Center), “Security Analysis of DTN Architecture and Bundle Protocol Specification for Space-Based Networks”, IEEEAC paper1057, Version 4, Updated 2009:10:27

[6]DTN The State of the Art (http://wiki.n4c.eu/wiki/images/0/03/Proposal_description.pdf) [7] Challenged Internet Access Network Technology Infrastructure (CHIANTI March 2008)

[7]http://en.wikipedia.org/wiki/Delay-tolerant_networking

[8]L. Wood, W. Eddy, P. Holiday: “A Bundle of Problems,” IEEE Aerospace conference, Big Sky, Montana, March 2009.

[9]K. Scott and S. Burleigh, “Bundle Protocol Specification,” IETF RFC5050, experimental, November 2007.

[10] F. Warthman. Delay tolerant networks tutorial..tnrg.org/docs/tutorials/warthman-1.1.pdf, 2003.

[11] Stephen Farrell and Vinny Cahill. Security considerations in space and delay tolerant networks. In Proc. 2nd IEEE International Conference on Space Mission Challenges for Information Technology (SMC-IT’06), July 2006.

[12] Stephen Farrell, Susan Symington, and Howard Weiss. Delay-Tolerant networking security overview.IRTF, DTN research group, October 2006. Draft version -03; expires in Expires: January 4, 2008.

[13] S. Symington, S. Farrell, H. Weiss. Bundle Security Protocol Specification. http://www.dtnrg.org/draft-irtf-dtnrg-bundlesecurity-19.txt, Expires: September 12, 2011.

[14] A Seth, U. Hengartner, and S. Keshav. Practical security for disconnected nodes. In First Workshop on Secure Network Protocols (NPSec), Revised 2006 version of the NPSec paper http://www.cs.uwaterloo.ca/a3seth/practical security v2.pdf.

[15] A. Kate, G. Zaverucha, and U. Hengartner. Anonymity and security in delay tolerant networks. In Secure Comm 2007.

[16] J. Burgess, G. D. Bissias, M. Corner, and B. N. Levine. Surviving attacks on disruption-tolerant networks without authentication. In MobiHoc ’07, pages 61–70, New York, NY, USA, 2007. ACM.

[17] K. El Defrawy, J. Solis, G. Tsudik. Leveraging Social Contacts for Message Confidentiality in Delay-Tolerant Networks 33rd Annual IEEE International Computer Software and Applications Conference, Seattle, Washington, July 20-24, 2009

[18] Technical Report on ‘Denials in DTN’ by www.ideals.illinois.edu/bitstream/handle/2142/14821/denialindtns.pdf?…

[19] Wood A. D. and Stankovic J. A. “A taxonomy for denial-of service attacks in wireless sensor networks”, in Handbook of Sensor Networks: Compact Wireless and Wired Sensing Systems, edited by Mohammad Ilyas and Imad Mahgoub, CRC Press LLC, 2005.

[20] N. Asokan, K. Kostianinen, P. Ginzboorg, J. Ott, and C. Luo, “Towards securing disruption-tolerant networking,” Nokia Research Center, Tech. Rep. NRC-TR-2007-007.

[21] Virgil D. Gligor. On denial-of-service in computer networks. In Proceedings of the International Conference on Data Engineering, pages 608.617. IEEE, 1986.)

[22] Fai Cheong Choo, Mun Choon Chan and Ee-Chien Chang “Robustness of DTN against Routing Attacks,” COMSNET, Bangalore, Jan 4-9, 2010.

[23] Ari Keranen, Jog Ott, and Teemu Karkkainen. The ONE Simulator for DTN Protocol Evaluation. In SIMUTools ’09: Proceedings of the 2nd Inter-national Conference on Simulation Tools and Techniques, New York, NY, USA, 2009. ICST.

[24] One simulator tool website. http://www.netlab.tkk.fi/tutkimus/dtn/theone/.