Internet Engineering Task Force (IETF)                            J. Yi
Request for Comments: 7186                       LIX, Ecole Polytechnique
Category: Informational                                       U. Herberg
ISSN: 2070-1721                         Fujitsu Laboratories of America
                                                              T. Clausen
                                                LIX, Ecole Polytechnique
                                                              April 2014
Security Threats for the Neighborhood Discovery Protocol (NHDP)
Abstract
This document analyzes common security threats of the Neighborhood Discovery Protocol (NHDP) and describes their potential impacts on Mobile Ad Hoc Network (MANET) routing protocols using NHDP. This document is not intended to propose solutions to the threats described.
Status of This Memo
This document is not an Internet Standards Track specification; it is published for informational purposes.
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are a candidate for any level of Internet Standard; see Section 2 of RFC 5741.
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7186.
Copyright Notice
Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Table of Contents
1. Introduction
2. Terminology
3. NHDP Threat Overview
4. Detailed Threat Description
   4.1. Jamming
   4.2. Denial-of-Service Attack
   4.3. Eavesdropping and Traffic Analysis
   4.4. Incorrect HELLO Message Generation
      4.4.1. Identity Spoofing
      4.4.2. Link Spoofing
   4.5. Replay Attack
   4.6. Message Timing Attacks
      4.6.1. Interval Time Attack
      4.6.2. Validity Time Attack
   4.7. Indirect Channel Overloading
   4.8. Attack on Link Quality Update
5. Impact of Inconsistent Information Bases on Protocols using NHDP
   5.1. MPR Calculation
      5.1.1. Flooding Disruption due to Identity Spoofing
      5.1.2. Flooding Disruption due to Link Spoofing
      5.1.3. Broadcast Storm
   5.2. Routing Loops
   5.3. Invalid or Nonexistent Paths to Destinations
   5.4. Data Sinkhole
6. Future Work
7. Security Considerations
8. Acknowledgments
9. References
   9.1. Normative References
   9.2. Informative References
The Neighborhood Discovery Protocol (NHDP) [RFC6130] allows routers to acquire topological information up to two hops away from themselves, by way of periodic HELLO message exchanges. The information acquired by NHDP is used by other protocols, such as the Optimized Link State Routing Protocol version 2 (OLSRv2) [RFC7181] and Simplified Multicast Forwarding (SMF) [RFC6621]. The topology information, acquired by way of NHDP, serves these routing protocols by detecting and maintaining local 1-hop and 2-hop neighborhood information.
As NHDP is typically used in wireless environments, it is potentially exposed to different kinds of security threats, some of which are of particular significance as compared to wired networks. As radio signals can be received as well as transmitted by any compatible wireless device within radio range, there is commonly no physical protection as otherwise known for wired networks. NHDP does not define any explicit security measures for protecting the integrity of the information it acquires; however, it suggests that the integrity protection be addressed in a fashion appropriate to the deployment of the network.
This document is based on the assumption that no additional security mechanism such as IPsec is used in the IP layer, as not all MANET deployments may be able to accommodate such common IP protection mechanisms (e.g., because of limited resources of MANET routers). The document analyzes possible attacks on and misconfigurations of NHDP and outlines the consequences of such attacks/misconfigurations to the state maintained by NHDP in each router (and, thus, made available to protocols using this state).
This document is not intended to propose solutions to the threats described. [RFC7185] provides further information on how to enable integrity protection for NHDP, which can help mitigate those of the described threats that are related to identity spoofing.
It should be noted that many NHDP implementations are configurable, and so an attack on the configuration system (such as [RFC6779]) can be used to adversely affect the operation of an NHDP implementation.
The NHDP MIB module [RFC6779] might help in monitoring some of the security attacks mentioned in this document. [MGMT-SNAP] provides a snapshot of OLSRv2-routed MANET management as currently deployed, while [MANET-MGMT] is intended to provide specific guidelines on MANET network management, considering the various MIB modules that have been written.
This document uses the terminology and notation defined in "Generalized Mobile Ad Hoc Network (MANET) Packet/Message Format" [RFC5444], "Mobile Ad Hoc Network (MANET) Neighborhood Discovery Protocol (NHDP)" [RFC6130], and "Internet Security Glossary, Version 2" [RFC4949].
Additionally, this document introduces the following terminology:
NHDP router: A MANET router, running NHDP as specified in [RFC6130].
Attacker: A device that is present in the network and intentionally seeks to compromise the information bases in NHDP routers.
Compromised NHDP router: An attacker that is present in the network and generates syntactically correct NHDP control messages. Control messages emitted by a compromised NHDP router may contain additional information, or omit information, as compared to a control message generated by a non-compromised NHDP router located in the same topological position in the network.
Legitimate NHDP router: An NHDP router that is not a compromised NHDP router.
NHDP defines a HELLO message exchange, enabling each NHDP router to acquire topological information describing its 1-hop and 2-hop neighbors, and specifies information bases for recording this information.
An NHDP router periodically transmits HELLO messages using a link-local multicast on each of its interfaces with a hop-limit of 1 (i.e., HELLOs are never forwarded). In these HELLO messages, an NHDP router announces the IP addresses as heard, symmetric, or lost neighbor interface addresses.
An Attacker has several ways of harming this neighbor discovery process: it can announce "wrong" information about its identity, postulate nonexistent links, and replay HELLO messages. These attacks are presented in detail in Section 4.
The different ways of attacking an NHDP deployment may eventually lead to inconsistent information bases, not accurately reflecting the correct topology of the MANET. The consequence is that protocols using NHDP will base their operation on incorrect information, causing routing protocols to not be able to calculate correct (or any) paths, degrade the performance of flooding operations based on reduced relay sets, etc. These consequences to protocols using NHDP are described in detail in Section 5.
For each threat, a description of the mechanism of the corresponding attack is given, followed by a description of how the attack affects NHDP. The impacts from each attack on protocols using NHDP are given in Section 5.
For simplicity in the description, the examples given assume that NHDP routers have a single interface with a single IP address configured. All the attacks apply, however, for NHDP routers with multiple interfaces and multiple addresses as well.
One vulnerability, common for all protocols operating a wireless ad hoc network, is that of "jamming", i.e., that a device generates massive amounts of interfering radio transmissions, which will prevent legitimate traffic (e.g., control traffic as well as data traffic) on part of a network. Jamming is a form of interference and overload with the threat consequence of disruption [RFC4593].
Depending on lower layers, this may not affect transmissions: HELLO messages from an NHDP router with "jammed" interfaces may still be received by other NHDP routers. As NHDP identifies whether a link to a neighbor is unidirectional or bidirectional, a routing protocol that uses NHDP for neighborhood discovery may ignore a link from a jammed NHDP router to a non-jammed NHDP router. The jammed router (a router with a jammed carrier) would simply appear as "disconnected" to the unjammed part of the network, which is able to maintain accurate topology maps.
If a considerable number of HELLO messages are lost or corrupted due to collisions caused by a jamming attack, neighbor NHDP routers are no longer able to establish links between themselves. Thus, NHDP will present empty information bases to the protocols using it.
A denial-of-service (DoS) attack can be a result of misconfiguration of legitimate NHDP routers (e.g., very short HELLO transmission interval) or malicious behavior of compromised NHDP routers [ACCT2012], so-called Byzantine routers [RFC4593]. DoS is a form of interference and overload with the threat consequence of disruption [RFC4593].
By transmitting a huge amount of HELLO messages in a short period of time, NHDP routers can increase channel occupation as described in Section 4.1. Furthermore, a compromised NHDP router can spoof a large amount of different IP addresses and send HELLOs to its neighbors to fill their Link/Neighbor Sets. This may result in memory overflow, and it makes the processing of legitimate HELLO messages impossible. A compromised NHDP router can also use link spoofing in its HELLO messages, generating huge 2-hop Sets in adjacent NHDP routers and therefore potentially a memory overflow. Moreover, protocols such as SMF and OLSRv2, using the 2-hop information for multipoint relay (MPR) calculation, may exhaust the available computational resources of the router if the Neighbor Set and 2-hop Sets have too many entries.
By exhausting the memory, CPU, and/or channel resources of a router through a DoS attack or a misconfiguration, NHDP routers may be unable to accomplish their specified task of exchanging 1-hop and 2-hop neighborhood information, thereby disturbing the operation of routing protocols using NHDP.
In some MANETs, the routers are powered by battery. Another consequence of a DoS attack in such networks is that the power will be drained quickly by unnecessary processing, transmitting, and receiving of messages.
Eavesdropping, sometimes referred to as sniffing, is a common and easy passive attack in a wireless environment. Once a packet is transmitted, any adjacent NHDP router can potentially obtain a copy, for immediate or later processing. Neither the source nor the intended destination can detect this. A malicious NHDP router can eavesdrop on the NHDP message exchange and thus learn the local topology. It may also eavesdrop on data traffic to learn source and destination addresses of data packets, or other header information, as well as the packet payload.
Eavesdropping does not pose a direct threat to the network or to NHDP, in as much as that it does not alter the information recorded by NHDP in its information bases and presented to other protocols. However, eavesdropping can provide network information required for enabling other attacks, such as the identity of communicating NHDP routers, detection of link characteristics, and NHDP router configuration. The compromised NHDP routers may use the obtained information to launch subsequent attacks, and they may also share NHDP routing information with other NHDP or non-NHDP entities. [RFC4593] would categorize the threat consequence as disclosure.
Traffic analysis, the process of intercepting messages in order to deduce information from communication patterns, normally follows eavesdropping. It can be performed even when HELLO messages are encrypted (encryption is not a part of NHDP), for example:
o Triggered HELLO messages: an attacker could figure out that messages are triggered and determine that there was a change of symmetric neighbors of the NHDP router sending the HELLO (as well as determine the frequency of such changes).
o Message size: the message grows exactly by x bytes per neighbor. Depending on which cipher is used for the encryption, some information about the size could be inferred, and thus the number of neighbors could be guessed.
[RFC4593] would categorize the threat consequence as disclosure.
An NHDP router performs two distinct tasks: it periodically generates HELLO messages, and it processes incoming HELLO messages from neighbor NHDP routers. This section describes security attacks involving the HELLO generation.
Identity spoofing implies that a compromised NHDP router sends HELLO messages, pretending to have the identity of another NHDP router, or even of a router that does not exist in the network. A compromised NHDP router can accomplish this by using an IP address that is not its own in an address block of a HELLO message, and associating this address with a LOCAL_IF Address Block TLV [IJNSIA2010].
An NHDP router receiving that HELLO message from a neighbor will assume that it originated from the NHDP router with the spoofed interface address. As a consequence, it will add a Link Tuple to that neighbor with the spoofed address, and include it in its next HELLO messages as a heard neighbor (and possibly as a symmetric neighbor after another HELLO exchange).
Identity spoofing is particularly harmful if a compromised NHDP router spoofs the identity of another NHDP router that exists in the same routing domain. With respect to NHDP, such a duplicated, spoofed address can lead to an inconsistent state up to two hops from an NHDP router. [RFC4593] would categorize the threat consequences as disclosure and deception.
Figure 1 depicts a simple example. In that example, NHDP router A is in radio range of NHDP router C, but not of the compromised NHDP router X. If X spoofs the address of A, that can lead to conflicts for a routing protocol that uses NHDP, and therefore to wrong path calculations as well as incorrect data traffic forwarding.
        .---.    .---.    .---.
        | A |----| C |----| X |
        '---'    '---'    '---'
Figure 1
Figure 2 depicts another example. In this example, NHDP router A is two hops away from NHDP router C, reachable through NHDP router B. If the compromised NHDP router X spoofs the address of A, NHDP router D will take A as its 1-hop neighbor, and C may think that A is indeed reachable through D.
   .---.    .---.    .---.    .---.    .---.
   | A |----| B |----| C |----| D |----| X |
   '---'    '---'    '---'    '---'    '---'
Figure 2
Similar to identity spoofing, link spoofing implies that a compromised NHDP router sends HELLO messages, signaling an incorrect set of neighbors. This is sometimes referred to as falsification [RFC4593], and in NHDP it may take either of two forms:
o A compromised NHDP router can postulate addresses of non-present neighbor NHDP routers in an address block of a HELLO, associated with LINK_STATUS TLVs.
o A compromised NHDP router can "ignore" otherwise existing neighbors by not advertising them in its HELLO messages.
The effects of link spoofing with respect to NHDP are twofold, depending on the two cases mentioned above:
o If the compromised NHDP router ignores existing neighbors in its advertisements, links will be missing in the information bases maintained by other routers, and there may not be any connectivity for these NHDP routers to or from other NHDP routers in the MANET.
o On the other hand, if the compromised NHDP router advertises nonexistent links, this will lead to inclusion of topological information in the information base, describing nonexistent links in the network (which, then, may be used by other protocols using NHDP in place of other, existing, links).
[RFC4593] would categorize the threat consequences as usurpation, deception, and disruption.
A replay attack implies that control traffic from one region of the network is recorded and replayed in a different region at (almost) the same time, or in the same region at a different time. This may, for example, happen when two compromised NHDP routers collaborate on an attack, one recording traffic in its proximity and tunneling it to the other compromised NHDP router, which replays the traffic. In a protocol where links are discovered by testing reception, this will result in extraneous link creation (basically, a "virtual" link between the two compromised NHDP routers will appear in the information bases of neighboring NHDP routers). [RFC4593] would categorize this as a falsification and interference threat with threat consequences of usurpation, deception, and disruption.
While this situation may result from an attack, it may also be intentional: if data traffic is also relayed over the "virtual" link, the link being detected is indeed valid for use. This is, for instance, used in wireless repeaters. If data traffic is not carried over the virtual link, an imaginary, useless link between the two compromised NHDP routers has been advertised and is being recorded in the information bases of their neighboring NHDP routers.
Compared to the incorrect HELLO message attacks described in Section 4.4, the messages used in replay attacks are legitimate messages sent out by (non-malicious) NHDP routers and replayed at a later time or in a different locality by malicious routers. This makes this kind of attack harder to detect and to counteract; integrity checks cannot help in this case, as the original message's Integrity Check Value (ICV) was correctly calculated.
In NHDP, each HELLO message contains a "validity time" (the amount of time that information in that control message should be considered valid before being discarded) and may contain an "interval time" field (the amount of time until the next control message of the same type should be expected) [RFC5497].
A use of the expected interval between two successive HELLO messages is for determining the link quality in NHDP: if messages are not received within the expected intervals (e.g., a certain fraction of messages are missing), then this may be used to exclude a link from being considered as useful, even if (some) bidirectional communication has been verified. If a compromised NHDP router X spoofs the identity of an existing NHDP router A and sends HELLOs indicating a low interval time, an NHDP router B receiving this HELLO will expect the following HELLO to arrive within the interval time indicated. If that expectation is not met, the link quality for the link A-B will be decreased. Thus, X may cause NHDP router B's estimate of the link quality for the link A-B to fall below the minimum considered useful, so the link would not be used [CPSCOM2011]. [RFC4593] would categorize the threat consequence as usurpation.
A compromised NHDP router X can spoof the identity of an NHDP router A and send a HELLO using a low validity time (e.g., 1 ms). A receiving NHDP router B will discard the information upon expiration of that interval, i.e., a link between NHDP router A and B will be "torn down" by X. The sending of a low validity time can be caused by intended malicious behaviors or simply misconfiguration in the NHDP routers. [RFC4593] would categorize the threat consequence as usurpation.
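The RFC 5497 time encoding carried by both timing fields, together with a receiver-side plausibility check, as an added example covering the interval-time and validity-time attacks above (it is not code from RFC 7186, RFC 6130 or any NHDP implementation). The decoding formula is RFC 5497's; TimingPolicy, its bound names and the sample bounds are assumptions for illustration.

```python
from typing import List, Optional

# RFC 5497 time constant C. 1/1024 s is the value NHDP uses for its
# VALIDITY_TIME and INTERVAL_TIME TLVs.
TIME_CONSTANT_C = 1.0 / 1024.0


def decode_time(code: int, c: float = TIME_CONSTANT_C) -> float:
    """Decode a one-octet RFC 5497 time code into seconds.

    T = (1 + a/8) * 2^b * C, with mantissa a = code mod 8 and
    exponent b = code div 8.
    """
    if not 0 <= code <= 255:
        raise ValueError("time code must fit in one octet")
    a, b = code & 0x07, code >> 3
    return (1 + a / 8) * (2 ** b) * c


def encode_time(seconds: float, c: float = TIME_CONSTANT_C) -> int:
    """Encode seconds as the smallest code whose decoded value is not
    shorter than the requested time (rounds up, never down, so a router
    never announces less time than it intends)."""
    if seconds <= 0:
        raise ValueError("time must be positive")
    for code in range(256):  # decoded values increase strictly with the code
        if decode_time(code, c) >= seconds:
            return code
    raise ValueError("time too large for a one-octet code")


class TimingPolicy:
    """Receiver-side bounds for incoming HELLO timing fields (assumed
    structure; the values would come from the deployment's configuration).

    min_validity/max_validity: shortest and longest VALIDITY_TIME any
        legitimate router in this deployment is configured to announce.
    min_interval: shortest INTERVAL_TIME any legitimate router announces.
    """

    def __init__(self, min_validity: float, max_validity: float, min_interval: float):
        self.min_validity = min_validity
        self.max_validity = max_validity
        self.min_interval = min_interval


def check_hello_timing(validity_code: int, interval_code: Optional[int],
                       policy: TimingPolicy) -> List[str]:
    """Return findings for a received HELLO's timing codes; empty means plausible.

    A spoofed HELLO carrying a tiny VALIDITY_TIME (Section 4.6.2) would make
    the receiver expire the link almost immediately; a tiny INTERVAL_TIME
    (Section 4.6.1) would make it expect HELLOs that never arrive and degrade
    the link quality. Flagging values outside the deployment's configured
    range lets an implementation log or ignore them instead of acting on them.
    """
    findings: List[str] = []
    validity = decode_time(validity_code)
    if validity < policy.min_validity:
        findings.append(f"validity time {validity * 1000:.3f} ms is below the "
                        f"deployment minimum of {policy.min_validity} s")
    elif validity > policy.max_validity:
        findings.append(f"validity time {validity} s exceeds the deployment "
                        f"maximum of {policy.max_validity} s")
    if interval_code is not None:
        interval = decode_time(interval_code)
        if interval < policy.min_interval:
            findings.append(f"interval time {interval * 1000:.3f} ms is below "
                            f"the deployment minimum of {policy.min_interval} s")
        if interval >= validity:
            # NHDP keeps a router's hold (validity) time above its HELLO
            # interval, so a legitimate HELLO never announces the reverse.
            findings.append("interval time is not shorter than validity time")
    return findings
```

With the NHDP defaults of a 2 s HELLO interval and a 6 s hold time, the codes are 88 and 100; the 1 ms validity time from the text encodes to code 1 and is flagged by a policy whose minimum is 1 s.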
Indirect Channel Overloading occurs when a compromised NHDP router X, by its actions, causes other legitimate NHDP routers to generate inordinate amounts of control traffic. This increases channel occupation and the overhead in each receiving NHDP router that processes this control traffic. With this traffic originating from legitimate NHDP routers, the malicious device may remain undetected in the wider network. It is a form of interference and overload with the threat consequence of disruption [RFC4593].
Figure 3 illustrates Indirect Channel Overloading with NHDP. A compromised NHDP router X advertises a symmetric spoofed link to the nonexistent NHDP router B (at time t0). Router A selects X as MPR upon reception of the HELLO, then triggers a HELLO at t1. Overhearing this triggered HELLO, the attacker sends another HELLO at t2, advertising the link to B as lost; this causes NHDP router A to deselect the attacker as MPR, and to send another triggered message at t3. The cycle may be repeated, where the link X-B is advertised alternately as LOST and SYM.
                  MPRs(X)                    MPRs()
    .---.         .---.         .---.         .---.
    | A |         | A |         | A |         | A |
    '---'         '---'         '---'         '---'
      |             |             |             |
      | SYM(B)      |             | LOST(B)     |
      |             |             |             |
    .---.         .---.         .---.         .---.
    | X |         | X |         | X |         | X |
    '---'         '---'         '---'         '---'
      .                           .
      .                           .
      .                           .
    .....                       .....
    . B .                       . B .
    .....                       .....

     t0            t1            t2            t3
Figure 3
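Pacing triggered HELLOs with RFC 6130's HELLO_MIN_INTERVAL parameter (the minimum spacing between consecutive HELLOs on an interface) bounds what the cycle in Figure 3 can cost router A. This is an added example, not code from RFC 6130, RFC 7186 or any implementation; HelloScheduler, simulate_flapping and the 500 ms value are assumptions, while HELLO_INTERVAL and HELLO_MIN_INTERVAL are RFC 6130 interface parameters.

```python
from typing import List, Optional, Tuple

HELLO_INTERVAL_MS = 2000      # periodic HELLO spacing (RFC 6130 default of 2 s)
HELLO_MIN_INTERVAL_MS = 500   # minimum spacing between any two HELLOs (assumed value)


class HelloScheduler:
    """Decides when an interface may emit a HELLO (assumed class, not RFC 6130 text).

    Periodic HELLOs go out every hello_interval. A change in the Link Set (for
    instance X alternately advertising SYM(B) and LOST(B) as in Figure 3)
    requests a triggered HELLO; it is sent at once only if hello_min_interval
    has elapsed since the previous HELLO, otherwise the request is remembered
    and served at the earliest permitted time. Any number of changes therefore
    cost at most one HELLO per hello_min_interval, whoever caused them.
    """

    def __init__(self, hello_interval_ms: int = HELLO_INTERVAL_MS,
                 hello_min_interval_ms: int = HELLO_MIN_INTERVAL_MS):
        if not 0 <= hello_min_interval_ms <= hello_interval_ms:
            raise ValueError("need 0 <= HELLO_MIN_INTERVAL <= HELLO_INTERVAL")
        self.hello_interval = hello_interval_ms
        self.hello_min_interval = hello_min_interval_ms
        self.last_sent: Optional[int] = None
        self.trigger_pending = False
        self.sent: List[int] = []          # transmission times, for inspection

    def _spacing_ok(self, now: int) -> bool:
        return self.last_sent is None or now - self.last_sent >= self.hello_min_interval

    def _send(self, now: int) -> None:
        self.sent.append(now)
        self.last_sent = now
        self.trigger_pending = False       # a HELLO carries the latest state anyway

    def request_triggered(self, now: int) -> bool:
        """Called when the Link/Neighbor Set changed; True if a HELLO went out now."""
        if self._spacing_ok(now):
            self._send(now)
            return True
        self.trigger_pending = True        # coalesce: one HELLO will cover all changes
        return False

    def tick(self, now: int) -> bool:
        """Called by the interface timer; True if a HELLO went out now."""
        periodic_due = self.last_sent is None or now - self.last_sent >= self.hello_interval
        if periodic_due or (self.trigger_pending and self._spacing_ok(now)):
            self._send(now)
            return True
        return False


def simulate_flapping(duration_ms: int = 10_000, flap_period_ms: int = 100,
                      tick_ms: int = 50,
                      hello_min_interval_ms: int = HELLO_MIN_INTERVAL_MS) -> Tuple[int, int]:
    """Constructed scenario: from t = 100 ms on, a neighbor flips a spoofed link
    every flap_period_ms, each flip requesting a triggered HELLO from router A.
    Returns (triggers requested, HELLOs actually sent)."""
    sched = HelloScheduler(hello_min_interval_ms=hello_min_interval_ms)
    triggers = 0
    for step in range(duration_ms // tick_ms):
        now = step * tick_ms
        sched.tick(now)
        if now > 0 and now % flap_period_ms == 0:
            triggers += 1
            sched.request_triggered(now)
    return triggers, len(sched.sent)
```

Over 10 s of flapping at 10 Hz, a router that honours every trigger immediately sends 100 HELLOs, whereas a 500 ms HELLO_MIN_INTERVAL caps it at 20 regardless of how fast X flaps.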
According to NHDP [RFC6130]:
Link quality is a mechanism whereby a router MAY take considerations other than message exchange into account for determining when a link is and is not a candidate for being considered as HEARD or SYMMETRIC. As such, it is a "link admission" mechanism.
Section 14.4 of NHDP [RFC6130] then lists several examples of information that can be used to update link quality. One of the listed examples uses packet exchanges between neighbor routers (as described in [RFC5444]): e.g., an NHDP router may update the link quality of a neighbor based on receipt or loss of packets if they include a sequential packet sequence number.
NHDP does not specify how to acquire link quality updates normatively; however, attack vectors may be introduced if an implementation chooses to calculate link quality based on packet sequence numbers. The consequences of such threats would depend on specific implementations. For example, if the link quality update is based on a sequential packet sequence number from neighbor routers, a compromised NHDP router can spoof packets that appear to come from another, legitimate NHDP router but skip some packet sequence numbers. The NHDP router receiving the spoofed packets may degrade the link quality, as it appears that several packets have been dropped. Eventually, the router may remove the neighbor when the link quality drops below HYST_REJECT.
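The following Python model is an added illustration of this threat and is not code from RFC 6130, RFC 7186 or any NHDP implementation. It implements the kind of sequence-number-driven link-quality update that Section 14.4 of [RFC6130] lists as an example (each skipped packet sequence number counted as one lost packet, with exponential smoothing and HYST_ACCEPT/HYST_REJECT hysteresis), and contrasts two policies: counting every packet that claims to come from the neighbor, versus counting only packets that passed an integrity check. The parameter values, the packet scenario, and the `icv_ok` flag (standing in for the outcome of an [RFC7185]-style ICV verification) are assumptions made for this example.

```python
"""Link-quality hysteresis fed by packet sequence numbers (constructed example).

Models the kind of link-quality update that Section 14.4 of RFC 6130 lists
as an example (skipped packet sequence numbers counted as lost packets) and
shows what happens when packets that were never authenticated are allowed to
feed it.  The hysteresis parameters, the scenario and the ICV flag are
assumptions made for this illustration; they are not RFC defaults.
"""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

HYST_SCALING = 0.5       # assumed weight of each new observation
HYST_ACCEPT = 0.8        # assumed: quality must exceed this to (re)accept the link
HYST_REJECT = 0.3        # assumed: quality below this rejects the link
INITIAL_QUALITY = 1.0    # assumed: the link starts out fully trusted


@dataclass
class LinkQuality:
    quality: float = INITIAL_QUALITY
    accepted: bool = True
    last_seq: Optional[int] = None
    rejections: int = 0          # how often the link fell below HYST_REJECT

    def _observe(self, received: bool) -> None:
        # Exponential smoothing: a receipt pulls the estimate toward 1, a loss toward 0.
        self.quality = (1 - HYST_SCALING) * self.quality + (HYST_SCALING if received else 0.0)
        if self.accepted and self.quality < HYST_REJECT:
            self.accepted = False
            self.rejections += 1
        elif not self.accepted and self.quality > HYST_ACCEPT:
            self.accepted = True

    def on_packet(self, seq: int) -> None:
        """Account for one received packet carrying sequence number `seq`."""
        if self.last_seq is not None:
            # Every skipped sequence number is counted as one lost packet.
            # (Wrap-around and reordering are deliberately not modelled here.)
            for _ in range(max(0, seq - self.last_seq - 1)):
                self._observe(False)
        self._observe(True)
        self.last_seq = seq


def process(packets: Iterable[Tuple[int, bool]], require_icv: bool) -> LinkQuality:
    """Feed (seq, icv_ok) packets into the estimator.

    icv_ok stands for the outcome of an integrity check such as the ICV of
    RFC 7185; it is a constructed flag here.  With require_icv=True a packet
    that fails the check never influences the link quality.
    """
    lq = LinkQuality()
    for seq, icv_ok in packets:
        if require_icv and not icv_ok:
            continue
        lq.on_packet(seq)
    return lq


# Constructed scenario: ten consecutive packets from the real neighbour, then two
# injected packets that claim to be from the same neighbour but jump ahead in
# sequence number, making it look as if dozens of packets had been lost.
LEGITIMATE = [(seq, True) for seq in range(1, 11)]
INJECTED = [(60, False), (120, False)]
SCENARIO = LEGITIMATE + INJECTED

if __name__ == "__main__":
    for require_icv in (False, True):
        lq = process(SCENARIO, require_icv)
        print(f"require_icv={require_icv}: quality={lq.quality:.3f} "
              f"accepted={lq.accepted} rejections={lq.rejections}")
```

Without the integrity gate, the two injected packets are enough to push the estimate through HYST_REJECT and leave the link in the rejected state; with the gate, the same packets are simply never counted and the legitimate stream keeps the link at full quality. This is the reason the threat is tied to the implementation choice of feeding unauthenticated packet sequence numbers into the link admission decision.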
This section describes the impact on protocols that use NHDP when NHDP fails to obtain and represent accurate information, possibly as a consequence of the attacks described in Section 4. This description emphasizes the impacts on the MANET protocols OLSRv2 [RFC7181] and SMF [RFC6621].
MPR selection (as used in [RFC7181] and [RFC6621], for example) uses information about a router's 1-hop and 2-hop neighborhood, assuming that (i) this information is accurate, and (ii) each 1-hop neighbor is apt to act as MPR, depending on the willingness it reports. Thus, a compromised NHDP router may seek to manipulate the 1-hop and 2-hop neighborhood information in a router so as to cause the MPR selection to fail, leading to a flooding disruption of traffic control messages. This can result in incomplete topology advertisement or can degrade the optimized flooding to classical flooding.
A compromised NHDP router can spoof the identity of other routers in order to disrupt the MPR selection, so as to prevent certain parts of the network from receiving flooded traffic [IJNSIA2010].
In Figure 4, a compromised NHDP router X spoofs the identity of B. The link between X and C is correctly detected and listed in X's HELLOs. Router A will receive HELLOs indicating links from B:{B-E}, X:{X-C, X-E}, and D:{D-E, D-C}, respectively. For router A, X and D are equal candidates for MPR selection. To make sure the X can be selected as MPR for router A, X can set its willingness to the maximum value.
      .---.     .---.     .---.
      | E |----| D |----| C |
      '---'     '---'     '---'
        |         |         .
        |         |         .
      .---.     .---.     .---.
      | B |----| A |----| X |
      '---'     '---'     '---'
                         spoofs B

                Figure 4
If B and X (i) accept MPR selection and (ii) forward flooded traffic as if they were both B, identity spoofing by X is harmless. However, if X does not forward flooded traffic (i.e., does not accept MPR selection), its presence entails flooding disruption: selecting B over D renders C unreachable by flooded traffic.
                        .---.
                        | D |
                        '---'
                          |
                          |
      .---.     .---.     .---.     .---.     .---.
      | X |----| A |----| B |----| C |----| E |...
      '---'     '---'     '---'     '---'     '---'
     spoofs E

                          Figure 5
In Figure 5, the compromised NHDP router X spoofs the identity of E, i.e., routers A and C both receive HELLOs from a router identifying itself as E. For router B, routers A and C present the same neighbor sets and are equal candidates for MPR selection. If router B selects only router A as MPR, C will not relay flooded traffic from B or transiting via B, and router X (and routers to the "right" of it) will not receive flooded traffic.
A compromised NHDP router can also spoof links to other NHDP routers, thereby making itself appear as the most appealing candidate to be MPR for its neighbors, possibly to the exclusion of other NHDP routers in the neighborhood. (In particular, this can occur if the compromised NHDP router spoofs links to all other NHDP routers in the neighborhood, plus to one NHDP router outside the neighborhood.) By thus excluding other legitimate NHDP routers from being selected as MPR, the compromised NHDP router will receive and be expected to relay all flooded traffic (e.g., traffic control messages in OLSRv2 or data traffic in SMF) that it can then drop or otherwise manipulate.
In the network in Figure 6, the compromised NHDP router X spoofs links to the existing router C, as well as to a fictitious W. Router A receives HELLOs from X and B, reporting X: {X-C, X-W}, B: {B-C}. All else being equal, X appears a better choice for MPR than B, as X appears to cover all neighbors of B, plus W.
                                    .---.     .....
                                    | S |     . C .
                                    '---'     .....
                                      |         .
                                      |         .
      .---.     .---.     .---.     .---.     .---.
      | D |----| C |----| B |----| A |----| X |
      '---'     '---'     '---'     '---'     '---'
                                                .
                                                .
                                              .....
                                              . W .
                                              .....

                          Figure 6
As router A will not select B as MPR, B will not relay flooded messages received from router A. The NHDP routers on the left of B (starting with C) will, thus, not receive any flooded messages from router A or transiting router A (e.g., a message originating from S).
A compromised NHDP router may attack the network by attempting to degrade the performance of optimized flooding algorithms so as to be equivalent to classic flooding. This can be achieved by forcing an NHDP router into choosing all its 1-hop neighbors as MPRs. In MANETs, a broadcast storm caused by classic flooding is a serious problem that can result in redundancy, contention, and collisions [MOBICOM99].
As shown in Figure 7, the compromised NHDP router X spoofs the identity of NHDP router B and spoofs a link to router Y {B-Y} (Y does not have to exist). By doing so, the legitimate NHDP router A has to select the legitimate NHDP router B as its MPR in order for it to reach all its 2-hop neighbors. The compromised NHDP router X can perform this identity-and-link spoofing for all of NHDP router A's 1-hop neighbors, thereby forcing NHDP router A to select all its neighbors as MPR and disabling the optimization sought by the MPR mechanism.
      .---.
      | B |
      '---'
        |
        |
      .---.     .---.     .....
      | A |----| X | . . . Y .
      '---'     '---'     .....
               spoofs B

                Figure 7
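To make the selection mechanics of Figures 4, 6 and 7 concrete, the Python below is an added example (not code from RFC 7181, RFC 6130 or RFC 7186): a plain greedy set-cover heuristic that takes the same inputs as an MPR selector, namely the links each 1-hop neighbor advertises in its HELLO and its willingness, and returns a set of 1-hop neighbors covering every 2-hop neighbor. It is not the selection algorithm those RFCs specify; it only reproduces the property the text relies on, that the advertised 2-hop links decide who is chosen. The neighborhoods are transcribed from the three figures; the willingness scale, the extra neighbor D in the generalized Figure 7 case, and the names Y1/Y2 are assumptions.

```python
"""Greedy MPR selection driven by advertised 2-hop links (constructed example).

Not the selection algorithm of RFC 7181 or RFC 6130: a plain greedy set-cover
heuristic with the same inputs (the links each 1-hop neighbour advertises in
its HELLO, and its willingness), which is enough to show why the advertised
links decide the outcome.  Neighbourhoods follow Figures 4, 6 and 7; the
willingness values and the extra neighbour D in FIG7_ALL are assumptions.
"""
from typing import Dict, Optional, Set


def select_mprs(router: str, hellos: Dict[str, Set[str]],
                willingness: Optional[Dict[str, int]] = None) -> Set[str]:
    """Pick a set of 1-hop neighbours that covers every 2-hop neighbour.

    hellos[n]      -- symmetric neighbours that 1-hop neighbour n advertises
    willingness[n] -- advertised willingness of n (higher is preferred)
    """
    will = willingness or {}
    one_hop = set(hellos)
    two_hop: Set[str] = set()
    for links in hellos.values():
        two_hop |= {m for m in links if m != router and m not in one_hop}

    mprs: Set[str] = set()
    # Step 1: a neighbour that is the only advertised path to some 2-hop node is mandatory.
    for target in two_hop:
        providers = [n for n, links in hellos.items() if target in links]
        if len(providers) == 1:
            mprs.add(providers[0])
    uncovered = two_hop - set().union(*(hellos[n] for n in mprs))

    # Step 2: greedily add the neighbour covering most uncovered 2-hop nodes,
    # breaking ties by willingness and then by name so the result is deterministic.
    while uncovered:
        candidates = one_hop - mprs
        if not candidates:
            break
        best = max(candidates,
                   key=lambda n: (len(hellos[n] & uncovered), will.get(n, 0), n))
        gain = hellos[best] & uncovered
        if not gain:
            break
        mprs.add(best)
        uncovered -= gain
    return mprs


# Figure 6 as seen by router A: an honest X advertises only A; the compromised X
# adds links to C (a real router that is not X's neighbour) and to a fictitious W.
FIG6_HONEST = {"S": {"A"}, "B": {"A", "C"}, "X": {"A"}}
FIG6_ATTACK = {"S": {"A"}, "B": {"A", "C"}, "X": {"A", "C", "W"}}

# Figure 4 as seen by router A: X (spoofing B's identity) and D cover the same
# 2-hop set {C, E}; X advertises the maximum willingness (assumed scale 0..7).
FIG4 = {"B": {"A", "E"}, "X": {"A", "C", "E"}, "D": {"A", "C", "E"}}
FIG4_WILL = {"X": 7, "D": 3, "B": 3}

# Figure 7 as seen by router A: HELLOs that appear to come from B carry a link
# to a fictitious Y, so B becomes the only path to Y and must be selected.
# Repeating this for every neighbour (here B and an assumed D) selects them all.
FIG7_HONEST = {"B": {"A"}, "X": {"A"}}
FIG7_ATTACK = {"B": {"A", "Y"}, "X": {"A"}}
FIG7_ALL = {"B": {"A", "Y1"}, "D": {"A", "Y2"}, "X": {"A"}}

if __name__ == "__main__":
    print("Fig. 6 honest :", select_mprs("A", FIG6_HONEST))
    print("Fig. 6 attack :", select_mprs("A", FIG6_ATTACK))
    print("Fig. 4        :", select_mprs("A", FIG4, FIG4_WILL))
    print("Fig. 7 attack :", select_mprs("A", FIG7_ATTACK))
    print("Fig. 7 all    :", select_mprs("A", FIG7_ALL))
```

In the Figure 6 case the spoofed link to the fictitious W makes X mandatory (step 1) and the spoofed link to C then leaves nothing for B to cover, so B is never selected and the routers behind it lose flooded traffic; in the Figure 4 case it is only the willingness tie-break that decides between X and D; in the Figure 7 case every neighbor that appears to be the sole path to a fictitious 2-hop node is forced into the MPR set, which is how optimized flooding collapses into classic flooding. None of this requires the selector to be wrong: it is correct for the information it was given, which is the point of Section 4.4.2 and the "trust the originator" remark in the future-work list.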
Inconsistent information bases, provided by NHDP to other protocols, can also cause routing loops. In Figure 8, the compromised NHDP router X spoofs the identity of NHDP router E. NHDP router D has data traffic to send to NHDP router A. The topology recorded in the information base of router D indicates that the shortest path to router A is {D->E->A}, because of the link {A-E} reported by X. Therefore, the data traffic will be routed to NHDP router E. As the link {A-E} does not exist in NHDP router E's information bases, it will identify the next hop for data traffic to NHDP router A as being NHDP router D. A loop between the NHDP routers D and E is thus created.
      .---.     .---.     .---.     .---.     .---.
      | A |----| B |----| C |----| D |----| E |
      '---'     '---'     '---'     '---'     '---'
        |
        |
      .---.
      | X |
      '---'
     spoofs E

                          Figure 8
By reporting inconsistent topology information in NHDP, the invalid links and routers can be propagated as link state information with traffic control messages and result in route failure. As illustrated in Figure 8, if NHDP router B tries to send data packets to NHDP router E, it will choose router A as its next hop, based on the information about the nonexistent link {A-E} reported by the compromised NHDP router X.
With the ability to spoof multiple identities of legitimate NHDP routers (by eavesdropping, for example), the compromised NHDP router can represent a "data sinkhole" for its 1-hop and 2-hop neighbors. Data packets that come across its neighbors may be forwarded to the compromised NHDP router instead of to the real destination. The packet can then be dropped, manipulated, duplicated, etc., by the compromised NHDP router. As shown in Figure 8, if the compromised NHDP router X spoofs the identity of NHDP router E, all the data packets to E that cross NHDP routers A and B will be sent to NHDP router X, instead of to E.
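The three consequences just described for Figure 8 (the D-E loop, the wrong next hop at B, and the sinkhole at X) all follow from routers computing next hops over different information bases. The Python below is an added example that is not part of RFC 7186 or any OLSRv2 implementation: each router holds its own adjacency view, computes shortest-path next hops over it, and a packet is walked hop by hop, consulting the table of whichever router currently holds it. The topology is Figure 8; which routers accepted the spoofed link {A-E} (A, B, C and D, with E keeping the true view) and the impostor map (A's "E" adjacency physically terminating at X) are assumptions made to match the text.

```python
"""Forwarding over inconsistent per-router link-state views (constructed example).

Every router computes next hops from its own information base.  In Figure 8 the
compromised router X, adjacent to A, identifies itself as E, so the routers that
learn of the resulting link {A-E} (here A, B, C and D) carry a topology that E
itself does not.  Walking a packet hop by hop with each router's own table
reproduces the loop and the sinkhole the text describes.  The topology, the set
of routers that accepted the spoofed link and the impostor map are assumptions.
"""
from collections import deque
from typing import Dict, List, Set, Tuple

Adj = Dict[str, Set[str]]

# Physical links of Figure 8, as known to a router that never heard X's HELLOs.
TRUE_LINKS: Adj = {"A": {"B"}, "B": {"A", "C"}, "C": {"B", "D"},
                   "D": {"C", "E"}, "E": {"D"}}


def with_spoofed_link(view: Adj, a: str = "A", b: str = "E") -> Adj:
    """Copy of `view` with the nonexistent link {a-b} reported by X added."""
    poisoned = {k: set(v) for k, v in view.items()}
    poisoned.setdefault(a, set()).add(b)
    poisoned.setdefault(b, set()).add(a)
    return poisoned


def next_hops(view: Adj, src: str) -> Dict[str, str]:
    """Breadth-first shortest paths over `view`; returns {destination: next hop}."""
    first: Dict[str, str] = {}
    seen = {src}
    queue = deque([src])
    while queue:
        u = queue.popleft()
        for v in sorted(view.get(u, ())):      # sorted for a deterministic tie-break
            if v in seen:
                continue
            seen.add(v)
            first[v] = v if u == src else first[u]
            queue.append(v)
    return first


def forward(views: Dict[str, Adj], impostors: Dict[Tuple[str, str], str],
            src: str, dst: str, max_hops: int = 16) -> Tuple[List[str], str]:
    """Walk a packet from src to dst, each hop consulting its own view.

    impostors[(router, neighbour)] names who is physically on that adjacency
    when it is not the advertised identity.  Returns (path, outcome).
    """
    path = [src]
    cur = src
    while cur != dst:
        if len(path) > max_hops:
            return path, "ttl exceeded"
        nh = next_hops(views[cur], cur).get(dst)
        if nh is None:
            return path, "no route"
        actual = impostors.get((cur, nh), nh)
        path.append(actual)
        if actual not in views:
            return path, "sinkhole"        # handed to the impostor, never reaches dst
        if actual in path[:-1]:
            return path, "loop"
        cur = actual
    return path, "delivered"


POISONED = with_spoofed_link(TRUE_LINKS)
VIEWS: Dict[str, Adj] = {r: POISONED for r in "ABCD"}
VIEWS["E"] = TRUE_LINKS                      # E knows it has no link to A
HONEST_VIEWS: Dict[str, Adj] = {r: TRUE_LINKS for r in "ABCDE"}
IMPOSTORS = {("A", "E"): "X"}                # A's "E" adjacency really leads to X

if __name__ == "__main__":
    print("D -> A:", forward(VIEWS, IMPOSTORS, "D", "A"))       # (['D', 'E', 'D'], 'loop')
    print("B -> E:", forward(VIEWS, IMPOSTORS, "B", "E"))       # (['B', 'A', 'X'], 'sinkhole')
    print("B -> E:", forward(HONEST_VIEWS, {}, "B", "E"))       # (['B', 'C', 'D', 'E'], 'delivered')
```

D's table sends the packet to E because {D->E->A} is the shortest path in D's poisoned view, and E's table sends it straight back because E's view has no link to A; B's table picks A as next hop for E, and A then hands the packet to whatever is on its "E" adjacency, which is X. Each forwarding decision is locally correct; only the disagreement between the views produces the loop and the sinkhole.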
This document does not propose solutions to mitigate the security threats described in Section 4. However, this section aims at driving new work by suggesting which threats discussed in Section 4 could be addressed by deployments or applications.
o Section 4.1: Jamming - If a single router or a small area of the MANET is jammed, protocols could be specified that increase link metrics in NHDP for the jammed links. When a routing protocol such as OLSRv2 uses NHDP for neighborhood discovery, other paths leading "around" the jammed area would be preferred, and therefore would mitigate the threat to some extent.
o Section 4.2: DoS - A DoS attack using a massive amount of HELLO messages can be mitigated by admitting only trusted routers to the network. [RFC7185] specifies a mechanism for adding Integrity Check Values (ICVs) to HELLO messages and therefore providing an admittance mechanism for NHDP routers to a MANET. (Note that adding ICVs creates a new DoS attack vector, as ICV verification requires CPU and memory resources.) However, using ICVs does not address the problem of compromised routers. Detecting compromised routers could be addressed in new work. [RFC7185] mandates implementation of a security mechanism that is based on shared keys and makes excluding single compromised routers difficult; work could be done to facilitate revocation mechanisms in certain MANET use cases where routers have sufficient capabilities to support asymmetric keys.
o Section 4.3: Eavesdropping - [RFC7185] adds ICVs to HELLO messages but does not encrypt them. Therefore, eavesdropping of control traffic is not mitigated. Future work could provide encryption of control traffic for sensitive MANET topologies. Note that, other than using a single shared secret key, providing encryption of traffic among a set of neighbors (when that set is potentially undetermined) is nontrivial, especially without multiplying overheads. With traffic analysis, attackers could still deduce the network information like HELLO message triggering and HELLO message size, even though the HELLO messages are encrypted.
o Section 4.4.2: Link spoofing - [RFC7185] provides certain protection against link spoofing, but an NHDP router has to "trust" the originator of a HELLO that the advertised links are correct. For example, if a router A reports a link to B, routers receiving HELLOs from A have to trust that B is actually a (symmetric) neighbor of A. New protocol work could address protection of links without overly increasing the space and time overheads. An immediate suggestion for deployments is to protect routers against being compromised and to distribute keys only to trusted routers.
o Section 4.5: Replay Attacks - [RFC7185] uses ICVs and timestamps to provide some protection against replay attacks. It is still feasible to replay control messages within a limited time. A suggestion for deployments is to provide time synchronization between routers. New work could provide time synchronization mechanisms for certain MANET use cases or specify a mechanism using nonces instead of timestamps in HELLO messages.
o Section 4.4.1: Identity spoofing; Section 4.6: Message timing attacks; Section 4.7: Indirect channel overloading; and Section 4.8: Attack on link quality update - [RFC7185] provides protection against these attacks, assuming the routers are not compromised.
This document does not specify a protocol or a procedure. The document, however, reflects on security considerations for NHDP and MANET routing protocols using NHDP for neighborhood discovery.
The authors would like to gratefully acknowledge the following people for valuable comments and technical discussions: Teco Boot, Henning Rogge, Christopher Dearlove, John Dowdell, Joseph Macker, and all the other participants of the IETF MANET working group.
[RFC5444] Clausen, T., Dearlove, C., Dean, J., and C. Adjih, "Generalized Mobile Ad Hoc Network (MANET) Packet/Message Format", RFC 5444, February 2009.
[RFC5497] Clausen, T. and C. Dearlove, "Representing Multi-Value Time in Mobile Ad Hoc Networks (MANETs)", RFC 5497, March 2009.
[RFC6130] Clausen, T., Dearlove, C., and J. Dean, "Mobile Ad Hoc Network (MANET) Neighborhood Discovery Protocol (NHDP)", RFC 6130, April 2011.
[ACCT2012] Jhaveri, R. and S. Patel, "DoS Attacks in Mobile Ad Hoc Networks: A Survey", Second International Conference on Advanced Computing & Communication Technologies (ACCT), January 2012.
[CPSCOM2011] Yi, J., Clausen, T., and U. Herberg, "Vulnerability Analysis of the Simple Multicast Forwarding (SMF) Protocol for Mobile Ad Hoc Networks", Proceedings of the IEEE International Conference on Cyber, Physical, and Social Computing (CPSCom), October 2011.
[IJNSIA2010] Herberg, U. and T. Clausen, "Security Issues in the Optimized Link State Routing Protocol version 2", International Journal of Network Security & Its Applications, April 2010.
[MANET-MGMT] Nguyen, J., Cole, R., Herberg, U., Yi, J., and J. Dean, "Network Management of Mobile Ad hoc Networks (MANET): Architecture, Use Cases, and Applicability", Work in Progress, February 2013.
[MGMT-SNAP] Clausen, T. and U. Herberg, "Snapshot of OLSRv2-Routed MANET Management", Work in Progress, February 2014.
[MOBICOM99] Ni, S., Tseng, Y., Chen, Y., and J. Sheu, "The Broadcast Storm Problem in a Mobile Ad Hoc Network", Proceedings of the 5th annual ACM/IEEE international conference on Mobile computing and networking, 1999.
[RFC4593] Barbir, A., Murphy, S., and Y. Yang, "Generic Threats to Routing Protocols", RFC 4593, October 2006.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", RFC 4949, August 2007.
[RFC6621] Macker, J., "Simplified Multicast Forwarding", RFC 6621, May 2012.
[RFC6779] Herberg, U., Cole, R., and I. Chakeres, "Definition of Managed Objects for the Neighborhood Discovery Protocol", RFC 6779, October 2012.
[RFC7181] Clausen, T., Dearlove, C., Jacquet, P., and U. Herberg, "The Optimized Link State Routing Protocol Version 2", RFC 7181, April 2014.
[RFC7185] Herberg, U., Dearlove, C., and T. Clausen, "Integrity Protection for the Neighborhood Discovery Protocol (NHDP) and Optimized Link State Routing Protocol Version 2 (OLSRv2)", RFC 7185, April 2014.
Authors' Addresses
Jiazi Yi
LIX, Ecole Polytechnique
91128 Palaiseau Cedex
France

Phone: +33 1 77 57 80 85
EMail: jiazi@jiaziyi.com
URI:   http://www.jiaziyi.com/

Ulrich Herberg
Fujitsu Laboratories of America
1240 E Arques Ave
Sunnyvale, CA 94085
USA

EMail: ulrich@herberg.name
URI:   http://www.herberg.name/

Thomas Heide Clausen
LIX, Ecole Polytechnique
91128 Palaiseau Cedex
France

Phone: +33 6 6058 9349
EMail: T.Clausen@computer.org
URI:   http://www.thomasclausen.org/