
Delay Tolerant Networks - Some Thoughts about Security


Delay Tolerant Networks
Some Thoughts about Security
Hannes Tschofenig

This presentation has been produced in the context of the Ambient Networks Project. The Ambient Networks Project is
part of the European Community's Sixth Framework Program for research and is as such funded by the European
All information in this presentation is provided "as is" and no guarantee or warranty is given that the information is fit for
any particular purpose. The user thereof uses the information at its sole risk and liability.
For the avoidance of all doubts, the European Commission has no liability in respect of this presentation, which is merely
representing the author's view.
Dagstuhl DTN Workshop 2005

• Some slides are based on input and
  discussions with Jari Arkko and Pasi

Design Space Overview (1/2)

[Figure: four scenarios for the path between nodes M and F; labels per scenario as they appear in the figure]
• End-to-end Connectivity Available: M, Wireless, Internet, F
• End-to-end Store-and-Forward: M, Wireless network, I1, Wireless, I3, Internet, I2, I4, F
• End Host interacts with a proxy: M, Wireless, If, Internet, F
• Intermediary peers to isolate the wireless link: M, Mobile network, Im, Wireless network, If, Internet, F
Design Space Overview (2/2)

• Solution affecting parts:
            – What are the devices that need to be signaled?
            – How many of them? (end hosts only vs. many nodes along the
            – Where are they? What is the relationship between the end host
              and these boxes?

• DTN Properties
            1. Possibly no e2e connectivity (See above-issues)
            2. Long or variable delay
            3. Asymmetric data rates
            4. High error rates
            Side note next to properties 2 to 4: Calls for mechanisms (roundtrip,

Security “Goals”
• Hop-by-Hop / End-to-middle
            – Prevent access by unauthorized applications
            – Prevent applications from asserting control over the DTN
• End-to-End
            – Typically very application dependent
            – Hard to accomplish and have different properties than
              security offered to the middle of the network

• There are many other issues:
            – Network hiding, user identity confidentiality, privacy, DoS,

 Network Access
 Authentication and
 a) Why existing network access auth/authz might not be
    appropriate for DTNs
 b) Can the result of network access authentication be helpful for
    the DTN architecture?
 c) Are the existing concepts useful for DTN?

Some Current Problems 1

• DTN: Hosts might be partitioned in a number of
  connected clouds (possibly 1)
• Reasonable to consider the entire protocol stack
  rather than a single protocol (particularly if
  performance is important)

•        Attachments involve a large number of messages
•        Over 50% of this is due to security
•        Request/Response style, even across the Internet
•        Multiple mandatory waiting periods
•        Iteration over available accesses
Current Procedure (IPv6 + WLAN)

[Figure: message sequence chart between client, access network, home and other node; exchanges in order:]
1. 802.11 Attachment
2. 802.11 Authentication
3. 802.1X and EAP
4. 802.11i 4-Way HS
5. IPv6 Router Discovery
6. IPv6 DAD
7. Nemo/MIPv6 Reg
8. MIPv6 RO Reg
Some Current Problems 2
• Limited information transfer & control
              –Network selection
              –Handoff guidance and control
              –Capabilities of a network not available to end

• Limited business model support
              –No ad hoc, no credit card,
              –Real-time AAA interaction
Fixing some selected aspects…

• Some EAP methods are quite inefficient
• Proposed alternatives:
            – EAP-PSK (lightweight symmetric mechanism)
            – EAP-IKEv2 (flexibility & efficiency)

  Today - Subscription-based Network Access

• Network Access based on trust relationship between MN<->AAAH, AAAH
  <-> AAAL
• De facto keying architecture based on RADIUS/Diameter in relationship
  with EAP; Authentication in real-time between MN<->AAAH;
• Establishment of session keys is an important consideration for the
• NOT well suited for certain DTN architectures

• Why do so many architectures require interaction with
  the “home network”/third party?
            – Authorization provided by the home network
              (based on a dynamic set of attributes)
                         • Credits, Number of concurrent sessions, Location
                         • Attributes sent to the enforcement point (tunnel attributes, session
                           lifetime, keying material, etc.)
            – Real-time interaction required to deal with pre-paid cards,
              accounting, credit checks, re-authorization
            – Bootstrapping of keying material
• When is AAA-like interaction needed for applications?
            – Authorization decision different to network access authentication
            – When cleaner protocol separation is desired.
Re-Thinking Authorization

• What would we like to accomplish?

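[Figure: User, NAS (Network), AAA Proxy, AAA Server (Primary & Secondary Home Servers); PPP, IEEE 802.1X/.11i or IKEv2 between User and NAS; DIAMETER (RADIUS) between NAS and AAA Proxy; DIAMETER between AAA Proxy and AAA Server]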

            – Fewer roundtrips and more efficiency
              (with existing architectures)
            – Revised network access architecture
            – Avoid real-time interaction with home network
                   Avoid real-time interaction with home

Credential based Authorization

• Real-time interaction with the home
  network is not necessary if authorization
  decision can be computed locally.
• Example:
            – Authorization based on non-frequently
              changing attributes (such as roles or traits)
            – Ability to regularly push revocation lists or
              access control information to the
              enforcement points
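
An added example, not from the slides, of a local authorization decision at an enforcement point: a credential carrying slowly changing roles is checked against a pushed revocation list, with no round trip to the home network. The names `issue`, `authorize`, `MAX_CRL_AGE` and the credential fields are hypothetical, and HMAC with a provisioned key stands in for the issuer's signature so that the block needs only the standard library.

```python
import hashlib
import hmac
import json

# Assumption: key provisioned to the enforcement point by the home network.
# HMAC stands in for the issuer's signature; a deployment would verify an
# asymmetric signature so that enforcement points cannot mint credentials.
ISSUER_KEY = b"constructed-demo-key"
MAX_CRL_AGE = 7 * 24 * 3600  # policy: refuse to decide on a list older than this


def issue(claims: dict, key: bytes = ISSUER_KEY) -> dict:
    """Home network side: bind slowly changing attributes to a subject."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def authorize(cred: dict, required_role: str, crl: dict, now: int,
              key: bytes = ISSUER_KEY) -> tuple:
    """Enforcement point side: decide locally from credential and pushed list."""
    body = json.dumps(cred["claims"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred.get("mac", "")):
        return False, "bad integrity tag"
    claims = cred["claims"]
    if not claims["not_before"] <= now < claims["not_after"]:
        return False, "outside validity period"
    if now - crl["issued_at"] > MAX_CRL_AGE:
        return False, "revocation list too old"   # the last push never arrived
    if claims["serial"] in crl["revoked"]:
        return False, "revoked"
    if required_role not in claims["roles"]:
        return False, "role missing"
    return True, "ok"


# Constructed sample data.
NOW = 1_100_000_000
CRED = issue({"sub": "mn-17", "serial": 4711, "roles": ["bundle-sender"],
              "not_before": NOW - 3600, "not_after": NOW + 30 * 24 * 3600})
CRL = {"issued_at": NOW - 24 * 3600, "revoked": {1001, 1002}}

if __name__ == "__main__":
    print(authorize(CRED, "bundle-sender", CRL, NOW))
```

The `MAX_CRL_AGE` check is where the delay tolerance shows up: the longer a node may be cut off from revocation pushes, the longer a revoked credential keeps working.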
Example: Digital Coins

• Interaction between the Vendor and
  the TTP is still necessary to finally
  receive money.
• Smaller monetary amounts might
  justify batch transactions.

Challenge: Double Spending
  (Tradeoff between taken risk and
  amount of required AAA interaction)

• Efficiency gain by using hash chains
• Pay-as-you-go scheme offers cost
  control and non-repudiation

[Figure: trust relationships between three parties labelled "Trusted Third", "Network as" and "User as Customer"; relationship labels: "Long-lived or pre-established agreement", "Trust based on prior agreement or contract", "Dynamically established trust relationship"]
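
An added example, not from the slides, of hash-chain coins in the style of the PayWord micropayment scheme: the vendor checks each coin with one hash and contacts the TTP only once per batch, where double spending becomes visible. `make_chain`, `Vendor` and `TTP` are hypothetical names, and the user's signature over the chain root, which is what would provide non-repudiation, is omitted.

```python
import hashlib
import os


def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()


def make_chain(n: int, seed: bytes = b"") -> list:
    """User side: chain[i] == H(chain[i + 1]); chain[0] is the public root."""
    chain = [seed or os.urandom(32)]
    for _ in range(n):
        chain.append(H(chain[-1]))
    chain.reverse()
    return chain


class Vendor:
    """Visited network: verifies each coin locally, no AAA round trip."""

    def __init__(self, root: bytes):
        self.root, self.last, self.count = root, root, 0

    def accept(self, coin: bytes) -> bool:
        if H(coin) != self.last:      # replayed, skipped or forged coin
            return False
        self.last, self.count = coin, self.count + 1
        return True


class TTP:
    """Trusted third party: sees one claim per batch, pays each unit once."""

    def __init__(self):
        self.paid = {}                # root -> units already paid out

    def redeem(self, root: bytes, last: bytes, count: int) -> int:
        x = last
        for _ in range(count):
            x = H(x)
        if x != root:
            return 0                  # claim does not hash back to the root
        already = self.paid.get(root, 0)
        self.paid[root] = max(count, already)
        return max(0, count - already)


if __name__ == "__main__":
    chain = make_chain(5)
    a, b, ttp = Vendor(chain[0]), Vendor(chain[0]), TTP()
    print([a.accept(c) for c in chain[1:4]], [b.accept(c) for c in chain[1:3]])
    print(ttp.redeem(chain[0], a.last, a.count), ttp.redeem(chain[0], b.last, b.count))
```

Both vendors accept the same coins locally; only the first claim is paid, so the second vendor carries the loss it accepted by not contacting the TTP per payment.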

Network Access Authentication and
Relationship to other protocols
 • Network Access Authentication authenticates and
   authorizes user at the home network.

 • Protocol interaction is quite heavy-weight.

 • Session keys are sent to the visited network

 • A number of other protocols are used between
   the end host and the visited network (or related
Applicability of Bootstrapping
• How do you bind the initial authentication and
  authorization to a subsequent protocol interaction?
• If you use other protocols do you again want to re-
  run an EAP exchange back to the home network?
• Would you like to use the initial authorization for
  subsequent protocol interactions?

DTN router – A Middlebox?

“Middlebox” Traversal

[Figure: “Region” A, “Region” B and “Region” C joined by DTN Gateways; a Host in “Region” A asks "Which gateway should I use?" on the way to an End Host]
• DTN Gateway can be a DTN router, SIP proxy, enhancing proxy, HIP rendezvous server, NSIS node,
Again some things to think about…
• Discover middleboxes along the path dynamically?
            – Destination address based
            – Information within the request indicates the direction (impact on
• Register with middlebox to accomplish global reachability?
• Support mobility within one “region”?
            – DTN gateway acts as a mobility anchor point.
            – Possibly in a nested fashion?
• Reuse existing [channel] security mechanisms
  (including DoS protection)?
            – DoS protection not possible with one-shot signaling messages
• Keep state at middleboxes to speed-up subsequent protocol
            – Following the soft-state principle
• Use delegation to off-load tasks
Evaluate security of a “SIP-based” DTN
• Network Attachment
            – Security issues previously discussed
• Discovery of SIP-based DTN gateway:
            – Do you talk to a true gateway or just to the adversary? On path or not?
• Authentication and Authorization to SIP proxy
            – Traditional approach difficult (AAA infrastructure)
            – Trait-based authorization based on SAML could work
• Routing of SIP messages
            – DNS and/or DHT based => security
• End-to-end security guarantees
            – S/MIME ~ suffers from classical deployment problems

• Identifier (SIP URI) aspect requires further thoughts
            – Routing, anonymity, authorization, … (=> see next slides)

                             Identity of a Network

The Identity of a Network

• DTN (region, entity)
                    “Placing a DTN node in a particular region is an administrative decision,
                    and may be influenced by differences in protocol families, connection
                    dynamics, or administrative policies.”
• Example:
            – {,}
            – Late binding approach / intentional naming
• Region seems to be used for routing only.
            – Aggregation capability assumes that there is a structure in the identifier
• Related questions:
            –       What do you actually authenticate/authorize?
            –       Do you need to show that you belong to a certain network?
            –       How do you join?
            –       What happens if the prerequisites for adding a node to a 'region'
Network Identity
Further Examples
•         NEWARCH:
                    trust boundaries
•         IPNL:
                    Global/local address partitions
•         NSIS NATFW NSLP:
            –       Receiver behind a NAT wants to indicate that the signaling messages terminate at the outermost NAT (private
                    to public address space).
            –       Same feature for a Firewall: Really difficult to say what the boundaries are.
•         Ambient Networks project:
            –       Idea: Explicit naming; cryptographic identifiers, if possible.
•         SSID:
            –       Most administrators of WLANs do not change the default SSID (see for example [Pri04] for a study about
                    WLAN usage in London where approximately 40% of the access points are running their default SSID.)
            –       The SSID is a non-unique network name that provides only minimal information relating to the network that the
                    STA may connect to.
•         Adrangi-Network-Selection:
            –       Identity selection hints to allow mediating network selection
            –       A syntax by which mediating network information can be represented.

[Pri04]     Priest, J.: "The State of Wireless London", available at, (July 2004), March 2004.

• Delay Tolerant Networking means (like sensor networking)
  different things to different people.
• Different solutions vary a lot depending on the chosen
• Working on a security solution requires a good understanding of
  architecture and the assumptions
• Since many aspects seem to be highly application dependent it
  seems reasonable to investigate existing approaches first.

• Good thing:
            – Pick an arbitrary security mechanism
            – Apply it to the DTN in your lab
            – It will just work fine
