Eunsoo Shim, Jens-Peter Redlich, and Richard D. Gitlin

Secure Candidate Access Router Discovery

CCRL, NEC USA, Inc.

4 Independence Way, Princeton, NJ08540USA

Abstract--The Candidate Access Router (CAR) discovery protocol is designed for use in wireless IP networks to dynamically collect information about neighboring access routers and their capabilities, which enables mobile nodes to execute low-latency handoffs and to select the target access router intelligently. This paper presents our security analysis of the currently published CAR discovery approaches, as well as a new approach that uses geographical information and novel security mechanisms.

Methods Keywords—System design

Keywords-- Access Router, Neighbor, CAR, Discovery, Security, Wireless

I. INTRODUCTION

The number of wireless network users has grown rapidly. In particular, the number of wireless Internet terminals is expected to exceed that of fixed Internet terminals soon. At the same time, the wireless access network environment has become heterogeneous, and this tendency is continuing. One of the fundamental differences between the wireless Internet and the wired Internet is mobility support. A key requirement for a high level of Quality of Service (QoS) in wireless networks is low-latency handoff, since large handoff latencies may cause considerable quality degradation. MobileIP [14] is most likely to become the Internet standard for mobility support, and the MobileIP working group of the IETF has proposed a low-latency handoff mechanism [11] that can reduce handoff latency significantly compared to base MobileIP. However, the proposed low-latency handoff mechanism requires knowledge of the IP address of the target AR (access router), or of the foreign agent in the MobileIPv4 case, while the MN (mobile node) is still attached to the current AR. Unless we assume soft handoff capability in the underlying L2 wireless technologies, the MN can know only the L2 ID (layer 2 identity, such as a MAC address) of the target BS (base station) associated with the target AR. So the low-latency handoff mechanism requires a mapping from the L2 ID of the BS to the IP address of the target AR during the handoff procedure.

There are cases when a MN is in a location where the signals from multiple BSs are above the reception threshold. The BSs could be using the same or different wireless technologies. The latter is often the case in heterogeneous wireless overlay networks, such as a wireless network consisting of GSM/CDMA cellular networks and WLANs. In such a case, selecting a BS based on signal strength alone does not make much sense. There are many attributes of the link to each BS, or of the associated AR, that can affect the preference, such as price, available bandwidth, account requirements, protocol support, and the availability of certain other features. Simply communicating with all the available BSs is not preferable in most cases, since the mobile user may have to pay more and/or the overall system capacity is reduced. The MN may talk to the AR or the NAS (network access server) associated with each BS one by one, find out all such attributes and then choose an AR. But this process may disrupt the application traffic if the MN's wireless interface(s) cannot support simultaneous access and must complete the L2 attachment procedure on each wireless link just for a short message exchange. In this case, the information exchange is also not power-efficient compared to the case where the necessary information is given to the MN through the currently active wireless link. So it is desirable for the MN to be able to collect the information about the available BSs and the associated ARs via the currently active air link.

Also, when a dual-interface MN supporting, for example, GSM and WLAN is in a GSM-only coverage area, the MN will likely turn off the WLAN interface to save power. Consequently, the MN cannot know about the availability of WLAN coverage even if it enters a WLAN coverage area. In this case, it is desirable for the AR to inform the MN of the WLAN coverage availability.

When a BS or AR is congested because too many MNs are attached, the network may pursue load balancing by guiding some of the MNs to hand over to other attachment points. This requires that the network know the congestion states or resource statuses of the BSs or ARs to which the MNs can hand over without moving.

For simplicity of presentation, we will hereafter refer to the L2 ID of a BS associated with a certain AR as the AR's L2 ID. An AR can then have multiple L2 IDs if it serves multiple BSs. One obvious solution to all the problems mentioned above is a static configuration in which information such as the IP addresses and the L2 IDs of all the ARs that can be a target AR in a handoff is statically configured at each AR, or even at each MN. Such a static configuration is inflexible and may not be a viable solution where the target AR belongs to a different administrative authority. This reasoning leads us to a mechanism for dynamic collection of the information about the possible target ARs. The CAR (candidate access router) discovery protocol has been proposed for this application, and [22] describes the scope of the protocol and related issues.

A candidate AR is an AR to which a MN can hand over from the current access router, that is, a candidate for the target access router in the next handoff. We define the AR coverage area as the union of the coverage areas of the BSs associated with the AR. We use "AR IP address" hereafter to represent anything equivalent to the IP-level identity of the AR that enables IP-based communication with the target AR. The coverage of a CAR therefore overlaps at least partially with that of the current AR to which the MN is attached. The set of candidate ARs can differ for each MN, since each MN may support different wireless access technologies. Whereas the candidate AR is defined from the viewpoint of a MN, the neighboring AR is defined from the viewpoint of an AR. A neighboring AR is an AR that can be a candidate AR of a MN that is currently being served, or can be served, by the current AR. So the set of neighboring ARs of an AR includes all of the candidate ARs of every MN the AR can serve. Also, as the term "neighboring" indicates, the neighboring access routers can be described as the ARs whose geographical coverage overlaps at least partially with, or is adjacent to, that of the current AR.

One thing to notice is that a neighboring access router does not have to be a neighbor in the wired network. It can be several hops away or in a different administrative domain. That is why the IP routing protocol cannot be used for CAR discovery. The CAR discovery protocol is one of the charter items of the SeaMoby working group in the IETF, and several proposals have already been submitted [2] [21]. Still, the work is quite preliminary, and security issues have not been thoroughly analyzed and addressed yet. This paper presents our security analysis of the currently published CAR discovery approaches, as well as a new approach that uses geographical information and novel security mechanisms.

In this paper, we briefly review the security issues and measures for protocols used for dynamic discovery in the Internet, in particular the Internet routing protocols and the ARP protocol. Then we review possible CAR discovery mechanisms, including the two proposals under discussion in the IETF, analyze the security threats to these mechanisms, and investigate the requirements for secure CAR discovery. A brief conclusion is followed by a discussion of other remaining issues of CAR discovery.

II. Related work

There are many protocols in the Internet for dynamic discovery of certain network entities. To list a few examples, there are the Internet routing protocols such as OSPF [8] and BGP [16], the ARP protocol [15], the service location protocol [23], and IPv6's neighbor discovery protocol [12]. It is generally the case that whenever information is to be discovered dynamically, there are security issues. The routing protocols are the core signaling protocols of the Internet, and thus protection of the routing protocols is critical for the correct operation of the Internet.

Wrong routing information can result in congestion of a link by advertising the link as the best route to many networks. Or it can cause unnecessary traffic overhead by generating routes containing loops or paths longer than necessary; in this case, packets will be discarded due to timeouts and longer delays will result. Of particular significance is that a portion of the network may look unreachable even when usable routes exist [10].

Kumar [6] analyzed the security requirements of network routing protocols and identified two sources of attacks: subverted routers and subverted links. He proposed neighbor-to-neighbor digital signatures on routing updates, the addition of sequence numbers and timestamps to the updates, and the addition of acknowledgements and retransmissions of routing updates for distance-vector routing protocols. Kumar and Crowcroft [7] analyzed the security threats and security measures of the IDRP, in particular link-level encryption on inter-domain links. Digital signatures using public keys on routing messages were proposed by Perlman [13], Murphy and Badger [9] [10], Kent et al. [5], Smith and Garcia-Luna-Aceves [19], and others to provide authentication of the routing messages. Sequence numbers and/or timestamps in the routing messages are used to prevent replay attacks. OSPF can detect a false advertisement about a nonexistent link if only one router distributes the information; it cannot if two routers cooperate, but the damage in that case is very limited. A more serious case is when a router advertises a subnet which does not exist, and thus authorization is introduced for advertising that subnet. In particular, [10] authorizes a router to advertise a certain address range with a certificate issued by the parent organization owning the address range, since it is required to verify whether the router is supposed to advertise a certain set of reachable prefixes; the authorization is done at each level of the domain hierarchy along the address hierarchy, with the ICANN as the root authority. Authorization prevents a router from advertising an address space illegitimately, but it cannot prevent a router from omitting a certain address space from its UPDATE messages. So authorization is crucial for secure routing, even though the infrastructure requirement and the computational overhead for verifying the certificates or signatures are substantial. However, it still cannot be verified whether the advertised topology or route information is 100% correct and complete.

III. Approaches for CAR discovery

CAR discovery can be divided into two steps: discovering the IP address (or IP-level identity) of the neighboring AR, and then finding out the capabilities of that AR. Once two neighboring ARs know each other's IP address, they can exchange information about their capabilities. We focus on how to discover the IP address of the neighboring AR. We pursue distributed and scalable mechanisms, and thus we require that each AR collect the information about its own neighboring ARs.

There are three cases in which we can say an AR is a neighboring AR of another AR. The first case is when a MN detects, at the same location, the L2 beacons from two base stations associated with the two ARs respectively. The second case is when a MN is handed over from/to the AR to/from the other AR. The third case is when the coverage area of the AR overlaps with that of the current AR. So we can list three approaches for CAR discovery: L2 Beacon-Based Discovery, Handoff-Based Discovery and Geographical Information-Based Discovery.

A. L2 Beacon-Based Discovery

The MN receives the L2 beacons of the neighboring ARs and informs the current AR of the L2 identities included in those beacons. Then the current AR sends an inquiry containing the L2 identity using multicast in the wired network, and the corresponding access router replies with its IP address [2]. This mechanism is depicted in Figure 1. It is very similar to the ARP protocol. One can notice that it may cause too much traffic overhead if the multicast inquiry messages cross domain boundaries. As mentioned above, geographical adjacency is independent of domain boundaries, and thus an inter-domain search is inevitable. One can improve the protocol by having a per-domain discovery agent that handles inter-domain inquiries. That is, the access router sends an inquiry by unicast to the per-domain discovery agent, and the agent sends a multicast inquiry within the local domain if it does not already have an answer. Also, if the discovery agent does not get a response from the local-domain ARs, it sends an inquiry to the discovery agents in other domains using multicast. Each discovery agent may answer the inquiry itself or send an inquiry to its own domain's ARs using multicast. This mechanism has much less traffic overhead, since far fewer nodes participate in the inter-domain multicasting, but it introduces more infrastructure requirements and complexity. Furthermore, we can introduce multi-level hierarchies among discovery agents to reduce the traffic overhead further, and the traffic overhead will be significantly reduced as the system converges, that is, when most access routers have already replied to the discovery agents.
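The following simulation is an added example, not code from the paper or from any IETF draft; it models the improved beacon-based mechanism with a per-domain discovery agent. The topology, IP addresses, L2 IDs and the message counter are constructed for the simulation; the agent's cache is what makes the overhead fall as the system converges.

```python
"""Added example: simulation of L2 beacon-based CAR discovery with per-domain
discovery agents. The topology, addresses and L2 IDs below are constructed for
the simulation and are not taken from the paper."""
from dataclasses import dataclass, field


@dataclass
class AccessRouter:
    ip: str
    domain: str
    l2_ids: set                                      # L2 IDs of the BSs this AR serves
    car_table: dict = field(default_factory=dict)    # L2 ID -> IP of the neighboring AR


class DiscoveryAgent:
    """Per-domain agent: answers from its cache, otherwise multicasts an inquiry in
    its own domain, and for an unanswered inquiry multicasts to the peer-domain agents."""

    def __init__(self, domain, routers):
        self.domain = domain
        self.routers = routers
        self.cache = {}            # L2 ID -> AR IP learned from earlier replies
        self.peers = []            # discovery agents of other domains
        self.multicasts_sent = 0   # constructed counter showing how caching cuts traffic

    def answer_locally(self, l2_id):
        if l2_id in self.cache:
            return self.cache[l2_id]
        self.multicasts_sent += 1                    # intra-domain multicast inquiry
        for ar in self.routers:
            if l2_id in ar.l2_ids:                   # only the AR serving the L2 ID replies
                self.cache[l2_id] = ar.ip
                return ar.ip
        return None

    def resolve(self, l2_id):
        ip = self.answer_locally(l2_id)
        if ip is None and self.peers:
            self.multicasts_sent += 1                # one inter-domain multicast to all peers
            for peer in self.peers:
                ip = peer.answer_locally(l2_id)
                if ip is not None:
                    self.cache[l2_id] = ip
                    break
        return ip


def discover(current_ar, reported_l2_ids, agent):
    """The MN reported the L2 IDs heard in beacons; the current AR unicasts one
    inquiry per unknown L2 ID to its domain's agent and records the answers."""
    for l2_id in reported_l2_ids:
        if l2_id in current_ar.l2_ids or l2_id in current_ar.car_table:
            continue                                 # own BS or already known: no inquiry
        ip = agent.resolve(l2_id)
        if ip is not None:
            current_ar.car_table[l2_id] = ip
    return dict(current_ar.car_table)


def run_demo():
    ar1 = AccessRouter("10.0.1.1", "A", {"bs-a1"})
    ar2 = AccessRouter("10.0.1.2", "A", {"bs-a2"})
    ar3 = AccessRouter("10.0.2.1", "B", {"bs-b1"})
    agent_a = DiscoveryAgent("A", [ar1, ar2])
    agent_b = DiscoveryAgent("B", [ar3])
    agent_a.peers.append(agent_b)
    agent_b.peers.append(agent_a)
    # A MN at ar1 hears beacons from bs-a2 (same domain), bs-b1 (domain B) and
    # bs-zz, a constructed L2 ID that no AR serves.
    first = discover(ar1, ["bs-a2", "bs-b1", "bs-zz"], agent_a)
    after_first = (agent_a.multicasts_sent, agent_b.multicasts_sent)
    # A MN at ar2 later hears bs-b1: the agent answers from its cache, no multicast.
    second = discover(ar2, ["bs-b1"], agent_a)
    after_second = (agent_a.multicasts_sent, agent_b.multicasts_sent)
    return first, after_first, second, after_second


if __name__ == "__main__":
    print(run_demo())
```

Note that an unresolvable L2 ID (`bs-zz`) costs an intra-domain and an inter-domain multicast every time a MN reports it, because a negative answer is never cached; a deployment would want to rate-limit inquiries per MN and per L2 ID so that bogus beacon reports cannot be turned into multicast traffic.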

B. Handoff-Based Discovery

This idea is shown in [17][18][21] and depicted in Figure 2. The MN hands over from AR to AR and thus comes to know the IP addresses of neighboring ARs. In its most straightforward form, the MN remembers the IP address of the AR to which it was previously attached (the old AR) and relays this information, after the handoff, to the AR to which it is currently attached (the current AR). The current AR thereby learns the IP address of the old AR. The current AR then informs the old AR of the current AR's IP address, so that the old AR also learns of the current AR as a neighbor. A variation of this mechanism is that the MN informs the old AR of the current AR's IP address directly via the wired network; then the old AR learns the IP address of the current AR. Who discovers whom in this approach is a subtle distinction, but it affects the security requirements and the details of the protocol.
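The two variants, written out as message flows, in an added example that is not code from the paper or from the cited drafts. The addresses and MN identifiers are constructed, and the check that an AR accepts a neighbor notification only for a MN it actually served is an assumption introduced here to make the "who discovers whom" distinction visible.

```python
"""Added example: the two variants of handoff-based CAR discovery as message
flows between a MN, its old AR and its current AR. Addresses and MN identifiers
are constructed; the served-MN check is an assumption, not from the paper."""
from dataclasses import dataclass, field


@dataclass
class AccessRouter:
    ip: str
    neighbors: set = field(default_factory=set)    # IPs of ARs discovered as neighbors
    served_mns: set = field(default_factory=set)   # MNs that have attached to this AR

    def attach(self, mn_id):
        self.served_mns.add(mn_id)

    def neighbor_notification(self, from_ip, mn_id):
        """Record `from_ip` as a neighbor, but only if the MN cited in the
        notification really was served here (assumed plausibility check)."""
        if mn_id not in self.served_mns:
            return False
        self.neighbors.add(from_ip)
        return True


def variant_via_current_ar(mn_id, old_ar, current_ar):
    """MN -> current AR: 'my old AR was old_ar.ip'.
    current AR -> old AR: 'I am current_ar.ip; mn_id just came from you'.
    Both ARs end up knowing each other."""
    current_ar.attach(mn_id)
    current_ar.neighbors.add(old_ar.ip)               # current AR discovers old AR
    return old_ar.neighbor_notification(current_ar.ip, mn_id)   # old AR discovers current AR


def variant_mn_to_old_ar(mn_id, old_ar, current_ar):
    """MN -> old AR (via the wired network): 'I am now attached to current_ar.ip'.
    Only the old AR discovers the current AR."""
    current_ar.attach(mn_id)
    return old_ar.neighbor_notification(current_ar.ip, mn_id)


if __name__ == "__main__":
    old, new = AccessRouter("10.0.1.1"), AccessRouter("10.0.1.2")
    old.attach("mn-1")
    print(variant_via_current_ar("mn-1", old, new), old.neighbors, new.neighbors)
```

In the first variant the notification reaches the old AR from another AR; in the second it comes from the MN itself, which is why the two variants have different security requirements even though both fill the same neighbor table.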

C. Geographical Information-Based Discovery

Since we are ultimately dealing with geographical overlap of AR coverage areas, one may think that the location and the coverage area shape and size of the ARs could be distributed, and that each AR could figure out its neighboring ARs from this information. The location information and the coverage area shape and size would have to be configured statically. In this case, the ARs would flood the information among themselves using multicast, as a link-state routing protocol such as OSPF does. OSPF can use broadcasting since it advertises on its local links, but the CAR discovery mechanism has to use multicast since the ARs are remotely distributed in the wired network. A problem with this approach is that the coverage shape and area are not easy to define precisely. Often they are affected by geographical objects such as buildings or walls. The coverage area does not look like a circle in many cases, even if we consider only two dimensions. It becomes much more complicated if we consider three-dimensional coverage, which is necessary for WLANs in multi-story buildings. Another problem with this approach is that the flooding of the geographical information is not scalable across domain boundaries. So we need to introduce something like an inter-domain CAR discovery protocol for the information flooding. The inter-domain CAR discovery agents would have to be configured to exchange the information with the discovery agents of those domains which have ARs neighboring the ARs of the local domain. That is, the administrator would have to know in advance which domains will have ARs adjacent to the ARs of the local domain. This approach diminishes the meaning of dynamic discovery. Also, the geographical information cannot be summarized: essentially all of the information of one domain has to be flooded to another domain. Since a domain may have multiple geographically neighboring domains, this could be a large enough volume of information to raise a scalability concern.

This approach is distinguished from the former two approaches in that it does not rely on the MN at all. On the other hand, although having GPS equipment would not be a problem for operators or big corporations, it is not a simple matter for small offices or home WLAN users, unless the BS is equipped with the GPS terminal function. This is another disadvantage of this mechanism.
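The neighbor computation that this approach implies, as an added example that is not code from the paper. It approximates each BS coverage area by a sphere in three dimensions, so that WLAN cells on different floors of a building are distinguished; the paper points out that real coverage is not circular, so this is a deliberate simplification. The coordinates, radii, domains and addresses are constructed, and the merged list of advertisements stands for the link-state database that intra- and inter-domain flooding would have produced.

```python
"""Added example: computing neighboring ARs from statically configured coverage
information distributed link-state style. Spheres are a simplification of the
real coverage shape. All coordinates, radii and addresses are constructed."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Coverage:
    x: float
    y: float
    z: float          # height in metres, e.g. the floor of a building
    radius: float     # metres


@dataclass(frozen=True)
class Advertisement:
    ar_ip: str
    domain: str
    coverages: tuple  # one Coverage per BS this AR serves


def spheres_overlap(a, b, margin=0.0):
    """True if the two coverage spheres overlap or lie within `margin` metres
    of each other (adjacent coverage counts as neighboring)."""
    return math.dist((a.x, a.y, a.z), (b.x, b.y, b.z)) <= a.radius + b.radius + margin


def ars_overlap(adv_a, adv_b, margin=0.0):
    """An AR's coverage is the union of its BS coverages, so any pair suffices."""
    return any(spheres_overlap(ca, cb, margin)
               for ca in adv_a.coverages for cb in adv_b.coverages)


def compute_neighbors(own, link_state_db, margin=0.0):
    """Neighbor set of `own` from the flooded advertisements (own entry excluded)."""
    return sorted(adv.ar_ip for adv in link_state_db
                  if adv.ar_ip != own.ar_ip and ars_overlap(own, adv, margin))


def build_db():
    """Constructed link-state database after flooding within domain A and from
    domain B; ar4..ar6 would be absent without the inter-domain exchange."""
    return [
        Advertisement("10.0.1.1", "A", (Coverage(0, 0, 0, 100),)),      # macro cell
        Advertisement("10.0.1.2", "A", (Coverage(150, 0, 0, 60),)),     # overlaps ar1
        Advertisement("10.0.1.3", "A", (Coverage(400, 0, 0, 50),)),     # 250 m beyond ar1's edge
        Advertisement("10.0.2.1", "B", (Coverage(0, 90, 0, 20),)),      # other domain, overlaps ar1
        Advertisement("10.0.2.2", "B", (Coverage(300, 300, 0, 15),)),   # WLAN, ground floor
        Advertisement("10.0.2.3", "B", (Coverage(300, 300, 45, 15),)),  # WLAN, 45 m up, same x/y
    ]


if __name__ == "__main__":
    db = build_db()
    print(compute_neighbors(db[0], db))            # ar1's neighbors
    print(compute_neighbors(db[4], db))            # the two WLAN APs: overlap in 2D only
```

The last pair shows why the third dimension matters: the two WLAN APs share the same x/y position and would be neighbors in a two-dimensional model, but 45 m of vertical separation exceeds their combined radius. A non-zero `margin` implements the "adjacent coverage" part of the definition, and the example generalizes to any number of BSs per AR because an AR's coverage is treated as the union of its BS coverages.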

IV. Security threat analysis and security requirements

What harm could the attackers achieve regarding the CAR discovery protocol?

First, the attacker may have false information inserted into the CAR table or the neighbor table, which holds the information about the neighboring ARs. If the table is filled with garbage, the table becomes useless and all the advantages of CAR discovery disappear. For example, low-latency handoff using the CAR table will fail. If the information in the CAR table is used to guide the MN in its search for target ARs, a corrupted CAR table results in misguidance of the MNs. The attacker may pursue blocking of handoffs to a certain AR, or lure the MNs into handing over to a certain AR from which the attacker can learn the passwords of other mobile users. Or the AR may simply not exist, and the MNs may waste power searching for a nonexistent AR.