1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
|
Internet Engineering Task Force (IETF) J. Yi
Request for Comments: 7985 T. Clausen
Updates: 7186 Ecole Polytechnique
Category: Informational U. Herberg
ISSN: 2070-1721 November 2016
Security Threats to Simplified Multicast Forwarding (SMF)
Abstract
This document analyzes security threats to Simplified Multicast
Forwarding (SMF), including vulnerabilities of duplicate packet
detection and relay set selection mechanisms. This document is not
intended to propose solutions to the threats described.
In addition, this document updates RFC 7186 regarding threats to the
relay set selection mechanisms using the Mobile Ad Hoc Network
(MANET) Neighborhood Discovery Protocol (NHDP) (RFC 6130).
Status of This Memo
This document is not an Internet Standards Track specification; it is
published for informational purposes.
This document is a product of the Internet Engineering Task Force
(IETF). It has been approved for publication by the Internet
Engineering Steering Group (IESG). Not all documents approved by the
IESG are a candidate for any level of Internet Standard; see
Section 2 of RFC 7841.
Information about the current status of this document, any errata,
and how to provide feedback on it may be obtained at
http://www.rfc-editor.org/info/rfc7985.
Yi, et al. Informational [Page 1]
^L
RFC 7985 Security Threats for SMF November 2016
Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
3. SMF Threat Overview . . . . . . . . . . . . . . . . . . . . . 4
4. Threats to Duplicate Packet Detection . . . . . . . . . . . . 5
4.1. Attack on the Hop Limit Field . . . . . . . . . . . . . . 6
4.2. Threats to Identification-Based Duplicate Packet
Detection . . . . . . . . . . . . . . . . . . . . . . . . 7
4.2.1. Pre-Activation Attacks (Pre-Play) . . . . . . . . . . 7
4.2.2. De-activation Attacks (Sequence Number Wrangling) . . 8
4.3. Threats to Hash-Based Duplicate Packet Detection . . . . 9
4.3.1. Attack on the Hash-Assistant Value . . . . . . . . . 9
5. Threats to Relay Set Selection . . . . . . . . . . . . . . . 10
5.1. Common Threats to Relay Set Selection . . . . . . . . . . 10
5.2. Threats to the E-CDS Algorithm . . . . . . . . . . . . . 10
5.2.1. Link Spoofing . . . . . . . . . . . . . . . . . . . . 11
5.2.2. Identity Spoofing . . . . . . . . . . . . . . . . . . 11
5.3. Threats to S-MPR Algorithm . . . . . . . . . . . . . . . 11
5.4. Threats to the MPR-CDS Algorithm . . . . . . . . . . . . 12
6. Security Considerations . . . . . . . . . . . . . . . . . . . 12
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 13
7.1. Normative References . . . . . . . . . . . . . . . . . . 13
7.2. Informative References . . . . . . . . . . . . . . . . . 13
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . 15
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 15
Yi, et al. Informational [Page 2]
^L
RFC 7985 Security Threats for SMF November 2016
1. Introduction
This document analyzes security threats to Simplified Multicast
Forwarding (SMF) [RFC6621]. SMF aims at providing basic Internet
Protocol (IP) multicast forwarding in a way that is suitable for
wireless mesh and Mobile Ad Hoc Networks (MANET). SMF consists of
two major functional components: duplicate packet detection (DPD) and
relay set selection (RSS).
SMF is typically used in decentralized wireless environments and is
potentially exposed to various attacks and misconfigurations. In a
wireless environment, some of these attacks and misconfigurations
represent threats of particular significance as compared to what they
would do in wired networks. [RFC6621] briefly discusses several of
these, but does not define any explicit security measures for
protecting the integrity of the protocol.
This document is based on the assumption that no additional security
mechanism, such as IPsec, is used in the IP layer, as not all MANET
deployments may be able to support deployment of such common IP
protection mechanisms (e.g., because MANET routers may have limited
resources for supporting the IPsec stack). It also assumes that
there is no lower-layer protection. The document analyzes possible
attacks on, and misconfigurations of, SMF and outlines the
consequences of such attacks/misconfigurations to the state
maintained by SMF in each router.
In the Security Considerations section of [RFC6621], denial-of-
service-attack scenarios are briefly discussed. This document
further analyzes and describes the potential vulnerabilities of, and
attack vectors for, SMF. While completeness in such analysis is
always a goal, no claims of being complete are made. The goal of
this document is to be helpful when deploying SMF in a network and
for understanding the risks incurred, as well as for providing a
reference to and documented experience with SMF as input for possible
future developments of SMF.
This document is not intended to propose solutions to the threats
described. [RFC7182] provides a framework that can be used with SMF,
and depending on how it is used, may offer some degree of protection
against the threats related to identity spoofing described in this
document.
This document also updates [RFC7186], specifically with respect to
threats to relay set selection (RSS) mechanisms that are using MANET
NHDP [RFC6130].
Yi, et al. Informational [Page 3]
^L
RFC 7985 Security Threats for SMF November 2016
2. Terminology
This document uses the terminology and notation defined in [RFC5444],
[RFC6130], [RFC6621], and [RFC4949].
Additionally, this document introduces the following terminology:
SMF router: A MANET router, running SMF as specified in [RFC6621].
Attacker: A device that is present in the network and intentionally
seeks to compromise the information bases in SMF routers. It may
generate syntactically correct SMF control messages.
Legitimate SMF router: An SMF router that is correctly configured
and not compromised by an attacker.
3. SMF Threat Overview
An SMF router requires an external dynamic neighborhood discovery
mechanism in order to maintain suitable topological information
describing its immediate neighborhood, and thereby allowing it to
select reduced relay sets for forwarding multicast data traffic.
Such an external dynamic neighborhood discovery mechanism may be
provided by lower-layer interface information, by a concurrently
operating MANET routing protocol that already maintains such
information (e.g., [RFC7181]) or by explicitly using the MANET
Neighborhood Discovery Protocol (NHDP) [RFC6130]. If NHDP is used
for both 1-hop and 2-hop neighborhood discovery by SMF, SMF
implicitly inherits the vulnerabilities of NHDP discussed in
[RFC7186]. As SMF relies on NHDP to assist in network-layer 2-hop
neighborhood discovery (no matter if other lower-layer mechanisms are
used for 1-hop neighborhood discovery), this document assumes that
NHDP is used in SMF. The threats that are NHDP specific are
indicated explicitly.
Based on neighborhood discovery mechanisms, [RFC6621] specifies two
principal functional components: duplicate packet detection (DPD) and
relay set selection (RSS).
DPD is required by SMF in order to be able to detect duplicate
packets and eliminate their redundant forwarding. An attacker has
two ways in which to harm the DPD mechanisms. Specifically, it can:
o "deactivate" DPD, making it such that duplicate packets are not
correctly detected. As a consequence, they are (redundantly)
transmitted, which increases the load on the network, drains the
batteries of the routers involved, etc.
Yi, et al. Informational [Page 4]
^L
RFC 7985 Security Threats for SMF November 2016
o "pre-activate" DPD, making DPD detect a later arriving (valid)
packet as being a duplicate and will, therefore, not be forwarded.
Attacks on DPD can be achieved by replaying existing packets,
wrangling sequence numbers, manipulating hash values, etc.; these are
detailed in Section 4.
RSS produces a reduced relay set for forwarding multicast data
packets across a MANET. For use in SMF, [RFC6621] specifies several
relay set algorithms including E-CDS (Essential Connected Dominating
Set) [RFC5614], S-MPR (Source-Based Multipoint Relay, as known from
[RFC3626] and [RFC7181]), and MPR-CDS (Multipoint Relay Connected
Dominating Set) [MPR-CDS]. An attacker can disrupt the RSS
algorithm, and thereby the SMF operation, by degrading it to
classical flooding or by "masking" certain parts of the network from
the multicasting domain. Attacks on RSS algorithms are detailed in
Section 5.
Other than the attacks on DPD and RSS, a common vulnerability of
MANETs is "jamming", i.e., a device generates massive amounts of
interfering radio transmissions, which will prevent legitimate
traffic (e.g., control traffic as well as data traffic) on part of a
network. The attacks on DPD and RSS can be further enhanced by
jamming.
4. Threats to Duplicate Packet Detection
Duplicate packet detection (DPD) is required for packet dissemination
in MANETs because: (1) packets may be retransmitted via the same
physical interface as the one over which they were received, and (2)
a router may receive multiple copies of the same packet (on the same
or on different interfaces) from different neighbors. DPD is thus
used to check whether or not an incoming packet has been previously
received.
DPD is achieved by maintaining a record of recently processed
multicast packets, and comparing later received multicast packets
herewith. A duplicate packet detected is silently dropped and is not
inserted into the forwarding path of that router, nor is it delivered
to an application. DPD, as proposed by SMF, supports both IPv4 and
IPv6 and suggests two duplicate packet detection mechanisms for each:
1) IP packet header content identification-based DPD (I-DPD), in
combination with flow state, to estimate temporal uniqueness of a
packet, and 2) hash-based DPD (H-DPD), employing hashing of selected
IP packet header fields and payload for the same effect.
Yi, et al. Informational [Page 5]
^L
RFC 7985 Security Threats for SMF November 2016
In the Security Considerations section of [RFC6621], a selection of
threats to DPD are briefly introduced. This section expands on that
discussion and describes how to effectively launch the attacks on DPD
-- for example, by way of manipulating jitter and/or the Hash-
Assistant Value. In the remainder of this section, common threats to
packet detection mechanisms are discussed first; then, the threats to
I-DPD and H-DPD are introduced separately. The threats described in
this section are applicable to general SMF implementations,
regardless of whether NHDP is used.
4.1. Attack on the Hop Limit Field
One immediate Denial-of-Service (DoS) attack is based on manipulating
the Time-to-Live (TTL, for IPv4) or Hop Limit (for IPv6) field. As
routers only forward packets with TTL > 1, an attacker can forward an
otherwise valid packet while drastically reducing the TTL hereof.
This will inhibit recipient routers from later forwarding the same
multicast packet, even if received with a different TTL --
essentially, an attacker can thus instruct its neighbors to block the
forwarding of valid multicast packets.
For example, in Figure 1, router A forwards a multicast packet with a
TTL of 64 to the network. A, B, and C are legitimate SMF routers,
and X is an attacker. In a wireless environment, jitter is commonly
used to avoid systematic collisions in Media Access Control (MAC)
protocols [RFC5148]. An attacker can thus increase the probability
that its invalid packets arrive first by retransmitting them without
applying jitter. In this example, router X forwards the packet
without applying jitter and reduces the TTL to 1. Router C thus
records the duplicate detection value (hash value for H-DPD or the
header content of the packets for I-DPD) but does not forward the
packet (due to TTL == 1). When a second copy of the same packet,
with a non-maliciously manipulated TTL value (63 in this case),
arrives from router B, it will be discarded as a duplicate packet.
.---.
| X |
--'---' __
packet with TTL=64 / \ packet with TTL=1
/ \
.---. .---.
| A | | C |
'---' '---'
packet with TTL=64 \ .---. /
\-- | B |__/ packet with TTL=63
'---'
Figure 1
Yi, et al. Informational [Page 6]
^L
RFC 7985 Security Threats for SMF November 2016
As the TTL of a packet is intended to be manipulated by
intermediaries forwarding it, classic methods such as integrity check
values (e.g., digital signatures) are typically calculated by setting
TTL fields to some predetermined value (e.g., 0) -- for example, the
case for IPsec Authentication Headers -- rendering such an attack
more difficult to both detect and counter.
If the attacker has access to a "wormhole" through the network (a
directional antenna, a tunnel to a collaborator, or a wired
connection, allowing it to bridge parts of a network otherwise
distant), it can make sure that the packets with such an artificially
reduced TTL arrive before their unmodified counterparts.
4.2. Threats to Identification-Based Duplicate Packet Detection
I-DPD uses a specific DPD identifier in the packet header to identify
a packet. By default, such packet identification is not provided by
the IP packet header (for both IPv4 and IPv6). Therefore, additional
identification headers, such as the fragment header, a hop-by-hop
header option, or IPsec sequencing, must be employed in order to
support I-DPD. The uniqueness of a packet can then be identified by
the source IP address of the packet originator and the sequence
number (from the fragment header, hop-by-hop header option, or
IPsec). By doing so, each intermediate router can keep a record of
recently received packets and determine whether or not the incoming
packet has been received.
4.2.1. Pre-Activation Attacks (Pre-Play)
In a wireless environment, or across any other shared channel, an
attacker can perceive the identification tuple (source IP address,
sequence number) of a packet. It is possible to generate a packet
with the same (source IP address, sequence number) pair with invalid
content. If the sequence number progression is predictable, then it
is trivial to generate and inject invalid packets with "future"
identification information into the network. If these invalid
packets arrive before the legitimate packets that they are spoofing,
the latter will be treated as a duplicate and will be discarded.
This can prevent multicast packets from reaching parts of the
network.
Figure 2 gives an example of a pre-activation attack. A, B, and C
are legitimate SMF routers, and X is the attacker. The line between
the routers presents the packet forwarding. Router A is the source
and originates a multicast packet with sequence number n. When
router X receives the packet, it generates an invalid packet with the
source address of A and sequence number n. If the invalid packet
arrives at router C before the forwarding of router B, the valid
Yi, et al. Informational [Page 7]
^L
RFC 7985 Security Threats for SMF November 2016
packet will be dropped by C as a duplicate packet. An attacker can
manipulate jitter to make sure that the invalid packets arrive first.
Router X can even generate packets with future sequence numbers (if
they are predictable), so that the future legitimate packets with the
same sequence numbers will be dropped as duplicate ones.
.---.
| X |
--'---' __
packet with seq=n / \ invalid packet with seq=n
/ \
.---. .---.
| A | | C |
'---' '---'
packet with seq=n \ .---. /
\-- | B |__/ valid packet with seq=n
'---'
Figure 2
As SMF does not currently have any timestamp mechanisms to protect
data packets, there is no viable way to detect such pre-play attacks
by way of timestamps. Especially, if the attack is based on
manipulation of jitter, the validation of the timestamp would not be
helpful because the timing is still valid (but, much less valuable).
4.2.2. De-activation Attacks (Sequence Number Wrangling)
An attacker can also seek to de-activate DPD by modifying the
sequence number in packets that it forwards. Thus, routers will not
be able to detect an actual duplicate packet as a duplicate --
rather, they will treat them as new packets, i.e., process and
forward them. This is similar to DoS attacks, as each packet that is
considered unique will be multicasted: for a network with n routers,
there will be n-1 retransmissions. This can easily cause the
"broadcast storm" problem discussed in [MOBICOM99]. The consequence
of this attack is an increased channel load, the origin of which
appears to be a router other than the attacker.
Given the topology shown in Figure 2, on receiving a packet with
seq=n, the attacker X can forward the packet with a modified sequence
number n+i. This has two consequences: firstly, router C will not be
able to detect that the packet forwarded by X is a duplicate packet;
secondly, the consequent packet with seq=n+i generated by router A
will probably be treated as a duplicate packet and will be dropped by
router C.
Yi, et al. Informational [Page 8]
^L
RFC 7985 Security Threats for SMF November 2016
4.3. Threats to Hash-Based Duplicate Packet Detection
When explicit sequence numbers in packet headers is undesired, hash-
based DPD can be used. A hash of the non-mutable fields in the
header of the data payload can be generated and recorded at the
intermediate routers. A packet can thus be uniquely identified by
the source IP address of the packet and its hash-value.
The hash algorithm used by SMF is being applied only to provide a
reduced probability of collision and is not being used for
cryptographic or authentication purposes. Consequently, a digest
collision is still possible. In case the source router or gateway
identifies that it has recently generated or injected a packet with
the same hash-value, it inserts a "Hash-Assist Value (HAV)" IPv6
header option into the packet, such that also calculating the hash
over this HAV will render the resulting value unique.
4.3.1. Attack on the Hash-Assistant Value
The HAV header is helpful when a digest collision happens. However,
it also introduces a potential vulnerability. As the HAV option is
only added when the source or the ingress SMF router detects that the
incoming packet has digest collision with previously generated
packets, it can actually be regarded as a "flag" of potential digest
collision. An attacker can discover the HAV header and be able to
conclude that a hash collision is possible if the HAV header is
removed. By doing so, the modified packet received by other SMF
routers will be treated as duplicate packets and will be dropped
because they have the same hash value as previously received packets.
In the example shown in Figure 3, routers A and B are legitimate SMF
routers; X is an attacker. Router A generates two packets, P1 and
P2, with the same hash value h(P1)=h(P2)=x. Based on the SMF
specification, a HAV is added to the latter packet P2, so that
h(P2+HAV)=x' avoids digest collision. When the attacker X detects
the HAV of P2, it is able to conclude that a collision is possible by
removing the HAV header. By doing so, packet P2 will be treated as a
duplicate packet by router B and will be dropped.
P2 P1 P2 P1
.---. h(P2+HAV)=x' h(P1)=x .---. h(P2)=x h(P1)=x .---.
| A |---------------------------> | X | ----------------------> | B |
`---' `---' `---'
Figure 3
Yi, et al. Informational [Page 9]
^L
RFC 7985 Security Threats for SMF November 2016
5. Threats to Relay Set Selection
A framework for an RSS mechanism, rather than a specific RSS
algorithm, is provided by SMF. Relay Set Selection is normally
achieved by distributed algorithms that can dynamically generate a
topological Connected Dominating Set based on 1-hop and 2-hop
neighborhood information. In this section, common threats to the RSS
framework are first discussed. Then specific threats to the three
algorithms (Essential Connection Dominating Set (E-CDS), Source-Based
Multipoint Relay (S-MPR), and Multipoint Relay Connected Dominating
Set (MPR-CDS)) explicitly enumerated by [RFC6621] are analyzed. As
the relay set selection is based on 1-hop and 2-hop neighborhood
information, which rely on NHDP, the threats described in this
section are NHDP specific.
5.1. Common Threats to Relay Set Selection
Non-algorithm-specific threats to RSS algorithms, including DoS
attacks, eavesdropping, message timing attacks, and broadcast storm,
are discussed in [RFC7186].
5.2. Threats to the E-CDS Algorithm
The "Essential Connected Dominating Set" (E-CDS) algorithm [RFC5614]
forms a single CDS mesh for an SMF operating region. This algorithm
requires 2-hop neighborhood information (the identity of the
neighbors, the link to the neighbors, and the neighbors' priority
information), as collected through NHDP or another process.
An SMF router will select itself as a relay, if:
o The SMF router has a higher priority than all of its symmetric
neighbors, or
o A path from the neighbor with the largest priority to any other
neighbor via neighbors with greater priority than the current
router does not exist.
An attacker can disrupt the E-CDS algorithm by link spoofing or
identity spoofing.
Yi, et al. Informational [Page 10]
^L
RFC 7985 Security Threats for SMF November 2016
5.2.1. Link Spoofing
Link spoofing implies that an attacker advertises non-existing links
to another router (which may or may not be present in the network).
An attacker can declare itself to have high route priority and spoof
the links to as many legitimate SMF routers as possible to declare
high connectivity. By doing so, it can prevent legitimate SMF
routers from selecting themselves as relays. As the "super" relay in
the network, the attacker can manipulate the traffic it relays.
5.2.2. Identity Spoofing
Identity spoofing implies that an attacker determines and makes use
of the identity of other legitimate routers, without being authorized
to do so. The identity of other routers can be obtained by
eavesdropping the control messages or the source/destination address
from datagrams. The attacker can then generate control or datagram
traffic by pretending to be a legitimate router.
Because E-CDS self-selection is based on the router priority value,
an attacker can spoof the identity of other legitimate routers and
declare a different router priority value. If it declares that a
spoofed router has a higher priority, it can prevent other routers
from selecting themselves as relays. On the other hand, if the
attacker declares that a spoofed router has a lower priority, it can
force other routers to select themselves as relays to degrade the
multicast forwarding to classical flooding.
5.3. Threats to S-MPR Algorithm
The S-MPR set selection algorithm enables individual routers, using
2-hop topology information, to select relays from among their set of
neighboring routers. MPRs are selected by each router such that a
message generated by it, and relayed only by its MPRs, will reach all
of its 2-hop neighbors.
An SMF router forwards a multicast packet if and only if:
o the packet has not been received before, and
o the neighbor from which the packet was received has selected the
router as MPR.
Because MPR calculation is based on the willingness declared by the
SMF routers and the connectivity of the routers, it can be disrupted
by both link spoofing and identity spoofing. These threats and their
impacts have been illustrated in Section 5.1 of [RFC7186].
Yi, et al. Informational [Page 11]
^L
RFC 7985 Security Threats for SMF November 2016
5.4. Threats to the MPR-CDS Algorithm
MPR-CDS is a derivative from S-MPR. The main difference between
S-MPR and MPR-CDS is that while S-MPR forms a different broadcast
tree for each source in the network, MPR-CDS forms a unique broadcast
tree for all sources in the network.
As MPR-CDS combines E-CDS and S-MPR and the simple combination of the
two algorithms does not address the weaknesses; the vulnerabilities
of E-CDS and S-MPR that are discussed in Sections 5.2 and 5.3 apply
to MPR-CDS also.
6. Security Considerations
This document does not specify a protocol or a procedure. The whole
document, however, reflects on security considerations for SMF
regarding packet dissemination in MANETs. Possible attacks to the
two main functional components of SMF, duplicate packet detection,
and relay set selection are analyzed and documented.
Although neither [RFC6621] nor this document propose mechanisms to
secure the SMF protocol, there are several possibilities to secure
the protocol in the future and drive new work by suggesting which
threats discussed in the previous sections could be addressed.
For the I-DPD mechanism, employing randomized packet sequence numbers
can avoid some pre-activation attacks based on sequence number
prediction. If predicable sequence numbers have to be used, applying
timestamps can mitigate pre-activation attacks.
For the H-DPD mechanism, applying cryptographically strong hashes can
make the digest collisions effectively impossible, and it can avoid
the use of a HAV.
[RFC7182] specifies a framework for representing cryptographic
Integrity Check Values (ICVs) and timestamps in MANETs. Based on
[RFC7182], [RFC7183] specifies integrity and replay protection for
NHDP using shared keys as a mandatory-to-implement security
mechanism. If SMF is using NHDP as the neighborhood discovery
protocol, implementing [RFC7183] remains advisable so as to enable
integrity protection for NHDP control messages. This can help
mitigate threats related to identity spoofing through the exchange of
HELLO messages and provide some general protection against identity
spoofing by admitting only trusted routers to the network using ICVs
in HELLO messages.
Yi, et al. Informational [Page 12]
^L
RFC 7985 Security Threats for SMF November 2016
Using ICVs does not, of course, address the problem of attackers able
to also generate valid ICVs. Detection and exclusion of such
attackers is, in general, a challenge that is not unrelated to how
[RFC7182] is used. If, for example, it is used with a shared key (as
per [RFC7183]), excluding single attackers generally is not aided by
the use of ICVs. However, if routers have sufficient capabilities to
support the use of asymmetric keys (as per [RFC7859]), part of
addressing this challenge becomes one of providing key revocation in
a way that does not in itself introduce additional vulnerabilities.
As [RFC7183] does not protect the integrity of the multicast user
datagram, and as no mechanism is specified by SMF for doing so,
duplicate packet detection remains vulnerable to the threats
introduced in Section 4.
If pre-activation/de-activation attacks and attacks on the HAV of the
multicast datagrams are to be mitigated, a datagram-level integrity
protection mechanism is desired, by taking consideration of the
identity field or HAV. However, this would not be helpful for the
attacks on the TTL (or Hop Limit for IPv6) field, because the mutable
fields are generally not considered when ICV is calculated.
7. References
7.1. Normative References
[RFC6130] Clausen, T., Dearlove, C., and J. Dean, "Mobile Ad Hoc
Network (MANET) Neighborhood Discovery Protocol (NHDP)",
RFC 6130, DOI 10.17487/RFC6130, April 2011,
<http://www.rfc-editor.org/info/rfc6130>.
[RFC6621] Macker, J., Ed., "Simplified Multicast Forwarding",
RFC 6621, DOI 10.17487/RFC6621, May 2012,
<http://www.rfc-editor.org/info/rfc6621>.
[RFC7186] Yi, J., Herberg, U., and T. Clausen, "Security Threats for
the Neighborhood Discovery Protocol (NHDP)", RFC 7186,
DOI 10.17487/RFC7186, April 2014,
<http://www.rfc-editor.org/info/rfc7186>.
7.2. Informative References
[MOBICOM99]
Ni, S., Tseng, Y., Chen, Y., and J. Sheu, "The broadcast
storm problem in a mobile ad hoc network", MobiCom
'99 Proceedings of the 5th annual ACM/IEEE international
conference on Mobile computing and networking,
DOI 10.1145/313451.313525, 1999.
Yi, et al. Informational [Page 13]
^L
RFC 7985 Security Threats for SMF November 2016
[MPR-CDS] Adjih, C., Jacquet, P., and L. Viennot, "Computing
Connected Dominating Sets with Multipoint Relays", Journal
of Ad Hoc and Sensor Wireless Networks 2002, January 2002.
[RFC3626] Clausen, T., Ed. and P. Jacquet, Ed., "Optimized Link
State Routing Protocol (OLSR)", RFC 3626,
DOI 10.17487/RFC3626, October 2003,
<http://www.rfc-editor.org/info/rfc3626>.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
<http://www.rfc-editor.org/info/rfc4949>.
[RFC5148] Clausen, T., Dearlove, C., and B. Adamson, "Jitter
Considerations in Mobile Ad Hoc Networks (MANETs)",
RFC 5148, DOI 10.17487/RFC5148, February 2008,
<http://www.rfc-editor.org/info/rfc5148>.
[RFC5444] Clausen, T., Dearlove, C., Dean, J., and C. Adjih,
"Generalized Mobile Ad Hoc Network (MANET) Packet/Message
Format", RFC 5444, DOI 10.17487/RFC5444, February 2009,
<http://www.rfc-editor.org/info/rfc5444>.
[RFC5614] Ogier, R. and P. Spagnolo, "Mobile Ad Hoc Network (MANET)
Extension of OSPF Using Connected Dominating Set (CDS)
Flooding", RFC 5614, DOI 10.17487/RFC5614, August 2009,
<http://www.rfc-editor.org/info/rfc5614>.
[RFC7181] Clausen, T., Dearlove, C., Jacquet, P., and U. Herberg,
"The Optimized Link State Routing Protocol Version 2",
RFC 7181, DOI 10.17487/RFC7181, April 2014,
<http://www.rfc-editor.org/info/rfc7181>.
[RFC7182] Herberg, U., Clausen, T., and C. Dearlove, "Integrity
Check Value and Timestamp TLV Definitions for Mobile Ad
Hoc Networks (MANETs)", RFC 7182, DOI 10.17487/RFC7182,
April 2014, <http://www.rfc-editor.org/info/rfc7182>.
[RFC7183] Herberg, U., Dearlove, C., and T. Clausen, "Integrity
Protection for the Neighborhood Discovery Protocol (NHDP)
and Optimized Link State Routing Protocol Version 2
(OLSRv2)", RFC 7183, DOI 10.17487/RFC7183, April 2014,
<http://www.rfc-editor.org/info/rfc7183>.
[RFC7859] Dearlove, C., "Identity-Based Signatures for Mobile Ad Hoc
Network (MANET) Routing Protocols", RFC 7859,
DOI 10.17487/RFC7859, May 2016,
<http://www.rfc-editor.org/info/rfc7859>.
Yi, et al. Informational [Page 14]
^L
RFC 7985 Security Threats for SMF November 2016
Acknowledgments
The authors would like to thank Christopher Dearlove (BAE Systems
ATC) who provided detailed review and valuable comments.
Authors' Addresses
Jiazi Yi
Ecole Polytechnique
91128 Palaiseau Cedex
France
Phone: +33 1 77 57 80 85
Email: jiazi@jiaziyi.com
URI: http://www.jiaziyi.com/
Thomas Heide Clausen
Ecole Polytechnique
91128 Palaiseau Cedex
France
Phone: +33 6 6058 9349
Email: T.Clausen@computer.org
URI: http://www.thomasclausen.org/
Ulrich Herberg
Email: ulrich@herberg.name
URI: http://www.herberg.name/
Yi, et al. Informational [Page 15]
^L
|