In order to get the end-to-end security solutions to work properly,
we need an additional security solution at the network infrastructure
level that maximizes the reachability (i.e., possibility of two
legitimate nodes to communicate regardless their location on the network)
in all situations. Thus, the network shall carry only recently sent,
unmodified packets of legitimate nodes. All other packets shall be
discarded, preferably, already in the next hop neighboring router.
In addition to the dramatically reduced network load, this early error
detection enables us to detect compromised nodes faster.
Following requirements have been identified for the new
security protocol to protect the network infrastructure.
DG1: Survivable in dynamic environment:
The solution shall be capable of operating in a very dynamic
environment, such as ad hoc networks, where packets can be
routed via alternative routes and where intermediate nodes
may be changed at any time. Hence, we can't expect of seeing all
packets of the communication via the same route. Especially, we
must be capable operating in a case where next packet's route
is different than the previous packets and new intermediate
routers has no knowledge or history of the content of the previous
DG2: Survivable in hostile environment:
One operating environment is wireless communication in a
battlefield where the enemy is clearly present.
DG3: Elimination of compromised nodes:
We shall be capable of revoking effectively compromised
nodes from the network.
DG4: Dynamicity support:
In both civilian and military networks, there will be new
nodes entering the network after the initial setup and we
shall have a means to introduce large number of trusted nodes
into the network at any time.
DG5: Validation of packets:
In order to use any packet as a proof of node's benevolence/malevolence,
the solution shall have a mechanism that allows only the
sending node to sign its packets and all other nodes to
verify the signatures.
We are envisioned to use this solution from small scale sensor
devices to high speed core network routers. In the former case,
energy efficiency is crucial factor while, in the latter case, high
performance is important.
DG7: Delegation possibility:
In large networks, it is not possible to establish direct
trust relations between all pairs of nodes. Hence, we need
a mechanism to handle trust delegations in the system.
This is especially important in Internet-scale networks.
DG8: Error reporting mechanism:
In case any legitimate or illegitimate node attacks against
any other node, there shall be a mechanism to report problems
and limit the damages as close to the attacker as possible in
order to minimize the load to the network and to the attacked node.
DG9: Dynamic trust management:
We shall be capable of detecting and excluding malevolent nodes
from the network with various means as a node may become
compromised (or otherwise start behaving erratic) either
gradually or instantaneously.
DG10: Traffic minimizing:
The amount of packets and additional information in each
packet shall be minimized.
DG11: Minimum trust between nodes:
The solution should not require any additional security association
setups to route packets in the network.
DG12: Privacy protection:
Since privacy issues will become more and more important, the
solution should provide maximum privacy of sending nodes and their users.
Packet Level Authentication (PLA): Requirements
When looking specifically the packet validation, the following
validations shall be possible:
RQ1: Modification detection:
Any node that routes packet forward shall be capable of detecting
unauthorized modification of the packet without prior negotiation
with the sending node, i.e., when a router receives the first
packet from a specific sender, it shall be capable of verifying
that the packet has not been altered by any intermediate nodes.
RQ2: Duplicate detection:
Any intermediate node shall be capable of detecting if some node
has made duplicates copies of legitimate packets and discarding extra copies.
RQ3: Delay detection:
If a legitimate packet is delayed unnecessary long time (e.g.,
due to replay attack), an intermediate node shall have a means to detect this.
RQ4: Method to handle compromised nodes:
If a node has become malevolent, there shall be means to revoke
its rights to send packets to the network. Depending on the operating
environment, the revocation may happen immediately or after some reasonable
time (e.g., one hour).
It shall be noted, that this solution is not coupled with any specific
mobility management protocols. Instead, we see, that any mobility management
protocols (such as Mobile IP, HIP, SIP) can be used on top of this solution
since our solution is just ensuring that "good packets" from one host with
topologically correct address can be routed through the network to its
destination. Hence, mobility management protocols, including multihoming
approaches, will work. There may be a possibility to further enhance the
solutions by integrating network infrastructure protection, mobility management
and security protocols into one entity that combines these three layers together.