
Packet Level Authentication (PLA): Design goals

In order for end-to-end security solutions to work properly, we need an additional security solution at the network infrastructure level that maximizes reachability (i.e., the possibility for two legitimate nodes to communicate regardless of their location in the network) in all situations. Thus, the network shall carry only recently sent, unmodified packets of legitimate nodes. All other packets shall be discarded, preferably already at the next-hop neighboring router. In addition to dramatically reducing the network load, this early error detection enables us to detect compromised nodes faster.

The following requirements have been identified for the new security protocol that protects the network infrastructure.

  • DG1: Survivable in dynamic environment:
    The solution shall be capable of operating in a very dynamic environment, such as ad hoc networks, where packets can be routed via alternative routes and where intermediate nodes may change at any time. Hence, we cannot expect to see all packets of a communication via the same route. In particular, we must be capable of operating in a case where the next packet's route differs from that of the previous packets and the new intermediate routers have no knowledge or history of the content of the previous packets.
  • DG2: Survivable in hostile environment:
    One operating environment is wireless communication in a battlefield where the enemy is clearly present.
  • DG3: Elimination of compromised nodes:
    We shall be capable of effectively revoking compromised nodes from the network.
  • DG4: Dynamicity support:
    In both civilian and military networks, new nodes will enter the network after the initial setup, and we shall have a means to introduce a large number of trusted nodes into the network at any time.
  • DG5: Validation of packets:
    In order to use any packet as proof of a node's benevolence or malevolence, the solution shall have a mechanism that allows only the sending node to sign its packets and all other nodes to verify the signatures.
  • DG6: Scalability:
    We envision using this solution from small-scale sensor devices to high-speed core network routers. In the former case, energy efficiency is a crucial factor, while in the latter case high performance is important.
  • DG7: Delegation possibility:
    In large networks, it is not possible to establish direct trust relations between all pairs of nodes. Hence, we need a mechanism to handle trust delegations in the system. This is especially important in Internet-scale networks.
  • DG8: Error reporting mechanism:
    In case any legitimate or illegitimate node attacks any other node, there shall be a mechanism to report problems and limit the damage as close to the attacker as possible, in order to minimize the load on the network and on the attacked node.
  • DG9: Dynamic trust management:
    We shall be capable of detecting and excluding malevolent nodes from the network by various means, as a node may become compromised (or otherwise start behaving erratically) either gradually or instantaneously.
  • DG10: Traffic minimization:
    The amount of packets and additional information in each packet shall be minimized.
  • DG11: Minimum trust between nodes:
    The solution should not require any additional security association setups to route packets in the network.
  • DG12: Privacy protection:
    Since privacy issues will become more and more important, the solution should provide maximum privacy of sending nodes and their users.
Packet Level Authentication (PLA): Requirements

When looking specifically at packet validation, the following validations shall be possible:
  • RQ1: Modification detection:
    Any node that forwards a packet shall be capable of detecting unauthorized modification of the packet without prior negotiation with the sending node, i.e., when a router receives the first packet from a specific sender, it shall be capable of verifying that the packet has not been altered by any intermediate node.
  • RQ2: Duplicate detection:
    Any intermediate node shall be capable of detecting whether some node has made duplicate copies of legitimate packets, and of discarding the extra copies.
  • RQ3: Delay detection:
    If a legitimate packet is delayed for an unnecessarily long time (e.g., due to a replay attack), an intermediate node shall have a means to detect this.
  • RQ4: Method to handle compromised nodes:
    If a node has become malevolent, there shall be a means to revoke its right to send packets to the network. Depending on the operating environment, the revocation may happen immediately or after some reasonable time (e.g., one hour).

It shall be noted that this solution is not coupled with any specific mobility management protocol. Instead, we see that any mobility management protocol (such as Mobile IP, HIP, SIP) can be used on top of this solution, since our solution only ensures that "good packets" from one host with a topologically correct address can be routed through the network to their destination. Hence, mobility management protocols, including multihoming approaches, will work. There may be a possibility to further enhance the solution by integrating network infrastructure protection, mobility management and security protocols into one entity that combines these three layers.

    Latest update: 29 April 2008.