Computer Networks 57 (2013) 1078–1100
A Secure Correspondent Router Protocol for NEMO Route Optimization
Christian Bauer
Institute of Communications and Navigation, German Aerospace Center (DLR), Muenchner Str. 20, 82234 Wessling, Germany
Article info
Article history: Received 8 February 2012; Received in revised form 25 September 2012; Accepted 19 October 2012; Available online 22 December 2012
Keywords: Aeronautics; Mobile IP; NEMO; Route optimization; PKI; Authentication
Abstract
The Network Mobility (NEMO) protocol is needed to support the world-wide mobility of aircraft mobile networks across different access networks in the future IPv6 based aeronautical telecommunications network (ATN). NEMO suffers from the constraint that all traffic has to be routed via the home agent though. The already existing correspondent router (CR) protocol solves this triangular routing problem and permits to route packets on a direct path between the mobile network and the ground based correspondent nodes. We identify security deficiencies of this protocol that make it unsuitable for use within the ATN. We therefore propose a new route optimization procedure based on the CR protocol that provides a higher level of security. We evaluate our new protocol in three ways. We first conduct a simulation based handover performance study using an implementation of a realistic aeronautical access technology. We then investigate the mobility signaling overhead. Finally, we specify a threat model applicable for the aeronautical environment and use it to perform a security analysis of both the old and our new protocol. It is shown that our protocol is not only more secure but also provides better handover latency, smaller overhead in the aeronautical scenario and a higher level of resilience when compared to the original CR protocol.
© 2012 Elsevier B.V. All rights reserved.
1. Introduction

The International Civil Aviation Organization adopted IPv6 for use within its future IP-based Aeronautical Telecommunications Network [1]. This global network will carry safety related data such as air traffic control communications between the cockpit and an air traffic controller on the ground. For security reasons we assume that this network will be segregated from the public Internet. In this paper we focus on air traffic control communications.

The high degree of mobility on a global scale and the heterogeneous network environment consisting of short-range and long-range terrestrial as well as satellite access technologies requires an appropriate IP mobility protocol. The Network Mobility Basic Support (NEMO) protocol [2]
is an adequate solution, as an aircraft will consist of a mobile router (MR) with several on-board end-systems. The disadvantage of a NEMO based approach is that all traffic has to be routed via the home agent. This increases the end-to-end communications latency between the mobile network and the ground based correspondent nodes if the distance to the home agent is large. The home agent also introduces the risk of a single point of failure, as routing from and to the mobile network will fail if the home agent is not available. A route optimization protocol would make it possible to bypass the home agent and route packets on a direct path between the mobile network and the correspondent nodes on the ground. Such a protocol has not yet been standardized, although its need has already been identified in the appropriate standardization bodies, e.g., [3]. A NEMO route optimization protocol that is suitable for air traffic control communications has to fulfill high requirements. Foremost, this covers security aspects, as
the protocol has to be protected against a variety of attacks. Additionally, a small end-to-end latency has to be provided. This is important for air traffic control communications that will also include Voice over IP based communication in the future [4]. Requirements listed in [5] state that there exists aircraft sensor data that should be transmitted in real-time to the ground-based processing systems. Furthermore, safety related applications and services require a high level of availability, with the highest demand being 99.99995% [6]. Finally, due to the limited bandwidth provided by the aeronautical wireless links, the amount of protocol related signaling should be as small as possible. Wakikawa et al. already proposed a correspondent router protocol that provides route optimization for NEMO [7]. We identify security deficiencies within this protocol that are not acceptable for a safety related environment. In a previous publication [8] we proposed a Secure NEMO Route Optimization (SeNERO) protocol based on the correspondent router concept. SeNERO addresses the issues mentioned above. The previous publication provided a simplified test-bed based evaluation. The contributions of this paper are (a) a more comprehensive and realistic handover evaluation based on simulations with an aeronautical wireless access technology, (b) a signaling overhead analysis and (c) a comprehensive security analysis of SeNERO and the original protocol. The security analysis is based on a threat model we introduce in this paper. We also provide an overview of related work on route optimization protocols with an emphasis on the security and signaling efficiency aspects. The paper is organized as follows. Section 2 provides a short summary dealing with NEMO, the existing correspondent router protocol and its deficiencies. Section 3 presents the SeNERO protocol. A handover performance evaluation is performed in Section 4. Section 5 provides an overhead analysis. 
The security analysis is presented in Section 6. Finally, Section 7 discusses different approaches on route optimization security. We assume that the reader is familiar with the Mobile IPv6 protocol and primitives for symmetric and asymmetric cryptography.

2. Network mobility and route optimization

In the following we briefly summarize the key aspects of NEMO and the correspondent router protocol.

2.1. NEMO in a Nutshell

NEMO [2] is an extension to Mobile IPv6 [9], providing a mobile network prefix (MNP) instead of only a single home address to a mobile router (MR). The mobile network nodes (MNNs) that attach to the MR inside the mobile network obtain their addresses from the mobile network prefix advertised by the MR. The mobility signaling for NEMO is similar to Mobile IPv6, as shown in Fig. 1. When the MR performs a handover and moves to a foreign network, it acquires a care-of address (CoA) from the foreign network. The MR then
Fig. 1. NEMO basic support mobility signaling (home registration).
performs a home registration with the home agent (HA) that is located in the home network. The mobility signaling exchange is performed by means of a binding update (BU)/ binding acknowledgement (BA) exchange, protected by an IPsec security association. Traffic originating from the mobile network nodes is tunneled by the MR to the home agent. From there packets are forwarded to their destination, the correspondent nodes (CNs). Similarly, packets addressed to a mobile network node inside the mobile network are routed to the home agent using normal Internet routing. These packets are then tunneled by the home agent to the care-of address of the MR, which corresponds to the current location of the MR. The MR decapsulates the packet and forwards it to the destination, the mobile network node. A disadvantage of the NEMO protocol is suboptimal routing: all packets between mobile network nodes and correspondent nodes are routed via the home agent.
2.2. Correspondent router-based route optimization

The solution to the sub-optimal triangular routing can be provided by a route optimization (RO) procedure that allows packets to bypass the home agent and use a direct routing path between a mobile network node and a correspondent node. In this paper we focus on a solution that involves a correspondent router (CR) that acts as a proxy and performs the route optimization signaling with the MR on behalf of its locally served correspondent nodes. Traffic destined to the mobile network node or correspondent node can be directly routed between MR and CR instead of being relayed via the home agent. The protocol was originally proposed by Wakikawa et al. [7].

Packets to the mobile network prefix are routed to the care-of address of the MR. Traffic to those correspondent nodes that are in the same network as the CR is routed directly to the address of the CR. These nodes can be identified as their addresses are configured from the correspondent router prefix (CRP). This prefix is the CR-equivalent of the mobile network prefix of the MR.

The advantages of the CR approach are (1) a short end-to-end delay as the CR should be deployed close to the correspondent nodes, (2) scalability, as a CR can provide an optimized route to several correspondent nodes simultaneously and (3) the transparency to the end-systems in the mobile network and on the ground.
The route optimization signaling is based on the Mobile IPv6 route optimization procedure [9], as illustrated in Fig. 2. It consists of a care-of test (CoTI/CoT) and home test (HoTI/HoT) message exchange for authenticating care-of address and mobile network prefix. While the care-of test messages are routed directly from and to the care-of address of the mobile router, the home test messages are routed to a random address of the mobile network prefix of the mobile router. HoTI/HoT are therefore routed via the home agent. The CoT and HoT messages each contain a symmetric cryptographic key, $K_C$ and $K_H$ respectively, generated by the correspondent router. The mobile router proves to be the owner of the claimed care-of address and mobile network prefix by being able to receive the cryptographic keys at these locations. In the next stage the correspondent registration is performed, consisting of a binding update (BU)/binding acknowledgement (BA) message exchange. The care-of key $K_C$ and home key $K_H$ are combined into a single symmetric key $K_{rr}$ by the mobile router:
$$K_{rr} = H(K_C \mid K_H) \qquad (1)$$
where $H$ denotes a hash function and $\mid$ denotes concatenation. The key $K_{rr}$ is then used to calculate a Hash-based Message Authentication Code (HMAC) of the binding update message that serves for the purpose of authentication and integrity protection. The binding update instructs the correspondent router to establish a packet redirection state: all traffic destined to the mobile network prefix should be directly routed to the care-of address of the mobile router. Upon receiving the binding update, the correspondent router will verify the HMAC based on the combined keys $K_C$ and $K_H$, cf. Eq. (1). If this succeeds, the correspondent router establishes the packet redirection state such that all traffic destined to the mobile network prefix will be directly routed to the care-of address of the mobile router. The correspondent router also returns a binding acknowledgement to the MR. This message is integrity protected by a HMAC calculated from the combined keys $K_C$ and $K_H$. After receiving and successfully verifying the HMAC on the binding acknowledgement, the mobile router will also establish a packet redirection state: all traffic destined to
the correspondent router prefix will be directly routed to the correspondent router. The direct routing between mobile router and correspondent router takes place via a bi-directional IP-in-IP tunnel.

Prior to route optimization signaling, the mobile router first has to discover the correspondent router that is associated with a correspondent node. There are several options available, cf. Appendix B. We argue that the choice of a suitable discovery mechanism is deployment dependent. No assumptions should therefore be made with respect to the discovery mechanism and its level of security.

2.3. Deficiencies of the correspondent router protocol

In the following, a short summary of the deficiencies of the correspondent router protocol is provided in order to motivate our own protocol that is presented later on. A more detailed discussion on the security deficiencies of the existing protocol is provided in Section 6.3.

The CR has to redirect traffic from its original destination (the mobile network prefix of the MR) to another address (the care-of address of the MR). An authentication is necessary before the packet redirection state can be established – the MR has to prove that it is the owner of both the claimed mobile network prefix and care-of address. The original CR protocol reuses the Mobile IPv6 route optimization procedure [9] for authenticating care-of address and mobile network prefix. The mobile router proves to be the owner of the claimed care-of address and mobile network prefix by being able to receive cryptographic keys at these locations, cf. Fig. 2.

Deficiency 1: An adversary located on the path between home agent and correspondent router is capable of seeing the home test (HoT) message and the cryptographic key $K_H$ in cleartext, cf. Fig. 2. The adversary can then request a care-of key $K_C$ from the CR for his own care-of address, combine it with the stolen key $K_H$ and send a valid binding update to the correspondent router.
The correspondent router would then redirect traffic of the stolen mobile network prefix to the adversary’s care-of address. This constitutes a successful mobile network prefix hijacking. This vulnerability is well known in the Mobile IPv6 context [9,10].

The following deficiencies are new.

Deficiency 2: No mutual authentication is provided in the CR protocol. While the MR authenticates its prefix to the CR, the CR prefix is not authenticated to the MR. There is no equivalent to the home test init/home test message exchange that authenticates the correspondent router prefix. This allows an adversary to masquerade as a legitimate CR and hijack the correspondent router prefix. Consequently, traffic originally destined to the correspondent router can then be redirected to the adversary’s address.
Fig. 2. Route optimization signaling with correspondent router.
Deficiency 3: An adversary who is in possession of a prefix of arbitrary size can hijack the mobile network prefix of a MR. Such an
adversary claims a larger prefix than it actually owns. Traffic, originally destined for the mobile network prefix of the legitimate MR, can then be redirected to the adversary’s care-of address. This attack is outlined in more detail in Section 6.3.

There is also another, non-security related, deficiency – the home agent representing a single point of failure.

Deficiency 4: In case the home agent is not reachable, route optimization cannot be completed. No direct routing path between mobile router and correspondent router can then be established. The root of this problem is the proof by reachability for the mobile network prefix. The home key $K_H$ transported with the home test message cannot be forwarded to the MR if the home agent is not reachable, cf. Fig. 2.

3. SeNERO: Secure NEMO Route Optimization

In the following we describe our new protocol, called Secure NEMO Route Optimization (SeNERO). It is based on the existing correspondent router protocol, but addresses its deficiencies. SeNERO provides mutual authentication that can usually not be found in other related work for NEMO [11,12] or Mobile IP [13,14]. Those proposals that do provide mutual authentication [15,16] cause a higher signaling load. In contrast to the original correspondent router protocol [7] and other related work [12,16,13], SeNERO does not require routing of signaling messages via the home agent. The related work that also does not require a home agent [11,15] either does not provide mutual authentication, suffers from security problems or requires a larger number of signaling messages.

3.1. Approach for prefix and address authentication

The review of related work in route optimization security, cf. Section 7, shows the advantages and disadvantages of the individual approaches for both prefix and care-of address authentication. For performing the prefix authentication in SeNERO, public-key cryptography with an associated public key infrastructure (PKI) and certificates is used.
This approach is scalable and the private key is only known to the key owner (unlike reachability tests and identity-based cryptography). No issues with respect to the cryptographic output length exist, as the signature length can be arbitrary (unlike cryptography based identities or zero-knowledge interactive proofs). While the feasibility of such a public key infrastructure probably seems unrealistic for the public Internet, it is assumed that it is not just possible but actually necessary for a closed and security critical environment such as the aeronautical telecommunications network. This necessity has already been identified in a more general aviation context [17]. In fact, such a PKI has already been established for electronic passports, based on national trust anchors for the passport issuing countries [18]. Even in the public Internet, a trust infrastructure with a hierarchy based on a single root key has been successfully established: the
security extensions for the Domain Name System (DNS) [19]. It is therefore argued that a public key infrastructure based hierarchical approach is also possible for the closed safety related aeronautical environment.

For performing the care-of address authentication, a reachability test has been chosen for providing the mobile router with a symmetric key during runtime. This approach is scalable and keys are only provided on an as-needed basis. This approach only suffers from the disadvantage that the cryptographic key is transported in cleartext. Even an authentication based on asymmetric cryptography has security weaknesses though, due to time shifting attacks (for cryptography based identities, cf. Section 7.2). A trade-off is therefore necessary. While the reachability test exposes the care-of key, its lightweight cryptography allows reducing the denial of service exposure for the correspondent router and also provides "real-time" assurance of the care-of address ownership.

3.2. Proposed public key infrastructure model

The main component for authenticating prefixes in our route optimization procedure is the public key infrastructure. From the different existing PKI models [20], a single-root based certificate authority (CA) scheme is the most suitable one, as IP address space is also structured in a hierarchical way. Unlike care-of address authentication, prefix authentication is not affected by aircraft mobility. Both mobile network and correspondent router prefix are fixed. The root CA of the proposed PKI is authoritative for the entire aeronautical IP address space. Hence, for every arbitrary pair of mobile router and correspondent router, the certification chain established for mutual authentication will always be anchored based on the root CA. Fig. 3 shows the proposed public key infrastructure, where a global single root (e.g. the International Civil Aviation Organization) is in charge of all aeronautical IP address space.
The root CA can partition and delegate the IP address space to subordinate, national CAs (level 1 CA). These CAs can then delegate prefixes from this sub-space to the CRs and MRs. More detailed, each level X CA, MR or CR receives an X.509 certificate with an extension field [21] that includes the delegated IP address prefix. In case of the MR this is the mobile network prefix, for the CR it is the
Fig. 3. Public key infrastructure for prefix authorization.
Table 1. Abbreviations and symbols for formal notation of protocol exchanges.

Symbol                  Explanation
$A \to B$               Message from A to B
$A \mid B$              Concatenation of A and B
$K^{PUB}_X$             Public key of entity X
$K^{PRIV}_X$            Private key of entity X
$K$                     Symmetric cryptographic key
$N_X$                   Nonce X
$C_X$                   Certificate of entity X
$S$                     Strictly increasing sequence number
$T$                     Timestamp with current date and time
$A_{MR}$, $A_{CR}$      Cryptographic algorithms supported by MR/CR
$K\{M\}$                Message M encrypted with key K
$K[M]$                  Message M with HMAC or signature from key K
$H(X)$                  One-way hash function with input X
MNP, CRP                Mobile Network/Correspondent Router Prefix
correspondent router prefix. This certificate authorizes the owner to use or delegate the specified prefix. Both MR and CR must trust the root CA. The delegation and certification chain from the root CA to the MR or CR certificate then provides the necessary proof for a claim on a certain prefix.

3.3. Initial authentication

The Secure NEMO RO (SeNERO) signaling consists of two message exchanges. The first exchange is a care-of test that authenticates the MR’s care-of address. The second exchange consists of the binding update (BU)/binding acknowledgement (BA) messages that authenticate the prefixes of MR and CR and establish the bi-directional tunnel that is used for the packet redirection. We use a formal notation for the protocol message exchanges, whose symbols are listed in Table 1. We assume that the reader is familiar with security-related protocol primitives such as timestamps, nonces, hashed message authentication codes, etc.

We start with describing the first, initial registration of the MR with the CR, as illustrated in Fig. 4. A care-of test init/care-of test (CoTI/CoT) message exchange is used by the MR to retrieve the symmetric care-of test key $K_C$. Written in the formal notation, the exchange looks as follows:
$$MR \to CR\ (\text{CoTI}):\ N_C \qquad (2)$$

$$CR \to MR\ (\text{CoT}):\ N_C,\ I_S,\ K_C \qquad (3)$$
The correspondent router generates the key KC in the following way:
$$K_C = H(N_C \mid CoA \mid S^i_C) \qquad (4)$$
where $N_C$ refers to a randomly generated nonce and CoA refers to the source address of the care-of test init message, which is the care-of address of the mobile router. $S^i_C$ is a secret key only known to the correspondent router. There is a total number of n such keys, each one only valid for a limited lifetime. In the care-of test message, the field $I_S$ specifies which key $i$ has been used for generating the care-of key $K_C$. By being able to receive this key at the care-of address, the MR proves to be the owner of this address. The key only authorizes the use of the respective care-of address. The next step is the transmission of the binding update (BU) message to the correspondent router:
$$MR \to CR\ (\text{BU}):\ K_C\big[\,K^{PRIV}_{MR}[\,S,\ MNP,\ N_C,\ I_S,\ T,\ C_{MR},\ A_{MR}\,]\,\big] \qquad (5)$$
This message includes a monotonically increasing sequence number $S$ and the mobile network prefix MNP of the MR. The nonce $N_C$ is equivalent to the one used in the CoTI/CoT messages in the care-of test. The timestamp $T$ specifies the current time of the MR. The certificate $C_{MR}$ of the MR includes the IP address extension [21], listing the mobile network prefix. The algorithm identifiers $A_{MR}$ specify which signature, encryption and HMAC algorithm the MR is using. Finally, a digital signature and a HMAC are calculated and appended to the binding update. The signature is calculated with the MR’s private key $K^{PRIV}_{MR}$. The HMAC is calculated with the symmetric key $K_C$ obtained from the care-of test (CoT) message. The CR, when receiving the binding update, verifies the HMAC to ensure that the MR is the proper owner of the claimed care-of address. The CR can regenerate the key $K_C$ for verifying the HMAC based on formula (4): $N_C$ is contained in the binding update, CoA is the source address of the binding update and $I_S$ indicates which $S^i_C$ has originally been used by the correspondent router for generating $K_C$. The CR does therefore not have to keep any state for the care-of test init/care-of test message exchange.
Fig. 4. SeNERO mobility signaling: initial authentication.
Fig. 5. SeNERO mobility signaling: subsequent authentications after a handover has occurred.
The claim on the mobile network prefix is verified by the signature. If the certificate $C_{MR}$ is valid (see footnote 1) and the public key $K^{PUB}_{MR}$ from this certificate can be used to verify the signature on the binding update, the CR can be assured that the MR is the proper owner of the mobile network prefix. The CR then generates a random, symmetric key $K_{PH}$ and sends a binding acknowledgement (BA) to the MR:
$$CR \to MR\ (\text{BA}):\ K^{PRIV}_{CR}\big[\,S,\ CRP,\ N_C,\ T,\ K^{PUB}_{MR}\{K_{PH}\},\ C_{CR},\ A_{MR},\ A_{CR}\,\big] \qquad (6)$$
This message is very similar to the binding update, cf. message (5). The major differences are the correspondent router prefix CRP and the certificate $C_{CR}$ of the CR with an IP address extension that includes the correspondent router prefix. The binding acknowledgement also contains the permanent home key $K_{PH}$ that is encrypted with the public key of the MR. The algorithm identifiers $A_{CR}$ specify the algorithm suites used by the CR. Finally, a digital signature is calculated and appended to the binding acknowledgement. The signature is calculated with the CR’s private key $K^{PRIV}_{CR}$.

When the MR receives the binding acknowledgement it will verify the CR’s certificate $C_{CR}$ and the signature on the binding acknowledgement. The latter is performed based on the public key of the CR provided in the certificate. The signature confirms that the CR is the proper owner of the correspondent router prefix. The MR also decrypts and stores the permanent home key $K_{PH}$. Route optimization has now been successfully completed and data traffic between the mobile network nodes and those correspondent nodes that are located behind the CR can be directly tunneled between MR and CR.
Footnote 1: The CR has to construct and verify a certification chain from the MR certificate to the root CA of the PKI.

3.4. Subsequent authentication

If the MR has already established a packet redirection state at the CR but performs a handover to another access network, the care-of address of the mobility binding has to be updated. The corresponding signaling messages are different from those in the initial authentication, as shown in Fig. 5. The permanent home key $K_{PH}$ is used now as a session key that authenticates the MR during subsequent handovers. After a handover, the MR first performs a care-of test to obtain a care-of key $K_C$ for the new care-of address, cf. messages (2) and (3). This key is then combined with $K_{PH}$:
$$K_{pk} = H(K_C \mid K_{PH}) \qquad (7)$$
The new key $K_{pk}$ is used for calculating the HMAC that is attached to the binding update. This calculation uses the algorithm specified in $A_{CR}$, as learned from the binding acknowledgement in message (6).
$$MR \to CR\ (\text{BU}):\ K_{pk}[\,S,\ N_C,\ I_S\,] \qquad (8)$$
The MR sends the binding update without any certificate and signature as the prefix has already been authorized in the initial authentication. If the CR can verify the HMAC, the binding update is accepted and the packet redirection state accordingly updated with the new care-of address of the MR. A binding acknowledgement is then sent, with the HMAC being calculated the same way as in the binding update. In formal notation:
$$CR \to MR\ (\text{BA}):\ K_{pk}[\,S,\ N_C\,] \qquad (9)$$
Packets can now be routed between MR and CR from and to the new care-of address.

3.5. Aeronautical communications based on CRs

In the following we will discuss how correspondent routers can be integrated into the scenario of the aeronautical telecommunications network. For the mobile router, handovers between base stations and associated access routers are expected to occur several times while associated to a national network and when crossing national airspace borders. Base station handovers are likely to occur in the time range of every 20–30 min. Hence, the number of access router handovers triggering IP mobility signaling can occur in the time range of every 20–30 min (upper bound), over five handovers per country down to 1 handover per country (lower bound). This depends on the specific access network structure and flight path.

Air traffic control communication takes place between a mobile network node in the aircraft and a correspondent node, the ATS controller. In today’s operations, the controller is geographically close to the aircraft it is controlling. There will be one correspondent node each at the
departure and destination airport as well as a varying number of correspondent nodes for each crossed country. The aircraft will be communicating with only one correspondent node for the purpose of air traffic control at one point in time. The correspondent nodes are changing in a sequential way, depending on the current geographical location of the aircraft.

Ground networks are organized on a national basis: the correspondent nodes of a country are within the same administrative domain. A single correspondent router located in the same network can therefore provide an optimized route to all correspondent nodes of that country. Each country will have such a correspondent router for providing NEMO route optimization. When an aircraft starts communicating with a correspondent node of another country, it will establish an optimized route with the correspondent router located in this national network. This is also illustrated in Fig. 6.

3.6. Summary

A return routability procedure with symmetric keys transported inside a care-of test message is always used to authenticate the care-of address of the MR. The initial authentication of the prefixes is based on certificates and asymmetric cryptography. The claim of the prefixes is verified by a certificate chain to the trust anchor and a digital signature embedded inside the binding messages. In subsequent signaling exchanges, to update the packet redirection state with the new care-of address of the MR after a handover has occurred, authentication is performed based on the symmetric session key $K_{PH}$. The algorithms specified in $A_{MR}$ and $A_{CR}$ are used for indicating the cryptographic algorithms that are used for signatures in binding update and binding acknowledgement, for the encryption of the permanent home key $K_{PH}$ in the binding acknowledgement and for the HMACs used in binding update/binding acknowledgement. In contrast to the original CR protocol, route optimization can also be performed in case the home agent is not
Fig. 6. Correspondent routers in the aeronautical communications environment.
reachable, as no message exchanges are performed via the home agent. For both initial and subsequent authentications, only two round-trip times of signaling are consumed.
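The following Python example is added here and is not code from the paper or its simulation: it models the correspondent router's stateless care-of key of Eq. (4) and the subsequent-authentication check of Eqs. (7) and (8). SHA-256 as H, HMAC-SHA-256, the field encodings, all class and function names, and looking up the binding by an MNP carried alongside the binding update are assumptions; the signature and certificate checks of the initial authentication are represented only by install_binding.

```python
import hashlib
import hmac
import ipaddress
import os
import struct


def H(*parts: bytes) -> bytes:
    """H(A | B | ...) from Table 1; SHA-256 is an assumption, fields are fixed-length."""
    return hashlib.sha256(b"".join(parts)).digest()


def bu_body(seq: int, n_c: bytes, i_s: int) -> bytes:
    """Assumed wire encoding of the fields S, N_C, I_S covered by the HMAC in Eq. (8)."""
    return struct.pack("!I", seq) + n_c + struct.pack("!H", i_s)


class CorrespondentRouter:
    def __init__(self, n: int = 4):
        self.n = n                # number of secrets S^i_C alive at once
        self.secrets = {}         # index i -> S^i_C
        self.current = -1
        self.bindings = {}        # MNP -> {"coa", "seq", "k_ph"}
        self.rotate()

    def rotate(self) -> None:
        """Start a new S^i_C and retire the oldest, which expires every K_C made from it."""
        self.current += 1
        self.secrets[self.current] = os.urandom(32)
        self.secrets.pop(self.current - self.n, None)

    def care_of_key(self, n_c: bytes, coa: str, i_s: int):
        """Eq. (4): K_C = H(N_C | CoA | S^i_C); None if secret i has been retired."""
        secret = self.secrets.get(i_s)
        if secret is None:
            return None
        return H(n_c, ipaddress.IPv6Address(coa).packed, secret)

    def handle_coti(self, src_coa: str, n_c: bytes):
        """Eq. (3): answer with N_C, I_S, K_C. Nothing is stored per mobile router."""
        return n_c, self.current, self.care_of_key(n_c, src_coa, self.current)

    def install_binding(self, mnp, coa, seq, k_ph):
        """Stands in for a completed initial authentication (signatures not modelled)."""
        self.bindings[mnp] = {"coa": coa, "seq": seq, "k_ph": k_ph}

    def handle_subsequent_bu(self, src_coa, mnp, seq, n_c, i_s, mac) -> bool:
        binding = self.bindings.get(mnp)
        k_c = self.care_of_key(n_c, src_coa, i_s)   # rebuilt from the packet itself
        if binding is None or k_c is None:
            return False
        if seq <= binding["seq"]:                   # S must strictly increase
            return False
        k_pk = H(k_c, binding["k_ph"])              # Eq. (7)
        expected = hmac.new(k_pk, bu_body(seq, n_c, i_s), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False
        binding.update(coa=src_coa, seq=seq)        # redirect MNP traffic to the new CoA
        return True


def build_subsequent_bu(k_ph: bytes, seq: int, cot):
    """Mobile router side of Eq. (8), using the CoT tuple (N_C, I_S, K_C)."""
    n_c, i_s, k_c = cot
    mac = hmac.new(H(k_c, k_ph), bu_body(seq, n_c, i_s), hashlib.sha256).digest()
    return seq, n_c, i_s, mac


def demo():
    cr = CorrespondentRouter()
    mnp, new_coa = "2001:db8:a1::/48", "2001:db8:2::10"   # constructed sample values
    k_ph = os.urandom(32)
    cr.install_binding(mnp, "2001:db8:1::10", seq=1, k_ph=k_ph)
    cot = cr.handle_coti(new_coa, os.urandom(8))
    bu = build_subsequent_bu(k_ph, 2, cot)
    out = {}
    # Same BU arriving from another source address: the regenerated K_C differs.
    out["wrong_source"] = cr.handle_subsequent_bu("2001:db8:3::66", mnp, *bu)
    # K_C alone (it travels in cleartext) without K_PH does not yield a valid HMAC.
    forged = build_subsequent_bu(os.urandom(32), 2, cot)
    out["no_k_ph"] = cr.handle_subsequent_bu(new_coa, mnp, *forged)
    out["valid"] = cr.handle_subsequent_bu(new_coa, mnp, *bu)
    out["replay"] = cr.handle_subsequent_bu(new_coa, mnp, *bu)
    for _ in range(cr.n):                                  # lifetime of S^0_C ends
        cr.rotate()
    late = build_subsequent_bu(k_ph, 3, cot)
    out["expired_secret"] = cr.handle_subsequent_bu(new_coa, mnp, *late)
    out["coa"] = cr.bindings[mnp]["coa"]
    return out


if __name__ == "__main__":
    print(demo())
```

Only the binding update built with both the care-of key for its actual source address and the permanent home key is accepted; the other four cases leave the binding unchanged.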
4. Evaluation: handover performance

The performance of SeNERO will be compared with the original CR protocol. Mobility and route optimization signaling is always performed after a handover has taken place. Hence, the relevant performance metric is the handover delay $t_{HO}$ that consists of the following components:
$$t_{HO} = t_{L2} + t_{MOV} + t_{MOB}$$

The access technology specific (layer 2) handover signaling for associating with a new base station is represented by $t_{L2}$. The process of detecting the new access router and configuring an IP address is captured by $t_{MOV}$. After both the layer 2 signaling and the IP address configuration signaling have been finished, the mobility protocol exchanges are performed – this is covered by $t_{MOB}$. These exchanges can be the home registration in NEMO Basic Support (cf. Fig. 1) or a route optimization procedure, such as SeNERO. This evaluation is focused on the mobility signaling specific handover latency $t_{MOB}$.

4.1. Scenarios

The topology used in the simulations is shown in Fig. 7. The mobile network consists of a MR with one end-system, the mobile network node. The home agent (HA) is located in the home network. The access network consists of several base stations, each attached to a different access router. Packets between access network, home network and correspondent network are routed via the core network. The correspondent network includes both the CR and the correspondent node.

Once the mobile network node starts communicating with the correspondent node, the mobile router starts performing the route optimization signaling with the correspondent router. In case of SeNERO, an initial authentication is then performed. Afterwards, when the MR performs a handover to the next base station, the MR will configure a new care-of address and therefore re-perform route optimization signaling. In case of SeNERO, a subsequent authentication is then performed.

Based on this topology, we define a best-case and a worst-case scenario: the MR can be either attached to a European or an Asian access network. While the topology is the same in both scenarios, the latency for routing packets from the core to the home network is varying. It is significantly larger in the Asian scenario to emulate the large distance to a Europe-based home agent.
The precise latencies are provided in Table 2. We use the notion of "home network distance" for referring to the latency of routing packets between the core and home network. In the air traffic control environment, the correspondent node is always close to the aircraft (the aircraft is communicating with a node from a certain country if it is flying over that country). Therefore, the delay between access network and correspondent network is relatively small.

Fig. 7. Topology used for handover evaluation.

Table 2 Average delay values for evaluation topology.

| Path | Latency Europe (ms) | Latency Asia (ms) |
|---|---|---|
| Border router – HA | 18 | 148 |
| Border router – CR | 10 | 10 |
| HA – CR | 18 | 148 |

4.2. Simulation environment
We make use of the OMNeT++ [22] simulator with its INET framework (http://inet.omnetpp.org). The already existing Mobile IPv6 implementation [23] has been extended with NEMO as well as the original CR protocol and SeNERO. The implementation conforms to the signaling procedures defined in Figs. 2, 4 and 5. In addition, we also make use of an implementation of the aeronautical access technology L-DACS 1. The cryptographic operations are not considered in the simulation environment. Previous results with a test-bed implementation [8] showed that certificate verification and related asymmetric cryptography in SeNERO requires 7–8 ms of processing time for each correspondent router and mobile router. This is negligible in comparison to the overall handover latency, as will be seen later on.
4.3. L-DACS 1
L-DACS 1 [24] is one of the two candidates for becoming the future wireless long-range aeronautical access technology. It is operated as an Orthogonal Frequency-Division Multiplexing (OFDM) based frequency division duplexing (FDD) system, consisting of an asymmetric pair of forward (base station to mobile station) and return link (mobile station to base station). While data transmission on the forward link is based on OFDM only, the return link uses Orthogonal Frequency-Division Multiple Access (OFDMA) with Time Division Multiple Access (TDMA). In both directions data is sent within OFDM frames, protected by Forward Error Correction coding. The OFDM(A)-based physical layer provides three different time slot types on the reverse link (Random Access slot RA, Dedicated Control slot DC, and DATA slot) and three different time slot types on the forward link (Broadcast Control slot BC, Common Control slot CC, and DATA slot). The assignment of time slots to mobile stations for sending data via the return link is performed on demand by the base station. The bit and frame error rates used in the simulations for the individual logical channels are provided in Table 3.
4.4. Simulation parameters
Within the simulations, the delay between the home and core network has been gradually increased from 18 ms (European scenario) to 148 ms (Asian scenario) in steps of 10 ms. This yields 14 different home network latencies that have been simulated. Additional dummy nodes are present in the radio cells. Their number is also varying: it starts at 0 and is incremented in steps of 10 up to a maximum number of 170 nodes. The latency within the access network is not defined as a parameter, but instead depends on the number of dummy nodes that are attached to a base station. The total number of simulated scenarios is therefore 14 × 18 = 252. 40 simulation runs are performed for each scenario, characterized by a (home network delay, number of dummy nodes) parameter pair. The total number of simulation runs is therefore 14 × 18 × 40 = 10,080. This number of simulations is performed for each of the two protocols. The dummy nodes generate an additional "background" traffic that causes an overhead of 2420 bit/s on the forward link (base station to mobile) and 484 bit/s on the return link (mobile to base station) per mobile node on the application layer. With 170 dummy nodes within a cell, this results in a peak application traffic volume of 400 kbit/s on the forward and 80 kbit/s on the return link. The signaling is implemented as request–response messages based on UDP. Each packet carries application data with a size of 56 bytes that is sent once every 100 ms. Including UDP and IPv6 headers, the peak volume is 529 kbit/s on the forward link and 207 kbit/s on the return link. The simulation output is the mobility specific handover (HO) delay $t_{MOB}$ of the mobile router.

Table 3 Bit and frame error rates of individual L-DACS 1 channels.

| Channel | Bit error rate | Frame error rate |
|---|---|---|
| RACH | 9.535 | 8.74 |
| BCCH | 6.376 | 1.634 |
| CCCH | 9.17 | 6.315 |
| DCH FL | 9.17 | 6.315 |
| DCH RL | 4.814 | 6.292 |
| DCCH | 9.17 | 6.315 |

Fig. 8. Overview of handover (HO) delay for original correspondent router protocol and SeNERO in extended simulations with L-DACS 1.
4.5. Simulation results
An overview of the results for the original correspondent router protocol and SeNERO is shown in Fig. 8: the mobility specific handover latency median (z-axis) of the two protocols is shown as a function of the latency to the home network (x-axis) and the number of dummy nodes in the radio cell (y-axis). Fig. 9 shows side views on the 3-dimensional plots, illustrated as box-and-whisker diagrams. Subfigures (a), (c) and (e) show the handover delay (y-axis) in correlation with the delay to the home network (x-axis). Subfigures (b), (d) and (f) show the handover delay (y-axis) in correlation with the number of dummy nodes in the radio cell (x-axis).

Fig. 9. Handover (HO) delay for original correspondent router protocol and SeNERO depending on the delay to the home network and the number of nodes in the radio cell.

4.5.1. Original correspondent router protocol
Fig. 8a shows that the handover delay for the original correspondent router protocol increases linearly with a larger distance to the home network and a larger number of dummy nodes in the radio cell. A more detailed view on the correlation between handover latency and home network distance is provided in Fig. 9a. The spread on the y-axis, measured in terms of the IQR (the interquartile range measures the statistical dispersion and is calculated as the difference between the 75 and 25 percentiles: $\mathrm{IQR} = q_{0.75} - q_{0.25}$), is 236–279 ms. This spread originates from the varying number of dummy nodes within the radio cell. A larger number of nodes produces a higher load on the wireless link – as a consequence, the available capacity for every individual node becomes smaller, therefore increasing the latency for sending packets over the wireless link. This latency increase is most noticeable between the 75th
percentile ($q_{0.75}$) and the maximum, which represents situations with up to 170 dummy nodes. The explanation for this behavior is that the increase in latency from 120 to 170 nodes is significantly larger than the increase in latency from 0 to 50 nodes, where the radio cell is underutilized. Fig. 9a shows that the handover latency median is 540 ms on the very left (European scenario with distance to home: 18 ms) and 1055 ms on the very right (Asian scenario with distance to home: 148 ms). The difference between the two scenarios is therefore 515 ms. The latency increases linearly with the home network distance. This is due to the forwarding path MR → HA → CR for the home test init message and CR → HA → MR for the home test message. Given a distance of 18 ms, the latency of routing the home test init message from MR to CR is 2 × 18 = 36 ms. As the delay for home test is the same, only the direction is reversed, the total accumulated latency of finishing a HoTI/HoT message exchange is 72 ms. If the distance to the home network is 148 ms, routing the home test init message takes 2 × 148 = 296 ms. The total accumulated delay for HoTI/HoT is then 592 ms. The difference between the 18 ms and 148 ms scenario for routing HoTI/HoT is therefore 592 − 72 = 520 ms. This number is close to the 515 ms difference obtained by the simulation results. Given an interquartile range of 238–258 ms and a standard deviation of 263–268 ms for these two specific scenarios (distance to home: 18 and 148 ms), the simulation results can be considered in line with the theoretical number of 520 ms. A different view on the obtained results of the original correspondent router protocol is provided in Fig. 9b, which shows the handover latency as a function of the number of dummy nodes within the radio cell. The vertical spread in the handover latency inside each box is, to one part, due to the varying distance to the home network. The spread increases with the number of dummy nodes.
The varying number of nodes can cause an additional latency of 547 ms, considering a handover latency median of 609 ms on the very left (0 dummy nodes) and 1156 ms on the very right (170 dummy nodes). The interquartile range increases from 271 ms on the very left to 400 ms on the very right. The increasing number of nodes causes a higher utilization of the available bandwidth of the radio cell. Consequently, less bandwidth is available for every individual node and latency increases. As a result, the spread/interquartile range within the handover latency boxes continually increases with the number of nodes. In summary, the handover latency median for the original protocol has a varying component of 515 ms due to different distances to the home network. A 547 ms spread exists for a varying number of dummy nodes in the radio cell.
4.5.2. SeNERO
For SeNERO, results for both the initial and subsequent authentication are provided. As SeNERO does not perform any signaling exchanges via the home agent, the handover delay is constant with respect to a varying home network distance. It only increases with a larger number of dummy nodes in the radio cell. This can be seen in Fig. 8b and c. A more detailed view on the correlation between handover latency and home network distance is provided in Fig. 9c and e. The medians are in a range of 496–508 ms for the initial and 473–495 ms for the subsequent authentication. The overall median in the initial authentication, when aggregating among the different distances to the home network, is 18 ms or 3.6% larger than in the subsequent authentication. The vertical spread in the handover latency, measured in terms of the interquartile range, is 289–328 ms for the initial and 256–306 ms for the subsequent authentication. The larger handover latency medians and interquartile range for the initial authentication can be explained by the large sizes for binding update and binding acknowledgement. Both messages include certificates, and the transmission of a large message consumes more time, especially on the wireless link. The impact the number of dummy nodes per radio cell has on the handover delay is shown in Fig. 9d and f. The medians of the handover latency, considering 0 additional dummy nodes in the cell, are 315 and 247 ms for the initial and subsequent authentication. In the case of 170 nodes, the medians are 917 and 873 ms respectively. The varying number of dummy nodes therefore causes an additional latency of up to 602 and 626 ms for the two different authentication phases. The spread in terms of the interquartile range increases considerably from 40 ms (for 0 nodes) to 505 ms (for 170 nodes) for the initial authentication. For the subsequent authentication, the spread increases from 41 ms (for 0 nodes) to 406 ms (for 170 nodes). The reason for this behavior is that the traffic caused by the increasing number of nodes consumes all of the available capacity of the radio cell. A fully utilized radio cell causes packets to be queued until they can be transmitted over the wireless link. The latency therefore increases and, as a consequence, the handover delay variance also increases. This is particularly noticeable in the transition from 100 nodes to 110 nodes during the initial authentication, where an interquartile range increase of more than 50 ms is present. The interquartile range is smaller for the subsequent authentication due to the smaller binding update and binding acknowledgement message sizes. In summary, an important observation is the handover latency median of 485 and 503 ms for the initial and subsequent authentication, considering a varying distance to the home network. A 465 and 365 ms spread exists for a varying number of dummy nodes in the radio cell. This is 82–182 ms smaller compared to the spread of the original correspondent router protocol for a varying number of dummy nodes.
4.6. Radio cell load impact
A more detailed investigation of the simulation results based on the varying number of dummy nodes is provided in the following. This comparison between original correspondent router protocol and SeNERO is based on three different radio cell load situations:
1. Small load: 50 dummy nodes per cell.
2. Average load: 100 dummy nodes per cell.
3. Overload: 170 dummy nodes per cell.

In the small load case, for the original protocol the handover latency median is 706 ms. For SeNERO, the median is 400 ms in the initial authentication and 389 ms in the subsequent authentication. Considering the initial authentication, SeNERO therefore provides an improved handover performance of 77%. With respect to the subsequent authentication, the improvement is 81%. For the average load case, the handover latency median for the original protocol is 849 ms. For SeNERO, the median is 552 ms for the initial authentication, while for the subsequent authentication it is 537 ms. SeNERO therefore provides an improved handover performance of 54% for the initial authentication and 58% for the subsequent authentication. For the overload case, the handover latency median for the original protocol is 1156 ms. For the SeNERO initial authentication, it is 917 ms while for the subsequent authentication it is 873 ms. SeNERO therefore provides an improved handover performance of 26% in the initial authentication and 32% in the subsequent authentication. In summary, SeNERO always provides a better handover performance, with improvements usually ranging between 26% and 81% when compared to the original protocol. The subsequent authentication provides an improvement of 4–7% when compared to the initial authentication. That the performance advantage of SeNERO, when compared to the original CR protocol, decreases from the small load to the overload scenario is due to the fact that the delay on the wireless link becomes larger. As a consequence, the distance to the home network is not the only dominating component of the handover latency anymore. Instead it is reduced by the delay on the wireless link that constitutes a larger part of the overall handover latency.
5. Evaluation: overhead analysis
In the following, the overhead caused by the original correspondent router protocol and SeNERO is compared against each other. The discussion addresses overhead caused by the mobility signaling itself. The overhead for the end-to-end user data packets is equivalent for both protocols as both use an IP-in-IP tunnel for forwarding application data between mobile router and correspondent router. The trade-off for the improvements provided by SeNERO is the increased size of the signaling messages in the initial authentication. This is due to the embedded public-key certificates. The sizes of the individual messages for each of the two protocols are provided in Table 4, as obtained from the test-bed implementation in [8]. Elliptic Curve Cryptography has been assumed for public-key cryptography in SeNERO, with key and signature sizes of 384 bits and 96 bytes respectively. However, a disadvantage with respect to signaling overhead also exists for the original correspondent router protocol: the return routability procedure with its care-of test and home test messages (cf. Fig. 2) has to be periodically repeated every 7 min, as specified in [9]. This is to limit the vulnerability to adversaries located on the path between home agent and correspondent router (see Sections 2.3 and 6.3). This periodic signaling causes additional overhead, even if the mobile router is not performing any handovers. The comparison of the signaling overhead for the two protocols is shown in Fig. 10. For the original CR protocol, the signaling consumes 480 bytes every 7 min and for every handover. For SeNERO, the initial overhead is 1859 bytes that is increased with every handover by 278 bytes. Fig. 10a shows the accumulated signaling overhead of both protocols over time. It can be seen that the initial overhead of SeNERO is larger, but remains constant over time in contrast to the original CR protocol, where overhead increases linearly over time. Fig. 10b shows the signaling overhead per minute, also as a function of time. It can be seen that SeNERO has a high overhead per minute in the initial phase, but becomes more efficient if the optimized route remains established over a longer period of time. In contrast to this, the original CR protocol has a smaller initial overhead, but remains at a higher overhead level over time. The initial overhead for the original correspondent router protocol (480 bytes) is 74% below that of SeNERO (1859 bytes). Considering the signaling overhead generated per minute, the original protocol requires less bandwidth than SeNERO in the first minutes. For the time duration of the first 7 min, the bandwidth consumption per minute of the original protocol is 74% below that of SeNERO. However, the overhead of the original protocol increases over time due to the periodic signaling. The overhead of SeNERO remains constant, as it is time-independent.
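The accumulated overhead of both protocols can be recomputed from the Table 4 message sizes and extended to runs that include handovers. This is an added example, not code from the paper or its test-bed; the function names are hypothetical, and it assumes that the 7 min refresh timer of the original protocol keeps running independently of handovers.

```python
"""Added illustration: accumulated route optimization signaling overhead."""

# Message sizes in bytes (request, reply), taken from Table 4 of the paper.
COTI_COT = (56, 64)
HOTI_HOT = (96, 104)
CR_BU_BA = (92, 68)
SENERO_INITIAL_BU_BA = (860, 879)
SENERO_LATTER_BU_BA = (92, 66)
REFRESH_MIN = 7  # return routability is repeated every 7 min

# One full exchange of the original protocol: CoTI/CoT + HoTI/HoT + BU/BA.
CR_EXCHANGE = sum(COTI_COT) + sum(HOTI_HOT) + sum(CR_BU_BA)
# SeNERO initial authentication: CoTI/CoT + BU/BA carrying certificates.
SENERO_INITIAL = sum(COTI_COT) + sum(SENERO_INITIAL_BU_BA)
# SeNERO subsequent authentication after a handover.
SENERO_HANDOVER = sum(COTI_COT) + sum(SENERO_LATTER_BU_BA)


def handovers_done(minutes, handovers):
    """Number of handovers that happened up to and including `minutes`."""
    return sum(1 for t in handovers if t <= minutes)


def cr_overhead(minutes, handovers=()):
    """Bytes sent by the original CR protocol after `minutes`.

    Assumption: the periodic refresh is not reset by a handover.
    """
    refreshes = minutes // REFRESH_MIN
    return CR_EXCHANGE * (1 + refreshes + handovers_done(minutes, handovers))


def senero_overhead(minutes, handovers=()):
    """Bytes sent by SeNERO after `minutes` (no periodic signaling)."""
    return SENERO_INITIAL + SENERO_HANDOVER * handovers_done(minutes, handovers)


def senero_saving_percent(minutes, handovers=()):
    """How far SeNERO lies below the original protocol, in percent."""
    cr = cr_overhead(minutes, handovers)
    return round(100 * (1 - senero_overhead(minutes, handovers) / cr))


def break_even(handovers=(), horizon=240):
    """First minute at which the original protocol has sent at least as
    many signaling bytes as SeNERO, or None within `horizon` minutes."""
    for minute in range(horizon + 1):
        if cr_overhead(minute, handovers) >= senero_overhead(minute, handovers):
            return minute
    return None


if __name__ == "__main__":
    print("break-even without handovers:", break_even(), "min")
    print("break-even with handovers at 3, 6, 9 min:", break_even((3, 6, 9)), "min")
```

Under the stated assumption, every handover costs the original protocol 480 bytes against 278 bytes for SeNERO, so frequent handovers move the break-even point earlier.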
After 21 min (1920 bytes), the overhead of the original protocol is almost identical to that of SeNERO. The overhead is 3% above that of SeNERO, for both the absolute signaling overhead and the signaling overhead per minute. After 29 min, the overhead of the original protocol is slightly above the overhead incurred by SeNERO. After 56 and 84 min, the overhead for the original protocol (4320 and 6240 bytes) further increases to 57% and 70% above that of SeNERO, when comparing the absolute numbers. When comparing the signaling overhead per minute, the overhead of SeNERO is 57% and 68% below that of the original protocol for a time duration of 56 and 84 min. These numbers have to be interpreted based on how often the correspondent node is changing. Each time the correspondent node, or rather the associated correspondent router, is changed, route optimization signaling with a full authentication has to be performed.

Table 4 Route optimization signaling message sizes in bytes for old and new protocol.

| Message | CR | SeNERO |
|---|---|---|
| CoTI/CoT | 56/64 | 56/64 |
| HoTI/HoT | 96/104 | –/– |
| Initial BU/BA | 92/68 | 860/879 |
| Latter BU/BA | 92/68 | 92/66 |

Fig. 10. Signaling overhead of SeNERO and original correspondent router protocol as a function of time.

The following two scenarios describe situations that are advantageous for either the original correspondent router protocol or SeNERO.
Scenario 1: The correspondent node is not changing frequently or (a large number of) the different correspondent nodes are served by the same correspondent router. The optimized path is then established and kept alive for more than 20 min. Only the care-of address of the mobile router has to be updated in case of subsequent handovers. SeNERO is then more bandwidth efficient than the original protocol.
Scenario 2: The correspondent nodes are changing frequently and they are located within different networks, therefore also served by different correspondent routers. For each correspondent router, a route optimization procedure with an initial authentication has to be performed. If this happens every 20 min or even less, then the original correspondent router protocol is more bandwidth efficient than SeNERO.
For air traffic control communications, scenario 1 dominates: an aircraft usually remains for more than 20 min within a certain national airspace. During this time, it is communicating with air traffic controllers of that airspace. A single correspondent router can be used to provide an optimized path to all the correspondent nodes located within this national network. Hence, SeNERO can be considered being more bandwidth-efficient than the original correspondent router protocol within the aeronautical communications scenario.
6. Evaluation: security analysis
We first specify a generic threat model that can be used for a security analysis of mobility management protocols. We will then analyze both SeNERO and the original CR protocol.
6.1. Threat model
The following threat model does not cover the topics of end-to-end communications security, access network security, etc. Instead, it focuses on attacks on the packet redirection mechanism of a mobility protocol. Fig. 11 illustrates a generic mobile communications network model. For now we only consider the aeronautical overlay network on the top of the figure, consisting of access networks, correspondent networks and a home network. These different networks are inter-connected by a core network.
The access networks consist of several base stations, an access router and a border router for inter-connection to the core. The end-system (MNN1) in the mobile network that is attached to the access network on the left is communicating with a correspondent node (CN1). The communication path from MNN1 to CN1 is an optimized route flowing via a correspondent router. The end-system (MNN2) in the other mobile network, which is attached to the other access network, is communicating with another correspondent node (CN2). These packets are routed via the home agent. In the Mobile IP context, attacks are directed against the mobile or correspondent nodes. In a NEMO route
optimization scenario, the mobility signaling takes place between MR and CR – the threat model therefore focuses on attacks on these two routers. We distinguish between two basic types of adversaries/attackers: on-path and off-path. On-path refers to a location that is on the optimized, direct forwarding path between mobile router and correspondent router. Off-path refers to a location that is not on this direct path. An on-path attacker can be located (a) in the mobile network itself between the mobile router and the radio/modem, (b) within the same radio cell as the mobile router or (c) be along the optimized routing path where individual packets between the end-systems are forwarded. In all three cases, the adversaries can be either eavesdroppers or man-in-the-middle attackers. An example for case (a) is illustrated by attacker 5 in Fig. 11. It is necessary to be located on the direct link between MR and the access technology modem/radio in order to perform attacks on the mobility signaling itself. An example for case (b) is illustrated by attacker 1. A lack of security in the access technology (layer 2) enables this attack position. Examples for case (c) are attackers 2 and 3 in Fig. 11. These can attempt to either compromise an existing router or to masquerade as a router, e.g., directly to the MR. The four exemplary adversaries listed above (1, 2, 3, 5) are all on-path attackers. An example for an off-path attacker is illustrated by attacker 4 in Fig. 11. This attacker is located close to the home agent, which makes it impossible for the adversary to see packets exchanged on the direct, optimized path. Instead, this adversary only has access to packets that are routed via the home agent. This adversary could have compromised an existing router. Apart from the adversary location, the second important aspect is the set of possible attacks.
Besides mobility protocol specific attacks, we consider all types of generic protocol attacks as listed in [25, Section 1.6]:
Hijacking/masquerading: the adversary masquerades as a MR or CR and steals the mobile network or correspondent router prefix of the authentic router. The traffic of the hijacked prefix can then be redirected to the adversary's location.
Flooding/denial-of-service: the adversary runs an application that requests a large volume data stream. The adversary then performs route optimization with the address of a victim node as care-of address. Thereby the large volume data stream is redirected from the adversary's prefix to the victim's address.
CPU exhaustion/denial-of-service: the attacker overwhelms the CR with a large number of request messages where expensive cryptographic operations have to be performed.
Protocol interaction: the adversary uses route optimization signaling messages in another protocol to have these decrypted, signed, etc. within the other protocol.
Reflection: the adversary sends a protocol message back to the entity that originally sent it or to another entity involved in a message exchange of the same protocol.
Replay: the adversary resends an authentic message originally sent by another node (from either MR or CR).
Preplay: comparable to replay, the adversary injects a message in advance. The receiving node could then ignore the authentic message because it is classified as a duplicate if the preplayed message arrives earlier. The receiver might also establish a protocol state based on the preplayed message that is undesired at this point in time.
Delete: the attacker drops packets exchanged between MR and CR.
Modify: the attacker intercepts, modifies and reinserts an authentic message.

Fig. 11. Generic mobile communications network model with attacker locations (in overlay network). One access networks, networks with correspondent nodes, a home network and one core network.

Cryptanalysis has not been included as an attack. Assuming that the underlying cryptographic algorithms are immune to cryptanalysis, this threat only becomes applicable in case weak cryptographic keys are used. This is not the case for SeNERO – the used key sizes are in line with the recommendations for the year 2030 and beyond [26]. The used algorithms can also be regularly adjusted due to the cryptographic algorithm agility supported by SeNERO.
Table 5 lists which attacks are applicable to which attacker. An off-path attacker can initiate route optimization signaling with the CR from an arbitrary location and attempt to perform mobile network prefix hijacking. Furthermore this adversary can also initiate route optimization signaling using his own, valid mobile network prefix but specify an incorrect location (care-of address) for route optimization. Data will then be routed to this incorrect location, where a victim node can be flooded. The off-path attacker can also perform CPU exhaustion attacks by sending a large number of route optimization messages that have to be cryptographically validated by the CR. The adversary can also attempt to run another protocol with the CR or MR where, e.g., the MR or CR decrypts or signs a message that is then used by the adversary within the route optimization protocol. It is also possible for the adversary to engage in route optimization signaling and reflect authentic messages sent by the MR or CR back to them. On-path attackers (eavesdropper, man-in-the-middle) can launch all attacks possible for an off-path attacker. An eavesdropper is an on-path attacker located either in the mobile network between MR and modem/radio or inside the same radio cell as a MR. This adversary can therefore "see" messages exchanged between MR and CR. This allows the attack of replaying old messages that have been observed. Similarly, the adversary can preplay a message
such that it arrives before the authentic message sent by MR or CR. The man-in-the-middle (MITM) attacker usually controls a router on the forwarding path or masquerades as a router. He can therefore also perform attacks such as modifying or deleting messages exchanged between MR and CR. He can also launch the attacks possible for an eavesdropper.

Table 5 Possible attacks depending on attacker location. The on-path attacker is split into man-in-the-middle (MITM) and eavesdropping. An attack itself is either not applicable (no) or applicable (yes) for a certain attacker type.

| Attack | On-path attacker: MITM | On-path attacker: Eavesdropper | Off-path attacker |
|---|---|---|---|
| Hijacking | yes | yes | yes |
| Flooding | yes | yes | yes |
| CPU exhaustion | yes | yes | yes |
| Protocol interaction | yes | yes | yes |
| Reflection | yes | yes | yes |
| Replay | yes | yes | no |
| Preplay | yes | yes | no |
| Delete | yes | no | no |
| Modify | yes | no | no |

6.1.1. Scenario of aeronautical communications
We will now discuss how the generic threat model applies to our specific scenario. The IP-based Aeronautical Telecommunications Network (ATN) will be a global network operated by entities from different countries and institutions. Due to cost reasons, it will not be physically separated from the public Internet but instead use it as a transit network. This has been visualized in Fig. 11 – the ATN corresponds to the overlay network that is running on top of the Internet underlay. It can be assumed that a segregation is performed at least on the network layer. This implies that the aeronautical networks will use IP addresses that will not be routed from and to the public Internet. The aeronautical environment will also have its own (inter-domain) routing infrastructure to enable routing within the ATN overlay. We now apply the threat model on the aeronautical environment. In current aircraft network designs, there is a physical separation between the safety and non-safety related networks (e.g. passenger domain). We assume that this segregation of the on-board mobile network will still be in place in the future. While access to a safety related network of an aircraft is restricted, we do not consider it impossible for an adversary to attach to this network. The switched on-board network only provides direct links between the router and certified network nodes, which are usually already set up by the airframe manufacturer. A prospective on-board attacker might attempt hijacking such a link, therefore enabling man-in-the-middle or eavesdropping capabilities.
A compromised link between the end-system (mobile network node) and the mobile router is not affecting the route optimization signaling: an eavesdropper has no attack capabilities at all as signaling messages are only exchanged between MR and CR. A man-in-the-middle attacker could successfully prevent communication in general and route optimization in particular by simply dropping packets between mobile network node and MR. This vulnerability is a general problem of packet based communication and not specific to a mobility protocol. This attack is therefore out of scope for this model. However, both man-in-the-middle and eavesdropper are considered at the location between MR and radio/modem, as these adversaries are able to influence or observe the mobility signaling. We assume that ground-networks for safety related communications in the ATN overlay are also segregated from non-safety related networks. We assume that the ground network infrastructure provided by the (authentic) service providers is in general trustworthy. It might be possible that certain nodes are compromised by either insider or outsider adversaries though. For example, a security analysis [27] came to the conclusion that it is possible for a non-authorized individual to gain access to safety related ground network systems. The probability was specified with $10^{-3}$, which is "likely to occur sometimes". Eavesdroppers within the ground network have to be expected, as the aeronautical access technologies that exist as of today do not provide any layer 2 security. Another threat is hackers that gain access to routers of the aeronautical networks (ATN overlay). These routers can be access routers, border routers or routers in the core network. A compromised router in the Internet underlay can also be used for attacks on the ATN overlay. This enables the possibility for both on-path and off-path attackers.
6.2. Security assessment of SeNERO
We now analyze SeNERO with regard to the threat model introduced in Section 6.1. A summary is provided in Table 6. The following investigation is based on the individual signaling messages specified in Sections 3.3 and 3.4.
Modify: in general, an adversary cannot modify binding update/binding acknowledgement without the receiver noticing this operation.
In the initial authentication, both messages are protected by signatures and a HMAC. In subsequent handovers, the HMAC, calculated with the session key Kpk defined in (7), itself is sufficient for ensuring integrity protection.

A special case of modifications are downgrading attacks in the initial authentication, where the adversary intercepts the binding update and sets the cryptographic algorithms specified in AMR to values not supported by the CR. The CR would then be unable to validate signature and HMAC and therefore return a negative binding acknowledgement, specifying that the proposed cryptographic algorithms are not supported. This would constitute a successful denial of service attack, as the MR would be unable to continue. To counter this threat in SeNERO, the CR copies the original algorithm specification AMR from the binding update to the binding acknowledgement. This message is integrity protected and uses the mandatory-to-implement fall-back algorithms, which are listed in ACR. In case of a downgrading attack, the algorithms specified in AMR inside the binding acknowledgement are different from those originally specified by the MR inside the binding update. The MR will detect this anomaly and can verify the authenticity of the negative binding acknowledgement with the fall-back algorithms specified in ACR. The MR can then use the fall-back algorithms for sending another binding update to the CR.

Table 6. Vulnerabilities of SeNERO with regard to different attackers and attacks. The protocol is either resistant to an attack (U) or cannot provide protection from this attack ( ). It is also possible to have a vulnerability that is of only limited use to an attacker (£).
Attack
MITM
Eavesdropper
Off-path attacker
Hijacking (CRP) Hijacking (MNP) Flooding CPU exhaustion Protocol interaction Reflection Replay Preplay Delete Modify
U U £ £ U U U £ £ U
U U £ £ U U U £
U U U £ U U

Deleting messages results in the inability of MR and CR to properly perform route optimization signaling and establish a direct route between each other. This is a general problem applicable to all types of communication systems without any mitigation strategy on a protocol level. This attack is therefore not further addressed.

A preplay could be attempted by on-path attackers on the CoTI/CoT message exchange. The adversary can see the care-of test init message sent by the MR to the CR and then inject a care-of test message with a wrong key K'C. The MR will then use this key for calculating the HMAC on the binding update, which cannot be validated by the CR. Route optimization can then not be successfully completed. Preventing MR and CR from performing route optimization is already possible for the MITM attacker by means of deleting packets. An eavesdropper can only perform this attack if the adversary is capable of sending a CoT message with a forged source address, namely the address of the CR.

A replay attack on the care-of test message, applicable to on-path attackers, fails due to the nonce NC. Replays of binding update or binding acknowledgement, applicable to on-path attackers, also fail. In the initial authentication, a replay of a binding update is prohibited by the timestamp T. The replay of a binding acknowledgement in the initial authentication fails as timestamp T, sequence number S and nonce NC have to match those of the original binding update. For subsequent handovers, authenticated with help of the permanent home key Kpk, the replay of binding update and binding acknowledgement is prohibited as well. This is achieved by sequence number S and nonce NC.
In a reflection attack, the adversary retransmits a received message back to the sender, e.g., sending an already received binding acknowledgement back to the CR to be used as binding update. This is not possible as binding update and binding acknowledgement have different headers and a different message content, most notably prefixes and addresses.

In protocol interaction an adversary could attempt to let a MR or CR sign a binding update or binding acknowledgement message within another protocol. This signed message could then be used for the initial authentication with the MR or CR. If the public–private key pair used for SeNERO is different from the key pairs used in other protocols, this attack is not possible. In case the key pair is shared, the adversary would have to trick the MR or CR into signing a binding update/acknowledgement in the other protocol. As the signatures have to be calculated over the entire message, including protocol headers, other protocols can properly identify these messages as being from another protocol that should not be signed. The attack is not applicable at all to subsequent authentications that are authenticated with the session key Kpk that is generated dynamically within SeNERO.

CPU exhaustion: an adversary could send a large number of binding updates that overwhelm the processing capabilities of the correspondent router, which would be busy with signature verifications. However, the signature verification will not be started before the HMAC has been successfully validated. The adversary therefore has to engage in a care-of test init/care-of test message exchange. Resources in terms of an additional round trip time of signaling have to be committed by the adversary, who can also be traced back to the used care-of address. The vulnerability has therefore been significantly reduced. This initial message exchange is stateless for the CR and does not involve any cryptographic operations. The key KC can be regenerated by the CR upon reception of the binding update message based on formula (4).

A remaining issue is the situation when the CR receives a binding update with invalid algorithms specified in AMR, cf. the modify attack. The CR then has to send a negative binding acknowledgement that is authenticated by a signature. This behavior could be used by the adversary for sending a large number of binding updates without any preceding care-of test init/care-of test message exchange, as the CR is not able to verify the HMAC that is based on an unknown algorithm. When receiving a large number of such binding updates, the CR would be busy with calculating signatures for the binding acknowledgements. To counter this attack, in case the HMAC specified in AMR is invalid, the CR will only return a binding acknowledgement protected by a HMAC and not by a signature. A man-in-the-middle attacker could use this behavior and set the HMAC algorithm specified in AMR inside the binding update message to an algorithm unknown to the CR. The CR then returns a HMAC-only protected binding acknowledgement to the MR, saying that the HMAC algorithm specified in the binding update is not supported. The route optimization process could hereby be blocked by the adversary. This is however already possible for a man-in-the-middle attacker in a much simpler way, by means of deleting messages.

In flooding, an adversary attempts to provide an invalid care-of address to the CR. The care-of test init/care-of test message exchange ensures that a node can only use a care-of address it currently owns. The care-of key KC is bound to a specific care-of address and only valid for a limited time window, cf. the key generation specified in formula (4). An on-path adversary can therefore not reuse an observed key KC that is based on a different care-of address. Due to the limited lifetime, it is not possible to perform a time shifting attack (as with cryptography based identities, cf. Section 7.2), where a care-of address is reused although the adversary does not possess this address anymore.

It is not possible for the adversary to hijack the entire route optimization process, as the care-of key KC only authorizes the usage of the care-of address, but not the usage of the prefixes.

The hijacking of prefixes, owned by either the MR or the CR, is not possible. Assuming the trustworthiness of the underlying public key infrastructure, an adversary will not be able to receive a certificate with an invalid prefix. It is also not possible for an adversary to make use of a stolen certificate, as the calculation of the signature on the binding update and binding acknowledgement requires the associated private key of the MR or CR. The security of the subsequent authentications is based on the knowledge of the permanent home key Kpk that is only known to the MR and CR.
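The care-of key properties used in the flooding and CPU exhaustion arguments above (a key the CR can regenerate without stored state, bound to one care-of address and one time window, and an HMAC check that gates signature verification) are shown below as an added example that is not code from the paper. The HMAC-based derivation, the 60-second window, the message fields and all addresses are assumptions, since formula (4) is not reproduced in this section.

```python
import hashlib
import hmac
import ipaddress

WINDOW_SECONDS = 60  # assumed lifetime granularity of a care-of key


class CorrespondentRouter:
    """CR side of the care-of test and of the first check on a binding update."""

    def __init__(self, secret: bytes):
        self._secret = secret        # known only to the CR
        self.signature_checks = 0    # how often the costly step was reached

    @staticmethod
    def window(now: float) -> int:
        return int(now) // WINDOW_SECONDS

    def care_of_key(self, care_of: str, nonce: bytes, window: int) -> bytes:
        # Assumed derivation: K_C = HMAC(secret, care-of address | nonce | window).
        # One keyed hash, no public-key operation, no lookup of stored state.
        addr = ipaddress.IPv6Address(care_of).packed
        material = addr + nonce + window.to_bytes(8, "big")
        return hmac.new(self._secret, material, hashlib.sha256).digest()

    def care_of_test(self, care_of: str, nonce: bytes, now: float):
        """Answer a care-of test init. The reply depends only on the request,
        the CR secret and the current window, so the CR stores nothing."""
        w = self.window(now)
        return self.care_of_key(care_of, nonce, w), w

    def binding_update(self, source: str, nonce: bytes, window: int,
                       body: bytes, tag: bytes, now: float) -> str:
        current = self.window(now)
        # Limited lifetime: only the current and the previous window are valid.
        if window not in (current, current - 1):
            return "rejected: care-of key expired"
        # Regenerate K_C from the packet's source address, not from a table.
        k_c = self.care_of_key(source, nonce, window)
        expected = hmac.new(k_c, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "rejected: bad HMAC"
        # Only now would the signature be verified (not modelled here);
        # replay checks on timestamp and sequence number are also separate.
        self.signature_checks += 1
        return "HMAC ok: proceed to signature verification"


def demo():
    cr = CorrespondentRouter(secret=b"constructed CR secret")
    mr_addr, other_addr = "2001:db8:1::10", "2001:db8:2::66"  # constructed
    nonce, body = b"\x01" * 8, b"constructed binding update"
    t0 = 1000.0
    k_c, w = cr.care_of_test(mr_addr, nonce, t0)
    tag = hmac.new(k_c, body, hashlib.sha256).digest()
    results = {
        "legitimate": cr.binding_update(mr_addr, nonce, w, body, tag, t0 + 5),
        # Observed K_C replayed from an address it was not issued for.
        "other address": cr.binding_update(other_addr, nonce, w, body, tag, t0 + 5),
        # Binding update sent without any care-of test exchange.
        "no care-of test": cr.binding_update(other_addr, nonce, w, body,
                                             b"\x00" * 32, t0 + 5),
        # Same key presented ten minutes later (time shifting).
        "time shifted": cr.binding_update(mr_addr, nonce, w, body, tag, t0 + 600),
    }
    return results, cr.signature_checks


if __name__ == "__main__":
    outcome, checks = demo()
    for case, verdict in outcome.items():
        print(f"{case:16s} {verdict}")
    print("signature verifications started:", checks)
```

Of the four binding updates only the legitimate one reaches the signature step, which is the cost asymmetry the CPU exhaustion argument relies on.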
6.3. Security assessment of original CR protocol

To allow comparison with SeNERO, we provide a security analysis of the original CR protocol in the following. The possible attacks are listed in Table 7. The Mobile IPv6 return routability procedure has been reused in the original correspondent router protocol. A home key KH is transported inside the home test message that is routed via the home agent. The attacks "modify", "delete", "preplay" and "replay" therefore become applicable for the off-path attacker with respect to this message.

For brevity, we will omit discussing every individual attack as we did for SeNERO. The original CR protocol actually exhibits the same resistance to attacks such as modification, deletion, etc. as SeNERO. Instead, we focus on describing the major differences, the prefix hijacking attacks. The discussion is based on the signaling messages that are shown in Fig. 2.

Vulnerability 1: the attack procedure is equivalent to the well known vulnerability of Mobile IPv6 route optimization to off-path attackers [10,9]. The source of the problem is the home test init/home test message exchange that authenticates the mobile network prefix. The adversary can "see" the key KH included in the home test (HoT) message, which is valid for a particular MR with a certain mobile network prefix. HoT is not encrypted on the path between CR and home agent. The key is therefore exposed to the off-path attacker that is located on the path between home agent and CR. Once KH has been eavesdropped, the adversary can initiate route optimization signaling. A care-of test init/care-of test message exchange with the CR is then performed to retrieve a key KC that is valid for the adversary's own care-of address. Afterwards, the adversary can combine the stolen key KH with the obtained care-of key KC according to formula (1). The resulting key Krr can be used to calculate a HMAC for the binding update. The message will be accepted by the CR, which establishes a route optimization (packet-redirection) state where traffic is redirected from the stolen mobile network prefix to the care-of address of the off-path attacker.
Table 7. Vulnerabilities of original correspondent router protocol with regard to different attackers and attacks. The protocol is either resistant to an attack (U) or cannot provide protection from this attack ( ). It is also possible to have a vulnerability that is of only limited use to an attacker (£).
Attack
Hijacking (CRP) Hijacking (MNP) Flooding CPU exhaustion Protocol interaction Reflection Replay Preplay Delete Modify
MITM
Eavesdropper
Off-path attacker U
£ U U U U £ £ U
£ U U U U £
U U U U U £ U
Vulnerability 2: we have identified an additional vulnerability, which is the lack of mutual authentication. The care-of and home test messages authenticate care-of address and mobile network prefix of the MR, but the CR does not authenticate its correspondent router prefix to the mobile router (footnote 4). An adversary can therefore masquerade as CR and hijack the associated correspondent router prefix. A MITM attacker can achieve this by simply responding with forged packets to the MR, e.g., forged care-of test and binding acknowledgement. An eavesdropper can successfully perform this attack when responding with a forged discovery response packet to the MR. In the original protocol [7], the MR detects the CR by sending a discovery request message to the correspondent router prefix. The CR, when receiving this request, will send a discovery response message that contains the CR server address. The eavesdropper can provide his own address in the forged response after seeing the original request. In both cases (MITM and eavesdropper), the MR will perform the route optimization signaling procedure with the adversary. At the end, the route optimization state is established between the MR and the adversary, who can illegitimately claim the correspondent router prefix.

4 The address of the CR does not have to be authenticated. Performing route optimization signaling with the CR implicitly authenticates the CR server address within the protocol.

Vulnerability 3: we have identified another, new type of attack that is applicable to all types of adversaries (off-path and on-path). The attack allows hijacking the mobile network prefix of a MR, as long as the adversary is in possession of a valid prefix. Within a so called prefix expansion attack, the adversary claims a mobile network prefix that is larger than the prefix the attacker actually owns. This expanded prefix contains the prefixes of other mobile routers, whose traffic is then redirected to the adversary.

The attack is illustrated in Fig. 12. The adversary sends a HoTI (message 1) with a prefix that is larger than the one it actually owns – e.g., a length of /46 instead of the /47. The CR will respond with a HoT message that is sent to a random address within the /46 prefix. A /46 prefix can be split into two /47 prefixes. In the example we assume that one /47 is in possession of the adversary, whereas the other /47 is in possession of another (victim) home agent. The probability for the CR to send the HoT message to either the adversary (message 2a) or the real home agent (victim; message 2b) is each 50%. If the adversary receives the HoT message with home key KH, he can send a binding update that will allow him to redirect all traffic from the /46 to his own care-of address. This means that all traffic to MRs, which are associated with the /47 of the victim home agent, is redirected to the adversary. In reality an adversary might have to expand a prefix by more bits, e.g., from /47 to /42 in order to also include the prefixes of other MRs. While this decreases the probability of the adversary receiving the HoT message, this can be compensated by sending a large number of HoTI messages.

Fig. 12. Prefix expansion attack where adversary owns a mobile router with associated mobile network prefix.

7. Related work

We provide an overview of existing work on route optimization, with an emphasis on packet redirection security. The vast majority of previous work is related to Mobile IPv6 and not NEMO. Address authentication is also relevant for NEMO route optimization though, as the mobile router has to authenticate its care-of address. A summary of the following discussion is provided in Table 8. The individual proposals are categorized into five classes.

7.1. Reachability test

In a reachability test, symmetric keys are transported on-demand between correspondent router and mobile router. The return routability procedure used in Mobile IPv6 is such a test for authenticating care-of address and home address of the mobile host. The original correspondent router protocol proposed by Wakikawa [7] uses the same procedure for authenticating the care-of address and the mobile network prefix of the mobile router, cf. Section 2.2. Another example is MIRON [12], where the mobile router acts as route optimization proxy, reusing Mobile IPv6 signaling to perform route optimization directly with the correspondent node on behalf of the mobile network node.
An advantage of this approach is scalability, as the keys KH and KC are exchanged on-demand between the mobile router and correspondent router. A significant disadvantage is that the key KH is transported in cleartext on the path between home agent and correspondent router. The cryptographic material is therefore exposed to adversaries that are located on this path. Also, an active home agent is required for forwarding the home test messages.

7.2. Cryptographically generated addresses/prefixes

The concept of cryptography-based identities [31] permits to generate an identity, such as an address or prefix, that is cryptographically bound to a public key. The ownership of the identity can be proven by calculating a signature with the private key that is associated to the public key used in the generation.

This approach has been used in Enhanced Route Optimization [29]. A cryptographically generated address (CGA) is used as home address by a mobile host in the Mobile IPv6 context. Here, the home agent is used in the initial authentication of the home address.

Kukec et al. [11] have proposed a Cryptographically Generated Prefix Address (CGPA) for the authentication of a mobile router with a correspondent router in the NEMO context. A CGPA is a standard IPv6 address consisting of a cryptographically generated prefix. The protocol does not provide mutual authentication nor a care-of address authentication.

A general issue with cryptography-based identities is the cryptographic output length. The authors of [14] argue that the 64 bit output of a CGA is not sufficient. Another investigation [32] states that a CGA can be impersonated within a time of 2^59. The output length of 72 bits for a CGPA is not significantly improving the situation. Another issue specifically with CGAs is the lack of "real-time" assurance, as a CGA can be generated and used anytime, even if the mobile node is not currently located at this address, cf. the time shifting attack discussed in [29].

7.3. Zero-knowledge interactive proof

Based on a zero-knowledge system such as the Feige-Fiat-Shamir scheme [33], an address or prefix can be generated from a public key. This approach is similar to the cryptography-based identities discussed in the previous section. The address/prefix ownership proof is based on a 3-pass message exchange where the correspondent node responds with a challenge to the initial request of the mobile node. This challenge has to be answered by the mobile node in the third message using the zero-knowledge system. This 3-pass message exchange replaces the signature that is used in the cryptography-based identity approach.

Le et al. [30] used the Feige-Fiat-Shamir scheme for providing security in the Mobile IPv6 context. Both home address and care-of address are generated from the public key of the mobile host.

A zero-knowledge system suffers from the same problem as cryptography-based identities: the cryptographic output length is limited to 64 bits when used with IPv6 addresses.

Table 8. Overview of the characteristics of the individual protocols for address or prefix authentication in the route optimization context. The authentication types are crypto-based identity (CBID), return routability (RR), certificate (C) and identity-based cryptography (IBC). (U) indicates supported or yes, whereas ( ) indicates not supported or No.
Protocol
Authentication Scope
Type
Wakikawa [7] Kukec [11] Calderon [12] Koo [16] Bernardos [28] Ren [13] Zao [15] Cao [14]
Prefix Prefix Address Prefix Prefix Address Address Address
RR CBID RR C C C C IBC
Arkko [29]
Address
CBID
Le [30]
Address
CBID
HA required
Messages
RTTs
Note
U
3 n/a 3 2 3 3 3 n/a
Security issue inherited from Mobile IPv6 Problems with cryptographic output length Security issue inherited from Mobile IPv6 Care-of address not verified Relies on IKE/IPsec
U
6 n/a 6 10 6 6 6 n/a
U Initial authentication: Subsequent authentication: U
6/4 6 4 4
3/2 3 2 2
Mutual
U U
U U U
U
Central key management center for private key calculation required Problems with cryptographic output length
Home address not verified, no binding acknowledgement exchanged

7.4. Identity-based cryptography

In identity-based cryptography, a public–private key pair is generated from an arbitrary string, the identity, which can be an address or a prefix. A key management center plays a pivotal role in such a system as it provides public parameters as well as a master secret for key generation. The private keys are distributed to the mobile nodes by the key management center. The associated public keys can be calculated by any node with help of the identity and the public parameters, which are obtained once from the key management center.

A specific example for this approach is the work of Cao et al. [14]. The authors propose to use cryptographically generated addresses in the Mobile IPv6 context, where the CGA generation function is based on identity-based cryptography. The authors do not specify a route optimization signaling procedure. The basic properties of their protocol [14] – home agent dependency, limited cryptographic output length – can therefore be considered being equivalent to Enhanced Route Optimization that was discussed in Section 7.2.

A general issue with this approach is the pivotal role of the key management center. In case of a security breach of this entity, the private keys of all nodes can be recalculated by the adversary based on the master secret.
7.5. Traditional public-key cryptography

Classic public-key cryptography relies on every node generating its own public–private key pair. Certificates, as part of an overall public key infrastructure (PKI), are used for distributing the public keys. A public key infrastructure provides an overall high level of security if the individual certificate authorities are trustworthy.

An example for this approach is the proposal of Koo et al. [16] where an optimized route is established between two mobile routers. Certificates for prefix authentication are exchanged between the home agents, which are actively involved in the signaling. It should be noted that within the proposed signaling procedure, the care-of address is not verified.

The authors of the IETF draft [28] propose to use certificates for authentication between a mobile router and correspondent router. The authors rely on the IKE/IPsec protocols for authentication and for securing the signaling messages. Signaling therefore requires four messages for IKE and additional two for the binding update/binding acknowledgement exchange.

A public key infrastructure based approach for Mobile IPv6 has been proposed by Ren et al. [13]. The authentication of the home address is achieved with the help of a certificate that is exchanged between home agent and correspondent node. The route optimization signaling of the mobile host therefore still requires active participation of the home agent. Authentication is only one-way (mobile node to correspondent node).

Zao et al. [15] also proposed a protocol that makes use of a public key infrastructure for home address authentication in Mobile IPv6. A certificate is exchanged between mobile host and correspondent node directly. Due to the usage of the Internet Key Exchange protocol for authentication and secure transport of signaling messages, the total number of exchanged messages is six (three round trip times).

Common to all previous work is that the authors do not provide information on how the IP address/prefix information is stored inside the certificates. SeNERO is the first protocol to make use of IP address extensions [21] inside a certificate.
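Why a certified prefix stops the prefix expansion attack of Section 6.3 while a reachability test alone does not is shown below as an added example that is not part of the paper. The certificate's IP address extension is represented as a plain list of prefixes (certificate parsing and signature validation are out of scope), all prefixes are constructed documentation values, and the uniformly random test address is an assumption.

```python
import ipaddress
from fractions import Fraction


def parse_prefix(text: str) -> ipaddress.IPv6Network:
    # strict=True rejects a prefix with host bits set, e.g. 2001:db8:a::1/47.
    return ipaddress.IPv6Network(text, strict=True)


def prefix_authorized(claimed: str, certified: list) -> bool:
    """True only if the claimed prefix lies entirely inside one certified prefix.

    An equal or more specific prefix passes; a shorter (expanded) prefix that
    merely contains the certified one does not.
    """
    claimed_net = parse_prefix(claimed)
    return any(claimed_net.subnet_of(parse_prefix(c)) for c in certified)


def check_binding_update(claimed: str, certified: list) -> str:
    """Decision a receiver would take on the prefix field of a binding update."""
    try:
        ok = prefix_authorized(claimed, certified)
    except ValueError:
        return "reject: malformed prefix"
    return "accept" if ok else "reject: prefix not covered by certificate"


def reachability_pass_probability(claimed: str, owned: str) -> Fraction:
    """Chance that a test message sent to a uniformly random address inside
    `claimed` arrives inside `owned`. This is all a reachability test proves
    about a prefix, in contrast to the deterministic check above."""
    claimed_net, owned_net = parse_prefix(claimed), parse_prefix(owned)
    if owned_net.subnet_of(claimed_net):
        return Fraction(1, 2 ** (owned_net.prefixlen - claimed_net.prefixlen))
    if claimed_net.subnet_of(owned_net):
        return Fraction(1)
    return Fraction(0)


# Constructed values: the mobile router is certified for one /47 only.
CERTIFIED = ["2001:db8:a::/47"]
CLAIMS = [
    "2001:db8:a::/47",   # exactly the certified prefix
    "2001:db8:a::/48",   # more specific, still inside
    "2001:db8:8::/46",   # expanded by one bit, swallows a neighbouring /47
    "2001:db8::/42",     # expanded by five bits
    "2001:db8:a::1/47",  # host bits set
]


def demo():
    return {claim: check_binding_update(claim, CERTIFIED) for claim in CLAIMS}


if __name__ == "__main__":
    for claim, verdict in demo().items():
        print(f"{claim:20s} {verdict}")
    for claim in ("2001:db8:8::/46", "2001:db8::/42"):
        p = reachability_pass_probability(claim, CERTIFIED[0])
        print(f"random test address inside {claim} reaches the /47 with p = {p}")
```

The /46 claim passes a random-address test half of the time, matching the 50% stated in Section 6.3, yet it is rejected every time by the containment check.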
8. Conclusion

We proposed a NEMO route optimization procedure ("SeNERO") that provides mutual authentication between a mobile router and a correspondent router. A public key infrastructure is used for authorizing the prefixes used in the route optimization process. The care-of address of the mobile router is authenticated by a reachability test. Only four messages and two round trip times of signaling are required by the new protocol.

The deficiencies of the existing correspondent router protocol have been addressed: vulnerability to prefix hijacking attacks, bad handover performance and dependency on the home agent for performing route optimization signaling. It is important to address these deficiencies due to the safety related nature of air traffic control communications (security), the need to support time critical data (handover latency) and for fulfilling the high availability requirements (home agent dependency).

We evaluated our protocol in three different ways. We first showed the handover latency improvements in comparison to the original correspondent router protocol. The simulations based on the realistic aeronautical access technology L-DACS 1 showed that the performance improvement of SeNERO is up to 58% in situations with an average radio cell load. Even if the radio cell is overloaded, an improvement of up to 32% with respect to the median values is possible. In case the radio cell load is small, the improvement can be even up to 81%.

The second evaluation showed that the signaling overhead of SeNERO is 3–70% below that of the original correspondent router protocol, considering a time window of 21–84 min in which the optimized route to a single correspondent router is kept active. This is actually the case for the air traffic control communications scenario that we are considering.

Given a single wireless radio link, seamless handovers for supporting real-time services such as Voice over IP are not possible. This can only be achieved when using multihoming and make-before-break handover strategies, e.g., activating a second wireless radio link and registering the associated care-of address before a handover on the currently used wireless link occurs. Such a strategy can indeed allow seamless handovers, as it has been shown in [34].

The last evaluation was a security analysis. We defined a threat model specifically for this purpose. The security analysis based on this model showed that prefix hijacking attacks are not possible with SeNERO. This is in contrast to the original correspondent router protocol where we identified two new vulnerabilities that allow hijacking both mobile network and correspondent router prefix. Furthermore SeNERO provides a higher level of resilience for end-to-end communications: route optimization can even be performed in the absence of a reachable home agent.
Appendix A. Fulfillment of NEMO RO requirements

The IETF document on NEMO route optimization requirements [3] defines nine required and five desirable characteristics. As SeNERO is based on the correspondent router concept, the basic properties of the protocol are similar to the proposal of Bernardos et al. [28] that is also based on the correspondent router concept. The discussion in [28] on how the NEMO RO requirements are fulfilled therefore also applies to SeNERO. In the following, we will only discuss those requirements that are fulfilled differently by SeNERO when compared to [28].

The rationale for requirement 3 – latency – states that "the approach should minimize latency... during handoff". SeNERO was shown to provide a smaller handover latency than the original correspondent router protocol. When compared to other protocols, e.g., [28], SeNERO also requires a smaller number of signaling messages.

The rationale for requirement 4 – availability – states that "single points of failure need to be avoided". SeNERO introduces a new network node, the correspondent router. Whether the correspondent router increases availability depends on the specific failure situation:

1. Failure of the home agent/home network.
2. Failure within the correspondent network.
3. Failure with inter-domain routing from/to the correspondent network.
4. Failure of the correspondent router.

In the first case, SeNERO increases the availability. The original correspondent router protocol would not be able to establish an optimized path in case the home agent fails. If home agents are replicated and a failover mechanism would be provided, the failure of the home network would still result in non-reachability of the home agents. Again, the original correspondent router protocol would then be unable to establish an optimized path. This is not the case for SeNERO though.

In the second case, connectivity or routing problems within the correspondent network will jeopardize packet forwarding within the entire correspondent network. The correspondent router and the correspondent nodes located in the same network then share the same fate [35]: the correspondent router is not reachable, but neither are the correspondent nodes of that network. There is no change in availability.

In the third case, availability depends on the connectivity degree of the correspondent network. In case the correspondent network is not multihomed, no alternative path to the home network is available. In the case of SeNERO, the home agent is not required and availability has therefore been increased. In case the correspondent network is multihomed, an alternative path to the home network can be used. SeNERO does not improve the availability then.

In the fourth case, the failure of the correspondent router itself would result in the inability to use the optimized path. Packets then have to be exchanged via the home agent again, using the "standard" packet forwarding path where the correspondent router is not involved. The mobile router will detect the non-availability of the correspondent router at the latest when another handover is performed.

A combination of the different cases might also occur. For as long as the correspondent router does not fail, availability has been increased. In case the correspondent network is multihomed and the home agent is reachable, SeNERO does not increase the availability.

Requirement 5 – packet loss – states that the "RO scheme should not cause either loss or duplication of data packets during RO path establishment". While packet loss cannot be entirely prevented in a handover situation, the amount of lost packets will be smaller for SeNERO. This is due to the decreased handover latency, that will also result in a smaller number of lost packets.

Requirement 7 – efficient signaling – states that the protocol must be efficient "in terms of both size and number of individual signaling messages". The overhead evaluation in Section 5 showed that SeNERO is more efficient than the original correspondent router protocol.

Requirement 8 – security – specifies that care-of address and mobile network prefix of the mobile router must be properly validated. The security analysis performed in Section 6 showed the increased level of robustness of SeNERO when compared to the original correspondent router protocol, especially with respect to prefix hijacking.

SeNERO does not address the requirement on nesting – Des2 in [3]. The nesting problem does not apply to the air traffic control domain, where mobile network nodes are directly connected to the mobile router.
A solution to this problem would only be interesting for the passenger domain, where there could be several nested levels of mobile routers, e.g., a passenger using a mobile network node attached to his own mobile router that is in turn attached to the mobile router of the aircraft.

Appendix B. Correspondent router discovery

Prior to performing route optimization signaling, the mobile router first has to discover the correspondent router, in particular its address. As discussed in the document of Bernardos et al. [28], several approaches exist for this problem, each one with its own advantages and disadvantages. When using static pre-configuration, the mobile router knows the addresses and associated correspondent router prefixes for each correspondent router in advance. Different mechanisms for dynamically discovering a correspondent router have been proposed: based on the Domain Name System (DNS), using anycast addressing or dedicated CR-resolver servers. If the mobile router directly attaches to the network where correspondent node and associated correspondent router are located, then the Dynamic Host Configuration Protocol (DHCP) [36] can also be used for retrieving the address of the CR.

We argue that every approach can be useful, depending on the deployment scenario. Correspondent router discovery should therefore not exclusively be based on a single mechanism. Instead, we suggest that all discovery mechanisms should be available for implementation, subject to local decision making by the respective network operator.

The security provided by the different mechanisms varies: it is possible to make use of the DNS security extensions for the DNS based system. A DHCP-based discovery can make use of DHCP security, although its security limitations should be considered. A security mechanism for CR-resolver servers would have to be developed. For the anycast mechanism, there is no security mechanism available. SeNERO therefore provides mutual authentication to ensure that route optimization will only be performed with a legitimate correspondent router. No assumptions are made on how a correspondent router is discovered and what kind of security the used mechanism provides, if at all.

References

[1] International Civil Aviation Organization, Manual on the Aeronautical Telecommunications Network (ATN) Using Internet Protocol Suite (IPS) Standards and Protocols (Doc 9896), first ed., 2010.
[2] V. Devarapalli, R. Wakikawa, A. Petrescu, P. Thubert, Network Mobility (NEMO) Basic Support Protocol, RFC 3963, January 2005.
[3] W. Eddy, W. Ivancic, T. Davis, Network Mobility Route Optimization Requirements for Operational Use in Aeronautics and Space Exploration Mobile Networks, RFC 5522, October 2009.
[4] W. Kampichler, D. Eier, Satellite based voice communication for air traffic management and airline operation, in: Integrated Communications, Navigation and Surveillance Conference (ICNS), 2011.
[5] ICAO Aeronautical Communications Panel, WG F, Off-board communications for vehicle health management, 21st meeting of the working group F, Bangkok, Thailand, December 2009, http://www.icao.int/anb/panels/acp/wgdoclist.cfm?MeetingID=266.
[6] Eurocontrol/FAA Future Communication Study, Communications Operating Concept and Requirements for the Future Radio System, COCR version 2.0, May 2007.
[7] R. Wakikawa, S. Koshiba, K. Uehara, J. Murai, ORC: optimized route cache management protocol for network mobility, in: IEEE 10th International Conference on Telecommunication (ICT), 2003, pp. 119–126.
[8] C. Bauer, NEMO route optimization with strong authentication for aeronautical communications, in: 22nd IEEE Symposium on Personal, Indoor, Mobile and Radio Communications (PIMRC), Toronto, Canada, 2011.
[9] D. Johnson, C. Perkins, J. Arkko, Mobility Support in IPv6, RFC 3775, June 2004.
[10] P. Nikander, J. Arkko, T. Aura, G. Montenegro, E. Nordmark, Mobile IP Version 6 Route Optimization Security Design Background, RFC 4225, December 2005.
[11] A. Kukec, M. Bagnulo, A. de la Oliva, CRYPTRON: CRYptographic prefixes for route optimization in NEMO, in: IEEE International Conference on Communications (ICC), 2010, pp. 1–5.
[12] M. Calderon, C. Bernardos, M. Bagnulo, I. Soto, A. de la Oliva, MIRON: mobile IPv6 route optimization for NEMO, IEEE Journal on Selected Areas in Communications (J-SAC) 24 (9) (2006) 1702–1716. Issue on Mobile Routers and Network Mobility.
[13] K. Ren, W. Lou, K. Zeng, F. Bao, J. Zhou, R.H. Deng, Routing optimization security in mobile ipv6, Computer Networks 50 (2006) 2401–2419.
[14] Z. Cao, H. Deng, Y. Ma, P. Hu, Integrating identity based cryptography with cryptographically generated addresses in mobile IPv6, in: Proceedings of Computational Science and Its Applications – ICCSA 2007, Part II, Lecture Notes in Computer Science, vol. 4706, Springer, 2007.
[15] J. Zao, J. Gahm, G. Troxel, M. Condell, P. Helinek, N. Yuan, I. Castineyra, S. Kent, A public-key based secure mobile ip, Wireless Networks 5 (1999) 373–390.
[16] J.-D. Koo, S.-H. Oh, D.-C. Lee, Authenticated route optimization scheme for network mobility (nemo) support in heterogeneous networks, International Journal of Communication Systems 23 (2010) 1252–1267.
[17] J. Holstein, D. Coombs, Public key infrastructure (PKI) – obstacles to implementation, in: ATA e-Business Forum, Montreal, Canada, 2011.
[18] International Civil Aviation Organization, Machine Readable Travel Documents (Doc 9303), Sixth ed., 2006.
[19] H. Yang, E. Osterweil, D. Massey, S. Lu, L. Zhang, Deploying cryptography in internet-scale systems: a case study on DNSSEC, IEEE Transactions on Dependable and Secure Computing.
[20] R. Perlman, An overview of PKI trust models, IEEE Network 13 (6) (1999) 38–43.
[21] C. Lynn, S. Kent, K. Seo, X.509 Extensions for IP Addresses and AS Identifiers, RFC 3779, June 2004.
[22] A. Varga, et al., The OMNeT++ discrete event simulation system, 2005, http://www.omnetpp.org.
[23] F.Z. Yousaf, C. Bauer, C. Wietfeld, An accurate and extensible Mobile IPv6 (xMIPV6) simulation model for OMNeT++, in: Simutools ’08: Proceedings of the 1st International Conference on Simulation Tools and Techniques for Communications, Networks and Systems & Workshops, 2008, pp. 1–8.
[24] B. Haindl, M. Sajatovic, M. Ehammer, T. Gräupl, M. Schnell, U. Epple, S. Brandes, L-DACS 1 system definition proposal: deliverable D2, in: EUROCONTROL, 2009.
[25] C. Boyd, A. Mathuria, Protocols for Authentication and Key Establishment, Information Security and Cryptography, Springer, 2003 (Chapter: A Tutorial Introduction to Authentication and Key Establishment, pp. 1–31).
[26] E. Barker, Recommendation for key management. Part 1: General, NIST special publication: 800-57, Computer Security, National Institute of Standards and Technology, 2007.
[27] S. Hunt, P. Platt, T. Evans, P. Ryan, M. Ehammer, T. Brikey, NEWSKY Security Concept, deliverable D15, project NEWSKY, October 2009.
[28] C. Bernardos, M. Calderon, I. Soto, Correspondent Router based Route Optimisation for NEMO (CRON), IETF Internet-Draft (work in progress) draft-bernardos-mext-nemo-ro-cr-00, July 2008. http://tools.ietf.org/html/draft-bernardos-mext-nemo-ro-cr-00.
[29] J. Arkko, C. Vogt, W. Haddad, Enhanced Route Optimization for Mobile IPv6, RFC 4866, May 2007.
[30] F. Le, S.M. Faccin, IPv6 address ownership solution based on zero-knowledge identification protocols or based on one time password, Patent, US 7546456, June 2009.
[31] G. Montenegro, C. Castelluccia, Crypto-based identifiers (CBIDs): concepts and applications, ACM Transactions on Information and System Security (TISSEC) 7 (1) (2004) 97–127.
[32] J.W. Bos, O. Özen, J.-P. Hubaux, Analysis and Optimization of Cryptographically Generated Addresses, in: Proceedings of the 12th International Conference on Information Security (ISC), 2009, pp. 17–32.
[33] U. Feige, A. Fiat, A. Shamir, Zero-knowledge proofs of identity, Journal of Cryptology 1 (1988) 77–94.
[34] M.S. Hossain, M. Atiquzzaman, W. Ivancic, Performance evaluation of multihomed NEMO, in: IEEE International Conference on Communications (ICC), Ottawa, Canada, 2012.
[35] D.D. Clark, The design philosophy of the DARPA internet protocols, SIGCOMM Computer Communication Review 25 (1) (1995) 102–111.
[36] R. Droms, J. Bound, B. Volz, T. Lemon, C. Perkins, M. Carney, Dynamic Host Configuration Protocol for IPv6 (DHCPv6), July 2003.
Christian Bauer received the BS and MS degrees in computer science from the University of Innsbruck, Austria, in 2004 and 2006 respectively. Currently he is a researcher at the Institute of Communications and Navigation at the German Aerospace Center (DLR). His research interests are in the area of wireless networking, with a special emphasis on mobility and handover management as well as information and network security.