A Secure IPv6-based Urban Wireless Mesh Network (SUMNv6)

Computer Communications 31 (2008) 3707–3718

Contents lists available at ScienceDirect

Computer Communications journal homepage: www.elsevier.com/locate/comcom

A Secure IPv6-based Urban Wireless Mesh Network (SUMNv6) Ramanarayana Kandikattu *, Lillykutty Jacob Electronics and Communication Engineering Department, National Institute of Technology, Calicut 673601, India

a r t i c l e

i n f o

Article history: Received 29 March 2008 Received in revised form 7 July 2008 Accepted 7 July 2008 Available online 13 July 2008 Keywords: Handover Mobility Return Routability test Route Optimization Security Wireless Mesh Network

a b s t r a c t Security and fast handover are the two major concerns for the existence of Wireless Mesh Network (WMN). Existing solutions for Internet access by mobile users – Mobile IPv6, and its enhancements such as HMIPv6, F-HMIPv6 and HCF – have been designed to improve the handover latency without any light weight security considerations. The Route Optimization (RO) of MIPv6 introduces new security threats and the Return Routability (RR) test is only a weak solution for MIPv6 supplemented Internet. This paper proposes a secure F-HMIPv6-based framework to WMN that offers secure and fast handover as well as secure RO. The proposed framework addresses the security threats to both MIPv6 and WMN, improves the security of the existing RR test, and uses efficient key management. It is designed to enable secure, fast, and efficient signaling and communications for mesh clients within WMN as well as with outside world. This paper presents detailed cost analysis and numerical results to compare the proposed scheme with HMIPv6. Ó 2008 Elsevier B.V. All rights reserved.

1. Introduction Wireless Mesh Network (WMN) [1] is expected to play a major role in future anywhere-anytime communications. WMNs have received significant attention by the research community as well as by the industry and standard organizations because, they offer the flexibility of wireless access, combined with a high coverage area, reliability, and cost efficiency. WMN has been advocated as major component of the next generation Internet. It comprises dedicated backbone wireless routers and gateways to offer last mile broadband connectivity to the mesh clients. The demand for a variety of wireless applications that require a mesh network is exploding. Typical applications are, broadband home network, enterprise network, community network, metropolitan area network, intelligent transportation network, Industrial automation network, sensor network, and emergency or rescue networks [1]. Users of WMN demand seamless Internet access while they are in move. This requires frequent handover from one WMN domain to another WMN domain. MIPv4 [2] and MIPv6 [3] give solution for IP support to mobile users. MIPv6 and its subsequent improvements such as HMIPv6 [4], FMIPv6 [5], F-HMIPv6 [6], and HCF [7] have been proposed to improve handover performance. Security is another important concern for the existence of WMN. MIPv6 based protocols offer IPSec [8] based security. IPSec helps only in end-to-end authentication and security between two network entities that already have the security association between them. * Corresponding author. Tel.: +91 495 2286700; fax: +91 495 2287250. E-mail addresses: [email protected], [email protected] (R. Kandikattu). 0140-3664/$ - see front matter Ó 2008 Elsevier B.V. All rights reserved. doi:10.1016/j.comcom.2008.07.003

Without some pre-established security associations, especially over wireless and dynamic connections, building low-cost secure channel is still a challenge. IPv6 and its security extensions do not address the problem of handling public key infrastructure in a very large scale with many dynamic communication channels. Rapid changes in the network topology make the job even harder. Roaming mesh clients may not have the prior security associations and trust relations among themselves. Considering these facts, it is necessary to address key setup procedure, secure and fast mobility management architecture suitable for WMN. Route Optimization (RO) is a built-in feature of MIPv6 that avoids triangular routes between mobile node and correspondent node. Though, RO improves network performance it invites new security threats not only to MIPv6 network but also to the whole Internet [15,16]. MIPv6 standard uses an infrastructure-less solution called Return Routability test (RR test) [5] to make ‘MIPv6 supplemented Internet’ at least as safe as ‘IPv4 based Internet without mobility’. Though RR test eliminates many potential attacks on Internet, but still leaves certain weak links which allow smart attackers to carryout attacks. This paper proposes a secure Wireless Mesh Network architecture called SUMNv6 that addresses both secure fast handover and improved RO security. This paper has three major contributions. The first is the application of Identity-Based Cryptography (IBC) for public-private key setup and pair-wise shared key setup among the participating nodes in WMN to promote security. The second contribution is in providing mechanisms for ‘secure handover to support micro-mobility and macro-mobility’ in the realistic future broadband WMN that is assumed to be operated by different operators, controlling several wireless domains, which are either geo-

3708

R. Kandikattu, L. Jacob / Computer Communications 31 (2008) 3707–3718

2. Background and related work

MN moves to a different link in the same MAP domain, it requires to register new LCoA with MAP. RCoA does not change as long as mobile node is in the same MAP domain. HA outside the MAP domain knows only inter-domain movements of mobile nodes. Thus, HMIPv6 reduces the signaling overhead by limiting the binding update with local MAP for intra-domain handover. However, HMIPv6 does not address any key distribution and security association among different entities. Though HMIPv6 considers the delay saving due to location update, it does not consider any specific mechanism to reduce delay incurred in movement detection and address auto-configuration.

2.1. Mobile IPv6

2.3. Fast handover for MIPv6 (FMIPv6)

Mobile IPv6 (MIPv6) [3] has been designed to facilitate mobility support for mobile nodes in a IPv6-based wireless LAN integrated with Internet. Route Optimization and IPSec based security are built-in features of MIPv6, whereas these are non-standard extensions of MIPv4. The stateless address auto-configuration and neighbor discovery features in MIPv6 eliminate the need for Foreign Agents (FAs). According to MIPv6, a Mobile Node (MN) can learn of its arrival to a new foreign network by receiving the Router Advertisements (RAs). If it is in a foreign network, MN can configure its Care-of Address (CoA) taking the foreign network prefix as the first 64 bits and its MAC address in EUI-64 format as the remaining 64 bits using stateless address auto-configuration technique. Then, the MN can register the CoA with its Home Agent (HA) by sending Binding Update (BU) message. HA records the binding information between MN’s home address and CoA in binding cache and then responds MN with Binding Acknowledgment (BA) message. After building the binding entry for the MN, the HA uses proxy neighbor discovery to intercept data packets routed to the MN’s home address and tunnel them to the MN’s current CoA. The Route Optimization needs every MN to register its CoA binding information with all its Correspondent Nodes (CNs). This allows a CN to send packets directly to a MN without the help of the HA. MIPv6 protects all the control packets such as BU, BA, using IPSec. A security procedure called Return Routability (RR) test is used to authorize the establishment of binding with CNs. MIPv6 does not address the security association and key setup procedure among the participating entities. For highly mobile applications that need frequent handover, MIPv6 is not a suitable solution because it degrades overall efficiency of the network due to packet loss and handover latencies.

Handover mechanism involves three components: movement detection, IP address configuration, location update. As FMIPv6 [5] does not use a hierarchical mobility management architecture like HMIPv6, it does not address location update latency. But it reduces the latency due to the other two. According to FMIPv6 protocol, a MN while in move gets the prospective next router details either using link layer specific mechanisms like scan or using special router discovery mechanisms. Then computes the prospective new CoA before handover takes place. This prior information reduces delays incurred in movement detection and address auto-configuration. FMIPv6 allows bidirectional tunneling between previous access router and new access router to avoid packet loss during binding update. This process makes real time applications transparent to handover. FMIPv6 gives a better mechanism than MIPv6 to support real time traffic at the expense of more signaling overhead.

graphically adjacent or non-adjacent to each other. The third contribution is the design of an enhanced RR test suitable for SUMNv6. The rest of the paper is organized as follows. Section 2 gives an overview of preliminaries. Section 3 presents a detailed description of the proposed framework. Section 4 presents a simple security analysis. Section 5 gives a detailed cost analysis and numerical results to compare the proposed protocol with HMIPv6 protocol. Finally Section 6 presents the conclusion and future work.

2.2. Hierarchical Mobile IPv6 (HMIPv6) Hierarchical Hierarchical Mobilev6 (HMIPv6) [4] is an enhancement of Hierarchical Mobilev6 that reduces handover latency. It introduces a new entity called Mobile Anchor Point (MAP), which is a mobility agent that manages many Access Routers (ARs). Each AR is interfaced with many Access Points (APs) covering a subnet. Thus, each MAP domain covers a larger geographical area comprising many subnets. MAP is the default gateway router to all the MNs within its domain. According to HMIPv6, each mobile node is addressable by a onLink Care-of Address (LCoA) and a Regional Care-of Address (RCoA). LCoA gives the link or subnet to which it is attached, where as RCoA gives the mobile node’s current MAP domain. When a mobile node enters a new MAP domain, it receives router advertisements containing MAP’s information and it configures its RCoA and LCoA. It sends BU message to register its new RCoA with its HA and all CNs, and also registers its LCoA with MAP. HA tunnels the first packet destined to MN to its new RCoA. Then MAP at RCoA tunnels the packet to the MN’s LCoA. Through RO the subsequent packets are directly routed to RCoA. When the

2.4. Fast handover for HMIPv6 (F-HMIPv6) Fast HMIPv6 employs both the hierarchical structure of HMIPv6 and improved movement detection and address auto-configuration of FMIPv6, with reduced signaling and processing overhead. In FMIPv6, MNs exchange signaling messages with ARs for movement detection and fast handover, where as in F-HIMPv6 [6] MNs exchange these messages with MAP. 2.5. Handover Control Function (HCF) based handover for MIPv6 HCF [7] is also an enhancement for MIPv6 to support fast handover. HCF based MIPv6 uses an entity called handover control function similar to MAP in HMIPv6. HCF maintains a record of information regarding network prefix of its attached ARs and MAC addresses of all the APs under its control. HCF based network uses network-assisted handover, wherein a MN that requires fast handover, gets the information about the MAC addresses of APs in its vicinity and their signal strength. MN informs these details to the associated HCF. Then HCF decides to which AR the MN should associate with based on MN’s service conditions, and sends the new AR information to MN. Then MN configures its new CoA based on new AR’s network prefix. This framework uses the fact that the configured CoA is unique globally, because it is based on its globally unique MAC address. Thus HCF avoids Duplicate Address Detection (DAD) [2] and thereby saves delay in processing DAD. 2.6. Security issues in MIPv6 and its enhancements The prominent security issue in MIPv6 design is the RO security because MIPv6 assumes no security association between the MN and a random CN. This gives room for various attacks on MIPv6 nodes as well as on the Internet. MIPv6 designers assume that it is not feasible to build a global authentication infrastructure.

R. Kandikattu, L. Jacob / Computer Communications 31 (2008) 3707–3718

But, authors of [13] argue the feasibility of building a global authentication infrastructure. This argument is based on the fact that IPv6 addressing is hierarchical in nature. In [13] authors illustrate the procedure as follows: every MIPv6 node is administratively connected to its home domain. By cryptographically connecting related fragmented individual administrative domains to their upstream service providers, and then connecting upstream service providers to next level aggregator, and then connecting Next Level Aggregator (NLA), to Top Level Aggregator (TLA), constructing a hierarchical security infrastructure is possible. Since top level aggregators belong to tier-1 ISPs and their number is less and have strong security association among them, building global infrastructure is practicable. In the global security infrastructure explained above, authentication of a MN requires authentication of a hierarchy of administrators either using Certificate-Based Cryptography (CBC) or Identity-Based Cryptography (IBC). CBC requires verification of certificates and signatures of hierarchy of all administrators. This process incurs heavy processing and communication overhead and causes delay. It may not support real time or seamless handover while the mobile is on move across domains, which challenges the very purpose of handover. Return Routability test (RR test) [15] is an infrastructure-less solution and has two components, Home address Test (HoT) and Care-of address Test (CoT). These tests ensure that the mobile node’s home address and care of address are the same as what it claims to be. RR test is a simple and elegant method that uses minimal computations at both CN and MN side. Though RR test cannot completely rule out the possibility of attacks, it drastically reduces the number of malicious nodes and restricts their locations. Secure HMIPv6sec [22] is a security extension to HMIPv6 protocol. This is based on a mechanism called Cryptographically Generated Addresses (CGA) [14]. CGA is a technique whereby an interface part of IPv6 address of a node is cryptographically associated with node’s public key and some other parameters. But CGAs themselves are not certified. Therefore, a malicious node can generate CGA using its public key. This protocol also allows nodes to use its self generated public–private key pair and does not require trusted third party. Even though the IP address and public key are cryptographically associated, if the public key is not certified by any trusted authority then the association between public key and node cannot be verified. Malicious node can generate its own public–private key pair and can enter the network and then access the resources illegally. In summary, secure RO has two different solutions: an infrastructure-less and lightweight solution that still gives room for various attacks [17]; an infrastructure based solution that can not meet the real time handover latency requirements. Therefore, secure RO is still an open research problem. Our proposed SUMNv6 adopts RR test without any changes at CN side but uses the advantage gained by secure mesh network architecture. This solution reduces the possibility of attacks on RO by minimizing weak links. Further, it uses IBC to simplify the key setup. 2.7. Identity-Based Cryptography—preliminaries Conventional certificate-based cryptography requires a lengthy (typically 1K Byte) certificate to distribute the public key among the participating nodes. In the WMN scenario, the certificate is piggy-backed on the control packets to distribute public key. This method incurs heavy routing overhead, network bandwidth and computational resources. IBC eliminates the need for certificates because public key of an authorized participating node can be extracted from the identity of that node. Moreover IBC allows any pair of authenticated clients to generate pair-wise shared key if their identities are known to each

3709

other. Shamir introduced the concept of IBC [10]. Later Boneh et al. proposed a basic Identity-based signature scheme [11] and presented Identity- based encryption scheme using pairing technique [12]. These schemes are based on bilinear maps using Weil or Tate pairing, defined over super singular elliptic curves. The introduction of IBC revolutionized public key cryptography and opened new methods for distributing keys in pervasive and ubiquitous networks. A good survey on pairing-based cryptographic protocols is provided by [9]. The following gives an overview of the basics of pairing technique. 2.7.1. Bilinear pairing Let G1 be an additive group and G2 be a multiplicative group of the same prime order q. Let P be an arbitrary generator of G1 : Assume that the discrete logarithm problem is hard in both G1 and G2 : A mapping F : G1  G1 ! G2 satisfying the following properties is called a cryptographic bilinear map as defined by Boneh et al. [11].

– Bilinearity: FðaP; bQ Þ ¼ FðP; Q Þab ¼ FðaP; Q Þb ¼ FðP; bQ Þa for all P; Q 2 G1 and a; b 2 Z q , where Z q ¼ f1; 2; . . . . . . q  1g. – Non-degeneracy: If P is a generator of G1 , then FðP; PÞ is the generator of G2 ; in other words FðP; PÞ 6¼ 1. – Computability: There exists an efficient algorithm to compute FðP; Q Þ for all P; Q 2 G1 . Modified Weil and Tate pairings on an elliptic curve over a finite field are examples of cryptographic bilinear maps. 2.7.2. IBC algorithms IBC requires a trusted authority called Private Key Generator (PKG). User submits any arbitrary bit string (e.g., IP address, email) as its ID to PKG in order to obtain its private key. User can extract its public key from its ID either directly or by applying a domain hash function on it as per the rules stipulated in the employed IBC system. An IBC system consists of the following important algorithms: – Setup: PKG generates domain parameters that are publicly known while the master key is kept secret. – Extract: PKG generates private key corresponding to user’s ID using its master key. – Encrypt: User-1 encrypts the message using User-2’s public key, which is generated from User-2’s ID using a publicly known function. – Decrypt: User-2 decrypts the message using its private key. – Signature: User-1 appends signature that is calculated over the message using its private key. – Verify: User-2 verifies User-1’s signature using User-1’s public key that is extracted from User-1’s identity. User-1 and User-2 are any two authorized IBC-entities having knowledge of domain parameters. The survey by Dutta et al. [9] and the references therein provide more detailed description about various pairing based cryptographic protocols. 3. Proposed framework: Secure Urban Mesh Network (SUMNv6) Secure Urban Mesh Network (SUMNv6) adopts the hierarchical structure and fast handover mechanisms that are used in FHMIPv6. It is a secure version of F-HMIPv6 applied to WMN. It has efficient key management and relatively strong RO security. The hierarchical structure of SUMNv6 is shown in Fig. 1 and the notations used in this framework are given in Table 3. Each operator’s wireless network may contain a single regional domain or many regional domains that are either physically

3710

R. Kandikattu, L. Jacob / Computer Communications 31 (2008) 3707–3718

Fig. 1. Secure Urban Wireless Mesh Network (SUMNv6).

adjacent to each other or isolated. Each regional domain contains the hierarchical structure shown in Fig. 1. Regional Agent (RA), Local Agent (LA) and Access Point (AP) in this framework are functionally similar to Mobility Anchor Point (MAP), Access Router (AR) and Access Point (AP) defined in HMIPv6, respectively. SUMNv6 assumes that all the RAs and LAs are static or less mobile forming backbone network to support inter-mesh and mesh-Internet communications. 3.1. IP address setup Unlike F-HMIPv6, SUMNv6 uses truly hierarchical address structure. According to MIPv6, IP address contains a 64-bit network prefix and 64-bit interface part. As per MIPv6, if each LA and its subnet in a regional domain is addressed by a different network prefix, they may use only a small portion of 64-bit address space and lot of address space may left unused. SUMNv6 addresses this issue and uses the address space optimally: Each RA uses 64bit uniquely routable network prefix. The corresponding address space is divided into two parts. One part with MSB ‘0’ followed by 63-bit space is allotted for RA, home address of MC, and regional Care-of Address of MC. While the other half with MSB ‘1’ followed by 63-bit space is allotted for LA and LCoA of MC. This is illustrated in Table 1. Each operator is identified by a unique 16-bit identifier with MSB set to zero. Each LA has an associated 16-bit identifier with MSB set to one. An LA, which is serving under a RA, uses the same network prefix as that of RA followed by its associated 16-bit identifier. Serving RA’s network prefix followed by LA’s 16-bit identifier (64 + 16 = 80 bits) serves as the extended network prefix to the LA which is unique within the regional domain. LA advertises extended network prefix in its router advertisements within SUMNv6. Therefore SUMNv6 allows each RA to serve 215  1 different LAs and each LA to serve 248  2 different APs and MCs, thus providing efficient address utilization than the IPv6 standard. In this architecture, RA’s IP address and MC’s HoA/RCoA carry additional information about its operator. Similarly, MC’s LCoA carries additional information about its serving LA. The extended network prefix based addressing scheme used in SUMNv6 is transparent to the outside world. Packet from any Internet node destined to MC, first reaches the concerned RA with the help of 64-bit unique network prefix. The RA routes the packet to the concerned LA with the help of 16-bit LA identifier embedded in the LCoA address of MC. The LA then forwards the packet to the concerned MC with the help of its unique MAC address. For efficient routing among the mesh LAs SUMNv6 requires an intra-domain routing protocol, which is assumed to exist.

The concepts of LCoA, RCoA, HoA are the same as that of HMIPv6 except for the change in address structure. HoA is the permanent IP address of a mesh client. HoA is formed by concatenating its home network prefix (64 bits), operators identifier (16 bits), and its MAC address (48 bits). MC is known to the outside world by this address. Any packet addressed to MC’s HoA first reaches its HA through conventional IP routing. HA uses its binding cache to locate MC’s LCoA/RCoA and forwards the packet. LCoA and its configuration: From the router/LA advertisements, a MC gets LA’s extended network prefix and ID. By comparing the first 64 bits of received extended network prefix with its home network prefix MC can check whether it is in home domain or foreign domain. Then it can also ensure whether the network operator is same as its registered operator by verifying operator identifier in the LA’s ID. This paper considers a single operator case. SUMNv6 can be extended to multiple operators with inter-operator services as well. When MC is in the home domain, it configures LCoA by concatenating LA’s extended network prefix (80 bits) and its MAC address (48 bits) and sends the binding update to its RA, i.e., in this case it is HA. RA/HA records HoA, LCoA association in its binding cache. MC needs to send binding update periodically to renew its location information with RA/HA. RCoA and its configuration: When MC is in a foreign domain but operated by its registered operator then MC has to configure RCoA also in addition to its LCoA. LCoA configuration is similar to the process explained above. MC sends the LCoA binding update to its RA (in this case it is FA). MC configures RCoA by concatenating network prefix, operator’s identifier and its MAC address. MC registers its RCoA binding with HA. RCoA binding update is used for registering macro-mobility and LCoA binding is for registering micro-mobility. HA is transparent to MC’s micro-mobility within the foreign network and is informed only when movement takes place across regional domains. Local mobility within the regional domain is managed by RA itself. In SUMNv6, LCoA and RCoA addresses of a node are unique because they use unique MAC address, therefore Duplicate Address Detection (DAD) process is not required at RA. Thus SUMNv6 saves delay in performing DAD. 3.2. Identity setup SUMNv6 requires each entity to get identity, private key, IBC domain certificate, before entering the network. Operator issues them to the registered entity such as MC, LA, and RA by some secure means after thorough verification. Table 2 gives the identity structure used and Table 3 gives the notations used. The freshness of identity is decided by the expiry time. 3.3. IBC Operations 3.3.1. Domain parameter setup IBC requires a trusted third party called Private Key Generator (PKG) to generate the public-private key pair corresponding to each node’s identity using pairing based mechanisms. In SUMNv6, operator does the role of trusted third party. It performs the following domain-parameter initialization: – Generates the pairing parameters ðq; G1 ; G2 ; F; P; H1 Þ. – Picks a random s 2 Z q as domain secret and computes domainpublic key as Ppub ¼ s:P. We use the domain-parameters ðq; G1 ; G2 ; F; P; H1 ; P pub Þ; and define the domain certificate as: (domain-parameters, s:H1 (domainparameters). The operator must keep ‘s’ confidential, while making domain-certificate publicly known. All the entities under an operator use the same domain parameters. The concept of bilinearity gi-

3711

R. Kandikattu, L. Jacob / Computer Communications 31 (2008) 3707–3718 Table 1 SUMNv6 IP address structure

Table 3 Notations Symbol

Meaning

Data structure

Ok RAj;k LAi;j;k

Operator’s 16-bit identifier RA’s IP address LA’s IP address

IDRAj;k

Operator k RA j controlled by operator k LA i under RA j controlled by operator k MC i under RA j controlled by operator k Identity bitwise concatenation of message segments m and n identity of RAj;k

IDLAi;j;k

identity of LAi;j;k

IDMC i;j;k

identity of MC i;j;k

HO1 k

Domain hash function H1 of operator k Domain certificate of operator k Domain secret s of operator k Private key of RAj;k Public key of RAj;k Private key of LAi;j;k Public key of LAi;j;k Private key of MC i;j;k Public key of MC i;j;k Entity A broadcasts message m Entity A unicasts message m to entity B Signature of entity A over message m Sequence number of node X Shared key between node X and node Y Hash(K XY , message)

MC i;j;k ID m; n

ven in Section 2.7 allows checking the legitimacy of the domain parameters, by validating the domain certificate as follows: FðP; s:H1 (domain-parameters))=Fðs:P; H1 (domain-para- meters)) =FðPpub ; H1 (domain-parameters)). 3.3.2. Extract Operator generates public key from the ID of its entity by applying domain hash on it, and computes the corresponding private key by multiplying public key with domain secret s. The public-private key pair for RA, LA, MC are generated as follows: O

K RAjk ¼ H1 k ðIDRAjk Þ O

Ok k K 1 RAjk ¼ s :H 1 ðIDRAjk Þ O

K LAijk ¼ H1 k ðIDLAijk Þ

Domain  cert Ok sOk K 1 RAj;k K RAj;k K 1 LAi;j;k K LAi;j;k K 1 MC i;j;k K MC i;j;k A ! : m A ! B: m

O

Ok k K 1 LAijk ¼ s :H 1 ðIDLAijk Þ

m; SignK 1 ðÞ A

O

K MC ijk ¼ H1 k ðIDMC ijk Þ

seqX K XY

O

Ok k K 1 MC ijk ¼ s :H1 ðIDMC ijk Þ

Note that, the superscript Ok is used to denote operator k0s domain parameters. 3.3.3. Pair-wise shared key setup Once registered entities (e.g., MC 1;1;1 and MC 2;1;1 ) in an administrative domain are equipped with their ID, domain parameters, and public-private key pair, then they can establish pair-wise shared key with each other using bilinearity as given in (1). O1 K MC 1;1;1 ;MC 2;1;1 ¼ F O1 ðK 1 MC 1;1;1 ; H 1 ðIDMC 2;1;1 ÞÞ

¼ F O1 ðsO1 :HO1 1 ðIDMC 1;1;1 Þ; HO1 1 ðIDMC 2;1;1 ÞÞ ¼ F O1 ðHO1 1 ðIDMC 1;1;1 Þ; sO1 :HO1 1 ðIDMC 2;1;1 ÞÞ ¼ F O1 ðHO1 1 ðIDMC 1;1;1 Þ; K 1 MC 2;1;1 Þ ¼ K MC 2;1;1 ;MC 1;1;1

ð1Þ

3.4. SUMNv6 signaling and security SUMNv6 has two aspects of security: (i) security of signaling and data messages within the mesh network; (ii) authentication and authorization of BU and BA during the RO process. IBC allows only authorized clients to take part in WMN communications. IBC based shared key setup allows secure data packet communication among different mesh clients. The secure binding update with CN is based on the same assumption as in standard MIPv6, i.e., there

Table 2 Identity structure of different entities in SUMNv6

MIC XY

MC’s IP address(Home Address) — — ðRAj;k , operator’s identifier, expiry time) ðLAi;j;k , operator’s identifier, expiry time) ðMC i;j;k , operator’s identifier, expiry time) — — — sOk :HO1 k ðIDRAj;k Þ HO1 k ðIDRAj;k Þ sOk :HO1 k ðIDLAi;j;k Þ HO1 k ðIDLAi;j;k Þ sOk :HO1 k ðIDMC i;j;k Þ HO1 k ðIDMC i;j;k Þ — — — 32-bit number — —

is no security association between MC and a random correspondent node and there is no globally trusted infrastructure to support secure RO. SUMNv6 registration (binding update) process with HA/ RA is illustrated in Fig. 2. As soon as a MC is powered on, it first identifies its current regional domain with the help of LA advertisements. LA periodically broadcasts (link local multicasts) agent advertisement through all APs connected to its interfaces. Agent advertisement contains its ID, i.e., IDLAijk ; domain  certOk , and a sequence number seqLAijk . It appends its signature over the entire message with its private key K 1 LAijk as in (2). Note that SUMNv6 uses sequence number to protect the message from replay attacks. Node increments sequence number by one each time it sends the similar message, e.g., LAijk increments seqLAijk each time it generates a new advertisement.

LAijk !  : IDLAijk ;

domain  cert Ok ; seqLAijk ;

SignK 1 ðÞ LAijk

ð2Þ

All the MCs which are at one hop distance from the LA can receive the message. Upon reception of advertisement of LAijk by MC 1;1;1 , it first determines whether it is in the home domain or foreign domain by comparing its network prefix and operator codes with that

3712

R. Kandikattu, L. Jacob / Computer Communications 31 (2008) 3707–3718

of the agent LAijk . Note that LA’s ID itself contains its extended network prefix with embedded operator identifier. If it is in the same operator’s domain, it performs the following operations in sequence: (i) checks whether the message is fresh with the help of seqLAijk ; (ii) ensures that LAijk is not expired, by examining the expiry-time field; (iii) verifies the signature; If all these checks are satisfied, then MC 1;1;1 authenticates agent LAijk . If MC happens to receive the advertisement first time from that LA, then it cannot check (i); in that case it verifies (ii) and (iii) and if they are valid then MC creates a table to record LA’s ID, seqLAijk and delete-time. Delete-time is the time after which the entry is deleted from the table. The following two cases can exist depending upon MC’s current RA. 3.4.1. Home RA-Secure LCoA registration If MC 1;1;1 is in its home domain, it configures LCoA as explained in Section 3.1 and sends local binding update (LBU) as in (3)

MC 1;1;1 ! LAijk : LBUðHoA; LCoAÞ; IDMC 1;1;1 ; domain  cert O1 ; SignK 1

MC 1;1;1

ðÞ

ð3Þ

LA does the following, after receiving the registration request: (i) checks if the message is fresh by checking sequence number in the BU; (ii) ensures that the ID is not expired by verifying the expiry time; (iii) validates the signature; and, (iv)verifies whether LCoA is configured according to the current location by tallying its extended network prefix with that of MC and also compares MAC address in the ID with that in LCoA.

These verifications ensure that: (i) the MC is an authorized node; (ii) the request is fresh; and, (iii) LCoA is configured correctly according to the MC’s current point of attachment. If all the verifications are satisfactory then LA forwards this update as in (4) to its associated RA through secure channel between them otherwise it drops the request.

LAijk ! RA : LBUðHoA; LCoAÞ;

MIC LAijk RA

ð4Þ

It is assumed that all the RAs and LAs under an operator establish pair-wise shared keys among themselves and establish secure channel between each pair as soon as WMN is formed. LA/RA uses keyed Message Integrity check Code (MIC) to protect integrity of control packet. RA verifies the request and creates a binding entry in its binding cache and records the association between MC’s HoA and LCoA with expiry time. Each MC registered under RA should update its location information as and when MC moves to another link in the same RA or before the lapse of expiry time, otherwise entry will be deleted from RA’s cache. RA sends all the packets meant for a MC with the help of binding information. RA responds with Binding Acknowledgment (BA) to MC. Note that, the LA does the BU signature verifications and responds with BA on behalf of RA to reduce the computational overhead on RA. Since LA and RA have mutual trust relations RA trusts the verifications done by LA. This distributed mechanism reduces computational load on RA. 3.4.2. Foreign RA-RCoA and LCoA registration When MC moves away from its home region, it registers LCoA with RA as explained in the previous subsection. In addition to that

Fig. 2. Secure Location update and fast binding update processes.

3713

R. Kandikattu, L. Jacob / Computer Communications 31 (2008) 3707–3718

it registers RCoA with HA. MC sends message (3) for LCoA binding update and message (5) for RCoA update.

MC 1;1;1 ! LAijk : BUðHoA; RCoAÞ; IDMC 1;1;1 ; MIC MC 1;1;1 HA ; MIC MC 1;1;1 LAijk

ð5Þ

Upon receiving BU, serving LA verifies signature in (3) and authenticates MC. LA validates MIC in (5). Then it validates RCoA and LCoA addresses based on MC’s location similar to the verification process detailed in Section 3.4.1. This process avoids any malicious node to send fake BU to any LA. LA drops such impersonated BU. Once BU is authenticated then LA sends BU to its associated RA. LA sends messages (4) and (6) one after another.

LAijk ! RA : BUðHoA; RCoAÞ; IDMC 1;1;1 ; MIC MC 1;1;1 HA ; MIC LAijk RA

MIC MC 1;1;1 HA ; IDRAi;j ; MIC RAHA

ð7Þ

HA verifies MIC RAHA of foreign RA and authenticates Foreign RA. It also verifies MIC MC 1;1;1 HA . After satisfactory verification, home RA records the association between MC’s HoA and RCoA in its binding cache and then sends binding acknowledgment (BA) to foreign RA with MIC HARA as in (8).

HA ! RA : BAðHoA; RCoAÞ; IDHA ; MIC HARA ; MIC HAMC

NLA PLA NLCoA PLCoA RtSolPr PrRtAdv FBU FBACK LBU LBACK HI HACK FNA

New local agent Previous local agent New on-link Care-of Address Previous on-link Care-of Address Router solicitation for proxy advertisement Proxy router advertisement Fast binding update Fast binding acknowledgment Local binding update Local binding acknowledgment Handover initiate Handover acknowledgment Fast neighbor advertisement

ð6Þ

Foreign RA verifies MIC LAijk RA and then sends the BU(HoA,RCoA) to MC’s HA after attaching its MIC RAHA as in (7).

RA ! HA : BUðHoA; RCoAÞ; IDMC 1;1;1 ;

Table 4 Entities involved and messages used in fast handover

ð8Þ

Upon receiving BA, Foreign RA verifies MIC RAHA and on satisfactory verification, it creates an entry in its binding cache and records the association between RCoA and LCoA, then it forwards BA to MC. MC then verifies MIC HAMC and authenticates HA. MC then initiates Route Optimization with the CNs that it is currently communicating with, as detailed in the next subsection. This process completes the binding update mechanism with HA and foreign RA. Binding process also ensures mutual authentication of MC, Foreign RA and HA. It is to be noted that every RA computes its pair-wise shared key with its every neighboring RA similar to the pairwise shared key setup given in (1) and maintains the key list in a lookup table. RAs use MIC with their shared key for authentication and data integrity check instead of signatures to save delay and computational overhead. After binding update process, MC and RA generate pair-wise shared key among them. This process sets up secure channel between MC, Home RA and Foreign RA. 3.4.3. Fast handover in SUMNv6 HMIPv6-based architecture reduces the signaling overhead and delay associated with the BU in MIPv6. To support real time applications it is essential to reduce latency further. When a MC moves from previous LA (PLA) to new LA(NLA) within a regional domain, fast handover described in [5] allows to complete movement detection and IP address auto-configuration while MC is still associated with the PLA. This mechanism decreases handover latency further and reduces packet drop. But [5] has no mechanism to protect handover signals from attackers. SUMNv6 provides security during fast handover. The secure fast handover process described in this section is in line with that described in [5]. But uses IBC based security for protecting the control messages such as: RtSolPr, PrRtAdv, FBU, HI, HACK, FBACK, LBU, LBACK. The entities and messages used in fast handover are listed in Table 4 and the definitions of these messages are as given in [5]. Various steps involved in the secure and fast handover procedure are depicted in Fig. 2 and the procedure is discussed below.

(i) MC sends Router Solicitation Proxy (RtSolPr) to RA indicating that it wishes to perform a fast handover to a new attachment point. The RtSolPr includes the information about the link layer address or identifier of the concerned NLA, which is derived from NLA’s beacon message. MC appends its ID and MIC MCRA to RtSolPr as in (9).

MC ! RA : RtSolPr; IDMC ; MIC MCRA

ð9Þ

(ii) RA validates MIC MCRA and sends a Proxy Router Advertisement (PrRtAdv) message as response to MC as in (10). RA appends its ID and MIC RAMC to protect PrRtAdv message. PrRtAdv contains [AP-ID, LA-Info] tuple for the MC to use in NLA region. Note that, in SUMNv6, the RA knows the extended network prefix and link layer address of the associated NLAs.

RA ! MC : PrRtAdv; IDRA ; MIC RAMC

ð10Þ

(iii) MC validates MIC RAMC , generates NLCoA with the help of extended network prefix of NLA in PrRtAdv, and sends fast Binding update (FBU) message to RA. The FBU message contains NLCoA, PLCoA, IP address of the NLA. Additionally MC appends MC’s ID, hash(nonce,K MCRA ) called token1 and MIC MCRA to the FBU as in (11). Token1 is for authenticating MC by NLA.

MC ! RA : FBU; IDMC ; token1; MIC MCRA

ð11Þ

(iv) RA sends a HI message to the NLA to establish a bidirectional tunnel. RA sends its ID, token1 and MIC RANLA along with HI as in (12).

RA ! NLA : HI; IDRA ; token1; MIC RANLA

ð12Þ

In response to the HI message, the NLA sets up host route entry for the MC’s PLCoA and then responds with a handover response (HACK) message. NLA uses MIC NLARA to protect HACK message as in (13) and token1 to authenticate MC.

NLA ! RA : HACK; IDNLA ; MIC NLARA

ð13Þ

As a result, a bi-directional tunnel between RA and NLA is established. The NLA may cache those data packets flowing from the RA, until it receives Router solicitation (RS) message (possibly with FNA option) from the newly incoming MC. (v) RA sends FBACK messages toward the MC over PLCoA and NLCoA as in (14). Then, the RA will begin to forward the data packets destined to MC to the NLA by using the established tunnel.

RA ! MCðPLCoAÞ=MCðNLCoAÞ : FBACK; IDRA ; MIC RAMC

ð14Þ

(vi) MC sends FNA message along with hash(token1, K MCNLA ) called token2 as in (15) to NLA.

3714

R. Kandikattu, L. Jacob / Computer Communications 31 (2008) 3707–3718

MCðNLCoAÞ ! NLA : FNA; IDMC ; token2; MIC MCNLA

ð15Þ

Upon reception of (15), NLA computes hash(token1, K MCNLA ) and compares with token2 received in (15). If both are same then NLA authenticates MC and then delivers the buffered data packets to the MC over NLCoA, otherwise drops the FNA. (vii) MC then follows the normal HMIPv6 procedures by sending a Local Binding Update (LBU) to RA, as per HMIPv6. When the RA receives the new Local Binding Update with NLCoA from the MN, it stops the packet forwarding to NLA and then clear the tunnel established for fast handover. (viii) In response to LBU, RA sends Local Binding ACK (LBACK) to MC, and the remaining procedures are as in HMIPv6.

Fig. 3. Secure route optimization.

3.5. Secure route optimization SUMNv6 does not assume any security association between CN and MC. The security is such that SUMNv6 does not add any new security threats to the Internet and provides security at least that of IPv4 without mobility. SUMNv6 does not require global infrastructure but it provides security better than that provided by the existing methods such as RR test and CGA. The detailed procedure is given below. Once MC completes the binding update with home RA and Foreign RA successfully, all the three entities believe each other and can establish pair-wise shared keys with each other using (1). With the help of the pair-wise shared keys they can communicate using RR test messages such as HOTI, COTI, HOT, COT, BU and BA. The messages used are listed in Table 5 and the definitions are as given in [3]. The secure RR test message exchanges are depicted in Fig. 3. All the RO message exchanges between RA1, RA2 and MC are encrypted using the respective pair-wise shared keys. This avoids passive eavesdropping and consequent active attacks on RO process. MC sends encrypted N0 in HOTI message to home RA and encrypted N1 in COTI message to foreign RA with the respective shared keys. Therefore only the respective RA is aware of N0 or N1. Similarly RA1 sends HOT message to MC after encrypting it with the shared key and RA2 sends COT message to MC after encrypting with its shared key. Therefore only authorized MC which has shared keys with both RA1 and RA2 can get back the contents of the HOT and COT messages and can compute K bm . This process avoids most common internal attacks such as impersonation, fabrication, and replay attacks on SUMNv6. Hierarchical address structure avoids most of the attacks by external node on SUMNv6. Since SUMNv6 RO security is based on basic RR test, it inherits security against most common MIPv6 attacks such as connection hijacking attack, bombing attack, state storage exhaustion attack, CPU exhaustion attack, reflection and amplification attack.

Table 5 Abbreviations used in secure route optimization CN RR Test RO CGA HOTI COTI HOT COT N0 N1 K0 K1 K bm

Correspondent node Return Routability test Route Optimization Cryptographically generated addresses Home test init Care-of test init Home test Care-of test A Nonce called Home init cookie A Nonce called Care-of init cookie Home Keygen token Care-of Keygen token Binding management key

4. Security analysis 4.1. Urban mesh network security All the entities involved in the SUMNv6 have to obtain ID, IP address, and public-private key pair from the operator before entering the network. A node’s identity contains information about RA, operator, expiry time, and is cryptographically bonded with public-private key pair. Therefore, any entity can verify the authenticity of a node in question by checking expiry time and signature. MIPv6 or its extensions do not have this kind of security check, therefore give room for attacks. SUMNv6 LCoA address is hierarchical in nature and is location dependent. An MC’s LCoA is verified against its present location (or network link that is presently associated with) by the LA through which MC wants to send binding update to RA. Therefore, an MC cannot configure its LCoA with an impersonated address and cannot do any attacks. The secure registration process adopted in the protocol promotes mutual authentication of LA, MC and RA. All the registration messages contain: i) sequence number to avoid replay attacks; ii) signature to protect the message from modification attacks and to ensure that the message is originated by an authorized party. Registration process builds trust among LA, MC and RA and ensures that they are communicating with authorized party and not with any fraudulent node. This process also helps to setup pair-wise shared keys among themselves, for their future secure communications. SUMNv6 ensures secure communications among the home RA, foreign RA and MC with the help of either IBC or pair-wise shared keys. Extended RR test exploits this to eliminate weak link between MC and CN. 4.2. RO security RO security is the most challenging task to achieve because a random CN should believe that the binding between HoA and RCoA is correct. Since global infrastructure is either difficult to achieve or computationally expensive, SUMNv6 prefers infrastructure-less solution. In SUMNv6 the RO security is built upon RR test mentioned in MIPv6 RFC. Therefore a random CN cannot distinguish between SUMNv6 node and a MIPv6 node. But the important difference is that SUMNv6 uses foreign RA’s services also in addition to Home RA’s services during RR test. MIPv6 communicates RR test messages in plain text thus gives attackers a chance to eavesdrop on to the radio link between RA-MC and to carryout impersonation, fabrication and replay attacks. In SUMNv6, RR test messages are sent after encryption with the shared key of the respective MC-RA pair. Thus eliminates the weak link between MC and RA.

3715

R. Kandikattu, L. Jacob / Computer Communications 31 (2008) 3707–3718

Using the above transition probabilities, the steady state probability of state r, pr , can be expressed as:

5. Estimation of cost and analysis In this section we estimate the cost of location update with RA and with HA based on the transmission costs on different radio links and processing costs at different nodes that various control packets experience during each location update. Then using an analytic model, we find out: (i) probability that a MC performs regional registration; (ii) probability that it performs home registration. Based on the estimated costs and probabilities we compare the performance of SUMNv6 with HMIPv6. In this analysis we assume that HMIPv6 control packets are protected using IPSec with RSA cryptosystem. This analysis does not consider fast binding update in order to simplify the analysis. Also assumes no security for RR test messages and data packets in SUMNv6 in order to evaluate the systems on similar security grounds.

Let C xUr , C xUh and C xRO represent costs for regional location update (local binding update), home location update (global binding update) and Route Optimization, respectively. Here, the superscript x represents either HMIPv6 or SUMNv6. The average location update cost per unit time can be expressed as [28]:

5.1. Analytical model

C xLU ¼

In this subsection we describe an analytical model based on a 2D cellular configuration [26] for the WMN and random walk model for mobility. We make the following assumptions: (i) each subnet that is managed by an LA is in the form of hexagonal cell; (ii) each regional domain that is managed by a RA contains hexagonal cells, with the structure as shown in the Fig. 4. The inner most cell is labeled with ‘0’ and the cell labeled with ‘1’ forms the first ring around cell ‘0’ and so on; and, (iii) All the regional domains are of same size. Let q be the probability that a MC stays in the current cell, then using random walk mobility model [26], the probability that movement of the MC will result in increasing distance r (pþ ðrÞ) or decreasing distance (p ðrÞ) from cell ‘0’ are given by:

where T represents the average cell residence time that MC stays in a cell.

pþ ðrÞ ¼

1 1 þ 3 6r

and p ðrÞ ¼

1 1  3 6r

ð16Þ

The movement of the MC with respect to cell ‘0’ can be represented as a Markovian chain. Let ar;rþ1 represents the transition probability that the movement will result in increasing distance from cell ‘0’ and br;r1 represents the transition probability that the movement will result in decreasing distance from cell ‘0’. Assuming a regional domain of R rings, the transition probabilities are given by:

(

ar;rþ1 ¼

ð1  qÞ

if r ¼ 0

ð1  qÞð13 þ 6r1 Þ

if 1 6 r 6 R

br;r1 ¼ ð1  qÞð13  6r1 Þ if 1 6 r 6 R

5

5 5

5 5 4 5

4

5 5

4

3 3 3

4 5 5

4

3 2 2

3

4 5

3

3

2 3

4

4

4

4 3

2 1 1 2 3

5

5

2

4 5

4

1

5 3

2

2

1 0 1 1 2 2 3

4 4 5 5

3

5

4 4

4 3 3

2

3 4

2 4

4 4 5

5

5

4 5 5

5

5 5

5

3 3

5

4 4

5

5 4 5

4

5 5

4

3 3 3

4 5 5

3 2 2

3

4 5

3 3

2 3

4

4

4

4

5

2 1 1 2 3

5

4 3

1

3 2

2

1 0 1 1 2 2 3

4 4 5 5

Fig. 4. Cellular representation of SUMNv6.

3

5 4 4 3 3

2

3 4

2 3 3

4

4 4 5

5

5

¼ 1, and

ð19Þ

p0 can be expressed as

1 PR Qr1 ai;iþ1 r¼1

ð20Þ

i¼0 biþ1;i

pR :aR;Rþ1 :ðC xUh þ C xRO Þ þ ð1  pR aR;Rþ1 ÞC xUr T

ð21Þ

5.2. Location update cost In this subsection we compute the cost overhead for SUMNv6 and HMIPv6 systems. Table 6 depicts the notations and symbols used in this cost analysis, and similar to those in [23]. 5.2.1. HMIPv6 location update cost The message flow illustrated in Fig. 2 is considered for estimating the transmission and processing cost for each location update. This analysis follows the notations given in [23]. HMIPv6 control packet includes the basic IPv6 header(40 bytes), some of the optional IPv6 extension headers and IPSec security payload. The length of BU, BA, HOTI, COTI, COT without security payload are, respectively 72, 64, 56, 64, 56, and 64 Bytes [25]. Therefore for the sake of simplicity the average control packet size of HMIPv6 without security payload is taken as 128 bytes. The proportionality constant for transmission cost for the control packet of 128 bytes over WMN backbone wireless link (e.g., 802.16 radio

Representation r l m h n p c

Symbol

Meaning

5

dxy ax dU dD nxy vx ka kb

5

I

Average distance (in hops) between entity x and entity y Processing cost of control packet at entity x Proportionality constant for control packet delivery Transmission cost for data packet delivery Average number of entity y in entity x’s coverage area Data packet processing cost at entity x Data packet arrival rate at foreign RA Arrival rate of first packet in a session at HA Data Packet processing cost at HA Cost for IBC signature verification Cost for IBC signature generation Cost for RSA signature verification Cost for RSA signature generation Proportionality constant for MC-LA wireless link Cost for MIC computation Cost for IBC pairing computation Cost for shared key encryption/decryption

5 5 5 5

4 5

1þ

r¼0

RA LA MC HA NLA PLA CN

4 4

p0 ¼

PR

Entity

5 4

with the requirement

ð18Þ

5

2

4 5

4

for 1 6 r 6 R

Table 6 Notations used in cost analysis

5

5

r1 Y ai;iþ1 biþ1;i i¼0

ð17Þ

5

5

5

5

pr ¼ p0

g wI

S wS

q c s u

3716

R. Kandikattu, L. Jacob / Computer Communications 31 (2008) 3707–3718

link) is denoted by dU . IPSec with RSA cryptosystem requires about 745 bytes additional overhead to carry certificate and signature [27]. Then the average control packet with security payload becomes 873 bytes. This makes the proportionality constant for transmission cost to carry the HMIPv6 control packet with security payload seven times that of HMIPv6 control packet without security. Therefore the proportionality constant for transmission cost of control packet in HMIPv6 with security is set to 7dU . IPSec security with RSA uses digital signatures to protect the packets. It requires five signature verification and four signature generation operations during regional registration. It requires ten signature verifications and seven signature generation operations during home registration. Thus costs for location update with HA (termed as home registration cost) and location update with RA (termed as regional registration cost) for each location update in HMIPv6 are given as follows:

C HMIPv6 ¼ 2al þ 2ar þ ah þ 2ðq þ drl þ dhr Þð7dU Þþ Uh

ð22Þ

10S þ 7wS C HMIPv6 ¼ 2al þ ar þ 2ðq þ drl Þð7dU Þ þ 5S þ 4wS Ur

ð23Þ

5.2.2. SUMNv6 location update cost IBC uses about 64 bytes additional overhead to carry sequence number, identity, and signature/MIC making the average control packet size in SUMNv6 (128 + 64) as 192 bytes, which is 1.5 times that of HMIPv6 control packet without security. Therefore the proportionality constant for transmission cost in SUMNv6 is set to 1.5dU . Also, SUMNv6 has security process overhead in addition to the normal process at each node. Due to the different cryptographic operations, the processing cost at each node during registration request and reply phases are not the same. SUMNv6 requires two signature verifications, one signature generation, two pairing computations to compute shared keys and six MIC operations during regional registration. We assume that the shared key between MC and HA is precomputed. SUMNv6 requires three signature verifications, one signature generation and twelve MIC operations during home registration. Thus for SUMNv6 the home registration cost and the regional registration cost for each location update are given below:

C SUMNv6 Uh

¼ 2al þ 2ar þ ah þ 2ðq þ drl þ dhr Þð1:5dU Þ

ð24Þ

þ3 þ w þ 2s þ 12c

The packet delivery cost comprises three cost components: (i) the packet processing cost at foreign RA; (ii) the packet processing cost at HA; and, (iii) the packet transmission cost from CN to MC. The total packet processing cost in HMIPv6 can be expressed as:

C HMIPv6 ¼ vp þ vh þ ðdcp þ dpl ÞdD PD

ð27Þ

The packet processing cost at RA, i.e., vp has the following components: (i) cost for lookup into table for mapping of RCoA into LCoA; and (ii) cost for lookup in the routing table for routing the packet to the concerned LA. Route Optimization process allows CN to send the packets directly to MC without passing through HA. But the first packet from CN should tunnel through HA. Then the packet processing cost at RA includes de-capsulation and en-capsulation costs of the tunneled packet from HA. These costs are neglected for the sake of simplicity of analysis. The cost for lookup into (RCoA, LCoA) mapping table is proportional to the size of mapping table. The size of mapping table is proportional to the number of MCs in the regional domain. The cost for lookup into routing table is proportional to the logarithm of the length of the routing table [23] which is equal to the number of LAs in the regional domain. Let ka be the packet arrival rate at RA, the packet processing cost at RA can be expressed as:

vp ¼ ka ðanpm þ blogðnpl ÞÞ

ð28Þ

where a and b are the proportionality constants for binding table lookup and routing table lookup, respectively. The packet processing at HA is proportional to the arrival rate of first packet in the session and is given as follows:

vh ¼ kb g

ð29Þ

where kb is the session arrival rate and g is the unit packet processing cost at HA. Assuming that the average session size is r packets, kb is kra . Substituting (28) and (29) in (27), the total packet processing cost per unit time is given by

C HMIPv6 ¼ ka ðanpm þ blogðnpl ÞÞ þ kb g þ ðdcp þ dpl ÞdD PD

ð30Þ

Since this analysis assumes that SUMNv6 data packets are not encrypted, the above packet processing cost calculations hold for SUMNv6 also. Therefore the total signaling cost for HMIPv6/ SUMNv6 is given by:

C xT ¼ C xLU þ C xPD

ð31Þ

Here, the superscript x represents either HMIPv6 or SUMNv6. 5.4. Numerical results and discussion

C SUMNv6 ¼ 2al þ ar þ 2ðq þ drl Þð1:5dU Þ þ 2 þ w þ 2s þ 6c Ur

ð25Þ

5.3. Packet delivery cost Let nlm be average number of MC’s in a LA’s coverage area, npm be the average number of MC’s in a RA’s coverage area, and npl be the number of LAs in a RA’s coverage area. Then they are related by

npm ¼ npl nlm

ð26Þ

The computation times on a node with 1 GHz, Pentium-III processor are considered for numerical values. We use the following values from [20]: RSA signature generation and verification times of 7.9 ms and 0.4 ms, respectively; and, pairing computation for shared key generation of 20 ms. AES encryption/decryption time for 128 Byte data is about 8.4 ls and SHA-1 takes 5.73 ls [21]. A 100-Kbps average data rate is assumed over the wireless link between MC and LA, and 1-Mbps average data rate over wireless link between LA and RA and between RAs. With 128 byte control packet (without security), the average transmission delay over MC-LA wire-

Table 7 Cost parameters Parameter

al

ap

ah

ac

am

q

dpl

dhp

dhc

dpc

dU

dD

Value

10

5

5

5

5

10

5

32

32

32

1

8

Parameter

S

wS

I

wI

s

a

b

npm

g

q

kb

c

Value

0.4

7.9

2.22

45.8

20

0.3

0.7

15

10

0.5

ka

0.00573

r

3717

R. Kandikattu, L. Jacob / Computer Communications 31 (2008) 3707–3718 Table 8 Numerical results

3500 C HMIPv6 Uh

C SUMNv6 Uh

C HMIPv6 RO

C HMIPv6 Ur

C SUMNv6 Ur

C SUMNv6 RO

Value

752.3

268.53

476

268.6

160.27

476

6500 HMIPv6 SUMNv6 6000

Total signaling cost

HMIPv6 SUMNv6

3000

Total signling cost

Cost parameter

5500

5000

2500

2000

1500

1000

4500

500 –1 10

0

1

10

10

Packet arrival rate

4000

Fig. 6. Effect of packet arrival rate.

3500

3000 –1 10

0

10

12000

1

10

HMIPv6 SUMNv6

Average cell residence time 10000

less link is 10.24 ms, and over LA-RA and RA-RA wireless link it is 1 ms. Therefore dU becomes 1 ms. Assuming the average data packet size of 1KByte, the transmission cost for data packet delivery dD is 8 ms. The parameter values are given in Table 7, and the corresponding numerical results are tabulated in Table 8. From the numerical results presented in Table 8, the home registration cost and regional registration costs for SUMNv6 are respectively 35% and 60% of that of HMIPv6. From this we infer that IBC based cryptosystem reduces the cost overhead drastically than the conventional IPSec with RSA cryptosystem. Next, we compare the performance of SUMNv6 with HMIPv6 on the basis of total signaling cost at varying: (i) average data packet arrival rate; (ii) average cell residence time,T; and, (i) Packet-toMobility Ratio (PMR); PMR is defined as the ratio of packet arrival rate to mobility rate, i.e., PMR is ka T. In all these cases regional network size (R) of 4 is considered. 5.4.1. The impact of average cell residence time In this analysis the packet arrival rate (ka ) of 10 packets/s is considered. Fig. 5 shows the effect of cell residence time (T) on total signaling cost for HMIPv6 and SUMNv6 systems. From the figure we observe that, SUMNv6 has the lower total signaling cost than HMIPv6 at lower values of cell residence time and both are converging to some minimal value as the cell residence time increases. This is because of the fact that, as the cell residence time increases the location update cost per unit time decreases. As a result the packet delivery cost dominates location update cost. 5.4.2. The impact of average packet arrival rate The cell residence time (T) of 1 U of time, and packet arrival rate ka =[0.1 10] packets/s are considered for analysis. Fig. 6 shows the impact of packet arrival rate on HMIPv6 and SUMNv6. Again, SUMNv6 shows a clear advantage in cost overhead than HMIPv6 for all values of packet arrival rate. Since cell residence time is fixed, at lower packet arrival rates the location update cost dominates the total cost. At higher packet arrival rates, the curves converged each other because of the fact that, the total cost is influenced by packet arrival rate alone. But the total

Total signaling cost

Fig. 5. Effect of cell residence time (T).

8000

6000

4000

2000

0 –1 10

0

10

1

10

2

10

3

10

Packet–to–mobility ratio, PMR Fig. 7. Effect of packet-to-mobility ratio (PMR) on total signaling cost.

cost in all cases are increasing monotonically with increase in packet arrival rate. 5.4.3. The impact of packet-to-mobility ratio Fig. 7 shows the total signaling cost as a function of PMR for SUMNv6 and HMIPv6. Packet arrival rate, ka = [1-40] packets/s, cell residence time, T = [0.1–20] are considered for the analysis. From the figure we can observe that, at lower values of PMR there is a large deviation in the total signaling costs and the curves are coinsiding each other as the PMR increases. This is because of the fact that at lower PMR values either cell residence time is low or packet arrival rate is low, then the location update cost per unit time dominates packet delivery cost and when PMR is high (either user residence time in a cell (T) is large or packet arrival rate is high) then packet delivery cost dominates location update cost for all the systems. At certain range of (medium) PMR values the performance of the system is observed as optimum with lowest total signaling cost. 6. Conclusion Secure WMN with fast handover mechanisms is required for future WMN. In this paper we proposed SUMNv6 that addresses both

3718

R. Kandikattu, L. Jacob / Computer Communications 31 (2008) 3707–3718

security and fast handover, and also secure RO process for WMN. MIPv6 and its extensions have no integrated framework for key distribution mechanism, and have weak MC-RA link. SUMNv6 gives a comprehensive solution addressing key distribution, fast handover, and mutual authentication of MC, RA (home) and RA (foreign). It adopts secure RR test to eliminate weak link between MC and RA (foreign). From the numerical results, it is clear that SUMNv6 incurs only 35% and 60% cost overhead of that of HMIPv6 per each home registration and regional registration process respectively. The performance graphs show that SUMNv6 outperforms HMIPv6 at lower values of PMR, packet arrival rate, cell resident times, but at heigher values these curves are converging each other, because of the domination of packet processing cost over location update cost at heigher vaues. SUMNv6 is discussed for single operator WMN. It can be extended to multiple operators as well. References [1] I.F. Akyildiz, X. Wang, W. Wang, Wireless Mesh Networks: a survey, Computer Networks 47 (4) (2005) 445–487. [2] C. Perkins, IP Mobility Support for IPv4, IETF, RFC 3220. [3] D. Johnson, C. Perkins, J. Arkko, Mobility Support in IPv6, IETF, RFC 3775. [4] H. Soliman, C. Castelluccia, K. Malki, L. Bellier, Hierarchical Mobile IPv6 mobility management (HMIPv6), IETF, RFC 4140. [5] R. Koodli(Ed), Fast Handovers for Mobile IPv6, IETF, RFC 4068. [6] H.Y. Jung, S.J. Koh, Fast Handover Support in Hierarchical Mobile IPv6, in: proceedings of the 6th International conference on Advanced Communication Technology 2 (2004) 551-554. [7] G.Z. Wei, A. Wei, K. Xu, H. Deng, Handover Control Function Based Handover for Mobile IPv6, Proceedings of ICCS, vol. 3994, LNCS, 2006, pp. 17–24. [8] N. Doraswamy, D. Harkins, IPSec: The New Security Standard for the Internet, Intranets, and Virtual Private Networks, Prentice Hall PTR, 2003.

[9] R. Dutta, R. Barua, P. Sarkar, Pairing-Based Cryptographic Protocols: A Survey, Cryptology ePrint Archive, 2004. [10] A. Shamir, Identity-based cryptosystems and signature schemes, in: Proceedings of CRYPTO 84 on Advances in Cryptography, (1985) (47-53). [11] D. Boneh, B. Lynn, H. Shacham, Short Signatures from the Weil Pairing, Journal of Cryptology 17 (4) (2004) 297–319. [12] D. Boneh, M.K. Franklin, Identity-based encryption from the Weil pairing, SIAM Journal on Computing 32 (3) (2003) 586–615. [13] K. Ren, W. Lou, K. Zeng, F. Bao, J. Zhou, R. Deng, Routing Optimization Security in Mobile IPv6, Computer Networks 50 (13) (2006) 2401–2419. [14] T. Aura, Cryptographically generated addresses (CGA), IETF, RFC 3972. [15] T. Aura, Mobile IPv6 security, in: Proceedings of the Security Protocols, LNCS, 2467 (2002). [16] T. Aura, M. Roe, Designing the IPv6 Security Protocol, Annals of Telecommunications 61 (3-4) (2006). [17] K. Elgoarany, M. Eltoweissy, Security in Mobile Ipv6:A Survey, Information Security Tech. Report, 12(1) (2007) 32-43. [20] S.L. Paulo, M. Barreto, et al., Efficient Implementation of Pairing-Based Cryptosystems, Journal of Cryptoplogy (2004) 321–334. [21] Botan-a BSD licensed crypto library-benchmarks, available at . [22] W. Haddad, S. Krishnan, H. Soliman, Using Cryptographically Generated Addresses (CGA) to secure HMIPv6 Protocol (HMIPv6sec), Internet draft, available at , August 2006. [23] J. Xie and I.F. Akyildiz, A distributed dynamic regional location management scheme for Mobile IP, in: Proceedings of IEEE INFOCOM (2002). [25] J. Arkko, and C. Vogt, ‘‘Credit-Based Authorization for Binding Lifetime Extension, Internet draft , May 2004. [26] I.F. Akyildiz, W. Wang, A dynamic location management scheme for next generation multitier PCS systems, IEEE Transactions on Wireless Communications 1 (1) (2002) 178–189. [27] R. Housley, W. Polk, W. Ford, and D. Solo, ‘‘ Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, RFC 3280, 2002. [28] S. Pack, and Y. Choi, ‘‘Performance Analysis of Hierarchical Mobile IPv6 in IPbased cellular Networks, in Proceedings of PIMRC 2003, 2003.