Network-layer Security of Mobile Ad hoc Networks
Jiangyi Hu
Advisor: Dr. Mike Burmester
February, 2004

Table of contents

1. Introduction (p. 2)
  1.1 What is ad hoc network (p. 2)
  1.2 Classification of mobile ad hoc network (p. 2)
  1.3 Applications (p. 3)
  1.4 Security goals and threats (p. 3)
2. Secure Routing (p. 4)
  2.1 Existing routing protocols (p. 4)
    2.1.1 AODV (p. 5)
    2.1.2 DSR (p. 6)
  2.2 Security threats for routing protocols (p. 8)
    2.2.1 Modification (p. 9)
    2.2.2 Fabrication (p. 10)
    2.2.3 Tunneling attack (p. 10)
    2.2.4 Denial of service attack (p. 11)
    2.2.5 Invisible node attack (p. 11)
    2.2.6 Sybil attack (p. 12)
    2.2.7 Rushing attack (p. 12)
    2.2.8 Non-cooperation (p. 13)
    2.2.9 Summary (p. 13)
  2.3 Secure routing protocols (p. 14)
    2.3.1 SRP (p. 14)
    2.3.2 ARAN (p. 15)
    2.3.3 Ariadne (p. 17)
    2.3.4 SEAD (p. 20)
    2.3.5 Deal with tunneling attacks (p. 21)
    2.3.6 Summary (p. 22)
3. Cooperation Enforcement (p. 23)
  3.1 Introduction (p. 23)
  3.2 Solution (p. 23)
    3.2.1 Nuglets (p. 23)
    3.2.2 Sprite (p. 25)
    3.2.3 Watchdog and Path Rater (p. 26)
    3.2.4 CONFIDANT (p. 28)
    3.2.5 CORE (p. 30)
    3.2.6 Token-based (p. 31)
4. Conclusion (p. 33)
5. References (p. 34)

1. Introduction

1.1 What is ad hoc network

A mobile ad hoc network is a collection of wireless mobile nodes that are dynamically and arbitrarily located in such a manner that the interconnections between nodes are capable of changing on a continual basis [1]. There are some unique characteristics of mobile ad hoc networks [11, 12, 13, 37]:

First, the connections between network nodes are wireless, and the communication medium is broadcast. The wireless connection gives the nodes freedom to move, so mobile nodes may come together as needed and form a network, not necessarily with any assistance from cable connections.

Second, unlike traditional wireless networks, mobile ad hoc networks do not have any fixed infrastructure. The network is only a collection of self-organized mobile nodes, connected through links of highly variable quality. Thus, the network topology is always changing and the execution context is extremely dynamic. In Latin, ad hoc literally means "for this purpose only," and usually means temporary. The interconnections between mobile ad hoc network nodes are not permanent; they are capable of changing on a continual basis to adapt to this dynamic and arbitrary pattern.

Third, the membership is always changing. The mobile nodes are free to move anywhere and leave at any time, and new nodes can enter unexpectedly. There is no mechanism to administer or manage the membership.

Fourth, the execution environment is insecure and unfriendly. Due to the lack of fixed infrastructure and administration, there are increased chances for malicious nodes to mount attacks. Also, nodes may behave selfishly, resulting in degraded performance or even disabled functionality.
Finally, the nodes in a mobile ad hoc network are usually portable mobile devices with constrained resources, such as power, computation ability and storage capacity.

1.2 Classification of mobile ad hoc network

Current research classifies mobile ad hoc networks into two categories [19]. The first is called a managed environment, where a common, trusted authority exists to provide certain services, such as a certificate authority [34, 36]. The other is called an open environment, where no common authority regulates the network [35, 36]. It is also referred to as a fully self-organized environment, meaning that the network has the ability to work without any external management and configuration. Extensive work has been done recently in both areas.

1.3 Applications

Because mobile ad hoc networks do not have any fixed infrastructure such as base stations or routers, they are easy and fast to deploy and have decreased dependence on infrastructure. Mobile ad hoc networks are highly applicable to environments in which no fixed infrastructure is available, either because it may not be economically practical to provide the necessary infrastructure or because the expediency of the situation does not permit its installation, such as emergency deployments, disasters, search and rescue missions and military operations. Future commercial uses may include, but are not restricted to, conferencing, home networking, personal area networks and embedded computing applications [43].

1.4 Security goals and threats

In mobile ad hoc networks, all networking functions, such as routing and packet forwarding, are performed by the nodes themselves in a self-organizing manner. For this reason, such networks have increased vulnerability, and securing a mobile ad hoc network is very challenging.
The following attributes are important issues related to mobile ad hoc networks, especially for security-sensitive applications [12]:

- Availability ensures the survivability of network services despite denial of service attacks.
- Confidentiality ensures that certain information is never disclosed to unauthorized entities.
- Integrity guarantees that a message being transferred is never corrupted.
- Authentication enables a node to ensure the identity of the peer node it is communicating with.
- Non-repudiation ensures that the originator of a message cannot deny having sent the message.

Because of the nature of ad hoc networks, it is extremely difficult to achieve the above security goals in them. Threats that mobile ad hoc networks have to face can be classified into two levels: attacks on the basic mechanism and attacks on the security mechanism [13]. The vulnerabilities of the basic mechanism include:

- Nodes risk being captured and compromised.
- Algorithms are assumed to be cooperative, but some nodes may not respect the rules.
- Routing mechanisms are more vulnerable.

The vulnerabilities of the security mechanism include:

- Public keys can be maliciously replaced.
- Some keys can be compromised.
- The trusted server can fall under the control of a malicious party.

Though the physical layer and link layer are also vulnerable to malicious attacks, those attacks can be limited by lower-layer mechanisms such as spread-spectrum technology or the WEP protocol [31]. In this survey, we will focus on security issues of the network layer in mobile ad hoc networks, especially on secure routing and node cooperation.

This survey is organized as follows: Section 2 first discusses existing routing protocols for mobile ad hoc networks and illustrates the threats to such routing protocols; then it presents recent research on secure routing protocols.
Section 3 discusses the problem of node selfishness in mobile ad hoc networks and gives some mechanisms to combat selfishness and enforce node cooperation.

2. Secure Routing

2.1 Existing routing protocols

Currently, there are two kinds of routing protocols for mobile ad hoc networks. The first is called table-driven routing, also known as proactive routing. It uses a routing table on each node to maintain a path from the source to any destination, and route updates are broadcast when changes happen. Examples of table-driven routing protocols include Destination-Sequenced Distance-Vector Routing (DSDV) [2], Clusterhead Gateway Switch Routing (CGSR) [3] and the Wireless Routing Protocol (WRP) [4]. The second type is called on-demand routing, which is designed so that routing information is acquired only when needed; it is also known as source-initiated or reactive routing. Examples of on-demand routing protocols include Ad hoc On-demand Distance Vector Routing (AODV) [5], Dynamic Source Routing (DSR) [6], the Temporally Ordered Routing Algorithm (TORA) [7], Associativity-Based Routing (ABR) [8] and Signal Stability Routing (SSR) [9].

On-demand routing protocols offer a number of potential advantages over table-driven routing protocols in mobile ad hoc networks [12]. First, on-demand routing protocols use no periodic routing advertisement messages, thereby reducing network bandwidth overhead, particularly during periods when little or no significant node movement is taking place. Table-driven routing protocols, on the other hand, must continue to send advertisements even when nothing changes, so that other mobile nodes will continue to consider those network links as valid. In addition, many of the links seen by the routing algorithm may be redundant. Wired networks are usually explicitly configured to have only one (or a small number) of routers connecting any two networks, but there are no explicit links in a mobile ad hoc network.
The redundant paths in a wireless environment unnecessarily increase the size of the routing updates that must be sent over the network, and increase the CPU overhead required to process each update and to compute new routes [6].

Also, table-driven routing protocols are not designed for the type of dynamic topology changes that may be present in mobile ad hoc networks. In conventional networks, links between routers occasionally go down or come up, and sometimes the cost of a link may change due to congestion, but routers do not generally move around dynamically. In an environment with mobile nodes as routers, though, convergence to new, stable routes after such dynamic changes in network topology may be slow, particularly with distance vector algorithms. Table-driven routing protocols are less suitable for mobile ad hoc networks because they constantly consume power throughout the network, regardless of the presence of network activity, and are not designed to track topology changes occurring at a high rate [18].

Below, we will discuss in detail two on-demand routing protocols that are under consideration by the IETF for standardization: AODV (Ad hoc On-demand Distance Vector routing protocol) and DSR (Dynamic Source Routing).

2.1.1 AODV

Charles E. Perkins et al. proposed the Ad hoc On-demand Distance Vector routing protocol (AODV) [5]. AODV builds routes using a route request/route reply query cycle. When a source node desires a route to a destination for which it does not already have a route, it broadcasts a route request (RREQ) packet across the network. The format of a RREQ is as follows:

<source_addr, source_sequence_#, broadcast_id, dest_addr, dest_sequence_#, hop_cnt>

- source_addr and broadcast_id together identify a unique RREQ. broadcast_id increases for every RREQ issued by the initiator.
- source_sequence_# is used to maintain freshness information about the reverse route to the source.
- dest_sequence_# specifies how fresh a route to the destination must be before it can be accepted by the source.
- hop_cnt increases every time an intermediate node rebroadcasts the RREQ.

As the RREQ travels from the source, a reverse path is set up automatically, since each node records the address of the neighbor from which it received the first copy of the RREQ. An intermediate node can reply with an RREP when it has a route with a dest_sequence_# greater than or equal to that contained in the RREQ. Otherwise, it rebroadcasts the RREQ after increasing the hop_cnt. Nodes keep track of each RREQ's source_addr and broadcast_id. If they receive a RREQ that they have already processed, they discard it and do not forward it. The format of an RREP is as follows:

<source_addr, dest_addr, dest_sequence_#, hop_cnt, lifetime>

As the RREP travels from the destination to the source, a forward path is set up, since each node along the path sets up a forward pointer to the node from which the RREP came. An intermediate node can reply with an RREP only when it has a route with a dest_sequence_# greater than or equal to that contained in the RREP; otherwise, it unicasts the RREP to the neighbor from which it received the RREQ. Each node maintains a route table entry for each destination. Each route table entry contains:

<dest_addr, next hop, hop_cnt, dest_sequence_#, active neighbors, expiration time>

AODV implements path maintenance to recover broken paths when nodes move. If the source node moves and the route is still needed, route discovery is re-initiated with a new route request message. If the destination node or an intermediate node along an active route moves, the node upstream of the link break deletes the routing table entry for this destination and broadcasts a route error message, which is a special RREP, to all active upstream neighbors. This special RREP has a fresh dest_sequence_# and its hop_cnt is set to infinite.
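The RREQ/RREP cycle, reverse and forward path setup, duplicate suppression and the route error RREP described above, simulated in Python as an added example (it is not code from the survey or from any AODV implementation). The packet and route-table field names follow the formats quoted above; the five-node topology, the FIFO flooding order and the INFINITE_HOPS sentinel are constructed assumptions made here:

```python
"""AODV route discovery and route error handling, simulated in one process.

Added example, not the survey's code nor an AODV implementation. Field names
follow the RREQ, RREP and route-table formats of Section 2.1.1; the topology,
the FIFO flooding order and the "infinite" hop count sentinel are constructed.
"""
from collections import deque, namedtuple

INFINITE_HOPS = 2**31 - 1  # constructed sentinel: a route error is an RREP with "infinite" hop_cnt

RREQ = namedtuple("RREQ", "source_addr source_sequence broadcast_id dest_addr dest_sequence hop_cnt",
                  defaults=[0])
RREP = namedtuple("RREP", "source_addr dest_addr dest_sequence hop_cnt lifetime",
                  defaults=[3000])  # lifetime value is constructed; the survey only names the field
RouteEntry = namedtuple("RouteEntry", "dest_addr next_hop hop_cnt dest_sequence")


class Node:
    def __init__(self, addr):
        self.addr = addr
        self.seq = 0           # this node's own sequence number
        self.broadcast_id = 0
        self.routes = {}       # dest_addr -> RouteEntry
        self.seen = set()      # (source_addr, broadcast_id) pairs already processed

    def _update(self, dest, next_hop, hops, seq):
        """Install a route that is fresher (higher sequence number) or equally fresh and shorter."""
        cur = self.routes.get(dest)
        if cur is None or seq > cur.dest_sequence or (seq == cur.dest_sequence and hops < cur.hop_cnt):
            self.routes[dest] = RouteEntry(dest, next_hop, hops, seq)

    def new_rreq(self, dest):
        self.seq += 1
        self.broadcast_id += 1
        self.seen.add((self.addr, self.broadcast_id))  # never re-process our own request
        known = self.routes.get(dest)
        return RREQ(self.addr, self.seq, self.broadcast_id, dest, known.dest_sequence if known else 0)

    def handle_rreq(self, rreq, prev_hop):
        """Returns ("drop" | "reply" | "forward", packet) for an RREQ received from prev_hop."""
        key = (rreq.source_addr, rreq.broadcast_id)
        if key in self.seen:
            return "drop", None  # duplicate RREQ: discard, do not forward
        self.seen.add(key)
        # reverse path: the neighbour that delivered the first copy leads back to the source
        self._update(rreq.source_addr, prev_hop, rreq.hop_cnt + 1, rreq.source_sequence)
        if self.addr == rreq.dest_addr:
            self.seq = max(self.seq, rreq.dest_sequence)
            return "reply", RREP(rreq.source_addr, self.addr, self.seq, 0)
        known = self.routes.get(rreq.dest_addr)
        if known and known.dest_sequence >= rreq.dest_sequence:  # cached route is fresh enough
            return "reply", RREP(rreq.source_addr, rreq.dest_addr, known.dest_sequence, known.hop_cnt)
        return "forward", rreq._replace(hop_cnt=rreq.hop_cnt + 1)

    def handle_rrep(self, rrep, prev_hop):
        """Returns (next_hop, packet) to unicast onwards, or (None, None) when done."""
        if rrep.hop_cnt == INFINITE_HOPS:  # route error: invalidate the route that went via prev_hop
            cur = self.routes.get(rrep.dest_addr)
            if cur and cur.next_hop == prev_hop:
                del self.routes[rrep.dest_addr]
            return None, None
        self._update(rrep.dest_addr, prev_hop, rrep.hop_cnt + 1, rrep.dest_sequence)  # forward pointer
        if self.addr == rrep.source_addr:
            return None, None
        return self.routes[rrep.source_addr].next_hop, rrep._replace(hop_cnt=rrep.hop_cnt + 1)

    def link_break(self, dead_neighbor):
        """Node upstream of a break: delete affected entries and emit route errors (special RREPs)."""
        errors = []
        for dest, entry in list(self.routes.items()):
            if entry.next_hop == dead_neighbor:
                del self.routes[dest]
                errors.append(RREP(self.addr, dest, entry.dest_sequence + 1, INFINITE_HOPS))
        return errors


def route_discovery(nodes, links, src, dst):
    """Flood the RREQ in FIFO order (first copy wins), unicast each RREP back along the
    reverse path, and return the hop-by-hop path the source's route table now yields."""
    rreq = nodes[src].new_rreq(dst)
    queue = deque((nb, src, rreq) for nb in links[src])
    replies = []
    while queue:
        at, prev, pkt = queue.popleft()
        action, out = nodes[at].handle_rreq(pkt, prev)
        if action == "reply":
            replies.append((at, out))
        elif action == "forward":
            queue.extend((nb, at, out) for nb in links[at] if nb != prev)
    for origin, rrep in replies:
        prev, cur, pkt = origin, nodes[origin].routes[rrep.source_addr].next_hop, rrep
        while cur is not None:
            nxt, pkt = nodes[cur].handle_rrep(pkt, prev)
            prev, cur = cur, nxt
    path, cur = [src], src
    while cur != dst:
        cur = nodes[cur].routes[dst].next_hop
        path.append(cur)
    return path


if __name__ == "__main__":
    # constructed topology: S-A-D is two hops, S-B-C-D is three
    net = {a: Node(a) for a in "SABCD"}
    adj = {"S": ["A", "B"], "A": ["S", "D"], "B": ["S", "C"], "C": ["B", "D"], "D": ["A", "C"]}
    print(route_discovery(net, adj, "S", "D"))
```

On the constructed topology the discovered path is S, A, D; the longer copy of the RREQ that reaches D via C is dropped as a duplicate. Note that nothing in the exchange lets a node check that the hop_cnt or dest_sequence_# it receives is truthful, which is the gap the modification and rushing attacks of Section 2.2 exploit.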
2.1.2 DSR

D. B. Johnson and D. A. Maltz proposed a protocol for routing in mobile ad hoc networks that uses dynamic source routing (DSR) [6]. The protocol adapts quickly to changes such as node movement, yet requires no routing protocol overhead during periods in which such changes do not occur. To send a packet to another node using DSR, the sender constructs a source route in the packet's header, giving the address of each node in the network through which the packet should be forwarded in order to reach the destination node. The sender then transmits the packet over its wireless network interface to the first hop identified in the source route. When a node receives a packet, if this node is not the final destination of the packet, it transmits the packet to the next hop identified in the source route. Once the packet reaches its final destination, the packet is delivered to the network layer software on that node.

Each mobile node participating in the mobile ad hoc network maintains a route cache in which it caches the source routes it has learned. When one node sends a packet to another node, the sender first checks its route cache for a source route to the destination. If a route is found, the sender uses this route to transmit the packet. If no route is found, the sender may attempt to discover one using the route discovery protocol. Each entry in the route cache has an expiration period associated with it, after which the entry is deleted from the cache.

DSR divides routing into route discovery and route maintenance. Route discovery allows any node in the mobile ad hoc network to dynamically discover a route to any other node, whether directly reachable within wireless transmission range or reachable through one or more intermediate network hops through other nodes. Route maintenance refers to the monitoring of the correct operation of a route in use by each node in the route.
For example, if the sender, the destination, or any of the other nodes along a route moves out of wireless transmission range of the next or previous hop along the route, the route can no longer be used to reach the destination. A route will also no longer work if any of the nodes along the route fails or is powered off. When a problem with a route in use is detected, route discovery may be used again to discover a new, correct route to the destination.

If a node wants to communicate with another node for which it has no route in its cache, it initiates a route discovery by broadcasting a route request packet, which may be received by those nodes within its wireless transmission range. The format of the route request packet is as follows:

<ROUTE REQUEST, initiator address, target address, request id, route record>

- initiator address refers to the node that initiated the route discovery.
- target address identifies the target of the route discovery, for which the route is requested.
- route record is a record of the sequence of hops taken by the route request packet, accumulated as it is propagated through the mobile ad hoc network during this route discovery.
- request id is set by the initiator from a locally maintained sequence number.

In order to detect duplicate route requests, each node in the mobile ad hoc network maintains a list of the <initiator address, request id> pairs that it has recently received in any route request. When a node receives a route request packet, it processes the request according to the following steps:

1. If the pair <initiator address, request id> for this route request is found in this node's list of recently seen requests, then discard the route request packet and do not process it further.
2. Otherwise, if this node's address is already listed in the route record in the request, then discard the route request packet and do not process it further.
3. Otherwise, if the target of the request matches this node's own address, then the route record in the packet contains exactly the route by which the request reached this node from the initiator of the route request. Return a copy of this route in a route reply packet to the initiator.
4. Otherwise, append this node's own address to the route record in the route request packet, and re-broadcast the request.

The route request thus propagates through the mobile ad hoc network until it reaches the target node, which then replies to the initiator. If the route discovery is successful, the initiating node receives a route reply packet listing a sequence of network hops through which it may reach the target.

Since wireless networks are inherently less reliable than wired networks, many wireless networks use a hop-by-hop acknowledgement at the data link level in order to provide early detection and retransmission of lost or corrupted packets. If the data link level reports a transmission problem from which it cannot recover (for example, because the maximum number of retransmissions it is willing to attempt has been exceeded), this node sends a route error packet to the original sender of the packet encountering the error. The route error packet contains the addresses of the nodes at both ends of the hop in error: the node that detected the error and the node to which it was attempting to transmit the packet on this hop. When a route error packet is received, the hop in error is removed from this node's route cache, and all routes which contain this hop must be truncated at that point. As with the return of a route reply packet, a node must have a route to the sender of the original packet in order to return a route error packet to it. If this node has an entry for the original sender in its route cache, it may send the route error packet using that route.
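The four route request processing steps and the route error truncation rule of DSR described above, as an added Python example (it is not the survey's code nor any DSR implementation's). The route cache layout (a list of intermediate hops per target), the five-node topology and the FIFO flooding order are constructed assumptions; delivery of the route reply back to the initiator is not simulated, the reply is handed straight to the initiator:

```python
"""DSR route discovery and route maintenance at a single node, simulated.

Added example, not the survey's code nor a DSR implementation. The request
layout follows the ROUTE REQUEST format of Section 2.1.2 and handle_request
implements its four numbered steps; the cache layout, the topology and the
FIFO flooding order are constructed for this demo.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class RouteRequest:
    initiator: str
    target: str
    request_id: int
    route_record: list = field(default_factory=list)   # intermediate hops taken so far


class DsrNode:
    def __init__(self, addr):
        self.addr = addr
        self.next_request_id = 0
        self.route_cache = {}   # target -> list of intermediate hops (the source route for a header)
        self.seen = set()       # <initiator address, request id> pairs recently received

    def new_request(self, target):
        self.next_request_id += 1
        self.seen.add((self.addr, self.next_request_id))   # our own request, re-broadcast back to us, is ignored
        return RouteRequest(self.addr, target, self.next_request_id)

    def handle_request(self, req):
        """Steps 1-4 of Section 2.1.2; returns ("discard" | "reply" | "forward", payload)."""
        if (req.initiator, req.request_id) in self.seen:          # step 1: recently seen pair
            return "discard", None
        self.seen.add((req.initiator, req.request_id))
        if self.addr in req.route_record:                          # step 2: we are already on the record
            return "discard", None
        if req.target == self.addr:                                # step 3: the record is the route to us
            return "reply", list(req.route_record)
        return "forward", RouteRequest(req.initiator, req.target, req.request_id,
                                       req.route_record + [self.addr])   # step 4: append, re-broadcast

    def learn_route(self, target, hops):
        """Install the hop list carried by a route reply in the route cache."""
        self.route_cache[target] = list(hops)

    def source_route(self, target):
        """Full path for a packet header, or None when the cache has no route (discovery is needed)."""
        hops = self.route_cache.get(target)
        return None if hops is None else [self.addr] + hops + [target]

    def handle_route_error(self, from_addr, to_addr):
        """Remove the hop in error and truncate every cached route that crosses it at that point."""
        for target, hops in list(self.route_cache.items()):
            full = [self.addr] + hops + [target]
            for i in range(len(full) - 1):
                if (full[i], full[i + 1]) == (from_addr, to_addr):
                    del self.route_cache[target]
                    if i >= 1:   # the prefix up to the node that detected the error stays usable
                        self.route_cache[full[i]] = full[1:i]
                    break


def discover(nodes, links, src, dst):
    """Flood a ROUTE REQUEST in FIFO order (the target answers the first copy reaching it)
    and hand the route reply to the initiator. Returns the full path, or None."""
    req = nodes[src].new_request(dst)
    queue = deque((nb, req) for nb in links[src])
    while queue:
        at, pkt = queue.popleft()
        action, out = nodes[at].handle_request(pkt)
        if action == "reply":
            nodes[src].learn_route(dst, out)   # reply return (reverse route or piggybacking) not simulated
            return nodes[src].source_route(dst)
        if action == "forward":
            queue.extend((nb, out) for nb in links[at])
    return None


if __name__ == "__main__":
    # constructed topology: S-B-D is the shortest route, S-A-C-D the alternative
    net = {a: DsrNode(a) for a in "SABCD"}
    adj = {"S": ["A", "B"], "A": ["S", "B", "C"], "B": ["S", "A", "C", "D"],
           "C": ["A", "B", "D"], "D": ["B", "C"]}
    print(discover(net, adj, "S", "D"))
    net["S"].handle_route_error("B", "D")   # B reports that D is unreachable
    print(net["S"].source_route("D"), net["S"].source_route("B"))
```

After the route error for the hop B to D, the cached route S, B, D is truncated at B: the source keeps a route to B and must run discovery again for D.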
Otherwise, this node may reverse the route from the packet in error (the route by which the packet reached this node) or may use piggybacking as in the case of a route reply packet. Another option when returning a route error packet is for this node to save the route error packet locally in a buffer, perform a route discovery for the original sender, and then send the route error packet using that route when it receives the route reply for this route discovery.

2.2 Security threats for routing protocols

Mobile ad hoc networks are networks with no fixed infrastructure, in which network functions are carried out by all available nodes, which are highly mobile and have constrained power resources [18]. Consequently, mobile ad hoc networks have increased sensitivity to node misbehavior [18, 19, 20]. There are two sources of attacks related to node misbehavior in mobile ad hoc networks [12]. The first is the external attacker, where unauthenticated attackers can replay old routing information or inject false routing information to partition the network or increase the network load. The second is the internal attack, which comes from compromised nodes inside the network. Since compromised nodes can be authenticated, internal attacks are usually much harder to detect and can create severe damage.

Misbehaving nodes in mobile ad hoc networks are classified into two types: faulty/malicious nodes and selfish nodes [42]. Faulty nodes are nodes that are faulty and cannot follow a protocol, while malicious nodes are intentionally malicious and try to attack the network. The security problem caused by faulty/malicious nodes is extremely important in security-sensitive applications. Selfish nodes are economically rational nodes whose objective is to maximize their own welfare. They will be the dominant type of nodes in a civilian ad hoc network.
Although selfish nodes do not intend to attack the network, such selfish behaviors are also very harmful to a mobile ad hoc network, which is highly dependent on the cooperation of all available nodes [20].

Although passive (eavesdropping) attacks are also possible in mobile ad hoc networks, they can easily be controlled by using cryptographic mechanisms. Active attacks, which are more damaging, cannot be defended against by applying cryptographic mechanisms alone. The goal of an active attack is to disrupt the proper functioning of the network. This may be achieved in several ways; some of the most common attacks are [10, 11]:

- Denial of service:
  - Route Disruption (RD): breaking down an existing route or preventing a new route from being established.
  - Direct Denial of Service (DDoS): preventing a given node from communicating with any other node in the network.
  - Resource Consumption (RC): consuming the communication bandwidth in the network or the resources of an individual node.
- Route Invasion (RI): an attacker adds itself into a route between two nodes and takes control of the route.

Exploits against mobile ad hoc network routing protocols can be classified into modification, fabrication, tunneling attack, denial of service attack, invisible node attack, Sybil attack, rushing attack and non-cooperation. Below, we will discuss these threats to mobile ad hoc network routing protocols in detail.

2.2.1 Modification

Malicious nodes can modify the protocol fields of messages passed among nodes. Such attacks compromise the integrity of the routing computation. By altering routing information, an attacker can cause network traffic to be dropped, redirected to a different destination, or made to take a long route to the destination, increasing communication delays [10, 19].
Using AODV as an example, a malicious node can either increase the broadcast_id in a RREQ to make the faked RREQ message acceptable, or decrease the hop_cnt to update other nodes' reverse routing tables. In the network illustrated in Figure 1, a malicious node M can increase the chances that it is included on a newly created route from source node S to destination node D by consistently advertising to A a shorter route to D than the one B advertises.

[Figure 1. Redirection with modification. Nodes: S (source node), D (destination node), M (malicious node), A, B, M (intermediate nodes); legend: broadcasting, unicast.]

2.2.2 Fabrication

Fabrication refers to attacks performed by generating false routing messages. The following is an example of an attack launched by sending false route error messages. Suppose S has a route to D via nodes A and B, as in Figure 1. A malicious node M can launch a denial-of-service attack by continually sending route error messages to A spoofing B, indicating a broken link between B and D. A receives the spoofed route error message, thinking that it came from B. A deletes its routing table entry for D and forwards the route error message on to the upstream node, which then also deletes its routing table entry. If M listens and broadcasts spoofed route error messages whenever a route is established from S to D, M can successfully prevent communication between S and D.

2.2.3 Tunneling attack

The tunneling attack is also called the wormhole attack. In a tunneling attack, an attacker receives packets at one point in the network, "tunnels" them to another point in the network, and then replays them into the network from that point. It is called a tunneling attack because the colluding malicious nodes are linked through a private network connection which is invisible at higher layers [16, 21, 23].

[Figure 2. Tunneling attack. Nodes: S (source node), D (destination node), M, N (malicious nodes, joined by the tunneled path), A, B, C (intermediate nodes); legend: broadcasting.]

In Figure 2, M receives the RREQ and tunnels it to N. When N receives the RREQ, it forwards the RREQ to D as if it had traveled through S, M and N. N also tunnels the RREP back to M. By doing this, M and N falsely claim a path between them and fool S into choosing the path through M and N (because it has the shorter path length). The tunnel between the attackers is actually faster than the links between legitimate nodes, so the tunneled packet arrives sooner than packets through other routes. Therefore, the attackers are more likely to be included in a route by claiming a shorter path, and then they can take control of the route [39].

2.2.4 Denial of service attack

By denial of service attack, we refer to an attack in which a malicious node floods irrelevant data to consume network bandwidth or to consume the resources (e.g. power, storage capacity or computation resources) of a particular node. With fixed-infrastructure networks, we can control denial of service attacks by using "Round Robin Scheduling", but with mobile ad hoc networks this approach has to be extended to adapt to the lack of infrastructure, which requires the identification of neighbor nodes by using cryptographic tools, and the cost is very high.

2.2.5 Invisible node attack

Marshall et al. identified a flaw in SRP in [44, 45]. The attack occurs when an intermediate node M does not append its IP address to the route record field of the SRP header. In SRP, the destination node D uses the accumulated route record to establish a path between the source node S and itself. The result of the attack is that M becomes "invisible" in the path and S erroneously believes that a path exists between D and itself that does not depend on M. If M leaves the mobile ad hoc network, any route maintenance technique will be unable to notify S that the route is no longer intact, because M is "invisible" and the path is believed not to rely on the existence of M.

2.2.6 Sybil attack

The Sybil attack refers to presenting multiple identities for malicious intent [41]. This can be achieved if the malicious nodes collude and share their secret keys. As illustrated in Figure 3, A is connected with B, C and the malicious node M1. If M1 represents other nodes M2, M3 and M4 (e.g. by using their secret keys), this makes A believe it has 6 neighbors instead of 3.

[Figure 3. The Sybil attack. Node A with its actual neighbors B, C and M1, and the fake neighbors M2, M3 and M4 presented by M1.]

In mobile ad hoc networks, where the functionality relies on the trust of each node, the Sybil attack is very harmful. By "being in more than one place at once", the Sybil attack disrupts geographic and multi-path routing protocols. In a mobile ad hoc network that uses multi-path routing, the possibility of choosing a path that contains a malicious node (e.g. M1) will be largely increased.

2.2.7 Rushing attack

Generally, during the process of route discovery, only the first received route request packet (RREQ) is processed. If the RREQ forwarded by an attacker is the first to reach the destination node, then the route discovered will include the hop through the attacker [39]. Thus, an attacker that can forward Route Request packets more quickly than legitimate nodes can increase the probability of being included in the discovered route. In a rushing attack, the adversary succeeds in fooling the source into believing that a route is short, by relaying packets much faster through nodes under his control.
An attacker can achieve faster transit by transmitting at a higher wireless transmission power level, or may employ a wired tunnel, which is much faster than wireless forwarding.

2.2.8 Non-cooperation

In mobile ad hoc networks, the resources (e.g. power, storage capacity, computation resources) of a mobile node are restricted. In order to get the most benefit, a mobile node may behave selfishly to save energy for itself; it may not participate in routing or may not forward packets for other nodes. This kind of node misbehavior caused by lack of cooperation is called node selfishness. A selfish node differs from a malicious node in that it does not intend to damage other nodes with active attacks, but the damage selfish behavior causes to the mobile ad hoc network cannot be underestimated [19]. We will discuss it in more detail in section 3.

2.2.9 Summary

In this section, we summarize all the attacks on mobile ad hoc network routing protocols. Table 1 lists the different types of attacks, their descriptions and their results.

Type of attack          Description                                  Results
Modification            Modify the routing message                   DoS, take control of the route
Fabrication             Generate false routing messages              DoS, take control of the route
Tunneling attack        Colluding, take advantage of "tunnels"       Take control of the route
DoS attack              Floods irrelevant data, resource consuming   DoS
Invisible node attack   Malicious node becomes "invisible"           DoS
Sybil attack            Colluding, forging of multiple identities    DoS, take control of the route
Rushing attack          Rushing routing message                      Take control of the route
Non-cooperation         Not participate, selfish behavior            DoS, take control of the route

Table 1. Different types of attacks on mobile ad hoc network routing

Some of the attacks can be carried out by only one malicious node, e.g. modification, fabrication, DoS attack, invisible node attack, rushing attack and non-cooperation.
Other attacks may need two or more malicious nodes to collude with each other: for example, the tunneling attack requires a "tunnel" between the malicious nodes, and to launch the Sybil attack, attackers have to share their secret keys.

In the following section, we discuss some secure routing protocols which deal with the above attacks. They secure the routing protocols by applying cryptographic techniques and making modifications to the existing protocols. Such secure routing protocols may deter or mitigate some of the attacks mentioned above, but none of them is capable of dealing with all the attacks.

2.3 Secure routing protocols

2.3.1 SRP

Papadimitratos and Haas proposed the Secure Routing Protocol (SRP) [14] as an extension of existing on-demand routing protocols. SRP emphasizes the acquisition of correct topological information in a timely manner in the presence of malicious nodes. It introduces a set of features, such as the requirement that the query verifiably arrives at the destination, the consequent verifiable return of the query response over the reverse of the query propagation route, the identification of query and reply by a dual identifier, the reply protection of the source and destination nodes, and the regulation of the query propagation.

The only assumption of the proposed scheme is the existence of a security association between the node initiating the query and the destination. The trust relationship could be instantiated, for example, by knowledge of the public key of the other communicating end. The two nodes can negotiate a shared secret key (KS,T) and then, using the secret key, verify that the principal that participated in the exchange was indeed the trusted node.

The route request packet initiated by the source node S contains a pair of identifiers: a query sequence number and a random query identifier.
The source and destination and the unique (with respect to the pair of end nodes) query identifiers are the input for calculating the Message Authentication Code (MAC), along with KS,T. The identities of the traversed intermediate nodes are accumulated in the route query packet. The intermediate nodes relay route requests and maintain a limited amount of state information regarding the relayed queries, so that previously seen route requests are discarded. When the route request reaches the destination T, T verifies the integrity and authenticity of the request by calculating the MAC and comparing it with the MAC contained in the route request packet. If the route request is valid, T constructs the route reply: it calculates a MAC covering the route reply contents and returns the packet to S over the reverse of the route accumulated in the respective request packet. The destination responds to one or more request packets of the same query, so that it provides the source with as diverse a topology as possible. The querying node validates the replies and updates its topology.

SRP copes with non-colluding malicious nodes that are able to modify, replay, spoof and fabricate routing packets. But SRP suffers from the lack of validation of route maintenance messages: route error packets are not verified. However, by source-routing error packets along the prefix of the route reported as broken, the source node can verify that the provided route error feedback refers to the actual route and is not generated by a node that is not even part of the route. That is, a malicious node can harm only the routes it belongs to. SRP is also not immune to the wormhole attack: two colluding malicious nodes can misroute the routing packets over a private network connection and alter the view of the network topology that a benign node can collect.

2.3.2 ARAN

Kimaya et al.
proposed a secure mobile ad hoc network routing protocol [16], ARAN (Authenticated Routing for Mobile ad hoc networks), which detects and protects against malicious actions by third parties and peers in one particular mobile ad hoc network environment. ARAN introduces authentication, message integrity and non-repudiation. It makes use of cryptographic certificates and requires a trusted certificate server, whose public key is known to all valid nodes.

Suppose source node S wants to establish a route to destination node D, as illustrated in Figure 4. S begins route instantiation by broadcasting a route discovery packet (RDP):

[RDP, IPD, CertS, NS, t]KS-, CertS

The RDP includes the packet type identifier (RDP), the IP address of D (IPD), S's certificate (CertS), a nonce (NS) and the current time (t), all signed with S's private key (KS-). Each time S performs route discovery, it monotonically increases the nonce. When S's neighbor B receives the packet, it validates the signature, sets up a reverse path back to the source and forward-broadcasts the message:

[[RDP, IPD, CertS, NS, t]KS-, CertS]KB-, CertB

The signature of B prevents spoofing attacks that may alter the route or form loops. B's neighbor C receives the packet, validates the signature, sets up a reverse path by recording the neighbor from which it received the RDP, and forward-broadcasts the message:

[[RDP, IPD, CertS, NS, t]KS-, CertS]KC-, CertC

Each node along the path validates the previous node's signature, removes the previous node's certificate and signature, records the previous node's IP address, signs the original contents of the message, appends its own certificate and forward-broadcasts the message. Eventually, the message is received by the destination, D, which replies to the first RDP that it receives for a given source and nonce.
There is no guarantee that the first RDP received traveled along the shortest path from the source. The destination unicasts a route reply (REP) packet back along the reverse path to the source. Let the first node that receives the REP sent by D be node C. D sends C the following message:

[REP, IPS, CertD, NS, t]KD-, CertD

The REP includes a packet type identifier (REP), the IP address of S (IPS), the certificate belonging to D (CertD), and the nonce (NS) and associated timestamp (t) sent by S. D also signs the REP using its private key (KD-). Nodes that receive the REP forward the packet back to the predecessor from which they received the original RDP. Each node along the reverse path back to the source signs the REP and appends its own certificate before forwarding the REP. Let C's next hop to the source be node B. C sends B the following message:

[[REP, IPS, CertD, NS, t]KD-, CertD]KC-, CertC

B validates C's signature, removes the signature, and then signs the contents of the message before unicasting the following REP message to S:

[[REP, IPS, CertD, NS, t]KD-, CertD]KB-, CertB

Each node checks the nonce and signature of the previous hop as the REP is returned to the source. This avoids attacks where malicious nodes instantiate routes by impersonation and replay of D's message. When the source receives the REP, it verifies the destination's signature and the nonce returned by the destination.

[Figure 4 diagram not reproduced. It shows the messages listed above: S broadcasts [RDP, IPD, CertS, NS, t]KS-, CertS to B; B broadcasts [[RDP, IPD, CertS, NS, t]KS-, CertS]KB-, CertB to C; C broadcasts [[RDP, IPD, CertS, NS, t]KS-, CertS]KC-, CertC to D; D unicasts [REP, IPS, CertD, NS, t]KD-, CertD to C; C unicasts [[REP, IPS, CertD, NS, t]KD-, CertD]KC-, CertC to B; B unicasts [[REP, IPS, CertD, NS, t]KD-, CertD]KB-, CertB to S. Legend: broadcast; unicast.]
Figure 4. Route discovery from S to D using ARAN

Nodes keep track of whether routes are active.
Data received on an inactive route causes nodes to generate an error message that travels the reverse path toward the source. Error messages are also used to report links broken due to node movement. Although it is difficult to detect when error messages are fabricated, the non-repudiation provided by the signed error message allows a node to be verified as the source of each error message that it sends.

ARAN copes with exploits using modification, impersonation and fabrication, but it does not cope with wormhole attacks, where two or more malicious nodes collude to launch an attack. Also, since ARAN uses asymmetric cryptography, it is costly to use in terms of CPU and energy usage.

2.3.3 Ariadne

Hu, Perrig and Johnson presented a secure on-demand mobile ad hoc network routing protocol based on DSR, called Ariadne, which prevents attackers or compromised nodes from tampering with uncompromised routes consisting of uncompromised nodes [15]. It is efficient because it uses symmetric cryptography, which is highly efficient. The authentication in Ariadne is based on the TESLA broadcast authentication protocol. TESLA uses clock synchronization and delayed key disclosure to create the asymmetry needed for secure broadcast authentication from symmetric primitives. Each sender using TESLA for authentication generates a one-way key chain by repeatedly computing a one-way hash function H on a randomly chosen key K_N: K_i = H^(N-i)[K_N]. The one-way chain has two properties: first, anybody can compute the key chain in one direction, that is, anybody can derive K_j from K_i, where j < i; second, any key can be used to authenticate following keys. Every node predetermines a schedule at which it publishes the keys of the one-way key chain in reverse order from generation.
In Ariadne, every node has a TESLA one-way key chain, and all nodes know an authentic key of the TESLA one-way key chain of each node (for authentication of subsequent keys). Also, every pair of nodes shares a secret MAC key; for example, nodes A and B share the MAC key KAB. To send a packet, the sender first estimates a pessimistic upper bound on the end-to-end network delay; it then picks a key K_i from its one-way key chain which the receiver will believe is still secret at the time the receiver is expected to receive the packet. When a receiver receives a packet authenticated with TESLA, it first verifies that the key K_i used to authenticate the packet is still secret. If the check is successful, the receiver buffers the packet and waits for the sender to publish key K_i.

The design of Ariadne is based on the Dynamic Source Routing protocol (DSR). In Ariadne, the basic RREQ mechanism is enriched with eight fields used to provide authentication and integrity to the routing protocol:

<ROUTE REQUEST, initiator, target, request id, time interval, hash chain, route record, MAC list>

The initiator and target are set to the addresses of the initiator and target nodes, respectively. The initiator sets the request id to an identifier that it has not recently used in initiating a Route Discovery. The time interval is the TESLA time interval at the pessimistic expected arrival time of the request at the target, accounting for clock skew. The initiator of the request then initializes the hash chain to MAC_KSD(initiator, target, id, time interval) and the route record and MAC list to empty lists.

When any node receives a RREQ, the node checks whether it has already seen the same request. The node also checks whether the time interval is valid: the key corresponding to it must not have been disclosed yet.
If the time interval is valid, the node modifies the request by appending its own address to the route record in the request, replacing the hash chain field, and appending a MAC of the entire request to the MAC list, and then forward-broadcasts it. When the target node receives the RREQ, it checks the validity of the request by determining that the keys from the time interval specified have not been disclosed yet, and that the hash chain field is equal to

H[η_n, H[η_{n-1}, H[..., H[η_1, MAC_KSD(initiator, target, id, time interval)]...]]],

where η_i is the address of the node at position i of the route record in the request and n is the number of nodes in the route record. If the target node determines that the request is valid, it returns a RREP to the initiator.

A node forwarding a RREP waits until it is able to disclose its key from the time interval specified, then appends its key from that time interval to the reply and forwards the packet according to the source route indicated in the packet. Waiting delays the return of the RREP but does not consume extra computational power. When the initiator receives a RREP, it verifies that each key in the key list is valid, that the target MAC is valid, and that each MAC in the MAC list is valid. If all of these tests succeed, the node accepts the RREP; otherwise, it discards it.
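The TESLA key chain and the Ariadne route discovery checks just described, written out as an added Python example (this is not code from the Ariadne or TESLA papers): each node has a chain K_i = H^(N-i)[K_N] and every other node holds its commitment K_0; a request from S through A, B and C to D accumulates the per-hop hash chain and MAC list, D recomputes the hash chain, and S verifies the disclosed keys, the target MAC and each per-hop MAC once the reply returns. SHA-256 as H, HMAC-SHA256 as the MAC, the repr()-based field encoding, the seeds and the key K_SD are constructed assumptions; the last check shows that a request whose route record lost a node no longer matches the hash chain at the target.

```python
import hashlib
import hmac
from typing import Dict, Tuple

# Added example (not Ariadne's or TESLA's reference code). H = SHA-256,
# MAC = HMAC-SHA256, encode() = repr() of the field tuple: all assumptions.

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def MAC(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def encode(*fields) -> bytes:
    return repr(fields).encode()          # constructed canonical encoding

class TeslaChain:
    """K_i = H^(N-i)[K_N]; K_0 is the commitment every node is assumed to hold."""
    def __init__(self, k_n: bytes, n: int):
        chain = [k_n]
        for _ in range(n):
            chain.append(H(chain[-1]))
        self.keys = chain[::-1]            # keys[i] == K_i
        self.commitment = self.keys[0]

    def key(self, interval: int) -> bytes:
        return self.keys[interval]

def verify_tesla_key(commitment: bytes, key: bytes, interval: int) -> bool:
    """A disclosed K_i is authentic if hashing it i times yields K_0."""
    for _ in range(interval):
        key = H(key)
    return hmac.compare_digest(key, commitment)

def h0(k_sd: bytes, S: str, D: str, rid: int, ti: int) -> str:
    return MAC(k_sd, encode("REQUEST", S, D, rid, ti)).hex()

def next_hash(addr: str, h_prev: str) -> str:
    """Per-hop hash chain step h_i = H[addr_i, h_{i-1}]."""
    return H(addr.encode() + bytes.fromhex(h_prev)).hex()

def route_discovery(nodes: Dict[str, TeslaChain], k_sd: bytes, rid: int, ti: int, route: Tuple[str, ...]):
    """Each intermediate node appends its address, advances the hash chain and MACs the request with K_X^ti."""
    S, D = route[0], route[-1]
    h, record, macs = h0(k_sd, S, D, rid, ti), (), ()
    for X in route[1:-1]:
        h = next_hash(X, h)
        record = record + (X,)
        m = MAC(nodes[X].key(ti), encode("REQUEST", S, D, rid, ti, h, record, macs)).hex()
        macs = macs + (m,)
    return ("REQUEST", S, D, rid, ti, h, record, macs)

def target_accepts(req, k_sd: bytes) -> bool:
    """D recomputes the hash chain over the route record; the per-hop MACs cannot be checked yet."""
    _, S, D, rid, ti, h, record, macs = req
    expected = h0(k_sd, S, D, rid, ti)
    for X in record:
        expected = next_hash(X, expected)
    return len(macs) == len(record) and hmac.compare_digest(expected, h)

def build_reply(req, k_sd: bytes, nodes: Dict[str, TeslaChain]):
    """D MACs the reply with K_SD; C, B and A then each append their now-disclosable K_X^ti."""
    _, S, D, rid, ti, h, record, macs = req
    md = MAC(k_sd, encode("REPLY", D, S, ti, record, macs)).hex()
    keys = tuple(nodes[X].key(ti).hex() for X in reversed(record))
    return ("REPLY", D, S, ti, record, macs, md, keys)

def initiator_accepts(reply, rid: int, k_sd: bytes, commitments: Dict[str, bytes]) -> bool:
    """S checks every disclosed key, the target MAC and every per-hop MAC in the MAC list."""
    _, D, S, ti, record, macs, md, keys = reply
    if len(keys) != len(record) or len(macs) != len(record):
        return False
    key_of = dict(zip(reversed(record), keys))
    if any(not verify_tesla_key(commitments[X], bytes.fromhex(key_of[X]), ti) for X in record):
        return False
    if not hmac.compare_digest(md, MAC(k_sd, encode("REPLY", D, S, ti, record, macs)).hex()):
        return False
    h = h0(k_sd, S, D, rid, ti)
    for i, X in enumerate(record):           # replay each hop's view of the request
        h = next_hash(X, h)
        expect = MAC(bytes.fromhex(key_of[X]), encode("REQUEST", S, D, rid, ti, h, record[:i + 1], macs[:i])).hex()
        if not hmac.compare_digest(expect, macs[i]):
            return False
    return True

def demo() -> Dict[str, bool]:
    route = ("S", "A", "B", "C", "D")
    nodes = {x: TeslaChain(b"constructed-seed-" + x.encode(), 8) for x in route}
    commitments = {x: c.commitment for x, c in nodes.items()}
    k_sd, rid, ti = b"constructed K_SD", 7, 3
    req = route_discovery(nodes, k_sd, rid, ti, route)
    reply = build_reply(req, k_sd, nodes)
    # A request whose route record (and matching MAC) lost node B no longer matches the hash chain.
    _, S, D, _, _, h, record, macs = req
    stripped = ("REQUEST", S, D, rid, ti, h, record[:1] + record[2:], macs[:1] + macs[2:])
    return {
        "target_accepts": target_accepts(req, k_sd),
        "initiator_accepts": initiator_accepts(reply, rid, k_sd, commitments),
        "stripped_rejected": not target_accepts(stripped, k_sd),
    }

if __name__ == "__main__":
    print(demo())
```

The order of checks at S mirrors the text: the disclosed keys are validated against the commitments first, then the target MAC, then the MAC list, replaying each hop's view of the request so that the MAC it computed with its then-secret key can be recomputed.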
Following is an example illustrating the route discovery process from source node S to destination node D, assuming the route goes through A, B and C:

S:           h0 = MAC_KSD(REQUEST, S, D, id, ti)
S broadcast: (REQUEST, S, D, id, ti, h0, (), ())
A:           h1 = H[A, h0]
             MA = MAC_KAti(REQUEST, S, D, id, ti, h1, (A), ())
A broadcast: (REQUEST, S, D, id, ti, h1, (A), (MA))
B:           h2 = H[B, h1]
             MB = MAC_KBti(REQUEST, S, D, id, ti, h2, (A, B), (MA))
B broadcast: (REQUEST, S, D, id, ti, h2, (A, B), (MA, MB))
C:           h3 = H[C, h2]
             MC = MAC_KCti(REQUEST, S, D, id, ti, h3, (A, B, C), (MA, MB))
C broadcast: (REQUEST, S, D, id, ti, h3, (A, B, C), (MA, MB, MC))
D:           MD = MAC_KSD(REPLY, D, S, ti, (A, B, C), (MA, MB, MC))
D → C:       (REPLY, D, S, ti, (A, B, C), (MA, MB, MC), MD, ())
C → B:       (REPLY, D, S, ti, (A, B, C), (MA, MB, MC), MD, (KCti))
B → A:       (REPLY, D, S, ti, (A, B, C), (MA, MB, MC), MD, (KCti, KBti))
A → S:       (REPLY, D, S, ti, (A, B, C), (MA, MB, MC), MD, (KCti, KBti, KAti))

Figure 5: Route Discovery example in Ariadne. The initiator node S is attempting to discover a route to the target node D.

A ROUTE ERROR packet in Ariadne contains six fields:

<ROUTE ERROR, sending address, receiving address, time interval, error MAC, recent TESLA key>

The sending address is set to the address of the intermediate node encountering the error, and the receiving address is set to the intended next-hop destination of the packet it was attempting to forward. The time interval is set to the TESLA time interval at the pessimistic expected arrival time of the error message at the destination, and the error MAC is set to the MAC of the preceding fields of the ROUTE ERROR, computed using the TESLA key of the sender of the ROUTE ERROR for the time interval specified in the ROUTE ERROR. The recent TESLA key is set to the most recent TESLA key that can be disclosed for the sender of the ROUTE ERROR.
TESLA is used to authenticate the ROUTE ERROR so that forwarding nodes can also authenticate and process the ROUTE ERROR, thus preventing the injection of invalid ROUTE ERRORs into the network from any node other than the one on the sending end of the broken link specified by the ROUTE ERROR.

Ariadne does not deal with attacks in which malicious nodes collude, such as the wormhole attack. The time synchronization, which is important in TESLA, is also subject to attack.

2.3.4 SEAD

Hu, Perrig and Johnson presented a table-driven routing protocol, Secure Efficient Ad hoc Distance vector routing (SEAD) [17, 38], which is based on the Destination-Sequenced Distance Vector protocol (DSDV) [4]. In distance vector routing, each node maintains a routing table listing all possible destinations within the network. Each entry in a node's routing table contains the address of some destination, this node's shortest known distance to that destination, and the address of the node's neighbor that is the first hop on this shortest route to that destination. To maintain the routing table, each node periodically transmits a routing update to each of its neighbor nodes, containing the information from its own routing table. A node also uses triggered updates, in which a node transmits a new update about some destination as soon as the metric in its table entry for that destination changes, rather than waiting for its next scheduled periodic update to be sent. The updates may be either a "full dump", listing all destinations, or an "incremental" update, listing only destinations for which the route has changed since the last full dump sent by that node.

SEAD uses an efficient one-way hash chain rather than relying on expensive asymmetric cryptographic operations. Especially on CPU-limited devices, symmetric cryptographic operations are three to four orders of magnitude faster than asymmetric operations.
SEAD assumes some mechanism for a node to distribute an authentic element of the hash chain that can be used to authenticate all the other elements of the chain. As a traditional approach, the authors suggest relying for key distribution on a trusted entity that signs public key certificates for each node; each node can then use its public key to sign a hash chain element and distribute it.

To create a one-way hash chain, a node chooses a random initial value x and computes the list of values h_0, h_1, h_2, h_3, ..., h_n, where h_0 = x and h_i = H(h_{i-1}) for 0 < i <= n. The node at initialization generates the elements of its hash chain as shown above and then over time uses certain elements of the chain to secure its routing updates; in using these values, the node progresses from "right to left" (in order of decreasing subscript i) within the generated chain. Each node uses a specific authentic (i.e. signed) element from its hash chain in each routing update that it sends about itself (metric 0). Based on this initial element, the one-way hash chain provides authentication for the lower bound on the metric in other routing updates for that node. The use of a hash value corresponding to the sequence number and metric in a routing update entry prevents any node from advertising a route to some destination claiming a greater sequence number than that destination's own current sequence number. Likewise, a node cannot advertise a route better than those for which it has received an advertisement, since the metric in an existing route cannot be decreased, due to the one-way nature of the hash chain. For example, a routing update with sequence number i and metric j will carry the hash value h_{n - i*m + j}; a node cannot advertise a route with either a sequence number greater than i or a metric less than j, because it cannot compute the corresponding hash value.
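The chain indexing h_{n - i*m + j} and the receiver's check, as an added Python example (this is not SEAD's reference code): a node builds its chain, advertises itself with metric 0, a neighbour re-advertises with metric + 1 by hashing once, and a receiver that holds one authentic element hashes a received element forward and compares. The page does not define m; here it is taken, as in SEAD, to be the number of metric values (0 to m-1) per sequence number. SHA-256, the chain sizes and the seed are constructed assumptions, and the last two results show why a forwarding node cannot claim a smaller metric or a newer sequence number than it received.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List

# Added example (not SEAD's reference code). Sizes, seed and SHA-256 are assumptions.
M = 3                    # metrics 0..2 (m = 3, constructed)
SEQ_MAX = 4              # sequence numbers 1..4 (constructed)
N = SEQ_MAX * M          # chain length n; elements h_0 .. h_n

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def make_chain(x: bytes, n: int) -> List[bytes]:
    """h_0 = x, h_i = H(h_{i-1}) for 0 < i <= n."""
    chain = [x]
    for _ in range(n):
        chain.append(H(chain[-1]))
    return chain

def index_for(seq: int, metric: int) -> int:
    """Element authenticating (seq, metric): h_{n - seq*m + metric}."""
    return N - seq * M + metric

@dataclass(frozen=True)
class Entry:
    dest: str
    seq: int
    metric: int
    h: bytes

def own_entry(dest: str, chain: List[bytes], seq: int) -> Entry:
    """A node's update about itself: metric 0 and the element for (seq, 0)."""
    return Entry(dest, seq, 0, chain[index_for(seq, 0)])

def readvertise(e: Entry) -> Entry:
    """One more hop: metric + 1 corresponds to hashing the element once."""
    return Entry(e.dest, e.seq, e.metric + 1, H(e.h))

def verify(received: Entry, prior: Entry) -> bool:
    """Hash the received element until it should reach the prior authentic one.
    Only entries that would replace the stored route (newer seq, or same seq
    and smaller metric) are checked; others are not adopted under DSDV rules
    (assumption of this example)."""
    if received.dest != prior.dest or not 0 <= received.metric < M or not 1 <= received.seq <= SEQ_MAX:
        return False
    k_recv = index_for(received.seq, received.metric)
    k_prior = index_for(prior.seq, prior.metric)
    if k_recv > k_prior:
        return False
    h = received.h
    for _ in range(k_prior - k_recv):
        h = H(h)
    return hmac.compare_digest(h, prior.h)

def demo() -> Dict[str, bool]:
    chain = make_chain(b"constructed-seed-for-X", N)
    anchor = own_entry("X", chain, 1)        # authentic element a receiver Z already holds for X
    x_adv = own_entry("X", chain, 2)          # X advertises sequence number 2
    w_adv = readvertise(x_adv)                # W, one hop from X, advertises metric 1
    y_adv = readvertise(w_adv)                # Y, two hops from X, advertises metric 2
    # Y holds only w_adv.h; a smaller metric or a newer seq needs an earlier
    # chain element, which one-wayness makes uncomputable.
    better_metric = Entry("X", 2, 0, w_adv.h)
    newer_seq = Entry("X", 3, 2, w_adv.h)
    return {
        "x_adv_ok": verify(x_adv, anchor),
        "w_adv_ok": verify(w_adv, anchor),
        "y_adv_ok": verify(y_adv, anchor),
        "better_metric_rejected": not verify(better_metric, anchor),
        "newer_seq_rejected": not verify(newer_seq, anchor),
    }

if __name__ == "__main__":
    print(demo())
```

Note that the chain alone authenticates the (sequence number, metric) pair, not who sent it; a forwarding node could re-send the exact element it received unchanged, which is why the text below also requires the source of each update to be authenticated.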
When a node receives a routing update, it checks the authenticity of the information for each entry in the update using the destination address, the sequence number and the metric of the received entry, together with the latest prior authentic hash value received from that destination's hash chain. Hashing the received element the correct number of times (according to the prior authentic hash value) assures the authenticity of the received information if the calculated hash value and the authentic hash value match.

The source of each routing update message in SEAD must also be authenticated, since otherwise an attacker may be able to create routing loops through an impersonation attack. The authors propose two different approaches to node authentication: the first is based on a broadcast authentication mechanism such as TESLA; the second is based on the use of Message Authentication Codes, assuming a shared secret key between each pair of nodes in the network. SEAD does not cope with colluding attacks, such as the wormhole attack.

2.3.5 Dealing with tunneling attacks

The tunneling attack is a serious threat in mobile ad hoc networks, especially against many routing protocols [21, 23]. Burmester et al. [22] proposed two possible solutions: a temporal solution and a locational solution. The first one exploits the time taken for each hop, while the second one uses the physical location of the nodes. Yih-Chun Hu et al. proposed a mechanism based on this, called packet leashes, to detect and defend against wormhole attacks [23]. Their mechanism has two types of leashes: geographic leashes and temporal leashes. A leash is any information that is added to a packet designed to restrict the packet's maximum allowed transmission distance. A geographic leash ensures that the recipient of the packet is within a certain distance from the sender.
It is based on location information and loosely synchronized clocks. A temporal leash ensures that the packet has an upper bound on its lifetime, which restricts the maximum travel distance. It relies on extremely precise time synchronization and extremely precise timestamps in each packet. Either type of leash can prevent the wormhole attack, because it allows the receiver of a packet to detect whether the packet traveled further than the leash allows.

Lidong Zhou et al. proposed a mechanism that takes advantage of the inherent redundancy of mobile ad hoc networks to defend routing against wormhole attacks [12]. They use a routing algorithm that finds multiple routes between nodes, so that nodes can switch to an alternative route when the primary route appears to have failed or to have been tunneled.

2.3.6 Summary

The table below compares the implementation, requirements and disadvantages of the discussed secure routing protocols:

Secure routing protocol   Implementation                Requirements                                          Disadvantages
SRP                       Message Authentication Code   Security association between source and destination   Does not cope with colluding nodes; false route errors
ARAN                      Asymmetric cryptography       A trusted third-party certificate server              Costly; does not cope with colluding nodes
Ariadne                   One-way hash chain            TESLA, clock synchronization                          Does not cope with colluding nodes
SEAD                      One-way hash chain            A trusted certificate server                          Does not cope with colluding nodes

Table 2. Comparison of secure routing protocols

Of the mentioned secure routing protocols, SRP, ARAN and Ariadne can be applied to on-demand routing protocols, while SEAD is based on table-driven routing protocols. They use different cryptographic techniques to ensure the integrity of the routing messages: SRP uses a Message Authentication Code, ARAN uses asymmetric cryptography, and Ariadne and SEAD use one-way hash chains.
SRP assumes a security association between the source node and every destination node; ARAN requires a trusted certificate server to authenticate, distribute and revoke certificates for each node; Ariadne and SEAD also need a trusted server to ensure public key distribution. Ariadne even requires clock synchronization, which can also become a target of attacks.

3. Cooperation Enforcement

3.1 Introduction

In mobile ad hoc networks, basic networking functions like packet forwarding and routing are carried out by all available nodes in the network. There is no reason to assume that the nodes will cooperate with one another, since network operation consumes energy, which is a particularly scarce resource in mobile ad hoc networks. A new type of node misbehavior is caused by lack of cooperation and is called node selfishness [24, 33]. A selfish node differs from a malicious node: it does not intend to damage other nodes with active attacks, but simply does not cooperate in the network operation, saving battery life for its own communication. But the damage caused by selfish behavior cannot be underestimated: simulations show that a small percentage of selfish nodes present in the network leads to a severe degradation of performance [24].

Mechanisms to enforce node cooperation in a mobile ad hoc network can be divided into two categories: one is currency based (Nuglets, Sprite) [26, 42, 40]; the other uses a local monitoring technique (Watchdog, Confidant, CORE) [18, 25, 27, 28, 31]. Currency-based systems are simple to implement but may rely on tamper-proof hardware, and it is difficult to establish a way to exchange the virtual currency, which makes their use unrealistic in a practical system. Cooperative security schemes based on local monitoring offer a more suitable solution to the selfishness problem.
Every node monitors its local neighbors, evaluating for each of them a metric that is directly related to the node's behavior. The main drawback is related to the absence of a mechanism that securely identifies the nodes of the network: any selfish node could elude the cooperation enforcement mechanism and get rid of its bad reputation by changing its identity.

3.2 Solutions

3.2.1 Nuglets

Buttyan and Hubaux introduced a virtual currency, called nuglets, and presented a mechanism of charging/rewarding service usage/provision to stimulate cooperation in [26]. They assumed that each node in a mobile ad hoc network belongs to a different authority, which has full control of the node. They also assumed that the physical and data link layers of the nodes function correctly, but the users can modify all other layers, including the network layer.

Two models were presented for using the nuglets: the packet purse model and the packet trade model. In the packet purse model, when sending the packet, the source loads it with a number of nuglets sufficient to reach the destination. Each intermediate node takes nuglets for its forwarding service. If a packet does not have enough nuglets to be forwarded, then it is discarded. The main advantages of this model are: 1) it stimulates cooperation; 2) it deters nodes from sending useless data and overloading the network. The disadvantage is that it is difficult for the source node to estimate the number of nuglets that are required to reach a given destination.

In the packet trade model, the packet is traded for nuglets by intermediate nodes. Each intermediary "buys" the packet from the previous one for some nuglets and "sells" it to the next one. The advantage of this model is that the source does not have to know in advance the number of nuglets required to deliver a packet. A serious disadvantage is that it does not directly prevent nodes from overloading the network.
A hybrid model combines the two models in the following way: the source loads the packet with some nuglets before sending it. The packet is handled according to the packet purse model until it runs out of nuglets. Then it is handled according to the packet trade model until the destination buys it. This model combines the advantages of the packet purse and packet trade models.

The authors also discussed the problem of controlling the number of nuglets that are charged for packet forwarding. Taking the packet purse model as an example, how many nuglets should be taken out of the packet by the forwarding nodes? Two extensions to the basic packet purse model are proposed: fixed per-hop charge and auctions. With a fixed per-hop charge, each forwarding node acquires exactly u nuglets for the forwarding operation. The advantages of this approach are: 1) it is simple to implement; 2) it is generic and can easily be added to any existing routing algorithm. The disadvantage of this approach is that it is not flexible.

With auctions, each forwarding node runs a sealed-bid price auction to determine the next hop. The bidders, which are the potential next hops towards the destination of the packet, each determine a price for which they are willing to forward the packet and send it to the forwarding node in sealed form. When the forwarding node receives all the bids, it determines the winner of the auction, which is the bidder offering the lowest bid. The assumption of the auction is that the bidders do not collude and that they have no information about the total number of bidders participating in the auction. This approach is more complex, and the auction causes considerable overhead both in terms of bandwidth and latency. Another disadvantage is that it can only be incorporated with routing algorithms in which the nodes are allowed to have multiple entries with different next hops for the same destination in their routing table.
The advantage of this approach is that it tries to minimize the number of nuglets spent during the delivery of packets, and the lifetime of the network can be lengthened by routing the traffic in such a way that energy consumption is balanced among the nodes in proportion to their energy reserves.

To implement either the packet purse model or the packet trade model, tamper-proof hardware is required at each node to ensure that the correct amount of nuglets is deducted or credited at each node [45]. Besides this, mechanisms using nuglets have some other issues:

1. Both models require the clearance of nuglets in real time. The performance of the system may degrade if the system does not have enough nuglets circulating.
2. If a mobile node runs out of nuglets, it has to contact some central authority to "refill" its credit.

3.2.2 Sprite

S. Zhong et al. proposed Sprite, a simple, cheat-proof, credit-based system for mobile ad hoc networks [45]. A selfish node is considered as an economically rational node whose objective is to maximize its own welfare, which is defined as the benefit of its actions minus the cost of its actions. Sprite uses credit to provide an incentive for mobile nodes to cooperate and report actions honestly. The basic idea of their scheme is as follows: a Credit Clearance Service (CCS) is introduced to determine the charge and credit to each node involved in the transmission of a message. When a node receives a message, the node keeps a receipt of the message and later reports it to the CCS when the node has a fast connection with the CCS. Payments and charges are determined from a game theory perspective. The sender, instead of the destination, is charged, in order to prevent a denial-of-service attack on the destination by sending it a large amount of traffic.
Any node that has ever tried to forward a message is compensated, but the credit a node receives depends on whether or not its forwarding action is successful: forwarding is considered successful if and only if the next node on the path reports a valid receipt to the CCS. Three selfish actions and the corresponding countermeasures are discussed in the paper:

1. After receiving a message, a selfish node may save a receipt but not forward the message. To prevent this, the CCS should give more credit to a node that forwards a message than to a node that does not, to motivate a selfish node to forward others' messages. To achieve this objective, if the destination does not submit a receipt, the CCS first determines the last node on the path that ever received the message. Then the CCS pays this last node less than it pays each of the predecessors of the last node.
2. A node that received a message may not report the receipt. This is possible if the sender colludes with the intermediate nodes, so that the sender can pay the node a behind-the-scenes compensation, which is a little more than the CCS would pay, and the sender still gets a net gain. In order to prevent this cheating action, the CCS charges the sender an extra amount of credit if the destination does not report the receipt, so that the colluding group gets no benefit.
3. Since reporting a receipt to the CCS is sufficient for getting credit, a group of colluding nodes may forward only the receipt of a message, instead of the whole message, to its successor. Two cases are considered: 1) the destination colludes with the intermediate nodes; 2) the destination does not collude with the intermediate nodes. In the first case, since the message is for the destination, if the destination really submits the receipt, then the intermediate nodes and the destination should be paid as if no cheating had happened.
In the second case, if the destination does not report a receipt for the message, the credit paid to each node is multiplied by a fraction r, where r < 1.

Modeling the submission of receipts for a given message as a one-round game, the authors proved the correctness of the receipt-submission system using game theory [30, 42]. Although the system is mainly intended for unicast message forwarding, it can be extended to route discovery and multicast as well. The scheme may, however, have several issues:
1. The receipts of the nodes along a path may be submitted to the CCS at different times, making it difficult for the CCS to determine the actual payment to each node.
2. The scheme is based on DSR, which carries the path in the forwarded message. A malicious node not on the path can collude with nodes on the path to forge a receipt and deceive the CCS.

3.2.3 Watchdog and Path Rater

Sergio Marti, T. J. Giuli, Kevin Lai, and Mary Baker proposed the watchdog and path rater components to mitigate routing misbehavior [25]. The watchdog identifies misbehaving nodes, while the path rater avoids routing packets through those nodes. When a node forwards a packet, its watchdog verifies that the next node in the path also forwards the packet, by listening promiscuously to the next node's transmissions. If the next node does not forward the packet, it is considered to be misbehaving. The path rater uses this knowledge of misbehaving nodes to choose the network path most likely to deliver packets. Nodes rely exclusively on their own watchdog and do not exchange reputation information with others.

Figure 6 illustrates how the watchdog works. Suppose there is a path from node S to D through intermediate nodes A, B, and C. Node A cannot transmit all the way to node C, but it can listen to node B's traffic.
Thus, when A transmits a packet for B to forward to C, A can often tell whether B transmits the packet. If encryption is not performed separately for each link (which can be expensive), A can also tell whether B has tampered with the payload or the header.

Figure 6: Watchdog technique. Nodes S, A, B, C, D on a path; legend: packet forwarding, listening, packet forwarding over multiple hops.

When B forwards a packet from S toward D through C, A can overhear B's transmission and verify that B has attempted to pass the packet to C. The solid line represents the intended direction of the packet sent by B to C, while the dashed line indicates that A is within transmission range of B and can overhear the packet transfer.

The watchdog is implemented by maintaining a buffer of recently sent packets and comparing each overheard packet with the packets in the buffer to see if there is a match. If so, the packet in the buffer is removed and forgotten by the watchdog, since it has been forwarded on. If a packet has remained in the buffer for longer than a certain timeout, the watchdog increments a failure tally for the node responsible for forwarding it. If the tally exceeds a certain threshold bandwidth, the watchdog determines that the node is misbehaving and sends a message to the source notifying it of the misbehaving node.

The path rater, run by each node in the network, combines knowledge of misbehaving nodes with link reliability data to pick the route most likely to be reliable. Each node maintains a rating for every other node it knows about in the network and calculates a path metric by averaging the ratings of the nodes in the path. If there are multiple paths to the same destination, the path with the highest metric is chosen. Nodes suspected of misbehaving by the watchdog are assigned a special, highly negative value, so that when the path rater calculates the path metric, a negative value indicates the presence of one or more suspected misbehaving nodes in the path.
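The buffer-and-timeout logic of the watchdog and the averaging done by the path rater, as an added simulation on the S-A-B-C-D example above (this is illustrative code written for this survey, not the implementation of Marti et al.; the timeout of 3 ticks, the failure threshold of 5, the default rating 0.5 and the special rating -100 are assumed values):

```python
"""Watchdog and path rater, simulated on the S-A-B-C-D example.

Added illustration; this is not the code of Marti et al. The timeout,
the failure threshold and the special negative rating are assumed values.
"""


class Watchdog:
    """Run by node A: buffers each packet handed to the next hop and expects to
    overhear the same packet being retransmitted before a timeout elapses."""

    def __init__(self, timeout=3, threshold=5):
        self.timeout = timeout        # assumed: ticks a packet may wait in the buffer
        self.threshold = threshold    # assumed: failures above which a node is accused
        self.buffer = []              # (next_hop, packet, sent_at)
        self.failures = {}            # next_hop -> failure tally
        self.accused = set()

    def sent(self, next_hop, packet, now):
        """Record a packet handed to next_hop for forwarding."""
        self.buffer.append((next_hop, packet, now))

    def overheard(self, sender, packet):
        """A promiscuously overheard transmission that matches a buffered packet
        (same header and payload) clears it. A tampered copy does not match, so
        the buffered entry stays and later times out."""
        for i, (hop, buffered, _) in enumerate(self.buffer):
            if hop == sender and buffered == packet:
                del self.buffer[i]
                return True
        return False

    def tick(self, now):
        """Expire stale entries, charging a failure to the responsible next hop."""
        keep = []
        for hop, packet, sent_at in self.buffer:
            if now - sent_at > self.timeout:
                self.failures[hop] = self.failures.get(hop, 0) + 1
                if self.failures[hop] > self.threshold:
                    self.accused.add(hop)     # the real scheme now notifies the source
            else:
                keep.append((hop, packet, sent_at))
        self.buffer = keep
        return set(self.accused)


class PathRater:
    """Per-node ratings, averaged over the intermediate nodes of a path."""

    MISBEHAVING = -100.0              # assumed: special highly negative rating

    def __init__(self, default=0.5):
        self.default = default        # assumed: rating of a node never seen misbehaving
        self.ratings = {}

    def rate(self, node):
        return self.ratings.get(node, self.default)

    def mark_misbehaving(self, node):
        self.ratings[node] = self.MISBEHAVING

    def path_metric(self, path):
        hops = path[1:-1]             # only intermediate nodes are rated
        if not hops:
            return self.default
        return sum(self.rate(n) for n in hops) / len(hops)

    def choose(self, paths):
        """Pick the candidate path with the highest metric."""
        return max(paths, key=self.path_metric)


def simulate(forwards, packets=50, timeout=3, threshold=5):
    """A hands `packets` packets to B; forwards(i) says whether B retransmits
    packet i unchanged. Returns (failure tally for B, whether B is accused)."""
    wd = Watchdog(timeout, threshold)
    for now in range(packets):
        pkt = ("S", "D", now)         # constructed packet: (source, destination, seq)
        wd.sent("B", pkt, now)
        if forwards(now):
            wd.overheard("B", pkt)
        wd.tick(now)
    for now in range(packets, packets + timeout + 2):   # let the last entries expire
        wd.tick(now)
    return wd.failures.get("B", 0), "B" in wd.accused


if __name__ == "__main__":
    print("honest B:", simulate(lambda i: True))
    print("B drops everything:", simulate(lambda i: False))
    print("B drops 1 in 10:", simulate(lambda i: i % 10 != 0))
    pr = PathRater()
    pr.mark_misbehaving("B")
    print(pr.choose([["S", "A", "B", "C", "D"], ["S", "E", "F", "D"]]))
```

Running the three simulations shows the threshold at work: a node that never forwards is accused quickly, while a node that drops one packet in ten over 50 packets accumulates only five failures, which is not above the assumed threshold of five, so it is never accused. A node that forwards a modified copy is charged a failure just like a dropper, because the overheard packet does not match the buffered one.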
If a node were marked as misbehaving because of a temporary malfunction or an incorrect accusation, it would be preferable not to exclude it from routing permanently. Therefore nodes with negative ratings should have their ratings slowly increased, or reset to a non-negative value after a long timeout.

The watchdog and path rater mechanism assumes wireless interfaces that support promiscuous mode operation, which is not appropriate for all mobile ad hoc network scenarios (particularly some military scenarios). The watchdog technique also has weaknesses: it might not detect a misbehaving node in the presence of:
1. Ambiguous collisions. In the example above, an ambiguous collision occurs when a packet collision happens at A while it is listening for B to forward a packet.
2. Receiver collisions. In the example, A can only tell whether B sends the packet to C; it cannot tell whether C receives it.
3. Limited transmission power, where a node's signal is strong enough to be overheard by the previous node but too weak to be received by the intended recipient.
4. False misbehavior reports, where nodes falsely report other nodes as misbehaving.
5. Collusion, where multiple colluding nodes mount a more sophisticated attack; for example, B forwards a packet to C but does not report to A when C drops it.
6. Partial dropping, where a node circumvents the watchdog by dropping packets at a rate lower than the watchdog's configured minimum misbehavior threshold.

3.2.4 CONFIDANT

Buchegger and Le Boudec present a protocol called CONFIDANT for making misbehavior unattractive [27, 28]. CONFIDANT stands for Cooperation Of Nodes: Fairness In Dynamic Ad-hoc NeTworks; it works as an extension to on-demand routing protocols. CONFIDANT is based on selective altruism and utilitarianism. It aims at detecting and isolating misbehaving nodes, thus making it unattractive to deny cooperation.
Nodes monitor their neighbors and change their reputation accordingly. Reputation is used to evaluate routing and forwarding behavior according to the network protocol; trust is used to evaluate participation in the CONFIDANT meta-protocol. Trust relationships and routing decisions are based on experienced, observed, or reported routing and forwarding behavior of other nodes. CONFIDANT consists of the following components: the Monitor, the Trust Manager, the Reputation System, and the Path Manager.

The monitor is the equivalent of a "neighborhood watch", where nodes locally look for deviating nodes. A node can detect deviation by the next node on the source route either by listening to the transmission of the next node or by observing routing protocol behavior.

The trust manager deals with incoming and outgoing ALARM messages. ALARM messages are sent by the trust manager of a node to warn others of malicious nodes. Outgoing ALARM messages are generated by the node itself after having experienced, observed, or received a report of malicious behavior. The recipients of these ALARM messages are so-called friends, which are administered in a friends list. Incoming ALARM messages originate either from friends or from other nodes, so the source of an ALARM has to be checked for trustworthiness before a reaction is triggered.

The reputation system manages a table of entries for nodes and their ratings. A rating is changed only when there is sufficient evidence of malicious behavior that is significant for the node and that has occurred a number of times exceeding a threshold, to rule out coincidences. To avoid centralized rating, local rating lists and/or black lists are maintained at each node and potentially exchanged with friends.
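How the four components fit together, as an added sketch of one CONFIDANT-style node (illustrative code written for this survey, not the implementation of Buchegger and Le Boudec): the monitor feeds observed events to the reputation system, which only moves a rating once an event type has occurred more often than a threshold; the trust manager discards ALARMs from sources that are not sufficiently trusted friends; and the path manager purges cached routes through an isolated node and refuses its route requests. The occurrence threshold of 3, the intolerable rating of -2, the trust level of 0.7 and the unit rating decrement are assumed values.

```python
"""A CONFIDANT-style node: monitor, trust manager, reputation system and
path manager. Added illustration; not the code of Buchegger and Le Boudec.
The threshold, the intolerable rating, the required friend trust and the
rating arithmetic are assumed."""

OCCURRENCE_THRESHOLD = 3   # assumed: occurrences of one event type tolerated as coincidence
INTOLERABLE = -2           # assumed: rating at or below which a node is isolated
TRUST_NEEDED = 0.7         # assumed: minimum trust in a friend for its ALARM to count


class ConfidantNode:
    def __init__(self, name, significant_events, path_cache, friends=None):
        self.name = name
        self.significant = set(significant_events)  # event types significant for this node
        self.path_cache = [list(p) for p in path_cache]
        self.friends = dict(friends or {})          # friend -> trust in [0, 1]
        self.counts = {}                            # (node, event) -> occurrences seen
        self.rating = {}                            # node -> reputation, 0 is neutral
        self.outgoing_alarms = []                   # ALARMs to send to friends

    # Monitor: locally observed deviations are handed to the reputation system.
    def observe(self, node, event):
        if event not in self.significant:
            return
        key = (node, event)
        self.counts[key] = self.counts.get(key, 0) + 1
        # Only occurrences beyond the threshold move the rating.
        if self.counts[key] > OCCURRENCE_THRESHOLD:
            self._degrade(node)

    # Trust manager: check the source of an incoming ALARM before reacting.
    def receive_alarm(self, reporter, node, event):
        if self.friends.get(reporter, 0.0) < TRUST_NEEDED:
            return False                  # untrusted source: ignored, no rating change
        self.observe(node, event)         # counted as one more reported occurrence
        return True

    # Reputation system: lower the rating, isolate when it becomes intolerable.
    def _degrade(self, node):
        self.rating[node] = self.rating.get(node, 0) - 1
        if self.rating[node] <= INTOLERABLE:
            self._isolate(node)

    # Path manager: purge routes through the node and warn friends.
    def _isolate(self, node):
        self.path_cache = [p for p in self.path_cache if node not in p]
        if (node, "misbehaving") not in self.outgoing_alarms:
            self.outgoing_alarms.append((node, "misbehaving"))

    def misbehaving(self):
        return {n for n, r in self.rating.items() if r <= INTOLERABLE}

    def accept_route_request(self, origin, source_route):
        """Ignore requests from a misbehaving node or carrying one in the source route."""
        bad = self.misbehaving()
        return origin not in bad and not (bad & set(source_route))


if __name__ == "__main__":
    # Constructed scenario: A caches two routes to D and has one trusted friend F.
    a = ConfidantNode("A", {"drop"}, [["A", "B", "D"], ["A", "C", "D"]],
                      friends={"F": 0.9, "X": 0.2})
    for _ in range(4):
        a.observe("B", "drop")            # fourth observation exceeds the threshold
    print(a.rating, a.receive_alarm("X", "B", "drop"), a.receive_alarm("F", "B", "drop"))
    print(a.path_cache, a.outgoing_alarms, a.accept_route_request("B", ["B", "A"]))
```

Note what the trust check buys: the ALARM from X, whose trust is below the assumed level, changes nothing, whereas the same ALARM from friend F counts as one more occurrence and tips B's rating over the intolerable value, at which point the route through B is dropped from the cache.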
The path manager performs the following functions: re-ranking paths according to the reputation of the nodes in the path; deleting paths containing malicious nodes; acting on a route request from a malicious node (e.g. ignore it, do not send any reply); and acting on a route request containing a malicious node in the source route (e.g. ignore it, alter the source route).

Figure 7: Trust architecture and finite state machine within each node.

As shown in Figure 7, each node monitors the behavior of its neighbors. If a suspicious event is detected, the information is given to the reputation system. If the event is significant for the node, it is checked whether the event has occurred more often than a predefined threshold that is high enough to distinguish deliberate malicious behavior from simple coincidences such as collisions. What constitutes the significance rating can be defined for different types of nodes according to their security requirements. If the occurrence threshold is exceeded, the reputation system updates the rating of the node that caused the event. If the rating becomes intolerable, the information is relayed to the path manager, which deletes all routes containing the misbehaving node from the path cache.

Although CONFIDANT can detect and isolate misbehaving nodes, it has some limitations:
1. It is a detection-based reputation system.
2. Events have to be observable and classifiable for detection.
3. Reputation is only meaningful if the identity of each node is persistent; otherwise the system is vulnerable to spoofing attacks.

3.2.5 CORE

P. Michiardi et al. proposed a mechanism called CORE (COllaborative REputation mechanism) to enforce node cooperation based on a collaborative monitoring technique [29].
It is a generic mechanism that can be integrated with any network function, such as packet forwarding, route discovery, network management, or location management. CORE stimulates node cooperation through a collaborative monitoring technique and a reputation mechanism. Here reputation is a measure of a node's contribution to network operations: members with a good reputation can use the network's resources, while members with a bad reputation, because they refused to cooperate, are gradually excluded from the community. Each node computes a reputation value for every neighbor using a reputation mechanism that distinguishes between subjective reputation (its own observations), indirect reputation (positive reports by others), and functional reputation (task-specific behavior).

The CORE mechanism has two basic components: the reputation table (RT) and the watchdog mechanism (WD). The watchdog is used to detect misbehaving nodes. The reputation table is a data structure stored at each node; each row consists of four entries: the unique identifier of the entity, a collection of recent subjective observations of that entity's behavior, a list of recent indirect reputation values provided by other entities, and the reputation value evaluated for a predefined function. The CORE scheme involves two types of protocol entities: a requestor and one or more providers within the wireless transmission range of the requestor. If a provider refuses to cooperate (the request is not satisfied), CORE reacts by decreasing the reputation of the provider, leading to its exclusion if the non-cooperative behavior persists. Reputation tables are updated in two situations: during the request phase of the protocol and during the reply phase, corresponding to the result of the execution.
In the first case only the subjective reputation value is updated, while in the second case only the indirect reputation value is updated. To prevent a misbehaving entity from distributing false information about other entities in order to mount a denial-of-service attack, the protocol allows only positive rating factors to be distributed. No negative ratings are spread between nodes, so a node cannot maliciously decrease another node's reputation.

CORE suffers from spoofing attacks because misbehaving nodes can change their network identity. The watchdog technique, a basic component of CORE, relies on promiscuous mode operation, which is not always available (e.g. in military applications), and has the weaknesses discussed in section 3.2.3. Although CORE prevents false accusations that could maliciously decrease a node's reputation, it cannot prevent colluding nodes from distributing false praise that increases a malicious node's reputation.

3.2.6 Token-based

In [31], Yang et al. proposed a token-based mechanism to enforce cooperation in mobile ad hoc networks. In their proposal, each node must hold a token in order to participate in network operations; its local neighbors collaboratively monitor it to detect any misbehavior in routing or packet forwarding. The token is renewed via multiple neighbors when it expires. The validity period of a node's token depends on how long it has stayed in the network and behaved well: a well-behaving node accumulates credit and renews its token less and less frequently as time goes on. The solution takes a self-organized approach, assuming neither a centralized trust entity nor any a priori secret association between nodes.
There is only a global secret/public key pair SK/PK, where PK is known to every node of the network and SK is shared among all nodes, each node knowing only a limited portion of it. The solution is composed of four components:
1. Neighbor verification: verify whether each neighboring node is legitimate or malicious.
2. Neighbor monitoring: monitor the behavior of each neighbor and detect attacks from malicious ones.
3. Intrusion reaction: alert the network and isolate the attackers.
4. Security-enhanced routing protocol: incorporate the security information into the mobile ad hoc network routing protocol.

Token issuing is decentralized: the token of each node is issued and signed collaboratively by k of its neighbors. Before its current token expires, a node broadcasts a TREQ (Token Request) to its neighbors. When a node receives a TREQ from a neighbor, it extracts the token from the TREQ packet. If the TREQ is valid and the owner of the TREQ matches the owner of the token, it constructs a new token, signs it using its own share of SK, encapsulates the partially signed token in a TREP (Token Reply), and unicasts the TREP to the requesting node. Once the renewing node has received k TREPs from different neighbors, it can combine the partially signed tokens into a token signed by SK. The authors adopt a credit-based strategy for the expiration time of each node's token: each time a legitimate node renews its token, the validity period of its token increases by a fixed interval.

The authors also extend the AODV protocol into AODV-S, a security-enhanced routing protocol. Routing security relies on the redundancy of routing information rather than on cryptographic techniques. Each AODV-S node maintains a list of all its verified neighbors that possess valid tokens and interacts only with those verified neighbors.
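The k-of-n property behind the token renewal above, as an added model written for this survey (it is not the code of Yang et al.). It uses polynomial (Shamir) secret sharing over a prime field, so that any k neighbors together determine SK while k-1 shares reveal nothing, and shows the TREQ/TREP exchange with the credit-based growth of the validity period. Assumed simplifications: PK/SK are a toy textbook RSA pair built from two small known primes; a neighbor's partial signature is modelled as its share of SK, and the requester reconstructs SK from k shares to sign the new token, whereas the real scheme combines k partial signatures without ever reconstructing SK; the bootstrap token is signed with the full SK; the validity constants and the sharing field are invented.

```python
"""k-of-n token renewal modelled with polynomial (Shamir) secret sharing.

Added illustration; not the code of Yang et al. Assumed: toy RSA pair, shares
of SK standing in for partial signatures (the requester reconstructs SK, which
the real scheme avoids), a bootstrap token signed with the full SK, and made-up
validity constants.
"""
import hashlib
import random
import secrets

_P_RSA, _Q_RSA = 1000000007, 998244353            # small primes: toy key, demo only
N = _P_RSA * _Q_RSA
E = 65537                                         # PK = (E, N), known to every node
D = pow(E, -1, (_P_RSA - 1) * (_Q_RSA - 1))       # SK, held by nodes only as shares
FIELD = 2**127 - 1                                # prime field for the shares, larger than D
BASE_VALIDITY = 10                                # assumed validity of a first token
CREDIT_STEP = 5                                   # assumed extension earned per renewal


def make_shares(secret, k, n, seed=None):
    """Split secret into n shares: any k recover it, k-1 reveal nothing."""
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    coeffs = [secret] + [rng.randrange(FIELD) for _ in range(k - 1)]

    def f(x):                                     # Horner evaluation mod FIELD
        acc = 0
        for c in reversed(coeffs):
            acc = (acc * x + c) % FIELD
        return acc

    return [(x, f(x)) for x in range(1, n + 1)]


def combine(shares):
    """Lagrange interpolation at x = 0 over GF(FIELD)."""
    secret = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % FIELD
                den = den * (xi - xj) % FIELD
        secret = (secret + yi * num * pow(den, FIELD - 2, FIELD)) % FIELD
    return secret


def _digest(owner, expires_at, validity):
    msg = f"{owner}|{expires_at}|{validity}".encode()
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(sk, owner, expires_at, validity):        # textbook RSA on the hash, toy only
    return pow(_digest(owner, expires_at, validity), sk, N)


def verify_token(token):
    """Any node holding PK can check a token."""
    h = _digest(token["owner"], token["expires_at"], token["validity"])
    return pow(token["sig"], E, N) == h


def bootstrap_token(owner, now):
    """Assumed bootstrap: a first token signed with the full SK."""
    exp = now + BASE_VALIDITY
    return {"owner": owner, "expires_at": exp, "validity": BASE_VALIDITY,
            "sig": sign(D, owner, exp, BASE_VALIDITY)}


def handle_treq(share, treq, now):
    """Neighbor side: answer with a TREP only if the presented token verifies,
    is not yet expired and belongs to the requester; the proposed new token
    earns CREDIT_STEP more validity than the old one."""
    requester, token = treq
    if token["owner"] != requester or token["expires_at"] < now or not verify_token(token):
        return None
    validity = token["validity"] + CREDIT_STEP
    return {"owner": requester, "expires_at": now + validity,
            "validity": validity, "share": share}


def renew_token(owner, token, neighbor_shares, now, k):
    """Requester side: broadcast the TREQ, collect TREPs, combine k of them."""
    treps = [t for t in (handle_treq(s, (owner, token), now) for s in neighbor_shares) if t]
    if len(treps) < k:
        return None                               # fewer than k neighbors: no token
    fields = {(t["owner"], t["expires_at"], t["validity"]) for t in treps}
    if len(fields) != 1:
        return None                               # neighbors disagree on the new token
    sk = combine([t["share"] for t in treps[:k]])  # simplification: SK is reconstructed
    o, e, v = fields.pop()
    return {"owner": o, "expires_at": e, "validity": v, "sig": sign(sk, o, e, v)}


if __name__ == "__main__":
    shares = make_shares(D, k=3, n=5, seed=1)     # five neighbors, threshold three
    t0 = bootstrap_token("n1", now=0)
    print(renew_token("n1", t0, shares[:3], now=5, k=3))   # renewed, validity grows
    print(renew_token("n1", t0, shares[:2], now=5, k=3))   # only two neighbors: None
```

With five neighbors and k = 3, any three TREPs suffice and the validity period grows from 10 to 15 on the first renewal; two TREPs, a request under another node's name, or an already expired token all yield no token. The same combine step is what a revocation would use when k signed notifications against a node are gathered.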
When a node broadcasts a new routing update, it explicitly claims the next hop. Each node also keeps track of the route entries previously announced by its neighbors. This redundancy of routing information makes it possible for a node to prevent routing update misbehavior. Packet forwarding misbehaviors, such as packet dropping, packet duplication, and network-layer packet jamming, are detected using an algorithm similar to the watchdog technique in [25]: each node overhears the channel at all times and records the headers of the packets it has recently overheard.

If a node detects a neighbor's misbehavior, it considers the neighbor an attacker and broadcasts a SID (Single Intrusion Detection) packet. A node is considered an attacker if and only if m out of its n neighbors have independently sent SID packets against it. The choice of m represents the tradeoff between prompt reaction to attackers and protection of legitimate nodes from false accusation. When a node has received m independent SID packets against the same node, it constructs a token revocation notification, signs it using its own share of SK, and broadcasts it in a GID (Group Intrusion Detection) packet. The first node that receives k GID packets against the same node combines them, based on polynomial secret sharing, into a TREV (Token Revocation) signed by SK. The intrusion reaction process is triggered only when an attacker is detected. When a node receives a TREV packet and the token is not yet on its TRL (Token Revocation List), it adds the token to the TRL. At the same time, each neighbor of the attacker deems its link to the attacker broken and uses the path maintenance mechanism to cancel those links.

The token-based mechanism is more suitable for large and dense mobile ad hoc networks with low node mobility than for other settings, because it has the following drawbacks:
1.
Frequent changes in the local subset of the network that shares the key for issuing valid tokens can cause high computational overhead, not to mention the high traffic generated by issuing and renewing tokens.
2. The localized monitoring mechanism executed by each node is intrinsically inaccurate, because the information obtained by overhearing the channel is inaccurate.
3. The bootstrap phase that generates a valid token for each node has limitations. For example, a node needs at least k neighbors, which suggests the use of the mechanism in a rather dense mobile ad hoc network.

4. Conclusion

Mobile ad hoc networks are wireless multi-hop networks formed by a collection of mobile nodes without relying on a preexisting infrastructure. Evaluations have shown that mobile ad hoc networks are not only flexible but can also perform well [42]. However, because of the lack of infrastructure and the dynamically changing topology, mobile ad hoc networks have more vulnerabilities than traditional networks. As far as network-layer security is concerned, there are two main issues. First, malicious nodes can launch attacks that disrupt the routing function, such as the tunneling attack and the Sybil attack. Second, even if a routing algorithm is secure, there is no guarantee that every node will cooperate in finding routes and forwarding messages: a selfish node will refuse to forward others' messages to save its own energy. Both issues have to be taken into account at the early stages of the design of basic networking mechanisms. To secure routing protocols, a wide range of attacks should be considered, and the countermeasures should not consume too much of the resources that are so precious on wireless mobile nodes. The protocols also have to be designed to stimulate cooperation between individual nodes and to mitigate selfish behavior.
In this survey, we presented the most common attacks against mobile ad hoc network routing protocols and introduced several secure routing protocols, including SRP and ARAN. Approaches to stimulating node cooperation, both currency-based and monitoring-based, were also discussed. Security measures make the network functions more complex, so system overhead should be considered when evaluating security schemes; usually there is a tradeoff between security and performance. Mobile ad hoc networks will be applied not only in security-sensitive environments such as military operations, but also in civilian environments such as out-of-office conferencing. The security requirements of different applications vary, so the security mechanisms adopted to combat misbehaving or compromised nodes have to be flexible enough to be used in different environments, and should be built from easy-to-integrate components.

5. References

1. E. M. Belding-Royer and C. K. Toh. A review of current routing protocols for ad-hoc mobile wireless networks. IEEE Personal Communications Magazine, pages 46-55, April 1999.
2. C. E. Perkins and P. Bhagwat. Highly Dynamic Destination-Sequenced Distance-Vector Routing. Proceedings of INFOCOM '97, April 1997.
3. C. C. Chiang, H. K. Wu, W. Liu, and M. Gerla. Routing in Clustered Multihop, Mobile Wireless Networks with Fading Channel. Proceedings of IEEE SICON '97, pp. 197-211, April 1997.
4. S. Murthy and J. J. Garcia-Luna-Aceves. An Efficient Routing Protocol for Wireless Networks. ACM Mobile Networks and Applications Journal, Special Issue on Routing in Mobile Communication Networks, pp. 183-197, October 1996.
5. Charles E. Perkins, Elizabeth M. Belding-Royer, and Samir Das. Ad Hoc On Demand Distance Vector (AODV) Routing. IETF Internet draft, draft-ietf-manet-aodv-12.txt, November 2002.
6. D. B. Johnson and D. A. Maltz. Dynamic source routing in ad hoc wireless networking. In Mobile Computing, T.
Imielinski and H. Korth, Eds. Norwell, MA: Kluwer, 1996.
7. V. D. Park and M. S. Corson. Temporally-Ordered Routing Algorithm (TORA) version 1: Functional specification. Internet draft, draft-ietf-manet-tora-spec-01.txt, August 1998.
8. C.-K. Toh and George Lin. Implementing Associativity-Based Routing for Ad Hoc Mobile Wireless Networks. Unpublished article, March 1998.
9. R. Dube, C. D. Rais, K. Y. Wang, and S. K. Tripathi. Signal Stability based Adaptive Routing (SSA) for Ad hoc Mobile Networks. IEEE Personal Communications, pp. 36-45, February 1997.
10. Peng Ning and Kun Sun. How to Misuse AODV: A Case Study of Insider Attacks against Mobile Ad-hoc Routing Protocols. In Proceedings of the 4th Annual IEEE Information Assurance Workshop, pages 60-67, West Point, June 2003.
11. Shahan Yang and John S. Baras. Modeling Vulnerabilities of Ad Hoc Routing Protocols. ACM Workshop on Security of Ad Hoc and Sensor Networks (SASN '03), George Mason University, Fairfax, VA, USA, October 31, 2003.
12. L. Zhou and Z. Haas. Securing ad hoc networks. IEEE Network, 13(6):24-30, November/December 1999.
13. J.-P. Hubaux, L. Buttyán, and S. Capkun. The quest for security in mobile ad hoc networks. In Proc. ACM MOBICOM, 2001.
14. Panagiotis Papadimitratos and Zygmunt J. Haas. Secure Routing for Mobile Ad hoc Networks. SCS Communication Networks and Distributed Systems Modeling and Simulation Conference (CNDS 2002), San Antonio, TX, January 27-31, 2002.
15. Y.-C. Hu, A. Perrig, and D. B. Johnson. Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks. In Proceedings of MOBICOM 2002.
16. Kimaya Sanzgiri, Bridget Dahill, Brian Neil Levine, Clay Shields, and Elizabeth M. Belding-Royer. A secure routing protocol for ad hoc networks. Technical Report 01-37, Department of Computer Science, University of Massachusetts, August 2001.
17. Y.-C. Hu, D. B. Johnson, and A.
Perrig. SEAD: Secure efficient distance vector routing for mobile wireless ad hoc networks. In Fourth IEEE Workshop on Mobile Computing Systems and Applications, June 2002.
18. Baruch Awerbuch, David Holmer, Cristina Nita-Rotaru, and Herbert Rubens. An On-Demand Secure Routing Protocol Resilient to Byzantine Failures. In ACM Workshop on Wireless Security (WiSe), Atlanta, Georgia, September 28, 2002.
19. Pietro Michiardi and Refik Molva. Ad hoc networks security. In ST Journal of System Research, Volume 4, March 2003.
20. Pietro Michiardi and Refik Molva. Simulation-based Analysis of Security Exposures in Mobile Ad Hoc Networks. European Wireless Conference, 2002.
21. Yih-Chun Hu, Adrian Perrig, and David B. Johnson. Wormhole Detection in Wireless Ad Hoc Networks. Technical Report TR01-384, Department of Computer Science, Rice University, December 2001.
22. Mike Burmester and Yvo Desmedt. Secure communication in an unknown network using certificates. Advances in Cryptology - Asiacrypt '99, LNCS 1716, Springer, pp. 273-287, 1999.
23. A. Perrig, Y.-C. Hu, and D. B. Johnson. Packet Leashes: A Defense against Wormhole Attacks in Wireless Networks. IEEE Infocom 2003.
24. L. Buttyán and J.-P. Hubaux. Stimulating Cooperation in Self-Organizing Mobile Ad Hoc Networks. Technical Report No. DSC/2001/046, Swiss Federal Institute of Technology, Lausanne, August 2001.
25. Sergio Marti, T. J. Giuli, Kevin Lai, and Mary Baker. Mitigating routing misbehavior in mobile ad hoc networks. In Proceedings of MOBICOM 2000, pp. 255-265, 2000.
26. L. Buttyán and J.-P. Hubaux. Nuglets: a Virtual Currency to Stimulate Cooperation in Self-Organized Mobile Ad Hoc Networks. Technical Report No. DSC/2001.
27. Sonja Buchegger and Jean-Yves Le Boudec. Performance Analysis of the CONFIDANT Protocol: Cooperation Of Nodes - Fairness In Dynamic Ad-hoc NeTworks. In Proceedings of IEEE/ACM Symposium on Mobile Ad Hoc Networking and Computing (MobiHOC), Lausanne, CH, June 2002.
28.
Sonja Buchegger and Jean-Yves Le Boudec. Coping with False Accusations in Misbehavior Reputation Systems for Mobile Ad-hoc Networks. EPFL Technical Report IC/2003/31.
29. P. Michiardi and R. Molva. CORE: A COllaborative REputation mechanism to enforce node cooperation in Mobile Ad Hoc Networks. IFIP Communication and Multimedia Security Conference, 2002.
30. Pietro Michiardi and Refik Molva. Game theoretic analysis of security in mobile ad hoc networks. Research Report RR-02-070, April 2002.
31. H. Yang, X. Meng, and S. Lu. Self-Organized Network-Layer Security in Mobile Ad Hoc Networks. In ACM MOBICOM Wireless Security Workshop (WiSe '02), September 2002.
32. Seung Yi, Prasad Naldurg, and Robin Kravets. A Security-Aware Ad Hoc Routing Protocol for Wireless Networks. The 6th World Multi-Conference on Systemics, Cybernetics and Informatics (SCI 2002), 2002.
33. Vikram Srinivasan, Pavan Nuggehalli, Carla-Fabiana Chiasserini, and Ramesh Rao. Cooperation in Wireless Ad Hoc Networks. In Infocom 2003.
34. S. Capkun, L. Buttyán, and J.-P. Hubaux. Self-Organized Public-Key Management for Mobile Ad Hoc Networks. In ACM International Workshop on Wireless Security, WiSe 2002.
35. M. Reiter and S. Stubblebine. Authentication metric analysis and design. ACM Transactions on Information and System Security, 1999.
36. H. Luo and S. Lu. Ubiquitous and Robust Authentication Services for Ad Hoc Wireless Networks. UCLA-CSD-TR-200030.
37. Srdjan Capkun and Jean-Pierre Hubaux. BISS: Building Secure Routing out of an Incomplete Set of Security Associations. ACM Workshop on Wireless Security (WiSe 2003), San Diego, California, USA, September 19, 2003.
38. Yih-Chun Hu, Adrian Perrig, and David B. Johnson. Efficient Security Mechanisms for Routing Protocols. Proceedings of the Tenth Annual Network and Distributed System Security Symposium (NDSS 2003), ISOC, San Diego, CA, February 2003.
39.
Yih-Chun Hu, Adrian Perrig, and David B. Johnson. Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols. ACM Workshop on Wireless Security (WiSe 2003), San Diego, California, USA, September 19, 2003.
40. Sonja Buchegger and Jean-Yves Le Boudec. Nodes Bearing Grudges: Towards Routing Security, Fairness, and Robustness in Mobile Ad Hoc Networks. In 10th Euromicro Workshop on Parallel, Distributed and Network-based Processing, Canary Islands, Spain, January 2002. IEEE Computer Society.
41. John R. Douceur. The Sybil attack. In Proceedings of the 1st International Workshop on Peer-to-Peer Systems (IPTPS '02), 2002.
42. Sheng Zhong, Jiang Chen, and Yang Richard Yang. Sprite: A Simple, Cheat-proof, Credit-based System for Mobile Ad hoc Networks. In Proceedings of IEEE Infocom '03, San Francisco, CA, April 2003.
43. C. E. Perkins. Ad Hoc Networking. Addison-Wesley, 2000.
44. John Marshall, Vikram Thakur, and Alec Yasinsac. Identifying Flaws in the Secure Routing Protocol. Proceedings of the 22nd International Performance, Computing, and Communications Conference (IPCCC 2003), April 9-11, 2003.
45. John D. Marshall. An Analysis of the Secure Routing Protocol for Mobile Ad Hoc Network Route Discovery: Using Intuitive Reasoning and Formal Verification. Technical Report TR-030502, Florida State University, http://www.cs.fsu.edu/research/reports/TR-030502.pdf