Notes for DIY Mesh Networks

And shut out your government from your community-owned mesh network
This morning I received this link: "How the #Occupy Movement Is Spurring Tech Innovation" and in particular this paragraph stood out for me:
Occupiers are also the most recent activists to take a stab at creating a “mesh network,” or a localized, independent version of the Internet. (It doesn’t use central hubs that can be shut down by governments.) During the Egyptian uprising in early 2011, mesh networks garnered interest as a viable workaround for future Internet blackouts, like the one instated by Hosni Mubarak. The Egyptian experience inspired projects called Open Mesh and Apps for the Apocalypse. And now Occupy has ignited The Free Network Foundation which, like its precursors, aims to harness the momentum of today’s protests to create technological solutions that will serve actions of tomorrow.
Also, in the last week, I have been approached by several people wanting to know if "mesh networks" is the way to go. In all cases I replied "yes, and check out Securing Wireless Mesh Networks (download from mediafire)", which is an excellent starting point that can serve as a bridge to users' understanding of the (security) issues involved in mesh networking.
I'll be more enthusiastic about encouraging thinking outside the box when there's evidence of any thinking going on inside it. ~ Terry Pratchett

Below are my notes made from that document, ranging from general Wireless Mesh Networks (with and without Internet) to vehicular networks, multi-operator WMNs and OpenMesh. The notes are not only excerpts, and contain links to many more useful and interesting reads. Such links lead to directly downloadable documents uploaded on mediafire. There may be more recent interesting documents with new information available. If so, please let me know and I will add them. I will also be scouring OpenMesh material for more information.

Assumptions that may lead to ideas for community-led, community-owned and user-operated networks are bolded.

Preliminaries: Authentication, integrity and confidentiality issues


Avoid, if possible, the use of asymmetric cryptographic operations by mobile clients (MCs). Mobile clients are battery operated and need authentication to be energy efficient, which makes public key primitives unsuitable: they have a high computational overhead and invite DoS attacks. If authentication requires computing or verifying a signature, an adversary can continuously ask the MC to compute or verify signatures, and this attack can drain the client's battery.

Mutual authentication of network nodes (Transit Access Points, TAPs, and Wireless Hot Spots, WHSs) is done at initialisation or re-initialisation (for example after detection of an attack) and during the sending and receiving of a mobile client's packets.

TAPs and WHSs are energy-rich and can use asymmetric key cryptography for initialisation and re-initialisation. We can assume each has a certified public/private key pair assigned by the operator that manages it. A mobile client can use the certified public key of the nearest TAP to authenticate it during session establishment (verifying one signature at session setup is affordable; signing or verifying every packet is not).

Authenticating the nodes while a mobile client's packets are being sent and received is a different matter: the messages travel over multiple hops, and using public key cryptography to authenticate the sender and/or receiver of each and every packet is a heavy process. It is highly inefficient and unsuitable.

Instead, network nodes can rely on symmetric key cryptography, using session keys established during (re-)initialisation or long-term shared keys loaded into the devices beforehand, to compute Message Authentication Codes (MACs) on the packets. For a downstream message, from the Internet to the mobile client, symmetric keys can be established or predefined between each TAP and the WHS and used to compute MACs on the exchanged messages.

Verifying the integrity of exchanged messages can be done end-to-end (by the WHS for upstream messages and by the MC for downstream messages), by each intermediate TAP, or both, by establishing a symmetric key with the MC at session establishment; the MC uses this key to protect the message with a MAC. Because data confidentiality is an issue in all of our cases, the session key material can also be used to encrypt the message; in practice, derive separate encryption and MAC keys from it, or use an authenticated-encryption mode, rather than reusing one raw key for both purposes.

A WHS does not necessarily need to connect to the Internet: when the Internet is blacked out it can act as the management device of a local mesh of TAPs, providing the basic initialisation and security setup.

Note: MACs are usually used to verify the integrity of a message, but they can also be used to authenticate its sender. Assume two parties A and B share a symmetric key k. A generates a message m, uses k to compute a MAC on it and sends both m and the MAC to B. On receipt, B uses k to compute the MAC on m and compares it with the one received; if the two are identical, and given that A and B are the only parties that know k, B can conclude that m was indeed generated by A. This authentication is weaker than the one based on asymmetric cryptography (B could have produced the same MAC, so it proves nothing to a third party, and a compromised B gives away A's key), but it is efficient.
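The per-hop and end-to-end MACs described above, as an added example that is not part of the original notes or of the paper they summarise. It walks one upstream packet along MC -> TAP1 -> TAP2 -> WHS using HMAC-SHA256; the random keys stand in for the key establishment the notes assume, and the path, node names and packet layout are assumptions made for the illustration. The point it makes is the division of labour: the hop MAC stops an outsider who has no keys at the first honest neighbour, while only the end-to-end MAC catches a compromised TAP, which holds its own hop keys and can re-MAC whatever it forwards.

```python
"""Hop-by-hop and end-to-end MACs on a multi-hop mesh path (added example)."""
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 tag length in bytes


def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def setup_keys(path):
    """Keys as the notes describe them: one symmetric key per neighbouring pair
    (set up at (re-)initialisation) and one end-to-end key between the mobile
    client and the WHS (set up at session establishment).  Random keys stand in
    for the real key establishment, which is assumed here."""
    hop_keys = {}
    for a, b in zip(path, path[1:]):
        k = os.urandom(32)
        hop_keys[(a, b)] = hop_keys[(b, a)] = k
    return hop_keys, os.urandom(32)


def make_packet(src, dst, seq, payload, e2e_key):
    # Assumed packet format: header + payload + end-to-end tag.  The sequence
    # number is covered by the tag so that a replayed packet can be detected.
    body = f"{src}>{dst}#{seq}:".encode() + payload
    return body + mac(e2e_key, body)


def send_hop(hop_keys, frm, to, packet):
    return packet + mac(hop_keys[(frm, to)], packet)


def recv_hop(hop_keys, frm, to, frame):
    packet, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    if not hmac.compare_digest(mac(hop_keys[(frm, to)], packet), tag):
        raise ValueError(f"{to}: bad hop MAC on frame from {frm}")
    return packet


def verify_e2e(packet, e2e_key):
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    return hmac.compare_digest(mac(e2e_key, body), tag)


def deliver(path, hop_keys, e2e_key, payload, insider=None, outsider_hop=None):
    """Carry one upstream packet from path[0] to path[-1].

    insider:      name of a compromised TAP that rewrites the payload; it holds
                  its own hop keys, so it can re-MAC the frame for the next hop.
    outsider_hop: index of a hop on which an attacker *without* keys injects a
                  modified frame and has to guess the hop tag.
    Returns (verdict, detail).  This only authenticates; confidentiality would
    need encryption under a separate derived key or an AEAD mode."""
    packet = make_packet(path[0], path[-1], 1, payload, e2e_key)
    for i, (frm, to) in enumerate(zip(path, path[1:])):
        frame = send_hop(hop_keys, frm, to, packet)
        if outsider_hop == i:
            frame = packet.replace(payload, b"FORGED") + os.urandom(TAG_LEN)
        try:
            packet = recv_hop(hop_keys, frm, to, frame)
        except ValueError as err:
            return "dropped", str(err)          # caught by the hop-by-hop MAC
        if to == insider:
            body = packet[:-TAG_LEN].replace(payload, b"TAMPERED")
            packet = body + packet[-TAG_LEN:]   # cannot recompute the e2e tag
    if verify_e2e(packet, e2e_key):
        return "accepted", packet[:-TAG_LEN]
    return "rejected", f"{path[-1]}: end-to-end MAC mismatch"


if __name__ == "__main__":
    PATH = ["MC", "TAP1", "TAP2", "WHS"]
    hk, e2e = setup_keys(PATH)
    print(deliver(PATH, hk, e2e, b"hello"))
    print(deliver(PATH, hk, e2e, b"hello", insider="TAP1"))
    print(deliver(PATH, hk, e2e, b"hello", outsider_hop=1))
```

The honest run is accepted, the insider's rewrite passes every hop check and is rejected only at the WHS, and the outsider's frame is dropped by TAP2 before it travels any further; that is exactly why the notes recommend both layers when the TAPs themselves cannot be trusted.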

Security issues


The security issues are: detection of corrupt TAPs, securing the routing mechanism, defining a proper fairness metric that guarantees a certain level of fairness in the Wireless Mesh Network, securing the MAC (medium access control, not message authentication) protocols, and protecting nodes' location.

Detection of corrupt TAPs


The WHS handles and stores critical cryptographic data, and we are supposed to assume it is physically protected. This is a dangerous assumption: the owner may be an adversary from the start, or may have changed sides for personal benefit. TAPs cannot even be physically protected from removal, tampering or replication by adversaries. Nor does the adversary need to physically capture a TAP: a remote compromise of the device works just as well.

In the case of a brutal attack where a TAP is removed or replaced to modify the network topology to the adversary's benefit, the change can be detected by the WHS or by nearby TAPs.

When an adversary reads the internal state of a captured device without changing it, the attack is much harder to detect. Even a short "absence" of a device can easily be taken for a congestion problem by (security) management routines. Such attacks are very serious: the adversary can analyse the traffic going through the TAP and retrieve its secret data, namely its public/private key pair and the symmetric keys shared with the neighbouring TAPs or with the WHS. This data can then be used to compromise, at least locally, the security of the WMN, especially data confidentiality and integrity and mobile client anonymity.

A possible mitigation is periodic erasure and reprogramming of all TAPs, with fresh keys (otherwise the keys already extracted stay valid); the adversary is then obliged to compromise the device again, and again, and again ...

What if the adversary modifies the internal state of the TAP, such as its configuration parameters or secret data? The purpose of such an attack can be, for example, to modify the routing algorithm at the captured node in order to change the network topology. This attack can be detected by the WHS using a verifier such as the one presented in [SWATT: softWare-based attestation for embedded devices (download from mediafire)].

And what if the adversary clones a captured device and installs replicas at strategically chosen locations in the mesh network, allowing it to inject false data or to disconnect parts of the WMN? This attack can seriously disrupt the routing mechanism, but it can be detected using the mechanism introduced in [Distributed Detection of Node Replication Attacks in Sensor Networks (download from mediafire)].

Secure Multi-hop Routing


A seriously malicious adversary may want to partition the network or to isolate a given TAP or geographic region (only possible if it can determine TAP locations). A rational adversary may want to force the traffic of a given mobile client or region through a TAP it has compromised, in order to monitor it. Another routing attack is to artificially lengthen the routes between the WHS and the TAPs, or between TAPs, which seriously degrades the performance of the network. Such an attack can be considered rational if it is performed against a competitor (or against Occupiers and revolutions in a class war).

Attacks on the routing mechanism can be carried out by tampering with routing messages, modifying the state of one or several TAPs in the network, using replicated nodes, or performing DoS attacks. Except for the first, countering these attacks requires human intervention such as installing or removing TAPs and/or locating and removing jamming devices.

To prevent attacks against the routing messages, the operator can use one of the proposed secure routing protocols for wireless multi-hop networks [A Survey of Secure Wireless Ad Hoc Routing (2006, download from mediafire)] [A Survey on Security Issues in Wireless Ad hoc Network Routing Protocols (2010, download from mediafire)].

If the adversary modifies the state of one or several TAPs in the network, the attack can be detected using [SWATT: softWare-based attestation for embedded devices (download from mediafire)] and the operator can reconfigure the WMN accordingly.
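The attestation check referred to here and in the section on corrupt TAPs above, as an added example; it is not code from the notes, from the SWATT paper, or from any mesh project. The WHS keeps the exact image it flashed onto a TAP, sends a fresh nonce, and the TAP answers with a checksum computed along a nonce-driven pseudo-random walk over its own memory; a TAP whose routing routine has been overwritten produces a different answer. The firmware image, the walk length and the hash-based checksum are assumptions made for the illustration and are a simplified stand-in for SWATT's checksum, not the SWATT algorithm.

```python
"""Challenge-response memory attestation of a TAP (added, simplified example)."""
import hashlib
import hmac
import os


def walk_checksum(memory: bytes, nonce: bytes, steps: int) -> bytes:
    """Checksum of `memory` along a pseudo-random walk seeded by the verifier's
    nonce.  Each next address depends on the running state, so the device can
    neither precompute nor cache the answer.  Simplified stand-in for SWATT's
    checksum, not the SWATT algorithm itself."""
    state = hashlib.sha256(nonce).digest()
    size = len(memory)
    for _ in range(steps):
        addr = int.from_bytes(state[:4], "big") % size
        state = hashlib.sha256(
            state + memory[addr:addr + 1] + addr.to_bytes(4, "big")).digest()
    return state


class Verifier:
    """Runs at the WHS; holds the exact image that was flashed onto the TAP."""

    def __init__(self, expected_image: bytes):
        self.image = expected_image

    def challenge(self) -> bytes:
        return os.urandom(16)  # fresh nonce per attestation round

    def verify(self, nonce: bytes, response: bytes, steps: int) -> bool:
        expected = walk_checksum(self.image, nonce, steps)
        return hmac.compare_digest(expected, response)


class Tap:
    """The device under test; it checksums whatever it actually holds."""

    def __init__(self, image: bytes):
        self.memory = bytearray(image)

    def respond(self, nonce: bytes, steps: int) -> bytes:
        return walk_checksum(bytes(self.memory), nonce, steps)


def attest(verifier: Verifier, tap: Tap, steps: int) -> bool:
    nonce = verifier.challenge()
    return verifier.verify(nonce, tap.respond(nonce, steps), steps)


def constructed_image() -> bytes:
    # Constructed 4 KiB stand-in for a TAP firmware image (assumption).
    return bytes(range(256)) * 16


def demo():
    """Attest a clean TAP and one whose routing code was patched."""
    image = constructed_image()
    steps = 8 * len(image)  # enough steps to touch every byte with high probability
    verifier = Verifier(image)
    clean = Tap(image)
    patched = Tap(image)
    patched.memory[1000:1064] = b"\x90" * 64  # attacker overwrote a routine
    return attest(verifier, clean, steps), attest(verifier, patched, steps)


if __name__ == "__main__":
    print(demo())
```

This shows only the detection logic; what makes SWATT work on real hardware is that the verifier also times the response and the checksum routine is written so that any attempt to redirect reads to a hidden clean copy of the image slows the answer measurably. A compromised TAP that can run arbitrary code without that timing bound could cheat this simulation.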

If the adversary uses replicated nodes, the attack can be detected because the operator will notice that the network topology is not the one it originally deployed; it can then disable the rogue devices or install new ones [Distributed Detection of Node Replication Attacks in Sensor Networks (download from mediafire)].
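A topology audit of the kind this paragraph and the removal and replication paragraphs in the corrupt-TAP section describe, as an added example that is not from the notes, from the referenced paper or from any mesh project. The WHS compares one round of neighbour reports against the planned deployment and flags TAPs that went silent, ids that were never deployed, one id reporting from two places farther apart than the radio range (a clone), and links that differ from the plan. The deployment, positions, radio range and the reporting round are constructed for the illustration; the referenced paper does this in a distributed way with randomly chosen witness nodes, which is not reproduced here.

```python
"""Topology audit at the WHS: absent, unknown and replicated TAPs (added example)."""
import math

RADIO_RANGE = 100.0  # metres; assumed radio range used to derive the planned links

# Constructed deployment: TAP id -> (x, y) position in metres.
DEPLOYED = {"TAP1": (0, 0), "TAP2": (80, 0), "TAP3": (160, 0), "TAP4": (80, 80)}


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


def expected_neighbours(deployed, radio_range=RADIO_RANGE):
    """Links the operator expects, derived from the planned positions."""
    return {n: {m for m in deployed
                if m != n and dist(deployed[n], deployed[m]) <= radio_range}
            for n in deployed}


def audit(deployed, reports, radio_range=RADIO_RANGE):
    """reports: (tap_id, claimed_position, observed_neighbour_ids) tuples, as
    collected by the WHS in one reporting round (assumed MAC-protected, see the
    authentication section; an unauthenticated report could be forged).

    absent:            deployed TAP that sent nothing (removed, dead or jammed)
    unknown:           report from an id that was never deployed
    replica:           one id reporting from two places farther apart than the
                       radio range, i.e. a cloned device
    topology_changed:  observed links differ from the planned ones"""
    expected = expected_neighbours(deployed, radio_range)
    findings = {"unknown": set(), "replica": set(), "topology_changed": set()}
    positions = {}
    for tap, pos, nbrs in reports:
        if tap not in deployed:
            findings["unknown"].add(tap)
            continue
        if any(dist(pos, seen) > radio_range for seen in positions.get(tap, [])):
            findings["replica"].add(tap)
        positions.setdefault(tap, []).append(pos)
        if set(nbrs) != expected[tap]:
            findings["topology_changed"].add(tap)
    findings["absent"] = set(deployed) - set(positions)
    return {k: sorted(v) for k, v in findings.items()}


def constructed_round():
    """Constructed reporting round: TAP3 is silent, TAP2 has been cloned at
    (300, 300) next to a rogue device TAP9 that was never deployed."""
    return [
        ("TAP1", (0, 0), {"TAP2"}),
        ("TAP2", (80, 0), {"TAP1", "TAP3", "TAP4"}),
        ("TAP4", (80, 80), {"TAP2"}),
        ("TAP2", (300, 300), {"TAP9"}),
        ("TAP9", (300, 300), {"TAP2"}),
    ]


if __name__ == "__main__":
    for kind, taps in audit(DEPLOYED, constructed_round()).items():
        print(f"{kind:17s} {taps}")
```

Whether a silent TAP was removed, crashed or merely jammed cannot be told from this audit alone; that is where the jamming detection below and a site visit come in.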

Finally, DoS attacks are a simple and effective way to attack routing. They are very harmful because they are easy to perpetrate and cannot be prevented by cryptographic means: the adversary can jam the communications between the TAPs in a given area and force a reconfiguration of the network. To deal with this, the operator has to identify the source of the disturbance [The Feasibility of Launching and Detecting Jamming Attacks in Wireless Networks (download from mediafire)] and, if possible, disable it.
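A signal-strength consistency check of the kind the referenced jamming paper proposes, as an added example that is not from the notes or from that paper's code. A TAP keeps, per neighbour, the sequence numbers and received signal strength of the frames that arrive in a window: frames that arrive strong but rarely are inconsistent with normal radio behaviour and point to jamming, while frames that arrive weak and rarely are simply a poor link. The window size, thresholds and sample readings are assumptions constructed for the illustration; the paper's complementary location-based check for a neighbour that goes completely silent is not implemented.

```python
"""Jamming vs. poor-link classification from per-neighbour samples (added example)."""

WINDOW = 100       # frames each neighbour should have sent in the window (assumed)
PDR_FLOOR = 0.6    # below this the link is considered broken (assumed threshold)
STRONG_DBM = -70   # at or above this the neighbour is clearly in range (assumed)


def packet_delivery_ratio(received_seqs, window=WINDOW):
    """Fraction of the expected sequence numbers 0..window-1 actually received."""
    expected = set(range(window))
    return len(expected & set(received_seqs)) / window


def classify(pdr, mean_rssi_dbm, pdr_floor=PDR_FLOOR, strong_dbm=STRONG_DBM):
    """Signal-strength consistency check: low delivery from a neighbour whose
    frames still arrive strong cannot be explained by distance or obstruction."""
    if pdr >= pdr_floor:
        return "normal"
    if mean_rssi_dbm >= strong_dbm:
        return "jammed"
    return "poor_link"


def assess(samples):
    """samples: neighbour -> list of (seq, rssi_dbm) for frames received in the
    window.  Returns neighbour -> (pdr, verdict)."""
    verdicts = {}
    for nbr, frames in samples.items():
        if not frames:
            # Nothing to measure RSSI against; needs the location-based check
            # (or the topology audit) to tell jammed from removed.
            verdicts[nbr] = (0.0, "silent")
            continue
        pdr = packet_delivery_ratio([seq for seq, _ in frames])
        rssi = sum(r for _, r in frames) / len(frames)
        verdicts[nbr] = (pdr, classify(pdr, rssi))
    return verdicts


def constructed_samples():
    """Constructed readings at one TAP for four neighbours over one window."""
    return {
        "TAP2": [(i, -55) for i in range(WINDOW) if i % 20 != 0],  # 95 %, strong
        "TAP3": [(i, -88) for i in range(0, WINDOW, 3)],           # 34 %, weak
        "TAP4": [(i, -50) for i in range(0, WINDOW, 5)],           # 20 %, strong
        "TAP5": [],                                                # nothing at all
    }


if __name__ == "__main__":
    for nbr, (pdr, verdict) in assess(constructed_samples()).items():
        print(f"{nbr}: pdr={pdr:.2f} {verdict}")
```

A jammed area shows this pattern on several TAPs at once; correlating the verdicts from neighbouring TAPs at the WHS is what narrows down where the disturbance comes from.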

Fairness


Bandwidth sharing should be fair per client, because the purpose of a mesh network is to offer a service (typically Internet or local mesh connectivity) to mobile clients. In the case of Internet connectivity, getting the word out to the rest of the world about what is happening, fairness is closely related to the number of hops between a TAP and the WHS: if an adversary manages to increase the number of hops between a given TAP and the WHS, it can decrease that TAP's bandwidth share dramatically.

A possible countermeasure is periodic reconfiguration of the WMN: if the WHS and the TAPs are static, the operator can define, based on the traffic in the WMN, the optimal configuration of the network, force the TAPs' routes to the optimal ones, and then use the scheduling presented in [A Fair Scheduling for Wireless Mesh Networks (download from mediafire)] to ensure per-client fairness and optimise bandwidth utilisation in the WMN.

Vehicular Networks


Vehicular networks are a special case of WMNs consisting of mobile TAPs and roadside WHSs. The range of applications is wide: from safety-related applications such as reporting important events (police massing, a protest, flash-mob coordination through cooperative moves, diverting a protest around a police blockade) to voting, instant fund raising, anonymous electronic money transfers and location-based crowd-sourcing of resources.

Vehicular networks introduce specific requirements, such as secure and accurate positioning information and real-time constraints (reports of important events must not be delayed). In addition, node mobility makes the definition and implementation of some (distributed) network operations more delicate, in particular secure routing and fairness. And, as each car belongs to a different person who may act selfishly and tamper with the embedded devices, protecting these devices becomes an important issue. Responses to some of these new challenges are presented in [The Security of Vehicular Ad Hoc Networks (download from mediafire)].

Multi-operator WMNs


Now we're finally getting somewhere in terms of decentralisation!

A mesh network can also be a set of wireless devices belonging to different networks and controlled by different operators. These devices can be as varied as access points, base stations, laptops, vehicular nodes or mobile phones, and their aggregation leads to an unplanned mesh network with interesting properties [Architecture and evaluation of an Unplanned 802.11b Mesh Network (download from mediafire)].

This allows easy, fast and inexpensive network deployment. Ensuring security, however, is even more delicate when several operators coexist in the network, as when every user is an operator in a truly distributed mesh. To the security challenges already mentioned one has to add the mutual authentication of nodes belonging to different "operating/user domains" and the application of a different policy per domain (which further complicates fairness).

And we can think outside the box


OpenMesh: Take away the wires and routes and we will still communicate


On January 25, 2011, when the Egyptian government decided to block the entire Internet, OpenMesh came to life.

OpenMeshProject.org has tasked itself with developing the best open source technologies, while simultaneously partnering with existing technologies, to create a private, citizen-owned communications infrastructure.

We will maintain a community around the Open Source Mesh Standard, and drive for solutions to address our future communications needs in this new age of electronic munitions. Our mandate is to provide a two-click mesh installation on any device, anywhere in the world, to connect citizens irrespective of national boundaries.

Our purpose is to provide open and free communications to all people at all times.

We need information and community-led solutions. If you have an idea, a technology or a skill that can help OpenMeshProject.org achieve its aims then we want to hear from you.

We are particularly looking for wireless firmware experts, coders and companies who develop wireless equipment, both hardware and software. Ultimately we need the brightest and best engineers in the world to make themselves known.

Get involved.

The Free Network Foundation


What We're Doing
  • We envision communications infrastructure that is owned and operated cooperatively, by the whole of humanity, rather than by corporations and states.
  • We are using the power of peer-to-peer technologies to create a global network which is immune to censorship and resistant to breakdown.
  • We promote freedoms, support innovations and advocate technologies that enhance and enable digital self-determination.
How To Help
  1. Tell your friends. We refuse to use unfree forms of social media, and so it is of critical importance that you spread the word. Many of us are working hard to bring about open alternatives to Facebook and Twitter, but in the mean time, you can use them to help the FNF by posting a link to our site.
  2. Sign up for our e-mail list, by submitting your information on the website (see link below). This is our primary mode of communication, collaboration, and exchange. Come join the conversation.
  3. Make a cash donation, by clicking ‘Donate,’ on the right side of the page. The FNF is supported completely by crowdsourcing. That means a lot of small donations from people like you. Money goes to pay for webhosting and development machines.
Join the Movement
