Upload
others
View
1
Download
0
Embed Size (px)
Citation preview
PACKETRADIO
NETWORKS
Architectures Protocols Technologies
and Applications
CIIIt\
\UU
\
I1JJJjIJ1I\U
Brownrigg
Peroamnn Press
Page 000001 Mercedes-Benz USA, LLC, Petitioner - Ex. 1008
Packet Radio Networks
Architectures Protocols Tech nologies
and Applications
Page 000002
Mi1fti LLth
Packet Radio Networks
Architectures Protocols Technologies
and Applications
CLIFFORD LYNCH
and
EDWIN BROWNRIGGDivision of Library Automation
Office of the President and Universitywide Services
University of California Berkeley California 94720
PERGAMON PRESSOXFORD NEW YORK- BEIJING- FRANKFURT
SAO PAULO SYDNEY TOKYO TORONTO
Page 000003
U.K
U.S.A
PEOPLES REPUBLICOF CHINA
FEDERAL REPUBLICOF GERMANY
BRAZIL
AUSTRALIA
JAPAN
CANADA
Pergamon Press Headington Hill Hall
Oxford 0X3 OBW England
Pergamon Press Maxwell House Fairview Park
Elmsford New York 10523 U.S.A
Pergamon Press Room 4037 Oianmen Hotel Beijing
Peoples Republic of China
Pergamon Press Hammerweg6242 Kronberg Federal Republic of Germany
Pergamon Editora Rua Eça de Oueiros 346CEP 04011 Paraiso Sao Paulo Brazil
Pergamon Press Australia P.O Box 544Potts Point SW 2011 Australia
Pergamon Press bth floor Matsuoka Lentral BuidirgNishishinjuku Shinluku ku Tokyo 160 Japan
Pergamon Press Canada Suite No 271253 College Street Toronto Ontario Canada M5T iRS
Copyright 1987 Lynch and Brownrigg
All Rights Reserved No part of this publication may be
reproduced stored in retrieval system or transmittedin any form or by any means electronic electrostatic
magnetic tape mechanical photocopying recording or
otheiwise without permission in writing from the
publishers
First edition 19B7
Library of Congress Cataloging in Publication Data
Lynch Clifford
Packet radio networks
BibliographyIncludes index
Radio Packet transmission BrownriggEdwin Blake 1946 II Title
TK6562.P32L96 1987 004.6 87 25B74
British Library Cataloguing in Publication Data
Lynch Clifford
Packet radio networks architectures
protocols technologies and applications
Packet switching Data transmissionl
Radio
Title II Brownrigg Edwin
004.66 TKS1O5
ISBN 08035913
Printed in Great Britain by Wheaton Co Ltd Exeter
Page 000004
Txitroduction Xi
The project was intended to take about six to nine months in
fact the report continued to expand and was not completed until
early 1986 somewhat revised version of this report updated to
reflect developments through late 1986 forms the core of this book
The book is divided into two parts with total of nine chapters
Part Packet Radio Systems contains Chapters and The
first chapter entitled System Requirements provides taxonomyof packet radio systems and describes three model systems including
their performance requiremcnts for further study These three sample
configurations were the focus of the Univrsity of California IBM
joint study They include low-speed terminal-oriented local area
network much like the one we had originally hoped to build with the
TNC boards in 1983 high speed local area network intended to
connect computers and fast peripherals in much the same spirit as
cable-based Ethernet and wide-area packet radio system with
repeaters which grew out of the developments that have taken place
in military as well as amateur packet radio technology This first
chapter is adapted in part from discussion draft entitled SystemRequirements for Library Automation Packet Radio Networks by
Clifford Lynch which was submitted to IBM in October 1984
The second chapter entitled System Design Considerations
discusses the components of packet radio system radios digital
hardware software and interfaces to terminals or computers One of
the most important parts of this chapter is the definition of logical
interface between the radio part of packet radio and the digital
control component We believe that the lack of any standardization
in such an interface has been significant factor in causing the
development of packet radio especially high-performance oneto become major undertaking since custom engineering is required
Finally this chapter details the system design considerations for the
three models described in Chapter using these components as
building blocks As part of the discussion of system design we explore
the differences between the first two configurationsa packet radio
network that uses terminal access controller TAC and local area
distributed computingin light of the trend to replace terminals with
personal computers This discussion leads us to consider how the TACconfiguration might gracefully evolve into local area network and the
implications of operating in hybrid environment during transition
Page 000005
Packet Radio Networks
tcchnician to rr anually orient an antenna on the ncn or resited node
In contrast one can envision totally adaptive and self organizing
rtwork in shich new packet radio could announce its presence to
the nctwork and electronically adjust its own antenna human inter
enton might only be required to authorize the nctwork address Anadaptive system such as this which rninirnizcd rnaiiagcmcnt problemswould be extremely desirable in library automation applications It
could employ some of the self organizing techniques used in mobile
packet radio ystems but the application of these techniques would
be simplified since the performance requirements uould be far less
stringent For example transient anoma1ies in dynamic routing would
not he major problem if they settlcd down within short period
hccause the topology is more or less fixed This would be unacceptable
in military rnvironment where packet radio in supersonic
aircraft could enter travel through and leave packet radio network
sithin very fess minutes
Unifornñty of Nodes
One of the key issues in designing packet radio system is whether
the system is composed of homogeneous or heterogcneous components For cxamnple are all nodes functionally equivalent as in
peer to pccr computer to computer network Or is the twork
primarily intcnded to connect population of terminals to one or
more hosts perhaps through specialized base stations If the system
es peaters can any node act as repeatc or are repeaters built
from specialized hardssare These questions are intimately related
to the intended application of the netsork hybrid approach to
this issue is often cost effcctie In hybrid sy stern both terminals
and cormiputers would partiipate in the netaork but the connections
hetwccn computers would be different from those bctwecn computers
and terminals
Although connecting hosts to terminals is the primary problem
today in library autoirmation in the longer run the focus will probably
be on the interconnection of large numbers ofcornputers both because
of the proliferation of different comnputcr based automation services
and because of the spreading use of the personal computerand Brown rigg 1984 Therefore we propose that system composedof interconnected computers some of shich may be small personal
Page 000006
Sys tern qnireinents
computers or irnilar dcvices is the st niodel for packct radio
stem for library automat ion rIc conner tion between terminal and
lost could be handlcd cparately by Terminal cccss Cc nroller
IA hk would act olely as point of entry to the par ket radio
ctwork for popul ion of dumb terminals Links 4we the TACand the tern inals it sc could he tebli cithc by radio or by
shIes
horn nnagemnc nt point of siew of course homnogcneou
fully distributed network is ry attractive it si inplifles netss ork
onfiguration pee ially as this cvolsc over time reduces inventory
for spare parts and largely eliminates single points of failure facili
tating the construction of robust nctwork The major justification
for devc loping hcterogeneous ne twork of specialized components is
ually ccorcrsic rather than technical
One-Hop Full Broadcast vs Multihop
Semuibroadcast Topologies
rrhere are two major configurations for packet radio systems when one
considers routing and network issues In the full broadcast or one-
hop model each terminal can hear transmissions from all other
terminals in the network In the multihop or semibroadcast model
some nodes function as repeaters on specialized basis or in addition
to other functions and packets have to be retransmitted or repeated
in order to pass from their source to their ultimate destination within
the network
In networks that use base station another common configu
ration is sort of extended full broadcast netvork in which all
terminals can receive all transmissions from the base station and the
base station can receive transmissions from all terminals but there is
no guarantee that one terminal can receive anothers transmission
rrhe choice of full broadcast vs multihop network is largely
forced by the geographic spread of the network and the transmitter
power and recciver sensitivity of the radios involved Transmitter
power in turn has regulatory implications The radio propagation
environment within which the network operates also plays role
At many commonly used frequency ranges no amount of trans
mitter power can extend the range of transmitter much beyond
Page 000007
System RequIrements 17
Other General Issues in the Design of
Packet Switching Systems
There are number of classic and well-debated issues related to packet
switching systems in gcneral and hence to packet radio systems in
particular These include the advantages of connection-oriented e.gbirtual circuit vs connectionless e.g datagram systems and the
way in which routing is done fixed perhaps with alternate routes
with virtual-circuit setup in virtual circ uit network or on packet-
by-packet basis in datagrain network Many of the issues raised are
philosophical in natuie and persuasive arguments can be given on all
sides With this perspective we will state some of our biases
We believe that library automation systems should be oriented
toward datagrams rather than virtual circuits First of all virtual
circuits can be built from datagrains if desired through protocols
such as TCP or the NBS Class transport protocol but not vice versa
except with rather high overhead Moreover evidence indicates that
datagrams form better basis for the construction of distributed
computing systems than do virtual circuits consider the Xerox
Internet Architecture and related protocols et al i980J the
Cambridge Ring distributed computing environment Needham and
Herbert 1982 and the DARPA Internet Finally on pzactkal
basis the University of California internet like most network in
universities is based on TCP/IP and any packet radio twork
for library automation will have to interoperate smoothly with
networks
We also believe that routing should be fully adaptive on packet-
by-packet basis where relevant recall that there is no routing in
full broadcast network This minimizes administrative problems and
maximizes the robustness of the network although the design will be
more complex
System Configurations
On the basis of the considerations discussed above we have identified
three packet radio network environments for further study and refine
inent These represent three extreme cases as far as engineering is
concerned and we believe great deal of insight may be gained from
Page 000008
40 Packet Radio Networks
only single packet outstanding at time rathcr than one to cach
Ic tination probler is with single tciminal node could seriously
grade the performance of the entire nctwork
Since the end to uP protocol in the crminal gc ncrate3 an nd to
end acknowledgment ipon receipt of data at the tcrrninal bandwidth
cr be rcduccd by adding snaIl dclay in the rcceiving packet radio
unit before an acknowledgmcnt is gc nerated and then using piggyback
acknowlcdgments Ihu only ore packet containing both the local
icknowledgnent with the packct radio etwork and the end to end
lrowlc dgrnrnt that will pass through tie gateway packaged in the
base station necds to be generated
High-Speed Loa1 Area Packet Radio Network
In contrast to the packet radio TAC model terminal interface units
are unncce sary in the high speed local area packet radio nctwork
The hosts on this network are sufficiently intelligent to send and
receive packets directly from the digital control component of the
packet radio no terminal interface unit is needed
Since the topology of this network is assumed to be full broadcast
with no hidden terminals the introduction of hidden terminals is
discussed below routing is not an issue In addition the radios can
be relatively unsophisticated in the sense that directional bias and
signal strength control are unnecessary However the radios must
operate at high speeds and some radio parameters notably key-up
time become critical see below
The Channel Access Protocol
The basic channel access protocol for this network should be CSMArro keep delay time to minimum one of the persistent variants of
CSMA should be used Although the more persistent versions of
CSMA give lower delay times than do the nonpersistent versions they
are also more sensitive to overload and their throughput degrades
more quickly in the face of heavy traffic In other words the optimal
offered traffic load supported by persistent forms of CSMA is lower
than that for nonpersistent CSMA when this load is exceeded delay
time increases and throughput degrades rapidly
Page 000009
Security and Authentication 63
Obtaining legal protection against active attack may be partic
ularly difficult for local area systems that are operating without
license under the low-power prov-ions of the FCC rules If an attacker
who is not on the same premises as the packet radio network can
interfere with the system by jamming or by trdnsmitting packets
that the packet radio system ca rcceive it is not cntirely clear that
the attacker is violating any law other than perhaps general laws
dealing with fraud or theft of service If however the attacker
brings transmitter onto the prenuses where the packet radio system
is operating the system operator may be able to expel the attacker
or apply trespass laws
Thus from practical point of view it is desirable for packet
radio network to use built in technological means to protcct itself
from eavcsdropping and attack because the machinery of law and
law enforcenicnt are so difficult to bring to bear to control attacks
It is important here to distingui betueen fraud and thcft which
essentially opcrate within the sy tem and thus can be dcfended
against within the system and attacks such as jamming that attempt
simply to disrupt the operation of the sy tem Defending against
this latter group of threats takcs the system dcsigner into the ter
ritory of military communications systems whir are designed to
survive and operate in the face of determined hostile ECM electronic
countermeasures in an electronic warfare environment kIt bough the
LCCM electronic counter countermeasure techniques used in typical
military ss stems to counter disrupting attacks may be appropriate
for an electronic battlcfleld they would be poorly received as part
of civilian networks which are regulated by the FCC and share the
electromagnetic spectrum with variety of other users An exception
might be low power local area networks Consequently we conclude
that nonmilitary packet radio systems will be somewhat vulnerable
to malicious disruption such as jamming from technologically so
phisticated adversaries and that they must rely on laws and law
enforcement rather than on military-style ECCM techniques to defend
against such attacks however undesirable this state of affairs may be
Security Threats and Countermeasures
This section discusses the various security threats that packet radio
network faces subsequent sections will discuss the rclatcd problem of
Page 000010
64 Packet Radio Networks
authentication and some of the irnplcrnentation considerations for the
countcrrneasures described in this lion
We can make nurnbcr of assumptions about the tools and the
degrre of knowledge available to potential attacker It is rca onable
to assume that the potential attackcr p0 cs packct radio and
knowledge cf boss the systcm ssoiks rpo bc con rvative onc should
further assumc that the pote tial opponent can examine and replace
the contents of ROMs and PRO\4s ssithin the packet radio and
can modify the hardssare in thc packet radio desice or cven build
customind equipment to substitute for star dard packet radio node
These assumptions may hold true only for sophistic ated opponent
hosscer Propcr design of the packet radio unit as we will show later
can preclude certain types of casual attadcs by an opponent who is
not prepared for example to create new packet radio PROMs
One illustration of the importance of gauging the sophistication
of the threat can be seen in the recent generation of police radios that
use encryption to protect voice channels from eavesdropping see for
example 1985 police radio that is lost or captured can
be disabled remotely from control station via special encoded
channel Once disabled the radio must be physically brought in to
the maintenance site to be reenabled if it is subsequently recovered
If one assumes that the opponent is relatively unsophisticated this is
scry effective Ilownser technically sophisticated attacker could
not only reenable captured radio by replicating the operations
done at the maintenance site but could also attack the system by
simulating the self destruct signal to which all radios in the system
are designed to respond Thus the system is made more secure in the
face of an unsophisticated opponent but at the price of adding new
vulnerabilities that sophisticated attacker could exploit
Passive Threats
Eavesdropping
The most blatant threat to security is unauthorized interception of
data traffic Interception is particularly easy in an unsecured packet
radio network just as it is in an Ethernct 411 sorts of data are
Page 000011
Security and Authentication 65
available for the taking including files mail and passwords transmit
ted as part of logon sequences Merely eliminating the promiscuous
reception mode from the packet radio node is of limited use This maymake it more difficult for casual easesdropper to browse through
traffic passing over the netssork but it will not help if the attacker is
prc pared to build cu tomnized receiver or to alter the programmingin an existing node The solution of course is encrypt data passing
over the network However even though encryption is concptually
simple it presents number of difficult technical problems Should
it be done at the link level or end to end How should session keys
be distributed What algorithms should be used We will examine
these questions in subsequent sections
Traffic Analysis
Even if data traffic proper is encrypted an attacker can still analyze
traffic patterns i.e who is sending how many packets to whom if
packet source and destination addresses are sent in clear text For
military applications this threat is generally considered to be quite
serious since there is long tradition of using traffic analysis as
source of intelligence For comiriercial applications its importance
varies substantially It may be difficult to prevent unauthorized traffic
analysis because all nodes must be able to decrypt all encrypted
source and destination addresses The encryption/decryption keys
and algoiithrns thus must be known globally throughout the networkand anyone with access to packet radio in the system can be
presumed to have access to the codes
If traffic analysis is considered serious threat the best one can do
is encrypt all packet addresses and use network wide key preferably
with frequent key changes This will prevcnt external analysis of
traffic patterns since an opponent will need the key If radio is
captuxed ui wiiipruniised new can be distributed tu each radio
in the network except the captured node via some channel external
to the network or through public key system in order to resecure
the network This approach of course assumes that the network
ecurity center rcalizes that node has becn compromised or captured
Moreover it is only reactive measure to control the extent of
security breach
Page 000012
66 Packet Radio Networks
Another source of vulnerability to traffic analysis may be sig
nificant for high sccurity netsorks If the netssork uses rcpcaters
systematic extcrnal monitoring of packets in the vic inity of each radio
will provide an attacker with useful hints about the correspondence
bctucen cncryptd addrcsscs and actual nodes To defcnd against
thc intru ions it will be neces ary to change the key cd to cncrypt
addresscs frequently perhaps using public key cry ptosy tent with
distribution of keys to cach node and to generate dummy traffic to
confusc cxternal listeners The dummy traffic ssill create cxtra channel
loading and degrade performance
Note that thcre relationship betwecn the sophistication of
outing algorithms and sulnerability to external traffic analysis If
se sume that oue ruajor riterion for good rontiug algorithm is
that it minimizes the number of nodes that must receive process
amid retransmit packet by definition such routing algorithm has
greatly simplified the task of external traffic analysis In cases in
which the system designer is willing to trade perforruance for security
simple routing schemes that use flooding techniques provide some
protection from traffic analysis In these schemes each packet is
initially transmitted with repeat count that is set to value
slightly higher than the radius of the network i.e the maximumnumber of repeater hops necessary for data to pass from any node in
the network to any other node Each node keeps cache of recently
transmitted packets and on receiving new packet it decreases the
repeat count by one if the repeat count bccomes zero the packet is
discarded If the decreased repeat count is nonzero the node scans its
cache to make sure that it has not already received and retransmitted
this packet if it has already seen the packet it discards the new
copy Otherwise the node simply broadcasts the packet and places it
in its local cache
From the point of view of security the beauty of this scheme
is that intcrvcning repcaters do not need to know the addresses of
other nodes in the network The address by which node is known
is private matter between the packet originator arid the recipient
Nodes can even be known by many different names to other nodes
in order to confuse the traffic analyst and the names by which
node is known need not be stored in all other nodes throughout the
network
Page 000013
Security and Authentication 67
For networks with very high security requirements one could
design packet radio nodes that do not upport promiscuous modethat use global encryption key for all netssork addresscs and that
store this key in volatile mcmory which will he erased automatically
any attempt is made opcn the scaled unit containing the packet
radio node In all likelihood one would want such sealcd secure
packet radio to rnect TEMPEST spccifications on signal emissions
as nell lest an attacker gain information by monitoring low power
radiation from intermediate frcq iency IF or digital components In
csscnce this approach amounts to building secure trusted and
tamper proof packet radio Engineering such device would be
difficult and the cc tilting unit nould be cumbersome and expensive
In addition it is hard to place much confidence in tamper proof
cngineerng dc er attacker might still be able to gain access to
the internal coinponcnts of the radio without triggering the automatic
erasure mechanism for keys and other data stored within the unit
Radio Emissions
Many computing and other electronic devices emit radio waves that
can be analyzed with appropriate equipment The TEMPEST stan
dard defines shielding levels that protect against this type of attack
Although packet radio node dcsigned for commercial use maybe vulnerable to such an attack in gencral this is currently not
rriajor ssorry for sy stc ms that are limited to conirnercial applications
however conccrn about this area of vulnerability scems to be gross
ing Since designing system to meet TEMPEST specifications is
primarily an issue of detailed engineering and packaging sse will not
discuss this further here other than to note that the vulnerability
exists and that the enginecring problems involsed may be difficult
and expensive to resolve
Active Threats
Masquerading
node can generate packets with false source address and thus
pretend to be another node in network This problem involves two
Page 000014
68 Packet Radio Networks
issues the first being initial authentication When one node say
wishes to establish communications with auother node say an
authentication process must occur in order for cach node to establish
that the other node really is what it claims to be The authentication
process is typically complex and expensive it is discussed in detail
later
Once nodes arid have established each others credentials
to their mutual satisfaction second issue arUes Each node over
period of time will gcnerate nuruber of packets to the other node
fast low overhcad method is needed to ensure that once the identity
of has been established by subsequent packets arriving from
have really come from and have not been introduced by some
other node pretending to be node If we assume that as part of
the authentication process nodes and have exchanged session
encryption keys or perhaps more appropriately keys valid for
limited period of time in sccure fashion either through public key
cryptosystem or through private keys with an authentication process
and key servers several approaches to this problem are po sible
The simplest approach is to use header constant as part of
the data encrypted under the session key If after decryption the
hcader constant appears the packet is prc umed to be from the correct
source For this to work data must he cncrypted in such way that
this header cannot be extracted in alrcady encrypted form from
transnii ion that is overheard by the attacker and then appended to
false message rihis protection can be provided in several ways by
using chained mode of encryption in which the decryption of each
few bytes of data depends on correct receipt of all of the previous bytes
where chaining occurs across messages not just within individual
data segments by placing the header constant at the end of each
segment and using chaining technique only within the segment
or hy replacing the header constant with sequence number that
is incremented for each segment sent thus caucing the signatureconstant to change for each block This last technique is the most
effective it also solves the spooling problem discussed below Using
chaining within blocks to encrypt constant is cryptographically
sseak and will not prcsent spoofing Continuous chaining is feasible
but leads to difficult resynchronization problems when segment is
lost
Page 000015
Security and Authentication 69
special ca of masquerading will illustrate how vulnerable to
attack pack radio system can be An intruder can masquerade not
nIy as randorri nodc but al as node that fumu tions as server
in particular an attaker might ma querade as an authentication
vcr in kc radio twork Thus all sc cur itv mcasurc dc igrrcd
into odc rrrt trcat any communication with re note node with
grc at suspicion Mary sccurity schcme- such as that nscd in the
Xcrox XNS protocols urne the prc encc of priviliged or trusted
processcs This may be dubious practicc in broadcast network
uch an Ethernet but it is an insitation to disaster in the even
rore kmnnnding environment of packet radio network
Spuvfing
kn attacker could record transmissions from the network and replay
them into the nctwork at omne later time If the recorded transmis
ions were encrypted data the regenerated transmissions might also
appear to the network as correctly encrypted data The sequencing
mechanisnis discussed above will deal with attempted spoofs into the
middle of an active session Spoofing of an authentication handshake
can be prevented by having the participants introduce some random
data perhaps based on time stamp into each handshake exchangethus making each one unique This is discussed further below
Jairuning
Radio frequencies can obviously be jammed Partial jamming acts
like random interference and the same mechanisms that handle such
interference can be used to attempt to overcome the jamming Total
jamming can be circurnented only by spread spectrum techniques
These techniques require the jarnmer to inest much more power by
evcral orders of magnitude to jam the network than the transmit
ters need to send packets over the network successfully It is possible
to develop routing algorithms that reorganize wide area network
to circumvent localized jamming Ephremides 1983 In general
however there is little defense against determined jamming in
nonmilitary environment other than the standard legal and regulatory
recourses
Page 000016
70 Packet Radio Nctworks
Delibeiately Overloading The Network
node that ignores flow control and pacing techniques in standard
channel access piotocols and continues to insert packcts into the
network as quickly poccible can flood the n1work oxerlnad the
channel and sssarnp the othcr nodes in the nctwork This can
happcn accidentally as scll as delihcratcly ii nodc or the client
host attached to node malfunctions
As one approach to this problem the packet radio nodes could
he built in such say that they did not transmit more than
fixed number of packets per unit of time into the nctwork Two
regulators would probably bc needed one to control the rate of
packets introduced in burst perhaps over period of one minute
and one to control the average rate of packet introdm tion over longer
period say 15 or 30 minutes The limitation of such mechanism is
that cleser opponent might disable it
As second approach control channel could be used to tell
all nodes to ignore traffic from given source address Howeverthis approach also introduces another point of vulnerability since an
attacker could attempt to order the nodes in the network to ignore
legitimate traffic Furthermore although it would control flooding
of the entire network it would not prcvent saturation of specific
mnultiaccess channel It only provides quarantinc measure to prevent
the flood from spreading
The best approach mc ight be to include logic to rcgulate traffic
rate in the receiers If the traffic rate from given source exceeded
some thrcshold rate other nodes would assume that the node had
gone rogue and ignore all subsequent traffic from it for some
period of time most importantly they would not repeat it The
regulatory mechanism would have to be designed at such level that
masquerading would first be filtered out by the kind of cryptographic
checks discussed above Otherwise this approach would provide
mechanism that an attacker could use to block traffic from legitimate
nodes If regulator logic is built into the receivers in network an
attempt to oerload the network will function like localized jamming
once it is dctected since the renegade nodes impact is limited to tying
up the radio channel in its immediate vicinity and the other nodes
that can hear it with high demands to examine and discard packets
Page 000017
Security and Authentication 71
One of the most useful lines of defense against nodes accidentally
or deliberately trying to overload the network is some means of
rporting the situation to rntwork control nodes Tins solution at
least allows the situation to be identified and perhaps corrected
administratively or through legal channels Ifoever once again
node could gencrate purious reports of attempted masquerading
attempted network overloadii and the like to the network control
center these reports therefore must he accompanied by authentica
tion themselves othci vise this approach merely provides one more
opportunity for the attackcr to generate confusion
Causing Deliber3te Malfunctions in the Network Protocols
Along with overloading number of othcr deliberate or accidental
malfunctions can create problems Among these are ruisreporting
of connection or ronting information acknowledging packets but not
forwarding them and misexecuting collision resolution algorithms
see Chapter 4Managing Overload These probleIns are difficult
to handle In addition most networks are extremely sensitive to
the introduction of incorrect routing information For example the
DARPA gateway system has crashed several times after gateways
failed and introduced falacious routing information into the internet
The program in the Interface Message Processors IMPs the packet
svvitches of the backbone ARPANET has also proven vulnerable to
bad data Rosen 1981 All networks that we know of require at least
ome trusted nodes that are considered reliable for supplying correct
routing data See Meketon and Topkis 1983 for an analysis of the
sensitivity of some routing algorithms to bad data
Ilere again there are several lines of defense The first is
good set of tracing and problem reporting tools that can isolate
the offending nodes and perhaps tell the other nodes to ignore the
offending nodes knother is good prograriimning If the maintenance
routines for the routing table check for reasonableness and consistency
in the routing data received from other nodes this will at least reduce
the vulnerability of the network to attack or malfunction
In the end there seems to be no totally satisfactory means of
defending against nodes that are deliberately feeding false information
to the networks management and control functions At present the
Page 000018
72 Parke Radio Networks
hcst on can hope to do is identify the ource of the had data If one is
willing to run thc risi of creating new iiuc of potential subvcrsion
it is fairly ca to enable the netw rk operation enter to tell the
nctwok to ignore the roguc nodcs at whkh point thc malfunction
hegins to rc hie lo aliicd Jan iing ideal approach would
cc mnp1et Iy distributed means of id nt if ing rogne behavior in
nodcs ll is could be au ornpli hcd it least to eeoc extent through
cor thination of ouree authentication salidity and onsisteny chccks
and traffic regnlat Hi mechanisms The goal hould be to have each
node indept ndently id ntify the rogue nodes and attempt to ostracize
them with appropriate reports made to the network control and
urity managencnt nodes
Directional Antenna Considerations
Direction sensithe techniques discussed in detail in Chapter offer
some interesting possibilities for new validity checks and counter
measures Directional reception can be used not only to provide
information about the location of an attacker but also to detect
attempted spoofing or masquerading For example sudden and
radical change in the location of node as determined by directional
sensing when new packet is received frorri that node would indicate
that masquerading or spooling was taking place unless the node were
mobile Even in the case of mobile node one could consider the
elocity necessary to account for the apparent change of position in
the remote node and use this as validity check
Directional receiver antennae can also be used as simple analog
to the antenna nulling techniques found in sophisticated ECCMsystems It is possible for example to simply turn off the antenna
that is listening in the direction of rogue node in order to ignore
overload traffic that the node may be generating This would permit
the network to quarantine an area around rogue node
Two factors must be considered in examining the effectiveness
of directional nulling These factors are similar to those important
in cvaluating the efficacy of null steerable antenna arrays against
jamming in electronic warfare Pettit 1982 They are the coverage
of the jammer and the degree of control onr the recehers lobe
patterns In the case of null steerable antenna arrays the second
Page 000019
Security and Authentication 73
factor is typically related to the number of array elements In the
simplest case in which the attackcr is using captured packet radio
the precision of the jarnmer or rogue transmitter is equivalent to that
of the receiver since both the transmitter and receiver have control
over sec tots through their identical anrenna systems In more
sophisticated scenarios one can assume that the rogue node is using
specialized ant nna system that provides transmission resolution to
an almost arbitrary degree of directionality and that the rogue node
has more transmitter power at its disposal than do normal packet
radio nodes
En either scenario sector control discussed in the section on
Directional Transmission may be too crude to be of much help
Ideally in these circumstances one would want transmit/receive
antenna st.m that provided high degree of control to individual
nodes i.e the capability to transmit for .r degrees around vector
of Quarantining rogue node is possible but requires the
remaining network nodes to cut off many of their direct connections
to each other Rerouting around the rogue node would require the use
of highly circuitous paths Baker et al 1982 have analyzed similar
scheme however it assumes the use of spread spectrum and the
analysis applies mostly to HF groundwave propagation Cook 1980has analyzed this problem from the opposite perspective he develops
criteria for nptirnum relay placement involving extra repeaters to
minimize vulnerability to jamming in an ECM environment Cooks
charactcriation applied to an existing topology may offer some
measure of the topologys resistance to jamming
Spread Spectrum Considerations
well designed spread spectrum system essentially provides protected channel by rirtue of the fact that the external attacker must
know the peudorioist or frequency hop pattern to cover the chan
nel or else umust expend enormous transrmmitter power on blanket
jamming Spread spectrum techniques atso reduce the vulnerabil
ity of transmissions to external earesdropping since the potential
cavesdroppcr must obtain spread spctrumn receiser which is not
readily arailable off the shelf component and then determine the
spreading sequence Ilorsever spread spec trum techniques provide
Page 000020
74 Packet Radio Networks
little help if the attacker has captured and analyzed packet radio
node and thus learned the spreading patt rn In this case the
deterrent to easesdropping is lest and the techniques continue to
provide pi tection against jamming only sshen CDMA is used then
each node is listening for unque pread spec tm in encoding pattern
and the transmitter hi pattern to each target node Spread
sp etruni cc qu nees are like private kc both the sender and receiver
must know the code to communic ate Thus when 2DM is usedthe captured node may know the pread spectrum code for all the
other nodes in the stem hut the captured radio can only transmit
according to one of these patterns at any gisen time and can jam or
attempt to oserload only one other node at any giv moment unless
hmoadhand jammers partial hand jamming techniques or multiple
tranmniter are med Sijion al 1984 1985 Furthc1moreif prcading codes are transmitted from some central server under
protection of public key cryptosystem for example issuing new
spreading codes to the network pros ides some protection from jam
rning as well as from the other kinds of attacks discussed above Like
encryption with globally-known key this approach presupposes that
the network manager knows that packet radio has been captured or
compromised and knows the identity of that radio
In summary spread spectrum provides protection against jamming and eavesdropping through the secrecy of the spreading code
When the attacker does not have the code the protection can be
substantial when an attacker captures packet radio node and
thu obtains th code the protection from eavesdropping is minimal
Jamming attacks using captured receiver can be limited only under
CDMA or follossing the distribution of new spreading sequence
Encryption Techniques
Encryption is obviously mequired to maintain reasonable degree of
prisaey and security on packet radio network Several related design
decisions thus must be considered
Encryption Algorithms
In deciding on the encryption algorithm to be used the basic considerations are the cryptographic strength of the algorithm and its
Page 000021
Security and Authentication 75
performance Determining the cryptographic strength of algorithms is
notoriously difficult Given the prescnt state of the art only negative
information is really asailable ciyptographic analysis can prove that
given algorithm is weak hut no currcnt mcthod of analysis can provide
confldcn -e that givcn algortlim is -trong The most encouraging
thing that can bc id shout given algorithm that it ha- been
widely scrutiniicd by thc profc ional oimnunity arid no one has
broken it or at Ic ast no ore ad nits to doing so This state of affairs
nilitates against the usc of cxotic rod littlc known algorithms unless
cxtensive analysis has bc cn erformed
Thus the ficld is currently more cr Ic limnitcd to two well known
algorithms the Data Encryption Standard DES developed by the
National Bureau of Standards and the Rivcst Sharnir Adelman RSApublic key cryptosystem Rivcst et 1978 Most other proposed
techniques have shown serious signs of cryptographic weakness over
the years most notably some of the alternative public-key cryp
tosystern proposed such as the Lu and Lee system and some of the
knapsack based public key sytems 1981
These two algorithms are quite different in that the RSA tech
nique is public key cryptosy stem and DES is classical private key
technique If other fac tors e.g cryptographic strength and perfor
inance vvcre equal the RSA approach ssould be preferable because
of the additional functions that public key cryptosystem provides
lion ever performance is anything but equal and thus it becomes the
deciding factor The RSA algorithm is extremely slow particularly in
decryption where good software implementations run at speeds of
fow bytes per second Even sophisticated hardware implementation
of substantial cost will only reach about 1000 bytes/sec As far as we
know there is to date no commercially available VLSI implementation
of the liSA algorithm prototype chips that run at about 150 bytes/sec
have been fabricated 1980 but they apparently had problems
and were not ubjected to cxtensive cxpcrimentation Very recently
British firm announced bit sliced implementation of the liSA
algorithm sixteen-chip version offers about Kbytes/sec Smith
1985 Although DES was intended to be implemented in hardware
and software implementations tend to be slow in the range of tens
of Kbytes/sec on fast machines speedy VLSI implementations of
DES are available off the shelf For example the MZ8068/Am9518
Page 000022
76 Packet Radio Networks
Data iphcring Processor which was announced by Advanced Micro
Deviccs in 1983 claims data rates well in cxcess of Mbyte/sec
Adsanced Micro Devices Inc 1983 see Teja l985 for disc ussion
of other current DES chips
Conscquently it appears that DES is suitable for workingencryption algorithm if it is supported in hardware The RSAscheme which presumably would be implemented in software is
uscfnl supplementary tool for certain pecialiaed tasks such as key
distribution discussed later but is too slow for bulk data encryption
givcn the current state of the art
One intcreting possibility that has been proposed recently is an
algorithm somewhat like DES that is implemented in software
1985 Its cryptographic strength has received little scrutiny It is ac
tually proposal for an encryption schcme that is based on principles
similar to those of DES but is byte rather than bit oriented to permit
faster software implementation Such an algorithm sinning that
it could be standardized and shown to have sufficient cryptographic
strength offers an attractive alternative to DES since it is cntirely
implemented in software it would be easier to integrate with existing
TP IP irnplernentat ions than would DES based encryption which
calls upon special purpose hardware
Recently the status of DES has become quite confused Newmanand Pickholtz 1986 The National Security Agency NSA has mdi
cated that it intends to withdraw support from DES as an encryption
standard for uew applications when it comes up for recertification in
1988 Media coverage of this announcement suggests that the NSAfeels that it is unwise to rely universally and for protracted period
of time on any single encryption algorithm rather than that DES has
been or is close to being compromised DES has become standard for
several applications particularly for the electronic transfer of fundsand it is reasonable to expect that DES will continue to be used well
into the 1990s unless some more concrete vulnerability is publicly
revealed In fact it appears that the NSA will continue for example
to explicitly support DES for electronic funds transfer
NSAs current plans as of June 1986 are to deselop apparently
only in tamper resistant chip form series of cryptographic modules
for various applications e.g voice general computer data and high
spced computer data These will be made aailable for general
Page 000023
Security and Authentication 77
commercial use i.e nonclassificd data within the 11 nited States
but apparently ssill he subject to export restriction TI algorithms
will not be made public Intcroperability will be limited des ices
using \SA modules for the same application class will apparently
interope rate but thcre will be no interopcration bet sccn dill rent
application cIa us
of thi riting the auth rs have seen no other information on
plans for future encryption techniques and clearly many unanswered
questions remain about thc function and availability of post DES
encr ption hardu are
Techniques for Applying Encryption Algoritluns
Encryption algorithms are simply functions in the form Fdatakeywhere data represents few bytes of data 64 bits worth for DES and
frey is fixed length key 56 bits ssorth for DES Since the segments
of data to be encrypted are typicall much longer than the size of the
data unit that is entered into the encryption algorithm some meansof repetitively applying the encryption algorithm to longer unit of
data is needed One of the usual approaches is to encrypt each bytes
of the segment independently The other is to use chaining methodin which the key for group of bytes is established by combining
the previous key and some value obtained from the preceding group
of bytes Ordinarily exclusive OR operations are used to combine
the key and value
Chaining can be applied either within message or on an ongoing
basis across stream of messages The difficulty with the latter
approach is that once single message is lost no subsequent messages
can be decrypted This is not problem if encryption is applied
only to data carried on top of reliable transport level protocol
Voydock and Kent 1981 Hossever if encryption is used to protect
the data elements in the TCP/IP header as well the key for the entire
connection must be resynchronized
Although it is desirable to avoid rcsynchronization it is also
desirable to protect the TCP/IP headers Otherwise an attacker
could cause the loss of data or other confusion by generating false
acknowledgments and fake TCP messages Such false data would
be rejected by the application running abuse the TCP/IP level but
Page 000024
78 Packet Radio Networks
the reliable data transport connection ssould be disrupted and the
application would have no recourse hut to restart the TCP/IP conncct ion Con equentIy chaining should be used only within segments
at the TCP11P level not from segment to segment and the TCP/IPheader as well as the application data should be encrypted Notethat the TCP byte numbers used for FE acknowledgments can
also serse as sequence nurnbcrs to prcvent poofing When single
segment chaining is ed it seakcns thc cryptographic strength of the
cncryption somesshat and 5esAon keys should thercfore be changcd
with reasonable frc qu ncy
Scope of Encryption
One can use either link level or end to end encryption in packet radio
networks or both can be used together variant of end to end
encryption end to end within the packet radio network rather than
across the internet is also possibility With this technique the
gateway that passes packets from the packet radio netssork to the
outside world would be responsible for appropriate encryption and
decryption as required
Link level encryption is transparent to the rest of the network
and is widely used sith point to point links in more traditional
networks IIoseser since packet radio networks contain no links
link level encryption cannot be applied directly unless global key is
ed throughout the network As sse have discussed previously an
opponent only nceds to obtain or seire control of single packet radio
in ordcr to compromise the entire network when global key is used
Consequently global link lesel keys are poor idca when the nodes
cannot he secured
End to cud ener3ption has two major drawbacks interactions
with the transport level protocols at both ends of the connection are
complex and encryption must be implemented in consistent wayacross the internet Lynch 1986 Currently we know of no cominerc ially available TCP/IP impleinentat ion that integrates support
for end-to-end encryption Furthermore there is little incentive for
development since no single version of TCP IP has dominant market
share and any implementor souId be reluctant to add fcatures that are
not widely supported by different TCP/IP implementations Finally
Page 000025
Security and Authentication 79
adding support for DES-based encryption to any TCP/IP implementation while retaining good performance is difficult Special-purpose
hardware must be used for the encryption/decryption operations andthns the DES support interacts closely with the operating system on
the host machine
It is also important to consider the interaction betwccn encryp
tion and the laycred telecommunications protocols in packet radio
network Each packet contains three headers local packet radio
network header an lP header and TCP header and application
data For end to end encryption we can only encrypt the TCP header
and application data since only these have end to end significance If
we encrypt both the CP and IF hcadeIs gateways must be able to
dee rypt IF headers in order to perform internet routing Furthermoreit is desirable to detect spoofing and masquerading within the packet
radio network in order to quarantine rogue nodes To accomplish
this the local network headers must be encrypted separately Unless
traffic analysis is major concern authentication is the only reason
to encrypt these headers
Key Distribution and Key Servers
To establish and use connection protected by end to end DES en
cr ption the two nodes participating in the connection must exchange
secret DES keys If an RSA public-key cryptosystem is available this
is easy to arrange For example let us assume that and are the
nodes involved that registry of public keys for each node exists and
that each node knows its own piivate key Let ExM denote the
result of the encryption of block of data under the public key of
node and DxM the application of the private key of node to
message The basic property of public key cryptosystem can
then he summarized as follows
DxExM and ExDxMFor node to pass working DES key to node secretly node
need only send EBK to can then decrypt the message using
its own secret key
This system is vulnerable in several ways It is vulnerable to spoof
ing hut this can be corrected by concatenating time stamp to
Page 000026
80 Packet Radio Networks
and then having transmit EBUDAK time stamp constantThe recciving node Bcan apply DB then the publicly published SAand thcn ensure that the time stamp is recent This approach also
forms the basis for authentication since if node 13 sends random
constant as part of the authentication kcy cxchange handshake
can provide with DAconstant sshich Bran scrify by applying BAand checking that the rcsult is Bs origi ial constant
In addition to the prohlcm of spoofing an attacker could masquerade as the public key registry and scnd out bogus public keys
for network nodes Thcre are several ways to fix this problem For
examplc the key server node denoted by could send public keys as
Ds public key which would allow any receiver to vcrify the source
of the public key time stamp should also be used to protect against
thc reintroduction of old recorded traffic by an attacker In addition
receiving node could poll several key servers mull iple key servers are
worthwhile for reliability reasons anyway Any disagreement amongthe public key values for node obtained by polling key servers would
immediately indicate possible security problem
Once again standards are an implicit issue It will be necessary
for each host in the internet to register its public key with one or
more key servers In addition any node on the internet must be able
pcrhaps by following chain of referrals to locate the appropriate
key servers that can supply the public key for any node in the
intcrnet This is similar to the systcmn used for name and directory
scrvers Mockapetris 1983b Postel 1986 and might appropriately be
intcgrated with them In addition it is worth keeping in mind that
liSA itself is complex algorithm with many available parameters
internet wide agrcement on appropriate paramcters and use of the
liSA algorithm would be essential for any standardized implementation of the algorithm
host that supports multiple TCP connections for example in
multiuser time sharing system needs only single public key for
itsclf separate scssion keys will be established for thc various rpconnections in progress at any given time llowever the mnultiuser
host must keep its secret key secure from its own users otherwise
user could obtain the working DES key for scssion that belongs to
another uscr who is sharing the mainframe
Page 000027
Security and Authentication 81
Aut he nt ic at ion
The encption techniques we havc di cusscd so far permit two nodes
to establish connection that is sccure both from eavesdropping and
from active attacks such as the inst rtion of bogus mcs ages or the
reinscrtion of previously recorded and once salid mcssages lhe first
goml is accomplished by the encryption algorithmn itself the second by
nunibering the data units sequentially
Once connection is established and kcys arc exchanged ongoing
authentication is provided by the sequcnce nurnberirg and the DES
key together thcy ensure that all data pa sing oser the connection are
in fact coming from the same node However one still needs to ensure
during the time that connections are established and keys exchangedthat nodea part ipating in the conueton are adually who they Jaim
to be
Our previous discussion has hown that public key cryptosystem
pios ides for fully distributed authcntication in which each node
using directory of public keys can authenticate any other node in
the network or internet In this environment which was originally
described by Needham and Schroeder 1978 there is little need for
authentication servers per se but only for some means to maintain
registry of public keys and to distribute this rcgistry These tasks can
he acornplished either by nonsccure sersers or by massive replication
of the publickey database in every node
It is also possible to implement authentication using only classical
private key methods such as DES howcver this requires secure
authentication server that knows the keys of all of its client nodes
and dictributcs cedentials among them This approach which is
discussed in detail by Needharn and Schroeder and Israel and
Linden 1983 has been formalized in the Xerox XNS system as their
Authentication Protocol Corporation 1984
standard authentication approaches such as the nec of pasordsare inappropriate in an unsecured broadcast enironmnent They canof course be used either as second level of set urity or as means
of pros iding finer level of authentication once the protection of an
authenticated connection is established It is also possible to deselop
nonauthenticating key distribution mcchanism that secures
connection for the exchange of authenticating passwords but does not
Page 000028
82 Packet Radio Networks
itsclf authenticate the two participants in the connection instead it
would only guarantee that their cornnmnieation is protected under an
cncryption kcy
our diEcusion indicates we recomrncnd placing mnt of the
re ponsibility for encryption and authentication on the clients of
packet radio node rather than retaining it in the packct radio
node per se except in the case of the packet radio terminal where
node and client host are integrated togctlier logical diision of
re ponsihility sould to make the packet radio nodes responsible
for the encryption of local packet radio hadcrs and the host ICP
responsible for ryp encryption
It is also clear that unless hardware support for encryption is
asailable performance problems may preclude the use of the current
standard encryption algorithms It is easy to envision local low
se urity applications such as office automation in which the network
contains some dcviccs with encryption support and some without
Such cases are studied in detail by Israel and Linden 1983
kuthentic at ion is actually needed at two different levels end-to-
end across the internet and node to-node within the packet radio
network Node to node authentication is problematic if the packet
radio has repcaters As discussed previously it is dcsirable for each
packet radio node even if it is merely repeater for given packet
and not the packets final destination to authenticate the origin of
packets in the packet radio network in order to limit the effects of
attacks rrhus any node must be able to authenticate any packets
source With public key cryptosystem this is readily accomplished
each packet header need only contain credcntial authenticating the
source in the form of constant or tine htamp that i5 eHclypted
under the private key of the source node Any node that needs to
authenticate the source of packet can simply apply the public-key
function for the alleged source and see if the result is valid constant
or time stamp
There are two problems with this approach First of all it requires
receiving nodes to compute an RSA function when examining each
packet if thcy are to quickly discard fake packets Of course if
constant were used the nodes could cachc the cncrypted value of the
constant and perform comparisons with this encrypted value rather
than recomputing the RSA function for each packet The trouble with
Page 000029
Security and Authentication 83
uing con tant however closely related to the econd problem
with this overall approach theft of credentials and spoofing Anattackcr necd only wait for packet to he transmitted by the node it
nants to masquc rade as and then either retransmit that packet as it
tar1ds for poofing attack or cxtract the crcdcntial and insert it
bit its os fcke pac kets for hi ft of crc dent ials
Frequent recomputat ion of the PS function seems unavoidable
if poofing at ta ks are to be prcsented since the credential must self
dc st nrc ith in shc rt period of time The network will always
be sorneal-at vulnerable to spoofing and mnasqucrading unlcss the
net sork has synchronizcd global clock the credential is created
by applying the lISA function to the time stamp each time node
gcnc rates packet and the clock ticks fast enough so that an old
time tamp crcdential bee orncs invalid within sufficiently short time
that an attackcr cannot receive copy and retransmit it during that
period hese problems howeser sould be stopped at the end-to
end lcsel whcn they did occur
In the case of repeated packet the repeater would have to
add its own authentication credential to the packet header prior to
retransmission in order for the sources credential to remain valid
Otherwise the credential would become obsolete by the time it was
received by the second or third repeater in repeater chain
Providing the described capabilities for authentication within the
packet radio network would rcquire cxpensive and carefully designed
special purpose hardware for handling RSA functions
Additional security could be supplied only when it was needed by
relying on the ability of other mechanisms to detect security problems
rrhis would include the ability of each rode to listen for transmissions
having its own source address and immediately raise security alert
rrhis simple and virtually free measure is worth implementing in any
case as way of detecting attacks even if nothing is done to prevent
thermi within the packet radio network and the decision is made to
rcly entirely on end-to end encryption Under normal circumstances
credential expiration could be relatively slow and caching scheme in
the receivers authentication routines could be used When an attack
was detccted the period between credential updates which could be
set by each sending node independently with receivers invalidating
an earlier time stamp as the basis for credential whenever later
Page 000030
84 Packet Radio Networks
one is received could be greatly reduced at least by the node that
was the victim of the attempted masquerade Every time the node
under attack tran mitted the nìasquerading node sould have to steal
the credential anew
The heart of the problem here is that we have created re
quirement that any receiver must he able to anther tieate packet
from any source without the source knowirg the receiver in advance
rrhis will be the case if flooding type routing strategies are used in
seinibroadeast network or if broadcast type messages are supported
in full broadcast network In full broadcast network without
broadcast type messages or semibroadcast network in which re
peater paths are prey iously allocated either through source routing
or scheme in which repeater chains are assigned authentication
can he considered as pairwise process In these cases the problem
of authentication at the packet radio node becomes more tractable
since virtual links can be established through the same kinds of
authentication handshakes and cryptographic protection that we have
discussed for end to end connections In network with repeaters
however all repeaters in the path that has been preassigned or defined
by source routing must participate in the authentication process
Sunirriary
Although packet radio network may be more vulnerable to easy
attack than traditional networks the encryption and authentication
measures required for its protection are similar to those required
for distributed broadcast networks that use cable Performance is
an important consideration in choosing protective neasues and
hardware support is almost unavoidable The authentication and key
distribution issues are more tractable if one is ss illing to implement
public key ryptos stern and trust in its cryptographic see urity
It is also clear that packet radio network beraise of it reliance
on the electromagnetic ether is uniquely vulnerable to disiupting
attacks as well as subversion Some of these disrupting attacks are
similar to those encountered in electronic warfare and the counter
measures available outside of the ECCM context are limited Th
other class of disrupting attacks stems from the ease with which one
can capture or build fake node and use it to violate protocols or
Page 000031
Security end AuthentIcation 85
introduce spurious control data into the network Countermeasures
for this sort of attack are also limited Many of them employ software
engineering techniques similar to those used to defend distributed
system against node that is accidentally malfunctioning
Page 000032