Security issues of Mobile Ad Hoc Networks


Network Security
Scott Huang, David MacCallum, and Ding Zhu Du (Eds.)
© 2005 Springer

Mike Burmester
Department of Computer Science
Florida State University, Tallahassee, FL 32306-4530
E-mail: burmester@cs.fsu.edu

Tri Van Le
Department of Computer Science
Florida State University, Tallahassee, FL 32306-4530
E-mail: levan@cs.fsu.edu

Contents
1 Introduction
2 A Model for Mobile Ad hoc Networks
  2.1 Models and Definitions
    2.1.1 Security mechanisms
  2.2 Mobility models
    2.2.1 The Random Walk model
    2.2.2 The Random Waypoint model
    2.2.3 The Random Direction model
    2.2.4 The Nomadic Group model
    2.2.5 The Target Group model
3 Routing algorithms
  3.1 Introduction
  3.2 Network-Centric Routing
    3.2.1 Destination-Sequenced Distance-Vector Routing
    3.2.2 Clusterhead Gateway Switch Routing
    3.2.3 Wireless Routing
    3.2.4 Ad-hoc On-Demand Distance-Vector Routing
  3.3 Source-Centric Routing
    3.3.1 Dynamic Source Routing
    3.3.2 Other Source-Centric Routing algorithms
4 Security issues for routing algorithms
  4.1 Security Associations and Public Key Infrastructure
  4.2 Denial of Service attacks
  4.3 Man-in-the-Middle attacks
  4.4 Security issues for Ariadne, SEAD and SAODV routing
  4.5 Security at the physical and data link layers
5 Tracing malicious faults
  5.1 An algorithm that traces malicious faults
  5.2 An optimistic tracing algorithm
  5.3 Tracing malicious behavior with AODV and DSR
6 Multipath & Multichannel Routing
  6.1 Geodesic Routing
    6.1.1 Circle Routing
    6.1.2 Space-Disjoint Routing
  6.2 Color Routing
    6.2.1 Color-Disjoint Routing
    6.2.2 Color-Secure Routing
  6.3 Simple Multipath Communication
  6.4 Adaptive Multipath Routing
  6.5 Securing AODV and DSR
References

This material is based on work supported in part by the U.S. Army Research Laboratory and the U.S. Research Office under grant number DAAD19-02-1-0235, and in part by the National Science Foundation under grant number NSF-009316.

1 Introduction
Mobile ad hoc networks are collections of self-organizing mobile nodes with dynamic topologies and no fixed infrastructure. The nodes can be regarded as wireless mobile hosts with limited power (operating off batteries) and constrained bandwidth. Transmission is in a broadcast medium. The recent rise in popularity of mobile wireless devices and technological developments have made possible the deployment of such networks for several applications, such as emergency deployments, disasters, search and rescue missions and military operations.
Finding and maintaining communication routes in an ad hoc network is a major challenge, especially with respect to security and fault tolerance. To date, most of the research has focused on performance and services (see e.g., [5, 8, 20, 26, 36, 38, 45, 50, 51, 52, 60, 63]) with security being given a lower priority, and in many cases, regarded as an add-on afterthought technology rather than a design feature (e.g., [2, 39, 52, 56]). Although such an approach may be appropriate for networks with predictable faults, it is not suitable for ad hoc networks in which we have unpredictable, malicious (Byzantine [40]) faults [13, 15]. For example, one cannot trace malicious nodes by only exploiting stochastic node behavior, because malicious nodes can avoid detection by behaving normally whenever a fault detection mechanism is triggered (the approach used in [2] will only trace attacks that can be simulated).
Of particular concern in military applications is the possibility that an established route is taken over by the adversary, and then used at a critical time when damage is maximized, and when there is not sufficient time to fix the route or to find alternative routes. In such cases multipath routing and communication is of benefit. Multipath routing will also enhance bandwidth usage, load balancing and more generally efficiency (e.g., [61, 44, 28]).
Another concern is that besides packet dropping, malicious nodes may also render a network useless by confusing nodes about the state of the system, e.g., blaming non-faulty nodes for failures and dropping/corrupting packets. It is therefore important to trace malicious behavior and protect the trust infrastructure and associations of the network and to prevent faulty nodes from taking part in future attacks.
Our goal in this chapter is to give an overview of current security threats and solutions for mobile ad hoc networks, focusing on routing issues. We will consider networks with a varying degree of ad hoc-ness, ranging from almost static networks to extremely changeable networks. We shall implicitly assume that there is sufficient connectivity during the lifetime of the system to support basic communication functions, even though we shall not make any assumption about the lifetime of each link (which could be very short). In such a scenario, nodes have to enlist the aid of neighbor nodes to forward data, and communication is a store-and-forward process based on finding secure routes and maintaining them. Unlike traditional networks that use dedicated nodes to support basic functions such as message forwarding, routing and network management, with ad hoc networks these functions are carried out dynamically by nodes that are locally available. The problem is that there may be insufficient a priori trust among these nodes to assure the correct execution of such functions. This is at the core of the security problems that are specific to ad hoc networks.
Organization. This chapter is organized as follows. In Section 2 we present a general model for mobile ad hoc networks that captures at an appropriate degree of abstraction their basic stochastic aspect. We then give our definitions. In Section 3 we give an overview of current routing algorithms. In Section 4 we consider security issues. In Section 5 we describe two algorithms that will trace malicious faults. In Section 6 we describe some general approaches that can be used to establish routing. We then present several multipath and multichannel routing algorithms and an adaptive multipath routing algorithm.
2 A Model for Mobile Ad hoc Networks
2.1 Models and Definitions
There are several ways in which one can model the unpredictable nature of a mobile ad hoc network. Whichever way is used, there are important mobility aspects that must be reflected in this model. In particular, ad hoc networks are stochastic finite state systems. The following definition captures this requirement.
Definition 2.1 Let $V$ be a finite state system with state space $S$. The elements of $V$ are mobile nodes: each node is a probabilistic finite state machine. A mobile ad hoc network is a random process
$$G = \{(G_1, S_1)\}, \{(G_2, S_2)\}, \ldots, \{(G_t, S_t)\}, \ldots, \{(G_T, S_T)\},$$
where $G_t = (V, N_t)$ is a graph with node set $V$ and link set $N_t$, and $S_t \in S$ is the internal state of $V$ at time $t$, subject to the following constraints:
(i) Markov constraint. Given the current network state $(G_t, S_t)$, the following state $(G_{t+1}, S_{t+1})$ is independent of all previous network states $(G_1, S_1), \ldots, (G_{t-1}, S_{t-1})$.
(ii) Mobility constraint. The transitional probabilities
$$\Pr[(G_{t+1}, S_{t+1}) \mid (G_t, S_t)], \quad t = 1, 2, \ldots$$
are independent of time $t$. The distribution generated by these probabilities is called the mobility distribution µ of the network.
(iii) Medium constraint. The communication medium is promiscuous: if a node x transmits a packet at time t then it will be received at time $t' > t$ simultaneously by all its neighbors (linked to it at that time). In particular, the time taken for a single transmission (one hop) to be received, taken over all network nodes is bounded. Furthermore, the communication medium has limited bandwidth: beyond a certain threshold, simultaneous transmissions in a neighborhood will result in transmission failure. Finally, the links of G are bidirectional: if x, y are neighbors, then y will receive any message transmitted by x and x will receive any message transmitted by y.
Our model for mobile ad hoc networks is time dependent. That is, changes in the topology of the network occur over time and transmissions are time bounded. In particular, the time taken for a message to be delivered via m retransmissions (hops) is bounded by mτ, where τ is an upper bound on the time taken for a retransmission.
The mobility distribution µ defines the mobility model of the network and is determined by the internal states of the nodes of G and Nature. Nature's contribution comes from the environment and the fact that the communication is wireless. A wide variety of factors may affect the communication. These range from weather to radio interference and physical obstacles.
The mobility distribution µ may support the automatic derivation of probabilities for a set of possible causes. It is important to note however that there are cases when the unpredictable nature of the mobility of an ad hoc network, that is its uncertainty or entropy, is such that there is practically no useful structure in the network (that lasts for more than a few time periods). In particular the derivation of any useful stochastic analysis may be impossible because of the unpredictable behavior of malicious nodes. We shall discuss this issue in Section 2.2.
Definition 2.2 An ad hoc network G is simulatable if there is an efficient algorithm σ called the simulator that simulates G according to its mobility distribution µ. That is, σ generates random network samples $(\hat{G}_1, \hat{S}_1), (\hat{G}_2, \hat{S}_2), \ldots$, such that for all $t \geq 1$:
$$\Pr[(\hat{G}_1, \hat{S}_1), \ldots, (\hat{G}_t, \hat{S}_t)] = \Pr[(G_1, S_1), \ldots, (G_t, S_t)].$$
Communication in ad hoc network G is achieved by forwarding packets via routes. Traditionally, a route R(s, d) is a path that links a source node s to a destination node d. However the notion of a route can be extended to allow for a more general definition.
Definition 2.3 A route R(s, d) with source node s and destination node d is a list of nodes of G, that starts at s and ends at d, through which packets are forwarded. This list may not be known to s, or to any other node. Nodes on the list may know their successor, or may not. Routes may change over time and may not be connected for any time period: it is sufficient that the links of adjacent nodes are connected in turn, over time.
We shall also consider multipath routes and multichannel routes R(s, d). Multipath routes have several node-disjoint path lists that link s, d and multichannel routes have several node-disjoint channel lists, i.e., connected bounded regions of the node space that link s, d.
Definition 2.4 The adversary $A_k$ can corrupt up to k nodes of G throughout the lifetime of the system.¹ $A_k$ controls these nodes and may use them to undermine the security of the network. We call these nodes corrupted or faulty, and refer to $A_k$ as a k-adversary. A k-adversary may be passive or active. A passive adversary (also called honest-but-curious) will only eavesdrop on the network communication. An active k-adversary may use up to k corrupted nodes to monitor and prevent the normal functioning of the network via snooping, dropping, modifying, and/or fabricating network messages. These nodes and the corresponding faults are called malicious or Byzantine. Malicious nodes may use hidden (covert) channels or "wormholes" through which they can communicate or tunnel packets.
¹ This is the Byzantine threats model [40]. There are several generalizations. One such generalization allows the adversary to release some of the corrupted (captured) nodes at regular intervals and replace them by an equal number of uncorrupted nodes. Another generalization is the Adversary Structure model [43]. We shall not consider these here.
It has been shown in the literature (see e.g., [40]) that if the number of malicious faults in a network is bounded, say no more than k, then we can achieve unconditionally secure communication (integrity and privacy) by using 3k+1 vertex-disjoint paths that link the source to the destination. For unconditional integrity we need 2k+1 vertex-disjoint paths. For conditional security (with digital signatures and encryption mechanisms) we only need k+1 vertex-disjoint paths, which is the case considered in this chapter.
Definition 2.5 Let G be an ad hoc network and P a distributed algorithm of G. We say that P tolerates $A_k$, or tolerates k malicious faults, if the probability $\pi^P_A$ that P terminates successfully when $A_k$ is present is the same as the probability $\pi^P_0$ that P terminates successfully when $A_k$ is not present. If $|\pi^P_A - \pi^P_0| < \varepsilon$, then we say that P tolerates $A_k$ with error probability ε.
The probabilities $\pi^P_0$ and $\pi^P_A$ are taken over the random coins of P and A, and the random distribution of inputs to P.
2.1.1 Security mechanisms
For data integrity, Message Authentication Codes (MACs) may be used. For authenticity and integrity, digital signatures are used [59]. These are keyed mechanisms. There are two types of cryptosystems: symmetric and public key. Symmetric cryptosystems require one shared secret key. Public key cryptosystems require two keys, a public key and a secret key. In our algorithms we use the following notation:
• $[data]_{sd}$, data together with its Message Authentication Code (MAC) with the shared key of s, d.
• $[data]_x$, data together with its digital signature with the (secret) signing key of x.
• hash(m), the (cryptographic) hash of m [59].
We shall assume in this paper that all MACs and digital signatures are unforgeable.² As a consequence, the security properties discussed from here on are conditional on the computational power of the adversary A.
The computational cost of public key cryptosystems is relatively high for ad hoc network applications. It is therefore preferable to use symmetric key mechanisms for authentication. There are however cases when one has to use public key cryptosystems.³ To reduce the computational complexity, one may use Elliptic Curve (EC) cryptosystems [59], or the NTRU [47] cryptosystem.
The two major security goals of mobile ad hoc networks are:
(i) To provide reliable communication that is resilient to mobility fluctuations, to faults caused by Nature and to malicious adversaries.
(ii) To establish a trust infrastructure that will support the cryptographic applications and facilitate collaboration among untrusted mobile nodes.
² This implies that the network nodes are polynomially bounded in the security parameter of the signatures.
³ Public key technology supports non-repudiation, which is needed for tracing malicious behavior.
2.2 Mobility models
Mobility models are simulations of ad hoc networks that provide realistic mobility patterns. They are used to evaluate the performance of network protocols. They are an important tool and have been used extensively to illustrate the effectiveness and efficiency of network protocols. However they are subject to a variety of stochastic processes and complex behaviors that may be hard, or even impossible to simulate.⁴ In particular, simulations of ad hoc networks cannot be used to analyze the security aspects of routing algorithms, because malicious attacks in general are not simulatable.
In the mobility models that we shall consider below, we assume that the nodes move in a predefined area, usually confined to the unit square. Nodes within distance δ, 0 < δ < 1, of each other are in broadcast range and therefore linked, while the others are not.
2.2.1 The Random Walk model
The Random Walk (Brownian Motion) model [3] is the simplest model. In this model nodes move in turns. At the beginning of its turn, a node selects the parameters for its move during the turn: a value v, $v_{\min} \leq v \leq v_{\max}$, for its speed, a value θ, 0 ≤ θ < 2π, for its direction and finally a value t, $t_{\min} \leq t \leq t_{\max}$, for the duration of the turn. These are selected uniformly at random. During the turn the node moves at constant speed v, in the direction θ, for a time t. At the end of the move the node pauses for a specified time period, and then a new turn starts. Alternatively, instead of a time period t, mobile nodes may move for a distance d, $d_{\min} \leq d \leq d_{\max}$, before changing their direction and speed. In these models the nodes tend to move close to their initial position because of their Brownian motion.
2.2.2 The Random Waypoint model
The Random Waypoint model [36, 6, 7] is an extension of the Random Walk model and is the most commonly used. In this model, each node at the beginning of its turn, moves to a new position, selected uniformly at random in the unit square. This addresses the Brownian motion behavior of nodes. However, now the majority of nodes tend to congregate to the center of the square [21]. To alleviate this situation, the parallel edges of the unit square can be wrapped round to form a torus [29]. This allows the mobile nodes to move away from the center by crossing the borders. The delay, acceleration and deceleration at each turn can also be specified and randomized, making the movements of the nodes more realistic.
⁴ In general it is impossible to simulate human behavior or Nature.
There remain some problems with the torus model. One such problem concerns the average speed decay of mobile nodes as time increases [67]. This can be addressed by using a special distribution of the nodes at start time, a minimum speed and a required warm up period [67, 41]. Another problem is the sudden and abrupt changes in the node direction at the end of each turn, which is unrealistic.
2.2.3 The Random Direction model
The Random Direction model [29, 6, 48] extends the Random Waypoint model and makes the sudden changes of speed Δv and direction Δθ at the end of turns gradual. In particular, $\Delta v = v_{\mathrm{new}} - v_{\mathrm{old}}$ and $\Delta\theta = \theta_{\mathrm{new}} - \theta_{\mathrm{old}}$ are selected at random uniformly from [−A, A] and [−Θ, Θ], respectively, where A is the maximum acceleration and Θ the maximum angular change. To allow for a more refined control between the random and deterministic behavior of node movement, the new speed and direction are calculated as follows:
$$v_{\mathrm{new}} = \alpha v_{\mathrm{old}} + (1-\alpha)\bar{v} + \sqrt{1-\alpha^2}\,\Delta v, \qquad \theta_{\mathrm{new}} = \alpha\theta_{\mathrm{old}} + \sqrt{1-\alpha^2}\,\Delta\theta,$$
where 0 ≤ α ≤ 1 is a control parameter, $\bar{v}$ is the mean speed, and Δv, Δθ are selected according to a Gaussian distribution.
In the three models that we have considered, namely the Random Walk model, the Random Waypoint model and the Random Direction model, the movement of each node is determined by its current state, defined by its current position, speed, direction and the time left until the next turn. Therefore their mobility patterns are Markovian. These models do not take into account other natural constraints such as physical obstacles which affect both mobile node movements and wireless signal propagations [35].
2.2.4 The Nomadic Group model
Group mobility models simulate group behaviors using a reference point. As the reference point moves, the group moves along with it. Several ways are used to determine the movement of an individual node relative to the reference point. Below we shall consider two such ways.
In the Nomadic Group model [55] the mobile nodes move randomly around the common reference point. This generates a nomadic movement in which the new position $pos_{\mathrm{new}}$ of a mobile node is the vector sum of the position of the common reference point ref and a small random vector r:
$$pos_{\mathrm{new}} = ref + r.$$
2.2.5 The Target Group model
In the Target Group model [55] the common reference point is used as a target point that attracts mobile nodes. That is:
$$pos_{\mathrm{new}} = pos_{\mathrm{old}} + acc\,(ref - pos_{\mathrm{old}}) + r.$$
Here $pos_{\mathrm{old}}$ is the previous position of the node and acc its acceleration. For more realistic movements, the vector $(ref - pos_{\mathrm{old}})$ can be normalized so that the acceleration is kept within its limits.
The movement of the common reference point can be simulated by using any one of the first three mobility models. The resulting models are also Markovian, since the movement of each node is determined (only) by its own current state and the current state of the common reference point.
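
An added example, not taken from the chapter: a seeded Random Waypoint simulator that samples the link sets N_1, ..., N_T of Definition 2.1 using the broadcast range δ of Section 2.2, together with one Target Group update. The discrete time step, the speed range and all function names are assumptions of this sketch.

```python
import math
import random

def link_set(pos, delta):
    """N_t: unordered pairs of nodes within broadcast range delta of each other."""
    ids = sorted(pos)
    return {(a, b) for i, a in enumerate(ids) for b in ids[i + 1:]
            if math.dist(pos[a], pos[b]) <= delta}

class RandomWaypoint:
    """Random Waypoint model in the unit square; step() advances one time unit."""

    def __init__(self, n, v_min, v_max, seed):
        self.rng = random.Random(seed)   # seeded, so a run can be reproduced
        self.v_min, self.v_max = v_min, v_max
        self.pos = {i: self._point() for i in range(n)}
        self.goal = {i: self._point() for i in range(n)}
        self.speed = {i: self.rng.uniform(v_min, v_max) for i in range(n)}

    def _point(self):
        return (self.rng.random(), self.rng.random())

    def step(self):
        for i, (x, y) in list(self.pos.items()):
            gx, gy = self.goal[i]
            dist = math.hypot(gx - x, gy - y)
            if dist <= self.speed[i]:
                # Waypoint reached: the next turn gets a new waypoint and speed.
                self.pos[i] = (gx, gy)
                self.goal[i] = self._point()
                self.speed[i] = self.rng.uniform(self.v_min, self.v_max)
            else:
                f = self.speed[i] / dist
                self.pos[i] = (x + f * (gx - x), y + f * (gy - y))
        return dict(self.pos)

def target_group_step(pos_old, ref, acc, r=(0.0, 0.0)):
    """Target Group update: pos_new = pos_old + acc * (ref - pos_old) + r."""
    return (pos_old[0] + acc * (ref[0] - pos_old[0]) + r[0],
            pos_old[1] + acc * (ref[1] - pos_old[1]) + r[1])

def simulate(n, steps, delta, seed, v_min=0.01, v_max=0.05):
    """Sample the link sets N_1, ..., N_T of one network run."""
    model = RandomWaypoint(n, v_min, v_max, seed)
    return [link_set(model.step(), delta) for _ in range(steps)]

def link_lifetimes(graphs):
    """Lengths of the runs of consecutive time steps during which a link is up."""
    lifetimes, alive = [], {}
    for links in list(graphs) + [set()]:   # empty sentinel closes open runs
        for edge in list(alive):
            if edge not in links:
                lifetimes.append(alive.pop(edge))
        for edge in links:
            alive[edge] = alive.get(edge, 0) + 1
    return lifetimes

if __name__ == "__main__":
    graphs = simulate(n=20, steps=500, delta=0.2, seed=7)
    lt = link_lifetimes(graphs)
    print("links observed:", len(lt), "mean lifetime:", sum(lt) / max(len(lt), 1))
```

The run is fully determined by the seed and the node states, which is what makes this network simulatable in the sense of Definition 2.2.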
3 Routing algorithms
3.1 Introduction
Depending on where most of the routing effort takes place, there are currently two types of routing algorithms for mobile ad-hoc networks: network-centric and source-centric algorithms. With network-centric routing [50, 20, 45, 52] the routing effort is distributed within the network, and is regarded as a service provided to the source. The service involves primarily route discovery and route patching. With source-centric routing [23, 50, 62, 56] most of the routing effort is done by the source node.
Broadcast flooding is the de facto route discovery algorithm for ad hoc networks [2, 5, 8, 53]. With flooding, each node that receives a message retransmits that message once. This guarantees maximal coverage, distance preservation and redundancy. Maximal coverage means that if a time-relevant path exists between a source and any destination,⁵ flooding will discover that path. Flooding will also find the quickest, often shortest, path between the source and destination. Redundancy is in many respects a positive attribute for ad hoc networks because these networks are naturally less reliable and more vulnerable than their static counterparts. However algorithms based on broadcast flooding can also be very inefficient, because of this redundancy [37, 30, 57]. Indeed in dense networks, the redundancy may trigger a broadcast storm [46]. We shall discuss this issue further in Section 4.2.
⁵ Since ad hoc networks are dynamic, a path may form or dissolve during the flooding process. Whether the flooded message reaches its destination is time-dependent.
3.2 Network-Centric Routing
Network-centric algorithms use a route discovery algorithm to find the shortest route between nodes by running a distributed version of the Bellman-Ford [27] algorithm.⁶ Whenever a source node s wants to find a new route or a shorter route, because of changes in the network topology, it runs an update procedure which compares its distance from a destination d to the distance of its neighbors from d, and then updates its shortest route to d via the neighbor that has minimal distance from d. If this route is a new route then the change is broadcast to all its neighbors who in turn run the update procedure. Local updates will propagate through the network, and may repeat several times before the update information of all nodes "settles" to the shortest possible routes. To avoid inconsistencies and loops resulting from out of order updates, sequence numbers are employed to keep the routing information fresh.
Network-centric routing in general requires considerable cooperation between the nodes of the network in order to update and maintain a distributed database of routing information such as routes, cost, distance, reliability, time, etc. These are often organized in one or more tables at each node of the network. The corresponding algorithms are therefore called table-driven routing algorithms. Changes to the network, due to broken links or new links, are broadcast regularly. Each node in the network updates its tables in order to keep the liveliness and consistency of the routing information.
This type of routing is appropriate for networks where node mobilities are low and changes are less frequent. Its advantage is that routing service is always available, and communication can start almost immediately. However, the power, the computation and the communication required to maintain the network routing tables are considerable.
3.2.1 Destination-Sequenced Distance-Vector Routing
In the Destination-Sequenced Distance-Vector (DSDV) [50] routing algorithm each node maintains a vector of distances to each destination in the network and also the next node in the corresponding route. Changes in topology are assigned new sequence numbers and broadcast by destination nodes. Each node in the network updates its own vector with information about its neighborhood so that an up-to-date shortest-route from it to each destination is maintained. In order to reduce the traffic generated by frequent network changes, updates are delayed after a settling time, and sent in either deltas or full-dumps.
⁶ This algorithm finds maximal sets of edge (or vertex) disjoint paths that link two nodes.
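
An added example, not code from the chapter or from any DSDV implementation: the table update described in Sections 3.2 and 3.2.1, where a route with a newer destination sequence number replaces the stored one and, for equal sequence numbers, the shorter route wins. Class and function names, the full-dump exchange loop, the increment of 1 per new sequence number and the four-node topology are assumptions of this sketch; settling-time delays and broken-link handling are left out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    next_hop: str
    metric: int   # distance in hops
    seq: int      # sequence number issued by the destination

class DsdvNode:
    def __init__(self, name):
        self.name = name
        self.table = {name: Route(name, 0, 0)}

    def new_sequence_number(self):
        """The destination stamps its own entry with a fresh sequence number."""
        own = self.table[self.name]
        self.table[self.name] = Route(self.name, 0, own.seq + 1)

    def advertise(self):
        """Full dump of the distance vector: destination -> (metric, seq)."""
        return {dest: (r.metric, r.seq) for dest, r in self.table.items()}

    def receive(self, neighbor, advert):
        """Apply a neighbor's advert; return True if any route changed."""
        changed = False
        for dest, (metric, seq) in advert.items():
            if dest == self.name:
                continue
            current = self.table.get(dest)
            candidate = Route(neighbor, metric + 1, seq)
            fresher = current is None or seq > current.seq
            shorter = (current is not None and seq == current.seq
                       and candidate.metric < current.metric)
            # The reported sequence number is taken at face value, so the
            # freshness rule is only as trustworthy as the advert itself.
            if fresher or shorter:
                self.table[dest] = candidate
                changed = True
        return changed

def settle(nodes, links, max_rounds=50):
    """Exchange full dumps over bidirectional links until no table changes."""
    for rounds in range(1, max_rounds + 1):
        changed = False
        for a, b in links:
            changed |= nodes[b].receive(a, nodes[a].advertise())
            changed |= nodes[a].receive(b, nodes[b].advertise())
        if not changed:
            return rounds
    raise RuntimeError("routing tables did not settle")

def demo():
    nodes = {name: DsdvNode(name) for name in "abcd"}   # constructed topology
    nodes["d"].new_sequence_number()
    chain = [("a", "b"), ("b", "c"), ("c", "d")]
    rounds = settle(nodes, chain)
    via_chain = nodes["a"].table["d"]
    # Out-of-order update: an older sequence number loses even with a better metric.
    stale_applied = nodes["a"].receive("b", {"d": (0, via_chain.seq - 1)})
    # Topology change: a and d come into range and d issues a new sequence number.
    nodes["d"].new_sequence_number()
    settle(nodes, chain + [("a", "d")])
    return rounds, via_chain, stale_applied, nodes["a"].table["d"]

if __name__ == "__main__":
    print(demo())
```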
3.2.2 Clusterhead Gateway Switch Routing
Clusterhead Gateway Switch (CGS) routing [20] is a two-layer version of DSDV routing in which all the routing and maintaining tasks are delegated to a subset of nodes called clusterheads. The source forwards its entire packet to its current clusterhead. The clusterhead in turn forwards the packets to the destination clusterhead, where they are forwarded to the destination node. To achieve this, each clusterhead keeps a node-to-clusterheads table (cluster membership table) together with the shortest routes to other clusterheads. Gateways, that is nodes at the boundary of a clusterhead's local physical area, provide links between clusterheads. When two clusterheads are in range (crowded clusterheads), or when some node moves out of range of all other clusterheads (missing clusterheads), then all mobile nodes run a distributed Least-Cluster-Change algorithm (LCC) to re-partition the network into new clusters, and members of each cluster elect a new clusterhead. The LCC algorithm assures that overheads in clusterhead changes are kept minimal.
3.2.3 Wireless Routing
Wireless Routing [45] differs from DSDV and CGS routing in that the network changes are broadcast locally instead of globally throughout the network. With Wireless Routing the routing table at each node does not contain the next node in a shortest route to each destination, but instead the second-to-last node in a shortest route. Together with consistency checks performed by the nodes, this change reduces the update time when link failures occur [20]. Furthermore, each mobile node knows a complete path to each destination.
3.2.4 Ad-hoc On-Demand Distance-Vector Routing
Ad-hoc On-Demand Distance-Vector (AODV) routing [52] is an on-demand version of DSDV routing in which DSDV routing is only activated when communication is requested. However route failures do not result in route updates but in a new DSDV instance. To reduce route discovery traffic, nodes may cache routing information between different route discoveries. Due to its on-demand nature, AODV will save energy when communications and mobility are low.
3.3 Source-Centric Routing
With source-centric routing, the source s is responsible for discovering the topology of the network, for finding a route to the destination and for updating any change, with minimal help from other nodes. When a node needs to send some information, the routes to the destination are constructed on-demand by the source and updated according to the changes in the network. Cooperation from other nodes in the network is often limited to forwarding packets or collecting local information. Since there is almost no status information to maintain, this kind of routing is quite flexible and is appropriate for dynamic networks that change frequently.
Since no up-to-date routing information is constantly maintained, route discovery is done by flooding the network with route requests rreq for new connectivity information. Each rreq can carry a trace of the nodes through which it travelled, so that when a rreq for new connections reaches the destination d, d can acknowledge the recorded route back to source s. Depending on several possible criteria, the source node will choose the route that best suits its requirements. This process is repeated each time a new connection is needed, or when the network topology changes.
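
An added example, not code from the chapter: route discovery by flooding as described here and in Section 3.1, with every node retransmitting the first copy of the rreq once and appending itself to the trace. Protecting the acknowledged route with a MAC under the key shared by s and d, written [route]_sd in the notation of Section 2.1.1, is an assumption of this sketch, as are the function names, the topology, the key and the fewest-hops selection criterion.

```python
import hashlib
import hmac
from collections import deque

def flood_rreq(links, s, d):
    """Flood a rreq from s; return (routes recorded at d, forwarders, receptions)."""
    nbrs = {}
    for a, b in links:                      # links are bidirectional
        nbrs.setdefault(a, set()).add(b)
        nbrs.setdefault(b, set()).add(a)
    forwarded = {s}                         # nodes that have transmitted the rreq
    queue = deque([(s, (s,))])              # (transmitter, trace carried so far)
    routes, receptions = [], 0
    while queue:
        node, trace = queue.popleft()
        for nb in sorted(nbrs.get(node, ())):
            receptions += 1                 # the medium is promiscuous
            if nb == d:
                routes.append(trace + (d,))  # d records the route, never forwards
            elif nb not in forwarded:
                forwarded.add(nb)           # first copy: retransmit exactly once
                queue.append((nb, trace + (nb,)))
    return routes, len(forwarded), receptions

def _encode(route):
    # Length-prefixed node names, so distinct routes never encode identically.
    return b"".join(len(n).to_bytes(2, "big") + n.encode() for n in route)

def mac_route(key_sd, route):
    """[route]_sd: the recorded route with its MAC under the key shared by s, d."""
    return tuple(route), hmac.new(key_sd, _encode(route), hashlib.sha256).digest()

def verify_route(key_sd, route, tag):
    expected = hmac.new(key_sd, _encode(route), hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)

def discover(links, s, d, key_sd):
    """d acknowledges each recorded route; s keeps those that verify."""
    routes, _, _ = flood_rreq(links, s, d)
    replies = [mac_route(key_sd, r) for r in routes]            # computed at d
    # The MAC covers the reply from d to s only; the trace itself was still
    # written hop by hop by the intermediate nodes.
    verified = [r for r, tag in replies if verify_route(key_sd, r, tag)]
    return min(verified, key=len) if verified else None         # fewest hops

# Constructed sample topology and key, for illustration only.
LINKS = [("s", "a"), ("s", "b"), ("a", "c"), ("b", "c"), ("c", "d"), ("b", "d")]
KEY_SD = b"constructed demo key shared by s and d"

if __name__ == "__main__":
    print(flood_rreq(LINKS, "s", "d"))
    print(discover(LINKS, "s", "d", KEY_SD))
```

On the sample topology the 4 forwarding nodes cause 10 receptions, a small instance of the redundancy that Section 3.1 warns about for dense networks.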
Depending on the application, a variety of criteria can be used in the selection of an optimal route when there are several routes available, such as signal strength [26], node mobility [50], and link stability [62]. The advantage of source routing is flexibility: the source and destination do not have to depend on other nodes to find routes. The pair (s, d) can also adapt one or more routing algorithms over time depending on their needs and preferences such as bandwidth, delay, overhead, fault tolerance and security, thus allowing more optimal usage of network resources.
3.3.1 Dynamic Source Routing
The Dynamic Source Routing algorithm [36] is based on the concept of source routing. When a request to send a packet is made, the source looks up its cache to find a suitable route. If a non-expired route is found, it is used right away. Otherwise, the source broadcasts its request to other nodes for a route to the destination. The destination and other nodes that have a live route to the destination will reply to this request with the requested routes. When link errors occur, all routes containing the broken link will be deleted from the cache. The chosen route will be appended to each packet in order to help intermediate nodes in routing. The assumption made in this routing algorithm is that routes do not change frequently, which is applicable to networks with moderate dynamics.
3.3.2 Other Source-Centric Routing algorithms
Temporally-Ordered Routing [50], Associativity-Based Routing [62] and Signal Stability Routing [26] are source-centric algorithms that differ from Dynamic Source Routing in that, instead of finding a shortest route they choose a route by favoring: (a) nodes for which link errors occur first, (b) links with a long lifespan, and (c) channels with strong signal strength, respectively. These metrics allow a more refined control over quality of the route needed.
4 Security issues for routing algorithms
From a security point of view, network-centric routing requires substantial cooperation between network nodes and strong trust relationships. Network-centric algorithms are therefore particularly vulnerable to malicious faults. There is no way to prevent such faults, because with network-centric routing the routing service is provided by remote nodes (which may be faulty). Ultimately such faults may lead in the best of cases to a Denial of Service (DoS) attack, and in the worst, when no security mechanisms [59] are used, to a complete takeover of the communication by the adversary. Observe that with ad hoc networks, DoS faults caused by the adversary may be statistically indistinguishable from ad hoc link failures at the network or link levels (the adversary may try to evade detection through statistical analysis), but nevertheless cause distinguishable faults on the path, i.e., at the end-to-end level [15].
On the other hand source-centric routing lessens the dependence on intermediate node cooperation, and thus is less vulnerable to active attacks. Furthermore, since the source and destination have control over the routes, they are also more flexible in dealing with DoS. For these reasons, when security issues are of concern, source-centric routing is preferable.
4.1 Security Associations and Public Key Infrastructure
There are three basic security requirements: confidentiality, integrity and
availability. Confidentiality (privacy) and integrity (authenticity) are
achieved by using secret key or public key cryptographic mechanisms [59]. For
confidentiality packets are encrypted, and for integrity digital signatures or
message authentication codes (MACs) are used. Whether secret key or
public key mechanisms are adopted, security (trust) associations must be
established between the nodes of the network. One way to do this is by
using (external) trusted third parties or a Public Key Infrastructure [59]
(e.g., with satellite broadcast). Alternatively, trust relationships may be
distributed based on a priori knowledge, or on local observations. One of
the main problems with the management of distributed trust associations
is dealing with malicious behavior and key revocation. Reputation based
systems address such issues by assigning trust ratings to nodes based on
“opinions” of nodes regarding the behavior of their neighbors. The trust
ratings are regularly updated (see e.g., [9,10]). Trust associations can also
be supported by incentives that reward good behavior (see e.g., [58]).
Below we describe the two main types of attacks that apply to ad hoc
networks: DoS attacks and man-in-the-middle attacks, and discuss
mechanisms that can be used to control them.
4.2 Denial of Service attacks
There are several ways in which a DoS can be triggered. For example, the
adversary can cause a DoS by flooding the network with irrelevant packets
(via faulty nodes). Another way to trigger a DoS is by flooding queries
in dense networks. We also have DoS attacks on routes. If the adversary
succeeds in taking control of a route, for example by having one or more
nodes under his control selected by a route discovery algorithm, then the
adversary may advertise non-existing routes or routes that lead to loops,
which could prevent routing updates from settling and converging.
Denial of service can also be triggered by packet dropping. For example,
nodes involved in a route discovery algorithm may drop packets downstream
or upstream (or both), depending on the situation, to prevent the source
getting path information. Furthermore, packet dropping can take place
during communication, thus preventing packets reaching the destination or
acknowledgements reaching the source. This problem is aggravated when
malicious nodes collude.
DoS caused by flooding from malicious nodes can be controlled by using
Intrusion Detection mechanisms. DoS caused by network density is
usually controlled by reducing the broadcast redundancy. Gossip protocols
[22,57,19] use this approach by reducing the number of retransmissions.
In particular, nodes will only transmit a received message with a
certain probability p, called the gossip probability.
Haas-Halpern-Li [30] describe two gossip protocols. The first one has
constant gossip probability $p = k/c$, $k < c$, where k is a propagation
parameter and c a lower bound on the degree of the nodes (the number of their
neighbors) of the network. For this protocol the expected number of gossips
(transmissions) in the neighborhood of a node x is $c_x p = k(c_x/c)$, where
$c_x$ is the degree of x. The second protocol uses a dynamic gossip probability.
In this case, each node x computes $p_x = k/c_x$, $0 < k \le c_x$, and the
expected number of gossips per neighborhood is reduced to k. DoS, when not
malicious, is best addressed at the data link layer. However, malicious DoS
attacks have to be addressed at the network layer and above (Section 4.5).
From a security point of view, gossiping may have undesirable effects.
Chief among these is the fact that malicious nodes gain undue influence in
the propagation process, while non-faulty nodes that adhere to the protocol
may forego participation. Thus protocols that may be highly reliable and
efficient in a fair environment will be ineffective in a malicious environment.
However, by exploiting other locally available information it is possible to
improve the efficiency of gossip protocols and to enhance their security.
Several such protocols are proposed in [16,17].
One way to deal with DoS attacks on routes caused by malicious node
behavior is to use fault tracing algorithms. Awerbuch-Holmer-Nita Rotaru-Rubens
[2] use an adaptive probing technique to trace malicious link failures.
This triggers an onion routing [62] algorithm on routes for which faults occur
at a rate higher than that of ordinary link failures (non-malicious) of the
network. Nodes on the faulty route are requested to either acknowledge the
receipt of a packet, or to confirm a timeout, if no packet is received.
Digital signatures [59] are used to authenticate acknowledgments or to confirm
timeouts of non-faulty nodes. Since the adversary cannot forge signatures,
it is possible to trace malicious behavior. There are however several
problems with this approach, due primarily to the fact that an a priori
stochastic approach cannot in general be used to probe malicious behavior. For
example, a malicious node need not exhibit faulty behavior when probed, but
only during communication. Furthermore, malicious faults may occur very
infrequently: for example only when they are least expected. Such behavior
cannot be probed using a priori failure rates. In Section 5 we describe two
algorithms that will trace such malicious behavior when it occurs.
4.3 Man-in-the-Middle attacks
In a man-in-the-middle attack the adversary takes control of the
communication channel between the source and destination by interposing between
them. In its simplest form, it is a passive attack in which the adversary
relays packets between two nodes x, y via nodes under his control. The
relaying node(s) is (are) transparent to x and y, and x is fooled into believing
that y is in range (a neighbor). In particular x, y will appear to be
adjacent in any route containing them. The attacker will not be listed on the
route, but the nodes x, y will be. Consequently, the route will appear to
be shorter than it actually is, and therefore may be selected in preference
to other routes. In this way the adversary can take control of the route.
Authentication mechanisms (e.g., message authentication codes or digital
signatures) are of no help: the adversary simply relays the authenticators
via “invisible” nodes under his control.
Active man-in-the-middle attacks in which the attacker is an “insider”,
that is a malicious node that is trusted, are the hardest to control. In such
attacks, the attacker is properly authenticated and controls nodes on routes
originating at the source. In a wormhole attack [33] the adversary succeeds
in fooling the source into believing that a route is short by tunneling packets
intended for the destination via nodes under his control. A rushing attack
is a wormhole attack in which the adversary succeeds in sending packets
through the wormhole faster than normal network traffic. In these attacks,
some of the faulty nodes are insiders listed on the route to the destination.
As before, the route may appear to be shorter and selected in preference
to others. With such attacks it may not be possible to distinguish non-faulty
nodes from malicious nodes because, as mentioned earlier, the adversary may
disguise the attack to mimic (stochastically) a failure caused by Nature.
In a Sybil attack [25] a malicious node z presents multiple identities.
In this way z succeeds in fooling the source into believing that there are
many short routes to the destination. These routes pass through conspiring
nodes $z_i$ that may actually be far away (in broadcast hops), but which are
used as proxy nodes by the “nearby” node z. In this attack node z knows
the secret authentication keys of the conspiring nodes $z_i$, and uses these to
authenticate the proxy nodes.
Man-in-the-middle attacks in ad hoc networks are hard to counter, if
not impossible. There are two general approaches that can be used with
such attacks: a temporal approach and a locational approach. The former
exploits the time taken for each broadcast hop. In most cases this can be
used to prevent the attacker from falsifying the length of routes. The latter
uses the physical location of the nodes. Each node certifies its own position.
In most cases this approach allows non-faulty neighbor nodes to trace nodes
that claim false positions.
4.4 Security issues for Ariadne,SEAD and SAODV routing
Several routing protocols in the literature address security issues (see e.g.,
[49]). Here we discuss three of the more popular ones: Ariadne [31], SEAD [32]
and Secure AODV [68].
Ariadne is a source-centric routing algorithm based on DSR that uses an
authentication mechanism with a keyed hash chain called TESLA [31] for
path integrity. The security of this algorithm is based on the assumption that
all nodes on a route (insiders) will protect the integrity of path information.
It therefore will not tolerate insider attacks. Thus it does not tolerate DoS
caused by packet dropping, which is a special case of insider attacks. SEAD
is a source-centric variant of Ariadne. This algorithm also does not tolerate
insider attacks.
Secure AODV (SAODV) is a network-centric routing algorithm that is
based on the AODV algorithm (Section 3.2). It uses digital signatures and
hash chains to protect the integrity of path information. As with the
previous two algorithms it will not tolerate insider attacks.
Rushing attacks (Section 4.3) on routing algorithms are the hardest to
control. These are wormhole attacks in which two colluding malicious nodes,
one close to the source s, the other close to the destination d, tunnel packets
intended for d and sent by s via a wormhole, slightly faster than normal
network traffic. The colluding nodes are authenticated and may insert
conspiring nodes (using a Sybil attack) on the path to make its length appear
normal. In this way the path discovery algorithm may select this path in
preference to other paths. To prevent such attacks one can use temporal
and locational mechanisms (e.g., mechanisms that make it possible for the
nodes to gather information about their position at any given point in time).
Alternatively, one may use directional or signal strength mechanisms.
4.5 Security at the physical and data link layers
There are two types of faults that may occur in a routing algorithm: (i)
faults whose effect is stochastically indistinguishable from ordinary link
failures caused by the mobility of the system, radio interference, power
failure, etc., and (ii) faults whose effect can be distinguished from ordinary
failures. Malicious faults tend to be of the second type, although the first
type should not be excluded. For example, as already observed, the adversary
may try to evade detection by causing faults that mimic the statistics of
natural failures. Furthermore, malicious physical faults may affect the
mobility of the system.
Faults that are indistinguishable from ordinary failures can be controlled
effectively by using redundancy and replication, in particular by using error
detection, error correction and erasure mechanisms. These faults are best
dealt with at the physical or data link layer of the protocol stack with
Medium Access Control (MAC) protocols (see e.g., [4]). At these layers
one can also deal with jamming attacks (using frequency-hopping spread
spectrum techniques) and most isolated Denial of Service attacks.
Faults of the second type, although by definition statistically detectable,
can be quite hard to trace or locate on a path (see e.g., [15,2]). They include
malicious faults. Such faults may only occur when they are least expected,
and may not be traceable with statistical failure analysis. The reason for
this is that any analysis based on reported failures can be manipulated by
the adversary. Faults of this type have to be addressed at the network layer.
In this paper we focus on such faults.
5 Tracing malicious faults
In this section we consider routing algorithms that will trace malicious faults
by identifying malicious behavior. Faulty nodes that are traced have their
keys invalidated by the non-faulty nodes, thus preventing future attacks.
If a faulty node refuses to forward a received packet, then its neighbors
will detect this behavior, and if they are not faulty, report it to other nodes.
Faulty nodes, however, may not do this and therefore reported failure rates
may be inaccurate. Consequently, tracing mechanisms at the link layer that
are triggered by failure rates exceeding a certain threshold can fail
to trace malicious behavior. So we cannot use the data link layer to trace
malicious behavior.
It is important to note that when a node has been located and reported
as malicious by another node then it is not possible to tell which node is
actually faulty: the reporting or the reported node. There are two approaches
to address such issues. In the first, we assume that the number of malicious
nodes in the network is bounded, say not more than k. Then any node that
is reported as malicious by more than k different nodes is indeed malicious.
In the second approach, each time a node is reported as malicious, both the
reporting node and the reported node are treated as malicious and
eliminated. In this case the malicious nodes can cause up to k faults, but will
be eliminated together with up to k non-faulty nodes.
5.1 An algorithm that traces malicious faults
Our first algorithm that traces malicious node behavior is based on the
tracing algorithm in [15]. This algorithm identifies and locates malicious
behavior whenever it occurs (footnote 7). The cost of tracing is a single
digital signature and its verification. In contrast to [2], this algorithm will
locate faults even when malicious nodes collude. In this algorithm, each
participating node only needs to know its neighbors on the path.

Footnote 7: Faults that can be dealt with at the data link layer by error
correction and re-sending packets are treated as non-malicious.

The tracing algorithm is described in Figure 1. In this figure, the source
s sends a packet $pkt_s$ to succ(s), to be delivered to the destination d. If
there is no fault the packet reaches d, who will send back to s a digitally
signed acknowledgement $ack_d$. If there is a fault then each intermediate
node x on the path will check its downstream link to pinpoint a malicious node.
If the downstream link (x, succ(x)) of x is faulty then x sends back to s a
digitally signed $nack_x$. Similarly if x receives a failure report $nack_y$
from a downstream node y, it sends this back to s.

Source s. Set $seq_s = 0$. While a connection to d has not terminated:
  1. Set $timer_s$ and send $pkt_s$ to succ(s).
  2. If a valid $ack_d$ is received before timeout then set $seq_s = seq_s + 1$.
  3. If a valid $nack_y$ is received before timeout then y or succ(y) is malicious.
  4. Otherwise succ(s) is malicious.
Intermediate node x. When a valid $pkt_s$ is received:
  1. Set $timer_x$ and send $pkt_s$ to succ(x).
  2. If a valid $ack_d$ is received before timeout then send $ack_d$ to prec(x).
  3. If a valid $nack_y$ is received before timeout then send $nack_y$ to prec(x).
  4. Otherwise construct and send a $nack_x$ to prec(x).
Destination d. When a valid $pkt_s$ is received:
  1. Construct and send $ack_d$ to prec(d).

Figure 1: A routing algorithm that traces malicious behavior.

The following notation is used:
• $seq_s$ and $timer_s$, counters for s; timeout depends on the time taken for
  a roundtrip from s to d.
• $pkt_s = [s, d, sn, seq_s, data]_s$, a digitally signed packet by s consisting
  of: identifiers s, d, a session number sn for tracing algorithm (unique to
  each session), the sequence number $seq_s$ for $pkt_s$.
• $ack_d = [s, d, sn, seq_s]_d$, a digitally signed acknowledgment by d that
  $pkt_s$ is received.
• prec(x), succ(x), the nodes that precede, succeed x on the path taken by
  $pkt_s$.
• $nack_y = [s, d, y, succ(y), sn, seq_s]_y$, a digitally signed
  acknowledgement of failure of succ(y) reported by y.
Observe that when dealing with a malicious adversary we have to use some
kind of cryptographic mechanism to protect the integrity of transmitted
packets. In particular, in this algorithm packets should be validated and
checked by intermediate nodes before being processed.
Theorem 5.1 For any k-adversary, the tracing algorithm in Figure 1 always
succeeds in either sending $pkt_s$ to d or tracing at least one faulty node.
In particular we have:
1. If all nodes adhere to the protocol then the destination d will receive
   $pkt_s$ and the source s will receive $ack_d$ before timeout.
2. If the source s receives an $ack_d$ before timeout then the destination d
   has received $pkt_s$.
3. If the source s does not receive an $ack_d$ before timeout then at least
   one faulty node is traced.
Proof. We prove each part separately.
1. It is obvious that when all nodes adhere to the protocol, the events
   happen as follows:
   $$s \xrightarrow{pkt_s} x_1 \xrightarrow{pkt_s} \cdots\; x_{n-1} \xrightarrow{pkt_s} d \xrightarrow{ack_d} x_{n-1} \xrightarrow{ack_d} \cdots\; x_1 \xrightarrow{ack_d} s,$$
   where each node x on the forward leg ($s, x_1, \ldots, x_{n-1}$) is shown at
   the point where $timer_x$ starts, each node x on the return leg
   ($x_{n-1}, \ldots, x_1, s$) at the point where $timer_x$ stops, and
   $x \xrightarrow{u} y$ means y receives packet u from x. Therefore, $pkt_s$
   is received by d and $ack_d$ is received by s.
2. Suppose that the source receives $ack_d$. By our assumption on the
   unforgeability of digital signatures, only the source s can sign
   $pkt_s$ and only the destination d can sign $ack_d$. Furthermore, in
   the protocol d only signs a matching $ack_d$ when it receives a valid
   $pkt_s$. Hence when s receives a valid $ack_d$ that matches $pkt_s$, then d
   has received $pkt_s$.
3. Suppose that the source s has not received $ack_d$ before timeout. First
   observe that any non-faulty intermediate node x that has received $pkt_s$
   upstream will have sent back upstream either an $ack_d$ or a $nack_y$ for
   some y before its timer times out. We shall show that:
   (a) If s has not received a valid $nack_y$ before its $timer_s$ times out,
       then succ(s) is faulty.
   (b) If s has received a valid $nack_y = [s, d, sn, seq, y, z]_y$ for some
       y, z before its $timer_s$ times out, then at least one of {y, z} is
       faulty.
   Indeed (a) is true because if succ(s) were not faulty then by our
   observation, s would have received an $ack_d$ or a $nack_y$, both of which
   contradict our assumptions.
   We next show that (b) is also true. Suppose that the source s receives
   a valid $nack_y$. If y is faulty then clearly (b) is true so we assume that
   y is not faulty. By the protocol, y only signs a $nack_y$ when: (i) it has
   received and forwarded $pkt_s$ to succ(y) and, (ii) it has not received
   either an $ack_d$ or a $nack_z$ from succ(y). Thus succ(y) did receive
   $pkt_s$ but did not send back any $ack_d$ nor $nack_z$. Therefore succ(y)
   must be faulty, i.e., (b) is true.
   Consequently, in either case (a) or (b), s succeeded in tracing at least
   one faulty node. □
In this tracing algorithm when there are no faults, a short ack is sent
back. When faults do occur, a short nack is sent. In either case, a packet
is confirmed successfully delivered, or a fault location is determined with
only one digital signature. This is the most efficient single round routing
algorithm that will trace malicious behavior. It greatly improves on the
fault tracing algorithm in [2], where at least log(n) communication rounds
and signatures are needed to locate a malicious fault.
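The tracing rules of Figure 1 can be exercised in a small simulation. The following is an added example, not code from the paper: HMAC tags stand in for the digital signatures (an assumption made so that only the standard library is needed), the path, keys and the fault labels "drop", "swallow", "frame" and "forge" are constructed for illustration, and a return value of None models a timeout at the upstream node.

```python
import hashlib
import hmac

# Constructed path and per-node keys. HMAC stands in for the digital
# signatures of Figure 1 (assumption: real nodes would use public-key
# signatures, so a verifier would never hold the signer's secret).
PATH = ["s", "x1", "x2", "x3", "d"]
KEYS = {n: hashlib.sha256(("demo-key-" + n).encode()).digest() for n in PATH}

def _tag(signer, fields):
    return hmac.new(KEYS[signer], repr(tuple(fields)).encode(), hashlib.sha256).digest()

def sign(signer, fields):
    return {"signer": signer, "fields": tuple(fields), "tag": _tag(signer, fields)}

def valid(msg, signer):
    """True if msg carries a correct tag under signer's key."""
    if msg is None or msg["signer"] != signer or signer not in KEYS:
        return False
    return hmac.compare_digest(_tag(signer, msg["fields"]), msg["tag"])

def make_pkt(s, d, sn, seq, data):      # pkt_s = [s, d, sn, seq_s, data]_s
    return sign(s, ("pkt", s, d, sn, seq, data))

def make_ack(pkt, d):                   # ack_d = [s, d, sn, seq_s]_d
    _, s, dst, sn, seq, _ = pkt["fields"]
    return sign(d, ("ack", s, dst, sn, seq))

def make_nack(pkt, y, succ_y):          # nack_y = [s, d, y, succ(y), sn, seq_s]_y
    _, s, d, sn, seq, _ = pkt["fields"]
    return sign(y, ("nack", s, d, y, succ_y, sn, seq))

def check_reply(reply, pkt):
    """Classify a reply as 'ack' or 'nack'; anything else counts as a timeout."""
    if reply is None:
        return None
    _, s, d, sn, seq, _ = pkt["fields"]
    f = reply["fields"]
    if f == ("ack", s, d, sn, seq) and valid(reply, d):
        return "ack"
    if len(f) == 7 and f[0] == "nack" and (f[1], f[2], f[5], f[6]) == (s, d, sn, seq):
        return "nack" if valid(reply, f[3]) else None
    return None

def deliver(path, i, pkt, faults):
    """What path[i] sends back to prec(path[i]); None models a timeout upstream."""
    x, fault = path[i], faults.get(path[i])
    if not valid(pkt, path[0]):          # packets are validated before processing
        return None
    if i == len(path) - 1:               # destination d (assumed non-faulty here)
        return make_ack(pkt, x)
    if fault == "drop":                  # receives pkt_s, forwards nothing
        return None
    reply = deliver(path, i + 1, pkt, faults)
    if fault == "swallow":               # forwards pkt_s but suppresses the reply
        return None
    if fault == "frame":                 # signs a false report against succ(x)
        return make_nack(pkt, x, path[i + 1])
    if fault == "forge":                 # nack in succ(x)'s name; x lacks that key
        after = path[min(i + 2, len(path) - 1)]
        return {**make_nack(pkt, path[i + 1], after), "tag": b"\x00" * 32}
    if check_reply(reply, pkt) in ("ack", "nack"):
        return reply                     # steps 2 and 3 of an intermediate node
    return make_nack(pkt, x, path[i + 1])    # step 4: timeout, blame own link

def source_send(path, faults, sn=1, seq=0, data="hello"):
    """Steps 1-4 of the source: returns (status, set of suspected nodes)."""
    pkt = make_pkt(path[0], path[-1], sn, seq, data)
    reply = deliver(path, 1, pkt, faults)
    kind = check_reply(reply, pkt)
    if kind == "ack":
        return "delivered", set()
    if kind == "nack":
        return "traced", {reply["fields"][3], reply["fields"][4]}
    return "traced", {path[1]}

if __name__ == "__main__":
    for faults in ({}, {"x2": "drop"}, {"x2": "frame"}, {"x2": "forge"}, {"x1": "drop"}):
        print(faults, "->", source_send(PATH, faults))
```

In every faulty run the suspect set contains the misbehaving node, including the case where it signs a false report against its honest successor, which is why the source can only conclude that y or succ(y) is malicious.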
5.2 An optimistic tracing algorithm
We describe an optimistic (footnote 8) routing algorithm that will trace
malicious node behavior. With this algorithm there is no additional cost when
there are no faults. When faults do occur, the cost to locate a fault is one
tracing round and one digital signature. The tracing algorithm is described in
Figure 2.

Source s. Set $seq_s = 0$. While a connection to d has not terminated do:
  1. Set $timer_s$ and send $pkt_s$ to succ(s).
  2. If $ack_d$ is received before timeout then set $seq_s = seq_s + 1$.
  3. Else if a valid $nack_y$ is received before timeout then y or succ(y) is malicious.
  4. Otherwise:
     (a) Send $prob_s$ to succ(s).
     (b) If a valid $nack_y$ is received before timeout then y or succ(y) is malicious.
     (c) Else succ(s) is malicious.
Intermediate node x. When $pkt_s$ is received:
  1. Set $timer_{xd}$ and send $pkt_s$ to succ(x).
  2. If a matching $ack_d$ is received before $timer_{xd}$ times out then
     (a) Set $timer_{xs}$ and send $ack_d$ to prec(x).
     (b) If a valid $prob_s$ is received before $timer_{xs}$ times out then
         i. Set $timer'_{xd}$ and send $prob_s$ to succ(x).
         ii. If a valid $nack_y$ is received before $timer'_{xd}$ times out then
             send $nack_y$ to prec(x).
         iii. Else construct and send $nack_x$ to prec(x).
  3. Else if a valid $nack_y$ is received before $timer_{xd}$ times out then
     (a) Send $nack_y$ to prec(x).
  4. Otherwise construct and send $nack_x$ to prec(x).
Destination d. When a valid $pkt_s$ is received:
  1. Construct and send $ack_d$ to prec(d).

Figure 2: An optimistic tracing algorithm.

Footnote 8: Optimistic algorithms have optimal performance when there are no
faults.

We use the notation in the previous section adjusted as follows:
• $pkt_s = [s, d, sn, seq_s, data]_{sd}$, a packet authenticated with a message
  authentication code consisting of: identifiers s, d, a session number sn for
  tracing algorithm (unique to each session), the sequence number $seq_s$ for
  $pkt_s$.
• $ack_d = [s, d, sn, seq_s]_{sd}$, an acknowledgement by the destination d.
• $prob_s = [s, d, sn, seq_s, hash(pkt_s), hash(ack_d)]_s$, where hash is a
  cryptographic hash function [59].
• $timer_{xy}$, bound on time taken for a packet going round trip from x to y.
Here $pkt_s$ and $ack_d$ are checked by s and d by using their shared key sd.
Intermediate nodes check matching strings $(s, d, sn, seq_s)$ in all packets and
only check the digital signatures in $nack_y$ and $prob_s$.
Theorem 5.2 For any k-adversary, the optimistic routing algorithm always
succeeds in either sending $pkt_s$ to d or tracing at least one faulty node.
Proof. This is essentially the same as that of Theorem 5.1, except that in
this case the tracing takes place in a second round when $prob_s$ is sent. □
5.3 Tracing malicious behavior with AODV and DSR
Most of the routing algorithms in ad hoc networks can easily be extended
to include our tracing mechanisms for the communication phase. For example,
for distance vector based routings such as the Destination-Sequenced
Distance-Vector Routing algorithm or the Ad-hoc On-Demand Distance-Vector
Routing algorithm (Section 3.2), we can trace malicious faults by
using Step 2, Step 3 and Step 4 of the tracing algorithm in either Figure 1
or Figure 2, for packet processing (the store-and-forward process).
Similarly, with the Dynamic Source Routing algorithm (Section 3.3) we
can trace malicious faults by adding Step 2, Step 3 and Step 4 of the tracing
algorithm in Figure 1 or Figure 2 for the source and intermediate nodes at
the network layer, i.e., after the error checking at the data link layer. In
this case, the error reporting at the data link layer is redundant, although
it can be useful to optimize the tracing time.
6 Multipath & Multichannel Routing
While reactive algorithms trace, correct and remove malicious faults,
proactive algorithms essentially circumvent faults by using multiple paths (or
channels) that are independent (disjoint). In this section we will describe
some general approaches that can be used to establish proactive routing by
exploiting particular features of ad hoc networks.
Multipath routing involves the establishment of multiple paths between
source and destination pairs. These paths may be used for replicated (or
redundant) communication to control malicious attacks. The main
advantage of communication via multiple paths is that by exploiting
redundancy it guarantees service continuity, even when the adversary is active.
Multipath routing may also be used for quality of service such as load
balancing, aggregation of network bandwidth, reducing traffic congestion,
etc. [54,44,61,28,64,65]. Another application involves diversity coding [1]
for which multipaths are used for fault tolerance and self-healing.
Multipath routing in mobile ad hoc networks will support extreme
security, when continuity of communication is critical and there are enough
redundant resources. Because of their lack of infrastructure, ad hoc networks
offer an independent communication service which is less prone to physical
attacks (due to their mobility). They can be used as overlay networks to
provide additional redundancy and diversity. For highly critical applications
the usual power constraint for ad hoc networks can be relaxed and node
mobility can be controlled in such a way so as to support safety/security.
Finding routes with multiple paths in networks that have no fixed
infrastructure is challenging and in general requires a different approach to
that used with fixed infrastructures. In the following section we shall consider
several multipath route discovery approaches. These will include routing
algorithms that flood packets along narrow corridors that link the source to
the destination. This type of routing is called multichannel routing. Our
first example is of a location-based multipath routing algorithm.
6.1 Geodesic Routing
Geodesic Routing (GR) is location based routing. Each node of the ad hoc
network is assumed to know its approximate location (by using either a
GPS device or some other means [18]). Vertex-disjointness is established
with spatially disjoint routes.
6.1.1 Circle Routing
With Circle Routing (CR) [14], a family of circles incident with the source
s and destination d is used for routing. The source selects a few circular
paths $\pi_i$, say t ≥ 1, with sufficient space disjointness (not too close).
Areas close to s and d have to be dealt with appropriately. Packets are
directed along these paths. To each packet the location coordinates of a
circular path $\pi_i$ are appended, that is its center $C_i$ and radius $R_i$.
To allow for the possibility that there may not be sufficient forwarding nodes
on a selected path, the paths may be “broadened” to corridors by allowing nodes
a few hops away to be used. This is a parameter selected by s and is also
appended to the packets. Two other variables are appended to the packets:
direction (clockwise/counterclockwise) and ttl (time-to-live in hop counts).
The location of d is obtained by ordinary flooding. Encryption is used
to protect the location of d. There are two communication modes that can
be used with CR: (i) multipath routing and (ii) multichannel routing. The
first involves forwarding packets to specified neighbors along the paths
$\pi_i$ (footnote 9). The second is, essentially, directed flooding along given
circular corridors (of specified hop diameter). With multichannel routing the
only location information about s, d that leaks to the intermediate nodes (and
the adversary!) is the center and radius of the path used (and possibly the
direction). This routing mode is appropriate for high mobility applications,
and does not require any local neighborhood knowledge.
Multipath routing. Packets are forwarded through multiple (vertex) disjoint
paths that link the source s and destination d. The paths are determined by
the source as follows. Let $S = (x_s, y_s)$ and $D = (x_d, y_d)$ be the
coordinate positions in the Euclidean plane of the source and destination. The
source first computes the midpoint of S, D: $(x_{mid}, y_{mid})$, where
$x_{mid} = \frac{x_s + x_d}{2}$, $y_{mid} = \frac{y_s + y_d}{2}$, and the slope
m of (S, D): $m = \frac{y_d - y_s}{x_d - x_s}$. To select t circular paths, s
chooses random (footnote 10) numbers $r_i$, $i = 1, \ldots, t$ and computes the
coordinates of the centers $C_i$ and the radii $R_i$, $i = 1, \ldots, t$, as
follows:
$$C_i = \left(x_{mid} + r_i,\; y_{mid} - \frac{r_i}{m}\right), \qquad R_i = \sqrt{\left(\frac{x_d - x_s}{2} + r_i\right)^2 + \left(\frac{y_d - y_s}{2} - \frac{r_i}{m}\right)^2}.$$
The source s selects a neighbor $P_i$ for which $|distance(P_i, C_i) - R_i|$ is
minimized, for each path $\pi_i$, $i = 1, \ldots, t$, as specified by direction.
Then s sends the packet $pkt_s = (P_i; direction, C_i, R_i; data)$ to each
$P_i$, $i = 1, \ldots, t$.
On receiving $pkt_s = (Q_j, direction, C_j, R_j; data)$, each node $Q_j$ checks
if it is on the corresponding path $\pi_j$ determined by
$(direction, C_j, R_j)$. If it is, $Q_j$ selects as next node on its path a
neighbor $T_j$ for which $|distance(T_j, C_j) - R_j|$ is minimized, and sends
$T_j$ the packet $pkt_s = (T_j, direction, C_j, R_j; data)$.
Footnote 9: In sequential multipath routing, paths are used sequentially
one-at-a-time. Each time a path fails, the next one is selected.
Footnote 10: Although this scenario is described for the Euclidean plane, only
a finite subset is used.
Multichannel routing. Packets are flooded locally along t circular channels
(corridors) that link the source and destination. The channels are selected
by the source.
Curve Routing. Several other geometric families of curves can be used
in a similar way, as for example families of ellipses.
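The circle construction and next-hop rule of the multipath mode, as an added example that is not code from the paper. It follows the formulas for the center and radius given above and goes one step further by handling the two cases in which the slope m is zero or undefined; the function names, the cross-product test for clockwise/counterclockwise progress, the radio range and the node coordinates are assumptions constructed for the demonstration.

```python
import math

def circle_through(S, D, r):
    """Center C and radius R of the circle through S and D for offset r."""
    (xs, ys), (xd, yd) = S, D
    if (xs, ys) == (xd, yd):
        raise ValueError("source and destination coincide")
    x_mid, y_mid = (xs + xd) / 2, (ys + yd) / 2
    if xd == xs:                 # vertical SD: m is infinite, so r/m vanishes
        C = (x_mid + r, y_mid)
    elif yd == ys:               # horizontal SD: m = 0, the bisector is vertical
        C = (x_mid, y_mid + r)
    else:
        m = (yd - ys) / (xd - xs)
        C = (x_mid + r, y_mid - r / m)      # formula from the text
    return C, math.dist(C, S)    # equals the text's R_i, the distance from C to S

def turn(C, a, b):
    """Positive if moving a -> b is counterclockwise around C, negative if clockwise."""
    return (a[0] - C[0]) * (b[1] - C[1]) - (a[1] - C[1]) * (b[0] - C[0])

def next_hop(current, neighbors, C, R, direction):
    """Neighbor ahead in `direction` ('cw' or 'ccw') minimizing |distance(n, C) - R|."""
    sign = 1 if direction == "ccw" else -1
    ahead = [n for n in neighbors if sign * turn(C, current, n) > 0]
    return min(ahead, key=lambda n: abs(math.dist(n, C) - R), default=None)

def route(S, D, nodes, radio_range, r, direction, ttl=16):
    """Greedy forwarding along one circular path; None if the path breaks or ttl expires."""
    C, R = circle_through(S, D, r)
    hops, cur = [S], S
    while ttl > 0:
        nbrs = [n for n in nodes if n != cur and math.dist(n, cur) <= radio_range]
        if D in nbrs:
            return hops + [D]
        cur = next_hop(cur, nbrs, C, R, direction)
        if cur is None:
            return None
        hops.append(cur)
        ttl -= 1
    return None

def on_circle(C, R, degrees):
    a = math.radians(degrees)
    return (C[0] + R * math.cos(a), C[1] + R * math.sin(a))

# Constructed demo topology: three relays placed on the circle between S and D.
DEMO_S, DEMO_D = (0.0, 0.0), (4.0, 2.0)
DEMO_C, DEMO_R = circle_through(DEMO_S, DEMO_D, 1.0)
DEMO_RELAYS = [on_circle(DEMO_C, DEMO_R, a) for a in (140, 115, 95)]

if __name__ == "__main__":
    print("center", DEMO_C, "radius", round(DEMO_R, 3))
    print(route(DEMO_S, DEMO_D, DEMO_RELAYS + [DEMO_D], 1.5, 1.0, "cw"))
```

A forwarding node needs only (direction, C, R) from the packet and the positions of its own neighbors, which is the limited location leakage the section describes.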
6.1.2 Space-Disjoint Routing
Space-Disjoint Routing (SPR) is an extension of circle routing in which the
space between the source and the destination is partitioned, and packets are
sent through the partitions. There are several ways of doing this. One way
is to use templates (stretchable maps), which given three space locations,
will determine a forwarding direction. Such templates may take into account
the physical topology features, such as the terrain of the particular network
application.
6.2 Color Routing
Color routing algorithms are used in networks whose nodes are multicolored.
The colors may correspond to node vulnerabilities. For example, a color may
be assigned to each module that is used by the node. Nodes using similar
modules (same software, hardware, same manufacturer, etc.) have a common
color. When a particular module gets corrupted by the adversary, then all
nodes that use similar modules may become faulty. Consequently, nodes
with a common color may be compromised. For such networks, security
is achieved by using independent platforms (different software, hardware,
manufacturer, etc.).
6.2.1 Color-Disjoint Routing
Color-Disjoint Routing (CDR) is color routing via multipaths whose paths
are color-disjoint. A CDR can tolerate up to t − 1 faults if a multipath
with t paths is used. The advantage of CDR routing is that it tolerates
a large number of faults (with few colors) using only a small number of
paths. A similar approach has been used to model fault-tolerant and secure
computations [11,12]. As noted in [12], finding color-disjoint paths appears
to be hard, even for two-path routing.
6.2.2 Color-Secure Routing
Color-Secure Routing (CSR) is color routing via multipaths for which there
is at least one path avoiding certain specified colors. A CSR algorithm is
c-secure if for any set of c colors there is at least one path none of whose
nodes have these colors. For example, a CSR algorithm is secure against
single color faults if for any color, there is a path whose nodes do not have
this color. In general, the paths in such a route are not color-disjoint.
In the context of mobile ad hoc routing, finding multipath routes with
the least number of paths requires knowledge of the full mobility graph.
Therefore it is not practical to ask for optimal solutions. Below we describe
an extension of the Dynamic Source Routing algorithm (Section 3.3.1) to
colored graphs which gives us Color-Secure routing for small values of c.
A Color-Secure DSR algorithm. As in DSR, the source s initiates a route
discovery algorithm by flooding the network with requests rreq for new
connectivity information (Section 3.3). In time, the destination node d will
receive sets of rreq packets that contain different paths linking (s, d). Node
d obtains a minimal c-secure color path set by removing all redundant paths
from the list. The minimal set is then used to communicate with the source.
As in DSR, the route discovery process is improved by having each node of
the network cache multipath routes when they are found.
If some paths are disconnected, the source initiates a new route discovery
process, which discovers more paths, while the remaining good paths are still
used for communication, thus providing continuity of service.
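The pruning step performed by d can be sketched as follows. This is an added example, not code from the paper: the c-secure test follows the definition in Section 6.2.2, while the greedy removal order (longest paths first), the exclusion of the endpoints s and d from a path's colors, and the node names and colors are assumptions constructed for illustration.

```python
from itertools import combinations

def path_colors(path, color):
    """Colors of the intermediate nodes of a path (endpoints s and d excluded)."""
    return {color[n] for n in path[1:-1]}

def is_c_secure(paths, color, c):
    """True if for any set of c colors at least one path has none of them."""
    if not paths:
        return False
    used = [path_colors(p, color) for p in paths]
    palette = sorted(set().union(*used))
    # Colors that occur on no path cannot block a path, so it is enough to
    # test sets drawn from the colors that do occur.
    k = min(c, len(palette))
    return all(any(pc.isdisjoint(bad) for pc in used)
               for bad in combinations(palette, k))

def minimal_c_secure(paths, color, c):
    """Remove redundant paths while the set stays c-secure; None if it never was."""
    if not is_c_secure(paths, color, c):
        return None
    kept = list(paths)
    for p in sorted(paths, key=len, reverse=True):   # try dropping long paths first
        trial = [q for q in kept if q != p]
        if is_c_secure(trial, color, c):
            kept = trial
    return kept

def surviving_paths(paths, color, compromised):
    """Paths still usable when every node of a compromised color is faulty."""
    return [p for p in paths if path_colors(p, color).isdisjoint(compromised)]

# Constructed example: paths collected by d from rreq packets, and node colors.
COLOR = {"a": "red", "b": "blue", "e": "green", "f": "red", "g": "blue"}
PATHS = [["s", "a", "d"], ["s", "b", "d"], ["s", "e", "d"], ["s", "f", "g", "d"]]

if __name__ == "__main__":
    for c in (1, 2, 3):
        print("c =", c, "->", minimal_c_secure(PATHS, COLOR, c))
```

The result is minimal in the sense that no further path can be removed without losing c-security; it is not guaranteed to be the smallest such set, which matches the text's remark that optimal solutions are not practical.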
6.3 Simple Multipath Communication
Figure 3 illustrates a simple multipath communication algorithm. The
algorithm uses a t-multipath route whose paths are vertex-disjoint, and will
tolerate up to (t − 1) faults. Two digital signatures and two encryptions
are needed (we can also use message authentication codes, and symmetric
encryption [59]).
In the protocol:
• $pkt_s = [s, d, sn, seq_s, data]_s$, a packet with its digital signature by s
  consisting of: a session number sn, a sequence number $seq_s$ and data;
• $ack_d = [s, d, sn, seq_s]_d$, a digitally signed acknowledgment by d that
  $pkt_s$ is received.
To send data to the destination d, the source digitally signs
$(s, d, sn, seq_s, data)$ with its signing key, appends the signature and then
encrypts the result with the encryption key of d. The source s then broadcasts
via the t vertex-disjoint paths of the multipath the signed-then-encrypted
packet $pkt_s = \{[s, d, sn, seq_s, data]_s\}_d$. The destination d will accept
$pkt_s$ if $(sn, seq_s)$ has not been used in an earlier packet and if the
signature of s is valid. If this is the case, then d broadcasts via the
t-multipath the acknowledgement $ack_d = [s, d, sn, seq_s]_d$ to s.

Source s
  1. Broadcast $pkt_s$ to d via t paths
  2. If $ack_d$ is received before timeout
     (a) Set $seq_s = seq_s + 1$
     (b) Return success
Destination d
  1. If a packet pkt is received
     (a) Broadcast $ack_d$ to s via t paths
     (b) Set $seq_s = seq_s + 1$
     (c) Return $(s, sn, seq_s, data)$

Figure 3: A simple t-multipath algorithm.

Theorem 6.1 For any k-adversary, k < t, the simple multipath communication
algorithm in Figure 3 always succeeds in sending $pkt_s$ to d.

Proof. Since the number of faulty nodes k is less than t, there always exists
at least one non-faulty path among the t paths used in sending. Therefore
d always gets a valid $pkt_s$ and s always gets a valid matching $ack_d$. Hence
the algorithm is secure. □
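The following added example (not code from the chapter) runs the exchange of Figure 3 over t = 3 paths of which k = 2 are faulty, then shows a replayed packet being rejected and the failure when all t paths are faulty. It assumes HMAC-SHA256 under two pre-shared keys in place of the signatures of s and d (the text allows message authentication codes), omits the encryption layer, and models each path as a relay that is honest, drops, or tampers; all names and keys are constructed.

```python
import hashlib
import hmac

def tag(key, fields):
    """MAC over length-prefixed fields; stands in for the signatures [..]_s, [..]_d."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for f in fields:
        raw = f if isinstance(f, bytes) else str(f).encode()
        mac.update(len(raw).to_bytes(4, "big") + raw)
    return mac.digest()

def valid(key, msg):
    fields, mac = msg
    return hmac.compare_digest(mac, tag(key, fields))

def carry(behaviour, msg):
    """One path of the multipath: an honest, dropping or tampering relay."""
    if behaviour == "drop":
        return None
    if behaviour == "tamper":
        fields, mac = msg
        return (fields[:-1] + (b"forged",), mac)   # last field altered in transit
    return msg

class Destination:
    def __init__(self, key_s, key_d):
        self.key_s, self.key_d = key_s, key_d
        self.seen, self.delivered = set(), []

    def receive(self, copies):
        """Accept the first valid, fresh copy of pkt_s; return ack_d or None."""
        for msg in copies:
            if msg is None or not valid(self.key_s, msg):
                continue                           # dropped or altered
            s, d, sn, seq, data = msg[0]
            if (sn, seq) in self.seen:
                continue                           # replay or duplicate copy
            self.seen.add((sn, seq))
            self.delivered.append(data)
            hdr = (s, d, sn, seq)
            return (hdr, tag(self.key_d, hdr))
        return None

def send(paths, dest, key_s, key_d, s, d, sn, seq, data):
    """Source side: True iff a valid ack_d matching (s, d, sn, seq) returns."""
    fields = (s, d, sn, seq, data)
    pkt = (fields, tag(key_s, fields))
    ack = dest.receive([carry(p, pkt) for p in paths])
    if ack is None:
        return False
    return any(c is not None and valid(key_d, c) and c[0] == (s, d, sn, seq)
               for c in (carry(p, ack) for p in paths))

def demo():
    ks, kd = b"constructed-key-s", b"constructed-key-d"
    dest = Destination(ks, kd)
    paths = ["tamper", "drop", "ok"]               # t = 3, k = 2 faulty paths
    first = send(paths, dest, ks, kd, "s", "d", 7, 1, b"hello")
    replay = send(paths, dest, ks, kd, "s", "d", 7, 1, b"hello")
    all_bad = send(["drop", "tamper", "drop"], dest, ks, kd, "s", "d", 7, 2, b"x")
    return first, replay, all_bad, dest.delivered
```

The third call violates the condition k < t of Theorem 6.1, which is why no valid copy reaches d.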
6.4 Adaptive Multipath Routing
In this section we consider a multipath routing algorithm that combines in
parallel a distributed version of Ford-Fulkerson Max Flow algorithm [27]
(at the source) with a local network discovery algorithm (for nearby nodes)
to find vertex-disjoint paths that link the source to the destination. When
there are no malicious faults, a single route is used. Otherwise, the route
is adaptively reconstructed to deal with the faults. When multiple routes
are present, only one best route is actually used while the rest are kept alive.
Source s
1. Set $G' = \emptyset$, flow = ∅, t = 1, radius = Δ.
2. Start using flow for communication whenever value(flow) ≥ 1.
3. AddLinks(s, neighbors(s); flow, $G'$).
4. While a connection to d has not terminated do
   (a) While value(flow) < t do
       i. Set $seq_s$, $ttl_s$, $timeout_s$ and broadcast $req_s$.
       ii. For each valid $rep_x$ received before $timeout_s$ do
           AddLinks(x, neighbors(x); flow, $G'$).
       iii. Set radius = radius + Δ.
   (b) If errorrate(path) > $\varepsilon_0$ for all path ∈ flow then
       i. t = t + 1.

Figure 4: The adaptive multipath routing algorithm, I

The algorithm is presented in Figures 4 and 5. Figure 4 describes the
protocol for the source s. Initially s broadcasts a request $req_s$ for neighbor
lists. A hop-by-hop (on-the-fly) version of Ford-Fulkerson Max Flow
algorithm¹¹ is used to construct a local graph $G' = (V', E')$ with neighbor
lists obtained from network nodes. $G'$ is a directed graph which is a vertex
expanded version of the network graph G: each node x in G corresponds to
two nodes $x^+, x^-$ linked by $(x^+, x^-)$ in $G'$, and each link (x, y) of G
corresponds to a link $(x^-, y^+)$ in $G'$, and conversely. Initially $G' = \emptyset$. The source
adds to $G'$ its neighbors and the links to them. The following variables are
used:

¹¹ The Ford-Fulkerson Max Flow algorithm is given for static networks. However it can
easily be extended to mobile settings. Here we consider such an extension.
• flow, a list of vertex-disjoint paths that link s to d in $G'$; value(flow),
connectivity between s and d in $G'$ or the number of paths in flow.
• $req_s = [s, d, sn, seq_s, ttl_s]_s$, a request by s for neighbor lists consisting of:
identifiers for s, d, a session number sn, a sequence number $seq_s$ for $req_s$, the
time-to-live $ttl_s$ for $req_s$ and its digital signature.
• $rep_x = [x, sn, seq_s, x, ttl_x, neighbor(x)]_x$, a report by x consisting of: an
identifier for x, sn and $seq_s$ for $req_s$, the time-to-live $ttl_x$ for $rep_x$, the neighbor
list of x and its digital signature.
• $ctime_z$, the current time for node z.
• radius, an upper bound on the hop distance for $req_s$, Δ an initial hop radius.
• $seq_s = ctime_s$, $ttl_s = ctime_s + radius \times \tau$, $timeout_s = ttl_s + radius \times \tau$.
• t, the number of disjoint paths of the multipath.
• $\varepsilon_0$, a threshold for the error rate of a non-faulty path.
• errorrate(path), the error rate of path.
Procedure AddLinks(x, neighbors(x); $G'$)
1. $G' = G' + \{(x^+, x^-), (x^-, y^+), (y^+, y^-) \mid y \in neighbors(x)\}$.
2. Let $reverse(S) := \{(x, y) \mid (y, x) \in S\}$, for a set of links S of G.
3. For each path p from $s^-$ to $d^+$ in $G'$ such that
   $p = (p - flow) + (p \cap reverse(flow))$,
   set $flow = flow + p - reverse(p)$.
Each edge in graph $G'$ has capacity 1. Consequently, flow is a set of
edge-disjoint paths in $G'$. If $(s^-, x_1^+, x_1^-, \ldots, x_{n-1}^+, x_{n-1}^-, d^+)$ is a directed path in
flow then the corresponding path in G is $(s, x_1, \ldots, x_{n-1}, d)$, provided that
all the reverse links $(x_i^-, x_{i-1}^+)$ are also in $G'$. It is not hard to see that if
$\{(s^-, x_1^+, x_1^-, \ldots, x_{n-1}^+, x_{n-1}^-, d^+)\}$ is a set of edge-disjoint paths in $G'$ then
the corresponding paths $\{(s, x_1, \ldots, x_{n-1}, d)\}$ in G are vertex-disjoint, and
vice-versa [27].
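An added example, not the authors' code: the vertex expansion and the AddLinks augmentation step, run on a constructed sequence of five neighbor reports in which the last report forces the first path to be rerouted. Class and function names are hypothetical, breadth-first search is assumed for picking augmenting paths, and each reported link is taken as usable in the reported direction.

```python
from collections import deque
class SplitGraph:
    """Vertex-expanded graph: node x becomes x+ and x-, every edge has capacity 1."""
    def __init__(self, s, d):
        self.s, self.d = s, d
        self.edges, self.cap, self.adj = set(), {}, {}   # real links, residuals, adjacency

    def _edge(self, u, v):
        if (u, v) not in self.edges:
            self.edges.add((u, v))
            self.cap[(u, v)] = 1
            self.cap.setdefault((v, u), 0)    # residual edge, used to undo flow
            self.adj.setdefault(u, set()).add(v)
            self.adj.setdefault(v, set()).add(u)

    def add_links(self, x, neighbors):
        """AddLinks(x, neighbors(x)): extend the graph, then augment the flow."""
        for y in neighbors:
            self._edge((x, "+"), (x, "-"))
            self._edge((x, "-"), (y, "+"))
            self._edge((y, "+"), (y, "-"))
        while self._augment():
            pass
        return self.paths()

    def _augment(self):
        """Push one unit along a BFS path from s- to d+ in the residual graph."""
        src, dst = (self.s, "-"), (self.d, "+")
        parent, queue = {src: None}, deque([src])
        while queue and dst not in parent:
            u = queue.popleft()
            for v in self.adj.get(u, ()):
                if v not in parent and self.cap[(u, v)] > 0:
                    parent[v] = u
                    queue.append(v)
        if dst not in parent:
            return False
        v = dst
        while parent[v] is not None:
            u = parent[v]
            self.cap[(u, v)] -= 1     # take a link, or cancel flow on its reverse
            self.cap[(v, u)] += 1
            v = u
        return True

    def paths(self):
        """Map the unit flow back to vertex-disjoint s-d paths of the network."""
        src, out = (self.s, "-"), []
        for v in self.adj.get(src, ()):
            if (src, v) in self.edges and self.cap[(src, v)] == 0:
                path, u = [self.s], v
                while u != (self.d, "+"):
                    if u[1] == "+":
                        path.append(u[0])
                    u = next(w for w in self.adj[u]     # the one saturated real link
                             if (u, w) in self.edges and self.cap[(u, w)] == 0)
                out.append(path + [self.d])
        return sorted(out)

# Constructed neighbour reports, in the order the source receives them.
REPORTS = [("s", ["a", "b"]), ("a", ["c", "e"]), ("c", ["d"]), ("b", ["c"]), ("e", ["d"])]

def discover(reports, s="s", d="d"):
    g = SplitGraph(s, d)
    return [g.add_links(x, nbrs) for x, nbrs in reports]
```

After the report from e, the augmenting path enters c and cancels the flow on the link from a to c, so the single path s, a, c, d is replaced by the two vertex-disjoint paths s, a, e, d and s, b, c, d.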
Figure 5 describes the protocol for intermediate nodes and the destination.
On receiving a request $req_s$ each node x checks its signature’s validity
and $ttl_s$. If these hold, x sends a report $rep_x$ to s with its neighbor list and
forwards $req_s$. Similarly, when node x receives a report $rep_y$ from a node
y it checks its signature’s validity and $ttl_y$. If these hold, x broadcasts the
report $rep_y$.

Intermediate node x and the destination
1. If a new valid $req_s$ is received such that $ttl_s \le ctime_x$ then
   (a) Set $ttl_x$ and $timeout_x$.
   (b) Broadcast $rep_x$ and $req_s$.
   (c) For each new valid $rep_y$ received before $timeout_x$ do
       if $ttl_y \le ctime_x$ then broadcast $rep_y$.

Figure 5: The adaptive multipath routing algorithm, II
Theorem 6.2 The adaptive multipath routing algorithm in Figure 4 tolerates
any k-adversary, provided that the network graph is (k + 1)-connected.
Proof. We consider the two cases, when there are no faults and when there
are faults, separately.

First suppose that there are no faulty nodes. Then when the source
s requests local connectivity information from the nodes in radius Δ, each
node in range will forward the request and will reply with its list of neighbors.
By $timeout_s$, s will have received a complete connectivity graph of the nodes
that are no more than radius hop counts from it. Observe that radius
increases adaptively, until s finds t disjoint paths from s to d, where t ≤ k + 1,
and that the graph is (k + 1)-connected. Then by the property of the
Ford-Fulkerson algorithm, s will eventually succeed in finding t such paths. Note
that since there are no malicious nodes in this case, the value of t stays at 1.

Next consider the case when there are up to k malicious nodes. The
faulty nodes may sabotage the routing discovery by dropping route requests
$req_s$ or route replies $rep_x$. Manipulating or fabricating packets does not
affect the outcome of the algorithm since intermediate nodes will always
forward a new message before its timeout, regardless of the actions or the
states of their neighbors. Furthermore, we are assuming that the graph is
(k + 1)-connected. Thus there will always exist a non-faulty path between
any pair of nodes that does not contain a malicious node. Consequently the
request $req_s$ of s will reach every intermediate node x in range, and vice
versa, a $rep_x$ by any intermediate node x in the range of $req_s$ will always
reach s.

Therefore in either case, the route discovery will always succeed in finding
routes. In the communication phase, the number of paths t needed increases
adaptively until at least one good path is in the flow. Since the graph is
(k + 1)-connected, this process takes at most k steps, at which point flow
is assured to contain at least one non-faulty path. This adaptive approach
avoids finding unnecessary paths when the adversary is partially active. □
Remark 6.3 The novelty of this route discovery algorithm is that it is
resistant to malicious DoS attacks and that malicious attacks are addressed
adaptively. In particular, a single route is used when there are no attacks.
With each malicious attack, the multipath is adaptively reconstructed to
deal with the threat. Communication is activated as soon as a path becomes
available, so there are no unnecessary delays.

Remark 6.4 When faults in a t-multipath occur beyond a certain acceptable
threshold, then the source s will use a (t + 1)-multipath. Since this
new set of paths is already constructed in the background, the delay caused
by the faults is minimized. Most of the time, there should be no delay.
Furthermore, in our algorithm, the set of vertex-disjoint paths of the multipath
is constructed incrementally, so that even when delays are unavoidable, they
are minimal.

Remark 6.5 Each node on a path only needs to know its upstream and
downstream neighbor. So the path information needs to be sent to
intermediate nodes only at the beginning. When changes are made to the
multipath, the source sends delta information to all nodes on the new paths.
Other nodes will remove unused information after a period of inactivity.

Remark 6.6 Collecting local information centrally is more effective than
collecting it distributively. In particular, the procedure used in the adaptive
routing algorithm by the source s allows more vertex-disjoint paths to be
found than by the distributed process used in most other multipath routing
protocols.
6.5 Securing AODV and DSR
It is easy to see how one can combine the adaptive multipath routing
algorithm with the Dynamic Source Routing algorithm (Section 3.3.1) to get
an adaptive multipath DSR algorithm. Similarly we can combine adaptive
multipath routing with Color-Disjoint Routing (Section 6.2.1), for t colors
using one color per path, and Ad-hoc On-Demand Distance-Vector routing
(Section 3.2.4) to get a Color-Disjoint Multipath AODV algorithm.

Finally we may combine the adaptive multipath routing algorithm with
the tracing mechanism in Section 5.1 to get an adaptive routing algorithm
that will trace malicious behavior.
References
[1] E. Ayanoglu, I. Chih-Lin, R.D. Gitlin, and J.E. Mazo, Diversity coding for transparent self-healing and fault-tolerant communication networks, IEEE Transactions on Communications (1993), Vol. 41, No. 11, pp. 1677–1686.
[2] B. Awerbuch, D. Holmer, C. Nita-Rotaru and H. Rubens, An On-Demand Secure Routing Protocol Resilient to Byzantine Failures, ACM Workshop on Wireless Security – WiSe’02 (2002).
[3] A. Bar-Noy, I. Kessler, and M. Sidi. Mobile users: To update or not to update? Proc. Joint Conference of the IEEE Computer and Communications Societies – INFOCOM (1994) pp. 570-576.
[4] D. Bertsekas and R. Gallager, Data Networks. Prentice Hall, 1992.
[5] E.M. Belding-Royer and C.-K. Toh, A review of current routing protocols for ad-hoc mobile wireless networks, IEEE Personal Communications Magazine (1999) pp. 46-55.
[6] C. Bettstetter, H. Hartenstein and X. Perez-Costa, Stochastic properties of the random waypoint mobility model: epoch length, direction distribution, and cell change rate, Proc. 5th ACM Int. Workshop on Modeling Analysis and Simulation of Wireless and Mobile systems, (2002), pp. 7-14.
[7] J-Y. Le Boudec, On the Stationary Distribution of Speed and Location of Random Waypoint, IEEE Trans. Mob. Comput (2005), Vol. 4 No. 4, pp. 404-405.
[8] J. Broch et al, A performance comparison of multi-hop wireless ad hoc network routing protocols, Proc. ACM MOBICOM (1998) pp. 85-97.
[9] S. Buchegger and J.Y.L. Boudec, Performance Analysis of the CONFIDANT Protocol: Cooperation Of Nodes – Fairness In Dynamic Ad-hoc NeTworks. In Proc. IEEE/ACM Symposium on Mobile Ad Hoc Networking and Computing – MobiHOC (2002).
[10] S. Buchegger and J.Y. Le Boudec, A Robust Reputation System for P2P and Mobile Ad-hoc Networks. Proc. Second Workshop on the Economics of Peer-to-Peer Systems (2004).
[11] M. Burmester and Y. Desmedt. Hierarchical public-key Certification: The Next Target for Hackers? Communications of the ACM (2004) Vol 47, No 8, pp. 86-74.
[12] M. Burmester and Y. Desmedt and Y. Wang. A critical analysis of models for fault-tolerant and secure computation. Proc. Computer, Network and Information Security 2003 (2003).
[13] M. Burmester and Tri van Le. Tracing Byzantine faults in ad hoc networks, Proc. Computer, Network and Information Security 2003 (2003).
[14] M. Burmester and Tri van Le. Secure Multipath Communication in Mobile Ad hoc Networks, International Conference on Information Technology, Coding and Computing, Las Vegas (2004).
[15] M. Burmester and Tri van Le. Tracing faults in ad hoc networks, 3rd IFIP Networking conference – Networking 2004, Athens (2004).
[16] M. Burmester, Tri van Le and A. Yasinsac. Weathering the storm: managing redundancy and security in ad hoc networks. Proc. 3rd International Conference on Ad hoc and Wireless networks – ADHOC-NOW’04, Vancouver, (2004) pp. 96-107.
[17] M. Burmester, Tri van Le and A. Yasinsac. Adaptive gossip protocols: managing security and redundancy in dense ad hoc networks. Journal of Ad hoc Networks, Elsevier, 2006.
[18] S. Capkun, M. Hamdi and J. Hubaux, GPS-free positioning in mobile ad hoc networks, Proc. Hawaii Int. Conf. on System Sciences (2001).
[19] J. Cartigny and D. Simplot, Border node retransmission based probabilistic broadcast protocols in ad-hoc networks. Telecommunication Systems Vol. 22 No 1-4 (2003) pp. 189–204.
[20] C.C. Chiang et al, Routing in Clustered Multihop, Mobile Wireless Networks with Fading Channel, Proc. IEEE SICON ’97 (1997) pp. 197–211.
[21] T. Chu and I. Nikolaidis, On the artifacts of random waypoint simulations. Proc. 1st International Workshop on Wired/Wireless Internet Communications (2002).
[22] S. Corson and J. Macker, Mobile Ad hoc Networking (MANET): Routing Protocol Performance Issues and Evaluation Considerations, Memo RFC2501 (1999).
[23] C.R. Davis, IPSec: Securing VPNs, McGraw-Hill, New York (2000).
[24] D.E. Denning and W.E. Baugh. Hiding Crimes in Cyberspace. Information, Communication and Society Vol. 2 No. 3 (1999) pp. 251-276.
[25] J.R. Douceur, The Sybil attack, Proc. 1st International Workshop on Peer-to-Peer Systems – IPTPS ’02 (2002).
[26] R. Dube, C.D. Rais, K.Y. Wang, and S.K. Tripathi, Signal Stability based Adaptive Routing for Ad-Hoc Mobile Networks, IEEE Personal Communications (1997) pp. 26-45.
[27] L.R. Ford and D.R. Fulkerson, Flows in Networks. Princeton University Press, Princeton, NJ (1962).
[28] P. Georgatsos and D. Griffin, A management system for load balancing through adaptive routing in multiserve ATM networks, Proc. of IEEE INFOCOM (1996).
[29] Z. Haas. A new routing protocol for reconfigurable wireless networks. Proc. IEEE International Conference on Universal Personal Communications – ICUPC (1997), pp. 562-565.
[30] Z.J. Haas, J.Y. Halpern and L. Li. Gossip-based ad hoc routing. Proc. INFOCOM’02 (2002) pp. 1707-1716.
[31] Y-C Hu, D.B. Johnson and A. Perrig. Ariadne: A Secure On-Demand Routing protocol for Ad Hoc Networks. ACM Mobicom 2002.
[32] Y-C Hu, D.B. Johnson and A. Perrig. SEAD: Secure Efficient Distance Vector Routing for Mobile Wireless Ad Hoc Networks. Proc. 4th IEEE Workshop on Mobile Computing Systems & Applications (WMCSA 2002), IEEE, Calicoon, NY, 2002.
[33] Y-C. Hu, A. Perrig and D.B. Johnson. Rushing attacks and defense in wireless ad hoc network routing protocols – WiSe2003 (2003) pp. 30-40.
[34] J.-P. Hubaux, L. Buttyan, and S. Capkun, The quest for security in mobile ad hoc networks, Proc. ACM MOBICOM (2001).
[35] A. Jardosh, E.M. Belding-Royer, K.C. Almeroth and S. Suri, Towards realistic mobility models for mobile ad hoc networks, Proc. 9th Annual International Conference on Mobile Computing and Networking (2003) pp. 217-229.
[36] D.B. Johnson and D.A. Maltz, Dynamic Source Routing in Ad-Hoc Wireless Networks, ed. T. Imielinski and H. Korth, Mobile Computing, Kluwer Academic Publisher (1996) pp. 152-181.
[37] B. Karp and H. Kung, Greedy Perimeter Stateless Routing for Wireless Networks. Proc. 6th International Conference on Mobile Computing and Networking, Boston (2000) pp. 243-254.
[38] Y.B. Ko and N.H. Vaidya, Location-Aided Routing in Mobile Ad Hoc Networks, Proc. ACM/IEEE MOBICOM ’98 (1998).
[39] J. Kong et al., Providing robust and ubiquitous security support for mobile ad-hoc networks, Proc. IEEE ICNP (2001) pp. 251-260.
[40] L. Lamport, R. Shostak and M. Pease, The Byzantine Generals problem. ACM Transactions on programming languages and systems, Vol. 4 No 2 (1982) pp. 382-401.
[41] G. Lin, G. Noubir and R. Rajaraman, Mobility Models for Ad hoc Network Simulation. Proc. IEEE INFOCOM 2004 (2004).
[42] J. Li, P.L. Reiher and G.J. Popek, Resilient Self-Organizing Overlay Networks for Security Update Delivery, IEEE Journal on Selected Areas in Communications (2004) Vol. 22, No. 1, pp. 189-202.
[43] M. Hirt and U. Maurer, Player Simulation and General Adversary Structures in Perfect Multiparty Computation, Journal of Cryptology, Vol 13 No 1, (2000) pp. 31-60.
[44] N.F. Maxemchuk, Dispersity routing in high-speed networks, Computer networks and ISDN systems (1993), pp. 645-661.
[45] S. Murthy and J.J. Garcia-Luna-Aceves, An efficient routing protocol for wireless networks, ACM Mobile Networks and Applications Journal, (1996) pp. 182-197.
[46] S-Y. Ni, Y-C. Tseng, Y-S. Chen, and J-P. Sheu, The broadcast storm problem in a mobile ad hoc network. Proc. 5th Annual ACM/IEEE International Conference on Mobile Computing and Networking (1999) pp. 151-162.
[47] http://www.ntru.com/products/toolkits.htm
[48] S. PalChaudhuri, J-Y. Le Boudec and M. Vojnovic, Perfect Simulations for Random Trip Mobility Models, Annual Simulation Symposium (2005), pp. 72-79.
[49] P. Papadimitratos and Z.J. Haas. Secure Routing for Mobile Ad hoc Networks. Mobile Computing and Communications Review, Vol 6, No 4, 2002.
[50] V. Park and M. Corson, A highly adaptive distributed routing algorithm for mobile wireless networks, Proc. INFOCOM (1997).
[51] C.E. Perkins and P. Bhagwat, Highly Dynamic Destination-Sequenced Distance-Vector Routing for Mobile Computers, Computer Communications Review (1994) pp. 224-244.
[52] C.E. Perkins and E.M. Royer, Ad hoc on-demand distance vector routing, IEEE Workshop on Mobile Computing Systems and Applications (1999) pp. 90-100.
[53] C.E. Perkins, E.M. Royer and S.R. Das, IP Flooding in ad hoc networks. Internet draft (draft-ietf-manet-bcast-00.txt) (2001).
[54] M.O. Rabin, Efficient dispersal of information for security, load balancing, and fault tolerance, Journal of the ACM (1989), Vol. 36, No. 2, pp. 335-348.
[55] M. Sanchez and P. Manzoni. Anejos, A java based simulator for ad-hoc networks, Future Generation Computer Systems, Vol. 17 No 5 (2001) pp. 573-583.
[56] K. Sanzgiri et al, A Secure Routing Protocol for Ad Hoc Networks, citeseer.nj.nec.com/sanzgiri02secure.html
[57] Y. Sasson, D. Cavin and A. Schiper, Probabilistic Broadcast for Flooding in Wireless Mobile Ad hoc Networks. Proc. of IEEE WCNC 2003 (2003).
[58] N. Salem, L. Buttyan, J. Hubaux and M. Jakobsson, A charging and rewarding scheme for packet forwarding in multi-hop cellular networks. In Mobihoc 2003 (2003) pp. 13-24.
[59] B. Schneier, Applied Cryptography: Protocols, Algorithms, and Source Code in C, John Wiley & Sons, New York (1996).
[60] S. Singh, M. Woo, and C.S. Raghavendra, Power-Aware Routing in Mobile Ad Hoc Networks, Proc. ACM/IEEE MOBICOM ’98 (1998).
[61] H. Suzuki and F.A. Tobagi, Fast bandwidth reservation scheme with multi-link and multi-path routing in ATM networks, Proc. IEEE INFOCOM (1992).
[62] P.F. Syverson, D.M. Goldschlag and M.G. Reed, Anonymous Connections and Onion Routing. IEEE Symposium on Security and Privacy, Oakland, (1997) pp. 44-54.
[63] C.K. Toh, A Novel Distributed Routing Protocol To Support Ad-Hoc Mobile Computing, Proc. Fifteenth IEEE Annual International Phoenix Conference on Computers and Communications (1996) pp. 480-486.
[64] A. Tsirigos and Z.J. Haas, Analysis of multipath routing, part 1: The effect on the packet delivery ratio, IEEE Transactions on Wireless Communications (2004), Vol. 3, No. 1, pp. 138-146.
[65] A. Tsirigos and Z.J. Haas, Analysis of multipath routing, part 2: Mitigation of the effects of frequently changing topologies, IEEE Transactions on Wireless Communications (2004), Vol. 3, No. 2, pp. 500-511.
[66] S. Yi, P. Naldurg, and R. Kravets, Security-aware ad hoc routing for wireless networks, Proc. ACM Mobihoc (2001).
[67] Jungkeun Yoon, Mingyan Liu, Brian Noble, Random Waypoint Considered Harmful. Proc. IEEE INFOCOM (2003).
[68] M.G. Zapata. Secure Ad hoc On-Demand Vector (SAODV) Routing. IETF Internet Draft. draft-guerrero-manet-saodv-00.txt. Aug 2001 (work in progress).
[69] L. Zhou and Z.J. Haas, Securing ad hoc networks, IEEE Network Magazine Special Issue on Network Security, (1999) Vol. 13 No. 6, pp. 24-30.