Security Issues in PIM-SM Link-local Messages

Salekul Islam, J. William Atwood
Department of Computer Science and Software Engineering
{salek_is, bill}@cse.concordia.ca

Abstract

In the present Internet Draft (ID) of PIM-SM, the IPsec Authentication Header (AH) protocol without the anti-replay mechanism has been proposed to protect the link-local messages. This compromise makes PIM-SM vulnerable to Denial of Service (DoS) attacks. Moreover, in this ID, the Security Association lookup and the required number of Security Associations are erroneous. In this paper, a new proposal is presented to protect PIM link-local messages while activating the anti-replay mechanism. The Security Association lookup method has also been modified. Finally, this proposal has been formally validated using SPIN.

1. Introduction

In the present PIM-SM Internet Draft (ID) [1], most of the control messages fall into the link-local category, and are sent to the adjacent routers only, using ALL_PIM_ROUTERS as the destination address. Hello, Join/Prune and Assert messages are included in this category. If a forged link-local message is sent to the ALL_PIM_ROUTERS multicast address by an attacker, it will affect the construction of the distribution tree. The effects will vary for different types of forged messages, from very severe to minor.

2. Authentication according to the PIM-SM ID

In the PIM-SM ID, IPsec [2] transport mode using the Authentication Header [3] has been recommended to prevent attacks generated by forged control messages. However, according to the current specification of IPsec [2, 3], the anti-replay option does not support the case of a Security Association (SA) identified by a multicast destination address. For this reason, the PIM-SM ID suggests that the anti-replay option be disabled. It also assumes that manual configuration of SAs will be performed, although it does not preclude the use of a negotiation protocol such as the Internet Key Exchange to establish SAs. Finally, the IPsec Security Parameter Index (SPI) = 0 will be used all the time.

2.1 Limitations of the PIM-SM ID

Although the anti-replay mechanism is optional in the AH protocol, it has an important role in countering Denial of Service (DoS) attacks. If it is disabled, a receiver cannot differentiate between a fresh packet and a previously received one, so all such packets will be received and processed. The receiver is thus affected in two ways. Firstly, it wastes resources computing the Integrity Check Value for packets it has already received, and this may cause a DoS attack. Secondly, a replayed packet may change Join, Prune, Assert or Hello state within the receiving router.

For inbound packet processing, three parameters (SPI, destination address, protocol used) distinguish an SA and are used in the Security Association lookup. In [1], it is assumed that there should be a different Security Association Database (SAD) for each router interface, so that a different authentication method can be used for each interface. For PIM link-local messages, these three parameters (SPI = 0, destination address = ALL_PIM_ROUTERS, protocol used = AH) are the same for every link-local message. It is clear that they are inadequate to differentiate among received packets, and the lookup will fail to map a received packet to the associated SAD entry.

The present ID requires a PIM router to establish one SA per local link or interface it has. In some cases, more than one sender is connected through the same interface. In that situation, a single SA for that interface is insufficient if different senders use different authentication methods. Instead of one SA per interface, it is therefore necessary to establish one SA per directly connected sender, and, obviously, to maintain a different SAD per sender as well.

3. Proposed technique

Proceedings of the 29th Annual IEEE International Conference on Local Computer Networks (LCN’04) 0742-1303/04 $ 20.00 IEEE

We are now in a position to present our own proposal [4]. To activate the anti-replay mechanism in a multi-sender multicast group communication, the receiver has to maintain a separate sliding window for each sender [5]. Although separate sliding windows clearly should be forbidden in the general case of a large potential number of senders, for a specific PIM receiver router the number of senders equals the number of directly connected PIM routers, which is small. Hence, we strongly propose that the anti-replay mechanism be activated when sending PIM link-local messages, and that a PIM router maintain a different sliding window for each directly connected sender.

If we use the sender address and the SPI in the SA lookup process instead of the three parameters mentioned above, we eliminate the errors present in the SA lookup process of the PIM ID. For an incoming packet, the source address is unique for a specific sender, and in conjunction with the SPI it is possible to select the SA for that sender from the SAD entries. Use of the sender address to index the SA lookup has been accepted in a recent version of the AH ID [6].

We are assuming that the Network Administrator will configure a router manually during its boot-up process. This will not be onerous, given the number of parameters that already have to be manually configured for a router on boot-up. Automatic configuration is required for dynamic groups, but the configuration of PIM-SM routers is very static. In contrast to a host computer, a router is always connected with other routers; it is not a member of a particular multicast group, and does not serve a particular group only.

The recent ID for the AH protocol [6] provides for a 64-bit Extended Sequence Number (ESN): both the sender and the receiver maintain a 64-bit counter for the sliding window protocol. If we use ESN, we can send 2^64 - 1 packets, and a PIM-SM router is unlikely to exceed this number in its lifetime. For this reason, we can use manual key configuration safely with the IPsec AH protocol, as long as we use ESN as the counter for the anti-replay mechanism.
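The following Python model is an added illustration written for this page; it is not code from the paper, from the PIM-SM ID, or from any router implementation. It exercises the two points made in Sections 2.1 and 3: the ID's SA index (SPI, destination address, protocol) is identical for every sender on a link, so a second sender's SA cannot even be installed and its packets fail the ICV check, and a single shared window with anti-replay on rejects a legitimate neighbour's packets as replays, whereas indexing the SAD by (source address, SPI) with one sliding window per directly connected sender detects replays and forged packets without those false rejections. The addresses 10.0.0.1 and 10.0.0.2, the keys, and the "Hello"/"Join"/"Prune" payloads are constructed; HMAC-SHA256 over the immutable fields stands in for the real AH integrity algorithm; the 64-packet window width is an assumed value; and 224.0.0.13 for ALL_PIM_ROUTERS is supplied here, not taken from the paper.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ALL_PIM_ROUTERS = "224.0.0.13"  # PIM link-local group address (supplied here, not from the paper)
AH_PROTOCOL = 51                # IP protocol number of the Authentication Header
WINDOW_BITS = 64                # replay window width (assumed; the AH spec requires at least 32)


class ReplayWindow:
    """Sliding anti-replay window in the style of the AH specification: the highest
    sequence number accepted so far plus a bitmap of the WINDOW_BITS most recent ones."""

    def __init__(self, size: int = WINDOW_BITS) -> None:
        self.size, self.top, self.bitmap = size, 0, 0

    def check(self, seq: int) -> bool:
        """True if seq is neither a duplicate nor older than the window. No state change."""
        if seq == 0:                      # sequence number 0 is never sent with anti-replay on
            return False
        if seq > self.top:                # to the right of the window: always fresh
            return True
        back = self.top - seq             # distance from the right edge of the window
        return back < self.size and not (self.bitmap >> back) & 1

    def update(self, seq: int) -> None:
        """Record seq as received. Call only after the ICV has verified."""
        if seq > self.top:
            shift = seq - self.top
            self.bitmap = 1 if shift >= self.size else ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


@dataclass
class AHPacket:
    src: str
    spi: int
    seq: int
    payload: bytes
    icv: bytes


@dataclass
class SecurityAssociation:
    key: bytes
    window: ReplayWindow = field(default_factory=ReplayWindow)


def icv(src: str, spi: int, seq: int, payload: bytes, key: bytes) -> bytes:
    """Integrity Check Value over the immutable fields; HMAC-SHA256 stands in for real AH."""
    return hmac.new(key, f"{src}|{spi}|{seq}|".encode() + payload, hashlib.sha256).digest()


def send(src: str, spi: int, seq: int, payload: bytes, key: bytes) -> AHPacket:
    return AHPacket(src, spi, seq, payload, icv(src, spi, seq, payload, key))


class PIMReceiver:
    """One router interface. lookup_by_sender selects the paper's (source, SPI) index
    instead of the ID's (SPI, destination, protocol) triple; anti_replay enables the window."""

    def __init__(self, lookup_by_sender: bool, anti_replay: bool) -> None:
        self.lookup_by_sender, self.anti_replay = lookup_by_sender, anti_replay
        self.sad: Dict[Tuple, SecurityAssociation] = {}

    def _index(self, src: str, spi: int) -> Tuple:
        return (src, spi) if self.lookup_by_sender else (spi, ALL_PIM_ROUTERS, AH_PROTOCOL)

    def install_sa(self, src: str, spi: int, key: bytes) -> bool:
        """False when the index is already occupied: the SAD cannot hold this sender's SA."""
        idx = self._index(src, spi)
        if idx in self.sad:
            return False
        self.sad[idx] = SecurityAssociation(key)
        return True

    def receive(self, pkt: AHPacket) -> str:
        sa = self.sad.get(self._index(pkt.src, pkt.spi))
        if sa is None:
            return "no-sa"
        if self.anti_replay and not sa.window.check(pkt.seq):
            return "replay"                 # rejected before the costly ICV computation
        if not hmac.compare_digest(icv(pkt.src, pkt.spi, pkt.seq, pkt.payload, sa.key), pkt.icv):
            return "bad-icv"
        if self.anti_replay:
            sa.window.update(pkt.seq)       # window advances only for authenticated packets
        return "accepted"


def scenario_id() -> Tuple[List[bool], List[str]]:
    """PIM-SM ID setting: SPI 0, lookup by (SPI, dst, proto), anti-replay disabled."""
    r = PIMReceiver(lookup_by_sender=False, anti_replay=False)
    installs = [r.install_sa("10.0.0.1", 0, b"key-A"), r.install_sa("10.0.0.2", 0, b"key-B")]
    hello_a = send("10.0.0.1", 0, 1, b"Hello", b"key-A")
    join_b = send("10.0.0.2", 0, 1, b"Join", b"key-B")
    # the replayed Hello is accepted twice; router B's Join hits A's SA and fails the ICV
    return installs, [r.receive(hello_a), r.receive(hello_a), r.receive(join_b)]


def scenario_shared_window() -> List[str]:
    """One SA and one window for the whole link, anti-replay on: senders' counters collide."""
    r = PIMReceiver(lookup_by_sender=False, anti_replay=True)
    r.install_sa("10.0.0.1", 0, b"shared")
    return [r.receive(send("10.0.0.1", 0, 1, b"Hello", b"shared")),
            r.receive(send("10.0.0.2", 0, 1, b"Hello", b"shared"))]   # legitimate, yet "replay"


def scenario_proposed() -> Tuple[List[bool], List[str]]:
    """Paper's proposal: one SA and one window per directly connected sender, lookup by (src, SPI)."""
    r = PIMReceiver(lookup_by_sender=True, anti_replay=True)
    installs = [r.install_sa("10.0.0.1", 0, b"key-A"), r.install_sa("10.0.0.2", 0, b"key-B")]
    hello_a = send("10.0.0.1", 0, 1, b"Hello", b"key-A")
    join_b = send("10.0.0.2", 0, 1, b"Join", b"key-B")
    forged = AHPacket("10.0.0.1", 0, 2, b"Prune", b"\x00" * 32)   # constructed forgery, no key
    return installs, [r.receive(hello_a), r.receive(hello_a), r.receive(join_b),
                      r.receive(forged), r.receive(send("10.0.0.1", 0, 2, b"Prune", b"key-A"))]
```

Running the three scenarios shows the contrast directly: under the ID's settings the result list is accepted/accepted/bad-icv (replay accepted, second neighbour unauthenticatable); with one shared window the second neighbour's first packet is reported as a replay; under the proposal the replay and the forgery are rejected while both neighbours' genuine packets, including the one that follows the forgery, are accepted. Note that the forged packet does not advance the window, which is why the genuine sequence number 2 is still accepted afterwards.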

4. Validation

We have used the formal validation language PROMELA [7] to specify the validation model, and then used the tool SPIN [7] to validate our model, with the following requirements:

1. A different Security Association (SA) is activated for each directly connected sender.
2. An SA is distinguished by the source address and the SPI.
3. The anti-replay mechanism is enabled.
4. All sorts of attacks a PIM router may face due to forged link-local messages are generated.
5. For the use of ESN, the algorithm presented in the AH ID is validated.

Our model consists of one receiver and three senders. Two of the senders are true senders; to generate different attacks, the third sender sends various forged messages to the receiver. Using SPIN, an executable verifier has been generated from the model. The output of the verifier confirms that our model is free from errors such as assertion violations and invalid end states. It also establishes that the model has no unreachable states.

5. Conclusion

PIM-SM is going to be the dominant routing protocol for multicast-based applications, if we can provide security for data packets and for the control messages as well. The core interest of our paper is to protect PIM link-local control messages from all sorts of attacks. We have proposed a very simple and complete solution. Finally, our solution adds little overhead and is fully compatible with the original specification of PIM-SM.

Acknowledgement

J.W. Atwood acknowledges the support of the Natural Sciences and Engineering Research Council of Canada through its Discovery Grants Program and of Concordia University.

References

[1] Fenner, B., Handley, M., Holbrook, H., Kouvelas, I. Protocol Independent Multicast - Sparse Mode (PIM-SM): Protocol Specification (Revised). Internet Draft, Work in Progress, July 2004.
[2] Kent, S., Atkinson, R. Security Architecture for the Internet Protocol. IETF, RFC 2401, November 1998.
[3] Kent, S., Atkinson, R. IP Authentication Header. IETF, RFC 2402, November 1998.
[4] Islam, S. Security Issues in PIM-SM Link-local Messages. Masters Thesis, Department of Computer Science, Concordia University, Montreal, Canada, December 2003.
[5] Baugher, M., Canetti, R., Hardjono, T., Weis, B. IP Multicast Issues with IPsec. Internet Draft, Work in Progress, December 2002.
[6] Kent, S. IP Authentication Header. Internet Draft, Work in Progress, March 2004.
[7] Holzmann, G. J. Design and Validation of Computer Protocols. Prentice Hall, 1991.
