1. Field of the Invention
The present invention relates to a method and to nodes, for supporting secure communication between routers and hosts.
2. Description of the Related Art
Internet Protocol version 6 (IPv6) is a network layer standard used by numerous types of electronic devices to exchange data across interrelated packet-switched networks. It is intended as a successor to IP version 4 (IPv4), which is presently ubiquitous and in general use. Compared to IPv4, IPv6 defines a much wider range of addresses.
FIG. 1 shows a generic format of an IPv6 address 100. The IPv6 address 100 is 128-bits long, and comprises a 64-bit network prefix 110 and a 64-bit Interface IDentifier (IID) 120. A device may have one or more permanent IPv6 addresses 100. In addition, one or more IPv6 addresses 100 may be allocated dynamically to the device. For example, an IPv6 address 100 may be allocated by a router serving the device, wherein the network prefix 110 is defined by the router. In principle, it is possible to route data packets towards the device using any permanent or dynamic IPv6 address 100 of the device, as long as the IPv6 address 100 is unique in the Internet. In practice, dynamic IPv6 addresses 100 are preferred because routing of data packets through the router to the device is facilitated by the fact that the network prefix 110 in the dynamic IPv6 address 100 of the device relates to the specific router serving the device.
In IPv6 a host, for example an end-user device, receives a connection service from an Access Router (AR). One or more hosts may be connected to one AR, for example by way of an Ethernet link, or through a radio link, and the like. The host needs to receive information from the AR in order to configure the IPv6 address 100, which will in turn enable the host to communicate with further nodes on the Internet. The AR sends the required information, comprising the network prefix 110 of the AR, in Router Advertisement messages (RtAdv) described in the Internet Engineering Task Force (IETF) Request For Comments (RFC) number 2461. The RtAdv may be broadcasted periodically by the AR for the benefit of all hosts on the same link. Alternatively, the host may not wait for the periodic RtAdv and send a Router Solicitation message (RtSol) to the AR. The AR may then respond with a dedicated RtAdv, intended for the host having sent the RtSol.
The RtAdv provides the network prefix 110 that is used by the host to configure its IPv6 address 100. The host adds its own IID 120 to the network prefix 110 to generate the IPv6 address 100. The host must then initiate a Duplicate Address Detection (DAD) procedure, described in the IETF RFC 2462, to ensure that no host currently linked to the same AR is using the same IPv6 address 100. In the event where the IPv6 address 100 configured by the host is already in use, as detected in the DAD procedure, the host needs to generate a distinct IPv6 address 100 by use of a different IID 120 and invoke again the DAD procedure. This process may be repeated as many times as required until the host finally acquires a unique IPv6 address 100.
Once the host has configured its IPv6 address 100, following proper verification that this address is unique, it receives further periodic RtAdv messages. These message generally comprise up to date information related to the manner in which the host receives service from the AR. The host updates this information in its internal memory.
Another party, for example a neighbor host on the same link or the AR itself, may need to communicate with the host. Communicating with the host requires knowing both its IPv6 address 100 of the host and a layer 2 address of the host, the layer 2 address being for example a Media Access Control (MAC) address in the case of an Ethernet link. It is necessary that the other party sends a Neighbor Discovery (ND) Request in multicast mode, capable of being detected by any device on the link. The host responds with a ND Advertisement that broadcasts the host's IPv6 address 100 and MAC address. The ND protocol is described in the IETF RFC 2461.
In the processes described hereinabove, there are several potential security issues. A malicious node could launch several types of Denial Of Service (DOS) attacks. The DOS attack is an attempt to make a device's resources unavailable to its intended user. By launching the DOS attack, the malicious node may force the host to consume its resources such that it can no longer provide its intended service. The malicious node may obstruct the link between the host and the AR so that they can no longer communicate adequately. When the host sends the RtSol message and then receives the RtAdv message, it does not know a priori whether the RtAdv is sent by a legitimate AR or by the malicious node. The malicious node may send the RtAdv in order to set up a DOS attack. Alternatively, when the host broadcasts its newly configured IPv6 address 100 as a part of the DAD procedure, the malicious node may consistently respond that it already holds the same IPv6 address 100, thereby launching a different type of DOS attack. Another type of DOS attack occurs when another party sends a ND Request; the malicious node may send the ND Advertisement in place of a legitimate host, thereby impersonating the legitimate host and stealing service therefrom.
Methods currently in use to avoid DOS attacks comprise signatures and encryption. Two communicating nodes each comprise a public Key (K+) and a private Key (K−). A node is the only entity that is aware of the value of its K−, but the K+ are known to everyone. When a first node sends a message to a second node, the first node may compute a signature, that is a result of encrypting a known value with its K−, and include the signature in the message. Upon receiving the message, the second node uses the K+ of the first node to decrypt the signature. If the known value is obtained from the decryption, this is a proof that the message was indeed sent by the first node. The signature provides a proof for validity and non-repudiability of the message sent by the first node. Public and private keys may also be used for encrypting messages. The first node may use the K+ of the second node to encrypt the content of a message intended for the second node. The second node is the only entity capable of decrypting the message by use of its own K−.
A protocol named SEcure Neighbor Discovery (SEND), defined by the IETF RFC 3971, solves the DOS attack issues mentioned hereinabove by use of signatures and encryption. SEND relies on Cryptographically Generated Address (CGA) keys used by both the host and the AR to provide a strong signature to every message exchanged between these nodes. Use of CGA public and private keys provides a proof of ownership of the addresses of the host, of the AR and of other parties. However, CGA signature is a heavy process which requires extensive processing power. Using the CGA keys to sign every message exchanged between the AR and the host adds significant delays to the exchange. When battery-powered hosts such as mobile nodes or sensors are used, CGA key signatures may further cause high battery consumption.
Another tool currently used in some systems to provide some level of security is a One-Way Hash (OWH) function. The OWH is a cryptographic hash function of a secret seed value, generally a random number, the result of which cannot be used to recover the value of the seed. A well-known example of hash function is called Secure Hash Algorithm (SHA), of which SHA-256 is preferably used because it provides a high level of security. The SHA function requires significantly less processing power than using the CGA keys A One-Way Hash Chain (OWHC) is formed from a seed V(n) when the result of hashing V(n) is hashed again to produce a value V(n−1), repeating the process “n” times by hashing again the result of the hash, in sequence, to obtain a nth value V(i=0). Hashing of a value V(i+1), where “i” is smaller than “n” produces a value V(i). With a strong hashing algorithm such as the SHA-256, it is not possible to infer the value V(i+1) from the value V(i). Once a first sending node has demonstrated its validity to a second receiving node by any means, and the second receiving node knows a V(k) value of the first sending node, the first sending node may demonstrate its validity by sending a value V(k+1). The second receiving node may hash the value V(k+1) and obtain the value V(k), thereby obtaining a proof of the identity of the first sending node.
There would be clear advantages of having a method, a host and an access router, all relying on a limited use of heavy encryption means, for providing a high level of security against malicious attacks.