Seguridad en las Redes

This section provides an overview of this DSR-based prevention mechanism, which consists of two stages: route request/reply packet transmission stage and route evaluation stage. Bypassing misbehaving nodes is realized at the first stage. At the second stage, all discovered routes are evaluated and the optimal route is selected in terms of hop count as well as path quality.

Route discovery is a scheme by which a sender node S tries to discover a path to a destination node D when S has packets addressed to that destination node but no available route exists in its routing table. Because this prevention mechanism is based on DSR, all basic operations follow the standard of DSR protocol.

Bypassing misbehaving nodes is realized in the following way. In the route discovery phase, the sender node broadcasts a route request packet and then the packet floods in the whole network. Each node puts its well-behaving neighbors and their local reputations into the packet, and only the neighbors contained in the packet are authorized to forward this route request packet, which means misbehaving nodes are not allowed to forward the packet. And each node only accepts the route request/reply packets from its well-behaving neighbors. All route request/reply packets from its misbehaving neighbors must be dropped to guarantee that only well-behaving nodes are included in the discovered routes.

Figure 21. Bypassing misbehaving nodes

D, S can promise that the next node A is not a misbehaving node according to its own observation, and A can promise the next node B is not a misbehaving node, because each node on the route is able to promise that the next node is not a misbehaving node. Therefore, all discovered misbehaving nodes can be excluded from the discovered routes. Furthermore, the route reply packets are protected by Message Authentication Code (MAC) calculated with keyed one-way hash function to prevent misbehaving nodes modifying the reply packets. Route evaluation is performed by sender nodes according to the local reputation (packet forwarding ratio) information contained in the route reply packets. Because DSR is able to discover multiple routes to a certain destination, the sender node can make use of local reputations of all intermediate nodes on a path to calculate the quality of this path. In this solution, path quality is measured by packet delivery ratio, which means if the sender node transmits a packet to another node, what is the probability that the packet can reach the destination along the expected route (here, retransmission is not considered). Packet delivery ratio is used to choose the most reliable path and then good performance such as low delay, high throughput can be achieved.

To initiate route discovery, the sender node first needs to create a route request packet. Besides the necessary information required by DSR, the sender node checks its neighbor table and puts all its well-behaving neighboring nodes and their local reputation values into the request packet, and broadcasts this packet. The route request packet is received by all nodes currently within its transmission radio range. Here, the sender node is called route discovery initiator, and the destination node is called route discovery target.

When a node receives this request packet, if it is not the target, it processes the packet in this way: if this packet is from a well-behaving neighbor, it has never processed the same request packet before, and it is a well-behaving node from that neighbor’s point of view (the node from which it receives this request packet), this node appends its own address to the route record of the packet, obtains its own local reputation from the neighbor record of the packet and appends this value to the reputation record of the packet, removes all information in the neighbor record, puts its own well-behaving neighbors and their local reputations into the neighbor record, and last broadcasts the packet. Otherwise, the packet should be dropped silently.

If the node is the target of the route discovery, it returns a route reply packet to the initiator. A copy of the accumulated route record and the reputation record is put into the route reply packet, which is protected by MAC calculated using keyed one-way hash function. The route to the discovery originator must be the reverse path according to the accumulated hops in the route request packet. This is necessary to enable each node on the path to guarantee that the next node towards the target is not a misbehaving node and the important information in the packet is correct.

is from one of the neighbors that it puts into the corresponding route request packet. If it is not the cast, this reply packet should be dropped. And then it checks whether the local reputation information in the reply packet is consistent with that in the corresponding route request packet kept in its cache. If it is not the case, the node should drop the packet silently. Otherwise, it forwards the packet to the next hop according to the route in the packet.

When the sender node receives the route reply packet, it first performs the similar check, and then calculates the MAC to identify whether the packet is modified. If the MAC is correct, it can make use of intermediate nodes’ local reputations to evaluate this path’s quality. And finally, the optimal route among all discovered routes can be discovered.