
PACKET RADIO NETWORKS

Architectures, Protocols, Technologies and Applications

Brownrigg

Pergamon Press

Page 000001 Mercedes-Benz USA, LLC, Petitioner - Ex. 1008


Packet Radio Networks

Architectures, Protocols, Technologies and Applications

CLIFFORD LYNCH and EDWIN BROWNRIGG

Division of Library Automation, Office of the President and Universitywide Services, University of California, Berkeley, California 94720

PERGAMON PRESS

OXFORD · NEW YORK · BEIJING · FRANKFURT · SAO PAULO · SYDNEY · TOKYO · TORONTO


U.K.: Pergamon Press, Headington Hill Hall, Oxford OX3 0BW, England

U.S.A.: Pergamon Press, Maxwell House, Fairview Park, Elmsford, New York 10523, U.S.A.

PEOPLE'S REPUBLIC OF CHINA: Pergamon Press, Room 4037, Qianmen Hotel, Beijing, People's Republic of China

FEDERAL REPUBLIC OF GERMANY: Pergamon Press, Hammerweg 6, 6242 Kronberg, Federal Republic of Germany

BRAZIL: Pergamon Editora, Rua Eça de Queiros 346, CEP 04011, Paraiso, Sao Paulo, Brazil

AUSTRALIA: Pergamon Press Australia, P.O. Box 544, Potts Point, N.S.W. 2011, Australia

JAPAN: Pergamon Press, 8th Floor, Matsuoka Central Building, Nishishinjuku, Shinjuku-ku, Tokyo 160, Japan

CANADA: Pergamon Press Canada, Suite No. 271, 253 College Street, Toronto, Ontario, Canada M5T 1R5

Copyright 1987 Lynch and Brownrigg

All Rights Reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means: electronic, electrostatic, magnetic tape, mechanical, photocopying, recording or otherwise, without permission in writing from the publishers.

First edition 1987

Library of Congress Cataloging in Publication Data

Lynch, Clifford. Packet radio networks. Bibliography. Includes index. Radio Packet transmission. Brownrigg, Edwin Blake, 1946. II. Title. TK6562.P32L96 1987 004.6 87-25874

British Library Cataloguing in Publication Data

Lynch, Clifford. Packet radio networks: architectures, protocols, technologies and applications. Packet switching (Data transmission). Radio. Title. II. Brownrigg, Edwin. 004.66 TK5105

ISBN 08035913

Printed in Great Britain by Wheaton Co Ltd, Exeter


Introduction xi

The project was intended to take about six to nine months; in fact, the report continued to expand and was not completed until early 1986. A somewhat revised version of this report, updated to reflect developments through late 1986, forms the core of this book.

The book is divided into two parts, with a total of nine chapters. Part Packet Radio Systems contains Chapters and. The first chapter, entitled System Requirements, provides a taxonomy of packet radio systems and describes three model systems, including their performance requirements, for further study. These three sample configurations were the focus of the University of California IBM joint study. They include a low-speed, terminal-oriented local area network, much like the one we had originally hoped to build with the TNC boards in 1983; a high-speed local area network intended to connect computers and fast peripherals in much the same spirit as a cable-based Ethernet; and a wide-area packet radio system with repeaters, which grew out of the developments that have taken place in military as well as amateur packet radio technology. This first chapter is adapted in part from a discussion draft entitled System Requirements for Library Automation Packet Radio Networks, by Clifford Lynch, which was submitted to IBM in October 1984.

The second chapter, entitled System Design Considerations, discusses the components of a packet radio system: radios, digital hardware, software, and interfaces to terminals or computers. One of the most important parts of this chapter is the definition of a logical interface between the radio part of a packet radio and the digital control component. We believe that the lack of any standardization in such an interface has been a significant factor in causing the development of a packet radio, especially a high-performance one, to become a major undertaking, since custom engineering is required. Finally, this chapter details the system design considerations for the three models described in Chapter using these components as building blocks. As part of the discussion of system design, we explore the differences between the first two configurations (a packet radio network that uses a terminal access controller (TAC), and local area distributed computing) in light of the trend to replace terminals with personal computers. This discussion leads us to consider how the TAC configuration might gracefully evolve into a local area network, and the implications of operating in a hybrid environment during transition.


technician to manually orient an antenna on the new or resited node. In contrast, one can envision a totally adaptive and self-organizing network in which a new packet radio could announce its presence to the network and electronically adjust its own antenna; human intervention might only be required to authorize the network address. An adaptive system such as this, which minimized management problems, would be extremely desirable in library automation applications. It could employ some of the self-organizing techniques used in mobile packet radio systems, but the application of these techniques would be simplified, since the performance requirements would be far less stringent. For example, transient anomalies in dynamic routing would not be a major problem if they settled down within a short period, because the topology is more or less fixed. This would be unacceptable in a military environment, where a packet radio in a supersonic aircraft could enter, travel through, and leave a packet radio network within a very few minutes.

Uniformity of Nodes

One of the key issues in designing a packet radio system is whether the system is composed of homogeneous or heterogeneous components. For example, are all nodes functionally equivalent, as in a peer-to-peer, computer-to-computer network? Or is the network primarily intended to connect a population of terminals to one or more hosts, perhaps through specialized base stations? If the system uses repeaters, can any node act as a repeater, or are repeaters built from specialized hardware? These questions are intimately related to the intended application of the network. A hybrid approach to this issue is often cost-effective. In a hybrid system, both terminals and computers would participate in the network, but the connections between computers would be different from those between computers and terminals.

Although connecting hosts to terminals is the primary problem today in library automation, in the longer run the focus will probably be on the interconnection of large numbers of computers, both because of the proliferation of different computer-based automation services and because of the spreading use of the personal computer (and Brownrigg 1984). Therefore we propose that a system composed of interconnected computers, some of which may be small personal computers or similar devices, is the best model for a packet radio system for library automation. The connection between terminal and host could be handled separately by a Terminal Access Controller (TAC), which would act solely as a point of entry to the packet radio network for a population of dumb terminals. Links between the TAC and the terminals themselves could be established either by radio or by wires.

From a management point of view, of course, a homogeneous, fully distributed network is very attractive: it simplifies network configuration, especially as this evolves over time, reduces inventory for spare parts, and largely eliminates single points of failure, facilitating the construction of a robust network. The major justification for developing a heterogeneous network of specialized components is usually economic rather than technical.

One-Hop Full Broadcast vs. Multihop Semibroadcast Topologies

There are two major configurations for packet radio systems when one considers routing and network issues. In the full broadcast, or one-hop, model, each terminal can hear transmissions from all other terminals in the network. In the multihop, or semibroadcast, model, some nodes function as repeaters (on a specialized basis or in addition to other functions), and packets have to be retransmitted, or repeated, in order to pass from their source to their ultimate destination within the network.

In networks that use a base station, another common configuration is a sort of extended full broadcast network in which all terminals can receive all transmissions from the base station and the base station can receive transmissions from all terminals, but there is no guarantee that one terminal can receive another's transmission.

The choice of a full broadcast vs. a multihop network is largely forced by the geographic spread of the network and the transmitter power and receiver sensitivity of the radios involved. Transmitter power, in turn, has regulatory implications. The radio propagation environment within which the network operates also plays a role. At many commonly used frequency ranges, no amount of transmitter power can extend the range of a transmitter much beyond


System Requirements 17

Other General Issues in the Design of Packet Switching Systems

There are a number of classic and well-debated issues related to packet switching systems in general, and hence to packet radio systems in particular. These include the advantages of connection-oriented (e.g., virtual circuit) vs. connectionless (e.g., datagram) systems, and the way in which routing is done: fixed, perhaps with alternate routes; with virtual-circuit setup in a virtual circuit network; or on a packet-by-packet basis in a datagram network. Many of the issues raised are philosophical in nature, and persuasive arguments can be given on all sides. With this perspective, we will state some of our biases.

We believe that library automation systems should be oriented toward datagrams rather than virtual circuits. First of all, virtual circuits can be built from datagrams if desired, through protocols such as TCP or the NBS Class transport protocol, but not vice versa, except with rather high overhead. Moreover, evidence indicates that datagrams form a better basis for the construction of distributed computing systems than do virtual circuits; consider the Xerox Internet Architecture and related protocols (et al. 1980), the Cambridge Ring distributed computing environment (Needham and Herbert 1982), and the DARPA Internet. Finally, on a practical basis, the University of California internet, like most networks in universities, is based on TCP/IP, and any packet radio network for library automation will have to interoperate smoothly with networks.

We also believe that routing should be fully adaptive on a packet-by-packet basis where relevant (recall that there is no routing in a full broadcast network). This minimizes administrative problems and maximizes the robustness of the network, although the design will be more complex.

System Configurations

On the basis of the considerations discussed above, we have identified three packet radio network environments for further study and refinement. These represent three extreme cases as far as engineering is concerned, and we believe a great deal of insight may be gained from


only a single packet outstanding at a time rather than one to each destination, problems with a single terminal node could seriously degrade the performance of the entire network.

Since the end-to-end protocol in the terminal generates an end-to-end acknowledgment upon receipt of data at the terminal, bandwidth can be reduced by adding a small delay in the receiving packet radio unit before an acknowledgment is generated, and then using piggyback acknowledgments. Thus only one packet, containing both the local acknowledgment within the packet radio network and the end-to-end acknowledgment that will pass through the gateway packaged in the base station, needs to be generated.

High-Speed Local Area Packet Radio Network

In contrast to the packet radio TAC model, terminal interface units are unnecessary in the high-speed local area packet radio network. The hosts on this network are sufficiently intelligent to send and receive packets directly from the digital control component of the packet radio; no terminal interface unit is needed.

Since the topology of this network is assumed to be full broadcast with no hidden terminals (the introduction of hidden terminals is discussed below), routing is not an issue. In addition, the radios can be relatively unsophisticated, in the sense that directional bias and signal strength control are unnecessary. However, the radios must operate at high speeds, and some radio parameters, notably key-up time, become critical (see below).

The Channel Access Protocol

The basic channel access protocol for this network should be CSMA. To keep delay time to a minimum, one of the persistent variants of CSMA should be used. Although the more persistent versions of CSMA give lower delay times than do the nonpersistent versions, they are also more sensitive to overload, and their throughput degrades more quickly in the face of heavy traffic. In other words, the optimal offered traffic load supported by persistent forms of CSMA is lower than that for nonpersistent CSMA; when this load is exceeded, delay time increases and throughput degrades rapidly.


Security and Authentication 63

Obtaining legal protection against active attack may be particularly difficult for local area systems that are operating without a license under the low-power provisions of the FCC rules. If an attacker who is not on the same premises as the packet radio network can interfere with the system by jamming or by transmitting packets that the packet radio system can receive, it is not entirely clear that the attacker is violating any law, other than perhaps general laws dealing with fraud or theft of service. If, however, the attacker brings a transmitter onto the premises where the packet radio system is operating, the system operator may be able to expel the attacker or apply trespass laws.

Thus, from a practical point of view, it is desirable for a packet radio network to use built-in technological means to protect itself from eavesdropping and attack, because the machinery of law and law enforcement are so difficult to bring to bear to control attacks. It is important here to distinguish between fraud and theft, which essentially operate within the system and thus can be defended against within the system, and attacks such as jamming that attempt simply to disrupt the operation of the system. Defending against this latter group of threats takes the system designer into the territory of military communications systems, which are designed to survive and operate in the face of determined hostile ECM (electronic countermeasures) in an electronic warfare environment. Although the ECCM (electronic counter-countermeasure) techniques used in typical military systems to counter disrupting attacks may be appropriate for an electronic battlefield, they would be poorly received as part of civilian networks, which are regulated by the FCC and share the electromagnetic spectrum with a variety of other users. An exception might be low-power local area networks. Consequently, we conclude that nonmilitary packet radio systems will be somewhat vulnerable to malicious disruption such as jamming from technologically sophisticated adversaries, and that they must rely on laws and law enforcement rather than on military-style ECCM techniques to defend against such attacks, however undesirable this state of affairs may be.

Security Threats and Countermeasures

This section discusses the various security threats that a packet radio network faces; subsequent sections will discuss the related problem of authentication and some of the implementation considerations for the countermeasures described in this section.

We can make a number of assumptions about the tools and the degree of knowledge available to a potential attacker. It is reasonable to assume that the potential attacker possesses a packet radio and knowledge of how the system works. To be conservative, one should further assume that the potential opponent can examine and replace the contents of ROMs and PROMs within the packet radio, and can modify the hardware in the packet radio device or even build customized equipment to substitute for a standard packet radio node. These assumptions may hold true only for a sophisticated opponent, however. Proper design of the packet radio unit, as we will show later, can preclude certain types of casual attacks by an opponent who is not prepared, for example, to create new packet radio PROMs.

One illustration of the importance of gauging the sophistication of the threat can be seen in the recent generation of police radios that use encryption to protect voice channels from eavesdropping (see, for example, 1985). A police radio that is lost or captured can be disabled remotely from a control station via a special encoded channel. Once disabled, the radio must be physically brought in to the maintenance site to be reenabled if it is subsequently recovered. If one assumes that the opponent is relatively unsophisticated, this is very effective. However, a technically sophisticated attacker could not only reenable a captured radio by replicating the operations done at the maintenance site, but could also attack the system by simulating the self-destruct signal to which all radios in the system are designed to respond. Thus the system is made more secure in the face of an unsophisticated opponent, but at the price of adding new vulnerabilities that a sophisticated attacker could exploit.

Passive Threats

Eavesdropping

The most blatant threat to security is unauthorized interception of data traffic. Interception is particularly easy in an unsecured packet radio network, just as it is in an Ethernet. All sorts of data are available for the taking, including files, mail, and passwords transmitted as part of logon sequences. Merely eliminating the promiscuous reception mode from the packet radio node is of limited use. This may make it more difficult for a casual eavesdropper to browse through traffic passing over the network, but it will not help if the attacker is prepared to build a customized receiver or to alter the programming in an existing node. The solution, of course, is to encrypt data passing over the network. However, even though encryption is conceptually simple, it presents a number of difficult technical problems. Should it be done at the link level or end to end? How should session keys be distributed? What algorithms should be used? We will examine these questions in subsequent sections.

Traffic Analysis

Even if data traffic proper is encrypted, an attacker can still analyze traffic patterns (i.e., who is sending how many packets to whom) if packet source and destination addresses are sent in clear text. For military applications this threat is generally considered to be quite serious, since there is a long tradition of using traffic analysis as a source of intelligence. For commercial applications its importance varies substantially. It may be difficult to prevent unauthorized traffic analysis, because all nodes must be able to decrypt all encrypted source and destination addresses. The encryption/decryption keys and algorithms thus must be known globally throughout the network, and anyone with access to a packet radio in the system can be presumed to have access to the codes.

If traffic analysis is considered a serious threat, the best one can do is encrypt all packet addresses and use a network-wide key, preferably with frequent key changes. This will prevent external analysis of traffic patterns, since an opponent will need the key. If a radio is captured or compromised, a new key can be distributed to each radio in the network except the captured node, via some channel external to the network or through a public key system, in order to resecure the network. This approach, of course, assumes that the network security center realizes that a node has been compromised or captured. Moreover, it is only a reactive measure to control the extent of a security breach.


Another source of vulnerability to traffic analysis may be significant for high-security networks. If the network uses repeaters, systematic external monitoring of packets in the vicinity of each radio will provide an attacker with useful hints about the correspondence between encrypted addresses and actual nodes. To defend against these intrusions, it will be necessary to change the key used to encrypt addresses frequently (perhaps using a public key cryptosystem with distribution of keys to each node) and to generate dummy traffic to confuse external listeners. The dummy traffic will create extra channel loading and degrade performance.

Note that there is a relationship between the sophistication of routing algorithms and vulnerability to external traffic analysis. If we assume that one major criterion for a good routing algorithm is that it minimizes the number of nodes that must receive, process, and retransmit a packet, by definition such a routing algorithm has greatly simplified the task of external traffic analysis. In cases in which the system designer is willing to trade performance for security, simple routing schemes that use flooding techniques provide some protection from traffic analysis. In these schemes, each packet is initially transmitted with a repeat count that is set to a value slightly higher than the radius of the network (i.e., the maximum number of repeater hops necessary for data to pass from any node in the network to any other node). Each node keeps a cache of recently transmitted packets, and on receiving a new packet it decreases the repeat count by one; if the repeat count becomes zero, the packet is discarded. If the decreased repeat count is nonzero, the node scans its cache to make sure that it has not already received and retransmitted this packet; if it has already seen the packet, it discards the new copy. Otherwise, the node simply broadcasts the packet and places it in its local cache.

From the point of view of security, the beauty of this scheme is that intervening repeaters do not need to know the addresses of other nodes in the network. The address by which a node is known is a private matter between the packet originator and the recipient. Nodes can even be known by many different names to other nodes in order to confuse the traffic analyst, and the names by which a node is known need not be stored in all other nodes throughout the network.
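The flooding rule described above, as an added simulation that is not code from the book. The six-node topology, the private names and the packet ids are constructed for illustration, and two details are assumptions: the recipient recognises its private name on first receipt and still rebroadcasts like any other node, and the originator caches its own packet.

```python
from collections import deque

# Constructed sample topology: which nodes hear each other's transmissions.
LINKS = {
    "n1": ["n2", "n3"], "n2": ["n1", "n4"], "n3": ["n1", "n4"],
    "n4": ["n2", "n3", "n5"], "n5": ["n4", "n6"], "n6": ["n5"],
}
# Hypothetical private names, shared only between a node and its correspondents.
# A node may answer to several; repeaters hold no copy of this table.
PRIVATE_NAMES = {"n2": {"osprey"}, "n6": {"heron", "k7"}}


def network_radius(links):
    """Largest hop count between any two nodes (breadth-first search from each)."""
    worst = 0
    for start in links:
        dist = {start: 0}
        queue = deque([start])
        while queue:
            node = queue.popleft()
            for peer in links[node]:
                if peer not in dist:
                    dist[peer] = dist[node] + 1
                    queue.append(peer)
        worst = max(worst, max(dist.values()))
    return worst


class Node:
    def __init__(self, names=(), cache_size=32):
        self.names = set(names)
        self.cache = deque(maxlen=cache_size)  # ids of recently transmitted packets
        self.delivered = []                    # packets addressed to one of our names
        self.sent = 0                          # transmissions an outside listener would log

    def receive(self, packet_id, label, repeat_count):
        """Return the count to rebroadcast with, or None to discard the copy."""
        repeat_count -= 1
        if repeat_count == 0:
            return None                        # repeat count exhausted
        if packet_id in self.cache:
            return None                        # already received and retransmitted
        self.cache.append(packet_id)
        if label in self.names:                # only the recipient recognises the label
            self.delivered.append(packet_id)
        return repeat_count                    # assumption: the recipient repeats it too


def flood(origin, label, packet_id, repeat_count, links=LINKS):
    """Flood one packet from origin; return the per-node state afterwards."""
    nodes = {name: Node(PRIVATE_NAMES.get(name, ())) for name in links}
    nodes[origin].cache.append(packet_id)      # originator remembers its own packet
    nodes[origin].sent += 1
    on_air = deque([(origin, repeat_count)])
    while on_air:
        sender, count = on_air.popleft()
        for peer in links[sender]:             # every neighbour hears the broadcast
            new_count = nodes[peer].receive(packet_id, label, count)
            if new_count is not None:
                nodes[peer].sent += 1
                on_air.append((peer, new_count))
    return nodes


def transmissions(nodes):
    """What a listener parked next to each node would count."""
    return {name: node.sent for name, node in nodes.items()}


if __name__ == "__main__":
    count = network_radius(LINKS) + 1          # "slightly higher than the radius"
    for label in ("heron", "osprey"):
        result = flood("n1", label, "pkt-" + label, count)
        got = [n for n, node in result.items() if node.delivered]
        print(label, "->", got, transmissions(result))
```

Every node transmits each packet exactly once whatever its destination, which is the property that denies a listener the path information, and also the performance cost the text mentions.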


For networks with very high security requirements, one could design packet radio nodes that do not support promiscuous mode, that use a global encryption key for all network addresses, and that store this key in volatile memory, which will be erased automatically if any attempt is made to open the sealed unit containing the packet radio node. In all likelihood, one would want such a sealed, secure packet radio to meet TEMPEST specifications on signal emissions as well, lest an attacker gain information by monitoring low-power radiation from intermediate frequency (IF) or digital components. In essence, this approach amounts to building a secure, trusted, and tamper-proof packet radio. Engineering such a device would be difficult, and the resulting unit would be cumbersome and expensive. In addition, it is hard to place much confidence in tamper-proof engineering; a clever attacker might still be able to gain access to the internal components of the radio without triggering the automatic erasure mechanism for keys and other data stored within the unit.

Radio Emissions

Many computing and other electronic devices emit radio waves that can be analyzed with appropriate equipment. The TEMPEST standard defines shielding levels that protect against this type of attack. Although a packet radio node designed for commercial use may be vulnerable to such an attack, in general this is currently not a major worry for systems that are limited to commercial applications; however, concern about this area of vulnerability seems to be growing. Since designing a system to meet TEMPEST specifications is primarily an issue of detailed engineering and packaging, we will not discuss this further here, other than to note that the vulnerability exists and that the engineering problems involved may be difficult and expensive to resolve.

Active Threats

Masquerading

A node can generate packets with a false source address and thus pretend to be another node in a network. This problem involves two issues, the first being initial authentication. When one node say wishes to establish communications with another node say an authentication process must occur in order for each node to establish that the other node really is what it claims to be. The authentication process is typically complex and expensive; it is discussed in detail later.

Once nodes and have established each other's credentials to their mutual satisfaction, a second issue arises. Each node, over a period of time, will generate a number of packets to the other node. A fast, low-overhead method is needed to ensure that, once the identity of has been established by subsequent packets arriving from have really come from and have not been introduced by some other node pretending to be node. If we assume that, as part of the authentication process, nodes and have exchanged session encryption keys (or, perhaps more appropriately, keys valid for a limited period of time) in a secure fashion, either through a public key cryptosystem or through private keys with an authentication process and key servers, several approaches to this problem are possible.

The simplest approach is to use a header constant as part of the data encrypted under the session key. If, after decryption, the header constant appears, the packet is presumed to be from the correct source. For this to work, data must be encrypted in such a way that this header cannot be extracted in already encrypted form from a transmission that is overheard by the attacker and then appended to a false message. This protection can be provided in several ways: by using a chained mode of encryption, in which the decryption of each few bytes of data depends on correct receipt of all of the previous bytes, where chaining occurs across messages, not just within individual data segments; by placing the header constant at the end of each segment and using a chaining technique only within the segment; or by replacing the header constant with a sequence number that is incremented for each segment sent, thus causing the signature constant to change for each block. This last technique is the most effective; it also solves the spoofing problem discussed below. Using chaining within blocks to encrypt a constant is cryptographically weak and will not prevent spoofing. Continuous chaining is feasible but leads to difficult resynchronization problems when a segment is lost.


A special case of masquerading will illustrate how vulnerable to attack a packet radio system can be. An intruder can masquerade not only as a random node but also as a node that functions as a server; in particular, an attacker might masquerade as an authentication server in a packet radio network. Thus all security measures designed into a node must treat any communication with a remote node with great suspicion. Many security schemes, such as that used in the Xerox XNS protocols, assume the presence of privileged or trusted processes. This may be a dubious practice in a broadcast network such as an Ethernet, but it is an invitation to disaster in the even more demanding environment of a packet radio network.

Spoofing

An attacker could record transmissions from the network and replay them into the network at some later time. If the recorded transmissions were encrypted data, the regenerated transmissions might also appear to the network as correctly encrypted data. The sequencing mechanisms discussed above will deal with attempted spoofs into the middle of an active session. Spoofing of an authentication handshake can be prevented by having the participants introduce some random data, perhaps based on a time stamp, into each handshake exchange, thus making each one unique. This is discussed further below.

Jamming

Radio frequencies can obviously be jammed. Partial jamming acts like random interference, and the same mechanisms that handle such interference can be used to attempt to overcome the jamming. Total jamming can be circumvented only by spread spectrum techniques. These techniques require the jammer to invest much more power, by several orders of magnitude, to jam the network than the transmitters need to send packets over the network successfully. It is possible to develop routing algorithms that reorganize a wide area network to circumvent localized jamming (Ephremides 1983). In general, however, there is little defense against determined jamming in a nonmilitary environment other than the standard legal and regulatory recourses.


Deliberately Overloading the Network

A node that ignores flow control and pacing techniques in standard channel access protocols and continues to insert packets into the network as quickly as possible can flood the network, overload the channel, and swamp the other nodes in the network. This can happen accidentally as well as deliberately if a node or the client host attached to a node malfunctions.

As one approach to this problem, the packet radio nodes could be built in such a way that they did not transmit more than a fixed number of packets per unit of time into the network. Two regulators would probably be needed: one to control the rate of packets introduced in a burst, perhaps over a period of one minute, and one to control the average rate of packet introduction over a longer period, say 15 or 30 minutes. The limitation of such a mechanism is that a clever opponent might disable it.

As a second approach, a control channel could be used to tell all nodes to ignore traffic from a given source address. However, this approach also introduces another point of vulnerability, since an attacker could attempt to order the nodes in the network to ignore legitimate traffic. Furthermore, although it would control flooding of the entire network, it would not prevent saturation of a specific multiaccess channel. It only provides a quarantine measure to prevent the flood from spreading.

The best approach might be to include logic to regulate traffic rate in the receivers. If the traffic rate from a given source exceeded some threshold rate, other nodes would assume that the node had gone rogue and ignore all subsequent traffic from it for some period of time; most importantly, they would not repeat it. The regulatory mechanism would have to be designed at such a level that masquerading would first be filtered out by the kind of cryptographic checks discussed above. Otherwise, this approach would provide a mechanism that an attacker could use to block traffic from legitimate nodes. If regulator logic is built into the receivers in a network, an attempt to overload the network will function like localized jamming once it is detected, since the renegade node's impact is limited to tying up the radio channel in its immediate vicinity and the other nodes that can hear it with high demands to examine and discard packets.
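A sketch of the receiver-side regulator described above, as an added example that is not from the book. HMAC-SHA256 with per-source keys stands in for the cryptographic checks the text refers to, and the node names, keys and limits are constructed assumptions; the burst and average windows that the text proposes for transmitters are applied here in the receiver.

```python
import hashlib
import hmac
from collections import defaultdict, deque

FORWARD, DROP_FORGED, DROP_REPLAY, DROP_QUARANTINED, DROP_RATE = (
    "forward", "drop-forged", "drop-replay", "drop-quarantined", "drop-rate")


def make_tag(key, src, seq, payload):
    """Sender side: MAC over source address, sequence number and payload."""
    msg = src.encode() + seq.to_bytes(8, "big") + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class ReceiverRegulator:
    """Per-source traffic regulator run by every receiving or repeating node."""

    def __init__(self, source_keys, burst_limit, burst_window,
                 avg_limit, avg_window, quarantine):
        self.source_keys = source_keys            # src -> shared key (assumed)
        self.windows = ((burst_window, burst_limit), (avg_window, avg_limit))
        self.quarantine = quarantine              # seconds a rogue source is ignored
        self.last_seq = defaultdict(int)          # highest sequence number seen
        self.history = defaultdict(deque)         # arrival times of authentic packets
        self.quarantined_until = {}
        self.reports = []                         # (time, src) for network control

    def receive(self, now, src, seq, payload, tag):
        # 1. Authenticate first, so that forged packets naming a legitimate
        #    source never count against that source's rate.
        key = self.source_keys.get(src)
        if key is None or not 0 < seq < 2**64 or not hmac.compare_digest(
                make_tag(key, src, seq, payload), tag):
            return DROP_FORGED
        # 2. Reject recorded-and-replayed packets by sequence number.
        if seq <= self.last_seq[src]:
            return DROP_REPLAY
        self.last_seq[src] = seq
        # 3. Ignore (and do not repeat) traffic from a quarantined source.
        if now < self.quarantined_until.get(src, 0.0):
            return DROP_QUARANTINED
        # 4. Apply the burst window and the long-term average window.
        times = self.history[src]
        times.append(now)
        longest = max(window for window, _ in self.windows)
        while times[0] <= now - longest:
            times.popleft()
        for window, limit in self.windows:
            if sum(1 for t in times if t > now - window) > limit:
                self.quarantined_until[src] = now + self.quarantine
                self.reports.append((now, src))
                times.clear()
                return DROP_RATE
        return FORWARD


def demo():
    keys = {"A": b"constructed-key-A", "R": b"constructed-key-R"}
    reg = ReceiverRegulator(keys, burst_limit=5, burst_window=60.0,
                            avg_limit=12, avg_window=900.0, quarantine=1800.0)
    out = {}
    # A sender without A's key floods packets that claim to come from A.
    out["forged"] = {reg.receive(0.1 * i, "A", i, b"junk", b"\x00" * 32)
                     for i in range(1, 51)}
    pkt = (1, b"hello", make_tag(keys["A"], "A", 1, b"hello"))
    out["A_first"] = reg.receive(10.0, "A", *pkt)      # A is unaffected by the flood
    out["A_replayed"] = reg.receive(11.0, "A", *pkt)   # recorded packet sent again
    # Node R holds a valid key but ignores pacing: 8 packets in 8 seconds.
    out["rogue"] = [reg.receive(20.0 + i, "R", i + 1, b"x",
                                make_tag(keys["R"], "R", i + 1, b"x"))
                    for i in range(8)]
    out["after_quarantine"] = reg.receive(
        1900.0, "R", 9, b"x", make_tag(keys["R"], "R", 9, b"x"))
    out["reports"] = list(reg.reports)
    return out
```

Swapping steps 1 and 4 reproduces the weakness the text warns about: the forged flood would then quarantine node A.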


One of the most useful lines of defense against nodes accidentally or deliberately trying to overload the network is some means of reporting the situation to network control nodes. This solution at least allows the situation to be identified and perhaps corrected administratively or through legal channels. However, once again, a node could generate spurious reports of attempted masquerading, attempted network overloading, and the like to the network control center; these reports therefore must be accompanied by authentication themselves, otherwise this approach merely provides one more opportunity for the attacker to generate confusion.

Causing Deliberate Malfunctions in the Network Protocols

Along with overloading, a number of other deliberate or accidental malfunctions can create problems. Among these are misreporting of connection or routing information, acknowledging packets but not forwarding them, and misexecuting collision resolution algorithms (see Chapter 4, Managing Overload). These problems are difficult to handle. In addition, most networks are extremely sensitive to the introduction of incorrect routing information. For example, the DARPA gateway system has crashed several times after gateways failed and introduced fallacious routing information into the internet. The program in the Interface Message Processors (IMPs), the packet switches of the backbone ARPANET, has also proven vulnerable to bad data (Rosen 1981). All networks that we know of require at least some trusted nodes that are considered reliable for supplying correct routing data. See Meketon and Topkis (1983) for an analysis of the sensitivity of some routing algorithms to bad data.

Here again there are several lines of defense. The first is a good set of tracing and problem reporting tools that can isolate the offending nodes and perhaps tell the other nodes to ignore the offending nodes. Another is good programming. If the maintenance routines for the routing table check for reasonableness and consistency in the routing data received from other nodes, this will at least reduce the vulnerability of the network to attack or malfunction.

In the end, there seems to be no totally satisfactory means of defending against nodes that are deliberately feeding false information to the network's management and control functions. At present, the best one can hope to do is identify the source of the bad data. If one is willing to run the risk of creating a new line of potential subversion, it is fairly easy to enable the network operation center to tell the network to ignore the rogue nodes, at which point the malfunction begins to resemble localized jamming. An ideal approach would be a completely distributed means of identifying rogue behavior in nodes. This could be accomplished, at least to some extent, through a combination of source authentication, validity and consistency checks, and traffic regulation mechanisms. The goal should be to have each node independently identify the rogue nodes and attempt to ostracize them, with appropriate reports made to the network control and security management nodes.

Directional Antenna Considerations

Direction-sensitive techniques discussed in detail in Chapter offer some interesting possibilities for new validity checks and countermeasures. Directional reception can be used not only to provide information about the location of an attacker but also to detect attempted spoofing or masquerading. For example, a sudden and radical change in the location of a node, as determined by directional sensing when a new packet is received from that node, would indicate that masquerading or spoofing was taking place, unless the node were mobile. Even in the case of a mobile node, one could consider the velocity necessary to account for the apparent change of position in the remote node and use this as a validity check.

Directional receiver antennae can also be used as a simple analog to the antenna nulling techniques found in sophisticated ECCM systems. It is possible, for example, to simply turn off the antenna that is listening in the direction of a rogue node in order to ignore overload traffic that the node may be generating. This would permit the network to quarantine an area around a rogue node.

Two factors must be considered in examining the effectiveness of directional nulling. These factors are similar to those important in evaluating the efficacy of null steerable antenna arrays against jamming in electronic warfare (Pettit 1982). They are the coverage of the jammer and the degree of control over the receiver's lobe patterns. In the case of null steerable antenna arrays, the second factor is typically related to the number of array elements. In the simplest case, in which the attacker is using a captured packet radio, the precision of the jammer or rogue transmitter is equivalent to that of the receiver, since both the transmitter and receiver have control over sectors through their identical antenna systems. In more sophisticated scenarios, one can assume that the rogue node is using a specialized antenna system that provides transmission resolution to an almost arbitrary degree of directionality and that the rogue node has more transmitter power at its disposal than do normal packet radio nodes.

In either scenario, sector control (discussed in the section on Directional Transmission) may be too crude to be of much help. Ideally, in these circumstances one would want a transmit/receive antenna system that provided a high degree of control to individual nodes, i.e., the capability to transmit for .r degrees around vector of Quarantining a rogue node is possible but requires the remaining network nodes to cut off many of their direct connections to each other. Rerouting around the rogue node would require the use of highly circuitous paths. Baker et al. (1982) have analyzed a similar scheme; however, it assumes the use of spread spectrum, and the analysis applies mostly to HF groundwave propagation. Cook (1980) has analyzed this problem from the opposite perspective: he develops criteria for optimum relay placement, involving extra repeaters, to minimize vulnerability to jamming in an ECM environment. Cook's characterization, applied to an existing topology, may offer some measure of the topology's resistance to jamming.

Spread Spectrum Considerations

A well designed spread spectrum system essentially provides a protected channel by virtue of the fact that the external attacker must know the pseudonoise or frequency hop pattern to cover the channel, or else must expend enormous transmitter power on blanket jamming. Spread spectrum techniques also reduce the vulnerability of transmissions to external eavesdropping, since the potential eavesdropper must obtain a spread spectrum receiver, which is not a readily available off-the-shelf component, and then determine the spreading sequence. However, spread spectrum techniques provide little help if the attacker has captured and analyzed a packet radio node and thus learned the spreading pattern. In this case the deterrent to eavesdropping is lost, and the techniques continue to provide protection against jamming only when CDMA is used; then each node is listening for a unique spread spectrum encoding pattern and the transmitter hi pattern to each target node. Spread spectrum sequences are like private keys: both the sender and receiver must know the code to communicate. Thus when CDMA is used, the captured node may know the spread spectrum code for all the other nodes in the system, but the captured radio can only transmit according to one of these patterns at any given time and can jam or attempt to overload only one other node at any given moment, unless broadband jammers, partial band jamming techniques, or multiple transmitters are used (Sijion al 1984 1985). Furthermore, if spreading codes are transmitted from some central server under protection of a public key cryptosystem, for example, issuing new spreading codes to the network provides some protection from jamming as well as from the other kinds of attacks discussed above. Like encryption with a globally-known key, this approach presupposes that the network manager knows that a packet radio has been captured or compromised and knows the identity of that radio.

In summary, spread spectrum provides protection against jamming and eavesdropping through the secrecy of the spreading code. When the attacker does not have the code, the protection can be substantial; when an attacker captures a packet radio node and thus obtains the code, the protection from eavesdropping is minimal. Jamming attacks using a captured receiver can be limited only under CDMA or following the distribution of a new spreading sequence.

Encryption Techniques

Encryption is obviously required to maintain a reasonable degree of privacy and security on a packet radio network. Several related design decisions thus must be considered.

Encryption Algorithms

In deciding on the encryption algorithm to be used, the basic considerations are the cryptographic strength of the algorithm and its performance. Determining the cryptographic strength of algorithms is notoriously difficult. Given the present state of the art, only negative information is really available: cryptographic analysis can prove that a given algorithm is weak, but no current method of analysis can provide confidence that a given algorithm is strong. The most encouraging thing that can be said about a given algorithm is that it has been widely scrutinized by the professional community and no one has broken it, or at least no one admits to doing so. This state of affairs militates against the use of exotic and little known algorithms unless extensive analysis has been performed.

Thus the field is currently more or less limited to two well known algorithms: the Data Encryption Standard (DES) developed by the National Bureau of Standards and the Rivest-Shamir-Adleman (RSA) public key cryptosystem (Rivest et al. 1978). Most other proposed techniques have shown serious signs of cryptographic weakness over the years, most notably some of the alternative public-key cryptosystems proposed, such as the Lu and Lee system and some of the knapsack based public key systems (1981).

These two algorithms are quite different in that the RSA technique is a public key cryptosystem and DES is a classical private key technique. If other factors (e.g., cryptographic strength and performance) were equal, the RSA approach would be preferable because of the additional functions that a public key cryptosystem provides. However, performance is anything but equal, and thus it becomes the deciding factor. The RSA algorithm is extremely slow, particularly in decryption, where good software implementations run at speeds of a few bytes per second. Even a sophisticated hardware implementation of substantial cost will only reach about 1000 bytes/sec. As far as we know, there is to date no commercially available VLSI implementation of the RSA algorithm; prototype chips that run at about 150 bytes/sec have been fabricated (1980), but they apparently had problems and were not subjected to extensive experimentation. Very recently, a British firm announced a bit-sliced implementation of the RSA algorithm; a sixteen-chip version offers about Kbytes/sec (Smith 1985). Although DES was intended to be implemented in hardware, and software implementations tend to be slow (in the range of tens of Kbytes/sec on fast machines), speedy VLSI implementations of DES are available off the shelf. For example, the AmZ8068/Am9518 Data Ciphering Processor, which was announced by Advanced Micro Devices in 1983, claims data rates well in excess of Mbyte/sec (Advanced Micro Devices, Inc. 1983; see Teja 1985 for a discussion of other current DES chips).

Consequently, it appears that DES is suitable for a working encryption algorithm if it is supported in hardware. The RSA scheme, which presumably would be implemented in software, is a useful supplementary tool for certain specialized tasks such as key distribution (discussed later) but is too slow for bulk data encryption given the current state of the art.

One interesting possibility that has been proposed recently is an algorithm somewhat like DES that is implemented in software (1985). Its cryptographic strength has received little scrutiny. It is actually a proposal for an encryption scheme that is based on principles similar to those of DES but is byte- rather than bit-oriented to permit faster software implementation. Such an algorithm, assuming that it could be standardized and shown to have sufficient cryptographic strength, offers an attractive alternative to DES: since it is entirely implemented in software, it would be easier to integrate with existing TCP/IP implementations than would DES-based encryption, which calls upon special purpose hardware.

Recently the status of DES has become quite confused (Newman and Pickholtz 1986). The National Security Agency (NSA) has indicated that it intends to withdraw support from DES as an encryption standard for new applications when it comes up for recertification in 1988. Media coverage of this announcement suggests that the NSA feels that it is unwise to rely universally and for a protracted period of time on any single encryption algorithm, rather than that DES has been or is close to being compromised. DES has become standard for several applications, particularly for the electronic transfer of funds, and it is reasonable to expect that DES will continue to be used well into the 1990s unless some more concrete vulnerability is publicly revealed. In fact, it appears that the NSA will continue, for example, to explicitly support DES for electronic funds transfer.

NSA's current plans (as of June 1986) are to develop, apparently only in tamper-resistant chip form, a series of cryptographic modules for various applications, e.g., voice, general computer data, and high-speed computer data. These will be made available for general commercial use (i.e., nonclassified data) within the United States but apparently will be subject to export restriction. The algorithms will not be made public. Interoperability will be limited: devices using NSA modules for the same application class will apparently interoperate, but there will be no interoperation between different application classes.

As of this writing, the authors have seen no other information on plans for future encryption techniques, and clearly many unanswered questions remain about the function and availability of post-DES encryption hardware.

Techniques for Applying Encryption Algorithms

Encryption algorithms are simply functions in the form F(data, key), where data represents a few bytes of data (64 bits' worth for DES) and key is a fixed length key (56 bits' worth for DES). Since the segments of data to be encrypted are typically much longer than the size of the data unit that is entered into the encryption algorithm, some means of repetitively applying the encryption algorithm to a longer unit of data is needed. One of the usual approaches is to encrypt each group of bytes of the segment independently. The other is to use a chaining method, in which the key for a group of bytes is established by combining the previous key and some value obtained from the preceding group of bytes. Ordinarily, exclusive OR operations are used to combine the key and value.

Chaining can be applied either within a message or on an ongoing basis across a stream of messages. The difficulty with the latter approach is that once a single message is lost, no subsequent messages can be decrypted. This is not a problem if encryption is applied only to data carried on top of a reliable transport level protocol (Voydock and Kent 1981). However, if encryption is used to protect the data elements in the TCP/IP header as well, the key for the entire connection must be resynchronized.

Although it is desirable to avoid resynchronization, it is also desirable to protect the TCP/IP headers. Otherwise an attacker could cause the loss of data or other confusion by generating false acknowledgments and fake TCP messages. Such false data would be rejected by the application running above the TCP/IP level, but the reliable data transport connection would be disrupted and the application would have no recourse but to restart the TCP/IP connection. Consequently, chaining should be used only within segments at the TCP/IP level, not from segment to segment, and the TCP/IP header as well as the application data should be encrypted. Note that the TCP byte numbers used for TCP acknowledgments can also serve as sequence numbers to prevent spoofing. When single segment chaining is used, it weakens the cryptographic strength of the encryption somewhat, and session keys should therefore be changed with reasonable frequency.

Scope of Encryption

One can use either link level or end-to-end encryption in packet radio networks, or both can be used together. A variant of end-to-end encryption, end-to-end within the packet radio network rather than across the internet, is also a possibility. With this technique the gateway that passes packets from the packet radio network to the outside world would be responsible for appropriate encryption and decryption as required.

Link level encryption is transparent to the rest of the network and is widely used with point-to-point links in more traditional networks. However, since packet radio networks contain no links, link level encryption cannot be applied directly unless a global key is used throughout the network. As we have discussed previously, an opponent only needs to obtain or seize control of a single packet radio in order to compromise the entire network when a global key is used. Consequently, global link level keys are a poor idea when the nodes cannot be secured.

End-to-end encryption has two major drawbacks: interactions with the transport level protocols at both ends of the connection are complex, and encryption must be implemented in a consistent way across the internet (Lynch 1986). Currently we know of no commercially available TCP/IP implementation that integrates support for end-to-end encryption. Furthermore, there is little incentive for development, since no single version of TCP/IP has dominant market share and any implementor would be reluctant to add features that are not widely supported by different TCP/IP implementations. Finally, adding support for DES-based encryption to any TCP/IP implementation while retaining good performance is difficult. Special-purpose hardware must be used for the encryption/decryption operations, and thus the DES support interacts closely with the operating system on the host machine.

It is also important to consider the interaction between encryption and the layered telecommunications protocols in a packet radio network. Each packet contains three headers (a local packet radio network header, an IP header, and a TCP header) and application data. For end-to-end encryption we can only encrypt the TCP header and application data, since only these have end-to-end significance. If we encrypt both the TCP and IP headers, gateways must be able to decrypt IP headers in order to perform internet routing. Furthermore, it is desirable to detect spoofing and masquerading within the packet radio network in order to quarantine rogue nodes. To accomplish this, the local network headers must be encrypted separately. Unless traffic analysis is a major concern, authentication is the only reason to encrypt these headers.

Key Distribution and Key Servers

To establish and use a connection protected by end-to-end DES encryption, the two nodes participating in the connection must exchange secret DES keys. If an RSA public-key cryptosystem is available, this is easy to arrange. For example, let us assume that A and B are the nodes involved, that a registry of public keys for each node exists, and that each node knows its own private key. Let E_X(M) denote the result of the encryption of a block of data M under the public key of node X, and D_X(M) the application of the private key of node X to a message M. The basic property of a public key cryptosystem can then be summarized as follows:

D_X(E_X(M)) = M and E_X(D_X(M)) = M

For node A to pass a working DES key K to node B secretly, node A need only send E_B(K) to B; B can then decrypt the message using its own secret key.

This system is vulnerable in several ways. It is vulnerable to spoofing, but this can be corrected by concatenating a time stamp to K and then having A transmit E_B(D_A(K, time stamp, constant)). The receiving node B can apply D_B, then the publicly published E_A, and then ensure that the time stamp is recent. This approach also forms the basis for authentication, since if node B sends a random constant as part of the authentication key exchange handshake, A can provide B with D_A(constant), which B can verify by applying E_A and checking that the result is B's original constant.
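The handoff just described, worked through as an added example that is not from the book. It uses unpadded textbook RSA over small well-known primes purely to make the algebra visible (not usable for real traffic); the field widths, the 30-second freshness window, the sample values and the masquerading node are all constructed assumptions.

```python
E = 65537  # public exponent shared by all toy keys (assumption)


class Node:
    """A node with a toy RSA key pair; n is its published modulus."""

    def __init__(self, name, p, q):
        self.name, self.n = name, p * q
        self._d = pow(E, -1, (p - 1) * (q - 1))   # private exponent

    def D(self, m):
        """D_X: apply this node's private key."""
        return pow(m, self._d, self.n)


def E_pub(n, m):
    """E_X: apply the public key whose modulus is n."""
    return pow(m, E, n)


def pack(key, timestamp, constant):
    # Assumed layout: 64-bit DES key | 32-bit time stamp | 32-bit constant.
    return (key << 64) | (timestamp << 32) | constant


def send_key(sender, receiver_n, key, timestamp, constant):
    """A's side: E_B(D_A(K, time stamp, constant)). Needs sender.n < receiver_n."""
    return E_pub(receiver_n, sender.D(pack(key, timestamp, constant)))


def receive_key(receiver, registry, claimed_sender, ciphertext,
                now, my_constant, max_age=30):
    """B's side: apply D_B, then the published E_A, then check the fields."""
    signed = receiver.D(ciphertext)
    sender_n = registry[claimed_sender]
    if signed >= sender_n:
        return None, "malformed"          # cannot be a value produced by D_A
    m = E_pub(sender_n, signed)
    if m >> 128:
        return None, "malformed"          # does not fit the packed layout
    key, ts, constant = m >> 64, (m >> 32) & 0xFFFFFFFF, m & 0xFFFFFFFF
    if constant != my_constant:
        return None, "bad-constant"       # not an answer to B's challenge
    if not 0 <= now - ts <= max_age:
        return None, "stale"              # recorded traffic replayed later
    return key, "ok"


def demo():
    # Mersenne primes and 2**130 - 5: chosen so no key generation is needed.
    a = Node("A", 2**61 - 1, 2**89 - 1)
    b = Node("B", 2**107 - 1, 2**127 - 1)
    mallory = Node("M", 2**31 - 1, 2**130 - 5)    # hypothetical masquerader
    registry = {"A": a.n, "B": b.n}               # registry of public keys
    key, t0 = 0x0123456789ABCDEF, 500_000_000     # constructed sample values
    c1, c2 = 0x5EEDC0DE, 0x0BADF00D               # B's random constants
    ct = send_key(a, b.n, key, t0, c1)
    forged = send_key(mallory, b.n, key, t0, c1)  # signed with the wrong key
    return {
        "fresh": receive_key(b, registry, "A", ct, t0 + 2, c1),
        "replay_same_constant": receive_key(b, registry, "A", ct, t0 + 3600, c1),
        "replay_new_handshake": receive_key(b, registry, "A", ct, t0 + 3600, c2),
        "masquerade": receive_key(b, registry, "A", forged, t0 + 2, c1),
    }
```

The time stamp catches a replay even when B reuses its constant, and a fresh constant catches it even without synchronized clocks.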

In addition to the problem of spoofing, an attacker could masquerade as the public key registry and send out bogus public keys for network nodes. There are several ways to fix this problem. For example, the key server node, denoted by S, could send public keys as D_S(public key), which would allow any receiver to verify the source of the public key. A time stamp should also be used to protect against the reintroduction of old recorded traffic by an attacker. In addition, a receiving node could poll several key servers (multiple key servers are worthwhile for reliability reasons anyway). Any disagreement among the public key values for a node obtained by polling key servers would immediately indicate a possible security problem.

Once again standards are an implicit issue. It will be necessary for each host in the internet to register its public key with one or more key servers. In addition, any node on the internet must be able, perhaps by following a chain of referrals, to locate the appropriate key servers that can supply the public key for any node in the internet. This is similar to the system used for name and directory servers (Mockapetris 1983b; Postel 1986) and might appropriately be integrated with them. In addition, it is worth keeping in mind that RSA itself is a complex algorithm with many available parameters; internet-wide agreement on appropriate parameters and use of the RSA algorithm would be essential for any standardized implementation of the algorithm.

A host that supports multiple TCP connections, for example in a multiuser time sharing system, needs only a single public key for itself; separate session keys will be established for the various TCP connections in progress at any given time. However, the multiuser host must keep its secret key secure from its own users; otherwise a user could obtain the working DES key for a session that belongs to another user who is sharing the mainframe.


Authentication

The encryption techniques we have discussed so far permit two nodes to establish a connection that is secure both from eavesdropping and from active attacks such as the insertion of bogus messages or the reinsertion of previously recorded and once valid messages. The first goal is accomplished by the encryption algorithm itself, the second by numbering the data units sequentially.

Once a connection is established and keys are exchanged, ongoing authentication is provided by the sequence numbering and the DES key; together they ensure that all data passing over the connection are in fact coming from the same node. However, one still needs to ensure, during the time that connections are established and keys exchanged, that nodes participating in the connection are actually who they claim to be.

Our previous discussion has shown that a public key cryptosystem provides for fully distributed authentication, in which each node, using a directory of public keys, can authenticate any other node in the network or internet. In this environment, which was originally described by Needham and Schroeder (1978), there is little need for authentication servers per se, but only for some means to maintain a registry of public keys and to distribute this registry. These tasks can be accomplished either by nonsecure servers or by massive replication of the public-key database in every node.

It is also possible to implement authentication using only classical private key methods such as DES; however, this requires a secure authentication server that knows the keys of all of its client nodes and distributes credentials among them. This approach, which is discussed in detail by Needham and Schroeder and Israel and Linden (1983), has been formalized in the Xerox XNS system as their Authentication Protocol (Corporation 1984).

Standard authentication approaches such as the use of passwords are inappropriate in an unsecured broadcast environment. They can, of course, be used either as a second level of security or as a means of providing a finer level of authentication once the protection of an authenticated connection is established. It is also possible to develop a nonauthenticating key distribution mechanism that secures a connection for the exchange of authenticating passwords but does not itself authenticate the two participants in the connection; instead, it would only guarantee that their communication is protected under an encryption key.

As our discussion indicates, we recommend placing most of the responsibility for encryption and authentication on the clients of a packet radio node rather than retaining it in the packet radio node per se (except in the case of the packet radio terminal, where node and client host are integrated together). A logical division of responsibility would be to make the packet radio nodes responsible for the encryption of local packet radio headers and the host TCP responsible for TCP encryption.

It is also clear that unless hardware support for encryption is available, performance problems may preclude the use of the current standard encryption algorithms. It is easy to envision local low-security applications, such as office automation, in which the network contains some devices with encryption support and some without. Such cases are studied in detail by Israel and Linden (1983).

Authentication is actually needed at two different levels: end-to-end across the internet and node-to-node within the packet radio network. Node-to-node authentication is problematic if the packet radio has repeaters. As discussed previously, it is desirable for each packet radio node, even if it is merely a repeater for a given packet and not the packet's final destination, to authenticate the origin of packets in the packet radio network in order to limit the effects of attacks. Thus any node must be able to authenticate any packet's source. With a public-key cryptosystem this is readily accomplished: each packet header need only contain a credential authenticating the source in the form of a constant or time stamp that is encrypted under the private key of the source node. Any node that needs to authenticate the source of a packet can simply apply the public-key function for the alleged source and see if the result is a valid constant or time stamp.

There are two problems with this approach. First of all, it requires receiving nodes to compute an RSA function when examining each packet if they are to quickly discard fake packets. Of course, if a constant were used, the nodes could cache the encrypted value of the constant and perform comparisons with this encrypted value rather than recomputing the RSA function for each packet. The trouble with using a constant, however, is closely related to the second problem with this overall approach: theft of credentials and spoofing. An attacker need only wait for a packet to be transmitted by the node it wants to masquerade as and then either retransmit that packet as it stands, for a spoofing attack, or extract the credential and insert it into its own fake packets, for theft of credentials.

Frequent recomputation of the RSA function seems unavoidable if spoofing attacks are to be prevented, since the credential must self-destruct within a short period of time. The network will always be somewhat vulnerable to spoofing and masquerading unless the network has a synchronized global clock, the credential is created by applying the RSA function to the time stamp each time a node generates a packet, and the clock ticks fast enough so that an old time stamp credential becomes invalid within a sufficiently short time that an attacker cannot receive, copy, and retransmit it during that period. These problems, however, would be stopped at the end-to-end level when they did occur.

In the case of a repeated packet, the repeater would have to add its own authentication credential to the packet header prior to retransmission in order for the source's credential to remain valid. Otherwise the credential would become obsolete by the time it was received by the second or third repeater in a repeater chain.

Providing the described capabilities for authentication within the packet radio network would require expensive and carefully designed special-purpose hardware for handling RSA functions.

Additional security could be supplied only when it was needed by relying on the ability of other mechanisms to detect security problems. This would include the ability of each node to listen for transmissions having its own source address and immediately raise a security alert. This simple and virtually free measure is worth implementing in any case as a way of detecting attacks, even if nothing is done to prevent them within the packet radio network and the decision is made to rely entirely on end-to-end encryption. Under normal circumstances, credential expiration could be relatively slow and a caching scheme in the receivers' authentication routines could be used. When an attack was detected, the period between credential updates (which could be set by each sending node independently, with receivers invalidating an earlier time stamp as the basis for a credential whenever a later one is received) could be greatly reduced, at least by the node that was the victim of the attempted masquerade. Every time the node under attack transmitted, the masquerading node would have to steal the credential anew.
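The receiver-side checks described above (time stamp credential under the source's private key, cached comparison, expiry, invalidation by a later time stamp, and the own-source-address alert) can be sketched as follows. This is an added example, not code from the book: it uses textbook RSA with constructed toy keys, integer ticks standing in for the synchronized global clock, and hypothetical names (`Receiver`, `make_credential`, `max_age`).

```python
# Added illustration: toy textbook RSA, constructed keys, far too small for real use.
PRIVATE = {"A": (3233, 2753)}                # node -> (n, d), held only by that node
PUBLIC = {"A": (3233, 17), "B": (2773, 17)}  # public-key database kept in every node

def make_credential(source, tick):
    """Source side: time stamp encrypted under the source's private key."""
    n, d = PRIVATE[source]
    return pow(tick, d, n)

class Receiver:
    def __init__(self, addr, max_age):
        self.addr, self.max_age = addr, max_age
        self.cache = {}      # source -> (credential, tick) last accepted
        self.rsa_ops = 0     # public-key operations actually performed

    def check(self, src, cred, now):
        if src == self.addr:                 # someone else is using our address
            return "alert-own-address"
        cached = self.cache.get(src)
        if cached and cached[0] == cred:
            tick = cached[1]                 # cache hit: compare, no RSA
        else:
            n, e = PUBLIC[src]
            tick = pow(cred, e, n)           # public-key function of alleged source
            self.rsa_ops += 1
        if not 0 <= now - tick <= self.max_age:
            return "reject-stale"            # expired, or not a valid time stamp
        if cached and tick < cached[1]:
            return "reject-superseded"       # a later time stamp was already seen
        self.cache[src] = (cred, tick)
        return "accept"

def demo():
    rx = Receiver("B", max_age=10)
    old, new = make_credential("A", 100), make_credential("A", 105)
    return [
        rx.check("A", old, now=100),   # genuine packet
        rx.check("A", old, now=101),   # copy within the validity period: still passes
        rx.check("A", new, now=105),   # sender shortens its update period
        rx.check("A", old, now=106),   # stolen credential, now superseded
        rx.check("A", new, now=120),   # stolen credential, now expired
        rx.check("B", new, now=120),   # B hears its own source address
    ], rx.rsa_ops

if __name__ == "__main__":
    print(demo())
```

The second result shows the residual exposure the text describes: a copied credential is indistinguishable from the original until the sender issues a later time stamp or the validity period runs out.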

The heart of the problem here is that we have created a requirement that any receiver must be able to authenticate a packet from any source without the source knowing the receiver in advance. This will be the case if flooding-type routing strategies are used in a semibroadcast network or if broadcast-type messages are supported in a full broadcast network. In a full broadcast network without broadcast-type messages, or a semibroadcast network in which repeater paths are previously allocated (either through source routing or a scheme in which repeater chains are assigned), authentication can be considered as a pairwise process. In these cases the problem of authentication at the packet radio node becomes more tractable, since virtual links can be established through the same kinds of authentication handshakes and cryptographic protection that we have discussed for end-to-end connections. In a network with repeaters, however, all repeaters in the path that has been preassigned or defined by source routing must participate in the authentication process.

Summary

Although a packet radio network may be more vulnerable to easy attack than traditional networks, the encryption and authentication measures required for its protection are similar to those required for distributed broadcast networks that use cable. Performance is an important consideration in choosing protective measures, and hardware support is almost unavoidable. The authentication and key distribution issues are more tractable if one is willing to implement a public-key cryptosystem and trust in its cryptographic security.

It is also clear that a packet radio network, because of its reliance on the electromagnetic ether, is uniquely vulnerable to disrupting attacks as well as subversion. Some of these disrupting attacks are similar to those encountered in electronic warfare, and the countermeasures available outside of the ECCM context are limited. The other class of disrupting attacks stems from the ease with which one can capture or build a fake node and use it to violate protocols or introduce spurious control data into the network. Countermeasures for this sort of attack are also limited. Many of them employ software engineering techniques similar to those used to defend a distributed system against a node that is accidentally malfunctioning.
