Mobile Ad hoc Networking (MANET)Internet Engineering Task Force (IETF) J. YiInternet-DraftRequest for Comments: 7985 T. Clausen Updates: 7186(if approved)Ecole PolytechniqueIntended status:Category: Informational U. HerbergExpires: February 28, 2017 August 27,ISSN: 2070-1721 October 2016 Security Threatsforto Simplified Multicast Forwarding (SMF)draft-ietf-manet-smf-sec-threats-06Abstract This document analyzes security threatsof theto Simplified Multicast Forwarding(SMF) mechanism,(SMF), includingthevulnerabilities of duplicate packet detection and relay set selection mechanisms. This document is not intended to propose solutions to the threats described.ThisIn addition, this documentalsoupdatesRFC7186RFC 7186 regardingthethreats to the relay set selection mechanisms usingRFC6130.the Mobile Ad Hoc Network (MANET) Neighborhood Discovery Protocol (NHDP) (RFC 6130). Status ofthisThis Memo ThisInternet-Draftdocument issubmitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documentsnot an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Engineering Task Force (IETF).Note that other groups may also distribute workingIt has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documentsas Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Draftsapproved by the IESG aredraft documents valid foramaximumcandidate for any level of Internet Standard; see Section 2 ofsix monthsRFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may beupdated, replaced, or obsoleted by other documentsobtained atany time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on February 28, 2017.http://www.rfc-editor.org/info/rfc7985. Copyright Notice Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . .. 32 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . .43 3. SMFThreatsThreat Overview . . . . . . . . . . . . . . . . . . . . . 4 4. Threats to Duplicate Packet Detection . . . . . . . . . . . . 5 4.1. Attackto Theon the Hop Limit Field . . . . . . . . . . . . . .65 4.2. Threats toIdentification-basedIdentification-Based Duplicate Packet Detection . . . . . . . . . . . . . . . . . . . . . . . . 7 4.2.1.Pre-activationPre-Activation Attacks (Pre-Play) . . . . . . . . . . 7 4.2.2. De-activation Attacks (Sequence Numberwrangling)Wrangling) . . 8 4.3. Threats toHash-basedHash-Based Duplicate Packet Detection . . . .. 98 4.3.1. Attack on the Hash-Assistant Value . . . . . . . . .. . .9 5. Threats to Relay Set Selection . . . . . . . . . . . . . . .. 109 5.1. Common Threats to Relay Set SelectionCommon Threats . .. . . . . . . . . . 10 5.2. Threats to the E-CDS Algorithm . . . . . . . . . . . . .. . .10 5.2.1. Link Spoofing . . . . . . . . . . . . . . . . . . . .1110 5.2.2. Identity Spoofing . . . . . . . . . . . . . . . . . .1110 5.3. Threats to S-MPR Algorithm . . . . . . . . . . . . . . ..11 5.4. Threats to the MPR-CDS Algorithm . . . . . . . . . . . .. . . 1211 6. Security Considerations . . . . . . . . . . . . . . . . . . . 12 7.IANA Considerations . . . . . . . . . . . . . . . . . . .References . .13 8. Acknowledgments. . . . . . . . . . . . . . . . . . . . . . . 139.7.1. Normative References . . . . . . . . . . . . . . . . . . 13 7.2. Informative References . . . . . . . .14 9.1. Normative References . . .. . . . . . . . . 13 Acknowledgments . . . . . . .14 9.2. Informative References. . . . . . . . . . . . . . . . . . 14 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . .. 1514 1. Introduction This document analyzes security threats totheSimplified Multicast Forwarding (SMF)mechanism[RFC6621]. SMF aims at providing basic Internet Protocol (IP) multicastforwarding,forwarding in a way that is suitable forlimitedwireless mesh and Mobile Adhoc NETworksHoc Networks (MANET). SMFis constitutedconsists of two major functional components:Duplicate Packet Detectionduplicate packet detection (DPD) andRelay Set Selection.relay set selection (RSS). SMF is typically used in decentralized wirelessenvironments,environments and is potentially exposed to various attacks and misconfigurations.SomeIn a wireless environment, some of these attacks andmisconfigurtions, in a wireless enviroment,misconfigurations represent threats of particular significance as compared to what they would do in wired networks. [RFC6621] briefly discusses several of these, but does not define any explicit security measures for protecting the integrity of the protocol. This document is based on the assumption that no additional securitymechanismmechanism, such asIPsecIPsec, is used in the IP layer, as not all MANET deployments may besuitableable todeploysupport deployment of such common IP protection mechanisms (e.g., becauseof limited resources ofMANET routersto supportmay have limited resources for supporting the IPsec stack). It also assumes that there is no lower-layerprotection either.protection. The document analyzes possible attacksonon, andmis- configurations ofmisconfigurations of, SMF and outlines the consequences of suchattacks/ mis-configurationsattacks/misconfigurations to the state maintained by SMF in each router. In the Security Considerations section of [RFC6621], denial-of-service attackservice-attack scenarios are briefly discussed. This document further analyzes and describes the potential vulnerabilitiesofof, and attack vectorsforfor, SMF. While completeness in such analysis is always a goal, no claims of being complete are made. The goal of this document is to be helpfulforwhen deploying SMF in a network andneeding to understandfor understanding the risksthereby incurred -incurred, as well as for providing a reference to and documented experience with SMF as input forpossiblypossible future developments of SMF. This document is not intended to propose solutions to the threats described. [RFC7182] provides a framework that can be used with SMF, and depending on how it isused -used, may offer some degree of protection against the threatsdescribed in this documentrelated to identityspoofing.spoofing described in this document. This document also updates [RFC7186], specifically with respect to threats to relay set selection (RSS) mechanismswhichthat are using MANET NHDP [RFC6130]. 2. Terminology This document uses the terminology and notation defined in [RFC5444], [RFC6130],[RFC6621][RFC6621], and [RFC4949]. Additionally, this document introduces the following terminology: SMF router: A MANET router, running SMF as specified in [RFC6621]. Attacker: A device that is present in the network and intentionally seeks to compromise the information bases in SMF routers. It may generate syntactically correct SMF control messages. Legitimate SMF router: An SMF router that is correctly configured and not compromised by an attacker. 3. SMFThreatsThreat Overview An SMF router requires an external dynamic neighborhood discovery mechanism in order to maintain suitable topological information describing its immediate neighborhood, and thereby allowing it to select reduced relay sets for forwarding multicast data traffic. Such an external dynamic neighborhood discovery mechanism may be provided bylower- layerlower-layer interface information, by a concurrently operating MANET routing protocol that already maintains such informationsuch as [RFC7181],(e.g., [RFC7181]) or by explicitly using the MANET Neighborhood Discovery Protocol (NHDP) [RFC6130]. If NHDP is used for both 1-hop and 2-hop neighborhood discovery by SMF, SMF implicitly inherits the vulnerabilities of NHDP discussed in [RFC7186]. As SMF relies on NHDP to assist innetwork layernetwork-layer 2-hop neighborhood discovery (no matter if other lower-layer mechanisms are used for 1-hop neighborhood discovery), this document assumes that NHDP is used in SMF. The threats that areNHDP-specificNHDP specific are indicated explicitly. Based on neighborhood discovery mechanisms, [RFC6621] specifies two principal functional components:Duplicate Packet Detectionduplicate packet detection (DPD) andRelay Set Selectionrelay set selection (RSS). DPD is required by SMF in order to be able to detect duplicate packets and eliminate their redundant forwarding. AnAttackerattacker has two ways in which to harm the DPDmechanisms, specificallymechanisms. Specifically, it can: o "deactivate" DPD,so as to makemaking it such that duplicate packets are not correctlydetected, and that asdetected. As aconsequenceconsequence, they are (redundantly) transmitted,increasingwhich increases the load on the network,drainingdrains the batteries of the routers involved, etc. o "pre-activate" DPD,so as to makemaking DPD detect a later arriving (valid) packet as being aduplicate, which therefore won'tduplicate and will, therefore, not be forwarded. Attacks on DPD can be achieved by replaying existing packets,bywrangling sequence numbers,bymanipulating hash values,etc., andetc.; these are detailed in Section 4. RSS produces a reduced relay set for forwarding multicast data packets acrossthea MANET. For use in SMF, [RFC6621] specifies several relay setalgorithms,algorithms including E-CDS (Essential Connected Dominating Set) [RFC5614], S-MPR(Source-based Multi-point(Source-Based Multipoint Relay, as known from [RFC3626] and [RFC7181]),orand MPR-CDS[MPR-CDS], for use in SMF.(Multipoint Relay Connected Dominating Set) [MPR-CDS]. AnAttackerattacker can disrupt the RSS algorithm, and thereby the SMF operation, by degrading it to classicalflooding,flooding or by "masking" certain parts of the network from the multicasting domain. Attacks on RSS algorithms are detailed in Section 5. Other than the attacks on DPD and RSS, a common vulnerability of MANETs is "jamming", i.e., a device generates massive amounts of interfering radio transmissions, which will prevent legitimate traffic (e.g., control traffic as well as data traffic) on part of a network. The attacks on DPD and RSS can be further enhanced by jamming. 4. Threats to Duplicate Packet Detection DuplicatePacket Detectionpacket detection (DPD) is required for packet dissemination in MANETs because: (1) packets may betransmittedretransmitted via the same physical interface as the one over which they were received, and (2) a router may receive multiple copies of the same packet (on thesame,same or on different interfaces) from different neighbors. DPD is thus used to checkifwhether or not an incoming packet has been previouslyreceived or not.received. DPD is achieved by maintaining a record of recently processed multicast packets, and comparing later received multicast packets herewith. A duplicate packet detected is silently dropped and is not inserted into the forwarding path of that router, nor is it delivered to an application. DPD, as proposed by SMF, supports both IPv4 and IPv6 andfor eachsuggests two duplicate packet detectionmechanisms:mechanisms for each: 1) IP packet header content identification-based DPD (I-DPD),using packet headers,in combination with flow state, to estimate temporal uniqueness of a packet, and 2) hash-based DPD (H-DPD), employing hashing of selected IP packet header fields and payload for the same effect. In the Security Considerations section of [RFC6621], a selection of threats to DPD are briefly introduced. This section expands on thatdiscussion,discussion and describes how to effectively launch the attacks on DPD--- for example, by way of manipulating jitter and/or the Hash- Assistant Value. In the remainder of this section, common threats to packet detection mechanisms arefirst discussed. Thendiscussed first; then, the threats to I-DPD and H-DPD are introduced separately. The threats described in this section are applicable to general SMF implementations,no matter ifregardless of whether NHDP isused or not.used. 4.1. Attackto Theon the Hop Limit Field One immediateDoSDenial-of-Service (DoS) attack is based on manipulating the Time-to-Live (TTL, for IPv4) orhop limitHop Limit (for IPv6) field. As routers only forward packets with TTL > 1, an attacker can forward an otherwise validpacket,packet while drastically reducing the TTL hereof. This will inhibit recipient routers from later forwarding the same multicast packet, even if received with a different TTL- essentially-- essentially, an attackerthuscan thus instruct its neighbors to block the forwarding of valid multicast packets. For example, in Figure 1, router A forwards a multicast packet with a TTL of 64 to the network. A, B, and C are legitimate SMF routers, and X is an attacker. In a wireless environment, jitter is commonly used to avoid systematic collisions inMACMedia Access Control (MAC) protocols [RFC5148]. An attacker can thus increase the probability that its invalid packets arrive first by retransmitting them without applying jitter. In this example, router X forwards the packet without applying jitter and reduces the TTL to 1. Router C thus records the duplicate detection value (hash value forH-DPD,H-DPD or the header content of the packets for I-DPD) but does not forward the packet (due to TTL ==1) not forward.1). When a second copy of the same packet, with a non-maliciously manipulated TTL value (63 in this case), arrives from router B, it will be discarded as a duplicate packet. .---. | X | --'---' __ packet with TTL=64 / \ packet with TTL=1 / \ .---. .---. | A | | C | '---' '---' packet with TTL=64 \ .---. / \-- | B |__/ packet with TTL=63 '---' Figure 1 As the TTL of a packet is intended to be manipulated by intermediaries forwarding it, classic methods such as integrity check values (e.g., digital signatures) are typically calculatedwithby setting TTL fields to somepre-determinedpredetermined value (e.g., 0)- such is-- forexampleexample, the case for IPsec Authentication Headers--- rendering such an attack more difficult to both detect and counter. If the attacker has access to a "wormhole" through the network (a directional antenna, a tunnel to acollaboratorcollaborator, or a wired connection, allowing it to bridge parts of a network otherwise distant), it can make sure that the packets with such an artificially reduced TTL arrive before their unmodified counterparts. 4.2. Threats toIdentification-basedIdentification-Based Duplicate Packet Detection I-DPD uses a specific DPD identifier in the packet header to identify a packet. By default, such packet identification is not provided by the IP packet header (for both IPv4 and IPv6). Therefore, additional identification headers, such as the fragment header, a hop-by-hop header option, orIPSecIPsec sequencing, must be employed in order to support I-DPD. The uniqueness of a packet can then be identified by the source IP address of the packet originator and the sequence number (from the fragment header, hop-by-hop header option, or IPsec). By doing so, each intermediate router can keep a record of recently received packets and determine whether or not the incoming packet has beenreceived or not.received. 4.2.1.Pre-activationPre-Activation Attacks (Pre-Play) In a wireless environment, or across any other shared channel, an attacker can perceive the identification tuple (source IP address, sequence number) of a packet. It is possible to generate a packet with the same (source IP address, sequence number) pair with invalid content. If the sequence number progression is predictable, then it is trivial to generate and inject invalid packets with "future" identification information into the network. If these invalid packets arrive before the legitimate packets that they are spoofing, the latter will be treated as a duplicate and will be discarded. This can prevent multicast packets from reaching parts of the network. Figure 2 gives an example of a pre-activation attack. A,BB, and C are legitimate SMF routers, and X is the attacker. The line between the routers presents the packet forwarding. Router A is the source and originates a multicast packet with sequence number n. When router X receives the packet, it generates an invalid packet with the source address of A and sequence number n. If the invalid packet arrives at router C before the forwarding of router B, the valid packet will be dropped by C as a duplicate packet. An attacker can manipulate jitter to make sure that the invalid packets arrive first. Router X can even generate packets with future sequence numbers (if they are predictable), so that the future legitimate packets with the same sequence numbers will be dropped as duplicate ones. .---. | X | --'---' __ packet with seq=n / \ invalid packet with seq=n / \ .---. .---. | A | | C | '---' '---' packet with seq=n \ .---. / \-- | B |__/ valid packet with seq=n '---' Figure 2 As SMFcurrentlydoes not currently have any timestamp mechanisms to protect data packets, there is no viable way to detect such pre-play attacks by way of timestamps. Especially, if the attack is based on manipulation of jitter, the validation of the timestamp would not be helpful because the timing is still valid(but with(but, much lessvalue).valuable). 4.2.2. De-activation Attacks (Sequence Numberwrangling)Wrangling) An attacker can also seek to de-activateDPD,DPD by modifying the sequence number in packets that it forwards. Thus, routers will not be able to detect an actual duplicate packet as a duplicate--- rather, they will treat them as new packets, i.e., process and forward them. This is similar to DoS attacks, as each packet that is considered unique will be multicasted: for a network with n routers, there will be n-1 retransmissions. This can easily cause the "broadcast storm" problem discussed in [MOBICOM99]. The consequence of this attack is an increased channel load, the origin of which appears to be a router other than the attacker. Given the topology shown in Figure 2, on receiving a packet with seq=n, the attacker X can forward the packet with a modified sequence number n+i. This has two consequences: firstly, router C will not be able to detect that the packet forwarded by X is a duplicate packet; secondly, the consequent packet with seq=n+i generated by router Aprobablywill probably be treated as a duplicatepacket,packet and will be dropped by router C. 4.3. Threats toHash-basedHash-Based Duplicate Packet Detection When explicit sequence numbers in packet headers is undesired, hash- based DPD can be used. A hash of the non-mutable fields in the header ofandthe data payload can begenerated,generated and recorded at the intermediate routers. A packet can thus be uniquely identified by the source IP address of the packet and its hash-value. The hash algorithm used by SMF is being applied only to provide a reduced probability of collision and is not being used for cryptographic or authentication purposes. Consequently, a digest collision is still possible. In case the source router or gateway identifies that itrecentlyhas recently generated or injected a packet with the same hash-value, it inserts a "Hash-Assist Value (HAV)" IPv6 header option into the packet, such that also calculating the hashalsoover this HAV will render the resulting value unique. 4.3.1. Attack on the Hash-Assistant Value The HAV header is helpful when a digest collision happens. However, it also introduces a potential vulnerability. As the HAV option is only added when the source or the ingress SMF router detects that thecomingincoming packet has digest collision with previously generated packets, itactuallycan actually be regarded as a "flag" of potential digest collision. An attacker can discover the HAVheader,header and be able to conclude that a hash collision is possible if the HAV header is removed. By doing so, the modified packet received by other SMF routers will be treated as duplicatepackets,packets and will be dropped because they have the same hash valuewith the precedent packet.as previously received packets. In the exampleofshown in Figure 3,Routerrouters A and B are legitimate SMF routers; X is an attacker. Router A generates twopacketspackets, P1 and P2, with the same hash value h(P1)=h(P2)=x. Based on the SMF specification, ahash-assistant value (HAV)HAV is added to the latter packet P2, so thath(P2+HAV)=x', to avoidh(P2+HAV)=x' avoids digest collision. When the attacker X detects the HAV of P2, it is able to conclude that a collision is possible by removing the HAV header. By doing so, packet P2 will be treated as a duplicate packet by routerB,B and will be dropped. P2 P1 P2 P1 .---. h(P2+HAV)=x' h(P1)=x .---. h(P2)=x h(P1)=x .---. | A |---------------------------> | X | ----------------------> | B | `---' `---' `---' Figure 3 5. Threats to Relay Set Selection A framework for an RSS mechanism, rather than a specific RSSalgorithmalgorithm, is provided by SMF.ItRelay Set Selection is normally achieved by distributed algorithms that can dynamically generate a topological Connected Dominating Set based on 1-hop and 2-hop neighborhood information. In this section,thecommon threats to the RSS framework are first discussed. Then specific threats to the threecommonly used algorithms: Essentialalgorithms (Essential Connection Dominating Set(E-CDS) algorithm, Source-based(E-CDS), Source-Based Multipoint Relay(S-MPR)(S-MPR), and Multipoint Relay Connected Dominating Set(MPR-CDS)(MPR-CDS)) explicitly enumerated by [RFC6621] are analyzed. As the relay set selection is based on 1-hop and 2-hop neighborhood information, which rely on NHDP, the threats described in this section areNHDP-specific.NHDP specific. 5.1. Common Threats to Relay Set SelectionCommon Threats Common (i.e., non algorithm specific)Non-algorithm-specific threats to RSS algorithms, includingDenial of Service attack,DoS attacks, eavesdropping, message timingattackattacks, and broadcaststorm have beenstorm, are discussed in [RFC7186]. 5.2. Threats to the E-CDS Algorithm The "Essential Connected Dominating Set" (E-CDS) algorithm [RFC5614] forms a single CDS mesh forthean SMF operating region.ItThis algorithm requires 2-hop neighborhood information (theidentifyidentity of the neighbors, the link to theneighborsneighbors, and the neighbors' priorityinformation)information), as collected through NHDP or another process. An SMFRouterrouter will select itself as a relay, if: o The SMFRouterrouter has a higher priority than all of its symmetric neighbors, or oThere does not exist aA path from the neighbor with the largest priority to any otherneighbor,neighbor via neighbors with greaterpriority.priority than the current router does not exist. An attacker can disrupt the E-CDS algorithm by link spoofing or identity spoofing. 5.2.1. Link Spoofing Link spoofing implies that an attacker advertises non-existing links to another router(present(which may or may not be present in thenetwork or not).network). An attacker can declare itselfwithto have high routepriority,priority andspoofsspoof the links to as many legitimate SMFRoutersrouters as possible to declare high connectivity. By doing so, it can prevent legitimate SMFRoutersrouters fromself-selectingselecting themselves as relays. As the "super" relay in the network, the attacker can manipulate the trafficrelayed by it.it relays. 5.2.2. Identity Spoofing Identity spoofing implies that an attacker determines and makes use of the identity of other legitimate routers, without being authorized to do so. The identity of other routers can be obtained byoverhearingeavesdropping the control messages or the source/destination address from datagrams. The attacker can then generate control or datagramtraffic,traffic by pretending to be a legitimate router. Because E-CDS self-selection is based on the router priority value, an attacker can spoof the identity of other legitimaterouters,routers anddeclaresdeclare a different router priority value. If it declaresa higher priority ofthat a spoofedrouter,router has a higher priority, it can prevent other routers from selecting themselves as relays. On the other hand, if the attacker declareslower priority ofthat a spoofedrouter,router has a lower priority, it can force other routers toselectingselect themselves asrelays,relays to degrade the multicast forwarding to classical flooding. 5.3. Threats to S-MPR Algorithm Thesource-based multipoint relay (S-MPR)S-MPR set selection algorithm enables individual routers, using 2-hop topology information, to select relays from among their set of neighboring routers. MPRs are selectedsoby each router such thatforwarding to the router's completea message generated by it, and relayed only by its MPRs, will reach all of its 2-hopneighbor set is covered.neighbors. An SMF router forwards a multicast packet if and only if: o the packet has not been received before, and o the neighbor from which the packet was received has selected the router as MPR. Because MPR calculation is based on the willingness declared by the SMFrouters,routers and the connectivity of the routers, it can be disrupted by both link spoofing and identity spoofing.TheThese threats anditstheir impacts have been illustrated insectionSection 5.1 of [RFC7186]. 5.4. Threats to the MPR-CDS Algorithm MPR-CDS is a derivative from S-MPR. The main difference between S-MPR and MPR-CDS is that while S-MPR forms a different broadcast tree for each source in the network, MPR-CDS forms a unique broadcast tree for all sources in the network. As MPR-CDS combines E-CDS and S-MPR and the simple combination of the two algorithms does not address theweakness,weaknesses; the vulnerabilities of E-CDS and S-MPR that are discussed inSectionSections 5.2 andSection5.3 apply to MPR-CDS also. 6. Security Considerations This document does not specify a protocol or a procedure. The whole document, however, reflects on security considerations for SMFforregarding packet dissemination in MANETs. Possible attacks to the two main functional components of SMF, duplicate packetdetectiondetection, and relay setselection,selection are analyzed and documented. Although neither [RFC6621] nor this document propose mechanisms to secure the SMF protocol, there are several possibilities to secure the protocol in the future anddrivingdrive new work by suggesting which threats discussed in the previous sections could be addressed. For the I-DPD mechanism, employing randomized packet sequence numbers can avoid some pre-activation attacks based on sequence number prediction. If predicable sequence numbers have to be used, applying timestamps can mitigate pre-activation attacks. For the H-DPD mechanism, applying cryptographically strong hashes can make the digest collisions effectively impossible, and it can avoid the use ofhash-assistant value.a HAV. [RFC7182] specifies a framework for representing cryptographic Integrity Check Values (ICVs) and timestamps in MANETs. Based on [RFC7182], [RFC7183] specifies integrity and replay protection for NHDP using sharedkeys,keys as a mandatory-to-implement security mechanism. If SMF is using NHDP as the neighborhood discovery protocol, implementing [RFC7183] remains advisable so as to enable integrity protection for NHDP control messages. This can helpmitigatingmitigate threats related to identity spoofing through the exchange of HELLOmessages,messages andprovidesprovide some general protection against identity spoofing by admitting only trusted routers to the network using ICVs in HELLO messages. Using ICVsdoes,does not, of course,notaddress the problem ofattackers,attackers able to also generate valid ICVs. Detection and exclusion of such attackers is, in general, achallenge, whichchallenge that is not unrelated to how [RFC7182] is used. If, for example, it is used with a shared key (as per [RFC7183]), excluding single attackers generally is not aided by the use of ICVs.HoweverHowever, if routers have sufficient capabilities to support the use of asymmetric keys (as per [RFC7859]), part of addressing this challenge becomes one of providing keyrevocation,revocation in a way that does not in itself introduce additional vulnerabilities. As [RFC7183] does not protect the integrity of the multicast user datagram, and as no mechanism is specified by SMF for doing so, duplicate packet detection remains vulnerable to the threats introduced in Section 4. If pre-activation/de-activation attacks andattackattacks onhash-assistant valuethe HAV of the multicast datagrams are to be mitigated, adatagram- leveldatagram-level integrity protection mechanism is desired, by taking consideration of the identity field orhash-assistant value.HAV. However, this would not be helpful for the attacks on the TTL (orhop limitHop Limit for IPv6) field, because the mutable fields are generally not considered when ICV is calculated. 7.IANA Considerations This document contains no actions for IANA. [RFC Editor: please remove this section prior to publication.] 8. Acknowledgments The authors would like to thank Christopher Dearlove (BAE Systems ATC) who provided detailed review and valuable comments. 9.References9.1.7.1. Normative References [RFC6130] Clausen, T.,Dean, J., and C.Dearlove, C., and J. Dean, "Mobile Ad Hoc Network (MANET) Neighborhood Discovery Protocol (NHDP)", RFC 6130, DOI 10.17487/RFC6130, April2011.2011, <http://www.rfc-editor.org/info/rfc6130>. [RFC6621] Macker, J., Ed., "Simplified Multicast Forwarding", RFC 6621, DOI 10.17487/RFC6621, May2012.2012, <http://www.rfc-editor.org/info/rfc6621>. [RFC7186] Yi, J., Herberg, U., and T. Clausen, "Security Threats for the Neighborhood Discovery Protocol (NHDP)", RFC 7186, DOI 10.17487/RFC7186, April2014. 9.2.2014, <http://www.rfc-editor.org/info/rfc7186>. 7.2. Informative References [MOBICOM99] Ni, S., Tseng, Y., Chen, Y., and J. Sheu, "TheBroadcast Storm Problembroadcast storm problem in aMobile Ad Hoc Network",mobile ad hoc network", MobiCom '99 Proceedings of the 5th annual ACM/IEEE international conference on Mobile computing and networking, DOI 10.1145/313451.313525, 1999. [MPR-CDS] Adjih, C., Jacquet, P., and L. Viennot, "Computing Connected Dominating Sets with Multipoint Relays", Journal of Ad Hoc and Sensor Wireless Networks 2002, January 2002. [RFC3626] Clausen,T.T., Ed. and P. Jacquet,"The OptimizedEd., "Optimized Link State RoutingProtocol",Protocol (OLSR)", RFC 3626, DOI 10.17487/RFC3626, October2003.2003, <http://www.rfc-editor.org/info/rfc3626>. [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August2007.2007, <http://www.rfc-editor.org/info/rfc4949>. [RFC5148] Clausen, T., Dearlove, C., and B. Adamson, "Jitter Considerations in Mobile Ad Hoc Networks (MANETs)", RFC 5148, DOI 10.17487/RFC5148, February2008.2008, <http://www.rfc-editor.org/info/rfc5148>. [RFC5444] Clausen, T., Dearlove, C., Dean, J., and C. Adjih, "GeneralizedMANETMobile Ad Hoc Network (MANET) Packet/Message Format", RFC 5444, DOI 10.17487/RFC5444, February2009.2009, <http://www.rfc-editor.org/info/rfc5444>. [RFC5614] Ogier, R. and P. Spagnolo, "Mobile Ad Hoc Network (MANET) Extension of OSPF Using Connected Dominating Set (CDS) Flooding", RFC 5614, DOI 10.17487/RFC5614, August2009.2009, <http://www.rfc-editor.org/info/rfc5614>. [RFC7181] Clausen, T., Dearlove, C., Jacquet, P., and U. Herberg, "The Optimized Link State Routing ProtocolversionVersion 2", RFC 7181, DOI 10.17487/RFC7181, April2014.2014, <http://www.rfc-editor.org/info/rfc7181>. [RFC7182] Herberg, U., Clausen, T., and C. Dearlove, "Integrity Check Value and Timestamp TLV Definitions for Mobile Ad Hoc Networks (MANETs)", RFC 7182, DOI 10.17487/RFC7182, April2014.2014, <http://www.rfc-editor.org/info/rfc7182>. [RFC7183] Herberg, U., Dearlove, C., and T. Clausen, "Integrity Protection for the Neighborhood Discovery Protocol (NHDP) and Optimized Link State Routing Protocol Version 2 (OLSRv2)", RFC 7183, DOI 10.17487/RFC7183, April2014.2014, <http://www.rfc-editor.org/info/rfc7183>. [RFC7859] Dearlove, C., "Identity-Based Signatures for Mobile Ad Hoc Network (MANET) Routing Protocols", RFC 7859, DOI 10.17487/RFC7859, May 2016, <http://www.rfc-editor.org/info/rfc7859>. Acknowledgments The authors would like to thank Christopher Dearlove (BAE Systems ATC) who provided detailed review and valuable comments. Authors' Addresses Jiazi Yi Ecole Polytechnique 91128 PalaiseauCedex,Cedex France Phone: +33 1 77 57 80 85 Email: jiazi@jiaziyi.com URI: http://www.jiaziyi.com/ Thomas Heide Clausen Ecole Polytechnique 91128 PalaiseauCedex,Cedex France Phone: +33 6 6058 9349 Email: T.Clausen@computer.org URI: http://www.thomasclausen.org/ Ulrich Herberg Email: ulrich@herberg.name URI: http://www.herberg.name/