[Olsr-dev] ARP prevention!

Andrea Di Pasquale (spam-protected)
Thu Aug 18 12:59:59 CEST 2011 

Il giorno 18/ago/2011, alle ore 12:42, Henning Rogge ha scritto:

> On Thu, 18 Aug 2011 11:50:57 Andrea Di Pasquale wrote:
>> ArpON does what you're asking with the cooperation of all nodes. :)
>> 
>> Read please these links:
>> 
>> http://arpon.sourceforge.net/
>> http://arpon.sourceforge.net/documentation.html
>> http://arpon.sourceforge.net/algorithms.html
> From what I read ARPon does work if the attacker cannot spoof its MAC address 
> Spoofing the MAC address is trivial in wireless networks.
> 
>> In ARP, you solve the problem with authenticating each host and ArpON does
>> it.
> No, it does not.
> 
> ARPon verifies that the MAC address of a communication partner belongs to the 
> verified node, nothing more.

ArpON is a proactive solution o proactive protocol because it works with cooperative node. 
You can to see ArpON as an evolution of ARP protocol.
ArpON doesn't authenticate the host as Cisco DAI to do with DHCP server.

See here:

http://arpon.sourceforge.net/img/algo/HARPI.jpg

These algorithms don't implements an authenticate solution.
ArpON sets precise policies for ARP. Thus, ARP works in secure mode without cryptography.

> 
> Imagine the following scenario.
> 
> We have two verified users Alice (A) and Bob (B), which cannot directly hear 
> each other in the mesh.
> 
> The attacker Mallory sets up two nodes, one near Alice (MA) and one near Bob 
> (MB) which are connected by a hidden channel (a cable for example).
> 
> Mallory now begins to replay the traffic he hears on each node on the other 
> side, including MAC addresses.
> 
> A --- MA --- MB --- B
> 
> The OLSR instance of Alice will hear OLSR HELLO messages from Bob, which will 
> form a link between the two.
> 
> When an unicast packet has to travel from Alice to Bob, Alice sends an ARP 
> challenge to Bob.
> 
> MA will hear the ARP request and replay it on MB, where it will be heard by 
> Bob.
> 
> Bob will reply with a cryptographically signed ARP response, which will be 
> transmitted by MB to MA and then to Alice.
> 
> Alice is now sure that she knows the MAC-Address of Bob (which is true).
> 
> But she still communicates with Bob through the cable between MA and MB, which 
> is controlled by Mallory.

This is a problem of OLSRd, it isn't problem of ARP protocol.


Andrea

More information about the Olsr-dev mailing list