1 Introduction

1.1 Backgrounds

Many network services have been developed in recent years, and there are practical applications such as BitCoin or network configurations consisting of directly connected things. Although managing path information via a routing protocol is necessary in such communication, the security of the routing protocol has not been well analyzed from a standpoint of the provable security. In general, the security should be analyzed via mathematically well-defined formalization considering realistic threats and its mathematical proof. Meanwhile, such a proof for a system specification is often difficult in comparison with proofs for the conventional cryptographic schemes. This is because formalizing the system specification is quite complicated. In this work, we challenge formalization of a routing protocol towards their provable security.

Meanwhile, our challenge is mainly for formalizing a system specification of some routing protocol. There are several existing works [3, 25] ultimately formalizing system specifications towards true generalization. However, each routing protocol in the real world has aimed at each layer, devices and applications, and their constructions and design principles are drastically different from each other. That is, extremely formalizing these specifications sometimes has a gap from the realistic environments, and the resulting analysis under such formalization may fall into being meaningless even if the security can be proven. We hence consider that forwarding generalization is undesirable, and try to individually formalize each routing protocol.

In particular, we hereafter discuss the dynamic source routing (DSR) [16] protocol which is a major routing protocol for wireless sensor networks. When each device sends data in DSR, its neighbor devices behave as routers to relay the received data and forward it. Such a mechanism is known as multi-hop routing. The reasons why we focus on DSR are as follows. First, developments of wireless sensor networks including Internet-of-Things (IoT) in recent years are indispensable whereas an adversary can more easily attack the networks rather than the conventional wired networks. For instance, the adversary can intrude in the wireless networks by putting on its own malicious devices. Moreover, because each device in DSR can exchange path information with neighbor devices as a router, the adversary can inject false path information within the networks via the malicious devices. Based on these reasons, we consider that the provable security of DSR is quite important and thus formalize its specification.

1.2 Contributions

In this work, we formalize a specification of DSR as a routing protocol on sensor networks. For this purpose, we also formalize a class of ad-hoc networks and a topology-based routing. Our network definition consists of seven components, i.e., nodes, links between nodes, identifiers, relations between identifiers and nodes, destination, and cost evaluation. See Sect. 3 as more details. Based on the network definition, we also define two functions of DSR, route discovery and route maintenance. These definitions can also be extended into their security extensions with cryptographic schemes. See Sect. 4. We also briefly describe the existing secure routing protocols as instantiations of our definition. We leave as an open problem to prove the security of these protocols.

1.3 Paper Organization

In this section, we described the motivation of this work and main contributions. The rest parts of this paper are organized as follows. In the next section, we briefly describe several related works with respect to formal analysis of routing protocols. Next, we define a network configuration of ad-hoc networks in Sect. 3 and DSR in Sect. 4, respectively. In Sect. 5, we show the existing secure routing protocols as further applications of our definition. Finally, we conclude in Sect. 6.

2 Related Works

There are two kinds of security analysis of routing protocols in the existing works, i.e., proofs by black-box reduction by human and proofs by formal methods.

In the former approach, Buttyán and Vajda [6] have defined the security model of ad-hoc networks via a simulation-based definition. Their model dealt with each device and a network itself as Turing machines, and an adversary can put only a single malicious node in the network. Their model also assumes that each device communicates with only the network in order to communicate with other devices. In other words, the network behaves as a proxy of any devices. However, we consider that a network should be a simply public channel and hence their model seems to be strange. Although there are several works to discus the security by black-box reduction [1, 17, 23], all of them have followed the model by Buttyán and Vajda. The strangeness described above, therefore, still exists.

Next, for proofs by formal methods, John and Marshall [15] have analyzed the security of the secure routing protocol (SRP) [21] and Godskesen [9] has analyzed that of the authenticated routing for ad hoc networks (ARAN) [22], respectively. Nanz and Hankin [20] have formalized the network topology and its broadcast communication toward formal analysis. These works do not discuss the black-box reduction which is our main target. Arnaud et al. [2, 3] then formalized these protocols as a more generalized form. The most generalization has been done by Zhang et al. [25], and their idea is to define any routing protocol consisting of two entities, an origin and a path. Although these works are elegant, we consider that they are still insufficient because they sometimes have gaps from realistic environments due to too much generalization.

As more results in different layers, Boldyreva and Lychev [4] have proved the security of the border-gateway protocol (BGP) and its security extension. Next, Goldberg et al. [10] have analyzed the security of the next secure (NSEC) in the domain name system security extensions (DNSSEC) to hide dependency relations in domain name system (DNS) during guarantee of that between URL and IP addresses. These works are the closest to our work, and finally we plan to extend our work by following these results.

3 Definition of Network Configurations

In this section, we define ad hoc networks and topology-based routing to define DSR later. The following definitions are parts of our contributions.

3.1 Definition of Ad Hoc Networks

To formalize DSR, we first define a configuration of networks and a class of a topology-based routing protocol as its idealized class. In particular, we define networks as \((\mathbf{Node}, \mathbf{Links}, \mathbf{ID}, \mathbf{IDforNode}\), \(\mathbf{Routeto}, \mathbf{Dest}, \mathbf{Cost})\).

 

\(\mathcal{G}=\) (Node, Links):

is a finite graph consisting of a set Node of nodes and a connected function \(\mathbf{Links}: \mathbf{Node} \times \mathbf{Node} \rightarrow \{0,1\}\). Here, each node V included in Node corresponds to a network device, and an existence of an edge between any two nodes V and \(V'\), i.e., a connection between V and \(V'\), is defined as Links \((V, V')\) outputs 1.

ID:

is a set given by \(\{ 0, 1\}^*\) and defines a unique identifier for any device.

IDforNode:

is a function represented by \(\mathbf{ID} \rightarrow \mathbf{Node}\). Given any identifier \(ID \in \mathbf{ID}\) as input, it returns a device node \(V \in \mathbf{Node}\).

Routeto:

represents a transitive binary relation between any two routes. In particular, Routeto \(_V\) for each node \(V \in \mathbf{Node}\) describes relations between routes to an identifier ID corresponding to V.

Cost:

is a function defined by \(\mathbf{Node} \times \mathbf{Node} \rightarrow \mathbb { R}\), and outputs a cost in a real number required for communication between two nodes \((V, V') \in \mathbf{Node}\) given as input.

 

In this work, we define a route R as a permutation \((V_n, \cdots , V_1)\) consisting of n nodes for any \(n \in \mathbb {N}\) and any node s\((V_1, \cdots , V_n) \in \mathbf{Node}\). We call \(V_1\) in the permutation \((V_n, \cdots , V_1)\) as a source. Similarly, an index \(i \in [1,n]\) for each node means a distance from the source. More precisely, for any i, the number of hops for \(V_i\) from the source increases in proportion to the value of i. We say a node V prefers R rather than \(R'\) for any \(V\in \mathbf{Node}\) and two routes \((R, R')\) if \(R' \mathbf{Routeto}_V R\). We furthermore say \(R=(V_{n-1}, \cdots , V_{1})\) for any \(ID \in \mathbf{ID}\) is the j-th preferred route to \(V_n\) for if there are \(j-1\) routes \(R'\)s such that \(R' \mathbf{Routeto}_{V_n} R\) holds. Similarly, we say that R is the most preferred route for \(j=1\).

3.2 Topology-Based Routing Protocol

A topology-based routing protocol is an idealized protocol to deal with multiple routing protocol for sensor networks, and DSR can be discussed in the topology-based routing. As the details described in the next section, we briefly describe capability of the topology-based routing. In this protocol, there are two steps, the route discovery and the route maintenance. The route discovery is utilized to find a route to a destination node when a source node sends data. The availability of the found route can be checked via the route maintenance.

3.3 Route Discovery

Route Discovery is a function executed between multiple nodes. Each node \(V_i\) is given \((V_i, \mathbf{Neighbors}(V_i)\), \( \mathbf{Routeto}_{V_i}, \mathbf{Cost}, \{ ID_j \}_{j=1}^{i-1})\) as input, where \(\mathbf{Neighbors}(V_i)\) is a set of nodes which are neighbors of \(V_i\) and \(\{ ID_j \}_{j=1}^{i-1}\) is a set of identities whose nodes appear in a route from a source to \(V_i\). \(V_i\) then send a route request \((V_i, V_j, R, D, C, W, Aux)\) to all \(V_j \in \mathbf{Neighbors}(V_i)\), where R is a route as described in the previous section, D is a unique identifier of its destination defined in ID, \(C\in \mathbb {R}\) is a whole cost on R, \(W \in \{0, 1\}\) is a disappearance flag, and Aux is any auxiliary input to hold any additional input. For instance, information about the global positioning system (GPS) for vehicular ad hoc networks can be utilized as Aux. For any route request an error \(\bot \) only if \(V_i\) can discard the request. We say \(V_i\) accepts a route request if \(V_i\) does not discard the request.

3.4 Route Maintenance

Route maintenance is a function executed between multiple nodes. Each node \(V_i\) is given \((V_i, \mathbf{Neighbors}(V_i)\), \( \mathbf{Routeto}_{V_i}, \mathbf{Cost}, \{ ID_j \}_{j=1}^{i-1}, N, s)\) as input, where N is an expire date defined in an integer set \(\mathbb {N}\), s is state information defined in \(\mathbb {N}\). \(V_i\) sends a route information \((V_i, V_j, R, D, C, W, Aux)\) on a route R to all \(V_j \in \mathbf{Neighbors}(V_i)\), and then checks if \(V_j\) accepts the request. If so, \(V_i\) keeps the route and resets s. Otherwise, \(V_i\) increments s as \(s=s\,+\,1\) and sends the route information again until \(s \le N\). For \(s>N\), \(V_i\) discards the route information and returns \(W=1\) to its source node as disappearance of the route.

4 Dynamic Source Routing Protocol

The dynamic source routing (DSR) protocol is a routing protocol on ad-hoc networks. It does not require network infrastructures but is able to autonomously configure wireless networks. Algorithms of DSR are defined in the protocol described in the previous section in general. In this section, we define a routing table of DSR below and then describe functions extended from the definitions in the previous section.

4.1 Routing Table

Each device node V owns a routing table \(T_V\) to store route information. This \(T_V\) is defined as an bidimensional array \(T_V[i][j]\) for any integers \(i,j \in \mathbb {N}\), where each column i contains an identifier \(ID \in \mathbf{ID} \) and each row j contains the j-th preferred route to V.

4.2 Route Discovery

When any node V with an identifier ID starts with the route discovery, V sends a route request \((V, V', R=(ID)\), D, 0, 0, Aux) to \(V_j \in \mathbf{Neighbors}(V)\). Given the request \((V, V', R\), D, 0, CAux) by V, \(V_j \in \mathbf{Neighbors}(V)\) checks if R includes its own identifier \(ID_j\). If so, \(V_j\) discards the request and returns nothing. Otherwise, \(V_j\) executes the following processes:

  1. 1.

    For \(D=ID'\), return a route reply \((R,W=0,Aux)\) to a source.

  2. 2.

    For \(D\ne ID'\), set \(R= R \cup \{ ID' \}\) and \(C=C+ \mathbf{Cost}(V)\). Then, for any i, retrieve a cost \(C_i\) on the i-th preferred route to D from the routing table \(T_{V'}[D][i]\) and then compare it with C. If some i such that \(C > C_i \), then store the route request \((V, V', R\), D, 0, CAux) in \(T_{V'}[D][i+1]\) as the \((i+1)\)-th preferred route. If there is a route in \(T_{V'}[D][i+1]\) already, then previously set \(T_{V'}[D][j+1] =T_{V'}[D][j]\) for any \(j \ge i+1\).

4.3 Route Maintenance

Each node V retrieves route information \((V, V_j, R, D, C, 0, Aux)\) from a routing table \(T_V [D][i]\) for any destination \(D \in \mathbf{Node}\) and any \(i \in \mathbb {N}\). Then, set state information \(s=0\) and the route information to \(V_j \in \mathbf{Neighbors}(V)\) as a request. If \(V_j\) accepts the request, then V resets s and keeps \(T_V [D][i]\). Otherwise, V sets \(s=s\,+\,1\) and sends the request again until \(s \le N\). For \(s > N\), V sends \(W=1\) as disappearance of the route to a source node, and then sets \(T_V [D][i]=T_V [D][i\,+\,1]\) for all i.

5 Application to Secure Routing Protocols

In this section, we briefly describe intuition that our formalization includes secure routing protocols where the validity of routing information can be guaranteed by cryptographic schemes [12, 24]. We also describe several secure routing protocols as instantiations.

5.1 Overview of Secure Routing Protocols

The overhead due to the use of cryptographic schemes is sometimes large, but their guarantee of the security is quite useful. These cryptographic schemes are able to provide the provable security under both reasonable assumptions and their reduction proofs. In general, a secret key to generate message authentication codes (MAC) or digital signatures is unknown information except for a node which generates route information. Hence, the validity of the route information can be guaranteed by verification of these schemes.

Our formalization described in the previous section contains such secure routing protocols. In particular, each intermediate node v generates MAC or digital signatures on (RDC) included in route information and then can append it as a part of Aux. For the use of MAC, since a forwarding node shares a key for MAC with its received node, the received node can verify the validity of the information from the neighbor. For the use of digital signatures, a received node can verify digital signatures whereby each intermediate node appends not only their signatures but also public key identifiers in Aux. These constructions are applicable to both the route discovery and the route maintenance although we omit the detail due to the page limitation.

5.2 Instantiations of Secure Routing Protocols

Secure routing protocols are roughly classified into two constructions, MAC-based construction and digital-signature-based construction. In the both constructions, the validity of routing information can be guaranteed because their authenticators are generated. Since MAC are quite faster and need lower memories than digital signatures, the conventional secure routing protocols in wireless sensor networks have adopted MAC [3, 12, 13, 21, 25]. In spite of this fact, many secure routing protocols with digital signatures have been proposed [7, 8, 17, 22] in more recent years. Indeed, European Telecommunications Standards Institute (ETSI) has suggested the use of digital signatures for IoT services in order to provide publicly verifiability [11].

We hereinafter describe several major protocols. Papadimitratos and Haas [21] proposed the secure routing protocol (SRP). Next, Hu et al. [12, 14] have proposed Ariadne with both MAC and digital signatures. While SRP deals with authentication for only a source and a destination, Ariadne enables intermediate nodes to authenticate route information in order to prevent threats by malicious intermediate nodes. As more recent results, Gosh and Datta [8] have proposed the secure dynamic routing protocol (SDRP) via short signatures by Boneh et al. [5]. These are mainly for DSR and thus become strict applications of our definition. In particular, MAC and digital signatures for each protocol are sequentially attended in a part of packets. They can be then embedded into Aux of our definition as described above in a manner of \(Aux = Aux \bigcup \{(R_i,D, C, x)\}\), where \((R_i, D, C)\) are parts of route information such that \(R_i = (V_i, \cdots , V_1)\) for any i and x represents a set of MAC and/or digital signatures.

Meanwhile, as a furthermore application, our definition is extendibles to the ad hoc on-demand distance vector (AODV), which utilizes sequence numbers to strengthen the availability. In particular, the sequent numbers are utilized to represent a unique identifier for each entry in a routing table, and then can be embedded into Aux as a part of route information in a manner of \(Aux = Aux \bigcup \{(R_i,D, C, S_i)\}\), where \(S_i\) is a sequence number related to \(R_i\). There are several secure routing protocols for AODV. For instance, Zapata and Asokan proposed the secure ad hoc on-demand distance vector (SAODV) protocol with both MAC and digital signatures. Next, Sangiri et al. [22] pointed out the vulnerability of SAODV and then proposed the authenticated routing for ad hoc networks (ARAN) by utilizing public key cryptography. Gosh and Datta [7] have proposed the identity-based secure ad hoc on-demand distance vector (IDSAODV) from sequential aggregate signatures [18] to combine individual signatures into a single signature. The most recent result is secure routing protocols by Muranaka et al. [19], which is closed to IDSAODV but is almost generic. MAC and digital signatures in these schemes can be also embedded in a similar manner of the secure protocols for DSR, i.e., \(Aux = Aux \bigcup \{(R_i,D, C, S_i, x)\}\).

We leave as a future work to prove the security of these protocols.

6 Conclusion

In this work, we formalized a specification of DSR, which is a routing protocol on sensor networks, towards the provable security. Although we focused on DSR, our definition can be extended into a class of topology-based routing protocols and ad-hoc networks. Meanwhile, our definition is far from routing protocols in other network layers. This is consistent with our motivation, i.e., formalization of specifications of existing protocols. Our future work is to prove the security of the existing secure routing protocols.