A Secure IPv6-based Urban Wireless Mesh Network (SUMNv6)

Computer Communications 31 (2008) 3707–3718

Contents lists available at ScienceDirect

Computer Communications

journal homepage: www.elsevier .com/locate /comcom

A Secure IPv6-based Urban Wireless Mesh Network (SUMNv6)

Ramanarayana Kandikattu *, Lillykutty JacobElectronics and Communication Engineering Department, National Institute of Technology, Calicut 673601, India

a r t i c l e i n f o

Article history:Received 29 March 2008Received in revised form 7 July 2008Accepted 7 July 2008Available online 13 July 2008

Keywords:HandoverMobilityReturn Routability testRoute OptimizationSecurityWireless Mesh Network

0140-3664/$ - see front matter � 2008 Elsevier B.V. Adoi:10.1016/j.comcom.2008.07.003

* Corresponding author. Tel.: +91 495 2286700; faxE-mail addresses: [email protected], p

dikattu).

a b s t r a c t

Security and fast handover are the two major concerns for the existence of Wireless Mesh Network(WMN). Existing solutions for Internet access by mobile users – Mobile IPv6, and its enhancements suchas HMIPv6, F-HMIPv6 and HCF – have been designed to improve the handover latency without any lightweight security considerations. The Route Optimization (RO) of MIPv6 introduces new security threatsand the Return Routability (RR) test is only a weak solution for MIPv6 supplemented Internet. This paperproposes a secure F-HMIPv6-based framework to WMN that offers secure and fast handover as well assecure RO. The proposed framework addresses the security threats to both MIPv6 and WMN, improvesthe security of the existing RR test, and uses efficient key management. It is designed to enable secure,fast, and efficient signaling and communications for mesh clients within WMN as well as with outsideworld. This paper presents detailed cost analysis and numerical results to compare the proposed schemewith HMIPv6.

� 2008 Elsevier B.V. All rights reserved.

1. Introduction

Wireless Mesh Network (WMN) [1] is expected to play a majorrole in future anywhere-anytime communications. WMNs have re-ceived significant attention by the research community as well asby the industry and standard organizations because, they offerthe flexibility of wireless access, combined with a high coveragearea, reliability, and cost efficiency. WMN has been advocated asmajor component of the next generation Internet. It comprisesdedicated backbone wireless routers and gateways to offer lastmile broadband connectivity to the mesh clients. The demand fora variety of wireless applications that require a mesh network isexploding. Typical applications are, broadband home network,enterprise network, community network, metropolitan area net-work, intelligent transportation network, Industrial automationnetwork, sensor network, and emergency or rescue networks [1].

Users of WMN demand seamless Internet access while they arein move. This requires frequent handover from one WMN domainto another WMN domain. MIPv4 [2] and MIPv6 [3] give solution forIP support to mobile users. MIPv6 and its subsequent improve-ments such as HMIPv6 [4], FMIPv6 [5], F-HMIPv6 [6], and HCF[7] have been proposed to improve handover performance. Secu-rity is another important concern for the existence of WMN. MIPv6based protocols offer IPSec [8] based security. IPSec helps only inend-to-end authentication and security between two networkentities that already have the security association between them.

ll rights reserved.

: +91 495 [email protected] (R. Kan-

Without some pre-established security associations, especiallyover wireless and dynamic connections, building low-cost securechannel is still a challenge. IPv6 and its security extensions donot address the problem of handling public key infrastructure ina very large scale with many dynamic communication channels.Rapid changes in the network topology make the job even harder.Roaming mesh clients may not have the prior security associationsand trust relations among themselves. Considering these facts, it isnecessary to address key setup procedure, secure and fast mobilitymanagement architecture suitable for WMN.

Route Optimization (RO) is a built-in feature of MIPv6 thatavoids triangular routes between mobile node and correspondentnode. Though, RO improves network performance it invites newsecurity threats not only to MIPv6 network but also to the wholeInternet [15,16]. MIPv6 standard uses an infrastructure-less solu-tion called Return Routability test (RR test) [5] to make ‘MIPv6 sup-plemented Internet’ at least as safe as ‘IPv4 based Internet withoutmobility’. Though RR test eliminates many potential attacks onInternet, but still leaves certain weak links which allow smartattackers to carryout attacks.

This paper proposes a secure Wireless Mesh Network architec-ture called SUMNv6 that addresses both secure fast handover andimproved RO security. This paper has three major contributions.The first is the application of Identity-Based Cryptography (IBC)for public-private key setup and pair-wise shared key setup amongthe participating nodes in WMN to promote security. The secondcontribution is in providing mechanisms for ‘secure handover tosupport micro-mobility and macro-mobility’ in the realistic futurebroadband WMN that is assumed to be operated by different oper-ators, controlling several wireless domains, which are either geo-

mailto:[email protected]

mailto:[email protected]

http://www.sciencedirect.com/science/journal/01403664

http://www.elsevier.com/locate/comcom

3708 R. Kandikattu, L. Jacob / Computer Communications 31 (2008) 3707–3718

graphically adjacent or non-adjacent to each other. The third con-tribution is the design of an enhanced RR test suitable for SUMNv6.

The rest of the paper is organized as follows. Section 2 gives anoverview of preliminaries. Section 3 presents a detailed descriptionof the proposed framework. Section 4 presents a simple securityanalysis. Section 5 gives a detailed cost analysis and numerical re-sults to compare the proposed protocol with HMIPv6 protocol. Fi-nally Section 6 presents the conclusion and future work.

2. Background and related work

2.1. Mobile IPv6

Mobile IPv6 (MIPv6) [3] has been designed to facilitate mobilitysupport for mobile nodes in a IPv6-based wireless LAN integratedwith Internet. Route Optimization and IPSec based security arebuilt-in features of MIPv6, whereas these are non-standard exten-sions of MIPv4. The stateless address auto-configuration andneighbor discovery features in MIPv6 eliminate the need for For-eign Agents (FAs). According to MIPv6, a Mobile Node (MN) canlearn of its arrival to a new foreign network by receiving the RouterAdvertisements (RAs). If it is in a foreign network, MN can config-ure its Care-of Address (CoA) taking the foreign network prefix asthe first 64 bits and its MAC address in EUI-64 format as theremaining 64 bits using stateless address auto-configuration tech-nique. Then, the MN can register the CoA with its Home Agent (HA)by sending Binding Update (BU) message. HA records the bindinginformation between MN’s home address and CoA in binding cacheand then responds MN with Binding Acknowledgment (BA) mes-sage. After building the binding entry for the MN, the HA usesproxy neighbor discovery to intercept data packets routed to theMN’s home address and tunnel them to the MN’s current CoA.

The Route Optimization needs every MN to register its CoAbinding information with all its Correspondent Nodes (CNs). Thisallows a CN to send packets directly to a MN without the help ofthe HA. MIPv6 protects all the control packets such as BU, BA, usingIPSec. A security procedure called Return Routability (RR) test isused to authorize the establishment of binding with CNs.

MIPv6 does not address the security association and key setupprocedure among the participating entities. For highly mobileapplications that need frequent handover, MIPv6 is not a suitablesolution because it degrades overall efficiency of the networkdue to packet loss and handover latencies.

2.2. Hierarchical Mobile IPv6 (HMIPv6)

Hierarchical Hierarchical Mobilev6 (HMIPv6) [4] is an enhance-ment of Hierarchical Mobilev6 that reduces handover latency. Itintroduces a new entity called Mobile Anchor Point (MAP), whichis a mobility agent that manages many Access Routers (ARs). EachAR is interfaced with many Access Points (APs) covering a subnet.Thus, each MAP domain covers a larger geographical area compris-ing many subnets. MAP is the default gateway router to all the MNswithin its domain.

According to HMIPv6, each mobile node is addressable by a on-Link Care-of Address (LCoA) and a Regional Care-of Address (RCoA).LCoA gives the link or subnet to which it is attached, where asRCoA gives the mobile node’s current MAP domain.

When a mobile node enters a new MAP domain, it receives rou-ter advertisements containing MAP’s information and it configuresits RCoA and LCoA. It sends BU message to register its new RCoAwith its HA and all CNs, and also registers its LCoA with MAP. HAtunnels the first packet destined to MN to its new RCoA. ThenMAP at RCoA tunnels the packet to the MN’s LCoA. Through ROthe subsequent packets are directly routed to RCoA. When the

MN moves to a different link in the same MAP domain, it requiresto register new LCoA with MAP. RCoA does not change as long asmobile node is in the same MAP domain. HA outside the MAP do-main knows only inter-domain movements of mobile nodes. Thus,HMIPv6 reduces the signaling overhead by limiting the binding up-date with local MAP for intra-domain handover.

However, HMIPv6 does not address any key distribution andsecurity association among different entities. Though HMIPv6 con-siders the delay saving due to location update, it does not considerany specific mechanism to reduce delay incurred in movementdetection and address auto-configuration.

2.3. Fast handover for MIPv6 (FMIPv6)

Handover mechanism involves three components: movementdetection, IP address configuration, location update. As FMIPv6[5] does not use a hierarchical mobility management architecturelike HMIPv6, it does not address location update latency. But it re-duces the latency due to the other two. According to FMIPv6 pro-tocol, a MN while in move gets the prospective next routerdetails either using link layer specific mechanisms like scan orusing special router discovery mechanisms. Then computes theprospective new CoA before handover takes place. This prior infor-mation reduces delays incurred in movement detection and ad-dress auto-configuration. FMIPv6 allows bidirectional tunnelingbetween previous access router and new access router to avoidpacket loss during binding update. This process makes real timeapplications transparent to handover. FMIPv6 gives a better mech-anism than MIPv6 to support real time traffic at the expense ofmore signaling overhead.

2.4. Fast handover for HMIPv6 (F-HMIPv6)

Fast HMIPv6 employs both the hierarchical structure of HMIPv6and improved movement detection and address auto-configura-tion of FMIPv6, with reduced signaling and processing overhead.In FMIPv6, MNs exchange signaling messages with ARs for move-ment detection and fast handover, where as in F-HIMPv6 [6]MNs exchange these messages with MAP.

2.5. Handover Control Function (HCF) based handover for MIPv6

HCF [7] is also an enhancement for MIPv6 to support fast hand-over. HCF based MIPv6 uses an entity called handover control func-tion similar to MAP in HMIPv6. HCF maintains a record ofinformation regarding network prefix of its attached ARs andMAC addresses of all the APs under its control. HCF based networkuses network-assisted handover, wherein a MN that requires fasthandover, gets the information about the MAC addresses of APsin its vicinity and their signal strength. MN informs these detailsto the associated HCF. Then HCF decides to which AR the MNshould associate with based on MN’s service conditions, and sendsthe new AR information to MN. Then MN configures its new CoAbased on new AR’s network prefix. This framework uses the factthat the configured CoA is unique globally, because it is based onits globally unique MAC address. Thus HCF avoids Duplicate Ad-dress Detection (DAD) [2] and thereby saves delay in processingDAD.

2.6. Security issues in MIPv6 and its enhancements

The prominent security issue in MIPv6 design is the RO securitybecause MIPv6 assumes no security association between the MNand a random CN. This gives room for various attacks on MIPv6nodes as well as on the Internet. MIPv6 designers assume that itis not feasible to build a global authentication infrastructure.

R. Kandikattu, L. Jacob / Computer Communications 31 (2008) 3707–3718 3709

But, authors of [13] argue the feasibility of building a globalauthentication infrastructure. This argument is based on the factthat IPv6 addressing is hierarchical in nature. In [13] authors illus-trate the procedure as follows: every MIPv6 node is administra-tively connected to its home domain. By cryptographicallyconnecting related fragmented individual administrative domainsto their upstream service providers, and then connecting upstreamservice providers to next level aggregator, and then connectingNext Level Aggregator (NLA), to Top Level Aggregator (TLA), con-structing a hierarchical security infrastructure is possible. Sincetop level aggregators belong to tier-1 ISPs and their number is lessand have strong security association among them, building globalinfrastructure is practicable.

In the global security infrastructure explained above, authenti-cation of a MN requires authentication of a hierarchy of adminis-trators either using Certificate-Based Cryptography (CBC) orIdentity-Based Cryptography (IBC). CBC requires verification of cer-tificates and signatures of hierarchy of all administrators. This pro-cess incurs heavy processing and communication overhead andcauses delay. It may not support real time or seamless handoverwhile the mobile is on move across domains, which challengesthe very purpose of handover.

Return Routability test (RR test) [15] is an infrastructure-lesssolution and has two components, Home address Test (HoT) andCare-of address Test (CoT). These tests ensure that the mobilenode’s home address and care of address are the same as what itclaims to be. RR test is a simple and elegant method that uses min-imal computations at both CN and MN side. Though RR test cannotcompletely rule out the possibility of attacks, it drastically reducesthe number of malicious nodes and restricts their locations.

Secure HMIPv6sec [22] is a security extension to HMIPv6 proto-col. This is based on a mechanism called Cryptographically Gener-ated Addresses (CGA) [14]. CGA is a technique whereby aninterface part of IPv6 address of a node is cryptographically associ-ated with node’s public key and some other parameters. But CGAsthemselves are not certified. Therefore, a malicious node can gen-erate CGA using its public key. This protocol also allows nodes touse its self generated public–private key pair and does not requiretrusted third party. Even though the IP address and public key arecryptographically associated, if the public key is not certified byany trusted authority then the association between public keyand node cannot be verified. Malicious node can generate itsown public–private key pair and can enter the network and thenaccess the resources illegally.

In summary, secure RO has two different solutions: an infra-structure-less and lightweight solution that still gives room forvarious attacks [17]; an infrastructure based solution that cannot meet the real time handover latency requirements. Therefore,secure RO is still an open research problem. Our proposed SUMNv6adopts RR test without any changes at CN side but uses the advan-tage gained by secure mesh network architecture. This solution re-duces the possibility of attacks on RO by minimizing weak links.Further, it uses IBC to simplify the key setup.

2.7. Identity-Based Cryptography—preliminaries

Conventional certificate-based cryptography requires a lengthy(typically 1K Byte) certificate to distribute the public key amongthe participating nodes. In the WMN scenario, the certificate ispiggy-backed on the control packets to distribute public key. Thismethod incurs heavy routing overhead, network bandwidth andcomputational resources.

IBC eliminates the need for certificates because public key of anauthorized participating node can be extracted from the identity ofthat node. Moreover IBC allows any pair of authenticated clients togenerate pair-wise shared key if their identities are known to each

other. Shamir introduced the concept of IBC [10]. Later Boneh et al.proposed a basic Identity-based signature scheme [11] and pre-sented Identity- based encryption scheme using pairing technique[12]. These schemes are based on bilinear maps using Weil or Tatepairing, defined over super singular elliptic curves. The introduc-tion of IBC revolutionized public key cryptography and openednew methods for distributing keys in pervasive and ubiquitousnetworks. A good survey on pairing-based cryptographic protocolsis provided by [9]. The following gives an overview of the basics ofpairing technique.

2.7.1. Bilinear pairingLet G1 be an additive group and G2 be a multiplicative group of the

same prime order q. Let P be an arbitrary generator of G1: Assumethat the discrete logarithm problem is hard in both G1 and G2:A map-ping F : G1 � G1 ! G2 satisfying the following properties is called acryptographic bilinear map as defined by Boneh et al. [11].

– Bilinearity: FðaP; bQÞ ¼ FðP;QÞab ¼ FðaP;QÞb ¼ FðP; bQÞa for allP;Q 2 G1 and a; b 2 Z�q, where Z�q ¼ f1;2; . . . . . . q� 1g.

– Non-degeneracy: If P is a generator of G1, then FðP; PÞ is the gen-erator of G2; in other words FðP; PÞ 6¼ 1.

– Computability: There exists an efficient algorithm to computeFðP;QÞ for all P;Q 2 G1.

Modified Weil and Tate pairings on an elliptic curve over a finitefield are examples of cryptographic bilinear maps.

2.7.2. IBC algorithmsIBC requires a trusted authority called Private Key Generator

(PKG). User submits any arbitrary bit string (e.g., IP address, e-mail) as its ID to PKG in order to obtain its private key. User can ex-tract its public key from its ID either directly or by applying a do-main hash function on it as per the rules stipulated in theemployed IBC system. An IBC system consists of the followingimportant algorithms:

– Setup: PKG generates domain parameters that are publiclyknown while the master key is kept secret.

– Extract: PKG generates private key corresponding to user’s IDusing its master key.

– Encrypt: User-1 encrypts the message using User-2’s public key,which is generated from User-2’s ID using a publicly knownfunction.

– Decrypt: User-2 decrypts the message using its private key.
– Signature: User-1 appends signature that is calculated over the
message using its private key.
– Verify: User-2 verifies User-1’s signature using User-1’s public
key that is extracted from User-1’s identity.

User-1 and User-2 are any two authorized IBC-entities havingknowledge of domain parameters. The survey by Dutta et al. [9]and the references therein provide more detailed description aboutvarious pairing based cryptographic protocols.

3. Proposed framework: Secure Urban Mesh Network (SUMNv6)

Secure Urban Mesh Network (SUMNv6) adopts the hierarchicalstructure and fast handover mechanisms that are used in F-HMIPv6. It is a secure version of F-HMIPv6 applied to WMN. Ithas efficient key management and relatively strong RO security.The hierarchical structure of SUMNv6 is shown in Fig. 1 and thenotations used in this framework are given in Table 3.

Each operator’s wireless network may contain a single regionaldomain or many regional domains that are either physically

Fig. 1. Secure Urban Wireless Mesh Network (SUMNv6).


adjacent to each other or isolated. Each regional domain containsthe hierarchical structure shown in Fig. 1. Regional Agent (RA), Lo-cal Agent (LA) and Access Point (AP) in this framework are func-tionally similar to Mobility Anchor Point (MAP), Access Router(AR) and Access Point (AP) defined in HMIPv6, respectively.SUMNv6 assumes that all the RAs and LAs are static or less mobileforming backbone network to support inter-mesh and mesh-Inter-net communications.

3.1. IP address setup

Unlike F-HMIPv6, SUMNv6 uses truly hierarchical addressstructure. According to MIPv6, IP address contains a 64-bit net-work prefix and 64-bit interface part. As per MIPv6, if each LAand its subnet in a regional domain is addressed by a different net-work prefix, they may use only a small portion of 64-bit addressspace and lot of address space may left unused. SUMNv6 addressesthis issue and uses the address space optimally: Each RA uses 64-bit uniquely routable network prefix. The corresponding addressspace is divided into two parts. One part with MSB ‘0’ followedby 63-bit space is allotted for RA, home address of MC, and regionalCare-of Address of MC. While the other half with MSB ‘1’ followedby 63-bit space is allotted for LA and LCoA of MC. This is illustratedin Table 1.

Each operator is identified by a unique 16-bit identifier withMSB set to zero. Each LA has an associated 16-bit identifier withMSB set to one. An LA, which is serving under a RA, uses the samenetwork prefix as that of RA followed by its associated 16-bit iden-tifier. Serving RA’s network prefix followed by LA’s 16-bit identifier(64 + 16 = 80 bits) serves as the extended network prefix to the LAwhich is unique within the regional domain. LA advertises ex-tended network prefix in its router advertisements withinSUMNv6. Therefore SUMNv6 allows each RA to serve 215 � 1 differ-ent LAs and each LA to serve 248 � 2 different APs and MCs, thusproviding efficient address utilization than the IPv6 standard. Inthis architecture, RA’s IP address and MC’s HoA/RCoA carry addi-tional information about its operator. Similarly, MC’s LCoA carriesadditional information about its serving LA. The extended networkprefix based addressing scheme used in SUMNv6 is transparent tothe outside world. Packet from any Internet node destined to MC,first reaches the concerned RA with the help of 64-bit unique net-work prefix. The RA routes the packet to the concerned LA with thehelp of 16-bit LA identifier embedded in the LCoA address of MC.The LA then forwards the packet to the concerned MC with thehelp of its unique MAC address. For efficient routing among themesh LAs SUMNv6 requires an intra-domain routing protocol,which is assumed to exist.

The concepts of LCoA, RCoA, HoA are the same as that ofHMIPv6 except for the change in address structure.

HoA is the permanent IP address of a mesh client. HoA is formedby concatenating its home network prefix (64 bits), operators iden-tifier (16 bits), and its MAC address (48 bits). MC is known to theoutside world by this address. Any packet addressed to MC’s HoAfirst reaches its HA through conventional IP routing. HA uses itsbinding cache to locate MC’s LCoA/RCoA and forwards the packet.

LCoA and its configuration: From the router/LA advertisements, aMC gets LA’s extended network prefix and ID. By comparing the first64 bits of received extended network prefix with its home networkprefix MC can check whether it is in home domain or foreign domain.Then it can also ensure whether the network operator is same as itsregistered operator by verifying operator identifier in the LA’s ID.This paper considers a single operator case. SUMNv6 can be ex-tended to multiple operators with inter-operator services as well.

When MC is in the home domain, it configures LCoA by concat-enating LA’s extended network prefix (80 bits) and its MAC address(48 bits) and sends the binding update to its RA, i.e., in this case it isHA. RA/HA records HoA, LCoA association in its binding cache. MCneeds to send binding update periodically to renew its locationinformation with RA/HA.

RCoA and its configuration: When MC is in a foreign domain butoperated by its registered operator then MC has to configure RCoAalso in addition to its LCoA. LCoA configuration is similar to theprocess explained above. MC sends the LCoA binding update toits RA (in this case it is FA). MC configures RCoA by concatenatingnetwork prefix, operator’s identifier and its MAC address. MC reg-isters its RCoA binding with HA. RCoA binding update is used forregistering macro-mobility and LCoA binding is for registering mi-cro-mobility. HA is transparent to MC’s micro-mobility within theforeign network and is informed only when movement takes placeacross regional domains. Local mobility within the regional domainis managed by RA itself.

In SUMNv6, LCoA and RCoA addresses of a node are unique be-cause they use unique MAC address, therefore Duplicate AddressDetection (DAD) process is not required at RA. Thus SUMNv6 savesdelay in performing DAD.

3.2. Identity setup

SUMNv6 requires each entity to get identity, private key, IBCdomain certificate, before entering the network. Operator issuesthem to the registered entity such as MC, LA, and RA by some se-cure means after thorough verification. Table 2 gives the identitystructure used and Table 3 gives the notations used. The freshnessof identity is decided by the expiry time.

3.3. IBC Operations

3.3.1. Domain parameter setupIBC requires a trusted third party called Private Key Generator

(PKG) to generate the public-private key pair corresponding toeach node’s identity using pairing based mechanisms. In SUMNv6,operator does the role of trusted third party. It performs the fol-lowing domain-parameter initialization:

– Generates the pairing parameters ðq;G1;G2; F; P;H1Þ.
– Picks a random s 2 Z�q as domain secret and computes domain-
public key as Ppub ¼ s:P.

We use the domain-parameters ðq;G1;G2; F; P;H1; PpubÞ; and de-fine the domain certificate as: (domain-parameters, s:H1 (domain-parameters). The operator must keep ‘s’ confidential, while makingdomain-certificate publicly known. All the entities under an oper-ator use the same domain parameters. The concept of bilinearity gi-

Table 1SUMNv6 IP address structure

Table 3Notations

Symbol Meaning Data structure

Ok Operator k Operator’s 16-bit identifierRAj;k RA j controlled by operator k RA’s IP addressLAi;j;k LA i under RA j controlled by

operator kLA’s IP address

MCi;j;k MC i under RA j controlled byoperator k

MC’s IP address(HomeAddress)

ID Identity —m;n bitwise concatenation of message

segments m and n—

IDRAj;kidentity of RAj;k ðRAj;k , operator’s identifier,

expiry time)IDLAi;j;k

identity of LAi;j;k ðLAi;j;k , operator’s identifier,expiry time)

IDMCi;j;kidentity of MCi;j;k ðMCi;j;k , operator’s identifier,

expiry time)HOk

1 Domain hash function H1 ofoperator k

—

Domain� certOkDomain certificate of operator k —

sOk Domain secret s of operator k —K�1

RAj;kPrivate key of RAj;k sOk :HOk

1 ðIDRAj;kÞ

KRAj;kPublic key of RAj;k HOk

1 ðIDRAj;kÞ

K�1LAi;j;k

Private key of LAi;j;k sOk :HOk1 ðIDLAi;j;k

ÞKLAi;j;k

Public key of LAi;j;k HOk1 ðIDLAi;j;k

ÞK�1

MCi;j;kPrivate key of MCi;j;k sOk :HOk

1 ðIDMCi;j;kÞ

KMCi;j;kPublic key of MCi;j;k HOk

1 ðIDMCi;j;kÞ

A! �: m Entity A broadcasts message m —A! B: m Entity A unicasts message m to

entity B—

m; SignK�1AðÞ Signature of entity A over message

m—

seqX Sequence number of node X 32-bit numberKX�Y Shared key between node X and

node Y—

MICX�Y Hash(KX�Y , message) —


ven in Section 2.7 allows checking the legitimacy of the domainparameters, by validating the domain certificate as follows:FðP; s:H1 (domain-parameters))=Fðs:P;H1 (domain-parameters))=FðPpub;H1 (domain-parameters)).

3.3.2. ExtractOperator generates public key from the ID of its entity by apply-

ing domain hash on it, and computes the corresponding private keyby multiplying public key with domain secret s. The public-privatekey pair for RA, LA, MC are generated as follows:

KRAjk¼ HOk

1 ðIDRAjkÞ

K�1RAjk¼ sOk :HOk

1 ðIDRAjkÞ

KLAijk¼ HOk

1 ðIDLAijkÞ

K�1LAijk¼ sOk :HOk

1 ðIDLAijkÞ

KMCijk¼ HOk

1 ðIDMCijkÞ

K�1MCijk¼ sOk :HOk

1 ðIDMCijkÞ

Note that, the superscript Ok is used to denote operator k0s domainparameters.

3.3.3. Pair-wise shared key setupOnce registered entities (e.g., MC1;1;1 and MC2;1;1) in an adminis-

trative domain are equipped with their ID, domain parameters, andpublic-private key pair, then they can establish pair-wise sharedkey with each other using bilinearity as given in (1).

KMC1;1;1 ;MC2;1;1 ¼ FO1 ðK�1MC1;1;1

;HO11 ðIDMC2;1;1 ÞÞ

¼ FO1 ðsO1 :HO11 ðIDMC1;1;1 Þ;H

O11 ðIDMC2;1;1 ÞÞ

¼ FO1 ðHO11 ðIDMC1;1;1 Þ; sO1 :HO1

1 ðIDMC2;1;1 ÞÞ

¼ FO1 ðHO11 ðIDMC1;1;1 Þ;K

�1MC2;1;1

Þ ¼ KMC2;1;1 ;MC1;1;1 ð1Þ

3.4. SUMNv6 signaling and security

SUMNv6 has two aspects of security: (i) security of signalingand data messages within the mesh network; (ii) authenticationand authorization of BU and BA during the RO process. IBC allowsonly authorized clients to take part in WMN communications. IBCbased shared key setup allows secure data packet communicationamong different mesh clients. The secure binding update with CNis based on the same assumption as in standard MIPv6, i.e., there

Table 2Identity structure of different entities in SUMNv6

is no security association between MC and a random correspon-dent node and there is no globally trusted infrastructure to supportsecure RO. SUMNv6 registration (binding update) process with HA/RA is illustrated in Fig. 2.

As soon as a MC is powered on, it first identifies its currentregional domain with the help of LA advertisements. LA period-ically broadcasts (link local multicasts) agent advertisementthrough all APs connected to its interfaces. Agent advertisementcontains its ID, i.e., IDLAijk

; domain� certOk, and a sequence num-

ber seqLAijk. It appends its signature over the entire message with

its private key K�1LAijk

as in (2). Note that SUMNv6 uses sequencenumber to protect the message from replay attacks. Node incre-ments sequence number by one each time it sends the similarmessage, e.g., LAijk increments seqLAijk

each time it generates anew advertisement.

LAijk ! � : IDLAijk; domain� certOk

; seqLAijk; SignK�1

LAijk

ðÞ ð2Þ

All the MCs which are at one hop distance from the LA can receivethe message. Upon reception of advertisement of LAijk by MC1;1;1, itfirst determines whether it is in the home domain or foreign do-main by comparing its network prefix and operator codes with that


of the agent LAijk. Note that LA’s ID itself contains its extended net-work prefix with embedded operator identifier. If it is in the sameoperator’s domain, it performs the following operations in se-quence: (i) checks whether the message is fresh with the help ofseqLAijk

; (ii) ensures that LAijk is not expired, by examining the ex-piry-time field; (iii) verifies the signature; If all these checks are sat-isfied, then MC1;1;1 authenticates agent LAijk. If MC happens toreceive the advertisement first time from that LA, then it cannotcheck (i); in that case it verifies (ii) and (iii) and if they are validthen MC creates a table to record LA’s ID, seqLAijk

and delete-time.Delete-time is the time after which the entry is deleted from the ta-ble. The following two cases can exist depending upon MC’s currentRA.

3.4.1. Home RA-Secure LCoA registrationIf MC1;1;1 is in its home domain, it configures LCoA as explained

in Section 3.1 and sends local binding update (LBU) as in (3)

MC1;1;1 ! LAijk : LBUðHoA; LCoAÞ; IDMC1;1;1 ;

domain� certO1 ; SignK�1MC1;1;1

ðÞ ð3Þ

LA does the following, after receiving the registration request: (i)checks if the message is fresh by checking sequence number inthe BU; (ii) ensures that the ID is not expired by verifying the expirytime; (iii) validates the signature; and, (iv)verifies whether LCoA isconfigured according to the current location by tallying its extendednetwork prefix with that of MC and also compares MAC address inthe ID with that in LCoA.

Fig. 2. Secure Location update and

These verifications ensure that: (i) the MC is an authorizednode; (ii) the request is fresh; and, (iii) LCoA is configured correctlyaccording to the MC’s current point of attachment. If all the verifi-cations are satisfactory then LA forwards this update as in (4) to itsassociated RA through secure channel between them otherwise itdrops the request.

LAijk ! RA : LBUðHoA; LCoAÞ; MICLAijk�RA ð4Þ

It is assumed that all the RAs and LAs under an operator estab-lish pair-wise shared keys among themselves and establish securechannel between each pair as soon as WMN is formed. LA/RA useskeyed Message Integrity check Code (MIC) to protect integrity ofcontrol packet. RA verifies the request and creates a binding entryin its binding cache and records the association between MC’s HoAand LCoA with expiry time. Each MC registered under RA shouldupdate its location information as and when MC moves to anotherlink in the same RA or before the lapse of expiry time, otherwiseentry will be deleted from RA’s cache. RA sends all the packetsmeant for a MC with the help of binding information. RA respondswith Binding Acknowledgment (BA) to MC. Note that, the LA doesthe BU signature verifications and responds with BA on behalf ofRA to reduce the computational overhead on RA. Since LA and RAhave mutual trust relations RA trusts the verifications done byLA. This distributed mechanism reduces computational load on RA.

3.4.2. Foreign RA-RCoA and LCoA registrationWhen MC moves away from its home region, it registers LCoA

with RA as explained in the previous subsection. In addition to that

fast binding update processes.

Table 4Entities involved and messages used in fast handover

NLA New local agentPLA Previous local agentNLCoA New on-link Care-of AddressPLCoA Previous on-link Care-of AddressRtSolPr Router solicitation for proxy advertisementPrRtAdv Proxy router advertisementFBU Fast binding updateFBACK Fast binding acknowledgmentLBU Local binding updateLBACK Local binding acknowledgmentHI Handover initiateHACK Handover acknowledgmentFNA Fast neighbor advertisement


it registers RCoA with HA. MC sends message (3) for LCoA bindingupdate and message (5) for RCoA update.

MC1;1;1 ! LAijk : BUðHoA;RCoAÞ; IDMC1;1;1 ;

MICMC1;1;1�HA;MICMC1;1;1�LAijk

ð5Þ

Upon receiving BU, serving LA verifies signature in (3) and authen-ticates MC. LA validates MIC in (5). Then it validates RCoA and LCoAaddresses based on MC’s location similar to the verification processdetailed in Section 3.4.1. This process avoids any malicious node tosend fake BU to any LA. LA drops such impersonated BU. Once BU isauthenticated then LA sends BU to its associated RA. LA sends mes-sages (4) and (6) one after another.

LAijk ! RA : BUðHoA;RCoAÞ; IDMC1;1;1 ;

MICMC1;1;1�HA;MICLAijk�RAð6Þ

Foreign RA verifies MICLAijk�RA and then sends the BU(HoA,RCoA)to MC’s HA after attaching its MICRA�HA as in (7).

RA! HA : BUðHoA;RCoAÞ; IDMC1;1;1 ;

MICMC1;1;1�HA; IDRAi;j;MICRA�HA

ð7Þ

HA verifies MICRA�HA of foreign RA and authenticates Foreign RA. Italso verifies MICMC1;1;1�HA. After satisfactory verification, home RA re-cords the association between MC’s HoA and RCoA in its bindingcache and then sends binding acknowledgment (BA) to foreign RAwith MICHA�RA as in (8).

HA! RA : BAðHoA;RCoAÞ; IDHA;MICHA�RA;

MICHA�MCð8Þ

Upon receiving BA, Foreign RA verifies MICRA�HA and on satisfactoryverification, it creates an entry in its binding cache and records theassociation between RCoA and LCoA, then it forwards BA to MC. MCthen verifies MICHA�MC and authenticates HA. MC then initiatesRoute Optimization with the CNs that it is currently communicatingwith, as detailed in the next subsection.

This process completes the binding update mechanism with HAand foreign RA. Binding process also ensures mutual authentica-tion of MC, Foreign RA and HA. It is to be noted that every RA com-putes its pair-wise shared key with its every neighboring RAsimilar to the pairwise shared key setup given in (1) and maintainsthe key list in a lookup table. RAs use MIC with their shared key forauthentication and data integrity check instead of signatures tosave delay and computational overhead. After binding update pro-cess, MC and RA generate pair-wise shared key among them. Thisprocess sets up secure channel between MC, Home RA and ForeignRA.

3.4.3. Fast handover in SUMNv6HMIPv6-based architecture reduces the signaling overhead

and delay associated with the BU in MIPv6. To support real timeapplications it is essential to reduce latency further. When a MCmoves from previous LA (PLA) to new LA(NLA) within a regionaldomain, fast handover described in [5] allows to complete move-ment detection and IP address auto-configuration while MC isstill associated with the PLA. This mechanism decreases hand-over latency further and reduces packet drop. But [5] has nomechanism to protect handover signals from attackers. SUMNv6provides security during fast handover. The secure fast handoverprocess described in this section is in line with that described in[5]. But uses IBC based security for protecting the control mes-sages such as: RtSolPr, PrRtAdv, FBU, HI, HACK, FBACK, LBU,LBACK. The entities and messages used in fast handover arelisted in Table 4 and the definitions of these messages are as gi-ven in [5]. Various steps involved in the secure and fast hand-over procedure are depicted in Fig. 2 and the procedure isdiscussed below.

(i) MC sends Router Solicitation Proxy (RtSolPr) to RA indicat-ing that it wishes to perform a fast handover to a newattachment point. The RtSolPr includes the informationabout the link layer address or identifier of the concernedNLA, which is derived from NLA’s beacon message. MCappends its ID and MICMC�RA to RtSolPr as in (9).

MC ! RA : RtSolPr; IDMC ;MICMC�RA ð9Þ

(ii) RA validates MICMC�RA and sends a Proxy Router Advertise-ment (PrRtAdv) message as response to MC as in (10). RAappends its ID and MICRA�MC to protect PrRtAdv message.PrRtAdv contains [AP-ID, LA-Info] tuple for the MC to usein NLA region. Note that, in SUMNv6, the RA knows theextended network prefix and link layer address of the asso-ciated NLAs.

RA! MC : PrRtAdv; IDRA;MICRA�MC ð10Þ

(iii) MC validates MICRA�MC , generates NLCoA with the help ofextended network prefix of NLA in PrRtAdv, and sends fastBinding update (FBU) message to RA. The FBU message con-tains NLCoA, PLCoA, IP address of the NLA. Additionally MCappends MC’s ID, hash(nonce,KMC�RA) called token1 andMICMC�RA to the FBU as in (11). Token1 is for authenticatingMC by NLA.

MC ! RA : FBU; IDMC ; token1;MICMC�RA ð11Þ

(iv) RA sends a HI message to the NLA to establish a bidirectionaltunnel. RA sends its ID, token1 and MICRA�NLA along with HIas in (12).

RA! NLA : HI; IDRA; token1;MICRA�NLA ð12Þ

In response to the HI message, the NLA sets up host route en-try for the MC’s PLCoA and then responds with a handover re-sponse (HACK) message. NLA uses MICNLA�RA to protect HACKmessage as in (13) and token1 to authenticate MC.

NLA! RA : HACK; IDNLA;MICNLA�RA ð13Þ

As a result, a bi-directional tunnel between RA and NLA isestablished. The NLA may cache those data packets flowingfrom the RA, until it receives Router solicitation (RS) message(possibly with FNA option) from the newly incoming MC.

(v) RA sends FBACK messages toward the MC over PLCoA andNLCoA as in (14). Then, the RA will begin to forward the datapackets destined to MC to the NLA by using the establishedtunnel.

RA! MCðPLCoAÞ=MCðNLCoAÞ : FBACK;

IDRA;MICRA�MCð14Þ

(vi) MC sends FNA message along with hash(token1, KMC�NLA)called token2 as in (15) to NLA.


Table 5Abbrevi

CNRR TestROCGAHOTICOTIHOTCOTN0N1K0K1Kbm

MCðNLCoAÞ ! NLA : FNA; IDMC ; token2;MICMC�NLA

ð15Þ

Upon reception of (15), NLA computes hash(token1, KMC�NLA)and compares with token2 received in (15). If both are samethen NLA authenticates MC and then delivers the buffereddata packets to the MC over NLCoA, otherwise drops the FNA.

Fig. 3. Secure route optimization.

(vii) MC then follows the normal HMIPv6 procedures by sendinga Local Binding Update (LBU) to RA, as per HMIPv6. Whenthe RA receives the new Local Binding Update with NLCoAfrom the MN, it stops the packet forwarding to NLA and thenclear the tunnel established for fast handover.

(viii) In response to LBU, RA sends Local Binding ACK (LBACK) toMC, and the remaining procedures are as in HMIPv6.

3.5. Secure route optimization

SUMNv6 does not assume any security association between CNand MC. The security is such that SUMNv6 does not add any newsecurity threats to the Internet and provides security at least thatof IPv4 without mobility. SUMNv6 does not require global infra-structure but it provides security better than that provided bythe existing methods such as RR test and CGA. The detailed proce-dure is given below.

Once MC completes the binding update with home RA and For-eign RA successfully, all the three entities believe each other andcan establish pair-wise shared keys with each other using (1). Withthe help of the pair-wise shared keys they can communicate usingRR test messages such as HOTI, COTI, HOT, COT, BU and BA. Themessages used are listed in Table 5 and the definitions are as givenin [3].

The secure RR test message exchanges are depicted in Fig. 3. Allthe RO message exchanges between RA1, RA2 and MC are en-crypted using the respective pair-wise shared keys. This avoidspassive eavesdropping and consequent active attacks on RO pro-cess. MC sends encrypted N0 in HOTI message to home RA and en-crypted N1 in COTI message to foreign RA with the respectiveshared keys. Therefore only the respective RA is aware of N0 orN1. Similarly RA1 sends HOT message to MC after encrypting itwith the shared key and RA2 sends COT message to MC afterencrypting with its shared key. Therefore only authorized MCwhich has shared keys with both RA1 and RA2 can get back thecontents of the HOT and COT messages and can compute Kbm. Thisprocess avoids most common internal attacks such as impersona-tion, fabrication, and replay attacks on SUMNv6. Hierarchical ad-dress structure avoids most of the attacks by external node onSUMNv6. Since SUMNv6 RO security is based on basic RR test, itinherits security against most common MIPv6 attacks such as con-nection hijacking attack, bombing attack, state storage exhaustionattack, CPU exhaustion attack, reflection and amplification attack.

ations used in secure route optimization

Correspondent nodeReturn Routability testRoute OptimizationCryptographically generated addressesHome test initCare-of test initHome testCare-of testA Nonce called Home init cookieA Nonce called Care-of init cookieHome Keygen tokenCare-of Keygen tokenBinding management key

4. Security analysis

4.1. Urban mesh network security

All the entities involved in the SUMNv6 have to obtain ID, IP ad-dress, and public-private key pair from the operator before enter-ing the network. A node’s identity contains information aboutRA, operator, expiry time, and is cryptographically bonded withpublic-private key pair. Therefore, any entity can verify the authen-ticity of a node in question by checking expiry time and signature.MIPv6 or its extensions do not have this kind of security check,therefore give room for attacks. SUMNv6 LCoA address is hierarchi-cal in nature and is location dependent. An MC’s LCoA is verifiedagainst its present location (or network link that is presently asso-ciated with) by the LA through which MC wants to send bindingupdate to RA. Therefore, an MC cannot configure its LCoA withan impersonated address and cannot do any attacks.

The secure registration process adopted in the protocol pro-motes mutual authentication of LA, MC and RA. All the registrationmessages contain: i) sequence number to avoid replay attacks; ii)signature to protect the message from modification attacks andto ensure that the message is originated by an authorized party.Registration process builds trust among LA, MC and RA and ensuresthat they are communicating with authorized party and not withany fraudulent node. This process also helps to setup pair-wiseshared keys among themselves, for their future secure communica-tions. SUMNv6 ensures secure communications among the homeRA, foreign RA and MC with the help of either IBC or pair-wiseshared keys. Extended RR test exploits this to eliminate weak linkbetween MC and CN.

4.2. RO security

RO security is the most challenging task to achieve because arandom CN should believe that the binding between HoA and RCoAis correct. Since global infrastructure is either difficult to achieve orcomputationally expensive, SUMNv6 prefers infrastructure-lesssolution. In SUMNv6 the RO security is built upon RR test men-tioned in MIPv6 RFC. Therefore a random CN cannot distinguishbetween SUMNv6 node and a MIPv6 node. But the important dif-ference is that SUMNv6 uses foreign RA’s services also in additionto Home RA’s services during RR test. MIPv6 communicates RR testmessages in plain text thus gives attackers a chance to eavesdropon to the radio link between RA-MC and to carryout impersona-tion, fabrication and replay attacks. In SUMNv6, RR test messagesare sent after encryption with the shared key of the respectiveMC-RA pair. Thus eliminates the weak link between MC and RA.

Table 6Notations used in cost analysis

Entity Representation


5. Estimation of cost and analysis

In this section we estimate the cost of location update with RAand with HA based on the transmission costs on different radiolinks and processing costs at different nodes that various controlpackets experience during each location update. Then using ananalytic model, we find out: (i) probability that a MC performs re-gional registration; (ii) probability that it performs home registra-tion. Based on the estimated costs and probabilities we comparethe performance of SUMNv6 with HMIPv6. In this analysis we as-sume that HMIPv6 control packets are protected using IPSec withRSA cryptosystem. This analysis does not consider fast binding up-date in order to simplify the analysis. Also assumes no security forRR test messages and data packets in SUMNv6 in order to evaluatethe systems on similar security grounds.

5.1. Analytical model

In this subsection we describe an analytical model based on a2D cellular configuration [26] for the WMN and random walk mod-el for mobility. We make the following assumptions: (i) each sub-net that is managed by an LA is in the form of hexagonal cell; (ii)each regional domain that is managed by a RA contains hexagonalcells, with the structure as shown in the Fig. 4. The inner most cellis labeled with ‘0’ and the cell labeled with ‘1’ forms the first ringaround cell ‘0’ and so on; and, (iii) All the regional domains areof same size.

Let q be the probability that a MC stays in the current cell, thenusing random walk mobility model [26], the probability thatmovement of the MC will result in increasing distance r (pþðrÞ)or decreasing distance (p�ðrÞ) from cell ‘0’ are given by:

pþðrÞ ¼ 13þ 1

6rand p�ðrÞ ¼ 1

3� 1

6rð16Þ

The movement of the MC with respect to cell ‘0’ can be representedas a Markovian chain. Let ar;rþ1 represents the transition probabilitythat the movement will result in increasing distance from cell ‘0’and br;r�1 represents the transition probability that the movementwill result in decreasing distance from cell ‘0’. Assuming a regionaldomain of R rings, the transition probabilities are given by:

ar;rþ1 ¼ð1� qÞ if r ¼ 0ð1� qÞð13þ 1

6rÞ if 1 6 r 6 R

(ð17Þ

br;r�1 ¼ ð1� qÞð13� 16rÞ if 1 6 r 6 R ð18Þ

3

0

11

11

1

1

22

2

2

22

22

2

2

22

33

33

3

3

33

33

33

3

3

3

33

3

44

44

44

4

4

4

4

44

44

44

44

44

4

4

4

4

5

5

5

55

5

5

5

55

5

5

5

5

5

55

55 5

5

55

5

5

5

5

5

55

3

0

11

11

1

1

22

2

2

22

22

2

2

22

33

33

3

3

33

33

33

3

3

3

33

3

44

44

44

4

4

4

4

44

44

44

44

44

4

4

4

4

5

5

5

55

5

5

5

55

5

5

5

5

5

55

55 5

5

55

5

5

5

5

5

55

Fig. 4. Cellular representation of SUMNv6.

Using the above transition probabilities, the steady state probabilityof state r, pr , can be expressed as:

pr ¼ p0

Yr�1

i¼0

ai;iþ1

biþ1;ifor 1 6 r 6 R ð19Þ

with the requirementPR

r¼0 ¼ 1, and p0 can be expressed as

p0 ¼1

1þPR

r¼1

Qr�1i¼0

ai;iþ1biþ1;i

ð20Þ

Let CxUr , Cx

Uh and CxRO represent costs for regional location update (lo-

cal binding update), home location update (global binding update)and Route Optimization, respectively. Here, the superscript x repre-sents either HMIPv6 or SUMNv6. The average location update costper unit time can be expressed as [28]:

CxLU ¼

pR:aR;Rþ1:ðCxUh þ Cx

ROÞ þ ð1� pRaR;Rþ1ÞCxUr

Tð21Þ

where T represents the average cell residence time that MC stays ina cell.

5.2. Location update cost

In this subsection we compute the cost overhead for SUMNv6and HMIPv6 systems. Table 6 depicts the notations and symbolsused in this cost analysis, and similar to those in [23].

5.2.1. HMIPv6 location update costThe message flow illustrated in Fig. 2 is considered for estimat-

ing the transmission and processing cost for each location update.This analysis follows the notations given in [23].

HMIPv6 control packet includes the basic IPv6 header(40 bytes),some of the optional IPv6 extension headers and IPSec securitypayload. The length of BU, BA, HOTI, COTI, COT without securitypayload are, respectively 72, 64, 56, 64, 56, and 64 Bytes [25].Therefore for the sake of simplicity the average control packet sizeof HMIPv6 without security payload is taken as 128 bytes. The pro-portionality constant for transmission cost for the control packet of128 bytes over WMN backbone wireless link (e.g., 802.16 radio

RA rLA lMC mHA hNLA nPLA pCN c

Symbol Meaning

dxy Average distance (in hops) between entity x and entity yax Processing cost of control packet at entity xdU Proportionality constant for control packet deliverydD Transmission cost for data packet deliverynx

y Average number of entity y in entity x’s coverage areavx Data packet processing cost at entity xka Data packet arrival rate at foreign RAkb Arrival rate of first packet in a session at HAg Data Packet processing cost at HA�I Cost for IBC signature verificationwI Cost for IBC signature generation�S Cost for RSA signature verificationwS Cost for RSA signature generationq Proportionality constant for MC-LA wireless linkc Cost for MIC computations Cost for IBC pairing computationu Cost for shared key encryption/decryption


link) is denoted by dU . IPSec with RSA cryptosystem requires about745 bytes additional overhead to carry certificate and signature[27]. Then the average control packet with security payload be-comes 873 bytes. This makes the proportionality constant fortransmission cost to carry the HMIPv6 control packet with securitypayload seven times that of HMIPv6 control packet without secu-rity. Therefore the proportionality constant for transmission costof control packet in HMIPv6 with security is set to 7dU .

IPSec security with RSA uses digital signatures to protect thepackets. It requires five signature verification and four signaturegeneration operations during regional registration. It requires tensignature verifications and seven signature generation operationsduring home registration.

Thus costs for location update with HA (termed as home regis-tration cost) and location update with RA (termed as regional reg-istration cost) for each location update in HMIPv6 are given asfollows:

CHMIPv6Uh ¼ 2al þ 2ar þ ah þ 2ðqþ drl þ dhrÞð7dUÞþ

10�S þ 7wS

ð22Þ

CHMIPv6Ur ¼ 2al þ ar þ 2ðqþ drlÞð7dUÞ þ 5�S þ 4wS ð23Þ

5.2.2. SUMNv6 location update costIBC uses about 64 bytes additional overhead to carry sequence

number, identity, and signature/MIC making the average controlpacket size in SUMNv6 (128 + 64) as 192 bytes, which is 1.5 timesthat of HMIPv6 control packet without security. Therefore the pro-portionality constant for transmission cost in SUMNv6 is set to1.5dU . Also, SUMNv6 has security process overhead in addition tothe normal process at each node. Due to the different crypto-graphic operations, the processing cost at each node during regis-tration request and reply phases are not the same. SUMNv6requires two signature verifications, one signature generation,two pairing computations to compute shared keys and six MICoperations during regional registration. We assume that the sharedkey between MC and HA is precomputed. SUMNv6 requires threesignature verifications, one signature generation and twelve MICoperations during home registration. Thus for SUMNv6 the homeregistration cost and the regional registration cost for each locationupdate are given below:

CSUMNv6Uh ¼ 2al þ 2ar þ ah þ 2ðqþ drl þ dhrÞð1:5dUÞ

þ3�þ wþ 2sþ 12cð24Þ

CSUMNv6Ur ¼ 2al þ ar þ 2ðqþ drlÞð1:5dUÞ þ 2�þ wþ 2sþ 6c ð25Þ

5.3. Packet delivery cost

Let nlm be average number of MC’s in a LA’s coverage area, np

m

be the average number of MC’s in a RA’s coverage area, and npl

be the number of LAs in a RA’s coverage area. Then they are re-lated by

npm ¼ np

l nlm ð26Þ

Table 7Cost parameters

Parameter al ap ah ac am q

Value 10 5 5 5 5 10

Parameter �S wS �I wI s a

Value 0.4 7.9 2.22 45.8 20 0.3

The packet delivery cost comprises three cost components: (i) thepacket processing cost at foreign RA; (ii) the packet processing costat HA; and, (iii) the packet transmission cost from CN to MC. The to-tal packet processing cost in HMIPv6 can be expressed as:

CHMIPv6PD ¼ vp þ vh þ ðdcp þ dplÞdD ð27Þ

The packet processing cost at RA, i.e., vp has the following compo-nents: (i) cost for lookup into table for mapping of RCoA into LCoA;and (ii) cost for lookup in the routing table for routing the packet tothe concerned LA. Route Optimization process allows CN to send thepackets directly to MC without passing through HA. But the firstpacket from CN should tunnel through HA. Then the packet process-ing cost at RA includes de-capsulation and en-capsulation costs ofthe tunneled packet from HA. These costs are neglected for the sakeof simplicity of analysis. The cost for lookup into (RCoA, LCoA) map-ping table is proportional to the size of mapping table. The size ofmapping table is proportional to the number of MCs in the regionaldomain. The cost for lookup into routing table is proportional to thelogarithm of the length of the routing table [23] which is equal to thenumber of LAs in the regional domain. Let ka be the packet arrivalrate at RA, the packet processing cost at RA can be expressed as:

vp ¼ kaðanpm þ blogðnp

l ÞÞ ð28Þ

where a and b are the proportionality constants for binding tablelookup and routing table lookup, respectively. The packet process-ing at HA is proportional to the arrival rate of first packet in the ses-sion and is given as follows:

vh ¼ kbg ð29Þ

where kb is the session arrival rate and g is the unit packet process-ing cost at HA. Assuming that the average session size is r packets,kb is ka

r .Substituting (28) and (29) in (27), the total packet processing

cost per unit time is given by

CHMIPv6PD ¼ kaðanp

m þ blogðnpl ÞÞ þ kbgþ ðdcp þ dplÞdD ð30Þ

Since this analysis assumes that SUMNv6 data packets are notencrypted, the above packet processing cost calculations hold forSUMNv6 also. Therefore the total signaling cost for HMIPv6/SUMNv6 is given by:

CxT ¼ Cx

LU þ CxPD ð31Þ

Here, the superscript x represents either HMIPv6 or SUMNv6.

5.4. Numerical results and discussion

The computation times on a node with 1 GHz, Pentium-III pro-cessor are considered for numerical values. We use the followingvalues from [20]: RSA signature generation and verification timesof 7.9 ms and 0.4 ms, respectively; and, pairing computation forshared key generation of 20 ms. AES encryption/decryption timefor 128 Byte data is about 8.4 ls and SHA-1 takes 5.73 ls [21].

A 100-Kbps average data rate is assumed over the wireless linkbetween MC and LA, and 1-Mbps average data rate over wireless linkbetween LA and RA and between RAs. With 128 byte control packet(without security), the average transmission delay over MC-LA wire-

dpl dhp dhc dpc dU dD

5 32 32 32 1 8

b npm g q kb c

0.7 15 10 0.5 kar 0.00573

Table 8Numerical results

Cost parameter CHMIPv6Uh CSUMNv6

Uh CHMIPv6RO CHMIPv6

Ur CSUMNv6Ur CSUMNv6

RO

Value 752.3 268.53 476 268.6 160.27 476

10–1

100

101

3000

3500

4000

4500

5000

5500

6000

6500

Average cell residence time

Tot

al s

igna

ling

cost

HMIPv6SUMNv6

Fig. 5. Effect of cell residence time (T).

10–1

100

101

500

1000

1500

2000

2500

3000

3500

Packet arrival rate

Tot

al s

ignl

ing

cost

HMIPv6SUMNv6

Fig. 6. Effect of packet arrival rate.

10–1

100

101

102

103

0

2000

4000

6000

8000

10000

12000

Packet–to–mobility ratio, PMR

Tot

al s

igna

ling

cost

HMIPv6SUMNv6

Fig. 7. Effect of packet-to-mobility ratio (PMR) on total signaling cost.


less link is 10.24 ms, and over LA-RA and RA-RA wireless link it is1 ms. Therefore dU becomes 1 ms. Assuming the average data packetsize of 1KByte, the transmission cost for data packet delivery dD is8 ms. The parameter values are given in Table 7, and the correspond-ing numerical results are tabulated in Table 8.

From the numerical results presented in Table 8, the home reg-istration cost and regional registration costs for SUMNv6 arerespectively 35% and 60% of that of HMIPv6. From this we infer thatIBC based cryptosystem reduces the cost overhead drastically thanthe conventional IPSec with RSA cryptosystem.

Next, we compare the performance of SUMNv6 with HMIPv6 onthe basis of total signaling cost at varying: (i) average data packetarrival rate; (ii) average cell residence time,T; and, (i) Packet-to-Mobility Ratio (PMR); PMR is defined as the ratio of packet arrivalrate to mobility rate, i.e., PMR is kaT . In all these cases regional net-work size (R) of 4 is considered.

5.4.1. The impact of average cell residence timeIn this analysis the packet arrival rate (ka) of 10 packets/s is con-

sidered. Fig. 5 shows the effect of cell residence time (T) on totalsignaling cost for HMIPv6 and SUMNv6 systems. From the figurewe observe that, SUMNv6 has the lower total signaling cost thanHMIPv6 at lower values of cell residence time and both are con-verging to some minimal value as the cell residence time increases.This is because of the fact that, as the cell residence time increasesthe location update cost per unit time decreases. As a result thepacket delivery cost dominates location update cost.

5.4.2. The impact of average packet arrival rateThe cell residence time (T) of 1 U of time, and packet arrival

rate ka=[0.1 10] packets/s are considered for analysis. Fig. 6shows the impact of packet arrival rate on HMIPv6 and SUMNv6.Again, SUMNv6 shows a clear advantage in cost overhead thanHMIPv6 for all values of packet arrival rate. Since cell residencetime is fixed, at lower packet arrival rates the location updatecost dominates the total cost. At higher packet arrival rates,the curves converged each other because of the fact that, the to-tal cost is influenced by packet arrival rate alone. But the total

cost in all cases are increasing monotonically with increase inpacket arrival rate.

5.4.3. The impact of packet-to-mobility ratioFig. 7 shows the total signaling cost as a function of PMR for

SUMNv6 and HMIPv6. Packet arrival rate, ka = [1-40] packets/s, cellresidence time, T = [0.1–20] are considered for the analysis. Fromthe figure we can observe that, at lower values of PMR there is alarge deviation in the total signaling costs and the curves are co-insiding each other as the PMR increases. This is because of the factthat at lower PMR values either cell residence time is low or packetarrival rate is low, then the location update cost per unit time dom-inates packet delivery cost and when PMR is high (either user res-idence time in a cell (T) is large or packet arrival rate is high) thenpacket delivery cost dominates location update cost for all the sys-tems. At certain range of (medium) PMR values the performance ofthe system is observed as optimum with lowest total signaling cost.

6. Conclusion

Secure WMN with fast handover mechanisms is required for fu-ture WMN. In this paper we proposed SUMNv6 that addresses both


security and fast handover, and also secure RO process for WMN.MIPv6 and its extensions have no integrated framework for key dis-tribution mechanism, and have weak MC-RA link. SUMNv6 gives acomprehensive solution addressing key distribution, fast handover,and mutual authentication of MC, RA (home) and RA (foreign). Itadopts secure RR test to eliminate weak link between MC and RA(foreign). From the numerical results, it is clear that SUMNv6 incursonly 35% and 60% cost overhead of that of HMIPv6 per each homeregistration and regional registration process respectively. The per-formance graphs show that SUMNv6 outperforms HMIPv6 at lowervalues of PMR, packet arrival rate, cell resident times, but at heighervalues these curves are converging each other, because of the dom-ination of packet processing cost over location update cost at hei-gher vaues. SUMNv6 is discussed for single operator WMN. It canbe extended to multiple operators as well.

References

[1] I.F. Akyildiz, X. Wang, W. Wang, Wireless Mesh Networks: a survey, ComputerNetworks 47 (4) (2005) 445–487.

[2] C. Perkins, IP Mobility Support for IPv4, IETF, RFC 3220.[3] D. Johnson, C. Perkins, J. Arkko, Mobility Support in IPv6, IETF, RFC 3775.[4] H. Soliman, C. Castelluccia, K. Malki, L. Bellier, Hierarchical Mobile IPv6

mobility management (HMIPv6), IETF, RFC 4140.[5] R. Koodli(Ed), Fast Handovers for Mobile IPv6, IETF, RFC 4068.[6] H.Y. Jung, S.J. Koh, Fast Handover Support in Hierarchical Mobile IPv6, in:

proceedings of the 6th International conference on Advanced CommunicationTechnology 2 (2004) 551-554.

[7] G.Z. Wei, A. Wei, K. Xu, H. Deng, Handover Control Function Based Handoverfor Mobile IPv6, Proceedings of ICCS, vol. 3994, LNCS, 2006, pp. 17–24.

[8] N. Doraswamy, D. Harkins, IPSec: The New Security Standard for the Internet,Intranets, and Virtual Private Networks, Prentice Hall PTR, 2003.

[9] R. Dutta, R. Barua, P. Sarkar, Pairing-Based Cryptographic Protocols: A Survey,Cryptology ePrint Archive, 2004.

[10] A. Shamir, Identity-based cryptosystems and signature schemes, in:Proceedings of CRYPTO 84 on Advances in Cryptography, (1985) (47-53).

[11] D. Boneh, B. Lynn, H. Shacham, Short Signatures from the Weil Pairing, Journalof Cryptology 17 (4) (2004) 297–319.

[12] D. Boneh, M.K. Franklin, Identity-based encryption from the Weil pairing, SIAMJournal on Computing 32 (3) (2003) 586–615.

[13] K. Ren, W. Lou, K. Zeng, F. Bao, J. Zhou, R. Deng, Routing Optimization Securityin Mobile IPv6, Computer Networks 50 (13) (2006) 2401–2419.

[14] T. Aura, Cryptographically generated addresses (CGA), IETF, RFC 3972.[15] T. Aura, Mobile IPv6 security, in: Proceedings of the Security Protocols, LNCS,

2467 (2002).[16] T. Aura, M. Roe, Designing the IPv6 Security Protocol, Annals of

Telecommunications 61 (3-4) (2006).[17] K. Elgoarany, M. Eltoweissy, Security in Mobile Ipv6:A Survey, Information

Security Tech. Report, 12(1) (2007) 32-43.[20] S.L. Paulo, M. Barreto, et al., Efficient Implementation of Pairing-Based

Cryptosystems, Journal of Cryptoplogy (2004) 321–334.[21] Botan-a BSD licensed crypto library-benchmarks, available at <http://

botan.randombit.net/bmarks.html>.[22] W. Haddad, S. Krishnan, H. Soliman, Using Cryptographically Generated

Addresses (CGA) to secure HMIPv6 Protocol (HMIPv6sec), Internet draft,available at <http://tools.ietf.org/html/draft-haddad-mipshop-hmipv6-security-06>, August 2006.

[23] J. Xie and I.F. Akyildiz, A distributed dynamic regional location managementscheme for Mobile IP, in: Proceedings of IEEE INFOCOM (2002).

[25] J. Arkko, and C. Vogt, ‘‘Credit-Based Authorization for Binding LifetimeExtension, Internet draft <http://tools.ietf.org/html/draft-arkko-mipv6-binding-lifetime-extension-00>, May 2004.

[26] I.F. Akyildiz, W. Wang, A dynamic location management scheme for nextgeneration multitier PCS systems, IEEE Transactions on WirelessCommunications 1 (1) (2002) 178–189.

[27] R. Housley, W. Polk, W. Ford, and D. Solo, ‘‘ Internet X.509 Public KeyInfrastructure Certificate and Certificate Revocation List (CRL) Profile, RFC3280, 2002.

[28] S. Pack, and Y. Choi, ‘‘Performance Analysis of Hierarchical Mobile IPv6 in IP-based cellular Networks, in Proceedings of PIMRC 2003, 2003.

http://botan.randombit.net/bmarks.html

http://botan.randombit.net/bmarks.html

http://tools.ietf.org/html/draft-haddad-mipshop-hmipv6-security-06

http://tools.ietf.org/html/draft-haddad-mipshop-hmipv6-security-06

http://tools.ietf.org/html/draft-arkko-mipv6-binding-lifetime-extension-00

http://tools.ietf.org/html/draft-arkko-mipv6-binding-lifetime-extension-00

A Secure IPv6-based Urban Wireless Mesh Network (SUMNv6)

Documents

Transcript of A Secure IPv6-based Urban Wireless Mesh Network (SUMNv6)