
Page 1: DNS Name Service based on Secure Multicast DNS for IPv6 Mobile Ad-hoc Network

Jaehoon Jeong, ETRI, paul@etri.re.kr
http://www.adhoc.6ants.net/~paul/
ICACT 2004

Page 2: Contents

- Introduction
- Related Work
- Name Service within IPv6 MANET
- Scenario of Name Service within MANET
- Authentication of DNS Message
- Procedure of Secure DNS Name Resolution
- Testbed for IPv6 MANET
- Conclusion

Page 3: Introduction

Name Service in Mobile Ad-hoc Network (MANET)
- A MANET has a dynamic network topology.
- The current DNS cannot be adopted in a MANET, because it needs a fixed and well-known name server.

Idea of Name Service in MANET
- All the mobile nodes take part in the name service.
- Every mobile node administers its own name information and responds to other nodes' DNS queries about its domain name and IP address.

Page 4: Related Work (1/2): Link-Local Multicast Name Resolution (LLMNR)

- DNS service based on IP multicast in a link-local scoped network; an IETF DNSEXT working group item.
- Each node performs the role of DNS name server for its own domain name.

Message exchange between an LLMNR Sender and an LLMNR Responder:
1. LLMNR query message (What is the IPv6 address of "host.private.local."?), sent in link-local multicast.
2. LLMNR response message (IPv6 address of "host.private.local."), sent in link-local unicast.
3. Verification of the LLMNR response by the Sender:
   - Does the value of the response conform to the addressing requirements?
   - Is the hop limit of the IPv6 header 1?
4. If the result is valid, the Sender caches the response and passes it to the application that initiated the DNS query; otherwise the Sender ignores the response and continues to wait for other responses.

Page 5: Related Work (2/2): Autoconfiguration Technology

[Figure: autoconfiguration technologies for a MANET, grouped as follows]
- IP Interface Configuration
- Name Service
  - Translation between host name and IP address
  - Generation of unique domain name
- IP Multicast Address Allocation
- Service Discovery
  - Unicast Service
  - Multicast Service

Page 6: Ad-hoc Name Service System for IPv6 MANET (ANS)

ANS provides Name Service in MANET
- MANET DNS Domain: ADHOC.
- MANET IPv6 Prefix: IPv6 site-local prefix FEC0:0:0:0::/64

Architecture of ANS System
- ANS Responder: performs the role of DNS Name Server
- ANS Resolver: performs the role of DNS Resolver

Page 7: ANS System (1/2)

[Figure: ANS architecture on Mobile Nodes A, B and C connected by a wireless link. Each node runs an ANS Resolver process and an ANS Responder process with an ANS Zone DB; applications talk to the ANS Resolver over a UNIX datagram socket, the ANS Responder reads and writes the ANS Zone DB in memory, and DNS Query and DNS Response messages are exchanged between nodes over the wireless link.]

Page 8: ANS System (2/2)

[Figure: internal structure of the ANS processes]
- ANS Responder process: Main-Thread and DUR-Thread, with memory read/write access to the ANS Zone DB.
- ANS Resolver process: Main-Thread, Resolv-Thread and Timer-Thread, with memory read/write access to the ANS Cache.
- An Application uses the ANS API to send a DNS Query to, and receive a DNS Response from, the ANS Resolver over a UNIX datagram socket.
- DNS Query / DNS Response messages between the ANS Resolver and the ANS Responder travel over UDP socket connections; threads within a process communicate over internal connections.

Page 9: Name Service in ANS

- Zone File Generation: generates the ANS zone file with the mobile node's DNS name and corresponding IPv6 address
- Name Resolution: performs the name-to-address translation
- Service Discovery: performs service discovery through the DNS SRV resource record, which indicates the location of the server or the multicast address of the service

Page 10: Scenario of Name Service within MANET

[Figure: message sequence among MN-A, MN-B and MN-C]
1. An application on MN-A requests host DNS name resolution for MN-C.ADHOC.
2. MN-A sends the DNS Query Message (MN-C.ADHOC.) in multicast; MN-B and MN-C receive it.
3. MN-C receives and processes the DNS Query Message and sends the DNS Response Message (MN-C's IPv6 address) in unicast.
4. MN-A gains the DNS information and tries to connect to the server on MN-C.
5. The server on MN-C accepts the connection request from MN-A.

Page 11: Authentication of DNS Message

Why is authentication of DNS messages necessary?
- To prevent an attacker from supplying a DNS querier with a wrong DNS response

How to authenticate DNS messages?
- IPsec ESP with a null transform
- Secret key transaction authentication for DNS, called TSIG [RFC2845]

Our Scheme of Authentication
- TSIG message authentication where the trusted nodes share a group secret key for authenticating DNS messages.

Page 12: DNS Message Format

Header Section: DNS message header
Question Section: question for the name server
Answer Section: resource records answering the question (e.g., AAAA RR)
Authority Section: resource records pointing toward an authority
Additional Section: resource records holding additional information (e.g., TSIG RR)

Page 13: Procedure of Secure DNS Resolution

Between Mobile Node A (MN-A.ADHOC.) and Mobile Node C (MN-C.ADHOC.):
1. DNS Query (What is the IPv6 address of "MN-C.ADHOC."?) via site-local multicast and UDP
2. DNS Response (IPv6 address of "MN-C.ADHOC.") via site-local unicast and UDP
3. Verification of the DNS Response by MN-A:
   - Does the source address of the response conform to the ad hoc addressing requirements?
   - Is the TSIG resource record valid?
4. If the Response is valid, the ANS Resolver delivers the result to the application program; otherwise the ANS Resolver sends the DNS Query again and waits for another DNS Response, up to the allowed number of retries.
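Added example (not code from the paper or the ANS implementation): a resolver-side check in Python that mirrors the two verification steps above, plus the signing step on the responder side. The MANET prefix FEC0::/64 and the group-key scheme come from the slides; the group secret, the AAAA response contents and the simplified trailer (time signed, fudge and HMAC-MD5 appended to the message instead of a full TSIG resource record) are assumptions made for the example.

```python
import hmac, hashlib, struct, ipaddress

# From the slides: MANET prefix FEC0:0:0:0::/64 and the ADHOC. domain.
# The group secret is a constructed sample value, not a key from the paper.
MANET_PREFIX = ipaddress.IPv6Network("fec0::/64")
GROUP_KEY = b"constructed-group-secret"
MAC_LEN = hashlib.md5().digest_size        # HMAC-MD5, the algorithm of RFC 2845
TRAILER_LEN = 6 + 2 + MAC_LEN             # time signed (48 bits) + fudge + MAC

def encode_name(name):
    """DNS wire-format name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").encode().split(b".")
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_aaaa_response(qid, name, addr):
    """Constructed AAAA response: header (QR=1, AA=1), the question and one answer RR."""
    hdr = struct.pack("!HHHHHH", qid, 0x8400, 1, 1, 0, 0)
    question = encode_name(name) + struct.pack("!HH", 28, 1)            # QTYPE AAAA, QCLASS IN
    rdata = ipaddress.IPv6Address(addr).packed
    answer = encode_name(name) + struct.pack("!HHIH", 28, 1, 60, len(rdata)) + rdata
    return hdr + question + answer

def tsig_mac(msg, key, time_signed, fudge):
    """Simplified TSIG-style MAC: HMAC-MD5 over the unsigned message and the time variables.
    RFC 2845 additionally covers the key name, algorithm name, class, TTL and error fields."""
    data = msg + time_signed.to_bytes(6, "big") + struct.pack("!H", fudge)
    return hmac.new(key, data, hashlib.md5).digest()

def sign_response(msg, key, time_signed, fudge=300):
    """ANS Responder side: append time signed, fudge and MAC (stand-in for the TSIG RR)."""
    trailer = time_signed.to_bytes(6, "big") + struct.pack("!H", fudge)
    return msg + trailer + tsig_mac(msg, key, time_signed, fudge)

def verify_response(packet, src_addr, key, now):
    """ANS Resolver side: the two checks of the procedure. Returns (ok, reason)."""
    if ipaddress.IPv6Address(src_addr) not in MANET_PREFIX:
        return False, "source address outside the MANET prefix"
    if len(packet) < TRAILER_LEN:
        return False, "no TSIG trailer"
    msg, trailer = packet[:-TRAILER_LEN], packet[-TRAILER_LEN:]
    time_signed = int.from_bytes(trailer[:6], "big")
    fudge = struct.unpack("!H", trailer[6:8])[0]
    if not hmac.compare_digest(trailer[8:], tsig_mac(msg, key, time_signed, fudge)):
        return False, "TSIG MAC mismatch"
    if abs(now - time_signed) > fudge:      # replay window, part of TSIG validity in RFC 2845
        return False, "TSIG time outside fudge window"
    return True, "ok"
```

A response that fails either check is discarded, which is the branch in which the ANS Resolver resends the DNS Query.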

Page 14: Testbed for IPv6 MANET

- We used IPv6 MAODV as the ad hoc multicast routing protocol.
- For testing multi-hop network configurations, we control the Tx and Rx power of the IEEE 802.11b NIC and use MAC filtering to filter out packets from other links.
- We implemented a Wireless Mobile Router based on embedded Linux for testing ad hoc routing protocols and other applications.

Page 15: Experiment of Secure Multicast DNS in MANET Testbed

[Figure: MANET testbed of IPv6 Wireless Mobile Routers WR1, WR2 and WR3 and mobile nodes MN1 and MN2, used for the test of secure multicast DNS]

Page 16: Conclusion

ANS (Ad-hoc Name Service System for IPv6 MANET)
- A new name service scheme based on multicast in IPv6 MANET, providing secure name resolution

Name Service of ANS
- Automatic zone file generation
- Name-to-address translation
- Service discovery
- DNS message authentication based on TSIG

Future Work
- We will enhance the secure multicast DNS, ANS, in the aspect of performance, considering MANET's characteristics, such as caching of DNS information and reduction of broadcast DNS query messages.