Secure and Efficient IP Mobility Support for Aeronautical Communications

Kurzfassung

A survey of NEMO route optimization protocols has been conducted, with the result that a correspondent router based approach, where a tunnel for traffic forwarding is established between a mobile router and a correspondent router, is the most adequate approach for the safety related aeronautical communications environment. This protocol provides several benefits, which are (1) a short end-to-end communications delay, (2) an optimized route to several correspondent nodes provided by a single correspondent router simultaneously and (3) transparency to the end-systems in the mobile network and on the ground. The correspondent router does not suffer from a single point of failure problem either – the failure of a correspondent router only affects correspondent nodes located within the same correspondent network. Communication with correspondent nodes located in other networks, served by different correspondent routers, is still possible. This is not the case for the basic NEMO protocol, where routing from and to the mobile router is not possible anymore in case of home agent failures. Within this thesis, security deficiencies have been identified for the original correspondent router protocol that prevent its usage within a safety related communications environment. Also, the original protocol requires a reachable home agent for establishing the direct routing path to the correspondent router. An improved correspondent router protocol – SeNERO – was therefore defined that provides the advantages of increased security, reduced handover delay and reduced signaling overhead. Furthermore, the new protocol does not rely on a home agent anymore, that has to be considered being a single point of failure. SeNERO is unique in offering all these properties, which is not the case for the related work. The authentication method used within SeNERO relies on X.509 certificates that authenticate the IP address prefixes of mobile router and correspondent router. Asymmetric cryptography is therefore used within the initial authentication. In subsequent authentications, only symmetric cryptography is used, based on a session key established between mobile router and correspondent router. For the security evaluation, a threat model was specified to support a detailed security analysis of mobility/route optimization protocols. Based on this model, it was shown that the new protocol resolves the mobile network prefix and correspondent router prefix hijacking attacks that were identified for the original correspondent router protocol. A performance improvement was shown for the handover latency and signaling overhead when comparing SeNERO to the original correspondent router protocol. For the handover latency, the analytical results showed a latency improvement of 9–50% for SeNERO, depending on the scenario. The same holds for the simulation results with an improvement in the range of 12%–51%. These results were also confirmed by the test-bed based evaluation that showed an improvement of 13–51%. Additional simulations were performed using the aeronautical wireless link technology L-DACS 1. This allowed to study the impact of a varying radio cell load upon the handover latency. More detailed, the three investigated scenarios covered the range from small to medium up to overload traffic situations. It was shown that SeNERO performs better throughout all scenarios, although the performance improvement decreases with an increased radio cell load. While a 81% improvement can be achieved in a situation with a small radio cell load, this performance advantage decreases to 58% and 32% for the medium and overload scenarios. A reduced handover latency is important for safety related communications, as a shorter latency decreases the number of packets dropped during a handover. The signaling overhead of the original correspondent router protocol, while initially small, was shown to increase over time due to periodic signaling. SeNERO has a high initial overhead that remains constant over time. It was shown that the new protocol is more bandwidth efficient if an optimized path between a mobile router and correspondent router has to be kept alive for more than 20 minutes. As this is usually the case for ATS communications, the new protocol can be considered being more bandwidth efficient within the aeronautical setting. SeNERO resolves the single point of failure represented by the home agent by using certificates instead of signaling message exchanges via the home agent for prefix authentication. This requires a public key infrastructure with a certificate authority (trust anchor) that is authoritative for IP prefix assignments and trusted by both mobile router and correspondent router. This would constitute another single point of failure. In addition, this approach would not reflect the air traffic control communications environment, where the decision on who can receive a certificate and authenticate within a country or region should be subject to the decision of said country or region. This issue has been resolved by the X.509 identity certificate extension defined within this thesis. It introduces a distributed architecture that replaces the single global trust anchor with a distributed set of local trust anchors. Such a local trust anchor should be operated by each country or region where an aircraft has to perform authentication operations. An extended identity certificate contains several properties (such as the identity and an IP address prefix) assigned by different certificate authorities. Signatures generated by these authorities bind the properties to the public key of the certificate holder. Certificate authorities located within the correspondent networks, so called local certificate authorities, issue and sign the these certificates containing the assigned properties. Verifiers within the same network/trust domain as the local certificate authority can then validate a certificate issued by a local certificate authority based on the signature and revocation information provided by the local certificate authority only. No inter-domain operations with any other certificate authority are therefore necessary for the verifier at runtime. When used with SeNERO, a correspondent router can verify a mobile router’s certificate by only relying on the certificate authority that is located within the correspondent router’s network domain. The same holds for the verification of the correspondent router’s certificate by the mobile router. During the preconfiguration (pre-flight) phase, the aircraft (mobile router) only has to verify the validity of the certificate of the correspondent router’s local certificate authority and its delegation certificates. When performing route optimization signaling, the mobile router can verify the correspondent router certificate by relying on the correspondent router’s local certificate authority only. An illustration for this is provided in Figure 9.1. This distributed architecture eliminates the single point of failure problem that is present for other approaches. The non-availability of a local certificate authority only prevents authentication operations within the domain represented by this certificate authority, but does not affect other domains. An additional advantage of the extended certificate model is that the mobile router can only authenticate to the correspondent router with a certificate signed and issued by the correspondent router’s local certificate authority. The correspondent router does not have to use any trust anchors except for the local one. This certificate authority will in turn only have to trust other certificate authorities for assigning properties from domains for whom these are authoritative. Hence, the decision on who can authenticate within a country or region (local domain) is with the certificate authority of this country or region. Maurer’s calculus was extended to support modeling cross-certification and the extended identity certificates. Based on this calculus, the authenticity of a public key and its associated properties can be inferred from the perspective of the verifier, the mobile router or correspondent router. The extended identity certificates, as defined for use within the SeNERO protocol, have been verified based on this approach. This was performed based on both a local and an inter-domain verification. In the local verification, the logical inferencing only requires the local but no foreign certificate authorities. In the inter-domain verification, the inferencing does require inter-domain operations with foreign certificate authorities for verifying every individual property assignment or delegation. Either way, the authenticity of the mobile router’s and correspondent router’s public keys and associated properties – identity and IP address prefixes – have been successfully derived.