[Commotion-dev] Quick Update

Michael Rogers m-- at gmx.com
Thu Apr 7 09:41:24 UTC 2011


Hi Aaron,

Thanks for the quick reply.

On 07/04/11 10:19, L. Aaron Kaplan wrote:
> Yes, you have two choices:
> a) make it distributed. In this case you need 3*N+1 nodes to detect N "byzantine-liars"
> (see http://en.wikipedia.org/wiki/Byzantine_fault_tolerance)
> In other words: yes, if it is distributed, you can be corrupted by one third of the 
> nodes. Or another way to say it: voting helps in such cases ;-)

Unfortunately, without some control over the creation of identities,
voting doesn't help - the attacker can just create an arbitrary number
of identities that out-vote the non-corrupt nodes (the Sybil attack).

> Right now, if you don't protect the routing plane, even in OLSR you can 
> screw up the whole routing in the network pretty badly. There is an
> initial secure plugin in OLSR which signs routing messages. However, I 
> am sure it could use some maintainer ;-)

;-) I'm not sure that signatures provide much benefit without an
identity infrastructure. Yes, they prevent forgery, but "This message
was signed by Bob" doesn't mean much if you don't know who Bob is... or
if Bob might be the same person as Alice, etc.

> Well, DOSing communication is generally pretty easy on Wi-Fi: just jam 
> it. Take a microwave oven, connect it to a strong reflector (Sat dish?) and 
> direct it at the mesh crowd ;-) Zap!
> Very low tech. The obvious counter strategy is to simply be very close together.
> Then the jammer's signal is weaker than yours. A jammer always has to invest lots of 
> energy to jam a large area (signal strength_at_receiver = initial_strength * 1/distance^2)

Wow, I hadn't even thought about attacks against the physical layer! But
jamming a large mesh would require a lot of resources, as you say,
whereas by attacking the routing protocol you could potentially disable
the whole mesh from a single point.

> Well, you can improve minor things:
> a) use all encryption layers available (Wi-Fi), secure plugin, VPN for data
> b) re-work the secure plugin to make it tolerant to byzantine liars (malicious 
> insiders). 
> c) give people tools to check if something wrong happened with the routing layer
> d) create an IDS (intrusion detection system) for the routing layer and trigger automatic alarms 
> e) create a filter system similar to the filters in BGP. You might want to just simply 
>  block the announcements of a specific node.

Good point, security isn't all-or-nothing. These defences are definitely
worth considering, but I suspect that (b) will be vulnerable to an
attacker who can maintain multiple identities (Sybil attack) and (e)
will be vulnerable to an attacker who can change identities at will
(whitewashing). Still, implementing such defences would at least force
the attacker to be more sophisticated.

> Thanks for your inspiring mail!

Likewise! Sorry I don't have something more positive to offer. ;-)

Cheers,
Michael
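
The Sybil objection to voting raised in this message, as an added example that is not part of the original post: a small Python model in which a false routing claim is accepted once identities can be minted freely and rejected when only admitted identities are counted. The two-thirds acceptance rule, the node names and the function names are assumptions made for the illustration.

```python
from __future__ import annotations

# Illustrative model only; all names here are hypothetical, not OLSR code.

def max_tolerated_liars(n_nodes: int) -> int:
    """Largest N with n_nodes >= 3*N + 1 (the bound quoted in the thread)."""
    return max((n_nodes - 1) // 3, 0)

def accept_claim(votes: dict[str, bool], admitted: set[str] | None = None) -> bool:
    """Accept a routing claim if more than 2/3 of counted identities endorse it.

    votes maps identity -> True (endorses) or False (disputes).
    If `admitted` is given, votes from identities outside it are ignored,
    which models control over the creation of identities.
    """
    counted = {i: v for i, v in votes.items() if admitted is None or i in admitted}
    if not counted:
        return False
    yes = sum(counted.values())
    return 3 * yes > 2 * len(counted)

def simulate(n_honest: int, n_attackers: int, sybils_per_attacker: int) -> dict:
    """Vote on a false claim: honest nodes dispute it, attackers endorse it."""
    honest = {f"honest-{i}" for i in range(n_honest)}
    attackers = {f"attacker-{i}" for i in range(n_attackers)}
    admitted = honest | attackers          # one identity per physical node
    votes = {i: False for i in honest}
    votes.update({i: True for i in attackers})
    for a in attackers:                    # extra identities cost nothing
        for k in range(sybils_per_attacker):
            votes[f"{a}-sybil-{k}"] = True
    return {
        "tolerated_liars": max_tolerated_liars(len(admitted)),
        "open_identities": accept_claim(votes),
        "admitted_only": accept_claim(votes, admitted),
    }

if __name__ == "__main__":
    # Constructed scenario: 7 honest nodes, 2 attacker nodes (within 3*N+1).
    for sybils in (0, 6, 7, 10):
        print(sybils, simulate(7, 2, sybils))
```

With 9 physical nodes the vote withstands the 2 attackers, but 7 extra identities each are enough to pass the false claim when every identity is counted.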


