Professional Documents
Culture Documents
Iccnc 2015 7069510
Iccnc 2015 7069510
Iccnc 2015 7069510
nodes) and adds a layer of security against possible attacks. We sent. This kind of information can facilitate an attacker to
believe our proposed algorithm will enhance the same principle intercept, redirect and spoof data packages [14]. Even though
to work with the OSPF protocol and increase security without we can encrypt all the traffic to increase security, it is not ideal
adding more overhead. to completely rely on encryption [15]. The network traffic can
In this paper, we propose a new routing algorithm to enhance be better protected if the paths taken by the packets are less
the security of the Internet. Instead of using Dijkstra's algorithm predictable.
to find only one shortest path between each pair of
source-destination nodes, we will find multiple paths between
A. Hot Potato Routing Algorithm
each pair of source-destination nodes. We will then populate
the routing table with all the paths. When a data package arrives With the Hot Potato Routing algorithm, the path by which a
as a router, instead of always sending the package by the same package travels is completely random. The way this algorithm
path, the router will randomly choose one of the paths in the works is when a packet is received by a router, the packages are
routing table to send the package by. Because the path is randomly forwarded to one of the router’s neighbors [7]. The
randomly selected for each package, it becomes more difficult router does not take into consideration the ending node, the link
for an attacker to eavesdrop all packages of a communication costs or path minimization. This way the path by which a
session. This layer of added security conceals the package’s package travels is completely random. The positive aspect of
path and therefore better protects against interception, spoofing this algorithm is that it provides more security against spoofing
and redirecting. and sniffing because it is impossible for a hacker to determine
Here is how the rest of the paper is organized. In Section 2, the path or to track the data packages. However, this Hot Potato
we first describe the Dijkstra’s Algorithm and its security Algorithm is very inefficient as the paths may end up being
vulnerability; we then describe a routing algorithm which we very long. Consider a data packet received by router A and is
named “Hot Potato Routing”. This algorithm has the maximum destined to A’s neighboring router B. With this algorithm,
level of path randomness but suffers from inefficiency. We then router A may send the packet on a path through many other
describe and analyze our new approach which we believe will routers instead of directly to B. In small networks this might
achieve a high level of path randomness without sacrificing not be a huge deal, but in a very large network this will
efficiency. In Section 3, we will perform computer simulations substantially increase the time it takes for a package to reach its
to compare the different routing algorithms and verify the destination. Although the path may be very difficult for an
effectiveness of our new approach. In Section 4, we conclude attacker to track, the lack of efficiency makes this protocol
the paper. impractical.
In the next algorithm, we will combine the strengths of the
Hot Potato algorithm and the Dijkstra's Algorithm to provide a
II. SECURITY ENHANCED ROUTING ALGORITHM more secure but also efficient way of forwarding data packets.
Shortest-path algorithms such as Dijkstra’s Algorithm [6] are
integral part of the OSPF routing protocol. After a router has B. Disjoint Path Routing with Random Selections (DPRRS)
established the topology of the network, it uses Dijkstra’s As we saw, Dijkstra’s algorithm is a good way to ensure the
Algorithm to compute the best paths between the source-router path to the end node is always the shortest one. This is
and all possible destinations. It then populates the IP routing important as the routing process must be very efficient.
table with the lowest cost path for each destination. Every Therefore, in our approach we also use Dijkstra’s algorithm but
router has its own IP routing table which dictates where each we run the algorithm multiple times in order to find multiple
data package is forwarded to. The algorithm begins with shortest paths to an end node. Later when a data package arrives
marking all nodes to be unvisited, the initial node cost to be at the router, the router forwards the package to one of its
zero and every other node cost to be infinity. First, let the neighboring routers which are on the previously computed
starting node be the current node and then consider the cost to paths to the destination. While this approach adds a little more
reach all of the current node’s neighbors. Then, compare this work for the router when populating its routing table, it will
value to the currently assigned cost to the node and assign the boost our network confidentiality and ensure the integrity of the
smaller value. Next, mark the current node as visited and data packages.
choose the unvisited node with the lowest cost as your next In the implementation of Dijkstra’s algorithm, to send a
current node. The algorithm will continue moving through the package between two neighboring routers, let’s say node A to
network in this way until all nodes have been visited. The node B, there must be a quantified cost assigned to the link. On
running time of the Dijkstra’s algorithm is O(|V|2) or O(|E| + the other hand, if there is no link between the routers the cost
|V|log|V|), where |V| is the number of vertices and |E| is the for the link is set to infinity and the two routers are not
number of edges in the network [13]. considered neighbors. This is important for the algorithm to
This is an efficient and seamless process to find the lowest determine whether or not to send a package through that path.
cost path from the starting node to every other node in a Our solution utilizes this same principle of the algorithm.
network. The downside is that Dijkstra’s Algorithm is a The first step is to run the algorithm like it would normally be
well-known algorithm. Once the topology is known, an attacker run in OSPF. When the shortest path is selected and saved, we
can compute the exact path by which any data packages will be
1138
2015 International Workshop on Sensor, Peer-to-peer and SociAl Networks, ICNC Workshop
change the link cost of all the links used in that path to be packages sent by the same router as the router will send the
infinity. Basically, we will remove the shortest path from the packages along different paths. Therefore not only does the
set of available routes to send data by. We then run Dijkstra’s randomization process lower the chances that a data package
algorithm again to find another path which will be link disjoint will be intercepted at all but it also minimizes the harm if an
from the first one. We will keep repeating this process until we attacker does succeed.
obtain the desired number of disjoint paths. Lastly, the router With either the Hot Potato Routing Algorithm or the DPRRS
will save all of the paths found into its routing table, which will Algorithm, the paths traveled by the data packets may be longer
ensure we will have access to all paths later when the router than that of the paths generated by a shortest path algorithm
needs to route a data package. We may exclude the next-hop on such as Dijkstra’s algorithm. With additional path length, there
the shortest path to further improve the security as discussed may be more packets traveling in the network at any given
later. moment which may require more network resource to process
At this point all our network paths are computed and we can these packets. Network user may also experience longer delays.
start forwarding the packages. Each time a data package is Therefore it is important to study our new approaches’ impacts
received, the router will randomly choose one of the paths on path lengths.
which it has computed earlier to send the package by. By
creating this randomization process, we expect to lower the
chances for an attacker being able to track and find the III. COMPUTER SIMULATIONS AND ANALYSIS
packages as they travel through the network. In this section we conduct computer simulations to
In the case when an attacker is able to calculate the shortest determine the effectiveness of the Disjoint Path Routing with
path between the source node and the destination node and Random Selections (DPRRS) algorithm. We have three
he/she is also able to gain access to one of the links on the path, variations for the DPRRS algorithm: DPRRS-2, DPPRRS-3,
the attacker can capture all traffic from the source node to the and DPRRS-4, with which a router randomly chooses one of
destination node if the routers are running Dijkstra’s Algorithm two, three, and four disjoint paths respectively from its routing
and hence all packets pass through the same path. On the other table to the destination node. We compare their performance
hand, if the routers are running either the Hot Potato Routing with those of the Hot Potato Routing and those of the Dijkstra’s
algorithm or the DPRRS algorithm, the amount of packets algorithm. We use LEDA programs to randomly generate
being captured by the attacker may be significantly reduced. network graphs of sizes ranging from 10, 20 and 40 nodes and a
We can calculate the upper bound on the amount of traffic nodal degree (i.e., the number of links ending in a node) of 2.8
captured by the attacker in the latter cases as follows. [17].
For the DPRRS algorithm, let n to be the number of next-hop As mentioned at the end of Section II, longer routing paths
entries in the routing table stored for each destination, then the can lead to additional network resource consumption and
average amount of traffic may be captured by an attacker is 1/n longer delays experienced by network users. Since the most
of the total traffic if the attacker has access to one of the links on significant network resource consumptions and delays occur at
the shortest path. The larger n is, the more difficult for an the routers, we run the algorithms on these networks and
attacker to capture all packets. If the n entries in the routing compare the average hop-counts between all node-pairs of the
table exclude the next-hop on the shortest path, then the amount networks. A hop-count is the number of routers on a path
of traffic may be captured by an attacker is zero! connecting the source node and the destination node. It equates
For the Hot Potato Algorithm, each packet travels on a to path length when all link cost is 1.
random path before reaching the destination node. The amount The data from the simulation is contained in Table 1 and
of traffic captured by the attacker depends on the nodal degree depicted in Fig 1 and Fig 2. As expected, with the Hot Potato
of the network, as well as on the attacker’s hop distance to the Routing algorithm, a router passes an incoming packet to one of
source node and the destination node. Let the nodal degree to be its neighboring routers at random, thus the packet is likely to
d. Also assume the attacker have access to the i-th link on the experience the longest path length and delay before reaching its
shortest path from the source node thus 1 ≤ i ≤ h, or equally the final destination. In the worst case, a packet may be traveling in
(h – i + 1)-th link to the destination node. When min(i, h – i + 1) circles in the network while not reaching the destination. On the
= 1 where function min(x, y) returns the lesser value of x and y, other hand, with Dijkstra’s Algorithm, a router always passes
the packets from the source node to the destination are equally an incoming packet to its neighbor who is on the shortest path
distributed on d paths, then the average amount of traffic may to the packet’s final destination, thus the packet always
be captured by an attacker is 1/d of the total traffic. For other experience the shortest path and delay. DPRRS algorithms
values of min(i, h – i + 1), the traffic from the source node to the generate paths whose hop counts are slightly higher than that of
destination are equally distributed on dmin(i, h – i + 1) paths, thus Dijkstra’s Algorithm but significantly lower than that of the
the average amount of traffic may be captured by an attacker is Hot Potato Routing algorithm. Out of the three variations of
1/ d min(i, h – i + 1) of the total traffic. Lager nodal degree d makes it DPRRS algorithms, DPRRS-2 has the hop counts that are
more difficult for an attacker to capture all packets. closest to that of Dijkstra’s Algorithm while DPRRS-4 has the
With either the DPRRS algorithm or the Hot Potato largest difference. This can be explained as follows. When each
algorithm, if an attacker were to intercept a communication, it router has a larger collection of neighboring routers to forward
will be difficult for him/her to continuously intercept all an incoming packets, there are more variations of possible
1139
2015 International Workshop on Sensor, Peer-to-peer and SociAl Networks, ICNC Workshop
paths for the packets to reach their destination which cause the
paths’ average hop counts to increase. However, as we 4
40 DPRRS-4 Web.
[10] Sandra Murphy, and Madelyn Badger. "OSPF with Digital
30 Signatures." Network Working Group. N.p., June 1996. Web.
[11] Kamal, S., and B. Isaac. "Analysis of Network Communication
Attacks." IEEE Xplore. N.p., Dec. 2007. Web.
20
[12] Wenjing Lou, Wei Liu, and Yuguang Fang. "Spread: Improving
Network Security by Multipath Routing." IEEE Xplore. N.p., n.d.
10
Web.
[13] Moshe Sniedovich. "Dijkstra’s Algorithm Revisited: The
0 Dynamic Programming Connexion (Vol. 35 No. 3)." Control and
10 20 30 40 Cybernetics. Warszawa: Państw. Wyd. Nauk., 1972.
Number of Nodes in Network [14] A. Barbir, S. Murphy, and Y. Yang. "Generic Threats to Routing
Protocols."Network Working Group. N.p., Apr. 2004. Web.
Fig. 1. Average hop counts of the paths using three different routing [15] Rangarajan, Sampath, Takkallapalli, Anil, Mukherjee, Sarit,
algorithms: Hot Potato Routing, Dijkstra’s Algorithm, and DPRRS-4. Paul, Sanjoy, and Miller, Scott. "Adaptive VPN: Tradeoff
between Security Levels and Value-added Services in Virtual
1140
2015 International Workshop on Sensor, Peer-to-peer and SociAl Networks, ICNC Workshop
1141