Securing Wireless Mesh Networks

Author Glass, Steve, Portmann, Marius, Muthukkumarasamy, Vallipuram

Published 2008

Journal Title IEEE Computing

DOI https://doi.org/10.1109/MIC.2008.85

Copyright Statement © 2008 IEEE. Personal use of this material is permitted. However, permission to reprint/ republish this material for advertising or promotional purposes or for creating new collective works for resale or redistribution to servers or lists, or to reuse any copyrighted component of this work in other works must be obtained from the IEEE.

Downloaded from http://hdl.handle.net/10072/22892

Link to published version http://ieeexplore.ieee.org/servlet/opac?punumber=4236

Griffith Research Online https://research-repository.griffith.edu.au

Mesh Networking

Securing Wireless Mesh Networks

Steve Glass, Marius Portmann, and Vallipuram Muthukkumarasamy
Queensland Research Lab, NICTA

Published by the IEEE Computer Society. 1089-7801/08/$25.00 ©2008 IEEE. IEEE INTERNET COMPUTING.

Now found in domestic, commercial, industrial, military, and healthcare applications, wireless networks are becoming ubiquitous. Wireless mesh networks (WMNs) combine the robustness and performance of conventional infrastructure networks with the large service area and self-healing and self-organizing properties of mobile ad hoc networks. In this article, the authors consider the problem of ensuring security in WMNs, introduce the IEEE 802.11s draft standard, and discuss the open security threats faced at the network and data-link layers.

Wireless mesh networks (WMNs) offer improved utility and lower infrastructure costs than conventional wireless networks because, like mobile ad hoc networks (manets), they use multihop routing. This strategy extends the wireless service area and enables the network’s self-healing and self-organizing properties. A WMN is distinct from manets in that it uses multiple radios and relies on a high-speed back-haul network — often itself wireless — that optimizes network performance and provides gateways to the wired Internet and other wireless services. (Ian Akyildiz, Xudong Wang, and Weilin Wang have surveyed the existing literature on WMNs elsewhere [1].)

Early adopters of wireless mesh technology include community networks, which can provide low-cost Internet access to whole neighborhoods by buying inexpensive wireless mesh routers from companies such as Meraki. WMNs are also appealing in the developing world, as evidenced by the One Laptop per Child project’s XO laptop, which is designed for educational use and implements a wireless mesh network using hardware and software that conforms to the IEEE 802.11 standard but has extensions to support wireless mesh networking. With millions of units in projected XO sales, IEEE 802.11 use for mesh networking is set to expand rapidly.

The IEEE formed the 802.11 Task Group “s” (TGs) in 2004 to prepare a standards amendment to meet the requirements for WMNs. The standards amendment, which will be known as

802.11s, is expected to be ratified in the last quarter of 2009, and efforts are already under way to integrate it into the GNU/Linux kernel. (An overview of the 802.11s architecture and concepts is available elsewhere [2].)

When used in sensitive applications, WMNs need robust security protocols to ensure secure operation. The protocols should ensure the confidentiality, integrity, and authenticity of network traffic and preserve the availability of communications. A more comprehensive set of requirements might also address the problems of intrusion detection and location privacy.

As Figure 1 illustrates, security threats are present at all levels of the protocol stack, so security is a high priority within TGs. The draft amendment builds on the successful security protocols of the base standard and extends them so that they may be used in a WMN environment. In this article, we consider the challenges to WMN security at the data-link or MAC layer and the network layer.

Layer         Threats
Application   Logic errors, buffer overflows, privilege escalation
Transport     DNS spoofing, session hijacking, traffic injection
Network       Black/gray/worm holes, misrouting, rushing attacks
Data-link     Traffic flooding, virtual jamming, man-in-the-middle
Physical      Collision jamming, device tampering

Figure 1. Wireless Security Risks: Security threats are present at all layers of the wireless mesh network stack.

WMN MAC-Layer Security

A secure MAC layer is responsible for ensuring that a mesh network carries traffic only for authorized stations, thus preventing attacks by unauthorized ones. The following sections describe the requirements for a secure MAC as well as the 802.11s MAC-layer extensions that address them.

Availability

In the context of wireless networks, availability refers to the network services’ survivability in the face of denial-of-service attacks. Availability is one of the most important properties for a wireless network; it’s also one of the most difficult to ensure, which is a serious problem in 802.11 networks because jamming attacks are easy to mount but almost impossible to prevent. Given that an attacker can always resort to a jamming attack, IEEE 802.11 doesn’t address availability concerns. Alternatively, the self-healing property in 802.11s WMNs — a property shared with manets — lets the WMN route traffic around jammed areas automatically. The WMN itself has another possible response because traffic might be routed to a different radio that uses a channel that the adversary isn’t jamming. Although the adversary might also jam that channel, it does increase the work required for doing so.

Fairness

In a mesh network, the MAC must ensure that no station is starved of bandwidth. Ensuring fairness includes two distinct aspects: access to the radio channel and access for traffic forwarded through a given station. The former is the MAC layer’s responsibility, and the latter falls to the routing or path-selection protocols.

802.11 defines several coordination functions (CFs) to provide contention-based and contention-free access to the wireless channel. The contention-based mechanisms allow collisions in transmission to occur and use an exponential back-off that favors stations that place the network under heavy load. Adversaries can exploit this inherent unfairness via traffic-flooding or MAC-layer attacks to deliberately starve other stations of bandwidth. 802.11s partly addresses the fairness problem by requiring the standard contention-based enhanced distributed channel access (EDCA) — a QoS-aware CF. That said, using EDCA in a WMN can set the stage for potential performance problems in the presence of hidden terminals. Such hidden terminals are within the radio range of the receiver but not of each other and so can cause interference at the receiver should they broadcast simultaneously. To counter this possibility, the standard defines an optional mesh deterministic access (MDA) CF that permits congestion-aware, contention-based, and contention-free access for WMNs. Contention-free access lets a station reserve exclusive access to the radio channel, preventing interference from hidden terminals. The risk associated with contention-free access is that a rogue station can continuously request bandwidth in order to prevent legitimate stations from communicating.

Authentication

Authentication allows one station to prove its

JULY/AUGUST 2008 31 Mesh Networking

identity to another. In conventional 802.11 networks, the problem of authentication and key distribution is explicitly outside the specification’s scope. It assumes the existence of an enrollment mechanism that ties a user identity to an encryption key that can be used to establish credentials. Two basic approaches are available for authenticating within WMNs:

• Preshared key (PSK) approaches use passphrases or other key material provided to each station in advance.
• Public key (certificate-based) approaches use private keys to authenticate each station’s identity.

PSK is simple and efficient, but it’s flawed in that a single passphrase is often shared among all stations in the network. Knowledge of the passphrase is sufficient for decrypting any session or masquerading as any other station. Perhaps most serious is that attackers can defeat the 802.11 PSK using dictionary attacks, and several open-source tools, such as coWPAtty (http://www.churchofwi.org/), can automate that attack process. In light of this, 802.11s prohibits the use of 802.11 PSK mode and implements a new mechanism known as MKD-PSK. This requires a unique 256-bit PSK for each station, which is shared only with a trusted third party known as the mesh key distributor (MKD). This eliminates the principal risks of the original PSK approach but requires the creation and distribution of unique PSKs for each mesh station.

Public-key-based approaches are extremely flexible and use certificates to verify station identities. Yet, this flexibility comes at a cost of increased complexity. From the WMN perspective, the main drawback is that all stations must be able to authenticate the certificates they receive. Unfortunately, a station joining the WMN for the first time will be unable to contact the certificate authority (CA) to check a certificate’s revocation status until after it has authenticated itself.

Authentication and Access-Control Protocols

802.11 uses the 802.1X port-based access-control mechanism to manage authentication exchange and initiate the four-way handshake used for key establishment. The authentication exchange includes three parties: the supplicant seeking to be authenticated, the authenticator to which the association is being established, and the authentication server (AS) that’s responsible for verifying the identities. 802.1X is very effective in conventional infrastructure environments, but it has shortcomings when used for WMNs. In the former, a single IEEE 802.1X exchange takes place between the supplicant station seeking to join the network and the access point, which is the authenticator. When used in a WMN, 802.1X requires that

• both stations make two prior, complete IEEE 802.1X authentication exchanges to establish mutual authentication;
• both stations implement the supplicant and authenticator state machines, given that both roles must be performed;
• each station have access to the AS; and
• one station access the AS via the other, as-yet untrusted, station.

This approach is complex and time-consuming, and it negatively impacts the WMN’s self-organizing property. Significant interest thus exists in alternative authentication protocols for mesh access. The dual wireless authentication protocol (DWAP) [3], for example, is an efficient alternative that substantially reduces the overhead associated with 802.1X. During the drafting of the standard, TGs considered another protocol, known as Comminus, that’s designed specifically for the WMN environment [4]. Comminus is an efficient, lightweight, peer-based authentication protocol based on the secure key-exchange mechanism (SKEME) key exchange and management protocol. In contrast to 802.1X, Comminus doesn’t distinguish between the roles played by the parties being authenticated and uses authentication frames rather than data frames to conduct its exchange. Some loss of generality occurs because Comminus supports only certificate or PSK modes, although the latter mode is vulnerable to a dictionary attack. Although it is an interesting protocol, it does not support the extensible suite of Extensible Authentication Protocol (EAP) authentication types that’s possible in 802.1X and is unlikely to make it into the standard.

Risks from Compromised Stations

A nasty problem for WMNs is the lack of physical security for network stations, which might be widely distributed geographically. An adversary might be able to physically capture a station, which presents risks not frequently experienced with an infrastructure network. Naouel Ben-Salem and Jean-Pierre Hubaux describe four key threats arising from the lack of physical security [5]:

• removal of network stations;
• inspection of stations to, for example, recover key material, routing tables, or traffic transiting the station;
• modification of a station’s internal state; and
• cloning and deployment of compromised stations.

All but the first of these threats are particularly serious in that they expose the network to hostile attack. The latter two raise the possibility of byzantine attacks at a later stage. At this time, effective solutions to these problems remain open research problems.

Path Selection and Routing Security

Hybrid Wireless Mesh Protocol

802.11s is unusual in that the MAC layer is responsible for ensuring that a frame reaches its final destination across multiple hops and multiple potential paths. In manets and other WMNs, this role is usually performed by the routing protocol at the network layer. In 802.11s, Hybrid Wireless Mesh Protocol (HWMP) performs path selection at the MAC layer, and the protocol forwards frames at this layer. Because HWMP is a MAC layer protocol, it uses MAC addresses and not IP addresses; otherwise, it employs the same process as routing at the network layer. We can configure an 802.11s WMN to use either HWMP or a conventional network-layer routing protocol.

HWMP is a hybrid protocol in that it combines both proactive and reactive approaches to path selection. If a “root node” exists, HWMP uses proactive routing to find and maintain a route to it. Root nodes are special and will usually represent what 802.11 denotes as mesh portals (MPs) — mesh stations that serve as gateways to non-802.11 networks. Proactively maintaining a path to a root node is, therefore, an optimization for one of the most likely traffic destinations. For all other stations, the protocol uses reactive or on-demand path discovery exclusively. Reactive path discovery uses protocol primitives and rules from the ad hoc on-demand distance vector (AODV) routing protocol [9]. You can find an introduction to the 802.11s HWMP path selection protocol elsewhere [10].

Routing Attacks

Attacks on the path selection and routing protocols can impact availability across large parts of the network. A hostile adversary can subvert the protocol by either

• attacking the route discovery mechanism by injecting, modifying, or misdirecting the route request (PREQ/RREQ), route reply (PREP/RREP), and route error (PERR/RERR) messages to affect the routing metrics, introduce gratuitous detours, attempt to create routing loops, or overflow routing tables; or
• forwarding attacks in which a station agrees to join a path but fails to route traffic in accordance with the protocol by dropping, delaying, or failing to forward traffic fairly.

To address these risks, researchers have proposed several secure routing protocols that use cryptography-based approaches to prevent attacks. (A survey of such protocols is available elsewhere [11].) Using cryptography allows stations to authenticate the routing messages. The Authenticated Routing for Ad Hoc Networks (ARAN) protocol uses digital signatures to sign a message’s contents at each hop [12]. Using public-key cryptography in this way is expensive, however, so researchers have sought other approaches. One common alternative is to use hash chains as introduced in the Secure Ad Hoc On-Demand Distance Vector (SEAD) protocol [13]. Hash chains are efficient and guarantee authenticity and integrity similar to digital signatures but at a lower cost.

Rushing Attacks

Rushing attacks subvert the route-discovery process to increase the likelihood that the hostile station is included in a given route. The attacker quickly forwards route request messages to ensure that duplicate requests arriving later from other stations will be suppressed [14]. The purpose of this attack is to increase the likelihood that the adversary’s station is included in a given route. The defense against this attack has two parts: a secure neighbor discovery protocol and a modification to the routing protocol’s


route-discovery logic. At present, these aren’t integrated into popular WMN routing protocols. This attack remains a potential threat, especially when the WMN isn’t using higher-layer end-to-end security protocols.

Gray Holes and Black Holes

A black hole is a station that advertises its willingness to take part in a route but forwards no traffic. A gray hole is a more difficult-to-detect variety that conditionally decides which traffic it will forward. One key property of gray and black holes is that they must attract traffic through themselves to be effective. Gray or black hole attacks might alter route replies or use a rushing attack to improve their routing metrics and become the preferred route for network traffic.

Wormholes

Wormhole attacks can be severely problematic. With such attacks, the hostile adversary doesn’t need to control any legitimate stations but still poses a significant outsider threat to the WMN’s routing integrity. The wormhole attack forms a tunnel connecting different parts of the network, thus tricking stations adjacent to one end of the wormhole into believing that they’re neighbors with stations at the other end. At first sight, a wormhole appears beneficial because it optimizes traffic flow across the mesh. The threat is that it also permits an adversary to conduct active traffic analysis and large-scale denial-of-service attacks.

Figure 2 shows an example wormhole attack in which the hostile adversary has two stations linked to each other via a high-speed data link. The stations are located within radio range of the WMN, and traffic overheard by one end of the wormhole is relayed to the other where it’s then rebroadcast and similarly in the reverse direction. In this example, station A would appear to have B, C, X, and Y as its direct neighbors, whereas Y would presume it has A, C, and X for its direct neighbors. Station B would conclude that it has three two-hop routes to station X, but only the route B -> D -> X avoids the adversary.

Figure 2. An example wormhole attack. The connection between stations W1 and W2 creates a “wormhole” in the WMN topology analogous to the wormholes of theoretical physics. (Diagram: mesh stations A, B, C, D, X, and Y, with adversary stations W1 and W2.)

The threat posed by wormhole attacks is severe, and researchers have proposed several means of combating this threat. In essence, such approaches seek to verify the authenticity of the transmission itself as well as the authenticity of the information actually exchanged.

Distance-bounding protocols. Distance-bounding protocols seek to set an upper bound on the distance between legitimate parties by using precise timing of a cryptographic challenge/response. One such distance-bounding protocol is the secure tracking of node encounters (SECTOR) mutual authentication with distance-bounding (MAD) protocol, which we can use as a defense against wormhole and more general impersonation attacks [15]. MAD relies on measuring the round-trip times of a bit-commitment protocol and also unfortunately requires special hardware support for the distance-bounding protocol.

Yih-Chun Hu and colleagues’ paper, which first discussed wormhole attacks, also suggested using packet leashes to defend against them [16]. Packet leashes require either trustworthy geographical data or precisely synchronized clocks to restrict a packet’s travel within a defined geographical area. As with SECTOR, the requirement for special hardware support limits this solution’s appeal.

Neighbor verification. Turgay Korkmaz also considers the wormhole problem, but he uses time-of-flight and signal-power models as part of a neighbor-verification protocol (NVP) [17]. NVP uses timing and power information to authenticate the exchanges. Unlike the secure verification protocol suggested to defend against rushing attacks, the NVP protocol isn’t cryptographically secure. It is, nevertheless, a potential obstacle to hostile adversaries.

Jakob Eriksson advocates the TrueLink protocol [18] as an alternative approach. TrueLink


isn’t intended to be a true distance-bounding protocol, but stations can use it to establish the authenticity of neighboring stations. The protocol has two phases. First, stations exchange request-to-send (RTS) and clear-to-send (CTS) packets containing nonces (randomly generated numbers). The timing requirements in this exchange are such that wormholes can’t relay the RTS/CTS packets. Stations then use these nonces to answer non-time-critical periodic authentication challenges to prove that the RTS/CTS nonces are original, which they do by sending signed messages authenticating themselves as the originator of their nonce value. Among the advantages of this approach are that it requires only minor changes to the MAC protocol and that it can work with standard hardware.

Reputation-Based Defenses

Reputation-based approaches such as the watchdog/pathrater protocol [19] offer a novel approach to detecting misbehaving stations (including routing unfairness and gray and black holes): they rely on neighbors to monitor each other and avoid paths via stations that don’t behave properly. Unfortunately, such reputation-based approaches have limited applicability in WMNs because many stations employ multiple radios. A station could thus forward traffic using radio channels that its neighbors can’t hear or monitor.

Security Verification

How can we prove that 802.11s is secure? The proposed standards amendment’s security builds on the 802.11 committee’s experience with TGi, which defined the TKIP and AES/CCMP protocols. Considerable attention has been paid to ensuring the security of any amendments. Doug Kuhlman and his colleagues developed a formal proof of security for the draft 802.11s specification [6] that uses Protocol Composition Logic (PCL) to demonstrate that the draft protocol is secure.

Security flaws are present not just in the WMN’s design, but also in both its implementation and operation. Bugs in the implementation are a major source of security flaws. In one study, device drivers had error rates three times higher than other kernel code and rates as much as seven times higher for some classes of errors [7]. Security flaws are already evident in wireless device drivers, as we can see from notable security compromises of flawed wireless device drivers. Provably secure implementations will require changes in both the operating system device driver architectures and software-development practices.

Finally, some security problems come from insecure operational practices. Common misconfigurations, such as the use of self-signed certificates for authentication, can render well-designed protocols ineffective. We can verify secure operational practices by periodically using penetration-testing toolkits.

The benefits of using a WMN are substantial in terms of improved utility, availability, and reliability, but considerable challenges remain to securing real-world WMNs.

Securing the MAC layer can prevent unauthorized access to the WMN. The IEEE 802.11s amendment promises to be a major step forward in this respect by adapting the successful security protocols of the base standard to the WMN environment. These mechanisms rely on the presence of either the mesh key distributors (MKDs) or authentication servers (ASs) to authenticate new stations, and these servers must be available during mesh formation. Alternative authentication protocols that are lightweight and do not place restrictions on mesh formation remain an area for future work. The experience of the Comminus protocol shows this is possible but underscores the importance of rigorous validation.

The security risks to path selection are already familiar from the routing layer protocols used by manets. A variety of secure routing protocols such as ARAN and SEAD have been implemented to address these threats. A key challenge will be their adaptation to the WMN environment. New metrics and security designs will be needed to account for the WMN environment where the use of multiple radios changes some of the basic assumptions.

Finally, secure designs need to be matched by secure implementations. The use of model-checking techniques can identify security problems in the design of the security protocols. Employing secure implementation techniques and careful auditing can eliminate many problems before the protocol implementations enter live use. New techniques for implementing device drivers can reduce the impact when problems occur. One particularly promising approach is to compartmentalize the drivers so they run with only the minimum necessary


privileges outside of the main body of the operating system kernel.

Acknowledgments

NICTA is funded by the Australian Government as represented by the Department of Broadband Communications, and the Digital Economy, the Australian Research Council through the ICT Centre of Excellence program, and the Queensland government.

References

1. I.F. Akyildiz, X. Wang, and W. Wang, “Wireless Mesh Networks: A Survey,” Computer Networks and ISDN Systems, vol. 47, no. 4, 2005, pp. 445–487.
2. G.R. Hiertz et al., “Principles of IEEE 802.11s,” Proc. 16th Int’l Conf. Computer Comm. and Networks (ICCCN 07), IEEE CS Press, 2007, pp. 1002–1007.
3. X. Zheng et al., “A Dual Authentication Protocol for IEEE 802.11 Wireless LANs,” Proc. 2nd Int’l Symp. Wireless Comm. Systems, IEEE CS Press, 2005, pp. 565–569.
4. D. Harkins and C. Kuhtz, Secure Mesh Formation, tech. report 802.11-06/1092r2, IEEE, 2006.
5. N.B. Salem and J.-P. Hubaux, “Securing Wireless Mesh Networks,” Wireless Comm., vol. 13, no. 2, 2006, pp. 50–55.
6. D. Kuhlman et al., A Proof of Security of a Mesh Security Architecture, tech. report 802.11-07/2436r0, IEEE Press, 2007; https://mentor.ieee.org/802.11/public-file/07/11-07-2436-00-000s-a-proof-of-security-of-a-mesh-security-architecture.doc.
7. A. Chou et al., “An Empirical Study of Operating System Errors,” ACM Operating Systems Rev., vol. 35, 2001, pp. 73–88.
8. Q. Lu, Vulnerability of Wireless Routing Protocols, tech. report, Univ. of Massachusetts, Amherst, Dec. 2002; www.nvc.vt.edu/ceege/qifeng/lukelu_files/Vulnerability_Qifeng%20Lu.pdf.
9. C.E. Perkins and E.M. Royer, “Ad-Hoc On-Demand Distance Vector Routing,” Proc. 2nd IEEE Workshop on Mobile Computer Systems and Applications (WMCSA 99), IEEE CS Press, 1999, pp. 90–100.
10. M. Bahr, “Proposed Routing for IEEE 802.11s WLAN Mesh Networks,” Proc. 2nd Ann. Int’l Workshop on Wireless Internet (WICON 06), ACM Press, 2006, p. 5.
11. Y.-C. Hu and A. Perrig, “A Survey of Secure Wireless Ad Hoc Routing,” IEEE Security & Privacy, vol. 2, no. 3, 2004, pp. 28–39.
12. K. Sanzgiri et al., “A Secure Routing Protocol for Ad Hoc Networks,” Proc. 10th IEEE Int’l Conf. Network Protocols, IEEE CS Press, 2002, pp. 78–89.
13. Y.-C. Hu, D.B. Johnson, and A. Perrig, “SEAD: Secure Efficient Distance Vector Routing in Mobile Wireless Ad Hoc Networks,” Proc. 4th IEEE Workshop on Mobile Computing Systems and Applications (WMCSA 02), June 2002, pp. 3–13.
14. Y.-C. Hu, A. Perrig, and D.B. Johnson, “Rushing Attacks and Defense in Wireless Ad Hoc Network Routing Protocols,” Proc. 2003 ACM Workshop on Wireless Security, ACM Press, 2003, pp. 30–40.
15. S. Čapkun, L. Buttyán, and J.-P. Hubaux, “SECTOR: Secure Tracking of Node Encounters in Multihop Wireless Networks,” Proc. 1st ACM Workshop on Security of Ad Hoc and Sensor Networks, ACM Press, 2003, pp. 21–32.
16. Y.-C. Hu, A. Perrig, and D.B. Johnson, “Wormhole Attacks in Wireless Networks,” IEEE J. Selected Areas in Comm., vol. 24, no. 2, Feb. 2006, pp. 370–380.
17. T. Korkmaz, “Verifying Physical Presence of Neighbors Against Replay-Based Attacks in Wireless Ad Hoc Networks,” Proc. Int’l Conf. Information Technology: Coding and Computing (ITCC 05), IEEE CS Press, vol. 2, 2005, pp. 704–709.
18. J. Eriksson, S.V. Krishnamurthy, and M. Faloutsos, “Truelink: A Practical Countermeasure to the Wormhole Attack in Wireless Networks,” Proc. 14th Ann. IEEE Conf. Network Protocols (ICNP 06), IEEE Computer Society, 2006, pp. 75–84.
19. S. Marti et al., “Mitigating Routing Misbehavior in Mobile Ad Hoc Networks,” Proc. 6th Ann. Int’l Conf. Mobile Computing and Networking (MobiCom 00), ACM Press, 2000, pp. 255–265.

Steve Glass is a research engineer at Queensland Research Lab, NICTA. His research interests include security in wireless mesh networks, intrusion detection and prevention systems, and public-safety communications. Glass has an MSc in Computing from the Open University. Contact him at [email protected].

Marius Portmann is a senior lecturer at the University of Queensland, and a researcher at Queensland Research Lab, NICTA. His research interests include Pervasive Computing, Wireless Mesh Networks, P2P Computing and Network Security. Portmann has a PhD in Electrical Engineering from the Swiss Federal Institute of Technology (ETH), Zurich. He is a member of the IEEE and can be contacted at [email protected].

Vallipuram Muthukkumarasamy is a senior lecturer in the School of Information and Communication Technology, Griffith University. His research interests include Security in Wireless Networks, Intrusion Detection and Prevention Systems, Sensor Network Security, Information Assurance in e-Government Models, Adaptive Equalisation. Muthukkumarasamy has a PhD in Communications from University of Cambridge. He is a member of the IEEE. Contact him at [email protected].
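The hash-chain approach mentioned under Routing Attacks can be made concrete with a short sketch of how a one-way chain authenticates the sequence number and hop-count metric of a distance-vector update. This is an added example, not code from the article or from the SEAD authors; the chain layout (one group of M elements per sequence number), the parameter values and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import NamedTuple

M = 8             # assumed bound on path length: valid metrics are 0..M-1
SEQS = 16         # assumed number of sequence numbers one chain can cover
N = M * SEQS      # chain length; chain[N] is the public anchor


class Update(NamedTuple):
    seq: int      # sequence number chosen by the destination
    metric: int   # hop count claimed by the advertising station
    auth: bytes   # hash-chain element that backs the (seq, metric) claim


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_chain(seed: bytes) -> list:
    """Destination side: h[0] = seed, h[i] = H(h[i-1]); only h[N] is published."""
    chain = [seed]
    for _ in range(N):
        chain.append(H(chain[-1]))
    return chain


def index_for(seq: int, metric: int) -> int:
    """Newer sequence numbers sit closer to the secret seed; within one
    sequence number, a larger metric sits one step closer to the anchor."""
    if not (1 <= seq <= SEQS and 0 <= metric < M):
        raise ValueError("sequence number or metric out of range")
    return (SEQS - seq) * M + metric


def originate(chain: list, seq: int) -> Update:
    """The destination advertises itself at metric 0."""
    return Update(seq, 0, chain[index_for(seq, 0)])


def forward(update: Update) -> Update:
    """A relay adds one hop and hashes once; it cannot run H backwards."""
    index_for(update.seq, update.metric + 1)   # range check only
    return Update(update.seq, update.metric + 1, H(update.auth))


def verify(update: Update, anchor: bytes) -> bool:
    """Hash the element forward to the anchor. The step count is fixed by
    the claimed (seq, metric), so a false claim lands on the wrong value."""
    try:
        steps = N - index_for(update.seq, update.metric)
    except ValueError:
        return False
    value = update.auth
    for _ in range(steps):
        value = H(value)
    return hmac.compare_digest(value, anchor)


if __name__ == "__main__":
    chain = build_chain(os.urandom(32))
    anchor = chain[N]      # assumed to reach every station authentically
    heard = forward(forward(forward(originate(chain, seq=5))))  # 3 hops out
    print("honest, metric 3:       ", verify(heard, anchor))
    print("relayed on, metric 4:   ", verify(forward(heard), anchor))
    print("same element, metric 1: ", verify(heard._replace(metric=1), anchor))
    print("same element, newer seq:", verify(heard._replace(seq=6, metric=0), anchor))
```

Verification costs only hash evaluations, which is the cost advantage over per-hop signatures. The chain stops a relay from claiming a shorter path or a newer sequence number than it received; it does not stop a relay from repeating the metric it heard without adding its own hop.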

36 www.computer.org/internet/ IEEE INTERNET COMPUTING
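The limitation noted under Reputation-Based Defenses can be seen by running a watchdog over the same traffic with and without visibility of a second radio channel. This is an added example, not code from the article or from the watchdog/pathrater authors; the timeout, threshold, station names, channel numbers and sample records are constructed for illustration, and the pathrater is reduced to excluding reported stations.

```python
from collections import Counter

TIMEOUT_MS = 50   # assumed: how long the watchdog waits to overhear a forward
THRESHOLD = 3     # assumed: missed forwards before a neighbor is reported

# Constructed sample data. Station A hands packets to next hops B and C.
# Each record: (time handed off in ms, packet id, next hop)
HANDED_OFF = [
    (0, 1, "B"), (100, 2, "B"), (200, 3, "B"), (300, 4, "B"),
    (0, 5, "C"), (100, 6, "C"), (200, 7, "C"),
]
# Every forward that really went on air: (time in ms, packet id, sender, channel)
# B forwards one packet in four (gray hole). C forwards everything, but on
# its second radio, which is tuned to channel 36.
ON_AIR = [
    (10, 1, "B", 1),
    (10, 5, "C", 36), (110, 6, "C", 36), (210, 7, "C", 36),
]
# Candidate paths from A to destination X (constructed)
PATHS = [["A", "B", "X"], ["A", "C", "X"], ["A", "D", "E", "X"]]


def watchdog(handed_off, on_air, monitored_channels):
    """Return (missed-forward tally per neighbor, set of reported neighbors).

    The watchdog only hears transmissions on the channels its own radio
    monitors; a forward it cannot hear counts as a missed forward.
    """
    audible = [tx for tx in on_air if tx[3] in monitored_channels]
    missed = Counter()
    for t_sent, pkt, next_hop in handed_off:
        heard = any(
            sender == next_hop and pid == pkt and 0 <= t - t_sent <= TIMEOUT_MS
            for t, pid, sender, _chan in audible
        )
        if not heard:
            missed[next_hop] += 1
    reported = {n for n, count in missed.items() if count >= THRESHOLD}
    return missed, reported


def pathrater(paths, reported):
    """Simplified pathrater: keep only paths that avoid reported stations."""
    return [p for p in paths if not reported.intersection(p)]


if __name__ == "__main__":
    for channels in ({1}, {1, 36}):
        missed, reported = watchdog(HANDED_OFF, ON_AIR, channels)
        print("monitoring", sorted(channels))
        print("  missed forwards:", dict(missed))
        print("  reported:       ", sorted(reported))
        print("  usable paths:   ", pathrater(PATHS, reported))
```

With only channel 1 monitored, the well-behaved multi-radio station C is reported alongside the gray hole B and the only remaining path is the longer one through D and E; with both channels monitored, only B is reported.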