DTN aims to provide usable Internet-like communication in heterogeneous environments with long, variable delays and asynchronous or interrupted connectivity, where existing transport protocols and congestion control mechanisms have limitations.
2.2 Delay Tolerant Network history and Overview
Delay Tolerant Networks (DTNs) have become a hot research topic among researchers and academics since the concept was proposed by Kevin Fall in his seminal 2003 SIGCOMM paper. Vinton Cerf, who is recognized as "one of the fathers of the Internet", contributed to designing and defining its reference architecture in the DTNRG for the IETF draft of RFC-4838.
The basic DTN architecture by the Internet Research Task Force's Delay-Tolerant Networking Research Group (IRTF DTNRG) involves the use of the 'Bundle protocol', which allows communication over multiple hops by means of 'custody transfers'; messages in a DTN are routed in a store-and-forward manner on each node [RFC-5050].
2.3 Delay Tolerant Networking Definition and Contexts of DTNs in Literature
A delay- or disruption-tolerant network has been defined in several ways in the literature. In , the DTN is defined as a challenged network, which may not follow the assumptions of the Internet. RFC-4838 describes it as occasionally and opportunistically connected networks that may comprise more than one different set of protocols. It includes a hop-by-hop transfer of messages for reliable delivery. A DTN as stated in  was defined as a network of regional networks, where it serves as a store-and-forward overlay on top of (and providing interoperability between) regional networks (the Internet, MANETs, sensor networks or any other network).
Constraints in Delay Tolerant Networks
Node constraints include (a) limited memory, (b) limited and unreliable power and energy, (c) limited transfer time for messages.
Network constraints are (a) unreliable communication, (b) collisions and latency.
Physical limitations are (a) unattended after deployment, (b) remotely managed.
Link constraints are (a) long and varying delays, (b) changeable mobility pattern of devices.
Major DTN Applications and Examples
In opportunistic networks such as sensor/actuator networks, which use scheduled intermittent connectivity (to conserve power) because they have extremely limited node power, storage memory, and CPU processing capability.
In Vehicular networks which use opportunistic (unpredictable) contact for message delivery.
In satellite networks having medium delays or periodic connectivity.
In Terrestrial wireless networks that connect mobile devices, including PDAs etc.
In Underwater acoustic (sensor) networks having frequent interruptions with moderate delays.
Outer (deep)-space networks (InterPlaNetary (IPN) Internet project).
Military Ad-hoc Networks such as a military battlefield where systems operate in highly hostile environments having mobility, bad environmental factors, or regulations causing disconnections like intentional jamming.
In rural villages or developing regions: low-cost, remotely located networks that communicate with the Internet non-interactively and occasionally. For example, remotely located schools, kiosks and computer centres are linked on an occasional basis using satellite and data mules or local transport infrastructures.
In sparsely connected ad hoc networks where some wireless devices or networks may fall outside the required communication range of each other.
Routing in DTN
Conventional routing protocols are based on the assumption that connectivity is continuous, delays are insignificant, and losses are minimal. However, DTN is based on opportunistic connectivity over disconnected links. Therefore new routing protocols are needed and new system architectures must be defined. DTN proposes many routing protocols for different situations, and based on these characteristics a variety of DTN network types are possible.
The four major routing schemes, among many proposed in the DTN literature, are discussed below:
Epidemic routing: In this routing the network is flooded with multiple copies of packets with the intention that at least one copy of the packet reaches the destination. This routing protocol is best suited when network bandwidth is high and storage capacity is plentiful; however, in reality that is seldom the case.
Prophet: This routing scheme is based on estimates of delivery predictability to destinations using the previous history of encounters.
MaxProp: This scheme is based on rank for each packet. The rank is based on delivery probability and based on this packets are queued in the transfer buffer. When a transfer opportunity arises, packets are de-queued and replicated.
Spray-and-Wait: This scheme is based on flooding, however with set limits for the total number of copies per packet.
Threats in DTN
In this section the terminology is examined first, then threats are defined, followed by a discussion of why DoS is a potential problem in DTN. Security and attack literature reviews are given in the next chapter.
Threat: A threat is any undesired event, which may or may not be malicious in nature. A potential occurrence might damage or compromise an asset or objective.
Attack: An attack is an action taken that utilizes one or more vulnerabilities to realize a threat. This could be someone following through on a threat or exploiting some vulnerability.
Non-DTN node threats: This class of threat arises outside of the DTN, for example from the network. DTN is an overlay on other lower network layers and bundles traverse these lower network layers, where any vulnerability can be exploited.
Denial of Service (DoS):
Classically, the definition of denial-of-service (DoS) involves three components: authorized users, a shared service, and a maximum waiting time.
In DoS, authorized users are said to deny service to other authorized users when they prevent access to or use of a shared service for longer than some maximum waiting time.
More generally, denial-of-service in DTN is the result of any action that prevents any part of a DTN from functioning correctly or in a timely manner, so that the intended user cannot use it. It is directly a breach of availability.
2.8 Denial of Service Attacks:
In addition to the basic resource consumption threats mentioned above there is also a range of denial of service (DoS) attacks which must be considered in the DTN context.
DoS attacks can be mounted at any layer, from physical to application. In a DTN environment, the generally longer latencies involved will probably act to make DoS attempts more effective. As with all networks, security mechanisms will themselves create new DoS opportunities. Therefore whatever services and mechanisms are defined for DTN security should explicitly consider DoS. For example, mechanisms which involve certificate status checking (via some protocol to a key server) based on received messages create new DoS opportunities, since such lookups consume resources on both the receiving node and the key server.
Common DoS attacks:
Attacks that are common to DTNs are
Dropping of packets,
Flooding the network with unnecessary spurious packets,
Spoofing a different node's address to intercept all the packets destined to that node,
Corrupting routing states and
Counterfeiting network acknowledgments
Resource consumption (Battery exhaustion, creating routing loops)
Due to the resource scarcity that characterizes DTNs, unauthorized access and use of DTN resources is a serious concern. Specifically, the following can consume DTN resources and be considered threats against a DTN infrastructure:
1. Access by unauthorized entities,
2. Unauthorized applications controlling the DTN infrastructure,
3. Authorized applications sending bundles at a rate or class of service for which they lack permission,
4. Unauthorised bundle content modification (tampering),
5. Compromised network elements, be they DTN nodes or not.
In addition to these threats, DTN nodes can act to assist or amplify such resource consuming behaviour as follows:
Forwarding bundles that were not sent by authorized DTN nodes.
Generating reports not originally requested (e.g. if a bundle has been modified)
Not detecting unplanned replays or other misbehaviours.
DoS prevention: As described above, denial-of-service is a breach of the security characteristic of availability. Along with availability, confidentiality and integrity are the primary concerns of security.
DoS cannot be prevented, because most attacks leverage the use of routing and other network activity, but there are countermeasures to mitigate it, such as:
Spread spectrum techniques (using network coding)
Proper authentication using either public-key cryptography (computationally expensive) or fast symmetric-key cryptography (must be used sparingly)
Currently, work has been done using identity-based cryptography (IBC) or hierarchical identity-based cryptography (HIBC).
DTN Security Requirements: According to the DTNRG, the emphasis of DTN security is on protecting the DTN infrastructure from unauthorized access and use:
Prevent access by unauthorized applications,
Prevent unauthorized applications from asserting control over the DTN infrastructure,
Prevent authorized applications from sending bundles at a rate or class of service for which they lack permission,
Promptly detect and discard bundles that were not sent by authorized users, (early detection within infrastructure rather than at destination),
Promptly detect and discard bundles whose headers have been modified
Promptly detect and disable compromised entities
Secondary emphasis is on providing optional end-to-end security services to bundle applications.
Chapter 3: My proposed approach to DOS in DTN
In this section I summarise my analysis of previous work done in the areas of security and attacks in DTN, especially Denial of Service in DTN. I also identify conditions under which an attack can materialise. Then I show, based on these conditions, the attack effectively happening in a representative model, with a set number of nodes and a chosen network topology, routing schemes and security scheme.
I also demonstrate that security and privacy are crucial in DTN and that using cryptographic techniques we can secure DTN. I assert that because of the constrained nature of DTN, participants have limited access to a Trusted Authority.
In view of these constraints, I propose a model based on symmetric and asymmetric key cryptography to mitigate DOS attacks in DTN. My model is based on prior creation and distribution of keys to participants at the setup stage, where each trusted participant knows the keys of the others.
My scenario is based on the IETF DTNRG architecture for delay tolerant networks. There are multiple operating groups in this DTN. Each group has its own trusted and well-known registering agency/organisation, which can work as an affiliation agency or service provider. These could be any mobile service provider, any company which will register its employees and knows them beforehand, or any university/school/hospital which can register members by verifying their identity and credentials. This means that members of this group are now trusted and known and are not malicious.
With this setup we have a limited set of authenticated participant nodes and we can avoid any malicious activity by unknown/untrusted nodes. Such a network is a special DTN and can also be useful, for example, in a conflict zone where participation by anonymous nodes is not desired.
I consider a scenario in which these mutually trusted DTN mobile nodes exchange messages within their group (using PDAs/Bluetooth devices/mobile phones) with one another after the authentication phase is successful.
Fig. 1: Scenario used
3.2 Background/Review of Security and DOS in DTN In Literature
Here I will discuss solutions and reviews based on a literature survey on DTN security and DOS attacks. There is a particular lack of research papers addressing DOS attacks in DTN. Most work is based on assuming that the routing or security mechanisms of DTN will prevent DOS to some extent. Nevertheless, these schemes can never underlie the necessity of authentication protocols.
Farrell and Cahill review the current state of DTN security work inspired by the Internet. They identify and analyse threats for DTN and the security requirements in the bundle protocol. Then they discuss open issues in bundle security and implementation issues in DTN security as follows: (1) a first set of threats from outside the network, due to the overlay nature of DTN; (2) modification of messages or bundles in transit for malicious purposes; (3) unauthorized use of scarce DTN resources, like replay attacks; (4) denial of service, which can be mounted on any network layer; and (5) confidentiality and integrity threats, like changing the destination in a bundle.
For DOS, the authors propose, firstly, that using random values instead of counters for identifying messages will make it hard to guess valid message content. Secondly, accepting only fresh authenticated messages and dropping all others will be advantageous in mitigating attacks. Thirdly, the authors point out that networks and security protocols themselves can create new DOS opportunities if not carefully designed. I am building on the second concept in my proposal, i.e. exchanging messages after successful authentication.
Moreover, Farrell and Cahill propose that a security architecture is needed in which security services can be provided both on a hop-by-hop and an end-to-end basis, and additionally between two intermediary nodes in the middle of a route. They also mention that several open issues remain in DTN security: the implementation cost and level of complexity should not rise too high, since typically complicated solutions are not secure in practice. Another big open issue is key management  briefly addresses security services on an end-to-end basis (e.g. confidentiality and DoS), but does not go into specifics nor considers the case of initial communication between two nodes without any prior security context.
The Delay Tolerant Networking Research Group (IRTF-DTNRG) has produced an Internet draft for the bundle security protocol specification and an additional draft explaining the security overview and design choices made in the specification. The draft, which is near completion, describes security headers that can be added to bundles to provide different security services.
Security Blocks in the Bundle Security Specification: According to the RFC draft there are four types of security block that can be included in a bundle. These are the (1) Bundle Authentication Block (BAB), (2) Payload Integrity Block (PIB), (3) Payload Confidentiality Block (PCB) and (4) Extension Security Block (ESB).
The BAB is used to assure the authenticity and integrity of the bundle along a single hop from forwarder to intermediate receiver.
The PIB is used to assure the authenticity and integrity of the payload from the PIB security-source, which creates the PIB, to the PIB security-destination, which verifies the PIB authenticator.
The PCB indicates that the payload has been encrypted, in whole or in part, at the PCB security-source in order to protect the bundle content while in transit to the PCB security-destination. PIB and PCB protect the payload.
The ESB provides security for non-payload blocks in a bundle. ESB therefore is not applied to PIB or PCBs, and of course is not appropriate for either the payload block or primary block.
Primary Blocks (Time Stamp, Life Span, Flags, Source EID, Destination EID, Report to EID, Custodian EID)
Security Blocks (optional)
BAB, PIB, PCB, ESB
Each security block contains source and destination information and a cipher-suite defines the algorithms that should be used to process the received security headers. The security-sender and the cipher-suite information together determine the choice of keys. Different combinations of these four security headers can be used simultaneously.
Authenticating bundles using security blocks is very useful to protect against denial-of-service (DOS) attacks against a bundle agent's resources, but more insight is needed into how to implement it.
In ,  (Seth and Kate) the authors discuss the challenges of providing secure communication (i.e., confidentiality) in DTN and suggest employing Identity-Based Encryption (IBE) to let a source derive the destination public key from some associated identity string, e.g., an e-mail address. In  Seth et al. discuss rural-area DTN in detail and show that traditional mechanisms, including a combination of Public Key Infrastructure (PKI) and certificates issued by a trusted third party, are not suitable for DTN. They develop a security mechanism for DTN using Hierarchical Identity-Based Cryptography (HIBC) for creating secure channels, providing mutual authentication, and key revocation.
Kate et al. use identity-based cryptography (IBC) to provide source authentication and anonymous communication as well as message confidentiality. Its main idea is to make an entity's public key directly derivable from its publicly known identity information, such as an e-mail address. Eliminating the need for public-key certificates and their management makes IBC much more appealing for securing DTNs, where the need to transmit and check certificates has been identified as a significant limitation. I note that the existing techniques to secure DTNs are aimed at providing data confidentiality and authentication only.
In  Burgess et al. suggested that some delay tolerant networks coupled with replication-based routing protocols are intrinsically fault tolerant even without authentication mechanisms. They compare four different routing algorithms (MaxProp and its three variants) against four different attack models: dropping of packets, flooding of packets, routing table falsification and counterfeiting delivery acknowledgments. They distinguish between two types of attack, weak and strong, on the basis of prior knowledge of the DTN scenario. One of the major themes in the paper is the two-fold benefit of epidemic-style packet dissemination in DTN routing: improved packet delivery rates and greater attack tolerance. However, this paper does not provide any attack-specific simulation.
In , the authors pose the question of the necessity of authentication, or the level of authentication required, especially since authentication imposes overhead. Without authentication, the number of nodes willing to join the network may actually increase due to the easier deployment, resulting in better overall performance. They identify conditions for an attack and present an attack based on a combination of targeted flooding and acknowledgement counterfeiting. They suggest that, generally, attacks become increasingly effective when the minimum hop count required increases.
Conclusion: Identity-based cryptography requires a global trusted third party to vouch for new nodes entering the network (by generating the necessary private keys). But IBC is no better than traditional PKI in terms of authentication and only a little better than traditional PKI in terms of encryption, since network connectivity is not necessarily needed at the time of reception and decryption.
In , the authors propose a scheme that gives confidentiality and authentication to messages, leveraging social contact information and the past and present affiliations of peers. The authors evaluate the proposed scheme by analysing real-world social network data from Facebook, simulating communication scenarios, and through an informal security analysis.
In , the authors focus on DOS, describe a few possible DOS attacks for DTN and propose a token-based mechanism against those attacks. The authors suggest that the attack depends on the routing protocol. Therefore, it is obvious that a routing protocol that maintains in-node state such as a routing table can be subject to severe DOS attacks. Spray-and-Wait is a stateless protocol in that nodes do not maintain any routing state; instead a tiny state is kept in each packet header. Their first approach is very trivial, but the second approach, based on a token utilising a collision count with every peer node, provides countermeasures against spoofing and packet dropping in a limited scenario. There are many drawbacks in this approach: for example, an honest node may always meet the same malicious node spoofing the same address and never meet the actual address holder or any other adversary spoofing that address. In this case the honest node does not suspect this peer to be an adversary, always follows basic Spray and will transfer messages to the malicious node.
In , A. Wood discusses the DOS attack taxonomy very broadly, to identify the attacker, his capabilities, the target of the attack, the vulnerabilities used, and the end result. Although the author surveys vulnerabilities and gives possible defences in wireless sensor networks, some of these issues are useful in gaining insight into DOS attacks in DTN. According to the author, denial-of-service is the result of any action that prevents any part of a network from functioning correctly or in a timely manner. It is directly a breach of availability.
In [2s0] the authors also use identity-based cryptography to investigate how security in DTNs can be bootstrapped and present an improved scheme for authentication of fragments. We show that DTNs with replicative routing protocols are not necessarily robust under known denial of service attacks if there is no authentication mechanism in place. Under many networking settings and mobility patterns, carefully designed attacks based on well-known techniques can cause considerable performance degradation. They investigate the attack effectiveness under various settings and identify properties of the networking environment that contribute to the vulnerability of the network. They observed that routing protocols which globally flood routing metadata to guide routing decisions are more susceptible to attacks, as the routing metadata can be easily spoofed. They also observed that the minimum hop count required for packet delivery plays an important role.
3.3 Attack Model
My objective is to determine how the performance of a DTN network suffers when no authentication scheme is used. This also depends on other variables set aside in assumptions about the security model and on which attacks I want to consider. I recognise that these little variations can cause a DTN to perform badly even in the presence of few attackers, for example in the case of extremely low mobility of nodes where one node positions itself at a crucial location along the routing path. If that node misbehaves, by dropping or flooding bundles, the DTN will perform miserably at least along that routing path.
I have chosen a hop-by-hop authentication model where the main aim of adversary nodes is to create DOS by preventing the successful delivery of packets to their intended destinations. The adversary nodes can join together to launch a coordinated attack, or a standalone adversary node can perform an opportunistic attack.
Without authentication, no estimation can be formed about the identities of nodes and therefore the intentions of peers cannot be determined. In traditional TCP/IP, data frames are transmitted to all other nodes on a network. Each receiving node checks the destination address of each frame, and simply ignores any frame not addressed to its own MAC. Because it is a local broadcast domain, MAC address spoofing is fairly easy. Attackers can spoof the address of any node and can become any node at any time, including the destination node of the bundle.
3.4 Routing Model
While routing is an important consideration and routing data exchange between nodes is an important factor, the need for peer-to-peer and end-to-end authentication cannot be precluded. In my model I am ignoring any attacks based on routing data exchange and also attacks at the application layer, such as spoofed requests that cause legitimate nodes to flood each other with unneeded traffic.
3.4 Mobility Model
An attacker's mobility can be variable. It can attack all nodes that come within its transmission range or it can choose to remain in the vicinity of one node in the network for extended periods. Tailgating is also possible. Burgess et al. call the latter approach a parasite attack - the most effective use of the attacker's resources.
3.5 Attack types
In the above situation DOS attacks are possible by misbehaving nodes. I am considering the following two:
Packet Dropping: An adversary node does not replicate, forward or store a packet that is received from its peer. These nodes act like black holes in the network and impair packet propagation in the network, although routing choices such as Spray provide some resilience to such attacks, because additional copies of packets might exist at other locations.
Address Spoofing: An adversary fakes some other node's address when it encounters another node in the network. An unsuspecting node sends packets to this malicious node and removes the packets from its queue. The unsuspecting node might also delete the packet after delivery.
If the malicious node receives packets with a high replication count, the successful delivery of such packets becomes highly unlikely. Spoofing creates more problems in the network than dropping with respect to packet delivery. An attacker can also perform both types of attacks simultaneously.
In this section I describe assumptions for my proposed resilience mechanism to prevent DOS attacks in DTN. I'm considering two schemes: one based on pre-shared symmetric keys and the other based on public key cryptography.
There is a Trusted Authority, which is assumed not to be compromised, and nodes can only be registered by proving their credentials. The Registration Authority can be any service-providing company, any local company or a government organisation. Also, malicious nodes cannot be registered and registered nodes are not malicious.
Each node has a unique ID and I assume that all group nodes have enough power and storage capability to perform cryptographic operations.
For the pre-shared key scheme, each node is given a group key at the registration phase, which it uses for authenticating other nodes.
For the public key cryptography based scheme, each node is given a public-private key pair at the registration phase. Also, each node maintains a table of every other node in the group and their public keys. This table is provided at the registration phase.
3.6 Proposed Resilience Mechanism
My proposed schemes are based on creating a mutually trusting network of nodes. Spoofing nodes cannot utilise this network because they cannot pass authentication checks.
Scheme based on pre-shared group key:
The communicating nodes thwart potential DOS attacks of packet flooding by malicious sender and packet dropping by malicious receiver. Nodes authenticate each other before sending packets. The intention is to find if a peer is spoofing someone's address. This is done as follows.
Two nodes N1 and N2 are part of the group, which shares the group key G that they received at the registration phase, and want to authenticate each other.
Node N1 generates a random token RN1, encrypts it with the group key G and sends the encrypted message G[RN1] to N2
Node N2 decrypts G[RN1] with G and sends the result G'[G[RN1]] to N1
Node N1 checks whether RN1 is equal to G'[G[RN1]]; on a mismatch, N1 terminates further communication, otherwise it proceeds to the next steps
Node N2 generates a random token RN2, encrypts it with the group key G and sends the encrypted message G[RN2] to N1
Node N1 decrypts G[RN2] with G and sends the result G'[G[RN2]] to N2
Node N2 checks whether RN2 is equal to G'[G[RN2]]; on a mismatch, N2 terminates further communication, otherwise it proceeds to the next steps
N1 and N2 exchange messages.
The drawback of this scheme is that if the pre-shared group key is compromised, a malicious node can spoof any other node, and coordinated attacks can be very disastrous.
Scheme based on public key cryptography:
In this scheme each trusted node maintains a table of other nodes and their public keys. This list is originally provided by the Trusted Authority and refreshed when the subject node comes in contact with the Trusted Authority, opportunistically or at scheduled times.
The communicating nodes authenticate each other based on each other's public keys before sending packets. This is done as follows.
Two nodes N1 and N2 are part of the group, each having its public-private key pair [NiPub, NiPvt] received at the registration phase.
N1 generates a random token RN1
N1 creates the encrypted token N2pub[RN1] using N2's shared public key and sends it to N2
N2 decrypts N2pub[RN1] using its private key and responds with N2pvt[N2pub[RN1]]
N1 checks whether N2pvt[N2pub[RN1]] is equal to RN1. On a mismatch, N1 terminates further communication, otherwise it proceeds to the next steps
N2 generates a random token RN2
N2 creates the encrypted token N1pub[RN2] using N1's shared public key and sends it to N1
N1 decrypts N1pub[RN2] using its private key and responds with N1pvt[N1pub[RN2]]
N2 checks whether N1pvt[N1pub[RN2]] is equal to RN2. On a mismatch, N2 terminates further communication, otherwise it proceeds to the next steps
N1 and N2 exchange messages.
In both of these schemes one node needs to know if
the bundle originates from a trusted community in order to prevent flooding attack by a malicious node and
the bundle is sent to a trustworthy node in order to prevent packet dropping
If a malicious node spoofs some other node's address, it cannot decrypt the encrypted random token it received from its peer.
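The two handshakes described above (the pre-shared group key steps and the public-key steps), as an added example that is not part of the original essay. Both sides run in one process; AES-256-GCM for G[.], RSA-OAEP for Npub[.], and the names GroupAuth, PKAuth, KeyTable and NewKey are assumptions, since the essay names no cipher or API.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

var ErrAuth = errors.New("peer failed challenge")

// challenge runs one direction of the handshake: the verifier picks a fresh
// random token R, encrypts it, and compares the peer's answer with R.
func challenge(seal, answer func([]byte) ([]byte, error)) error {
	token := make([]byte, 32)
	if _, err := rand.Read(token); err != nil {
		return err
	}
	ct, err := seal(token)
	if err != nil {
		return err
	}
	got, err := answer(ct)
	if err != nil || subtle.ConstantTimeCompare(got, token) != 1 {
		return ErrAuth
	}
	return nil
}

func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// GroupAuth is the pre-shared-key scheme: the verifier sends G[R], the prover
// returns G'[G[R]]. No node ID is bound, so any holder of G passes as any node.
func GroupAuth(verifierKey, proverKey []byte) error {
	seal := func(token []byte) ([]byte, error) {
		a, err := gcm(verifierKey)
		if err != nil {
			return nil, err
		}
		nonce := make([]byte, a.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return nil, err
		}
		return a.Seal(nonce, nonce, token, nil), nil // nonce || ciphertext
	}
	answer := func(ct []byte) ([]byte, error) {
		a, err := gcm(proverKey)
		if err != nil || len(ct) < a.NonceSize() {
			return nil, ErrAuth
		}
		return a.Open(nil, ct[:a.NonceSize()], ct[a.NonceSize():], nil)
	}
	return challenge(seal, answer)
}

// KeyTable maps node ID to public key, as issued by the Trusted Authority;
// NewKey stands in for the key pair a node receives at registration.
type KeyTable map[string]*rsa.PublicKey

func NewKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// PKAuth is the public-key scheme: R is encrypted to the key the table lists
// for the ID the peer claims; only the holder of that private key can answer.
func PKAuth(table KeyTable, claimedID string, peerKey *rsa.PrivateKey) error {
	pub, ok := table[claimedID]
	if !ok {
		return fmt.Errorf("%w: %q is not in the key table", ErrAuth, claimedID)
	}
	seal := func(token []byte) ([]byte, error) {
		return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, token, nil)
	}
	answer := func(ct []byte) ([]byte, error) {
		return rsa.DecryptOAEP(sha256.New(), nil, peerKey, ct, nil)
	}
	return challenge(seal, answer)
}

func main() {
	g := []byte("0123456789abcdef0123456789abcdef") // constructed 32-byte key G
	fmt.Println("group, holds G:", GroupAuth(g, g), "| lacks G:", GroupAuth(g, make([]byte, 32)))
	n2, _ := NewKey()
	other, _ := NewKey() // key pair the table does not list under "N2"
	table := KeyTable{"N2": &n2.PublicKey}
	fmt.Println("pk, real N2:", PKAuth(table, "N2", n2), "| spoofed N2:", PKAuth(table, "N2", other))
}
```

Mutual authentication is the same check run once in each direction, with N1 and N2 swapping the verifier and prover roles.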
Analysis of Proposed Mechanism:
I have chosen the above mutual authentication schemes as a mechanism to prevent DOS attacks on DTN because this is a reliable way to identify malicious nodes and prevent packet flooding by rejecting packets from untrusted nodes and also prevent the risk of packet dropping by not sending packets to untrusted nodes.
If a malicious node tries to send junk packets to legitimate nodes, the packets can be discarded at first contact with a legitimate node because a malicious node cannot authenticate itself to the network without pre-shared group key or public-private keys issued by Trusted Authority.
There is a need to address current distribution of security information among nodes. This will involve key management and revocation issues. But this is part of more general DTN configuration management solution.
3.8 Simulation model and parameters
The simulation results will show that packet delivery rate decreases significantly in the presence of malicious nodes, i.e., packet droppers and/or address spoofers.
The results will also show that delivery rate is increased with our countermeasures.
In addition to that, I will also measure the overheads caused by the countermeasures in terms of number of copies of a single packet.
ONE Simulator (used for simulation)
The Opportunistic Networking Environment (ONE) simulator has been specially designed for evaluating DTN routing and application protocols. It is written in Java. It provides
Generation of node movement using different movement models, e.g. 1. Random Movement 2. Map-based Random Movement 3. Human Behaviour Based Movement
Routing messages between nodes with various DTN routing algorithms and sender and receiver types.
Visualizing both mobility and message passing in real time in its graphical user interface.
I have run some scenarios and already implemented protocols in ONE, like 1.) MaxProp, 2.) Direct Delivery, 3.) Epidemic, 4.) First Contact, 5.) PROPHET, 6.) Spray and Wait
I have tried to read and understand the code of different classes,
I have configured ONE using Eclipse