
DNS Name Service based on Secure Multicast DNS for IPv6 Mobile Ad-hoc Network. Jaehoon Jeong, ETRI. ICACT 2004. Presentation transcript.


Slide 1: DNS Name Service based on Secure Multicast DNS for IPv6 Mobile Ad-hoc Network
Jaehoon Jeong, ETRI, paul@etri.re.kr, http://www.adhoc.6ants.net/~paul/
ICACT 2004

Slide 2: Contents
- Introduction
- Related Work
- Name Service within IPv6 MANET
- Scenario of Name Service within MANET
- Authentication of DNS Message
- Procedure of Secure DNS Name Resolution
- Testbed for IPv6 MANET
- Conclusion

Slide 3: Introduction
Name Service in Mobile Ad-hoc Network (MANET)
- MANET has a dynamic network topology
- Current DNS can not be adopted in MANET, because it needs a fixed and well-known name server
Idea of Name Service in MANET
- All the mobile nodes take part in the name service
- Every mobile node administers its own name information
- It responds to the other nodes' DNS queries related to its domain name and IP address

Slide 4: Related Work (1/2): Link-Local Multicast Name Resolution (LLMNR)
- DNS service based on IP multicast in a link-local scoped network
- IETF DNSEXT working group item
- Each node performs the role of DNS name server for its own domain name.
Message exchange between LLMNR Sender and LLMNR Responder:
- LLMNR query message (What is the IPv6 address of "host.private.local."?) is sent in link-local multicast
- LLMNR response message (IPv6 address of "host.private.local.") is sent in link-local unicast
Verification of the LLMNR response by the Sender:
- Does the value of the response conform to the addressing requirements?
- Is the hop limit of the IPv6 header 1?
If the result is valid, then the Sender caches the response and passes it to the application that initiated the DNS query; else the Sender ignores the response and continues to wait for other responses.
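The two receiver-side checks on this slide, applied to a raw IPv6 packet, as an added example that is not part of the presentation or of any LLMNR implementation. The packet builder and the addresses are constructed for the demo, and "conforms to the addressing requirements" is interpreted here as "the source address is link-local (fe80::/10)", which is an assumption about the slide's wording. The receive loop models the slide's "ignore and keep waiting" behaviour.

```python
import ipaddress
import struct

LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")   # assumed meaning of "addressing requirements"
EXPECTED_HOP_LIMIT = 1                            # the value the slide's check requires
IPV6_HEADER = "!IHBB16s16s"                       # version/class/flow, payload len, next hdr, hop limit, src, dst


def build_ipv6_packet(src, dst, hop_limit, payload, next_header=17):
    """Constructed 40-byte IPv6 header (RFC 2460 layout) followed by the payload; demo input only."""
    return struct.pack(IPV6_HEADER, 0x60000000, len(payload), next_header, hop_limit,
                       ipaddress.IPv6Address(src).packed,
                       ipaddress.IPv6Address(dst).packed) + payload


def llmnr_response_acceptable(packet):
    """Apply the slide's two checks to one received packet. Returns (accepted, reason)."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        return False, "not an IPv6 packet"
    _, _, _, hop_limit, src, _ = struct.unpack(IPV6_HEADER, packet[:40])
    if hop_limit != EXPECTED_HOP_LIMIT:
        # A hop limit above 1 means the packet could have been forwarded from off-link.
        return False, "hop limit %d, expected %d" % (hop_limit, EXPECTED_HOP_LIMIT)
    source = ipaddress.IPv6Address(src)
    if source not in LINK_LOCAL:
        return False, "source %s is not link-local" % source
    return True, "ok"


def first_valid_response(packets):
    """Model the receive loop: ignore invalid responses and keep waiting; return the payload
    of the first acceptable response, or None if none arrives before the caller gives up."""
    for packet in packets:
        accepted, _ = llmnr_response_acceptable(packet)
        if accepted:
            return packet[40:]
    return None


if __name__ == "__main__":
    # Constructed traffic: an off-link reply, a reply with a routed hop limit, then a valid one.
    replies = [
        build_ipv6_packet("2001:db8::1", "fe80::2", 1, b"forged-from-offlink"),
        build_ipv6_packet("fe80::1", "fe80::2", 64, b"wrong-hop-limit"),
        build_ipv6_packet("fe80::1", "fe80::2", 1, b"host.private.local. AAAA fe80::1"),
    ]
    for r in replies:
        print(llmnr_response_acceptable(r))
    print(first_valid_response(replies))
```

The hop-limit check only says that the packet was not forwarded by a router; it does not authenticate the responder, which is why the presentation adds TSIG on top of this scheme in later slides.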

Slide 5: Related Work (2/2): Autoconfiguration Technology (figure)
Autoconfiguration Technology consists of:
- IP Interface Configuration
- Name Service: translation between host name and IP address; generation of a unique domain name
- IP Multicast Address Allocation
- Service Discovery: unicast service; multicast service

Slide 6: Ad-hoc Name Service System for IPv6 MANET (ANS)
- ANS provides Name Service in MANET
- MANET DNS Domain: ADHOC.
- MANET IPv6 Prefix: IPv6 Site-local Prefix FEC0:0:0:0::/64
Architecture of ANS System
- ANS Responder: performs the role of DNS Name Server
- ANS Resolver: performs the role of DNS Resolver

Slide 7: ANS System (1/2) (figure only; no transcript text)

Slide 8: ANS System (2/2) (architecture figure)
- ANS Responder Process: Main-Thread and DUR-Thread, with the ANS Zone DB accessed by memory read/write over an internal connection
- ANS Resolver Process: Main-Thread, Resolv-Thread and Timer-Thread, with the ANS Cache accessed by memory read/write over an internal connection
- Application: uses the ANS API; DNS Query / DNS Response pass between the Application and the ANS Resolver over a UNIX datagram socket
- DNS Query / DNS Response pass between the ANS Resolver and the ANS Responder over a UDP socket connection
(Figure legend: Process, Thread, Database, Cache, Memory Read / Write, Internal Connection)

Slide 9: Name Service in ANS
- Zone File Generation: generates the ANS zone file with the mobile node's DNS name and corresponding IPv6 address
- Name Resolution: performs the name-to-address translation
- Service Discovery: performs service discovery through the DNS SRV resource record, which indicates the location of the server or the multicast address of the service

Slide 10: Scenario of Name Service within MANET (nodes MN-A, MN-B, MN-C)
- MN-A: request of host DNS name resolution
- MN-A sends the DNS Query Message (MN-C.ADHOC.) in multicast
- MN-B: receipt of the DNS Query Message
- MN-C: receipt and processing of the DNS Query Message
- MN-C sends the DNS Response Message (MN-C's IPv6 Address) in unicast
- MN-A: gain of the DNS information; MN-A tries to connect to the server on MN-C
- The server on MN-C accepts the connection request from MN-A

Slide 11: Authentication of DNS Message
Why is the authentication of DNS messages necessary?
- To prevent an attacker from informing a DNS querier of a wrong DNS response
How to authenticate DNS messages?
- IPsec ESP with a null-transform
- Secret key transaction authentication for DNS, called TSIG [RFC2845]
Our Scheme of Authentication
- TSIG message authentication, where the trusted nodes share a group secret key for authenticating DNS messages.

Slide 12: DNS Message Format
- Header Section: DNS message header
- Question Section: question for the name server
- Answer Section: resource records answering the question (e.g., AAAA resource record)
- Authority Section: resource records pointing toward an authority
- Additional Section: resource records holding additional information (e.g., TSIG resource record)

Slide 13: Procedure of Secure DNS Resolution
Exchange between Mobile Node A (MN-A.ADHOC.) and Mobile Node C (MN-C.ADHOC.):
- DNS Query (What is the IPv6 address of "MN-C.ADHOC."?) via site-local multicast and UDP
- DNS Response (IPv6 address of "MN-C.ADHOC.") via site-local unicast and UDP
Verification of the DNS Response:
- Does the source address of the response conform to the ad hoc addressing requirements?
- Is the TSIG resource record valid?
If the Response is valid, then the ANS Resolver delivers the result to the application program; else the ANS Resolver sends the DNS Query again and waits for another DNS Response, up to the allowed retry number.
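The mechanism of slides 11 to 13 carried through in code, as an added example that is not the ANS implementation from the presentation: a query and its response are each given a TSIG resource record in the additional section (RFC 2845; HMAC-MD5 as that RFC specified, while current TSIG deployments prefer HMAC-SHA256 per RFC 8945), the responder verifies the query, and the resolver applies the slide's two checks, the site-local prefix from slide 6 and the TSIG MAC, before accepting the answer. The group key, the key name anskey.adhoc., the message IDs and the addresses are constructed values; the DNS wire encoder is minimal (AAAA only, no name compression) so that the example runs with the standard library alone.

```python
import hashlib
import hmac
import ipaddress
import struct
import time

# Constructed sample values (not from the presentation).
GROUP_KEY = b"constructed-demo-group-secret"     # secret shared by the trusted nodes
KEY_NAME = "anskey.adhoc."                        # assumed TSIG key name
ALGORITHM = "hmac-md5.sig-alg.reg.int."           # algorithm name from RFC 2845
FUDGE = 300                                       # tolerated clock skew, seconds
TYPE_AAAA, TYPE_TSIG, CLASS_IN, CLASS_ANY = 28, 250, 1, 255
SITE_LOCAL = ipaddress.IPv6Network("fec0::/64")   # MANET prefix from slide 6

def encode_name(name):
    """Uncompressed, lowercased (canonical) wire form of a dotted name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def read_name(buf, pos):
    """Read an uncompressed name; returns (dotted name, position after it)."""
    labels = []
    while buf[pos]:
        labels.append(buf[pos + 1:pos + 1 + buf[pos]].decode())
        pos += 1 + buf[pos]
    return ".".join(labels) + ".", pos + 1

def build_message(msg_id, flags, qname, answers=()):
    """Header, one AAAA question and optional AAAA answers, without name compression."""
    msg = struct.pack("!HHHHHH", msg_id, flags, 1, len(answers), 0, 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_AAAA, CLASS_IN)
    for name, addr in answers:
        msg += encode_name(name) + struct.pack("!HHIH", TYPE_AAAA, CLASS_IN, 0, 16)
        msg += ipaddress.IPv6Address(addr).packed
    return msg

def tsig_variables(time_signed, fudge, error=0, other=b""):
    """TSIG variables covered by the MAC (RFC 2845 section 3.4.2)."""
    return (encode_name(KEY_NAME) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(ALGORITHM)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)

def tsig_sign(message, key=GROUP_KEY, request_mac=b"", time_signed=None):
    """Append a TSIG RR to message; a response MAC also covers the request MAC. Returns (signed, mac)."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    prefix = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    mac = hmac.new(key, prefix + message + tsig_variables(time_signed, FUDGE), hashlib.md5).digest()
    rdata = (encode_name(ALGORITHM) + time_signed.to_bytes(6, "big")
             + struct.pack("!HH", FUDGE, len(mac)) + mac + message[:2] + struct.pack("!HH", 0, 0))
    rr = encode_name(KEY_NAME) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1      # TSIG RR counts in ARCOUNT
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr, mac

def tsig_verify(signed, key=GROUP_KEY, request_mac=b"", now=None):
    """Locate and check the trailing TSIG RR. Returns (ok, rcode name, mac)."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    pos = 12
    for _ in range(qd):
        pos = read_name(signed, pos)[1] + 4
    for _ in range(an + ns + ar - 1):            # skip every RR before the TSIG RR
        pos = read_name(signed, pos)[1]
        pos += 10 + struct.unpack("!H", signed[pos + 8:pos + 10])[0]
    tsig_start = pos
    key_name, pos = read_name(signed, pos)
    rtype = struct.unpack("!H", signed[pos:pos + 2])[0]
    alg, pos = read_name(signed, pos + 10)       # skip type, class, TTL, RDLENGTH
    time_signed = int.from_bytes(signed[pos:pos + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[pos + 6:pos + 10])
    mac = signed[pos + 10:pos + 10 + mac_size]
    pos += 10 + mac_size                         # now at the original message ID
    error, other_len = struct.unpack("!HH", signed[pos + 2:pos + 6])
    other = signed[pos + 6:pos + 6 + other_len]
    if rtype != TYPE_TSIG or key_name.lower() != KEY_NAME or alg.lower() != ALGORITHM:
        return False, "BADKEY", mac
    now = int(time.time()) if now is None else now
    if abs(now - time_signed) > fudge:
        return False, "BADTIME", mac
    unsigned = signed[:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    prefix = struct.pack("!H", len(request_mac)) + request_mac if request_mac else b""
    expected = hmac.new(key, prefix + unsigned + tsig_variables(time_signed, fudge, error, other),
                        hashlib.md5).digest()
    if not hmac.compare_digest(expected, mac):
        return False, "BADSIG", mac
    return True, "NOERROR", mac

def resolver_accepts(src_addr, signed_response, request_mac):
    """The slide 13 checks on the ANS Resolver: ad hoc prefix first, then TSIG. Returns (ok, reason)."""
    if ipaddress.IPv6Address(src_addr) not in SITE_LOCAL:
        return False, "source outside " + str(SITE_LOCAL)
    ok, reason, _ = tsig_verify(signed_response, request_mac=request_mac)
    return ok, reason

def exchange(responder_key=GROUP_KEY, src_addr="fec0::c", tamper=False):
    """MN-A asks for MN-C.ADHOC.; MN-C answers; MN-A verifies. Returns (accepted, reason)."""
    query, qmac = tsig_sign(build_message(0x1234, 0x0100, "MN-C.ADHOC."))
    ok, reason, _ = tsig_verify(query)           # the responder checks the query's TSIG first
    if not ok:
        return False, "query rejected: " + reason
    answer = build_message(0x1234, 0x8180, "MN-C.ADHOC.", [("MN-C.ADHOC.", "fec0::c")])
    signed, _ = tsig_sign(answer, key=responder_key, request_mac=qmac)
    if tamper:                                   # flip one bit of the answered address in transit
        i = len(answer) - 1
        signed = signed[:i] + bytes([signed[i] ^ 1]) + signed[i + 1:]
    return resolver_accepts(src_addr, signed, qmac)

if __name__ == "__main__":
    print(exchange())                            # genuine response: accepted
    print(exchange(responder_key=b"not-the-group-key"))   # signed with another key: BADSIG
    print(exchange(tamper=True))                 # modified in transit: BADSIG
    print(exchange(src_addr="2001:db8::1"))      # outside the ad hoc prefix: dropped before TSIG
```

Because every trusted node holds the same group secret, TSIG here proves only that a response came from some member of the group and was not altered afterwards; it cannot tell the resolver which node answered, and one compromised member can sign answers for any name. The retry on failure from slide 13 is the caller's loop around exchange(), bounded by the allowed retry number.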

Slide 14: Testbed for IPv6 MANET
- We used IPv6 MAODV as the Ad Hoc multicast routing protocol
- For testing the multi-hop network configuration, we control the Tx and Rx power of the IEEE 802.11b NIC. Also, we use MAC filtering to filter out packets from other links.
- We implemented a Wireless Mobile Router based on embedded Linux for testing Ad Hoc routing protocols and other applications

Slide 15: Experiment of Secure Multicast DNS in MANET Testbed (photos: IPv6 Wireless Mobile Router; Test of Secure Multicast DNS)

Slide 16: Conclusion
ANS (Ad-hoc Name Service System for IPv6 MANET)
- A new name service scheme based on multicast in IPv6 MANET, providing secure name resolution
Name Service of ANS
- Automatic zone file generation
- Name-to-address translation
- Service discovery
- DNS message authentication based on TSIG
Future Work
- We will enhance the secure multicast DNS, ANS, in the aspect of performance, considering MANET's characteristics, such as caching of DNS information and reduction of broadcast DNS query messages
