4. Security Considerations
Proposals for the utilization of link indications may introduce new
security vulnerabilities. These include:
Denial of service
Where link layer control frames are unprotected, they may be spoofed
by an attacker. For example, PPP does not protect LCP frames such as
LCP-Terminate, and [IEEE-802.11] does not protect management frames
such as Associate/Reassociate, Disassociate, or Deauthenticate.
Spoofing of link layer control traffic may enable attackers to
exploit weaknesses in link indication proposals. For example,
proposals that do not implement congestion avoidance can enable
attackers to mount denial-of-service attacks.
However, even where the link layer incorporates security, attacks may
still be possible if the security model is not consistent. For
example, wireless LANs implementing [IEEE-802.11i] do not enable
stations to send or receive IP packets on the link until completion
of an authenticated key exchange protocol known as the "4-way
handshake". As a result, a link implementing [IEEE-802.11i] cannot
be considered usable at the Internet layer ("Link Up") until
completion of the authenticated key exchange.
However, while [IEEE-802.11i] requires sending of authenticated
frames in order to obtain a "Link Up" indication, it does not support
management frame authentication. This weakness can be exploited by
attackers to enable denial-of-service attacks on stations attached to
distant Access Points (APs).
In [IEEE-802.11F], "Link Up" is considered to occur when an AP sends
a Reassociation Response. At that point, the AP sends a spoofed
frame with the station's source address to a multicast address,
thereby causing switches within the Distribution System (DS) to learn
the station's MAC address. While this enables forwarding of frames
to the station at the new point of attachment, it also permits an
attacker to disassociate a station located anywhere within the ESS,
by sending an unauthenticated Reassociation Request frame.
4.2. Indication Validation
"Fault Isolation and Recovery" [RFC816], Section 3, describes how
hosts interact with routers for the purpose of fault recovery:
Since the gateways always attempt to have a consistent and correct
model of the internetwork topology, the host strategy for fault
recovery is very simple. Whenever the host feels that something is
wrong, it asks the gateway for advice, and, assuming the advice is
forthcoming, it believes the advice completely. The advice will be
wrong only during the transient period of negotiation, which
immediately follows an outage, but will otherwise be reliably
In fact, it is never necessary for a host to explicitly ask a gateway
for advice, because the gateway will provide it as appropriate. When
a host sends a datagram to some distant net, the host should be
prepared to receive back either of two advisory messages which the
gateway may send. The ICMP "redirect" message indicates that the
gateway to which the host sent the datagram is no longer the best
gateway to reach the net in question. The gateway will have
forwarded the datagram, but the host should revise its routing table
to have a different immediate address for this net. The ICMP
"destination unreachable" message indicates that as a result of an
outage, it is currently impossible to reach the addressed net or host
in any manner. On receipt of this message, a host can either abandon
the connection immediately without any further retransmission, or
resend slowly to see if the fault is corrected in reasonable time.
Given today's security environment, it is inadvisable for hosts to
act on indications provided by routers without careful consideration.
As noted in "ICMP attacks against TCP" [Gont], existing ICMP error
messages may be exploited by attackers in order to abort connections
in progress, prevent setup of new connections, or reduce throughput
of ongoing connections. Similar attacks may also be launched against
the Internet layer via forging of ICMP redirects.
Proposals for transported link indications need to demonstrate that
they will not add a new set of similar vulnerabilities. Since
transported link indications are typically unauthenticated, hosts
receiving them may not be able to determine whether they are
authentic, or even plausible.
Where link indication proposals may respond to unauthenticated link
layer frames, they should utilize upper-layer security mechanisms,
where possible. For example, even though a host might utilize an
unauthenticated link layer control frame to conclude that a link has
become operational, it can use SEND [RFC3971] or authenticated DHCP
[RFC3118] in order to obtain secure Internet layer configuration.
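An added example (not part of this document or of any specification it cites): one plausibility check a TCP host can apply before acting on an ICMP "destination unreachable" message of the kind described above. The connection table, the function names, and the rule that the quoted sequence number must fall within unacknowledged data are assumptions of this example; a message that passes is still unauthenticated.

```python
import struct
from collections import namedtuple

ICMP_DEST_UNREACH = 3
IPPROTO_TCP = 6

# Sender-side state for one connection (hypothetical structure for this example).
# local/remote are (ipv4_bytes, port); snd_una is the oldest unacknowledged
# sequence number and snd_nxt the next one to be sent.
TcpConn = namedtuple("TcpConn", "local remote snd_una snd_nxt")

def seq_between(low, seq, high):
    """True if low <= seq < high in 32-bit modular sequence space."""
    return ((seq - low) & 0xFFFFFFFF) < ((high - low) & 0xFFFFFFFF)

def classify_icmp_error(icmp, conns):
    """Return 'malformed', 'no-connection', 'implausible' or 'plausible'."""
    # 8-byte ICMP header + minimal quoted IPv4 header + first 8 TCP bytes.
    if len(icmp) < 8 + 20 + 8 or icmp[0] != ICMP_DEST_UNREACH:
        return "malformed"
    inner = icmp[8:]
    ihl = (inner[0] & 0x0F) * 4
    if inner[0] >> 4 != 4 or ihl < 20 or len(inner) < ihl + 8:
        return "malformed"
    if inner[9] != IPPROTO_TCP:
        return "malformed"
    # The quoted packet is one we supposedly sent: its source is our address.
    src, dst = inner[12:16], inner[16:20]
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])
    conn = conns.get(((src, sport), (dst, dport)))
    if conn is None:
        return "no-connection"
    # With nothing in flight (snd_una == snd_nxt) no packet of ours could have
    # triggered the error, so every quoted sequence number is implausible.
    if not seq_between(conn.snd_una, seq, conn.snd_nxt):
        return "implausible"
    return "plausible"

def build_sample(src, sport, dst, dport, seq, code=1):
    """Constructed ICMP type 3 message quoting an IPv4 header and 8 TCP bytes."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64,
                     IPPROTO_TCP, 0, src, dst)
    tcp8 = struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + ip + tcp8

# Constructed sample state, using documentation address ranges.
HOST = bytes([192, 0, 2, 10])
SERVER = bytes([198, 51, 100, 20])
CONN = TcpConn((HOST, 40000), (SERVER, 443), snd_una=1000, snd_nxt=3000)
CONNS = {(CONN.local, CONN.remote): CONN}

if __name__ == "__main__":
    for seq in (1500, 5000):
        msg = build_sample(HOST, 40000, SERVER, 443, seq)
        print(seq, classify_icmp_error(msg, CONNS))
```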

4.3. Denial of Service

Link indication proposals need to be particularly careful to avoid
enabling denial-of-service attacks that can be mounted at a distance.
While wireless links are naturally vulnerable to interference, such
attacks can only be perpetrated by an attacker capable of
establishing radio contact with the target network. However, attacks
that can be mounted from a distance, either by an attacker on another
point of attachment within the same network or by an off-link
attacker, expand the level of vulnerability.
The transport of link indications can increase risk by enabling
vulnerabilities exploitable only by attackers on the local link to be
executed across the Internet. Similarly, by integrating link
indications with upper layers, proposals may enable a spoofed link
layer frame to consume more resources on the host than might
otherwise be the case. As a result, while it is important for upper
layers to validate link indications, they should not expend excessive
resources in doing so.
Congestion control is not only a transport issue, it is also a
security issue. In order to not provide leverage to an attacker, a
single forged link layer frame should not elicit a magnified response
from one or more hosts, by generating either multiple responses or a
single larger response. For example, proposals should not enable
multiple hosts to respond to a frame with a multicast destination
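An added example (not part of this document): a gate that a host could place in front of its handling of unauthenticated link indications so that validation work is bounded and a single frame never draws a reply larger than itself, or any reply when it was sent to a group address. The class name, rate, burst and reply limits are assumptions chosen for illustration, and the frames are constructed.

```python
from collections import namedtuple

# validate: spend CPU checking this indication?
# reply_budget: maximum bytes of the single reply allowed (0 = stay silent).
Decision = namedtuple("Decision", "validate reply_budget reason")

def is_group_address(mac):
    """Multicast and broadcast MACs have the low bit of the first octet set."""
    return bool(mac[0] & 0x01)

class IndicationGate:
    """Token bucket that bounds work and replies per received indication."""

    def __init__(self, rate_per_s=5.0, burst=3, max_reply=64):
        self.rate, self.burst, self.max_reply = rate_per_s, burst, max_reply
        self.tokens, self.last = float(burst), None

    def _refill(self, now):
        if self.last is not None:
            earned = (now - self.last) * self.rate
            self.tokens = min(self.burst, self.tokens + earned)
        self.last = now

    def admit(self, now, dst_mac, frame_len):
        self._refill(now)
        if self.tokens < 1.0:
            # Over budget: drop before doing any validation work.
            return Decision(False, 0, "rate-limited")
        self.tokens -= 1.0
        if is_group_address(dst_mac):
            # Every host on the link saw this frame; replying would let one
            # frame trigger many responses, so process it silently.
            return Decision(True, 0, "group-addressed")
        # At most one reply, never larger than the frame that caused it.
        return Decision(True, min(frame_len, self.max_reply), "unicast")

def replay(gate, frames):
    """frames: iterable of (time_s, dst_mac, length).

    Returns (number of frames validated, total reply bytes permitted)."""
    validated = reply_bytes = 0
    for now, dst, length in frames:
        d = gate.admit(now, dst, length)
        validated += int(d.validate)
        reply_bytes += d.reply_budget
    return validated, reply_bytes

# Constructed traffic: 100 forged 30-byte frames, 1 ms apart.
HOST_MAC = bytes.fromhex("020000000001")   # unicast, locally administered
BROADCAST = b"\xff" * 6
UNICAST_FLOOD = [(i * 0.001, HOST_MAC, 30) for i in range(100)]
GROUP_FLOOD = [(i * 0.001, BROADCAST, 30) for i in range(100)]

if __name__ == "__main__":
    print("unicast flood:", replay(IndicationGate(), UNICAST_FLOOD))
    print("group flood:  ", replay(IndicationGate(), GROUP_FLOOD))
```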

5.1. Normative References

[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997.

5.2. Informative References

[RFC816] Clark, D., "Fault Isolation and Recovery", RFC 816,
[RFC1058] Hedrick, C., "Routing Information Protocol", RFC 1058,
[RFC1122] Braden, R., "Requirements for Internet Hosts --
Communication Layers", STD 3, RFC 1122, October 1989.
[RFC1131] Moy, J., "The OSPF Specification", RFC 1131, October
[RFC1191] Mogul, J. and S. Deering, "Path MTU discovery", RFC
1191, November 1990.
[RFC1256] Deering, S., "ICMP Router Discovery Messages", RFC
1256, September 1991.
[RFC1305] Mills, D., "Network Time Protocol (Version 3)
Specification, Implementation and Analysis", RFC 1305,
[RFC1307] Young, J. and A. Nicholson, "Dynamically Switched Link
Control Protocol", RFC 1307, March 1992.
[RFC1661] Simpson, W., "The Point-to-Point Protocol (PPP)", STD
51, RFC 1661, July 1994.
[RFC1812] Baker, F., "Requirements for IP Version 4 Routers",
RFC 1812, June 1995.
[RFC1918] Rekhter, Y., Moskowitz, B., Karrenberg, D., de Groot,
D., and E. Lear, "Address Allocation for Private
Internets", BCP 5, RFC 1918, February 1996.
[RFC1981] McCann, J., Deering, S. and J. Mogul, "Path MTU
Discovery for IP version 6", RFC 1981, June 1996.
[RFC2131] Droms, R., "Dynamic Host Configuration Protocol", RFC
2131, March 1997.
[RFC2328] Moy, J., "OSPF Version 2", STD 54, RFC 2328, April
[RFC2461] Narten, T., Nordmark, E., and W. Simpson, "Neighbor
Discovery for IP Version 6 (IPv6)", RFC 2461, December
[RFC2778] Day, M., Rosenberg, J., and H. Sugano, "A Model for
Presence and Instant Messaging", RFC 2778, February
[RFC2861] Handley, M., Padhye, J., and S. Floyd, "TCP Congestion
Window Validation", RFC 2861, June 2000.
[RFC2914] Floyd, S., "Congestion Control Principles", RFC 2914,
BCP 41, September 2000.
[RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery", RFC
2923, September 2000.
[RFC2960] Stewart, R., Xie, Q., Morneault, K., Sharp, C.,
Schwarzbauer, H., Taylor, T., Rytina, I., Kalla, M.,
Zhang, L., and V. Paxson, "Stream Control Transmission
Protocol", RFC 2960, October 2000.
[RFC3118] Droms, R. and B. Arbaugh, "Authentication for DHCP
Messages", RFC 3118, June 2001.
[RFC3315] Droms, R., Bound, J., Volz, B., Lemon, T., Perkins,
C., and M. Carney, "Dynamic Host Configuration
Protocol for IPv6 (DHCPv6)", RFC 3315, July 2003.
[RFC3366] Fairhurst, G. and L. Wood, "Advice to link designers
on link Automatic Repeat reQuest (ARQ)", BCP 62, RFC
3366, August 2002.
[RFC3428] Campbell, B., Rosenberg, J., Schulzrinne, H., Huitema,
C., and D. Gurle, "Session Initiation Protocol (SIP)
Extension for Instant Messaging", RFC 3428, December
[RFC3748] Aboba, B., Blunk, L., Vollbrecht, J., Carlson, J., and
H. Levkowetz, "Extensible Authentication Protocol
(EAP)", RFC 3748, June 2004.
[RFC3775] Johnson, D., Perkins, C., and J. Arkko, "Mobility
Support in IPv6", RFC 3775, June 2004.
[RFC3921] Saint-Andre, P., "Extensible Messaging and Presence
protocol (XMPP): Instant Messaging and Presence", RFC
3921, October 2004.
[RFC3927] Cheshire, S., Aboba, B., and E. Guttman, "Dynamic
Configuration of Link-Local IPv4 Addresses", RFC 3927,
[RFC3971] Arkko, J., Kempf, J., Zill, B., and P. Nikander,
"SEcure Neighbor Discovery (SEND)", RFC 3971, March
[RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram
Congestion Control Protocol (DCCP)", RFC 4340, March
[RFC4423] Moskowitz, R. and P. Nikander, "Host Identity Protocol
(HIP) Architecture", RFC 4423, May 2006.
[RFC4429] Moore, N., "Optimistic Duplicate Address Detection
(DAD) for IPv6", RFC 4429, April 2006.
[RFC4436] Aboba, B., Carlson, J., and S. Cheshire, "Detecting
Network Attachment in IPv4 (DNAv4)", RFC 4436, March
[RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path
MTU Discovery", RFC 4821, March 2007.
[Alimian] Alimian, A., "Roaming Interval Measurements",
802.11 submission (work in progress), March 2004.
[Aguayo] Aguayo, D., Bicket, J., Biswas, S., Judd, G., and R.
Morris, "Link-level Measurements from an 802.11b Mesh
Network", SIGCOMM '04, September 2004, Portland,
[Bakshi] Bakshi, B., Krishna, P., Vaidya, N., and D. Pradhan,
"Improving Performance of TCP over Wireless Networks",
Proceedings of the 1997 International Conference on
Distributed Computer Systems, Baltimore, May 1997.
[BFD] Katz, D. and D. Ward, "Bidirectional Forwarding
Detection", Work in Progress, March 2007.
[Biaz] Biaz, S. and N. Vaidya, "Discriminating Congestion
Losses from Wireless Losses Using Interarrival Times
at the Receiver", Proceedings of the IEEE Symposium on
Application-Specific Systems and Software Engineering
and Technology, Richardson, TX, Mar 1999.
[CARA] Kim, J., Kim, S., and S. Choi, "CARA: Collision-Aware
Rate Adaptation for IEEE 802.11 WLANs", Korean
Institute of Communication Sciences (KICS) Journal,
[Chandran] Chandran, K., Raghunathan, S., Venkatesan, S., and R.
Prakash, "A Feedback-Based Scheme for Improving TCP
Performance in Ad-Hoc Wireless Networks", Proceedings
of the 18th International Conference on Distributed
Computing Systems (ICDCS), Amsterdam, May 1998.
[DNAv6] Narayanan, S., "Detecting Network Attachment in IPv6
(DNAv6)", Work in Progress, March 2007.
[E2ELinkup] Dawkins, S. and C. Williams, "End-to-end, Implicit
'Link-Up' Notification", Work in Progress, October
[EAPIKEv2] Tschofenig, H., Kroeselberg, D., Pashalidis, A., Ohba,
Y., and F. Bersani, "EAP IKEv2 Method", Work in
Progress, March 2007.
[Eckhardt] Eckhardt, D. and P. Steenkiste, "Measurement and
Analysis of the Error Characteristics of an In-
Building Wireless Network", SIGCOMM '96, August 1996,
[Eddy] Eddy, W. and Y. Swami, "Adapting End Host Congestion
Control for Mobility", Technical Report CR-2005-
213838, NASA Glenn Research Center, July 2005.
Gunaratne, C. and K. Christensen, "Ethernet Adaptive
Link Rate: System Design and Performance Evaluation",
Proceedings of the IEEE Conference on Local Computer
Networks, pp. 28-35, November 2006.
[Eggert] Eggert, L., Schuetz, S., and S. Schmid, "TCP
Extensions for Immediate Retransmissions", Work in
Progress, June 2005.
[Eggert2] Eggert, L. and W. Eddy, "Towards More Expressive
Transport-Layer Interfaces", MobiArch '06, San
[ETX] Douglas S. J. De Couto, Daniel Aguayo, John Bicket,
and Robert Morris, "A High-Throughput Path Metric for
Multi-Hop Wireless Routing", Proceedings of the 9th
ACM International Conference on Mobile Computing and
Networking (MobiCom '03), San Diego, California,
[ETX-Rate] Padhye, J., Draves, R. and B. Zill, "Routing in
multi-radio, multi-hop wireless mesh networks",
Proceedings of ACM MobiCom Conference, September 2003.
[ETX-Radio] Kulkarni, G., Nandan, A., Gerla, M., and M.
Srivastava, "A Radio Aware Routing Protocol for
Wireless Mesh Networks", UCLA Computer Science
Department, Los Angeles, CA.
[GenTrig] Gupta, V. and D. Johnston, "A Generalized Model for
Link Layer Triggers", submission to IEEE 802.21 (work
in progress), March 2004, available at:
[Goel] Goel, S. and D. Sanghi, "Improving TCP Performance
over Wireless Links", Proceedings of TENCON'98, pages
332-335. IEEE, December 1998.
[Gont] Gont, F., "ICMP attacks against TCP", Work in
Progress, October 2006.
[Gurtov] Gurtov, A. and J. Korhonen, "Effect of Vertical
Handovers on Performance of TCP-Friendly Rate
Control", to appear in ACM MCCR, 2004.
[GurtovFloyd] Gurtov, A. and S. Floyd, "Modeling Wireless Links for
Transport Protocols", Computer Communications Review
(CCR) 34, 2 (2003).
[Haratcherev] Haratcherev, I., Lagendijk, R., Langendoen, K., and H.
Sips, "Hybrid Rate Control for IEEE 802.11", MobiWac
'04, October 1, 2004, Philadelphia, Pennsylvania, USA.
[Haratcherev2] Haratcherev, I., "Application-oriented Link Adaptation
for IEEE 802.11", Ph.D. Thesis, Technical University
of Delft, Netherlands, ISBN-10:90-9020513-6, ISBN-
13:978-90-9020513-7, March 2006.
[HMP] Lee, S., Cho, J., and A. Campbell, "Hotspot Mitigation
Protocol (HMP)", Work in Progress, October 2003.
[Holland] Holland, G. and N. Vaidya, "Analysis of TCP
Performance over Mobile Ad Hoc Networks", Proceedings
of the Fifth International Conference on Mobile
Computing and Networking, pages 219-230. ACM/IEEE,
Seattle, August 1999.
[Iannaccone] Iannaccone, G., Chuah, C., Mortier, R., Bhattacharyya,
S., and C. Diot, "Analysis of link failures in an IP
backbone", Proc. of ACM Sigcomm Internet Measurement
Workshop, November, 2002.
[IEEE-802.1X] Institute of Electrical and Electronics Engineers,
"Local and Metropolitan Area Networks: Port-Based
Network Access Control", IEEE Standard 802.1X,
[IEEE-802.11] Institute of Electrical and Electronics Engineers,
"Wireless LAN Medium Access Control (MAC) and Physical
Layer (PHY) Specifications", IEEE Standard 802.11,
[IEEE-802.11e] Institute of Electrical and Electronics Engineers,
"Standard for Telecommunications and Information
Exchange Between Systems - LAN/MAN Specific
Requirements - Part 11: Wireless LAN Medium Access
Control (MAC) and Physical Layer (PHY) Specifications
- Amendment 8: Medium Access Control (MAC) Quality of
Service Enhancements", IEEE 802.11e, November 2005.
[IEEE-802.11F] Institute of Electrical and Electronics Engineers,
"IEEE Trial-Use Recommended Practice for Multi-Vendor
Access Point Interoperability via an Inter-Access
Point Protocol Across Distribution Systems Supporting
IEEE 802.11 Operation", IEEE 802.11F, June 2003 (now
[IEEE-802.11i] Institute of Electrical and Electronics Engineers,
"Supplement to Standard for Telecommunications and
Information Exchange Between Systems - LAN/MAN
Specific Requirements - Part 11: Wireless LAN Medium
Access Control (MAC) and Physical Layer (PHY)
Specifications: Specification for Enhanced Security",
IEEE 802.11i, July 2004.
[IEEE-802.11k] Institute of Electrical and Electronics Engineers,
"Draft Amendment to Telecommunications and Information
Exchange Between Systems - LAN/MAN Specific
Requirements - Part 11: Wireless LAN Medium Access
Control (MAC) and Physical Layer (PHY) Specifications
- Amendment 7: Radio Resource Management", IEEE
802.11k/D7.0, January 2007.
[IEEE-802.21] Institute of Electrical and Electronics Engineers,
"Draft Standard for Telecommunications and Information
Exchange Between Systems - LAN/MAN Specific
Requirements - Part 21: Media Independent Handover",
IEEE 802.21D0, June 2005.
[Kamerman] Kamerman, A. and L. Monteban, "WaveLAN II: A High-
Performance Wireless LAN for the Unlicensed Band",
Bell Labs Technical Journal, Summer 1997.
[Kim] Kim, K., Park, Y., Suh, K., and Y. Park, "The BU-
trigger method for improving TCP performance over
Mobile IPv6", Work in Progress, August 2004.
[Kotz] Kotz, D., Newport, C., and C. Elliot, "The mistaken
axioms of wireless-network research", Dartmouth
College Computer Science Technical Report TR2003-467,
[Krishnan] Krishnan, R., Sterbenz, J., Eddy, W., Partridge, C.,
and M. Allman, "Explicit Transport Error Notification
(ETEN) for Error-Prone Wireless and Satellite
Networks", Computer Networks, 46 (3), October 2004.
[Lacage] Lacage, M., Manshaei, M., and T. Turletti, "IEEE
802.11 Rate Adaptation: A Practical Approach", MSWiM
'04, October 4-6, 2004, Venezia, Italy.
[Lee] Park, S., Lee, M., and J. Korhonen, "Link
Characteristics Information for Mobile IP", Work in
Progress, January 2007.
[Ludwig] Ludwig, R. and B. Rathonyi, "Link-layer Enhancements
for TCP/IP over GSM", Proceedings of IEEE Infocom '99,
[MIPEAP] Giaretta, C., Guardini, I., Demaria, E., Bournelle,
J., and M. Laurent-Maknavicius, "MIPv6 Authorization
and Configuration based on EAP", Work in Progress,
[Mishra] Mitra, A., Shin, M., and W. Arbaugh, "An Empirical
Analysis of the IEEE 802.11 MAC Layer Handoff
Process", CS-TR-4395, University of Maryland
Department of Computer Science, September 2002.
[Morgan] Morgan, S. and S. Keshav, "Packet-Pair Rate Control -
Buffer Requirements and Overload Performance",
Technical Memorandum, AT&T Bell Laboratories, October
[Mun] Mun, Y. and J. Park, "Layer 2 Handoff for Mobile-IPv4
with 802.11", Work in Progress, March 2004.
[ONOE] Onoe Rate Control,
[Park] Park, S., Njedjou, E., and N. Montavont, "L2 Triggers
Optimized Mobile IPv6 Vertical Handover: The
802.11/GPRS Example", Work in Progress, July 2004.
[Pavon] Pavon, J. and S. Choi, "Link adaptation strategy for
IEEE802.11 WLAN via received signal strength
measurement", IEEE International Conference on
Communications, 2003 (ICC '03), volume 2, pages 1108-
1113, Anchorage, Alaska, USA, May 2003.
[PEAP] Palekar, A., Simon, D., Salowey, J., Zhou, H., Zorn,
G., and S. Josefsson, "Protected EAP Protocol (PEAP)
Version 2", Work in Progress, October 2004.
[PRNET] Jubin, J. and J. Tornow, "The DARPA packet radio
network protocols", Proceedings of the IEEE, 75(1),
[Qiao] Qiao, D., Choi, S., Jain, A., and Kang G. Shin, "MiSer:
An Optimal Low-Energy Transmission Strategy for IEEE
802.11 a/h", in Proc. ACM MobiCom'03, San Diego, CA,
[RBAR] Holland, G., Vaidya, N., and P. Bahl, "A Rate-Adaptive
MAC Protocol for Multi-Hop Wireless Networks",
Proceedings ACM MOBICOM, July 2001.
[Ramani] Ramani, I. and S. Savage, "SyncScan: Practical Fast
Handoff for 802.11 Infrastructure Networks",
Proceedings of the IEEE Infocom 2005, March 2005.
[Robust] Wong, S., Yang, H., Lu, S., and V. Bharghavan,
"Robust Rate Adaptation for 802.11 Wireless Networks",
ACM MobiCom'06, Los Angeles, CA, September 2006.
[SampleRate] Bicket, J., "Bit-rate Selection in Wireless networks",
MIT Master's Thesis, 2005.
[Scott] Scott, J. and G. Mapp, "Link Layer Based TCP
Optimisation for Disconnecting Networks", ACM SIGCOMM
Computer Communication Review, 33(5), October 2003.
[Schuetz] Schutz, S., Eggert, L., Schmid, S., and M. Brunner,
"Protocol Enhancements for Intermittently Connected
Hosts", ACM SIGCOMM Computer Communications Review,
Volume 35, Number 2, July 2005.
[Shortest] Douglas S. J. De Couto, Daniel Aguayo, Benjamin A.
Chambers and Robert Morris, "Performance of Multihop
Wireless Networks: Shortest Path is Not Enough",
Proceedings of the First Workshop on Hot Topics in
Networking (HotNets-I), Princeton, New Jersey, October
[TRIGTRAN] Dawkins, S., Williams, C., and A. Yegin, "Framework
and Requirements for TRIGTRAN", Work in Progress,
[Vatn] Vatn, J., "An experimental study of IEEE 802.11b
handover performance and its effect on voice traffic",
TRITA-IMIT-TSLAB R 03:01, KTH Royal Institute of
Technology, Stockholm, Sweden, July 2003.
[Velayos] Velayos, H. and G. Karlsson, "Techniques to Reduce
IEEE 802.11b MAC Layer Handover Time", TRITA-IMIT-LCN
R 03:02, KTH Royal Institute of Technology, Stockholm,
Sweden, April 2003.
[Vertical] Zhang, Q., Guo, C., Guo, Z., and W. Zhu, "Efficient
Mobility Management for Vertical Handoff between WWAN
and WLAN", IEEE Communications Magazine, November
[Villamizar] Villamizar, C., "OSPF Optimized Multipath (OSPF-OMP)",
Work in Progress, February 1999.
[Xylomenos] Xylomenos, G., "Multi Service Link Layers: An Approach
to Enhancing Internet Performance over Wireless
Links", Ph.D. thesis, University of California at San
[Yegin] Yegin, A., "Link-layer Triggers Protocol", Work in
Progress, June 2002.
The authors would like to acknowledge James Kempf, Phil Roberts,
Gorry Fairhurst, John Wroclawski, Aaron Falk, Sally Floyd, Pekka
Savola, Pekka Nikander, Dave Thaler, Yogesh Swami, Wesley Eddy, and
Janne Peisa for contributions to this document.