Ulrich Herberg, Ph.D.

This paper studies the routing protocol “Lightweight On-demand Ad hoc Distance-vector Routing Protocol – Next Generation (LOADng)”, designed to enable efficient, scalable and secure routing in low power and lossy networks. As a reactive protocol, it does not maintain a routing table for all destinations in the network, but initiates a route discovery to a destination only when there is data to be sent to that destination to reduce routing overhead and memory consumption. Designed with a modular… Mehr anzeigen

This paper studies the routing protocol “Lightweight On-demand Ad hoc Distance-vector Routing Protocol – Next Generation (LOADng)”, designed to enable efficient, scalable and secure routing in low power and lossy networks. As a reactive protocol, it does not maintain a routing table for all destinations in the network, but initiates a route discovery to a destination only when there is data to be sent to that destination to reduce routing overhead and memory consumption. Designed with a modular approach, LOADng can be extended with additional components for adapting the protocol to different topologies, traffic, and data-link layer characteristics. This paper studies several such additional components for extending LOADng: support for smart route requests and expanding ring search, an extension permitting maintaining collection trees, a fast rerouting extension. All those extensions are examined from the aspects of specification, interoperability with other mechanisms, security vulnerabilities, performance and applicability. A general framework is also proposed to secure the routing protocol. Weniger anzeigen

RFC 5444 specifies a generalized Mobile Ad Hoc Network (MANET)
packet/message format and describes an intended use for multiplexed
MANET routing protocol messages; this use is mandated by RFC 5498
when using the MANET port or protocol number that it specifies. This
document updates RFC 5444 by providing rules and recommendations for
how the multiplexer operates and how protocols can use the
packet/message format. In particular, the mandatory rules prohibit… Mehr anzeigen

RFC 5444 specifies a generalized Mobile Ad Hoc Network (MANET)
packet/message format and describes an intended use for multiplexed
MANET routing protocol messages; this use is mandated by RFC 5498
when using the MANET port or protocol number that it specifies. This
document updates RFC 5444 by providing rules and recommendations for
how the multiplexer operates and how protocols can use the
packet/message format. In particular, the mandatory rules prohibit a
number of uses that have been suggested in various proposals and that
would have led to interoperability problems, to the impediment of
protocol extension development, and/or to an inability to use
optional generic parsers. Weniger anzeigen

This document analyzes common security threats to the Optimized Link
State Routing Protocol version 2 (OLSRv2) and describes their
potential impacts on Mobile Ad Hoc Network (MANET) operations. It
also analyzes which of these security vulnerabilities can be
mitigated when using the mandatory-to-implement security mechanisms
for OLSRv2 and how the vulnerabilities are mitigated.

The recent advancements of IoT technologies, including broad penetration of Internet-connected smart appliances such as remotely controllable LED lights, thermostats, have changed the way we interact with the appliances in our homes and perform our daily activities. However, the significant heterogeneity in the emerging IoT devices has led to fragmented smart-home systems in which each single appliance vendor provides proprietary solution for appliance specific connectivity and user experience.… Mehr anzeigen

The recent advancements of IoT technologies, including broad penetration of Internet-connected smart appliances such as remotely controllable LED lights, thermostats, have changed the way we interact with the appliances in our homes and perform our daily activities. However, the significant heterogeneity in the emerging IoT devices has led to fragmented smart-home systems in which each single appliance vendor provides proprietary solution for appliance specific connectivity and user experience. To address this challenge, we present SPOT, a smartphone-based platform for multi-vendor smart-home appliances. SPOT consists of several novel mechanisms, including open device driver models using XML, which allow vendor-independent, user-driven device driver implementation and unified appliance control. To validate the flexibility and generality of our approach, we have built a SPOT prototype on Android platform that supports 8 real IoT devices in the market from different vendors. Weniger anzeigen

This document analyzes security threats to Simplified Multicast Forwarding (SMF), including vulnerabilities of duplicate packet detection and relay set selection mechanisms. This document is not intended to propose solutions to the threats described. In addition, this document updates RFC 7186 regarding threats to the relay set selection mechanisms using the Mobile Ad Hoc Network (MANET) Neighborhood Discovery Protocol (NHDP) (RFC 6130).

The recent progress of IoT technologies, including broad penetration of smart appliances such as remotely controllable lights, thermostats and cameras, have changed the way we interact with the appliances in our homes and perform our daily activities. However, the significant heterogeneity in the emerging IoT devices has led to fragmented smart-home systems in which each single appliance vendor provides proprietary solution for appliance specific connectivity and user experience. One of the… Mehr anzeigen

The recent progress of IoT technologies, including broad penetration of smart appliances such as remotely controllable lights, thermostats and cameras, have changed the way we interact with the appliances in our homes and perform our daily activities. However, the significant heterogeneity in the emerging IoT devices has led to fragmented smart-home systems in which each single appliance vendor provides proprietary solution for appliance specific connectivity and user experience. One of the desired solutions in smart-home systems is to have a unified smartphone app that can control any arbitrary IoT appliances. In this extended abstract we focus on the design of such an app only from the user interaction viewpoint. In particular, we present SPOT app, a smartphone-based platform for multi-vendor smart-home appliances, that features an adaptive and device-agnostic user interface enabled by a novel device driver mechanism. To validate the flexibility and feasibility of our design, we have built a SPOT prototype based on 8 real IoT devices and present the quality of generating such adaptive graphical user interface by the measure of screen smoothness in the prototyped android app. Weniger anzeigen

This document replaces RFC 6779; it contains revisions and extensions to the original document. It defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it describes objects for configuring parameters of the Neighborhood Discovery Protocol (NHDP) process on a router. The extensions described in this document add objects and values to support the NHDP optimization specified in RFC 7466. The MIB module… Mehr anzeigen

This document replaces RFC 6779; it contains revisions and extensions to the original document. It defines a portion of the Management Information Base (MIB) for use with network management protocols in the Internet community. In particular, it describes objects for configuring parameters of the Neighborhood Discovery Protocol (NHDP) process on a router. The extensions described in this document add objects and values to support the NHDP optimization specified in RFC 7466. The MIB module defined in this document, denoted NHDP-MIB, also reports state, performance information, and notifications about NHDP. This additional state and performance information is useful to troubleshoot problems and performance issues during neighbor discovery. Weniger anzeigen

This document provides a problem statement, deployment and management topology options, as well as requirements addressing the different use cases of the management of networks where constrained devices are involved.

This paper introduces extensions and applications of depth-first forwarding (DFF)-a data forwarding mechanism for use in unreliable networks such as sensor networks and Mobile Ad hoc NETworks with limited computational power and storage, low-capacity channels, device mobility, etc. Routing protocols for these networks try to balance conflicting requirements of being reactive to topology and channel variation while also being frugal in resource requirements-but when the underlying topology… Mehr anzeigen

This paper introduces extensions and applications of depth-first forwarding (DFF)-a data forwarding mechanism for use in unreliable networks such as sensor networks and Mobile Ad hoc NETworks with limited computational power and storage, low-capacity channels, device mobility, etc. Routing protocols for these networks try to balance conflicting requirements of being reactive to topology and channel variation while also being frugal in resource requirements-but when the underlying topology changes, routing protocols require time to re converge, during which data delivery failure may occur. DFF was developed to alleviate this situation: it reacts rapidly to local data delivery failures and attempts to successfully deliver data while giving a routing protocol time to recover from such a failure. An extension of DFF, denoted as DFF++, is proposed in this paper, in order to optimize the performance of DFF by way of introducing a more efficient search ordering. This paper also studies the applicability of DFF to three major routing protocols for the Internet of Things (IoT), including the Lightweight On-demand Ad hoc Distance-vector Routing Protocol-Next Generation (LOADng), the optimized link state routing protocol version 2 (OLSRv2), and the IPv6 routing protocol for low-power and lossy networks (RPL), and presents the performance of these protocols, with and without DFF, in lossy and unreliable networks. Weniger anzeigen

** Winner of the SmartGridComm 2014 Best Paper Award **

Encryption is a key ingredient in the preservation of the confidentiality of network communications but can also be at odds with the mission of Intrusion Detection Systems (IDSes) to monitor traffic. This affects Advanced Metering Infrastructures (AMIs) too where the scale of the network and the sensitivity of communication make deploying IDSes along with encryption solutions mandatory. In this paper, we study four different… Mehr anzeigen

** Winner of the SmartGridComm 2014 Best Paper Award **

Encryption is a key ingredient in the preservation of the confidentiality of network communications but can also be at odds with the mission of Intrusion Detection Systems (IDSes) to monitor traffic. This affects Advanced Metering Infrastructures (AMIs) too where the scale of the network and the sensitivity of communication make deploying IDSes along with encryption solutions mandatory. In this paper, we study four different approaches for reconciling the twin goals of confidentiality and
monitoring by investigating their practical use on a set of real-world packet-level traces collected at an operational AMI network.
Weniger anzeigen

OpenADR 2.0, an internationally-recognized standard for Automated Demand Response (ADR), defines the interaction between an ADR server and client, but does not specify all the possible multi-tier deployment architectures that are valid relative to the standard's specification. In this paper, we analyze the properties of a number of OpenADR-based architectures that have been proposed for deployment by ADR vendors, in terms of interoperability (compliance with the standard), scalability… Mehr anzeigen

OpenADR 2.0, an internationally-recognized standard for Automated Demand Response (ADR), defines the interaction between an ADR server and client, but does not specify all the possible multi-tier deployment architectures that are valid relative to the standard's specification. In this paper, we analyze the properties of a number of OpenADR-based architectures that have been proposed for deployment by ADR vendors, in terms of interoperability (compliance with the standard), scalability, complexity, and security, with the goal of helping utilities and third party DR aggregators make informed decisions about their planned ADR deployments to ensure high performing, future-proof, and secure DR services. Weniger anzeigen

This specification describes version 2 of the Optimized Link State Routing (OLSRv2) protocol for Mobile Ad hoc NETworks (MANETs).

This document revises, extends, and replaces RFC 6622. It describes
general and flexible TLVs for representing cryptographic Integrity
Check Values (ICVs) and timestamps, using the generalized Mobile Ad
Hoc Network (MANET) packet/message format defined in RFC 5444. It
defines two Packet TLVs, two Message TLVs, and two Address Block TLVs
for affixing ICVs and timestamps to a packet, a message, and one or
more addresses, respectively.

This document specifies integrity and replay protection for the MANET Neighborhood Discovery Protocol (NHDP) and the Optimized Link State Routing Protocol version 2 (OLSRv2). This protection is achieved by using an HMAC-SHA-256 Integrity Check Value (ICV) TLV and a timestamp TLV based on POSIX time.

The mechanism in this specification can also be used for other protocols that use the generalized packet/message format described in RFC 5444.

This document updates RFC 6130 and RFC… Mehr anzeigen

This document specifies integrity and replay protection for the MANET Neighborhood Discovery Protocol (NHDP) and the Optimized Link State Routing Protocol version 2 (OLSRv2). This protection is achieved by using an HMAC-SHA-256 Integrity Check Value (ICV) TLV and a timestamp TLV based on POSIX time.

The mechanism in this specification can also be used for other protocols that use the generalized packet/message format described in RFC 5444.

This document updates RFC 6130 and RFC xxxx by mandating the implementation of this integrity and replay protection in NHDP and OLSRv2. Weniger anzeigen

This document defines the Management Information Base (MIB) module
for configuring and managing the Optimized Link State Routing
Protocol version 2 (OLSRv2). The OLSRv2-MIB module is structured
into configuration information, state information, performance
information, and notifications. This additional state and
performance information is useful for troubleshooting problems and
performance issues of the routing protocol. Two levels of compliance
… Mehr anzeigen

This document defines the Management Information Base (MIB) module
for configuring and managing the Optimized Link State Routing
Protocol version 2 (OLSRv2). The OLSRv2-MIB module is structured
into configuration information, state information, performance
information, and notifications. This additional state and
performance information is useful for troubleshooting problems and
performance issues of the routing protocol. Two levels of compliance
allow this MIB module to be deployed on constrained routers. Weniger anzeigen

This document analyzes common security threats of the Neighborhood Discovery Protocol (NHDP), and describes their potential impacts on MANET routing protocols using NHDP. This document is not intended to propose solutions to the threats described.

OpenADR 2.0b is an international standard for automated Demand Response.

This document specifies the Depth-First Forwarding (DFF) protocol for
IPv6 networks, a data-forwarding mechanism that can increase
reliability of data delivery in networks with dynamic topology and/or
lossy links. The protocol operates entirely on the forwarding plane
but may interact with the routing plane. DFF forwards data packets
using a mechanism similar to a "depth-first search" for the
destination of a packet. The routing plane may be informed… Mehr anzeigen

This document specifies the Depth-First Forwarding (DFF) protocol for
IPv6 networks, a data-forwarding mechanism that can increase
reliability of data delivery in networks with dynamic topology and/or
lossy links. The protocol operates entirely on the forwarding plane
but may interact with the routing plane. DFF forwards data packets
using a mechanism similar to a "depth-first search" for the
destination of a packet. The routing plane may be informed of
failures to deliver a packet or loops. This document specifies the
DFF mechanism both for IPv6 networks (as specified in RFC 2460) and
for "mesh-under" Low-Power Wireless Personal Area Networks (LoWPANs),
as specified in RFC 4944. The design of DFF assumes that the
underlying link layer provides means to detect if a packet has been
successfully delivered to the Next Hop or not. It is applicable for
networks with little traffic and is used for unicast transmissions
only. Weniger anzeigen

This document defines a portion of the Management Information Base
(MIB) for use with network management protocols in the Internet
community. In particular, it describes objects for configuring
parameters of the Neighborhood Discovery Protocol (NHDP) process on a
router. The MIB module defined in this document, denoted NHDP-MIB,
also reports state, performance information, and notifications about
NHDP. This additional state and performance information is… Mehr anzeigen

This document defines a portion of the Management Information Base
(MIB) for use with network management protocols in the Internet
community. In particular, it describes objects for configuring
parameters of the Neighborhood Discovery Protocol (NHDP) process on a
router. The MIB module defined in this document, denoted NHDP-MIB,
also reports state, performance information, and notifications about
NHDP. This additional state and performance information is useful to
troubleshoot problems and performance issues during neighbor
discovery. Weniger anzeigen

This document describes general and flexible TLVs for representing cryptographic Integrity Check Values (ICVs) (i.e., digital signatures or Message Authentication Codes (MACs)) as well as timestamps, using the generalized Mobile Ad Hoc Network (MANET) packet/message format defined in RFC 5444. It defines two Packet TLVs, two Message TLVs, and two Address Block TLVs for affixing ICVs and timestamps to a packet, a message, and an address, respectively.

Recent trends in Wireless Sensor Networks (WSNs) have suggested converging to such being
IPv6-based. To this effect, the Internet Engineering Task Force has chartered a Working Group
to develop a routing protocol specification, enabling IPv6-based multi-hop Wireless Sensor
Networks. This routing protocol, denoted “IPv6 Routing Protocol for Low Power and Lossy
Networks” (RPL), has been under development for approximately a year, and this paper takes
a critical look at the state of… Mehr anzeigen

Recent trends in Wireless Sensor Networks (WSNs) have suggested converging to such being
IPv6-based. To this effect, the Internet Engineering Task Force has chartered a Working Group
to develop a routing protocol specification, enabling IPv6-based multi-hop Wireless Sensor
Networks. This routing protocol, denoted “IPv6 Routing Protocol for Low Power and Lossy
Networks” (RPL), has been under development for approximately a year, and this paper takes
a critical look at the state of advancement hereof: it provides a brief algorithmic description
of the protocol, and discusses areas where – in the authors view – further efforts are required
in order for the protocol to become a viable candidate for general use in WSNs. Among these
areas is the lack of a proper broadcast mechanism. This paper suggests several such broadcast
mechanisms, all aiming at (i) exploiting the existing routing state of RPL, while (ii) requiring
no additional state maintenance, and studies the performance of RPL and of these suggested
mechanisms. Weniger anzeigen

Ad hoc networks have left the confines of research: community ad hoc networks,
such as the FunkFeuer network in Vienna or the FreiFunk network in Berlin,
have exceeded the size of several hundred routers each. Both these networks
run the Optimized Link State Routing Protocol (OLSR), which itself does not
provide security protection of the network integrity. Certain assumptions and
legal requirements for these networks require to design specific security solutions,
but also… Mehr anzeigen

Ad hoc networks have left the confines of research: community ad hoc networks,
such as the FunkFeuer network in Vienna or the FreiFunk network in Berlin,
have exceeded the size of several hundred routers each. Both these networks
run the Optimized Link State Routing Protocol (OLSR), which itself does not
provide security protection of the network integrity. Certain assumptions and
legal requirements for these networks require to design specific security solutions,
but also allow to create simpler security mechanisms than for the general case
of ad hoc networks.
This paper presents a security mechanism for router and link admittance
control, focused on such ad hoc networks based on the successor of OLSR, called
OLSRv2. Digitally signing OLSRv2 control messages allows recipient routers
to choose to admit or exclude the originating router for when populating linkstate
databases, calculating Multi-Point Relay (MPR) sets etc. By additionally
embedding signatures for each advertised link, recipient routers can also control
admittance of each advertised link in the message, rendering an OLSRv2 network
resilient to both identity-spoofing and link-spoofing attacks. The impact
of adding a link-admittance control mechanism to OLSRv2 is studied, both in
terms of additional control-traffic overhead and additional in-router processing
resources, using several cryptographic algorithms, such as RSA and Elliptic
Curve Cryptography for very short signatures.
In addition to the router and admittance control, this paper proposes a
simple key acquisition and distribution mechanism for use in the specific kind
of ad hoc networks, based on X.509 Public Key Infrastructure (PKI). Using an
X.509 extension, each certificate can be bound to an IP subnet, assuring that
each router advertises only its allocated subnet, alleviating certain man-in-themiddle
attacks. Weniger anzeigen