Bootstrapping deny-by-default access control for mobile ad-hoc networks

We investigate the bootstrapping of policy-based access control in a deny-by-default mission-critical MANET. In the absence of any initial policies, a deny-by-default system fundamentally prevents all traffic flow. Providing all policies prior to deployment assumes advanced knowledge of all possible future scenarios - an assumption that is often unrealistic in practice; furthermore, policies may change over time. Thus, alternatively, network nodes can be initialized with a small set of initial policies (which we refer to as an axiomatic set of policies) that allow them to obtain additional policies, update outdated policies, and establish connectivity with neighboring nodes - a process that we refer to as bootstrapping. We identify a set of axiomatic policies for bootstrapping a deny-by-default system, propose a bootstrap protocol for neighbor link setup, and study how policies can be propagated within the MANET. Safety and liveness of the proposed bootstrap protocol are formally proved via model checking in SPIN. We also analyze the tradeoff between network vulnerability (the fraction of time that a nodepsilas policy is out-of-date) and the overhead incurred by different policy-dissemination approaches.