Documente Academic
Documente Profesional
Documente Cultură
net/publication/290843541
Secure neighbor discovery: A cryptographic solution for securing IPv6 local link
operations
CITATIONS READS
5 33
3 authors, including:
Ahmad Alsadeh
Birzeit University
16 PUBLICATIONS 144 CITATIONS
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
All content following this page was uploaded by Ahmad Alsadeh on 09 June 2018.
Chapter 8
SEcure Neighbor Discovery:
A Cryptographic Solution for Securing
IPv6 Local Link Operations
Ahmad AlSa’deh
Hasso-Plattner-Institute, Germany
Hosnieh Rafiee
Hasso-Plattner-Institute, Germany
Christoph Meinel
Hasso-Plattner-Institute, Germany
ABSTRACT
SEcure Neighbor Discovery (SEND) was proposed to counteract threats to the Neighbor Discovery
Protocol (NDP). It is a strong security extension that can make the IPv6 local link very safe. SEND
relies on dynamically Cryptographically Generated Addresses (CGAs) and X.509 certificates. However,
SEND is not easily deployed and is still vulnerable to some types of attacks. This chapter evaluates the
practical considerations of a SEND deployment taking a cryptographic approach as a means of securing
the IPv6 local link operations. It reviews the remaining vulnerabilities and gives some recommendations
with which to facilitate SEND deployment.
DOI: 10.4018/978-1-4666-4030-6.ch008
Copyright © 2013, IGI Global. Copying or distributing in print or electronic forms without written permission of IGI Global is prohibited.
SEcure Neighbor Discovery
However, businesses need to migrate to IPv6 (DAD), Denial of Service (DoS), Malicious Last
in a secure manner in order to avoid the possible Hop Router, Spoofed Redirect Message, Bogus
security risks inherent in an IPv6 deployment. On-Link Prefix, Parameter Spoofing, and Replay
One of the security concerns comes from the new attacks.
IPv6 features and mechanisms, which can expose Therefore, RFC 3971 “SEcure Neighbor Dis-
the network to new security threats. For instance, covery (SEND)” (Arkko, Kempf, Zill, & Nikander,
StateLess Address Auto-Configuration (SLAAC) 2005) was proposed as a set of enhancements to
(Thomson, Narten, & Jinmei, 2007) and Neighbor make the IPv6 neighbor and router discovery
Discovery (ND) (Narten, Nordmark, Simpson, & secure. SEND was designed to ensure message
Soliman, 2007) messages are essential portions of integrity, prevent IPv6 address theft, prevent replay
the IPv6 suite. Both ND and SLAAC, together, are attacks, and provide a mechanism for verifying
known as Neighbor Discovery Protocol (NDP). the authority of routers. It uses Cryptographically
IPv6 nodes use NDP for several critical functions: Generated Addresses (CGA) (Aura, 2005), digital
to discover other nodes (routers/hosts) on the link, signature, and X.509 certification (Lynn, Kent, &
to find the mapping between the MAC and link Seo, 2004) to offer significant protection for NDP.
local addresses, to detect duplicate addresses, A SEND-enabled node must generate or obtain
and to maintain reachability information about a public-private key pair before it can claim an
the paths to active neighbors. Also, NDP plays address. Then it generates the CGA address based
a crucial role in mobile IPv6 (MIPv6) networks on the public key and other auxiliary parameters.
(Perkins, Johnson, & Arkko, 2011). However, NDP The associated private key is used to sign the out-
is vulnerable to spoofing and Denial-of-Service going ND messages from that address. For router
(DoS) attacks (Nikander, Kempf, & Nordmark, authorization, every router must have a certificate
2004) and attackers have already developed a set from a trust anchor and the hosts provisioned
of tools to use in attacking ND functionalities with a trust anchor(s) list and picks routers that
(Hauser, 2012). can show a valid certificate from a trust anchor.
NDP specifications do not include any security The SEND verifier node checks that the received
provisions. It was designed to work in trustworthy address is a hash of the corresponding public key
links where all nodes on the link trust each other. and that the signature, from the associated private
However, we cannot assume that being on the key, is valid. If both verifications are successful,
same network is trustworthy as this assumption then the verifiers know that the address is not a
does not hold in number of different scenarios, stolen address and that it is from the address cor-
such as, over wireless networks, where anyone can responding to public private key pairs.
join a local link either with minimal or with no Although SEND is considered to be a promis-
link layer authentication. Today people use public ing technique with which to protect NDP and to
networks such as Wireless LAN at airports, hotels, make IPv6 a very safe protocol, its deployment
and cafes, where a malicious user can imperson- is not easy and thus is very challenging. SEND
ate legitimate nodes by forging NDP messages to lacks mature implementations by developers of
generate serious attacks. RFC 3756 (Nikander, et operating systems. It is compute-intensive and
al., 2004) shows a list of potential threats to NDP. bandwidth-consuming. Moreover, SEND itself
Therefore, if NDP is not secured, it will be vulner- can be vulnerable to some types of attacks.
able to these various attacks. Some such attacks This chapter will introduce SEND functional-
are Neighbor Solicitation (NS)/ Advertisement ities and messages, discuss the practical consid-
(NA) spoofing, Neighbor Unreachability Detec- erations of SEND deployment as a cryptography
tion (NUD) faller, Duplicate Address Detection solution in securing IPv6 local networks, survey
179
19 more pages are available in the full version of this document, which may
be purchased using the "Add to Cart" button on the product's webpage:
www.igi-global.com/chapter/secure-neighbor-discovery/76516?camid=4v1
Related Content