SEcure Neighbor Discovery (SEND)

mhkabir1952  Diamond  (1)
6 years 7 months ago  View: 1200  Reply: 4

SEcure Neighbor Discovery (SEND) is an extension of ND that introduces new message types and option fields, and thereby provides ND security in three respects: address ownership verification, message protection, and router authorization.

Objective

ND was designed for trusted links and therefore assumes that every node is standard-compliant and sends only legitimate ND messages. On an untrusted link this assumption does not hold, and several security threats arise. The common ones are:

  • NS/NA spoofing

    An attacker sends NS/NA messages carrying a forged link-layer address to update the neighbor cache of the victim. The victim then sends its packets to the forged address. This is the IPv6 counterpart of ARP spoofing in IPv4.

  • DAD attack

    Duplicate Address Detection (DAD) checks whether the IPv6 address a local node has obtained is already in use by another node; it is similar in function to gratuitous ARP. Because a node gives up a tentative address as soon as any other node claims it, an attacker that answers every DAD query can prevent the victim from configuring an address at all.

  • Redirect attack

    The attacker sends a Redirect message to the victim using the link-layer address of the victim's default gateway (first-hop router) as the source, redirecting the next hop to a nonexistent address and thereby interrupting the victim's communications.

  • Parameter spoofing

    The attacker sends a forged RA message in the name of the local router, carrying the prefix of a forged network segment with the Autonomous flag set. The victim uses this prefix for stateless address autoconfiguration and thus obtains a forged IPv6 address. When the victim uses this address to communicate with external networks, the response packets are discarded by the local router, and the victim's communications fail.

  • Replay attack

    The attacker intercepts a message sent by a node and re-sends it after some delay, so that the victim accepts an expired message.

Deploying SEND effectively defends against the preceding threats and thus improves ND security.

Benefit

SEND extends ND by adding the following information:

  • Extension field

    Cryptographically Generated Address (CGA), Rivest-Shamir-Adleman (RSA) Signature, Timestamp, and Nonce options.

  • Message type

    Certification Path Solicitation (CPS) and Certification Path Advertisement (CPA).

Owing to the new message types and extension fields, the following enhanced security functions are provided:

  • Address ownership verification

    CGA cryptographically binds an IPv6 address to its owner's public key, so that packets sent from that address can be verified as belonging to the address owner; this prevents malicious IPv6 address theft. Both communicating parties generate and verify CGAs, which prevents address spoofing and thus effectively defends against NS/NA spoofing and DAD attacks.

  • Message protection

    RSA signatures protect message integrity and let the receiver authenticate the sender. Both parties also check the Timestamp and Nonce fields, which enforces message freshness and effectively defends against replay attacks.

  • Router authorization

    Certificate authentication verifies the identities of routers, which prevents attackers from sending malicious packets in the name of a router and effectively defends against Redirect attacks and parameter spoofing.
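As an added illustration of the address ownership verification described above (this is not code from the original post), the following Python sketch implements the RFC 3972 CGA generation and verification steps that SEND relies on: the modifier, subnet prefix, collision count and public key are hashed into the interface identifier, and a node that presents a different key for the same address fails verification. The public key bytes and the 2001:db8:0:1::/64 prefix are constructed placeholders.

```python
import hashlib
import ipaddress
import os

# Simplified RFC 3972 CGA generation and verification (stdlib only).
# The public key is treated as opaque bytes; RFC 3972 uses a DER-encoded RSA key.

def _hash1(modifier, prefix, collision_count, pubkey):
    # Hash1 = SHA-1(modifier | subnet prefix | collision count | public key)
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()

def _hash2_ok(modifier, pubkey, sec):
    # Hash2 = SHA-1(modifier | 9 zero bytes | public key); its leftmost 16*Sec bits must be zero.
    h = hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()
    return int.from_bytes(h, "big") >> (160 - 16 * sec) == 0

def _interface_id(hash1, sec):
    # Leftmost 64 bits of Hash1, with the top 3 bits set to Sec and the u/g bits cleared.
    iid = bytearray(hash1[:8])
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return bytes(iid)

def generate_cga(prefix, pubkey, sec=0):
    """Return (16-byte address, (modifier, collision_count)) for a 64-bit prefix."""
    modifier = os.urandom(16)
    while not _hash2_ok(modifier, pubkey, sec):  # brute-force search, cost scales with Sec
        modifier = os.urandom(16)
    collision_count = 0  # DAD would increment this (up to 2) on an address collision
    iid = _interface_id(_hash1(modifier, prefix, collision_count, pubkey), sec)
    return prefix + iid, (modifier, collision_count)

def verify_cga(address, pubkey, modifier, collision_count):
    """True only if the address was derived from this public key and these parameters."""
    if collision_count > 2:
        return False
    prefix, iid = address[:8], address[8:]
    sec = iid[0] >> 5  # Sec is carried in the address itself
    expected = _interface_id(_hash1(modifier, prefix, collision_count, pubkey), sec)
    return iid == expected and _hash2_ok(modifier, pubkey, sec)

if __name__ == "__main__":
    prefix = bytes.fromhex("20010db800000001")      # constructed: 2001:db8:0:1::/64
    pubkey = b"constructed-placeholder-public-key"  # stands in for a DER RSA public key
    addr, (modifier, cc) = generate_cga(prefix, pubkey, sec=1)
    print(ipaddress.IPv6Address(addr), verify_cga(addr, pubkey, modifier, cc))
    # A node claiming the same address with a different key fails verification.
    print(verify_cga(addr, b"some-other-key", modifier, cc))
```

In a real SEND exchange the CGA option carries the modifier, collision count and public key, and the RSA Signature option proves possession of the matching private key; this sketch covers only the address derivation check.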

Armetta  Diamond 
6 years 7 months ago
documentation very useful for my job

khizir  Silver 
6 years 7 months ago

Excellent.

foisal  Gold 
6 years 7 months ago

Thanks for your Excellent Post.

user_2837311  Diamond 
2 years 9 months ago
Useful document, thanks