Secure Neighbor Discovery (SEND) Implementation

mhkabir1952  Diamond  (1)
6 years 7 months ago  View: 1074  Reply: 3

Implementation

As shown in Figure 1, the Eudemon serves as the default router of the host on the local link, and is connected to the extranet.

Figure 1:  Networking diagram of configuring SEND

To defend against attacks on ND launched by malicious nodes on the local link, you can apply SEND on all nodes to construct a secure neighbor discovery environment. For example, you can configure the following functions on the Eudemon:

  • A CGA is generated on GigabitEthernet 1/0/1 to prevent address spoofing. At the same time, the interface discards received ND packets that lack the CGA, RSA, Timestamp, and Nonce options.
  • Following the timestamp authentication mechanism in RFC 3971, GigabitEthernet 1/0/1 checks the timeliness of ND packets using the delta and fuzz parameters, thus defending against replay attacks.
  • A certificate is configured for GigabitEthernet 1/0/1. When it receives a CPS message from the host, GigabitEthernet 1/0/1 responds with a CPA message containing the certificate information, thus preventing an attacker from launching attacks in the name of the Eudemon.
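The two checks in the list above, the CGA verification that defeats address spoofing and the delta/fuzz timestamp check that defeats replay, as an added Python example. This is not code from the original post, from Huawei or from the Eudemon product; it follows RFC 3972 for the CGA and RFC 3971 section 5.3.4.2 for the timestamp. The public key bytes, the 2001:db8:0:1::/64 prefix and the clock values are constructed for illustration, and the ND option framing and the CPS/CPA certificate exchange are not modelled.

```python
"""SEND building blocks: CGA generation/verification (RFC 3972) and the
RFC 3971 timestamp replay check. Added example, not Eudemon or Huawei code.
The public key used here is a constructed placeholder; a real CGA hashes the
DER-encoded SubjectPublicKeyInfo of the node's RSA key."""
import hashlib
import ipaddress

SEC_MASK = 0xE0     # leftmost 3 bits of the interface identifier carry Sec
UG_MASK = 0x03      # bits 6 and 7 (u/g) are forced to zero
KEEP_MASK = 0xFF & ~(SEC_MASK | UG_MASK)


def _hash1(modifier, prefix, collision_count, pubkey):
    # Hash1: leftmost 64 bits of SHA-1 over the CGA Parameters structure
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]


def _hash2(modifier, pubkey):
    # Hash2: same structure, but prefix and collision count replaced by 9 zero octets
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def _hash2_ok(h2, sec):
    # The 16*Sec leftmost bits of Hash2 must be zero (the hash-extension work proof)
    return sec == 0 or int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0


def generate_cga(prefix, pubkey, sec, start_modifier=bytes(16)):
    """Return (IPv6Address, CGA parameters). prefix is the 8-byte subnet prefix.
    start_modifier is fixed here for reproducibility; RFC 3972 starts from random."""
    modifier = int.from_bytes(start_modifier, "big")
    while True:
        mod_bytes = modifier.to_bytes(16, "big")
        if _hash2_ok(_hash2(mod_bytes, pubkey), sec):
            break
        modifier = (modifier + 1) % (1 << 128)
    collision_count = 0   # DAD is not modelled; a collision would increment this (max 2)
    iid = bytearray(_hash1(mod_bytes, prefix, collision_count, pubkey))
    iid[0] = (sec << 5) | (iid[0] & KEEP_MASK)
    params = {"modifier": mod_bytes, "prefix": prefix,
              "collision_count": collision_count, "pubkey": pubkey}
    return ipaddress.IPv6Address(prefix + bytes(iid)), params


def verify_cga(addr, params):
    """RFC 3972 section 5 verification: True only if addr was derived from params."""
    raw = addr.packed
    if params["collision_count"] > 2 or params["prefix"] != raw[:8]:
        return False
    iid = raw[8:]
    h1 = _hash1(params["modifier"], params["prefix"], params["collision_count"], params["pubkey"])
    # Sec, u and g bits are ignored when comparing Hash1 with the interface identifier
    if (h1[0] & KEEP_MASK) != (iid[0] & KEEP_MASK) or h1[1:] != iid[1:]:
        return False
    sec = iid[0] >> 5
    return _hash2_ok(_hash2(params["modifier"], params["pubkey"]), sec)


def encode_timestamp(t):
    """SEND Timestamp option value: 48-bit seconds since 1970-01-01 + 16-bit 1/65536 s fraction."""
    secs = int(t)
    return ((secs << 16) | int((t - secs) * 65536)).to_bytes(8, "big")


def decode_timestamp(b):
    v = int.from_bytes(b, "big")
    return (v >> 16) + (v & 0xFFFF) / 65536


class TimestampChecker:
    """Replay check of RFC 3971 section 5.3.4.2, kept per peer.
    TS = timestamp in the packet, RD = receiver's clock at reception.
    New peer:    -delta < RD - TS < delta
    Known peer:  TS_new + fuzz > TS_last + (RD_new - RD_last) * (1 - drift) - fuzz
    Defaults delta=300 s, fuzz=1 s, drift=1% are the RFC's suggested values."""

    def __init__(self, delta=300.0, fuzz=1.0, drift=0.01):
        self.delta, self.fuzz, self.drift = delta, fuzz, drift
        self.peers = {}   # peer address -> (TS_last, RD_last)

    def accept(self, peer, ts_new, rd_new):
        last = self.peers.get(peer)
        if last is None:
            ok = -self.delta < rd_new - ts_new < self.delta
        else:
            ts_last, rd_last = last
            ok = ts_new + self.fuzz > ts_last + (rd_new - rd_last) * (1 - self.drift) - self.fuzz
        if ok:
            self.peers[peer] = (ts_new, rd_new)   # only accepted packets move the window
        return ok


if __name__ == "__main__":
    prefix = bytes.fromhex("20010db800000001")          # constructed: 2001:db8:0:1::/64
    pubkey = b"constructed placeholder, not a DER public key"
    addr, params = generate_cga(prefix, pubkey, sec=1)
    print(addr, verify_cga(addr, params))
    chk = TimestampChecker()
    # second call replays the same timestamp 1000 s later and must be rejected
    print(chk.accept(str(addr), 1000.0, 1100.0), chk.accept(str(addr), 1000.0, 2100.0))
```

With Sec=1 the generator needs on average 65536 SHA-1 evaluations before Hash2 has 16 leading zero bits, which is why an attacker who wants to pass off a forged key under someone else's address must redo that work for each candidate; Sec=0 skips it entirely. The timestamp check is stateful per peer: a first packet is judged only against the receiver's clock (delta), while later packets must advance the peer's window, so a captured message replayed later fails even though its timestamp was valid when first sent.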
Armetta  Diamond 
6 years 7 months ago
Documentation very useful for my job.

foisal  Gold 
6 years 7 months ago
Very nice.
user_2837311  Diamond 
2 years 9 months ago
Useful document, thanks.