SEcure Neighbor Discovery (SEND) enhances ND by introducing new message types and extension fields, and thereby secures ND in three respects: address ownership verification, message protection, and router authorization.

Basic ND was designed for trusted networks, and therefore assumes that all nodes are standard-compliant and send only legitimate ND messages. As a result, the following security threats are possible:
- NS/NA spoofing: An attacker sends NS/NA messages carrying a forged link-layer address to update the neighbor cache of the victim. The victim then sends its packets to the forged address. This is the IPv6 counterpart of ARP spoofing in IPv4.
- DAD attack: Duplicate Address Detection (DAD) checks whether the IPv6 address a local node has obtained is already in use by another node, similar to the gratuitous ARP function of IPv4.
- Redirect attack: The attacker uses the link-layer address of the victim's default gateway (first-hop router) as the source address to send a Redirect message to the victim, redirecting the victim's next hop to a nonexistent address and thereby interrupting its communications.
- Parameter spoofing: The attacker sends a forged RA message in the name of the local router, containing the prefix of a forged network segment with the Autonomous flag set. The victim uses this prefix for stateless address autoconfiguration and thus obtains a forged IPv6 address. When the victim uses this address to communicate with external networks, the local router discards the response packets, so the victim's communications fail.
- Replay attack: The attacker captures a message sent by a node and re-sends it after some time, so that the victim receives an expired message.

Deploying SEND effectively defends against the preceding threats and thereby improves ND security.

Benefit
SEND extends ND by adding the following information:
- Extension fields: Cryptographically Generated Address (CGA), Rivest, Shamir and Adleman (RSA) Signature, Timestamp, and Nonce.
- Message types: Certification Path Solicitation (CPS) and Certification Path Advertisement (CPA).

Owing to the new message types and extension fields, the following enhanced security functions are provided:
- Address ownership verification: A CGA binds an IPv6 address to the packets sent from it, preventing malicious use of another node's IPv6 address. The communicating parties generate and verify CGAs, which prevents address spoofing and thus effectively defends against NS/NA spoofing and DAD attacks.
- Message protection: RSA signing and signature verification protect message integrity. The communicating parties also check the Timestamp and Nonce fields, which ensures message freshness and effectively defends against replay attacks.
- Router authorization: Certificate-based authentication verifies the identity of routers, which prevents attackers from sending malicious packets in the name of a router and effectively defends against Redirect attacks and parameter spoofing.
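As an added example (not code from the original page or from any vendor's SEND implementation), the CGA generation and verification procedure of RFC 3972 that underlies the address ownership verification described above, in Python. It assumes a constructed byte string in place of the DER-encoded RSA public key a real node would embed, and starts the modifier search from a fixed value rather than a random one so that the result is reproducible.

```python
import hashlib
import ipaddress

# Constructed placeholder: a real CGA embeds the node's DER-encoded RSA public key.
PUBLIC_KEY = b"\x30\x82\x01\x0a constructed-rsa-public-key-placeholder"
PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")  # documentation prefix


def hash2(modifier: bytes, pubkey: bytes) -> bytes:
    # Hash2 = leftmost 112 bits of SHA-1(modifier | 9 zero octets | public key).
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def generate_cga(prefix, pubkey, sec=1, modifier=bytes(16)):
    """Return (address, cga_params) following RFC 3972 section 4.
    The modifier search starts from a fixed value so the output is reproducible."""
    prefix_bytes = prefix.network_address.packed[:8]
    # Steps 1-3: find a modifier whose Hash2 has 16*Sec leading zero bits.
    while sec and int.from_bytes(hash2(modifier, pubkey), "big") >> (112 - 16 * sec):
        modifier = (int.from_bytes(modifier, "big") + 1).to_bytes(16, "big")
    collision_count = 0  # incremented by the node on a DAD collision (at most 2)
    params = modifier + prefix_bytes + bytes([collision_count]) + pubkey
    # Steps 4-6: Hash1 = leftmost 64 bits of SHA-1(CGA parameters); write Sec into
    # the three leftmost bits of the interface identifier and clear the u and g bits.
    iid = bytearray(hashlib.sha1(params).digest()[:8])
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return ipaddress.IPv6Address(prefix_bytes + bytes(iid)), params


def verify_cga(address, params) -> bool:
    """RFC 3972 section 5: check that the address was derived from these parameters."""
    addr = ipaddress.IPv6Address(address).packed
    modifier, prefix_bytes, cc, pubkey = params[:16], params[16:24], params[24], params[25:]
    if cc > 2 or prefix_bytes != addr[:8]:
        return False
    sec = addr[8] >> 5
    hash1 = hashlib.sha1(params).digest()[:8]
    # Compare Hash1 with the interface identifier, ignoring the Sec, u and g bits.
    if (hash1[0] & 0x1C) != (addr[8] & 0x1C) or hash1[1:] != addr[9:16]:
        return False
    # Hash2 must have 16*Sec leading zero bits (trivially true for Sec = 0).
    return int.from_bytes(hash2(modifier, pubkey), "big") >> (112 - 16 * sec) == 0


if __name__ == "__main__":
    address, params = generate_cga(PREFIX, PUBLIC_KEY)
    print(address, verify_cga(address, params))
```

A receiver that runs verify_cga on the CGA parameters carried in an NS/NA rejects a message whose source address was not derived from the sender's key, which is what defeats the NS/NA spoofing and DAD attacks listed above.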