SEcure Neighbor Discovery: A Cryptographic Solution for Securing IPv6 Local Link Operations

Ahmad AlSa’deh (Hasso-Plattner-Institute, Germany), Hosnieh Rafiee (Hasso-Plattner-Institute, Germany) and Christoph Meinel (Hasso-Plattner-Institute, Germany)
DOI: 10.4018/978-1-4666-4030-6.ch008

SEcure Neighbor Discovery (SEND) was proposed to counteract threats to the Neighbor Discovery Protocol (NDP). It is a strong security extension that can make IPv6 local link operations considerably safer. SEND relies on Cryptographically Generated Addresses (CGAs), digital signatures and X.509 certificates. However, SEND is not easily deployed and is still vulnerable to some types of attacks. This chapter evaluates the practical considerations of a SEND deployment, taking a cryptographic approach as a means of securing IPv6 local link operations. It reviews the remaining vulnerabilities and gives some recommendations to facilitate SEND deployment.
Chapter Preview


The free pool of IPv4 address space is nearly exhausted. On 3 February 2011, the Internet Assigned Numbers Authority (IANA, 2012) allocated the last remaining blocks of IPv4 address space to the Regional Internet Registries (RIRs). Therefore, the world is responding by transitioning from IPv4 to IPv6. On 8 June 2011, top websites and Internet Service Providers (ISPs) around the world, together with more than 1000 other participating websites, took part in a "World IPv6 Day". Because of the success of this global-scale event, the Internet Society organized the "World IPv6 Launch Day" on 6 June 2012 (Internet Society, 2012), on which major ISPs and companies around the world permanently enabled IPv6 for their products and services.

However, businesses need to migrate to IPv6 in a secure manner in order to avoid the security risks inherent in an IPv6 deployment. One of the security concerns comes from the new IPv6 features and mechanisms, which can expose the network to new threats. For instance, StateLess Address Auto-Configuration (SLAAC) (Thomson, Narten, & Jinmei, 2007) and Neighbor Discovery (ND) (Narten, Nordmark, Simpson, & Soliman, 2007) are essential parts of the IPv6 suite; together, ND and SLAAC are known as the Neighbor Discovery Protocol (NDP). IPv6 nodes use NDP for several critical functions: to discover other nodes (routers and hosts) on the link, to resolve IPv6 addresses to link-layer (MAC) addresses, to detect duplicate addresses, and to maintain reachability information about the paths to active neighbors. NDP also plays a crucial role in Mobile IPv6 (MIPv6) networks (Perkins, Johnson, & Arkko, 2011). However, NDP is vulnerable to spoofing and Denial-of-Service (DoS) attacks (Nikander, Kempf, & Nordmark, 2004), and attackers have already developed a set of tools for attacking ND functionality (Hauser, 2012).

The NDP specifications do not include any security provisions. NDP was designed to work on trustworthy links where all nodes trust each other. However, we cannot assume that being on the same link implies trust; the assumption fails in a number of scenarios, such as wireless networks, where anyone can join the local link with minimal or no link-layer authentication. Today people use public networks such as the wireless LANs at airports, hotels and cafes, where a malicious user can impersonate legitimate nodes by forging NDP messages and thereby mount serious attacks. RFC 3756 (Nikander, et al., 2004) lists the potential threats to NDP. Unless NDP is secured, it remains vulnerable to these attacks, which include Neighbor Solicitation (NS)/Neighbor Advertisement (NA) spoofing, Neighbor Unreachability Detection (NUD) failure, Duplicate Address Detection (DAD) Denial of Service (DoS), malicious last-hop router, spoofed Redirect messages, bogus on-link prefix, parameter spoofing, and replay attacks.

Therefore, RFC 3971 "SEcure Neighbor Discovery (SEND)" (Arkko, Kempf, Zill, & Nikander, 2005) was proposed as a set of enhancements to make IPv6 neighbor and router discovery secure. SEND was designed to ensure message integrity, prevent IPv6 address theft, prevent replay attacks, and provide a mechanism for verifying the authority of routers. It uses Cryptographically Generated Addresses (CGAs) (Aura, 2005), digital signatures, and X.509 certificates carrying IP address extensions (Lynn, Kent, & Seo, 2004) to offer significant protection for NDP. A SEND-enabled node must generate or obtain a public/private key pair before it can claim an address. It then generates the CGA from the public key and other auxiliary parameters (the CGA Parameters), and uses the associated private key to sign the ND messages it sends from that address. For router authorization, every router must hold a certificate issued under a trust anchor; hosts are provisioned with a list of trust anchors and accept only routers that can present a valid certification path to one of them. A SEND verifier checks that the received address is a hash of the corresponding public key and that the signature, made with the associated private key, is valid. If both verifications succeed, the verifier knows that the address has not been stolen and that the message came from the holder of the key pair bound to that address.
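The CGA generation and verification steps described above (RFC 3972), as an added worked example in Python; this is not code from the chapter or its authors. It uses only the standard library. The two public keys are constructed placeholder byte strings standing in for the DER-encoded SubjectPublicKeyInfo a real node would use, the prefix is the 2001:db8::/64 documentation prefix, and the function names are the example's own. SEND's RSA Signature option over the ND message is not shown; the example covers the address-ownership half of the check: a verifier recomputes Hash1 from the advertised CGA Parameters, compares it with the interface identifier (ignoring the Sec and u/g bits), then reads the Sec value out of the address and checks the Hash2 work factor for it. The last function shows why address theft fails: an attacker who replays Alice's parameters with a substituted key no longer hashes to Alice's address.

```python
import hashlib
import ipaddress

# Constructed placeholders: a real SEND node puts the DER-encoded
# SubjectPublicKeyInfo of its RSA key here. Only the bytes matter for the hash.
ALICE_PUBKEY = b"constructed-placeholder-for-alice-der-spki"
MALLORY_PUBKEY = b"constructed-placeholder-for-mallory-der-spki"
# 2001:db8::/64, the IPv6 documentation prefix, as the 8-octet subnet prefix
PREFIX = bytes.fromhex("20010db800000000")

# Bits 0-2 of the interface identifier carry Sec, bits 6-7 are the u/g bits;
# all five are excluded from the Hash1 comparison (RFC 3972, section 5).
_HASH1_MASK = 0x1C


def hash1(modifier, prefix, collision_count, pubkey, ext=b""):
    """Leftmost 64 bits of SHA-1 over the CGA Parameters (RFC 3972, section 4)."""
    params = modifier + prefix + bytes([collision_count]) + pubkey + ext
    return hashlib.sha1(params).digest()[:8]


def hash2(modifier, pubkey, ext=b""):
    """Leftmost 112 bits of SHA-1 over modifier || 9 zero octets || key || ext."""
    return hashlib.sha1(modifier + b"\x00" * 9 + pubkey + ext).digest()[:14]


def hash2_meets_sec(h2, sec):
    """Hash extension: the leftmost 16*Sec bits of Hash2 must be zero."""
    return h2[: 2 * sec] == b"\x00" * (2 * sec)


def generate_cga(prefix, pubkey, sec=1, modifier=b"\x00" * 16, collision_count=0):
    """RFC 3972 section 4 generation. Returns (IPv6Address, CGA Parameters dict).

    Sec raises an attacker's brute-force cost by 2**(16*Sec); the generator pays
    that cost once, here by incrementing the modifier until Hash2 qualifies.
    """
    if not (0 <= sec <= 7 and 0 <= collision_count <= 2):
        raise ValueError("Sec must be 0..7 and collision count 0..2")
    m = int.from_bytes(modifier, "big")
    while not hash2_meets_sec(hash2(m.to_bytes(16, "big"), pubkey), sec):
        m = (m + 1) % (1 << 128)
    modifier = m.to_bytes(16, "big")
    iid = bytearray(hash1(modifier, prefix, collision_count, pubkey))
    iid[0] = (iid[0] & _HASH1_MASK) | (sec << 5)   # write Sec, clear u/g bits
    params = {"modifier": modifier, "prefix": prefix,
              "collision_count": collision_count, "pubkey": pubkey}
    return ipaddress.IPv6Address(prefix + bytes(iid)), params


def verify_cga(addr, params):
    """RFC 3972 section 5 verification: does addr derive from these parameters?"""
    raw = addr.packed
    if not 0 <= params["collision_count"] <= 2:      # step 1
        return False
    if raw[:8] != params["prefix"]:                  # step 2
        return False
    iid = raw[8:]
    h1 = hash1(params["modifier"], params["prefix"],
               params["collision_count"], params["pubkey"])
    if (h1[0] & _HASH1_MASK) != (iid[0] & _HASH1_MASK) or h1[1:] != iid[1:]:
        return False                                  # steps 3-5
    sec = iid[0] >> 5                                 # step 6: Sec is read from the address
    return hash2_meets_sec(hash2(params["modifier"], params["pubkey"]), sec)  # steps 7-8


def address_theft_attempt(addr, params, attacker_pubkey):
    """Attacker replays a victim's CGA Parameters but substitutes their own key.

    Returns the verifier's verdict; False means the theft is detected.
    """
    return verify_cga(addr, dict(params, pubkey=attacker_pubkey))


if __name__ == "__main__":
    addr, params = generate_cga(PREFIX, ALICE_PUBKEY, sec=1)
    print("Alice's CGA:", addr, "Sec =", addr.packed[8] >> 5)
    print("verifies with Alice's key:  ", verify_cga(addr, params))
    print("verifies with Mallory's key:", address_theft_attempt(addr, params, MALLORY_PUBKEY))
```

Sec=1 costs about 2^16 SHA-1 evaluations at generation time and runs in well under a second; each further Sec step multiplies that by 2^16, which is why real deployments stay at Sec 0 or 1. Because Sec is encoded in the address itself, a verifier cannot be talked into accepting a cheaper work factor than the owner chose.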
