Secure Neighbor Discovery Protocol: Review and Recommendations

Junaid Latief Shah
DOI: 10.4018/IJBDCN.2019010105


The Neighbor Discovery Protocol (NDP) is a stateless protocol that facilitates link-local communication in IPv6 networks. Nodes use NDP to locate other hosts and routers on the link, resolve link-layer addresses, detect duplicate addresses and track the reachability of paths to active neighbors. However, link-local communication over NDP is susceptible to several severe attacks which, if neglected, leave the network vulnerable. An attacker can forge NDP messages that spoof the source address of a legitimate node and mount Denial of Service (DoS) and Man-in-the-Middle (MITM) attacks, causing IPv6 host initialization to fail. To avert this, RFC 3971 advocates Secure Neighbor Discovery (SeND) to protect the process. SeND guards against message tampering, prevents IPv6 address theft, protects against replay attacks and enables validation of routers on the link. Although SeND is a robust mechanism for securing link-local communication, its practical implementations are reported to have serious shortcomings: the cryptographic algorithms involved impose computational complexity and bandwidth overhead that discourage implementation and adoption. Moreover, the protocol itself provides no confidentiality. SeND also lacks mature, complete implementations in commercial operating systems and network devices. This paper revisits the protocol's implementation and reviews its deployment challenges. It also discusses feasible proposals and recommendations for facilitating practical deployment of SeND in IPv6 networks, including on resource-constrained devices such as mobile phones.

1. Introduction

Internet Protocol version 6 (IPv6), designed more than a decade ago, provides a tangible and flexible replacement that addresses the shortcomings of IPv4. The main driver for IPv6 adoption is the scarcity of IPv4 addresses, which was already foreseen by the end of the 1990s (Chen & Liao, 2017). The enormous IPv6 address space of 2^128 addresses removes the need for NAT and thereby restores end-to-end connectivity. The protocol adds attributes for QoS such as the Traffic Class and Flow Label fields, and its simplified header structure aids efficient routing (Forouzan, 2006). IPv6 relies on the Neighbor Discovery Protocol (NDP) for link-local communication. NDP is a fundamental component of ICMPv6 and uses its message format. IPv6 nodes use link-local communication to locate other nodes and routers on the link, resolve link-layer addresses, detect duplicate addresses and track the reachability of paths to active nodes (RFC 3971). Neighbor Discovery also plays a principal role in Mobile IPv6 (MIPv6), permitting mobile nodes to hand off seamlessly between remote networks. NDP presumes that the network consists only of authentic, trusted hosts; however, with the advent of wireless networks in public places, any host can attach itself to the network with trivial authentication, which changes the picture radically. An attacker can mount MITM attacks during address resolution and redirect legitimate traffic away from its intended node. Likewise, attacks on host initialization and router selection prevent genuine nodes from joining the link (Anbar et al., 2016). This is practicable whenever spoofed Neighbor Advertisement messages succeed in poisoning a node's neighbor cache.
Although the designers of IPv6 recommended IPsec as the native mechanism for securing IPv6 communication, the incompatibilities discussed in (Supriyantol et al., 2013; AlSa'deh & Meinel, 2012) make this extension impractical for protecting link-local communication. RFC 3971 proposes SeND as the security enhancement that mitigates the link-local vulnerabilities of NDP (AlSa'deh & Meinel, 2012). SeND uses cryptographic procedures to prevent source address spoofing, safeguard message integrity and ensure the authenticity of routers on the link. Although SeND is a durable method of securing NDP, deploying it in operational networks is difficult. The Cryptographically Generated Address (CGA) component of SeND is computationally expensive in address generation time and adds bandwidth overhead, which weighs heavily on resource-constrained devices such as mobile phones. Moreover, while a CGA prevents an attacker from spoofing someone else's address, it cannot prevent a malicious user from generating a valid CGA of its own: an attacker can derive a new, valid address from its own public key and initiate communication with it. SeND has also not found commercial deployment in modern operating systems. This paper carries out an in-depth review of the Neighbor Discovery Protocol and discusses its security implications. It revisits the SeND protocol, highlights some of its constraints and summarizes its various implementations and their challenges. Lastly, it summarizes existing work and feasible recommendations that will facilitate deployment of SeND in current operational networks.
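The two CGA properties discussed above, the generation cost governed by the Sec parameter and the fact that a CGA binds an address to a key without saying anything about who holds that key, are easiest to see in code. The following is an added example written for this review and is not code from the article or from any SeND implementation. It follows the Hash1/Hash2 construction of RFC 3972 (the CGA specification that RFC 3971 relies on) but makes simplifying assumptions: the "public keys" are constructed stand-in byte strings rather than DER-encoded RSA SubjectPublicKeyInfo structures, extension fields are omitted, and Duplicate Address Detection (step 8 of generation) is left to the caller via the collision count. The RSA Signature, Timestamp and Nonce options that SeND adds on top of the CGA are not shown.

```python
"""RFC 3972 CGA generation and verification, written as an illustration of
the Sec-parameter cost and of what a CGA does and does not bind.
Added example, not code from the article."""
import hashlib
import ipaddress
import os
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class CGAParameters:
    """CGA Parameters as carried in the SeND CGA option (extension fields omitted)."""
    modifier: bytes        # 16 octets, random start, incremented during Hash2 search
    subnet_prefix: bytes   # 8 octets
    collision_count: int   # 0..2, incremented by DAD on collision
    public_key: bytes      # DER SubjectPublicKeyInfo in real SeND; stand-in bytes here

    def encode(self) -> bytes:
        return (self.modifier + self.subnet_prefix
                + bytes([self.collision_count]) + self.public_key)


def _hash2(modifier: bytes, public_key: bytes) -> bytes:
    # Hash2 = leftmost 112 bits of SHA-1(modifier || 9 zero octets || public key).
    return hashlib.sha1(modifier + bytes(9) + public_key).digest()[:14]


def _hash1(params: CGAParameters) -> bytes:
    # Hash1 = leftmost 64 bits of SHA-1 over the whole CGA Parameters structure.
    return hashlib.sha1(params.encode()).digest()[:8]


def _hash2_ok(h2: bytes, sec: int) -> bool:
    # The 16*Sec leftmost bits of Hash2 must be zero; Sec=0 always passes.
    return h2[:2 * sec] == bytes(2 * sec)


def generate_cga(prefix: bytes, public_key: bytes, sec: int,
                 modifier: Optional[bytes] = None, collision_count: int = 0
                 ) -> Tuple[ipaddress.IPv6Address, CGAParameters, int]:
    """Steps 1-7 of RFC 3972 section 4. Returns (address, parameters, hash2 trials).
    Expected trials grow as 2**(16*Sec): Sec=1 costs ~65536 SHA-1 rounds."""
    if not 0 <= sec <= 7 or len(prefix) != 8 or not 0 <= collision_count <= 2:
        raise ValueError("bad Sec, prefix length or collision count")
    mod = int.from_bytes(os.urandom(16) if modifier is None else modifier, "big")
    trials = 1
    while not _hash2_ok(_hash2(mod.to_bytes(16, "big"), public_key), sec):
        mod = (mod + 1) % (1 << 128)   # step 3: increment modifier, retry
        trials += 1
    params = CGAParameters(mod.to_bytes(16, "big"), prefix, collision_count, public_key)
    iid = bytearray(_hash1(params))
    # Step 6: write Sec into the three leftmost bits, clear the u and g bits (6 and 7).
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return ipaddress.IPv6Address(prefix + bytes(iid)), params, trials


def verify_cga(addr: ipaddress.IPv6Address, params: CGAParameters) -> bool:
    """RFC 3972 section 5: True iff addr is bound to params.public_key.
    Note that it proves nothing about WHO holds that key."""
    packed = addr.packed
    if params.collision_count > 2:                 # step 1
        return False
    if params.subnet_prefix != packed[:8]:         # step 2
        return False
    iid, h1 = packed[8:], _hash1(params)           # step 3
    # Step 4: compare ignoring Sec (3 bits) and the u/g bits of the first octet.
    if (iid[0] & 0x1C) != (h1[0] & 0x1C) or iid[1:] != h1[1:]:
        return False
    sec = iid[0] >> 5                              # step 5
    return _hash2_ok(_hash2(params.modifier, params.public_key), sec)  # step 6


# Constructed sample inputs: a documentation prefix and two stand-in keys.
PREFIX = ipaddress.IPv6Network("2001:db8:1::/64").network_address.packed[:8]
VICTIM_KEY = b"constructed-victim-public-key-bytes"
ATTACKER_KEY = b"constructed-attacker-public-key-bytes"


def demo() -> dict:
    addr, params, _ = generate_cga(PREFIX, VICTIM_KEY, sec=0, modifier=bytes(16))
    spoof = CGAParameters(params.modifier, PREFIX, 0, ATTACKER_KEY)
    _, _, sec1_trials = generate_cga(PREFIX, VICTIM_KEY, sec=1)
    return {
        "victim_verifies": verify_cga(addr, params),
        # Address theft: claiming the victim's CGA with another key fails.
        "spoof_fails": not verify_cga(addr, spoof),
        # But the attacker can mint its own perfectly valid CGA on the same link.
        "attacker_own_cga_verifies": verify_cga(*generate_cga(PREFIX, ATTACKER_KEY, 0)[:2]),
        "sec1_hash2_trials": sec1_trials,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three results the text describes: the legitimate binding verifies, substituting a different key under the same address fails, and an attacker's freshly generated CGA for its own key verifies just as well. The `sec1_hash2_trials` count, typically tens of thousands of SHA-1 rounds for Sec=1, is what the article means by generation cost; each increment of Sec multiplies it by 65536, which is the constraint that matters on a mobile device.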
