Article Preview
Top1. Introduction
Internet Protocol Version Six or IPv6 which was designed more than a decade ago provides a tangible and pliable replacement choice for shortcomings of IPv4.The main espousing element for IPv6 adoption is scarcity of IPv4 addresses which was perceived by the end of 90’s (Chen & Liao, 2017). The gigantic address space of IPv6 is 2128 i.e. negating exigency for NAT and thus dispensing end-to-end connectivity. The protocol extends additional attributes for QoS like Traffic class and Flow label. Furthermore, having a simplified header structure aids in efficient routing (Forouzan, 2006). IPv6 employs the services of Neighbor Discovery Protocol (NDP) for Link Local communication. The NDP forms the fundamental element of ICMPv6 and operates using its format. IPv6 nodes use Link Local communication to locate other nodes/routers on the link, cover resolution of link layer addresses, duplicate address detections and track reachability status about paths to active nodes (RFC 3971). Additionally, Neighbor Discovery protocol also enacts a principal role in Mobile IPv6 (MIPv6) communication thereby permitting the mobile nodes for seamless handoff between various remote networks. The NDP presumes that network comprises of authentic and entrusted hosts only, however with inception of wireless networks available in public domains; any host can affix itself to the network with trivial authentication which changes the scenario radically. The attackers can effectuate MITM attacks during the address resolution process thereby redirecting legitimate traffic away from the nodes. Likewise, attacks anchored on host initialization and router selection impedes genuine nodes from joining the link (Anbar et al., 2016). This is practicable in situations where spoofed Neighbor Advertisement messages successfully poison node’s neighbor cache. Although designers of IPv6 had recommended IPsec as the innate security protocol dispensing reliability to IPv6 communication; but, due to incompatibilities as discussed in (Supriyantol et al., 2013; AlSa'deh & Meinel, 2012), this protocol extension isn’t feasible for fortifying link layer communication. RFC 3971 proposes SeND as the security enhancement for mitigating link local vulnerabilities in NDP (AlSa'deh & Meinel, 2012). SeND uses cryptographic procedures to obviate source address spoofing, safeguards message integrity and also ensures authenticity of routers on the link. Although SeND is a durable method of securing NDP, its implementation into operational networks is equally difficult. The CGA component in SeND is computationally heavy on generation time and bandwidth utilization. This lays a significant impact especially on resource constrained devices like mobile phones. Although, CGA’s may prevent address spoofing but cannot prevent a malicious user from generating a valid CGA. As such, an attacker can generate a new and valid address using its own public key, and initiate the communication. Also, SeND does not find any commercial deployments in modern operating systems. This paper carries an in-depth review of Neighbor discovery protocol and explicates discussion over its security implications. The paper revisits discussion on the SeND protocol highlighting some of its constraints and summarizing its various implementations and their challenges. Lastly, the paper summarizes existing work and feasible recommendations that will facilitate deployment of SeND in current operational networks.