ABSTRACT
This paper proposes and evaluates a new approach, based on Software Defined Networking (SDN), to secure the IPv6 Neighbor Discovery Protocol (NDP) message exchange and make Stateless Address Autoconfiguration safer. We created an SDN application on the Ryu SDN framework that functions as an intelligent NDP proxy. The SDN application inspects all NDP messages in the data path of the access switch. Once the application has accumulated data about the respective network segment, it performs sanity checking and filtering. We used several relevant attacks from the THC IPv6 toolkit to assess resilience against attacks on the Neighbor Discovery Protocol. Load tests showed that the overhead of NDP packet inspection is not negligible, but once the relevant flow rules have been installed, subsequent packets are forwarded on the fast path of the switch and network performance is only minimally affected.
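As an added illustration (not the paper's Ryu application), the following Python sketches the sanity-checking core such an NDP proxy needs: it learns address-to-(MAC, port) bindings from the NDP traffic on a segment and then filters rogue Router Advertisements, spoofed Neighbor Advertisements and spoofed source addresses. It works on already-decoded NDP fields rather than raw packet-ins; the `NdpMsg` structure, the router-port allow-list and the sample addresses are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

# ICMPv6 type numbers for NDP messages (RFC 4861)
RS, RA, NS, NA = 133, 134, 135, 136

@dataclass
class NdpMsg:
    """Fields an SDN app would decode from a packet-in (assumed structure)."""
    icmp_type: int
    in_port: int
    src_mac: str
    src_ip: str            # IPv6 source; '::' marks a DAD solicitation
    target: str = ""       # NS/NA target address
    lladdr: str = ""       # link-layer address option, if carried

@dataclass
class NdpGuard:
    """Binding table plus filter decisions for one access switch."""
    router_ports: Set[int]                      # only these may send RAs
    bindings: Dict[str, Tuple[str, int]] = field(default_factory=dict)

    def inspect(self, m: NdpMsg) -> str:
        """Return 'forward' or 'drop'; learn from messages that pass."""
        if m.icmp_type == RA:
            # RA guard: a router advertisement from a host port is filtered
            return "forward" if m.in_port in self.router_ports else "drop"
        if m.icmp_type not in (RS, NS, NA):
            return "drop"                      # unknown NDP type: be strict
        if m.src_ip != "::":
            # Source validation: a known address must come from its owner
            owner = self.bindings.get(m.src_ip)
            if owner is None:
                self.bindings[m.src_ip] = (m.src_mac, m.in_port)
            elif owner != (m.src_mac, m.in_port):
                return "drop"
        if m.icmp_type == NS and m.src_ip == "::":
            # DAD probe: the first claimant gets the binding; a later probe is
            # forwarded unchanged so the real owner can still defend it
            self.bindings.setdefault(m.target, (m.src_mac, m.in_port))
            return "forward"
        if m.icmp_type == NA:
            claimed = (m.lladdr or m.src_mac, m.in_port)
            owner = self.bindings.setdefault(m.target, claimed)
            # NA for an address bound to another host/port is spoofing
            return "forward" if owner == claimed else "drop"
        return "forward"
```

In a real controller the "forward" result would become a flow rule so that later packets of that binding stay on the switch's fast path, which is the cost trade-off the abstract describes.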