Moritz Mönnich
ABSTRACT
The IPv6 protocol will sooner or later replace IPv4 to cope with an exponentially increasing number of connected devices. Some of the most significant functions of IPv6 networks are network discovery, maintenance, and routing mechanisms to promote auto-configuration of the network with less manual effort. Network Discovery Protocol (NDP) is an important protocol in IPv6 to identify the relationships between different neighboring devices in a network. However, it is also subject to spoofing and man-in-the-middle attacks. This paper implements an attack detection and mitigation strategy called Router Advertisement Guard (RA-Guard) in P4 to defend IPv6 networks against router spoofing attacks directly on the data plane. In contrast to very few proprietary RA-Guard implementations with limited details, we consider different scenarios to exploit IPv6 packet structure and publish our implementation open-source. The experiments show that our P4-based implementation can detect and mitigate spoofing attacks leveraging RA-Guard together with its control plane extensions.
Supplemental Material
- Ahmad Alsadeh and Christoph Meinel. 2012. Secure Neighbor Discovery: Review, Challenges, Perspectives, and Recommendations. Security & Privacy, IEEE (2012).Google Scholar
- Jari Arkko, James Kempf, Brian Zill, and Pekka Nikander. 2005. SEcure Neighbor Discovery (SEND). RFC. RFC Editor. https://www.rfc-editor.org/rfc/rfc3971.txtGoogle Scholar
- Pat Bosshart, Dan Daly, Glen Gibb, Martin Izzard, Nick McKeown, Jennifer Rexford, Cole Schlesinger, Dan Talayco, Amin Vahdat, George Varghese, et al. 2014. P4: Programming protocol-independent packet processors. ACM SIGCOMM Computer Communication Review (2014).Google Scholar
- Tim Chown and Stig Venaas. 2011. Rogue IPv6 Router Advertisement Problem State- ment. RFC. RFC Editor. https://www.rfc-editor.org/rfc/rfc6104.txtGoogle Scholar
- Stephen E. Deering and Robert M. Hinden. 2017. Internet Protocol, Version 6 (IPv6) Specification. RFC. RFC Editor. https://www.rfc-editor.org/info/rfc8200Google Scholar
- R Draves and D Thaler. 2005. Default Router Preferences and More-Specific Routes. RFC. RFC Editor. https://rfc-editor.org/rfc/rfc4191.txtGoogle Scholar
- Fernando Gont. 2011. IPv6 Router Advertisement Guard (RA-Guard) Evasion. Technical Report. https://datatracker.ietf.org/doc/html/draft-gont-v6ops-ra-guard-evasion-01Google Scholar
- Gont, Fernando. 2014. Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard). RFC. RFC Editor. https://www.rfc-editor.org/info/rfc7113Google Scholar
- Elie F. Kfoury, Jorge Crichigno, and Elias Bou-Harb. 2021. An Exhaustive Survey on P4 Programmable Data Plane Switches: Taxonomy, Applications, Challenges, and Future Trends. IEEE Access 9 (2021), 87094--87155. https://doi.org/10.1109/ACCESS.2021.3086704Google ScholarCross Ref
- Peng Kuang, Ying Liu, and Lin He. 2020. P4DAD: Securing Duplicate Address Detection Using P4. In ICC 2020 - 2020 IEEE International Conference on Communications (ICC). 1--7. https://doi.org/10.1109/ICC40277.2020.9149310Google ScholarCross Ref
- Eric Levy-Abegnoli, Gunter Van de Velde, Ciprian Popoviciu, and Janos Mohacsi. 2011. IPv6 Router Advertisement Guard. RFC. RFC Editor. https://www.rfc-editor.org/rfc/rfc6105.txtGoogle Scholar
- Gang Liu, Wei Quan, Nan Cheng, Ning Lu, Hongke Zhang, and Xuemin Shen. 2020. P4NIS: Improving network immunity against eavesdropping with programmable data planes. In IEEE INFOCOM 2020 - IEEE Conference on Computer Communications Workshops (INFOCOM WKSHPS). 91--96. https://doi.org/10.1109/INFOCOMWKSHPS50562.2020.9162975Google ScholarCross Ref
- Niranjhana Narayanan, Ganesh C. Sankaran, and Krishna M. Sivalingam. 2019. Mitigation of security attacks in the SDN data plane using P4-enabled switches. In 2019 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS). 1--6. https://doi.org/10.1109/ANTS47819.2019.9118071Google ScholarDigital Library
- Thomas Narten, Erik Nordmark, William Simpson, and Hesham Soliman. 2007. Neighbor Discovery for IP version 6 (IPv6). RFC. RFC Editor. https://rfc-editor.org/rfc/rfc4861.txtGoogle Scholar
- E Nikander, J Kempf, and E Nordmark. 2004. IPv6 Neighbor Discovery (ND) Trust Models and Threats. RFC. RFC Editor. https://rfc-editor.org/rfc/rfc3756.txtGoogle Scholar
- Olivier Tilmans. [n. d.]. IPMininet. https://ipmininet.readthedocs.io/en/latest/index.htmlGoogle Scholar
- Nathan Ward. 2009. IPv6 Autoconfig Filtering on Ethernet Switches. (2009). https://datatracker.ietf.org/doc/html/draft-nwardipv6- autoconfig- filtering-ethernet-00Google Scholar
Index Terms
- Mitigation of IPv6 Router Spoofing Attacks with P4
Recommendations
Research on DDoS Attacks in IPv6
CSAE '20: Proceedings of the 4th International Conference on Computer Science and Application EngineeringWith the gradual replacement of IPv4 by IPv6, Distributed Denial-of-Service (DDoS) attacks that have plagued IPv4 appear in IPv6 more or less, and affect the normal operation of IPv6. However, the current research on how to construct a secure DDoS ...
Performance analysis of probabilistic packet marking in IPv6
Probabilistic packet marking (PPM) has received considerable attention as an IP traceback approach against distributed Denial-of-Service attack, which is one of the most challenging security threat in the Internet. PPM is a technique that seeks to ...
SECAP Switch—Defeating Topology Poisoning Attacks Using P4 Data Planes
AbstractProgrammable networking is evolving from programmable control plane solutions such as OpenFlow-based software-defined networking (SDN) to programmable data planes such as P4-based SDN. To support the functionality of the SDN, the correct view of ...
Comments