Article

Securing IPv6 neighbor and router discovery

Authors:

Vesa-Matti Mäntylä,

Pekka Nikander,

Michael RoeAuthors Info & Claims

WiSE '02: Proceedings of the 1st ACM workshop on Wireless security

Pages 77 - 86

https://doi.org/10.1145/570681.570690

Published: 28 September 2002 Publication History

Abstract

When IPv6 Neighbor and Router Discovery functions were defined, it was assumed that the local link would consist of mutually trusting nodes. However, the recent developments in public wireless networks, such as WLANs, have radically changed the situation. The nodes on a local link cannot necessarily trust each other any more, but they must become mutually suspicious even when the nodes have completed an authentication exchange with the network. This creates a number of operational difficulties and new security threats. In this paper we provide a taxonomy for the IPv6 Neighbor and Router Discovery threats, describe two new cryptographic methods, Cryptographically Generated Addresses (CGA) and Address Based Keys (ABK), and discuss how these new methods can be used to secure the Neighbor and Router discovery mechanisms.

References

[1]

S. Deering and R. Hinden, Internet Protocol, Version 6 (IPv6) Specification, RFC2460, Internet Engineering Task Force, December 1998.]]

Digital Library

[2]

A. Conta and S. Deering, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification, RFC2463, Internet Engineering Task Force, December 1998.]]

Digital Library

[3]

IEEE Draft P802.1X/D11: Standard for Port based Network Access Control, LAN MAN Standards Committee of the IEEE Computer Society, March 27, 2001.]]

[4]

IEEE Std. 802.11i/D2.0, Draft Supplement to IEEE 802.11 Standard: Specification for Enhanced Security, March 2002.]]

[5]

A. Mishra and W. A. Arbaugh, "An Initial Security Analysis of the IEEE 802.1X Standard", UMIACS-TR-2002-10, University of Maryland, February 2002.]]

[6]

R. M. Hinden and S. E. Deering. IP version 6 addressing architecture. RFC 2373, IETF Network Working Group, July 1998.]]

Digital Library

[7]

T. Narten, E. Nordmark and W. Simpson, Neighbor Discovery for IP Version 6 (IPv6), RFC2641, IETF, December 1998.]]

Digital Library

[8]

S. Thomson and T. Narten, IPv6 Stateless Address Autoconfiguration, RFC2462, Internet Engineering Task Force, December 1998.]]

Digital Library

[9]

T. Narten and R. Draves. Privacy extensions for stateless address autoconfiguration in IPv6. RFC 3041, IETF, January 2001.]]

Digital Library

[10]

J. Arkko, P. Nikander, T. Kivinen, and M. Rossi, Manual SA Configuration for IPv6 Link Local Messages, work in progress, draft-arkko-manual-icmpv6-sas-01.txt, June 2002.]]

[11]

P. Nikander, "Denial-of-Service, Address Ownership, and Early Authentication in the IPv6 World," presented at Cambridge Security Protocols Workshop 2001, April 25-27, 2001, Cambridge University.]]

Digital Library

[12]

P. Nikander, "A Scalable Architecture for IPv6 Address Ownership", unpublished manuscript, available at http://www.tml.hut.fi/~pnr/publications/draft-nikander-ipng-pbk-addresses-00.txt, March 2001.]]

[13]

D. Thaler and J. Hagino, "IPv6 Stateless DNS Discovery", draft-ietf-ipv6-dns-discovery-04.txt, work in progress.]]

[14]

Steven Bellovin, "Security Problems in the TCP/IP Protocol Suite", Computer Communication Review, Vol. 19, No. 2, pp. 32--48, April 1989.]]

Digital Library

[15]

J. Kempf and E. Nordmark, "Threat Analysis for IPv6 Public Multi-Access Links," draft-kempf-netaccess-threats-00.txt,work in progress.]]

[16]

Mankin, et. al., "Threat Models introduced by Mobile IPv6 and Requirements for Security in Mobile IPv6," draft-ietf-mobileip-mipv6-scrty-reqts-01.txt, work in progress.]]

[17]

G. O'Shea and M. Roe, Child-proof authentication for MIPv6 (CAM). Computer Communications Review, April 2001.]]

Digital Library

[18]

G. Montenegro and C. Castellucia, "SUCV Identifiers and Addresses," draft-montenegro-sucv-02.txt, work in progress.]]

[19]

J. Kempf, C. Gentry, and A. Silverberg, "Securing IPv6 Neighbor Discovery Using Address Based Keys (ABKs),"draft-kempf-ipng-secure-nd-00.txt, work in progress.]]

[20]

A. Shamir, "Identity-Based Cryptosystems and Signature Schemes", Advances in Cryptology -Crypto'84, Lecture Notes in Computer Science 196, (1984), Springer, 47--53.]]

Digital Library

[21]

A. Fiat and A. Shamir, "How to prove yourself: Practical solutions to identification and signature problems", Advances in Cryptology - Crypto'86, Lecture Notes in Computer Science 263, 1986), Springer, 186--194.]]

Digital Library

[22]

U. Feige, A. Fiat, and A. Shamir, "Zero-knowledge Proofs of Identity", Journal of Cryptology 1, (1988), 77--94.]]

Digital Library

[23]

U. Maurer and Y. Yacobi, "Non-interactive public-key cryptography," Advances in Cryptology - Eurocrypt'92, Lecture Notes in Computer Science 658,(1993), Springer, 458--460.]]

[24]

D. Boneh and M. Franklin, "Identity based encryption from the Weil pairing", Advances in Cryptology - Crypto 2001, LNCS 2139, (2001), Springer, 213--229, http://www.cs.stanford.edu/~dabo/papers/ibe.pdf]]

Digital Library

[25]

C. Cocks, "An identity based encryption scheme based on quadratic residues", http://www.cesg.gov.uk/technology/id-pkc/media/ciren.]]

[26]

A. Silverberg and K. Rubin, "Supersingular abelian varieties in cryptography", Cryptology e- Print Archive Report 2002/006, http://eprint.iacr.org/2002/006/, Advances in Cryptography - Crypto 2002, Springer, 2002.]]

Digital Library

[27]

C. Gentry and A. Silverberg, "Hierarchical ID-based Cryptography," Cryptology e-Print Archive Report 2002/056, http://eprint.iacr.org/2002/056/.]]

Cited By

Puhl ZGuo J(2024)Securing IPv6 Neighbor Discovery Address Resolution with Voucher-Based AddressingNetwork10.3390/network40300164:3(338-366)Online publication date: 14-Aug-2024
https://doi.org/10.3390/network4030016
Tajdini MKolivand H(2024)IPv6 Common Security Vulnerabilities and Tools: Overview of IPv6 with Respect to Online GamesEncyclopedia of Computer Graphics and Games10.1007/978-3-031-23161-2_388(1008-1019)Online publication date: 5-Jan-2024
https://doi.org/10.1007/978-3-031-23161-2_388
Arjuman NManickam SKaruppayah S(2022)An Improved Secure Router Discovery Mechanism to Prevent Fake RA Attack in Link Local IPv6 NetworkAdvances in Cyber Security10.1007/978-981-16-8059-5_15(248-276)Online publication date: 1-Jan-2022
https://doi.org/10.1007/978-981-16-8059-5_15
Show More Cited By

Index Terms

Securing IPv6 neighbor and router discovery

Recommendations

Detection of neighbor solicitation and advertisement spoofing in IPv6 neighbor discovery protocol
SIN '11: Proceedings of the 4th international conference on Security of information and networks

With the increase in number of hosts in the Internet, there is also a rise in the demand for IP address space. To cater to this issue, IP version 6 (IPv6) succeeded IPv4. Compared to 32 bit IP address space in IPv4, IP address in IPv6 is composed of 128 ...
RFC 5798: Virtual Router Redundancy Protocol (VRRP) Version 3 for IPv4 and IPv6
RFC 4286: Multicast Router Discovery

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences

WiSE '02: Proceedings of the 1st ACM workshop on Wireless security

September 2002

100 pages

ISBN:1581135858

DOI:10.1145/570681

Conference Chairs:
Douglas Maughan
Defense Advanced Research Projects Agency
,
Nitin H. Vaidya
University of Illinois at Urbana-Champaign

Copyright © 2002 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 28 September 2002

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Article

Conference

WiSe02

Sponsor:

WiSe02: Workshop on Wireless Security 2002 ( co-located with MobiCom 2002 Conference)

September 28, 2002

GA, Atlanta, USA

Acceptance Rates

Overall Acceptance Rate 10 of 41 submissions, 24%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

35
Total Citations
View Citations
2,086
Total Downloads

Downloads (Last 12 months)5
Downloads (Last 6 weeks)0

Reflects downloads up to 17 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

Puhl ZGuo J(2024)Securing IPv6 Neighbor Discovery Address Resolution with Voucher-Based AddressingNetwork10.3390/network40300164:3(338-366)Online publication date: 14-Aug-2024
https://doi.org/10.3390/network4030016
Tajdini MKolivand H(2024)IPv6 Common Security Vulnerabilities and Tools: Overview of IPv6 with Respect to Online GamesEncyclopedia of Computer Graphics and Games10.1007/978-3-031-23161-2_388(1008-1019)Online publication date: 5-Jan-2024
https://doi.org/10.1007/978-3-031-23161-2_388
Arjuman NManickam SKaruppayah S(2022)An Improved Secure Router Discovery Mechanism to Prevent Fake RA Attack in Link Local IPv6 NetworkAdvances in Cyber Security10.1007/978-981-16-8059-5_15(248-276)Online publication date: 1-Jan-2022
https://doi.org/10.1007/978-981-16-8059-5_15
Tajdini MKolivand H(2020)IPv6 Common Security Vulnerabilities and Tools: Overview of IPv6 with Respect to Online GamesEncyclopedia of Computer Graphics and Games10.1007/978-3-319-08234-9_388-1(1-12)Online publication date: 11-Jun-2020
https://doi.org/10.1007/978-3-319-08234-9_388-1
Shah J(2019)Secure Neighbor Discovery ProtocolInternational Journal of Business Data Communications and Networking10.4018/IJBDCN.201901010515:1(71-87)Online publication date: Jan-2019
https://doi.org/10.4018/IJBDCN.2019010105
Nelle DScheffler TGill PIyengar J(2019)Securing IPv6 neighbor discovery and SLAAC in access networks through SDNProceedings of the 2019 Applied Networking Research Workshop10.1145/3340301.3341132(23-29)Online publication date: 22-Jul-2019
https://dl.acm.org/doi/10.1145/3340301.3341132
Al-Ani AAnbar MManickam SAl-Ani A(2018)DAD-Match: Technique to Prevent DoS Attack on Duplicate Address Detection Process in IPv6 Link-local NetworkJournal of Communications10.12720/jcm.13.6.317-324(317-324)Online publication date: 2018
https://doi.org/10.12720/jcm.13.6.317-324
Shah SAnbar MAl-Ani AAl-Ani A(2018)Hybridizing Entropy Based Mechanism with Adaptive Threshold Algorithm to Detect RA Flooding Attack in IPv6 NetworksComputational Science and Technology10.1007/978-981-13-2622-6_31(315-323)Online publication date: 28-Aug-2018
https://doi.org/10.1007/978-981-13-2622-6_31
Al-Ani AAnbar MManickam SAl-Ani ALeau Y(2018)Proposed DAD-match Mechanism for Securing Duplicate Address Detection Process in IPv6 Link-Local Network Based on Symmetric-Key AlgorithmComputational Science and Technology10.1007/978-981-10-8276-4_11(108-118)Online publication date: 24-Feb-2018
https://doi.org/10.1007/978-981-10-8276-4_11
Al-Ani AAnbar MManickam SAl-Ani ALeau Y(2017)Proposed DAD-match Security Technique based on Hash Function to Secure Duplicate Address Detection in IPv6 Link-local NetworkProceedings of the 2017 International Conference on Information Technology10.1145/3176653.3176707(175-179)Online publication date: 27-Dec-2017
https://dl.acm.org/doi/10.1145/3176653.3176707
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents