Nothing Special   »   [go: up one dir, main page]

skip to main content
10.1145/570681.570690acmconferencesArticle/Chapter ViewAbstractPublication PagesmobicomConference Proceedingsconference-collections
Article

Securing IPv6 neighbor and router discovery

Published: 28 September 2002 Publication History

Abstract

When IPv6 Neighbor and Router Discovery functions were defined, it was assumed that the local link would consist of mutually trusting nodes. However, the recent developments in public wireless networks, such as WLANs, have radically changed the situation. The nodes on a local link cannot necessarily trust each other any more, but they must become mutually suspicious even when the nodes have completed an authentication exchange with the network. This creates a number of operational difficulties and new security threats. In this paper we provide a taxonomy for the IPv6 Neighbor and Router Discovery threats, describe two new cryptographic methods, Cryptographically Generated Addresses (CGA) and Address Based Keys (ABK), and discuss how these new methods can be used to secure the Neighbor and Router discovery mechanisms.

References

[1]
S. Deering and R. Hinden, Internet Protocol, Version 6 (IPv6) Specification, RFC2460, Internet Engineering Task Force, December 1998.]]
[2]
A. Conta and S. Deering, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification, RFC2463, Internet Engineering Task Force, December 1998.]]
[3]
IEEE Draft P802.1X/D11: Standard for Port based Network Access Control, LAN MAN Standards Committee of the IEEE Computer Society, March 27, 2001.]]
[4]
IEEE Std. 802.11i/D2.0, Draft Supplement to IEEE 802.11 Standard: Specification for Enhanced Security, March 2002.]]
[5]
A. Mishra and W. A. Arbaugh, "An Initial Security Analysis of the IEEE 802.1X Standard", UMIACS-TR-2002-10, University of Maryland, February 2002.]]
[6]
R. M. Hinden and S. E. Deering. IP version 6 addressing architecture. RFC 2373, IETF Network Working Group, July 1998.]]
[7]
T. Narten, E. Nordmark and W. Simpson, Neighbor Discovery for IP Version 6 (IPv6), RFC2641, IETF, December 1998.]]
[8]
S. Thomson and T. Narten, IPv6 Stateless Address Autoconfiguration, RFC2462, Internet Engineering Task Force, December 1998.]]
[9]
T. Narten and R. Draves. Privacy extensions for stateless address autoconfiguration in IPv6. RFC 3041, IETF, January 2001.]]
[10]
J. Arkko, P. Nikander, T. Kivinen, and M. Rossi, Manual SA Configuration for IPv6 Link Local Messages, work in progress, draft-arkko-manual-icmpv6-sas-01.txt, June 2002.]]
[11]
P. Nikander, "Denial-of-Service, Address Ownership, and Early Authentication in the IPv6 World," presented at Cambridge Security Protocols Workshop 2001, April 25-27, 2001, Cambridge University.]]
[12]
P. Nikander, "A Scalable Architecture for IPv6 Address Ownership", unpublished manuscript, available at http://www.tml.hut.fi/~pnr/publications/draft-nikander-ipng-pbk-addresses-00.txt, March 2001.]]
[13]
D. Thaler and J. Hagino, "IPv6 Stateless DNS Discovery", draft-ietf-ipv6-dns-discovery-04.txt, work in progress.]]
[14]
Steven Bellovin, "Security Problems in the TCP/IP Protocol Suite", Computer Communication Review, Vol. 19, No. 2, pp. 32--48, April 1989.]]
[15]
J. Kempf and E. Nordmark, "Threat Analysis for IPv6 Public Multi-Access Links," draft-kempf-netaccess-threats-00.txt,work in progress.]]
[16]
Mankin, et. al., "Threat Models introduced by Mobile IPv6 and Requirements for Security in Mobile IPv6," draft-ietf-mobileip-mipv6-scrty-reqts-01.txt, work in progress.]]
[17]
G. O'Shea and M. Roe, Child-proof authentication for MIPv6 (CAM). Computer Communications Review, April 2001.]]
[18]
G. Montenegro and C. Castellucia, "SUCV Identifiers and Addresses," draft-montenegro-sucv-02.txt, work in progress.]]
[19]
J. Kempf, C. Gentry, and A. Silverberg, "Securing IPv6 Neighbor Discovery Using Address Based Keys (ABKs),"draft-kempf-ipng-secure-nd-00.txt, work in progress.]]
[20]
A. Shamir, "Identity-Based Cryptosystems and Signature Schemes", Advances in Cryptology -Crypto'84, Lecture Notes in Computer Science 196, (1984), Springer, 47--53.]]
[21]
A. Fiat and A. Shamir, "How to prove yourself: Practical solutions to identification and signature problems", Advances in Cryptology - Crypto'86, Lecture Notes in Computer Science 263, 1986), Springer, 186--194.]]
[22]
U. Feige, A. Fiat, and A. Shamir, "Zero-knowledge Proofs of Identity", Journal of Cryptology 1, (1988), 77--94.]]
[23]
U. Maurer and Y. Yacobi, "Non-interactive public-key cryptography," Advances in Cryptology - Eurocrypt'92, Lecture Notes in Computer Science 658,(1993), Springer, 458--460.]]
[24]
D. Boneh and M. Franklin, "Identity based encryption from the Weil pairing", Advances in Cryptology - Crypto 2001, LNCS 2139, (2001), Springer, 213--229, http://www.cs.stanford.edu/~dabo/papers/ibe.pdf]]
[25]
C. Cocks, "An identity based encryption scheme based on quadratic residues", http://www.cesg.gov.uk/technology/id-pkc/media/ciren.]]
[26]
A. Silverberg and K. Rubin, "Supersingular abelian varieties in cryptography", Cryptology e- Print Archive Report 2002/006, http://eprint.iacr.org/2002/006/, Advances in Cryptography - Crypto 2002, Springer, 2002.]]
[27]
C. Gentry and A. Silverberg, "Hierarchical ID-based Cryptography," Cryptology e-Print Archive Report 2002/056, http://eprint.iacr.org/2002/056/.]]

Cited By

View all
  • (2024)Securing IPv6 Neighbor Discovery Address Resolution with Voucher-Based AddressingNetwork10.3390/network40300164:3(338-366)Online publication date: 14-Aug-2024
  • (2024)IPv6 Common Security Vulnerabilities and Tools: Overview of IPv6 with Respect to Online GamesEncyclopedia of Computer Graphics and Games10.1007/978-3-031-23161-2_388(1008-1019)Online publication date: 5-Jan-2024
  • (2022)An Improved Secure Router Discovery Mechanism to Prevent Fake RA Attack in Link Local IPv6 NetworkAdvances in Cyber Security10.1007/978-981-16-8059-5_15(248-276)Online publication date: 1-Jan-2022
  • Show More Cited By

Recommendations

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image ACM Conferences
WiSE '02: Proceedings of the 1st ACM workshop on Wireless security
September 2002
100 pages
ISBN:1581135858
DOI:10.1145/570681
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 28 September 2002

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. autoconfiguration
  2. detection
  3. duplicate address
  4. identity-based cryptosystems
  5. neighbor discovery
  6. router discovery

Qualifiers

  • Article

Conference

WiSe02
Sponsor:

Acceptance Rates

Overall Acceptance Rate 10 of 41 submissions, 24%

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)5
  • Downloads (Last 6 weeks)0
Reflects downloads up to 19 Nov 2024

Other Metrics

Citations

Cited By

View all
  • (2024)Securing IPv6 Neighbor Discovery Address Resolution with Voucher-Based AddressingNetwork10.3390/network40300164:3(338-366)Online publication date: 14-Aug-2024
  • (2024)IPv6 Common Security Vulnerabilities and Tools: Overview of IPv6 with Respect to Online GamesEncyclopedia of Computer Graphics and Games10.1007/978-3-031-23161-2_388(1008-1019)Online publication date: 5-Jan-2024
  • (2022)An Improved Secure Router Discovery Mechanism to Prevent Fake RA Attack in Link Local IPv6 NetworkAdvances in Cyber Security10.1007/978-981-16-8059-5_15(248-276)Online publication date: 1-Jan-2022
  • (2020)IPv6 Common Security Vulnerabilities and Tools: Overview of IPv6 with Respect to Online GamesEncyclopedia of Computer Graphics and Games10.1007/978-3-319-08234-9_388-1(1-12)Online publication date: 11-Jun-2020
  • (2019)Secure Neighbor Discovery ProtocolInternational Journal of Business Data Communications and Networking10.4018/IJBDCN.201901010515:1(71-87)Online publication date: Jan-2019
  • (2019)Securing IPv6 neighbor discovery and SLAAC in access networks through SDNProceedings of the 2019 Applied Networking Research Workshop10.1145/3340301.3341132(23-29)Online publication date: 22-Jul-2019
  • (2018)DAD-Match: Technique to Prevent DoS Attack on Duplicate Address Detection Process in IPv6 Link-local NetworkJournal of Communications10.12720/jcm.13.6.317-324(317-324)Online publication date: 2018
  • (2018)Hybridizing Entropy Based Mechanism with Adaptive Threshold Algorithm to Detect RA Flooding Attack in IPv6 NetworksComputational Science and Technology10.1007/978-981-13-2622-6_31(315-323)Online publication date: 28-Aug-2018
  • (2018)Proposed DAD-match Mechanism for Securing Duplicate Address Detection Process in IPv6 Link-Local Network Based on Symmetric-Key AlgorithmComputational Science and Technology10.1007/978-981-10-8276-4_11(108-118)Online publication date: 24-Feb-2018
  • (2017)Proposed DAD-match Security Technique based on Hash Function to Secure Duplicate Address Detection in IPv6 Link-local NetworkProceedings of the 2017 International Conference on Information Technology10.1145/3176653.3176707(175-179)Online publication date: 27-Dec-2017
  • Show More Cited By

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Media

Figures

Other

Tables

Share

Share

Share this Publication link

Share on social media