Secure Neighbor Discovery. By- Pradeep Yalamanchili Parag Walimbe

Similar documents
Une attaque par rejeu sur le protocole SEND

Request for Comments: 3971 Category: Standards Track. DoCoMo Communications Labs USA B. Zill Microsoft P. Nikander. Ericsson.

SECURE ROUTER DISCOVERY MECHANISM TO OVERCOME MAN-IN THE MIDDLE ATTACK IN IPV6 NETWORK

Non-CGA addresses in SEND E. Levy-Abegnoli

Guide to TCP/IP Fourth Edition. Chapter 6: Neighbor Discovery in IPv6

IPv6 CGAs: Balancing between Security, Privacy and Usability

IPv6 maintenance Working Group (6man) Updates: 3971, 4861 (if approved) January 12, 2012 Intended status: Standards Track Expires: July 15, 2012

IPv6 Associated Protocols. Athanassios Liakopoulos 6DEPLOY IPv6 Training, Skopje, June 2011

Augmented SEND: Aligning Security, Privacy, and Usability. Dr. Ahmad Alsadeh Birzeit University Palestine

DELVING INTO SECURITY

IPv6 Snooping. Finding Feature Information. Restrictions for IPv6 Snooping

The Layer-2 Insecurities of IPv6 and the Mitigation Techniques

IPv6 Snooping. Finding Feature Information. Restrictions for IPv6 Snooping

Ch.6 Mapping Internet Addresses to Physical Addresses (ARP)

IPv6 Security Vendor Point of View. Eric Vyncke, Distinguished Engineer Cisco, CTO/Consulting Engineering

More about identity and authentication. Tuomas Aura T Network security Aalto University, autumn 2015

IPv6 Neighbor Discovery

Internet Engineering Task Force (IETF) Updates: 3971, 4861 August 2013 Category: Standards Track ISSN:

Monitoring the Neighbor Discovery Protocol

Table of Contents 1 IPv6 Configuration IPv6 Application Configuration 2-1

IPv6 Rogue Router Advertisement Attack Prepared By: Andrew Gray & Wil Hall Prepared For: Dr. Tom Calabrese

Internet Engineering Task Force (IETF) Request for Comments: M. Bonola Rome Tor Vergata University A. Garcia-Martinez UC3M February 2012

Network Security: Security of Internet Mobility. Tuomas Aura T Network security Aalto University, Nov-Dec 2014

IPv6 Security Fundamentals

The Study on Security Vulnerabilities in IPv6 Autoconfiguration

Wireless Network Security Spring 2016

Internet Engineering Task Force (IETF) Category: Standards Track. J. Halpern Ericsson E. Levy-Abegnoli, Ed. Cisco February 2017

The Layer-2 Security Issues and the Mitigation

IPv6 Client IP Address Learning

Security Considerations for IPv6 Networks. Yannis Nikolopoulos

Mobile IPv6. Raj Jain. Washington University in St. Louis

A Study of Two Different Attacks to IPv6 Network

An Analysis of Fast Handover Key Distribution Using SEND in Mobile IPv6

Advanced IPv6 Security: Securing Link- Operations at the First Hop

IPv6 Neighbor Discovery

IPv6 Neighbor Discovery

NETLMM Security Threats on the MN-AR Interface draft-kempf-netlmm-threats-00.txt

Insights on IPv6 Security

IPv6 Neighbor Discovery

IPv6 Traffic Hijack Test System and Defense Tools Using DNSSEC

Rule based Forwarding (RBF): improving the Internet s flexibility and security. Lucian Popa, Ion Stoica, Sylvia Ratnasamy UC Berkeley Intel Labs

Insights on IPv6 Security

Mobile IPv6. Washington University in St. Louis

Adopting Innovative Detection Technique To Detect ICMPv6 Based Vulnerability Attacks

Internet Engineering Task Force (IETF) Category: Standards Track. H. Li Huawei Technologies June 2013

Improvement of Address Resolution Security in IPv6 Local Network using Trust-ND

LECTURE 8. Mobile IP

Juniper Netscreen Security Device. How to Enable IPv6 Page-51

IPv6 Neighbor Discovery

MESSAGES error-reporting messages and query messages. problems processes IP packet specific information

netkit lab IPv6 Neighbor Discovery (NDP)

Optimized Neighbor Discovery for 6LoWPANs: Implementation and Performance Evaluation

Internet Control Message Protocol (ICMP)

IPv6 associated protocols

Configuring IPv6 First-Hop Security

Operational Security Capabilities for IP Network Infrastructure

Network Working Group Request for Comments: Nokia Research Center F. Dupont GET/ENST Bretagne June 2004

Internet Engineering Task Force (IETF) G. Daley Netstar Logicalis July Securing Neighbor Discovery Proxy: Problem Statement

Operation Manual IPv6 H3C S3610&S5510 Series Ethernet Switches Table of Contents. Table of Contents

Remember Extension Headers?

IPv6 address configuration and local operation

A Review on ICMPv6 Vulnerabilities and its Mitigation Techniques: Classification and Art

Network Working Group. Category: Standards Track Universitaet Karlsruhe (TH) W. Haddad Ericsson Research May 2007

IPv6 First-Hop Security Binding Table

Wireless Network Security Spring 2015

IPv6 ND Configuration Example

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

Veryx ATTEST TM Conformance Test Suite

Table of Contents 1 IPv6 Configuration IPv6 Application Configuration 2-1

HPE FlexFabric 5940 Switch Series

Configuring Wireless Multicast

Table of Contents 1 IPv6 Configuration IPv6 Application Configuration 2-1

Introduction to IPv6 - II

SECURE ROUTING PROTOCOLS IN AD HOC NETWORKS

T Computer Networks II. Mobility Issues Contents. Mobility. Mobility. Classifying Mobility Protocols. Routing vs.

IPv6 Stateless Autoconfiguration

Internet Engineering Task Force (IETF) Ericsson July 2011

Module 28 Mobile IP: Discovery, Registration and Tunneling

A NOVEL APPROACH FOR PREVENTING DOS ATTACK IN DUPLICATE ADDRESS DETECTION OF IPV6

IPv6 Prefix Delegation for Hosts. Fred L. Templin IETF100 v6ops Working Group November 16, 2017

Introduction to IPv6. IPv6 addresses

Chapter 9: Key Management

Secure Bootstrapping and Routing in an IPv6-Based Ad Hoc Network

Introduction to IPv6. IPv6 addresses

How efficient is Efficient NDP?

A Survey of BGP Security Review

Configuring IPv6 basics

ODL Summit Bangalore - Nov 2016 IPv6 Design in OpenDaylight

Table of Contents 1 IPv6 Basics Configuration 1-1

IPv6 Security Course Preview RIPE 76

Cryptography and Network Security Chapter 14

Internet Control Message Protocol

Introduction to IPv6. IPv6 addresses

HPE FlexNetwork 5510 HI Switch Series

IP CONSORTIUM TEST SUITE Internet Protocol, Version 6

Experimenting with early opportunistic key agreement

IPv6 Security. Rocky Mountain IPv6 Summit. Scott Hogg. GTRI - Director of Advanced Technology Services CCIE #5133, CISSP #4610

A Network Access Control Framework for 6LoWPAN Networks

Address Resolution Protocol (ARP), RFC 826

HP FlexFabric 5930 Switch Series

Transcription:

Secure Neighbor Discovery By- Pradeep Yalamanchili Parag Walimbe

Overview Neighbor Discovery Protocol (NDP) Main Functions of NDP Secure Neighbor Discovery (SEND) Overview Types of attacks.

NDP Nodes on the same link use NDP to discover each other presence and link-layer addresses, to find routers. It is used by both hosts and the routers.

Main Functions of NDP Router Discovery (RD). Redirect Function. Address Auto configuration. Duplicate Address Detection (DAD). Address Resolution Function. Neighbor Unreachability (NUD).

NDP-message It includes an NDP message header, consisting of an ICMPV6 header and ND message specific data and zero or more NDP- Options.

Secure Neighbor Discovery Overview A set of new NDP options is introduced to secure various functions of NDP. This specification introduces.. new options. Authorization Discovery Process (ADD). Address ownership proof mechanism.

Secure Neighbor Discovery Overview (cntd..) The main components involved are as follows certification paths, anchored on trusted parties are expected to certify the authority of routers. Host must be configured to a trust anchor. No need to go for RD messages.

Secure Neighbor Discovery Overview (cntd..) Cryptographically Generated Addresses are used to make sure the sender of a ND message is the owner of the claimed address. It also allows a node to use non-cgas with certificates that authorize their use. RSA signature Option allows the Public-key based signatures to be attached to NDP messages the RSA signature option, is used to protect all messages relating to ND and RD.

Secure Neighbor Discovery Overview (cntd..) To Prevent replay attacks, two ND options Timestamp and nonce are introduced. Timestamp is to make sure that unsolicited advertisements and redirects have not been replayed. Nonce is to make sure that an advertisement is fresh response to a solicitation sent earlier by the node.

Types of attacks. Neighbor Solicitation / Advertisement spoofing. Neighbor un reach ability detection failure. Duplicate address detection DoS attacks. Router solicitation and advertisement attacks. Replay Attacks. Neighbor discovery Dos Attack. Attacks against SEND itself.

Neighbor Solicitation / Advertisement spoofing. Attacker approaches router with router solicitation, router inserts a entry in the neighbor cache. Now a node performing DAD for that address stops it because it gets a neighbor solicitation for same address and feels that it is a conflict.

Neighbor Solicitation / Advertisement spoofing. Solution SEND requires nodes to send solicitation messages with RSA signature CGA options, CGA source address which the router can verify and so the neighbor cache binding is correct.

Neighbor Unreachability Detection Failure. An attacker can send a neighbor unreachabiltity detection failure message. SEND counters it by requiring that a node responding to neighbor solicitations sent as a neighbor unreachability detection probes include an RSA signature option and a proof of authorization to use the interface identifier in the address being probed. If these prerequisites are not met the node performing Neighbor unreachability discards the responses.

Duplicate address detection DoS Attacks If a node is performing Duplicate Address Detection then an attacker may send a message to node stating that it has the address. This is countered by SEND in the following way. Neighbor advertisements that are sent as responses to DAD include an RSA signature option and proof of authorization to use the interface identifier. If this is not found then node discards the messages.

Router solicitation and advertisement attacks An attacker may send router advertisement to a node and thus cause harm to node to avoid this SEND requires router advertisement to have a RSA signature that is calculated using the nodes public key. Thus only node can access it and use it. The router proves its authorization by showing a certificate containing the specific prefix that its is allowed or permitted to route.

Replay Attacks Replay attacks are averted using SEND. SEND uses a nonce and timestamp to implement a challenge response mechanism. But a window of vulnerability exists till time stamp expires. Time synchronization can be tampered with thus extending the life of timestamps. So proper security measures must be taken against tampering of time synchronization.

Neighbor discovery DoS attacks. An attacker may bombard the router with packets for fictitious address on the link, causing the router to busy itself by performing neighbor solicitation for addresses that do not exist. SEND does not address this problem as it can be handled by intelligent router management.

Attacks against SEND itself Flooding not prevented. Authorization delegation discovery may be vulnerable to DoS. Attacker may send large number of certification path to be discovered to the router. Attacker may also send large number of certification paths to the node forcing node to spend much time on processing them.

CONCLUSION. Thus we have seen that SEND protocol is used to Secure NDP off flaws and we have also seen the Security threats that SEND deals with

References RFC 3971 ftp://ftp.rfc-editor.org/in-notes/rfc3971.txt

Contact ypradeep4u@yahoo.com Paragwalimbe@yahoo.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback