ISSN(Online): 2456-8805
Dr. P. Sumathi et al., International Journal of Advanced Research in Innovative Discoveries in Engineering and Applications[IJARIDEA]
Vol.2, Issue 6,27 December 2017, pg. 1-6
© 2017, IJARIDEA All Rights Reserved
A Survey on IPv6 Secure Link Local Communication Models, Techniques and Tools
Dr. P. Sumathi (1), Dr. Saroj Patel (2), A. Prabhakaran (3)
(1) Assistant Professor, PG & Research, Department of Computer Science, Government Arts College, Coimbatore, India
(2) Associate Professor, Department of Mathematics, Jodhpur National University, Jodhpur, Rajasthan, India
(3) Ph.D. Scholar, Department of Computer Application, Jodhpur National University, Jodhpur, Rajasthan, India
Abstract— The Neighbor Discovery Protocol (NDP) is a protocol in the Internet Protocol suite used with
Internet Protocol version 6 (IPv6). NDP is responsible for auto-configuration of nodes, discovery of
other nodes on the link, determining the network and data link layer addresses of other nodes,
duplicate address detection, finding available routers, address prefix discovery, and maintaining
reachability information about the paths to other active neighbor nodes. If NDP is not secured, the
protection of the local area network can be broken. NDP has some basic protection mechanisms based on
its scope: an NDP message cannot be injected into the network infrastructure from beyond the directly
connected data link layer access networks. This protection is not enough to completely protect the
local area network. Without further security, NDP is vulnerable to various attacks, which can be
categorized as spoofing, Denial of Service (DoS), replay, redirect and rogue routing information
attacks. Secure Neighbor Discovery (SEND) is a newly specified technology that makes use of
Cryptographically Generated Addresses (CGA) to protect NDP, which is used in IPv6 networks to bind the
network layer to the data link layer in the protocol stack. SEND offers three additional features to
NDP: address ownership proof, message protection and a router authorization mechanism. The aim of this
paper is to provide a better understanding of IPv6 secure link-local communication models, techniques
and tools.
Keywords— IPv6, Link-Local Communication, NDP, SEND.
I. INTRODUCTION
The Internet Engineering Task Force (IETF) is the organization responsible for defining the Internet
Protocol standards. When the IETF developed IPv4, the global expansion of the Internet and the current
Internet security issues were not anticipated. In IPv4's original design, network security was given
only minor consideration. The public Internet grew to the point where people in most parts of the
world could connect to it, and many companies connected to the Internet for a variety of applications,
the predominant ones being email and web. In the early 1990s, the IETF realized that a new version of
the Internet Protocol would be needed, and the Task Force started by drafting the new protocol's
requirements. IP Next Generation (IPng) was created. IPv6 is the second network layer standard
protocol, following IPv4, for computer communications across the Internet and other computer networks.
IPv6 offers several compelling functions and is really the next step in the evolution of the Internet
Protocol. Its improvements over its predecessor came in the form of increased address size, a
streamlined header format, extensible headers, and the ability to preserve the confidentiality and
integrity of communications. IPv6 and IPv4 are both network layer protocols, so many of the network
layer vulnerabilities are similar. In addition, because the protocol layers above and below the IP
layer remain the same for either IP version, many of the attacks against those layers will not change.
Because the two protocols are related, the similarities between the protocols can create
similar attack patterns. IPv6 could improve security in some areas, but in other areas it could
also open new threats.
Neighbor Discovery Protocol is one of the main protocols in the IPv6 suite. It is heavily used for
several critical functions such as discovering other existing nodes on the same link, determining
their link-layer addresses, detecting duplicate addresses, finding routers and maintaining
reachability information about paths to active neighbors. Only a few, limited techniques have been
introduced to eliminate threats within Neighbor Discovery Protocol. Internet Protocol Security (IPSec)
is mandatory for IPv6, so it is a logical consequence to use IPSec as a solution for the threats
within Neighbor Discovery Protocol. The IPSec Authentication Header (AH) could be applied to Neighbor
Discovery Protocol Neighbor Solicitation and Neighbor Advertisement messages to secure the
communication between the nodes. Because of the bootstrap problem that arises when using Internet Key
Exchange (IKE) to create the Security Association (SA) for IPSec, the SA can only be configured
manually, which is an impractical and tedious task when the network has a large number of nodes.
[6] discusses a project in which an effective incentive scheme is proposed to stimulate the forwarding
cooperation of nodes in VANETs. In a coalitional game model, every relevant node cooperates in
forwarding messages as required by the routing protocol. This scheme is extended with constrained
storage space. A lightweight approach is also proposed to stimulate the cooperation. As a future
enhancement, we further reduce the length of communication overhead, whereby the link failures can be
reduced.
II. IPV6 SECURE LINK LOCAL COMMUNICATION
The NDP for IPv6 provides the mechanisms required to accomplish Router Discovery, Prefix Discovery,
Parameter Discovery, Address Autoconfiguration, Address Resolution, Next-hop Determination, Neighbor
Unreachability Detection, Duplicate Address Detection, and Redirect. NDP defines a number of new
ICMPv6 messages: Router Solicitation (RS), Router Advertisement (RA), Neighbor Solicitation (NS),
Neighbor Advertisement (NA), and Redirect. During bootstrapping, hosts need to discover routers and
network information and configure their IPv6 interfaces [7]. To accomplish router discovery, the node
sends RS messages to the all-routers multicast address. The response from the routers should be an RA
carrying the expected information. To achieve prefix discovery, a node uses either a manually
configured IPv6 address for each interface or generates a link-local IPv6 address as specified in
RFC 4862 [1]. In addition, DAD (Duplicate Address Detection) must be performed for every address prior
to assigning this address to an interface. DAD consists of sending up to DupAddrDetectTransmits
Neighbor Solicitation messages that carry, in the Target Address field, the address that the node is
checking for duplicates.
The IPv6 source address of the NS is the unspecified address and the destination address is the
solicited-node multicast address of the target. If there is no answer within a certain period of time
then, depending on the value of DupAddrDetectTransmits, another NS is sent or the address is assumed
to be unique, that is, no other node is using the same address. The waiting period and
DupAddrDetectTransmits are defined in RFC 4861 [2] and RFC 4862 [1] respectively, with default values
of 1,000 milliseconds and one respectively. After the node's interfaces are configured, when a node
wants to send a packet to a neighbor, it first sends an NS message to the solicited-node multicast
address in order to resolve the target's link-layer address. One of the most common assumptions about
IPv6 is that it is designed to be secure. Such assumptions are a result of incorporating IPSec
Authentication Headers into the IPv6 protocol suite.
The implementation of a process responsible for securely transporting the keys has eight different
modes of operation. Some key exchanges can be done automatically; others must have a manual element.
One of the goals of autoconfiguration is to have the entire process occur automatically and without
any human interaction. The automatic key exchanges can occur only between hosts with already
established IPv6 addresses. Neighbor Discovery Protocol is not secure, and there is a potential for
breaking the local network protection. Neighbor Discovery Protocol has some basic protection
mechanisms based on its scope. It is a link-local protocol, so the source address must be either
unspecified (::/128) or a link-local address, and the hop limit must be set to 255. Also, routers do
not forward packets with link-local addresses. Thus an NDP message cannot be injected into the network
infrastructure from beyond the directly connected data link layer access networks.
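The scope checks described in this section can be applied by a receiver or a monitoring sensor to raw packets. The following is an added example, not code from the paper or from any of the surveyed tools: it checks the hop limit of 255 on every ND message, the link-local source that RFC 4861 requires for RA and Redirect, and the solicited-node destination of a DAD probe. The function names and the sample packets are constructed for illustration, and the parser assumes that no IPv6 extension headers are present.

```python
import ipaddress
import struct

ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNSPECIFIED = ipaddress.IPv6Address("::")
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node(addr):
    """Solicited-node multicast address: ff02::1:ff plus the low 24 bits of addr."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)


def check_nd_packet(pkt):
    """Return the list of rule violations for one raw IPv6 packet ([] if none).

    Assumption: ICMPv6 directly follows the fixed 40-byte IPv6 header.
    Packets that are not Neighbor Discovery messages are ignored.
    """
    if len(pkt) < 44 or pkt[0] >> 4 != 6 or pkt[6] != 58:
        return []
    name = ND_TYPES.get(pkt[40])
    if name is None:
        return []
    hop_limit = pkt[7]
    src = ipaddress.IPv6Address(pkt[8:24])
    dst = ipaddress.IPv6Address(pkt[24:40])
    problems = []
    # A hop limit below 255 means the packet crossed at least one router.
    if hop_limit != 255:
        problems.append(f"{name}: hop limit {hop_limit}, expected 255")
    # RFC 4861 requires a link-local source for RA and Redirect.
    if name in ("RA", "Redirect") and src not in LINK_LOCAL:
        problems.append(f"{name}: source {src} is not link-local")
    # A DAD probe (NS from ::) must go to the target's solicited-node group.
    if name == "NS" and src == UNSPECIFIED:
        if len(pkt) < 64:
            problems.append("NS: truncated, no Target Address")
        else:
            target = ipaddress.IPv6Address(pkt[48:64])
            if dst != solicited_node(target):
                problems.append(f"NS: DAD probe for {target} sent to {dst}")
    return problems


def build_sample(icmp_type, src, dst, hop_limit, body=b""):
    """Build a constructed IPv6 + ICMPv6 packet (checksum left at zero)."""
    icmp = struct.pack("!BBH", icmp_type, 0, 0) + body
    fixed = struct.pack("!IHBB", 6 << 28, len(icmp), 58, hop_limit)
    return (fixed + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed + icmp)


# Constructed sample traffic, not captured from a real network.
TARGET = "fe80::211:22ff:fe33:4455"
NS_BODY = bytes(4) + ipaddress.IPv6Address(TARGET).packed
SAMPLES = {
    "dad_ok": build_sample(135, "::", "ff02::1:ff33:4455", 255, NS_BODY),
    "dad_wrong_group": build_sample(135, "::", "ff02::1", 255, NS_BODY),
    "ra_routed": build_sample(134, "fe80::1", "ff02::1", 64, bytes(12)),
    "ra_global_src": build_sample(134, "2001:db8::1", "ff02::1", 255, bytes(12)),
}


def audit(samples):
    """Map each sample name to its list of violations."""
    return {name: check_nd_packet(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, problems in audit(SAMPLES).items():
        print(name, problems or "ok")
```

These checks only establish that a message originated on the local link; they say nothing about which on-link node sent it, which is the gap SEND is meant to close.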
III. THREAT AND VULNERABILITY ON IPV6 LINK LOCAL COMMUNICATION
IP Security (IPSec) is a framework of open standards developed by the Internet Engineering Task Force
that provides security for the transmission of sensitive information over unprotected networks such as
the Internet. IPSec acts at the network layer, protecting and authenticating IP packets between
participating IPSec devices. In IPv6, IPSec is implemented using the Authentication Header (AH) and
the ESP extension header. The authentication header provides integrity and authentication of the
source: it protects the integrity of most of the IP header fields and authenticates the source through
a signature-based algorithm. The ESP header provides confidentiality, authentication of the source,
connectionless integrity of the inner packet and limited traffic flow confidentiality. The Internet
Key Exchange (IKE) protocol is a key management protocol standard that is used in conjunction with
IPSec. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features,
flexibility, and ease of configuration for the IPSec standard. IKE is a hybrid protocol that
implements the key exchange inside the Internet Security Association and Key Management Protocol
(ISAKMP) framework; ISAKMP and key exchange are security protocols implemented by IKE. This
functionality is similar to the security gateway model using IPv4 IPSec protection.
IV. SECURE NEIGHBOR DISCOVERY PROTOCOL
Secure Neighbor Discovery (SEND) Protocol is a newly specified technology that makes use of
Cryptographically Generated Addresses (CGA) to protect the NDP, which is used in IPv6 networks to bind
the network layer to the data link layer in the protocol stack. SEND offers three additional features
to NDP: address ownership proof, message protection and a router authorization mechanism. To achieve
these additional features, SEND comes with five new options: CGA Generation, CGA Verification, RSA
Signature, Nonce, and Timestamp [4].
1. CGA Generation
The CGA algorithm takes as input the Public Key, a Modifier (128 bits), the Subnet Prefix (64 bits)
and the Sec value. The cost of creating a new CGA depends on the security parameter Sec, which can
take on values from 0 to 3. If Sec = 0, a CGA can be created from the hash input with a
straightforward algorithm that just computes a suitable hash and embeds it into the address [5]. The
output from the CGA algorithm is a CGA address and a CGA
Parameters. The CGA generation begins with the determination of the address owner's Public
Key and by selecting the proper “Sec” value.
2. CGA Verification
The first step of the verification process is to extract the various parameters from the ICMPv6 CGA
Option. HASH1 and HASH2 are then calculated. With the exception of the 7th and 8th bits
(universal/global bits) and the first three Sec bits, the leftmost 64 bits of HASH1 should be
identical to the interface identifier portion of the IPv6 address.
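CGA generation and verification as described in subsections 1 and 2, written out as an added example following the RFC 3972 procedure; it is not code from the paper or from any surveyed implementation. The public key is a constructed placeholder byte string standing in for a DER-encoded key, the parameter dictionary is an illustrative layout, and duplicate address detection (which would raise the collision count) is left out.

```python
import hashlib
import ipaddress
import os

# Hash1 bits that must match the interface identifier: everything except
# the three Sec bits (bits 0-2) and the u/g bits (the 7th and 8th bits).
MASK1 = 0x1CFFFFFFFFFFFFFF

# Constructed placeholder; a real node uses its DER-encoded public key here.
SAMPLE_PUBKEY = b"constructed stand-in for a DER-encoded RSA public key"


def _sha1(data):
    return hashlib.sha1(data).digest()


def cga_generate(pubkey, prefix, sec=0, modifier=None, ext=b""):
    """Return (address, params) for a /64 prefix and a Sec value of 0..3."""
    if sec not in (0, 1, 2, 3):
        raise ValueError("Sec must be in 0..3")
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("CGA needs a 64-bit subnet prefix")
    prefix_bytes = net.network_address.packed[:8]
    mod = int.from_bytes(modifier if modifier is not None else os.urandom(16), "big")
    # Search for a modifier whose Hash2 starts with 16*Sec zero bits.
    # Sec = 0 accepts the first modifier; every step of Sec multiplies
    # the expected work by 2**16, which is the generation cost.
    while True:
        mod_bytes = mod.to_bytes(16, "big")
        hash2 = _sha1(mod_bytes + bytes(9) + pubkey + ext)[:14]
        if hash2[:2 * sec] == bytes(2 * sec):
            break
        mod = (mod + 1) % (1 << 128)
    params = {"modifier": mod_bytes, "prefix": prefix_bytes,
              "collision_count": 0, "pubkey": pubkey, "ext": ext}
    # Hash1 covers the final modifier, the prefix and the collision count.
    hash1 = _sha1(mod_bytes + prefix_bytes + b"\x00" + pubkey + ext)[:8]
    # Embed Hash1 in the interface identifier, clear u/g, write Sec on top.
    iid = (int.from_bytes(hash1, "big") & MASK1) | (sec << 61)
    address = ipaddress.IPv6Address(prefix_bytes + iid.to_bytes(8, "big"))
    return address, params


def cga_verify(address, params):
    """Check that address is bound to the key and values in params."""
    addr = ipaddress.IPv6Address(address).packed
    if params["collision_count"] not in (0, 1, 2):
        return False
    if params["prefix"] != addr[:8]:
        return False
    body = params["pubkey"] + params["ext"]
    hash1 = _sha1(params["modifier"] + params["prefix"]
                  + bytes([params["collision_count"]]) + body)[:8]
    iid = int.from_bytes(addr[8:], "big")
    if (int.from_bytes(hash1, "big") & MASK1) != (iid & MASK1):
        return False
    # Sec is read from the address itself, so claiming a higher Sec than
    # the one the modifier was searched for fails the Hash2 test.
    sec = iid >> 61
    hash2 = _sha1(params["modifier"] + bytes(9) + body)[:14]
    return hash2[:2 * sec] == bytes(2 * sec)


if __name__ == "__main__":
    addr, params = cga_generate(SAMPLE_PUBKEY, "2001:db8:0:1::/64", sec=1)
    print(addr, cga_verify(addr, params))
```

Verification proves only that the address was derived from the presented public key; any node can generate a valid CGA for its own key, so the check does not establish who the node is.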
3. RSA Signature
SEND uses the RSA Signature option to authenticate the identity of the sender and to prevent an
attacker from spoofing CGA addresses. The public key signatures maintain the integrity of the messages
and authenticate the sender identity. Once the public key is obtained from the CGA Option, the
receiver can use it to decrypt messages encrypted with the corresponding private key. ICMPv6 Option 12
allows us to use RSA digital signatures to establish the authenticity of such packet exchanges. The
Key Hash field contains the leftmost 128 bits of the SHA-1 hash of the public key used for
constructing the signature [8].
4. Timestamp
The Timestamp option provides replay protection and ensures that unsolicited advertisements and
redirects, such as periodic RA and Redirect messages, have not been replayed. The timestamp contains
the time elapsed since Jan 1st, 1970, 00:00 UTC. 48 bits are used for seconds, and 16 bits for 1/64K
seconds. RFC 3971 [3] defines some parameters for adjusting the permissible drift in sender and
receiver clocks.
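The Timestamp option layout and the receiver-side freshness check, as an added example that is not taken from the paper or from a SEND implementation. The option type 13, the delta, fuzz and drift defaults and the two acceptance rules are those of RFC 3971; the class and function names, the peer addresses and the sample times are constructed for illustration.

```python
import struct

# Defaults from RFC 3971.
TIMESTAMP_DELTA = 300.0   # seconds of clock difference tolerated for a new peer
TIMESTAMP_FUZZ = 1.0      # seconds
TIMESTAMP_DRIFT = 0.01    # 1 percent
OPT_TIMESTAMP = 13


def encode_timestamp_option(unix_time):
    """Type, length (2 units of 8 octets), 48 reserved bits, 64-bit timestamp.

    The timestamp holds 48 bits of seconds followed by 16 bits of 1/64K seconds.
    """
    ticks = int(round(unix_time * 65536)) & 0xFFFFFFFFFFFFFFFF
    return struct.pack("!BB6xQ", OPT_TIMESTAMP, 2, ticks)


def decode_timestamp_option(option):
    """Return the timestamp of a 16-byte Timestamp option in seconds."""
    if len(option) != 16:
        raise ValueError("Timestamp option must be 16 bytes")
    opt_type, length, ticks = struct.unpack("!BB6xQ", option)
    if opt_type != OPT_TIMESTAMP or length != 2:
        raise ValueError("not a Timestamp option")
    return ticks / 65536


class TimestampCache:
    """Per-peer record of the last accepted timestamp and its receive time."""

    def __init__(self):
        self._peers = {}  # peer -> (rd_last, ts_last)

    def accept(self, peer, ts_new, rd_new):
        """Return True if a message stamped ts_new and received at rd_new is fresh."""
        last = self._peers.get(peer)
        if last is None:
            # New peer: the sender's clock must be within delta of ours.
            ok = -TIMESTAMP_DELTA < (rd_new - ts_new) < TIMESTAMP_DELTA
        else:
            rd_last, ts_last = last
            # Known peer: the timestamp must have advanced roughly as much
            # as our own clock did, allowing for drift and fuzz.
            ok = (ts_new + TIMESTAMP_FUZZ
                  > ts_last + (rd_new - rd_last) * (1 - TIMESTAMP_DRIFT) - TIMESTAMP_FUZZ)
        # Rejected messages never move the stored values.
        if ok and (last is None or ts_new > last[1]):
            self._peers[peer] = (rd_new, ts_new)
        return ok


def replay_demo(t0=1514332800.0):
    """Run four constructed receptions through the cache and return the verdicts."""
    cache = TimestampCache()
    ra = encode_timestamp_option(t0)                 # periodic RA sent at t0
    fresh = encode_timestamp_option(t0 + 60)         # next RA, a minute later
    stale = encode_timestamp_option(t0 - 600)        # stamped ten minutes in the past
    return [
        cache.accept("fe80::1", decode_timestamp_option(ra), t0 + 0.2),
        cache.accept("fe80::1", decode_timestamp_option(ra), t0 + 60.2),     # replayed copy
        cache.accept("fe80::1", decode_timestamp_option(fresh), t0 + 60.2),
        cache.accept("fe80::2", decode_timestamp_option(stale), t0),          # unknown peer
    ]


if __name__ == "__main__":
    print(replay_demo())
```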
5. Nonce
A nonce is a random or pseudo-random number generated by a node and used exactly once. In the SEND
Protocol, the option is used to prevent replay attacks in solicited messages, such as NS/NA and RS/RA.
The SEND Protocol can use third parties as verifiers of node identity. This process is referred to as
Authentication Delegation Discovery. To begin such a process, a host needs to know a Trust Anchor to
confirm that a given router is authorized to perform router duties. This is a feature without a
corresponding ND function, and to accommodate it the SEND protocol implements two new ICMPv6 message
types: Certification Path Solicitation (CPS) and Certification Path Advertisement (CPA) [9].
V. DISCUSSION ON SECURE LINK LOCAL
Realizing the importance of NDP security, IPv6 has included a security mechanism to protect IP-based
communications. Modern operating systems lack support for the SEND Protocol; the security standard is
without sophisticated implementations [10]. Although Cisco and Juniper have various levels of support
for the SEND Protocol in their routers, no major operating system provides a good level of support.
Current SEND implementations target specific OS distributions. Some of these implementations,
DoCoMo's SeND (send-0.2), NDprotector, Easy-SEND, and Windows Secure Neighbor Discovery (WinSEND), are
done in user space, and others, Native SeND Kernel API for BSD (send-0.3), TrustRouter and
ipv6-send-cga, at the kernel level [11]. Table 1 summarizes the different SEND methods with a brief
description.
TABLE I
SUMMARY OF THE DIFFERENT TYPE OF SEND PROTOCOL METHODS

| Method | First Release | Language Based On | Operating System | Availability (site) |
|---|---|---|---|---|
| DoCoMo's SEND | 2008 | C language | Linux, FreeBSD | Support has been stopped |
| Native SeND Kernel API | 2010 | C language | Linux, FreeBSD | http://p4web.freebsd.org |
| ipv6-send-cga (Huawei and BUPT) | 2009 | C language | Linux | https://code.google.com/p/ipv6-send-cga/ |
| Easy-SEND | 2009 | Java | Linux | http://easy-send.sourceforge.net/ |
| NDprotector | 2011 | Python | Linux | http://amnesiak.org/NDprotector/ |
| WinSEND | 2011 | .NET | Windows | Not supported by Microsoft |
| TrustRouter | 2012 | Python and C | Linux, Windows, Mac OS X | https://github.com/TrustRouter/TrustRouter |
| Cisco IOS 12.4(24)T | 2009 | IOS 12.4T | Cisco Router | http://www.cisco.com/cisco/web/support/index.html |

The SEND Protocol uses two ICMPv6 messages for the router authorization process. All the methods
(Table 1) mainly work in the network layer. All ND messages without the CGA and RSA Signature options
are to be treated as regular ND. There is also an option for specifying which authorization method to
use. The SEND Protocol has a number of disadvantages that have kept this NDP extension from being
widely implemented [12]. The CGA option cannot assure the identity of the real node, and it is also
not sufficient to ensure that the CGA address belongs to the appropriate node. An attacker could steal
an NDP message and change the CGA parameters. Another major disadvantage is that the implementation of
the SEND Protocol results in more processing cycles, which consume CPU on the nodes as well as
bandwidth. Table 2 highlights a summary of mitigation methods for IPv6 security, identifying their
strengths and weaknesses.
TABLE II
STRENGTH AND WEAKNESS OF SEND METHODS

| Method | Strength | Weakness |
|---|---|---|
| DoCoMo's SEND | Operating system user space. Users can verify information related to the internal states and the operations executed by the application and distributed independently. | Limited debugging mode. Implementation does not handle DAD collisions. Processing overhead, effectively prohibiting production deployment in high-speed networking environments. Available only in FreeBSD and DragonFlyBSD. |
| Native SeND Kernel API for BSD | Easy to use and portable. Implementation is completely in user space and self-contained. | Implementation is completely independent of the kernel. And does not handle DAD collisions. No reliability and security. |
| Huawei and BUPT (ipv6-send-cga) | Operating system user-space. ECC algorithm is implemented as an alternative signature algorithm. A simple CRL verification mechanism. | Research prototype, bugs that sometimes could even cause kernel crashes. |
| Easy-SEND | Works as a firewall between the network interface card and the IPv6 stack. | Actual version is limited to the creation of a secure environment for IPv6 nodes. Hosts are not able to participate in the Router Discovery process. |
| NDprotector | The implementation uses the Private Key and adds an RSA signature option. | The implementation is currently limited to Linux platform. |
| WinSEND | The User Interface allows users to set or modify WinSEND input parameters. | Not supported in Windows Operating System. |
| TrustRouter | One-click solution that can be installed on clients running Linux, Mac OS X, and Windows. | TrustRouter does not implement CGAs and does not secure neighbor advertisements. |
| Cisco IOS 12.4(24)T | IPv6 RA Guard, IPv6 ND Inspection mitigates some of the inherent vulnerabilities of duplicate address detection. | Implementation is completely dependent and limited to other Internetworking Operating System (IOS). |

VI. CONCLUSION
NDP is important in IPv6 networks for the address resolution process. Implementations of the SEND
Protocol assume by default that the communication link is safe and reliable, which is not correct in
reality. The biggest issue the protocol faces is with the idea of CGA, given the speed of the
computers currently in use. SEND Protocol is a research prototype focused on protocol correctness;
much remains to be done in hardening the daemon itself against attack and making it more robust and
stable, and it does not offer commercial-grade reliability and security. In addition, not many
detailed instructions for using the SEND protocol are available. The number of manually configured
security associations needed for protecting NDP can be very large, which makes that approach
impractical for most purposes. These threats need to be considered and eliminated. Future research is
needed to overcome the limitations of the proposed mechanism and to find a complete model for the SEND
Protocol.
VII. REFERENCES
[1] Dhanoj Mohan, Rathikarani, Gopakumar, Automation of Ration Shop Using PLC, IJMER, ISSN: 2249-6645, Vol. 3, Issue. 5, Sep - Oct.
2013 pp-2971-297. S. Thomson, T. Narten, and T. Jinmei, “IPv6 Stateless Address Autoconfiguration”, RFC 4862 (Standard), Internet
Engineering Task Force, September 2007. URL https://tools.ietf.org/rfc/rfc4862.txt. Obsoletes RFC 2462.
[2] Narten T., et al., “Neighbor Discovery for IP version 6 (IPv6)”, RFC 4861 (Standard), Internet Engineering Task Force, September
2007. URL https://tools.ietf.org/html/rfc4861. Obsoletes RFC 2461.
[3] J. Arkko, J. Kempf, B. Zill, P. Nikander, “Secure Neighbor Discovery (SEND),” RFC 3971 (Proposed Standard), Internet Engineering
Task Force, March 2005. URL https://tools.ietf.org/html/rfc3971.
[4] J. Arkko, et al., “Securing IPv6 Neighbor and Router Discovery”, WiSE '02 Proceedings of the 1st ACM workshop on Wireless
security, pp. 77-86, Sep. 2002. ISBN: 1-58113-585-8, DOI: 10.1145/570681.570690.
[5] Implementing First Hop-Security in IPv6, Cisco Systems, 2011; Retrieved from www.cisco.com/c/en/us/td/docs/ios/ipv6/configuration/
guide/15_0sy/ipv6_15_0sy_book/ip6-first_hop_security.html.
[6] Christo Ananth, "Incentive Scheme for Stimulation of Forwarding Cooperation of nodes in VANETs ", Rakuten Kobo Inc. Publishing,
Toronto, Canada, ISBN: 978-81-910-751-4-4, October 2017, pp: 12-56.
[7] Wendell Odom, “CCNP ROUTE 642-902”, Pearson Education Inc., Cisco Press, January 2010. pp. 529. ISBN-10: 1-58720-253-0,
ISBN-13: 978-1-58720-253-7.
[8] Weilin Xu et al., “NAPT66-Stateful IPv6-to IPv6 Network Address Port Translation”, Retrieved from
https://code.google.com/p/napt66/. Accessed 20-June-2015.
[9] Xiaoyu Zhao, et al., “A Lightweight AplusP Approach for public IPv4 Address Sharing in IPv6 Environments”, In 5th International
Multi-Conference on Computing in the Global Information Technology (ICCGI), page 256-261, Valencia, Spain, September 20-25, 2010.
Retrieved from http://dx.doi.org/10.1109/ICCGI.2010.21.
[10] Ahmad AlSa'deh, Hosnieh Rafiee, Christoph Meinel, “Secure Neighbor Discovery: A Cryptographic Solution for Securing IPv6 Local
Link Operations,” Chapter 8, pp. 178-196.
[11] A. AlSa’deh and C. Meinel, "Secure Neighbor Discovery: Review, Challenges, Perspectives, and Recommendations," IEEE Security &
Privacy Magazine, vol. 10, no. 4, pp. 26–34, Aug. 2012.
[12] Supriyanto, I.H. Hasbullah, R.J. Murugesan, S. Ramadass, “Survey of IPv6 Link Local Communication Security Vulnerability and
Mitigation Methods,” IETE TECHNICAL REVIEW, vol 30, issue 1, pp. 64-71, Jan-Feb 2013.

More Related Content

PPTX
Implementation & Challenges of IPv6
PDF
IPv6 Implementation challenges
PDF
BasepaperControlling IP Spoofing through Interdomain Packet Filters
DOC
Controlling ip spoofing through inter domain packet filters(synopsis)
PDF
RSA and RC4 Cryptosystem Performance Evaluation Using Image and Text
PDF
50120140507006
PDF
IP spoofing attacks & defence
PDF
A Survey on Generation and Evolution of Various Cryptographic Techniques
Implementation & Challenges of IPv6
IPv6 Implementation challenges
BasepaperControlling IP Spoofing through Interdomain Packet Filters
Controlling ip spoofing through inter domain packet filters(synopsis)
RSA and RC4 Cryptosystem Performance Evaluation Using Image and Text
50120140507006
IP spoofing attacks & defence
A Survey on Generation and Evolution of Various Cryptographic Techniques

What's hot (19)

PDF
Efficient End-to-End Secure Key Management Protocol for Internet of Things
PDF
PDF
IRJET- Data Security in Network Flow using Obfuscation Technique
PDF
AN EXPERIMENTAL STUDY OF IOT NETWORKS UNDER INTERNAL ROUTING ATTACK
PDF
DESIGN OF A SCHEME FOR SECURE ROUTING IN MOBILE AD HOC NETWORKS
PDF
Performance evaluation of Hard and Soft Wimax by using PGP and PKM protocols ...
PDF
An Effective Privacy-Preserving Data Coding in Peer-To-Peer Network
PDF
Design of Hybrid Cryptography Algorithm for Secure Communication
PDF
Whitepaper Deep Packet Inspection
PDF
IRJET- Message Encryption using Hybrid Cryptography
PDF
SECURED TEXT MESSAGE TRANSMISSION IN A WIRELESS COMMUNICATION SYSTEM WITH THE...
PDF
A Novel IP Traceback Scheme for Spoofing Attack
PDF
Multiple intrusion detection in RPL based networks
PDF
IRJET- Data Transmission using RSA Algorithm
PDF
G43053847
PDF
State of the art parallel approaches for
Efficient End-to-End Secure Key Management Protocol for Internet of Things
IRJET- Data Security in Network Flow using Obfuscation Technique
AN EXPERIMENTAL STUDY OF IOT NETWORKS UNDER INTERNAL ROUTING ATTACK
DESIGN OF A SCHEME FOR SECURE ROUTING IN MOBILE AD HOC NETWORKS
Performance evaluation of Hard and Soft Wimax by using PGP and PKM protocols ...
An Effective Privacy-Preserving Data Coding in Peer-To-Peer Network
Design of Hybrid Cryptography Algorithm for Secure Communication
Whitepaper Deep Packet Inspection
IRJET- Message Encryption using Hybrid Cryptography
SECURED TEXT MESSAGE TRANSMISSION IN A WIRELESS COMMUNICATION SYSTEM WITH THE...
A Novel IP Traceback Scheme for Spoofing Attack
Multiple intrusion detection in RPL based networks
IRJET- Data Transmission using RSA Algorithm
G43053847
State of the art parallel approaches for
Ad

Similar to A Survey on IPv6 Secure Link Local Communication Models, Techniques and Tools (20)

PDF
D017131318
PDF
Security Issues in Next Generation IP and Migration Networks
PDF
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
PDF
INE_Assessment_Methodologies_Footprinting_and_Scanning_Course_File.pdf
PDF
PDF
Look at ipv6 security advantages over ipv4
PDF
Implementation of “Traslator Strategy” For Migration of Ipv4 to Ipv6
DOCX
Network Layer
DOCX
Data Communication IPv6, Ethernet, OSI Model, Transmission Impairments
PDF
Paper id 25201418
PPTX
Future protocol IP v6
PDF
Mitigation of Selfish Node Attacks In Autoconfiguration of MANETs
PPTX
main_phase1 _3.pptx
PPTX
IPv6-Architecture.ppt hiikfdryikjhffghiikmh
DOCX
RASHMI VT REPORT
PPT
Ipv4 vs Ipv6 comparison
PPTX
Introduction to IPv6-UoN
PDF
A Survey On Next Generation Internet Protocol IPv6
PDF
Resume-Sarthak P Shetty
PDF
IMPROVING IPV6 ADDRESSING TYPES AND SIZE
D017131318
Security Issues in Next Generation IP and Migration Networks
IJCER (www.ijceronline.com) International Journal of computational Engineerin...
INE_Assessment_Methodologies_Footprinting_and_Scanning_Course_File.pdf
Look at ipv6 security advantages over ipv4
Implementation of “Traslator Strategy” For Migration of Ipv4 to Ipv6
Network Layer
Data Communication IPv6, Ethernet, OSI Model, Transmission Impairments
Paper id 25201418
Future protocol IP v6
Mitigation of Selfish Node Attacks In Autoconfiguration of MANETs
main_phase1 _3.pptx
IPv6-Architecture.ppt hiikfdryikjhffghiikmh
RASHMI VT REPORT
Ipv4 vs Ipv6 comparison
Introduction to IPv6-UoN
A Survey On Next Generation Internet Protocol IPv6
Resume-Sarthak P Shetty
IMPROVING IPV6 ADDRESSING TYPES AND SIZE
Ad

Recently uploaded (20)

PPTX
Welding lecture in detail for understanding
PPTX
Sustainable Sites - Green Building Construction
PPTX
OOP with Java - Java Introduction (Basics)
PDF
Evaluating the Democratization of the Turkish Armed Forces from a Normative P...
PPT
Mechanical Engineering MATERIALS Selection
PDF
July 2025 - Top 10 Read Articles in International Journal of Software Enginee...
PPTX
web development for engineering and engineering
DOCX
ASol_English-Language-Literature-Set-1-27-02-2023-converted.docx
PDF
Operating System & Kernel Study Guide-1 - converted.pdf
PDF
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
PPTX
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
PDF
Enhancing Cyber Defense Against Zero-Day Attacks using Ensemble Neural Networks
PDF
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
DOCX
573137875-Attendance-Management-System-original
PPTX
Lecture Notes Electrical Wiring System Components
PPTX
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
PDF
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
PDF
TFEC-4-2020-Design-Guide-for-Timber-Roof-Trusses.pdf
PDF
Embodied AI: Ushering in the Next Era of Intelligent Systems
PPTX
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
Welding lecture in detail for understanding
Sustainable Sites - Green Building Construction
OOP with Java - Java Introduction (Basics)
Evaluating the Democratization of the Turkish Armed Forces from a Normative P...
Mechanical Engineering MATERIALS Selection
July 2025 - Top 10 Read Articles in International Journal of Software Enginee...
web development for engineering and engineering
ASol_English-Language-Literature-Set-1-27-02-2023-converted.docx
Operating System & Kernel Study Guide-1 - converted.pdf
Mitigating Risks through Effective Management for Enhancing Organizational Pe...
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
Enhancing Cyber Defense Against Zero-Day Attacks using Ensemble Neural Networks
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
573137875-Attendance-Management-System-original
Lecture Notes Electrical Wiring System Components
Infosys Presentation by1.Riyan Bagwan 2.Samadhan Naiknavare 3.Gaurav Shinde 4...
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
TFEC-4-2020-Design-Guide-for-Timber-Roof-Trusses.pdf
Embodied AI: Ushering in the Next Era of Intelligent Systems
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx

A Survey on IPv6 Secure Link Local Communication Models, Techniques and Tools

  • 1. ISSN(Online): 2456-8805 Dr. P. Sumathi et al., International Journal of Advanced Research in Innovative Discoveries in Engineering and Applications[IJARIDEA] Vol.2, Issue 6,27 December 2017, pg. 1-6 © 2017, IJARIDEA All Rights Reserved 1 A Survey on IPv6 Secure Link Local Communication Models, Techniques and Tools Dr. P. Sumathi1 , Dr. Saroj Patel2 , A. Prabhakaran3 1 Assistant Professor, PG & Research, Department of Computer Science, Government Arts College, Coimbatore, India 2 Associate Professor, Department of Mathematics, Jodhpur National University Jodhpur, Rajasthan, India 3 Ph.D. Scholar, Department of Computer Application, Jodhpur National University, Jodhpur, Rajasthan, India Abstract— The Neighbor Discovery Protocol (NDP) is a protocol in the Internet Protocol suite used with Internet Protocol Version (IPv6). The major responsible for NDP is auto-configuration of nodes, discovery of other nodes on the link, determining the network and data link layer addresses of other nodes, detect duplicate address detection, finding available routers, address prefix discovery, and maintaining reachability information about the paths to other active neighbor nodes. If NDP is not secure and there is a potential for breaking the local area network protection. NDP has some basic protection mechanisms based on the scope of NDP. Neighbor Discovery Protocol message cannot be injected into the network infrastructure from beyond the directly connected data link layer access networks. This protection shield is not enough to completely protect local area network. Therefore without securing NDP vulnerable to various attacks which can be categorized as spoofing, Denial of Service (DoS), Replay, Redirect and Rogue routing information attacks. SEND is a newly specified technology that makes use of Cryptographically Generated Addresses (CGA) to protect the NDP that is used in IPv6 networks to bind the network layer to the data link layer in the protocol stack. 
Secure Neighbor Discovery (SEND) Protocol offers three additional features to NDP address ownership proof, message protection and a router authorization mechanism. The aim of this paper is to provide a better understanding IPv6 Secure Link Local communication Models, Techniques and Tools. Keywords— IPv6, Link-Local Communication, NDP, SEND. I. INTRODUCTION The Internet Engineering Task Force (IETF) is the organization that is responsible for defining the Internet Protocol standards. When the IETF developed IPv4, the global expansion of the Internet and the current Internet security issues were not anticipated. In IPv4 original design, network security was only given minor consideration. The public Internet grew to the point where people in most parts of the world could connect to the Internet, many companies connected to the Internet for a variety of applications, with the predominate applications being email and web. In the early 1990s, the IETF realized that a new version of Internet Protocol would be needed, and the Task Force started by drafting the new protocol's requirements. IP Next Generation (IPng) was created. IPv6 is the second network layer standard protocol that follows IPv4 for computer communications across the Internet and other computer networks. IPv6 offers several compelling functions and is really the next step in the evolution of the Internet Protocol. These improvements came in the form of increased address size, a streamlined header format, extensible headers, and the ability to preserve the confidentiality and integrity of communications. IPv6 provides several improvements over its predecessor. IPv6 and IPv4 are both network layer protocols, many of the network layer vulnerabilities are therefore similar. However, because the protocol layers above and below the IP layer remain the same for either IP version, many of those attacks will not change. Because the two protocols are related, the similarities between the protocols can create
similar attack patterns. IPv6 could improve security in some areas, but in other areas it could also open new threats.

Neighbor Discovery Protocol is one of the main protocols in the IPv6 suite. It is heavily used for several critical functions such as discovering other existing nodes on the same link, determining their link-layer addresses, detecting duplicate addresses, finding routers and maintaining reachability information about paths to active neighbors. Only a few, limited techniques have been introduced to eliminate threats within Neighbor Discovery Protocol. Internet Protocol Security (IPSec) is mandatory for IPv6, so it is a logical consequence to use IPSec as a solution for the threats within Neighbor Discovery Protocol. The IPSec Authentication Header (AH) could be implemented with NDP Neighbor Solicitation and Neighbor Advertisement messages to secure the communication between the nodes. However, because a bootstrap problem arises when using Internet Key Exchange (IKE) to create the IPSec Security Association (SA), the SA can only be configured manually, which is an impractical and tedious task when the network has a large number of nodes.

[6] discussed a project in which an effective incentive scheme is proposed to stimulate the forwarding cooperation of nodes in VANETs. In a coalitional game model, every relevant node cooperates in forwarding messages as required by the routing protocol. This scheme is extended with constrained storage space. A lightweight approach is also proposed to stimulate the cooperation. As a future enhancement, the length of the communication overhead is to be reduced further, and thereby link failures can be reduced.

II. IPV6 SECURE LINK LOCAL COMMUNICATION

The NDP for IPv6 provides the mechanisms required to accomplish Router Discovery, Prefix Discovery, Parameter Discovery, Address Autoconfiguration, Address Resolution, Next-hop Determination, Neighbor Unreachability Detection, Duplicate Address Detection, and Redirect. NDP defines a number of new ICMPv6 messages: Router Solicitation (RS), Router Advertisement (RA), Neighbor Solicitation (NS), Neighbor Advertisement (NA), and Redirect. During bootstrapping, hosts need to discover routers and network information and configure their IPv6 interfaces [7]. To accomplish router discovery, the node sends RS messages to the all-routers multicast address. The response from the routers should be an RA carrying the expected information. To achieve prefix discovery, a node either uses a manually configured IPv6 address for each interface or generates a link-local IPv6 address as specified in RFC 4862 [1].

In addition, DAD (Duplicate Address Detection) must be performed for every address prior to assigning this address to an interface. DAD consists of sending up to DupAddrDetectTransmits Neighbor Solicitation messages that carry, in the Target Address field, the address that the node is checking for duplicates. The IPv6 source address of the NS is the unspecified address and the destination address is the solicited-node multicast address of the target. If there is no answer within a certain period of time then, depending on the value of DupAddrDetectTransmits, either another NS is sent or the address is assumed to be unique, meaning that no other node is using the same address. The waiting period and DupAddrDetectTransmits are defined in RFC 4861 [2] and RFC 4862 [1] respectively, with default values of 1,000 milliseconds and one respectively. After the node's interfaces are configured, when a node wants to send a packet to a neighbor, it first sends an NS message to the solicited-node multicast address in order to resolve the target's link-layer address.
One of the most common assumptions about IPv6 is that it is designed to be secure. Such assumptions are a result of incorporating IPSec Authentication Headers into the IPv6 protocol suite.
The implementation of a process responsible for securely transporting the keys has eight different modes of operation. Some key exchanges can be done automatically; others must have a manual element. One of the goals of autoconfiguration is to have the entire process occur automatically and without any human interaction. The automatic key exchanges can occur only between hosts with already established IPv6 addresses.

Neighbor Discovery Protocol is not secure, and there is a potential for breaking the local network protection. NDP has some basic protection mechanisms based on its scope. It is a link-local protocol, so the source address must be either unspecified (::/128) or a link-local address, and the hop limit must be set to 255. Also, routers do not forward packets with link-local addresses. Thus NDP messages cannot be injected into the network infrastructure from beyond the directly connected data link layer access networks.

III. THREAT AND VULNERABILITY ON IPV6 LINK LOCAL COMMUNICATION

IP Security (IPSec) is a framework of open standards developed by the Internet Engineering Task Force that provides security for the transmission of sensitive information over unprotected networks such as the Internet. IPSec acts at the network layer, protecting and authenticating IP packets between participating IPSec devices. In IPv6, IPSec is implemented using the Authentication Header (AH) and the ESP extension header. The Authentication Header provides integrity and authentication of the source. It protects the integrity of most of the IP header fields and authenticates the source through a signature-based algorithm.
The ESP header provides confidentiality, authentication of the source, connectionless integrity of the inner packet and limited traffic flow confidentiality. The Internet Key Exchange (IKE) protocol is a key management protocol standard that is used in conjunction with IPSec. IPSec can be configured without IKE, but IKE enhances IPSec by providing additional features, flexibility, and ease of configuration for the IPSec standard. IKE is a hybrid protocol that implements the key exchange inside the Internet Security Association Key Management Protocol (ISAKMP) framework; ISAKMP and the key exchange are security protocols implemented by IKE. This functionality is similar to the security gateway model using IPv4 IPSec protection.

IV. SECURE NEIGHBOR DISCOVERY PROTOCOL

Secure Neighbor Discovery (SEND) Protocol is a newly specified technology that makes use of Cryptographically Generated Addresses (CGA) to protect the NDP that is used in IPv6 networks to bind the network layer to the data link layer in the protocol stack. SEND offers three additional features to NDP: address ownership proof, message protection and a router authorization mechanism. To achieve these additional features, SEND comes with five new options: CGA Generation, CGA Verification, RSA Signature, Nonce, and Timestamp [4].

1. CGA Generation
The CGA algorithm takes as input values a Public Key, a Modifier (128 bits), a Subnet Prefix (64 bits) and a Sec value. The cost of creating a new CGA depends on the security parameter Sec, which can take on values from 0 to 3. If Sec = 0, a CGA can be created from the hash input with a straightforward algorithm that just computes a suitable hash and embeds it into the address [5]. The output from the CGA algorithm is a CGA address and a CGA
Parameters. The CGA generation begins with determining the address owner's Public Key and selecting the proper Sec value.

2. CGA Verification
The first step of the verification process is to extract the various parameters from the ICMPv6 CGA Option. HASH1 and HASH2 are then calculated. With the exception of the 7th and 8th bits (the universal/global bits) and the first three bits (the Sec bits), the leftmost 64 bits of HASH1 should be identical to the interface identifier portion of the IPv6 address.

3. RSA Signature
SEND uses the RSA Signature option to authenticate the identity of the sender and to prevent an attacker from spoofing CGA addresses. The public key signatures maintain the integrity of the messages and authenticate the sender identity. Once the public key is obtained from the CGA Option, the receiver can use it to decrypt messages encrypted with the corresponding private key. ICMPv6 Option 12 allows RSA digital signatures to be used to establish the authenticity of such packet exchanges. Key Hash: the leftmost 128 bits of the SHA-1 hash of the public key used for constructing the signature [8].

4. Timestamp
The Timestamp option provides replay protection and ensures that unsolicited advertisements and redirects, such as periodic RA and Redirect messages, have not been replayed. The timestamp contains the time elapsed since Jan 1st, 1970, 00:00 UTC. 48 bits are used for seconds, and 16 bits for 1/64K seconds. RFC 3971 [3] defines some parameters for adjusting the permissible drift between sender and receiver clocks.

5. Nonce
A random or pseudo-random number generated by a node and used exactly once. In the SEND Protocol, the option is used to prevent replay attacks in solicited messages, such as NS/NA and RS/RA.
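The generation and verification steps in items 1 and 2, as an added Python example that is not part of the original paper or of any SEND implementation it surveys. It follows the hash construction of RFC 3972 (SHA-1, extension fields omitted); the function names and the placeholder public key are assumptions made for the illustration, and proof of key possession is left to the RSA Signature option.

```python
import hashlib
import ipaddress
import secrets

# Constructed stand-in for a DER-encoded public key. CGA hashes the key as
# opaque bytes, so the address binding can be shown without a real RSA key.
SAMPLE_PUBLIC_KEY = b"constructed-public-key-placeholder" * 4


def hash2_ok(modifier: bytes, public_key: bytes, sec: int) -> bool:
    """HASH2 = leftmost 112 bits of SHA-1(modifier | 9 zero octets | key).
    Its leftmost 16*Sec bits must all be zero."""
    hash2 = hashlib.sha1(modifier + bytes(9) + public_key).digest()[:14]
    return hash2[:2 * sec] == bytes(2 * sec)


def interface_id(modifier, prefix, collisions, public_key, sec) -> bytes:
    """HASH1 = leftmost 64 bits of SHA-1 over the CGA Parameters, with Sec
    written into the three leftmost bits and the u/g bits (7th, 8th) cleared."""
    data = modifier + prefix + bytes([collisions]) + public_key
    hash1 = bytearray(hashlib.sha1(data).digest()[:8])
    hash1[0] = (hash1[0] & 0x1C) | (sec << 5)
    return bytes(hash1)


def generate_cga(prefix: bytes, public_key: bytes, sec: int):
    """Return (IPv6Address, CGA Parameters) for a 64-bit subnet prefix."""
    if len(prefix) != 8 or not 0 <= sec <= 7:   # Sec is a three-bit field
        raise ValueError("need an 8-byte prefix and a 3-bit Sec value")
    modifier = secrets.randbits(128)
    # Brute-force search: the work grows by a factor of 2**16 per Sec step.
    while not hash2_ok(modifier.to_bytes(16, "big"), public_key, sec):
        modifier = (modifier + 1) % (1 << 128)
    params = {"modifier": modifier.to_bytes(16, "big"), "prefix": prefix,
              "collisions": 0, "public_key": public_key}
    iid = interface_id(params["modifier"], prefix, 0, public_key, sec)
    return ipaddress.IPv6Address(prefix + iid), params


def verify_cga(address, params) -> bool:
    """Receiver side: recompute both hashes from the CGA Parameters."""
    raw = ipaddress.IPv6Address(address).packed
    prefix, iid = raw[:8], raw[8:]
    if params["collisions"] not in (0, 1, 2) or params["prefix"] != prefix:
        return False
    sec = iid[0] >> 5                      # Sec is read from the address itself
    expected = interface_id(params["modifier"], prefix,
                            params["collisions"], params["public_key"], sec)
    if bytes([iid[0] & 0xFC]) + iid[1:] != expected:   # ignore the u/g bits
        return False
    return hash2_ok(params["modifier"], params["public_key"], sec)


if __name__ == "__main__":
    link_local = bytes.fromhex("fe80000000000000")
    addr, params = generate_cga(link_local, SAMPLE_PUBLIC_KEY, sec=1)
    print(addr, "verifies:", verify_cga(addr, params))
    forged = dict(params, public_key=b"constructed-other-key")
    print("same address, different key verifies:", verify_cga(addr, forged))
```
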
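The Timestamp option of item 4, as an added Python example that is not from the paper: it packs the 48-bit/16-bit field and applies the receiver-side check of RFC 3971 with that RFC's default Delta, Fuzz and Drift values. The class and function names, peer addresses and times are constructed for the illustration.

```python
import struct

# Defaults from RFC 3971 for the timestamp check.
TIMESTAMP_DELTA = 300.0   # seconds allowed between sender and receiver clocks
TIMESTAMP_FUZZ = 1.0      # seconds of tolerated jitter
TIMESTAMP_DRIFT = 0.01    # 1 % permissible clock drift


def encode_timestamp(seconds_since_epoch: float) -> bytes:
    """Pack the 64-bit field: 48 bits of seconds, 16 bits of 1/64K seconds."""
    return struct.pack("!Q", int(seconds_since_epoch * 65536))


def decode_timestamp(field: bytes) -> float:
    """Unpack the 64-bit field back into seconds since the epoch."""
    return struct.unpack("!Q", field)[0] / 65536


class TimestampCache:
    """Per-peer record of the last accepted timestamp (TSlast) and the local
    time at which it was received (RDlast)."""

    def __init__(self):
        self.peers = {}

    def accept(self, peer: str, field: bytes, received_at: float) -> bool:
        ts_new = decode_timestamp(field)
        last = self.peers.get(peer)
        if last is None:
            # New peer: the timestamp only has to be close to our own clock.
            if abs(received_at - ts_new) >= TIMESTAMP_DELTA:
                return False
            self.peers[peer] = (received_at, ts_new)
            return True
        rd_last, ts_last = last
        # Known peer: the sender's clock must have advanced roughly as much
        # as ours since the last accepted message.
        elapsed = (received_at - rd_last) * (1 - TIMESTAMP_DRIFT)
        if ts_new + TIMESTAMP_FUZZ <= ts_last + elapsed - TIMESTAMP_FUZZ:
            return False
        if ts_new > ts_last:
            self.peers[peer] = (received_at, ts_new)
        return True


def demo():
    """Constructed sequence: a periodic RA, a replay of it, then a fresh RA."""
    cache = TimestampCache()
    router = "fe80::1"                        # constructed peer address
    first = encode_timestamp(1000.0)
    return [
        cache.accept(router, first, received_at=1000.2),     # fresh
        cache.accept(router, first, received_at=1060.0),     # replayed later
        cache.accept(router, encode_timestamp(1060.1), received_at=1060.3),
        cache.accept("fe80::2", first, received_at=2000.0),  # stale, new peer
    ]


if __name__ == "__main__":
    print(demo())
```
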
SEND Protocol can use third parties as verifiers of node identity. This process is referred to as the Authentication Delegation Discovery. To begin such a process, a host needs to know a Trust Anchor to confirm that a given router is authorized to perform router duties. This is a feature without a corresponding ND function, and to accommodate it the SEND protocol implements two new ICMPv6 message types: Certification Path Solicitation (CPS) and Certification Path Advertisement (CPA) [9].

V. DISCUSSION ON SECURE LINK LOCAL

Realizing the importance of NDP security, IPv6 has included a security mechanism to protect IP-based communications. Modern operating systems lack support for the SEND Protocol, and the security standard is without sophisticated implementations [10]. Although Cisco and Juniper have various levels of support for the SEND Protocol in their routers, no major operating system provides a good level of support. Current SEND implementations target specific OS distributions. Some of these implementations, namely DoCoMo's SeND (send-0.2), NDprotector, Easy-SEND, and Windows Secure Neighbor Discovery (WinSEND), run in user space, while others, namely Native SeND Kernel API for BSD (send-0.3), TrustRouter and ipv6-send-cga, run at the kernel level [11]. Table 1 summarizes the different types of SEND methods with a brief description.

TABLE I
SUMMARY OF THE DIFFERENT TYPE OF SEND PROTOCOL METHODS

Method | First Release | Language Based On | Operating System | Availability (site)
DoCoMo's SEND | 2008 | C | Linux, FreeBSD | Support has been stopped
Native SeND Kernel API | 2010 | C | Linux, FreeBSD | http://p4web.freebsd.org
ipv6-send-cga (Huawei and BUPT) | 2009 | C | Linux | https://code.google.com/p/ipv6-send-cga/
Easy-SEND | 2009 | Java | Linux | http://easy-send.sourceforge.net/
ND Protector | 2011 | Python | Linux | http://amnesiak.org/NDprotector/
WinSEND | 2011 | .NET | Windows | Not supported by Microsoft
TrustRouter | 2012 | Python and C | Linux, Windows, Mac OS X | https://github.com/TrustRouter/TrustRouter
Cisco IOS 12.4(24)T | 2009 | IOS 12.4T | Cisco Router | http://www.cisco.com/cisco/web/support/index.html

The SEND Protocol uses two ICMPv6 messages for the router authorization process. All the methods (Table 1) mainly work in the network layer. All ND messages without the CGA and RSA Signature options are to be treated as regular ND. There is also an option for specifying which authorization method is used. The SEND Protocol has a number of disadvantages that have kept this NDP extension from being widely implemented [12]. The CGA option cannot assure the identity of the real node, and it is also not sufficient to ensure that the CGA address belongs to the appropriate node. An attacker could steal an NDP message and change the CGA parameters. Another major disadvantage is that the implementation of the SEND Protocol results in more processing cycles, which consume the CPU of nodes as well as bandwidth. Table 2 highlights a summary of mitigation methods on IPv6 security, identifying their strengths and weaknesses.

TABLE II
STRENGTH AND WEAKNESS OF SEND METHODS
(columns: Method, Strength, Weakness)

DoCoMo's SEND: Operating system user space. Users can verify information related to the internal states and the operations executed by the application and distributed independently. Limited debugging mode. Implementation does not handle DAD collisions. Processing overhead, effectively prohibiting production deployment in high-speed networking environments. Available only in FreeBSD and DragonFlyBSD.
Native SeND Kernel API for BSD: Easy to use and portable. Implementation is completely in user space and self-contained. Implementation is completely independent of the kernel. And does not handle DAD collisions. No reliability and security.
Huawei and BUPT (ipv6-send-cga): Operating system user-space. ECC algorithm is implemented as an alternative signature algorithm. A simple CRL verification mechanism. Research prototype, bugs that sometimes could even cause kernel crashes.
Easy-SEND: Works as a firewall between the network interface card and the IPv6 stack. Actual version is limited to the creation of a secure environment for IPv6 nodes. Hosts are not able to participate in the Router Discovery process.
NDprotector: The implementation uses the Private Key and adds an RSA signature option. The implementation is currently limited to Linux platform.
WinSEND: The User Interface allows users to set or modify WinSEND input parameters. Not supported in Windows Operating System.
TrustRouter: One-click solution that can be installed on clients running Linux, Mac OS X, and Windows. TrustRouter does not implement CGAs and does not secure neighbor advertisements.
Cisco IOS 12.4(24)T: IPv6 RA Guard, IPv6 ND Inspection mitigates some of the inherent vulnerabilities of duplicate address detection. Implementation is completely dependent and limited to other Internetworking Operating System (IOS).

VI. CONCLUSION

NDP is important in IPv6 networks for the address resolution process. Implementations of the SEND Protocol assume by default that the communication link is safe and reliable, which is not correct in reality, and the protocol's biggest issue lies with the idea of CGA, given the speed of the computers currently in use. SEND Protocol is a research prototype that has focused on protocol correctness; much remains to be done in hardening the daemon itself against attack and in making it more robust and stable, and it does not offer commercial-grade reliability and security. In addition, not many detailed instructions for using the SEND Protocol are available. The number of manually configured security associations needed for protecting NDP can be very large, which makes that approach impractical for most purposes. These threats need to be considered and eliminated. Future research is needed in order to overcome the limitations of the proposed mechanism and to find a complete model for the SEND Protocol.

VII. REFERENCES

[1] Dhanoj Mohan, Rathikarani, Gopakumar, "Automation of Ration Shop Using PLC", IJMER, ISSN: 2249-6645, Vol. 3, Issue 5, Sep-Oct. 2013, pp. 2971-297. S. Thomson, T. Narten, and T. Jinmei, "IPv6 Stateless Address Autoconfiguration", RFC 4862 (Standard), Internet Engineering Task Force, September 2007. URL https://tools.ietf.org/rfc/rfc4862.txt. Obsoletes RFC 2462.
[2] T. Narten, et al., "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861 (Standard), Internet Engineering Task Force, September 2007. URL https://tools.ietf.org/html/rfc4861. Obsoletes RFC 2461.
[3] J. Arkko, J. Kempf, B. Zill, P. Nikander, "Secure Neighbor Discovery (SEND)", RFC 3971 (Proposed Standard), Internet Engineering Task Force, March 2005. URL https://tools.ietf.org/html/rfc3971.
[4] J. Arkko, et al., "Securing IPv6 Neighbor and Router Discovery", WiSE '02 Proceedings of the 1st ACM Workshop on Wireless Security, pp. 77-86, Sep. 2002. ISBN: 1-58113-585-8, DOI: 10.1145/570681.570690.
[5] "Implementing First Hop Security in IPv6", Cisco Systems, 2011. Retrieved from www.cisco.com/c/en/us/td/docs/ios/ipv6/configuration/guide/15_0sy/ipv6_15_0sy_book/ip6-first_hop_security.html.
[6] Christo Ananth, "Incentive Scheme for Stimulation of Forwarding Cooperation of nodes in VANETs", Rakuten Kobo Inc. Publishing, Toronto, Canada, ISBN: 978-81-910-751-4-4, October 2017, pp. 12-56.
[7] Wendell Odom, "CCNP ROUTE 642-902", Pearson Education Inc., Cisco Press, January 2010, pp. 529. ISBN-10: 1-58720-253-0, ISBN-13: 978-1-58720-253-7.
[8] Weilin Xu et al., "NAPT66: Stateful IPv6-to-IPv6 Network Address Port Translation". Retrieved from https://code.google.com/p/napt66/. Accessed 20-June-2015.
[9] Xiaoyu Zhao, et al., "A Lightweight AplusP Approach for public IPv4 Address Sharing in IPv6 Environments", in 5th International Multi-Conference on Computing in the Global Information Technology (ICCGI), pp. 256-261, Valencia, Spain, September 20-25, 2010. Retrieved from http://dx.doi.org/10.1109/ICCGI.2010.21.
[10] Ahmad AlSa'deh, Hosnieh Rafiee, Christoph Meinel, "Secure Neighbor Discovery: A Cryptographic Solution for Securing IPv6 Local Link Operations", Chapter 8, pp. 178-196.
[11] A. AlSa'deh and C. Meinel, "Secure Neighbor Discovery: Review, Challenges, Perspectives, and Recommendations", IEEE Security & Privacy Magazine, vol. 10, no. 4, pp. 26-34, Aug. 2012.
[12] Supriyanto, I.H. Hasbullah, R.J. Murugesan, S. Ramadass, "Survey of IPv6 Link Local Communication Security Vulnerability and Mitigation Methods", IETE Technical Review, vol. 30, issue 1, pp. 64-71, Jan-Feb 2013.