Advertisement

On the Generation of Fast Verifiable IPv6 Addresses

  • Qianli Zhang
  • Xing Li
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3994)

Abstract

Many network attacks forge the source address in their IP packets to block traceback. This situation does not change much in IPv6 network since IPSEC is not enabled generally and most IP address spoof attacks have taken effect before packets reached destination. Although ingress filtering can be used to validate source addresses, it could only ensure that the network portion of an address is not spoofed. Since subnets are much larger in IPv6, even with RFC 2827-like filtering an adversary can spoof an enormous range of addresses. In this paper, we propose an IPv6 address assignment scheme to generate verifiable IPv6 addresses in one network. With this scheme, router could validate the IPv6 addresses quickly, thus allow all outgoing packets with improper source addresses and all incoming packets with improper destination addresses to be immediately identified. Apart from the obvious merit to counter denial of service attacks, this scheme also make network audit and pricing easier.

Keywords

Source Address Incoming Packet IPv6 Address Service Attack Cryptographic Hash Function 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

References

  1. 1.
    Computer Emergency Response Team. CERT Advisory CA-2000-01 Denial-of-Service Developments (January 2000), http://www.cert.org/advisories/CA-2000-01.html
  2. 2.
    Computer Emergency Response Team. CERT Advisory CA-1998-01 Smurf IP Denial-of-Service Attacks (January 2000), http://www.cert.org/advisories/CA-1998-01.html
  3. 3.
    Schuba, C.L., Krsul, I.V., Kuhn, M.G., Spafford, E.H., Sundaram, A., Zamboni, D.: Analysis of a denial of service attack on TCP. In: Proceedings of IEEE Symposium on Security and Privacy (1997)Google Scholar
  4. 4.
    Ferguson, P., Senie, D.: Network Ingress Filtering: Defeating Denial of Service Attacks Which Employ IP Source Address Spoofing, RFC 2827 (May 2000)Google Scholar
  5. 5.
    Savage, S., Wetherall, D., Karlin, A., Anderson, T.: Network Support for IP Traceback. IEEE/ACM Transactions on Networking 9(3) (June 2001)Google Scholar
  6. 6.
    Madson, C., Glenn, R.: The Use of HMAC-SHA-1-96 within ESP and AH, RFC 2404 (November 1998)Google Scholar
  7. 7.
    Menezes, A.J., van Oorschot, P.C., Vanstone, S.A.: Handbook of Applied Cryptography, p. 265. CRC Press, New York (1997)MATHGoogle Scholar
  8. 8.
    Rivest, R.L., Shamir, A., Adleman, L.M.: A Method for Obtaining Digital Signatures and Public-Key Cryptosystems. Communications of the ACM 21(2), 120–126 (1978)MATHCrossRefMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Qianli Zhang
    • 1
  • Xing Li
    • 1
  1. 1.Tsinghua UniversityBeijingChina

Personalised recommendations