Abstract
Internet Protocol version 6 (IPv6) uses the Neighbor Discovery Protocol (NDP) to find the Media Access Control (MAC) address needed to communicate with hosts in a LAN. Like its predecessor, the Address Resolution Protocol (ARP) in IPv4, NDP is stateless and lacks authentication by default. The traditional spoofing attacks that exploit IP-to-MAC resolution using ARP in IPv4 are also relevant in NDP. By using spoofed MAC addresses, a malicious host can also launch Denial-of-Service (DoS), Man-in-the-Middle (MiTM) and other attacks in an IPv6 network. Although various detection/prevention mechanisms are available for IPv4, many of them are not yet implemented in IPv6, as the protocol is relatively new and only slowly coming into use. A few mechanisms have been proposed for detection/prevention of these attacks in IPv6, but they are either non-scalable or computationally expensive, or they require management of cryptographic keys or a change in the protocol itself. In this paper, we propose an active detection mechanism for NDP-based attacks in IPv6 networks to overcome these problems. Experimental results illustrate the efficacy and performance of the scheme.
Cite this article
Barbhuiya, F.A., Bansal, G., Kumar, N. et al. Detection of neighbor discovery protocol based attacks in IPv6 network. Netw.Sci. 2, 91–113 (2013). https://doi.org/10.1007/s13119-013-0018-2
DOI: https://doi.org/10.1007/s13119-013-0018-2