IMPLEMENTATION OF TRUST NEIGHBOR DISCOVERY ON SECURING IPv6 LINK LOCAL COMMUNICATION

Neighbour Discovery Protocol is a core IPv6 protocol used within the local network to provide functionalities such as Router Discovery and Neighbour Discovery. However, the standard of the protocol does not specify any security mechanism but only recommends the use of either Internet Protocol Security (IPSec) or Secure Neighbor Discovery (SEND) that has drawbacks when used within IPv6 local network. Furthermore, neither is enabled by default in the IPv6 local network; leaving the protocol unsecured. This paper proposes Trust-ND with reduced complexity by combining hard security and soft security approaches to be implemented on securing IPv6 link-local communication. The experimentation results showed that Trust-ND managed to successfully secure the IPv6 Neighbour Discovery. Trust-ND significantly cuts down the time to process NDP messages up to 77.21 ms for solicitation message and 100.732 ms for advertisement message. It also provides additional benefit over regular NDP in terms of data integrity for all Trust-ND messages with the introduction of Trust Option

Risk Analysis of the Implementation of IPv6 Neighbor Discovery in Public Network

Internet is ubiquitous, and in recent times its growth has been exponential. This rapid growth caused the depletion of the current Internet Protocol version 4 (IPv4) address, prompting IETF with the design of the new Internet Protocol version 6 (IPv6) in the 1990’s. IPv6 is the next generation of the Internet Protocol designed with much larger address space and additional functions to ease its use for the users. One of the new functions is address auto configuration of new host’s via Neighbor Discovery Protocol (NDP). However, the implementation of NDP is not without risk in terms of security. This paper analyzes the risk of NDP implementation in public network. The result shows a number of risks that appear on the implementation of NDP over a Public Network. Neighbors cannot be trusted 100%. One of them could be an attacker who may exploit the NDP message to get their own benefit. In addition the number of insiders increases time to time

IPv6: a new security challenge

Tese de mestrado em Segurança Informática, apresentada à Universidade de Lisboa, através da Faculdade de Ciências, 2011O Protocolo de Internet versão 6 (IPv6) foi desenvolvido com o intuito de resolver alguns dos problemas não endereçados pelo seu antecessor, o Protocolo de Internet versão 4 (IPv4), nomeadamente questões relacionadas com segurança e com o espaço de endereçamento disponível. São muitos os que na última década têm desenvolvido estudos sobre os investimentos necessários à sua adoção e sobre qual o momento certo para que o mesmo seja adotado por todos os players no mercado. Recentemente, o problema da extinção de endereçamentos públicos a ser disponibilizado pelas diversas Region Internet registry – RIRs - despertou o conjunto de entidades envolvidas para que se agilizasse o processo de migração do IPv4 para o IPv6. Ao contrário do IPv4, esta nova versão considera a segurança como um objetivo fundamental na sua implementação, nesse sentido é recomendado o uso do protocolo IPsec ao nível da camada de rede. No entanto, e devido à imaturidade do protocolo e à complexidade que este período de transição comporta, existem inúmeras implicações de segurança que devem ser consideradas neste período de migração. O objetivo principal deste trabalho é definir um conjunto de boas práticas no âmbito da segurança na implementação do IPv6 que possa ser utilizado pelos administradores de redes de dados e pelas equipas de segurança dos diversos players no mercado. Nesta fase de transição, é de todo útil e conveniente contribuir de forma eficiente na interpretação dos pontos fortes deste novo protocolo assim como nas vulnerabilidades a ele associadas.IPv6 was developed to address the exhaustion of IPv4 addresses, but has not yet seen global deployment. Recent trends are now finally changing this picture and IPv6 is expected to take off soon. Contrary to the original, this new version of the Internet Protocol has security as a design goal, for example with its mandatory support for network layer security. However, due to the immaturity of the protocol and the complexity of the transition period, there are several security implications that have to be considered when deploying IPv6. In this project, our goal is to define a set of best practices for IPv6 Security that could be used by IT staff and network administrators within an Internet Service Provider. To this end, an assessment of some of the available security techniques for IPv6 will be made by means of a set of laboratory experiments using real equipment from an Internet Service Provider in Portugal. As the transition for IPv6 seems inevitable this work can help ISPs in understanding the threats that exist in IPv6 networks and some of the prophylactic measures available, by offering recommendations to protect internal as well as customers’ networks

Addressless: A New Internet Server Model to Prevent Network Scanning

Eliminating unnecessary exposure is a principle of server security. The huge IPv6 address space enhances security by making scanning infeasible, however, with recent advances of IPv6 scanning technologies, network scanning is again threatening server security. In this paper, we propose a new model named addressless server, which separates the server into an entrance module and a main service module, and assigns an IPv6 prefix instead of an IPv6 address to the main service module. The entrance module generates a legitimate IPv6 address under this prefix by encrypting the client address, so that the client can access the main server on a destination address that is different in each connection. In this way, the model provides isolation to the main server, prevents network scanning, and minimizes exposure. Moreover it provides a novel framework that supports flexible load balancing, high-availability, and other desirable features. The model is simple and does not require any modification to the client or the network. We implement a prototype and experiments show that our model can prevent the main server from being scanned at a slight performance cost

Security Concepts in IPv6 Based Aeronautical Communications

Space scienc

Chapter Security Concepts in IPv6 Based Aeronautical Communications

Space scienc