497 research outputs found

    Integrated Framework For Secure Distributed Management Of Duplicated IPv6 Address Detection

    Stateless address auto-configuration is the primary feature of the IPv6 protocol, which allows hosts to configure IP addresses automatically without the need for any additional services such as DHCPv6

    Denial of Service Attack over Secure Neighbor Discovery (SeND)

    IPv6, the Internet Protocol suite version 6, uses a Neighbor Discovery Protocol (NDP). NDP mainly replaces router discovery and the Address Resolution Protocol (ARP) and thereafter redirects the functions used in IPv4, i.e. the Internet Protocol suite version 4. NDP is a stateless protocol, since it does not need a Dynamic Host Configuration Protocol server for IPv6 nodes to determine the connected hosts and the IPv6 network routers. To add layers of protection to NDP, the SeND (Secure Neighbor Discovery) extension was developed, which provides router authorization, proof of address ownership, and message protection for the protocol. SeND employs CGAs (Cryptographically Generated Addresses) and X.509 certificates. Despite its many advantages, deploying SeND is not easy, and it is still vulnerable to certain DoS (Denial-of-Service) attacks. The components of SeND and its responses to NDP threats are further elaborated in this paper. In addition, an overview of the implementation of SeND, its limitations, existing vulnerabilities, and current deployment challenges is also presented. Furthermore, to test the performance of SeND under a DoS attack, a test bed was implemented and the results are discussed.

    IPv6: a new security challenge

    Master's thesis in Information Security, presented to the Universidade de Lisboa, through the Faculdade de Ciências, 2011.
    The Internet Protocol version 6 (IPv6) was developed to solve some of the problems not addressed by its predecessor, the Internet Protocol version 4 (IPv4), namely issues related to security and to the available address space. Over the last decade, many have studied the investments required for its adoption and the right moment for it to be adopted by all players in the market. Recently, the exhaustion of the public address space made available by the various Regional Internet Registries (RIRs) prompted the entities involved to speed up the migration from IPv4 to IPv6. Unlike IPv4, this new version treats security as a fundamental goal of its implementation, and accordingly the use of the IPsec protocol at the network layer is recommended. However, due to the immaturity of the protocol and the complexity of this transition period, there are numerous security implications that must be considered during the migration. The main objective of this work is to define a set of IPv6 security best practices that can be used by data network administrators and by the security teams of the various players in the market. In this transition phase, it is useful and appropriate to contribute efficiently to the understanding of the strengths of this new protocol as well as of the vulnerabilities associated with it.
    IPv6 was developed to address the exhaustion of IPv4 addresses, but has not yet seen global deployment. Recent trends are now finally changing this picture and IPv6 is expected to take off soon. Contrary to the original, this new version of the Internet Protocol has security as a design goal, for example with its mandatory support for network layer security. However, due to the immaturity of the protocol and the complexity of the transition period, there are several security implications that have to be considered when deploying IPv6. In this project, our goal is to define a set of best practices for IPv6 Security that could be used by IT staff and network administrators within an Internet Service Provider. To this end, an assessment of some of the available security techniques for IPv6 will be made by means of a set of laboratory experiments using real equipment from an Internet Service Provider in Portugal. As the transition to IPv6 seems inevitable, this work can help ISPs in understanding the threats that exist in IPv6 networks and some of the prophylactic measures available, by offering recommendations to protect internal as well as customers’ networks.

    An SDN-Based Authentication Mechanism for Securing Neighbor Discovery Protocol in IPv6

    The Neighbor Discovery Protocol (NDP) is one of the main protocols in the Internet Protocol version 6 (IPv6) suite, and it provides many basic functions for the normal operation of IPv6 in a local area network (LAN), such as address autoconfiguration and address resolution. However, it has many vulnerabilities that can be used by malicious nodes to launch attacks, because the NDP messages are easily spoofed without protection. Surrounding this problem, many solutions have been proposed for securing NDP, but these solutions either proposed new protocols that need to be supported by all nodes or built mechanisms that require the cooperation of all nodes, which is inevitable in the traditional distributed networks. Nevertheless, Software-Defined Networking (SDN) provides a new perspective to think about protecting NDP. In this paper, we proposed an SDN-based authentication mechanism to verify the identity of NDP packets transmitted in a LAN. Using the centralized control and programmability of SDN, it can effectively prevent the spoofing attacks and other derived attacks based on spoofing. In addition, this mechanism needs no additional protocol support or configuration at hosts and routers and does not introduce any dedicated devices.

    IMPLEMENTATION OF TRUST NEIGHBOR DISCOVERY ON SECURING IPv6 LINK LOCAL COMMUNICATION

    Neighbour Discovery Protocol is a core IPv6 protocol used within the local network to provide functionalities such as Router Discovery and Neighbour Discovery. However, the standard of the protocol does not specify any security mechanism but only recommends the use of either Internet Protocol Security (IPSec) or Secure Neighbor Discovery (SEND), which have drawbacks when used within an IPv6 local network. Furthermore, neither is enabled by default in the IPv6 local network, leaving the protocol unsecured. This paper proposes Trust-ND with reduced complexity by combining hard security and soft security approaches to be implemented on securing IPv6 link-local communication. The experimentation results showed that Trust-ND managed to successfully secure the IPv6 Neighbour Discovery. Trust-ND significantly cuts down the time to process NDP messages up to 77.21 ms for solicitation message and 100.732 ms for advertisement message. It also provides additional benefit over regular NDP in terms of data integrity for all Trust-ND messages with the introduction of Trust Option.

    Security Mechanisms For The IPv4 To IPv6 Transition.

    Transition from IPv4 to IPv6 has been made possible through various transition mechanisms, categorized as dual-stack, tunneling and translation. However, the period of transition may take years to complete, during which both protocols will coexist, because the Internet services deployed are widely in IPv4

    A New Router Certification Authority Protocol For Securing Mobile Internet Protocol Version 6

    Mobile Internet Protocol version 6 (Mobile IPv6) has been proposed as a standard protocol to provide mobility in Next Generation Networks

    Moving Target Defense for Securing SCADA Communications

    In this paper, we introduce a framework for building a secure and private peer-to-peer communication used in supervisory control and data acquisition networks with a novel Mobile IPv6-based moving target defense strategy. Our approach aids in combating remote cyber-attacks against peer hosts by thwarting any potential attacks at their reconnaissance stage. The IP address of each host is randomly changed at a certain interval, creating a moving target to make it difficult for an attacker to find the host. At the same time, the peer host is updated through the use of the binding update procedure (standard Mobile IPv6 protocol). Compared with existing results that can incur significant packet-loss during address rotations, the proposed solution is loss-less. Improving privacy and anonymity for communicating hosts by removing permanent IP addresses from all packets is also one of the major contributions of this paper. Another contribution is preventing black hole attacks and bandwidth depletion DDoS attacks through the use of extra paths between the peer hosts. Recovering the communication after rebooting a host is also a new contribution of this paper. Lab-based simulation results are presented to demonstrate the performance of the method in action, including its overheads. The testbed experiments show zero packet-loss rate during handoff delay.