Ahmad AlSadeh: Augmented SEND

Augmented SEND for Early IPv6 Authentication and Authorization

When

Apr 23, 2013 from 04:15 PM to 05:15 PM (Europe/Berlin / UTC+0200)

Where

R 560


SEcure Neighbor Discovery (SEND) extends the IPv6 Neighbor Discovery Protocol (NDP) with security options and messages that protect it against various kinds of attacks. SEND relies on Cryptographically Generated Addresses (CGA) and the RSA Signature Option for address authentication. For router authorization, SEND uses the Authorization Delegation Discovery (ADD) mechanism, which is based on hierarchical X.509 certificates. SEND protects NDP messages against replay attacks by using the Nonce and Timestamp Options.

However, SEND is a security standard without mature implementations, and its deployment is challenging. SEND is computation-intensive and bandwidth-consuming. Additionally, SEND's ADD is theoretical rather than practical. Moreover, SEND itself can be vulnerable to Denial of Service (DoS) and privacy-related attacks. Consequently, SEND needs to be adopted for end users; otherwise, IPv6 local networks will be left vulnerable to various kinds of attacks.

This work tackles the problem of SEND deployment. It makes the following contributions. (i) Develop Windows SEcure Neighbor Discovery (WinSEND), the first SEND implementation for the Windows operating system. (ii) Extend the standard CGA verification algorithm to mitigate DoS attacks: the node discards any NDP message that carries exactly the same CGA parameters and signature as its own, because the probability that two legitimate CGA nodes generate the same interface ID is very low. (iii) Propose Time-based CGA, where the user specifies the desired generation time as an input and the CGA algorithm returns the 'most secure' CGA address it can find within that period. (iv) Propose an extension to CGA that protects the user's privacy. The high cost of CGA generation may keep hosts that use high security values from changing their addresses on a frequent basis, which leaves them subject to privacy-related attacks; CGA can be made more privacy-conscious by changing addresses over time. (v) Pursue the idea of using the Resource Public Key Infrastructure (RPKI) for the ADD mechanism in SEND.
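The following is an added example (not code from the talk or from WinSEND) that shows what contributions (ii) and (iii) mean in terms of the RFC 3972 CGA algorithm. It implements the Hash1/Hash2 computation with SHA-1, a receiver-side verification, a time-budgeted generator that returns the highest Sec value reached before the deadline instead of searching for a fixed Sec, and the cheap "is this my own CGA parameters and signature?" check that precedes any signature verification. The public key bytes and the subnet prefix are constructed placeholders, and extension fields, duplicate address detection and the collision-count retry loop are left out for brevity.

```python
import hashlib
import os
import time

# Constructed sample inputs (not a real key): a stand-in for the DER-encoded
# public key that RFC 3972 hashes, and the 64-bit documentation prefix
# 2001:db8:0:a1::/64.
SAMPLE_PUBLIC_KEY = b"example-rsa-public-key-der-placeholder"
SAMPLE_PREFIX = bytes.fromhex("20010db8000000a1")


def sec_of_modifier(modifier: bytes, public_key: bytes) -> int:
    """Largest Sec (0..7) that this modifier satisfies.

    RFC 3972 Hash2 = leftmost 112 bits of SHA-1(modifier || 9 zero octets || key).
    A modifier is valid for Sec if the leftmost 16*Sec bits of Hash2 are zero.
    """
    hash2 = hashlib.sha1(modifier + bytes(9) + public_key).digest()[:14]
    leading_zero_bits = 0
    for byte in hash2:
        if byte == 0:
            leading_zero_bits += 8
            continue
        leading_zero_bits += 8 - byte.bit_length()
        break
    return min(leading_zero_bits // 16, 7)


def interface_id(modifier, prefix, collision_count, sec, public_key) -> bytes:
    """Hash1 step: leftmost 64 bits of SHA-1(modifier || prefix || collision
    count || key), with Sec written into the three leftmost bits and the
    u and g bits (bits 6 and 7 of the first octet) cleared."""
    digest = hashlib.sha1(
        modifier + prefix + bytes([collision_count]) + public_key
    ).digest()
    iid = bytearray(digest[:8])
    iid[0] = (iid[0] & 0x1F) | (sec << 5)
    iid[0] &= 0xFC
    return bytes(iid)


def time_based_cga(prefix, public_key, budget_seconds, collision_count=0):
    """Time-based CGA: walk through modifiers until the time budget expires
    and return the best (highest Sec) CGA found, instead of taking Sec as
    a fixed input and searching for an unbounded time."""
    deadline = time.monotonic() + budget_seconds
    best_sec, best_modifier = -1, None
    modifier = int.from_bytes(os.urandom(16), "big")  # random start, as RFC 3972
    while True:
        candidate = modifier.to_bytes(16, "big")
        sec = sec_of_modifier(candidate, public_key)
        if sec > best_sec:
            best_sec, best_modifier = sec, candidate
            if sec == 7:
                break
        if time.monotonic() >= deadline:
            break
        modifier = (modifier + 1) % (1 << 128)
    return {
        "sec": best_sec,
        "modifier": best_modifier,
        "interface_id": interface_id(
            best_modifier, prefix, collision_count, best_sec, public_key
        ),
    }


def verify_cga(iid, modifier, prefix, collision_count, public_key) -> bool:
    """Receiver-side check (RFC 3972 Section 5, condensed): the collision
    count must be 0..2, the recomputed interface ID must match, and the
    modifier must satisfy the Sec value the address claims."""
    if collision_count > 2:
        return False
    sec = iid[0] >> 5
    if interface_id(modifier, prefix, collision_count, sec, public_key) != iid:
        return False
    return sec_of_modifier(modifier, public_key) >= sec


def is_own_cga_parameters(received_params_and_sig, own_params_and_sig) -> bool:
    """Extended verification from contribution (ii): a message whose CGA
    parameters and signature are byte-identical to the node's own is
    discarded before any hashing or RSA work is spent on it."""
    return received_params_and_sig == own_params_and_sig


if __name__ == "__main__":
    result = time_based_cga(SAMPLE_PREFIX, SAMPLE_PUBLIC_KEY, budget_seconds=1.0)
    print("Sec reached in 1 s:", result["sec"])
    print("Interface ID:", result["interface_id"].hex())
```

With a one-second budget in CPython this typically reaches Sec 1 (one modifier in 65536 qualifies); each further Sec level multiplies the expected search cost by 65536, which is exactly why a fixed high Sec is impractical for address changes and why the talk proposes a time bound instead.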
