551
Su-Kit Tang¹, Kai-Hau Yeung², Kin-Yeung Wong¹
¹ School of Public Administration, Macao Polytechnic Institute, China
² Department of Electronic Engineering, City University of Hong Kong, China
[email protected], [email protected], [email protected]
protocols in IPv6 networks, a solution called Secure paper. Unlike the previous solutions that mainly use the
The major merit of SAC6 is that its operations are transparent to the network and do not require the
resource requirements.
infrastructure. systems. The experiment results show that SAC6 can successfully protect the network nodes from various kinds
in a network. Examples of this kind of protocols are
server centrally administers the IPv6 addresses in the network.
ports are only for network infrastructure devices such as of ports is to separate the network nodes from infrastructure
minimizes the amount of address administrative work.
02-Tang.indd 551
2012/7/25 01:37:44 PM
[Table: Protocols / Attacks / Consequences]
Non-existent node is reported on-link
Victim cannot set up its IP address
Replay attack: Victim is stuffed with out-dated information
solicitation
Malicious router: Victim selects attacker as its default router
No default router is found on the link
Victim thinks the prefix is on-link, so that it doesn't use default router
used
Replay attack: Victim is stuffed with out-dated information
Resource starvation
nodes
Replay attack: Victim is stuffed with out-dated information
nodes connected to the NN ports are suspicious, whereas
Recall that, in IPv6 networks, each network node has a
Link-layer address (also called MAC address): It is a IPv6 global address [4] IPv6 link-local address [16]
must not forward any packets with link-local source or destination addresses to other links. Link-local addresses with its IPv6 address in SAC6, which is illustrated in
SAC6 operations are transparent to them. Besides, the router is not aware of the existence of SAC6 and announces As directly connected to network nodes, SAC6 can
will keep the network information.
implemented SAC6 as a kernel module in a Linux
To verify the correctness of SAC6, the scenario shown in if there is no reply, the node will turn its tentative link-local address into its preferred link-local address.
will store the link-local address locally for that node. In
network information.
network node. A network node is then setup with its link-
and connectivity of its network nodes and maintains the
network node, SAC6 will reply with network information

if NS then
    if ARP or NUD then
        reply with NA
    else if DAD then
        add link-local address to address table
    end if
else if NA then
    refresh the status of the node
else if RS then
    reply with network info (RA)
else if RA then
    update network info
else
    // NDP messages out of scope
end if
attack is launched from remote networks, which is out of experiment. It is shown that all platforms suffer from all
[Table: Attacks successfully launched to Linux, Vista and SAC6; columns: Protocol, Attacks, Linux, Vista, SAC6]
Attack rows recovered: Replay attack; Malicious router; Spoofed redirect; Replay attack; Resource starvation; Replay attack
Cell values in extraction order (64 entries): Yes ×16, - ×4, Yes ×32, - ×3, Yes, - ×3, Yes, - ×3, Yes
The operation of SAC6 is transparent to the router and
risk. In addition, if the amount of resource SAC6 needs in
To evaluate SAC6, we implemented it in a Linux

References
Bootstrap protocol (BOOTP)
Simpson, Neighbor discovery for IP version 6 (IPv6)
Stateless
Perkins and Mike Carney, protocol for IPv6 (DHCPv6)
IPv6 neighbor discovery (ND) trust models and threats
Cryptographically generated addresses (CGA)
new IPv6 address space with the drivers of Internet
Securing IPv6 Neighbor Discovery Using Address Based Keys (ABKs)
Nikander, SEcure neighbor discovery (SEND)
Markku Rossi, Manual Configuration of Security Associations for IPv6 Neighbor Discovery
Robust Header Compression, Journal of Information Processing Systems
Quantum Entanglement and Non-locality Based Secure Computation for Future Communication, IET Information Security
Early Security Key Exchange for Encryption in Mobile IPv6 Handoff, Security and Communication Networks
Building Secure Network Infrastructure for LANs, The IPSI Transactions on Advanced Research
SAC6 Infrastructure requirement store addresses of network node is needed.
or maintenance costs
infrastructure support is needed.
joins the network. switch is needed. node joins a network. maintenance is needed to
even though it is computationally expensive, especially on routers.
computationally expensive, especially on routers.
needed. seamlessly and easily to
the switches. Limitations with normal switches in a
create security hole.
Internet protocol version 6 (IPv6) addressing architecture,
received his BSc and
THC-IPV6 thc-ipv6
Address Lookup Algorithms for IPv6, IEE Proceedings of Communications
for Fast IP Address Lookup, IEE Proceedings of Computing Digital Technology
Efficient IP Routing Table Lookup Scheme, IEE Proceedings of Communications
Cell Phones as Mobile Computing Devices, IT Professional
The Near-Me Area Network, IEEE Internet Computing
Network Infrastructure Security
is a lecturer at Macao
include network infrastructure security, ad
is an associate professor
communication systems, and Internet
and communication systems.