Secure Neighbor Discovery : review, challenges, perspectives, and recommendations

Abstract

Neighbor Discovery Protocol (NDP), one of the main protocols in the IPv6 suite, comprises Neighbor Discovery for IPv6 (Request for Comments [RFC] 48611) and IPv6 stateless address autoconfiguration (SLAAC).2 It’s used for several critical functionalities, such as discovering nodes on the same link, determining link-layer addresses, detecting duplicate addresses, finding routers, and maintaining reachability information about paths to an active neighbor. In addition, NDP plays a crucial role in mobile IPv6 (MIPv6) networks, eliminating the need for foreign agents and allowing mobile nodes to join new foreign networks. However, NDP is prone to critical attacks assumes that all nodes on the link trust each other, but this assumption doesn’t hold for several scenarios, such as over a wireless network, in which anyone can join a local link with minimal or no link-layer authentication. Consequently, malicious users could impersonate legitimate nodes by forging NDP messages to generate attacks. As a result, RFC 3971, “Secure Neighbor Discovery (SEND),” became a standard.4 SEND uses cryptographically generated addresses(CGAs),5 a digital signature, and an X.509 certification to protect NDP.