Improved Mechanism to Prevent Denial of Service Attack in IPv6 Duplicate Address Detection Process

From the days of ARPANET, with slightly over two hundred connected hosts across five organizations, to a massive, global, always-on network connecting billions of hosts, the Internet has become as essential as electricity and water. Internet Protocol version 4 (IPv4) could not sustain the growth of the Internet. To ensure that this growth is not stunted, a new protocol, Internet Protocol version 6 (IPv6), was introduced that resolves the addressing issue IPv4 had. In addition, IPv6 was laden with new features and capabilities, one of which is address auto-configuration. This feature allows hosts to configure themselves without the need for additional services. Nevertheless, the design of IPv6 has led to several security shortcomings. The Duplicate Address Detection (DAD) process required for auto-configuration is prone to a Denial of Service (DoS) attack in which hosts are unable to configure themselves to join the network. Various mechanisms, SeND, SSAS, and most recently Trust-ND, have been introduced to address this issue. Although these mechanisms were able to prevent the DoS attack on the DAD process, they introduced side effects, namely added complexity and degraded performance. This paper reviews the shortcomings of these mechanisms and proposes a new mechanism, Secure-DAD, that addresses them. The performance comparison between Trust-ND and Secure-DAD also showed that Secure-DAD is more promising, with a 45.1% reduction in processing time compared to Trust-ND while preventing the DoS attack in the IPv6 DAD process.
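The DoS condition the abstract refers to arises because DAD fails as soon as any node answers a tentative address probe with a Neighbor Advertisement. The following added example (not code from the paper or from Secure-DAD) shows the defender's side of that problem: a rate-based detector over a constructed Neighbor Discovery event log that flags a single link-layer source claiming many distinct tentative addresses within a short window, while leaving a genuine address owner and a host's own post-DAD advertisement unflagged. The event format, timeouts and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed ND event log (not from the paper): (time_s, src_mac, kind, target).
# "NS_DAD" is a DAD probe (a Neighbor Solicitation sent from the unspecified
# address); "NA" is a Neighbor Advertisement for the target address.
ND_EVENTS = [
    (0.0, "02:00:00:00:00:a1", "NS_DAD", "fe80::a1"),
    (0.1, "02:00:00:00:00:ee", "NA",     "fe80::a1"),    # ee claims a1's address
    (1.5, "02:00:00:00:00:a1", "NS_DAD", "fe80::a1:1"),  # a1 retries another address
    (1.6, "02:00:00:00:00:ee", "NA",     "fe80::a1:1"),  # ee claims that one too
    (3.0, "02:00:00:00:00:b2", "NS_DAD", "fe80::b2"),
    (3.1, "02:00:00:00:00:ee", "NA",     "fe80::b2"),    # and a third host's address
    (4.0, "02:00:00:00:00:c3", "NS_DAD", "fe80::d4"),
    (4.1, "02:00:00:00:00:d4", "NA",     "fe80::d4"),    # genuine owner: a real duplicate
    (6.0, "02:00:00:00:00:c3", "NS_DAD", "fe80::c3"),
    (8.0, "02:00:00:00:00:c3", "NA",     "fe80::c3"),    # c3's own NA after DAD succeeded
]


def dad_responders(events, window_s=5.0, max_claims=2, dad_timeout_s=1.0):
    """Return {src_mac: [targets]} for sources that answered DAD probes for more
    than `max_claims` distinct tentative addresses within any `window_s` span.

    An NA only counts as a DAD reply if it arrives within `dad_timeout_s` of the
    probe (the RFC 4862 RetransTimer default is 1 s, assumed here), so a host's
    own unsolicited NA after successful DAD is not mistaken for a claim.
    """
    probed_at = {}                # tentative target -> time of last DAD probe
    claims = defaultdict(list)    # responder mac -> [(time, target)]
    for t, mac, kind, target in sorted(events):
        if kind == "NS_DAD":
            probed_at[target] = t
        elif kind == "NA" and target in probed_at and t - probed_at[target] <= dad_timeout_s:
            claims[mac].append((t, target))

    flagged = {}
    for mac, hits in claims.items():
        # slide a window starting at each claim; count distinct targets inside it
        for i, (t0, _) in enumerate(hits):
            targets = {tg for t, tg in hits[i:] if t - t0 <= window_s}
            if len(targets) > max_claims:
                flagged[mac] = sorted(targets)
                break
    return flagged


if __name__ == "__main__":
    for mac, targets in dad_responders(ND_EVENTS).items():
        print(f"suspicious DAD responder {mac}: claimed {len(targets)} tentative addresses {targets}")
```

In a real deployment the tuples would come from decoded ICMPv6 (types 135 and 136) on the link, and the threshold would be tuned to the link's normal rate of genuine duplicates.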
