Lightweight Address Hopping for Defending the IPv6 IoT

The rapid deployment of IoT systems on the public Internet is not without concerns for the security and privacy of consumers. Security in IoT systems is often poorly engineered, and engineering for privacy does not seem to be a concern for vendors at all. The combination of poor security hygiene and access to valuable knowledge renders IoT systems a much-sought target for attacks. IoT systems are not only Internet-accessible but also play the role of servers according to the established client-server communication model, and are thus configured with static and/or easily predictable IPv6 addresses, rendering them an easy target for attacks. We present 6HOP, a novel addressing scheme for IoT devices. Our proposal is lightweight in operation, requires minimal administration overhead, and defends against reconnaissance attacks, address-based correlation, and denial-of-service attacks. 6HOP exploits the ample address space available in IPv6 networks and provides effective protection this way.
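The abstract does not spell out how 6HOP derives its hopping addresses, so the following is an added example (not the paper's code or its actual algorithm) of the general idea behind keyed, time-slotted IPv6 address hopping: both the device and its legitimate peer derive the current interface identifier from a shared secret and a coarse time slot, so the address in use changes every interval, cannot be predicted without the secret, and cannot be correlated across intervals by an observer. The /64 prefix, the shared secret, the device identifier, the hop interval, and the HMAC-SHA256 construction are all assumptions chosen for this illustration; a receiver-side acceptance window tolerating one slot of clock skew is included because that is the edge case any such scheme has to handle.

```python
import hmac
import hashlib
import ipaddress

# Constructed parameters for the example (assumptions, not 6HOP's published values).
PREFIX = ipaddress.IPv6Network("2001:db8:1234:5678::/64")  # documentation prefix
HOP_INTERVAL = 60  # seconds per address; shorter intervals shrink the reconnaissance window


def hop_slot(timestamp: float, interval: int = HOP_INTERVAL) -> int:
    """Coarse time slot index. Both endpoints compute the same value from
    loosely synchronised clocks, so no per-hop signalling is needed."""
    return int(timestamp) // interval


def interface_identifier(secret: bytes, slot: int, device_id: bytes) -> int:
    """64-bit interface identifier = first 8 bytes of HMAC-SHA256(secret, device_id || slot).
    Without the secret, the IID for any slot is one of 2**64 equally likely values."""
    msg = device_id + slot.to_bytes(8, "big")
    digest = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big")


def hopping_address(secret: bytes, device_id: bytes, timestamp: float,
                    prefix: ipaddress.IPv6Network = PREFIX) -> ipaddress.IPv6Address:
    """Address the device uses at the given time: routable prefix || keyed IID."""
    iid = interface_identifier(secret, hop_slot(timestamp), device_id)
    return ipaddress.IPv6Address(int(prefix.network_address) | iid)


def address_window(secret: bytes, device_id: bytes, timestamp: float,
                   skew_slots: int = 1,
                   prefix: ipaddress.IPv6Network = PREFIX) -> list:
    """Addresses the device should answer on right now: the current slot plus
    skew_slots on either side, so packets in flight across a hop boundary and
    small clock drift are not dropped."""
    now = hop_slot(timestamp)
    base = int(prefix.network_address)
    return [ipaddress.IPv6Address(base | interface_identifier(secret, s, device_id))
            for s in range(now - skew_slots, now + skew_slots + 1)]


def accepts(secret: bytes, device_id: bytes, dst: str, timestamp: float,
            skew_slots: int = 1) -> bool:
    """Receiver-side check: is the destination one of the currently valid addresses?
    Traffic to stale or guessed addresses is simply not answered."""
    return ipaddress.IPv6Address(dst) in address_window(secret, device_id, timestamp, skew_slots)


if __name__ == "__main__":
    # Constructed sample values.
    secret = b"constructed-shared-secret"
    device_id = b"sensor-01"
    t0 = 1_700_000_000
    for offset in (0, 30, 60, 120):
        print(offset, hopping_address(secret, device_id, t0 + offset))
    print("stale address still accepted one slot later:",
          accepts(secret, device_id, str(hopping_address(secret, device_id, t0)), t0 + HOP_INTERVAL))
    print("stale address rejected two slots later:",
          accepts(secret, device_id, str(hopping_address(secret, device_id, t0)), t0 + 2 * HOP_INTERVAL))
```

Within one slot the address is stable, so an existing connection is unaffected; across slots it changes to an unrelated value inside the same /64, which is what breaks both brute-force scanning and address-based correlation. The peer's acceptance window decides how much clock skew is tolerated: wider windows ease synchronisation but keep each address live for longer.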
