Securing IPv6 neighbor discovery and SLAAC in access networks through SDN

This paper proposes and evaluates a new approach, based on Software Defined Networking (SDN), to secure the IPv6 Neighbor Discovery Protocol (NDP) message exchange and make Stateless Address Autoconfiguration (SLAAC) safer. We created an SDN application on the Ryu SDN framework that functions as an intelligent NDP proxy. The SDN application inspects all NDP messages in the data path of the access switch. Once the application has accumulated data about the respective network segment, it performs sanity checking and filtering. We used several relevant attacks from the THC IPv6 toolkit to verify resilience against attacks on the Neighbor Discovery Protocol. Load tests showed that the overhead of the NDP packet inspection is not negligible, but once the relevant flow rules have been installed, subsequent packets are forwarded on the fast path of the switch and network performance is only minimally affected.
