Towards securing Duplicate Address Detection using P4

Abstract: Duplicate Address Detection (DAD) is one of the functions of the Neighbor Discovery Protocol (NDP); it determines whether the IPv6 address of a node conflicts with those of other nodes. However, because NDP messages are not verified, DAD is vulnerable to Denial of Service (DoS) attacks. Existing solutions suffer from high complexity and low security, need to modify the NDP, or have a single point of failure, which makes them infeasible to deploy. To solve the above problems, we propose P4DAD, a secure DAD mechanism based on P4. By creating and maintaining a binding entry between an IPv6 address and a link-layer property of a host’s network attachment, P4DAD can filter spoofed NDP messages in an in-network manner to prevent DoS attacks on DAD without modification to the NDP or the host stack. We implement a prototype of P4DAD and evaluate it in terms of functionality, performance, and scalability. Evaluation results show that P4DAD prevents DoS attacks on DAD successfully with negligible overhead and has satisfactory scalability.
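As an added illustration (not the paper's P4 code), the following Python model sketches the binding-and-filter idea the abstract describes: the switch binds a tentative address to the ingress port it was probed from, and drops Neighbor Advertisements that claim that address from any other port. The message fields, the tentative/bound states and the assumption that the switch sees every DAD probe on the link from the start are mine, not details taken from the paper.

```python
from dataclasses import dataclass

UNSPECIFIED = "::"          # source address of a DAD Neighbor Solicitation


@dataclass(frozen=True)
class NdpMsg:
    kind: str     # "NS" (solicitation) or "NA" (advertisement); assumed field set
    src: str      # IPv6 source address
    target: str   # target address carried in the NS/NA
    port: int     # switch ingress port: the link-layer property bound to the address


class DadFilter:
    """Binding table: target address -> (owner port, "tentative" | "bound").
    Assumption: the switch observes every DAD probe on the link from start-up,
    so an address that was never probed has no legitimate owner."""

    def __init__(self):
        self.bindings = {}

    def process(self, msg):
        """Return 'forward' or 'drop' for one NDP message."""
        # A message sourced from an address bound to another port is spoofed.
        if msg.src in self.bindings:
            port, _ = self.bindings[msg.src]
            if port != msg.port:
                return "drop"
            self.bindings[msg.src] = (port, "bound")  # owner is actively using it
        entry = self.bindings.get(msg.target)
        if msg.kind == "NS" and msg.src == UNSPECIFIED:
            if entry is None:                          # first probe: bind tentatively
                self.bindings[msg.target] = (msg.port, "tentative")
            return "forward"                           # probes always reach the link
        if msg.kind == "NA":
            if entry is None:
                return "drop"                          # nobody ever claimed this address
            port, state = entry
            if port == msg.port:
                return "forward"                       # owner defending its own address
            # Another port advertising a merely tentative address is the DAD DoS pattern;
            # a "bound" owner answering a duplicate probe from elsewhere is legitimate.
            return "forward" if state == "bound" else "drop"
        return "forward"
```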
