Secure Neighbor Discovery in IPv6 Jari Arkko Ericsson Research James Kempf DoCoMo US Labs

Post on 13-Dec-2015


Neighbor and Router Discovery Security

[Diagram: a router and hosts, with the exchanges between them labelled RD, ND, NUD and DAD]

Vulnerabilities:
• Routers could be spoofed
• Neighbors could be spoofed
• Blocking address allocation
• Secure upper layers help, but do not prevent all attacks

Problems with “just use IPsec”:
• Number of SAs very high: 2*N+2 per node
• Chicken-and-egg problem
• Does not help with authorization


SEND WG Approach

• BOF in 2002
• Final RFCs out this week (we hope)
• Solution consists of
  • Securing router discovery
  • Securing operations on hosts’ addresses, such as DAD, or responses to solicitations


Solution - Router Discovery

• Every router has a certificate from a trust anchor
• Clients know what trust anchor they trust
• Hosts pick routers that can show a certificate chain to trust anchor

(During a transition hosts can still allow non-secure routers if no secure routers are present.)


Solution - Operations on Addresses

• Approach based on “zero config” security
• Cryptographically Generated Addresses (CGAs):

Host A: Address A = prefix | hash(public key A)

In verifying a response to neighbor discovery, duplicate address detection, and so on, check that:

1) Responder’s address is a hash of a public key
2) There is a signature from the associated private key

Attackers can come up with new addresses, but they cannot take over an address of an existing host or router -- they do not have the private key!

(IPR -- but with friendly licenses)
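
Check 1 above (the address is a hash of the public key), as an added example that is not from the slides or from the SEND working group's code. It assumes the RFC 3972 parameter layout (modifier, prefix, collision count, key, SHA-1, Sec bits) with no extension fields; the function names and key byte strings are constructed, and the signature check of step 2 is not covered.

```python
import hashlib
import ipaddress
import os

# Interface-ID bits compared against Hash1: everything except the 3 Sec bits and the u/g bits.
HASH1_MASK = 0x1CFFFFFFFFFFFFFF
PREFIX = bytes.fromhex("20010db800000001")  # 2001:db8:0:1::/64, documentation prefix
KEY_A = b"constructed stand-in for host A's DER-encoded public key"
KEY_ATTACKER = b"constructed stand-in for an attacker's public key"

def _hash1(modifier, prefix, collision_count, public_key):
    # Leftmost 64 bits of SHA-1 over the CGA parameters.
    params = modifier + prefix + bytes([collision_count]) + public_key
    return int.from_bytes(hashlib.sha1(params).digest()[:8], "big")

def _hash2_ok(modifier, public_key, sec):
    # Leftmost 16*Sec bits of Hash2 (prefix and collision count zeroed) must be zero.
    digest = hashlib.sha1(modifier + bytes(9) + public_key).digest()
    return int.from_bytes(digest[:14], "big") >> (112 - 16 * sec) == 0

def generate_cga(prefix, public_key, sec=0):
    """Return (address, modifier) for an 8-byte /64 prefix; random modifier search."""
    while True:
        modifier = os.urandom(16)
        if _hash2_ok(modifier, public_key, sec):
            break
    iid = (_hash1(modifier, prefix, 0, public_key) & HASH1_MASK) | (sec << 61)
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big")), modifier

def verify_cga(address, modifier, collision_count, public_key):
    """True only if the address is bound to public_key under the given parameters."""
    raw = ipaddress.IPv6Address(address).packed
    prefix, iid = raw[:8], int.from_bytes(raw[8:], "big")
    if collision_count not in (0, 1, 2):
        return False
    if (_hash1(modifier, prefix, collision_count, public_key) ^ iid) & HASH1_MASK:
        return False  # interface identifier was not derived from this key
    return _hash2_ok(modifier, public_key, iid >> 61)

if __name__ == "__main__":
    addr, mod = generate_cga(PREFIX, KEY_A)
    print("address:", addr)
    print("host A's key:", verify_cga(addr, mod, 0, KEY_A))
    print("attacker's key:", verify_cga(addr, mod, 0, KEY_ATTACKER))
```

A verifier that accepts this check still has to validate the signature over the message with the same public key; the hash binding alone only shows that the key and the address belong together.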