dc.description.abstract |
The Internet Protocol (IP) is a mechanism that has been widely deployed
irrespective of the back-end device. In recent times, due to the proliferation of
the Internet of Things (IoT), IP address utilization has expanded
drastically. Moreover, more and more of the mobile devices in use
today are IP based. Internet Protocol Version 4 (IPv4) originally
laid out the foundation for how a common communication protocol should
behave and how it can connect a large number of people. Unfortunately,
the number of hosts that can connect in IPv4 is low compared with today's
requirements. Thus, building on the lessons of IPv4, IPv6 was designed
with a much larger address space. Even though that
address space appears to be limitless, some basic security-related issues
remain unaddressed in IPv6 as well, most notably the way an IP
address is resolved to a MAC address. The process was not upgraded so that users gain
some benefit from a security perspective; rather, it was almost an in-place
replacement for the Address Resolution Protocol (ARP) implementation
found in IPv4. In IPv6, the Neighbor Discovery Protocol (NDP) is used to
discover the link-layer addresses of connected hosts. In IPv4, a broadcast
or a specially crafted packet is sufficient to alter the IP address and MAC
address table and poison the victim's cache. A similar concept is still in
place in IPv6, where a forged Neighbor Advertisement (NA) packet can have the same effect and enable malicious
activity. This is a serious security loophole, as any unencrypted traffic
can then easily be sniffed by the attacker. To further exacerbate the
issue, in many cases the user is unaware that an attack is in progress, and
under normal operation it can be almost impossible for the user to detect.
This paper presents a possible solution to this problem and compares it with other
available solutions. In order to prevent this long-outstanding issue, we have
proposed a simple solution for the IPv6 environment that works by sharing
a secret key between each pair of hosts in a broadcast domain, so that no
incoming Override packet is processed without a challenge. This key is
transferred between two hosts when they first try to communicate with
each other. After the transfer, both of them retain the key so
that, if any request to update the MAC address arrives, the key can be
used to verify the authenticity of the request. Additional broadcasts are
used, in case one of the hosts forgets the key, to ensure that an attacker cannot
impersonate a valid node. Simulation on the NS3 platform shows that the
proposed scheme can effectively solve this issue. |
en_US |
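The abstract describes the scheme only at the level of "share a pairwise key, challenge any Override before honouring it". The following toy model, added here and not the paper's own code or its NS3 simulation, shows what that verification step looks like in a host's neighbor cache: an NA carrying the Override flag for an existing entry is only accepted if the sender can answer a nonce challenge with an HMAC under the key shared at first contact. The message layout, the HMAC-SHA256 construction, the in-band key installation and the sample addresses are all assumptions made for the illustration; the recovery broadcasts for a host that has lost its key are not modelled.

```python
"""Toy model of an IPv6 neighbor cache that challenges NA Override updates.

Added illustration of the idea in the abstract (pairwise shared key,
challenge before an Override is honoured). Message formats, the HMAC
construction and the key installation at first contact are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class NeighborAdvertisement:
    """The NA fields the model looks at: target IPv6 address, advertised
    link-layer (MAC) address and the Override ('O') flag of RFC 4861."""
    target: str
    lladdr: str
    override: bool


@dataclass
class Host:
    ip: str
    mac: str
    cache: Dict[str, str] = field(default_factory=dict)        # IPv6 -> MAC
    pair_keys: Dict[str, bytes] = field(default_factory=dict)  # peer IPv6 -> key

    def first_contact(self, peer: "Host") -> None:
        """Pairwise key shared on first communication. The abstract does not
        say how the key travels; here it is simply installed on both sides
        (assumed exchange) together with the initial cache entries."""
        key = secrets.token_bytes(32)
        self.pair_keys[peer.ip] = key
        peer.pair_keys[self.ip] = key
        self.cache[peer.ip] = peer.mac
        peer.cache[self.ip] = self.mac

    def answer_challenge(self, verifier_ip: str, nonce: bytes,
                         na: NeighborAdvertisement) -> bytes:
        """Prove possession of the key shared with the verifier by MACing the
        nonce together with the NA contents (construction assumed here)."""
        key = self.pair_keys.get(verifier_ip)
        if key is None:
            return b""  # no shared key: the challenge cannot be answered
        msg = nonce + na.target.encode() + na.lladdr.encode()
        return hmac.new(key, msg, hashlib.sha256).digest()

    def receive_na(self, na: NeighborAdvertisement,
                   responder: Callable[[bytes], bytes]) -> str:
        """Process an NA; responder(nonce) is the sender's reply to our
        challenge. Returns a short verdict string."""
        current = self.cache.get(na.target)
        if current is None:
            return "ignored: no existing entry"   # RFC 4861 7.2.5 behaviour
        if current == na.lladdr:
            return "unchanged"
        if not na.override:
            return "ignored: Override flag not set"
        key = self.pair_keys.get(na.target)
        if key is None:
            return "rejected: no shared key for target"
        nonce = secrets.token_bytes(16)
        msg = nonce + na.target.encode() + na.lladdr.encode()
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, responder(nonce)):
            return "rejected: challenge failed"
        self.cache[na.target] = na.lladdr
        return "updated"


def demo() -> Dict[str, str]:
    """Constructed scenario: victim and peer share a key; a third node with
    no key tries to override the peer's MAC in the victim's cache; later the
    peer legitimately changes its own MAC and announces it."""
    victim = Host("fe80::1", "00:00:5e:00:53:01")
    peer = Host("fe80::2", "00:00:5e:00:53:02")
    rogue = Host("fe80::66", "00:00:5e:00:53:66")
    victim.first_contact(peer)

    forged = NeighborAdvertisement(peer.ip, rogue.mac, override=True)
    r1 = victim.receive_na(
        forged, lambda n: rogue.answer_challenge(victim.ip, n, forged))

    peer.mac = "00:00:5e:00:53:22"  # legitimate NIC change on the peer
    genuine = NeighborAdvertisement(peer.ip, peer.mac, override=True)
    r2 = victim.receive_na(
        genuine, lambda n: peer.answer_challenge(victim.ip, n, genuine))

    return {"forged": r1, "genuine": r2, "cached_mac": victim.cache[peer.ip]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the model is the last branch of `receive_na`: without the challenge, the Override NA from the rogue node would simply overwrite the cached MAC, exactly the poisoning the abstract describes. With it, a node that never shared a key with the victim cannot produce the expected HMAC, while a legitimate MAC change by the real peer still goes through.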