Compass Security Blog

Offensive Defense

IPv6 Secure Neighbor Discovery (SeND)

Finally, IPv6 is arriving… Since the IPv6 Launch Day in 2012, the number of native IPv6 users has sextupled. In Switzerland, the IPv6 adoption rate is around 10%, which is quite impressive. In this blog post, the successor of ARP, namely the Neighbor Discovery Protocol (NDP), is introduced and its security features are described. IPv4 ARP attacks are well known and documented, and similar attack vectors exist for IPv6’s NDP. To address these weaknesses, IPv6 SeND (Secure Neighbor Discovery) was introduced back in 2005.

NDP is responsible for:

  • finding other nodes on the same network
  • providing the needed IPv6 prefix exchange mechanism
  • allowing IPv6 address auto-configuration and therefore enabling some IPv6-specific features like DAD (duplicate address detection)

NDP’s main messages are the advertisement and solicitation packets for either the router or the neighbor (host). Common attacks are spoofing (the IPv6 counterpart of ARP spoofing), flooding router advertisements or denial-of-service. When a host creates its auto-generated IPv6 address, all other nodes on the same link are asked whether this address is already taken. A malicious network participant can always claim that it already uses the address that was just requested, creating a denial-of-service condition.

SeND uses cryptographically generated addresses (CGA) based on private/public key pairs to generate IPv6 addresses. A recipient of such an IPv6 packet can verify the authenticity of the IPv6 address with the provided public key. Furthermore, SeND uses a router authorization process to identify valid router advertisements (IPv6 prefixes among other things) based on a trust anchor (e.g. a certificate authority).
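To make the CGA binding concrete, here is an added example (not code from the original post) of the RFC 3972 generation and verification steps in Python. The prefix is the documentation prefix and the public key is a constructed placeholder blob, since CGA hashes the DER-encoded key as opaque bytes; a verifier can check that an address belongs to a key without any prior trust relationship, which is exactly what defeats a spoofed Neighbor Advertisement.

```python
import hashlib
import ipaddress
import os

# Constructed sample inputs (not from the post): a documentation prefix and a
# placeholder standing in for the DER-encoded public key, which CGA hashes as opaque bytes.
PREFIX = ipaddress.IPv6Network("2001:db8::/64").network_address.packed[:8]
PUBKEY = b"placeholder-DER-SubjectPublicKeyInfo-of-the-host"


def _hash1(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes) -> bytes:
    # RFC 3972 Hash1: SHA-1 over modifier(16) || subnet prefix(8) || collision count(1) || public key
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()


def _hash2_ok(modifier: bytes, pubkey: bytes, sec: int) -> bool:
    # RFC 3972 Hash2: SHA-1 over modifier || 9 zero octets || public key; its leftmost
    # 16*Sec bits must be zero. Sec raises the generator's cost, not the verifier's.
    h = hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()
    return int.from_bytes(h[:2 * sec], "big") == 0


def cga_generate(prefix: bytes, pubkey: bytes, sec: int = 0, collision_count: int = 0):
    """Return (address, modifier); the modifier is searched until Hash2 satisfies Sec."""
    modifier = os.urandom(16)
    while not _hash2_ok(modifier, pubkey, sec):
        modifier = os.urandom(16)
    iid = bytearray(_hash1(modifier, prefix, collision_count, pubkey)[:8])
    # First IID octet: bits 0-2 carry Sec, bits 6-7 ("u"/"g") are cleared, bits 3-5 keep Hash1
    iid[0] = ((sec & 0b111) << 5) | (iid[0] & 0b00011100)
    return ipaddress.IPv6Address(prefix + bytes(iid)), modifier


def cga_verify(address: ipaddress.IPv6Address, modifier: bytes,
               collision_count: int, pubkey: bytes) -> bool:
    """RFC 3972 verification: does this address really bind to this public key?"""
    if collision_count > 2:                 # DAD may bump the count at most twice
        return False
    raw = address.packed
    prefix, iid = raw[:8], raw[8:]          # subnet prefix must match the CGA Parameters
    expected = _hash1(modifier, prefix, collision_count, pubkey)[:8]
    # Compare Hash1 with the IID, ignoring the Sec bits (0-2) and the u/g bits (6-7)
    if (expected[0] & 0b00011100) != (iid[0] & 0b00011100) or expected[1:] != iid[1:]:
        return False
    sec = iid[0] >> 5                       # Sec is read from the address itself
    return _hash2_ok(modifier, pubkey, sec)


if __name__ == "__main__":
    addr, mod = cga_generate(PREFIX, PUBKEY, sec=1)
    print(addr, cga_verify(addr, mod, 0, PUBKEY), cga_verify(addr, mod, 0, b"other key"))
```

A node that cannot present the modifier and key behind an address fails verification, so it cannot take over the address of a legitimate neighbor; the signature over the NDP message (RFC 3971) then proves possession of the matching private key.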

Due to the design of IPv6 SeND, DoS attacks against the protocol itself are possible: CGA generation and the signature verification on every received message are computationally costly. Furthermore, it only makes sense to use IPv6 SeND in pure IPv6 networks. Privacy issues also exist, because the public key doesn’t change and is sent with every IPv6 SeND packet, regardless of the currently connected network, which allows a host to be tracked across networks.

For the moment, most vendors do not natively implement SeND in their products (e.g. Google’s Android, Apple’s iOS, *nix, Windows). Cisco’s IOS 12.4-24(T) and Juniper JUNOS version 9.3 onwards ship with a SeND implementation. On the operating system side, experimental implementations exist for Linux and Windows. Due to this sparse support (and the requirement of running exclusively IPv6), SeND cannot be used today to secure larger environments down to the workstation or server. But SeND can be an option to secure your inter-router traffic, provided your network equipment supports it.

Further details can be found in the following presentation: IPv6 Secure Neighbor Discovery.

Thanks to Mateusz Khalil and Alexandre Herzog for the review and comments for this post.

References

  • RFC 3971, "SEcure Neighbor Discovery (SEND)"
  • RFC 3972, "Cryptographically Generated Addresses (CGAs)"
  • Ed Horley, IPv6 Bootcamp presentation, 2014
  • "IPv6 Secure Neighbor Discovery", Cisco, 2012, http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/ip6-send.html
  • "IPv6 Security", Eric Vyncke, Cisco, 2014
  • "IPv6 Secure Neighbor Discovery" (short summary of SeND), Claire Musso, Syrine Boujnah, Khalil Hajji, EPFL, Dec 2013

2 Comments

  1. Frank Herberg

    Nice slides on the SeND topic. While I think that SeND itself is almost dead, attack tools for SeND are already available (sendpees6 for CGA-DoS).

  2. Andreas Hunkeler

    Thanks for your input.

    The tool mentioned above is included in the THC-IPv6 toolkit, available under https://www.thc.org/thc-ipv6/.

    sendpees6: a tool by willdamn (–ad–) gmail — com, which generates neighbor solicitation requests with a lot of CGAs to keep the CPU busy
