IPv6 Neighbor Discovery (ND) defines a group of ICMPv6 messages, and the processes built on them, for discovering nodes on the same link. The IPv6 Secure Neighbor Discovery (SEND) protocol is a security enhancement of IPv6 ND.
The IPv6 Neighbor Discovery Protocol (NDP) uses Internet Control Message Protocol version 6 (ICMPv6) messages to discover neighbors. It replaces the functions that IPv4 provides through the Address Resolution Protocol (ARP), ICMP Router Discovery (RD), and ICMP Redirect.
SEND uses a set of new ND options (the CGA, RSA Signature, Timestamp, and Nonce options) and two new messages (Certification Path Solicitation and Certification Path Advertisement) to implement the authorization delegation discovery process, the address ownership proof mechanism, and message verification, which secures neighbor discovery. SEND is specified in RFC 3971; the Cryptographically Generated Addresses (CGAs) on which its address ownership proof relies are specified in RFC 3972.
ND enables address autoconfiguration and the exchange of reachability and routing information between nodes on one link of an IPv6 network.
ND itself provides no authentication: any node on the link can send ND messages that claim any address or link-layer address. ND is therefore vulnerable to the following threats:
NS/NA spoofing
Neighbor Solicitation/Advertisement spoofing (NS/NA spoofing) is the IPv6 counterpart of IPv4 ARP spoofing. An attacker sends NS/NA messages that carry a forged link-layer address (for an NA, typically with the Override flag set) so that the target node updates its neighbor cache entry for the spoofed neighbor. Consequently, the target node sends packets intended for that neighbor to the attacker-chosen link-layer address, where they can be intercepted or dropped.
DAD attack
On networks where hosts obtain their addresses through stateless address autoconfiguration, an attacker can respond to every duplicate address detection (DAD) attempt made by a host, claiming that the tentative address is already in use. If the attacker answers every attempt, the host can never complete DAD and never obtains a usable address.
Redirect attack
An attacker sends a Redirect message to a target node with the IPv6 source address set to the link-local address of the node's current default gateway, since a node accepts a Redirect only if it appears to come from its current first-hop router. The message carries a nonexistent next-hop address for a given destination. Upon receiving the message, the target node sends packets for that destination to the nonexistent next hop. As a result, the packets fail to reach their destinations.
Parameter spoofing
An attacker impersonates a local router and sends a forged Router Advertisement (RA) message to a target node. The forged RA message contains a fake network prefix with the Autonomous address-configuration (A) flag set. After the message arrives, the target node performs stateless address autoconfiguration and uses the fake prefix to generate an IPv6 address. When the target node uses this address as a source address to communicate with other hosts, the return traffic is routed according to the fake prefix and is never delivered to the target node, so its communication fails.
Replay attack
An attacker captures valid ND messages and replays them later, so that the target node processes stale information (for example, an old RA or NA) as though it were current.
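The NS/NA spoofing threat above is easiest to see on the wire. The following Python is an added example, not part of the original page or of any vendor implementation: it builds an ICMPv6 Neighbor Advertisement (type 136) carrying a Target Link-Layer Address option and the Override flag, exactly as a cache-poisoning tool would, then parses and validates such messages (RFC 4443 checksum over the IPv6 pseudo-header, RFC 4861 7.1.2 receiver checks) and applies a simple binding-table check in the style of switch-side ND inspection. The addresses and MACs are constructed test values; the class name NdInspector and its verdict strings are this example's own.

```python
import ipaddress
import struct

ICMPV6_NEIGHBOR_ADVERTISEMENT = 136
OPT_TARGET_LINK_LAYER_ADDRESS = 2
FLAG_ROUTER, FLAG_SOLICITED, FLAG_OVERRIDE = 1 << 31, 1 << 30, 1 << 29


def icmpv6_checksum(src_ip, dst_ip, msg):
    """RFC 4443 checksum: one's-complement sum over the IPv6 pseudo-header
    (src, dst, upper-layer length, 3 zero octets, next header 58) plus the message."""
    src = ipaddress.IPv6Address(src_ip).packed
    dst = ipaddress.IPv6Address(dst_ip).packed
    data = src + dst + struct.pack("!I", len(msg)) + b"\x00\x00\x00\x3a" + msg
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_na(src_ip, dst_ip, target_ip, target_mac, override=True, solicited=False):
    """Build a Neighbor Advertisement with a Target Link-Layer Address option.
    With the O (Override) flag set, a receiver replaces the MAC in an existing
    cache entry with the advertised one; that is what NA spoofing abuses."""
    flags = (FLAG_OVERRIDE if override else 0) | (FLAG_SOLICITED if solicited else 0)
    target = ipaddress.IPv6Address(target_ip).packed
    mac = bytes.fromhex(target_mac.replace(":", ""))
    option = bytes([OPT_TARGET_LINK_LAYER_ADDRESS, 1]) + mac  # length unit: 8 octets
    msg = struct.pack("!BBHI", ICMPV6_NEIGHBOR_ADVERTISEMENT, 0, 0, flags) + target + option
    csum = icmpv6_checksum(src_ip, dst_ip, msg)
    return msg[:2] + struct.pack("!H", csum) + msg[4:]


def parse_na(src_ip, dst_ip, msg):
    """Parse an NA and apply the RFC 4861 7.1.2 validity checks that can be done
    on the ICMPv6 payload (hop limit 255 must be checked on the IPv6 header)."""
    if len(msg) < 24 or msg[0] != ICMPV6_NEIGHBOR_ADVERTISEMENT or msg[1] != 0:
        raise ValueError("not a Neighbor Advertisement")
    stored = struct.unpack("!H", msg[2:4])[0]
    if icmpv6_checksum(src_ip, dst_ip, msg[:2] + b"\x00\x00" + msg[4:]) != stored:
        raise ValueError("bad ICMPv6 checksum")
    flags = struct.unpack("!I", msg[4:8])[0]
    target = ipaddress.IPv6Address(msg[8:24])
    if target.is_multicast:
        raise ValueError("multicast target address")
    if ipaddress.IPv6Address(dst_ip).is_multicast and flags & FLAG_SOLICITED:
        raise ValueError("solicited flag set on a multicast advertisement")
    options, off = {}, 24
    while off < len(msg):
        if off + 2 > len(msg) or msg[off + 1] == 0:
            raise ValueError("malformed option")  # zero-length options are discarded
        olen = msg[off + 1] * 8
        if off + olen > len(msg):
            raise ValueError("truncated option")
        options[msg[off]] = msg[off + 2 : off + olen]
        off += olen
    tlla = options.get(OPT_TARGET_LINK_LAYER_ADDRESS)
    return {
        "target": str(target),
        "override": bool(flags & FLAG_OVERRIDE),
        "solicited": bool(flags & FLAG_SOLICITED),
        "tlla": ":".join("%02x" % b for b in tlla[:6]) if tlla else None,
    }


def is_valid_na(src_ip, dst_ip, msg):
    try:
        parse_na(src_ip, dst_ip, msg)
        return True
    except ValueError:
        return False


class NdInspector:
    """Binding-table check: the first NA seen for a target fixes its MAC; a later
    NA that claims a different MAC for the same target is reported as spoofing."""

    def __init__(self):
        self.bindings = {}

    def inspect(self, src_ip, dst_ip, msg):
        na = parse_na(src_ip, dst_ip, msg)
        if na["tlla"] is None:
            return "no-tlla"
        bound = self.bindings.get(na["target"])
        if bound is None:
            self.bindings[na["target"]] = na["tlla"]
            return "learned"
        return "ok" if bound == na["tlla"] else "spoof"


if __name__ == "__main__":
    insp = NdInspector()
    legit = build_na("fe80::1", "ff02::1", "fe80::1", "00:11:22:33:44:55")
    spoof = build_na("fe80::1", "ff02::1", "fe80::1", "de:ad:be:ef:00:01")
    print(insp.inspect("fe80::1", "ff02::1", legit), insp.inspect("fe80::1", "ff02::1", spoof))
```

The inspector deliberately keys on the target address, not the IPv6 source, because an attacker controls the source. In practice such a table is populated from DAD or from DHCPv6 snooping rather than from the first advertisement seen, which is why SEND's cryptographic binding of address to key is the stronger answer.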
SEND counters each of these threats. CGAs together with the RSA Signature option bind every ND message to the key pair of the node that generated the claimed address, so an attacker cannot produce an acceptable NS or NA (including a DAD response) for an address it does not own. Authorization delegation discovery lets a host verify, through a certification path to a trusted anchor, that a router is authorized to advertise a prefix, which defeats Redirect and parameter spoofing. The Timestamp and Nonce options defeat replay of captured messages.
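The address ownership proof that SEND relies on is the Cryptographically Generated Address of RFC 3972: the interface identifier is a hash of the node's public key and a modifier, so only the holder of the matching private key can sign messages for that address. The following Python is an added example, not code from the original page or from any SEND implementation; it carries out RFC 3972 section 4 (generation) and section 5 (verification) with hashlib. The public key is an opaque byte string here (in SEND it is a DER-encoded SubjectPublicKeyInfo, but the hash treats it as bytes either way), the starting modifier is fixed at zero for reproducibility where the RFC says to start from a random value, and the helper names are this example's own.

```python
import hashlib
import ipaddress

# Sec (0..7) is encoded in the three leftmost bits of the interface ID. Each
# increment costs the generator about 2^16 more SHA-1 evaluations of Hash2,
# which is what makes brute-forcing a matching key for a given address costly.
IID_MASK = 0x1CFFFFFFFFFFFFFF  # clears the Sec bits (63..61) and the u/g bits (57, 56)


def _hash1(modifier, prefix, collision, pubkey):
    # Hash1 = leftmost 64 bits of SHA-1(CGA Parameters: modifier, prefix, collision count, key)
    return hashlib.sha1(modifier + prefix + bytes([collision]) + pubkey).digest()[:8]


def _hash2_ok(modifier, pubkey, sec):
    # Hash2 = leftmost 112 bits of SHA-1(modifier || 9 zero octets || key);
    # its leftmost 16*Sec bits must all be zero.
    if sec == 0:
        return True
    h2 = int.from_bytes(hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()[:14], "big")
    return (h2 >> (112 - 16 * sec)) == 0


def generate_cga(prefix_str, pubkey, sec=1, modifier=b"\x00" * 16, collision=0):
    """RFC 3972 section 4. Returns (address, CGA Parameters) for the given key.
    modifier is a fixed starting value for reproducibility (assumption of this
    example); a real generator starts from a random 128-bit modifier."""
    prefix = ipaddress.IPv6Network(prefix_str).network_address.packed[:8]
    mod = int.from_bytes(modifier, "big")
    while not _hash2_ok(mod.to_bytes(16, "big"), pubkey, sec):
        mod = (mod + 1) % (1 << 128)  # hash extension: search for a modifier that satisfies Sec
    modifier = mod.to_bytes(16, "big")
    iid = int.from_bytes(_hash1(modifier, prefix, collision, pubkey), "big")
    iid = (iid & IID_MASK) | (sec << 61)  # write Sec, clear u/g bits
    address = ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big"))
    params = {"modifier": modifier, "prefix": prefix, "collision": collision, "pubkey": pubkey}
    return str(address), params


def cga_sec(address_str):
    """Sec value carried in the three leftmost bits of the interface ID."""
    return int.from_bytes(ipaddress.IPv6Address(address_str).packed[8:], "big") >> 61


def verify_cga(address_str, params):
    """RFC 3972 section 5. True only if the address was derived from exactly
    these parameters, i.e. from this public key."""
    addr = ipaddress.IPv6Address(address_str).packed
    if params["collision"] not in (0, 1, 2):
        return False
    if params["prefix"] != addr[:8]:
        return False
    iid = int.from_bytes(addr[8:], "big")
    h1 = int.from_bytes(
        _hash1(params["modifier"], params["prefix"], params["collision"], params["pubkey"]), "big"
    )
    if (h1 & IID_MASK) != (iid & IID_MASK):  # compare ignoring Sec and u/g bits
        return False
    return _hash2_ok(params["modifier"], params["pubkey"], iid >> 61)


if __name__ == "__main__":
    # Constructed stand-in for the node's DER-encoded public key.
    PUBKEY = b"constructed stand-in for a DER SubjectPublicKeyInfo blob"
    addr, params = generate_cga("2001:db8::/64", PUBKEY, sec=1)
    print(addr, "sec", cga_sec(addr), "verifies:", verify_cga(addr, params))
    # An attacker who substitutes its own key cannot make the same address verify.
    print("attacker key verifies:", verify_cga(addr, dict(params, pubkey=b"attacker key")))
```

In SEND the CGA Parameters travel in the CGA option of each NS/NA/RS/RA, and the RSA Signature option carries a signature made with the private key that belongs to the public key inside them. A receiver runs the verification above and then checks the signature; a forged NA for someone else's address fails the first step, because the attacker has no key pair whose hash yields that interface identifier.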