This section describes the IPv6 Secure Neighbor Discovery (SEND) protocol.
RFC 3756 defines the key security threats to network access using ND, and in response RFC 3971 defines SEcure Neighbor Discovery (SEND) with two mechanisms: SEND cryptographically generated address (CGA) and SEND authorization delegation discovery (ADD). SEND CGA counters most of these attacks. To counter malicious last-hop router attacks and bogus address prefix attacks, SEND ADD must also be deployed.
ND-specific Security Threats and Mechanisms
| Security Threat | Security Mechanism | Attack Principle | Defense Principle |
|---|---|---|---|
| NS/NA spoofing | SEND CGA | An attacker sends a legitimate node (host or FW) a neighbor solicitation (NS) message that contains a bogus source link-layer address option, or a neighbor advertisement (NA) message that contains a bogus target link-layer address option. NS/NA spoofing causes messages for the legitimate node to be sent to the bogus address. | The attack succeeds during ND address resolution because legitimate nodes cannot verify IPv6 addresses, link-layer addresses, or the bindings between them, and therefore accept NS or NA messages sent by the attacker. In response, SEND CGA combines a CGA address, a CGA option, and an RSA Signature option to authenticate the source address carried in an ND message. |
| Neighbor unreachability detection (NUD) failure | SEND CGA | An attacker repeatedly sends falsified NA messages in response to the NS messages sent by a legitimate node during NUD. As a consequence, the legitimate node fails to detect that the neighbor is unreachable. The impact of this attack depends on why the neighbor became unreachable and how the legitimate node would behave if it knew that the neighbor had become unreachable. | SEND counters this attack by requiring the NA message sent in response to an NS message to include an RSA Signature option as proof of authorization to use the interface identifier in the address being tested. If this requirement is not met, the node performing NUD discards the NA message. |
| Duplicate address detection (DAD) attacks | SEND CGA | An attacker responds to every DAD attempt made by a host that joins the network. Because the attacker claims every address, the host never obtains an address. | SEND counters this attack by requiring the NA message sent in response to an NS message to include an RSA Signature option as proof of authorization to use the interface identifier in the address being tested. If this requirement is not met, the node performing DAD discards the NA message. |
| Spoofed Redirect message | SEND CGA | An attacker uses the link-layer address of the current first-hop router to send a Redirect message to a legitimate host. The legitimate host accepts this message because it mistakenly believes that the message came from the first-hop router. | SEND counters this attack by requiring a Redirect message to contain an RSA Signature option. The RSA signature is calculated using the public key of the legitimate host. All messages that fail the RSA signature check are discarded. |
| Replay attacks | SEND CGA | An attacker captures valid messages and replays them. Even when Neighbor Discovery Protocol (NDP) messages are cryptographically protected so that their contents cannot be forged, they remain vulnerable to replay. | SEND protects solicited exchanges (such as NS/RS messages) by including a Nonce option in the solicitation and requiring the response (such as an NA/RA message) to carry a matching Nonce option. SEND protects unsolicited messages (such as NA/RA/Redirect messages) by including a Timestamp option. |
| Malicious last-hop router | SEND ADD | An attacker multicasts bogus RA messages, or unicasts bogus RA messages in response to the multicast RS messages of a host attempting to discover a last-hop router. If the host selects the attacker as its default router, the attacker can intercept all traffic exchanged between the host and its destination and insert new content into messages. This attack is also called a man-in-the-middle attack. | NDP allows a node to perform autoconfiguration based on information learned shortly after connecting to a new link. It is particularly difficult for a node to distinguish valid from invalid sources of router information, because the node needs this information before it can communicate with nodes outside the link. Since a newly connected node cannot communicate off-link, it cannot itself search for the information needed to validate routers. However, given a certification path, the node can check the result of another device's search and conclude that a particular message comes from an authorized source. |
| Bogus address prefix | SEND ADD | An attacker sends a falsified RA message announcing that certain prefixes are on-link. If a prefix is on-link, a host does not send packets destined for that prefix to the router. Instead, the host sends NS messages to attempt address resolution, but these NS messages receive no response, denying service to the attacked host. | The defense against this attack is the same as for the malicious last-hop router attack: SEND requires that routers be certified. This certification involves both hosts and routers. Specifically, a host must be configured with a trust anchor to which the router has a certification path before the host selects that router as its default router. |
Basic Concepts
| SEND Mechanism | Options and Messages | Description |
|---|---|---|
| CGA | CGA address | The interface identifier of a CGA address is generated with a one-way hash function from the sender's public key and some additional parameters. |
| CGA | CGA option | The CGA option includes the sender's amendment value and public key. The receiver uses the CGA option to verify the sender's CGA. |
| CGA | RSA Signature option | The RSA Signature option includes the hash value of the sender's public key and a digital signature computed over the ND message with the sender's private key. The receiver uses the RSA Signature option to verify the integrity of ND messages and authenticate the identity of the sender. |
| CGA | Timestamp option | The value of the Timestamp option is a 64-bit unsigned integer indicating the number of seconds since January 1, 1970, 00:00 (UTC). The receiver uses the Timestamp option to ensure that the last received packet carries the latest timestamp, which protects unsolicited advertisement and Redirect messages from being replayed. |
| CGA | Nonce option | The Nonce option contains a random number chosen by the sender of a solicitation message. For example, if an NS message carries a Nonce option, the sender considers an NA message sent in response to that NS message valid only when the NA message carries a matching Nonce option. In this manner, the Nonce option prevents replay attacks during an exchange of request and response messages. |
| ADD | Certification Path Solicitation (CPS) message | A CPS message is sent by a host when it wishes to request a certification path between a FW and one of the host's trust anchors. When a router advertisement (RA) message has been received with a public key that is not available from a certificate in the host's cache, or when there is no certification path to one of the host's trust anchors, the host sends a CPS message carrying the Trust Anchor option to search for the certification path. Currently, the Options field in a CPS message includes one or more Trust Anchor options. |
| ADD | Certification Path Advertisement (CPA) message | A CPA message is sent by a FW to a host to advertise the requested certificate. The Options field in a CPA message includes a Certificate option and zero or more Trust Anchor options. |
| ADD | Trust Anchor option | The Trust Anchor option identifies a trust anchor for which a given certification path should be constructed. |
| ADD | Certificate option | The Certificate option is included only in a CPA message and carries the certificate contents requested by a CPS message. |
SEND enhances IPv6 ND by introducing the following new extension fields and message types:
Extension fields: Cryptographically Generated Address (CGA), Rivest-Shamir-Adleman Algorithm (RSA), Timestamp, and Nonce
Message types: Certification Path Solicitation (CPS) and Certification Path Advertisement (CPA)
SEND supports the following enhanced security functions:
Address ownership verification
A CGA binds an IPv6 address to the sender's public key, which prevents IPv6 address theft. Communicating parties generate and verify CGA information, which prevents address spoofing and effectively defends against Neighbor Solicitation (NS)/Neighbor Advertisement (NA) spoofing and duplicate address detection (DAD) attacks.
Message protection
The communicating parties use RSA signatures and signature verification to protect message integrity. They also check the Timestamp and Nonce fields, which enforces the ordering of packets and defends against replay attacks.
Router authorization
Certificate-based authentication verifies router identities, which prevents attackers from sending packets in the name of routers and defends against Redirect attacks and parameter spoofing.
A CGA is an IPv6 address that a node generates from its public key using a hash algorithm. A node discards packets that fail CGA verification, which defends against spoofing attacks. CGAs are used together with the RSA signature mechanism to protect packet integrity.
The procedure for generating a CGA and an RSA signature on a node is as follows:
After receiving a packet with CGA and RSA options, a node authenticates the packet as follows:
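As an added worked example (not the page's own procedure and not vendor code), the simplified RFC 3972 CGA construction and the matching receiver-side verification in Python. generate_cga and verify_cga are hypothetical names, and the public key is a constructed byte string standing in for a DER-encoded key.

```python
import hashlib
import ipaddress
import os

def _hash1(modifier, prefix, collision_count, pubkey):
    # Hash1 over the CGA Parameters: modifier | subnet prefix | collision count | public key
    data = modifier + prefix + bytes([collision_count]) + pubkey
    return hashlib.sha1(data).digest()[:8]

def _hash2_ok(modifier, pubkey, sec):
    # Hash2 must start with 16*sec zero bits; the condition is vacuous for sec = 0
    h2 = int.from_bytes(hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14], "big")
    return sec == 0 or (h2 >> (112 - 16 * sec)) == 0

def generate_cga(prefix, pubkey, sec=0, modifier=None):
    """Return (address, cga_parameters) for an 8-byte /64 prefix and a public key."""
    modifier = modifier or os.urandom(16)
    while not _hash2_ok(modifier, pubkey, sec):   # search the modifier space when sec > 0
        modifier = ((int.from_bytes(modifier, "big") + 1) % 2**128).to_bytes(16, "big")
    params = {"modifier": modifier, "prefix": prefix, "collision_count": 0, "pubkey": pubkey}
    iid = bytearray(_hash1(modifier, prefix, 0, pubkey))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)   # bits 0-2 carry sec; u/g bits (6-7) are cleared
    return ipaddress.IPv6Address(bytes(prefix + iid)), params

def verify_cga(address, params):
    """Receiver-side check of a CGA against the parameters carried in the CGA option."""
    raw = ipaddress.IPv6Address(address).packed
    if raw[:8] != params["prefix"] or not 0 <= params["collision_count"] <= 2:
        return False
    sec = raw[8] >> 5
    expected = _hash1(params["modifier"], params["prefix"], params["collision_count"], params["pubkey"])
    # compare Hash1 with the interface identifier, ignoring the sec, u and g bits
    if (raw[8] & 0x1C) != (expected[0] & 0x1C) or raw[9:] != expected[1:]:
        return False
    return _hash2_ok(params["modifier"], params["pubkey"], sec)

# Constructed sample input: a documentation /64 prefix and a stand-in public key
PREFIX = ipaddress.IPv6Network("2001:db8::/64").network_address.packed[:8]
PUBKEY = b"constructed-public-key-bytes"

if __name__ == "__main__":
    addr, params = generate_cga(PREFIX, PUBKEY)
    print(addr, verify_cga(addr, params))
```

A real SEND node signs the ND message with the private key matching PUBKEY and ships the signature in the RSA Signature option; the CGA check above only proves the address is bound to that key.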
After a CGA is generated, ND packets to be sent by the interface must meet the following requirements:
Content in the Timestamp and Nonce options is automatically generated.
A SEND-enabled node uses the timestamps carried in ND messages to defend against replay of messages that are not part of an NS/NA exchange. After SEND is enabled, a node maintains the Delta and Fuzz parameters. After receiving ND messages, the node checks their timestamps for out-of-order delivery as specified in RFC 3971 and discards messages that fail the check.
A nonce is a random value that labels the current exchange and is used to defend against replay attacks during NS/NA transactions. A node generates a random value and adds it to the NS messages it sends to request the link-layer addresses of other nodes. After receiving an NS message, the receiver sends an NA message that echoes the random value from the received NS message.
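The Timestamp and Nonce checks from the two paragraphs above, as an added Python example that is not the vendor's implementation. SendReplayGuard and its methods are hypothetical names; the Delta, Fuzz and drift defaults are the RFC 3971 recommendations (300 s, 1 s, 1%).

```python
import os

DELTA = 300.0   # allowed clock offset for a peer seen for the first time (seconds)
FUZZ = 1.0      # fuzz factor for timestamp comparisons (seconds)
DRIFT = 0.01    # tolerated relative clock drift between peers (1%)

class SendReplayGuard:
    """Receiver-side state for the Nonce (solicited) and Timestamp (unsolicited) checks."""

    def __init__(self):
        self.pending = {}   # target address -> nonce of an NS we sent that is still unanswered
        self.peers = {}     # peer address -> (RDlast, TSlast): our receive time, its timestamp

    def new_solicitation(self, target):
        """Choose a fresh nonce for an NS to `target` and remember it."""
        nonce = os.urandom(6)   # the Nonce option carries at least 6 random octets
        self.pending[target] = nonce
        return nonce

    def accept_advertisement(self, target, nonce):
        """A solicited NA is valid only if it echoes the nonce of our outstanding NS, once."""
        if self.pending.get(target) != nonce:
            return False
        del self.pending[target]   # consume the nonce so a replayed NA is rejected
        return True

    def accept_unsolicited(self, peer, ts_new, rd_new):
        """Timestamp check for unsolicited NA/RA/Redirect: ts_new is the option value, rd_new our clock."""
        if peer not in self.peers:
            ok = abs(rd_new - ts_new) < DELTA        # first contact: clocks must roughly agree
        else:
            rd_last, ts_last = self.peers[peer]
            # the peer's clock must have advanced at least as much as ours, within fuzz and drift
            ok = ts_new + FUZZ > ts_last + (rd_new - rd_last) * (1 - DRIFT) - FUZZ
        if ok and ts_new > self.peers.get(peer, (0.0, 0.0))[1]:
            self.peers[peer] = (rd_new, ts_new)    # cache only the newest accepted timestamp
        return ok
```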
To prevent attackers from sending packets in the name of routers, SEND introduces CPS and CPA messages to verify router identities.
Routers must apply for certificates from the Certificate Authority (CA). The certificates contain routers' identity information, public keys, and CA digital signatures.
In the stateless address autoconfiguration scenario, after receiving an RA message, a host sends a CPS message to request the certificate of a router. The router responds by sending its certificate in a CPA message. After receiving the CPA message, the host attempts to authenticate the certificate and considers the router as a default router only after the certificate is successfully authenticated.