Denial of service attack over secure neighbor discovery (SeND)

Abstract

IPv6, the Internet Protocol suite version 6, uses a Neighbor Discovery Protocol (NDP). NDP mainly replaces router discovery and the Address Resolution Protocol (ARP) and after that redirects the functions used in IPv4, i.e. the Internet Protocol suite version 4. The NDP system is a stateless protocol since it does not need the dynamic host's configuration protocol server to enable the various IPv6 nodes for determining the connected hosts along with the IPv6 network routers. To add layers of protection to NDP, the SeND (Secure Neighbor Discovery) extension was developed, which provides router authorization, proof of address ownership, and message protection for the protocol. SeND employs CGAs (Cryptographically Generated Addresses) and X.509 certificates. Despite its many advantages, deploying SeND is not easy, and it is still vulnerable to specific DoS (Denial-of-Service) attacks. The components of SeND and its responses to NDP threats are further elaborated in this paper. Also, an overview of the implementation of SeND, its limitations, existing vulnerabilities, and current deployment challenges are also presented. Furthermore, to test the performance of SeND under a DoS attack, a test bed was implemented, and the results discussed.