Detection of neighbor solicitation and advertisement spoofing in IPv6 neighbor discovery protocol

Abstract

With the increase in number of hosts in the Internet, there is also a rise in the demand for IP address space. To cater to this issue, IP version 6 (IPv6) succeeded IPv4. Compared to 32 bit IP address space in IPv4, IP address in IPv6 is composed of 128 bits. In IPv4, when a host wants to communicate with another host in an LAN, it needs to know the MAC address of the target host, which was possible through Address Resolution Protocol (ARP). As ARP is stateless and due to lack of authorization in ARP messages, many attacks like request spoofing, response spoofing, Man-in-the-Middle (MiTM), Denial-of- Service (DoS) etc. are possible. IPv6 uses Network Discovery Protocol (NDP) to find the MAC address. NDP is also stateless and lacks authentication of its messages by default. So NDP also suffers from many attacks similar to ARP. Although there are various attack detection and prevention mechanisms available for ARP attacks, they are not yet implemented for NDP (IPv6). In this paper we propose an attack detection mechanism for neighbor solicitation spoofing and neighbor advertisement spoofing.