Abstract

The Neighbor Discovery Protocol (NDP) is a stateless protocol that facilitates link-local communication in IPv6 networks. Nodes use IPv6 NDP to locate other hosts and routers on the link, resolve link-layer addresses, detect duplicate addresses and track the reachability of paths to active nodes. However, link-local communication using NDP is susceptible to some severe attacks, which, if neglected, leave the network vulnerable. Attackers can spoof the source addresses of legitimate nodes by forging NDP messages and launch attacks such as Denial of Service (DoS) and Man-in-the-Middle (MITM), leading to failure of IPv6 host initialization. To avert this, RFC 3971 advocates employing Secure Neighbor Discovery (SeND) to secure the process. SeND protects against message tampering, prevents IPv6 address theft, protects against replay attacks and enables validation of routers on the link. Although SeND is a robust link-layer security mechanism, its practical implementation is reported to have serious shortcomings, such as cryptographic algorithms that increase computational complexity and bandwidth utilization, which discourage its implementation and adoption. Moreover, the protocol itself does not provide confidentiality in the network. SeND also lacks mature, complete implementations in commercial operating systems and network devices. This paper revisits the protocol implementation and reviews its deployment challenges. It also discusses some feasible proposals and recommendations for facilitating practical deployment of SeND in IPv6 networks, including on resource-constrained devices such as mobile phones.
