SEND (Secure Neighbor Discovery)
Secure Neighbor Discovery (SEND) is a protocol designed to enhance the security of the Neighbor Discovery Protocol (NDP) used in IPv6 networks. NDP is responsible for address autoconfiguration, router discovery, and neighbor discovery functions in IPv6 networks. However, NDP lacks built-in security measures, making it susceptible to various attacks. SEND addresses these security concerns by adding cryptographic mechanisms to protect the NDP messages and ensure the authenticity and integrity of network entities.
The main objectives of SEND are as follows:
- Secure Address Autoconfiguration: SEND ensures that a host obtains a unique and secure IPv6 address from a valid and authorized router. This prevents attacks such as address theft or spoofing.
- Router Authorization: SEND verifies the authenticity of routers in the network to prevent rogue or unauthorized routers from participating in the network infrastructure. It uses certificates and public key infrastructure (PKI) to authenticate routers.
- Secure Neighbor Discovery: SEND ensures the secure discovery and verification of neighboring devices to prevent address and routing-related attacks, such as neighbor spoofing or redirection.
To achieve these objectives, SEND introduces several security mechanisms:
- Cryptographically Generated Addresses (CGAs): A CGA is an IPv6 address whose interface identifier is derived from a cryptographic hash of the address owner's public key. Because only the holder of the matching private key can sign messages for that address, CGAs give a strong proof of address ownership and prevent address theft or spoofing.
- Router Advertisements (RAs) Protection: RAs are messages sent by routers to announce their presence and provide network configuration information. SEND protects RAs by digitally signing them using the router's private key. Hosts can verify the signature using the router's public key to ensure the authenticity of the router.
- Certification Path Validation: SEND relies on a PKI to validate the certificates presented by routers and hosts. A receiver verifies the certification path from a trusted root certificate authority (CA) down to the end entity's certificate, confirming that every certificate in the chain is valid and was issued by an authority it trusts.
- Neighbor Solicitation (NS) and Neighbor Advertisement (NA) Protection: SEND protects NS and NA messages by including a Cryptographically Generated Message Authentication Code (CG-MAC). The CG-MAC provides integrity protection and prevents message tampering.
- Timestamps and Nonces: SEND incorporates timestamps and nonces in the messages to prevent replay attacks. Nonces are random values used only once to ensure freshness and prevent attackers from reusing intercepted messages.
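The CGA bullet above describes the address construction in words; the following Python program, added here as an illustration and not taken from the article or from any SEND implementation, carries the RFC 3972 generation and verification algorithms through on constructed input. The public key bytes, the starting modifier and the prefix (2001:db8:0:1::/64, the documentation prefix) are all made up for the example; a real host would use the DER-encoded public key of its own RSA key pair and a random starting modifier. Sec=1 is used so the hash-extension search finishes in well under a second while still showing how the work factor is checked.

```python
import hashlib
import ipaddress
import os

# Constructed sample inputs (not from the article). In a real SEND host the public key is
# the DER-encoded SubjectPublicKeyInfo of the node's RSA key; only its bytes enter the hash,
# so a fixed byte string stands in here.
SAMPLE_PUBLIC_KEY = bytes.fromhex("30819f300d06092a864886f70d010101050003818d00") + bytes(range(141))
SAMPLE_PREFIX = bytes.fromhex("20010db800000001")  # 2001:db8:0:1::/64, the documentation prefix
SAMPLE_MODIFIER = bytes(16)  # fixed starting point so the search is repeatable; real hosts start random


def hash1(modifier, prefix, collision_count, pubkey):
    """RFC 3972 Hash1: SHA-1 over modifier | subnet prefix | collision count | public key, leftmost 64 bits."""
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]


def hash2(modifier, pubkey):
    """RFC 3972 Hash2: SHA-1 over modifier | 9 zero octets | public key, leftmost 112 bits."""
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def hash2_meets_sec(h2, sec):
    """True when the 16*Sec leftmost bits of Hash2 are zero (the hash-extension work factor)."""
    return (int.from_bytes(h2, "big") >> (112 - 16 * sec)) == 0


def generate_cga(prefix, pubkey, sec, modifier=None, collision_count=0):
    """CGA generation (RFC 3972 section 4). Returns (address_bytes, final_modifier)."""
    if not 0 <= sec <= 7 or collision_count > 2:
        raise ValueError("Sec must be 0..7 and the collision count at most 2")
    modifier = os.urandom(16) if modifier is None else modifier
    m = int.from_bytes(modifier, "big")
    # Steps 1-3: increment the modifier until Hash2 has 16*Sec leading zero bits.
    while not hash2_meets_sec(hash2(modifier, pubkey), sec):
        m = (m + 1) % (1 << 128)
        modifier = m.to_bytes(16, "big")
    # Steps 4-7: the interface identifier is Hash1 with Sec written into its three
    # leftmost bits and the u and g bits (bits 6 and 7) cleared.
    iid = bytearray(hash1(modifier, prefix, collision_count, pubkey))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return prefix + bytes(iid), modifier


def verify_cga(address, modifier, prefix, collision_count, pubkey):
    """CGA verification (RFC 3972 section 5): does this public key really own the address?"""
    if collision_count > 2:
        return False                       # step 2
    if address[:8] != prefix:
        return False                       # step 3: prefix in the CGA parameters must match the address
    sec = address[8] >> 5                  # step 4: Sec is read from the address itself
    expected = bytearray(hash1(modifier, prefix, collision_count, pubkey))
    actual = bytearray(address[8:])
    expected[0] &= 0x1C                    # steps 5-6: Sec, u and g bits are ignored in the comparison
    actual[0] &= 0x1C
    if expected != actual:
        return False
    # Steps 7-8: the claimant must also have done the hash-extension work that Sec demands.
    return hash2_meets_sec(hash2(modifier, pubkey), sec)


def to_text(address):
    """Render the 16 address bytes in the usual IPv6 notation."""
    return str(ipaddress.IPv6Address(address))


if __name__ == "__main__":
    addr, mod = generate_cga(SAMPLE_PREFIX, SAMPLE_PUBLIC_KEY, 1, SAMPLE_MODIFIER)
    print("CGA:", to_text(addr), "modifier:", mod.hex())
    print("verifies with owner's key:", verify_cga(addr, mod, SAMPLE_PREFIX, 0, SAMPLE_PUBLIC_KEY))
```

The verification step is where the defence lives: a node that wants to claim someone else's CGA would have to find a public key and modifier that hash to the same interface identifier, and raising Sec multiplies the cost of that search by 2^16 per step while costing the verifier a single extra SHA-1.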
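The timestamp and nonce bullet says replayed messages are rejected but not how a receiver decides. The Python below, added as an example and not part of the article or of any SEND implementation, applies the receiver-side checks of RFC 3971 section 5.3.4 with that document's default parameters (a 300 s skew window for a first contact, 1 s fuzz and 1 % drift for known peers) and enforces one-time use of the nonce a receiver placed in its own solicitation. The peer addresses, clock values and the replay scenario are constructed for the example.

```python
import os

# RFC 3971 section 5.3.4 default parameters for checking the Timestamp option.
TIMESTAMP_DELTA = 300.0   # seconds: tolerated clock difference for a peer seen for the first time
TIMESTAMP_FUZZ = 1.0      # seconds: allowance for processing delay and timestamp granularity
TIMESTAMP_DRIFT = 0.01    # 1 %: tolerated relative clock drift between the two peers


def encode_timestamp(seconds):
    """Timestamp option value: 48 bits of seconds since 1970-01-01 00:00 UTC, 16 bits of fraction."""
    whole = int(seconds)
    frac = int(round((seconds - whole) * 65536)) & 0xFFFF
    return ((whole & 0xFFFFFFFFFFFF) << 16) | frac


def decode_timestamp(value):
    return (value >> 16) + (value & 0xFFFF) / 65536.0


class ReplayGuard:
    """Receiver-side replay state: last accepted timestamp per peer plus outstanding nonces."""

    def __init__(self):
        self.peers = {}            # peer address -> (TSlast, RDlast)
        self.outstanding = set()   # nonces from solicitations we sent and have not yet seen answered

    def accept_timestamp(self, peer, ts_value, now):
        """Timestamp check for an unsolicited message from peer that arrived at local time now."""
        ts_new, rd_new = decode_timestamp(ts_value), now
        if peer not in self.peers:
            # First contact: the sender's clock must agree with ours to within TIMESTAMP_DELTA.
            if not (-TIMESTAMP_DELTA < rd_new - ts_new < TIMESTAMP_DELTA):
                return False
        else:
            # Known peer: the timestamp must have advanced by about as much as our own clock
            # since the last accepted message. A replayed capture still carries the old
            # timestamp and fails this test no matter how valid its signature is.
            ts_last, rd_last = self.peers[peer]
            if ts_new + TIMESTAMP_FUZZ <= ts_last + (rd_new - rd_last) * (1 - TIMESTAMP_DRIFT) - TIMESTAMP_FUZZ:
                return False
        if peer not in self.peers or ts_new > self.peers[peer][0]:
            self.peers[peer] = (ts_new, rd_new)
        return True

    def new_nonce(self):
        """Nonce option value for a solicitation we are about to send (at least 6 random octets)."""
        nonce = os.urandom(6)
        self.outstanding.add(nonce)
        return nonce

    def accept_nonce(self, nonce):
        """A solicited advertisement is accepted only if it echoes a nonce we sent, and only once."""
        if nonce in self.outstanding:
            self.outstanding.discard(nonce)
            return True
        return False


def replay_scenario():
    """Constructed scenario: a legitimate NA, its replay 400 s later, and a stale capture from a new peer."""
    guard = ReplayGuard()
    t0 = 1_700_000_000.0                                    # constructed receiver clock
    legit = encode_timestamp(t0 - 2)                          # the peer's clock runs 2 s behind ours
    results = {
        "first_message": guard.accept_timestamp("fe80::1", legit, t0),
        "replay_400s": guard.accept_timestamp("fe80::1", legit, t0 + 400),
        "fresh_400s": guard.accept_timestamp("fe80::1", encode_timestamp(t0 + 399), t0 + 400),
        "stale_new_peer": guard.accept_timestamp("fe80::2", encode_timestamp(t0 - 1000), t0),
    }
    nonce = guard.new_nonce()
    results["solicited_reply"] = guard.accept_nonce(nonce)     # echoes our nonce: accepted
    results["replayed_reply"] = guard.accept_nonce(nonce)      # same reply again: rejected
    results["unsolicited_reply"] = guard.accept_nonce(os.urandom(6))  # nonce we never sent: rejected
    return results


if __name__ == "__main__":
    for name, accepted in replay_scenario().items():
        print(f"{name:18s} {'accepted' if accepted else 'rejected'}")
```

Note that the timestamp check only makes sense for unsolicited messages (RAs, unsolicited NAs, Redirects); for a message that answers a solicitation, the echoed nonce already ties it to a specific recent request, which is why the two mechanisms are kept separate here.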
By integrating these security mechanisms, SEND enhances the security of IPv6 networks by ensuring the authenticity, integrity, and confidentiality of NDP messages. It provides protection against attacks such as address theft, neighbor spoofing, and rogue router insertion. SEND does, however, require additional configuration and infrastructure, such as a deployed PKI and ongoing certificate management, before its protections can be used in full.