Sheng Jiang (Speaker), Xu Chen, Xuan Song (Huawei). Neighbor Cache Protection in Neighbor Discovery Protocol. draft-jiang-v6ops-nc-prtection-01. IETF 77, V6OPS.
Sheng Jiang (Speaker), Xu Chen, Xuan Song (Huawei). Neighbor Cache Protection in Neighbor Discovery Protocol. draft-jiang-v6ops-nc-prtection-01. IETF 77 V6OPS WG, March 26, 2010.

Threats to the Neighbor Cache

In the Neighbor Discovery Protocol (RFC 4861), information about neighbors, such as the mapping between link-layer addresses and IPv6 addresses, is recorded in a local Neighbor Cache (NC) database. The NC is vulnerable to malicious attacks: a DoS attack against the NC of an IPv6 router can fill it with forged entries and exhaust the cache's resources.

A DoS Attack Example against the NC

    Hacker A  --- NS (faked address) --->  Router B
    Hacker A  --- NS (faked address) --->  Router B
    ...

Example Neighbor Cache:

    IPv6 Address                  State   MAC
    FE80::21D:A1FF:FE79:A437      STALE   xxxx
    FE80::21D:A1FF:FE79:A438      STALE   xxxx
    FE80::21D:A1FF:FE79:A439      STALE   xxxx

- An attacker sends minimally sized Neighbor Solicitation (NS) packets (90 bytes each) to a target router over a 100 Mbps Ethernet link.
- In theory it can build up and sustain perhaps 145k bogus entries per second.
- Note: the Neighbor Cache on most access router devices holds between 1k and 50k entries.
- Even the largest routers' NCs are completely filled in less than half a second.
- New hosts' access requests are blocked.
- Recovery depends on the expiry time of NC entries; it takes minutes after the attack stops.

A Lightweight Secure Mechanism is Needed

SeND [RFC 3971] provides a feasible solution, but it is too heavyweight. A lightweight secure mechanism is needed that:
- focuses on NC protection only
- minimizes the changes required to the existing ND protocol
- requires NO changes on normal hosts (the initiator side)

In-scope requirements:
- resistance to DoS attacks
- resistance to replay attacks
- resistance to IP address spoofing

Out-of-scope requirements:
- privacy (or encryption)
- authentication
- message integrity
- non-repudiation

Reverse Detection for Neighbor Cache Protection

    Host A                                 Router B
      |                                       |
      |  (1) RS/NS/NA                         |
      + ================================>     +
      |                                       |  (2) Create NS record
      |                                       |      (impl. in high speed memory)
      |  (3) Reverse Detect NS                |
      + <================================     +
      |                                       |
      |  (4) RD-Reply NA                      |
      + ================================>     +
      |                                       |  (5a) verify against the NS record
      |                                       |  (5) Create NC entry
      |  (6) RA/NA                            |
      + <================================     +
      |                                       |

- On receiving the first RS/NS/NA message, the router puts this message into a high-speed NS record table (action (2)).
- It then sends a Reverse Detection (RD) NS message to the initiating host (action (3)).
- The initiating host responds with an RD-reply NA message (action (4)).
- When the router receives the RD-reply NA message, it verifies whether the pair of source IPv6 address and source MAC address matches an entry in the NS record table (action (5a)).
- If verified, it fetches the matching NS record and continues with the normal CPU-based slow-path NS procedure (actions (5) and (6)). No NC entry is created until this check passes.
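The following Python simulation is an added example, not code from the slides or from the draft. It models the exhaustion attack from the earlier slide and the Reverse Detection exchange above side by side: a router with a bounded Neighbor Cache, an attacker flooding NS messages with forged source IPv6 and forged source MAC addresses, and one legitimate host that tries to join after the flood. Everything in it is constructed: the addresses, the 1000-entry cache, the single-segment link, and the assumption that nobody on the link owns the forged MACs, so the RD NS of step (3) goes unanswered. The RD round trip is collapsed into a synchronous call, so an NS record lives only for one exchange.

```python
"""Simulate NC exhaustion under plain ND versus Reverse Detection (RD).

Constructed model for illustration; not the draft's implementation.
"""
import random
from collections import OrderedDict

NC_CAPACITY = 1000   # assumption: small cache so the flood runs quickly


class Host:
    """A node that answers an RD NS only for an address it really owns."""

    def __init__(self, ip, mac):
        self.ip, self.mac = ip, mac

    def on_rd_ns(self, target_ip):
        # Step (4): RD-reply NA carries the (IPv6, MAC) pair of this host.
        return (self.ip, self.mac) if target_ip == self.ip else None


class Link:
    """Ethernet segment: a unicast frame reaches the host owning the MAC."""

    def __init__(self, hosts):
        self.by_mac = {h.mac: h for h in hosts}

    def rd_ns(self, dst_mac, target_ip):
        host = self.by_mac.get(dst_mac)      # forged MAC: nobody is listening
        return host.on_rd_ns(target_ip) if host else None


class Router:
    def __init__(self, link, reverse_detection):
        self.link = link
        self.rd = reverse_detection
        self.nc = OrderedDict()              # IPv6 -> MAC, the slow-path NC
        self.ns_records = {}                 # IPv6 -> MAC, fast-path NS records

    def receive_ns(self, src_ip, src_mac):
        """Process one NS. Returns True if an NC entry exists afterwards."""
        if src_ip in self.nc:
            return True
        if not self.rd:
            # RFC 4861 behaviour: the claimed pair goes straight into the NC.
            return self._create_nc(src_ip, src_mac)
        # (2) record the claimed pair; (3) send the RD NS to the claimed MAC
        self.ns_records[src_ip] = src_mac
        reply = self.link.rd_ns(src_mac, src_ip)
        recorded = self.ns_records.pop(src_ip)   # record lives one round trip
        # (5a) the RD-reply NA must carry exactly the recorded pair
        if reply != (src_ip, recorded):
            return False
        return self._create_nc(src_ip, src_mac)  # (5) slow path, NC entry

    def _create_nc(self, ip, mac):
        if len(self.nc) >= NC_CAPACITY:
            return False                     # cache exhausted: host blocked
        self.nc[ip] = mac
        return True


def forged_ll_addr(rng):
    # Constructed link-local address; never equals the legitimate host's.
    return "fe80::%x:%x" % (rng.getrandbits(16), rng.getrandbits(16))


def forged_mac(rng):
    return "02:" + ":".join("%02x" % rng.getrandbits(8) for _ in range(5))


def run_attack(reverse_detection, flood=5000, seed=1):
    """Flood the router, then let a real host join.

    Returns (bogus NC entries after the flood, whether the real host got in).
    """
    rng = random.Random(seed)
    alice = Host("fe80::1", "00:11:22:33:44:55")
    router = Router(Link([alice]), reverse_detection)
    for _ in range(flood):
        router.receive_ns(forged_ll_addr(rng), forged_mac(rng))
    bogus = sum(1 for ip in router.nc if ip != alice.ip)
    admitted = router.receive_ns(alice.ip, alice.mac)
    return bogus, admitted


if __name__ == "__main__":
    print("plain ND          :", run_attack(reverse_detection=False))
    print("reverse detection :", run_attack(reverse_detection=True))
```

Under plain ND the flood fills all 1000 slots and the legitimate host is refused; with Reverse Detection no forged pair survives step (5a), so the NC stays empty and the host is admitted. The simulation assumes the flood forges the link-layer address; a sender that floods from its own MAC would receive the RD NS and could answer it, so the protection the slides describe rests on the NC not being touched before the round trip completes and on NS records living only in the fast table for the duration of that round trip, rather than on the reply proving anything about who owns the IPv6 address.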

Questions, clarification, comment?