ND-Shield: Protecting against Neighbor Discovery Attacks

Slides:



Advertisements
Similar presentations
73rd IETF meeting, November 16-21, 2008
Advertisements

Security Assessment of Neighbor Discovery for IPv6
IETF – March 22, 2001 Improving Network Renumbering in Mobile IPv6 Changes to Tunneled Router Solicit/Advert T.J. Kniveton Nokia Research Center Mountain.
1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.
IP Forwarding Relates to Lab 3.
Neighbor Discovery for IPv6 Mangesh Kaushikkar. Overview Introduction Terminology Protocol Overview Message Formats Conceptual Model of a Host.
Security Assessment of the Internet Protocol version 4 (IPv4) draft-ietf-opsec-ip-security Fernando Gont project carried out on behalf of UK CPNI 76th.
2: Comparing IPv4 and IPv6 Rick Graziani Cabrillo College
Routing Security Capabilities draft-zhao-opsec-routing-capabilities-02.txt OPSEC WG, IETF #66.
Mitigating Teredo Routing Loop Attacks (draft-gont-6man-teredo-loops-00 ) Fernando Gont on behalf of UK CPNI IETF 79 November 7-12, Beijing, China.
Security implications of Network Address Translators (NATs) (draft-gont-behave-nat-security) Fernando Gont Pyda Srisuresh UTN/FRH EMC Corporation 76th.
SAVI IP Source Guard draft-baker-sava- implementation Fred Baker.
Doc.: IEEE /1183r0 Submission September 2011 Masataka Ohta, Tokyo Institute of TechnologySlide 1 IP over Congested WLAN Date: Authors:
Pseudowire Endpoint Fast Failure Protection draft-shen-pwe3-endpoint-fast-protection-00 Rahul Aggarwal Yimin Shen
Reactive Discovery of Point-to-Point Routes in Low Power and Lossy Networks draft-ietf-roll-p2p-rpl-04 Mukul Goyal University of Wisconsin Milwaukee.
FMIPv6 Usage with DNA Protocol draft-koodli-dna-fmip-00 Rajeev Koodli, Syam Madanapalli DNA WG, 63 IETF - Paris.
TCP/IP Basics A review for firewall configuration.
1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.
Guide to TCP/IP Fourth Edition
Internet Control Message Protocol ICMP. ICMP has two major purposes: –To report erroneous conditions –To diagnose network problems ICMP has two major.
Chapter 4: Managing LAN Traffic
Summary of Certification Process (part 1). IPv6 Client IPv6 packets inside IPv4 packets.
ICMP attacks against TCP draft-ietf-tcpm-icmp-attacks-01.txt Fernando Gont (UTN/FRH) 67 th IETF Meeting, San Diego, California, USA November 5-10, 2006.
1 IP Forwarding Relates to Lab 3. Covers the principles of end-to-end datagram delivery in IP networks.
Slide: 1 Neighbor Discovery. Slide: 2 Neighbor Discovery Overview Set of messages and processes that determine relationships between neighboring nodes.
Internet Protocols. Address Resolution IP Addresses are not recognized by hardware. If we know the IP address of a host, how do we find out the hardware.
DSR: Introduction Reference: D. B. Johnson, D. A. Maltz, Y.-C. Hu, and J. G. Jetcheva, “The Dynamic Source Routing Protocol for Mobile Ad Hoc Networks,”
Secure Neighbor Discovery in IPv6 Jari Arkko Ericsson Research James Kempf DoCoMo US Labs.
Understanding IPv6 Slide: 1 Lesson 12 IPv6 Mobility.
V6OPS WG – IETF #85 IPv6 for 3GPP Cellular Hosts draft-korhonen-v6ops-rfc3316bis-00 Jouni Korhonen, Jari Arkko, Teemu Savolainen, Suresh Krishnan.
ICMPv6 Error Message Types Informational Message Types.
Attacking on IPv6 W.lilakiatsakun Ref: ipv6-attack-defense-33904http://
Neighbor Discovery. IPv6 Terminology Additional subnets Router Host Neighbors Host Intra-subnet router Switch LAN segment Link Subnet Network.
Chapter 27 IPv6 Protocol.
Firewalls A brief introduction to firewalls. What does a Firewall do? Firewalls are essential tools in managing and controlling network traffic Firewalls.
Design Guidelines for IPv6 Networks draft-matthews-v6ops-design-guidelines Philip Matthews Alcatel-Lucent.
IPv6 over ’s IPv6 Convergence Sublayer IPv6 over ’s IPv6 Convergence Sublayer draft-madanapalli-ipv6-over ipv6cs-00 Syam Madanapalli.
Sheng Jiang (Speaker) Xu Chen Xuan Song Huawei Neighbor Cache Protection in Neighbor Discover Protocol draft-jiang-v6ops-nc-prtection-01 IETF 77 V6OPS.
03 Jun 2011There's no place like ::1 Introduction to IPv6 Protocol part 2 George Kargiotakis oss-unipi: Event #27.
Security Implications of Predictable Fragment Identification Values
Host Scanning in IPv6 Networks (draft-gont-opsec-ipv6-host-scanning) IETF 84 Vancouver, Canada. July 29-August 3, 2012.
Security Implications of IPv6 on IPv4 Networks
IPv6 101 pre-GDB - IPv6 workshop 7th of June 2016 edoardo
Booting up on the Home Link
Secure Proxy ND Support for SEND draft-krishnan-csi-proxy-send-00
Multicast Listener Discovery
CIS 116 IPv6 Fundamentals 2 – Primer Rick Graziani Cabrillo College
Syam Madanapalli Basavaraj Patil Erik Nordmark JinHyeock Choi
Carles Gomez, S. M. Darroudi
Ingress Filtering, Site Multihoming, and Source Address Selection
Gunter Van de Velde Kiran Kumar Chitimaneni Warren Kumari
IP Forwarding Covers the principles of end-to-end datagram delivery in IP networks.
Current Issues with DNS Configuration Options for SLAAC
76th IETF meeting, November 8-13, 2009
DHCPv6-Shield: Protecting Against Rogue DHCPv6 Servers
Fragmentation issues in IPv4/IPv6 translation
Encapsulation/Decapsulation
IP Forwarding Relates to Lab 3.
TCP for DNS security considerations
November 7-12, Beijing,China.
Internet Protocol Version 6
IP Forwarding Relates to Lab 3.
A Unified Approach to IP Segment Routing
IP Forwarding Relates to Lab 3.
Networking and Network Protocols (Part2)
IP Forwarding Relates to Lab 3.
BIER in IPv6 draft-zhang-bier-bierin6-03
draft-ietf-bier-ipv6-requirements-01
Chapter 4: outline 4.1 Overview of Network layer data plane
Presentation transcript:

ND-Shield: Protecting against Neighbor Discovery Attacks (draft-gont-opsec-nd-shield) IETF 84 Vancouver, Canada. July 29-August 3, 2012

Overview Aims at blocking Neighbor Discovery attacks at the link-layer It targets attack vectors based on: Neighbor Solicitation Neighbor Advertisement Router Solicitation Redirect messages Complements other technologies such as RA-Guard Even if you do RA-Guard, an attacker can still become the “Next-Hop Router” by sending other non-RA Neighbor Discovery packets

draft-gont-opsec-nd-shield Specifies the filtering rules for ND-Shield, i.e., how to filter: Neighbor Solicitations Neighbor Advertisements Router Solicitations Redirects Greatly benefits from work done in v6ops for RA-Guard

Filtering rules General rules for all messages: Follow the entire IPv6 header chain to identify the type of packet If the packet is a first-fragment and the upper-layer header is not found, drop the packet If the Source Address had not been previously seen, record the address, otherwise filter the packet if it has been received on a different port [Type-specific filtering] Otherwise, pass the packet as usual

Open issues Current I-D specifies the rules on a per-packet-type basis Might want to coalesce all filtering rules Probably more useful from an implementor's point of view

Moving forward Adopt as an OPSEC WG item?

Thanks! Fernando Gont fgont@si6networks.com www.si6networks.com

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.