IPv6 Security Features (Part 1)

IPv6 Secure Neighbor Discovery Protocol (SEND)

The Secure Neighbor Discovery Protocol (SEND) is a protocol designed to improve the security of the process of discovering and resolving IPv6 addresses in local networks.

SEND is based on the IPv6 Neighbor Discovery Protocol (NDP) and adds authentication and integrity protection to neighbor discovery messages.

At the end of the article you will find a short test that lets you assess the knowledge acquired in this reading.

The main goal of SEND is to prevent spoofing and cache poisoning attacks, which are common in IPv6 networks. These attacks can allow an attacker to redirect legitimate traffic or intercept sensitive information. SEND uses cryptography and digital signatures to verify the identity of neighbors and ensure the authenticity of neighbor discovery messages.

The operation of SEND involves the following components:

Neighbor certificates

SEND uses X.509 certificates to authenticate the identity of neighbors. Each neighbor must obtain a certificate signed by a trusted certificate authority (CA). These certificates contain the information necessary to verify the identity and authenticity of the neighbor.

Secure neighbor request and response messages

SEND uses secure neighbor request and response messages to perform neighbor discovery securely. These messages are protected by cryptography and digital signatures. The requesting neighbor includes its certificate in the request message and the target neighbor responds with its certificate and a digital signature.

Verification process

When a neighbor receives a secure neighbor discovery message, it verifies the authenticity and integrity of the message using the certificate information and digital signature. If the verification is successful, the neighbor considers the remote neighbor authentic and trustworthy.

Detection of changes in network topology

SEND provides additional functionality to detect changes in network topology. If a neighbor detects significant changes in its network environment, such as the appearance of new neighbors or the absence of existing neighbors, it can send notification messages to other neighbors to inform them of the situation.

Neighbor cache update

If a neighbor receives a secure neighbor response and successfully verifies it, it updates its neighbor cache with the IPv6 address and information of the authenticated neighbor. This prevents the possible insertion of false information into the neighbor cache and helps ensure the correct path for communications.
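The verification chain described in the components above (a certificate issued by a trusted CA, a signed message, receiver-side verification, and a cache update only on success) can be shown end to end. The Go program below is an added example written for this article; it is not code from the article or from any SEND implementation. It uses Go's standard x509 and Ed25519 packages to create an in-memory CA, issue a neighbor certificate that carries the neighbor's IPv6 address as a subject alternative name, sign a neighbor advertisement, and verify it on the receiving side before touching the neighbor cache. The message layout, the address-in-SAN binding, the Ed25519 key type and the names IssueCert, Advertise, Accept and NeighborCache are assumptions made for the example; the code does not reproduce the RFC 3971 wire format and omits replay protection.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Neighbor holds a node's private key and its CA-issued certificate.
type Neighbor struct {
	Key  ed25519.PrivateKey
	Cert *x509.Certificate
}

// Advertisement is a signed neighbor advertisement (constructed layout, not the RFC 3971 wire format).
type Advertisement struct {
	Target, LinkLayer string // advertised IPv6 address and its link-layer (MAC) address
	CertDER           []byte // sender's certificate, as sent on the link
	Signature         []byte // Ed25519 signature over payload()
}

// NeighborCache maps IPv6 addresses to link-layer addresses that passed verification.
type NeighborCache map[string]string

// IssueCert generates a key pair and a certificate signed by ca (self-signed when ca is nil).
func IssueCert(ca *Neighbor, serial int64, cn string, ips []net.IP, isCA bool) (*Neighbor, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IPAddresses: ips,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	}
	parent, signer := tmpl, key // self-signed unless a CA is given
	if ca != nil {
		parent, signer = ca.Cert, ca.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Neighbor{Key: key, Cert: cert}, err
}

// payload is the byte string the signature covers: the fields that must not change in transit.
func (a *Advertisement) payload() []byte { return []byte(a.Target + "|" + a.LinkLayer) }

// Advertise builds an advertisement for target and signs it with the node's key.
func (n *Neighbor) Advertise(target, mac string) *Advertisement {
	a := &Advertisement{Target: target, LinkLayer: mac, CertDER: n.Cert.Raw}
	a.Signature = ed25519.Sign(n.Key, a.payload())
	return a
}

// Accept is the receiver-side verification; the cache changes only when every check passes.
func (c NeighborCache) Accept(a *Advertisement, caCert *x509.Certificate) error {
	cert, err := x509.ParseCertificate(a.CertDER)
	if err != nil {
		return err
	}
	// 1. The certificate chains to the trusted CA and is within its validity period.
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("untrusted certificate: %w", err)
	}
	// 2. The certificate's SAN covers the advertised address, so a genuine certificate
	//    for one address cannot be used to claim another node's address.
	if err := cert.VerifyHostname(a.Target); err != nil {
		return fmt.Errorf("certificate does not cover %s: %w", a.Target, err)
	}
	// 3. The signature verifies under the certificate's public key (origin and integrity).
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, a.payload(), a.Signature) {
		return errors.New("signature does not match message")
	}
	c[a.Target] = a.LinkLayer
	return nil
}

func main() {
	ca, _ := IssueCert(nil, 1, "example SEND CA", nil, true)
	host, _ := IssueCert(ca, 2, "host-a", []net.IP{net.ParseIP("fe80::1")}, false)
	cache := NeighborCache{}
	fmt.Println(cache.Accept(host.Advertise("fe80::1", "02:00:00:00:00:01"), ca.Cert), cache)
}
```

The order of the checks is the point: a certificate from an unknown CA fails at step 1, a genuine certificate presented for an address it does not cover fails at step 2, and a message altered in transit fails at step 3. The neighbor cache is written only after all three pass, which is what keeps false entries out of it.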

Public Key Infrastructure (PKI) Requirements

Implementing SEND requires a public key infrastructure (PKI) to manage and validate the certificates used in the authentication process. This involves setting up and maintaining a trusted certificate authority (CA) that issues and signs neighbor certificates.

Security policy support

SEND allows the configuration of specific security policies to control the behavior of neighbors and the actions to be taken in different situations. These policies can cover the acceptance or rejection of particular certificates, the handling of notification messages, and the response to security events.

Deployment considerations

Deploying SEND requires proper planning, especially in large and complex networks. Network administrators must consider network performance, certificate management, security policy configuration, and compatibility with existing devices and systems.

Protection against cache poisoning attacks

Cache poisoning is a type of attack in which an attacker attempts to corrupt or modify information stored in a node's neighbor cache. SEND helps protect against these attacks by authenticating and verifying the identity of neighbors before updating the neighbor cache with new information.

Performance considerations

Implementing SEND can have an impact on network performance due to the need to process and verify certificates, as well as sign and verify messages. Network administrators should evaluate the trade-off between security and performance to determine if implementing SEND is appropriate for their environment.

Integration with other security technologies

SEND can be used in conjunction with other IPv6 security technologies, such as IPsec. The combination of SEND and IPsec provides an additional layer of protection for communication in IPv6 networks, ensuring both the authentication of neighbors and the confidentiality and integrity of the transmitted data.

Benefits for IPv6 mobility

SEND also provides benefits for mobility on IPv6 networks. By using authentication and certificate verification in the neighbor discovery process, SEND helps ensure that mobile nodes connect to the correct neighbors and prevents attackers from intercepting traffic or redirecting communication.

 

SEND is especially useful in environments where neighbor authentication and protection against spoofing attacks are important, such as enterprise networks and service providers. However, implementing SEND may require a public key infrastructure (PKI) and cooperation between network administrators to establish appropriate security policies.

Importantly, SEND does not solve all security issues in IPv6, but it does provide an additional layer of protection for the neighbor discovery process. Furthermore, its implementation is optional and depends on the specific security needs and requirements of each network.

Steps and considerations

Implementing the Secure Neighbor Discovery (SEND) Protocol involves a number of steps and considerations. Below are the general steps to implement SEND on an IPv6 network:

  • Security requirements assessment
  • Setting up a public key infrastructure (PKI)
  • Generation and distribution of certificates
  • Security policy configuration
  • Implementation on network devices
  • Testing and verification
  • Monitoring and maintenance

RA-Guard

RA-Guard (Router Advertisement Guard) is an IPv6 security feature that helps protect against spoofed router advertisement attacks and ensures that only legitimate router advertisements are processed and accepted by nodes on the network.

RA-Guard is deployed on network devices and examines Router Advertisement (RA) messages to detect and block unauthorized or malicious router advertisements.

When RA-Guard is enabled on a network device, it analyzes received RA messages and compares the information in them with a list of authorized routers. If the RA message does not match authorized routers or displays suspicious characteristics, the device can block the RA message, ignore it, or take other security actions defined in the settings.

Techniques to identify and block

RA-Guard uses several techniques to identify and block spoofed router advertisements, including:

Source filtering

RA-Guard checks the source address of the RA message and compares this address with the list of authorized routers. If the source address does not match, the RA message may be considered unauthorized and blocked.

RA Options Inspection

RA-Guard examines the options included in the RA message to detect options that are suspicious or incompatible with the expected configuration. For example, if unexpected options or incorrect configurations are found, the RA message may be considered unauthorized.

Frequency and patterns of RA messages

RA-Guard can also analyze the frequency and patterns of received RA messages. If a large number of RA messages are detected in a short period of time or if there are unusual patterns of RA messages, the device may take action to block or limit suspicious messages.
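The three techniques just described can be combined into one filter. The Go program below is an added example written for this article, not code from the article or from any vendor's RA-Guard implementation. It applies source filtering against a list of authorized router addresses and the port each may arrive on, inspects the prefix and RDNSS options against the expected configuration, and rate-limits each source over a sliding window. The RouterAdvertisement and Policy structures, the port names, the seconds-based clock and the sample addresses (fe80::1, 2001:db8:1::/64, 2001:db8:1::53) are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// RouterAdvertisement is a constructed summary of the RA fields this filter inspects.
type RouterAdvertisement struct {
	Port     string   // ingress switch port
	Source   string   // source address of the RA; RFC 4861 requires it to be link-local
	Prefixes []string // Prefix Information options, e.g. "2001:db8:1::/64"
	DNS      []string // RDNSS option addresses
	At       int64    // arrival time in seconds (constructed clock)
}

// Policy lists the authorized routers and the configuration they are expected to advertise.
type Policy struct {
	Routers      map[string]string // router link-local address -> the only port it may arrive on
	Prefixes     []string          // prefixes a legitimate RA may carry
	DNS          map[string]bool   // DNS servers a legitimate RA may carry
	MaxPerWindow int               // RAs per source allowed within Window seconds
	Window       int64
}

// Guard applies the policy and remembers recent arrivals per source for rate limiting.
type Guard struct {
	Policy Policy
	recent map[string][]int64
}

func NewGuard(p Policy) *Guard { return &Guard{Policy: p, recent: map[string][]int64{}} }

// ExamplePolicy is a constructed policy for a segment with one legitimate router on port1.
func ExamplePolicy() Policy {
	return Policy{
		Routers:  map[string]string{"fe80::1": "port1"},
		Prefixes: []string{"2001:db8:1::/64"},
		DNS:      map[string]bool{"2001:db8:1::53": true},
		MaxPerWindow: 3, Window: 10,
	}
}

// Inspect returns "" when the RA is accepted, otherwise the reason it is dropped.
func (g *Guard) Inspect(ra RouterAdvertisement) string {
	// Source filtering: parse and normalize so alternative spellings of an authorized address still match and non-link-local sources are rejected.
	src, err := netip.ParseAddr(ra.Source)
	if err != nil || !src.IsLinkLocalUnicast() {
		return fmt.Sprintf("drop: source %q is not a link-local address", ra.Source)
	}
	if port, ok := g.Policy.Routers[src.String()]; !ok || port != ra.Port {
		return fmt.Sprintf("drop: %s on %s is not an authorized router", src, ra.Port)
	}
	// Option inspection: every prefix and DNS server must match the expected configuration.
	for _, p := range ra.Prefixes {
		if !g.allowedPrefix(p) {
			return fmt.Sprintf("drop: unexpected prefix %s", p)
		}
	}
	for _, d := range ra.DNS {
		if addr, err := netip.ParseAddr(d); err != nil || !g.Policy.DNS[addr.String()] {
			return fmt.Sprintf("drop: unexpected DNS server %s", d)
		}
	}
	// Frequency: keep only arrivals inside the window and drop once the source exceeds its budget.
	key := src.String()
	kept := g.recent[key][:0]
	for _, t := range g.recent[key] {
		if ra.At-t < g.Policy.Window {
			kept = append(kept, t)
		}
	}
	g.recent[key] = append(kept, ra.At)
	if len(g.recent[key]) > g.Policy.MaxPerWindow {
		return fmt.Sprintf("drop: %s sent more than %d RAs in %d seconds", src, g.Policy.MaxPerWindow, g.Policy.Window)
	}
	return ""
}

// allowedPrefix reports whether p is exactly one of the policy prefixes (same network and length).
func (g *Guard) allowedPrefix(p string) bool {
	got, err := netip.ParsePrefix(p)
	if err != nil {
		return false
	}
	for _, a := range g.Policy.Prefixes {
		if want, err := netip.ParsePrefix(a); err == nil && want.Masked() == got.Masked() {
			return true
		}
	}
	return false
}

func main() {
	g := NewGuard(ExamplePolicy())
	legit := RouterAdvertisement{Port: "port1", Source: "fe80::1", Prefixes: []string{"2001:db8:1::/64"}}
	fmt.Printf("legitimate router: %q\n", g.Inspect(legit))
	fmt.Printf("unknown router:    %q\n", g.Inspect(RouterAdvertisement{Port: "port7", Source: "fe80::7", At: 1}))
}
```

Two design choices are worth noting. Addresses are parsed and normalized before the lookup, because a list keyed on raw strings would treat "fe80::1" and "fe80:0:0:0:0:0:0:1" as different routers. Rate limiting counts arrivals even for RAs it then drops, so a source that keeps sending stays limited rather than being reset by its own rejected traffic.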

 

RA-Guard implementation may vary depending on the specific device and manufacturer. Some network devices have RA-Guard built in as a native functionality, while other devices may require you to enable and configure RA-Guard explicitly.

RA-Guard is an effective security measure to mitigate the risks associated with spoofed router advertisements and protect the IPv6 network against unauthorized router attacks. By enabling RA-Guard, network nodes can trust legitimate RA messages and ensure that network routers are trusted and authenticated.

 

DHCPv6 Secure

DHCPv6 Secure is an IPv6 security feature that provides authentication and authorization of DHCPv6 clients. It enables the DHCPv6 server to verify the identity of clients and ensure that only authorized clients can obtain IPv6 addresses and network configurations.

Here is an in-depth look at how DHCPv6 Secure works:

DHCPv6 Client Authentication

DHCPv6 Secure uses authentication techniques to verify the identity of DHCPv6 clients. It is based on the use of X.509 certificates and digital signatures to authenticate clients. Each DHCPv6 client has a unique digital certificate that is signed by a trusted certificate authority (CA).

DHCPv6 Client Authorization

In addition to authentication, DHCPv6 Secure also allows client authorization. This means that not only is the client's identity verified, but it is also checked to see if the client has the necessary permissions to obtain an IPv6 address and the associated network configurations.

Interaction with public key infrastructure (PKI)

DHCPv6 Secure integrates with a public key infrastructure (PKI) to manage certificates and public and private keys required for authentication and digital signing. This involves configuring an internal CA or using an external trusted CA to issue and manage DHCPv6 client certificates.

Process of obtaining IPv6 addresses

When a DHCPv6 client begins the process of obtaining an IPv6 address and network settings, it sends a DHCPv6 request to the DHCPv6 server. This request contains the information necessary for authentication, such as the client's certificate and digital signature.

Certificate verification and digital signature

The DHCPv6 server verifies the client's certificate and digital signature using the configured public key infrastructure (PKI). It verifies the authenticity of the certificate, ensuring that it was issued by the trusted CA and has not been revoked, and checks the validity of the digital signature to ensure that the request has not been modified in transit.

Authorization check

Once the DHCPv6 client has been successfully authenticated, the DHCPv6 server performs an authorization check to verify whether the client has the necessary permissions to obtain an IPv6 address and the associated network settings. This is based on the authorization policies defined on the DHCPv6 server.

IPv6 Address Assignment and Network Configurations

If the DHCPv6 client has been successfully authenticated and authorized, the DHCPv6 server assigns an IPv6 address and provides the corresponding network configurations to the client. These settings can include information such as the subnet mask, default gateway, DNS servers, and other network parameters.

Renewal and periodic verification

DHCPv6 Secure also includes mechanisms to periodically renew and verify IPv6 addresses and network configurations assigned to clients. This ensures that only authorized clients can maintain and use the assigned addresses and settings over time.
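The server-side steps above (authorization check, address assignment, renewal and periodic verification) as an added Go example; this is not code from the article or from any DHCPv6 implementation. It starts after certificate and signature verification: the Client value is assumed to be the identity already extracted from a verified certificate, and the revocation list, the /64 pool allocation scheme, the seconds-based clock and the names NewServer, Request and Renew are constructed for the example. Authorization is re-run on every renewal, so a client whose certificate has been revoked or whose permission has been withdrawn loses its address rather than keeping it until the lease expires.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net/netip"
)

// Client is the identity the server extracted from a certificate that already passed
// chain, revocation and signature verification; that step is assumed to happen first.
type Client struct {
	Subject string // certificate subject, the name the authorization policy is keyed on
	Serial  int64  // certificate serial, re-checked against the revocation list on every request
}

// Lease is an assigned address and the time (constructed clock, seconds) at which it expires.
type Lease struct {
	Addr    netip.Addr
	Expires int64
}

// Server holds the authorization policy, the address pools and the lease state.
type Server struct {
	Allowed  map[string]string       // certificate subject -> pool the client may draw from
	Pools    map[string]netip.Prefix // pool name -> /64 it assigns from
	Revoked  map[int64]bool          // revoked certificate serials
	LeaseTTL int64
	leases   map[string]Lease  // active leases by subject
	nextHost map[string]uint64 // next host number per pool
}

// NewServer parses the pool prefixes; only /64 pools are supported in this example.
func NewServer(allowed map[string]string, pools map[string]string, ttl int64) (*Server, error) {
	s := &Server{Allowed: allowed, Pools: map[string]netip.Prefix{}, Revoked: map[int64]bool{},
		LeaseTTL: ttl, leases: map[string]Lease{}, nextHost: map[string]uint64{}}
	for name, p := range pools {
		pref, err := netip.ParsePrefix(p)
		if err != nil || pref.Bits() != 64 {
			return nil, fmt.Errorf("pool %s: need a valid /64, got %q", name, p)
		}
		s.Pools[name] = pref.Masked()
	}
	return s, nil
}

// authorize runs on every request and renewal, not only the first one.
func (s *Server) authorize(c Client) (string, error) {
	if s.Revoked[c.Serial] {
		return "", fmt.Errorf("%s: certificate serial %d is revoked", c.Subject, c.Serial)
	}
	pool, ok := s.Allowed[c.Subject]
	if !ok {
		return "", fmt.Errorf("%s: not authorized to obtain an address", c.Subject)
	}
	return pool, nil
}

// Request assigns an address from the client's pool once authorization succeeds.
func (s *Server) Request(c Client, now int64) (Lease, error) {
	pool, err := s.authorize(c)
	if err != nil {
		return Lease{}, err
	}
	if l, ok := s.leases[c.Subject]; ok && l.Expires > now {
		return l, nil // still holds a valid lease: hand back the same address
	}
	s.nextHost[pool]++ // host numbers start at ::1 (constructed allocation scheme)
	b := s.Pools[pool].Addr().As16()
	binary.BigEndian.PutUint64(b[8:], s.nextHost[pool])
	l := Lease{Addr: netip.AddrFrom16(b), Expires: now + s.LeaseTTL}
	s.leases[c.Subject] = l
	return l, nil
}

// Renew re-runs authorization and extends the lease only for clients that still pass it.
func (s *Server) Renew(c Client, now int64) (Lease, error) {
	if _, err := s.authorize(c); err != nil {
		delete(s.leases, c.Subject) // a revoked or de-authorized client loses its address
		return Lease{}, err
	}
	l, ok := s.leases[c.Subject]
	if !ok || l.Expires <= now {
		return Lease{}, fmt.Errorf("%s: no active lease to renew", c.Subject)
	}
	l.Expires = now + s.LeaseTTL
	s.leases[c.Subject] = l
	return l, nil
}

func main() {
	s, _ := NewServer(map[string]string{"printer-1": "office"}, map[string]string{"office": "2001:db8:1::/64"}, 3600)
	fmt.Println(s.Request(Client{Subject: "printer-1", Serial: 10}, 0))
	fmt.Println(s.Request(Client{Subject: "laptop-x", Serial: 11}, 0))
	s.Revoked[10] = true
	fmt.Println(s.Renew(Client{Subject: "printer-1", Serial: 10}, 1800))
}
```

The renewal path is where the periodic verification lives: a client that was authorized at its first request but has since been revoked is refused at the next renewal and its lease is dropped, so the address cannot be kept simply by renewing before expiry.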

 

Deploying DHCPv6 Secure requires proper configuration of the public key infrastructure (PKI), generation and management of certificates, and configuration of authentication and authorization policies on the DHCPv6 server. Each DHCPv6 client must have a valid certificate and digitally sign its DHCPv6 requests to be properly authenticated by the DHCPv6 server.
