IPv6 Secure Neighbor Discovery (SEND)
Secure Neighbor Discovery (SEND, RFC 3971) is a set of extensions to IPv6 Neighbor Discovery that protects address resolution, router discovery and the other on-link functions of NDP.
SEND builds on the Neighbor Discovery Protocol (NDP, RFC 4861), whose messages carry no authentication at all, and adds origin authentication, integrity protection and replay protection to them.
The threats SEND addresses are catalogued in RFC 3756: forged Neighbor Solicitations and Advertisements that poison the neighbor cache, rogue Router Advertisements that install an attacker as default gateway or hand out bogus prefixes, Redirects to an attacker-controlled next hop, and denial of Duplicate Address Detection. Any node on the link can mount them, because plain NDP accepts whatever it hears. SEND counters them with two mechanisms: Cryptographically Generated Addresses, which bind an address to a public key so that only the key holder can sign messages about it, and X.509 certificates, which authorize routers to advertise on the link.
SEND adds the following pieces to Neighbor Discovery:
Cryptographically Generated Addresses and router certificates
Hosts do not need certificates. A SEND host uses a Cryptographically Generated Address (CGA, RFC 3972): the 64-bit interface identifier is a hash of the host's public key together with a random modifier, the subnet prefix and a collision counter, and the three leftmost bits carry a Sec parameter that makes brute-force collisions exponentially more expensive. Possession of the private key is proof of address ownership; the public key and the other hash inputs travel in the CGA option of each message. Only routers hold X.509 certificates: a certificate signed by a trust anchor the hosts know which, per RFC 6494, carries the prefixes the router is authorized to advertise (RFC 3779 IP address extensions). Hosts obtain a router's certification path with Certification Path Solicitation and Advertisement messages (Authorization Delegation Discovery).
Protected Neighbor Discovery messages
SEND does not introduce new solicitation or advertisement types; it adds options to the existing NS, NA, RS, RA and Redirect messages: a CGA option with the parameters needed to recompute the address, an RSA Signature option covering the whole message, a Timestamp option that bounds replay of unsolicited messages, and a Nonce option that ties an advertisement to the solicitation it answers. A host that solicits a neighbor includes its CGA parameters and signs the solicitation; the target answers with its own CGA parameters, the echoed nonce and a signature. Routers additionally prove their authorization through the certification path fetched by Authorization Delegation Discovery.
Verification process
A receiver checks, in order, that the source address is a valid CGA for the parameters carried in the CGA option, that the RSA signature over the message verifies under the public key inside those parameters, and that the timestamp is within the configured window (and the nonce matches, for solicited messages). For Router Advertisements it also checks that the router's certification path chains to a configured trust anchor and authorizes the advertised prefixes. Only a message that passes all checks is treated as secured; a failure makes the message unsecured, which, depending on policy, means it is discarded or handled with lower precedence than secured state.
Protection of Duplicate Address Detection and Neighbor Unreachability Detection
The same signatures protect the ND functions that rely on unsolicited or probing messages. An attacker who cannot produce a valid CGA and signature for a target address cannot answer that node's Duplicate Address Detection with a forged claim to the address, cannot keep a stale neighbor cache entry alive against Neighbor Unreachability Detection, and cannot inject Redirects, since a Redirect must be signed by a router whose authorization the host has verified.
Neighbor cache update
A neighbor cache entry created or refreshed by a verified message is marked as secured. RFC 3971 requires that such an entry is not overridden by an unsecured message, so even in a mixed network, where SEND and plain NDP nodes coexist, a forged unsigned advertisement cannot displace a binding learned from a signed one. This is what closes the cache poisoning path: the cache only takes an address-to-link-layer binding from a node that has demonstrated ownership of the address.
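The address-ownership check at the heart of the flow above is worth seeing in code. The following is an added example, not code from the article or from any SEND implementation: a standard-library Python implementation of CGA generation and verification as specified in RFC 3972, which is the part of SEND that lets a host prove it owns an address without holding a certificate. The public keys are constructed byte strings standing in for DER-encoded SubjectPublicKeyInfo blobs (any bytes exercise the hash arithmetic; a real node uses its RSA key), the prefix is from the documentation range, and the RSA Signature option over the ND message itself is not shown.

```python
import hashlib
import ipaddress
import os

SUBNET_PREFIX = bytes.fromhex("20010db8000a0000")   # 2001:db8:a::/64, documentation prefix
# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs: any bytes exercise the
# hash arithmetic; a real SEND node uses its RSA public key here.
HOST_KEY = b"constructed SPKI of the legitimate host"
ATTACKER_KEY = b"constructed SPKI of an attacker"


def _hash1(modifier, prefix, collision_count, pubkey):
    """Hash1 (RFC 3972 section 4): leftmost 64 bits of SHA-1 over the CGA Parameters."""
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]


def _hash2(modifier, pubkey):
    """Hash2: leftmost 112 bits of SHA-1 over modifier || 9 zero octets || public key."""
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def _hash2_ok(h2, sec):
    """The 16*Sec leftmost bits of Hash2 must be zero, i.e. its first 2*Sec octets."""
    return h2[:2 * sec] == bytes(2 * sec)


def cga_generate(prefix, pubkey, sec=1, collision_count=0, modifier=None):
    """Generate a CGA for an 8-byte subnet prefix bound to pubkey.  Returns
    (IPv6Address, cga_params).  Expected cost is about 2**(16*sec) SHA-1 calls."""
    if not (0 <= sec <= 7 and 0 <= collision_count <= 2 and len(prefix) == 8):
        raise ValueError("bad CGA inputs")
    m = int.from_bytes(os.urandom(16) if modifier is None else modifier, "big")
    while not _hash2_ok(_hash2(m.to_bytes(16, "big"), pubkey), sec):   # hash extension
        m = (m + 1) % (1 << 128)
    modifier = m.to_bytes(16, "big")
    iid = bytearray(_hash1(modifier, prefix, collision_count, pubkey))
    iid[0] = (sec << 5) | (iid[0] & 0x1C)   # bits 0-2 := Sec, bits 6-7 (u/g) := 0
    params = {"modifier": modifier, "prefix": prefix,
              "collision_count": collision_count, "pubkey": pubkey}
    return ipaddress.IPv6Address(prefix + bytes(iid)), params


def cga_verify(addr, params):
    """CGA verification (RFC 3972 section 5): True only if params bind params['pubkey'] to addr."""
    packed = ipaddress.IPv6Address(addr).packed
    if params["collision_count"] not in (0, 1, 2) or params["prefix"] != packed[:8]:
        return False
    iid = packed[8:]
    h1 = _hash1(params["modifier"], params["prefix"], params["collision_count"], params["pubkey"])
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:   # ignore Sec and u/g bits
        return False
    sec = iid[0] >> 5
    return _hash2_ok(_hash2(params["modifier"], params["pubkey"]), sec)


def demo(sec=1):
    """Generate an address for HOST_KEY and show which forged parameter sets fail."""
    addr, params = cga_generate(SUBNET_PREFIX, HOST_KEY, sec=sec)
    moved = ipaddress.IPv6Address(bytes.fromhex("20010db8000b0000") + addr.packed[8:])
    return {
        "address": str(addr),
        "owner_verifies": cga_verify(addr, params),
        # Attacker reuses the victim's modifier but must present their own key: Hash1 changes.
        "attacker_key_rejected": not cga_verify(addr, dict(params, pubkey=ATTACKER_KEY)),
        # Same parameters claimed for the same IID on another subnet: the prefix check fails.
        "other_prefix_rejected": not cga_verify(moved, params),
        # A collision count outside 0..2 is never accepted, whatever the hashes say.
        "bad_collision_count_rejected": not cga_verify(addr, dict(params, collision_count=3)),
    }
```

The Sec field is what makes this more than a 59-bit hash: an attacker looking for a key whose Hash1 matches a victim's identifier must also satisfy the Hash2 condition for the Sec value embedded in the address, which multiplies the brute-force cost by 2^(16*Sec). The same factor is paid once by the legitimate owner at generation time, which is why Sec values above 1 or 2 are rarely seen in practice.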
Public Key Infrastructure (PKI) requirements
SEND needs a PKI only for routers. Each router's certificate must chain to a trust anchor configured on the hosts and, per RFC 6494, should carry the prefixes the router may advertise, so that a compromised or misconfigured router cannot announce arbitrary address space. Host addresses are authorized by the CGA construction alone and require no enrollment, which is what keeps SEND deployable without issuing a certificate to every endpoint.
Security policy support
Nodes are configured with the trust anchors they accept, the minimum Sec value they require from peer CGAs, the timestamp window used to reject replayed messages, and whether unsecured ND messages are accepted at all (SEND-only mode) or merely ranked below secured ones (mixed mode during a transition). Routers are configured with the certificates and the prefixes they are authorized to advertise.
Deployment considerations
Deploying SEND requires planning, especially in large networks: certificate issuance and rotation for routers, trust anchor distribution to hosts, the choice of Sec value, and the mixed-mode transition. The practical obstacle is client support: mainstream host operating systems ship little or no SEND support, so in most networks the protection available today against the same threats is link-layer filtering on the access switch (RA-Guard and related first-hop security features) rather than SEND itself.
Protection against cache poisoning attacks
Cache poisoning is an attack in which an attacker sends forged Neighbor Advertisements (or Redirects) so that a node's neighbor cache maps a victim's IPv6 address to the attacker's link-layer address, placing the attacker in the traffic path. SEND prevents it because an advertisement for an address must be signed with the key the address was generated from, and a secured cache entry is not replaced by an unsecured one.
Performance considerations
SEND adds an RSA signature to every protected ND message, and on receipt a CGA check, a signature verification and, for Router Advertisements, certification path validation. CGA generation itself costs about 2^(16*Sec) hash operations, which is why Sec values above 1 or 2 are rarely used. The verification work is also a denial-of-service surface: an attacker can flood a node with messages carrying bogus signatures, so implementations should perform the cheap CGA hash check before the expensive signature check and rate-limit verification. Administrators should weigh these costs against the threat model for the link before enabling SEND.
Integration with other security technologies
SEND complements IPsec rather than overlapping with it. IPsec cannot protect Neighbor Discovery in practice, because ND runs before a node has an address or any security association, and the number of per-neighbor security associations that would have to be configured is impractical; this is why RFC 3971 defines its own signature option instead of relying on AH or ESP. SEND secures the link bootstrap (address resolution, router discovery), and IPsec or TLS then protects the confidentiality and integrity of the traffic that follows.
Benefits for IPv6 mobility
A mobile node arriving on a new link has no prior relationship with that link's router, so it is exactly the case where unauthenticated Router Advertisements are most dangerous. With SEND the node can validate the router's certification path against its own trust anchors before accepting a default route or prefix, and because its CGA is bound to its key rather than to the link, it can prove ownership of each new address it forms without any registration with the visited network. This makes it harder, though not impossible, for an attacker on the visited link to intercept or redirect the node's traffic.
SEND is especially useful where neighbor authentication and protection against spoofing matter, such as enterprise and service provider access links. Its cost is the router PKI and the coordination between administrators needed to agree on trust anchors and policies.
SEND does not solve every IPv6 security problem: it protects the Neighbor Discovery exchange itself, not the traffic that follows, and it offers nothing against an attacker who holds a valid router certificate or a compromised host key. Its use is optional and should follow from the security requirements of each network.
Steps and considerations
Implementing Secure Neighbor Discovery (SEND) on an IPv6 network involves the following general steps:
- Security Requirements Assessment
- Setting up a public key infrastructure (PKI)
- Generation and distribution of certificates
- Security policy configuration
- Implementation on network devices
- Testing and verification
- Monitoring and maintenance
RA-Guard
RA-Guard (Router Advertisement Guard, RFC 6105) is a first-hop security feature implemented on layer-2 switches. It protects hosts from rogue or misconfigured routers by allowing Router Advertisements to enter the link only from ports and sources the administrator has designated as router-facing.
RA-Guard is deployed on the access switch, where it inspects ICMPv6 Router Advertisement (type 134) frames arriving on each port and drops those that violate the configured policy.
Most deployments use the stateless mode: ports facing hosts are configured to drop every RA, while on the port towards the legitimate router the switch can additionally check the source link-layer and IPv6 addresses, the advertised prefixes, the router preference and the M/O flags against the configured policy. RFC 6105 also describes a stateful mode in which the switch learns, during a learning period, which ports carry valid RAs and then blocks RAs arriving elsewhere. A frame that fails the policy is dropped and, on most platforms, counted or logged.
Techniques to identify and block
RA-Guard applies several checks to decide whether a Router Advertisement is legitimate, including:
Source filtering
The switch compares the source MAC address and the IPv6 source address of the RA with the configured list of authorized routers. A Router Advertisement whose source does not match, or whose IPv6 source is not a link-local address, is dropped. RFC 4861 also requires a hop limit of 255 on ND messages, which a switch can check cheaply: a lower value proves the frame crossed a router and is therefore not an on-link advertisement.
RA options inspection
The switch parses the ND options carried in the RA and compares them with the expected configuration: Prefix Information options against a list of authorized prefixes, the router preference and the Managed/Other flags against the values the real router is expected to send. An RA that announces an unauthorized prefix or carries a malformed option is dropped.
Frequency and patterns of RA messages
Some platforms additionally rate-limit RAs or raise alerts on unusual volumes. This is a vendor extension rather than part of RFC 6105: a burst of RAs from an otherwise authorized source is a symptom worth logging, but the source and option checks above are what actually stop a rogue router.
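To make the checks above concrete, here is an added example that is not from the article or from any vendor's RA-Guard implementation: a Python model of the RFC 6105 stateless checks applied to constructed IPv6 packets, including the extension-header walk and fragment handling that RFC 7113 asks of real implementations. The port names, the authorized router address fe80::1 and the authorized prefix 2001:db8:10::/64 are assumptions for the sample policy; the ICMPv6 checksum is left at zero because the switch logic here does not validate it.

```python
import ipaddress
import struct

ICMPV6, ICMPV6_RA, ND_OPT_PREFIX_INFO = 58, 134, 3
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
WALKABLE_EXT = {HOP_BY_HOP, ROUTING, DEST_OPTS}   # extension headers we can step over

# Constructed policy (assumption): Gi1/0/1 is the uplink to the legitimate router,
# every other port faces hosts.  Addresses are from the documentation range.
POLICY = {
    "router_ports": {"Gi1/0/1"},
    "allowed_router_sources": {ipaddress.IPv6Address("fe80::1")},
    "allowed_prefixes": {ipaddress.IPv6Network("2001:db8:10::/64")},
}


def locate_icmpv6(pkt):
    """Walk the IPv6 header chain.  Returns (offset, None) when an ICMPv6 header is
    reachable, (None, None) for traffic RA-Guard ignores, or (None, reason) when the
    chain hides what follows and the frame must be dropped (RFC 6980 / RFC 7113)."""
    if len(pkt) < 40:
        return None, "truncated IPv6 header"
    nh, off = pkt[6], 40
    while nh in WALKABLE_EXT:
        if len(pkt) < off + 8:
            return None, "truncated extension header"
        nh, off = pkt[off], off + (pkt[off + 1] + 1) * 8
    if nh == FRAGMENT:
        if len(pkt) < off + 8:
            return None, "truncated fragment header"
        if pkt[off] == ICMPV6 or pkt[off] in WALKABLE_EXT:
            return None, "fragment may hide an ND message"
        return None, None
    if nh != ICMPV6:
        return None, None
    if len(pkt) < off + 4:
        return None, "truncated ICMPv6 header"
    return off, None


def nd_options(data):
    """Yield (type, raw_option) for each ND option (TLV, length in 8-octet units)."""
    i = 0
    while i + 2 <= len(data):
        length = data[i + 1] * 8
        if length == 0 or i + length > len(data):
            raise ValueError("malformed ND option")
        yield data[i], data[i:i + length]
        i += length


def ra_guard(port, pkt, policy=POLICY):
    """Decide ('forward' | 'drop', reason) for one IPv6 packet arriving on `port`."""
    off, reason = locate_icmpv6(pkt)
    if reason:
        return "drop", reason
    if off is None or pkt[off] != ICMPV6_RA:
        return "forward", "not a Router Advertisement"
    if port not in policy["router_ports"]:
        return "drop", "RA received on a host port"
    if len(pkt) < off + 16:
        return "drop", "truncated Router Advertisement"
    if pkt[7] != 255:
        return "drop", "hop limit != 255: frame crossed a router"
    src = ipaddress.IPv6Address(pkt[8:24])
    if not src.is_link_local or src not in policy["allowed_router_sources"]:
        return "drop", f"unauthorized RA source {src}"
    try:
        for opt_type, opt in nd_options(pkt[off + 16:]):
            if opt_type == ND_OPT_PREFIX_INFO:
                if len(opt) != 32:
                    return "drop", "malformed Prefix Information option"
                prefix = ipaddress.IPv6Network((bytes(opt[16:32]), opt[2]))
                if prefix not in policy["allowed_prefixes"]:
                    return "drop", f"unauthorized prefix {prefix}"
    except ValueError as exc:          # zero-length option or prefix with host bits set
        return "drop", str(exc)
    return "forward", "RA matches policy"


def build_ra(src, prefixes, hop_limit=255, ext_headers=b"", nh=ICMPV6):
    """Construct a sample IPv6 packet: fixed header, optional extension headers, then an
    RA with one Prefix Information option per prefix (constructed data, checksum zero)."""
    icmp = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
    for p in prefixes:
        icmp += struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, p.prefixlen, 0xC0,
                            2592000, 604800, 0) + p.network_address.packed
    payload = ext_headers + icmp
    hdr = struct.pack("!IHBB", 0x60000000, len(payload), nh, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address("ff02::1").packed + payload


# Two constructed evasion wrappers described in RFC 7113: a Destination Options header
# carrying a PadN option in front of the RA, and a Fragment header in front of it.
DEST_OPTS_PADN = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])
FRAG_HDR = bytes([ICMPV6, 0]) + struct.pack("!HI", 0, 0x1234)


def demo():
    """Run constructed frames through the guard; returns {name: (verdict, reason)}."""
    ok = ipaddress.IPv6Network("2001:db8:10::/64")
    rogue = ipaddress.IPv6Network("2001:db8:66::/64")
    frames = {
        "legit RA on router port": ("Gi1/0/1", build_ra("fe80::1", [ok])),
        "same RA on host port": ("Gi1/0/7", build_ra("fe80::1", [ok])),
        "rogue source on router port": ("Gi1/0/1", build_ra("fe80::bad", [ok])),
        "rogue prefix on router port": ("Gi1/0/1", build_ra("fe80::1", [rogue])),
        "RA behind Destination Options": ("Gi1/0/7", build_ra("fe80::1", [ok], ext_headers=DEST_OPTS_PADN, nh=DEST_OPTS)),
        "fragmented RA": ("Gi1/0/7", build_ra("fe80::1", [ok], ext_headers=FRAG_HDR, nh=FRAGMENT)),
    }
    return {name: ra_guard(port, pkt) for name, (port, pkt) in frames.items()}
```

The two evasion frames are the ones that defeated early RA-Guard implementations: a filter that only looks at the byte following the fixed IPv6 header never sees type 134 behind a Destination Options header, and a filter that does not treat fragments as suspicious lets the RA through in a second fragment. Walking the chain and dropping any fragment that could hold an ND message is what RFC 7113 recommends, and RFC 6980 makes that drop safe by forbidding fragmented ND altogether.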
RA-Guard implementation varies by device and vendor. Some switches enable it as part of a first-hop security policy set, others require it to be configured explicitly per port. Two implementation details decide whether it actually works: the switch must follow the IPv6 extension header chain to find the ICMPv6 header, and it must drop fragmented ND messages, because an attacker can otherwise hide the RA behind a Destination Options header or in a second fragment. RFC 7113 documents these evasions, and RFC 6980 forbids fragmentation of ND messages precisely so that filters can drop such fragments safely.
RA-Guard is an effective mitigation for rogue router advertisements on managed switched networks, and it needs no change on the hosts. It does not authenticate routers cryptographically: it is a filter that trusts the switch port the router is plugged into, so it holds only as long as the switch is trusted and the port-to-router mapping is kept up to date.
Secure DHCPv6
Plain DHCPv6 (RFC 8415) gives a client no way to tell a legitimate server from a rogue one, and the server cannot tell who is asking beyond a self-asserted DUID. The design described in this section, client and server authentication with public keys or X.509 certificates and digital signatures over DHCPv6 messages, was pursued in the IETF DHC working group as "Secure DHCPv6" (draft-ietf-dhc-sedhcpv6) but was never published as an RFC, so it is not available in common client and server stacks. What RFC 8415 does retain is the Authentication option with the Reconfigure Key protocol, which protects only Reconfigure messages; the deployable defense against rogue servers is DHCPv6-Shield (RFC 7610), the DHCPv6 counterpart of RA-Guard on the access switch.
With that caveat, here is how the certificate-based design works:
DHCPv6 client authentication
In this design each DHCPv6 client holds a key pair and either a bare public key or an X.509 certificate issued by a CA the server trusts, and it signs the DHCPv6 messages it sends. The server verifies the signature with the client's key, so one client cannot impersonate another, and the same mechanism applied in the other direction lets clients verify the server.
DHCPv6 client authorization
In addition to authentication, the design allows client authorization: besides verifying the client's identity, the server checks whether that identity is permitted to obtain an address and which configuration it may receive.
Interaction with public key infrastructure (PKI)
DHCPv6 Secure integrates with a public key infrastructure (PKI) to manage certificates and public and private keys required for authentication and digital signing. This involves configuring an internal CA or using an external trusted CA to issue and manage DHCPv6 client certificates.
Process of obtaining IPv6 addresses
A client that starts address acquisition sends a Solicit and later a Request to the server. In the secure design these messages carry the client's certificate or public key and a signature over the message; they should also carry a timestamp or nonce, because a signature alone does not stop an attacker from replaying a captured message later.
Certificate verification and digital signature
The server validates the client's certificate against the configured PKI: it checks that the certificate chains to the trusted CA, is within its validity period and has not been revoked, and then verifies the signature over the message with the certificate's public key. A valid signature shows that the message was produced by the key holder and not modified in transit; it does not by itself prove freshness, which is why replay protection needs the timestamp or nonce.
Authorization check
Once the DHCPv6 client has been successfully authenticated, the DHCPv6 server performs an authorization check to verify whether the client has the necessary permissions to obtain an IPv6 address and the associated network settings. This is based on the authorization policies defined on the DHCPv6 server.
IPv6 address assignment and network configuration
If the client is authenticated and authorized, the server assigns it an IPv6 address (IA_NA) and sends the configuration it is entitled to: recursive DNS servers and a domain search list (RFC 3646), and optionally NTP servers or a delegated prefix (IA_PD). Note that DHCPv6, unlike DHCPv4, never carries a subnet mask or default gateway: prefix length and default router come from Router Advertisements, which is why DHCPv6 protection and RA-Guard have to be deployed together.
Renewal and periodic verification
Leases carry T1 and T2 timers after which the client sends Renew or Rebind. In the secure design these messages are signed like the initial ones, so the server re-checks identity and authorization at each renewal, and an address cannot be kept by a client whose certificate has since been revoked or whose authorization was withdrawn.
Deploying Secure DHCPv6 requires proper configuration of the public key infrastructure (PKI), generation and management of certificates, and configuration of authentication and authorization policies on the DHCPv6 server. Each DHCPv6 client must have a valid certificate or registered public key and must digitally sign its DHCPv6 messages to be authenticated by the server.
Recommended book for this article
IPv6 book with MikroTik, RouterOS v7
Study material for the MTCIPv6E Certification Course updated to RouterOS v7