IPv6 SEcure Neighbor Discovery (SEND) is an extension that counters the security threats to the IPv6 Neighbor Discovery Protocol (NDP). SEND provides address ownership proof, message protection, and router authorisation. The current lack of robust SEND implementations on end-user devices limits its deployment and leaves the door open to attacks against NDP. The main goal of the iSEND project is to provide an open source implementation of SEND for Linux-based operating systems, especially Android devices.
The IPv6 Neighbor Discovery Protocol (NDP) provides all the mechanisms governing the relations between the nodes on a link (neighbors): address resolution, router discovery, duplicate address detection and redirection. NDP treats the link as a trusted environment and therefore comes without any robust mechanism to protect its exchanges. This leads to various threats wherever that assumption does not hold (on a foreign network such as a public hotspot, for instance). Without securing NDP, IPv6 neighbor discovery is vulnerable to spoofing, denial-of-service (DoS), replay, redirect, and rogue router attacks, and attackers already have a ready-made toolset for them (thc-ipv6).
To mitigate those threats, SEcure Neighbor Discovery (SEND, RFC 3971) extends NDP with additional mechanisms for securing the relations between nodes on the link. SEND adds three features to NDP: address ownership proof, message protection, and a router authorisation mechanism. To achieve them, SEND defines four new NDP options (Cryptographically Generated Address (CGA), RSA Signature, Nonce, and Timestamp) and two new ICMPv6 messages (Certification Path Solicitation and Certification Path Advertisement) for the router authorisation process. Address ownership is proven by binding the interface identifier of the address to the sender's public key (the CGA, RFC 3972), message integrity by signing the message with the matching private key, and replay protection by the Nonce (for solicited messages) and the Timestamp (for unsolicited ones).
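As an added example (not iSEND's or the project's own code), the following Python implements the CGA generation and verification rules of RFC 3972 that give SEND its address ownership proof. The public key bytes are a constructed stand-in for the DER-encoded RSA SubjectPublicKeyInfo a real CGA Parameters structure carries, and the subnet prefix is a documentation prefix; both are assumptions. The hash is SHA-1 because RFC 3972 specifies it (RFC 4982 later added hash agility).

```python
"""RFC 3972 Cryptographically Generated Addresses: generation and verification."""
import hashlib
import ipaddress
import os
from typing import Optional, Tuple

# Constructed stand-in for the DER-encoded RSA public key (assumption: a real
# CGA carries a SubjectPublicKeyInfo here; only its bytes enter the hashes).
SAMPLE_PUBLIC_KEY = bytes.fromhex("30819f300d06092a864886f70d010101050003818d00") + bytes(range(141))
# Documentation prefix used as the 64-bit subnet prefix of the generated address.
SUBNET_PREFIX = ipaddress.IPv6Network("2001:db8:1:2::/64").network_address.packed[:8]
MAX_COLLISION_COUNT = 2  # RFC 3972: generation fails after three DAD collisions


def cga_parameters(modifier: bytes, prefix: bytes, collision_count: int,
                   pubkey: bytes, ext: bytes = b"") -> bytes:
    """CGA Parameters: modifier(16) | subnet prefix(8) | collision count(1) | key | ext."""
    if len(modifier) != 16 or len(prefix) != 8:
        raise ValueError("modifier must be 16 octets and prefix 8 octets")
    return modifier + prefix + bytes([collision_count]) + pubkey + ext


def hash1(params: bytes) -> bytes:
    """Leftmost 64 bits of SHA-1 over the whole CGA Parameters structure."""
    return hashlib.sha1(params).digest()[:8]


def hash2(modifier: bytes, pubkey_and_ext: bytes) -> bytes:
    """Leftmost 112 bits of SHA-1(modifier | 9 zero octets | public key | ext)."""
    return hashlib.sha1(modifier + bytes(9) + pubkey_and_ext).digest()[:14]


def hash2_meets_sec(h2: bytes, sec: int) -> bool:
    """Sec requires the leftmost 16*Sec bits of Hash2 to be zero: 2^(16*Sec) tries on average."""
    return h2[:2 * sec] == bytes(2 * sec)


def interface_identifier(h1: bytes, sec: int) -> bytes:
    """Hash1 with its three leftmost bits replaced by Sec and the u/g bits (6 and 7) cleared."""
    return bytes([(h1[0] & 0x1C) | (sec << 5)]) + h1[1:]


def sec_of(address: str) -> int:
    """Sec is carried in the three leftmost bits of the interface identifier."""
    return ipaddress.IPv6Address(address).packed[8] >> 5


def generate_cga(prefix: bytes, pubkey: bytes, sec: int, modifier: Optional[bytes] = None,
                 collision_count: int = 0) -> Tuple[str, bytes]:
    """Return (address, CGA Parameters), searching modifiers until Hash2 satisfies Sec."""
    if not 0 <= sec <= 7 or collision_count > MAX_COLLISION_COUNT:
        raise ValueError("Sec must be 0..7 and collision count at most 2")
    m = int.from_bytes(modifier if modifier is not None else os.urandom(16), "big")
    while True:
        mod = m.to_bytes(16, "big")
        if hash2_meets_sec(hash2(mod, pubkey), sec):
            break
        m = (m + 1) % (1 << 128)  # RFC 3972 step 3: increment the modifier and retry
    params = cga_parameters(mod, prefix, collision_count, pubkey)
    address = ipaddress.IPv6Address(prefix + interface_identifier(hash1(params), sec))
    return str(address), params


def verify_cga(address: str, params: bytes) -> bool:
    """Receiver-side check SEND runs on the CGA option before trusting a message's source."""
    if len(params) < 25:
        return False
    addr = ipaddress.IPv6Address(address).packed
    modifier, prefix, collision_count = params[:16], params[16:24], params[24]
    if collision_count > MAX_COLLISION_COUNT or prefix != addr[:8]:
        return False
    iid = addr[8:]
    h1 = hash1(params)
    # Compare Hash1 with the interface identifier, ignoring bits 0-2 (Sec) and 6-7 (u/g).
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:
        return False
    # The receiver only re-checks Hash2; the sender paid the 2^(16*Sec) search for it.
    return hash2_meets_sec(hash2(modifier, params[25:]), iid[0] >> 5)


def impersonation_attempt(address: str, victim_params: bytes, attacker_key: bytes) -> bool:
    """An attacker claiming the victim's address with their own key: Hash1 no longer matches."""
    return verify_cga(address, victim_params[:25] + attacker_key)


if __name__ == "__main__":
    addr, params = generate_cga(SUBNET_PREFIX, SAMPLE_PUBLIC_KEY, sec=1)
    print(addr, verify_cga(addr, params))
```

Sec=1 already costs about 65,536 SHA-1 evaluations on the generating host, and each further Sec step multiplies that by 65,536, while verification stays at two hashes; that asymmetry is what makes CGAs affordable for receivers and, as the project notes later, expensive for the end device that has to generate them.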
Lack of Sophisticated Implementation of SEND
Most operating systems support NDP but not SEND. Even though some major vendors, such as Cisco and Juniper, offer various levels of SEND support in their routers, no major end-host operating system provides a good level of support. The existing SEND implementations for specific distributions, such as Debian Linux, are proofs of concept rather than production-ready software. SEND is not supported on Mac OS X, iOS, or Android.
The fundamental goal of the iSEND project is to provide an open source implementation of SEND for Linux-based operating systems, especially Android devices. We will publish the implementation together with documentation so that anyone who wants to use it can do so easily. With the help of the RIPE NCC Community Projects Fund, we aim for a solid iSEND implementation for Android devices, which will help spread and accelerate the deployment of IPv6 in a secure manner.
iSEND is implemented as a Linux user-space application and requires no modification at the kernel level. It uses ip6tables filtering rules to intercept the traffic between the network interface and the IPv6 stack: the rules divert all NDP messages to netfilter queues. iSEND takes the NDP messages out of those queues, secures outgoing messages (adding the SEND options) and verifies incoming ones. Afterwards each message is either forwarded or dropped; it is dropped, for instance, when CGA verification fails. Because every NDP message passes through the queues, the daemon sits on the critical path: if it stops consuming a queue, neighbor discovery on that host stalls unless the rules are configured to bypass the queue when no listener is attached.
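The divert-and-decide loop described above, as an added example in Python (not iSEND's code): the ip6tables rules that push every NDP and SEND message into netfilter queues, and the first-pass verdict a user-space verifier gives a diverted message after parsing its ND options. The queue numbers 10 and 11, the strict policy that every Neighbor Discovery message must carry the CGA and RSA Signature options, and the packet bytes built for testing are assumptions; the timestamp check is the simplified not-yet-seen-peer rule of RFC 3971 section 5.3.4.2 with its 300-second Delta. Applying the rules needs root and the NFQUEUE target (the nfnetlink_queue module); the CGA and signature verification that follows an ACCEPT is a separate step not shown here.

```python
"""NDP diversion rules and a first-pass SEND option check for diverted messages."""
import struct

# ICMPv6 message types of NDP (RFC 4861) with the offset at which ND options
# begin in each message, plus the two message types SEND adds (RFC 3971).
NDP_OPTIONS_OFFSET = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}  # RS, RA, NS, NA, Redirect
SEND_TYPES = {148: "CPS", 149: "CPA"}
OPT_CGA, OPT_RSA_SIGNATURE, OPT_TIMESTAMP, OPT_NONCE = 11, 12, 13, 14  # RFC 3971 option types
QUEUE_IN, QUEUE_OUT = 10, 11  # assumed NFQUEUE numbers
TIMESTAMP_DELTA = 300.0  # seconds; RFC 3971 default Delta for a not-yet-seen peer


def ip6tables_rules(queue_in: int = QUEUE_IN, queue_out: int = QUEUE_OUT) -> list:
    """ip6tables commands that divert every NDP/SEND message to user space.

    --queue-bypass lets the kernel pass the packet when no verifier is listening
    (fail-open); leave it out for fail-closed behaviour.
    """
    rules = []
    for icmp_type in sorted({*NDP_OPTIONS_OFFSET, *SEND_TYPES}):
        rules.append(f"ip6tables -I INPUT -p icmpv6 --icmpv6-type {icmp_type} "
                     f"-j NFQUEUE --queue-num {queue_in} --queue-bypass")
        rules.append(f"ip6tables -I OUTPUT -p icmpv6 --icmpv6-type {icmp_type} "
                     f"-j NFQUEUE --queue-num {queue_out} --queue-bypass")
    return rules


def parse_nd_options(icmpv6: bytes) -> dict:
    """Split the TLV option block (type, length in 8-octet units) into {type: body}."""
    offset = NDP_OPTIONS_OFFSET[icmpv6[0]]
    options = {}
    while offset < len(icmpv6):
        if offset + 2 > len(icmpv6):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmpv6[offset], icmpv6[offset + 1] * 8
        if opt_len == 0 or offset + opt_len > len(icmpv6):
            raise ValueError("bad option length")  # RFC 4861: discard the packet
        options[opt_type] = icmpv6[offset + 2:offset + opt_len]
        offset += opt_len
    return options


def timestamp_seconds(body: bytes) -> float:
    """Timestamp option body: 6 reserved octets, then 48-bit seconds and a 16-bit fraction."""
    return int.from_bytes(body[6:12], "big") + int.from_bytes(body[12:14], "big") / 65536.0


def verdict(icmpv6: bytes, now: float, solicited: bool = False) -> str:
    """'ACCEPT' hands the message on to CGA/signature verification; 'DROP ...' says why not."""
    if len(icmpv6) < 4:
        return "DROP truncated ICMPv6 header"
    if icmpv6[0] in SEND_TYPES:
        return "PASS router authorisation message (handled separately)"
    if icmpv6[0] not in NDP_OPTIONS_OFFSET or len(icmpv6) < NDP_OPTIONS_OFFSET[icmpv6[0]]:
        return "DROP not a complete Neighbor Discovery message"
    try:
        options = parse_nd_options(icmpv6)
    except ValueError as exc:
        return f"DROP {exc}"
    if OPT_CGA not in options or OPT_RSA_SIGNATURE not in options:
        return "DROP unsecured message (no CGA/RSA Signature option)"
    if solicited:
        if OPT_NONCE not in options:
            return "DROP reply without Nonce option"
    else:
        if OPT_TIMESTAMP not in options:
            return "DROP unsolicited message without Timestamp option"
        if abs(now - timestamp_seconds(options[OPT_TIMESTAMP])) > TIMESTAMP_DELTA:
            return "DROP Timestamp outside Delta (possible replay)"
    return "ACCEPT"


# Constructed packet builders for exercising the verdict; the checksum is left
# zero and no real key or signature is involved.
def nd_option(opt_type: int, body: bytes) -> bytes:
    pad = (-(2 + len(body))) % 8
    return bytes([opt_type, (2 + len(body) + pad) // 8]) + body + bytes(pad)


def timestamp_option(t: float) -> bytes:
    secs = int(t)
    frac = int((t - secs) * 65536)
    return nd_option(OPT_TIMESTAMP, bytes(6) + secs.to_bytes(6, "big") + frac.to_bytes(2, "big"))


def neighbor_advertisement(target: bytes, options: bytes) -> bytes:
    return struct.pack("!BBHI", 136, 0, 0, 0x60000000) + target + options
```

The verdict deliberately stops at "are the right options present and fresh" because that check is cheap and runs before any public-key operation; a flood of unsigned or stale messages is rejected without touching RSA, which matters on a phone.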
Difficulties and Challenges
The main problem we faced during this project is rooting the Android devices. Installing the ip6tables rules and reading the netfilter queues requires root permission, which stock Android does not grant to applications. Therefore we are currently rooting Android devices manually for testing purposes.
We look forward to finishing the implementation and testing, and to releasing the alpha version before the end of 2018.
SEND is compute intensive, especially at a high Sec level: the work needed to generate a CGA grows by a factor of 2^16 with each increment of Sec, on top of the RSA signing and verification of every message. In addition, deploying router authorisation and certificate validation is not easy and can become a complex task, especially in a decentralised trust model. Therefore, the next steps are to test the performance of the iSEND implementation and to look for ways to make it lightweight and a more practical choice for end users.