
2013 2nd International Symposium on Instrumentation and Measurement, Sensor Network and Automation (IMSNA)

Security Analysis for IPv6 Neighbor Discovery Protocol

Feng Xiaorong, Lin Jun, Jia Shizhun

Software Quality Testing Engineering Research Center, China Electronic Product Reliability and Environmental Testing Research Institute, Guangzhou, Guangdong, 510610, China
Email: [email protected]

Abstract—Neighbor Discovery Protocol (NDP) is used by IPv6 nodes to discover other nodes on the link, to determine their link-layer addresses, to find routers and to maintain reachability information about the paths to active neighbors. This paper presents the security threats against IPv6 NDP, analyzes them in depth and discusses typical attacks in detail. Attack tools developed against NDP are demonstrated, which provides a theoretical basis for improving the security of NDP. Finally, an improved security strategy based on IPsec AH and a MAC address option is proposed, which aims to provide an effective defense against denial of service attacks and redirection attacks. The optimized NDP process strengthens the security of IPv6 networks.

Keywords—IPv6, Neighbor Discovery Protocol, Security Attack, Authentication

978-1-4799-2716-6/13/$31.00 ©2013 IEEE

I. INTRODUCTION

IPv4 will gradually be replaced by IPv6, the next generation of the Internet protocol, which is widely deployed as a significant evolution of IPv4. Neighbor Discovery Protocol (NDP) is used by IPv6 nodes to discover other nodes on the local link, to determine their link-layer addresses, to find routers and to obtain reachability information about the paths to neighboring nodes [1]. NDP, operating in the IPv6 protocol stack at the link layer, is responsible for address autoconfiguration, the discovery of other nodes and the determination of their link-layer addresses. It also performs duplicate address detection and helps to find available routers and Domain Name System (DNS) servers.

The original NDP specification relies on IPsec to protect NDP messages. However, because of the bootstrapping problem of running IKE before a node has an address, IPsec can only be used with manually configured security associations, which makes the approach impractical [2]. Lacking a proper security mechanism, NDP is a vulnerable target for many network attacks. Given the critical and multifaceted role of NDP, its security and robustness must be ensured, and security must be taken into account in the NDP design so that router discovery and data forwarding can be carried out reliably [3].

The initial Hop Limit of every ND packet is set to 255, and the value is decremented by 1 each time the packet passes through a router. On receiving an ND packet, the receiver checks the Hop Limit field of the IPv6 header: if the value equals 255, the packet must have originated from a node on the local link and is accepted; otherwise the packet is discarded [4]. However, authenticating ND packets by Hop Limit validation alone is not enough: it only blocks attacks launched by nodes on other links and cannot prevent threats from malicious nodes on the local link. The security of communication between nodes on the same link therefore cannot be guaranteed effectively.

II. SECURITY THREATS BASED ON IPV6 NDP

Because NDP is used by both hosts and routers, it is exposed to a variety of attacks, which in turn creates several security threats for IPv6 networks. Hosts and routers use NDP to learn the link-layer addresses of their neighbors and to find neighboring routers for packet forwarding. They also use the neighbor discovery mechanism to determine whether neighbors are reachable and to detect changed link-layer addresses [5]. NDP was designed on the assumption of a trustworthy network, and its security threats fall mainly into three types.

A. Denial of Service Attack (DoS)

1) SYN flood attack
This attack exploits a weakness of the TCP protocol: the attacker sends a large number of SYN requests with forged source addresses, which exhausts the victim's resources and overloads its CPU until the victim computer can no longer operate.

2) Land flood attack
A land attack is a DoS attack in which a specially crafted spoofed packet is sent to a computer, causing it to lock up. The attack uses a spoofed SYN packet whose source and destination addresses are both set to the address of the same server, so that the server keeps sending SYN-ACK messages to itself. It then replies with ACK messages and creates a null connection, causing repeated replies, and the connection is kept until it times out.

B. DoS Attacks based on IPv6

1) Fake prefix address and network configuration parameters
Hosts on a link configure their network parameters according to Router Advertisement (RA) messages. A malicious node that counterfeits RA messages can seriously interfere with the network configuration of victim nodes. The attacker sends RA messages with forged subnet prefix information, leaving hosts unable to operate normally in the subnet. Pretending to be a router, the attacker disrupts legitimate communication by advertising improper values for the MTU, hop limit and router lifetime. The victim configures itself according to these parameters, and as a result its data packets can no longer reach the destination node.

2) DoS attack based on duplicate address detection (DAD)
A malicious node can monitor the DAD packets on the link, collect the address each DAD packet is probing and forge a Neighbor Advertisement (NA) in reply. The victim then believes the address is already in use and must generate another address and repeat DAD. As long as the attacker keeps sending replies, the victim cannot obtain an IP address and normal communication is cut off.

3) DoS attack based on neighbor unreachability detection
Hosts judge the reachability of other nodes on the link from upper-layer traffic. When the upper-layer session provides insufficient evidence of reachability, the node activates Neighbor Unreachability Detection (NUD) and sends a Neighbor Solicitation (NS) to the destination node. If the destination is reachable it responds with an NA; otherwise, after several failures, the node deletes the corresponding neighbor cache entry. The attacker mounts a denial of service attack by continuously sending forged NAs in response to NUD.

C. Redirection Attack

1) Malicious last-hop router
The attacker periodically sends RAs, pretending to be the last-hop router and announcing a router lifetime of 0. The deceived host concludes that the router no longer provides service and therefore chooses the fake host as its default router. As a result, the attacker is able to cut off the victim's communication with other hosts or to carry out a man-in-the-middle (MITM) attack.

2) ARP cheating
Because neighbors prefer new information and overwrite existing cache entries with it, the attacker can corrupt the neighbor cache simply by sending NS or NA messages carrying a different link-layer address, which successfully blocks normal communication. However, since ARP cheating is time-limited, the attacker must keep responding for the fake address in order to keep the attack going.

3) Fake redirect packet
Packets sent to a fixed destination node can be redirected to other nodes on the link. The attacker uses the address of the last-hop router as the source address and sends a Redirect for the data packets to the legitimate host. The host checks the validity of the packet by its source address; since the source address appears to be that of its default router, the host accepts the malicious redirection.

In terms of the five types of NDP messages, the attacks above can easily be implemented with forged NS/NA, RS/RA and Redirect messages. In addition, modifying packet parameters so as to change the data structure can also realize NDP attacks directly.

III. IMPLEMENTATION AND EFFECT OF IPV6 NDP SECURITY ATTACK

The experimental environment consists of one router, one switch and three hosts. Its topology is shown in Fig1.

Fig1. The topology structure of NDP security attacks

A. SYN Flood Attack
A SYN flood attack results in high CPU utilization, memory exhaustion and sluggish response, which leaves the victim machine unable to work normally or to communicate with other machines. The attack scenario is shown in Fig2. When the attack is launched, a large number of router advertisements are flooded onto the network. Taking client B as an example, its CPU utilization rose to 99%, while its bandwidth utilization rose above 95%.
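The Hop Limit rule described in the Introduction (accept an ND packet only if the IPv6 Hop Limit is still 255, because a router would have decremented it) can be applied by a receiver or a link-layer filter before any ND message is processed. The following is an added example written for this edit, not code from the paper. It assumes a plain IPv6 header followed directly by ICMPv6 (no extension headers) and uses constructed packets, with client B's link-local address from Section III.C as the source, to show a valid on-link NA, the same NA after one router hop, and an ICMPv6 message that is not an ND message at all.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv6Address
from typing import List, Optional

ICMPV6 = 58                                   # IPv6 Next Header value for ICMPv6
# ICMPv6 types of the five Neighbor Discovery messages (RFC 4861).
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}


@dataclass
class NdVerdict:
    accepted: bool
    reason: str
    msg_type: Optional[str] = None


def check_nd_packet(raw: bytes) -> NdVerdict:
    """Receiver-side check from the paper: an ND message is accepted only if it
    is ICMPv6, is one of the five ND types, and arrives with Hop Limit == 255,
    i.e. it cannot have been forwarded by a router."""
    if len(raw) < 40:
        return NdVerdict(False, "truncated IPv6 header")
    ver_tc_flow, _payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", raw[:8])
    if ver_tc_flow >> 28 != 6:
        return NdVerdict(False, "not an IPv6 packet")
    if next_hdr != ICMPV6:
        # Extension headers between IPv6 and ICMPv6 are not walked here;
        # a production filter would have to skip them first (assumption).
        return NdVerdict(False, "next header is not ICMPv6")
    if len(raw) < 44:
        return NdVerdict(False, "truncated ICMPv6 header")
    icmp_type, icmp_code = raw[40], raw[41]
    if icmp_type not in ND_TYPES:
        return NdVerdict(False, f"ICMPv6 type {icmp_type} is not a Neighbor Discovery message")
    name = ND_TYPES[icmp_type]
    if icmp_code != 0:
        return NdVerdict(False, f"{name} with non-zero ICMPv6 code", name)
    if hop_limit != 255:
        return NdVerdict(False, f"{name} arrived with hop limit {hop_limit}, expected 255", name)
    return NdVerdict(True, f"{name} with hop limit 255 originated on the local link", name)


def build_packet(hop_limit: int, icmp_type: int, src: str, dst: str, body: bytes = b"") -> bytes:
    """Construct a minimal IPv6 + ICMPv6 packet for testing (checksum left zero;
    these are constructed sample packets, not captured traffic)."""
    icmp = bytes([icmp_type, 0, 0, 0]) + body
    hdr = struct.pack("!IHBB", 6 << 28, len(icmp), ICMPV6, hop_limit)
    return hdr + IPv6Address(src).packed + IPv6Address(dst).packed + icmp


def demo() -> List[NdVerdict]:
    """Three constructed packets: a valid on-link NA, the same NA after one
    router hop, and an Echo Request, which is not an ND message."""
    src, dst = "fe80::221:97ff:fedd:5260", "ff02::1"   # client B (Section III.C) -> all-nodes multicast
    na_body = struct.pack("!I", 0x20000000) + IPv6Address(src).packed  # O flag + target address
    return [
        check_nd_packet(build_packet(255, 136, src, dst, na_body)),
        check_nd_packet(build_packet(254, 136, src, dst, na_body)),
        check_nd_packet(build_packet(255, 128, src, dst, b"\x00" * 4)),
    ]


if __name__ == "__main__":
    for v in demo():
        print("ACCEPT" if v.accepted else "DROP  ", v.reason)
```

As the paper notes, this check only rejects ND traffic that has crossed a router; a malicious node on the same link still passes it, so the check is a prerequisite for, not a replacement of, authentication of the ND message itself.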
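The attacks of Section II (fake RA prefixes and parameters, router withdrawal with lifetime 0, DAD denial of service, forged NAs that rewrite a neighbor cache entry) all leave traces that a passive monitor on the link can flag, which is what a RA-guard or NDP-monitoring tool does. The following is an added example written for this edit, not a tool from the paper. It assumes that frames have already been decoded into NdEvent records (the decoder is not shown) and runs over a constructed trace that replays the forged-NA scenario of Section III.C with client B's and attacker C's addresses; the router's address and MAC, the legitimate prefix 2001:db8:1::/64 and the DAD target are assumed values, and 2001:da8::/64 stands in for the false prefix 2001:da8:0:0:0/64 of Section III.B.

```python
from dataclasses import dataclass
from ipaddress import IPv6Network
from typing import Dict, List, Optional


@dataclass
class NdEvent:
    """One decoded Neighbor Discovery message, as a capture decoder would yield it."""
    kind: str                               # "NS", "NA" or "RA"
    src_ip: str                             # IPv6 source of the packet ("::" for a DAD probe)
    src_mac: str                            # Ethernet source address of the frame
    target: Optional[str] = None            # NS/NA target address
    lladdr: Optional[str] = None            # Target Link-Layer Address option of an NA
    prefix: Optional[str] = None            # Prefix Information option of an RA
    router_lifetime: Optional[int] = None   # RA router lifetime in seconds


class NdMonitor:
    """Passive monitor for the NDP attacks of Sections II and III: RAs from
    unlisted routers or with unexpected prefixes, router withdrawal
    (lifetime 0), NAs that rewrite an existing IP-to-MAC binding, NAs whose
    frame source differs from the advertised link-layer address, and
    repeated NA replies to a DAD probe."""

    def __init__(self, allowed_prefixes: List[str], routers: Dict[str, str], dad_reply_threshold: int = 3):
        self.allowed_prefixes = [IPv6Network(p) for p in allowed_prefixes]
        self.routers = {ip: mac.lower() for ip, mac in routers.items()}   # legitimate router IP -> MAC
        self.dad_reply_threshold = dad_reply_threshold
        self.bindings: Dict[str, str] = {}       # neighbor IP -> MAC learned from NAs
        self.dad_pending: Dict[str, int] = {}    # address under DAD -> NA replies seen
        self.alerts: List[str] = []

    def feed(self, ev: NdEvent) -> List[str]:
        handler = {"RA": self._check_ra, "NS": self._check_ns, "NA": self._check_na}[ev.kind]
        found = handler(ev)
        self.alerts.extend(found)
        return found

    def _check_ra(self, ev: NdEvent) -> List[str]:
        found: List[str] = []
        expected = self.routers.get(ev.src_ip)
        if expected is None:
            found.append(f"RA from unlisted router {ev.src_ip} ({ev.src_mac})")
        elif expected != ev.src_mac.lower():
            found.append(f"RA claiming router {ev.src_ip} sent from {ev.src_mac}, expected {expected}")
        if ev.router_lifetime == 0:
            found.append(f"RA from {ev.src_ip} withdraws the default router (lifetime 0)")
        if ev.prefix and IPv6Network(ev.prefix, strict=False) not in self.allowed_prefixes:
            found.append(f"RA from {ev.src_ip} advertises unexpected prefix {ev.prefix}")
        return found

    def _check_ns(self, ev: NdEvent) -> List[str]:
        if ev.src_ip == "::" and ev.target:          # DAD probes come from the unspecified address
            self.dad_pending.setdefault(ev.target, 0)
        return []

    def _check_na(self, ev: NdEvent) -> List[str]:
        found: List[str] = []
        if ev.target is None or ev.lladdr is None:
            return found
        if ev.lladdr.lower() != ev.src_mac.lower():
            found.append(f"NA for {ev.target} advertises {ev.lladdr} but was sent from {ev.src_mac}")
        if ev.target in self.dad_pending:
            self.dad_pending[ev.target] += 1
            if self.dad_pending[ev.target] >= self.dad_reply_threshold:
                found.append(f"{self.dad_pending[ev.target]} NA replies to DAD for {ev.target}: possible DAD DoS")
        old = self.bindings.get(ev.target)
        if old is not None and old.lower() != ev.lladdr.lower():
            found.append(f"binding for {ev.target} changed from {old} to {ev.lladdr}")
        self.bindings[ev.target] = ev.lladdr
        return found


# Constructed sample trace. B and C use the addresses of Section III.C;
# the router address and MAC, the prefixes and the DAD target are assumed.
ROUTER_IP, ROUTER_MAC = "fe80::1", "00-00-5E-00-53-01"
B_IP, B_MAC = "fe80::221:97ff:fedd:5260", "00-21-97-DD-52-60"
C_IP, C_MAC = "fe80::4687:fcff:fed4:4e6e", "44-87-FC-D4-4E-6E"
DAD_TARGET = "2001:db8:1::abcd"

SAMPLE_TRACE = [
    NdEvent("RA", ROUTER_IP, ROUTER_MAC, prefix="2001:db8:1::/64", router_lifetime=1800),
    NdEvent("NA", B_IP, B_MAC, target=B_IP, lladdr=B_MAC),                  # B's legitimate NA
    NdEvent("NA", B_IP, C_MAC, target=B_IP, lladdr=C_MAC),                  # C's forged NA (the Fig4 scenario)
    NdEvent("RA", C_IP, C_MAC, prefix="2001:da8::/64", router_lifetime=0),  # fake prefix + router withdrawal
    NdEvent("NS", "::", B_MAC, target=DAD_TARGET),                          # B's DAD probe
] + [NdEvent("NA", C_IP, C_MAC, target=DAD_TARGET, lladdr=C_MAC)] * 3       # C answers every probe


def run_sample() -> List[str]:
    mon = NdMonitor(allowed_prefixes=["2001:db8:1::/64"], routers={ROUTER_IP: ROUTER_MAC})
    for ev in SAMPLE_TRACE:
        mon.feed(ev)
    return mon.alerts


if __name__ == "__main__":
    for a in run_sample():
        print("ALERT:", a)
```

The monitor only observes; it is deliberately not an enforcement point, since NDP gives it no way to tell a forged NA from a legitimate address change without the authentication the paper adds in Section IV.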
Fig2. The result of SYN flood attack

B. Fake Prefix Address Attack
The attacked host has no global address, only a temporary link-local address. Once it obtains a global address through NDP it can communicate normally. In the attack, however, the prefix it receives is 2001:da8:0:0:0/64, a false prefix with which the host cannot communicate with other hosts. The attack result is shown in Fig3.

Fig3. The fake IPv6 global address obtained by counterfeit NDP parameters

C. ARP Cheating Attack
Assume three machines in a local area network (LAN): A is a server, B is a client and C is the attacker. Their link-local IP addresses and MAC addresses are as follows:
Server A: IP fe80::2d0a:4f91:8821:d7a0; MAC 00-21-CC-BA-88-1E
Client B: IP fe80::221:97ff:fedd:5260; MAC 00-21-97-DD-52-60
Attacker C: IP fe80::4687:fcff:fed4:4e6e; MAC 44-87-FC-D4-4E-6E
The attacker sends an NA to server A that changes A's neighbor cache, replacing the legitimate MAC address of client B with that of attacker C, so that data meant for client B is redirected to attacker C.
In Fig4 we can see that the ECHO-request message of server A has been tampered with by attacker C: the MAC address recorded for client B (fe80::221:97ff:fedd:5260) is 44-87-FC-D4-4E-6E, the same as attacker C's MAC address, so data sent from server A to client B is intercepted by attacker C. In the same way, attacker C can intercept data sent from client B to server A, which yields a MITM attack.

Fig4. The ECHO-request message after ARP cheating with forged NA

IV. IMPROVEMENT SOLUTIONS BASED ON NDP SECURITY
Although a protection mechanism was considered in the design of NDP, it rests on the premise of a fully trusted network and lacks effective authentication measures to protect the exchange of configuration information [6], so a variety of potential security hazards still cannot be avoided.
The main security defect of NDP is the lack of a corresponding authentication mechanism. Several security mechanisms have been proposed to remedy the defects of ND, such as ND message authentication and identification of legitimate messages, with the aim of ensuring the credibility and integrity of NDP. The Secure Neighbor Discovery Protocol (SEND), proposed by the IETF, is a security extension of NDP [7]. Because of its complex authentication mechanism, SEND does not guarantee physical access control well and is not suitable for general network environments [8]. IPsec, a key technology of IPv6 network security, is plagued by key management when adapted to NDP: each node needs an IP address to run IKE, yet IKE is what establishes the IPsec security association (SA) that is needed for address configuration. Currently the administrator sets up the SA manually and then configures the node to obtain an IP address. When a network has a large number of nodes and SAs to establish, the IPsec implementation runs into trouble. In view of the NDP security strategies above, several improvements to the IPsec scheme are needed to solve the NDP security problems.

A. Framework of Improvement Strategies
The improved NDP security authentication scheme is shown in Fig5.
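Section IV.B and Table 1 define the MAC address option (Type 9, Length 1, an 8-byte option carrying the verified link-layer address) that the paper protects with IPsec AH, so that a receiver can check the IPv6 address and the MAC address together and reject the forged NA of Section III.C. The following is an added example written for this edit, not the paper's implementation. It assumes that an HMAC-SHA-256 value truncated to 128 bits stands in for the AH integrity check value, that a pre-shared key stands in for the IPsec SA (the paper leaves key distribution to MIKE), and that the option is encoded as Type, Length and six MAC octets with no reserved octets, since Length 1 leaves no room for the reserved field listed in Table 1. The addresses are those of server A, client B and attacker C from Section III.C.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from ipaddress import IPv6Address
from typing import Dict, List, Optional, Tuple

MAC_OPTION_TYPE = 9      # Table 1: Type = 9
MAC_OPTION_LENGTH = 1    # Table 1: Length = 1 (units of 8 octets, so the option is 8 bytes)
ICMPV6_NA = 136


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.replace(":", "-").split("-"))


def encode_mac_option(mac: str) -> bytes:
    # Type(1) | Length(1) | MAC(6) = 8 octets. The reserved field of Table 1
    # has no octets left at Length 1, so this encoding (an assumption) omits it.
    return struct.pack("!BB6s", MAC_OPTION_TYPE, MAC_OPTION_LENGTH, mac_to_bytes(mac))


def find_mac_option(options: bytes) -> Optional[str]:
    """Walk the ND option TLVs and return the MAC from the MAC address option, if any."""
    i = 0
    while i + 2 <= len(options):
        otype, olen = options[i], options[i + 1]
        if olen == 0:
            return None          # RFC 4861: a zero-length option means the packet must be discarded
        if otype == MAC_OPTION_TYPE and olen == MAC_OPTION_LENGTH:
            return "-".join(f"{b:02X}" for b in options[i + 2:i + 8])
        i += olen * 8
    return None


def build_na(target: str, mac: str, solicited: bool = True) -> bytes:
    """ICMPv6 NA: type, code, checksum (left 0 here), flags, target, then the MAC option."""
    flags = (0x40000000 if solicited else 0) | 0x20000000   # S and O bits
    return struct.pack("!BBHI", ICMPV6_NA, 0, 0, flags) + IPv6Address(target).packed + encode_mac_option(mac)


@dataclass
class AhNdMessage:
    src: str
    dst: str
    seq: int        # AH sequence number, used for replay detection
    icmp: bytes     # the ND message including its options
    icv: bytes      # AH integrity check value


def _auth_data(src: str, dst: str, seq: int, icmp: bytes) -> bytes:
    # AH covers the immutable IP header fields, the AH header and the payload;
    # here that is source, destination, sequence number and the whole ICMPv6 message.
    return IPv6Address(src).packed + IPv6Address(dst).packed + struct.pack("!I", seq) + icmp


def sign_nd(key: bytes, src: str, dst: str, seq: int, icmp: bytes) -> AhNdMessage:
    icv = hmac.new(key, _auth_data(src, dst, seq, icmp), hashlib.sha256).digest()[:16]
    return AhNdMessage(src, dst, seq, icmp, icv)


class AhNdReceiver:
    """Verifies AH-protected ND messages and only then trusts the MAC address option."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0
        self.bindings: Dict[str, str] = {}   # target IPv6 -> MAC learned from authenticated NAs only

    def verify(self, msg: AhNdMessage) -> Tuple[bool, str]:
        expected = hmac.new(self.key, _auth_data(msg.src, msg.dst, msg.seq, msg.icmp), hashlib.sha256).digest()[:16]
        if not hmac.compare_digest(expected, msg.icv):
            return False, "ICV mismatch: message forged or modified"
        if msg.seq <= self.last_seq:
            return False, f"replayed sequence number {msg.seq}"
        self.last_seq = msg.seq
        if msg.icmp[0] != ICMPV6_NA:
            return False, "not a Neighbor Advertisement"
        target = str(IPv6Address(msg.icmp[8:24]))
        mac = find_mac_option(msg.icmp[24:])
        if mac is None:
            return False, "MAC address option missing"
        self.bindings[target] = mac
        return True, f"{target} -> {mac}"


A_IP = "fe80::2d0a:4f91:8821:d7a0"                    # server A (Section III.C)
B_IP, B_MAC = "fe80::221:97ff:fedd:5260", "00-21-97-DD-52-60"   # client B
C_MAC = "44-87-FC-D4-4E-6E"                           # attacker C


def run_scenario() -> List[Tuple[bool, str]]:
    key = b"constructed-pre-shared-key"   # stands in for the key of the IPsec SA (assumption)
    rx = AhNdReceiver(key)
    legit = sign_nd(key, B_IP, A_IP, 1, build_na(B_IP, B_MAC))
    # C rewrites the option to its own MAC (the Fig4 attack) but cannot recompute the ICV
    tampered = AhNdMessage(legit.src, legit.dst, 2, legit.icmp[:24] + encode_mac_option(C_MAC), legit.icv)
    # C signs a forged NA with a key of its own choosing
    forged = sign_nd(b"attacker-guess", B_IP, A_IP, 3, build_na(B_IP, C_MAC))
    return [rx.verify(legit), rx.verify(tampered), rx.verify(forged), rx.verify(legit)]


if __name__ == "__main__":
    for ok, info in run_scenario():
        print("ACCEPT" if ok else "REJECT", info)
```

The point of the combination is that the binding written into the neighbor cache is taken only from an option whose bytes were covered by the ICV, so a node without the SA key can neither substitute its own MAC into a genuine NA nor produce one of its own; the sequence check rejects a captured NA that is replayed later.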
Fig5. The system diagram of improved NDP security strategies

In the optimized system, IPsec AH is introduced into the neighbor discovery protocol, which authenticates the communication packets and prevents attacks with counterfeit neighbor discovery messages. In addition, we insert a MAC address option into NDP to prevent redirection attacks based on forged IP or MAC addresses. With this combination, AH authenticates both the IP address and the MAC address at the same time. Furthermore, to solve the multicast problem in neighbor discovery, MIKE, a multicast key management protocol, is applied to the neighbor discovery process. With the introduced key system, access control is applied before, and again after, AH authentication in multicast communication to achieve protection.

B. Detailed Illustration
AH provides integrity verification, origin authentication and replay protection for IP packets. IPsec AH is added to NDP and the AH header is inserted at the appropriate position in either transport mode or tunnel mode, so that the end-to-end payload and the immutable header fields can be authenticated. AH authenticates packets according to the IPsec specification.

A MAC address option is added to the neighbor discovery message, so that the MAC address option is covered by AH authentication; in this way both the IPv6 address and the link-layer MAC address are verified. With the improved ND message we can defend against redirection attacks and denial of service attacks derived from forged IP or MAC addresses. The format of the MAC address option defined in the ND message is shown in Fig6, and the value of each field is given in Table 1.

Fig6. The MAC address option definition

Table 1. The field value of MAC address option in details

Field            Value    Details
Type             9        /
Length           1        the whole option has 8 bytes, including the type field and length field
Reserved Field   0/null   Sender/Receiver
MAC Address      /        verified MAC (link-layer) address

As an application-layer key management protocol, MIKE runs in user space as a background process and provides key authentication for neighbor communication. Based on the multicast security association (MSA) of the IPsec protocol, MIKE receives control information sent by the neighbor group controller, so as to secure members joining or leaving the neighbor group.

V. CONCLUSION
This paper analyzed in depth the threats and security attacks against IPv6 NDP and presented several denial of service and redirection attacks, including SYN flood, fake prefix address attack and ARP cheating. Based on the IPsec authentication mechanism, we proposed an improved NDP security strategy that combines AH validation with a MAC address option. The optimization authenticates both the IP address and the MAC address and provides an effective defense against NDP security attacks, which is of practical value for enhancing IPv6 network security.

ACKNOWLEDGMENT
This work was partially supported by the important special project "Research on Mobile Intelligent Terminal Security Assessment Technology" sponsored by the Ministry of National Science and Technique.

REFERENCES
[1] S. Deering, R. Hinden, "Internet Protocol, Version 6 (IPv6) Specification", RFC 2460, 1998.
[2] C. E. Caicedo, J. B. D. Joshi, et al., "IPv6 Security Challenges", IEEE Computer Society, Vol. 42, No. 2, pp. 36-42, 2010.
[3] T. Narten, E. Nordmark, W. Simpson, et al., "Neighbor Discovery for IP Version 6 (IPv6)", IETF RFC 4861, 2007.
[4] Yu Cunjiang, Jiang Li, "Authentication Algorithms of Internet Protocol Security in an IPv6-Based Environment", Proceedings of the 2010 4th International Conference on Intelligent Information Technology Application (Volume 4), 2010.
[5] Z. A. Baig, S. C. Adeniye, "A Trust-based Mechanism for Protecting IPv6 Networks against Stateless Address Auto-configuration Attacks", 2011 17th IEEE International Conference on Networks (ICON), pp. 171-176, 2011.
[6] S. V. Kartalopoulos, "Differentiating Data Security and Network Security", Proceedings of the Symposium on Information and Network Security of ICC, 2008.
[7] A. AlSa'deh, C. Meinel, "Secure Neighbor Discovery: Review, Challenges, Perspectives, and Recommendations", IEEE Security & Privacy, Vol. 10, No. 4, pp. 26-34, 2011.
[8] Meigen Huang, Jianrong Liu, Yunjie Zhou, "An Improved SEND Protocol against DoS Attacks in Mobile IPv6 Environment", Proceedings of the 2009 IEEE International Conference on Network Infrastructure and Digital Content, 2009.