TELKOMNIKA Indonesian Journal of Electrical Engineering
Vol. 13, No. 1, January 2015, pp. 195 ~ 202
DOI: 10.11591/telkomnika.v13i1.6929
Received September 6, 2014; Revised October 30, 2014; Accepted November 22, 2014
Improvement of Address Resolution Security in IPv6 Local Network using Trust-ND
Supriyanto* (1,2), Iznan H. Hasbullah (2), Mohamed Anbar (2), Raja Kumar Murugesan (3), Azlan Osman (4)
(1) Universitas Sultan Ageng Tirtayasa, Indonesia
(2) National Advanced IPv6 Centre, Universiti Sains Malaysia
(3) Taylor's University, Malaysia
(4) School of Computer Sciences, Universiti Sains Malaysia
*Corresponding author, e-mail: supriyanto@ft-untirta.ac.id
Abstract

The principle of a computer network is transferring information in the form of packets from one node to another. To do this, the communicating nodes have to be assigned an Internet Protocol (IP) address. However, in a local area network, the availability of an IP address alone is not enough for communication. It also needs the neighboring node's Medium Access Control (MAC) address. The current Internet infrastructure, IPv4, uses the Address Resolution Protocol to resolve the neighbor's MAC address if it is not known. IPv6 is the next generation communication protocol used today to overcome the exhaustion of IPv4 addresses. IPv6 uses the Neighbor Discovery Protocol (NDP), not ARP, to do the address resolution. NDP lacks security and hence the address resolution mechanism is vulnerable to various attacks that include man-in-the-middle and Denial of Service. The Secure Neighbor Discovery (SeND) mechanism that was introduced to solve this problem is highly complex and the message size is large. This paper introduces the Trust-ND mechanism to secure the address resolution in an IPv6 local network. Experiments were done, and analysis of the experimental results shows that Trust-ND could decrease the complexity of SeND. The processing time of an NDP message could be reduced from 1076 times for the SeND mechanism to only 1.9 times for Trust-ND.

Keywords: address resolution, neighbor discovery, IPv6, security, Trust-ND

Copyright © 2015 Institute of Advanced Engineering and Science. All rights reserved.
1. Introduction

Address resolution is the process of discovering a neighboring node's link layer address by mapping an IP address onto a physical address. The current Internet infrastructure, IPv4, uses the Address Resolution Protocol (ARP) to do address resolution [1]. Since address resolution is very important in IP packet transmission, the role of ARP becomes important. However, this link layer protocol reportedly has many vulnerabilities, including ARP cache poisoning, man-in-the-middle and DoS attacks. A number of researchers have studied the vulnerability and proposed solutions such as MITM-Resistant [2], ES-ARP [3], S-ARP [4] and TARP [5]. ARP broadcasts an ARP message to obtain the corresponding node's physical address. This broadcast is an overhead to nodes that do not correspond to the IP address, as they still need to process the ARP message. In order to overcome this overhead, IPv6 introduced NDP [6] to do the address resolution instead of ARP [7]. NDP uses a multicast [8] mechanism instead of broadcast.

NDP does the address resolution by sending a neighbor solicitation (NS) message to the neighboring nodes that are grouped in a solicited node multicast address (SNMA). Using this multicasting mechanism, the receiving nodes can be limited. This saves the other nodes in the network from processing address resolution unnecessarily, as happens in ARP. However, the vulnerabilities in ARP also exist in NDP, such as destination cache table poisoning, man-in-the-middle attack and DoS attack [9]. NDP may have other vulnerabilities as it is a new protocol that uses more than one NDP message. Threats and vulnerabilities of NDP, including the address resolution protocol, were studied in [10], [11], and [12]. Research [13] has justified the existence of the threats in the IPv6 neighbor discovery implementation, especially in public networks such as in an airport, coffee shop and bus station.
TELKOMNIKA, ISSN: 2302-4046, Vol. 13, No. 1, January 2015: 195 – 202
A number of proposals were made to address the security problem in the address resolution and for NDP in general. Secure Neighbor Discovery (SeND) [14] is the most complete solution for securing NDP processes, especially the address resolution mechanism. SeND introduced four ICMPv6 options to make the NDP messages secure. The options include Cryptographically Generated Addresses (CGA), Nonce, Timestamp and RSA signature option. Based on the studies conducted in [15] and [16], these four options introduced other vulnerabilities in the NDP processes. The new vulnerability of SeND includes the complexity of option generation as well as the large size of the entire option. This makes the implementation of SeND non-trivial. The complexity of SeND also makes it vulnerable to DoS attacks in the form of SeND message flooding. An attacker could bombard the victim by sending more SeND messages to force the victim to process the messages. Due to the complexity problem, nodes that implement SeND could crash faster than the normal non-SeND nodes.

This paper proposes to use Trust Neighbor Discovery (Trust-ND) as an integration of hard security and soft security for securing the neighbor discovery processes, with the focus on the address resolution function. It implements decentralized trust management between neighboring nodes within IPv6 local networks. The next section of this paper provides an overview of the address resolution mechanism, and Section 3 discusses the threats as well as the vulnerability of the mechanism. Section 4 presents the related works in securing address resolution and Section 5 discusses the experimental results. Section 6 concludes the paper.
2. Overview of Address Resolution in IPv6

An IP packet is transferred in the Network layer using the IP address as node identity [17]. The packet should know a particular destination IP address to reach the intended recipient. However, in a local network all nodes are connected directly via a layer 2 switch that needs the link layer address for establishing communication between the connected nodes. The address resolution mechanism is used to map the IP address into a link layer address so that the neighboring nodes can communicate with each other. Address resolution is also required in link local IPv6 operation. IPv6 uses the neighbor discovery protocol to do address resolution.

Sending an IPv6 packet cannot be done without knowing the link layer address of the neighboring node that acts as the next hop, unless the sender has the neighbor's link layer address in its neighbor cache. However, normally even if the neighboring nodes are connected directly, a node would not know the neighbor's link layer address without any previous interaction. Hence, before the sender can send the IPv6 packet, it should do the address resolution process. Figure 1 shows the address resolution between two computers that wish to communicate using echo request – echo reply by running the ping command. It can be seen from this figure that there are two pairs of NS-NA messages, before and after the echo messages. The address resolution is done by the first NS message. The destination address for the NS message is ff02::1:ff3b:fc9d, which is based on the echo request destination fe80::219:21ff:fe3b:fc9d as the target address.

Figure 1. Address Resolution
NDP was developed with at least two improvements over ARP. First, the destination address of the link layer frame is of multicast type (33:33:ff:3b:fc:9d) instead of broadcast (ff:ff:ff:ff:ff:ff). This can limit the recipients of the Ethernet frame containing the NS message [18]. The lowest bytes of the destination are obtained from the last six characters of the destination IPv6 address. Second, the NDP messages are actually IPv6 packets that have an IP header, which is very different from an ARP message that uses a specific protocol. This is efficient in terms of protocol usage as NDP works on top of ICMPv6 messages. The destination IPv6 address in the address resolution mechanism starts with ff02::1:ff, which is the solicited node multicast group, and ends with f3b:fc9d, taken from the intended destination IPv6 address.

As only those nodes that have the same address will receive the NS message, the number of recipients is very limited. This is an improvement over the original address resolution that uses the broadcast mechanism. A correspondent node that has the same last 24 bits would send an NA message in response to the NS message. Once the sender receives the NA message, the echo request can be sent to the destination. Failing to do the address resolution causes the echo request not to reach the intended destination. Further, the communication cannot be conducted between the two nodes. In order to store the identity of neighboring nodes, NDP uses a neighbor cache that has the same function as the ARP cache.
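
The mapping described in this section, worked through in Python as an added example (not code from the paper): it derives the solicited-node multicast address and the Ethernet multicast destination for the target shown in Figure 1, and lists which nodes on a link would receive the NS. The node list is constructed for illustration.

```python
import ipaddress

# ff02::1:ff00:0/104 is the solicited-node multicast prefix; the low 24 bits
# are copied from the unicast address being resolved.
SNMA_PREFIX = int(ipaddress.IPv6Address("ff02::1:ff00:0"))


def solicited_node_multicast(address):
    """Return the solicited-node multicast address (SNMA) for a unicast IPv6 address."""
    low24 = int(ipaddress.IPv6Address(address)) & 0xFFFFFF
    return ipaddress.IPv6Address(SNMA_PREFIX | low24)


def ethernet_multicast_mac(group):
    """Map an IPv6 multicast address to its Ethernet destination: 33:33 + low 32 bits."""
    low32 = int(group) & 0xFFFFFFFF
    octets = [0x33, 0x33] + list(low32.to_bytes(4, "big"))
    return ":".join(f"{o:02x}" for o in octets)


def ns_recipients(target, nodes):
    """Nodes whose own SNMA group equals the group the NS for `target` is sent to."""
    group = solicited_node_multicast(target)
    return [n for n in nodes if solicited_node_multicast(n) == group]


# Target address from the page; the other two nodes are constructed samples.
TARGET = "fe80::219:21ff:fe3b:fc9d"
NODES = [
    "fe80::219:21ff:fe3b:fc9d",   # owner of the target address
    "fe80::20c:29ff:fe11:2233",   # different low 24 bits: never sees the NS
    "2001:db8::aaaa:bb3b:fc9d",   # same low 24 bits: joins the same group
]

if __name__ == "__main__":
    group = solicited_node_multicast(TARGET)
    print("NS IPv6 destination :", group)
    print("NS Ethernet dest    :", ethernet_multicast_mac(group))
    print("Nodes receiving NS  :", ns_recipients(TARGET, NODES))
```
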
3. Threats on IPv6 Address Resolution

Address resolution in IPv6 is done by the neighbor discovery protocol using NS and NA message exchange. At the time of IPv6 development and deployment, NDP did not include a security mechanism, possibly on the assumption that neighboring nodes are trusted. This makes it vulnerable to various attacks as listed in [10] and studied in [19], [15], [12] and [13]. Since the address resolution process is part of NDP, it is also prone to these attacks. However, the address resolution itself is vulnerable to other kinds of attacks. The following are some of the threats in IPv6 address resolution.
3.1. NS/NA spoofing

Since the address resolution uses the NS and NA messages in its operation, an attacker could exploit one or more fields within the messages. The NS and NA messages are depicted in Figure 2 and Figure 3 respectively. There is a source link layer address in the NS message, and a target link layer address in the NA message. Normally, the receiver machine, which could be a host or a router, will update its neighbor cache based on the information carried by the messages. It then creates a new entry or updates an old entry with the received link layer address. An attacker can spoof the link layer address within an NS or NA message with a nonexistent link layer address. Hence, a wrong binding of IPv6 address and link layer address would be created. Later, when the machine wants to send any IPv6 packet, the packet will go to a wrong destination. It will reach the wrong link layer machine even though the user types a valid IPv6 address. Populating a neighbor cache entry with a wrong IP – link layer binding is called neighbor cache poisoning. In addition, this kind of threat can lead to other threats including MiTM attack and DoS attack.

Figure 2. Format of NS Message with Source Link Layer Address Option

Figure 3. The Format of NA Message with Target Link Layer Address Option
3.2. Man-in-the-Middle Attack

An attacker may send an NS or NA message to a targeted victim with a valid IPv6 address belonging to two legitimate neighbors (Alice and Bob) bound with the attacker's link layer address. Once the neighbor caches of hosts Alice and Bob are poisoned, the man-in-the-middle attack is successful. Host Alice will send a packet to host Bob but it will reach host C (the attacker), and vice versa. Further, the attacker could change the transmitted IPv6 packet, which may cause miscommunication between hosts Alice and Bob as in Figure 4.

Figure 4. Man-in-the-Middle Attacks
3.3. DoS Attack

MiTM happens if the attacker forwards the transmitted packet to the other corresponding node. If the attacker discards or does not forward the packet to the destination, it is called a DoS attack. The intended destination would not receive any IPv6 packet from the sender. This DoS attack may continue even after the sender machine is restarted. The neighbor cache entry for the attacker may still exist.
4. Related Works on Securing Address Resolution in IPv6

A number of proposals have been made by researchers to address the security problem in IPv6 address resolution. Some of them use cryptography, while others use improved mechanisms without any cryptography. An intrusion detection mechanism was proposed by [20] and [21]. It maintains the IPv6 network traffic information, including NS and NA messages, in at least six data tables: NS table, NA table, Problem table, Authenticated table, Log table and Unsolicited table. However, more tables could introduce other problems for the address resolution, including more memory space as well as DoS or flooding attacks that may make all the tables full. Mutaf and Castelluccia proposed Compact Neighbor Discovery, which replaces the 128-bit target IPv6 address in the NS message with an m-bit Bloom filter [11]. The NS message also contains the optimal number of hash functions to minimize the false positive probability. The minimum false positive probability would reduce the number of unnecessary neighbor advertisements. This mechanism could minimize the bandwidth consumption in an IPv6 local network. However, the security problem of the address resolution is still not resolved.

Arkko proposed Secure Neighbor Discovery (SeND) [19], which has been accepted by the IETF as RFC 3971 [14], to secure the neighbor discovery protocol in IPv6 including router discovery and neighbor discovery. It introduced four NDP options: the CGA address to prevent IPv6 address stealing, the nonce and timestamp options to protect NDP from replay attack, and the RSA signature option to do authentication. Each of the NDP messages must carry all the options in every NDP process. NDP messages without the options are treated as unsecured and the receiver should discard the messages. This security mechanism could protect the NDP processes from various attacks including DoS attack, man-in-the-middle attack, replay attack and remote attack. However, the availability of the four options also introduced other problems.

The main problem of SeND is the complexity of the address generation, the CGA option generation as well as the signing of the RSA signature option [16], [22] and [15]. The complexity problem also appears on the receiver when verifying the options. In addition, it is also vulnerable to DoS attacks that could exploit the SeND messages. An attacker may send more packets with the four NDP options to force the victim to process them. The experimentation here on a flooding attack targeting a SeND machine showed that the SeND machine could only process up to 442 NS messages within 1.43 second. This causes a lack of proper security mechanism implementation for address resolution in the IPv6 environment.
Source Address Validation Improvement (SAVI) [23] was proposed by researchers at Tsinghua University, China. SAVI is intended to prevent source address spoofing in the same subnet, as there are many NDP message exchanges. The SAVI principle is to construct anchor information containing trusted information such as the port and MAC address of an IPv6 host. It then creates a binding between the anchor information and the source IP address. It also applies a filtering policy [24] to forward packets matching the filter rules and otherwise discard them. SAVI is generally configured in the access switch of the IPv6 local network as ingress filtering.

However, SAVI is also vulnerable to various attacks. RFC 6959 [24] describes some possible threats as well as the challenges in SAVI implementation. Applying SAVI on the access network would create a problem for dynamic address configuration such as SLAAC and DHCPv6. This is because of the difficulty of creating the binding of anchor information when the IP address changes. The other challenge of SAVI binding creation is when it is a LAN and devices with multiple IPv6 addresses such as routers, multi LAN hosts and firewalls are connected. Paper [25] added another limitation of SAVI, the lack of a protocol for connecting SAVI devices. As a consequence, each SAVI device has to work separately from other devices that are vulnerable to traffic spoofing.
5. Securing Address Resolution Using Trust-ND

Considering the weaknesses of the related work in the previous section, an attempt has been made here to find a new solution to secure neighbor discovery including the address resolution. The main problem in the existing security mechanisms is the lack of integrity verification as well as of providing availability of services. Even though there is a checksum field in the ICMPv6 header [26] to do the integrity check, it is not enough to resist pre-image as well as collision attacks. It is very easy for an attacker to change the message content while keeping the same checksum code. Another shortcoming in the existing methods is the complexity of the message generation as well as the higher resource requirement.

Trust-ND is proposed here as an integration of hard security and soft security. Hard security includes cryptography to provide data integrity checking, while soft security is based on social interaction that uses the trust management concept [27]. The hard security is in the form of a hash function algorithm to assure the data integrity. However, the hash function used is one that satisfies the three hash requirements, namely pre-image resistance, second pre-image resistance and collision resistance. SHA-1 [28] is the hash function algorithm used in the proposed Trust-ND; it is also used in network security mechanisms such as IPsec and SeND. In order to prevent replay attack, a nonce field is used instead of a nonce option as in the SeND mechanism. Further, the generation time, which shows when the message was generated at the sender, is used to prevent DoS attack. As a result, a new NDP option is proposed, called the Trust Option, as depicted in Figure 5. The format of the Trust Option follows the standard of ICMPv6 options that begin with Type and Length fields with the minimum value of 32 bits. The length should be a multiple of 8 bytes. The total length of the Trust Option is 32 bytes or 4 times 8 bytes. The hash function output is represented as the 20-byte Message Authentication Data or MAD field, which is the main field of the Trust Option.
Figure 5. The Format of Trust Option (fields: Type, Length, Reserved; Ts (message generation time) – 4 bytes; Nonce – 4 bytes; Message Authentication Data – 20 bytes)

The soft security is in the form of a decentralized trust management system. The trust management begins with the calculation of the trust value of the sender of a Trust-ND message on each receiver node instead of in one central node. In the case of address resolution, the trust management is illustrated in Figure 6. The sender, in the role of trustee, generates a Trust-NS message sent to the solicited node multicast group (SNMA). The trustor is the receiving node that has to verify the Trust-NS message. The trust calculation is based on two components, which are direct trust and knowledge trust. The direct trust represents the message verification result, while the knowledge trust represents the sender history stored in its neighbor cache. The trust calculation results in three possibilities: trusted if the trust value is higher than 0.5, distrusted if the trust value is lower than 0.5, and uncertainty if the trust value is 0.5. Whatever the result, the trustor has to store or update the trust value in its neighbor cache table.

Figure 6. Trust Management on Trust-ND
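
A sketch of the 32-byte Trust Option and the trustor's decision described in this section, added here as an illustration and not the authors' implementation. The option type 253, the 2-second freshness window, the bytes covered by the SHA-1 digest, the replay check on stored nonces and the equal-weight mix of direct and knowledge trust are assumptions, since the page does not specify them; the field sizes and the 0.5 thresholds are the page's.

```python
import hashlib
import hmac
import os
import struct

# Assumed values (not from the paper): 253 is an experimental ND option type
# (RFC 4727); MAX_AGE is an arbitrary freshness window for Ts.
TRUST_OPT_TYPE = 253
TRUST_OPT_LEN = 4                      # Length is counted in 8-byte units: 4 * 8 = 32 bytes
MAX_AGE = 2                            # seconds a generation time (Ts) stays acceptable
HDR = struct.Struct("!BBHII")          # Type, Length, Reserved, Ts (4 B), Nonce (4 B)


def mad(ndp_msg, ts, nonce):
    """20-byte Message Authentication Data; assumed input: message + option header."""
    head = HDR.pack(TRUST_OPT_TYPE, TRUST_OPT_LEN, 0, ts, nonce)
    return hashlib.sha1(ndp_msg + head).digest()


def build_trust_option(ndp_msg, ts, nonce=None):
    """Sender (trustee) side: 12-byte header followed by the 20-byte MAD."""
    if nonce is None:
        nonce = int.from_bytes(os.urandom(4), "big")
    return HDR.pack(TRUST_OPT_TYPE, TRUST_OPT_LEN, 0, ts, nonce) + mad(ndp_msg, ts, nonce)


def direct_trust(ndp_msg, option, now, seen_nonces):
    """Receiver (trustor) side: 1.0 when the option verifies, 0.0 otherwise."""
    if option is None or len(option) != 32:
        return 0.0                                  # plain NDP message, no Trust Option
    typ, length, _reserved, ts, nonce = HDR.unpack(option[:12])
    if typ != TRUST_OPT_TYPE or length != TRUST_OPT_LEN:
        return 0.0
    if abs(now - ts) > MAX_AGE or nonce in seen_nonces:
        return 0.0                                  # stale Ts or replayed nonce
    if not hmac.compare_digest(option[12:], mad(ndp_msg, ts, nonce)):
        return 0.0                                  # message differs from what was hashed
    seen_nonces.add(nonce)
    return 1.0


def classify(trust):
    """The page's three outcomes around the 0.5 threshold."""
    if trust > 0.5:
        return "trusted"
    return "distrusted" if trust < 0.5 else "uncertain"


def process_nd(cache, src_ip, lladdr, ndp_msg, option, now):
    """Combine direct and knowledge trust, then store the result in the neighbor cache."""
    entry = cache.setdefault(src_ip, {"lladdr": None, "trust": 0.5, "nonces": set()})
    direct = direct_trust(ndp_msg, option, now, entry["nonces"])
    entry["trust"] = (direct + entry["trust"]) / 2  # assumed rule; stored value = knowledge trust
    verdict = classify(entry["trust"])
    if verdict == "trusted":                        # assumed: only then is the binding updated
        entry["lladdr"] = lladdr
    return verdict


def demo():
    """Constructed messages: byte strings stand in for real ICMPv6 NA payloads."""
    cache, now = {}, 1_400_000_000
    bob = "fe80::219:21ff:fe3b:fc9d"
    msg = b"NA target=" + bob.encode() + b" tll=00:19:21:3b:fc:9d"
    altered = b"NA target=" + bob.encode() + b" tll=02:00:00:00:00:66"
    opt = build_trust_option(msg, ts=now, nonce=0x1234ABCD)
    opt2 = build_trust_option(msg, ts=now, nonce=0x0BADF00D)
    verdicts = [
        process_nd(cache, bob, "00:19:21:3b:fc:9d", msg, opt, now),       # valid Trust-NA
        process_nd(cache, bob, "02:00:00:00:00:66", altered, None, now),  # no Trust Option
        process_nd(cache, bob, "02:00:00:00:00:66", altered, opt2, now),  # MAD mismatch
        process_nd(cache, bob, "00:19:21:3b:fc:9d", msg, opt, now + 1),   # replayed nonce
    ]
    return verdicts, cache[bob]["lladdr"], cache[bob]["trust"]


if __name__ == "__main__":
    print(demo())
```

Because the sketch assumes a plain SHA-1 over the message bytes, it shows detection of altered, option-less and replayed messages only; the page does not say what else, if anything, goes into the MAD.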
6. Result and Discussion

Experiments have been done to measure the performance of Trust-ND in securing IPv6 address resolution. The experiments included the address resolution process of the original NDP, the SeND mechanism and the proposed Trust-ND. All the implementations were on the same machine with an Intel(R) Core(TM) 2 Duo CPU and the Windows 7 operating system. The experimental results involved processing time in both sender and receiver, bandwidth utilization and some attacking scenarios. The processing time of NDP messages can be seen in Table 1. The processing time contains both the processing time in the sender and in the receiver for the three NDP mechanisms. The original NDP as the baseline shows the lowest processing time. Trust-ND has a higher processing time, about 1.9 times the baseline for the NS message and 1.8 times for the NA message. In contrast, the SeND mechanism introduces the highest processing time, which reaches 1076 times for the NS message and 1376 times for the NA message.
Table 1. Processing Time of Address Resolution Messages

Processing Time (millisecond)

Address Resolution   Original NDP                  Trust-ND                      SeND Mechanism
Message              Sender   Receiver   Total     Sender   Receiver   Total     Sender   Receiver   Total
NS                   0.053    0.019      0.072     0.066    0.071      0.137     54.563   22.784     77.347
NA                   0.054    0.020      0.073     0.068    0.067      0.135     76.441   24.425     100.866
Table 1 demonstrates that Trust-ND could decrease the complexity of the SeND mechanism by reducing the NDP message processing time. In terms of address resolution, the process of getting the neighboring node's link layer address could be done faster than with the SeND mechanism. The addition of the Trust Option in NS and NA messages does not add significant overhead, and it decreases the overhead significantly when compared to SeND. As the address resolution may be conducted in every IPv6 packet transmission, the network overhead could degrade the network as well as machine performance. Hence, the reduced overhead in Trust-ND as a security mechanism is very useful.

Bandwidth utilization is another parameter of IPv6 local network performance. As observed in [13], the frequency of NDP messages in an IPv6 local network is very high. 84% of the total number of ICMPv6 messages captured are NDP messages, which generally are in the form of NS and NA messages. Further, the NDP message exchange could affect the available bandwidth in the local network. The address resolution process involves two NDP messages, which are the NS and NA messages. The number of NS messages sent by the sender machine is the number of SNMA nodes. This is because the NS message is sent as multicast to SNMA addresses, which is usually a single message. The NA message is sent as unicast to the sender of the NS message, so the number of reply messages is also one.
Table 2. Bandwidth Utilization

NDP Message Type   The Size of Message (bytes)     Bandwidth Utilization (Kbps)
                   NDP    Trust-ND    SeND         NDP     Trust-ND    SeND
NS                 86     118         454          3.44    4.72        18.16
NA                 86     118         454
Typically, the NS message carries the source link layer address option and the NA message carries the target link layer address. Hence the size of the NS and NA messages is the same for address resolution. Since the bandwidth utilization is calculated by comparing the size of the message and the delay time, the bandwidth consumption is comparable with the message size. The calculation results are listed in Table 2. Trust-ND consumed higher bandwidth than the original NDP, about 37% more. In contrast, the SeND mechanism introduced 18.16 Kbps or 428% higher than the original NDP. It means that Trust-ND could save bandwidth when compared to the SeND mechanism, up to 13.44 Kbps or 285% more bandwidth efficient.

The function of a security mechanism is to provide security services as required for the security object. This paper focuses on securing the address resolution in an IPv6 local network using the Trust-ND mechanism. As mentioned in Section 3, the main threat to the address resolution is NS/NA spoofing, which leads to man-in-the-middle attack and DoS attack. In order to evaluate the performance of Trust-ND in preventing spoofing attacks, this proposal was tested by attacking the Trust-ND machine using the parasite6 tool, which can generate NS and NA spoofing attacks.

There are two scenarios in the attacking activity. First, it uses the existing parasite6 tool that generates typical NS and NA spoofing. The spoofed messages in this scenario are without a Trust Option. Hence all the spoofed messages are detected by the receiver and discarded. Second, spoofed Trust-NS and Trust-NA messages were generated using Scapy, since there is a possibility that an attacker could generate Trust-ND messages. The availability of the Trust Option in the spoofed Trust-ND messages could make the receiver fail to detect the spoofed message. However, since the message carries the message authentication data (MAD) as the output of the SHA-1 operation, any changes in the NDP messages will be detected.
6. Conclusion

Address resolution is one of the NDP functions in an IPv6 local network. It is used to discover the link layer address of a neighboring node. Without the link layer address of the next hop node or destination node, an IPv6 node cannot send any IPv6 packet. Hence, address resolution is important on local area networks. Since the address resolution in IPv6 does not implement any security verification, this mechanism is vulnerable to various attacks or threats. Even though there are a number of works on securing address resolution in IPv6, the implementation is still non-trivial.

We propose Trust-ND to solve the security problem of address resolution in an IPv6 local network. Trust-ND introduces the Trust Option to be carried by all NDP messages, especially the NS and NA messages that are used in the address resolution. Since the length of the Trust Option is only 32 bytes, it does not add significant bandwidth consumption in the local network. In addition, Trust-ND message processing is faster compared to the SeND mechanism. The Trust-ND mechanism could save 13.44 Kbps of bandwidth on an IPv6 local network and could save hundreds of milliseconds in terms of time on NDP message processing. Experiments on the attacking scenario on address resolution are also shown to demonstrate that Trust-ND could satisfy the security requirement.
Acknowledgements

This research was supported by the Research University Grant No: 1001/PNAV/846064 funded by Universiti Sains Malaysia, in collaboration with Directorate General of Higher Education, Ministry of Education and Culture, the Republic of Indonesia, and Taylor's University, Malaysia.
References

[1] Plummer DC. An Ethernet Address Resolution Protocol. Request for Comments 826, Internet Engineering Task Force. 1982.
[2] Seung Yeob N, K Dongwon, K Jeongeun. Enhanced ARP: preventing ARP poisoning-based man-in-the-middle attacks. Communications Letters. IEEE. 2010; 14(2): 187-189.
[3] Ataullah M, N Chauhan. ES-ARP: An efficient and secure Address Resolution Protocol. IEEE Students' Conference on Electrical, Electronics and Computer Science (SCEECS). 2012.
[4] Bruschi D, A Ornaghi, E Rosti. S-ARP: a secure address resolution protocol. Proceedings. 19th Annual Computer Security Applications Conference. 2003.
[5] Lootah W, W Enck, P McDaniel, TARP: Ticket-based address resolution protocol. Computer Networks. 2007; 51(15): 4322-4337.
[6] Narten T, et al. Neighbor Discovery for IP version 6 (IPv6). Request for Comments 4861. Internet Engineering Task Force. 2007.
[7] Davies J. Understanding IPv6. Washington: Microsoft Press. 2008.
[8] Wayawo A. The Transmission Multicast and The Control of QoS for IPV6 Using The Infrastructure MPLS. International Journal of Information and Network Security (IJINS). 2012; 1(1): 9-27.
[9] Convery S, D Miller. IPv6 and IPv4 Threat Comparison and Best-Practice Evaluation. Available from www.seanconvery.com/v6-v4-threats.pdf. 2004; 1.0
[10] P Nikander E, J Kempf, E Nordmark, IPv6 Neighbor Discovery (ND) Trust Models and Threats, in Request for Comments 3756, 2004, Internet Engineering Task Force.
[11] Mutaf P, C Castelluccia. Compact neighbor discovery: a bandwidth defense through bandwidth optimization. Proceedings of 24th Annual Joint Conference of the IEEE Computer and Communications Societies. 2005.
[12] Supriyanto, et al. Survey of Internet Protocol Version 6 Link Local Communication Security Vulnerability and Mitigation Methods. IETE Technical Review, 2013. 30(1): p. 64-71.
[13] Supriyanto, et al. Risk Analysis of the Implementation of IPv6 Neighbor Discovery in Public Network. in International Conference on Electrical Engineering, Computer Science and Informatics (EECSI) Yogyakarta, Indonesia. 2014.
[14] Arkko J, et al., Secure neighbor discovery (SEND). Request for Comments 3971, 2005. Internet Engineering Task Force.
[15] AlSa'deh A, C Meinel. Secure neighbor discovery: Review, challenges, perspectives, and recommendations. Security & Privacy. IEEE. 2012; 10(4): 26-34.
[16] Gaeil A, et al. Analysis of SEND Protocol through Implementation and Simulation. in International Conference on. Convergence Information Technology. 2007.
[17] Zhang J, et al., Fractals on IPv6 Network Topology. TELKOMNIKA Indonesian Journal of Electrical Engineering, 2013; 11(2): 577-582.
[18] Crawford. Transmission of IPv6 Packets over Ethernet Networks. Request for Comments 2464, 1998, Internet Engineering Task Force.
[19] Arkko J, et al. Securing IPv6 neighbor and router discovery. in Proceedings of the 1st ACM workshop on Wireless security. Atlanta, GA, USA: ACM. 2002.
[20] Barbhuiya FA, S Biswas, S Nandi. Detection of neighbor solicitation and advertisement spoofing in IPv6 neighbor discovery protocol. Proceedings of the 4th international conference on Security of information and networks, ACM: Sydney, Australia. 2011; 111-118.
[21] Bansal G, et al. Detection of NDP based attacks using MLD. in Proceedings of the Fifth International Conference on Security of Information and Networks. 2012. ACM.
[22] Gelogo YE, RD Caytiles, B Park. Threats and Security Analysis for Enhanced Secure Neighbor Discovery Protocol (SEND) of IPv6 NDP Security. International Journal of Control and Automation, 2011; 4(4): 179-184.
[23] Bi J, et al. Source Address Validation Improvement (SAVI) Framework. Internet Draft. Internet Engineering Task Force. 2013.
[24] McPherson D, J Halpern, F Baker. Source Address Validation Improvement (SAVI) Threat Scope. Request for Comments 6959. Internet Engineering Task Force. 2013.
[25] Guang Y, B Jun, X Peiyao. Source address validation solution with OpenFlow/NOX architecture. in 19th IEEE International Conference on Network Protocols (ICNP). 2011.
[26] Conta A, S Deering, M Gupta. Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification. Request for Comments 4443. Internet Engineering Task Force. 2006.
[27] Sarwar A, et al. A Review of Trust Aspects in Cloud Computing Security. International Journal of Cloud Computing and Services Science (IJ-CLOSER). 2013; 2(2): 116-122.
[28] Polk T, L Chen, S Turner, P Hoffman. Security Considerations for the SHA-0 and SHA-1 Message-Digest Algorithms, in Request for Comments 6194. 2011.