| Neighbor Discovery Protocol is an important part of IPv6 protocol, which corresponds to a combination of ARP protocol, ICMP router discovery and ICMP redirect function in IPv4, and solves interconnection among all nodes on the same link. Generally speaking, the nodes can enter a local link without authentication in an open network environment, and maybe there are malicious nodes on a local link. With the widely used of IPv6, malicious nodes will result in various kinds of attack. Consequently the security of Neighbor Discovery becomes highly important.According to main function of IPv6 Neighbor Discovery, various kinds of attack that may be subjected to Neighbor Discovery Protocol have been analysed. Considering IP address spoofing attack, MCGA which is a kind of CGA (Cryptographically Generated Addresses) based on MAC address has been proposed. The MCGA is a kind of IPv6 address of which the interface identifier is generated by a cryptographic one-way hash function using public key of the address'owner, subnet prefix, MAC address and auxiliary parameters. Messages sent from a MCGA address must be signed by using the private key of the address'owner. The nodes that receive the messages need to validate the MCGA and the signature of the messages by using the public key. The address is legal only if the validation of MCGA and signature are both successful. The generation and verification of MCGA, MCGA option and MCGA signature option are presented, and strongpoint of MCGA is described. Moreover, trust anchor model, timestamp and nonce to secure Neighbor Discovery Protocol are also proposed.The simulation using MCGA to denfend the attack of address resolution shows that MCGA method is fully effective. |
PDF Full Text Request