Research Of Security Threats Based On IPv6 Neighbor Discovery Protocol

IPv6 will gradually replace IPv4 as the next generation of the Internet protocol. It will gain widespread deployment as a significant evolution of IPv4. Neighbor Discovery Protocol (NDP) is a network layer protocol in IPv6 protocol stack, and it is mainly used for solving the interconnection problems among all nodes on the same link. However, with the widespread use of IPv6, NDP becomes a vulnerable target of most attacks because of the lack of security mechanisms. Though, IPSec, the default security protocol in IPv6, is used to protect IP and upper layer protocols, and Authentication Header (AH) protocol can provide data integrity and identical authentication services, Internet Key Exchange (IKE) can only handle unicast communication between point to point, and can not be used for multicast communication.This dissertation introduces basic protocols in IPv6, analyses IPSec, Neighbor Discovery Protocol, and security threats of NDP. Then, combined with IPSec authentication system, the improved program which introduces AH protocol into Neighbor Discovery Protocol to provide authentication for data packets and ensure communication safety is proposed. In order to prevent a variety of attacks by forgering NDP packets, an improved strategy based on IPSec AH and the binding address is given. In order to solve the key management problem, the implementation of key management scheme for neighbor multicast communication is discussed in detail. At last, the implementation of redirect attacks basing on forging NS/NA is simulated using Libnet Development Packet. By comparing the attack impacts before and after the introduction of AH authentication mechanism, the effectiveness of improved program for ensuring neighbor discovery protocol security is verified.From the results of the simulation we can see that the improved program can effectively defense a variety of redirect and denial of service attacks that forge NDP packets, and guarantee the safety of neighbor discovery process. As the core of IPv6 network security, IPSec can also seamlessly connect with NDP. Therefore, this improved program has certain significance for strengthening the security of IPv6 network.