Survey of Internet Protocol Version 6 Link Local Communication ...

1 downloads 15703 Views 741KB Size Report
software monitoring tool [12] randomly from 2008 until. 2012 at the National ..... redirect message to inform host the best route to send. a packet. Attacker could ...

Survey of Internet Protocol Version 6 Link Local Communication Security Vulnerability and Mitigation Methods Supriyanto1,2, Iznan Husainy Hasbullah2, Raja Kumar Murugesan3 and Sureswaran Ramadass2 1

Department of Electrical Engineering, Universitas Sultan Ageng Tirtayasa (UNTIRTA), Indonesia, 2National Advanced IPv6 Centre, Universiti Sains Malaysia, 3School of Computing, Taylor’s University Lakeside Campus, Malaysia

Abstract IPv6 is a network layer protocol of the OSI reference model. IPv6 uses the Neighbor Discovery Protocol (NDP) that works on link local scope of IPv6 network. NDP covers host initialization and address auto configuration that is one of IPv6 advantages and other important functionalities. IPv6 mandates to support Internet Protocol Security (IPSec) for end‑to‑end communication security. However, this security protocol does not cover the link local communication that uses NDP. It is important to consider the link local security issues as the Internet being an open network is vulnerable to be exploited by attackers from both outside and inside the network. In addition, most of the security mechanisms typically block external threats but are relatively vulnerable to the threats originating from internal network. Thus, understanding the threat and vulnerability in the local network is very important. This paper surveys local network security phenomenon and the current defense methods on the IPv6 link local network security vulnerability mitigations. Keywords Internet protocol security, IPv6, Local network, Security, Secure neighbor discovery.

1. Introduction The Internet becoming more ubiquitous with the increasing Internet penetration through more hand‑held smart devices, and most services and transactions are made online, IPv6 will soon become prevalent. The Internet Society  (ISOC) had successfully conducted a World IPv6 Launch Day on 6th  June 2012. The event was intended to ensure that the Internet remains open and accessible to everyone including the other five billion people not yet connected to the Internet. IPv6 was designed and engineered to address the problem of IPv4 address exhaustion. While most Regional Internet Registries (RIRs) have very little IPv4 address space to be released, Asia Pacific Network Information Centre (APNIC) has already exhausted its pool of IPv4 addresses. Among the many functional improvement offered by IPv6 over IPv4 is a simpler and smaller fixed header format that result in faster processing in routers along the packet transmission path. IPv6 also replaces the limited Option Field in IPv4 header with Extension Headers that is more flexible and extensible as it is not part of the main header. The use of more than one extension header does not result in additional processing overhead to the intermediate devices since all Extension Headers, except for Hop‑by‑Hop Extension Header, will be ignored by the routers. Another advantage of IPv6 over IPv4 is using IPSec, a built‑in end‑to‑end security 64

mechanism. IPSec uses two extension headers, namely Authentication header and Encapsulation Security Payload, to provide data integrity and confidentiality. As IPv6 is a network layer protocol, it was believed that its introduction as a new protocol will not have any effect on other layers in the OSI model. Furthermore, it was believed that IPSec would cover all security aspects of IPv6 packets transmission. Thus, during IPv6 development, the security mechanism of other layers was ignored that includes link local security. Existing literature [1-4] focus on Neighbor Discovery Protocol (NDP) in discussing the impact of IPv6 to the link local communication. The NDP provides at least two advantages of IPv6 processing on nodes (host and router) in the same link that is not available in IPv4. Firstly, host initialization for a new IPv6 host that connects to an IPv6 network. Here, the host will send a Router Solicitation message to routers in the same link to obtain information such as prefix, default router, and other network parameters. The host also sends Neighbor Solicitation message to other hosts in the same link to get information about link layer and IP address of its neighbors to prevent duplicated address. Secondly, address auto configuration [5] that is used to generate a host’s own IPv6 address without a server. Failure in any one of the two processes will render the IPv6 host unable to communicate with other IPv6 hosts. IETE TECHNICAL REVIEW | Vol 30 | ISSUE 1 | JAN-FEB 2013

Supriyanto, et al.: Survey of IPv6 Link Local Communication Security Vulnerability and Mitigation Methods

The NDP is a protocol that works on top of Internet Control Message Protocol for the Internet Protocol version  6  (ICMPv6)  [6]. It is a network layer protocol but works on link local communication. The design of IPSec mechanism renders it inappropriate to be used to secure IPv6 local communication. The authors of [3] have emphasized on the link local security issues. They have mentioned two problems on the IPSec implementation in link local scope communication reviewed in [7]. The first problem is bootstrapping when using Internet Key Exchange  (IKE) in order to bring up an IP stack. IKE requires an IP stack, specifically an IPv6 address, in order to work. However, the NDP messages passing on the host initialization is intended to get IPv6 address. The second problem is on verifying the ownership of assigned IPv6 address. In order to know the owner of an IPv6 address, a host may use Duplicate Address Detection (DAD), but this mechanism is done on the host initialization; thus, the host cannot do DAD with IPSec. In a nutshell, link local communication in IPv6 is very important and unfortunately there were no security mechanism designed at the time of development. This paper surveys link local security vulnerability and reviews several methods proposed to mitigate these vulnerabilities. The rest of the paper is organized as follows: Section 2 elaborates on link local attacks highlighting the importance of securing Link Local Communication. Section 3 presents the overview of IPv6 link local communication, while Section 4 identifies possible threat and vulnerability on IPv6 link local communication. Section 5 provides the current mitigation techniques followed by a discussion on Link Local Security in Section 6. Section 7 concludes this paper.


The Importance of Securing Link Local Communication

Generally, a LAN is connected to larger network via Internet that is very open channel [8]. Thus, people have to secure their link local network. However, link local security seldom gets the attention from the network researchers and designers. The main focus usually is on the security of Internet communication and not on the link local scope communication [9]. In order to protect link local network, typical measures usually involve the use of firewall to filter incoming malicious traffic. The authors of [9] identify three disadvantages of the defense method on link local communication: 1. Firewalls cannot possibly filter unknown attacks. A new vulnerability on allowable protocol will not be filtered 2. An insider can easily bypass border network protection of an organization that has a firewall in the border network while neglecting to protect its Local Area Network (LAN) 3. Large organization may require extending their orIETE TECHNICAL REVIEW | Vol 30 | ISSUE 1 | JAN-FEB 2013

ganization protection policy by restricting access of a department from other substructures. An attack from inside link local communication is called non‑blind attack. Neighboring nodes on link local are usually considered as trusted hosts. Potential attacker from the neighbors knows the targeted victim. Even though personally the user on the same link trust each other, in the current broad Internet connectivity, the spread of malware within the network may occur without the knowledge of the user. This phenomenon was reported by Computer Security Institute  (CSI) in their annual security report, the 15th Annual 2010/2011 Computer Crime and Security Survey [10]. It differentiates the origin of insider threats either from malicious insider or non‑malicious insider. The latter introduce bigger problem in the network. The report showed that 87.1% respondents said that 20% or less of their losses were attributed to malicious insiders, while 66.1% were due to non‑malicious insider. Compared with previous report, 43.2% respondents stated that their losses were due to malicious insider and only 16.1 percent were due to non‑malicious insider. It means the losses due to insider increases dramatically 101% for malicious insider and 310% for non‑malicious insider. The report of 2011 cyber security watch survey conducted by CSO magazine showed the phenomenon of increasing insider attack [11]. Even though the percentage of insider attack is only 21% compared to attack from outsider that reach 58%, the cost to recover the damages caused by malicious insider is higher. Most of the respondents (46%) including business and government, professionals and consultants reported that the damage caused by insider attacks is more than outsider attacks. The report also stated that insider attacks are not only costly but also cause additional harm to organizations that are difficult to quantify and recover. A similar study was conducted by running iNet Portable software monitoring tool [12] randomly from 2008 until 2012 at the National Advanced IPv6 Centre laboratory in Universiti Sains Malaysia that has an IPv4/IPv6 dual‑stack Internet connectivity. The system recorded that 106 worms have infected the local network from various sources. The record showed 76 percent of the worm sources are on the same link with the attacked computer identified by its IP address. While the rest of the record, 24 percent, was from various sources on the different subnet. The record also logged the ports used by attackers. 61 percent used port 445, 23 percent on port 80, and 15 percent on port 25. However, the severity of most worms was 93 percent alert and 7 percent warning. The record demonstrated that neighbors on the local network communication cannot afford to be trusted since all of them have the potential to be an attacker. 65

Supriyanto, et al.: Survey of IPv6 Link Local Communication Security Vulnerability and Mitigation Methods


Link Local Communication in IPv6

The principle of link local communication for IPv4 and IPv6 is similar. However, there is an important improvement that should be considered by an IPv6 network administrator in order to secure their local network. Computer in a local network is connected to other computer using network interface card that has a unique Media Access Control (MAC) address. However, computers cannot communicate with each other using the MAC address. A  computer communicates with other devices using IP address. IPv4 uses Address Resolution Protocol (ARP) to resolve the IP address and MAC address [9]. In IPv6 network, the role of link local network is very important to make an IPv6 host get ready to communicate with other nodes both locally and externally. The NDP protocol not only changed the ARP function of IPv4 but also introduced at least five new functionalities in order to make IP‑based communication ready [1]. 1. IPv6 address auto configuration, which reduces manual configuration by an operator and the address, can be generated automatically by the IPv6 host without the usage of Dynamic Host Configuration Protocol version 6 (DHCPv6) servers. 2. Neighbor unreachability detection, this mechanism always updates the state of reachability of all neighbors in the same link. 3. Duplicate address detection, a new IPv6 host uses this mechanism to make sure there are no other nodes in the same link that uses the address proposed. 4. Discover network parameter such as hop limit and path Maximum Transmission Unit  (MTU). IPv6 moves several router tasks to host in order to decrease router overhead. One of them is fragmentation that now is done by the sender. To do this, sender host need to know the size of path MTU of appropriate link to reach the destination. This information is sent using NDP message. 5. Next hop determination, when a host wants to send an IPv6 packet to certain destination, next hop is very important. By knowing the next hop, the host could quickly find a better link to pass the packet through. Otherwise, this will introduce an overhead on finding the next hop.

The main protocol on the above processes is NDP that works on top of ICMPv6. It uses five ICMPv6 messages such as Router Solicitation  (RS), Router Advertisement (RA), Neighbor Solicitation (NS), Neighbor Advertisement  (NS), and Redirect. Therefore, the security mechanism on IPv6 link local communication is more important than IPv4. Failure in any one of the processes will cause failure not only on local IPv6 communication but also global communication. Using NDP, a new IPv6 node may be assigned several IPv6 addresses for an interface. Figure 1 illustrates IPv6 address configuration on an IPv6 host interface as a result of NDP process. An interface can be assigned with more than one IPv6 addresses. In Figure  1, there are two types of IPv6 address, global address that begins with 2404 and link local address that starts with fe80. The global IPv6 address is used to communicate with other node over Internet, while link local may be used to communicate with other nodes on the same link. An IPv6 host always has a link local address even when it is not connected to external IPv6 network. Thus, in an isolated local IPv6 network, each host may use the link local address to communicate with each other using IPv6.


Threat and Vulnerability on IPv6 Link Local Communication

Security of IPv6 link local communication could be classified into two categories that are security on link layer and security on network layer. This is due to the reason that both data link layer and network layer are involved in link local communication. In addition, even though the communication uses the network layer, all nodes in link local is connected to the same physical connection. In other words, link local communication is an integration of both physical and logical connection. Authors of [13] included the physical layer on the classification due to all nodes directly connected physically. This section discusses threat and vulnerability on the two categories by combining physical and link layer. If the local network is also connected to Internet using a border router, the threat could be from inside and outside the network. 4.1 Security Threat on Link Layer The common layer 2 protocol is Ethernet such as fast Eth-

Figure 1: IPv6 address of an interface.



Supriyanto, et al.: Survey of IPv6 Link Local Communication Security Vulnerability and Mitigation Methods

ernet and gigabit Ethernet. Authors of [9] state two Ethernet disadvantages that introduces serious security threat in LAN. First, as all nodes in link local are connected to a single physical channel, this gives a passive attacker to get excellent opportunity for eavesdropping packets. Every packet sent into the local network could be received by other nodes in the same link. Second, there is no way in the Ethernet protocol to authenticate messages on sender identity or to verify message integrity. This condition could be used by active attackers to generate own data and insert into message stream or reply to earlier eavesdropped frame. Layer 2 function is mainly related to addressing and switching  [13]. Address mapping between IP address and MAC address and address auto configuration of an IPv6 network is done by NDP. Since there is no authentication of NDP messages, all possible threat listed in [2] such as NS/NA spoofing, modifying of NS messages will appear that causes Neighbor Unreachability Detection  (NUD) failure and DAD Denial‑of‑Service  (DoS) attack. Attacker could also manipulate NDP messages to make neighbor cache poisoning on any nodes. However, switching is usually done by a switch that is able to restrict frames forwarding. Also, it could be misled by an attacker sending a spoofed address. Once the attacker is allowed to get a frame of spoofed host, it is able to execute DoS or Man‑In‑The‑Middle (MITM) attack. To facilitate smooth IPv4 to IPv6 transition and to support Internet connectivity irrespective of the IPv4/IPv6 protocol used, vendors have equipped their product to support IPv6. However, common user may not know that their device is IPv6 supported. For example, current laptops and PCs are already IPv6 ready. These devices will automatically have an IPv6 link local address, although they do not connect to an IPv6 network. Insider attack can be eavesdrop communication between nodes in the LAN to get important information using the IPv6 link local address. They also could use this address to attack any node in the link. 4.2 Security Threat on Network Layer Network layer is concerned with routing. Thus, the threats to this layer mainly aim to derail the routing process. In IPv6, the routing process begins with the first host initialization by sending an RS message to multicast group router. The host will receive an RA message as a reply to RS sent regularly by router. An RA message contains information on default router, on‑link prefix, redirect messages, and network parameters. The network parameters include hop limit, address auto configuration type, and path MTU. Similar to link layer security threat which uses NDP messages that are not authenticated, those network layer‑related process done by NDP are IETE TECHNICAL REVIEW | Vol 30 | ISSUE 1 | JAN-FEB 2013

also vulnerable to NDP information modification. Existing literature [2,4,14] identifies the following threats: 1. Malicious IPv6 First Hop Router: First, hop router is a border router that plays as default gateway of any host inside a local network. Attacker from the same subnet could send crafted RA message that inform the entering host with malicious default router information. When the new host sends an IPv6 packet, the packet will go through the fake router instead of the legitimate router. Thus, the packet will not reach the intended destination. The attacker is also able to mount MITM attack 2. Bogus IPv6 Prefix: RA message informs prefix given to the host to generate its complete IPv6 address. An attacker may send a false RA message containing invalid prefix or arbitrary prefix length. This causes the host to generate invalid IPv6 address; it may not receive any reply to packets sent due to wrong source address 3. Redirect Spoofing: A router in the same link will send redirect message to inform host the best route to send a packet. Attacker could send rogue redirect message or spoof the message that makes the packet sent by the host goes to false link 4. Network Parameter Spoofing: Network parameters are also option on RA message. This parameter is very useful to the host to send IPv6 packets later. Rogue RA message may contain false parameters that attempt to disturb packet transmission. For example, a small hop limit causes packet drop before the packet could reach its destination.


Mitigation Methods

Realizing the importance of security, the developers of IPv6 have included a security mechanism in it to protect IP‑based communications. The most widely known IP security mechanism is IPSec that now is mandatory for IPv6. IPSec is believed to provide end‑to‑end security. However, the assumption that all neighbors on IPv6 network are trusted is not fully true. Therefore, IPSec cannot be used to protect link local communication appropriately. This is because bootstrapping problem arises in using IKE. To address this problem, the Internet Engineering Task Force (IETF) then released the extension to NDP called Secure Neighbor Discovery (SeND) [15]. SeND provides functionality to protect NDP messages against both link layer and network layer threat. 5.1 Internet Protocol Security One of IPv6 advantages is the mandatory support of IPSec. The detail explanation about IPSec can be found in [16]. It is a set of security mechanism that protects IP packets. It provides end‑to‑end security between two end hosts including all intermediate devices. However, 67

Supriyanto, et al.: Survey of IPv6 Link Local Communication Security Vulnerability and Mitigation Methods

on link local communication, this protocol has a number of disadvantages that makes it difficult to implement as discussed in  [17,18]. The disadvantages could be summarized as follows: 1. IPsec does not provide security support at upper layer as well as link layer. It is used to secure communication between two nodes on network level by encrypting the transmitted IP packet. 2. IPSec needs key exchange using IKE management that requires a valid IPv6 address. This cannot be done during the initialization phase of a new IPv6 host. Thus, IPSec is not able to protect NDP communication. 3. IPSec lacks authorization of source address due to large number of Security Associations (SAs) needed. To provide SAs manually is quite cumbersome [3]. Even though IPSec is mandatory in IPv6, its implementation in link local communication is challenging. In reality, most of Internet users do not implement IPSec due to configuration knowledge limitation  [19]. As such, the link local communication is still vulnerable to security threats and attacks. 5.2 Secure Neighbor Discovery In order to address security problem in link local communication not covered by IPSec, authors of  [3,15] proposed Secure Neighbor Discovery (SeND) to protect NDP messages against attackers. SeND is an extension of NDP protocol that adds several options such as Cryptographically Generated Addresses  (CGA) parameters, RSA signature nonce, and timestamp. It also introduces two new ICMPv6 messages: Certificate Path Solicitation (CPS) and Certificate Path Advertisement (CPA). This security extension is reviewed in [4]. Though SeND addresses all threat and vulnerability issues with neighbor discovery as listed in [2], it does not cover NDP communication confidentiality and link layer security [15]. Based on review in [4], SeND has a number of disadvantages that causes the NDP extension not being widely implemented. The CGA option cannot assure the identity of real node and it also not sufficient to ensure the CGA address that belongs to appropriate node. Thus, attacker could steal NDP message and change the CGA parameters. Another disadvantage is the implementation of SeND results in more processing cycles that consume CPU of nodes as well as bandwidth. If implemented in a router, its authorization and certificate validation routine can be a heavy weight and complicated process. 5.3 Source Address Validation Each IP packet transmitted by a computer to another contains source address. In terms of security, verification 68

of the source address is very important to ensure the packet comes from a trusted source. The source address is usually exploited by attackers for spoofing. A number of researchers  [20-22] proposed Source Address Validation (SAVA) to validate the source address. SAVA could be implemented inter Autonomous System (AS), intra AS, and local network. Local network means the validation is done in the first hop. The validation is intended to prevent spoofing from another host with the same IPv6 prefix. This can be done by binding switch port and valid source IPv6 address or a binding between link layer address, IP address, and switch port [20]. In order to protect access network from source address spoofing, IETF proposed an improvement of SAVA called Source Address Validation Improvement  (SAVI)  [23]. SAVI technology principle is by snoop the interaction processes of IPv6 packets. The snooping of trust information will get anchor information. Then, SAVI creates binding between link layer address, source IPv6 address, and switch port. Based on the information, SAVI does the filtering by forwarding the match packet and otherwise discard [22]. In order to make the SAVI work optimally in local link communication, several combination of existing protocol was proposed such as [24,25]. They combined the concept of SAVI and SeND to protect link local scope network from address spoofing then called SEND SAVI. The NDP message relevant to this mechanism is NA (neighbor advertisement) that contains binding between CGA address and link layer information. In addition, the message also provides target link layer address on the NDP option that is actually the address of packet source. The information could be used by SAVI to make binding between source address, MAC address, and switch port. Table  1 highlights a summary of the three mitigation methods on IPv6 security identifying their strength and weaknesses.


Discussion on Link Local Security

The principle of network security is to protect end host that could be a server or a PC from both insider and outsider from stealing any information and damage to any network services. With the Internet becoming more ubiquitous and prevalently used today in day‑to‑day life, the local network security is very critical on end host protection. Therefore, the challenge is how to find a link local communication mitigation method that is able to protect end host with minimal cost. The cost could include investment on security equipments, complexity of mitigation methods, and user education. IETE TECHNICAL REVIEW | Vol 30 | ISSUE 1 | JAN-FEB 2013

Supriyanto, et al.: Survey of IPv6 Link Local Communication Security Vulnerability and Mitigation Methods

Table 1: Summary of mitigation methods Method IPSec



Strength Participating peers can achieve data confidentiality, integrity, and authentication at the network layer Open standard and interoperability between different devices Supported on various operating system platforms  Prevent address stealing using CGA Prevent CGA address spoofing using RSA signature Prevent replay attack using nonce option Using timestamp option against unsolicited advertisement Provide router authorization mechanism Prevent spoofed packet from various network scopes Ensure the legitimate IPv6 source address

Weakness Bootstrapping problem on key exchange in IPv6 host initialization

IPSec does not provide security for link layer

Difficult to provide many SAs manually Lack of source validation No confidentiality and not applicable for all OS

Consume large bandwidth

Heavy weight in router due to more calculation

More processing cycles

Not cover other NDP vulnerabilities

If binding anchor is spoofable, SAVI may open new attack vector

IPSec - Internet Protocol Security; SeND - Secure Neighbor Discovery; SAVA - Source Address Validation

IPSec is the most popular mechanism used in IPv6. It can provide three purpose of network security namely, Confidentiality, Integrity, and Authenticity (CIA). IPSec is a framework that is able to integrate with various platform as well as operating systems. The protocol is mainly for protecting IP packets in network layer. However, it was not equipped to secure link local scope communication. In addition, it introduced a new problem if implemented in neighbor discovery as discussed in the previous section. Security problem in link local communication that cannot be addressed by IPSec had triggered IETF to have developed SeND to protect NDP messages transmission. With the new options of SeND, it is believed that they can protect NDP communication from address stealing, spoofing, replay attack, and unsolicited advertisement. Nevertheless, the complicated process within SeND causes implementation of the security mechanism to be challenging. Several windows OS does not use SeND IETE TECHNICAL REVIEW | Vol 30 | ISSUE 1 | JAN-FEB 2013

as their security mechanism [26]. This is because SeND requires more bandwidth as well as more processing that occupies more CPU utilization not only on host but also on router. Recently, implementation of SeND is limited as experimental on certain operating systems such as Linux and FreeBSD. Furthermore, SeND [15] does not provide confidentiality on NDP communication. It means that there is possibility of exploit by attackers to steal NDP messages to change its content as well as drop messages. The main idea of SeND is protecting address using CGA option. However, it does not provide source validation. Therefore, a node that implements SeND does not know whether a NDP message comes from CGA node or not. Both IPSec and SeND are security mechanisms that could be implemented in an IPv6 infrastructure. However, implementation of them together causes problem on security redundancy by introducing authentication repeatedly [27]. An IPv6 node has to authenticate NDP messages using SeND during neighbor discovery. The authentication will be repeated when the host attempts to send an IP packet to other host using IPSec. In the original NDP standard [1], IPSec was used as the security mechanism for neighbor discovery. But due to the bootstrapping problem, IPSec was not used in SeND on securing NDP [15]. Integration of the two IPv6 security mechanisms is also challenging. In addition, the two mechanisms lack source address validation consideration. They just authenticate whatever address used by an interface. It may not know whether the address used is a normal or abnormal address. In order to get secure neighbor discovery and to validate source address of IPv6 packet, FCFS SAVI was proposed [28]. The proposed mechanism is intended to complement ingress filtering techniques to help detect and prevent source address spoofing. Thus, in the case of link local communication, the SAVI does not consider other security vulnerabilities on the network. This also depends on the binding anchor mechanism. If the binding anchor is spoofable, it could open new attack vector, especially DoS attack [20]. All the existing mitigation methods mainly work in the network layer meaning the address type used is IPv6 global unicast address. For example, it is the CGA option of SeND that generates a global unicast address. Whereas, an interface of an IPv6 node could have more IPv6 addresses that include link local address, global address, and group multicast address. In addition, NDP communication does not only use the global unicast address but also use multicast and link local addresses. As such, a mitigation method that considers all kinds of IPv6 addresses is required. 69

Supriyanto, et al.: Survey of IPv6 Link Local Communication Security Vulnerability and Mitigation Methods


Summary and Future Work

Security is always a challenging issue for the computer network, especially in the current Internet that is considered as open unsecure network. The IP Address exhaustion problem that the world is currently facing is the testament to the rapid and dramatic growth of the Internet. IPv6 was designed and engineered to address this problem and it also introduces several improvements to make the IP packet transmission not only faster but also more secure. The widely used protocol to secure Internet communication is called IP security  (IPSec). However, there is a problem related to IKE management when implemented in local network. Due to increasing trend of insider attacks that affect link local communication, IETF proposed SeND to secure NDP on link local network. SeND claimed to address most of the NDP security vulnerability. Nevertheless, SeND does not provide confidentiality, and the calculation routines consume more resources such as CPU and bandwidth. Several researchers consider source address as the most important information to attackers. They proposed source address validation to prevent address spoofing by binding the link layer address, IP address, and switch port. The existing mitigation methods focus on network layer and use IPv6 global address. As the IPv6 link local communication is an important space for an IPv6 host, methods that cover link local network and other IPv6 address types are required. However, to some extent, mitigation method may result in overhead on the network. Therefore, the methods also need to consider the processing time in term of authentication as well as encryption. Thus, security vulnerability and mitigation methods on the IPv6 link local communication that are efficient in terms of processing overhead are needed.

8. Acknowledgment This research was supported by the Directorate General of Higher Education, Ministry of Education and Culture, the Republic of Indonesia, in collaboration with National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia, and Taylor’s University, Malaysia.

References 1.




T. Narten, E. Nordmark, W. Simpson, and H. Soliman, “Neighbor Discovery for IP version 6 (IPv6)”, Request for Comments 4861 [online], Available from:, Sept. 2007. [Last accessed on 2012 Oct 1]. P. Nikander, Ed., J. Kempf, and E. Nordmark, "IPv6 Neighbor Discovery (ND) Trust Models and Threats", Request for Comments 3756 [online], Available from:, May 2004. [Last accessed on 2012 Oct 1]. J. Arkko, T. Aura, J. Kempf, VM. Mantyla, P. Nikander, and M. Roe, “Securing IPv6 neighbor and router discovey”, in 1st ACM workshop on Wireless security, pp. 77‑86, Sept. 2002.


A. Alsa’deh, and C. Meinel, “SEcure Neighbor Discovery: Review, Challenges, Perspectives and Recommendations”. IEEE Security and Privacy, Vol. 10, no. 4, pp. 26‑34, July‑Aug. 2012. 5. S. Thomson, T. Narten, and T. Jinmei, “IPv6 Stateless Address Autoconfiguration”, Request for Comments 4862 [online]. Available from:, September 2007. [Last accessed on 2012 Oct 1]. 6. A. Conta, S. Deering, and M. Gupta, “Internet Control Message Protocol (ICMPv6) for the Internet Protocol version 6 (IPv6)”, Request for Comments 4443 [online]. Available from: http://www., March 2006. [Last accessed on 2012 Oct 1]. 7. P. Nikander, “Denial of Service, Address Ownership, and Early Authentication in the IPv6 World Security Protocols”, in B. Christianson et al. (Eds): Security Protocols, LNCS 2467, Berlin/Heidelberg: Springer; pp. 22‑6, 2002. 8. N.K. Sehgal, S. Sohoni, Y. Xiong, D. Fritz, W. Mulia, and J.M. Acken, "A Cross Section of the Issues and Research Activities Related to Both Information Security and Cloud Computing," IETE Technical Review, Vol. 28 no. 4, pp. 27991, Jul-Aug. 2011. 9. R. Khoussainov, and A. Patel, “LAN security: Problems and solutions for Ethernet networks”. Comput. Stand. Interfaces, Vol. 22 no. 3, pp. 191‑202, May. 2000. 10. R. Richardson, “2010/2011 CSI Computer Crime and Security Survey” [online], Computer Security Institute, Available from:, 2011. [Last accessed on 2012 July 10]. 11. L. Holmlund, “2011 Cyber Security Watch Survey: Organizations Need More Skilled Cyber Profesionals to Stay Secure” [online], Available from:, 2011. [Last accessed on 2012 July 10]. 12. iNet Portable: The network monitoring tool. Available from: http:// [Last accessed on 2012 July 10]. 13. A. Zúquete, and H. Marques, "A Security Architecture for Protecting LAN Interactions Information Security", In: S. Katsikas, K. Katsikas, J. López, M. Backes, S. Gritzalis, and B. Preneel, et al., (Editors): ISC 2006, LNCS 4176, Berlin/Heidelberg: Springer; pp. 311-26. 2006. 14. Y.E. Gelogo, R.D. Caytiles, and B. Park, “Threats and Security Analysis for Enhanced Secure Neighbor Discovery Protocol (SEND) of IPv6 NDP Security”, International Journal of Control and Automation, Vol. 4, no. 4, pp. 179‑84, Dec. 2011. 15. J. Arkko, J. Kempf, B. Zill, and P. Nikander, “Secure Neighbor Discovery (SEND)”, Request for Comments 3971 [online]. Available from: March 2005. [Last accessed on 2012 July 10]. 16. S. Kent, and K. Seo, “Security Architecture for the Internet Protocol”, Request for Comments 4301 [online]. Available from: December 2005. [Last accessed on 2012 July 10] 17. J. Arkko, and P. Nikander, “Limitations of IPsec policy mechanisms”, in the 11th international conference on Security Protocols 2005, Cambridge, UK: Springer‑Verlag; pp. 1‑11, 2005. 18. D. Yang, X. Song, and Q. Guo, "Security on IPv6", in 2nd International Conference on Advanced Computer Control (ICACC), pp. 3236, 2010. 19. C.E. Caicedo, J.B. Joshi, and S.R. Tuladhar, “IPv6 Security Challenges”. IEEE Computer, Vol. 42, no.2. pp. 36‑42, 2009. 20. W. Jianping, R. Gang, and L. Xing, “Source Address Validation: Architecture and Protocol Design”, in IEEE International Conference on Network Protocols. ICNP 2007, pp. 276‑283, 2007. 21. B. Jun, J. Wu, X. Li, and X. Cheng, “An IPv6 Test‑Bed Implementation for a Future Source Address Validation Architecture”. in Next Generation Internet Networks, NGI 2008, pp. 108‑14. 2008. 22. Y. Zhihui, D. Gengsheng, and W. Junyun, “SAVI‑based IPv6 source address validation implementation of the access network”. in International Conference on Computer Science and Service System (CSSS), pp. 2530‑3, 2011. 23. J. Wu, J. Bi, M. Bagnulo, and F. Baker, “Source Address Validation Improvement Framework”, Internet Draft [online], Available from:


Supriyanto, et al.: Survey of IPv6 Link Local Communication Security Vulnerability and Mitigation Methods‑ietf‑savi‑framework‑06. December 2011. [Last accessed on 2012 July 10]. 24. A. Kukec, M. Bagnulo, and M. Mikuc, “SEND‑based source address validation for IPv6”, in 10th International Conference on Telecommunications. 2009. 25. L. Pingping, and B. Jun, “A Novel SeND Based Source Address Validation Mechanism (SAVM‑SeND)”, in Ninth Annual International Symposium on Applications and the Internet, pp. 149‑52. 2009. 26. S. Hogg, and E. Vyncke, “IPv6 Security”, Indianapolis, Indiana: Cisco Press; 2009.


T. Kim, I. Kim, Z. Zhen, J. Han Kim, G. Gyeong, and Y. Ik Eom, et al., "A Cooperative Authentication of IPSec and SEND Mechanisms in IPv6 Environments", in the 2008 International Conference on Advanced Language Processing and Web Information Technology 2008, IEEE Computer Society, pp. 41823, 2008.


E. Nordmark, M. Bagnulo, and E. Levy‑Abegnoli, “FCFS SAVI: First‑Come, First‑Served Source Address Validation Improvement for Locally Assigned IPv6 Addresses”, Request for Comments 6620 [online], Available from: May 2012, [Last accessed on 2012 Oct 1].


Raja Kumar Murugesan is a Senior Lecturer, and leads research at the School of Computing in Taylor’s University, Malaysia. He received his PhD in Advanced Computer Networks from Universiti Sains Malaysia, M.Phil. in Computer Science, M.Sc. in Computer Electronics, PG Diploma in Computer Science & Applications (PGDCA), and B.Sc. in Physics from Bharathidasan University, India. His research interest includes Internet Communication Protocols (IPv6), Internet Addressing Architecture, Network Architecture, Internet Governance, Future Internet, and Microprocessor based systems.

Supriyanto received his B.Eng. degree in Electrical Engineering from Brawijaya University Malang, Indonesia in 1999, and M.Sc in Computer Sciences from Universiti Sains Malaysia (USM) in 2010. Currently, he is a PhD fellow in National Advanced IPv6 Centre, Universiti Sains Malaysia. He is a lecturer in the Electrical Engineering Department at the Universitas Sultan Ageng Tirtayasa (UNTIRTA) Indonesia. His research interest includes computer networks, IPv6 security, IPTV over overlay network and wireless communication. E-mail: [email protected] Iznan Husainy Hasbullah is a Research Officer under Next Generation Unified Communication Group at National Advanced IPv6 Centre (NAv6), Universiti Sains Malaysia (USM). His research interest includes unified communication, video conferencing, next generation network, and Graphical User Interface (GUI) and lecture capture system. He has experience working as software developer, project manager, R &D consultant, CTO and security auditor prior to joining NAv6 in 2010. He holds a B.Sc. degree in Electrical Engineering from Rensselaer Polytechnic Institute, New York. E-mail: [email protected]

E-mail: [email protected] Sureswaran Ramadass is the Director of the National Advanced IPv6 Centre of Excellence (NAv6) at Universiti Sains Malaysia. He obtained his BsEE/CE (Magna Cum Laude) and Masters in Electrical and Computer Engineering from the University of Miami in 1987 and 1990 respectively. He obtained his PhD from Universiti Sains Malaysia (USM) in 2000 while serving as a full time faculty in the School of Computer Sciences. His research interest includes IPv6, Network Monitoring and Security, and Multimedia Conferencing Systems. E-mail: [email protected]

DOI: 10.4103/0256-4602.107341; Paper No. TR 379_12; Copyright © 2013 by the IETE