IPv6 Neighbor Discovery (ND) Trust Models and Threats (RFC3756)

IP.com Disclosure Number: IPCOM000028341D
Original Publication Date: 2004-May-01
Included in the Prior Art Database: 2004-May-11
Document File: 24 page(s) / 57K

Publishing Venue

Internet Society Requests For Comment (RFCs)

Related People

P. Nikander: AUTHOR [+4]

Abstract

The existing IETF standards specify that IPv6 Neighbor Discovery (ND) and Address Autoconfiguration mechanisms may be protected with IPsec Authentication Header (AH). However, the current specifications limit the security solutions to manual keying due to practical problems faced with automatic key management. This document specifies three different trust models and discusses the threats pertinent to IPv6 Neighbor Discovery. The purpose of this discussion is to define the requirements for Securing IPv6 Neighbor Discovery.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 5% of the total text.

Network Working Group                                   P. Nikander, Ed.
Request for Comments: 3756                 Ericsson Research Nomadic Lab
Category: Informational                                         J. Kempf
                                                         DoCoMo USA Labs
                                                             E. Nordmark
                                           Sun Microsystems Laboratories
                                                                May 2004

         IPv6 Neighbor Discovery (ND) Trust Models and Threats

Status of this Memo

   This memo provides information for the Internet community.  It does
   not specify an Internet standard of any kind.  Distribution of this
   memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2004).  All Rights Reserved.

Table of Contents

   1.  Introduction
       1.1. Remarks
   2.  Previous Work
   3.  Trust Models
       3.1. Corporate Intranet Model
       3.2. Public Wireless Network with an Operator
       3.3. Ad Hoc Network
   4.  Threats on a (Public) Multi-Access Link
       4.1. Non router/routing related threats
            4.1.1. Neighbor Solicitation/Advertisement Spoofing
            4.1.2. Neighbor Unreachability Detection (NUD) failure
            4.1.3. Duplicate Address Detection DoS Attack
       4.2. Router/routing involving threats
            4.2.1. Malicious Last Hop Router

Nikander, et al.             Informational                      [...