Using SEND Signature Algorithm Agility and Multiple-Key CGA to Secure Proxy Neighbor Discovery and Anycast Addressing

2 Author(s)
Tony Cheneau ; Inst. TELECOM, TELECOM SudParis, Evry, France ; Maryline Laurent

The Neighbor Discovery Protocol (NDP) is a fundamental component of the IPv6 protocol suite, in charge of link-layer interactions (Address Resolution, Router Discovery, etc.). Over the years, it has been extended to new usages, such as mobility (Mobile IPv6), proxy advertisements (Neighbor Discovery Proxies) and security (Secure Neighbor Discovery, SEND). However, SEND's protection is currently incompatible with two NDP functions, namely the proxy Neighbor Discovery function (used in Mobile IPv6) and IPv6 anycast addresses (i.e. addresses shared on the same link). On the one hand, Cryptographically Generated Addresses (CGA) and SEND protect NDP messages. The former, an address generation scheme, binds a single public key to an address. The latter secures NDP messages by signing them with the private key corresponding to the source address, thus achieving a proof of address ownership. On the other hand, proxy Neighbor Discovery and IPv6 anycast addressing are mechanisms that bind one address to multiple nodes. In this article, we present an overview of the existing solutions addressing these divergent objectives and tackle their limitations. We then propose an alternate solution and introduce the Multiple-Key Cryptographically Generated Addresses (MCGA) concept. This proposal relies on SEND's Signature Algorithm Agility extensions (also defined by the authors) to bind more than one public key to an address. As such, it enables multiple nodes to properly share and protect the same address and thus resolves the proxy Neighbor Discovery and anycast issues. Finally, we present implementation results and discuss the advantages of our approach over the existing solutions.

Published in:

Network and Information Systems Security (SAR-SSI), 2011 Conference on

Date of Conference:

18-21 May 2011
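
The single-key binding described in the abstract can be seen in a short sketch of standard CGA generation and verification as specified in RFC 3972. This is an added example, not code from the paper and not the MCGA scheme it proposes. The function names are hypothetical, the two keys are constructed byte strings standing in for DER-encoded public keys, and the subnet prefix is read from the address instead of from a CGA Parameters structure.

```python
import hashlib
import ipaddress

# Hash1 is compared with the interface identifier ignoring the three Sec bits
# and the u/g bits (RFC 3972 verification mask).
MASK = 0x1CFFFFFFFFFFFFFF

def _hash1(modifier, prefix, coll, pubkey, ext=b""):
    data = modifier + prefix + bytes([coll]) + pubkey + ext
    return int.from_bytes(hashlib.sha1(data).digest()[:8], "big")

def _hash2_ok(modifier, pubkey, sec, ext=b""):
    # Hash2 covers modifier, 9 zero octets, key; needs 16*Sec leading zero bits.
    digest = hashlib.sha1(modifier + bytes(9) + pubkey + ext).digest()
    return digest[:2 * sec] == bytes(2 * sec)

def generate_cga(prefix, pubkey, sec=0, modifier=bytes(16)):
    """Return (address, final modifier) for an 8-byte prefix and one key."""
    m = int.from_bytes(modifier, "big")
    while not _hash2_ok(m.to_bytes(16, "big"), pubkey, sec):
        m = (m + 1) % (1 << 128)          # brute-force the modifier for Sec > 0
    modifier = m.to_bytes(16, "big")
    iid = (_hash1(modifier, prefix, 0, pubkey) & MASK) | (sec << 61)
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big")), modifier

def verify_cga(addr, modifier, coll, pubkey):
    """True only if pubkey is the key the address was generated from."""
    raw = ipaddress.IPv6Address(addr).packed
    prefix, iid = raw[:8], int.from_bytes(raw[8:], "big")
    if coll not in (0, 1, 2):
        return False
    if (_hash1(modifier, prefix, coll, pubkey) & MASK) != (iid & MASK):
        return False
    return _hash2_ok(modifier, pubkey, iid >> 61)   # Sec is the top 3 bits

# Constructed sample values (documentation prefix, placeholder key bytes).
PREFIX = ipaddress.IPv6Address("2001:db8::").packed[:8]
KEY_OWNER = b"constructed-public-key-of-address-owner"
KEY_PROXY = b"constructed-public-key-of-proxy-node"

if __name__ == "__main__":
    addr, mod = generate_cga(PREFIX, KEY_OWNER)
    print(addr, "owner key verifies:", verify_cga(addr, mod, 0, KEY_OWNER))
    # A proxy or second anycast node holding a different key fails the check.
    print(addr, "proxy key verifies:", verify_cga(addr, mod, 0, KEY_PROXY))
```

Because the interface identifier is a hash over exactly one public key, a node that answers for the address with any other key fails verification, which is the incompatibility with proxy Neighbor Discovery and anycast that the abstract describes.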