Security mechanism for IPv6 router discovery based on distributed trust management

Abstract

IPv6 requires the support of other protocols such as neighbor discovery and ICMPv6 for its functioning. Neighbor discovery includes router discovery, and redirect. Router discovery is used by an IPv6 host to discover the presence of routers and network parameters. It enables the host to configure list of default gateway, list of address prefixes, Maximum Transmission Unit (MTU) in the link and hop limit setting for sending IPv6 packets. Failure to complete the initialization process will cause the network to have no IPv6 addresses, disabling it from sending any IPv6 packets and communication with others. As the original router discovery standard does not specify a security mechanism for it, they are vulnerable for any exploitation. This paper investigates the current router discovery mitigation methods such as ADD, SAVI, TRDP and RA Guard. The investigation would further increase the understanding on their weakness so that it could be used to formalize a new security method for router discovery. We propose a new security mechanism based on distributed trust management. Theoretical analysis of this mechanism shows a decrease in bandwidth consumption compared to ADD on Secure Neighbor Discovery mechanism up to 3.15 times lesser.