CGA Configuration Detection Method of IPv6 Nodes by Combining Active Probing with Passive Sniffing

Abstract

To ensure the security of neighbor discovery messages and processes, IPv6 subnets are increasingly deploying secure neighbor discovery (SEND) mechanisms. Although the cryptographically generated address (CGA) mechanism is the operating basis of the SEND mechanism, there is currently no technology or method for CGA configuration detection. To this end, the difficult problems lacking of CGA configuration detection method (such as the constraints caused by built-in neighbor discovery mechanism, identification of different SEND transition scenes, IPv6 address transformation) are analyzed through the in-depth analysis of the SEND mechanism and the CGA mechanism. Moreover, a CGA configuration detection method of IPv6 nodes by combining active probing and passive sniffing (CCD6-APPS) is proposed. Based on active probing and passive sniffing of active IPv6 nodes in the target IPv6 subnet, the proposed CCD6-APPS method can learn the SEND implementation methods and CGA configuration parameters of IPv6 nodes, and finally detect the coverage of SEND nodes in the target IPv6 subnet. By setting up a typical IPv6 neighbor discovery experimental environment and conducting targeted tests, the experimental results prove the effectiveness of the SSD6-APPS method, and the additional impact on the target IPv6 subnet is very small.