{"title":"P4NSA: P4-based security protection technology for IPv6 neighbor solicitation and advertisement spoofing","authors":"Wenhao Xia , Liancheng Zhang , Yi Guo , Hongtao Zhang , Lanxin Cheng","doi":"10.1016/j.cose.2025.104400","DOIUrl":null,"url":null,"abstract":"<div><div>Neighbor solicitation and neighbor advertisement messages from neighbor discovery protocol are used for address resolution in IPv6 network. However, the NDP protocol lacks authentication mechanisms for exchanged messages, so hosts in a local area network are vulnerable to malicious threats during the address resolution process. Existing detection and protection solutions have high complexity, consume many resources, and have poor scalability and deployability. To this end, the SDN P4-based Neighbour Discovery Protocol security protection technology is proposed for the protection of NS and NA message processes by taking advantage of the open and programmable nature of P4 technology that can flexibly customize the threat detection and protection mechanisms. This technology collects the IPv6 addresses and corresponding switching ports of IPv6 hosts joining the network, and discards the spoofed packets that do not belong to the corresponding ports according to the spoofed packet filtering algorithm. Experimental results show that this technology can properly collect information about hosts joining IPv6 networks and filter and discard NS/NA spoofed messages sent by spoofing tools such as THC-IPv6 and IPv6 Toolkit. 
Compared with security protection technologies such as Match-Prevention and NDPsec, this technology does not add additional neighbour discovery protocol parameter options or use hash cryptography, so it is less complex, consumes fewer resources, and is more feasible in deployment and application.</div></div>","PeriodicalId":51004,"journal":{"name":"Computers & Security","volume":"153 ","pages":"Article 104400"},"PeriodicalIF":4.8000,"publicationDate":"2025-02-23","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Computers & Security","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S0167404825000896","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
Citations: 0
Abstract
Neighbor solicitation (NS) and neighbor advertisement (NA) messages of the Neighbor Discovery Protocol (NDP) are used for address resolution in IPv6 networks. However, NDP lacks authentication mechanisms for exchanged messages, so hosts in a local area network are vulnerable to malicious threats during the address resolution process. Existing detection and protection solutions have high complexity, consume many resources, and have poor scalability and deployability. To this end, an SDN P4-based Neighbour Discovery Protocol security protection technology is proposed to protect the NS and NA message processes, taking advantage of the open and programmable nature of P4, which allows threat detection and protection mechanisms to be flexibly customized. This technology collects the IPv6 addresses and corresponding switching ports of IPv6 hosts joining the network, and discards spoofed packets that do not belong to the corresponding ports according to the spoofed packet filtering algorithm. Experimental results show that this technology can properly collect information about hosts joining IPv6 networks and can filter and discard spoofed NS/NA messages sent by spoofing tools such as THC-IPv6 and IPv6 Toolkit. Compared with security protection technologies such as Match-Prevention and NDPsec, this technology does not add additional neighbour discovery protocol parameter options or use hash cryptography, so it is less complex, consumes fewer resources, and is more feasible in deployment and application.
About the journal:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors - industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise it is your first step to fully secure systems.