Moritz Mönnich, Nurefsan Sertbas Bülbül, Doğanalp Ergenç, Mathias Fischer
Proceedings of the Symposium on Architectures for Networking and Communications Systems, published 2021-12-13. DOI: 10.1145/3493425.3502765 (https://doi.org/10.1145/3493425.3502765)
Mitigation of IPv6 Router Spoofing Attacks with P4
The IPv6 protocol will sooner or later replace IPv4 to cope with an exponentially increasing number of connected devices. Some of the most significant functions of IPv6 networks are network discovery, maintenance, and routing mechanisms to promote auto-configuration of the network with less manual effort. Network Discovery Protocol (NDP) is an important protocol in IPv6 to identify the relationships between different neighboring devices in a network. However, it is also subject to spoofing and man-in-the-middle attacks. This paper implements an attack detection and mitigation strategy called Router Advertisement Guard (RA-Guard) in P4 to defend IPv6 networks against router spoofing attacks directly on the data plane. In contrast to very few proprietary RA-Guard implementations with limited details, we consider different scenarios to exploit IPv6 packet structure and publish our implementation open-source. The experiments show that our P4-based implementation can detect and mitigate spoofing attacks leveraging RA-Guard together with its control plane extensions.