Using FDAD to Prevent DAD Attack in SEcure Neighbor Discovery Protocol

Abstract EN

The SEND uses CGA as its address configuration method.

CGA binds the IPv6 address with multiple auxiliary parameters, thereby making the dependency relationship between IPv6 address and host provable, which prevents address embezzlement.

Owing to the considerable overhead in CGA parameter verification, the malicious host can use this point to carry out DoS attacks.

To prevent DoS, the paper proposes a new duplicate address detection method in an SDN environment called FDAD.

Two additional mechanisms are added to the FDAD, namely, query and feedback; messages used by the new mechanisms are also designed.

Through these two mechanisms, on the one hand, the host can query the MAC address of the suspect host to the controller.

On the other hand, if the CGA parameter verification fails, the controller will use feedback information to suppress malicious host from its source port in order to prevent subsequent attacks.

Experiments show that the CPU overhead of FDAD is much lower than the normal CGA when suffering Denial of Service attack.

The increased CPU consumption and memory overhead of the controller are also within acceptable range, and the network communication overhead is greatly reduced.