Towards a New Algorithm to Optimize IPv6 Neighbor Discovery Security for Small Objects Networks

Ksimi, Ali El; Leghris, Cherkaoui

doi:10.1155/2018/1816462

Cited by 12 publications

(6 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…normal and attack) to evaluate the proposed Match-Prevention technique and check whether it fulfils the study requirements. These metrics, including processing time, bandwidth consumption and DoS prevention success rate, were the same as those used in previous researches [20], [25], [39].…”

Section: Experiments and Resultsmentioning

confidence: 99%

Match-Prevention Technique Against Denial-of-Service Attack on Address Resolution and Duplicate Address Detection Processes in IPv6 Link-Local Network

2020

View full text Add to dashboard Cite

Protocol version 6 (IPv6) host communicating with other neighbouring hosts. Two NDP messages are used during AR and DAD to communicate with one another in the same IPv6 link-local network, namely Neighbour Solicitation (NS) and Neighbour Advertisement (NA) messages. However, NDP messages have non-secure designs and lack verification mechanisms for authenticating whether incoming messages originate from a legitimate or illegitimate node. Therefore, any node in the same link can manipulate NS or NA messages and then launch a Denial-of-Service (DoS) attack. Techniques proposed to secure AR and DAD include Secure NDP (SeND) and Trust-NDP (Trust-ND); however, these techniques either entail high processing time and bandwidth consumption or are vulnerable to DoS attacks because of their designs. Therefore, to secure AR and DAD, this study aims to introduce a prevention technique called Match-Prevention, which secures target IP addresses and exchange messages (i.e. NS and NA). The processing time, bandwidth consumption and DoS prevention success rate of Match-Prevention in different scenarios are evaluated, and its performance is compared with those of existing techniques, including Standard-Process (i.e., Standard-AR and Standard-DAD), SeND and Trust-ND. Results show that Match-Prevention requires less processing time during AR and DAD processes and less bandwidth consumption compared with other existing techniques. In terms of DoS prevention success rate, the experiments show that Standard-Process and Trust-ND are unable to secure AR and DAD from DoS attacks, whilst SeND is vulnerable to flooding attacks. By contrast, Match-Prevention allows IPv6 nodes to verify the incoming message, discard the fake message before further processing and prevent a DoS attack during AR and DAD in an IPv6 link-local network.

show abstract

Section: Experiments and Resultsmentioning

confidence: 99%

Match-Prevention Technique Against Denial-of-Service Attack on Address Resolution and Duplicate Address Detection Processes in IPv6 Link-Local Network

2020

View full text Add to dashboard Cite

show abstract

“…While evaluating the technique it, there is an issue with bandwidth consumption and processing time that cannot be accepted in order to protect DAD from denial of service (DoS) attack. The authors of El Ksimi and Leghris [12] presented a solution for protecting a target IPv6 address by employing a combination of strong hash key and robust encryption technology, which was to be employed before transmitting any NS messages, in a similar vein. The outcome demonstrates that a good security mechanism has been put in place, but the computing complexity is extremely high.…”

Section: Related Workmentioning

confidence: 99%

“…It is worth noting that the aforementioned previous research works [7][8][9][10][11][12][13][14][15] continue to place an emphasis on theoretical information on DAD as well as the blocking access of transmission sessions that does not involve in the DAD processes. However, there hasn't been much discussion about how to apply diligent checking operations in actual applications.…”

Section: Related Workmentioning

confidence: 99%

A New Concept of Duplicate Address Detection Processes in IPv6 Link-Local Network

2022

View full text Add to dashboard Cite

The Neighbor Discovery Protocol (NDP) enables nodes on the same IPv6 link to advertise their existence to their neighbors and learn about their neighbors’ existences in an IPv6 link-local network. Duplicate Address Detection (DAD) on NDP is used to determine whether or not an address requested by a node is already in use by another node. The Neighbor Solicitation (NS) and Neighbor Advertisement (NA) operations are associated to DAD checks in order to ensure that each interface within the transmission session is unique. Unfortunately, NS and NA operations have a significant disadvantage in that they are based on insecure architectures and lack verification procedures for determining whether incoming messages originate from a valid or illegitimate node. This will eventually allow any node in the same link to be manipulated during NS and NA message transmission sessions. Despite some attempts to secure the entire NDP operations, they still suffer from computing resources requirement for their operations. As a result, this study proposes an Initial Neighbor Inspection (INI) on DAD operation. The proposed techniques allow for an initial round of verification of the nodes on the same link before a broadcast request on the existence of neighbors, which is followed by another round of learning about neighbors’ existences. Conclusively, using this idea, as a simple verification will indicate the presence of neighbors, we may restrict solicitation and advertising to only those who are eligible. This means that the computational processing time for NS and NA on DAD operations would not rise.

show abstract

“…Models that utilize identity-based cryptography, [14] DNS hierarchies, [15] time-slotted channel hopping (TSCH), [16] network-aware internet-wide scan, [17] privacy-preserving communication schemes, [18] non-batch verification method scheme (NBVMS), [19] and efficient, secure, and privacypreserving proxy mobile IPv6 (ESP-PMIPv6) [20] are also discussed; these models help optimize security along with quality of service while These models, which have a high level of complexity, are not suitable for use in network configurations that call for simplified addressing schemes because of the level of complexity they possess. The research presented in [21][22][23] suggests the use of low-power lossy networks, fast handovers for mobile IPv6 (FMIPv6), and block chains.…”

Section: Background and Related Workmentioning

confidence: 99%

Design of a Hybrid Bio-inspired Model for Improving Addressing Capabilities of IPv6 Networks

Shahapurkar,

Roychaudhary

2022

SMSJ

View full text Add to dashboard Cite

Addressing in IPv6 networks is a complex task, that involves multiple decision criterion that include base addressing, subnet addressing, location & energy aware addressing, and temporal performance aware addressing constraints. To incorporate these constraints a wide variety of models are proposed by researchers, and most them utilize location-aware addressing and do not consider multimodal parameters. Schemes that consider these parameters are either highly complex, or cannot be scaled for heterogeneous network scenarios. To overcome these limitations, this text proposes design of a novel hybrid bioinspired model that assists in improving addressing capabilities of IPv6 networks. The proposed model bee colony optimization (BCO), genetic algorithm (GA), and particle swarm optimization (PSO) in order to improve addressing quality for different network types. Initially, GA is used to stochastically assign location-specific addresses to a simulated network, which is incrementally tuned by PSO via a cognitive & social learning process. The fine-tuned addresses are further optimized via integration of BCO model, which assists in integrating energy awareness. Final addresses are initially simulated with exhaustive communication test, and then deployed to real-time networks for optimized operations. Due to which, the assigned addresses are observed to be delay & energy efficient, thereby assisting in deploying them for real-time use cases. The proposed addressing model was tested under different scaled networks, and an energy efficiency of 8.3%, with delay reduction of 6.5% was achieved when compared with various state-of-the-art methods, which assists in deploying the model for multiple scaled network scenarios.

show abstract

Towards a New Algorithm to Optimize IPv6 Neighbor Discovery Security for Small Objects Networks

Cited by 12 publications

References 18 publications

Match-Prevention Technique Against Denial-of-Service Attack on Address Resolution and Duplicate Address Detection Processes in IPv6 Link-Local Network

Match-Prevention Technique Against Denial-of-Service Attack on Address Resolution and Duplicate Address Detection Processes in IPv6 Link-Local Network

A New Concept of Duplicate Address Detection Processes in IPv6 Link-Local Network

Design of a Hybrid Bio-inspired Model for Improving Addressing Capabilities of IPv6 Networks

Contact Info

Product

Resources

About