Optimizing Security and Address Configuration in IPv6 SLAAC

The Neighbor Discovery Protocol (NDP) is the predominant component in IPv6; the next generation internet protocol providing for stateless address auto configuration of nodes (SLAAC), resolution of link layer addresses and neighbor unreachability detection. The stateless address auto configuration is designed for self configuration of nodes and achieving plug and play support for network devices. The protocol is rooted on the assumption that network consists of trusted nodes, however with emergence of public wireless networks; any node can join the link with minimal authentication and the condition changes drastically. With no inclusion of central address configuration servers or trusted authorities, the process is vulnerable to malicious activities. The attacker can impersonate legitimate nodes and launch Man-in-the-Middle (MITM), Denial of Service (DoS), and other network related attacks. The access to the link can be blocked and the network traffic can be redirected without the knowledge of users. To overcome the above problem, RFC 3971 suggests the use of Cryptographically Generated Addresses (CGA) which is an innate component of Secure Neighbor Discovery (SEND). Although CGA provides for message integrity, authentication and mitigating address impersonation, the process is computation intensive with higher bandwidth consumption and harbors some other limitations. This paper presents a novel technique for address generation having a minimal computation cost as compared to CGA. The technique generates a highly randomized Interface Identifier that helps maintain nodes privacy and allows the nodes to ascertain the uniqueness on the link. It also provides robust security against DoS attacks during the DAD process of IPv6 SLAAC.