Secure Neighbor Discovery
||This article includes a list of references, related reading or external links, but its sources remain unclear because it lacks inline citations. (January 2011)|
The Neighbor Discovery Protocol (NDP) is responsible in IPv6 for discovery of other network nodes on the local link, to determine the link layer addresses of other nodes, and to find available routers, and maintain reachability information about the paths to other active neighbor nodes (RFC 4861). NDP is insecure and susceptible to malicious interference. It is the intent of SEND to provide an alternate mechanism for securing NDP with a cryptographic method that is independent of IPsec, the original and inherent method of securing IPv6 communications.
SEND was updated to use the Resource Public Key Infrastructure (RPKI) by RFC 6494 and RFC 6495 which define use of a SEND Certificate Profile utilizing a modified RFC 6487 RPKI Certificate Profile which must include a single RFC 3779 IP Address Delegation extension.
There have been concerns with algorithm agility vis-à-vis attacks on hash functions used by SEND expressed in RFC 6273, as CGA currently uses the SHA-1 hash algorithm and PKIX certificates and does not provide support for alternative hash algorithms.
- Cisco IOS 12.4(24)T and newer
- Docomo USL SEND fork
- ipv6-send-cga, Huawei and Beijing University of Posts and Telecommunications
- NDprotector, Telecom SudParis
- Native SeND kernel API
- USL SEND (discontinued), NTT DoCoMo
- RFC 3971, "SEcure Neighbor Discovery (SEND)", J.Arkko (Ed.), et al., March 2005
- RFC 4861, "Neighbor Discovery for IP version 6 (IPv6)", T.Narten, et al., September 2007
- RFC 6494, "Certificate Profile and Certificate Management for SEcure Neighbor Discovery (SEND)", R. Gagliano, et al., February 2012
|This computer networking article is a stub. You can help Infogalactic by expanding it.|