Title: Defense against ND Attacks in IPv6 Wireless Network Environments
Defending Neighbor Discovery Attacks in IPv6 Wireless Networks
Author: 林建霖
Lin, Jian-lin
Keywords: IPv6; Neighbor Discovery; SEND; DAD; WLAN; Network Security
Publisher: Department of Computer Science and Engineering
In an IPv6 network, the nodes on the same link use the Neighbor Discovery Protocol (NDP) to determine the relationships among neighboring nodes (for example, whether a neighbor exists, or what its link-layer address is) and to perform basic network configuration. When there is no guarantee that all nodes on the link are trustworthy, this protocol is easily threatened by maliciously forged packets, and in a wireless network environment this threat is even harder to guard against.
To address this problem, the Internet Engineering Task Force (IETF) proposed the SEcure Neighbor Discovery (SEND) protocol to protect Neighbor Discovery (ND). It works by using the Cryptographically Generated Addresses (CGA) mechanism to generate IPv6 addresses and by signing ND messages with an asymmetric key pair, so that a message can be verified as sent by the owner of the IPv6 address and not tampered with. However, common lightweight wireless devices aim to save as much power and computing resources as possible. Therefore, in this paper we design and implement a system that defends against ND attacks, to achieve a network environment that is both secure and suitable for lightweight wireless devices.
For the implementation, we use HostAP to realize the functions of a wireless access point. HostAP is a Linux wireless interface driver that can be switched into Master mode to provide AP functionality. This paper implements the ND defense system by modifying HostAP. Because an IPv6 node sends Duplicate Address Detection (DAD) messages to ensure the uniqueness of an address before it starts using that address, the system analyzes DAD message packets and tracks the connection state of users in order to protect nodes from forged ND packets, providing an environment that balances efficiency and security. In addition, we implemented an attack program, NDAttacker, to demonstrate that this defense system can indeed block attacks effectively.

In IPv6 networks, the Neighbor Discovery Protocol (NDP) is used to determine the relationships between nodes on the same link (for instance, whether a neighboring node is still reachable, or what the link-layer address of a neighboring node is) and to configure the network interface. The protocol is vulnerable to spoofed packets because there is no mutual trust mechanism among the communicating nodes, especially in a wireless environment.
Accordingly, the Internet Engineering Task Force (IETF) proposed a protocol, Secure Neighbor Discovery (SEND), to secure Neighbor Discovery (ND) by means of an asymmetric key cryptosystem and Cryptographically Generated Addresses (CGA). Currently, common lightweight wireless network devices tend to minimize resource consumption, which conflicts with the heavy computation that SEND messages require. In this paper, we propose a system that defends against ND attacks in a network environment of lightweight wireless devices.
In the system, HostAP is adopted to realize the functions of the wireless base station. HostAP is the Linux wireless interface driver that can be switched into Master mode to provide the functions of an access point (AP). We implement a defensive system for ND attacks by adding several enhanced features to HostAP. The defensive system takes advantage of the requirement that each IPv6 node's address be unique: whenever an ND packet arrives, we examine and record the request through Duplicate Address Detection (DAD). Accordingly, an attacker that issues forged ND packets is not able to pass them through the AP. In addition, an attack program, NDAttacker, was developed to demonstrate the effectiveness of the defensive system.
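The DAD-based filtering described above, as an added illustration that is not the thesis's HostAP code: a simplified AP-side filter binds each IPv6 address to the first station (by MAC) that runs DAD for it and drops later ND messages that claim that address from any other station. The `NdMessage` fields, the station MACs and the addresses are constructed for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

UNSPECIFIED = "::"  # source address of a DAD Neighbor Solicitation (RFC 2462)

@dataclass(frozen=True)
class NdMessage:
    """Constructed, minimal view of an ICMPv6 ND packet as the AP sees it."""
    src_mac: str  # 802.11 station address the frame came from
    src_ip: str   # IPv6 source; "::" while the sender is still running DAD
    kind: str     # "NS" (Neighbor Solicitation) or "NA" (Neighbor Advertisement)
    target: str   # target address carried in the ND message

class DadBindingFilter:
    """AP-side filter: an address belongs to the station that first ran DAD for it."""

    def __init__(self) -> None:
        self.bindings: Dict[str, str] = {}  # IPv6 address -> owning station MAC

    def disassociate(self, mac: str) -> None:
        # Station left the AP: release its addresses so they may be reused.
        self.bindings = {a: m for a, m in self.bindings.items() if m != mac}

    def process(self, msg: NdMessage) -> Tuple[str, str]:
        """Return ("forward" | "drop", reason) for one ND message."""
        if msg.kind == "NS" and msg.src_ip == UNSPECIFIED:
            # DAD probe: bind on first sight; later probes are forwarded so the real owner's NA can answer.
            owner = self.bindings.get(msg.target)
            if owner is None:
                self.bindings[msg.target] = msg.src_mac
                return "forward", "dad-registered"
            return "forward", ("dad-repeat" if owner == msg.src_mac else "dad-conflict")
        # Every other NS/NA asserts ownership of an address; it must match the binding.
        claimed = msg.target if msg.kind == "NA" else msg.src_ip
        owner = self.bindings.get(claimed)
        if owner is None:
            return "drop", "address-not-registered"  # never completed DAD via this AP
        if owner != msg.src_mac:
            return "drop", "spoofed-owner"  # NA/NS for an address bound to another station
        return "forward", "ok"

def demo() -> List[Tuple[str, str]]:
    """Constructed sequence: a station registers fe80::1, another station forges an NA."""
    owner, other = "02:00:00:00:00:01", "02:00:00:00:00:02"
    f = DadBindingFilter()
    return [
        f.process(NdMessage(owner, UNSPECIFIED, "NS", "fe80::1")),  # DAD probe
        f.process(NdMessage(other, "fe80::1", "NA", "fe80::1")),    # forged answer
        f.process(NdMessage(owner, "fe80::1", "NA", "fe80::1")),    # genuine owner
    ]
```

Calling `disassociate` when a station leaves models the thesis's tracking of client connection state, so a released address can be claimed again through a fresh DAD exchange.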
Other identifier: U0005-1801200820074600
Appears in Collections: Department of Computer Science and Engineering
