The Secure Neighbor Discovery (SEND) protocol is a security extension of the

Neighbor Discovery Protocol The Neighbor Discovery Protocol (NDP), or simply Neighbor Discovery (ND), is a protocol of the Internet protocol suite used with Internet Protocol Version 6 (IPv6). It operates at the link layer of the Internet model, and is responsible for gat ...

(NDP) in

IPv6 Internet Protocol version 6 (IPv6) is the most recent version of the Internet Protocol (IP), the communications protocol that provides an identification and location system for computers on networks and routes traffic across the Internet. IPv ...

defined in RFC 3971 and updated by RFC 6494. The

(NDP) is responsible in

for discovery of other network nodes on the local link, to determine the link layer addresses of other nodes, and to find available routers, and maintain reachability information about the paths to other active neighbor nodes (RFC 4861). NDP is insecureHolding IPv6 Neighbor Discovery to a Higher Standard of Security
community.infoblox.com, 2.10.2015 and susceptible to malicious interference. It is the intent of SEND to provide an alternate mechanism for securing NDP with a cryptographic method that is independent of

IPsec In computing, Internet Protocol Security (IPsec) is a secure network protocol suite that authenticates and encrypts packets of data to provide secure encrypted communication between two computers over an Internet Protocol network. It is used in ...

, the original and inherent method of securing IPv6 communications. SEND uses

Cryptographically Generated Address A Cryptographically Generated Address (CGA) is an Internet Protocol Version 6 (IPv6) address that has a host identifier computed from a cryptographic hash function. This procedure is a method for binding a public signature key to an IPv6 address in ...

es (CGA) and other new NDP options for the

ICMPv6 Internet Control Message Protocol version 6 (ICMPv6) is the implementation of the Internet Control Message Protocol (ICMP) for Internet Protocol version 6 (IPv6). ICMPv6 is an integral part of IPv6 and performs error reporting and diagnostic fu ...

packet types used in NDP. SEND was updated to use the Resource Public Key Infrastructure (RPKI) by RFC 6494 and RFC 6495 which define use of a SEND Certificate Profile utilizing a modified RFC 6487 RPKI Certificate Profile which must include a single RFC 3779 IP Address Delegation extension. There have been concerns with algorithm agility vis-à-vis attacks on hash functions used by SEND expressed in RFC 6273, as CGA currently uses the

SHA-1 In cryptography, SHA-1 (Secure Hash Algorithm 1) is a cryptographically broken but still widely used hash function which takes an input and produces a 160-bit (20- byte) hash value known as a message digest – typically rendered as 40 hexadec ...

hash algorithm and PKIX certificates and does not provide support for alternative hash algorithms.

Implementations

Cisco IOS 12.4(24)T and newer

Easy-SEND

ipv6-send-cga

Huawei Huawei Technologies Co., Ltd. ( ; ) is a Chinese multinational technology corporation headquartered in Shenzhen, Guangdong, China. It designs, develops, produces and sells telecommunications equipment, consumer electronics and various smar ...

and Beijing University of Posts and Telecommunications
NDprotector

Telecom SudParis Télécom SudParis (formerly known as Télécom INT) is one of the top French engineering schools (public institutions) of higher education and research (French: Grandes Écoles) that award engineering degrees in France. It produces engineers wit ...

Native SeND kernel API

TrustRouter

(discontinued), NTT DoCoMo
WinSEND

References

* * * Internet protocols Cryptographic protocols Link protocols IPv6 {{IPv6

Implementations

See also

References