The rapid expansion of small devices and the Internet of Things (IoT) has heightened the significance of secure, reliable communication. Internet-enabled devices require unique IP addresses to facilitate effective data exchange. Given the limitations of IPv4, IPv6 has been adopted under RFC 2460 as a more advanced and secure protocol, particularly suited for IoT networks. IPv6 offers unique addressing that supports not only expanded connectivity but also improved security features such as IP Security (IPsec). However, even IPv6 is not without vulnerabilities, particularly in certain elements of its auto-configuration and addressing mechanisms.
The Stateless Auto Address Configuration (SLAAC) mechanism in IPv6 allows for efficient, autonomous generation of IP addresses. However, the uniqueness of the generated addresses typically relies on the Duplicate Address Detection (DAD) protocol. Prior research has identified vulnerabilities in both SLAAC and DAD, making the IPv6 network susceptible to threats such as reconnaissance and Denial of Service (DoS) attacks. In response to these security issues, a new IPv6 generation scheme has been proposed. This scheme incorporates an enhanced secure DAD mechanism designed to address these specific vulnerabilities. The new method involves generating IPv6 addresses using a hybrid approach that includes the vendor ID of the Medium Access Control (MAC) address, a physical location identifier, and arbitrary random numbers, thereby mitigating the effects of reconnaissance attacks. Additionally, hybrid values of the Interface Identifier (IID) are multicast instead of actual values to fend off DoS attacks. Evaluation results have shown that this new method can effectively improve the address success rate (ASR), decrease energy consumption, and reduce communication overhead compared to existing schemes like EUI-64 and SEUI-64.
1. Generate Interface Identifier (IID)
The first significant step in this new method is the generation of the Interface Identifier (IID). Unlike traditional methods that rely heavily on pre-existing, easily predictable parameters, the new solution employs a hybrid approach to create a unique, unpredictable IID. This reduces the risks associated with MAC address-based IID construction, which often makes networks vulnerable to reconnaissance attacks. The proposed IID consists of three components: the Coordinate Value Code (CVC), Vendor Identifier (VID), and a Random Identifier (RID).
The CVC is derived from the node's physical location, making it intrinsically variable and difficult to predict. Specifically, it is the XOR of the x, y, and z coordinates of the device's position, each represented as a 3-byte value. The VID is computed in two stages: first, the first three bytes of the MAC address are XORed with the last three bytes; this interim value is then XORed with the current timestamp to produce the final VID. The RID component is a 2-byte random number, freshly generated every time a new IID is created. Together, these three components make the IID unique, hard to predict, and resistant to conventional reconnaissance tactics that rely on recovering the MAC address or its vendor prefix from the IID.
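The construction described above, written out as an added Python example (not code from the paper or any reference implementation). It assembles the 8-byte IID as CVC || VID || RID with the field widths the text gives (3 + 3 + 2 bytes) and, for comparison, builds the conventional modified EUI-64 IID from the same MAC address so the difference in what an observer can recover is visible. Two details the text leaves open are assumptions here: how the timestamp is fitted into the 3-byte VID field (the low 24 bits are used) and the byte order of the fields (big-endian). The MAC address and coordinates are constructed sample values.

```python
import os
import time

# Field widths as stated in the text: 3-byte CVC + 3-byte VID + 2-byte RID = 64-bit IID.
CVC_LEN, VID_LEN, RID_LEN = 3, 3, 2


def coordinate_value_code(x: int, y: int, z: int) -> bytes:
    """CVC: XOR of the x, y and z coordinates, each represented as a 3-byte value."""
    for v in (x, y, z):
        if not 0 <= v < 1 << 24:
            raise ValueError("each coordinate must fit in 3 bytes")
    return (x ^ y ^ z).to_bytes(CVC_LEN, "big")


def vendor_identifier(mac: bytes, timestamp: int) -> bytes:
    """VID: (first 3 MAC bytes XOR last 3 MAC bytes) XOR timestamp.

    Assumption: the text does not say how a timestamp is fitted into the 3-byte
    field, so the low 24 bits of the integer timestamp are used here.
    """
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    interim = int.from_bytes(mac[:3], "big") ^ int.from_bytes(mac[3:], "big")
    return (interim ^ (timestamp & 0xFFFFFF)).to_bytes(VID_LEN, "big")


def random_identifier(rng=os.urandom) -> bytes:
    """RID: a fresh 2-byte random value for every generated IID."""
    return rng(RID_LEN)


def generate_iid(x, y, z, mac, timestamp=None, rng=os.urandom) -> bytes:
    """Build the 8-byte hybrid IID = CVC || VID || RID."""
    ts = int(time.time()) if timestamp is None else timestamp
    iid = coordinate_value_code(x, y, z) + vendor_identifier(mac, ts) + random_identifier(rng)
    assert len(iid) == CVC_LEN + VID_LEN + RID_LEN == 8
    return iid


def eui64_iid(mac: bytes) -> bytes:
    """Conventional modified EUI-64 IID, for comparison: insert ff:fe and flip the U/L bit.

    The vendor prefix (OUI) survives in the clear in the first three bytes, which is
    what makes EUI-64 addresses useful to reconnaissance.
    """
    first = bytes([mac[0] ^ 0x02])
    return first + mac[1:3] + b"\xff\xfe" + mac[3:]


def parse_mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", "").replace("-", ""))


def iid_to_text(iid: bytes) -> str:
    """Render the IID as four hextets, as it appears in the host part of an IPv6 address."""
    return ":".join(iid[i:i + 2].hex() for i in range(0, 8, 2))


if __name__ == "__main__":
    mac = parse_mac("00:11:22:33:44:55")  # constructed sample MAC
    print("EUI-64 IID :", iid_to_text(eui64_iid(mac)))
    print("hybrid IID :", iid_to_text(generate_iid(256, 32, 3, mac)))
    print("hybrid IID :", iid_to_text(generate_iid(256, 32, 3, mac)))  # differs: new timestamp and RID
```

Running the script prints the EUI-64 form, whose first three bytes are the (U/L-flipped) vendor prefix, followed by two hybrid IIDs for the same MAC that differ because the timestamp and the RID change on every generation. The `rng` parameter exists only so the RID can be fixed in a test; in production it stays `os.urandom`.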
2. Multicast Neighbor Solicitation (NS)
Once the IID is generated, the next step involves ensuring its uniqueness through the Neighbor Solicitation (NS) process, facilitated by a secure DAD mechanism. This step is crucial because an unverified IID could lead to address conflicts and severe security vulnerabilities. The NS message is multicast across the network to verify whether the newly created IID is already in use.
The proposed improved secure DAD scheme elevates the traditional DAD process by dividing the IID into three distinct components: DAD ID, Secure ID, and Node ID. The XOR value of the DAD ID and Secure ID is then multicast in a Class-1 frame with a temporary link address as its source. This gives the node partial connectivity while ensuring that the NS message carries no usable information for potential attackers, since neither component can be recovered from their XOR alone. The integrity check within this step verifies that the new DAD ID does not match any existing one, retrying up to a pre-set number of allowable attempts before logging a configuration error.
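The DAD exchange described in this step, simulated in Python as an added example (it is not the paper's code or a real IPv6 stack). A candidate IID is split into DAD ID, Secure ID and Node ID; only the XOR of the first two is "multicast" to a list of simulated neighbors, each of which answers when the probed value equals the hybrid of its own IID; the node retries up to the allowed number of attempts and logs a configuration error if none succeeds. The component widths (3 + 3 + 2 bytes), the retry limit of three and the use of the whole IID to compute the hybrid are assumptions, since the text gives no sizes. The example also exercises one caveat a practitioner should expect: two different IIDs can share the same 3-byte hybrid value, so the check can report "in use" for an address that is actually free, and the retry loop is what absorbs that.

```python
import logging
import os

# Assumed split of the 8-byte IID into the three DAD components (the text gives no widths).
DAD_LEN, SECURE_LEN, NODE_LEN = 3, 3, 2
MAX_ATTEMPTS = 3  # assumed pre-set allowable attempts before a configuration error is logged


def split_iid(iid: bytes):
    if len(iid) != DAD_LEN + SECURE_LEN + NODE_LEN:
        raise ValueError("IID must be 8 bytes")
    return iid[:DAD_LEN], iid[DAD_LEN:DAD_LEN + SECURE_LEN], iid[DAD_LEN + SECURE_LEN:]


def hybrid_value(iid: bytes) -> bytes:
    """The value actually placed in the multicast NS: DAD ID XOR Secure ID.

    Neither component nor the Node ID leaves the node, so a listener on the link
    learns only the XOR, from which the real IID cannot be recovered.
    """
    dad_id, secure_id, _node_id = split_iid(iid)
    return bytes(a ^ b for a, b in zip(dad_id, secure_id))


class Neighbor:
    """A node already on the link; it answers an NS only when the probe matches its own hybrid."""

    def __init__(self, iid: bytes):
        self.iid = iid

    def on_neighbor_solicitation(self, probe: bytes) -> bool:
        return hybrid_value(self.iid) == probe


def run_secure_dad(make_iid, neighbors, max_attempts=MAX_ATTEMPTS):
    """Returns (accepted_iid, attempts_used); accepted_iid is None on configuration error."""
    for attempt in range(1, max_attempts + 1):
        candidate = make_iid()
        probe = hybrid_value(candidate)
        # Simulated multicast: every neighbor sees the probe; any match means "already in use".
        if any(n.on_neighbor_solicitation(probe) for n in neighbors):
            logging.warning("DAD attempt %d: hybrid %s already in use, retrying", attempt, probe.hex())
            continue
        return candidate, attempt
    logging.error("DAD failed after %d attempts: configuration error", max_attempts)
    return None, max_attempts


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    link = [Neighbor(os.urandom(8)) for _ in range(4)]  # constructed existing nodes
    iid, used = run_secure_dad(lambda: os.urandom(8), link)
    print("accepted IID:", iid.hex() if iid else None, "after", used, "attempt(s)")
```

`make_iid` is whatever generator the node uses (the hybrid CVC/VID/RID construction from step 1 in the real scheme); here it is a callable so the same loop can be driven with random or fixed candidates. On a real link the warning and error lines are the events worth forwarding to monitoring, since a burst of DAD retries from one host is the visible symptom of either a misconfigured neighbor or an attempt to deny it an address.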
3. Combine Global Routing Prefix (GRP) with IID