
Received June 6, 2017, accepted July 20, 2017, date of publication August 30, 2017, date of current version September 27, 2017. Digital Object Identifier 10.1109/ACCESS.2017.2737524

IPv6 Neighbor Discovery Protocol Specifications, Threats and Countermeasures: A Survey

AMJED SID AHMED MOHAMED SID AHMED, ROSILAH HASSAN, AND NOR EFFENDY OTHMAN

Network and Communication Technology Laboratory (NCT), Research Centre for Software Technology and Management (SOFTAM), Faculty of Information Science and Technology (FTSM), Universiti Kebangsaan Malaysia (UKM), 43600 UKM, Bangi, Malaysia.

Corresponding author: Rosilah Hassan ([email protected]). This work was supported by a university grant under Project TT-2017-002.

ABSTRACT The Neighbor Discovery Protocol (NDP) is the core protocol of the Internet Protocol version 6 (IPv6) suite. NDP was designed to replace the Address Resolution Protocol (ARP), router discovery and redirect functions of Internet Protocol version 4. NDP is described as a stateless protocol because IPv6 nodes use it to discover the hosts and routers joined to an IPv6 network without the need for a Dynamic Host Configuration Protocol server. NDP is susceptible to attacks because of the lack of authentication in its messages. Securing NDP is extremely important now that the Internet is pervasive and widely used in communal places such as airports, where no trust exists among the users. A malicious host can mount denial-of-service or man-in-the-middle attacks by injecting spoofed addresses into NDP messages. Many solutions have been proposed by researchers to protect NDP. However, these solutions either introduce new protocols that must be supported by all nodes or build mechanisms that require the cooperation of all nodes. Moreover, some solutions deviate from the layering principles of the Open Systems Interconnection model. Therefore, studying NDP in detail in order to recognize and identify the points that could be improved has become a mandatory task. This article surveys the vulnerabilities of NDP and the approaches proposed to mitigate them, from the time of the protocol's development up to the date this paper was finalized. We describe the technical specifications of NDP, showing its components, functions and working procedures. In addition, each NDP threat is classified and explained in detail. Open challenges of NDP and recommended future directions for research are presented at the end of the paper.

INDEX TERMS IPv6, NDP, SEND, CGA.

I. INTRODUCTION

As a result of the rapid growth in Internet penetration, driven by the large number of portable smart devices, the Internet is becoming universal and is used for a wide range of services and transactions. Because of the huge number of addresses demanded by connected devices, IPv6 will become common and will soon replace IPv4. IPv6 was established to address the problem of IPv4 address exhaustion [1]–[3]. To cope with the unexpected evolution of the Internet, the Internet Protocol was revised in IPv6 [4]. The revisions include changes to the format and length of the IP address, along with the packet format [5]. IPv6 offers several functional enhancements over IPv4, such as a cleaner and smaller fixed header [6]. The limited Option field of the IPv4 header was replaced in IPv6 by Extension Headers, which are more flexible and extensible because they are not part of the main header [7], [8]. IPv6 also improves on IPv4 through its use of IPsec, a built-in end-to-end security mechanism [9]. IPsec consists of two extension headers, the Authentication Header (AH) and the Encapsulating Security Payload (ESP), whose purpose is to deliver data integrity and confidentiality. NDP, the primary protocol of the IPv6 suite, consists of Neighbor Discovery for IPv6 and IPv6 Stateless Address Autoconfiguration (SLAAC) [10]. Several critical functions are handled by NDP: determining the nodes on the same link, discovering link-layer addresses, detecting duplicate addresses, looking for routers, and maintaining reachability information about the paths to active neighbors. Support for Mobile IPv6 (MIPv6) networks, the elimination of foreign agents, and the ability of mobile nodes to join new foreign networks are managed by NDP as well. Therefore, the significance of NDP cannot be denied [11].

NDP offers two main benefits in IPv6. The first is host initialization, through which an IPv6 host joins an IPv6 network. The host sends a Router Solicitation message to the routers on its link in order to obtain the prefix, the default router and other network parameters. This Router Solicitation message is also delivered to the other hosts on the sender's link, so that the host can learn the link-layer and IP addresses of its neighbors and prevent duplicate addresses. The second is address autoconfiguration, which a host uses to generate its own IPv6 address without the need for a server. In the view of researchers, it was assumed at the time that the IPv6 protocol, following the layering principle, would not affect the other layers of the Open Systems Interconnection (OSI) hierarchy, and that the security of IPv6 packet transmission would be covered by IPsec. Security mechanisms at the other layers, including link-local security, were therefore omitted during the development of IPv6. Nevertheless, NDP is prone to serious attacks. The assumption that all nodes within the local link fully trust each other does not hold in many circumstances, for instance on a wireless network that allows anyone to connect with minimal or no link-layer authentication [12]. Malicious users can then impersonate legitimate nodes by forging NDP messages, which is what produces the attacks [13]. To address the security problems of NDP, the Internet Engineering Task Force (IETF) Secure Neighbor Discovery (SEND) working group published the first SEND specification in 2002 [9].

2169-3536 2017 IEEE. Translations and content mining are permitted for academic research only. Personal use is also permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
SEND is considered an extension of NDP rather than a new standard protocol, and it provides three additional features: message protection, proof of address ownership and a mechanism for router authorization. To achieve these improvements, SEND defines four new option types, namely Cryptographically Generated Address (CGA), Nonce, RSA Signature and Timestamp; a SEND packet is formed by attaching these options to a regular NDP message. SEND also defines two new ICMPv6 messages that are used during router authorization, Certificate Path Solicitation (CPS) and Certificate Path Advertisement (CPA) [19]. The aim of this paper is to survey the vulnerabilities of NDP and to review the various approaches proposed to mitigate them. Section II gives the technical specifications of NDP, including its components, message structure and format, functions, and a description of how its procedures work. Section III covers NDP vulnerabilities and examines each attack in detail, showing how it works and to which category it belongs. Section IV gives an extensive review of the solutions and countermeasures proposed from 2005 up to April 2017. We also cover the existence of the same problem in the IPv4 world, in order to connect and fill the gap between IPv4 and IPv6 address-resolution spoofing attacks. Lastly, Section V presents the open challenges of NDP and recommendations for future directions, followed by the conclusion in Section VI.

II. NEIGHBOR DISCOVERY PROTOCOL SPECIFICATIONS

This section summarizes NDP, its working mechanisms and its technical specifications, covering the message types, message format, processes and Neighbor Discovery options.

TABLE 1. IPv4 equivalents to IPv6 neighbor messages and functions.

A. PROTOCOL OVERVIEW

[RFC4861] describes the set of messages and processes in NDP through which neighboring nodes interact with each other. NDP was developed to overcome the limited functionality of the corresponding IPv4 mechanisms; it operates with IPv6 and replaces the Internet Control Message Protocol (ICMP) Redirect message, ARP and ICMP Router Discovery used in IPv4 [5]. TABLE 1 compares IPv4 neighbor messages, components and functions with their IPv6 equivalents. Nodes use NDP to perform a number of activities, which fall into general (non-router) tasks and router-specific tasks. The general tasks are resolving the link-layer address of the neighboring node to which an IPv6 datagram is to be forwarded, and determining the reachability of a neighboring host or node together with its link-layer address. The router-specific tasks are looking up alternative routers that offer a better next hop for outgoing datagrams, advertising the presence of routers, and configuring on-link prefixes and routes.

B. MESSAGE FORMAT

NDP has five message types: Router Solicitation (ICMPv6 type 133), Router Advertisement (ICMPv6 type 134), Neighbor Solicitation (ICMPv6 type 135), Neighbor Advertisement (ICMPv6 type 136) and Redirect (ICMPv6 type 137). All NDP messages are formatted in a uniform way so that they can operate within the ICMPv6 message structure. Each NDP message consists of a message header, an ICMPv6 header, NDP message-specific data, and zero or more NDP options [5]. The options are used to carry out specific functions and provide additional information, for example mobility information, redirection data, specific routes, IP and MAC addresses, the on-link Maximum Transmission Unit (MTU) and on-link network prefixes. Fig. 1 shows the NDP message format.

FIGURE 1. Neighbor discovery message structure.

C. MESSAGES TYPES

The messages that perform the functions of NDP were identified by [3]; these are:
• Router Solicitation (RS)
• Router Advertisement (RA)
• Neighbor Solicitation (NS)
• Neighbor Advertisement (NA)
• Redirect

1) ROUTER SOLICITATION

The purpose of RS messages is to let nodes within a subnet discover the IPv6 routers attached to that subnet. Hosts send the RS as a multicast on the link, and the attached routers respond immediately with a unicast RA [5].

2) ROUTER ADVERTISEMENT

IPv6 routers send unsolicited RA messages pseudo-periodically: when a link has multiple advertising routers, synchronization problems are reduced by randomizing the interval between unsolicited advertisements. Routers also send solicited RA messages on receipt of an RS. The RA carries the information a host needs to determine the link MTU, the link prefixes, specific routes, the duration and validity of addresses created through autoconfiguration, and whether to use address autoconfiguration at all [5].

3) NEIGHBOR SOLICITATION

IPv6 nodes send NS messages to discover the link-layer address of an on-link IPv6 node or to confirm a previously learned link-layer address. The NS normally includes the sender's link-layer address. NS messages are multicast for address resolution and unicast when the reachability of a neighboring node is being verified [5].

4) NEIGHBOR ADVERTISEMENT

An IPv6 node sends an NA message in response to an NS. Nodes also send unsolicited NAs to inform their neighbors of a change of link-layer address or of the node's role. The NA carries the information that nodes require, typically the sender's link-layer address and the sender's role on the network [5].

5) REDIRECT

An IPv6 router sends a Redirect message to inform an originating host of a better first-hop address for a specific destination. Only routers send Redirect messages, only hosts process them, and they are unicast only to the originating host. TABLE 2 summarizes the message types, names and numbers [5].

TABLE 2. NDP messages and functions.

D. PROTOCOL OPTIONS

1) SOURCE AND TARGET LINK-LAYER ADDRESS OPTION

The Source Link-Layer Address option carries the link-layer address of the sender of the ND message. All NDP messages except NA and Redirect messages include this option. When the source address of the ND message is the unspecified address (::), the Source Link-Layer Address option is not included [5].

2) PREFIX INFORMATION OPTION

RA messages carry the Prefix Information option to specify address prefixes and information about address autoconfiguration. An RA may contain more than one Prefix Information option, and can thus specify several address prefixes.

3) REDIRECTED HEADER OPTION

The Redirected Header option is sent in Redirect messages to identify the IPv6 packet that caused the router to send the Redirect. Depending on the size of the original packet, it contains all or part of the redirected IPv6 packet [5].

4) MTU OPTION

RA messages carry the MTU option to indicate the IPv6 MTU of the link. This option is used when the IPv6 MTU of a link is not well known, most likely because of a translating or mixed-media bridging configuration. The MTU option overrides the IPv6 MTU reported by the interface hardware [5].

5) ROUTE INFORMATION OPTION

RA messages carry the Route Information option to specify individual routes that hosts should add to their local routing tables. The Route Information option is described in [RFC4191].

E. PROTOCOL FUNCTIONS

The objectives of the message exchanges within NDP are:
• Address Resolution
• Duplicate Address Detection (DAD)
• Neighbor Unreachability Detection (NUD)
• Router Discovery
• Redirect Function
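Before the individual functions are described, the message layout and option formats of Sections B to D above, parsed in Python as an added example (this is not code from the paper; the field layouts follow RFC 4861 and RFC 4191, and the sample RA bytes are constructed):

```python
"""Parser for the NDP message layout described above (ICMPv6 header, per-type
data, TLV options). Added example, not the paper's code; layouts per RFC 4861/4191."""
import ipaddress
import struct

ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
# Option codes: 1/2 link-layer address, 3 prefix information, 4 redirected
# header, 5 MTU (RFC 4861) and 24 route information (RFC 4191)
OPT_NAMES = {1: "src_lladdr", 2: "tgt_lladdr", 3: "prefix_info",
             4: "redirected_hdr", 5: "mtu", 24: "route_info"}


def _mac(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_option(opt_type, body):
    """Decode one option body (the bytes after its 2-byte type/length header)."""
    if opt_type in (1, 2):
        return _mac(body[:6])
    if opt_type == 3:
        plen, flags, valid, preferred = struct.unpack("!BBII", body[:10])
        prefix = ipaddress.IPv6Address(body[14:30])       # after reserved2
        return {"prefix": f"{prefix}/{plen}", "on_link": bool(flags & 0x80),
                "autonomous": bool(flags & 0x40), "valid_lifetime": valid,
                "preferred_lifetime": preferred}
    if opt_type == 4:
        return {"packet": body[6:]}               # 6 reserved bytes, then packet
    if opt_type == 5:
        return struct.unpack("!I", body[2:6])[0]  # 2 reserved bytes, then MTU
    if opt_type == 24:
        plen, flags, lifetime = struct.unpack("!BBI", body[:6])
        # the prefix field is 0, 8 or 16 bytes long depending on option length
        prefix = ipaddress.IPv6Address(body[6:22].ljust(16, b"\0"))
        return {"prefix": f"{prefix}/{plen}", "preference": (flags >> 3) & 3,
                "route_lifetime": lifetime}
    return body                                    # unknown option: keep raw


def parse_nd(payload):
    """Parse one ICMPv6 ND message; returns a dict or raises ValueError."""
    if len(payload) < 8:
        raise ValueError("truncated ICMPv6 header")
    msg_type, code, checksum = struct.unpack("!BBH", payload[:4])
    if msg_type not in ND_TYPES:
        raise ValueError(f"not an ND message: type {msg_type}")
    msg = {"type": ND_TYPES[msg_type], "code": code, "checksum": checksum,
           "options": []}
    body = payload[4:]
    if msg_type == 133:                            # RS: 4 reserved bytes
        off = 4
    elif msg_type == 134:                          # RA
        hop, flags, life, reach, retrans = struct.unpack("!BBHII", body[:12])
        msg.update(cur_hop_limit=hop, managed=bool(flags & 0x80),
                   other=bool(flags & 0x40), router_lifetime=life,
                   reachable_time=reach, retrans_timer=retrans)
        off = 12
    elif msg_type == 135:                          # NS: reserved + target
        msg["target"] = str(ipaddress.IPv6Address(body[4:20]))
        off = 20
    elif msg_type == 136:                          # NA: R/S/O flags + target
        flags = body[0]
        msg.update(router=bool(flags & 0x80), solicited=bool(flags & 0x40),
                   override=bool(flags & 0x20),
                   target=str(ipaddress.IPv6Address(body[4:20])))
        off = 20
    else:                                          # Redirect: target + dest
        msg["target"] = str(ipaddress.IPv6Address(body[4:20]))
        msg["destination"] = str(ipaddress.IPv6Address(body[20:36]))
        off = 36
    if len(body) < off:
        raise ValueError("truncated message body")
    # Options are TLVs whose length is in units of 8 octets; RFC 4861 requires
    # a message carrying a zero-length option to be silently discarded.
    while off < len(body):
        if len(body) - off < 2:
            raise ValueError("truncated option header")
        otype, olen = body[off], body[off + 1]
        if olen == 0:
            raise ValueError("option with zero length")
        end = off + olen * 8
        if end > len(body):
            raise ValueError("option extends past end of message")
        msg["options"].append((OPT_NAMES.get(otype, otype),
                               parse_option(otype, body[off + 2:end])))
        off = end
    return msg


# Constructed sample: an RA with Source Link-Layer Address, Prefix Information
# (L and A flags set) and MTU options, as a router would send for SLAAC.
SAMPLE_RA = (
    bytes([134, 0, 0, 0]) + struct.pack("!BBHII", 64, 0x00, 1800, 0, 0)
    + bytes([1, 1]) + bytes.fromhex("001122334455")
    + bytes([3, 4, 64, 0xC0]) + struct.pack("!III", 86400, 14400, 0)
    + ipaddress.IPv6Address("2001:db8:1::").packed
    + bytes([5, 1, 0, 0]) + struct.pack("!I", 1500)
)
```

The parser deliberately rejects malformed option headers rather than skipping them, because the zero-length and over-long cases are exactly where a careless implementation loops or reads past the packet.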

1) ADDRESS RESOLUTION

Address resolution between IPv6 nodes is an exchange of NS and NA messages whose purpose is to resolve the link-layer address of the on-link next-hop address for a given destination. The sending host sends a multicast NS on the appropriate interface; the destination of the NS is the solicited-node multicast address derived from the target IP address. The NS carries the link-layer address of the sending host in the Source Link-Layer Address option. When the target host receives the NS, it updates its own neighbor cache with the source address of the NS and the link-layer address it carries. The target node then sends a unicast NA to the NS sender, including the Target Link-Layer Address option. Once the sending host receives the NA from the target, it updates its neighbor cache with an entry for the target based on the Target Link-Layer Address option. From this point, unicast IPv6 traffic can be sent between the sending host and the target of the NS [5].

2) DUPLICATE ADDRESS DETECTION

To detect duplicate IPv4 addresses on the local link, IPv4 nodes use ARP Request messages in a method known as gratuitous ARP. Likewise, IPv6 nodes use NS messages to detect duplicate addresses on the local link in a process known as DAD, which is described in [RFC4862] [5]. In IPv4 gratuitous ARP, the Source Protocol Address and Target Protocol Address fields of the ARP Request are both set to the IPv4 address being checked for duplication. In IPv6 DAD, the Target Address field of the NS message is set to the IPv6 address being checked for duplication [14]. If a multicast NA is received with that Target Address, the node disables the use of the duplicate address on the interface. If no Neighbor Advertisement defending the address is received, the address is initialized on the interface. An IPv6 node does not perform DAD for anycast addresses.

3) NEIGHBOR UNREACHABILITY DETECTION
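Before turning to NUD, the address resolution and DAD exchanges of the previous two subsections simulated on one link, as an added example rather than code from the paper: the Link and Node classes, the message dictionaries and the node addresses are this example's own constructions, and the DAD wait timer is replaced by an explicit finish_dad() call.

```python
"""Simulation of the address resolution and DAD exchanges described above on a
single link. Added example, not the paper's code; Link and Node are this
example's own abstractions of RFC 4861 behaviour, with the timers elided."""
import ipaddress

ALL_NODES = "ff02::1"
UNSPECIFIED = "::"


def solicited_node_mcast(addr):
    """ff02::1:ffXX:XXXX, formed from the low 24 bits of the target address."""
    low = ipaddress.IPv6Address(addr).packed[-3:]
    return str(ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + low))


class Link:
    def __init__(self):
        self.nodes, self.log = [], []      # log: (sender_mac, dst, message)

    def send(self, sender, dst, msg):
        """Deliver to every other attached node, like a broadcast segment."""
        self.log.append((sender.mac, dst, dict(msg)))
        for node in list(self.nodes):
            if node is not sender:
                node.receive(dst, msg)


class Node:
    def __init__(self, link, mac, addr=None):
        self.link, self.mac = link, mac
        self.addrs = {addr} if addr else set()   # addresses that passed DAD
        self.tentative = None     # address currently undergoing DAD
        self.dad_failed = False
        self.cache = {}           # neighbor cache: IPv6 address -> link-layer
        link.nodes.append(self)

    def resolve(self, target):
        """Address resolution: multicast NS to the target's solicited-node group."""
        src = next(iter(self.addrs))
        self.link.send(self, solicited_node_mcast(target),
                       {"type": "NS", "src": src, "target": target,
                        "src_lladdr": self.mac})
        return self.cache.get(target)        # filled in by the unicast NA

    def start_dad(self, addr):
        """DAD: NS with the unspecified source and the tentative address."""
        self.tentative, self.dad_failed = addr, False
        self.link.send(self, solicited_node_mcast(addr),
                       {"type": "NS", "src": UNSPECIFIED, "target": addr})

    def finish_dad(self):
        """After the DAD wait: assign the address unless someone defended it."""
        ok = not self.dad_failed
        if ok:
            self.addrs.add(self.tentative)
        self.tentative = None
        return ok

    def _listens_to(self, dst):
        mine = self.addrs | ({self.tentative} if self.tentative else set())
        return (dst == ALL_NODES or dst in self.addrs
                or dst in {solicited_node_mcast(a) for a in mine})

    def receive(self, dst, msg):
        if not self._listens_to(dst):
            return
        target = msg["target"]
        if msg["type"] == "NS":
            if target == self.tentative:
                self.dad_failed = True       # another node probing our address
            elif target in self.addrs and msg["src"] == UNSPECIFIED:
                # DAD probe for an address we own: defend it with a multicast NA
                self.link.send(self, ALL_NODES,
                               {"type": "NA", "src": target, "target": target,
                                "solicited": False, "tgt_lladdr": self.mac})
            elif target in self.addrs:
                # address resolution: learn the sender, reply with a unicast NA
                self.cache[msg["src"]] = msg["src_lladdr"]
                self.link.send(self, msg["src"],
                               {"type": "NA", "src": target, "target": target,
                                "solicited": True, "tgt_lladdr": self.mac})
        elif msg["type"] == "NA":
            if target == self.tentative:
                self.dad_failed = True       # someone defended the address
            elif dst in self.addrs:
                self.cache[target] = msg["tgt_lladdr"]


def run_scenarios():
    """Constructed link with nodes A, B and C; returns the observable outcomes."""
    link = Link()
    a = Node(link, "00:00:5e:00:53:0a", "2001:db8::a")
    b = Node(link, "00:00:5e:00:53:0b", "2001:db8::b")
    resolved = a.resolve("2001:db8::b")          # 1. A resolves B's address
    c = Node(link, "00:00:5e:00:53:0c")
    c.start_dad("2001:db8::c")                   # 2. DAD for a free address
    dad_free = c.finish_dad()
    c.start_dad("2001:db8::b")                   # 3. DAD for B's address
    dad_dup = c.finish_dad()
    return {"resolved": resolved, "b_learned_a": b.cache.get("2001:db8::a"),
            "dad_free": dad_free, "dad_dup": dad_dup, "c_addrs": set(c.addrs),
            "messages": [(m["type"], dst) for _, dst, m in link.log]}
```

Scenario 3 is the legitimate case of the DAD exchange that the DAD DoS attack in Section III abuses: any node that answers the probe, owner or not, stops the tentative address from being assigned.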

A neighboring node is considered reachable when it has been confirmed that the node received and processed the IPv6 packets sent to it. NUD does not necessarily verify the end-to-end reachability of the destination, since the neighboring node, which may be a router or a host, is not necessarily the final destination of the packet. NUD verifies only the reachability of the first hop toward the destination [5].

4) ROUTER DISCOVERY

Router Discovery is the process by which nodes discover the set of routers on the local link. IPv6 router discovery is analogous to IPv4 ICMP Router Discovery, described in [RFC1256]. ICMP Router Discovery is a set of ICMP messages that lets IPv4 hosts determine the existence of local routers, automatically configure a local router as their default gateway, and switch to a different router as their default gateway when the current one becomes inaccessible. The RA message in IPv6 router discovery carries an Advertisement Lifetime field, which gives the time after which the router can be considered non-functional. When a router becomes unavailable, hosts would not attempt to identify a new default router until that lifetime had passed. However, because NUD also determines that a router is unavailable or inaccessible, the host either immediately selects a new router from its default router list or sends an RS to determine whether additional default routers are available [5].

5) REDIRECT FUNCTION

Routers use the Redirect function to inform an originating host of a better first-hop neighbor to which traffic should be forwarded. Redirect is used in two cases. First, a router informs the originating host of the IP address of another router on the local link that is closer to the destination, where closer is defined by a routing metric for reaching the destination network segment. This can happen when there are multiple routers on a network segment and the default router chosen by the originating host is not the closest one to the destination. Second, a router informs the originating host that the destination is a neighbor. This can happen when the destination's prefix is not included in the host's prefix list: because no prefix in the list matches the destination, the originating host forwards the packet to its default router [5]. Only the first router between source and destination sends Redirect messages. Hosts never send Redirect messages, and routers never update their routing tables on receipt of a Redirect message. Redirect messages are rate limited in the same way as ICMPv6 error messages.

III. NEIGHBOR DISCOVERY PROTOCOL VULNERABILITIES

Internet use among the public keeps growing, and a lack of trust among users is observed in such environments, so securing NDP is a mandatory task. A huge number of NDP messages can flood a network, causing connected devices to freeze or become disconnected. Because of the limitations of its existing defense methods, NDP is still susceptible to a number of different network-based attacks, and these vulnerabilities must be taken into account before an IPv6 protocol stack is deployed. According to [RFC3756], NDP vulnerabilities fall into three common types. The first is redirect attacks, in which malicious nodes direct packets away from the last-hop router, so that the packets can no longer be traced from that router and traffic meant for genuine receivers is delivered to other nodes instead. The second is denial of service (DoS), in which the attacker prevents the flow of information between the attacked node and all other nodes, or between the attacked node and specific intended addresses. The third is flooding DoS [15], in which malicious nodes direct the traffic of other hosts to a victim node, creating a flood of bogus traffic aimed at the victim host. The following subsections classify threats by their relation to the routing process: threats that are router-connected or related to routing data, threats that are router-independent or unrelated to routing data, and threats that can be mounted remotely. We use the NDP trust models and threats in [RFC3756] to outline these categories of vulnerabilities.

A. NON ROUTING-BASED THREATS

1) NEIGHBOR SOLICITATION/ADVERTISEMENT SPOOFING

FIGURE 2. Neighbor solicitation/advertisement spoofing attack.

The attack succeeds because the neighbor cache entry is overwritten with the new link-layer address, replacing the old entry [14]. As long as the spoofed link-layer address is valid, packets continue to be redirected, provided that the attacker responds to the unicast NS messages sent as part of NUD, as shown in Fig. 2. This is known as a redirect/DoS attack.

2) NEIGHBOR UNREACHABILITY DETECTION (NUD) FAILURE

Besides monitoring routers with the NUD procedure, nodes on the link monitor the reachability of local destinations. Nodes usually rely on upper-layer information to determine whether peer nodes are still reachable. If no replies are received from a peer node, or if there is an obviously long delay in upper-layer traffic, the NUD procedure is invoked and the node sends a targeted NS to the peer. The peer replies with an NA if it is still reachable. If no reply is received, the soliciting node tries a few more times and ultimately deletes the neighbor cache entry; if deemed necessary, the standard address resolution procedure is then triggered to learn the new MAC address. Once this procedure has flushed the neighbor cache entries, after determining (perhaps falsely) that the peer is not reachable, no higher-level traffic can proceed. A malicious node can keep sending fabricated NAs in response to NUD NS messages [16], and if NA messages are not protected in some way the attacker can use this technique to extend the attack. The actual consequences depend on why the node became unreachable in the first place, and on how the target node behaves once it learns that the node has become inaccessible [4]. This is referred to as a DoS attack.

FIGURE 3. Duplicate address detection attack.

3) DUPLICATE ADDRESS DETECTION DoS ATTACK

On networks where entering hosts acquire their addresses using SLAAC, an attacking node can launch a DoS attack by responding to every DAD attempt [17]. If the attacker keeps claiming the address, the host never acquires one [3]; the attack is shown in Fig. 3. The address can be claimed in two ways: by replying with an NA pretending that the address is already in use, or by replying with an NS pretending that DAD is being performed for the same address. The issue can also arise with other kinds of address setup, i.e., whenever DAD is invoked before the proposed address is actually configured. This is referred to as a DoS attack.

FIGURE 4. Malicious Last Hop Router attack.

FIGURE 5. Default router is killed attack.

B. ROUTING BASED THREATS

1) MALICIOUS LAST HOP ROUTER

In a malicious last hop router attack, an attacking node in the same subnet as the victim pretends to be the last-hop router, as in Fig. 4. It does so either by unicasting an RA in response to an RS or by multicasting a legitimate-looking IPv6 RA. Once the attacker succeeds in posing as the legitimate last-hop router, it can mount a MitM attack and redirect traffic from the victim's machine. Once accepted as a legitimate router, it can also send Redirect messages to hosts and then disappear, covering its tracks; this is a redirect/DoS attack [10].

2) DEFAULT ROUTER IS KILLED

In this attack the attacker kills the default router(s). As a result, the nodes on the link assume that all destinations are local: according to [RFC2461], when the Default Router List is empty the sender assumes that the destination is on-link. Therefore, if the attacker makes a node believe that no default routers exist on the link, the node will try to send packets directly using Neighbor Discovery, and the attacker can then use NS/NA spoofing even against off-link destinations. The attacker can kill the default router(s) in a number of ways. One is to send a spoofed RA with a zero Router Lifetime, as in Fig. 5. Another is to launch a classic DoS attack against the router so that it no longer appears responsive. This is primarily a DoS attack, but traffic can also be redirected to the next best router, which might be the attacker [18].

3) GOOD ROUTER GOES BAD

In this attack, a router that was previously trusted is compromised. This is a redirect/DoS attack [15].

4) SPOOFED REDIRECT MESSAGE

For a given destination to any link-layer address on the link, the redirect message can be used to send packets through. To send a redirect message to a legitimate host, the linklocal address of the current first-hop router is used by the attacker. The host accepts the redirect message since the message is identified by the link-local address as coming from its first hop router. The redirect will remain valid provided that the attacker responds to NUD probes to the link-layer address [19]. This is a redirect/DoS attack. 5) BOGUS ON-LINK PREFIX

An attacking node can send an RA message specifying that some prefix of arbitrary length is on-link. A host that believes the prefix is on-link will never send a packet for that prefix to the router. Instead, the host performs address resolution by sending an NS, but no response to the NS ever arrives, and service is denied to the attacked host [15]. This is a DoS attack.

6) BOGUS ADDRESS CONFIGURATION PREFIX

An attacking node can send an RA message containing an invalid subnet prefix for address autoconfiguration. A host executing the address autoconfiguration algorithm uses the advertised prefix to construct an address, even though that address is not valid for the subnet. As a result, the host never receives the return packets, since its source address is not valid [16]. This is a DoS attack.

7) PARAMETER SPOOFING

RA messages carry a few parameters that hosts use when sending packets, and through which routers tell hosts whether or not stateful address configuration should be performed. An attacking node can send a valid-seeming RA that duplicates the RA of the legitimate default router, except that the included parameters are chosen to disrupt legitimate traffic [4]. This is a DoS attack.

C. REPLAY THREATS

1) REPLAY ATTACKS

All router discovery and neighbor discovery messages are susceptible to replay attacks. An attacker can capture valid messages and replay them later, even if they were cryptographically secured. Hence, a mechanism for protection against replay attacks must be established [18].

2) NEIGHBOR DISCOVERY DoS ATTACK

In this attack, the attacker fabricates addresses with the subnet prefix and continuously sends packets to them. The last-hop router attempts to resolve these addresses by sending Neighbor Solicitation packets. A legitimate host attempting to join the network is then denied Neighbor Discovery service by the last-hop router, which is already busy sending the other solicitations. This DoS attack differs from the others in that the attacker may be off-link. The resource under attack is the router's conceptual neighbor cache, which fills up with attempts to resolve IPv6 addresses that have a valid prefix but an invalid suffix [15]. This is also a DoS attack.

IV. COUNTERMEASURES
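As a first, detection-side countermeasure to the threats listed in Section III, a passive ND monitor in the spirit of tools such as NDPmon, written here as an added example rather than code from the paper: the decoded-event format, the alert thresholds and the site policy of authorized router MACs and prefixes are this example's own assumptions, and the event trace is constructed.

```python
"""Passive ND monitor for the threats of Section III, in the spirit of tools
like NDPmon. Added example, not the paper's code; the event dicts, thresholds
and the authorized-router/prefix policy are this example's own assumptions."""
from collections import defaultdict

# Assumed site policy: MACs allowed to send RAs and prefixes they may announce
ROUTERS = {"00:00:5e:00:53:01"}
PREFIXES = {"2001:db8:1::/64"}


class NDMonitor:
    def __init__(self, routers=ROUTERS, prefixes=PREFIXES, ns_burst=20):
        self.routers, self.prefixes, self.ns_burst = routers, prefixes, ns_burst
        self.cache = {}                     # ip -> mac first learned from an NA
        self.claims = defaultdict(set)      # mac -> targets it answered NAs for
        self.ns_window = defaultdict(set)   # (mac, second) -> NS targets seen
        self.alerts = []                    # (kind, time, mac, detail)

    def _alert(self, kind, ev, detail):
        self.alerts.append((kind, ev["t"], ev["mac"], detail))

    def feed(self, ev):
        """Consume one decoded ND message (an RA, NA or NS event dict)."""
        handler = {"RA": self._check_ra, "NA": self._check_na,
                   "NS": self._check_ns}.get(ev["type"])
        if handler:
            handler(ev)

    def _check_ra(self, ev):
        if ev["mac"] not in self.routers:    # malicious last hop router
            self._alert("rogue_router", ev, "RA from unauthorized MAC")
        if ev.get("router_lifetime", 1) == 0:
            # 'default router is killed': a zero lifetime withdraws the router
            self._alert("router_lifetime_zero", ev, ev["src"])
        for prefix in ev.get("prefixes", []):
            if prefix not in self.prefixes:  # bogus on-link/autoconfig prefix
                self._alert("bogus_prefix", ev, prefix)

    def _check_na(self, ev):
        ip, mac = ev["target"], ev["tgt_lladdr"]
        old = self.cache.setdefault(ip, mac)   # keep the first binding seen
        if old != mac:
            # NS/NA spoofing: an NA tries to overwrite a known IP->MAC binding
            self._alert("mapping_changed", ev, f"{ip}: {old} -> {mac}")
        self.claims[mac].add(ip)
        if len(self.claims[mac]) == 4 and not ev.get("solicited", True):
            # one MAC defending many addresses with unsolicited NAs: DAD DoS
            self._alert("dad_defender", ev, f"{len(self.claims[mac])} targets")

    def _check_ns(self, ev):
        key = (ev["mac"], int(ev["t"]))
        self.ns_window[key].add(ev["target"])
        if len(self.ns_window[key]) == self.ns_burst:
            # a router resolving many distinct targets per second: ND DoS flood
            self._alert("ns_flood", ev, f"{self.ns_burst} targets in 1 s")


# Constructed trace: a legitimate RA, an NA that rewrites a known binding, an
# RA with lifetime 0 and a bogus prefix from an unknown MAC, one MAC answering
# several DAD probes, and a burst of router NSs for addresses nobody owns.
TRACE = [
    {"t": 0.0, "type": "RA", "mac": "00:00:5e:00:53:01", "src": "fe80::1",
     "router_lifetime": 1800, "prefixes": ["2001:db8:1::/64"]},
    {"t": 1.0, "type": "NA", "mac": "00:00:5e:00:53:10", "target": "2001:db8:1::10",
     "tgt_lladdr": "00:00:5e:00:53:10", "solicited": True},
    {"t": 2.0, "type": "NA", "mac": "00:00:5e:00:53:66", "target": "2001:db8:1::10",
     "tgt_lladdr": "00:00:5e:00:53:66", "solicited": False},
    {"t": 3.0, "type": "RA", "mac": "00:00:5e:00:53:66", "src": "fe80::66",
     "router_lifetime": 0, "prefixes": ["2001:db8:bad::/64"]},
] + [
    {"t": 4.0 + i, "type": "NA", "mac": "00:00:5e:00:53:66",
     "target": f"2001:db8:1::{100 + i:x}", "tgt_lladdr": "00:00:5e:00:53:66",
     "solicited": False} for i in range(4)
] + [
    {"t": 9.0 + i / 50, "type": "NS", "mac": "00:00:5e:00:53:01",
     "target": f"2001:db8:1::dead:{i:x}"} for i in range(25)
]


def run_monitor(trace=TRACE):
    """Feed the trace through a fresh monitor and return its alerts."""
    mon = NDMonitor()
    for ev in trace:
        mon.feed(ev)
    return mon.alerts
```

The monitor only observes; acting on its alerts (for example by re-announcing the correct binding) is where solutions in the literature differ, which is the subject of the rest of this section.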

Spoofing the physical address is not unique to IPv6; the problem also exists in the IPv4 world, and many researchers have presented solutions. Because the attacks in both worlds are based on fabricating the physical address, and because this paper aims to provide a comprehensive source for researchers, we also review the solutions presented for ARP spoofing attacks. Some techniques from the IPv4 world could be redesigned to be IPv6 compatible. In what follows we first give an overview of the literature on ARP spoofing in the IPv4 world and then move on to the problem in the IPv6 world. The available IPv6 literature can be classified into four categories: i) solutions that use IPsec, ii) SEcure Neighbor Discovery (SEND), iii) solutions that enhance SEND and Cryptographically Generated Addresses (CGA), and iv) standalone solutions.

A. ADDRESS RESOLUTION PROTOCOL

ARP spoofing is a practice by which an attacker pretending another node identity to disrupt the flow of the network traffic. Usually, this happens by associating the attacker physical address with another node source IP address [19]. By performing ARP spoofing attacks or ARP cache poisoning, an attacker can imitate another host and gain access to private data [20]. The attacker can use spoofing for a diverse range of purposes, for instance, to create a DoS attack, to control MitM attack, to abuse the trust relation between the legitimated nodes and to hide the attacker’s identity. Many solutions are presented by researchers to solve such a problem. Reference [22] came up with a successive strategy by incepting outer hardware component to the LAN connection VOLUME 5, 2017

to act as a sniffer. These external components are arranged in a coherent architecture so that they operate within the working LAN. The results of this work are good, yet the method relies on external equipment. Reference [23] tries to detect and prevent ARP spoofing by extending the Snort processor plug-ins and adding an ARP detection unit. A new Discrete Event System (DES) method was proposed by [24] and [25] for detecting the ARP spoofing attack. The methodology does not need any additional requirements such as static IP-MAC mappings or a violation of the network layering model; however, it increases the ARP traffic because it fails to offer authenticated and spoofed tables. A new approach for identifying ARP attacks, proposed by [26], is built around low-end networking gear running OpenWrt firmware. The method blocks all ARP attacks, but at the expense of reduced performance, particularly for ARP replies. Reference [27] came up with another scheme to mitigate the ARP poisoning MitM attack, built around two key concepts: a long-term IP/MAC mapping table and computational-puzzle-based voting. The long-term table protects the IP/MAC addresses of all working nodes in the subnet from the ARP cache poisoning attack. The computational-puzzle-based voting prevents the ARP-poisoning-based MitM attack whenever a node is restarted or a new node joins the link. A Secure Unicast Protocol (S-UARP) to protect from ARP spoofing was introduced by [28]. S-UARP changes the transmission nature of ARP to unicast, which makes it centralized and secure. Furthermore, the proposal gives an outline for a protected and secure DHCP. S-UARP is more efficient in terms of performance and security because of the unicast nature of the S-UARP request, which is directed only to the secured DHCP server. A new architecture to identify ARP spoofing attacks on switched networks was suggested by [29]. Their architecture requires no additional software to be installed on the nodes. Rather, it assigns the task of detection to one or more detection machines. Their experiments demonstrated that the architecture was good at recognizing ARP attacks without producing false positives. Still, attackers can hide behind high-volume traffic and stay unidentified for reasonably long stretches. As a way to confine the extent of ARP attacks, [30] recommended that the system be divided into a large number of subnetworks with a small number of nodes on each subnet. The main drawback of this methodology is the additional administration cost involved. A middleware methodology for asynchronous and backward-compatible detection and prevention of ARP cache poisoning attacks was introduced by [31]. Their implementation requires a Streams-based protocol stack, but could be ported to other platforms. The proposed mechanism forbids unsolicited ARP replies and raises alerts when a reply conflicts with the currently cached ARP record. Deploying this plan requires the installation of the middleware on every single device within the network. The middleware was additionally designed to work in the presence of gratuitous ARP messages and proxy ARP servers. One critical disadvantage of this method is that, since it relies on redundancy to identify attacks, it does not prevent or detect attacks in which the host being spoofed is down or being DoSed. Reference [32] proposed an architecture for resolving IP addresses into hardware addresses over an Ethernet. The architecture comprises a secure server joined to the link and two protocols used to communicate with the server, an invite-accept protocol and a request-reply protocol. This mechanism is not practical, as it requires modifying the ARP deployment of each host with the newly proposed ARP. Another drawback of this mechanism is that the secure server represents a single point of failure in the network, and becomes an obvious target for DoS attacks. Many mechanisms that use cryptographic solutions to validate the origin of ARP frames have been introduced. References [33], [34] provide security by distributing centrally generated secure IP-MAC address binding validations (named tickets) via existing ARP messages. Those tickets are centrally produced and signed by a Local Ticket Agent (LTA), and carry an expiry time. Hosts attach those tickets to ARP replies to allow the recipient to check the legitimacy of address associations. A backward-compatible extension to ARP that relies on public key cryptography to validate ARP replies was introduced by [35]. For this mechanism to be deployed in the network, each node to be protected must be altered to use the Secure Address Resolution Protocol (S-ARP) rather than ARP. Furthermore, a certification authority, called the Asynchronous Key Distributor (AKD), which is contacted to get the public key of a node so that replies can be validated by checking the attached signature, must exist.

A. S. A. Mohamed Sid Ahmed et al.: IPv6 NDP Specifications, Threats and Countermeasures: A Survey
The AKD also distributes its clock value so that the other nodes can synchronize to it. A disadvantage of this approach is that the AKD constitutes a single point of failure in the network. If the AKD is down, a node cannot verify ARP packets sent by a previously unknown node. Even when the AKD is working properly, an attacker can impersonate a node that goes down by propagating the MAC address of that node (though only until the cached record of the attacked node expires). Reference [36] proposed a modification to S-ARP based on a combination of digital signatures and hash-chain-based one-time passwords to verify ARP IP-MAC mappings. Their approach is built on the same architecture as S-ARP, yet its smart use of cryptography allows it to be considerably faster. A host-based Intrusion Detection System (IDS) was proposed in [37]. The solution uses an active probing mechanism to recognize the ARP attack. At present the solution can only detect the attacks. An active technique to identify ARP spoofing by injecting ARP request and TCP SYN packets into the link to test

for inconsistencies was proposed in [38]. The method is faster, smarter, more scalable and more reliable in discovering ARP attacks than the passive techniques. Reference [39] suggested an ARP spoofing attack identification method that applies the data mining techniques Naïve Bayes, Decision Tree (C4.5) and Support Vector Machine (SVM) to Simple Network Management Protocol (SNMP) traffic data. A summary of the best countermeasures for ARP is given in TABLE 3.

B. INTERNET PROTOCOL SECURITY

Implementations based on IPv6 are strictly required to provide IPsec [40], [41]. Hence, current operating systems and devices offer IPsec that conforms to established standards [42]. However, compliance with the IPsec requirements has not been as aggressive as expected because of problematic standardization processes and the extensive use of the Secure Socket Host (SSH) [43] and Transport Layer Security (TLS) [44] protocols [45]. Nevertheless, the progress of IPsec is noteworthy because it has prompted the use of IPsec as a universal solution to security problems [46]. IPsec is used to ensure that the IP packets exchanged between the network/IP layer and the transport layer remain confidential and accurate. The protocol comprises the AH protocol, the ESP protocol, and the Internet Key Exchange (IKE) protocol. The AH protocol [47] mainly keeps transmitted packets private and accurate. The ESP protocol [48] ensures the authenticity of the origin in the encryption process. The IKE protocol [49] uses a Diffie–Hellman key exchange mechanism to prepare security associations (SA) for IPsec communication. Specifically, hosts validate each other when running the IKE protocol, and a successful validation allows a normal key distribution. The establishment of the SA subsequently facilitates IPsec communication and ensures the confidentiality and integrity of data. The two modes of IPsec shown in Fig. 6, namely the transport mode and the tunnel mode, enable users to implement IPsec under various network environments [50], [51].

FIGURE 6. IPsec modes.

IPsec under the transport mode protects the information being delivered from the transport layer to the network layer. Essentially, the payload meant for encapsulation in the network layer, which is also referred to as the network layer payload, is protected under the transport mode of IPsec [52]. In this IPsec mode, the IPsec header and trailer are first added to the information originating from the transport layer, followed by the addition of the IP header. We must note that IPsec only protects the information supplied by the transport layer and not the added IP header. Typically, the transport mode is implemented in instances that necessitate node-to-node data protection. Specifically, the sending node authenticates and/or encrypts the payload from the transport layer through IPsec. Using the same protocol, the receiving host checks the authentication and/or decrypts the packet before forwarding it to the transport layer. On the contrary, IPsec under the tunnel mode protects entire IP packets. In this mode, IPsec applies its security mechanisms to IP packets, including their headers, and subsequently adds new IP headers [53]. Notably, the information held by the new IP headers is not the same as that held by the original IP headers. The tunnel mode is generally implemented in instances involving two routers, a host and a router, or a router and a host. That is, the tunnel mode is used when neither the sender nor the receiver is a host. Under this mode, IPsec protects the original packets from intrusions generated by the sender and receiver such that the original packets appear to pass through an imaginary tunnel. The original draft of NDP required the use of IPsec as a way to ensure the protection of NDP messages. Nonetheless, its use is impractical because of the substantial number of manually configured SAs required for ensuring the protection of NDP [54], [55].

TABLE 3. Best ARP countermeasures.

FIGURE 7. IPsec chicken and egg problem.

Presently, the prominent strategy for creating IPsec SAs, the IKE protocol, is both relatively heavyweight and requires that the underlying IP stack is already fully functional, at a minimum to the point that the Unit Datagram Protocol (UDP) may be used. As a result, the combination of the broad obligation to use IPsec and the relative heavy weight of IKE creates an endless loop that is a potential source of DoS attacks. Moreover, if we want to use IPsec to secure IPv6 auto-configuration, a chicken-and-egg obstacle is created: fully functional IPsec is required to set up IP, and fully functional IP is required to set up IPsec [56], [57], as per Fig. 7.


In addition, IKE has various shortcomings, the three most important being that the number of rounds is high, that it is vulnerable to DoS attacks, and the complexity of its specifications. This complexity has led to interoperability issues, to such an extent that, many years after its initial adoption by the IETF, there are still completely non-interoperating deployments [58]. As an attempt to use IPsec for securing NDP, [59] proposed the model structure of IPsec-SEND. The model consists of the design of a management protocol as well as multicast IKE. Inside this model, the AH protocol is used as the communication protocol of the security neighbor discovery protocol (SNDP), providing authentication, integrity and anti-replay protection. An authentication method that binds the IP address and the MAC address is used, which helps to prevent attacks designed to falsify the IP address. The neighbor nodes on a link are characterized as a group. Every node is a member of the group; a neighbor group comprises group members and a neighbor controller. The special administrator of a neighbor group (NG) is called the neighbor controller (NC). The NC of an NG manages the different multicast and unicast groups in the system. In this model, the IP address along with the link-layer address is bound into the AH authentication data. In addition, a star-structured key management algorithm was presented. The multicast present in the Multi-point Internet Key Exchange (MIKE) protocol is used, and a star key management algorithm based on multicast is also proposed. Because IPsec is the default security protocol in IPv6, security is increased and the approach has practical importance. The limitation of this methodology is its reliance on a single machine, the NC; once it fails, all nodes go down. Reference [60] introduced a design to share the authentication data between the SEND mechanism and the IPsec protocol.
The system performance was improved by minimizing the validation process during IPsec negotiation, resulting in the effective running of IPsec with the SEND protocol. Furthermore, a significant reduction in the resource consumption of mobile devices was reported. Through sharing the host's validation data with the SEND mechanism, a decrease in the cost incurred by the IPsec protocol to maintain a safe communication medium is expected.

C. SECURE NEIGHBOR DISCOVERY

FIGURE 8. SEND components and functions.

Due to feedback regarding the vulnerability of NDP, the IETF developed SEND [61]. The motive of SEND is to add three features to NDP: proof of address ownership, a router authorization process, and message protection. Four options, comprising CGA, RSA Signature, Timestamp and Nonce, along with two ICMPv6 messages, are proposed by SEND, as in Fig. 8, in order to attain these enhancements [62]. The responses of SEND to NDP attacks are given in TABLE 4. SEND itself is still susceptible to particular security attacks, specifically DoS attacks, even though it offers protection procedures to NDP and the IPv6 evolution [18]. For instance, there is a possibility that the victim host or router could be harmed by an intruder producing a huge number of packets that the victim has to verify. The Authorization Delegation Discovery (ADD) DoS attack is another category of attack to which SEND is exposed. A target router may be flooded by an attacker requesting a huge number of certification paths to be explored for diverse trust anchors. Furthermore, attackers could target hosts by dispatching an abundant quantity of worthless certification paths so as to force them to devote unnecessary verification resources and memory to those certification paths. Besides these DoS attacks, SEND has the drawback that producing a CGA is quite costly, which ultimately hinders mobile devices with restricted resources [63]. SEND implementations up to date are summarized in TABLE 5. A controlling-based scheme that diversifies NDP messages was offered in [64]. In this scheme, as soon as an IPv6 access router obtains an IP packet, it examines whether the target IP address exists on the destination LAN by consulting the Neighbor Information Table (NIT). The router delivers the NDP message (i.e., NS message) linked to the packet with the best Quality of Service (QoS) in the packet forwarding service only if the NIT contains the IP address of the incoming packet. If not, the NDP message is sent by the router with degraded QoS. In order to learn the topology of the destination LAN (i.e., to build the NIT), all NS messages arising from the destination are absorbed by the router. Nevertheless, network monitoring is the foundation of this system and it is only an attack detection technique. A Local Authentication Process is presented by [65].
According to this solution, only those nodes that have been authorized by presenting a legal token issued by a local trustworthy node can connect to the network. The token permits a node to confirm its link-local address as well as its possession of the public key. Moreover, the security parameter has to be encoded, along with the address type, into the address bits. This can be a source of further functional problems and other complications. If the security parameter were encoded into the IP address and able to bind a protocol message, an attacker could distort the values and attack a weaker procedure than the one picked by the address owner.

TABLE 4. SEND responses to NDP threats.

TABLE 5. SEND implementations.

WinSEND, for the Windows family, one of the most widespread and leading operating systems, was implemented by [66]. WinSEND is built on Microsoft .NET. It can be installed or integrated with the Windows platform as a service to deliver the processes of SEND. It presents a user-friendly interface that permits the user to set the desired security parameters. To avoid the interruption arising from the CGA creation algorithm, WinSEND has the capability to store the CGA in an Extensible Markup Language (XML) file. Whenever a node is connected to a new subnet, these parameters are modified. A multi-core-based SEND implementation to accelerate SEND processing was offered by [67]. The offered methodology detects the number of processors existing on a device and creates a corresponding number of worker threads computing the Hash2 condition. To allocate the CGA computation to all the cores, a parallelization approach is implemented. As soon as one thread satisfies the CGA Hash2 condition, the others stop. By using the parallel technique, the processing time has been reduced remarkably by increasing the number of cores in the processing device.

The IETF SEND working group structured and standardized the SEND protocol, which was promoted as the NDP defense procedure to protect NDP. However, it cannot support NDP Proxy in a protected manner, which is significant for mobility. Consequently, the latest procedure, known as Multi-Key Cryptographically Generated Addresses (MCGAs), was presented. CGA must be extended to support mobility in the SEND protocol. The extension of CGA was planned by [68], the process is named MCGAs, and it was carried out by [69]. An extension to SEND for the protection of proxying is proposed by [68], which provides an arrangement by which CGAs can be extended to cover more than one host. The resulting multi-key CGAs and ring signatures are used to extend the SEND protocol to support safe address proxying. Whenever the host possessing the address is on the link, the SEND extension permits a router on the link to proxy a CGA. MCGAs comprise two ideas. The first is quite simple: it is used to obtain a CGA using multiple keys. The other is used to produce and verify signatures by adapting the Rivest-Shamir-Tauman (RST) ring signature. The ring signature is a category of signature that can be produced using the private key of any node from a collection of nodes; however, it requires the public keys of all group members to validate. Due to these two ideas, MCGAs can be securely proxied by all nodes that add keys to the address. Moreover, MCGAs prevent any new mobile node arriving on the link from laying claim to the mobile node's address. Besides, it preserves location confidentiality: the receiver cannot determine whether the node or the proxy is securing the address, and therefore whether the node is on or off the link. Reference [70] offers a substitute way and presents the MCGA idea. SEND's signature algorithm agility extensions are the basis of this proposal, with the intention to bind multiple public keys to an address. For instance, it permits numerous nodes to appropriately share and defend the same address and hence solves the proxy neighbor discovery and anycast complications. However, the solution has some restrictions arising from the MCGA's storing of various public keys. It is recommended that SEND-protected NDP messages include the CGA Option carrying the multiple public keys extensions. Consequently, the length of the message grows in proportion to the number of public keys, depending on the security level of the node's public key and the security level of the proxy(s)'s public key(s). The total strength of the MCGA is determined by the weakest public key. Hence, it is crucial to provision all the nodes of the same administrative domain with similarly secure types and sizes of public keys whenever feasible. Lastly, after the CGA address is produced, it is not possible to remove a proxy. When new proxies arrive on the network, this restriction proves to be harmful, particularly for reliable connections.
A mechanism to deliver the safeguards of the SEND protocol in the Mobile IPv6 environment is proposed by [71]. It protects SEND from part of the DoS attacks by involving a set message interaction prior to CGA verification, without a Certificate Authority (CA) or any other security arrangements. In this procedure, an uncomplicated hash verification of the CGA property of the address is performed before the costlier signature authentication. However, even after successful CGA verification, no assertion regarding the authenticity of the message can be made until the signature is inspected. MCGA is offered by [72]. In this process, the host is able to apply confidentiality to the ICMPv6 message following the IPv6 base header for the SEND and SLAAC services. Replay attacks, DDoS attacks, and IP-MAC binding attacks can be obstructed by it as well. Its basic motive is therefore the delivery of both nodes' hashed 64-bit interface identifiers of the IPv6 address, dispatched by the correspondent and containing the public key of the address owner. In order to support hash agility in SEND, [73] recommend the negotiation approach. Cryptographic negotiation can be done either in an a la carte way or based on compromised suites. The best solutions covered by this literature to enhance SEND are summarized in TABLE 6.

TABLE 6. SEND best countermeasures.

D. CRYPTOGRAPHICALLY GENERATED ADDRESSES

CGAs are IPv6 addresses whose Interface Identifier (IID) is produced by computing a cryptographic one-way hash function over a public key and auxiliary parameters. To verify the binding between the public key and the address, the hash value can be recomputed and compared with the IID. To protect the messages sent from an IPv6 address, the public key and auxiliary parameters should be sent along with the message, and the message signed with the corresponding private key. The protection is achieved without a CA or any other security infrastructure. The original protocol for the generation and verification of self-certified IPv6 addresses using CGA is given in [RFC3972]. CGA employs a method known as hash extension, which is controlled by the security parameter sec; this factor linearly scales the number of bits included in the hash extension by forcing 16·sec bits of a second hash value, referred to as Hash2, to zero. The major purpose of CGA is to trade efficiency for security. In the process of producing an address, a computer has to satisfy the hash extension, which lowers the efficiency of address creation. Since a malicious program also has to perform these additional tasks, the security is now stronger than when no hash extension was employed in the creation of the addresses. Verification, on the other hand, takes a fixed amount of time and does not lose efficiency. This makes sure that a malicious attacker has to go through all the procedures first, and in that way inhibits denial of service against the verifiers. TABLE 7 shows the notations used in the CGA procedures [74]. An enhanced protocol to CGA, called CGA++, was developed by [74]. This protocol disposes of many attacks relevant to CGA and enhances the general security. To avoid attacks, the first clear alteration is to incorporate the subnet prefix in the calculation of Hash2. The verifier ought to check the full IPv6 address and not the link-local address only.

TABLE 7. Notations for CGA generation.

TABLE 8. CGA generation time for different sec values.
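The CGA generation and verification described above, as an added example that is not part of the survey or of [RFC3972] itself: Hash1, Hash2, the sec-controlled hash extension, and the constant-cost verifier, which also checks the full address (the point the CGA++ discussion stresses). The subnet prefix and the "public key" bytes are constructed placeholders.

```python
"""RFC 3972 CGA generation and verification (added example).

The "public key" below is a constructed stand-in for the DER-encoded key
RFC 3972 expects; only the hashing structure of CGA is demonstrated.
"""
import hashlib
import ipaddress

# Constructed inputs (not from the paper): a documentation prefix and a
# placeholder byte string standing in for a DER-encoded RSA public key.
SUBNET_PREFIX = ipaddress.IPv6Address("2001:db8:1:1::").packed[:8]
PUBLIC_KEY = b"CONSTRUCTED-STAND-IN-FOR-DER-ENCODED-RSA-PUBLIC-KEY"


def leading_zero_bits(data: bytes) -> int:
    """Number of leading zero bits in a byte string."""
    return len(data) * 8 - int.from_bytes(data, "big").bit_length()


def hash2(modifier: bytes, public_key: bytes) -> bytes:
    """Hash2 = leftmost 112 bits of SHA-1(modifier | 9 zero octets | key).

    The hash extension requires the leftmost 16*sec bits of this value to
    be zero; finding such a modifier is the 2^(16*sec) brute-force cost."""
    return hashlib.sha1(modifier + b"\x00" * 9 + public_key).digest()[:14]


def hash1(modifier: bytes, prefix: bytes, collision_count: int,
          public_key: bytes) -> bytes:
    """Hash1 = leftmost 64 bits of SHA-1(modifier | prefix | count | key)."""
    data = modifier + prefix + bytes([collision_count]) + public_key
    return hashlib.sha1(data).digest()[:8]


def interface_identifier(h1: bytes, sec: int) -> bytes:
    """Write sec into the top 3 bits and clear the u/g bits (bits 6, 7)."""
    iid = bytearray(h1)
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return bytes(iid)


def generate_cga(prefix: bytes, public_key: bytes, sec: int,
                 start_modifier: bytes = bytes(16), collision_count: int = 0):
    """Return (address, cga_parameters, hash2_iterations).

    The modifier starts at a fixed value here so the search is
    deterministic; RFC 3972 starts from a random 128-bit value."""
    if len(prefix) != 8 or not 0 <= sec <= 7:
        raise ValueError("prefix must be 64 bits and 0 <= sec <= 7")
    modifier = int.from_bytes(start_modifier, "big")
    iterations = 0
    while True:  # hash extension: increment the modifier until Hash2 fits
        candidate = modifier.to_bytes(16, "big")
        iterations += 1
        if leading_zero_bits(hash2(candidate, public_key)) >= 16 * sec:
            break
        modifier = (modifier + 1) % (1 << 128)
    iid = interface_identifier(
        hash1(candidate, prefix, collision_count, public_key), sec)
    params = {"modifier": candidate, "prefix": prefix,
              "collision_count": collision_count, "public_key": public_key}
    return ipaddress.IPv6Address(prefix + iid), params, iterations


def verify_cga(address, params: dict) -> bool:
    """RFC 3972 verification: two hashes, constant cost whatever sec is.

    The full address is checked: the prefix in the parameters must equal
    the prefix of the address being verified, so parameters valid for one
    prefix cannot simply be replayed on another subnet."""
    packed = ipaddress.IPv6Address(address).packed
    prefix, iid = packed[:8], packed[8:]
    if params["collision_count"] > 2 or params["prefix"] != prefix:
        return False
    sec = iid[0] >> 5
    expected = interface_identifier(
        hash1(params["modifier"], prefix, params["collision_count"],
              params["public_key"]), sec)
    if expected != iid:
        return False
    # Hash2 check: with sec == 0 no zero bits are required, so it passes
    return leading_zero_bits(
        hash2(params["modifier"], params["public_key"])) >= 16 * sec


if __name__ == "__main__":
    for sec in (0, 1):
        addr, params, n = generate_cga(SUBNET_PREFIX, PUBLIC_KEY, sec)
        print(f"sec={sec}: {addr} after {n} Hash2 evaluations, "
              f"verifies={verify_cga(addr, params)}")
```

With sec=1 the search needs on the order of 2^16 Hash2 evaluations, which is the generation-time growth TABLE 8 tabulates; verification stays at one Hash1 plus one Hash2 regardless.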

FIGURE 9. CGA generation flow.

In Cryptographically Generated Addresses, the address generation cost is 2^(16·sec) + 1. This is mainly for security reasons, taking sec > 0, while the address verification cost is fixed (Time = 2). The total expected time necessary to fulfill the Hash2 demands is shown in TABLE 8 [75]. These outcomes match the performance outcomes in [76]. From the table, we can note that it is impractical to create an address with an increased security parameter sec. Fig. 9 shows the sequence and processes of generating a CGA. Reference [77] offered a methodology to improve CGA: it detects the number of available CPUs on a device and produces an equal number of worker threads to compute the Hash2 condition. The motive of the parallelization procedure is to allocate the CGA computation to all the cores. As soon as one thread fulfils the CGA Hash2 constraints, the others stop. The speedup is highly elevated with the parallel technique by increasing the number of CPUs in the computing machine. Another CGA mechanism whose verification requires fewer than 10 modular multiplications was introduced by [63]. It accomplishes this by selecting an efficient signature scheme and tuning the cryptographic parameters of the signature scheme to the security level of the CGA. The principal drawback of this approach is that it calls for more hardware resources (processors), which adversely affects devices with restricted capabilities, such as mobile nodes. Reference [78] suggests the use of extensions and upgrades to the CGA verification to defeat the DoS attack against the DAD algorithm. They additionally propose the use of the Timestamp Option inside CGA when it is run alone and not as a part of SEND. CGA might be susceptible to privacy-related attacks. Tagging a lifetime on a CGA address can resolve this privacy issue. In any case, this methodology undoubtedly involves trade-offs between privacy and security, yet it is an extremely practical arrangement. Reference [79] made a few alterations to the standard CGA so as to bound the time that CGA generation may take. The adjusted CGA generation algorithm takes the upper bound of the CGA running time as input, and the sec value is determined as an output of the brute-force search. The altered CGA keeps track of the best Hash2 value found during the running time. The proposed approach is called Time-Based CGA (TB-CGA). To sufficiently enhance the performance of CGA, [80] investigate first replacing RSA with Elliptic Curve Cryptography (ECC) and the Elliptic Curve DSA (ECDSA), and second using General-Purpose computation on Graphics Processing Units (GPGPU). An altered CGA generation method that permits a newly connected node to create a CGA address rapidly was presented in [81]. The method requires adding a key-pair server node to perform a piece of the CGA generation processing ahead of time. Since the lengthiest and most time-consuming computation is performed on the server in advance, the CGA generation time is reduced considerably.
The proposed methodology demonstrates decent performance, yet has the downside of relying on an external server: if the server itself is attacked, all other nodes suffer and new nodes will not be able to join the network. Reference [82] put an effort into enhancing the speed of CGA computation: they parallelized the CGA generation procedure and used the reachable resources in a reliable network. Also, the impact of the presence of attacking nodes on the complete load of the non-attacking ones in the network was assessed. Trust management is utilized by this approach; it has the ability to identify and isolate the malicious node to eliminate the possible incentive for malicious actions. CGA solutions along with their pros and cons are given in TABLE 9.

E. STANDALONE APPROACHES

Several independent mechanisms have been proposed by researchers to defend against one or more security threats in NDP. Below we overview all of the proposals available up to date. An IP inspection and packet stamping mechanism deployed on an IPv6 access router is introduced by [83]. The technique can successfully secure an IPv6 LAN from the NDP-DoS attack using fabricated source IPs, by treating the packets suspected of using fake source and/or destination IP addresses with a different QoS. The idea for recognizing the ND-DoS attack is to check whether the source and destination IP addresses of the inbound packet truly exist on the source and destination LANs, respectively. If yes, the packet is viewed as normal. Otherwise, it is suspected to be an anomalous packet. To gather the topology data of the source and destination LANs, the IPv6 access router of every LAN monitors all the packets originating from its own LAN. Although the technique can defeat the NDP-DoS attack using anomalous IPs very well, as a drawback this approach cannot handle the DoS attack using working IPs. To reduce the computation time, a new security method known as Trust Based Security (TBS) for IPv6 was suggested by [84]; it is not a centralized trust management. The key concept of the method is to circulate trust among the local network members. As a result, trust is established among all nodes in the absence of a specific CA. To achieve this, a method is needed to form a trusted area. The TBS method inserts one more column into the neighbor cache table, known as the trust state. The trust state decides whether a neighbor should be trusted or not. The RS message is created with a Trust Solicitation Option (TSO) that carries the trust option. The most important components contained in the TSO are the hash value of the message authentication, the message generation time, and a sequence number.

TABLE 9. CGA countermeasures.


The router should take into consideration the availability of the TSO, which is the latest option in NDP. After this option is received, the message is supposed to be verified, particularly in the validation phase. The generation time is significant to stop the DoS attack on the solicitation sender. A Trust Advertisement Option (TAO) should also be carried by the RA message. A dynamic strategy for identifying NDP-based attacks in IPv6 networks was proposed in [19]. The approach uses a dynamic probing technique to catch all NDP-based attacks, specifically NA/NS spoofing, DAD, NUD, replay, router redirect and so forth. The technique also recognizes MitM and DoS attacks produced by NA/NS spoofing. As the dynamic probes are only typical NDP messages, the technique does not require any change in NDP. The proposed scheme is a centralized network-based technique, but it is only an attack detection method. Reference [85] proposed an attack detection scheme built around two separate techniques, a passive monitoring scheme and an active identification technique using probing. The proposed scheme constructs the state of the network using Multicast Listener Discovery (MLD) queries and validates captured packets against this state. The proposed scheme stores the state of the network's IP-MAC bindings in a table called the IP-MAC Table. The size of this table is fairly small, because the number of nodes in a given network is not so big. This table can be constructed by different network scanning tools. The drawbacks of the proposed scheme are that it is a network-monitoring-based methodology, it has a single point of device failure, and it is only a detection-based method. Reference [86] designed a tool (NDPMon) for monitoring the NDP functions. It keeps an up-to-date neighbor database that contains the correspondences between IPv6 and MAC addresses, together with a timestamp.
When an NDP packet is captured, its content is compared with the entries in the database, in the same way that Arpwatch does for ARP, and suspicious activities or behaviors raise alerts and reports. Reference [87] integrated a bandwidth improvement into standard NDP. The proposed enhancement, called Compact Neighbor Discovery (CND), is a novel neighbor solicitation method that uses Bloom filters. Numerous IPv6 addresses (fake or genuine) in the access router's address resolution queue are compactly encoded in a Bloom filter. By sending a single neighbor solicitation message to the link that carries the Bloom filter, many IPv6 addresses are solicited simultaneously. Legitimate packets that trigger neighbor solicitation are not denied service, because Bloom filters support membership queries: an on-link host can test whether its own address is in the received Bloom filter and, if so, return its MAC address to the access router. Bloom filters yield a small false-positive probability, so in CND the hosts in the target subnet send a low rate of unnecessary neighbor advertisements in response to solicitations that were meant for other nodes.
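The CND idea above, as an added example that is not the code of [87] or of this survey: the router folds every address in its resolution queue into one Bloom filter, each host tests its own address against the filter, and the usual Bloom estimate gives the rate of needless NAs. The filter parameters (m bits, k SHA-256-derived positions), the dictionary used in place of a real ICMPv6 option layout, and the sample address lists are assumptions made for this illustration.

```python
import hashlib
import ipaddress
import math


def _addr_bytes(addr):
    """Canonical 16-byte form of an IPv6 address (handles '::' compression)."""
    return ipaddress.IPv6Address(addr).packed


def bloom_indexes(addr, m, k):
    """The k bit positions for addr: SHA-256(counter || address) mod m."""
    packed = _addr_bytes(addr)
    for i in range(k):
        digest = hashlib.sha256(bytes([i]) + packed).digest()
        yield int.from_bytes(digest[:8], "big") % m


def build_cnd_solicitation(pending, m=4096, k=5):
    """Access router side: encode every queued address into one m-bit filter.
    The result replaces len(pending) separate NS messages."""
    bits = bytearray(m // 8)
    for addr in pending:
        for idx in bloom_indexes(addr, m, k):
            bits[idx >> 3] |= 1 << (idx & 7)
    return {"m": m, "k": k, "bits": bytes(bits)}


def host_is_solicited(ns, own_addr):
    """Host side: membership query. True means 'answer with your MAC'.
    Solicited hosts are never missed; others are accepted with small probability."""
    return all(ns["bits"][idx >> 3] & (1 << (idx & 7))
               for idx in bloom_indexes(own_addr, ns["m"], ns["k"]))


def expected_false_positive_rate(n, m, k):
    """Classic Bloom estimate (1 - e^(-kn/m))^k: the fraction of non-solicited
    hosts that will still send a needless NA."""
    return (1.0 - math.exp(-k * n / m)) ** k


def hosts_that_reply(ns, on_link_hosts):
    """Which of the on-link hosts would send an NA for this one solicitation."""
    return [h for h in on_link_hosts if host_is_solicited(ns, h)]


# Constructed sample: 3 genuine targets plus 200 non-existent addresses that an
# ND-DoS attacker has pushed into the router's resolution queue.
GENUINE = ["2001:db8:1::10", "2001:db8:1::11", "2001:db8:1::12"]
FLOOD = ["2001:db8:1::%x" % (0x1000 + i) for i in range(200)]
ON_LINK = GENUINE + ["2001:db8:1::20", "2001:db8:1::21"]


def demo():
    ns = build_cnd_solicitation(GENUINE + FLOOD)
    return {
        "solicitation_bytes": len(ns["bits"]),
        "replies": hosts_that_reply(ns, ON_LINK),
        "fp_rate": expected_false_positive_rate(len(GENUINE) + len(FLOOD),
                                                ns["m"], ns["k"]),
    }


if __name__ == "__main__":
    print(demo())
```

With 203 queued addresses the whole solicitation is a 512-byte filter, the three genuine hosts always answer, and the expected rate of spurious NAs from the two other on-link hosts is below 0.1%; raising m or lowering k trades solicitation size against that rate.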

A method for detecting NS/NA spoofing attacks in IPv6 NDP was proposed by [88]; it also catches the MitM and DoS attacks produced by NA/NS spoofing. The method uses an active probing technique, and as the probes are ordinary NS messages, no change to NDP is required. Its limitation is that it can only identify NS spoofing, NA spoofing and the MitM and DoS attacks built on them; many other attacks on NDP, specifically the malicious router, neighbor unreachability detection and duplicate address detection attacks, are not covered. Trusted Router Discovery Protocol (TRDP), introduced in [89], makes router discovery a secure procedure for a host. TRDP allows the node receiving an RA to make sure that the router is legitimate and authorized in an efficient and safe way, without requiring the end host to validate long certificate chains. TRDP performs better than ADD (Authorization Delegation Discovery, the certification path mechanism of SEND) with regard to the processing cost of certification path validation. The objective of TRDP is to share the load of authenticating router information among the existing trusted routers instead of transferring it to the host. Reducing the local network traffic caused by transferring certificates over the link also lessens the DoS attacks that can be mounted against both hosts and routers. TRDP introduces two pairs of ICMPv6 messages. The first pair, Trusted Router Passport Solicitation (TRPS) and Trusted Router Passport Advertisement (TRPA), is exchanged between the host and the router: the host sends a TRPS carrying a Trust Anchor (TA) and a nonce, the nonce ensuring that a given TRPA is linked to the TRPS that initiated it, and the router responds with a cryptographically protected TRPA. The router that returns a valid TRPA is then accepted by the host as its default access router.
The second pair, Trusted Router-to-Router Passport Solicitation (TR2PS) and Trusted Router-to-Router Passport Advertisement (TR2PA), is used by the intermediate and access routers to obtain a passport from the trust anchor along a certification path. This mechanism moves the certificate chain processing that ADD imposes on the end host to an intermediate router: the router forwards a TR2PS, containing the nonce and the TA copied from the TRPS, to the trust anchor; on receiving the TR2PS, the trust anchor creates a passport and returns it to the access router in a TR2PA. The mechanism is somewhat complex because of the new ICMPv6 messages and the number of routers involved, and there is still a need for a central certification authority and for certificate signing, so the method is considered expensive. A model consisting of two combined algorithms was suggested by [90]: the first secures nodes against MitM attacks during link-layer address resolution and the second secures SLAAC operations against DoS attacks. The key concept of this model is to make the process


of guessing the IID very difficult, so that locating the node becomes very hard and attackers are prevented from running attacks against it. A new algorithm for creating the IID was proposed by [91] to minimize the processing cost while keeping the node safe from attacks such as IP spoofing. Such attacks are stopped by adding a signature to the messages sent on the network and by binding the public key directly into the IP address. Randomizing the IID, looking up the binding between the IP address and the public key, securing the NDP messages with signatures, and making use of the Resource Public Key Infrastructure (RPKI) are the ways in which the new algorithm provides privacy and security. Reference [92] presents source address validation for IPv6, a mechanism for fine-grained intra-domain filtering based on creating a trust chain between the source IP address and the associated layer-2 binding. The solution relies on existing protocols and mechanisms, in particular SEND and CGAs, and complements ingress filtering and unicast reverse path forwarding. It allows validation of the source address of local traffic, i.e. verification that the source addresses of packets generated by hosts attached to the local link have not been spoofed; in addition, it provides the means to verify that packets carrying off-link prefixes in their source address were generated by authorized routers. The proposed SEND Source Address Validation Improvement (SAVI) mechanism is compatible with mobile nodes, hosts with multiple interfaces connected to the same LAN, and anycast services. One advantage of the solution is that it introduces no changes to hosts or current protocols; it uses only the already existing mechanisms, SEND and CGAs.
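The binding-based filtering of [92] and the IP-MAC change alerting of NDPmon [86] share one data structure, an IP-to-(MAC, port) table learned from DAD. The following is an added example of both behaviours, not code from those projects: bindings are learned from DAD NS messages, an NA or a second DAD claim for an already bound address from a different MAC raises an alert, and data packets are forwarded only if their source address is bound to the ingress MAC and port, with off-link sources accepted only from assumed router ports. The switch model, the message dictionaries, the /64 prefix, the port names and the event trace are all constructed for this illustration; a real SAVI deployment with SEND would additionally verify the CGA and signature before accepting a binding.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed topology for the sample: one /64 and authorized routers on port p24.
LOCAL_PREFIX = ipaddress.IPv6Network("2001:db8:1::/64")
ROUTER_PORTS = {"p24"}


@dataclass
class Binding:
    mac: str
    port: str
    first_seen: float


@dataclass
class SaviTable:
    """IP -> (MAC, port) bindings learned from DAD, as a SAVI switch would keep."""
    bindings: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def learn_dad(self, ns, now):
        """Learn a binding from a DAD NS (unspecified source, target = tentative
        address). Re-binding an address to another MAC/port is logged, which is
        the NDPmon/Arpwatch behaviour, and rejected."""
        if ns["type"] != "NS" or ns["src"] != "::":
            return False
        target = ns["target"]
        current = self.bindings.get(target)
        if current and (current.mac, current.port) != (ns["mac"], ns["port"]):
            self.alerts.append(f"binding change for {target}: "
                               f"{current.mac}/{current.port} -> {ns['mac']}/{ns['port']}")
            return False
        self.bindings[target] = Binding(ns["mac"], ns["port"], now)
        return True

    def check_na(self, na):
        """An NA claiming a bound address from a different MAC is the classic
        NA-spoofing signature: alert and treat the NA as invalid."""
        current = self.bindings.get(na["target"])
        if current and current.mac != na["mac"]:
            self.alerts.append(f"NA for {na['target']} from {na['mac']} "
                               f"but bound to {current.mac}")
            return False
        return True

    def validate_packet(self, pkt):
        """Forward only if the source address is bound to the ingress MAC/port.
        Off-link sources are accepted only from authorized router ports."""
        src = ipaddress.IPv6Address(pkt["src"])
        if src.is_unspecified:                       # DAD traffic itself
            return True
        if not (src.is_link_local or src in LOCAL_PREFIX):
            return pkt["port"] in ROUTER_PORTS
        b = self.bindings.get(pkt["src"])
        return b is not None and (b.mac, b.port) == (pkt["mac"], pkt["port"])


# Constructed link events (not captured traffic).
EVENTS = [
    ("dad", {"type": "NS", "src": "::", "target": "2001:db8:1::10",
             "mac": "aa:aa:aa:00:00:10", "port": "p1"}),
    ("dad", {"type": "NS", "src": "::", "target": "2001:db8:1::11",
             "mac": "aa:aa:aa:00:00:11", "port": "p2"}),
    # attacker on p7 tries to claim ::10 via DAD, then advertises it
    ("dad", {"type": "NS", "src": "::", "target": "2001:db8:1::10",
             "mac": "de:ad:be:ef:00:07", "port": "p7"}),
    ("na", {"type": "NA", "target": "2001:db8:1::10",
            "mac": "de:ad:be:ef:00:07", "port": "p7"}),
    # data: genuine, spoofed on-link source, spoofed off-link source, router traffic
    ("pkt", {"src": "2001:db8:1::10", "mac": "aa:aa:aa:00:00:10", "port": "p1"}),
    ("pkt", {"src": "2001:db8:1::11", "mac": "de:ad:be:ef:00:07", "port": "p7"}),
    ("pkt", {"src": "2001:db8:9::1", "mac": "de:ad:be:ef:00:07", "port": "p7"}),
    ("pkt", {"src": "2001:db8:9::1", "mac": "cc:cc:cc:00:00:24", "port": "p24"}),
]


def run_sample():
    """Replay EVENTS through a fresh table; returns the table and per-event decisions."""
    table = SaviTable()
    decisions = []
    for kind, ev in EVENTS:
        if kind == "dad":
            decisions.append(table.learn_dad(ev, now=0.0))
        elif kind == "na":
            decisions.append(table.check_na(ev))
        else:
            decisions.append(table.validate_packet(ev))
    return table, decisions
```

The attacker's DAD claim and NA for ::10 both produce alerts without changing the binding, its packets with a spoofed on-link or off-link source are dropped, and the same off-link source is accepted from the router port, which is the distinction [92] draws between local hosts and authorized routers.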
A pull-model DAD is designed in [93]; it improves trustworthiness and safety by modifying the solicitation model and, compared with SEND, has benefits such as lower operating overhead and adaptability. The hash value of the tentative address is computed and the link is queried for addresses having the same hash value. Once an address with a colliding hash is reported, the presence of the unconfirmed address in the returned list is checked: when no collision is detected the address is configured, and if a collision is detected a new address is created and the process is repeated. This mechanism also enhances the security of the address resolution and neighbor unreachability detection functions of NDP. Reference [94] put forward a host-based IDS using an active detection method for IPv6 NDP. All changes that take place in the host's neighbor cache are verified either with (passive) data tables or by sending active probes in real time. The technique carefully observes the modifications made to the neighbor cache of the host. In a stable LAN, modifications such as removing or adding a host are

not common, and as a result the amount of error can be tolerated. When an attack is detected, the next step depends on the user, for instance halting communication with that node. Every modification is screened and unusual modifications are treated as an attack. Modifications in the IP-MAC mapping can be detected by sending active probes and monitoring the responses; if the probed machine reports more than one link-layer address, this indicates an attack. The technique is implemented as a host-based Intrusion Prevention System (IPS) by keeping a duplicate copy of the neighbor cache as a model and refraining from applying any modification prior to validation. Reference [95] put forward an address generation method whose computation cost is lower than that of CGA. It creates a highly randomized IID, which helps ensure the privacy of nodes and allows them to determine their uniqueness on the link, and it offers strong protection against DoS attacks during the DAD process of IPv6 SLAAC. The method rests on the assumption that by making the IID difficult to guess, the attacker will not succeed in locating the node and therefore will be unable to attack it. It consists of two parts, address generation carried out at the sending node and address verification performed at the receiving node. A hash method to keep the target address hidden during the DAD process, called DAD hash (DAD-h), was proposed by [96]. If the address of an existing node is the same as the probed address, its hash value matches the Hash_64 field inside the NS message and the node replies, so DAD is effectively completed. DAD-h uses a one-way hash function to keep the target address hidden throughout DAD.
The method only exposes the hash value of the target address, so an attacker cannot forge a reply based on a Target Address field it cannot see. In addition, DAD-h uses a blacklist to stop continuous attacks from attacker nodes. Reference [97] uses Finite State Machines (FSM) and Extended Finite State Machines (EFSM) to model the main mechanisms of NDP and to detect NDP anomalies using strict anomaly detection. These models can serve as a network security tool or as a research tool to study and investigate the behavior of NDP. Strict anomaly detection is used to observe any violation of NDP: since anomalous behavior differs from normal behavior, new failure states are defined to indicate any disallowed event or illegal transition attempt. Strict anomaly detection defines the failure states in the EFSM and reports any violation of the protocol fundamentals; these violations can result from protocol misconfiguration or from attacks. Thus, the model is able to detect NDP attacks, such as DAD attacks and NDP flooding attacks, since most attacks violate the protocol rules.
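An added example of the EFSM approach of [97], written for this page and not taken from that paper: per-target states IDLE, TENTATIVE, PREFERRED and DUPLICATE model the DAD lifecycle, and a small set of RFC 4861/4862 rules (hop limit 255, no multicast targets, DAD probes go to the solicited-node group without a source link-layer option, multicast NS carry that option, solicited NAs are never multicast, DAD is retransmitted at most DupAddrDetectTransmits times) each map to a FAIL_ state. The message dictionaries and the trace are constructed; which RFC rules to encode is the editor's choice, and, as the text notes, a well-formed NA from a spoofed address is still accepted by such a model.

```python
import ipaddress
from collections import defaultdict

SOLICITED_NODE = ipaddress.IPv6Network("ff02::1:ff00:0/104")
DUP_ADDR_DETECT_TRANSMITS = 1            # RFC 4862 default


def solicited_node_addr(target):
    """ff02::1:ffXX:XXXX for the low 24 bits of target (RFC 4291)."""
    low24 = ipaddress.IPv6Address(target).packed[13:]
    return str(ipaddress.IPv6Address(b"\xff\x02" + bytes(9) + b"\x01\xff" + low24))


def _mcast(addr):
    return ipaddress.IPv6Address(addr).is_multicast


class NdpEfsm:
    """Per-target states IDLE -> TENTATIVE -> PREFERRED | DUPLICATE. Any violation
    of the encoded rules moves the target into FAIL_<reason> and is recorded."""

    def __init__(self, dad_timeout=1.0):
        self.state = defaultdict(lambda: "IDLE")
        self.dad_sent_at = {}                        # target -> time of its DAD NS
        self.dad_count = defaultdict(int)            # (mac, target) -> DAD NS sent
        self.violations = []
        self.dad_timeout = dad_timeout

    def _fail(self, target, reason, msg):
        self.state[target] = "FAIL_" + reason
        self.violations.append((reason, msg["mac"], target))
        return self.state[target]

    def feed(self, msg, now):
        target = msg["target"]
        if msg["hop_limit"] != 255:                  # RFC 4861 7.1: hop limit MUST be 255
            return self._fail(target, "HOP_LIMIT", msg)
        if _mcast(target):                           # target MUST NOT be multicast
            return self._fail(target, "MCAST_TARGET", msg)
        if msg["type"] == "NS":
            return self._on_ns(msg, target, now)
        return self._on_na(msg, target)

    def _on_ns(self, msg, target, now):
        if msg["src"] == "::":                       # DAD probe, RFC 4862 5.4
            if ipaddress.IPv6Address(msg["dst"]) not in SOLICITED_NODE:
                return self._fail(target, "DAD_DST_NOT_SOLNODE", msg)
            if msg.get("sllao"):                     # MUST NOT carry SLLAO
                return self._fail(target, "DAD_WITH_SLLAO", msg)
            self.dad_count[(msg["mac"], target)] += 1
            if self.dad_count[(msg["mac"], target)] > DUP_ADDR_DETECT_TRANSMITS:
                return self._fail(target, "DAD_RETRANSMIT_EXCEEDED", msg)
            if self.state[target] == "IDLE":
                self.state[target] = "TENTATIVE"
                self.dad_sent_at[target] = now
        elif _mcast(msg["dst"]) and not msg.get("sllao"):   # multicast NS MUST carry SLLAO
            return self._fail(target, "MCAST_NS_WITHOUT_SLLAO", msg)
        return self.state[target]

    def _on_na(self, msg, target):
        if msg.get("solicited") and _mcast(msg["dst"]):     # RFC 4861 4.4: S=1 never to multicast
            return self._fail(target, "SOLICITED_NA_TO_MCAST", msg)
        if self.state[target] == "TENTATIVE":        # an NA during DAD means duplicate
            self.state[target] = "DUPLICATE"
        return self.state[target]

    def tick(self, now):
        """DAD timer: a TENTATIVE target that drew no NA becomes PREFERRED."""
        for target, t0 in self.dad_sent_at.items():
            if self.state[target] == "TENTATIVE" and now - t0 >= self.dad_timeout:
                self.state[target] = "PREFERRED"


def ns(target, mac, src="::", sllao=None, hop_limit=255):
    return {"type": "NS", "target": target, "mac": mac, "src": src,
            "dst": solicited_node_addr(target), "sllao": sllao, "hop_limit": hop_limit}


def na(target, mac, solicited=False, dst="ff02::1"):
    return {"type": "NA", "target": target, "mac": mac, "dst": dst,
            "solicited": solicited, "hop_limit": 255}


HOST, ATTACKER = "aa:aa:aa:00:00:01", "de:ad:be:ef:00:07"


def run_scenario():
    """Constructed trace: normal DAD, a well-formed DAD-DoS reply, then violations."""
    m = NdpEfsm()
    out = [m.feed(ns("2001:db8::10", HOST), 0.0)]            # TENTATIVE
    m.tick(2.0)
    out.append(m.state["2001:db8::10"])                        # PREFERRED
    out.append(m.feed(ns("2001:db8::11", HOST), 2.0))          # TENTATIVE
    out.append(m.feed(na("2001:db8::11", ATTACKER), 2.1))      # DUPLICATE, no rule broken
    out.append(m.feed(ns("2001:db8::12", HOST), 3.0))
    out.append(m.feed(na("2001:db8::12", ATTACKER, solicited=True), 3.1))
    out.append(m.feed(ns("2001:db8::10", HOST, hop_limit=64), 4.0))
    out.append(m.feed(ns("2001:db8::13", HOST, sllao=HOST), 5.0))
    m.feed(ns("2001:db8::14", HOST), 6.0)
    out.append(m.feed(ns("2001:db8::14", HOST), 6.5))
    return out, m.violations
```

The fourth event is the interesting one: an attacker answering every DAD probe with a correctly formed NA drives each target to DUPLICATE without ever entering a FAIL_ state, which is exactly the blind spot the next paragraph describes; the malformed variants (solicited flag on a multicast NA, wrong hop limit, SLLAO on a DAD probe, excess DAD retransmissions) are caught as protocol violations.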


TABLE 10. Summary of standalone proposals.

It is important to mention that the model can only detect NDP attacks that violate the protocol fundamentals, since it considers only protocol rule violations. Other violations, such as spoofed IP or MAC addresses, cannot be detected: for instance, an attacker can flood the network with NDP messages using a spoofed IP address, and the model cannot tell whether that address is real or spoofed. Hence, this model must be combined with other models to build a complete system for securing NDP. In [98] and [99], a new method is suggested to effectively avoid DoS attacks on the IPv6 DAD process. To meet the security requirements of DAD, a method called Node Controller Model (NCM) is designed on the basis of rule-based systems. Its elements are a control scheme, a set of rules, message authentication and the neighbor cache table. The mechanism adds a secure tag option to NDP messages to establish integrity between sender and receiver throughout the DAD process. It lets a host confirm whether its self-generated IP address is unique while preventing attacking hosts from altering the verification process; as a result, a new host can join the IPv6 network even during a DoS attack. In line with the decentralized nature of SLAAC, Trust-ND [100], [101] makes use of the distributed trust management concept to secure SLAAC. Every Trust-ND node performing SLAAC is allowed to generate and verify Trust-ND messages and to maintain and update its own trust

table. Each Trust-ND node can be either a sender or a receiver of Trust-ND messages, and each node independently calculates the trust value of its neighboring nodes on the same link. Trust-ND nodes do not distribute trust values, so no central authority or server is required. The trust value calculation is based on the Beta Reputation System. Trust-ND improves NDP security by introducing a new ICMPv6 option, the Trust Option, with three main fields: Message Generation Time, Nonce and Message Authentication Data, the last being a SHA-1 digest used as the message integrity check. The option is attached to all five NDP messages, which are then called Trust-RS, Trust-RA, Trust-NS, Trust-NA and Trust-Redirect respectively. A new security mechanism called Trust Based Neighbor Discovery Protocol (T-NDP), which reduces the computational cost, is introduced in [102]. To achieve a high level of security, a centralized encryption mechanism for neighbor discovery is proposed; the authors claim that T-NDP achieves more security with reduced transmission delay and traffic overhead. T-NDP is based on the trust management concept and uses a very simple encryption algorithm that minimizes the generated key size: an ECC scheme (public key cryptography) with a 164-bit key, which the authors claim yields more security than the RSA and AES configurations they compare against. An integrated framework able to detect and mitigate DoS attacks on the DAD process is presented in [103]. It uses a method


TABLE 11. Number of attacks covered by each solution.

based on rules to validate the uniqueness of the self-generated IP address. It compares the address with its current IP address database to detect and mitigate DoS attacks on DAD during address autoconfiguration, and it uses straightforward queries to validate the presence of the generated IP addresses. The use of Artificial Intelligence (AI) techniques, particularly a Back-Propagation Neural Network, to detect DoS attacks against ICMPv6 is given in [104]. Even though the results show a faster detection time than existing techniques and an accuracy of almost 99%, the technique is still an IDS/IPS-type system and relies on a single device. A novel extension for the privacy of IPv6 address generation using internal hardware was introduced in [105]: the HArdware Volatile Entropy Gathering and Expansion (HAVEGE) algorithm is used for empirically strong random number generation. Addresses computed with HAVEGE had a very high randomness rate,

and consequently provide very secure SLAAC operations. The results outperform SEND and show good performance, yet the solution needs to be implemented in every single device and has interoperability and deployment issues. An AI machine learning technique, strict anomaly detection methodology to be more specific, is used in [106] to detect NDP flooding attacks; C4.5 was found to be the best technique to use with strict anomaly detection for this model, which greatly reduces the complexity of the detection process. TABLE 10 lists the up-to-date standalone approaches to defending against NDP attacks, with the advantages and disadvantages of each solution. Reference [107] proposed the use of Software Defined Networking (SDN) as a mechanism to authenticate the exchange of NDP messages. The solution has the advantages of not manipulating the original NDP structure and message format, and no third-party device is added for monitoring and controlling the flow of NDP messages. The drawback of this


technique is that the SDN concept itself is still at an early stage and not widely implemented within the industry. The four categories of solutions presented in this paper, IPsec, SEND, SEND/CGA enhancements and standalone solutions, are compared in TABLE 11 in terms of the number of attacks covered by each solution; the attack numbering follows the classification and sequence given in Section III. TABLE 12 gives a second comparison of the solutions covered in this paper in terms of computation cost, security level, technical applicability, ease of deployment and whether the solution matches the protocol standard.
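The Trust Option of Trust-ND [100], [101] and the TSO of TBS [84] described earlier both pair a generation time and a nonce with a message authentication value, and Trust-ND scores neighbors with the Beta Reputation System. The following added example (the editor's, not code from those papers) shows one way such an option is built and checked and how the outcome feeds the extra trust-state column of the neighbor cache. Assumptions: the Message Authentication Data is HMAC-SHA1 over the NDP payload, generation time and nonce under a shared link key whose distribution is out of scope; freshness is a 2-second window; the threshold 0.5 and the sample payload and MACs are constructed.

```python
import hashlib
import hmac
import os
import struct

FRESHNESS_WINDOW = 2.0          # seconds; assumed tolerance for skew plus transit


def build_trust_option(payload, key, now, nonce=None):
    """Sender: Trust Option = {generation time, nonce, MAC}. The MAC binds the
    NDP payload to the time and nonce so none of them can change in transit."""
    nonce = nonce or os.urandom(8)
    gen_time = struct.pack("!d", now)
    mac = hmac.new(key, payload + gen_time + nonce, hashlib.sha1).digest()
    return {"gen_time": now, "nonce": nonce, "mac": mac}


def verify_trust_option(payload, opt, key, now, seen_nonces):
    """Receiver: freshness, replay (nonce cache) and integrity checks, in that
    order, so stale or replayed messages cost no HMAC computation."""
    if abs(now - opt["gen_time"]) > FRESHNESS_WINDOW:
        return False, "stale"
    if opt["nonce"] in seen_nonces:
        return False, "replay"
    expected = hmac.new(key, payload + struct.pack("!d", opt["gen_time"]) + opt["nonce"],
                        hashlib.sha1).digest()
    if not hmac.compare_digest(expected, opt["mac"]):
        return False, "bad_mac"
    seen_nonces.add(opt["nonce"])
    return True, "ok"


class TrustTable:
    """The 'trust state' column of the neighbor cache. The trust value is the
    Beta Reputation expectation (r + 1) / (r + s + 2) over r verified and s
    failed messages from a neighbor; every node computes it locally."""

    def __init__(self, threshold=0.5):
        self.threshold = threshold
        self.counts = {}                              # mac -> [r, s]

    def update(self, neighbor, verified):
        r_s = self.counts.setdefault(neighbor, [0, 0])
        r_s[0 if verified else 1] += 1
        return self.trust_value(neighbor)

    def trust_value(self, neighbor):
        r, s = self.counts.get(neighbor, (0, 0))
        return (r + 1) / (r + s + 2)

    def trust_state(self, neighbor):
        if neighbor not in self.counts:
            return "unknown"
        return "trusted" if self.trust_value(neighbor) >= self.threshold else "untrusted"


def process(payload, opt, key, now, sender_mac, table, seen):
    """Receive path: verify the option, then fold the outcome into the trust table."""
    ok, reason = verify_trust_option(payload, opt, key, now, seen)
    table.update(sender_mac, ok)
    return ok, reason, table.trust_state(sender_mac)


# Constructed sample: an assumed pre-shared link key, one Trust-NA payload, two senders.
LINK_KEY = b"link-local-demo-key-not-for-production"
NA_PAYLOAD = b"NA target=2001:db8:1::10 tlla=aa:aa:aa:00:00:10"
HOST, ATTACKER = "aa:aa:aa:00:00:10", "de:ad:be:ef:00:07"


def demo():
    table, seen = TrustTable(), set()
    good = [build_trust_option(NA_PAYLOAD, LINK_KEY, now=100.0 + i) for i in range(3)]
    results = [process(NA_PAYLOAD, opt, LINK_KEY, 100.2 + i, HOST, table, seen)
               for i, opt in enumerate(good)]
    # attacker replays a captured option, forges a fresh nonce, then replays late
    results.append(process(NA_PAYLOAD, good[0], LINK_KEY, 101.5, ATTACKER, table, seen))
    forged = dict(good[2], nonce=b"\x00" * 8)
    results.append(process(NA_PAYLOAD, forged, LINK_KEY, 102.3, ATTACKER, table, seen))
    results.append(process(NA_PAYLOAD, forged, LINK_KEY, 102.4, ATTACKER, table, seen))
    results.append(process(NA_PAYLOAD, good[2], LINK_KEY, 110.0, ATTACKER, table, seen))
    return results, table
```

After three verified messages the legitimate host sits at 0.8 and is trusted, while four failures leave the attacker at 1/6 and untrusted; note that an attacker spoofing the legitimate MAC would drag that host's score down instead, so a trust column built this way needs the integrity check to cover the link-layer address as well.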

FIGURE 10. Processor consumption for Windows 10 Home before and during SEND DoS attack.

V. CHALLENGES AND FUTURE DIRECTIONS

The adoption of the Internet in public areas is growing, and a lack of trust among users is observed in such environments. Because of the limitations of its existing defense methods, NDP is still susceptible to a number of network-based attacks. In addition, some of the existing defense mechanisms, such as SEND, can themselves become the cause of a DoS or DDoS attack. SEND is, to date, the only industry-standard solution implemented to secure NDP. Regrettably, SEND itself is vulnerable to some DoS attacks, and its lack of deployment and high computation cost have made it an unreliable solution. This section provides further details about the challenges and limitations that slow down the utilization of SEND.

A. SEND REMAINING ATTACKS

SEND helps prevent the theft of another node's address. However, it cannot offer assurance about the real identity of a node, and it cannot guarantee that a CGA is being used by the appropriate node. Because CGAs are not certified, an attacker can produce a new, valid address from its own public key and then initiate communication. Thus, an attacker can create a CGA that imitates another node's address format from a valid public key of its own, but it cannot take over the address of an existing host, since it does not possess that host's private key. Furthermore, SEND may be vulnerable to DoS attacks: an attacker may target certain steps of the CGA verification process, and it can launch a DoS attack on the DAD check and the CGA parameter verification to block a new CGA node from joining the link. Attackers could also target hosts by sending them a large number of unnecessary certification paths, forcing the hosts to allocate memory and verification resources to them. CGAs may also be susceptible to another type of attack, the global Time-Memory Trade-Off (TMTO) attack.

B. PRIVACY ISSUES

Because of the high computational complexity needed to create a CGA, it is likely that once a node produces an acceptable CGA it keeps using it on that subnet. This means that nodes that still make use of CGAs will be more vulnerable to privacy-related attacks.

C. COMPUTATION COMPLEXITY AND BANDWIDTH CONSUMPTION

In practice, the average CGA generation time depends on the Sec parameter. It has been estimated that CGA generation for Sec=3 would take about 24 years on an AMD64 workstation. Moreover, SEND requires each node to include its public key and the other CGA parameters in the message and to attach its signature to every packet it produces; thus more than 1 kilobyte is added to every packet, which increases the communication overhead and consumes more computational resources and network bandwidth.

D. LACK OF DEPLOYMENT

SEND-aware implementations are still scarce. Most modern operating systems support NDP but do not have sufficient support for SEND. Although a number of major vendors such as Cisco and Juniper offer varying levels of SEND support in their routers, most operating systems still lack good support for SEND. We conducted an experiment to evaluate SEND, using sendpees6 from the THC-IPv6 attack tool package, on different operating system platforms, Linux and Windows. We observed that SEND under DoS attack has different impacts on computer resource consumption depending on the operating system type, as shown in Fig. 10 to Fig. 15. If the attack were extended to a DDoS attack on SEND, using multiple attacking nodes, it could lead to a complete system crash. A modification of the current SEND structure, or a new solution to defend against NDP attacks, is in high demand by industry. A survey conducted by [108] in 2012 reported that 70% of organizations' security concerns related to attacks within their internal IPv6 networks. Researchers have presented analyses of the detection methodologies for NDP attacks, focusing on the open issues within each category of the detection taxonomy. There are a number of cases where shortcomings related to the covered attacks are reported


FIGURE 11. Processor consumption for Ubuntu 16.04 before and during SEND DoS attack.

FIGURE 12. Processor consumption for Kali Rolling before and during SEND DoS attack.

FIGURE 13. Bandwidth consumption for Windows 10 Home before and during SEND DoS attack.

FIGURE 14. Bandwidth consumption for Ubuntu 16.04 before and during SEND DoS attack.

FIGURE 15. Bandwidth consumption for Kali Rolling before and during SEND DoS attack.

FIGURE 16. Computational puzzle.

by existing approaches in this literature. Consequently, new techniques for the detection of NDP-based attacks need to be developed.
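The Sec-dependent generation cost discussed under C above, and the constant verification cost that a SEND DoS attacker exploits, can be seen directly in the CGA algorithm. The following added example (not from this survey or any cited paper) implements RFC 3972 generation and verification in simplified form: the modifier is incremented until Hash2 has 16*Sec leading zero bits, Hash1 becomes the interface identifier with Sec in its top three bits and the u/g bits cleared, and verification always costs exactly two SHA-1 computations regardless of Sec. The "public key" is a constructed byte string standing in for a DER-encoded key, and the /64 prefix is assumed; a real node would hash the actual SubjectPublicKeyInfo and run DAD on the result.

```python
import hashlib
import ipaddress
import os
import time


def _leading_zero_bits(data, n):
    """True if the leftmost n bits of data are all zero (n = 0 always passes)."""
    nbytes = (n + 7) // 8
    return n == 0 or int.from_bytes(data[:nbytes], "big") >> (nbytes * 8 - n) == 0


def _hash2(modifier, pubkey):
    # RFC 3972 step 2: SHA-1(modifier | 9 zero octets | key), leftmost 112 bits
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def _hash1(modifier, prefix, collision_count, pubkey):
    # RFC 3972 step 4: SHA-1(modifier | prefix | collision count | key), leftmost 64 bits
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()[:8]


def find_modifier(pubkey, sec, start=None):
    """Steps 1-3: increment the 128-bit modifier until Hash2 has 16*Sec leading
    zero bits. Expected work is 2**(16*sec) SHA-1 evaluations: the Sec cost."""
    m = int.from_bytes(start or os.urandom(16), "big")
    tries = 0
    while True:
        modifier = m.to_bytes(16, "big")
        if _leading_zero_bits(_hash2(modifier, pubkey), 16 * sec):
            return modifier, tries
        m = (m + 1) % (1 << 128)
        tries += 1


def _iid_from_hash1(h1, sec):
    iid = bytearray(h1)
    iid[0] = (iid[0] & 0x1C) | (sec << 5)     # step 5: bits 0-2 := Sec, bits 6-7 (u/g) := 0
    return bytes(iid)


def generate_cga(prefix, pubkey, sec, collision_count=0, start=None):
    """Return (address, params, tries). prefix is the 8-byte subnet prefix; params
    are the CGA Parameters a SEND node must send so that peers can verify it."""
    modifier, tries = find_modifier(pubkey, sec, start)
    iid = _iid_from_hash1(_hash1(modifier, prefix, collision_count, pubkey), sec)
    params = {"modifier": modifier, "prefix": prefix,
              "collision_count": collision_count, "pubkey": pubkey}
    return ipaddress.IPv6Address(prefix + iid), params, tries


def verify_cga(address, params):
    """RFC 3972 section 5: two hashes whatever Sec is, so verification is cheap
    while generation at high Sec is not."""
    addr = ipaddress.IPv6Address(address).packed
    if params["collision_count"] > 2:                       # step 1
        return False
    if params["prefix"] != addr[:8]:                        # step 2
        return False
    sec = addr[8] >> 5                                      # step 6
    h1 = _iid_from_hash1(_hash1(params["modifier"], params["prefix"],
                                params["collision_count"], params["pubkey"]), sec)
    if h1 != addr[8:]:                                      # steps 3-5
        return False
    return _leading_zero_bits(_hash2(params["modifier"], params["pubkey"]), 16 * sec)  # 7-8


# Constructed stand-ins for DER-encoded public keys and an assumed /64 prefix.
PUBKEY = b"\x30\x5c" + hashlib.sha256(b"demo owner key").digest() * 3
ATTACKER_KEY = b"\x30\x5c" + hashlib.sha256(b"demo attacker key").digest() * 3
PREFIX = ipaddress.IPv6Network("2001:db8::/64").network_address.packed[:8]


def time_generation(sec):
    """Wall-clock cost of generating one CGA at the given Sec on this machine."""
    t0 = time.perf_counter()
    address, params, tries = generate_cga(PREFIX, PUBKEY, sec)
    return address, params, tries, time.perf_counter() - t0


if __name__ == "__main__":
    for sec in (0, 1):
        address, _, tries, seconds = time_generation(sec)
        print(f"Sec={sec}: {address} after {tries} tries in {seconds:.2f}s")
```

Running the block shows Sec=0 finishing immediately and Sec=1 taking tens of thousands of hashes; each further Sec step multiplies the work by 65536, which is where the multi-year estimate for Sec=3 comes from. The asymmetry is also the DoS lever: a peer can cheaply reject a forged address (second test below), but it still has to run the two hashes and then the RSA signature check for every packet an attacker sends.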

According to the findings of this review, each of the existing approaches has its own pros and cons. Therefore, a smart and effective mitigation technique for the security vulnerabilities of IPv6 link-local communication is needed. By reviewing the existing solutions we realized that a combination of two or more of the existing techniques could be proposed, so that their strengths are utilized and their limitations avoided; accordingly, better tools and techniques can be produced by the research community through such hybridization. We suggest working along two parallel lines to make NDP more secure and faster: speeding up performance and hardening security. To improve security and prevent DoS/DDoS attacks, we suggest a computational puzzle during NDP message transmission. The condition that triggers the puzzle is still an open research question: the puzzle could be invoked either on the basis of monitoring the packet flow or in a preconfigured, time-based manner, as shown in Fig. 16.
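A sketch of the puzzle idea above, added here as the editor's example rather than the model of [109]: while a preconfigured time window is armed (the time-based trigger of Fig. 16), a responder issues a single-use nonce, the requester must find a solution such that the hash of nonce, message and solution has d leading zero bits, and the responder checks it with one hash. The puzzle shape, the difficulty of 12 bits, the 30-second window and 5-second nonce lifetime, and the message bytes are assumptions. The digest name is a parameter so the SHA-1/MD5 trade-off proposed below can be measured; MD5's known collision attacks do not by themselves break a preimage-style puzzle, but a practitioner would still default to SHA-256 and treat MD5 as a performance-only choice to be justified by measurement.

```python
import hashlib
import os


def _h(digest, data):
    return hashlib.new(digest, data).digest()


def _has_zero_prefix(d, bits):
    """True if the leftmost `bits` bits of digest d are zero (bits = 0 passes)."""
    nbytes = (bits + 7) // 8
    return int.from_bytes(d[:nbytes], "big") >> (nbytes * 8 - bits) == 0


class PuzzleResponder:
    """Responder side (e.g. a router answering RS/NS). Outside the armed window
    NDP runs unchanged; inside it every solicitation must carry a solved puzzle."""

    def __init__(self, difficulty_bits=12, window=30.0, nonce_ttl=5.0, digest="sha256"):
        self.bits, self.window, self.ttl, self.digest = difficulty_bits, window, nonce_ttl, digest
        self.armed_until = -1.0
        self.outstanding = {}                 # nonce -> issue time (single use)

    def arm(self, now):
        """Preconfigured time-based trigger (Fig. 16): puzzles for `window` seconds."""
        self.armed_until = now + self.window

    def active(self, now):
        return now < self.armed_until

    def challenge(self, now):
        nonce = os.urandom(16)
        self.outstanding[nonce] = now
        return {"nonce": nonce, "bits": self.bits, "digest": self.digest}

    def verify(self, message, nonce, solution, now):
        """One hash per check; the nonce is consumed so a solution cannot be
        replayed, and it expires so precomputed solutions cannot be stockpiled."""
        issued = self.outstanding.pop(nonce, None)
        if issued is None or now - issued > self.ttl:
            return False
        return _has_zero_prefix(_h(self.digest, nonce + message + solution), self.bits)


def solve(message, challenge):
    """Requester side: brute-force a counter; expected 2**bits hash evaluations,
    versus the single hash the responder spends, which is the DoS asymmetry."""
    nonce, bits, digest = challenge["nonce"], challenge["bits"], challenge["digest"]
    counter = 0
    while True:
        solution = counter.to_bytes(8, "big")
        if _has_zero_prefix(_h(digest, nonce + message + solution), bits):
            return solution, counter
        counter += 1


def exchange(responder, message, now):
    """Full round trip: plain NDP when not armed, challenge/solve/verify when armed.
    Returns (accepted, hashes the requester had to compute)."""
    if not responder.active(now):
        return True, 0
    ch = responder.challenge(now)
    solution, work = solve(message, ch)
    return responder.verify(message, ch["nonce"], solution, now + 0.01), work + 1


# Constructed sample messages (stand-ins for the ICMPv6 payloads).
RS_MSG = b"RS from fe80::1"
NS_MSG = b"NS target=2001:db8::1"
```

Because the solution is bound to the message and to a single-use nonce, an attacker cannot reuse one piece of work across a flood of solicitations, which is the property that makes the puzzle effective against DoS; the cost to a legitimate host is a few thousand hashes per message only while the window is armed.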


TABLE 12. Solutions comparison in terms of applicability and efficiency.

TABLE 13. Recommendations to enhance NDP defenders.

For simplicity and to avoid administration and programming overhead we suggest the preconfigured, time-based puzzle. Although the additional puzzle messages may be an overhead for the network, NDP is a link-local protocol and bandwidth within a local link is always available. We provide a conceptual model matching these suggestions in [109]. In addition, replacing SHA-1 with a lighter cryptographic hash function, Message Digest 5 (MD5), has been proposed; balancing security against performance, with performance as the priority, is the key reason why we chose MD5. TABLE 13 summarizes the points extracted from this review for modifying and enhancing NDP in terms of performance and security.

VI. CONCLUSION

The common NDP-based attacks have been presented in this paper. NDP depends on ICMPv6 message exchanges that are unsecured, so the occurrence of such attacks is inevitable. The prevention mechanisms proposed to protect NDP have also been highlighted: IPsec, SEND, SEND/CGA enhancements and standalone approaches are considered the four categories of available protection mechanisms. Regrettably, the IPv6 link is still accessible to attackers, who successfully evade the prevention techniques. An experiment that demonstrates the weakness of the only industry-implemented protection mechanism, SEND, has been conducted. Future research directions toward a definitive solution against NDP attacks have been discussed in this paper as well.


ACKNOWLEDGMENT

The authors would like to acknowledge the assistance provided by the Network and Communication Technology Research Group, FTSM, UKM in providing facilities throughout the research. REFERENCES [1] M. Zulkiflee, M. S. Azmi, S. S. S. Ahmad, S. Sahib, and M. K. A. Ghani, ‘‘A framework of features selection for IPv6 network attacks detection,’’ WSEAS Trans. Commun., vol. 14, no. 46, pp. 399–408, 2015. [2] A. S. Ahmed, R. Hassan, and N. E. Othman, ‘‘Security threats for IPv6 transition strategies: A review,’’ in Proc. 4th Int. Conf. Eng. Technol. Technopreneuship (ICE2T), 2014, pp. 83–88. [3] A. Alsa’deh, H. Rafiee, and C. Meinel, ‘‘IPv6 stateless address autoconfiguration: Balancing between security, privacy and usability,’’ in Foundations and Practice of Security (Lecture Notes in Computer Science). Berlin, Germany: Springer, 2013, pp. 149–161. [4] Supriyanto, I. H. Hasbullah, R. K. Murugesan, and S. Ramadass, ‘‘Survey of Internet protocol version 6 link local communication security vulnerability and mitigation methods,’’ IETE Tech. Rev., vol. 30, no. 1, pp. 64–71, 2013. [5] J. Davies, Understanding IPv6, 3rd ed. USA: Microsoft, 2012. [6] S. E. Deering, Internet Protocol Version 6 (IPv6), document RFC 2460, 1998. [7] S. Hagen, IPV6 Essentials, 2nd ed. Sebastopol, CA, USA: O’Reilly & Associates, Inc., Jan. 2008. [8] R. K. Murugesan and S. Ramadass, ‘‘Fast CEH: An algorithm to enhance performance of IPv6 packets with CRC extension header,’’ Int. J. Control Autom., vol. 5, no. 1, pp. 137–144, 2012. [9] A. Alsa’deh and C. Meinel, ‘‘Secure neighbor discovery: Review, challenges, perspectives, and recommendations,’’ IEEE Secur. Privacy, vol. 10, no. 4, pp. 26–34, Jul./Aug. 2012. [10] M. Anbar, R. Abdullah, R. M. A. Saad, E. Alomari, and S. Alsaleem, ‘‘Review of security vulnerabilities in the IPv6 neighbor discovery protocol,’’ in Information Science and Applications (ICISA) (Lecture Notes in Electrical Engineering). Singapore: Springer, 2016, pp. 603–612. [11] M. 
Blanchet, Migrating to IPv6. Chichester, U.K.: Wiley, Feb. 2005. [12] K. Batiha, K. Batiha, and A. AbuAli, ‘‘The need for IPv6,’’ Int. J. Acad. Res., vol. 3, no. 3, pp. 431–448, 2011. [Online]. Available: http://www.ijar.lit.az [13] A. R. Choudhary and A. Sekelsky, ‘‘Securing IPv6 network infrastructure: A new security model,’’ in Proc. IEEE Int. Conf. Technol. Homeland Secur. (HST), Nov. 2010, pp. 500–506. [14] R. Hassan, A. S. Ahmed, and N. E. Osman, ‘‘Enhancing security for IPv6 neighbor discovery protocol using cryptography,’’ Amer. J. Appl. Sci., vol. 11, no. 9, pp. 1472–1479, Jan. 2014. [15] A. S. Ahmed, R. Hassan, and N. E. Othman, ‘‘Improving security for IPv6 neighbor discovery,’’ in Proc. Int. Conf. Elect. Eng. Inf. (ICEEI), Aug. 2015, pp. 271–274. [16] X. Yang, T. Ma, and Y. Shi, ‘‘Typical DoS/DDoS threats under IPv6,’’ in Proc. Int. Multi-Conf. Comput. Global Inf. Technol. (ICCGI), Mar. 2007, p. 55. [17] S. U. Rehman and S. Manickam, ‘‘Significance of duplicate address detection mechanism in Ipv6 and its security issues: A survey,’’ Indian J. Sci. Technol., vol. 8, no. 30, pp. 1–8, Nov. 2015. [18] O. E. Elejla, M. Anbar, and B. Belaton, ‘‘ICMPv6-based DoS and DDoS attacks and defense mechanisms: Review,’’ IETE Tech. Rev., vol. 34, no. 4, pp. 390–407, Feb. 2016. [19] F. A. Barbhuiya, G. Bansal, N. Kumar, S. Biswas, and S. Nandi, ‘‘Detection of neighbor discovery protocol based attacks in IPv6 network,’’ Netw. Sci., vol. 2, nos. 3–4, pp. 91–113, Jul. 2013. [20] M. Al-Hemairy, S. Amin, and Z. Trabelsi, ‘‘Towards more sophisticated ARP spoofing detection/prevention systems in LAN networks,’’ in Proc. Int. Conf. Current Trends Inf. Technol. (CTIT), Dec. 2009, pp. 1–6. [21] C. L. Abad and R. I. Bonilla, ‘‘An analysis on the schemes for detecting and preventing ARP cache poisoning attacks,’’ in Proc. 27th Int. Conf. Distrib. Comput. Syst. Workshops (ICDCSW), Jun. 2007, p. 60. [22] M. M. Dessouky, N. Elkilany, and N. 
Alfishawy, ‘‘A hardware approach for detecting the ARP attack,’’ in Proc. 7th Int. Conf. Inf. Syst. (INFOS), Mar. 2010, pp. 1–8. 18208

[23] X. Hou, Z. Jiang, and X. Tian, ‘‘The detection and prevention for ARP Spoofing based on Snort,’’ in Proc. Int. Conf. Comput. Appl. Syst. Modeling (ICCASM), Oct. 2010, pp. V5-137–V5-139.
[24] H. Neminath et al., ‘‘A DES approach to intrusion detection system for ARP spoofing attacks,’’ in Proc. 18th Medit. Conf. Control Autom. (MED), Jun. 2010, pp. 695–700.
[25] A. P. Ortega, X. E. Marcos, L. D. Chiang, and C. L. Abad, ‘‘Preventing ARP cache poisoning attacks: A proof of concept using OpenWrt,’’ in Proc. Latin Amer. Netw. Oper. Manage. Symp., Oct. 2009, pp. 1–9.
[26] F. A. Barbhuiya, S. Biswas, N. Hubballi, and S. Nandi, ‘‘A host based DES approach for detecting ARP spoofing,’’ in Proc. IEEE Symp. Comput. Intell. Cyber Secur. (CICS), Apr. 2011, pp. 114–121.
[27] S. Y. Nam, S. Jurayev, S.-S. Kim, K. Choi, and G. S. Choi, ‘‘Mitigating ARP poisoning-based man-in-the-middle attacks in wired or wireless LAN,’’ EURASIP J. Wireless Commun. Netw., vol. 1, no. 1, p. 89, 2012.
[28] B. Issac, ‘‘Secure ARP and secure DHCP protocols to mitigate security attacks,’’ Int. J. Netw. Secur., vol. 8, no. 2, pp. 107–118, 2009.
[29] M. A. Carnut and J. J. C. Gondim, ‘‘ARP spoofing detection on switched Ethernet networks: A feasibility study,’’ in Proc. 5th Simposio Seguranca Inf., 2003, pp. 1–10.
[30] T. Demuth and A. Leitner, ‘‘ARP spoofing and poisoning: Traffic tricks,’’ Linux Mag., vol. 56, pp. 26–31, Jul. 2005.
[31] M. V. Tripunitara and P. Dutta, ‘‘A middleware approach to asynchronous and backward compatible detection and prevention of ARP cache poisoning,’’ in Proc. 15th Annu. Comput. Secur. Appl. Conf. (ACSAC), Dec. 1999, pp. 303–309.
[32] M. G. Gouda and C.-T. Huang, ‘‘A secure address resolution protocol,’’ Comput. Netw., vol. 41, no. 1, pp. 57–71, Jan. 2003.
[33] W. Lootah, W. Enck, and P. McDaniel, ‘‘TARP: Ticket-based address resolution protocol,’’ Comput. Netw., Int. J. Comput. Telecommun. Netw., vol. 51, no. 15, pp. 4322–4337, 2007.
[34] W. Lootah, W. Enck, and P. McDaniel, ‘‘TARP: Ticket-based address resolution protocol,’’ Comput. Netw., vol. 51, no. 15, pp. 4322–4337, Oct. 2007.
[35] D. Bruschi, A. Ornaghi, and E. Rosti, ‘‘S-ARP: A secure address resolution protocol,’’ in Proc. 19th Annu. Comput. Secur. Appl. Conf., Dec. 2003, pp. 66–74.
[36] V. Goyal and R. Tripathy, ‘‘An efficient solution to the ARP cache poisoning problem,’’ in Information Security and Privacy (Lecture Notes in Computer Science). Berlin, Germany: Springer, 2005, pp. 40–51.
[37] F. A. Barbhuiya, S. Biswas, and S. Nandi, ‘‘An active host-based intrusion detection system for ARP-related attacks and its verification,’’ Int. J. Netw. Secur. Appl., vol. 3, no. 3, pp. 163–180, May 2011.
[38] V. Ramachandran and S. Nandi, ‘‘Detecting ARP spoofing: An active technique,’’ in Information Systems Security (Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag, 2005, pp. 239–250.
[39] H.-W. Hsiao, C. S. Lin, and S.-Y. Chang, ‘‘Constructing an ARP attack detection system with SNMP traffic data mining,’’ in Proc. 11th Int. Conf. Electron. Commerce (ICEC), 2009, pp. 341–345.
[40] A. M. Radwan, ‘‘Using IPSec in IPv6 security,’’ in Proc. 4th Int. Multi Conf. Comput. Sci. Inf. Technol. (SIT), 2005, pp. 471–474.
[41] ‘‘IPsec and its use in IPv6 environments,’’ in Security in an IPv6 Environment. 2008, pp. 207–223.
[42] S. Kent and R. Atkinson, Security Architecture for the Internet Protocol, document RFC 2401, 1998.
[43] T. Ylonen, The Secure Shell (SSH) Protocol Architecture, document RFC 4251, 2006.
[44] T. Dierks and E. Rescorla, The Transport Layer Security (TLS) Protocol Version 1.1, document RFC 4346, 2006.
[45] J. Ioannidis, ‘‘Why don’t we still have IPsec, dammit,’’ in Proc. Invited Talk USENIX Secur. Symp., Aug. 2002.
[46] C. P. L. Gouvêa and J. López, ‘‘Implementing GCM on ARMv8,’’ in Topics in Cryptology—CT-RSA (Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag, 2015, pp. 167–180.
[47] S. Kent, IP Authentication Header, document RFC 4302, 2005.
[48] S. Kent, IP Encapsulating Security Payload (ESP), document RFC 4303, 2005.
[49] C. Kaufman, Internet Key Exchange (IKEv2) Protocol, document RFC 4306, 2005.
[50] S. Kent and K. Seo, Security Architecture for the Internet Protocol, document RFC 4301, 2005.
[51] J. M. Kizza, Computer Network Security. New York, NY, USA: Springer-Verlag, 2005.

A. S. A. Mohamed Sid Ahmed et al.: IPv6 NDP Specifications, Threats and Countermeasures: A Survey

[52] R. Hassan, A. S. Ahmed, N. E. Othman, and S. Sami, ‘‘Enhanced encapsulated security payload a new mechanism to secure Internet protocol version 6 over Internet protocol version 4,’’ J. Comput. Sci., vol. 10, no. 7, pp. 1344–1354, Jan. 2014.
[53] R. Hassan and A. S. Ahmed, ‘‘Avoiding spoofing threat in IPv6 tunnel by enhancing IPsec,’’ Int. J. Advancements Comput. Technol., vol. 5, no. 5, pp. 1241–1250, 2013.
[54] S. Chiu and E. Gamess, ‘‘A free and didactic implementation of the SEND protocol for IPv6,’’ in Machine Learning and Systems Engineering (Lecture Notes in Electrical Engineering). Dordrecht, The Netherlands: Springer, 2010, pp. 451–463.
[55] J. Arkko, T. Aura, J. Kempf, V.-M. Mäntylä, P. Nikander, and M. Roe, ‘‘Securing IPv6 neighbor and router discovery,’’ in Proc. ACM Workshop Wireless Secur. (WiSE), 2002, pp. 77–86.
[56] P. Nikander, ‘‘Denial-of-service, address ownership, and early authentication in the IPv6 world,’’ in Security Protocols (Lecture Notes in Computer Science). Berlin, Germany: Springer, 2002, pp. 12–21.
[57] J. Arkko and P. Nikander, ‘‘Limitations of IPsec policy mechanisms,’’ in Security Protocols (Lecture Notes in Computer Science). Berlin, Germany: Springer, 2005, pp. 241–251.
[58] M. Blaze, ‘‘Efficient, DoS-resistant, secure key exchange for Internet protocols,’’ in Security Protocols (Lecture Notes in Computer Science). New York, NY, USA: ACM, 2002, pp. 40–48.
[59] H. C. Liu and Q. G. Dai, ‘‘Design of security neighbor discovery protocol,’’ in Proc. Int. Conf. Commun. Syst. Netw. Technol., Apr. 2013, pp. 538–541.
[60] T. Kim, I. Kim, Z. Zhen, J. H. Kim, G. Gyeong, and Y. I. Eom, ‘‘A cooperative authentication of IPsec and SEND mechanisms in IPv6 environments,’’ in Proc. Int. Conf. Adv. Lang. Process. Web Inf. Technol., Jul. 2008, pp. 418–423.
[61] A. Alsa’deh, H. Rafiee, and C. Meinel, ‘‘SEcure neighbor discovery: A cryptographic solution for securing IPv6 local link operations,’’ in Proc. Theory Pract. Cryptogr. Solutions Secure Inf. Syst., 2013, pp. 178–198.
[62] Y. E. Gelogo, R. D. Caytiles, and B. Park, ‘‘Threats and security analysis for enhanced secure neighbor discovery protocol (SEND) of IPv6 NDP security,’’ Int. J. Control Autom., vol. 4, no. 4, pp. 179–184, 2011.
[63] C. Castelluccia, ‘‘Cryptographically generated addresses for constrained devices,’’ Wireless Pers. Commun., vol. 29, nos. 3–4, pp. 221–232, Jun. 2004.
[64] G. An, K. Kim, J. Jang, and Y. Jeon, ‘‘Analysis of SEND protocol through implementation and simulation,’’ in Proc. Int. Conf. Converg. Inf. Technol. (ICCIT), 2007, pp. 670–676.
[65] S. Sarma, ‘‘Securing IPv6’s neighbour and router discovery, using locally authentication process,’’ IOSR J. Comput. Eng., vol. 16, no. 3, pp. 22–31, 2014.
[66] H. Rafiee, A. Alsa’deh, and C. Meinel, ‘‘WinSEND,’’ in Proc. 4th Int. Conf. Secur. Inf. Netw. (SIN), 2011, p. 243.
[67] M. N. Doja and R. Saggar, ‘‘Securing IPv6’s neighbour discovery, using locally authentication process,’’ Int. J. Comput. Eng. Res., vol. 2, no. 5, pp. 1234–1242, 2012.
[68] J. Kempf, J. Wood, Z. Ramzan, and C. Gentry, ‘‘IP address authorization for secure address proxying using multi-key CGAs and ring signatures,’’ in Advances in Information and Computer Security (Lecture Notes in Computer Science). Berlin, Germany: Springer-Verlag, 2006, pp. 196–211.
[69] J. H. Park, K. H. Choi, J. S. Kim, C. I. Cho, H. J. Jang, and E. G. Im, ‘‘A survey of the secure neighbor discovery (SEND) and multi-key cryptographically generated addresses (MCGAs),’’ in Proc. 9th Int. Conf. Adv. Commun. Technol., 2007, pp. 2124–2127.
[70] T. Cheneau and M. Laurent, ‘‘Using SEND signature algorithm agility and multiple-key CGA to secure proxy neighbor discovery and anycast addressing,’’ in Proc. Conf. Netw. Inf. Syst. Secur., 2011, pp. 1–7.
[71] M. Huang, J. Liu, and Y. Zhou, ‘‘An improved SEND protocol against DoS attacks in mobile IPv6 environment,’’ in Proc. IEEE Int. Conf. Netw. Infrastruct. Dig. Content, Nov. 2009, pp. 232–235.
[72] H. Oh and K. Chae, ‘‘An efficient security management in IPv6 network via MCGA,’’ in Proc. 9th Int. Conf. Adv. Commun. Technol., Feb. 2007, pp. 1179–1181.
[73] V. Vasić, A. Kukec, and M. Mikuc, ‘‘Deploying new hash algorithms in secure neighbor discovery,’’ in Proc. 19th Int. Conf. Softw., Telecommun. Comput. Netw. (SoftCOM), Sep. 2011, pp. 1–5.

[74] J. W. Bos, O. Özen, and J.-P. Hubaux, ‘‘Analysis and optimization of cryptographically generated addresses,’’ in Information Security (Lecture Notes in Computer Science). Berlin, Germany: Springer, 2009, pp. 17–32.
[75] S. Qadir and M. U. Siddiqi, ‘‘Cryptographically generated addresses (CGAs): A survey and an analysis of performance for use in mobile environment,’’ IJCSNS Int. J. Comput. Sci. Netw. Secur., vol. 11, no. 2, pp. 24–31, 2011.
[76] J. Arkko, J. Kempf, B. Zill, and P. Nikander, Secure Neighbor Discovery (SEND), document RFC 3971, 2005.
[77] A. Alsa’deh, H. Rafiee, and C. Meinel, ‘‘Stopping time condition for practical IPv6 cryptographically generated addresses,’’ in Proc. Int. Conf. Inf. Netw., 2012, pp. 257–262.
[78] H. Rafiee, A. Alsa’deh, and C. Meinel, ‘‘Multicore-based auto-scaling SEcure neighbor discovery for windows operating systems,’’ in Proc. Int. Conf. Inf. Netw., 2012, pp. 269–274.
[79] A. Alsadeh, H. Rafiee, and C. Meinel, ‘‘Cryptographically generated addresses (CGAs): Possible attacks and proposed mitigation approaches,’’ in Proc. IEEE 12th Int. Conf. Comput. Inf. Technol., 2012, pp. 332–339.
[80] T. Cheneau, A. Boudguiga, and M. Laurent, ‘‘Significantly improved performances of the cryptographically generated addresses thanks to ECC and GPGPU,’’ Comput. Secur., vol. 29, no. 4, pp. 419–431, Jun. 2010.
[81] S. Guangxue, W. Wendong, G. Xiangyang, Q. Xirong, J. Sheng, and G. Xuesong, ‘‘A quick CGA generation method,’’ in Proc. 2nd Int. Conf. Future Comput. Commun., 2010, pp. V1-769–V1-773.
[82] M. Moslehpour and S. Khorsandi, ‘‘Improving cryptographically generated address algorithm in IPv6 secure neighbor discovery protocol through trust management,’’ in Proc. 18th Int. Conf. Inf. Commun. Secur. (ICICS), 2016, pp. 1–5.
[83] G. An and K. Kim, ‘‘Real-time IP checking and packet marking for preventing ND-DoS attack employing fake source IP in IPv6 LAN,’’ in Autonomic and Trusted Computing (Lecture Notes in Computer Science). Berlin, Germany: Springer, 2008, pp. 36–46.
[84] S. Praptodiyono, R. K. Murugesan, A. Osman, and S. Ramadass, ‘‘Security mechanism for IPv6 router discovery based on distributed trust management,’’ in Proc. IEEE Int. Conf. RFID-Technol. Appl. (RFID-TA), Sep. 2013, pp. 1–6.
[85] G. Bansal, N. Kumar, S. Nandi, and S. Biswas, ‘‘Detection of NDP based attacks using MLD,’’ in Proc. 5th Int. Conf. Secur. Inf. Netw. (SIN), 2012, pp. 163–167.
[86] F. Beck, T. Cholez, O. Festor, and I. Chrisment, ‘‘Monitoring the neighbor discovery protocol,’’ in Proc. Int. Multi-Conf. Comput. Global Inf. Technol. (ICCGI), 2007, p. 57.
[87] P. Mutaf and C. Castelluccia, ‘‘Compact neighbor discovery: A bandwidth defense through bandwidth optimization,’’ in Proc. IEEE 24th Annu. Joint Conf. Comput. Commun. Soc., vol. 4, Mar. 2005, pp. 2711–2719.
[88] F. A. Barbhuiya, S. Biswas, and S. Nandi, ‘‘Detection of neighbor solicitation and advertisement spoofing in IPv6 neighbor discovery protocol,’’ in Proc. 4th Int. Conf. Secur. Inf. Netw. (SIN), 2011, pp. 111–118.
[89] J. Zhang, J. Liu, Z. Xu, J. Li, and X.-M. Ye, ‘‘TRDP: A trusted router discovery protocol,’’ in Proc. Int. Symp. Commun. Inf. Technol., 2007, pp. 660–665.
[90] J. L. Shah, ‘‘A novel approach for securing IPv6 link local communication,’’ Inf. Secur. J., A Global Perspect., vol. 25, nos. 1–3, pp. 136–150, Apr. 2016.
[91] H. Rafiee and C. Meinel, ‘‘SSAS: A simple secure addressing scheme for IPv6 autoconfiguration,’’ in Proc. 11th Annu. Conf. Privacy, Secur. Trust, Jul. 2013, pp. 275–282.
[92] A. Kukec, M. Bagnulo, and M. Mikuc, ‘‘SEND-based source address validation for IPv6,’’ in Proc. 10th Int. Conf. Telecommun. (ConTEL), Jun. 2009, pp. 199–204.
[93] G. Yao, J. Bi, S. Wang, Y. Zhang, and Y. Li, ‘‘A pull model IPv6 duplicate address detection,’’ in Proc. IEEE 35th Conf. Local Comput. Netw., Oct. 2010, pp. 372–375.
[94] N. Kumar, G. Bansal, S. Biswas, and S. Nandi, ‘‘Host based IDS for NDP related attacks: NS and NA Spoofing,’’ in Proc. Annu. IEEE India Conf. (INDICON), Dec. 2013, pp. 1–6.
[95] J. L. Shah and J. Parvez, ‘‘Optimizing security and address configuration in IPv6 SLAAC,’’ Proc. Comput. Sci., vol. 54, pp. 177–185, Jan. 2015.


[96] G. Song and Z. Ji, ‘‘Novel duplicate address detection with hash function,’’ PLoS ONE, vol. 11, no. 3, p. e0151612, 2016.
[97] F. Najjar, M. Kadhum, and H. El-Taj, ‘‘Neighbor discovery protocol anomaly detection using finite state machine and strict anomaly detection,’’ in Proc. 4th Int. Conf. Internet Appl., Protocols Ser. (NETAPPS), 2015, pp. 967–978.
[98] S. U. Rehman and S. Manickam, ‘‘Novel mechanism to prevent denial of service (DoS) attacks in IPv6 duplicate address detection process,’’ Int. J. Secur. Appl., vol. 10, no. 4, pp. 143–154, Apr. 2016.
[99] S. U. Rehman and S. Manickam, ‘‘Rule-based mechanism to detect denial of service (DoS) attacks on duplicate address detection process in IPv6 link local communication,’’ in Proc. 4th Int. Conf. Rel., Infocom Technol. Opt. (ICRITO), 2015, pp. 1–6.
[100] S. Praptodiyono, R. K. Murugesan, I. H. Hasbullah, C. Y. Wey, M. M. Kadhum, and A. Osman, ‘‘Security mechanism for IPv6 stateless address autoconfiguration,’’ in Proc. Int. Conf. Autom., Cognit. Sci., Opt., Micro Electro-Mech. Syst., Inf. Technol. (ICACOMIT), 2015, pp. 31–36.
[101] S. Praptodiyono, I. H. Hasbullah, M. Anbar, R. K. Murugesan, and A. Osman, ‘‘Improvement of address resolution security in IPv6 local network using trust-ND,’’ TELKOMNIKA Indonesian J. Electr. Eng., vol. 13, no. 1, pp. 195–202, Jan. 2015.
[102] K. Perumal and M. J. P. J. Priya, ‘‘Trust based security enhancement mechanism for neighbor discovery protocol in IPv6,’’ Int. J. Appl. Eng. Res., vol. 11, no. 7, pp. 4787–4796, 2016.
[103] S. U. Rehman and S. Manickam, ‘‘Integrated framework to detect and mitigate denial of service (DoS) attacks on duplicate address detection process in IPv6 link local communication,’’ Int. J. Secur. Appl., vol. 9, no. 11, pp. 77–86, Nov. 2015.
[104] R. M. A. Saad, M. Anbar, S. Manickam, and E. Alomari, ‘‘An intelligent ICMPv6 DDoS flooding-attack detection framework (v6IIDS) using back-propagation neural network,’’ IETE Tech. Rev., vol. 33, no. 3, pp. 244–255, 2015.
[105] T. R. Reshmi, S. M. Manoharan, and K. Murugan, ‘‘Internal hardware states based privacy extension of IPv6 addresses,’’ in Security in Computing and Communications. Berlin, Germany: Springer, 2014, pp. 263–271.
[106] F. Najjar, M. M. Kadhum, and H. El-Taj, ‘‘Detecting neighbor discovery protocol-based flooding attack using machine learning techniques,’’ in Advances in Machine Learning and Signal Processing (Lecture Notes in Electrical Engineering). Cham, Switzerland: Springer, 2016, pp. 129–139.
[107] Y. Lu, M. Wang, and P. Huang, ‘‘An SDN-based authentication mechanism for securing neighbor discovery protocol in IPv6,’’ Secur. Commun. Netw., vol. 2017, Jan. 2017, Art. no. 5838657.
[108] D. Anstee, C. F. Chui, P. Bowen, and G. Sockrider, Worldwide Infrastructure Security Report, vol. 11. Burlington, MA, USA: Arbor Networks.
[109] A. S. Ahmed, N. H. A. Ismail, R. Hassan, and N. E. Othman, ‘‘Balancing performance and security for IPv6 neighbor discovery,’’ Int. J. Appl. Eng. Res., vol. 10, no. 19, pp. 40191–40196, 2015.


AMJED SID AHMED MOHAMED SID AHMED received the bachelor’s degree (Hons.) in computer science from The Future University, Sudan, in 2005, and the master’s degree in information technology (computer science) from Universiti Kebangsaan Malaysia in 2013, where he is currently pursuing the Ph.D. degree in computer networks with the Network and Communication Technology Laboratory, Faculty of Information Science and Technology. He was a Teaching Assistant with The Future University before joining China National Petroleum Corporation, Sudan Branch, as a Network Engineer in 2008. He is currently a Network Engineer. His research interests are computer networks, Internet security, and IPv6 security.

ROSILAH HASSAN was born in Malaysia. She received the first degree in electronic engineering from Hanyang University, Seoul, South Korea, the M.E.E. degree in computer and communication from UKM in 1999, and the Ph.D. degree in mobile communication from the University of Strathclyde, Glasgow, Scotland, in 2008. She was an Engineer with Samsung Electronics Malaysia, Seremban, before joining Universiti Kebangsaan Malaysia (UKM) in 1997. She has been a Senior Lecturer with UKM for more than 20 years. She is currently an Associate Professor with the Faculty of Information Science and Technology (FTSM), Universiti Kebangsaan Malaysia (UKM), and the Head of the Network and Communication Technology Laboratory (NCT Lab), FTSM. She has also been appointed by UKM as the Deputy Director of Academic Entrepreneurship since 2013. Her research interests are mobile communication, networking, and academic entrepreneurship.

NOR EFFENDY OTHMAN received the degree in electrical and electronic engineering from Universiti Kebangsaan Malaysia (UKM) in 2006 and the Ph.D. degree in computer science from Trinity College Dublin in 2013. He is currently a Senior Lecturer with the Faculty of Information Science and Technology (FTSM), UKM, and a Principal Researcher with the Network and Communication Technology Laboratory, FTSM, UKM.

VOLUME 5, 2017
