Secure the IPv6 Network Access with SEcure Neighbor Discovery (SEND, rfc3971 and CGA, rfc3972)


IPv6 Nodes on the same link use NDP (rfc4861) to discover each other’s presence and link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors.  Both hosts and routers use NDP.  Its functions include Neighbor Discovery (ND), Router Discovery (RD), Address Autoconfiguration, Address Resolution, Neighbor Unreachability Detection (NUD), Duplicate Address Detection (DAD), and Redirection.

If not secured, NDP is vulnerable to various attacks. SEND specifies security mechanisms for NDP.  Unlike those in the original NDP specifications, these mechanisms do not use IPsec.

The document « IPv6 Neighbor Discovery (ND) Trust Models and Threats, rfc3756 » specifies three different trust models and discusses the threats pertinent to IPv6 Neighbor Discovery. Its purpose is to define the requirements for SEND. It describes all the possible attacks on Neighbor Discovery and should be understood to start studying SEND.

Another RFC is dedicated to the Rogue IPv6 Router Advertisement, this is rfc6104. It provides many possible answers to this problem including SEND.

To complement SEND, the RA Guard feature, proposed in rfc6105 supports SEND on Layer 2 switches. The switch is then responsible to block the invalid RA. The benefit of RA Guard is that hosts don’t have to care about SEND, the switches do.


SEND Components

SEND, rfc3971 introduces four new ND options (CGA, RSA Signature, Nonce and Timestamp) and two new ND Protocol Data Unit messages (Certificate Path Solicitation, Certificate Path Advertisements).

Cryptographically Generated Addresses are used to make sure that the sender of a Neighbor Discovery message is the “owner” of the claimed address. All nodes generate a public-private key pair before they can claim an address. A new NDP option, the CGA option, is used to carry the public key and the associated parameters. CGA are described in a separate RFC, rfc3972.

Authorization Delegation Discovery is used to certify the authority of routers. The receipt of a Router Advertisement message triggers the sending of a Certificate Path Solicitation (CPS) message from the host to the router. The router answers with a Certificate Path Advertisement (CPA) message containing its X.509 Certificate. If the Certificate comes from an authority that is trusted by the host, the Router Advertisement is validated otherwise it is rejected.

A new NDP option, the RSA Signature option is used to protect all messages relating to Neighbor and Router Discovery.

Two new options, Nonce and Timestamp are used against replay attacks. Nonce is used to associate a Solicitation with a Reply message. Timestamp option is used to prevent any replay attack with unsolicited multicast advertisements.



SEND is a very strong security protocol which could make of IPv6 the safest protocol in the world! But SEND is also found non-trivial to deploy as it needs both time synchronization among hosts and routers and PKI Architecture for X.509 Certificates.

RA Guard could help SEND deployment with the help of Layer 2 switches.

SEND is only implemented in CISCO IOS and Linux so far.






Fred Bovy, CCIE #3013
Fast Lane’s Resident IPv6 Guru

(Visited 712 times, 1 visits today)

Leave a Reply