earticle

영어

In addition to addressing the scarcity of IP address space, Internet Protocol version 6 (IPv6) also addressed some of the shortcomings of Internet Protocol version 4(IPv4). These include neighbor discovery, address auto-configuration, and others. Many of this message exchange are done via the Internet Control Message Protocol (ICMP) and the use of this protocol in the IPv6 paradigm, i.e. ICMPv6 plays a bigger role compared to ICMPv4. One of the key process that is carried during neighbor discovery process is to check if the address generated already exists. This process is called the Duplicate Address Detection (DAD). Nevertheless, the design of this process has led to a severe security vulnerability allowing attackers to easily carry out Denial-of-Service (DoS) attack by causing every address generated to be a duplicate leading to new hosts unable to join the network. Various techniques and mechanisms have been introduced to address this vulnerability such as NDPMon, SeND, and SAVA. Nevertheless, these techniques are either not robust or have performance implications vis-à-vis with the DAD DoS detection and mitigation. In this paper, we put forward a novel framework that is able to detect, mitigate DoS attacks while being light-weight at the same time.