An SDN-Based Authentication Mechanism for Securing Neighbor Discovery Protocol in IPv6

The Neighbor Discovery Protocol (NDP) is one of the main protocols in the Internet Protocol version 6 (IPv6) suite, and it provides many basic functions for the normal operation of IPv6 in a local area network (LAN), such as address autoconfiguration and address resolution. However, it has many vulnerabilities that can be used by malicious nodes to launch attacks, because the NDP messages are easily spoofed without protection. Surrounding this problem, many solutions have been proposed for securing NDP, but these solutions either proposed new protocols that need to be supported by all nodes or built mechanisms that require the cooperation of all nodes, which is inevitable in the traditional distributed networks. Nevertheless, Software-Defined Networking (SDN) provides a new perspective to think about protecting NDP. In this paper, we proposed an SDN-based authentication mechanism to verify the identity of NDP packets transmitted in a LAN. Using the centralized control and programmability of SDN, it can effectively prevent the spoofing attacks and other derived attacks based on spoofing. In addition, this mechanism needs no additional protocol supporting or configuration at hosts and routers and does not introduce any dedicated devices.