Article

Review of Security Research on Address Resolution Protocols


Abstract

Address resolution protocols (ARPs, including ARP, NDP, SEND, etc.) play an important role in network communication, and their security is a precondition for network security. ARPs consist of three phases: acquiring the mapping for a target address, duplicate address detection, and data-structure maintenance. In this paper we analyze the existing ARPs according to these three phases, analyze the security threats and the corresponding attack methods at each phase, and classify and describe the existing studies on ARP security. Our analysis shows that the main factors restricting the development of ARPs are the tension between efficiency and cost and the lack of theoretical support in protocol design. Finally, we outline prospects for the development of ARPs.

Conference Paper
Full-text available
Address Resolution Protocol (ARP) is fundamental and one of the most frequently used protocols involved in computer communications. Within a LAN, ARP messages are used to resolve IP addresses into corresponding MAC addresses. Nevertheless, some of the limitations within this protocol make it rather vulnerable. The two most prominent limitations are the unauthenticated and stateless nature of ARP. Attackers can easily exploit these loopholes for their personal gain. ARP poisoning is considered one of the basic attacks which is utilized to launch higher level attacks. Several solutions have been proposed in the literature to detect and prevent these attacks. However, all of the proposed solutions are limited to a certain extent. Some solutions are effective in a special set of scenarios while others are rather suited for scenarios belonging to a different band. As new techniques of ARP poisoning have evolved with time, researchers are getting motivated to propose new solutions. In this paper, we have presented a comparative analysis of different proposed solutions which are rather popular in the literature. We have compared different mitigation techniques based on some of the important factors that are considered as limitations to the proposed solutions. These factors are derived from the scenarios which are possible within a LAN when an ARP Poisoning attack is launched. A brief tabular format is likewise introduced in this paper which offers a fast overview of comparison between different proposed schemes. This comparative study can further be used to offer and build up a more efficient and effective scheme which, on one hand, enjoys the combined advantage of different mitigation techniques and on the other hand, does not hold the old limitations.
Article
Full-text available
Neighbor Discovery Protocol (NDP) is one of the main protocols in IPv6 suite. However, it has no security mechanisms and is vulnerable to various attacks. Using an RSA key pair, cryptographically generated addresses, a digital signature, and X.509 certificates, Secure Neighbor Discovery (SEND) is designed to countermeasure NDP threats. Unfortunately, SEND deployment is still a challenge for several reasons. First, SEND is compute intensive. Second, its deployment isn't trivial, and its authorization delegation discovery mechanism is theoretical rather than practical. Third, operating systems lack sophisticated SEND implementations. In this article, the authors give an overview of the SEND deployment challenges and review some of the proposals to optimize SEND to make it applicable.
Article
Full-text available
Cryptographically Generated Addresses (CGA) are employed as an authentication mechanism in IPv6 networks to realize proof of address ownership without relying on any trust authority. The security parameter (Sec) indicates the security level of the CGA address. For Sec values greater than zero, there is no guarantee that the brute-force search stops after a certain time. The address generator tries different values of Modifier until the (16×Sec) leftmost bits of the second hash (Hash2) compute to zero. This paper proposes some modifications to the standard CGA "RFC 3972" in order to limit the time that CGA generation may take. The modified CGA generation algorithm takes the upper bound of CGA running time as an input, and the Sec value is determined as an output of the brute-force computations. The modified CGA keeps track of the best Hash2 value found during the running time. The paper also proposes to reduce the granularity of the security level from "16" to "8", to increase the chance of a better Sec value within the time limit. We call the modified CGA Time-Based CGA (TB-CGA). The implementation and evaluation of TB-CGA are done in this paper.
Article
Full-text available
SEcure Neighbor Discovery (SEND) is proposed to counter IPv6 Neighbor Discovery Protocol (NDP) security threats. However, SEND is compute-intensive. Fulfilling Hash2 condition in Cryptographically Generated Addresses (CGA) is the main heavy part of SEND. Unfortunately, CGA computation cannot see significant speed improvement when it runs on multicore machine because CGA generation algorithm is sequential. In this paper, we propose a multicore-based high performance SEND implementation for Windows families to speed up SEND computations. The proposed approach automatically detects the number of processors available on a machine and creates equivalent number of working threads to compute Hash2 condition. The parallelization mechanism is implemented to assign CGA computation to all the cores. When one thread satisfies CGA Hash2 condition, the others stop. With the parallel approach, the speedup time has been increased extremely by increasing the number of cores in the computing device. Besides the parallelization, we extend SEND implementation to generate the key pair for CGA algorithm on-the-fly to enhance the security and to protect the privacy.
Conference Paper
Full-text available
ARP cache poisoning is considered to be one of the easiest and dangerous attacks in local area networks. This paper proposes a solution to the ARP poisoning problem by extending the current ARP protocol implementation. Instead of the traditional stateless ARP cache, we use a stateful ARP cache in order to manage and secure the ARP cache. We also use a novel Fuzzy Logic approach to differentiate between normal and malicious ARP replies. The Fuzzy Logic controller uses a dynamically populated data base that adapts to network changes. The limits of the current approaches are discussed and analyzed.
Article
Full-text available
In this letter, an enhanced version of Address Resolution Protocol (ARP) is proposed to prevent ARP poisoning-based Man-in-the-Middle (MITM) attacks. The proposed mechanism is based on the following concept. When a node knows the correct Media Access Control (MAC) address for a given IP address, if it retains the IP/MAC address mapping while that machine is alive, then MITM attack is impossible for that IP address. In order to prevent MITM attacks even for a new IP address, a voting-based resolution mechanism is proposed. The proposed scheme is backward compatible with existing ARP and incrementally deployable.
Conference Paper
Full-text available
The current Internet addressing architecture does not verify the source address of a packet received and forwarded. This causes serious security and accounting problems. Based on the drastically increased IPv6 address space, a "source address validation architecture" (SAVA) is proposed in this paper, which can guarantee that every packet received and forwarded holds an authenticated source IP address. The design goals of the architecture are lightweight, loose coupling, "multi-fence support" and incremental deployment. This paper discusses the details of design and implementation for the architecture, including inter-AS, intra-AS and local subnet. This architecture is deployed into the CNGI-CERNET2 infrastructure, a large-scale native IPv6 backbone network of the China Next Generation Internet project. We believe that the source address validation architecture will help the transition to a new, more secure and sustainable Internet.
Conference Paper
Full-text available
Tapping into the communication between two hosts on a LAN has become quite simple thanks to tools that can be downloaded from the Internet. Such tools use the address resolution protocol (ARP) poisoning technique, which relies on hosts caching reply messages even though the corresponding requests were never sent. Since no message authentication is provided, any host of the LAN can forge a message containing malicious information. We present a secure version of ARP that provides protection against ARP poisoning. Each host has a public/private key pair certified by a local trusted party on the LAN, which acts as a certification authority. Messages are digitally signed by the sender, thus preventing the injection of spurious and/or spoofed information. As a proof of concept, the proposed solution was implemented on a Linux box. Performance measurements show that PKI based strong authentication is feasible to secure even low level protocols, as long as the overhead for key validity verification is kept small.
Article
CGAs are cryptographically generated IPv6 addresses and are one of the most novel features introduced in IPv6. They have the promising potential of being the basis of authentication mechanisms for Mobile IPv6 because they do not require hosts to share information or security infrastructure. A mobile environment however has several resource constraints that must be considered before any mechanism can be deemed feasible. This paper undertakes to survey all the work done on CGAs and their performance. The goal is to identify and discuss parameters that have an impact on performance (e.g. the public-key cryptosystem being used). This should help in proposing possible modifications and parameters to ease the adoption of CGAs in a mobile environment. As a starting point, the CGA generation and verification algorithms are implemented with the help of a cryptographic library designed especially for embedded systems. An evaluation of the performance of this implementation is undertaken and a comparison is made with the results reported in previous studies. Based on this, a recommendation is made for the parameters that should be used by mobile nodes when using CGAs. The long-term modification that has the most potential for improving the performance of CGAs in a resource-limited setup is also identified.
Article
The next generation Internet is highly concerned with the issue of trustworthiness. An important foundation of trustworthiness is authentication of the source IP address. Existing signature-and-verification based defense mechanisms lack a hierarchical architecture, which makes the structure of the trust alliance excessively flat and single. Moreover, with the increasing scale of trust alliances, costs of validation grow so quickly that they do not adapt to incremental deployment. Via comparison with traditional solutions, this paper proposes a hierarchical, inter-domain authenticated source address validation solution named Hidasav. Hidasav employs two intelligent designs, lightweight tag replacement and a hierarchical partitioning scheme, each of which helps to ensure that Hidasav can construct trustworthy and hierarchical trust alliances without negative influences and complex operations on de facto networks. Experiments in CNGI also indicate that Hidasav can effectively achieve the design goals of a hierarchical architecture, along with lightweight, loose coupling and "multi-fence support" as well as supporting incremental deployment.
Article
The exploitation of a network system's vulnerabilities results in a security breach, whose likelihood is reflected by the exploitation cost of the vulnerabilities. This paper proposes an Evaluation Model of Vulnerability Exploitation Cost (EMVEC) for network systems. It analyzes the attributes of a network system and locates the correlated vulnerabilities arising from inter-connections among hosts. Based on the correlating method of action rules, it constructs a transition graph of system states to represent the vulnerable conditions of the network system. From this, it computes the Expectation of Exploitation Cost of vulnerabilities, i.e., the cost of successfully exploiting vulnerabilities of the system to cause a security breach, with the intention of evaluating the vulnerable extent of the network system.
Article
With recent advances in network based technology and the increased dependence of everyday life on this technology, assuring reliable operation of network based systems is very important. During recent years, the number of attacks on networks has dramatically increased and consequently interest in network intrusion detection and response has increased among researchers. But as other network security technologies are being widely applied and achieving good results, intrusion detection and response technology is lagging. One reason is that current intrusion detection technology is limited in the detecting algorithm itself; the other is that the system's incentive and the alternation of the attacker's strategies are not taken into consideration sufficiently in current alert response research. A dynamic intrusion response model based on game theory (DIRBGT) is proposed to solve the second problem. On the one hand, DIRBGT takes account of the incentives of system and attacker across the board, so the incentive of the system can be assured. On the other hand, it deals well with the attacker's intent and alternation of strategies, so the optimal answer is stable and reliable, while the optimal responses inferred from systems alone are unstable. The experimental results show that the DIRBGT model can effectively improve the accuracy and effectiveness of alert response.
Article
To evaluate the security of network information systems and perform active defense, this paper presents some models including defense graph model, attack-defense taxonomy and cost quantitative method, and Attack-Defense Game (ADG) model. Algorithms for selecting optimizing active defense strategy based on those models are proposed and analyzed in a representative network example. Results indicate that the models and methods are effective and efficient.
Article
To assess the security risk of network information systems, this paper proposes a risk propagation model including a risk network and a risk propagation algorithm. A representative example is given to illustrate the application of this model to network risk assessment and validate the correctness of the propagation algorithm. The analysis of the example indicates that the evaluating method using the risk propagation model is superior to the traditional methods in the accuracy of evaluating conclusions and making cost-effective security advices.
Conference Paper
With the deployment of IPv6 and the rising threat of ND security issues, SEND needs to be deployed in subnets. SEND binds the node's identifier to its IP address and adds a digital signature to its messages to resist hijacking and man-in-the-middle attacks. However, during the transition stage, the coexistence of ND and SEND may cause security issues. This paper analyzes the specific security vulnerabilities in the mixed environment of SEND and ND, and proposes a routing attack in the coexistence environment which takes advantage of the source address selection algorithm to induce the host to send packets through the unsecured addresses and routers, in order to bypass the protection of router advertisements and the authentication of router identity by the SEND option. The research in this paper will help the wide deployment of the SEND mechanism and provide protection for IPv6 subnets.
Conference Paper
The Man-in-the-Middle (MITM) attack on ARP is presently a common attack and nuisance in the typical LAN environment. This type of MITM is brought about by ARP cache poisoning, which is achieved using forged ARP packets. ARP poisoning is a mechanism in which a node poisons the ARP cache table of another node, forcing it to send packets to a destination other than the intended one. This paper presents a feasible solution to ARP cache poisoning, removing inconsistencies from the ARP tables of all hosts in the network. This paper uses a centralized system and an ARP Central Server (ACS) to manage ARP table entries in all hosts. All hosts in the network use the ACS to validate their ARP table entries. The ACS validates and corrects the poisoned ARP entries of the attacked hosts and hence prevents ARP poisoning in the network.
Conference Paper
In today's competitive world, consideration of maintaining the security of information is a must. Nowadays the LAN is generally the most common and popular network domain. Network domains are always prone to a number of network attacks. One of the most dangerous forms of such network attacks is ARP Cache Poisoning, also known as ARP Spoofing. ARP is a stateless protocol, and ARP Spoofing takes place mainly because it lacks any mechanism for verifying the identity of the sending host. It has been seen that most LAN attacks result from ARP Spoofing. So prevention, detection and mitigation of this problem can stop a number of network attacks. ARP Spoofing is the act of maliciously changing the IP-MAC associations stored in the ARP cache of any network host. In this paper we have proposed a probe based technique with an Enhanced Spoof Detection Engine (E-SDE) which not only detects ARP Spoofing but also identifies the genuine IP-MAC association. ARP and ICMP packets have been used as probe packets. The working of E-SDE is explained with the help of an algorithm. We have also proposed an attacking model to clearly understand the incremental development of E-SDE to work effectively against most types of attackers. We have also measured the network traffic added by the proposed technique.
Article
Address resolution protocol (ARP) is widely used to maintain mapping between data link (e.g. MAC) and network (e.g. IP) layer addresses. Although most hosts rely on automated and dynamic management of ARP cache entries, current implementation is well-known to be vulnerable to spoofing or denial of service (DoS) attacks. There are many tools that exploit vulnerabilities of ARP protocols, and past proposals to address the weaknesses of the `original` ARP design have been unsatisfactory. Suggestions that ARP protocol definition be modified would cause serious and unacceptable compatibility problems. Other proposals require customised hardware be installed to monitor malicious ARP traffic, and many organisations cannot afford such cost. This study demonstrates that one can effectively eliminate most threats caused by the ARP vulnerabilities by installing anti-ARP spoofing agent (ASA), which intercepts unauthenticated exchange of ARP packets and blocks potentially insecure communications. The proposed approach requires neither modification of kernel ARP software nor installation of traffic monitors. Agent uses user datagram protocol (UDP) packets to enable networking among hosts in a transparent and secure manner. The authors implemented agent software on Windows XP and conducted an experiment. The results showed that ARP hacking tools could not penetrate hosts protected by ASA.
Article
In this article we describe Source Address Validation Implementation (SAVI), a security architecture being standardized by the IETF to prevent source address spoofing within a link. SAVI devices, usually layer 2 switches, create bindings between the IP address of a node and a property of the host¿s network attachment, such as the port through which the packet is received. Bindings are created by monitoring the packet exchange associated with IP address configuration mechanisms such as DHCP, SLAAC, or SEND. SAVI devices filter out packets whose source IP address does not match with an existing binding.
Article
We propose an integrated approach to protect from address spoofing for both IPv6 and Layer-2 addresses, and from address resolution attacks. The proposed approach is an extension to the FCFS SAVI specification, and relies on the inspection and generation of standard Neighbor Solicitation messages. It does not require host modification and manual configuration is only needed to indicate the ports to which routers connect.
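The binding-and-filter mechanism the two SAVI abstracts above describe, as an added toy implementation (this is not the IETF SAVI specification, the FCFS SAVI extension, or any switch vendor's code). A host's DAD Neighbor Solicitation creates a tentative binding between the target address and the ingress port; the binding becomes valid after the DAD window passes; data packets are then forwarded only if their source address is bound to the port they arrived on, and router-facing ports are configured as trusted and bypass the check. The class and method names, the state names, the DAD window length and the timestamps passed in by the caller are all assumptions of this example; defending Neighbor Advertisements and the switch's own verification NS are not modelled.

```python
"""Toy FCFS SAVI binding table for a layer-2 switch (added example)."""
import ipaddress

TENTATIVE, VALID = "TENTATIVE", "VALID"   # assumed state names


class FcfsSaviSwitch:
    def __init__(self, trusted_ports=(), dad_window=1.0):
        self.trusted = set(trusted_ports)     # ports facing routers: never filtered
        self.dad_window = dad_window          # assumed DAD wait before a binding is VALID
        self.bindings = {}                    # IPv6Address -> {"port", "state", "since"}
        self.events = []                      # audit log of rejected claims / dropped packets

    def _promote(self, now):
        """A tentative binding that survived the DAD window becomes VALID."""
        for binding in self.bindings.values():
            if binding["state"] == TENTATIVE and now - binding["since"] >= self.dad_window:
                binding["state"] = VALID

    def on_dad_ns(self, port, target, now):
        """A DAD Neighbor Solicitation from `port` claiming `target`.

        First-Come-First-Served: the first port to claim an address keeps it; a
        later claim for the same address from another port is rejected, which
        is what stops a host from taking over a neighbour's address."""
        self._promote(now)
        ip = ipaddress.IPv6Address(target)
        current = self.bindings.get(ip)
        if current is None:
            self.bindings[ip] = {"port": port, "state": TENTATIVE, "since": now}
            return "tentative"
        if current["port"] == port:
            return "refresh"
        self.events.append(("dad_rejected", str(ip), current["port"], port))
        return "reject"

    def filter_packet(self, port, src, now):
        """Data-plane check: allow only if `src` is validly bound to `port`."""
        self._promote(now)
        if port in self.trusted:
            return "allow"
        binding = self.bindings.get(ipaddress.IPv6Address(src))
        if binding and binding["port"] == port and binding["state"] == VALID:
            return "allow"
        self.events.append(("spoof_dropped", src, port))
        return "drop"

    def on_port_down(self, port):
        """Link loss removes every binding anchored to that port."""
        for ip in [ip for ip, b in self.bindings.items() if b["port"] == port]:
            del self.bindings[ip]


if __name__ == "__main__":
    # Constructed scenario: host on p1 configures an address, host on p2 tries to spoof it.
    sw = FcfsSaviSwitch(trusted_ports={"uplink"})
    print(sw.on_dad_ns("p1", "2001:db8::1", 0.0))          # tentative
    print(sw.filter_packet("p1", "2001:db8::1", 2.0))      # allow (window passed)
    print(sw.filter_packet("p2", "2001:db8::1", 2.0))      # drop  (wrong port)
    print(sw.on_dad_ns("p2", "2001:db8::1", 2.5))          # reject (FCFS)
    print(sw.events)
```

Note the ordering the example enforces: traffic from a tentative binding is dropped until the DAD window has elapsed, so a host cannot send with an address it has only just begun to claim, and a port going down drops its bindings so the address can be legitimately re-claimed elsewhere.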
Article
IPv6 uses Neighbor Discovery Protocol (NDP) to perform neighbor discovery in link-local scope. Since NDP itself has no security mechanism, Secure Neighbor Discovery protocol (SEND) is designed to protect NDP. SEND is based on the usage of an asymmetric key pair, and provides security mechanism by using Crypto Generated Address (CGA), digital signature and X.509 certification. Since CGA generation might be a time-consuming process, in this paper we present a modified CGA generation method that allows a newly connected node to generate a CGA address quickly. The method requires adding a key-pair server node to perform a part of CGA generation computation in advance. Since the most time-consuming calculation is performed on the server beforehand, the CGA generation time is shortened significantly.
Article
This document defines a new security precondition for the Session Description Protocol (SDP) precondition framework described in RFCs 3312 and 4032. A security precondition can be used to delay session establishment or modification until media stream security for a secure media stream has been negotiated successfully.
Article
A single physical link can have multiple prefixes assigned to it. In that environment, end hosts might have multiple IP addresses and be required to use them selectively. RFC 3484 defines default source and destination address selection rules and is implemented in a variety of OSs. But, it has been too difficult to use operationally for several reasons. In some environments where multiple prefixes are assigned on a single physical link, the host using the default address selection rules will experience some trouble in communication. This document describes the possible problems that end hosts could encounter in an environment with multiple prefixes.
Article
DoS/DDoS attacks are always among the leading threats to the Internet. With the development of the Internet, IPv6 is inevitably taking the place of IPv4 as the main protocol of the Internet, so the security issues of IPv6 have become a focus of present research. In this paper we mainly focus on the typical DoS/DDoS attacks under IPv6, which include DoS attacks pertinent to the IPv6 Neighbor Discovery protocol and DDoS attacks based on four representative attack modes: TCP-Flood, UDP-Flood, ICMP-Flood and Smurf. We perform these attack experiments under IPv6 with and without IPSec configured. The experiments without IPSec validate the effectiveness of the typical DoS/DDoS attacks under IPv6, and those with IPSec show the effectiveness of IPSec against those attacks whose source addresses are spoofed.
Conference Paper
IPv6 appeared to solve the address exhaustion of IPv4 and to address problems of security and QoS. Unexpected new IPv6 attacks arise alongside the existing IPv4 attacks because of the increase of the address space to 128 bits, the address hierarchies for efficient network management, and the addition of new messages between nodes and routers such as neighbor discovery and address autoconfiguration for various convenient services. For a successful transition from IPv4 to IPv6, we need secure compatibility between IPv6 and IPv4 hosts or routers operating under a secure and systematic policy. The network manager should design security technologies for efficient management in IPv4/IPv6 coexistence networks and IPv6 networks, and a security management framework. In this paper, we inspect the characteristics of IPv4 and IPv6, study the security requirements for efficient security management of various attacks, protocols and services in IPv4/IPv6 coexistence and IPv6 networks, and finally suggest a solution to the security vulnerabilities of IPv6 networks considering MCGA (modified cryptographically generated addresses).
Article
We propose an architecture for securely resolving IP addresses into hardware addresses over an Ethernet. The proposed architecture consists of a secure server connected to the Ethernet and two protocols: an invite–accept protocol and a request–reply protocol. Each computer connected to the Ethernet can use the invite–accept protocol to periodically record its IP address and its hardware address in the database of the secure server. Each computer can later use the request–reply protocol to obtain the hardware address of any other computer connected to the Ethernet from the database of the secure server. These two protocols are designed to overcome the actions of any adversary that can lose sent messages, arbitrarily modify the fields of sent messages, and replay old messages.
Conference Paper
Local Area Network (LAN) based attacks are caused by compromised hosts in the LAN and mainly involve spoofing with falsified IP-MAC pairs. Since Address Resolution Protocol (ARP) is a stateless protocol such attacks are possible. Several schemes have been proposed in the literature to circumvent these attacks; however, these techniques either make IP-MAC pairing static, modify the existing ARP, patch the operating systems of all the hosts, etc. In this paper we propose a Discrete Event System (DES) approach for detecting ARP spoofing attacks. This approach does not require any extra constraint like static IP-MAC or changing ARP.
Conference Paper
Cryptographically generated addresses (CGA) are IPv6 addresses in which some address bits are generated by hashing the address owner's public key. The address owner uses the corresponding private key to assert address ownership and to sign messages sent from the address without a PKI or other security infrastructure. This paper describes a generic CGA format that can be used in multiple applications. Our focus is on removing weaknesses of earlier proposals and on the ease of implementation. A major contribution of this paper is a hash extension technique that increases the effective hash length beyond the 64-bit limit of earlier proposals.
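The CGA mechanism that several abstracts above build on (the RFC 3972 Hash2 condition and its Sec parameter, the time-bounded TB-CGA search that turns Sec into an output, the parallel and server-assisted generators that only speed up the same modifier search, and the hash extension that this paper introduces), as one added worked example. This is not code from RFC 3972 or from any of the papers listed; it follows the RFC 3972 construction (SHA-1, 16-octet modifier, Sec in the top three bits of the interface identifier, u/g bits cleared) but omits the optional extension fields, and the "public key" is a constructed byte string rather than a real DER-encoded RSA key so that the script runs offline. Function names and the `time_limit` parameter are this example's own.

```python
"""RFC 3972-style CGA generation and verification with a time-bounded modifier
search (added example; not the code of any cited paper)."""
import hashlib
import ipaddress
import time

MAX_SEC = 7  # Sec occupies three bits of the interface identifier


def hash2(modifier: bytes, pubkey: bytes) -> bytes:
    """Hash2 = SHA-1(modifier || 9 zero octets || public key)."""
    return hashlib.sha1(modifier + b"\x00" * 9 + pubkey).digest()


def hash1(modifier: bytes, prefix: bytes, collision_count: int, pubkey: bytes) -> bytes:
    """Hash1 = SHA-1(modifier || 64-bit subnet prefix || collision count || public key)."""
    return hashlib.sha1(modifier + prefix + bytes([collision_count]) + pubkey).digest()


def leading_zero_bits(data: bytes, limit: int = 16 * MAX_SEC) -> int:
    """Leading zero bits of `data`, capped at the most Hash2 is ever asked for (112)."""
    n = 0
    for byte in data:
        if byte:
            n += 8 - byte.bit_length()
            break
        n += 8
        if n >= limit:
            break
    return min(n, limit)


def interface_id(modifier, prefix, collision_count, pubkey, sec) -> bytes:
    """Leftmost 64 bits of Hash1, Sec written into the top three bits, u/g bits cleared."""
    iid = bytearray(hash1(modifier, prefix, collision_count, pubkey)[:8])
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return bytes(iid)


def search_modifier(pubkey: bytes, sec: int, time_limit=None, start: int = 0):
    """Brute-force the modifier until Hash2 has 16*sec leading zero bits.

    Without a time limit this is the open-ended RFC 3972 search. With one, it
    behaves like the TB-CGA idea: the search stops at the deadline, the best
    modifier seen is kept, and the Sec actually achieved is returned as output.
    A multicore or server-assisted generator just runs this loop elsewhere.
    Returns (modifier, achieved_sec)."""
    deadline = None if time_limit is None else time.monotonic() + time_limit
    best_modifier, best_bits, counter = None, -1, start
    while True:
        modifier = counter.to_bytes(16, "big")
        bits = leading_zero_bits(hash2(modifier, pubkey))
        if bits > best_bits:
            best_modifier, best_bits = modifier, bits
            if best_bits >= 16 * sec:
                return best_modifier, sec
        if deadline is not None and time.monotonic() >= deadline:
            return best_modifier, min(best_bits // 16, MAX_SEC)
        counter += 1


def generate_cga(prefix: bytes, pubkey: bytes, sec: int, time_limit=None,
                 collision_count: int = 0, start: int = 0):
    """Return (IPv6Address, modifier, achieved Sec) for an 8-octet subnet prefix."""
    modifier, achieved = search_modifier(pubkey, sec, time_limit, start)
    iid = interface_id(modifier, prefix, collision_count, pubkey, achieved)
    return ipaddress.IPv6Address(prefix + iid), modifier, achieved


def verify_cga(addr: ipaddress.IPv6Address, modifier: bytes, collision_count: int,
               pubkey: bytes) -> bool:
    """Verifier side: recompute Hash1 from the CGA parameters and check Hash2."""
    if not 0 <= collision_count <= 2:
        return False
    packed = addr.packed
    prefix, iid = packed[:8], packed[8:]
    sec = iid[0] >> 5
    if interface_id(modifier, prefix, collision_count, pubkey, sec) != iid:
        return False
    return leading_zero_bits(hash2(modifier, pubkey)) >= 16 * sec


if __name__ == "__main__":
    PREFIX = ipaddress.IPv6Address("2001:db8::").packed[:8]
    PUBKEY = b"constructed test public key, not a real DER-encoded RSA key"
    addr, modifier, sec = generate_cga(PREFIX, PUBKEY, sec=1)
    print(addr, "Sec", sec, "verifies:", verify_cga(addr, modifier, 0, PUBKEY))
    addr, modifier, sec = generate_cga(PREFIX, PUBKEY, sec=MAX_SEC, time_limit=0.2)
    print("time-bounded search achieved Sec =", sec)
```

Two things worth noticing when running it: Sec=1 already costs about 2^16 SHA-1 evaluations, and each further step of Sec multiplies that by 2^16, which is why an unbounded search for a high Sec is impractical on a single core and why the time-bounded variant reports a lower Sec instead of blocking. A verifier with a different key, or a different collision count, fails the Hash1 comparison, so the address is bound to the key without any certificate.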
Conference Paper
A network Intrusion Detection System (IDS) is a device or software that monitors network activities and raises alerts on detection of malicious behavior. State-transition based framework like Finite State Machines (FSM), extended FSM, timed FSM, Discrete Event Systems (DES) etc. are widely used in network IDSs because the framework enables formal modeling, analysis, verification etc. The attack detection capability in these IDSs is based on passive monitoring of sequence of events with the assumption that intrusions lead to change in the sequence (which needs to be detected). However, there are certain attacks like ARP spoofing, Internet Control Message Protocol (ICMP) error message based attacks etc. for which passive monitoring schemes have several limitations because in such attacks there is no change in sequence of events. IDSs with active probing are now being proposed for such attacks which involve sending of probe packets that cause difference in sequence of events under attack condition and can be then detected using passive monitoring. In this paper we propose an IDS to detect ARP spoofing attacks using active state-transition framework called “active DES”.
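The defensive idea that recurs across the ARP abstracts above (the stateless cache that accepts a reply even though no request was sent, the stateful cache that only honours answers to its own requests, retaining a binding learned while the host was alive, and raising an alert for the active-probe stage when a conflicting claim arrives), as one added worked example in Python. This is not code from any of those papers: packets are built and parsed with the RFC 826 Ethernet/IPv4 layout, timestamps are passed in by the caller so the run is deterministic, nothing is put on the wire, and the class, method and alert names are this example's own.

```python
"""Stateful ARP cache with unsolicited-reply and binding-conflict detection
(added example; not code from any cited paper)."""
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_arp(oper: int, sha: str, spa: str, tha: str, tpa: str) -> bytes:
    """Serialize an Ethernet/IPv4 ARP packet (28 bytes, no Ethernet header)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))


def parse_arp(pkt: bytes) -> dict:
    if len(pkt) < 28:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, pkt[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class StatefulArpCache:
    """Only a reply that answers a request this host sent can create an entry."""

    def __init__(self, request_timeout: float = 1.0):
        self.request_timeout = request_timeout
        self.pending = {}   # ip -> deadline by which a reply must arrive
        self.table = {}     # ip -> (mac, learned_at)
        self.alerts = []    # tuples handed to the probe / response stage

    def send_request(self, ip: str, now: float):
        """Record that we asked for `ip`; the real request goes out elsewhere."""
        self.pending[ip] = now + self.request_timeout

    def lookup(self, ip: str):
        entry = self.table.get(ip)
        return entry[0] if entry else None

    def handle(self, pkt: bytes, now: float) -> str:
        arp = parse_arp(pkt)
        ip, mac = arp["spa"], arp["sha"]
        known = self.lookup(ip)
        if arp["oper"] == ARP_REQUEST:
            # A stateless cache refreshes ip->mac from any request's sender fields.
            # Here a request never overwrites a binding; a mismatch only raises an alert.
            if known and known != mac:
                self.alerts.append(("request_conflict", ip, known, mac))
                return "conflict"
            return "ignored"
        deadline = self.pending.get(ip)
        if deadline is None or now > deadline:
            # The classic poisoning vector: a reply nobody asked for.
            self.alerts.append(("unsolicited_reply", ip, mac))
            return "dropped"
        if known and known != mac:
            # Keep the binding learned while the host was alive; let the
            # probe stage decide whether the host really moved.
            self.alerts.append(("reply_conflict", ip, known, mac))
            return "conflict"
        self.table[ip] = (mac, now)
        del self.pending[ip]
        return "learned"


if __name__ == "__main__":
    # Constructed traffic: 10.0.0.1 is really at ...:01, an attacker at ...:99 claims it.
    me, victim, attacker = "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:99"
    cache = StatefulArpCache()
    legit = build_arp(ARP_REPLY, victim, "10.0.0.1", me, "10.0.0.2")
    spoof = build_arp(ARP_REPLY, attacker, "10.0.0.1", me, "10.0.0.2")
    print(cache.handle(spoof, 0.0))        # dropped: no request outstanding
    cache.send_request("10.0.0.1", 1.0)
    print(cache.handle(legit, 1.2))        # learned
    cache.send_request("10.0.0.1", 5.0)
    print(cache.handle(spoof, 5.1))        # conflict: existing binding retained
    print(cache.lookup("10.0.0.1"), cache.alerts)
```

The cache alone does not decide who is telling the truth when two MACs claim one IP; it refuses to overwrite and emits an alert, which is exactly the point at which the probe-based schemes above send an ICMP or unicast ARP probe to the old and new MAC and see which one answers consistently.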
Article
The next generation Internet is highly concerned about the issue of reliability. Principally, the foundation of reliability is authentication of the source IP address. With the signature-and-verification based defense mechanisms available today, unfortunately, there is a lack of hierarchical architecture, which makes the structure of the trust alliance excessively flat and single. Moreover, with the increasing scale of the trust alliance, costs of validation grow so quickly that they do not adapt to incremental deployment. Via comparison with traditional solutions, this article proposes a hierarchical, inter-domain authenticated source address validation solution named SafeZone. SafeZone employs two intelligent designs, lightweight tag replacement and a hierarchical partitioning scheme, each of which helps to ensure that SafeZone can construct trustworthy and hierarchical trust alliances without negative influences and complex operations on de facto networks. Extensive experiments also indicate that SafeZone can effectively achieve the design goals of a hierarchical architecture, along with lightweight, loose coupling and "multi-fence support" as well as an incremental deployment scheme.
Conference Paper
In IPv4 networks, address resolution protocol (ARP) is used when a source computer wants to find the MAC address corresponding to a particular IP address (of the target computer) it wants to contact. The source broadcasts this request and all the hosts in the domain receive it. This broadcast lets the target reply with the necessary details to the source. The IP-MAC mapping is then stored in the ARP cache of the source, where it remains valid for some time. This broadcasting is a decentralized way to obtain the IP address to MAC address mapping, which brings constant overhead to the network traffic. It is well documented that the ARP process is also liable to ARP poisoning attacks. In this paper we propose a secure unicast address resolution protocol (SUARP) which takes a centralized approach that reduces the broadcast overhead and makes ARP poisoning attacks difficult.