1. UKM Learning and Research Repository
  2. PHD Thesis / Tesis PHD
  3. Faculty of Information Science and Technology / Fakulti Teknologi dan Sains Maklumat
Please use this identifier to cite or link to this item: https://ptsldigital.ukm.my/jspui/handle/123456789/513341
Title: Balancing performance and security for IPV6 neighbour discovery protocol
Authors: Amjed Sid Ahmed Mohamed Sid Ahmed (P72755)
Supervisor: Rosilah Hassan, Assoc. Prof. Dr.
Keywords: TCP/IP (Computer network protocol)
Computer networks -- Security measures
Universiti Kebangsaan Malaysia -- Dissertations
Dissertations, Academic -- Malaysia
Issue Date: 27-Jul-2018
Description: Internet Protocol version 6 (IPv6) is a protocol designed as the successor to Internet Protocol version 4 (IPv4). It is used to solve the problems faced by IPv4 in today’s Internet, such as IP address space limitation, security, and scalability. The Neighbour Discovery Protocol (NDP) is an auxiliary protocol for IPv6, and it comprises two Requests for Comments (RFCs) IPv6 stateless address auto-configuration (SLAAC) and Neighbour Discovery for IPv6. The former allows the hosts to automatically configure the IPv6 address without the outside help and the latter is used for discovery of the IPv6 nodes on the same link. For the normal operations of IPv6, NDP also provides other functions including router discovery, address resolution, next-hop determination, Neighbour unreachability detection (NUD), duplicate address detection (DAD), and redirection. All of these functions are based on the transmission of NDP messages, which are encapsulated in Internet Control Message Protocol version 6 (ICMPv6) packets. NDP uses five types of ICMPv6 messages as which are Router Solicitation (RS), Router Advertisement (RA), Neighbour Solicitation (NS), Neighbour Advertisement (NA) and Redirect Message (RM). When NDP was initially developed there is an assumption that mutual hosts within a subnet will trust each other. This assumption was wrong when it turn into deployment especially in wireless environments, such as airports, coffee shops and public restaurants. NDP lack a security and is vulnerable to several Denial of Service (DoS) attacks. NDP messages are vulnerable to be attacked through spoofing, for example fake reply to address resolution may lead to man-in-the-middle attacks (MITM), and forged NAs to DAD will result in DoS attack. Therefore, malicious nodes can launch attacks through illegally using NDP messages that may lead to a total system hanging and crash. As a response, Secure Neighbour Discovery (SEND) is developed by the Internet Engineering Task Force (IETF) to specify security mechanisms for NDP. SEND proposed three mechanisms to protect NDP messages which are Authorization Delegation Discovery (ADD), Cryptographically Generated Addresses (CGA) and RSA signature. The main problem of CGA is the complexity on the address generation. In addition it is also vulnerable to several DoS attacks that could exploit the SEND messages. The aim of this research is to investigate the impacts of NDP attacks over IPv6 communication link and keep NDP protected and secure enough for its operations at the same time balance its performance to a reasonable and moderate ratio. A test bed setup was deployed and NDP attacks are implemented. Three performance metrics, throughput, RTT and resources consumption were selected to assess the impacts of these attacks over network operations using different types of operating systems. Two models were proposed, first CGA-Lighter to produce cryptographic addresses using MD5 hash function. Second Locked-CGA to secure CGA using sender’s interface identifier and packets time stamp to keep CGA protected against DoS attacks. Both models were implemented using different scenarios for existing CGA and proposed one. For the address generation time CGA-Lighter showing a better performance compared to standard CGA. Similarly, Locked-CGA was significantly improved the security of CGA against DoS attacks, a malicious node has become easily to be detected and terminated from the link. Comparing the experiment scenarios results we found the proposed models is efficient enough to solve the security problem and it works with a good performance ratio.,Ph.D.
Pages: 200
Call Number: TK5105.585.A376 2018 3 tesis
Publisher: UKM, Bangi
Appears in Collections:Faculty of Information Science and Technology / Fakulti Teknologi dan Sains Maklumat

Files in This Item:
File Description SizeFormat 
ukmvital_119249+SOURCE1+SOURCE1.0.PDF
  Restricted Access		3.69 MBAdobe PDFThumbnail
View/Open
Show full item record Recommend this item


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.