IPv6 nodes use the Neighbor Discovery Protocol (NDP) to discover their neighbors, determine their link-layer addresses, find routers, and maintain reachability information about paths to active neighbors. If not secured, NDP is vulnerable to various attacks described in the IPv6 Neighbor Discovery (ND) Trust Models and Threats specification (RFC 3756). The Secure Neighbor Discovery protocol (SeND) (RFC 3971) counters these threats. SeND uses new NDP options to carry public-key signatures (the RSA Signature option) protecting ND messages, Cryptographically Generated Addresses (CGAs, RFC 3972) to prove address ownership on individual nodes, and X.509 certificates to authorize nodes to act as routers and to advertise certain prefixes.
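As an added example (not code from this page, from send-0.2 or from the sendd daemon described below), the following shows the address-ownership part of SeND: generation and verification of a Cryptographically Generated Address as specified in RFC 3972, including the Sec hash extension and the collision-count handling used with Duplicate Address Detection. The CGA Parameters structure built here is what the SeND CGA option carries next to the RSA Signature option. The /64 prefix and the byte string standing in for the DER-encoded SubjectPublicKeyInfo are constructed placeholders; a real node would use its RSA public key and sign the ND message with the matching private key, which this example does not do.

```python
"""Cryptographically Generated Addresses (RFC 3972): generation and verification.

Added example; not code from the FreeBSD SeND project or from send-0.2.
"""
import hashlib
import ipaddress
import os
from dataclasses import dataclass, replace
from typing import Optional, Tuple

SEC_MAX = 7          # Sec is a 3-bit value
COLLISION_MAX = 2    # RFC 3972: collision count must be 0, 1 or 2


@dataclass(frozen=True)
class CGAParameters:
    """CGA Parameters data structure (RFC 3972, section 3)."""
    modifier: bytes          # 16 octets
    subnet_prefix: bytes     # 8 octets
    collision_count: int     # 1 octet, 0..2
    public_key: bytes        # DER-encoded SubjectPublicKeyInfo
    extensions: bytes = b""  # optional extension fields

    def encode(self) -> bytes:
        return (self.modifier + self.subnet_prefix
                + bytes([self.collision_count]) + self.public_key + self.extensions)


def hash1(params: CGAParameters) -> bytes:
    """Hash1: leftmost 64 bits of SHA-1 over the full CGA Parameters."""
    return hashlib.sha1(params.encode()).digest()[:8]


def hash2(params: CGAParameters) -> bytes:
    """Hash2: leftmost 112 bits of SHA-1 with prefix and collision count zeroed."""
    data = params.modifier + bytes(9) + params.public_key + params.extensions
    return hashlib.sha1(data).digest()[:14]


def _leading_bits_zero(data: bytes, nbits: int) -> bool:
    if nbits == 0:
        return True
    value = int.from_bytes(data, "big")
    return (value >> (len(data) * 8 - nbits)) == 0


def build_address(params: CGAParameters, sec: int) -> ipaddress.IPv6Address:
    """Steps 4-6: derive the interface identifier from Hash1 and form the address."""
    iid = bytearray(hash1(params))
    # Bits 0-2 of the IID carry Sec; bits 6 and 7 (the "u" and "g" bits) are cleared.
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return ipaddress.IPv6Address(params.subnet_prefix + bytes(iid))


def generate(prefix: bytes, public_key: bytes, sec: int,
             modifier: Optional[bytes] = None) -> Tuple[ipaddress.IPv6Address, CGAParameters]:
    """Steps 1-6 of CGA generation. Passing a fixed modifier makes the result deterministic."""
    if not 0 <= sec <= SEC_MAX or len(prefix) != 8:
        raise ValueError("bad Sec or prefix length")
    mod = int.from_bytes(modifier or os.urandom(16), "big")
    # Step 2 (hash extension): increment the modifier until the leftmost 16*Sec bits
    # of Hash2 are zero. The owner pays O(2^(16*Sec)) SHA-1 operations once; an
    # attacker pays the same per forgery attempt on top of the 59 Hash1 bits that
    # actually land in the interface identifier. No extension fields are used here.
    while True:
        mod_bytes = mod.to_bytes(16, "big")
        h2 = hashlib.sha1(mod_bytes + bytes(9) + public_key).digest()[:14]
        if _leading_bits_zero(h2, 16 * sec):
            break
        mod = (mod + 1) % (1 << 128)
    params = CGAParameters(mod_bytes, prefix, 0, public_key)
    return build_address(params, sec), params


def after_collision(params: CGAParameters, sec: int) -> Tuple[ipaddress.IPv6Address, CGAParameters]:
    """Step 7: Duplicate Address Detection failed, so bump the collision count and retry."""
    if params.collision_count >= COLLISION_MAX:
        raise RuntimeError("third collision: RFC 3972 requires stopping and reporting an error")
    new_params = replace(params, collision_count=params.collision_count + 1)
    return build_address(new_params, sec), new_params


def verify(address: ipaddress.IPv6Address, params: CGAParameters) -> bool:
    """RFC 3972 section 5: does this CGA Parameters structure own this address?"""
    raw = address.packed
    if params.collision_count > COLLISION_MAX:            # step 1
        return False
    if params.subnet_prefix != raw[:8]:                   # step 2
        return False
    iid = raw[8:]
    h1 = hash1(params)                                    # step 3
    # Compare every IID bit except 0, 1, 2 (Sec) and 6, 7 (u/g) of the first octet.
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:] != iid[1:]:
        return False
    sec = iid[0] >> 5                                     # step 4
    return _leading_bits_zero(hash2(params), 16 * sec)   # step 5


if __name__ == "__main__":
    PREFIX = bytes.fromhex("20010db800000001")   # constructed 2001:db8:0:1::/64 prefix
    # Constructed stand-in for a DER SubjectPublicKeyInfo (RSA OID header plus filler).
    PUBKEY = bytes.fromhex("30819f300d06092a864886f70d010101050003818d00") + bytes(141)
    addr, params = generate(PREFIX, PUBKEY, sec=1)
    print(addr, "verifies:", verify(addr, params))
    forged = replace(params, public_key=PUBKEY[:-1] + b"\x01")
    print("another key claiming the same address verifies:", verify(addr, forged))
```

The verification side is what a receiver of a SeND-protected ND message runs on the CGA option before checking the RSA signature: if the parameters do not hash to the source address, the signature is not even worth checking. Raising Sec makes generation slower for the legitimate owner exactly once, while every brute-force attempt against the address pays the same cost again.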

None of the contemporary open source operating systems include built-in support for SeND. A reference open-source (BSD licensed) SeND implementation [send-0.2], originally developed by NTT DoCoMo, works only on Linux and FreeBSD. On FreeBSD, this implementation uses a Berkeley Packet Filter (BPF) program in a netgraph node (ng_bpf) to divert SeND traffic from the kernel to a userland daemon, and vice versa. This approach has two major drawbacks. First, all network traffic (both SeND and non-SeND) has to traverse the ng_bpf filtering node (and the netgraph subsystem in general), which introduces significant processing overhead and effectively prohibits production deployment of SeND in high-speed networking environments. Second, send-0.2 depends on the netgraph subsystem, which is only available in FreeBSD and DragonFlyBSD, making it unusable on other BSD-derived operating systems such as NetBSD, OpenBSD or Mac OS X.

The goal of this project is the design and implementation of a new userspace-kernel API for SeND that avoids the overhead associated with netgraph and BPF. To accomplish this, userspace-kernel hooks will be added to the existing Neighbor Discovery (ND) code in the kernel, so that only ND messages, rather than all traffic, are handed to the userland daemon.

This work is under the BSD license.

The implementation was presented at AsiaBSDCon 2010, Tokyo: paper, talk.

Sources of the kernel API (sys diff) and the SeND daemon (sendd) are available here.

SOC2009AnaKukec (last edited 2012-02-27 07:39:34 by RoyceWilliams)