Proving ownership of IPv6 addresses
Sponsored by ComputerWeekly.com
In this article in our Royal Holloway security series, we examine the mechanisms invented to let users of Internet Protocol version 6 (IPv6), which replaces IPv4, prove their rightful ownership of an address and so prevent others from using it falsely. We also show some of the ways in which these measures are incomplete.
Table Of Contents
- When a computer joins a network, there are three things it has to do before it can communicate on the internet:
1. It needs to find out what other computers are on the network, and how best to send messages to each one; in particular, it needs to be able to recognise when an IP address refers to one of its neighbours on the local network, and to be able to translate those IP addresses into the local network’s addressing system.
2. It needs to know where at least one router on the network is, so that it knows where to send messages destined for the wider internet.
3. It needs to acquire an IP address of its own, so that other computers will be able to send messages to it.
In IPv4, these functions are all handled by different protocols, but in IPv6 they have been consolidated into one protocol, called the Neighbour Discovery Protocol (NDP).
- NDP treats the network as if every device on it were honest and trustworthy. This is a dangerous way to operate even now, as many networks lack any form of access control, and any network can in theory be infiltrated by a malicious party.
- To defend against potential attacks, we need a way for devices to prove ownership of an IP address, and to attach that proof to every message they send.
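One standardised way to bind an address to a key is the Cryptographically Generated Address (CGA) of RFC 3972, in which the interface identifier is a hash of the owner's public key. The sketch below is an added example, not code from the article; naming CGA here is an assumption about the mechanism meant, and the code assumes Sec=0, no extension fields, and constructed byte strings standing in for DER-encoded public keys.

```python
import hashlib
import ipaddress
import os
from typing import Optional, Tuple

# Constructed stand-ins for DER-encoded public keys (assumption, not real keys).
OWNER_KEY = b"constructed-owner-public-key"
ATTACKER_KEY = b"constructed-attacker-public-key"

# Interface-identifier bits that carry the hash: the three Sec bits and the
# "u"/"g" bits are ignored when comparing (RFC 3972).
HASH_MASK = 0x1CFFFFFFFFFFFFFF


def hash1(modifier: bytes, prefix: bytes, collisions: int, key: bytes) -> int:
    """Leftmost 64 bits of SHA-1 over modifier, prefix, collision count, key."""
    data = modifier + prefix + bytes([collisions]) + key
    return int.from_bytes(hashlib.sha1(data).digest()[:8], "big")


def generate_cga(prefix: str, key: bytes, modifier: Optional[bytes] = None,
                 collisions: int = 0) -> Tuple[ipaddress.IPv6Address, bytes]:
    """Derive a Sec=0 address from a /64 prefix and a public key."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("CGA needs a /64 subnet prefix")
    modifier = os.urandom(16) if modifier is None else modifier
    if len(modifier) != 16:
        raise ValueError("modifier must be 16 bytes")
    prefix_bytes = net.network_address.packed[:8]
    # Masking zeroes the Sec bits (Sec=0) and the u/g bits.
    iid = hash1(modifier, prefix_bytes, collisions, key) & HASH_MASK
    return ipaddress.IPv6Address(prefix_bytes + iid.to_bytes(8, "big")), modifier


def verify_cga(address: str, key: bytes, modifier: bytes,
               collisions: int = 0) -> bool:
    """True if the address was derived from these parameters (Sec=0 only)."""
    packed = ipaddress.IPv6Address(address).packed
    if len(modifier) != 16 or collisions not in (0, 1, 2):
        return False
    iid = int.from_bytes(packed[8:], "big")
    if iid >> 61 != 0:  # Sec > 0 would also need the Hash2 check, not done here
        return False
    expected = hash1(modifier, packed[:8], collisions, key)
    return (iid & HASH_MASK) == (expected & HASH_MASK)
```

A passing check shows only that the address matches the public key; to attach proof to a message, the sender still has to sign it with the matching private key, which this sketch does not do.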