What Does Secure Neighbor Discovery Protocol Mean?
Secure Neighbor Discovery Protocol (SEND Protocol) is a security extension of Neighbor Discovery Protocol (NDP), which IPv6 uses to discover neighboring nodes on the local link. NDP determines the link-layer addresses of other nodes, finds available routers, maintains reachability information, performs address resolution and detects duplicate addresses. SEND enhances this insecure protocol by employing cryptographically generated addresses (CGAs) to encrypt NDP messages. This method is independent of IPsec, which is typically used to secure IPv6 transmissions. The introduction of CGAs helps to nullify neighbor solicitation/advertisement spoofing, neighbor unreachability detection failure, DoS attacks, router solicitation and advertisement attacks, and replay attacks.
Techopedia Explains Secure Neighbor Discovery Protocol
If not secured, NDP is vulnerable to various attacks. The original NDP specifications called for the use of IPsec to protect NDP messages. However, the number of manually configured security associations needed to protect NDP can be very large, making that approach impractical for most purposes.
The SEND protocol is designed to counter the threats to NDP. SEND is applicable in environments where physical security on the link is not assured (such as over wireless) and attacks on NDP are a concern. SEND uses CGAs, a cryptographic method for binding a public signature key to an IPv6 address. CGAs are used to make sure that the sender of a neighbor discovery message is the “owner” of the claimed address. Every node generates a public/private key pair before it can claim an address. A new NDP option, the CGA option, is used to carry the public key and associated parameters. A CGA is formed by replacing the least-significant 64 bits of the 128-bit IPv6 address with a cryptographic hash of the address owner’s public key. The messages are signed with the corresponding private key. A verifier can authenticate a message from a given sender only if it knows both the source address and the sender’s public key.
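The following Go program is an added example (not code from Techopedia or from the SEND specification) showing the binding just described: the low 64 bits of the address are derived from a hash over the public key and the CGA parameters, the message is signed with the private key, and a receiver rebuilds the address from the carried parameters before it checks the signature. It assumes Ed25519 keys in place of the RSA keys SEND actually specifies, the sec=0 variant of the RFC 3972 hash, and no collision handling.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
)

// CGAParams holds the fields the CGA option carries so that a receiver can
// rebuild the address (RFC 3972 layout for sec=0; Ed25519 is an assumption).
type CGAParams struct {
	Modifier  [16]byte // random value chosen by the address owner
	Prefix    [8]byte  // the 64-bit subnet prefix
	Collision byte     // collision count from duplicate address detection
	PubKey    ed25519.PublicKey
}

// Address returns the 128-bit CGA: the prefix followed by an interface
// identifier taken from SHA-1 over the parameters and the public key.
func (p CGAParams) Address() [16]byte {
	h := sha1.New()
	h.Write(p.Modifier[:])
	h.Write(p.Prefix[:])
	h.Write([]byte{p.Collision})
	h.Write(p.PubKey)
	var a [16]byte
	copy(a[:8], p.Prefix[:])
	copy(a[8:], h.Sum(nil)[:8])
	a[8] &^= 0xe3 // clear the sec bits (sec=0) and the u/g bits, as RFC 3972 does
	return a
}

// NewCGA generates the owner's key pair and CGA parameters for a prefix.
func NewCGA(prefix [8]byte) (CGAParams, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	p := CGAParams{Prefix: prefix, PubKey: pub}
	rand.Read(p.Modifier[:])
	return p, priv
}

// Verify does what a SEND receiver does: rebuild the CGA from the carried
// parameters, require it to equal the claimed source address, then check the
// signature with the carried public key. A sender reusing someone else's
// address with its own key fails the first check; one that copies the
// parameters but lacks the private key fails the second.
func Verify(src [16]byte, p CGAParams, msg, sig []byte) bool {
	want := p.Address()
	return bytes.Equal(src[:], want[:]) && ed25519.Verify(p.PubKey, msg, sig)
}
```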
The SEND protocol requires no public-key infrastructure. Valid CGAs may be generated by any sender, including a potential attacker, but an attacker cannot take over an existing CGA. Public-key signatures protect the integrity of the messages and authenticate the identities of those who send them. The authority of a public key is established through one of several processes, depending on the configuration and the type of message being protected.