[DON'T MISS] Optimal Forecasting: Save Time, Money and Trouble

Secure Neighbor Discovery Protocol (SEND Protocol)

Definition - What does Secure Neighbor Discovery Protocol (SEND Protocol) mean?

Secure Neighbor Discovery Protocol (SEND Protocol) is a security extension of Neighbor Discovery Protocol (NDP) used in IPv6 for the discovery of neighboring nodes on the local link. NDP determines the link layer addresses of other nodes, finds available routers, maintains reachability information, performs address resolution and detects address duplication. SEND enhances this insecure protocol by employing cryptographically generated addresses (CGA) to encrypt NDP messages. This method is independent of IPSec, which is typically used to secure IPv6 transmissions. The introduction of CGA helps to nullify neighbor/solicitation/advertisement spoofing, neighbor unreachability detection failure, DOS attacks, router solicitation, and advertisement and replay attacks.

Techopedia explains Secure Neighbor Discovery Protocol (SEND Protocol)

If not secured, NDP is vulnerable to various attacks. The original NDP specifications called for the use of IPsec to protect NDP messages. However, the number of manually configured security applications needed to protect NDP can be very large, making that approach impractical for most purposes.

The SEND protocol is designed to counter the threats to NDP. SEND is applicable in environments where physical security on the link is not assured (such as over wireless) and attacks on NDP are a concern. SEND uses CGAs, a cryptographic method for binding a public signature key to an IPv6. CGAs are used to make sure that the sender of a neighbor discovery message is the "owner" of the claimed address. A public-private key pair is generated by all nodes before they can claim an address. A new NDP option, the CGA option, is used to carry the public key and associated parameters. CGA is formed by replacing the least-significant 64 bits of the 128-bit IPv6 address with the cryptographic hash of the address owner's public key. The messages are signed with the corresponding private key. Only if the source address and the public key are known can the verifier authenticate the message from that corresponding sender.

The SEND protocol requires no public-key infrastructure. Valid CGAs may be generated by any sender, including a potential attacker, but they cannot use any existing CGAs. Public key signatures protect the integrity of the messages and authenticate the identities of those who send them. The authority of a public key is established via a number of processes depending on the configuration and the type of message that's being protected.

Share this:

Connect with us

Email Newsletter

Join thousands of others with our weekly newsletter

The 4th Era of IT Infrastructure: Superconverged Systems
The 4th Era of IT Infrastructure: Superconverged Systems:
Learn the benefits and limitations of the 3 generations of IT infrastructure – siloed, converged and hyperconverged – and discover how the 4th...
Approaches and Benefits of Network Virtualization
Approaches and Benefits of Network Virtualization:
Businesses today aspire to achieve a software-defined datacenter (SDDC) to enhance business agility and reduce operational complexity. However, the...
Free E-Book: Public Cloud Guide
Free E-Book: Public Cloud Guide:
This white paper is for leaders of Operations, Engineering, or Infrastructure teams who are creating or executing an IT roadmap.
Free Tool: Virtual Health Monitor
Free Tool: Virtual Health Monitor:
Virtual Health Monitor is a free virtualization monitoring and reporting tool for VMware, Hyper-V, RHEV, and XenServer environments.
Free 30 Day Trial – Turbonomic
Free 30 Day Trial – Turbonomic:
Turbonomic delivers an autonomic platform where virtual and cloud environments self-manage in real-time to assure application performance.