Cisco IOS Software Release 12.4(4)T: Aggregated data

Product Bulletin 
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information. 
Product Management Contact: Kevin Delgadillo (
2.2) IP Services 
2.2.1) Secure Neighbor Discovery (SeND) 
The Secure Neighbor Discovery (SeND) protocol is designed to counter the threats to the Neighbor 
Discovery Protocol (NDP) detailed in RFC 3756. SeND is an addendum on top of ND: it defines a set 
of new ND options and two new ND messages (Certification Path Solicitation and Certification Path 
Advertisement). It also defines a new address auto-configuration mechanism, used in conjunction 
with the new ND options, to establish address ownership. 
SeND introduces essentially two security features to mitigate address spoofing and rogue routers, 
two of the biggest threats to NDP. The first lets nodes establish address ownership using IPv6 
Cryptographically Generated Addresses (CGA), as specified in RFC 3972. The second provides router 
authorization through X.509 certificates, and is specified in RFC 3971.  
Deployment-wise, CGA is a very lightweight mechanism: it involves no cryptographic key 
distribution (other than carrying the public key in one of the new ND options), and no identity or 
certificate of any sort. 
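The CGA binding described above, as an added worked example (this is not Cisco IOS code; it follows RFC 3972 sections 4 and 5). The two public keys are constructed byte strings standing in for DER-encoded keys, since the algorithm only feeds the encoded key into SHA-1; the RSA Signature option that proves possession of the private key is a separate step and is not shown. The modifier starts from a fixed value instead of a random one so that the run is repeatable.

```python
"""RFC 3972 CGA generation and verification (added example, not Cisco code)."""
import hashlib
import ipaddress
from typing import Tuple

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
OWNER_PUBLIC_KEY = b"\x30\x82\x01\x22" + bytes(range(256)) + b"\x02\x03\x01\x00\x01"
ATTACKER_PUBLIC_KEY = b"\x30\x82\x01\x22" + bytes(range(255, -1, -1)) + b"\x02\x03\x01\x00\x01"

# CGA Parameters carried in the CGA option: (modifier, subnet prefix,
# collision count, public key).  Extension fields are omitted (empty).
CGAParams = Tuple[bytes, bytes, int, bytes]


def hash1(modifier: bytes, subnet_prefix: bytes, collision_count: int, pubkey: bytes) -> bytes:
    """Leftmost 64 bits of SHA-1(Modifier | Subnet Prefix | Collision Count | Public Key)."""
    return hashlib.sha1(modifier + subnet_prefix + bytes([collision_count]) + pubkey).digest()[:8]


def hash2(modifier: bytes, pubkey: bytes) -> bytes:
    """Leftmost 112 bits of SHA-1(Modifier | 9 zero octets | Public Key)."""
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]


def leading_zero_bits(data: bytes) -> int:
    count = 0
    for byte in data:
        if byte:
            return count + 8 - byte.bit_length()
        count += 8
    return count


def generate_cga(prefix, pubkey: bytes, sec: int, modifier: bytes = bytes(16),
                 collision_count: int = 0) -> Tuple[ipaddress.IPv6Address, CGAParams]:
    """RFC 3972 section 4.  `modifier` is the 128-bit starting value; the RFC says
    to pick it at random, a fixed start is used here only to make the run repeatable."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64 or not 0 <= sec <= 7 or collision_count > 2:
        raise ValueError("need a /64 prefix, Sec in 0..7 and collision count <= 2")
    subnet_prefix = net.network_address.packed[:8]
    # Hash extension: increment the modifier until Hash2 has 16*Sec leading zero
    # bits.  This makes finding a key that maps to a chosen address 2^(16*Sec)
    # times harder than attacking the 59 usable bits of Hash1 alone.
    while sec and leading_zero_bits(hash2(modifier, pubkey)) < 16 * sec:
        modifier = ((int.from_bytes(modifier, "big") + 1) & ((1 << 128) - 1)).to_bytes(16, "big")
    # Interface identifier: Hash1 with Sec written into bits 0-2 and the u/g bits
    # (bits 6 and 7) cleared, i.e. byte 0 keeps only the bits under mask 0x1C.
    iid = bytearray(hash1(modifier, subnet_prefix, collision_count, pubkey))
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    # Duplicate address detection is left to the stack; on a collision the
    # caller retries with collision_count + 1 (at most 2).
    params: CGAParams = (modifier, subnet_prefix, collision_count, pubkey)
    return ipaddress.IPv6Address(subnet_prefix + bytes(iid)), params


def verify_cga(address, params: CGAParams) -> bool:
    """RFC 3972 section 5: is `address` bound to the public key in `params`?"""
    modifier, subnet_prefix, collision_count, pubkey = params
    packed = ipaddress.IPv6Address(address).packed
    if collision_count not in (0, 1, 2):          # step 1
        return False
    if packed[:8] != subnet_prefix:               # step 2: prefix must match
        return False
    expected = hash1(modifier, subnet_prefix, collision_count, pubkey)
    iid = packed[8:]                              # steps 3-4: compare all but Sec and u/g bits
    if (iid[0] & 0x1C) != (expected[0] & 0x1C) or iid[1:] != expected[1:]:
        return False
    sec = iid[0] >> 5                             # steps 5-7: Hash2 condition when Sec > 0
    return sec == 0 or leading_zero_bits(hash2(modifier, pubkey)) >= 16 * sec


def spoofing_demo(prefix: str = "2001:db8:1::/64", sec: int = 1) -> dict:
    """The owner generates a CGA; a spoofer then claims it with a different key."""
    addr, params = generate_cga(prefix, OWNER_PUBLIC_KEY, sec)
    modifier, subnet_prefix, collision_count, _ = params
    forged = (modifier, subnet_prefix, collision_count, ATTACKER_PUBLIC_KEY)
    return {"address": str(addr), "owner_ok": verify_cga(addr, params),
            "spoofer_ok": verify_cga(addr, forged)}


if __name__ == "__main__":
    print(spoofing_demo())
```

With Sec=1 the generation loop runs on the order of 2^16 SHA-1 computations before the address is produced; verification is always a handful of hashes, which is why the cost of Sec falls on the address owner and not on the nodes checking the claim.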
Router authorization is more challenging, since a router must have an identity, certified through a 
certificate signed by a Certification Authority, and that Certification Authority must be configured as a 
trust anchor on all nodes. RFC 3971 also specifies two important additional elements. Certificates can 
carry the list of prefixes the router is authorized to advertise, so that any node can verify the prefixes 
announced by the router before performing stateless auto-configuration. And, last but not least, a 
node running SeND is expected to arbitrate between concurrent claims coming from a mixture of 
peers speaking SeND and nodes speaking plain ND, in favor of the former. 
The Cisco implementation, which is fully compliant with RFC 3971 and RFC 3972, supports: 
● Cryptographically Generated Addresses (CGA) 
● Router authorization through X.509 certificates 
● Prefixes embedded in certificates, as specified in RFC 3779 
● Transition situations, where it is capable of giving preference to SeND peers over ND peers 
 
In addition, IOS PKI and the IOS Certificate Server (IOS-CS) have been upgraded to build 
certificate requests with embedded IPv6 prefixes, to read and store these prefixes, and to validate a 
certificate chain with embedded IPv6 prefixes. This makes it possible to install on a Cisco SeND router 
a fully compliant X.509 certificate with embedded prefixes and to enable Router Authorization. 
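The prefix check a SeND node performs on a Router Advertisement once the router's certificate chain has been validated, as an added worked example (this is not Cisco IOS code). RFC 3779 carries each authorized prefix as a BIT STRING whose bit length is the prefix length; the encoder and decoder below implement that form for IPv6 and the filter discards any announced prefix not covered by the certificate. Assumptions: the DER blobs are the IPAddress elements already extracted from the certificate's IP address delegation extension; the address-family wrapper, the addressRange form and the chain validation itself are not shown, and the sample prefixes are constructed.

```python
"""RA prefix authorization against RFC 3779 prefixes (added example, not Cisco IOS code)."""
import ipaddress
from typing import Iterable, List, Tuple


def encode_rfc3779_prefix(prefix: str) -> bytes:
    """DER BIT STRING for an RFC 3779 IPAddress: the bit length equals the prefix length."""
    net = ipaddress.IPv6Network(prefix)
    nbytes = (net.prefixlen + 7) // 8
    unused = nbytes * 8 - net.prefixlen
    body = net.network_address.packed[:nbytes]    # host bits are already zero
    return bytes([0x03, nbytes + 1, unused]) + body


def decode_rfc3779_prefix(der: bytes) -> ipaddress.IPv6Network:
    """Inverse of encode_rfc3779_prefix, rejecting malformed or non-DER encodings."""
    if len(der) < 3 or der[0] != 0x03 or der[1] != len(der) - 2 or der[1] > 17:
        raise ValueError("not an IPv6 IPAddress BIT STRING")
    unused, body = der[2], der[3:]
    # DER: at most 7 unused bits, none when the string is empty, padding bits zero.
    if unused > 7 or (unused and not body) or (body and body[-1] & ((1 << unused) - 1)):
        raise ValueError("bad unused-bits count or non-zero padding bits")
    prefixlen = len(body) * 8 - unused
    return ipaddress.IPv6Network((body + bytes(16 - len(body)), prefixlen))


def certificate_prefixes(blobs: Iterable[bytes]) -> List[ipaddress.IPv6Network]:
    """Decode every IPAddress element taken from the router certificate."""
    return [decode_rfc3779_prefix(b) for b in blobs]


def filter_ra_prefixes(ra_prefixes: Iterable[str],
                       cert_prefixes: Iterable[ipaddress.IPv6Network]) -> Tuple[List[str], List[str]]:
    """Split the prefixes announced in a Router Advertisement into those covered
    by a certified prefix (accepted) and those the node must discard (rejected)."""
    certified = list(cert_prefixes)
    accepted: List[str] = []
    rejected: List[str] = []
    for p in ra_prefixes:
        net = ipaddress.IPv6Network(p)
        (accepted if any(net.subnet_of(c) for c in certified) else rejected).append(p)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed: two IPAddress elements as they would appear in a router certificate.
    cert = certificate_prefixes([encode_rfc3779_prefix("2001:db8::/32"),
                                 encode_rfc3779_prefix("2001:db8:ffff::/48")])
    announced = ["2001:db8:1::/64", "2001:db8:ffff:1::/64", "2001:db9:1::/64"]
    print(filter_ra_prefixes(announced, cert))
```

A prefix announced by a router that is only certified for a narrower block (for example 2001::/16 against a certificate holding 2001:db8::/32) is rejected as well, since the check requires the announced prefix to be a subnet of a certified one rather than merely overlapping it.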
Figure 7. Generation of a SeND Packet (simplified version)