Why is ARP replaced by NDP in IPv6?
Are there any security issues in ARP?
Yes. Here are some:
-
ARP Spoofing.
False ARP messages are sent over a LAN, resulting in the linking of an attacker's MAC address with the IP address of a legitimate computer or server on the network.
See below for more information on ARP Spoofing/Poisoning.
-
MAC Flooding.
The translation table that tracks which MAC addresses are on which physical ports has a limited amount of memory. This allows a switch to be exploited by flooding the translation table. Primitive switches, not knowing how to handle the excess data, will 'fail open' and broadcast all network frames to all ports.
-
MAC Duplicating.
In a MAC Duplicating attack a switch is confused into thinking two ports have the same MAC address. Since the data will be forwarded to both ports, no IP forwarding is necessary.
Source Security of TCP/IP Address Resolution Protocol (ARP)
Why was ARP replaced by NDP?
It provides improvements and additional features for IPv6.
See below for a comparison of NDP and the protocols Address Resolution Protocol [ARP], ICMP Router Discovery [RDISC], and ICMP Redirect [ICMPv4].
How does NDP defend against ARP Spoofing/Poisoning?
It uses the Secure Neighbor Discovery (SEND) Protocol. Cryptographically generated addresses ensure that the claimed source of an NDP message is the owner of the claimed address.
One of the functions of the IPv6 Neighbor Discovery Protocol (NDP) is to resolve network layer (IP) addresses to link layer (for example, Ethernet) addresses, a function performed in IPv4 by Address Resolution Protocol (ARP). The Secure Neighbor Discovery (SEND) Protocol prevents an attacker who has access to the broadcast segment from abusing NDP or ARP to trick hosts into sending the attacker traffic destined for someone else, a technique known as ARP poisoning.
To protect against ARP poisoning and other attacks against NDP functions, SEND should be deployed where preventing access to the broadcast segment might not be possible.
SEND uses RSA key pairs to produce cryptographically generated addresses, as defined in RFC 3972, Cryptographically Generated Addresses (CGA). This ensures that the claimed source of an NDP message is the owner of the claimed address.
Source Configuring Secure IPv6 Neighbor Discovery
How does ARP Spoofing work?
ARP Spoofing is also referred to as ARP Poison Routing (APR) or ARP Cache Poisoning.
ARP spoofing is a type of attack in which a malicious actor sends falsified ARP (Address Resolution Protocol) messages over a local area network. This results in the linking of an attacker’s MAC address with the IP address of a legitimate computer or server on the network.
Once the attacker’s MAC address is connected to an authentic IP address, the attacker will begin receiving any data that is intended for that IP address.
ARP spoofing can enable malicious parties to intercept, modify or even stop data in-transit. ARP spoofing attacks can only occur on local area networks that utilize the Address Resolution Protocol.
Source Veracode ARP Spoofing
How does an ARP Spoofing Attack work?
The steps to an ARP spoofing attack usually include:
The attacker opens an ARP spoofing tool and sets the tool’s IP address to match the IP subnet of a target. Examples of popular ARP spoofing software include Arpspoof, Cain & Abel, Arpoison and Ettercap.
The attacker uses the ARP spoofing tool to scan for the IP and MAC addresses of hosts in the target’s subnet.
The attacker chooses its target and begins sending ARP packets across the LAN that contain the attacker’s MAC address and the target’s IP address.
As other hosts on the LAN cache the spoofed ARP packets, data that those hosts send to the victim will go to the attacker instead. From here, the attacker can steal data or launch a more sophisticated follow-up attack.
Source Veracode ARP Spoofing
The attacker may choose to inspect the packets (spying), while forwarding the traffic to the actual default gateway to avoid discovery, modify the data before forwarding it (man-in-the-middle attack), or launch a denial-of-service attack by causing some or all of the packets on the network to be dropped.
Source Wikipedia ARP spoofing
Comparison [of NDP] with IPv4
The IPv6 Neighbor Discovery protocol corresponds to a combination of the IPv4 protocols Address Resolution Protocol [ARP], ICMP Router Discovery [RDISC], and ICMP Redirect [ICMPv4].
In IPv4 there is no generally agreed upon protocol or mechanism for Neighbor Unreachability Detection, although the Hosts Requirements document [HR-CL] does specify some possible algorithms for Dead Gateway Detection (a subset of the problems Neighbor Unreachability Detection tackles).
The Neighbor Discovery protocol provides a multitude of improvements over the IPv4 set of protocols:
Router Discovery is part of the base protocol set; there is no need for hosts to "snoop" the routing protocols.
Router Advertisements carry link-layer addresses; no additional packet exchange is needed to resolve the router's link-layer address.
Router Advertisements carry prefixes for a link; there is no need to have a separate mechanism to configure the "netmask".
Router Advertisements enable Address Autoconfiguration.
Routers can advertise an MTU for hosts to use on the link, ensuring that all nodes use the same MTU value on links lacking a well-defined MTU.
Address resolution multicasts are "spread" over 16 million (2^24) multicast addresses, greatly reducing address-resolution-related interrupts on nodes other than the target. Moreover, non-IPv6 machines should not be interrupted at all.
Redirects contain the link-layer address of the new first hop; separate address resolution is not needed upon receiving a redirect.
Multiple prefixes can be associated with the same link. By default, hosts learn all on-link prefixes from Router Advertisements. However, routers may be configured to omit some or all prefixes from Router Advertisements. In such cases hosts assume that destinations are off-link and send traffic to routers. A router can then issue redirects as appropriate.
Unlike IPv4, the recipient of an IPv6 redirect assumes that the new next-hop is on-link. In IPv4, a host ignores redirects specifying a next-hop that is not on-link according to the link's network mask. The IPv6 redirect mechanism is analogous to the XRedirect facility specified in [SH-MEDIA]. It is expected to be useful on non-broadcast and shared media links in which it is undesirable or not possible for nodes to know all prefixes for on-link destinations.
Neighbor Unreachability Detection is part of the base, which significantly improves the robustness of packet delivery in the presence of failing routers, partially failing or partitioned links, or nodes that change their link-layer addresses. For
instance, mobile nodes can move off-link without losing any connectivity due to stale ARP caches.
Unlike ARP, Neighbor Discovery detects half-link failures (using Neighbor Unreachability Detection) and avoids sending traffic to neighbors with which two-way connectivity is absent.
Unlike in IPv4 Router Discovery, the Router Advertisement messages do not contain a preference field. The preference field is not needed to handle routers of different "stability"; the Neighbor Unreachability Detection will detect dead routers and switch to a working one.
The use of link-local addresses to uniquely identify routers (for Router Advertisement and Redirect messages) makes it possible for hosts to maintain the router associations in the event of the site renumbering to use new global prefixes.
By setting the Hop Limit to 255, Neighbor Discovery is immune to off-link senders that accidentally or intentionally send ND messages. In IPv4, off-link senders can send both ICMP Redirects and Router Advertisement messages.
Placing address resolution at the ICMP layer makes the protocol more media-independent than ARP and makes it possible to use generic IP-layer authentication and security mechanisms as appropriate.
Source RFC 4861 Neighbor Discovery in IPv6
Further reading
- ARP Poisoning (Man-in-the-Middle) Attack and Mitigation Techniques
- Understanding Man-in-the-Middle Attacks – ARP Cache Poisoning (Part 1)
- How Does ARP Poisoning Work?
- RFC 4861 Neighbor Discovery in IPv6
NDP has more features than ARP, including:
Through NDP, devices on the network can determine the MAC/link-layer address (same function as ARP).
Using NDP, devices on the network can locate the path to reach another device in an external network, locating the best router to the destination device.
NDP enables auto-configuration of IPv6 addresses.
Comparing it with ARP, the mechanism is different:
ARP uses broadcast messages, while NDP uses multicast ICMPv6 messages.
The device sends a multicast message called a "Neighbor Solicitation ICMP Message" or NS. The destination device responds with a "Neighbor Advertisement ICMP message" or NA.
The NS message uses a special multicast destination address called a solicited node multicast address that represents all hosts with the same last 24 bits of their IPv6 addresses. The use of multicast instead of broadcast reduces the flow of unnecessary traffic on the network.
The introduction of NDP in lieu of ARP was mostly due to the desire to consolidate the control protocols around IP. IPv4 enjoys several control protocols such as ICMP, IGMP, and ARP/RARP. With IPv6 NDP (successor of ARP) as well as MLD (successor of IGMP) were designed as sub-protocols of ICMPv6 so that there is only one control protocol. There was no security reason for this, ND is as susceptible to spoofing as ARP is, and ND was not designed for security.
In the early days of IPv6 development IPsec was seen as the generic security measure and thus was mandatory. This requirement, however, has been downgraded to a recommendation (RFC 6434, I believe mostly due to to embedded devices and IoT, which are simply not capable of carrying out public-key computations, plus they'd trip over PKI issues of all kinds, anyway) and does not work well (politely speaking) for securing ND. SeND was introduced to tack security onto ND, but as for virtually all previous attempts in software design of retroactive security the result was, say, less than optimal. Since there are still no implementations of SeND save some experimental ones, for all practical purposes SeND is non-existent. Moreover, there is reason to believe that SeND - at least in its current form - will never lift off.
In contrast, SAVI looks more promising but requires changes to the switching infrastructure and SAVI-capable equipment is not quite low priced, thus it is also not going to proliferate quickly. SAVI works on the ground that within a site it should be "known" which mappings between HW addresses (i.e. MAC address) and IP addresses are legitimate and thus it should be possible to identify and remove fake NDP messages.
The best recipes are the simplest ones but are often overlooked: Break large LANs into smaller ones, for ARP- and ND-spoofing work only for targets in the same LAN. Therefore, just placing untrustworthy devices into their own LAN segment(s) (no firewall/filtering rules necessary) will greatly reduce the attack surface.