NDPsec: Neighbor Discovery Protocol Security Mechanism

Internet Protocol version 6 (IPv6) is envisioned as the cornerstone for future internet connectivity and information technology (IT) expansion. Due to its enormous address pool, extendable headers, high level of security, and mobility, IPv6 is positioned as the next-generation Internet Protocol. NDP is an integral component of IPv6 since it resolves addresses, locates routers, and finds duplicated addresses in a local-link network. Because NDP is based on the premise that all nodes in the network are trustworthy, it is subject to a variety of attacks, including Denial of Service (DoS) on Duplicate Address Detection (DAD) attacks (aka. DoS-on-DAD), Address Resolution-based attacks, Router Advertisement (RA) based attacks, and Redirect attacks. This paper proposes an NDP security (NDPsec) mechanism based on the Ed25519 digital signature to authenticate IPv6 hosts to prevent unauthorized devices from joining the network. The proposed NDPsec mechanism is evaluated and compared to Secure NDP (SeND), Match-Prevention, and Trust-ND mechanisms. The performance is measured in terms of processing time, traffic overhead, and resilience against network-based attacks. The results obtained from the experiments showed that NDPsec successfully prevented cyberattacks, with approximately 144% less processing time and over 50% less traffic overhead compared to SeND (the default security mechanism for NDP protocol). The proposed NDPsec mechanism has remarkable superiority in terms of resilience against attacks compared to Match-Prevention and Trust-ND mechanisms.