Micro-Moving Target IPv6 Defense for 6LoWPAN and the Internet of Things

Sherburne, Matthew Gilbert

07 May 2015

The Internet of Things (IoT) is composed of billions of sensors and actuators that have varying tasks aimed at making industry, healthcare, and home life more efficient. These sensors and actuators are mainly low-powered and resource-constrained embedded devices with little room for implementing IP security in addition to their main function. With the fact that more of these devices are using IPv6 addressing, we seek to adapt a moving-target defense measure called Moving Target IPv6 Defense for use with embedded devices in order to add an additional layer of security. This adaptation, which we call Micro-Moving Target IPv6 Defense, operates within IPv6 over Low power Wireless Personal Area Networks (6LoWPAN) which is used in IEEE 802.15.4 wireless networks in order to establish IPv6 communications. The purpose of this defense is to obfuscate the communications between a sensor and a server in order to thwart a potential attacker from performing eavesdropping, denial-of-service, or man-in-the-middle attacks. We present our work in establishing this security mechanism and analyze the required control overhead on the wireless network. / Master of Science

Internet of Things

IPv6 Security

6LoWPAN

Moving Target Defense

Address spreading in future Internet supporting both the unlinkability of communication relations and the filtering of non legitimate traffic

Fourcot, Florent

19 January 2015

The rotation of identifiers is a common security mechanism to protect telecommunication; one example is the frequency hopping in wireless communication, used against interception, radio jamming and interferences. In this thesis, we extend this rotation concept to the Internet. We use the large IPv6 address space to build pseudo-random sequences of IPv6 addresses, known only by senders and receivers. The sequences are used to periodically generate new identifiers, each of them being ephemeral. It provides a new solution to identify a flow of data, packets not following the sequence of addresses will be rejected. We called this technique “address spreading”. Since the attackers cannot guess the next addresses, it is no longer possible to inject packets. The real IPv6 addresses are obfuscated, protecting against targeted attacks and against identification of the computer sending a flow of data. We have not modified the routing part of IPv6 addresses, so the spreading can be easily deployed on the Internet. The “address spreading” needs a synchronization between devices, and it has to take care of latency in the network. Otherwise, the identification will reject the packets (false positive detection). We evaluate this risk with a theoretical estimation of packet loss and by running tests on the Internet. We propose a solution to provide a synchronization between devices. Since the address spreading cannot be deployed without cooperation of end networks, we propose to use ephemeral addresses. Such addresses have a lifetime limited to the communication lifetime between two devices. The ephemeral addresses are based on a cooperation between end devices, they add a tag to each flow of packets, and an intermediate device on the path of the communication, which obfuscates the real address of data flows. The tagging is based on the Flow Label field of IPv6 packets. We propose an evaluation of the current implementations on common operating systems. We fixed on the Linux Kernel behaviours not following the current standards, and bugs on the TCP stack for flow labels. We also provide new features like reading the incoming flow labels and reflecting the flow labels on a socket.

info:eu-repo/classification/ddc/000

ddc:000

Netzwerk, IPv6, Datenschutz

Privacy, IPv6, Security

Säker grannupptäck i IPv6 / Secure Neighbor Discovery in IPv6

Huss, Philip

January 2011

The IPv6 protocol offers with some new functions, one of them is auto configuration. With auto configuration it is possible for nodes, i.e. hosts and routers, for automatically associated with IPv6 addresses without manual configuration. Auto configuration it is another protocol as it uses Neighbor Discovery protocol (ND) messages (ND is mandatory in the IPv6 stack). The main purpose of ND is that nodes can discover other nodes on the local link, perform address resolution, check that addresses are unique, and check the reachability with active nodes. There are exactly the same vulnerabilities of IPv6 as IPv4 and is now exception, ND if not properly secured. IPsec is a standard security mechanism for IPv6 but it does not solve the problem of secure auto configuration due the bootstrapping problem. Therefore the Internet Engineering Task Force (IETF) introduced Secure Neighbor Discovery (SEND). SEND is a mechanism for authentication, message protection, and router authentication. One important element of SEND is the use of Cryptographically Generated Address (CGA) an important mechanism to prove that the sender of the ND message is the actual owner of the address it claims NDprotector is an open-source implementation of SEND served as the basis for the analysis presented in this report. This implementation was evaluated in a small lab environment against some attacks in order to establish if it can defend itself from these attacks. / IPv6 protokollet kom det ett par nya funktioner där en av dem är autokonfiguration. Autokonfiguration gör det möjligt för noder, d.v.s. hostar och routrar för att automatiskt bli tilldelade IPv6 adresser manuell konfigurering. För att autokonfiguration ska fungera så används Neighbor Discovery (ND) meddelanden som är ett obligatoriskt protokoll i IPv6- stacken. ND har till huvudsaklig uppgift att noder kan upptäcka andra noder på den lokala länken, utföra adressöversättningar, kolltrollera så att adresser är unika samt kontrollera tillgängligheten hos aktiva noder. Precis som IPv4 så har IPv6 en hel del sårbarheter och med ND så är det inget undantag då det inte är säkrat. IPsec som är en den standard säkerhets mekanism till IPv6 löser inte problemet på grund av bootstrapping problemet. Det var därför Internet Engineering Task Force (IETF) introducerade Secure Neighbor Discovery (SEND). SEND är en mekanism för autentisering, meddelande skydd och router autentisering. En viktig del av SEND är Cryptographilcally Generated Address (CGA), en teknik som används för att försäkra sig så att det är den sändaren av ND meddelandet som är den riktiga ägaren av den hävdade adressen. NDprotector är en öppen källkods implementation av SEND som jag har valt att ha som grund för denna rapport. Jag kommer att sätta upp NDprotector i en liten labbmiljö där jag kommer att utföra olika attacker samt se efter om det klarar att försvara sig emot attackerna.

IPV6 security

Neighbor Discovery

Secure Neighbor Discovery

Cryptographically Generated Addresses

Engineering and Technology

Teknik och teknologier

Cybersecurity for the Internet of Things:  A Micro Moving Target IPv6 Defense

Zeitz, Kimberly Ann

04 September 2019

As the use of low-power and low-resource embedded devices continues to increase dramatically with the introduction of new Internet of Things (IoT) devices, security techniques are necessary which are compatible with these devices. This research advances the knowledge in the area of cybersecurity for the IoT through the exploration of a moving target defense to apply for limiting the time attackers may conduct reconnaissance on embedded systems while considering the challenges presented from IoT devices such as resource and performance constraints. We introduce the design and optimizations for µMT6D, a Micro-Moving Target IPv6 Defense, including a description of the modes of operation and use of lightweight hash algorithms. Through simulations and experiments µMT6D is shown to be viable for use on low power and low resource embedded devices in terms of footprint, power consumption, and energy consumption increases in comparison to the given security benefits. Finally, this provides information on other future considerations and possible avenues of further experimentation and research. / Doctor of Philosophy / This research aims to advance knowledge in the area of cybersecurity for the Internet of Things through the exploration and validation of a moving target defense to apply for limiting the time attackers may conduct reconnaissance on low powered embedded system devices considering the challenges presented from IoT devices such as resource and performance constraints. When an attack is carried out against a network, reconnaissance is utilized to identify the target machine or device. Limiting the time for reconnaissance, therefore has a direct impact on the ability of an adversary to carry out an attack. Many of the security techniques utilized today do not fit the IoT constraints. Research in this area is just beginning and security is often not considered. Sensors collecting and sending information can be compromised both through the network and access to the physical devices. How can these devices securely send information? How can these devices withstand attacks aiming to stop their functionality or to gain information? There are many aspects which need to be investigated to understand security vulnerabilities and potential defenses. As our technologies evolve our security defenses need to evolve as well. My research aims to further the understanding of the security of the IoT devices which have quickly become pervasive in our society. This research will expand the knowledge of the ability to safe guard connected devices from cyber-attacks and provide insight into the space and performance requirements of a technique previously only used on large scale systems. By designing, implementing experimental prototypes, and conducting simulations and experiments this research assesses the viable use of a Micro Moving Target IPv6 Defense (µMT6D).

Internet of Things

IPv6 Security

Embedded Systems

Moving Target Defense

Wireless Sensor Networks

HE-MT6D: A Network Security Processor with Hardware Engine for Moving Target IPv6 Defense (MT6D) over 1 Gbps IEEE 802.3 Ethernet

Sagisi, Joseph Lozano

28 July 2017

Traditional static network addressing allows attackers the incredible advantage of taking time to plan and execute attacks against a network. To counter, Moving Target IPv6 Defense (MT6D) provides a network host obfuscation technique that dynamically obscures network and transport layer addresses. Software driven implementations have posed many challenges, namely, constant code maintenance to remain compliant with all library and kernel dependencies, less than optimal throughput, and the requirement for a dedicated general purpose hardware. The work of this thesis presents Network Security Processor and Hardware Engine for MT6D (HE-MT6D) to overcome these challenges. HE-MT6D is a soft core Intellectual Property (IP) block developed in full Register Transfer Level (RTL) and is the first hardware-oriented design of MT6D. Major contributions of HE-MT6D include the complete separation of the data and control planes, development of a nonlinear Complex Instruction Set Computer (CISC) Network Security Processor for in-flight packet modification, a specialized Packet Assembly language, a configurable and a parallelized memory search through tag-based Hybrid Content Addressable Memory (HCAM) L1 write-through cache, full RTL Network Time Protocol version 4 hardware module, and a modular crypto engine. HE-MT6D supports multiple nodes and provides 1,025% throughput performance increase over earlier C-based MT6D at 863 Mbps with full encapsulation and decapsulation, and it matches bare wire throughput performance for all other traffic. The HE-MT6D IP block can be configured as an independent physical gateway device, built as embedded Application Specific Integrated Circuit (ASIC), or serve as a System on Chip (SoC) integrated submodule. / Master of Science

IPv6 Security

Moving Target Defense

Network Security Processor

Field programmable gate arrays

Moving Target IPv6 Defense

System on Chip

Packet Processor