Ana Kukec: Native SeND kernel API for *BSD

AsiaBSDCon 2010 paper session.

Abstract: In the legacy world of Internet Protocol Version 4 (IPv4), the link layer protocol, the Address Resolution protocol (ARP) is known to be vulnerable to spoofing attacks, but has nevertheless been in use entirely unsecured. The Neighbor Discovery Protocol (NDP), which in the IPv6 world roughly corresponds to IPv4 ARP, is vulnerable to a similar set of threats if not secured. The Secure Neighbor Discovery (SeND) extensions counter security threats to NDP by offering proof of address ownership, message protection, and router authorization. The current lack of robust support for SeND within BSD operating system family and drawbacks in the existing reference SeND implementation limits its deployment. We illustrate the protocol enhancements and their implemenation by rehashing the known problem scenarios with unsecured NDP and providing the short information about SeND. We then describe the design and implementation of a new, BSD licensed, kernel-userspace API for SeND, which mitigates the overhead associated with the reference implementation in FreeBSD, and which aims to improve portability to other BSD-derived operating systems.

Category:

Science & Technology

Tags:

• AsiaBSDCon 2010
• FreeBSD
• Google Summer of Code

License:

Standard YouTube License