
DAD-Match: Technique to Prevent DoS Attack on Duplicate Address Detection Process in IPv6 Link-local Network

Ahmed K. Al-Ani, Mohammed Anbar, Selvakumar Manickam, and Ayman Al-Ani
National Advanced IPv6 Centre, USM, 11800 Gelugor, Penang, Malaysia

Abstract—Duplicate Address Detection (DAD) is one of the core procedures in Internet Protocol version 6 (IPv6). It allows all the nodes located on the same link to communicate and join the network with a unique IP address. However, DAD is vulnerable to security threats. The DAD procedure relies on two Neighbour Discovery (ND) messages, namely Neighbour Solicitation (NS) and Neighbour Advertisement (NA), to verify the uniqueness of a tentative IP address, which is multicast to all existing hosts in an NS message. Thus, DAD allows any malicious node on the same link to receive the NS message, and the malicious node may send a spoofed reply to prevent the address configuration of a target node, resulting in a Denial of Service (DoS) attack. This study aims to secure the DAD procedure by hiding the tentative IP address during the process, thereby preventing a malicious node from disrupting the target node's IP configuration. The proposed DAD-match security technique builds on the SHA-3 hash function by introducing a new option, called DAD-match, which holds the hash value of the tentative IP address and is attached to the NS and NA messages, turning them into NS-match and NA-match messages. We expect the DAD-match technique to provide lightweight, low-complexity security and to fully prevent DoS attacks during the DAD procedure in an IPv6 link-local network.
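As an added illustration (not code from the paper), the following Python sketch shows the message shape the abstract describes: the tentative address is withheld from the ND target field and carried only as a SHA3-256 digest in a DAD-match option, an existing host answers only if one of its own addresses hashes to that digest, and the new node treats an NA-match as a duplicate report only when the digest equals that of its own tentative address. The option type value, the option layout and hashing the packed 16-byte address are assumptions made here; the paper's exact encoding is not given on this page.

```python
import hashlib
import ipaddress
import struct

ICMPV6_NS, ICMPV6_NA = 135, 136
# Assumed ND option type for the DAD-match option (placeholder; the paper's
# assigned value is not given on this page).
DAD_MATCH_OPT_TYPE = 0xFE
DIGEST_LEN = 32          # SHA3-256 output size
OPT_LEN_UNITS = 5        # (2 + 32) bytes rounded up to 8-octet units = 40 bytes

def dad_match_digest(addr: str) -> bytes:
    """SHA3-256 over the packed 16-byte IPv6 address (assumed input encoding)."""
    return hashlib.sha3_256(ipaddress.IPv6Address(addr).packed).digest()

def build_match_message(msg_type: int, tentative: str) -> bytes:
    """Build an NS-match (135) or NA-match (136) message. The ND target field is
    left unspecified (::) and the tentative address appears only as a hash in
    the DAD-match option, so on-link listeners never see the address itself."""
    flags = 0x20000000 if msg_type == ICMPV6_NA else 0   # NA: Override set, Solicited clear
    header = struct.pack("!BBHI", msg_type, 0, 0, flags)  # checksum left to the IP layer
    target = ipaddress.IPv6Address("::").packed
    option = struct.pack("!BB", DAD_MATCH_OPT_TYPE, OPT_LEN_UNITS) + dad_match_digest(tentative)
    option += b"\x00" * (OPT_LEN_UNITS * 8 - len(option))  # pad to the declared option length
    return header + target + option

def parse_dad_match(packet: bytes) -> bytes:
    """Walk the ND options after the 24-byte header+target and return the digest."""
    opts = packet[24:]
    while len(opts) >= 2:
        otype, olen = opts[0], opts[1]
        if olen == 0:
            raise ValueError("malformed ND option (length 0)")
        if otype == DAD_MATCH_OPT_TYPE:
            return opts[2:2 + DIGEST_LEN]
        opts = opts[olen * 8:]
    raise ValueError("no DAD-match option present")

def owner_should_reply(ns_match: bytes, my_addrs) -> bool:
    """Existing host side: answer with NA-match only if one of its own configured
    addresses hashes to the received digest; the digest alone does not reveal
    which address the new node is trying to claim."""
    digest = parse_dad_match(ns_match)
    return any(dad_match_digest(a) == digest for a in my_addrs)

def tentative_is_duplicate(na_match: bytes, tentative: str) -> bool:
    """New node side: a received NA-match counts as a duplicate report only when
    its digest equals the digest of the node's own tentative address."""
    return parse_dad_match(na_match) == dad_match_digest(tentative)
```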


Index Terms—Duplicate Address Detection, DAD, DoS attack, IPv6 Security, hash function, DAD-match technique


Cite: Ahmed K. Al-Ani, Mohammed Anbar, Selvakumar Manickam, and Ayman Al-Ani, "DAD-Match: Technique to Prevent DoS Attack on Duplicate Address Detection Process in IPv6 Link-local Network," Journal of Communications, vol. 13, no. 6, pp. 317-324, 2018. Doi: 10.12720/jcm.13.6.317-324.