Mitigation of IPv6 Router Spoofing Attacks with P4

ABSTRACTThe IPv6 protocol will sooner or later replace IPv4 to cope with an exponentially increasing number of connected devices. Some of the most significant functions of IPv6 networks are network discovery, maintenance, and routing mechanisms to promote auto-configuration of the network with less manual effort. Network Discovery Protocol (NDP) is an important protocol in IPv6 to identify the relationships between different neighboring devices in a network. However, it is also subject to spoofing and man-in-the-middle attacks. This paper implements an attack detection and mitigation strategy called Router Advertisement Guard (RA-Guard) in P4 to defend IPv6 networks against router spoofing attacks directly on the data plane. In contrast to very few proprietary RA-Guard implementations with limited details, we consider different scenarios to exploit IPv6 packet structure and publish our implementation open-source. The experiments show that our P4-based implementation can detect and mitigate spoofing attacks leveraging RA-Guard together with its control plane extensions.