Tsinghua Science and Technology  2018, Vol. 23 Issue (1): 13-21    doi: 10.26599/TST.2018.9010020
Special Section on Cyberspace     
Secure DHCPv6 Mechanism for DHCPv6 Security and Privacy Protection
Lishan Li, Gang Ren, Ying Liu*, Jianping Wu
∙ Lishan Li, Gang Ren, Ying Liu, and Jianping Wu are with the Institute for Network Sciences and Cyberspace, Tsinghua University, Beijing 100084, China.

Abstract  

With the rapid development of the Internet, the exhaustion of IPv4 addresses has limited the development of the Internet for years. IPv6, as the core technology of the next-generation Internet, has since been rapidly deployed around the world. As the widely deployed address configuration protocol, DHCPv6 is responsible for allocating globally unique IPv6 addresses to clients, which is the basis for all network services. However, the initial design of the DHCPv6 protocol gave little consideration to privacy and security issues, which has led to a proliferation of privacy and security breaches in its real deployment. In this paper, to fundamentally solve a range of possible security and privacy issues, we propose a secure DHCPv6 mechanism, which adds authentication and encryption mechanisms to the original DHCPv6 protocol. Compared with other proposed security mechanisms for DHCPv6, our method can achieve all-around protection for the DHCPv6 protocol with minimal change to the current protocol, easier deployment, and low computing cost.



Key words: DHCPv6, security, privacy, IETF, authentication, encryption
Received: 20 November 2016      Published: 12 April 2019
Corresponding Authors: Ying Liu   
About author:

Jianping Wu received the BS, MS, and PhD degrees from Tsinghua University, China. His research interests include next-generation Internet, IPv6 deployment and technologies, and Internet protocol design and engineering. He is currently a full professor in Tsinghua University, vice chairman of the information committee, and director of the Information Office, Dean of the CS Department and Director of the Network Research Center, Dean of Institute for Network Sciences and Cyberspace, and Director of Information Technology Center, Tsinghua University. He is director of Network Center and Technic Committee of China Education and Research Network CERNET, director of the National Engineering Laboratory for Next Generation Internet, a member of Advisory Committee of National Information Infrastructure for Secretariat of State Council of China, and vice president of Internet Society of China (ISC). He is an IEEE Fellow and was also the Chairman of Asia Pacific Advanced Network from 2007 to 2011. He received the Jonathan B. Postel Award from the Internet Society in 2010.

Cite this article:

Lishan Li, Gang Ren, Ying Liu, Jianping Wu. Secure DHCPv6 Mechanism for DHCPv6 Security and Privacy Protection. Tsinghua Science and Technology, 2018, 23(1): 13-21.

URL:

http://tst.tsinghuajournals.com/10.26599/TST.2018.9010020     OR     http://tst.tsinghuajournals.com/Y2018/V23/I1/13

Fig. 1 Rogue DHCPv6 server attack.
Fig. 2 DHCPv6 message tampering attack.
Fig. 3 Denial-of-service attack for DHCPv6.
| No. | Faced threat | Possible attacks | Secure requirement |
|---|---|---|---|
| 1 | Spoofing | Rogue server attack | Server authentication |
| 2 | Tampering | MITM attack | Message integrity check |
| 3 | Denial of service | DDoS attack | Server availability |
| 4 | Information disclosure | Network activity tracking, location tracking, address scanning, device-specific vulnerability | Confidentiality |
Table 1 Threat model for DHCPv6.
Fig. 4 Secure DHCPv6 configuration process.
Fig. 5 Format of the Encrypted-Query message.
Fig. 6 Format of the signature option.
Fig. 7 Implementation result on the client side.
Fig. 8 Implementation result on the server side.
| Article | Key technology | Defense capability | Impact on the current protocol | Deployment difficulty | Computing cost |
|---|---|---|---|---|---|
| RFC7844 | Randomized DUID generation method on the client side | 3 | Replace the previous stable DUID generation method | Hard | No extra cost |
| RFC3315 | Message authentication based on symmetric key | 1, 2, 4 | Add Authentication option | Hard | Small cost |
| Secure DHCPv6 | Authentication and encryption based on asymmetric keys | 1, 2, 3, 4 | Add server authentication before normal process | Easy | Small cost |
Table 2 Comparison of the secure mechanisms for DHCPv6.