Link Layer Hashed Based Addresses (LL-HBA) for Secure Neighbor Discovery (SEND)

Document Type: Expired Internet-Draft (individual)
Last updated: 2005-09-14
Stream: (None)
Intended RFC status: (None)
Expired & archived
Stream state: (No stream defined)
Consensus Boilerplate: Unknown
RFC Editor Note: (None)
IESG state: Expired
Telechat date:
Responsible AD: (None)
Send notices to: (None)

This Internet-Draft is no longer active. A copy of the expired Internet-Draft can be found at


The current mechanisms used by Secure Neighbor Discovery (SEND) to secure the Neighbor Discovery Protocol (NDP) rely almost solely on public key cryptography (i.e., Certificates and/or Cryptographically Generated Addresses). While these approaches provide very strong guarantees on the authenticity of an IP address to link layer address mapping, they are computationally expensive, which might be a problem on resource-constrained devices. The SEND specification also recognizes that it does not compensate for an insecure link layer; more specifically, it offers no protection against spoofing, link disruption, or bombing DoS attacks launched at the link layer. Accordingly, this note suggests an alternative to the current specification of SEND that leverages the link layer security, which is deemed required anyway, to secure NDP. This technique is based on the use of a specific kind of IPv6 address, the so-called Link Layer Hashed Based Address (LL-HBA), and on link layer address reachability tests. When link layer security prevents an attacker from redirecting frames at the link layer, this technique provides some level of security to NDP while relying solely on symmetric (i.e., computationally inexpensive) cryptography.


Julien Laganier
Gabriel Montenegro

(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)