Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Rethinking IPv6 Defense: A Unified Edge-Centric Zero-Trust Data-Plane Architecture

Walid Aljoby, Mohammed Alzayani, Md. Kamrul Hossain, Khaled A. Harras

TL;DR

This work tackles IPv6's combined spoofing and flooding threat by delivering a unified, edge-centric zero-trust defense implemented in a single P4 data-plane pipeline. The approach combines four modules—External Spoofing, Internal Spoofing, External Flooding, and Internal Flooding—sequentially to enforce identity plausibility before rate control, using prefix-level Hop Limit bands, DAD/NS-based bindings, and Count-Min Sketch windowed counters. The evaluation demonstrates strong detection performance on both BMv2 and a Netronome SmartNIC across a 15-scenario suite, highlighting high precision and near-perfect recall on hardware. The results imply that practical IPv6 defense can be deployed in the data plane without sacrificing essential IPv6 operations, with open avenues for adaptive thresholds and richer edge signals.

Abstract

IPv6 dependability is increasingly inseparable from IPv6 security: Neighbor Discovery (ND), Router Advertisements (RA), and ICMPv6 are essential for correct operation yet expose a broad attack surface for spoofing and flooding. Meanwhile, IPv6's massive address space breaks per-IP reputation and makes many defenses either non-scalable or narrowly scoped (e.g., only internal threats, only RA abuse, or only volumetric floods). We propose a zero-trust edge architecture implemented in a single programmable data-plane pipeline that unifies four modules: external spoofing, internal spoofing, external flooding, and internal flooding. A key design choice is to enforce identity plausibility before rate plausibility: stateless per-packet validation filters spoofed traffic early so that time-window statistics for flooding operate on credible identities. We outline a concrete P4 design (prefix Hop-Limit bands, DAD-anchored address-port bindings, and Count-Min Sketch windowed counting) and evaluate it across a systematic 15-scenario suite spanning single-, dual-, and multi-vector compositions. We report results from a BMv2 prototype and validate the same pipeline on a Netronome NFP-4000 SmartNIC, and we discuss limitations and open directions.

Rethinking IPv6 Defense: A Unified Edge-Centric Zero-Trust Data-Plane Architecture

TL;DR

This work tackles IPv6's combined spoofing and flooding threat by delivering a unified, edge-centric zero-trust defense implemented in a single P4 data-plane pipeline. The approach combines four modules—External Spoofing, Internal Spoofing, External Flooding, and Internal Flooding—sequentially to enforce identity plausibility before rate control, using prefix-level Hop Limit bands, DAD/NS-based bindings, and Count-Min Sketch windowed counters. The evaluation demonstrates strong detection performance on both BMv2 and a Netronome SmartNIC across a 15-scenario suite, highlighting high precision and near-perfect recall on hardware. The results imply that practical IPv6 defense can be deployed in the data plane without sacrificing essential IPv6 operations, with open avenues for adaptive thresholds and richer edge signals.

Abstract

IPv6 dependability is increasingly inseparable from IPv6 security: Neighbor Discovery (ND), Router Advertisements (RA), and ICMPv6 are essential for correct operation yet expose a broad attack surface for spoofing and flooding. Meanwhile, IPv6's massive address space breaks per-IP reputation and makes many defenses either non-scalable or narrowly scoped (e.g., only internal threats, only RA abuse, or only volumetric floods). We propose a zero-trust edge architecture implemented in a single programmable data-plane pipeline that unifies four modules: external spoofing, internal spoofing, external flooding, and internal flooding. A key design choice is to enforce identity plausibility before rate plausibility: stateless per-packet validation filters spoofed traffic early so that time-window statistics for flooding operate on credible identities. We outline a concrete P4 design (prefix Hop-Limit bands, DAD-anchored address-port bindings, and Count-Min Sketch windowed counting) and evaluate it across a systematic 15-scenario suite spanning single-, dual-, and multi-vector compositions. We report results from a BMv2 prototype and validate the same pipeline on a Netronome NFP-4000 SmartNIC, and we discuss limitations and open directions.
Paper Structure (15 sections, 2 figures, 1 table, 4 algorithms)

This paper contains 15 sections, 2 figures, 1 table, 4 algorithms.

Table of Contents

  1. Introduction
  2. Background and Related Work
  3. Threat Model and Design Goals
  4. Zero-Trust P4 Defense Architecture
  5. Pipeline Overview
  6. External Spoofing Module: Prefix-Level HL Plausibility
  7. Internal Spoofing Module: Address--Port Binding from DAD/NS
  8. External Flooding Module: Windowed Rate Control per Prefix
  9. Internal Flooding Module: Rate Control per Flow
  10. Implementation on BMv2 and SmartNIC
  11. Evaluation
  12. Testbed Setup
  13. Detection Effectiveness
  14. Limitations
  15. Conclusion

Figures (2)

  • Figure 1: A unified zero-trust IPv6 defense pipeline in a P4 data plane.
  • Figure 2: Evaluation setup and IPv6 topology