# Secure Neighbor Discovery

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/Secure_Neighbor_Discovery
> Markdown URL: https://mediated.wiki/source/Secure_Neighbor_Discovery.md
> Source: https://en.wikipedia.org/wiki/Secure_Neighbor_Discovery
> Source revision: 1331484628
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

IPv6 network protocol extension

The **Secure Neighbor Discovery** (**SEND**) protocol is a security extension of the [Neighbor Discovery Protocol](/source/Neighbor_Discovery_Protocol) (NDP) in [IPv6](/source/IPv6) defined in [RFC](/source/RFC_(identifier)) [3971](https://www.rfc-editor.org/rfc/rfc3971) and updated by [RFC](/source/RFC_(identifier)) [6494](https://www.rfc-editor.org/rfc/rfc6494).

The [Neighbor Discovery Protocol](/source/Neighbor_Discovery_Protocol) (NDP) is responsible in [IPv6](/source/IPv6) for discovering other network nodes on the local link, determining the link-layer addresses of other nodes, finding available routers, and maintaining reachability information about the paths to other active neighbor nodes ([RFC](/source/RFC_(identifier)) [4861](https://www.rfc-editor.org/rfc/rfc4861)). NDP is insecure[1] and susceptible to malicious interference. SEND is intended to provide an alternate mechanism for securing NDP with a cryptographic method that is independent of [IPsec](/source/IPsec), the original and inherent method of securing IPv6 communications.

SEND uses [Cryptographically Generated Addresses](/source/Cryptographically_Generated_Address) (CGA) and other new NDP options for the [ICMPv6](/source/ICMPv6) packet types used in NDP.

SEND was updated to use the [Resource Public Key Infrastructure](/source/Resource_Public_Key_Infrastructure) (RPKI) by RFC 6494 and [RFC](/source/RFC_(identifier)) [6495](https://www.rfc-editor.org/rfc/rfc6495), which define the use of a SEND Certificate Profile utilizing a modified RFC 6487 RPKI Certificate Profile, which must include a single RFC 3779 IP Address Delegation extension.

Concerns about [algorithm agility](/source/Algorithm_agility) with respect to attacks on the hash functions used by SEND are expressed in [RFC](/source/RFC_(identifier)) [6273](https://www.rfc-editor.org/rfc/rfc6273): CGA currently uses the [SHA-1](/source/SHA-1) hash algorithm and PKIX certificates and does not provide support for alternative hash algorithms.
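The CGA binding that SEND relies on, and the fixed use of SHA-1 behind the agility concern, can be seen in the following added example (not part of the original article and not taken from any listed implementation). It follows the generation and verification steps of the CGA specification, RFC 3972, without extension fields; the function names, the `2001:db8::/64` prefix and the stand-in key bytes are assumptions made for illustration.

```python
import hashlib
import ipaddress

ID_MASK = 0x1CFFFFFFFFFFFFFF  # ignore Sec (3 leftmost bits) and the u/g bits
# Constructed stand-in; a real node uses its DER-encoded SubjectPublicKeyInfo.
SAMPLE_KEY = b"constructed-stand-in-for-DER-SubjectPublicKeyInfo"
SAMPLE_PREFIX = bytes.fromhex("20010db800000000")  # documentation prefix

def _hash2(modifier, pubkey):
    # Hash2: leftmost 112 bits of SHA-1(modifier | 9 zero octets | key)
    return hashlib.sha1(modifier + bytes(9) + pubkey).digest()[:14]

def _hash1(modifier, prefix, coll, pubkey):
    # Hash1: leftmost 64 bits of SHA-1 over the CGA Parameters structure
    data = modifier + prefix + bytes([coll]) + pubkey
    return int.from_bytes(hashlib.sha1(data).digest()[:8], "big")

def generate_cga(prefix, pubkey, sec, modifier=bytes(16)):
    """Return (address, modifier); costs about 2**(16*sec) SHA-1 calls."""
    m = int.from_bytes(modifier, "big")
    # Search for a modifier whose Hash2 starts with 16*sec zero bits.
    while any(_hash2(m.to_bytes(16, "big"), pubkey)[:2 * sec]):
        m = (m + 1) % (1 << 128)
    modifier = m.to_bytes(16, "big")
    # Interface ID = Hash1 with Sec in the top 3 bits and u/g cleared.
    iid = (_hash1(modifier, prefix, 0, pubkey) & ID_MASK) | (sec << 61)
    return ipaddress.IPv6Address(prefix + iid.to_bytes(8, "big")), modifier

def verify_cga(address, modifier, prefix, coll, pubkey):
    """Receiver-side check that `address` is bound to `pubkey`."""
    raw = ipaddress.IPv6Address(address).packed
    if coll not in (0, 1, 2) or raw[:8] != prefix:
        return False
    iid = int.from_bytes(raw[8:], "big")
    if (_hash1(modifier, prefix, coll, pubkey) ^ iid) & ID_MASK:
        return False
    sec = iid >> 61  # Sec is read from the address itself
    return not any(_hash2(modifier, pubkey)[:2 * sec])

if __name__ == "__main__":
    addr, mod = generate_cga(SAMPLE_PREFIX, SAMPLE_KEY, sec=1)
    print(addr, verify_cga(addr, mod, SAMPLE_PREFIX, 0, SAMPLE_KEY))
```

The check only ties the address to a public key; a SEND receiver must still validate the message signature made with that key. Both hashes are hard-wired to `hashlib.sha1`, with no field in the parameters to select another algorithm.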

## Implementations

- [Cisco IOS 12.4(24)T and newer](http://www.cisco.com/en/US/docs/ios-xml/ios/sec_data_acl/configuration/15-2mt/ip6-send.html)

- [Docomo USL SEND fork](http://mobisend.org/software.html) (permanent dead link)

- [Easy-SEND](https://sourceforge.net/projects/easy-send/)

- [ipv6-send-cga](https://code.google.com/p/ipv6-send-cga/), [Huawei](/source/Huawei) and [Beijing University of Posts and Telecommunications](/source/Beijing_University_of_Posts_and_Telecommunications)

- [NDprotector](https://web.archive.org/web/20110811105850/http://amnesiak.org/NDprotector/), [Telecom SudParis](/source/Telecom_SudParis)

- [Native SeND kernel API](https://code.google.com/p/google-summer-of-code-2009-freebsd/downloads/detail?name=Ana_Kukec.tar.gz)

- [TrustRouter](http://www.trustrouter.net/)

- [USL SEND](https://web.archive.org/web/20110710143008/http://www.docomolabs-usa.com/lab_opensource.html) (discontinued), [NTT DoCoMo](/source/NTT_DoCoMo)

- [WinSEND](https://hpi.de/meinel/security-tech/next-generation-security-engineering/ipv6-security/winsend.html)

## See also

- [Neighbor Discovery Protocol](/source/Neighbor_Discovery_Protocol)

## References

1. [Holding IPv6 Neighbor Discovery to a Higher Standard of Security](https://community.infoblox.com/t5/IPv6-CoE-Blog/Holding-IPv6-Neighbor-Discovery-to-a-Higher-Standard-of-Security/ba-p/3470), community.infoblox.com, 2.10.2015

- J. Arkko, ed. (March 2005). *Secure Neighbor Discovery (SEND)*. [IETF](/source/Internet_Engineering_Task_Force). [RFC](/source/RFC_(identifier)) [3971](https://tools.ietf.org/html/rfc3971).

- T. Narten; et al. (September 2007). *Neighbor Discovery for IP version 6 (IPv6)*. [IETF](/source/Internet_Engineering_Task_Force). [RFC](/source/RFC_(identifier)) [4861](https://tools.ietf.org/html/rfc4861).

- R. Gagliano; et al. (February 2012). *Certificate Profile and Certificate Management for SEcure Neighbor Discovery (SEND)*. [IETF](/source/Internet_Engineering_Task_Force). [RFC](/source/RFC_(identifier)) [6494](https://tools.ietf.org/html/rfc6494).

---
Adapted from the Wikipedia article [Secure Neighbor Discovery](https://en.wikipedia.org/wiki/Secure_Neighbor_Discovery) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/Secure_Neighbor_Discovery?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
