Towards securing Duplicate Address Detection using P4
Computer Networks (IF 5.6), Pub Date: 2021-07-28, DOI: 10.1016/j.comnet.2021.108323
Lin He, Peng Kuang, Ying Liu, Gang Ren, Jiahai Yang

Duplicate Address Detection (DAD) is one of the functions of the Neighbor Discovery Protocol (NDP), which determines whether the IPv6 address of a node conflicts with those of other nodes. However, due to the lack of verification of NDP messages, DAD is vulnerable to Denial of Service (DoS) attacks. Existing solutions suffer from high complexity and low security, require modifying the NDP, or have a single point of failure, which makes them infeasible to deploy.

To solve the above problems, we propose P4DAD, which is a secure DAD mechanism based on P4. By creating and maintaining a binding entry between an IPv6 address and a link-layer property of a host’s network attachment, P4DAD can filter spoofed NDP messages in an in-network manner to prevent DoS attacks on DAD without modification to the NDP or host stack. We implement a prototype of P4DAD and evaluate it in terms of functionality, performance, and scalability. Evaluation results show that P4DAD can prevent DoS attacks on DAD successfully with negligible overhead and has satisfactory scalability.




Updated: 2021-08-20