Rethinking IPv6 Defense: A Unified Edge-Centric Zero-Trust Data-Plane Architecture
Walid Aljoby, Mohammed Alzayani, Md. Kamrul Hossain, Khaled A. Harras

TL;DR
This paper introduces a unified, programmable zero-trust architecture for IPv6 security that efficiently detects spoofing and flooding attacks by validating identities early in the data plane.
Contribution
It presents a novel, edge-centric, data-plane-based zero-trust architecture with a concrete P4 design to improve IPv6 security against multiple attack vectors.
Findings
Prototype implementation on BMv2 demonstrates effectiveness.
Validation on Netronome NFP-4000 SmartNIC confirms real-world applicability.
Systematic evaluation across 15 diverse attack scenarios shows robustness.
Abstract
IPv6 dependability is increasingly inseparable from IPv6 security: Neighbor Discovery (ND), Router Advertisements (RA), and ICMPv6 are essential for correct operation yet expose a broad attack surface for spoofing and flooding. Meanwhile, IPv6's massive address space breaks per-IP reputation and makes many defenses either non-scalable or narrowly scoped (e.g., only internal threats, only RA abuse, or only volumetric floods). We propose a zero-trust edge architecture implemented in a single programmable data-plane pipeline that unifies four modules: external spoofing, internal spoofing, external flooding, and internal flooding. A key design choice is to enforce identity plausibility before rate plausibility: stateless per-packet validation filters spoofed traffic early so that time-window statistics for flooding operate on credible identities. We outline a concrete P4 design (prefix…
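The ordering the abstract argues for (identity plausibility before rate plausibility) can be seen in a small Python model of the two stages. This is an added illustration, not the paper's P4 pipeline or any code from its authors: the site prefix, the ICMPv6 handling at the edge, the per-/64 keying of external identities, the window length and the threshold are all assumptions chosen for the example, and the traffic is constructed, not captured.

```python
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Assumed site prefix of the protected network (RFC 3849 documentation range).
INTERNAL_PREFIX = ipaddress.IPv6Network("2001:db8:1::/48")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")
UNSPECIFIED = ipaddress.IPv6Address("::")
# ICMPv6 message types that belong to Neighbor Discovery (RFC 4861).
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}


@dataclass(frozen=True)
class Packet:
    ingress: str                       # "external" or "internal" edge port
    src: str                           # source IPv6 address
    icmpv6_type: Optional[int] = None  # None when the packet is not ICMPv6
    ts: float = 0.0                    # arrival time in seconds


def identity_plausible(pkt: Packet) -> bool:
    """Stage 1: stateless per-packet check that the claimed source is plausible
    for the port it arrived on. No table is consulted, so it cannot be exhausted."""
    src = ipaddress.IPv6Address(pkt.src)
    if pkt.ingress == "external":
        # Outside traffic must not claim our prefix, a link-local or an unspecified
        # source, and ND/RA is link-scoped, so it never legitimately crosses the edge.
        if src in INTERNAL_PREFIX or src in LINK_LOCAL or src == UNSPECIFIED:
            return False
        return pkt.icmpv6_type not in ND_TYPES
    if pkt.ingress == "internal":
        # Inside hosts use a site or link-local address; '::' is legitimate only
        # as the source of a Duplicate Address Detection NS (RFC 4862).
        if src == UNSPECIFIED:
            return pkt.icmpv6_type == 135
        return src in INTERNAL_PREFIX or src in LINK_LOCAL
    return False


class FloodDetector:
    """Stage 2: fixed time-window counters keyed by an already-validated identity.
    Assumption: external identities are aggregated per /64, because per-host keys
    are unbounded in IPv6; internal identities are the full address."""

    def __init__(self, window_s: float = 1.0, threshold: int = 5):
        self.window_s, self.threshold = window_s, threshold
        self.counts: dict = defaultdict(int)
        self.window_start = 0.0

    @staticmethod
    def key(pkt: Packet):
        src = ipaddress.IPv6Address(pkt.src)
        if pkt.ingress == "external":
            return ("ext", str(ipaddress.IPv6Network(f"{src}/64", strict=False)))
        return ("int", str(src))

    def observe(self, pkt: Packet) -> bool:
        """Count the packet; True once its identity exceeds the threshold in the window."""
        if pkt.ts - self.window_start >= self.window_s:
            self.counts.clear()
            self.window_start = pkt.ts - (pkt.ts % self.window_s)
        k = self.key(pkt)
        self.counts[k] += 1
        return self.counts[k] > self.threshold


def process(packets, detector: FloodDetector):
    """Identity plausibility first, then rate plausibility: spoofed packets are
    dropped before they can touch any counter."""
    verdicts = []
    for p in packets:
        if not identity_plausible(p):
            verdicts.append("drop:spoof")
        elif detector.observe(p):
            verdicts.append("drop:flood")
        else:
            verdicts.append("forward")
    return verdicts


def run_demo():
    """Constructed traffic (not captured data), all inside one 1 s window."""
    pkts = []
    # (a) external attacker forging an internal source: 20 packets, all stage-1 drops
    pkts += [Packet("external", "2001:db8:1:7::9", ts=0.01 * i) for i in range(20)]
    # (b) external RA injection attempt: ND must not cross the edge
    pkts += [Packet("external", "2001:db8:ffff::1", icmpv6_type=134, ts=0.3)]
    # (c) a genuine external /64 sending 8 packets against a threshold of 5
    pkts += [Packet("external", f"2001:db8:ffff::{i + 1:x}", ts=0.4 + 0.01 * i)
             for i in range(8)]
    # (d) internal host performing DAD with the unspecified source: legitimate
    pkts += [Packet("internal", "::", icmpv6_type=135, ts=0.5)]
    det = FloodDetector(window_s=1.0, threshold=5)
    verdicts = process(pkts, det)
    return {
        "verdicts": Counter(verdicts),
        # stage 2 never saw the forged internal identity, only credible keys
        "stage2_keys": sorted(det.counts),
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the ordering shows up in `stage2_keys`: the forged internal address from flow (a) never becomes a counter key, so the flooding statistics are computed only over identities that survived the stateless check, and an attacker cannot inflate or pollute the rate table with addresses it does not plausibly own.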
Taxonomy
Topics: IPv6, Mobility, Handover, Networks, Security · Network Packet Processing and Optimization · Software-Defined Networks and 5G
