An IPv6 Refresher--Part V

Ciprian Popoviciu, Eric Levy-Abegnoli, Patrick Grossetete

8/14/2006 2:27 AM EDT

Miss Parts I and II? No need to search or stress--they're right here: Part I, Part II, Part III, and finally, Part IV.

Neighbor Discovery Protocol
IPv6 Neighbor Discovery (ND) was first designed and published almost 10 years ago, as RFC 1970. It has been revised since then as RFC 2461, and a new version, focusing on fixes rather than revisions, is underway as RFC 2461bis. Some extensions have been described in Inverse Neighbor Discovery (RFC 3122), Default Router Selection (RFC 4191), and Autoconfiguration (RFC 2462).

In these 10 years, the focus of the Internet community has shifted significantly, and areas that did not get much attention, such as security and mobility, are now the focus of most of the efforts. This change of focus has led to a number of extensions, clarifications, and interactions described in various RFCs and Internet Drafts: Extension for Mobility in MIPv6 (RFC 3775), Security Features in Secure Neighbor Discovery (SEND) (RFC 3971), Detecting Network Attachment (DNA) (RFC 4135), Protocol for Carrying Authentication for Network Access (PANA) (RFC 4058), and Optimistic DAD (draft-ietf-ipv6-optimistic-dad).

The IPv6 NDP provides a number of integrated key features for router and host operations, when attached to the same link. Some of these features, such as address resolution and redirect, are seen in IPv4, under specific distinct protocols such as ARP and ICMP Redirect, respectively. Other features--for instance, prefix discovery and neighbor unreachability detection--are new, although some could be achieved by other means with IPv4, too. Table 12 lists these features and their correspondence in IPv4.


NDP applies to both hosts and routers in different ways. Table 13 attempts to separate hosts and router roles, with regard to the preceding list of features.


One of the fundamental differences between IPv6 ND and its IPv4 counterpart suite of protocols (ARP, IPCP, and so on) is the positioning in the IP protocol stack. Although IPv4 same-link-related protocols are split between ARP/RARP, right above the link layer, and ICMP, running above IP, IPv6 ND is implemented entirely within ICMPv6. Figure 20 highlights differences between the protocol stacks.

The reasons for the ND positioning within the stack are numerous, but if only one should be mentioned, it is simplicity. Why make address resolution (ARP and RARP in IPv4) a special case if this can be avoided? When within ICMP rather than next to IP, this feature can benefit from any service provided by IP, including security (Authentication Header), multicast, and so on.


Figure 20. IPv4 and IPv6 Protocol Stack Comparison

To secure the various functions in NDP, Secure Neighbor Discovery has introduced a set of specific ND options. They are used to protect NDP messages. Although this IPv6 refresher does not go into more detail about these options, you can refer to RFC 3971 for more information about SEND.

Protocol Operations Summary
The NDP enables each node on the link to perform ND, to build the knowledge necessary to make proper decisions when sending IPv6 packets to a neighbor. This knowledge represents a compilation of advertisements received from routers and nodes. These advertisements can be solicited or unsolicited. This information is stored in the following lists maintained by nodes:

  • List of on-link IPv6 addresses and corresponding link-layer addresses
  • Neighbor status (reachable, unreachable)
  • For hosts in particular:

    • List of on-link prefixes
    • List of on-link routers
    • List of default routers (on-link routers willing to be default routers)

    To obtain the above information, the following messages are used in the NDP:

    • Router solicitation (RS)
    • Router advertisement (RA)
    • Neighbor solicitation (NS)
    • Neighbor advertisement (NA)
    • Redirect
    • Inverse neighbor solicitation (INS)
    • Inverse neighbor advertisement (INA)

    The positioning of NDP above IPv6/ICMP raises a couple of questions that deserve clarification.

    When the link-layer address matching a given destination address is not known, a node seeking that association has to send its query to a wider audience. In IPv4, this is done using MAC-level broadcasts. In IPv6, the node uses multicasts for this query. The multicast group used is the solicited-node multicast address (with link-local scope), as described in the "IPv6 Addressing" section. Note: After the link-layer address is known for a prefix, the neighbor query might be sent again, to confirm the association (IP address, link-layer address). In that case, the query is unicast directly to the destination.

    Another issue arises when a node is using NDP to acquire its own address (see the section "Autoconfiguration"). It needs a source address to use for its query but has none yet. In such cases, it can use the IPv6 unspecified address (::) for the packet SA.

    Whereas address resolution messages are sent to the solicited-node multicast address (with link-local scope), other NDP messages are expected to reach all nodes or all routers. At the same time, the SA can be either a global or the link-local address of the sender: The latter is always preferred, to minimize the node's dependency on renumbering. Here is a list of all special addresses, sources, and destinations that a node can use in NDP exchanges:

    • All-nodes multicast address (FF02::1, destination)
    • All-routers multicast address (FF02::2, destination)
    • Solicited-node multicast address (destination)
    • Link-local address (source or destination)
    • Unspecified address (::, source)
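
The addressing rules above for a Neighbor Solicitation, as an added example that is not part of the original article: the check derives the solicited-node group from the low-order 24 bits of the target (the FF02::1:FF00:0/104 mapping from the IPv6 addressing architecture) and flags source/destination combinations that the text does not allow. The function names and the sample packets are constructed for illustration.

```python
import ipaddress

UNSPECIFIED = ipaddress.IPv6Address("::")
# Solicited-node prefix ff02::1:ff00:0/104; the low 24 bits come from the target.
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

def solicited_node(addr):
    """Return the solicited-node multicast group for a unicast address."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | low24)

def check_neighbor_solicitation(src, dst, target):
    """Return findings for one NS; an empty list means the addressing is as expected."""
    src, dst, target = (ipaddress.IPv6Address(a) for a in (src, dst, target))
    group = solicited_node(target)
    findings = []
    if target.is_multicast:
        findings.append("target is a multicast address")
    if src.is_multicast:
        findings.append("source is a multicast address")
    if dst.is_multicast and dst != group:
        findings.append(f"destination {dst} is not the target's group {group}")
    if not dst.is_multicast and dst != target:
        # A unicast NS is the confirmation case and goes straight to the target.
        findings.append(f"unicast destination {dst} differs from target {target}")
    if src == UNSPECIFIED and not dst.is_multicast:
        # A node with no address yet must query the multicast group.
        findings.append("unspecified source with a unicast destination")
    return findings

# Constructed sample packets (src, dst, target); not captured traffic.
SAMPLES = [
    ("fe80::1", "ff02::1:ff00:2b", "2001:db8::2b"),           # address resolution
    ("fe80::1", "2001:db8::2b", "2001:db8::2b"),              # unicast confirmation
    ("::", "ff02::1:ff9a:bcde", "fe80::211:22ff:fe9a:bcde"),  # node without an address
    ("fe80::1", "ff02::1", "2001:db8::2b"),                   # wrong multicast group
    ("::", "2001:db8::2b", "2001:db8::2b"),                   # unspecified source, unicast
]

def audit(samples):
    """Map each sample to its findings, keeping only the ones that look wrong."""
    return {s: f for s in samples if (f := check_neighbor_solicitation(*s))}

if __name__ == "__main__":
    for sample, findings in audit(SAMPLES).items():
        print(sample, "->", "; ".join(findings))
```
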

    Finally, two algorithms are leveraged by the IPv6 nodes to process the information gathered through NDP:

    • Next-hop determination algorithm
    • Default router selection

    Comparison with IPv4
    IPv6 NDP provides a number of improvements over the corresponding IPv4 protocols, as follows:

    • Router discovery becomes an integrated part of the protocol, enabling hosts to identify their default router.
    • Additional information, such as MTU or link-layer address, has been inserted in the ND messages, reducing the number of required exchanges on the link to achieve the same result as in IPv4. Here are a few examples:

      • The link-layer address of the router is carried in the RA message, so all nodes on the link know it without any further message flow.
      • The target link-layer address, inserted in the redirect message, saves the receiver (being redirected) any extra address-resolution exchange.
      • The MTU, carried in the RA, enables all nodes on a link to use a consistent MTU.

    • The address resolution uses multicast groups (solicited-node multicast address), embedding part of the target address. Most likely, therefore, only a few (most of the time only the target address owner) nodes will get interrupted with such address-resolution queries. Compare this with IPv4 ARP, which has no other choice than broadcasting (link-layer broadcast) the address-resolution requests (because ARP sits directly above the link layer). One hopes that the IPv6 way of resolving link-layer addresses will make subnets with a much larger number of hosts more manageable by drastically limiting link-layer broadcasts that host software layers have to handle.
    • Some new features such as address autoconfiguration and neighbor unreachability detection are part of the base protocol, simplifying configurations and improving robustness of packet delivery.
    • Router advertisements and Redirect messages carry router addresses in the form of link-local addresses, which makes the router association in the host more robust to renumbering (of global prefixes). In IPv4, the default gateway information has to be modified on the host every time the network changes its addressing scheme.
    • The positioning of address resolution above ICMP makes it possible to use standard IP authentication and security mechanisms for ND messages. Such mechanisms are not available in ARP for IPv4.
