ARP in IPv6
Neighbor Discovery, Router Solicitation (RS) & Router Advertisement (RA), link-layer address, SLAAC (Stateless Address Autoconfiguration)
IPv6 Neighbor Discovery (ND) merges what IPv4 did with ARP, ICMP Router Discovery and ICMP Redirect into one ICMPv6-based protocol. Besides improving on the IPv4 versions, ND adds a new function: Neighbor Unreachability Detection, which lets a node test whether a neighbor (including its default router) is still reachable.
Host ----- RS (Router Solicitation, sent to all-routers ff02::2) -----> Router
Host <---- RA (Router Advertisement, sent to all-nodes ff02::1 or unicast back to the host) ----- Router
ND defines how a node detects that a neighbor has become unreachable (NUD) and the related on-link functions:
- NUD: track whether each neighbor in the cache is still reachable.
- Next-hop determination / Redirect: find which neighboring router should receive a datagram; a router can send a Redirect pointing the host at a better first hop.
- Prefix discovery: learn the on-link prefix(es), the IPv6 equivalent of the subnet mask, from the Prefix Information options in RA messages.
- Address autoconfiguration: a host forms its own address from the RA prefix (SLAAC, stateless address autoconfiguration), so no DHCPv4-style server is required. DHCPv6 is a separate, optional stateful mechanism and is not the same thing as SLAAC.
- Link-layer address change detection: a Neighbor Advertisement carrying a different link-layer address updates (or, without the Override flag, demotes) the cached entry.
- Hop Limit 255: every ND message is sent with Hop Limit 255, and a receiver discards any ND message whose Hop Limit is less than 255, because such a packet must have crossed a router and therefore did not come from an on-link node. This is a validity check against off-link forgery, not a round-trip timeout.
- (omit)
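The address autoconfiguration and address resolution items above, as a worked example added here (it is not part of the original notes): how a host turns the RA prefix plus its own MAC into a SLAAC address with a modified EUI-64 interface identifier, and where the Neighbor Solicitation for DAD or address resolution is actually sent, i.e. the solicited-node multicast group and the Ethernet multicast address derived from it. The prefix 2001:db8:1:110::/64 and the MAC 08:00:27:dd:ed:d3 are constructed sample inputs; only the Python standard library is used.

```python
import ipaddress


def eui64_interface_id(mac: str) -> bytes:
    """Modified EUI-64 interface identifier (RFC 4291 App. A): split the 48-bit MAC,
    insert 0xFFFE in the middle and flip the universal/local bit (0x02 of octet 0)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def slaac_address(prefix: str, mac: str) -> str:
    """Address a host forms from the RA's Prefix Information option (A flag set) and its MAC.
    SLAAC with EUI-64 only works for a /64 prefix; fe80::/64 gives the link-local address."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC with EUI-64 requires a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))


def solicited_node_multicast(addr: str) -> str:
    """ff02::1:ffXX:XXXX where XX:XXXX are the low 24 bits of the unicast address (RFC 4291 2.7.1).
    NS for address resolution and DAD go here rather than to ff02::1, so only nodes that share
    those 24 bits have to process them."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24))


def ipv6_multicast_mac(addr: str) -> str:
    """Ethernet destination for an IPv6 multicast address: 33:33 + low 32 bits (RFC 2464 s.7)."""
    low32 = (int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFF).to_bytes(4, "big")
    return "33:33:" + ":".join(f"{b:02x}" for b in low32)


def dad_probe(tentative: str) -> dict:
    """Where the DAD Neighbor Solicitation for a tentative address is sent: source is the
    unspecified address ::, target is the tentative address. Any NA for that target (or an NS
    from another node for the same target) that comes back means the address is a duplicate."""
    dst = solicited_node_multicast(tentative)
    return {"src": "::", "dst": dst, "dst_mac": ipv6_multicast_mac(dst), "target": tentative}


if __name__ == "__main__":
    mac = "08:00:27:dd:ed:d3"          # constructed sample MAC
    ll = slaac_address("fe80::/64", mac)
    ga = slaac_address("2001:db8:1:110::/64", mac)   # constructed sample RA prefix
    print("link-local :", ll)
    print("global     :", ga)
    print("DAD probe  :", dad_probe(ga))
```

The flipped U/L bit is why a MAC starting with 08 yields an interface ID starting with 0a. Because the interface ID is derived from the MAC, EUI-64 addresses are trackable across networks, which is why hosts normally also generate temporary (RFC 4941) or stable-but-opaque (RFC 7217) identifiers instead.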
ND (RFC 4861) specifies the behaviour of both hosts and routers, including:
- ND, Neighbor Discovery (the RS/RA, NS/NA and Redirect messages, ICMPv6 types 133-137)
- RD, Router Discovery
- AR, Address Resolution (the ARP replacement: NS to the solicited-node multicast group, NA in reply)
- NUD, Neighbor Unreachability Detection
- DAD, Duplicate Address Detection (uses NS/NA; the procedure itself is specified in RFC 4862)
- ICMP Redirect
Weaknesses of ND: see RFC 6583 (operational ND problems, e.g. neighbor cache exhaustion when an attacker scans a /64 and the router creates an INCOMPLETE entry for every probed address).
ND is easy to attack with DoS and man-in-the-middle because its messages are unauthenticated: any node on the link can send a forged RA claiming to be the default gateway, and every host on that link (same prefix) installs the rogue router. The forged RA reaches the hosts, not just other routers, because it is multicast to all-nodes ff02::1.
Secure Neighbor Discovery (SEND, RFC 3971) and RA Guard
SEND binds ND messages to Cryptographically Generated Addresses (CGA) and signs them, so a host can reject forged RA/NA. It is rarely deployed; the usual mitigation for rogue RAs is RA Guard (RFC 6105), a separate layer-2 control: the access switch inspects the ICMPv6 type in the ND header and drops Router Advertisements arriving on ports that are not designated as router-facing, so the forged RA never reaches the other hosts.
Fragmentation is a known ND weakness: an attacker can split an RA across fragments so that the ICMPv6 header is not in the first fragment and RA Guard cannot see it. RFC 6980 (which updates both ND and SEND) therefore forbids fragmenting ND messages: a receiver must drop any ND message carried in a packet that contains a Fragment Header.
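The receive-side checks from the list above (Hop Limit must be 255) together with the RA Guard and RFC 6980 fragment rules, as a worked example added here; it is not code from the original notes or from any switch vendor. The packets are built by hand with struct (no scapy needed): build_ra constructs a sample RA with a Prefix Information option and a correct ICMPv6 pseudo-header checksum, fragment_nd wraps it in a Fragment Header the way an evasion attempt would, validate_nd applies the host-side checks from RFC 4861 s.6.1/7.1 plus RFC 6980, and ra_guard is a toy stateless RA Guard that only accepts RA/Redirect from router-facing ports. The source address fe80::a00:27ff:fedd:edd3, prefix 2001:db8:1:110::/64 and port names are constructed sample inputs.

```python
import struct
import ipaddress

ICMPV6, FRAGMENT_HDR = 58, 44
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
ND_MIN_LEN = {133: 8, 134: 16, 135: 24, 136: 24, 137: 40}   # RFC 4861 fixed-header sizes


def icmpv6_checksum(src: bytes, dst: bytes, icmp: bytes) -> int:
    """Ones-complement checksum over the IPv6 pseudo-header (RFC 8200 s.8.1) + ICMPv6 message.
    Computed over a message whose checksum field is already filled in, it returns 0 when correct."""
    data = src + dst + struct.pack("!I", len(icmp)) + b"\x00\x00\x00" + bytes([ICMPV6]) + icmp
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ra(src: str, prefix: str = "2001:db8:1:110::/64", hop_limit: int = 255) -> bytes:
    """Constructed sample: IPv6 packet carrying a Router Advertisement (type 134) to ff02::1 with one
    Prefix Information option (L and A flags set) so receiving hosts would run SLAAC on the prefix."""
    s, d = ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address("ff02::1").packed
    net = ipaddress.IPv6Network(prefix)
    # type, code, checksum (0 for now), cur hop limit, M|O flags, router lifetime, reachable time, retrans timer
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)
    # option type 3, length 4 (units of 8 bytes), prefix length, L|A flags, valid, preferred, reserved, prefix
    icmp += struct.pack("!BBBBIII", 3, 4, net.prefixlen, 0xC0, 2592000, 604800, 0) + net.network_address.packed
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(s, d, icmp)) + icmp[4:]
    return struct.pack("!IHBB", 0x60000000, len(icmp), ICMPV6, hop_limit) + s + d + icmp


def fragment_nd(pkt: bytes) -> bytes:
    """Constructed evasion variant: the same RA behind an IPv6 Fragment Header (single fragment, offset 0)."""
    frag_hdr = struct.pack("!BBHI", ICMPV6, 0, 0, 0x1234)   # next header, reserved, offset/M flag, identification
    ip_hdr = pkt[:4] + struct.pack("!HBB", len(pkt) - 40 + 8, FRAGMENT_HDR, pkt[7]) + pkt[8:40]
    return ip_hdr + frag_hdr + pkt[40:]


def validate_nd(pkt: bytes):
    """Host-side checks from RFC 4861 s.6.1/7.1 plus RFC 6980. Returns (accepted, reason, icmp_type)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return False, "not IPv6", None
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", pkt[4:8])
    src, dst, icmp = pkt[8:24], pkt[24:40], pkt[40:40 + payload_len]
    if next_hdr == FRAGMENT_HDR:
        return False, "fragment header present (RFC 6980: ND must not be fragmented)", None
    if next_hdr != ICMPV6 or len(icmp) < 8:
        return False, "not ICMPv6", None
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type not in ND_TYPES:
        return False, "not an ND message", icmp_type
    if hop_limit != 255:
        return False, "hop limit != 255 (crossed a router, so not from an on-link node)", icmp_type
    if code != 0 or len(icmp) < ND_MIN_LEN[icmp_type]:
        return False, "bad ICMP code or length", icmp_type
    if icmpv6_checksum(src, dst, icmp) != 0:
        return False, "bad ICMPv6 checksum", icmp_type
    if icmp_type == 134 and not ipaddress.IPv6Address(src).is_link_local:
        return False, "RA source must be link-local", icmp_type
    return True, "ok", icmp_type


def ra_guard(ingress_port: str, pkt: bytes, router_ports: set):
    """Toy stateless RA Guard (RFC 6105): RA/Redirect are accepted only from router-facing ports.
    Policy choice made here: ICMPv6 hidden behind a Fragment Header is dropped as well, because the
    switch cannot see the ND header without reassembly and RFC 6980 says no legitimate ND is fragmented."""
    if len(pkt) >= 48 and pkt[6] == FRAGMENT_HDR and pkt[40] == ICMPV6:
        return "drop", "fragmented ICMPv6 (ND header not inspectable)"
    accepted, reason, icmp_type = validate_nd(pkt)
    if icmp_type in (134, 137):
        if ingress_port not in router_ports:
            return "drop", f"{ND_TYPES[icmp_type]} from host-facing port {ingress_port}"
        if not accepted:
            return "drop", reason
    return "forward", "ok"


if __name__ == "__main__":
    ra = build_ra("fe80::a00:27ff:fedd:edd3")
    for name, p in [("good RA", ra), ("hop limit 64", build_ra("fe80::a00:27ff:fedd:edd3", hop_limit=64)),
                    ("fragmented", fragment_nd(ra))]:
        print(f"{name:14} host: {validate_nd(p)[:2]}  switch Fa0/1: {ra_guard('Fa0/1', p, {'Gi0/24'})}")
```

Note the order of the checks in validate_nd: the Fragment Header test runs before anything in the ICMPv6 message is trusted, because the whole point of the evasion is that the first fragment may not even contain the ND header. The Hop Limit test comes before the checksum, since an attacker can produce a perfectly valid checksum but cannot make a packet arrive with Hop Limit 255 through a router.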
ND keeps two lookup tables: the destination cache (destination address -> next-hop neighbor) and the neighbor cache (on-link neighbor -> link-layer address and reachability state). The two are distinguished by the fact that the neighbor cache holds the on-link (next-hop) information that a destination cache entry points to.
A neighbor cache entry records:
- the queue of datagrams waiting for address resolution, and whether they can be delivered to the destination yet;
- whether the neighbor is currently reachable (the reachability state);
- what to do when a NUD (unreachable) event happens: retransmit NS probes, then delete the entry and redo next-hop determination.
ASW1# show ipv6 neighbors
IPv6 Address               Age  Link-layer Addr  State  Interface
(eight 16-bit hex groups)   -   0800:27dd:edd3   REACH  v110
...                         -   ...              STALE  Fa0/1

Cache states (RFC 4861 7.3.2):
- INCOMPLETE: address resolution in progress; NS sent to the solicited-node multicast group, no NA received yet.
- REACH (REACHABLE): reachability confirmed within ReachableTime, by a solicited NA or by upper-layer forward progress.
- STALE: ReachableTime has expired; nothing happens until a packet is sent to the neighbor.
- DELAY: a packet was sent to a STALE neighbor; wait DELAY_FIRST_PROBE_TIME (5 s) for an upper-layer confirmation before probing.
- PROBE: unicast NS sent every RetransTimer; after MAX_UNICAST_SOLICIT (3) unanswered probes the entry is deleted (NUD failure).
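The neighbor cache states and the NUD transitions between them, as a worked example added here (not code from the original notes or from any switch or OS): a small RFC 4861 s.7.3 state machine. Instead of sending real packets it records events (NS sent, packet delivered, neighbor declared unreachable) so each transition can be checked. The timer values are the RFC 4861 defaults; the neighbor address 2001:db8:1:110::2 and the link-layer addresses are constructed sample inputs.

```python
"""Minimal RFC 4861 s.7.3 Neighbor Unreachability Detection (NUD) state machine."""

INCOMPLETE, REACHABLE, STALE, DELAY, PROBE = "INCOMPLETE", "REACHABLE", "STALE", "DELAY", "PROBE"

REACHABLE_TIME = 30.0          # RFC 4861 default ReachableTime (real hosts randomise it 0.5x-1.5x)
DELAY_FIRST_PROBE_TIME = 5.0   # grace period in DELAY before the first unicast probe
RETRANS_TIMER = 1.0            # interval between NS retransmissions
MAX_MULTICAST_SOLICIT = 3      # multicast NS sent during address resolution before giving up
MAX_UNICAST_SOLICIT = 3        # unicast NS probes before the entry is deleted
NEVER = float("inf")           # STALE has no timer of its own


class NeighborEntry:
    def __init__(self, now):
        self.lladdr = None         # cached link-layer address
        self.is_router = False
        self.state = INCOMPLETE
        self.queue = []            # packets parked until address resolution completes
        self.probes = 1            # one multicast NS goes out when the entry is created
        self.deadline = now + RETRANS_TIMER


class NeighborCache:
    """Events are recorded instead of sending packets: ("send_ns", ip, "multicast"|"unicast"),
    ("deliver", ip, pkt) and ("unreachable", ip)."""

    def __init__(self):
        self.entries = {}
        self.events = []

    def send(self, ip, pkt, now):
        e = self.entries.get(ip)
        if e is None:                                    # no entry: start address resolution
            e = self.entries[ip] = NeighborEntry(now)
            e.queue.append(pkt)
            self.events.append(("send_ns", ip, "multicast"))
        elif e.state == INCOMPLETE:                      # resolution already in progress: park the packet
            e.queue.append(pkt)
        else:
            self.events.append(("deliver", ip, pkt))     # lladdr known: forward immediately
            if e.state == STALE:                         # first packet to a STALE neighbor starts DELAY
                e.state, e.deadline = DELAY, now + DELAY_FIRST_PROBE_TIME

    def receive_na(self, ip, lladdr, solicited, override, now, is_router=False):
        e = self.entries.get(ip)
        if e is None:
            return                                       # RFC 4861 7.2.5: NA for an unknown neighbor is ignored
        if e.state == INCOMPLETE:
            e.lladdr, e.is_router = lladdr, is_router
            e.state, e.deadline = (REACHABLE, now + REACHABLE_TIME) if solicited else (STALE, NEVER)
            for pkt in e.queue:
                self.events.append(("deliver", ip, pkt))
            e.queue.clear()
            return
        if not override and lladdr != e.lladdr:          # conflicting lladdr without Override: keep old one
            if e.state == REACHABLE:                     # but stop trusting it until re-verified
                e.state, e.deadline = STALE, NEVER
            return
        changed = lladdr != e.lladdr
        e.lladdr, e.is_router = lladdr, is_router
        if solicited:                                    # solicited NA proves two-way reachability
            e.state, e.deadline = REACHABLE, now + REACHABLE_TIME
        elif changed:                                    # new lladdr, unproven: must be probed before trusted
            e.state, e.deadline = STALE, NEVER

    def upper_layer_confirmation(self, ip, now):
        """Forward progress (e.g. a TCP ACK) confirms reachability without any NS/NA exchange."""
        e = self.entries.get(ip)
        if e is not None and e.state != INCOMPLETE:
            e.state, e.deadline = REACHABLE, now + REACHABLE_TIME

    def tick(self, now):
        """Run expired timers. Call with a monotonically increasing clock."""
        for ip, e in list(self.entries.items()):
            if now < e.deadline:
                continue
            if e.state == REACHABLE:
                e.state, e.deadline = STALE, NEVER       # no probing until traffic is sent
            elif e.state == DELAY:
                e.state, e.probes, e.deadline = PROBE, 1, now + RETRANS_TIMER
                self.events.append(("send_ns", ip, "unicast"))
            elif e.state in (INCOMPLETE, PROBE):
                kind, limit = (("multicast", MAX_MULTICAST_SOLICIT) if e.state == INCOMPLETE
                               else ("unicast", MAX_UNICAST_SOLICIT))
                if e.probes >= limit:
                    del self.entries[ip]                 # NUD failure: drop the queue, redo next-hop determination
                    self.events.append(("unreachable", ip))
                else:
                    e.probes += 1
                    e.deadline = now + RETRANS_TIMER
                    self.events.append(("send_ns", ip, kind))
```

The security-relevant branch is the Override handling in receive_na: an unsolicited NA that tries to change a cached link-layer address without the O flag does not overwrite the entry, and even with the O flag the entry only becomes STALE, so the new address has to survive a unicast probe before traffic keeps flowing to it. That is the limited protection plain ND gives against NA spoofing; it does not authenticate the sender, which is what SEND adds.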