IP Router Configuration
Router Configuration Guide 35
DNS
The DNS client is extended to use IPv6 as transport and to handle the IPv6 address in the DNS
AAAA resource record from an IPv4 or IPv6 DNS server. An assigned name can be used
instead of an IPv6 address since IPv6 addresses are more difficult to remember than IPv4
addresses.
Secure Neighbor Discovery (SeND)
Secure Neighbor Discovery (SeND) in conjunction with Cryptographically Generated
Addresses (CGAs) introduce a concept that allows operators to secure IPv6 neighbor
discovery between nodes on a common Layer 2 network segment.
When SeND is enabled on an interface, CGAs must be enabled and static GUA/LLA IPv6
addressing is not supported. In this case, the router will generate a CGA from the configured
prefix (GUA, LLA) and use that address for all communication. The router will validate NS/
ND messages from other nodes on the network segment, and only install them in the neighbor
cache if they pass validation.
A number of potential use-cases for SeND exist in order to secure the network from deliberate
or accidental tampering during neighbor discovery; principally to prevent hijacking of in-use
IPv6 addressing or man-in-the-middle attacks; but also to validate whether a node is
permitted to participate in neighbor discovery at all; or to validate which routers are permitted
to act as default gateways.
SeND impacts the following areas of neighbor discovery:
• Neighbor solicitation (solicited-node multicast address; target address)
• Neighbor advertisement (solicited; unsolicited)
• Router solicitation
• Router advertisement
• Redirect messages
To Next Page
Loading...
