Security: IPv6 First Hop Security
Neighbor Binding Integrity
Cisco 500 Series Stackable Managed Switch Administration Guide 520
23
The exception to this rule occurs when an IPv6 host roams in the L2 domain
or changes its MAC address. In this case, the host is still the owner of the IP
address, but the associated binding anchor might have changed. To cope
with this case, the defined NBI-NDP behavior implies verification of whether
or not the host is still reachable by sending DAD-NS messages to the
previous binding interface. If the host is no longer reachable at the
previously-recorded binding anchor, NBI-NDP assumes that the new anchor
is valid and changes the binding anchor. If the host is still reachable using
the previously recorded binding anchor, the binding interface is not
changed.
To reduce the size of the Neighbor Binding table, NBI-NDP establishes binding
only on perimeterical interfaces (see IPv6 First Hop Security Perimeter) and
distributes binding information through internal interfaces using NS and NA
messages. Before creating an NBI-NDP local binding, the device sends a DAD-NS
message querying for the address involved. If a host replies to that message with
an NA message, the device that sent the DAD-NS message infers that a binding for
that address exists in another device and does not create a local binding for it. If no
NA message is received as a reply to the DAD-NS message, the local device
infers that no binding for that address exists in other devices and creates the local
binding for that address.
NBI-NDP supports a lifetime timer. A value of the timer is configurable in the
Neighbor Binding Settings page. The timer is restarted each time that the bound
IPv6 address is confirmed. If the timer expires, the device sends up to 2 DAD-NS
messages with short intervals to validate the neighbor.
NBI-DHCP Method
The NBI-NDP method is based on the SAVI-DHCP method specified in the SAVI
Solution for DHCP, draft-ietf-savi-dhcp-15, September 11, 2012.
Like NBI-NDP, NBI-DHCP provides perimeterical binding for scalability. The
following difference between the NBI-DHCP and NBI-FCFS method exists: NBI-
DHCP follows the state announced in DHCPv6 messages, thus there is no need to
distribute the state by NS/NA messages.
NB Integrity Policy
In the same way that other IPv6 First Hop Security features function, NB Integrity
behavior on an interface is specified by an NB Integrity policy attached to an
interface. These policies are configured in the Neighbor Binding Settings page.
To Next Page
Loading...
Need help?
General
