IPv6 address objects are created and managed in a similar way to IPv4 objects. They are called an
IP6 Address and can be used in NetDefendOS rules and other objects in the same way as an IPv4
address. However, it is not possible to combine the two in one configuration object.
For example, it is not possible to create an Address Group that contains both. The standard Address
Group object can contain only IPv4 address objects. For IPv6 there is a special object called an IP6
Group object that can contain only IPv6 addresses.
Similarly, the predefined all-nets address object is a catch-all object for all IPv4 addresses. Another
object, all-nets6, represents all IPv6 addresses and only IPv6 addresses.
Furthermore, it is not possible to combine all-nets (all IPv4 addresses) with all-nets6 in a single
Address Group object. For example, if a DropAll rule is needed as the last "catch-all" rule in an IP
rule set, two rules are required to catch all IPv4 and IPv6 traffic. This is discussed further in
Section 3.6, “IP Rules”.
In the same way, a routing table could route traffic for either an IPv4 network or an IPv6 network to
the same interface but this must be done with two separate routes in the routing table, one for IPv4
and one for IPv6. It cannot be achieved using a single route.
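
The two restrictions above (no mixed-family groups, and one catch-all rule per address family) can be checked mechanically when reviewing a configuration. The following is an added example, not part of the NetDefendOS documentation: the rule, group and object dictionaries are a constructed, simplified model (names such as lan_net and bad_mix are hypothetical) and are not NetDefendOS export syntax.

```python
import ipaddress

# Predefined catch-all objects named in the text, mapped to their IP version.
CATCH_ALL = {"all-nets": 4, "all-nets6": 6}

# Constructed sample data: a simplified model, not NetDefendOS export syntax.
OBJECTS = {"lan_net": "192.168.1.0/24", "lan6_net": "2001:db8:1::/64"}
GROUPS = {"servers": ["lan_net", "10.0.0.0/8"], "bad_mix": ["lan_net", "lan6_net"]}
RULES = [
    {"name": "allow_lan", "action": "Allow", "src": "lan_net", "dst": "all-nets"},
    {"name": "allow_lan6", "action": "Allow", "src": "lan6_net", "dst": "all-nets6"},
    {"name": "DropAll", "action": "Drop", "src": "all-nets", "dst": "all-nets"},
]


def family(addr, objects):
    """Return 4 or 6 for a catch-all name, a named object or a literal network."""
    if addr in CATCH_ALL:
        return CATCH_ALL[addr]
    return ipaddress.ip_network(objects.get(addr, addr), strict=False).version


def mixed_groups(groups, objects):
    """Names of groups whose members span both IP versions."""
    return sorted(name for name, members in groups.items()
                  if len({family(m, objects) for m in members}) > 1)


def uncovered_families(rules):
    """IP versions that have no Drop rule with catch-all source and destination."""
    covered = set()
    for rule in rules:
        src, dst = CATCH_ALL.get(rule["src"]), CATCH_ALL.get(rule["dst"])
        if rule["action"] == "Drop" and src is not None and src == dst:
            covered.add(src)
    return sorted({4, 6} - covered)


if __name__ == "__main__":
    print("mixed groups:", mixed_groups(GROUPS, OBJECTS))
    print("families without a catch-all Drop rule:", uncovered_families(RULES))
```

With the sample data, the group bad_mix is reported as mixing families, and IPv6 is reported as lacking an explicit catch-all Drop rule because only the all-nets rule is present.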
IPv6 Neighbour Discovery
IPv6 Neighbor Discovery (ND) is the IPv6 equivalent of the IPv4 ARP protocol (see Section 3.5,
“ARP”).
When IPv6 is enabled for a given Ethernet interface, NetDefendOS will respond to any IPv6
Neighbor Solicitations (NS) sent to that interface with IPv6 Neighbor Advertisements (NA) for the
IPv6 address configured for that interface. NetDefendOS will also respond with neighbor
advertisements for any networks configured using Proxy Neighbor Discovery.
Proxy Neighbor Discovery
The IPv6 feature of Proxy Neighbor Discovery (Proxy ND) in NetDefendOS functions in the same
way as Proxy ARP does with IPv4 (described in Section 4.2.6, “Proxy ARP”). There are two ways
of enabling proxy ND:
A. Directly publish an address on an interface.
This is done in exactly the same way as ARP publish by setting an option on an Ethernet interface.
Both the options Publish and Xpublish are supported for IPv6. These options are explained in
Section 3.5.3, “ARP Publish”.
B. Publish an address as part of a static route.
When a route for an IPv6 address on a given Ethernet interface is created, IPv6 should already
be enabled for the interface which means that IPv6 neighbor discovery is operational.
Optionally, Proxy Neighbour Discovery (Proxy ND) can also be enabled for an IPv6 route so
that all or selected interfaces will also respond to any neighbor solicitations for the route's
network.
An example of using this second method is given below.
Example 3.10. Adding an IPv6 Route and Enabling Proxy ND
Assume that a route needs to be in the main routing table so that the IPv6 network my_ipv6_net is routed on the
interface If1 where that interface already has IPv6 enabled.
In addition, proxy neighbor discovery for my_ipv6_net needs to be enabled for the If3 interface.
3.2. IPv6 Support Chapter 3. Fundamentals