ccie blog

IPv6 Neighbor Discovery Protocol (NDP)

The NDP was the most confusing thing for me to understand. I think it’s down to the fact that NDP covers a lot of things. For example, when I was learning, I assumed that the neighbor discovery protocol just involved the exchange of neighbor solicitation & neighbor advertisement messages. However, the way router discovery (router solicitation & router advertisements), or Duplicate Address Detection (DAD) works comes down to the neighbor discovery protocol. There’s currently a total of nine main functions of NDP, as listed below (each function is discussed in more detail further down this post):

The Neighbor Discovery Protocol (NDP) is responsible for:

  • Router discovery
  • Prefix discovery
  • Parameter discovery
  • Address Autoconfiguration
  • Address resolution
  • Next-hop determination
  • Neighbor unreachability detection
  • Duplicate address detection
  • Redirect

ICMPv6 messages

NDP uses five ICMPv6 messages to address all the functions listed above:

  • Router Solicitation (RS)
  • Router Advertisement (RA)
  • Neighbor Solicitation (NS)
  • Neighbor Advertisement (NA)
  • Redirect

 

Router Discovery

Hosts need to be able to discover the routers on the link they are connected to. Because of this, routers send unsolicited Router Advertisements (RA) every 200 seconds to the all-nodes link-local multicast group FF02::1. The RA carries everything a host needs to know about the router on the link. The typical information you’ll find in an RA is covered below:

  • Prefixes on the link
  • Prefix lifetime
  • A flag to indicate whether it can be used for stateful or stateless autoconfiguration
  • Default router info (whether or not it can be used as a default router & for how long)
  • Parameter info (MTU to use, and maximum hop-limit)

Hosts are also able to issue Router Solicitation (RS) messages in order to trigger the advertisement of an RA message, rather than wait up to 200 seconds to receive all this information from the router. RS messages are sent to the all-routers link-local multicast address FF02::2, and can use either the unspecified source address (::/128) or the host’s link-local address as the source. Routers are expected to answer, and if they don’t, another two RS messages are sent in an attempt to discover them.

 

Prefix Discovery

The reason prefixes need to be discoverable on a link is stateless address autoconfiguration (SLAAC). Routers send the prefixes available on a link in an RA message. Hosts can then configure themselves with a unique IP address using the EUI-64 conversion on each of the prefixes advertised by the router. By default routers will advertise all IPv6 prefixes on the link; however, if you only want the router to advertise a small subset of prefixes you can use the command below.

#ipv6 nd prefix [prefix]

The CLI actually allows you to get right down to the nitty gritty, such as configuring the lifetime of each prefix, or identifying which prefixes can be used for stateless autoconfiguration, etc.

 

Parameter Discovery

Parameters such as the hop count and MTU are listed in the RA message sent by the router.

 

Address Autoconfiguration

As discussed in the router discovery section above, a flag on the RA message indicates whether to use stateful or stateless autoconfiguration. DHCPv6 is used if the link is set to use stateful autoconfiguration. Much like DHCP for IPv4, it allocates and stores host IP addressing information. Stateless address autoconfiguration (SLAAC) allows the host to allocate its own unique IP address for each of the prefixes advertised in the RA. Therefore, there is no database of information to monitor the state of which addresses are in use, or not in use.

 

Address Resolution

When a device needs to send packets to an IPv6 address but doesn’t know the link-layer address to forward them to, it needs to use IPv6 address resolution. In IPv4 we would use ARP to work out which MAC address to use in order to send data to a particular destination IP. In IPv6, we use Neighbor Solicitation (NS) & Neighbor Advertisement (NA) messages to work out which link-layer address to use in order to send data to a destination IPv6 address. Let’s take a look at an example. Server 1 needs to find the link-layer address of Server 4 in order to forward packets destined for Server 4’s global IP address.

Server 1 sends an NS to the solicited-node multicast group FF02::1:FF00:0000/104, where the last 24 bits (the 00:0000 part) are replaced by the last 24 bits of the unicast IPv6 destination address. In our case the destination is 2001::4:3:2222:1111, so its last 24 bits are 22:1111. Therefore Server 1 forwards the ICMPv6 packet to ff02::1:ff22:1111. Server 4 will then reply with an NA, and in the ICMPv6 option field it includes its link-layer address. And that’s it, job done!

One final note on the NA I wanna mention is that neighbor advertisements can also be sent as unsolicited messages. In the case where a device changes its IPv6 address, it should send an unsolicited NA message to the all-nodes link-local multicast address ff02::1. It’s similar to gratuitous ARP, where it just updates the neighbors with the new IP address it’s using.

 

Next-Hop Determination

A router identifies itself as a default router in the RA message. As long as the #ipv6 nd ra-lifetime is greater than 0, the router is capable of becoming a default router.

 

Neighbor Unreachability Detection

Neighbor advertisements are used to confirm reachability. However, only solicited advertisements confirm reachability in both directions. An unsolicited advertisement just means the device managed to send us this information. It doesn’t confirm we can speak back.

 

Neighbors can only be identified as reachable when a reply to the neighbor solicitation has been received in the form of a neighbor advertisement. Devices can check this by seeing that the neighbor advertisement has the solicited flag set to one upon delivery (remember, neighbor advertisements can be sent unsolicited, which means the solicited flag will be set to 0, and that only verifies one-way connectivity). Once confirmation is received, the neighbor will move into the reachable state.

The neighbor cache can be used to check what is reachable, or what state it’s in if it’s not. The list of states is shown below:

  • INCOMPLETE: Address resolution is in progress (i.e. NS messages are being sent).
  • REACHABLE: The neighbor has been reachable within the configured "ipv6 nd reachable-time". The time advertised in the RA is 0 (unspecified), which means hosts can configure their own neighbor reachable time. However, the router itself uses 30 seconds by default. The lower the setting, the faster neighbors can identify the failure of a neighbor.
  • STALE: The neighbor is no longer in the reachable state & the device isn't sending NS messages to try and change the state back to "reachable". Basically the device has finished sending data to the neighbor & the reachable time has now expired. If the host now needs to start sending data to the neighbor again, the state will go to DELAY whilst it performs an address resolution and checks the neighbor is still reachable. Once confirmation is received, it will go back to being reachable.
  • DELAY: The device has recently been reachable, however for some reason it is no longer reachable. This state is briefly endured while the upper-layer protocols try and establish reachability again. If they can't, it will move into the PROBE state.
  • PROBE: The neighbor is no longer reachable. The device is actively attempting to move into the reachable state by sending neighbor solicitation messages.

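
To make the transitions in the table concrete, here is an added example (not code from the original post) modelling one neighbor cache entry in Python. The timers, MAC addresses and timeline are constructed; the one rule the model enforces is that only a solicited NA moves an entry to REACHABLE.

```python
INCOMPLETE, REACHABLE, STALE, DELAY, PROBE = "INCOMPLETE", "REACHABLE", "STALE", "DELAY", "PROBE"

class NeighborEntry:
    """Neighbor cache entry driven by the events in the table above; time is passed in as now= (constructed model)."""

    def __init__(self, ip, reachable_time=30.0, delay_first_probe=5.0):
        self.ip, self.lladdr, self.state = ip, None, INCOMPLETE
        self.reachable_time = reachable_time        # "ipv6 nd reachable-time" (router default 30 s)
        self.delay_first_probe = delay_first_probe  # how long DELAY waits before probing with NS
        self.confirmed_at = self.delay_started = None
        self.ns_sent = 0                            # NS messages the entry would send (counted only)

    def on_send_data(self, now):
        """Upper layer wants to send a packet to this neighbor."""
        if self.lladdr is None:                     # INCOMPLETE: address resolution, NS goes out
            self.ns_sent += 1
        elif self.state == STALE:                   # resuming traffic: STALE -> DELAY
            self.state, self.delay_started = DELAY, now

    def on_na(self, lladdr, solicited, now):
        """NA received. Only a solicited NA (S=1) confirms two-way reachability."""
        if solicited:
            self.lladdr, self.state, self.confirmed_at = lladdr, REACHABLE, now
        elif self.state == INCOMPLETE or lladdr != self.lladdr:
            # Unsolicited NA (S=0, like gratuitous ARP): learn the link-layer address,
            # but the entry becomes STALE, never REACHABLE (RFC 4861 section 7.2.5).
            self.lladdr, self.state = lladdr, STALE

    def tick(self, now):
        """Timer expiry: REACHABLE -> STALE after reachable-time; DELAY -> PROBE and an NS goes out."""
        if self.state == REACHABLE and now - self.confirmed_at > self.reachable_time:
            self.state = STALE
        elif self.state == DELAY and now - self.delay_started >= self.delay_first_probe:
            self.state = PROBE
            self.ns_sent += 1

def walk_through():
    """Constructed timeline; returns the states passed through and the NS count."""
    e = NeighborEntry("2001::4:3:2222:1111")
    steps = [lambda: e.on_send_data(now=0),                        # INCOMPLETE, NS sent
             lambda: e.on_na("00:11:22:33:44:55", True, now=1),     # REACHABLE
             lambda: e.tick(now=40),                                # STALE: 30 s reachable-time expired
             lambda: e.on_send_data(now=41),                        # DELAY
             lambda: e.tick(now=47),                                # PROBE, NS sent
             lambda: e.on_na("00:11:22:33:44:66", False, now=48),   # STALE: S=0 is not confirmation
             lambda: e.on_na("00:11:22:33:44:66", True, now=49)]    # REACHABLE again
    trace = []
    for step in steps:
        step()
        trace.append(e.state)
    return trace, e.ns_sent
```
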
Duplicate Address Detection (DAD)

Used to ensure another host on the segment is not using the same IPv6 address. Imagine a host has just configured 2001::9/64 on its interface. The steps below show what happens.

  1. The IPv6 address is configured on the interface
  2. The device adds itself to the solicited node multicast address ff02::1:ff00:0009
  3. It sends a NS to ff02::1:ff00:0009, using the source address ::/128
  4. If it receives an NA, it means the address ain’t unique. If not, the address is unique

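
As an added example (not code from the original post), the host-side arithmetic behind the SLAAC, address resolution and DAD sections in Python: the EUI-64 interface ID from a MAC, the solicited-node multicast group and its Ethernet MAC, and the NS a host sends for DAD. The MAC and prefix values are constructed.

```python
import ipaddress

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64: split the 48-bit MAC, insert ff:fe, flip the U/L bit (0x02 of octet 1)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return int.from_bytes(eui, "big") ^ (1 << 57)

def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Host-side SLAAC: the /64 prefix learned from the RA + the EUI-64 interface ID."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def solicited_node_multicast(addr: str) -> ipaddress.IPv6Address:
    """ff02::1:ff00:0/104 with the low 24 bits of the unicast address appended."""
    low24 = int(ipaddress.IPv6Address(addr)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24)

def multicast_mac(group: str) -> str:
    """Ethernet destination for an IPv6 multicast group: 33:33 followed by its low 32 bits."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))

def dad_probe(addr: str) -> dict:
    """The NS a host sends for DAD before using addr (steps 2-3 above): unspecified
    source, solicited-node group as destination, the tentative address as target."""
    group = solicited_node_multicast(addr)
    return {"src": "::", "dst": str(group), "dst_mac": multicast_mac(str(group)),
            "target": str(ipaddress.IPv6Address(addr))}

def dad_result(probe: dict, received_na_targets) -> bool:
    """True if the address is unique: no NA came back for our tentative target (step 4)."""
    return probe["target"] not in {str(ipaddress.IPv6Address(t)) for t in received_na_targets}
```
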
Redirect

These are messages sent by a router to inform hosts that they should use a different router on the same network segment to get to their destination. The messages are usually sent because the path is more optimal via the other router. Once the host receives this message, future messages to that same destination will be sent directly to the alternative router.
