Friday, February 21, 2020

IPv6 Neighbor Discovery Protocol on Cisco Router

One of the differences between IPv4 and IPv6 is that we don’t use ARP (Address Resolution Protocol) anymore. ND (Neighbor Discovery Protocol) replaces the functionality of ARP. In this lesson we’ll take a look at how ND works.
ND uses ICMPv6 and solicited node multicast addresses to discover the layer 2 address of other IPv6 hosts on the same network (local link). It uses two messages to accomplish this:
  • Neighbor solicitation message
  • Neighbor advertisement message
Let’s take a closer look at these two messages.

IPv6 Neighbor Solicitation Message

The neighbor solicitation message is primarily used to find the layer two address of another IPv6 address on the local link; it’s also used for DAD (Duplicate Address Detection). In this packet, the source address is the address of the host that is sending the neighbor solicitation and the destination address is the solicited node multicast address of the remote host. This message also includes the layer two address of the sending host. In the ICMPv6 header of this packet you will find a type value of 135.
[Image: IPv6 Neighbor Solicitation Message]
Using solicited node multicast addresses as the destination is far more efficient than IPv4’s ARP requests, which are broadcast to all hosts.
Every IPv6 device computes a solicited node multicast address by taking the multicast group address (FF02::1:FF /104) and appending the last 6 hexadecimal characters of its IPv6 address. It then joins this multicast group address and listens to it.
When one host wants to find the layer two address of another host, it sends the neighbor solicitation to the remote host’s solicited node multicast address. It can calculate the solicited node multicast address of the remote host since it knows the multicast group address and the IPv6 address that it wants to reach.
The result will be that only the remote host will receive the neighbor solicitation. That’s far more efficient than a broadcast that is received by everyone…
Neighbor solicitation messages are also used to check if a remote host is reachable. In this case, the destination address will be the unicast address of the remote host.

IPv6 Neighbor Advertisement Message

Once the remote host receives the neighbor solicitation, it replies with a neighbor advertisement message. The source address is the IPv6 address of the replying host and the destination address is the IPv6 address of the host that sent the neighbor solicitation. The most important part is that this message includes the layer two address of the replying host. The neighbor advertisement message uses type 136 in the ICMPv6 header.
[Image: IPv6 Neighbor Advertisement Message]
Once R1 receives the neighbor advertisement, these two IPv6 hosts will be able to communicate with each other.
Neighbor advertisement messages are also used when the layer two address of a host changes. When this message is sent, the destination address will be the all-nodes multicast address.

Configuration

Now you have an idea of how IPv6 neighbor discovery works. Let’s see what it looks like on some real devices. I’ll also show you some Wireshark captures. I will use these two routers for this demonstration:
[Image: topology with R1 and R2, no IP addresses configured]
First we will configure some IPv6 addresses on our routers:
R1 & R2
(config)#interface FastEthernet 0/0
(config-if)#ipv6 enable
Using ipv6 enable is enough to generate link-local addresses, which is all we need for this exercise. Here are the IPv6 addresses that the routers created:
R1#show ipv6 interface FastEthernet 0/0 | include FE80
  IPv6 is enabled, link-local address is FE80::C001:2FF:FE40:0 [TEN]
R2#show ipv6 interface FastEthernet 0/0 | include FE80
  IPv6 is enabled, link-local address is FE80::C002:3FF:FEE4:0 [TEN]
To see the neighbor discovery in action I will enable a debug on both routers:
R1 & R2
#debug ipv6 nd
Let’s send a ping from R1 to R2:
R1#ping FE80::C002:3FF:FEE4:0
Output Interface: FastEthernet0/0
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to FE80::C002:3FF:FEE4:0, timeout is 2 seconds:
Packet sent with a source address of FE80::C001:2FF:FE40:0
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/19/60 ms
Now you will see the following debug messages:
R1#
ICMPv6-ND: DELETE -> INCMP: FE80::C002:3FF:FEE4:0
ICMPv6-ND: Sending NS for FE80::C002:3FF:FEE4:0 on FastEthernet0/0
ICMPv6-ND: Received NA for FE80::C002:3FF:FEE4:0 on FastEthernet0/0 from FE80::C002:3FF:FEE4:0
ICMPv6-ND: Neighbour FE80::C002:3FF:FEE4:0 on FastEthernet0/0 : LLA c202.03e4.0000
ICMPv6-ND: INCMP -> REACH: FE80::C002:3FF:FEE4:0
ICMPv6-ND: Received NS for FE80::C001:2FF:FE40:0 on FastEthernet0/0 from FE80::C002:3FF:FEE4:0
ICMPv6-ND: Sending NA for FE80::C001:2FF:FE40:0 on FastEthernet0/0
First we see a line that includes INCMP, which indicates that address resolution is in progress. Next we see that R1 sends the NS (neighbor solicitation) and receives the NA (neighbor advertisement). In the neighbor advertisement it finds the layer two address of R2 (c202.03e4.0000). The state jumps from INCMP to REACH since R1 now knows how to reach R2. You can also see that R1 receives a neighbor solicitation from R2 and replies with a neighbor advertisement. Here’s what it looks like on R2:
R2#
ICMPv6-ND: Received NS for FE80::C002:3FF:FEE4:0 on FastEthernet0/0 from FE80::C001:2FF:FE40:0
ICMPv6-ND: DELETE -> INCMP: FE80::C001:2FF:FE40:0
ICMPv6-ND: Neighbour FE80::C001:2FF:FE40:0 on FastEthernet0/0 : LLA c201.0240.0000
ICMPv6-ND: INCMP -> STALE: FE80::C001:2FF:FE40:0
ICMPv6-ND: Sending NA for FE80::C002:3FF:FEE4:0 on FastEthernet0/0
ICMPv6-ND: STALE -> DELAY: FE80::C001:2FF:FE40:0
ICMPv6-ND: DELAY -> PROBE: FE80::C001:2FF:FE40:0
ICMPv6-ND: Sending NS for FE80::C001:2FF:FE40:0 on FastEthernet0/0
ICMPv6-ND: Received NA for FE80::C001:2FF:FE40:0 on FastEthernet0/0 from FE80::C001:2FF:FE40:0
ICMPv6-ND: PROBE -> REACH: FE80::C001:2FF:FE40:0
ICMPv6-ND: REACH -> STALE: FE80::C001:2FF:FE40:0
These debugs are interesting, but they don’t show us the source and destination addresses that are in use.
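The state transitions in those debug lines can be replayed mechanically. This is an added example, not from the original post: it parses debug ipv6 nd output of the form shown above into a neighbor table, records each state transition in order, and flags a neighbor whose learned link-layer address (LLA) differs from what was learned before. The R1 debug lines from this page are the sample input; the one extra line carrying a different LLA is constructed to exercise the change check.

```python
import re

# Sample input: the R1 debug lines shown on this page.
R1_DEBUG = """\
ICMPv6-ND: DELETE -> INCMP: FE80::C002:3FF:FEE4:0
ICMPv6-ND: Sending NS for FE80::C002:3FF:FEE4:0 on FastEthernet0/0
ICMPv6-ND: Received NA for FE80::C002:3FF:FEE4:0 on FastEthernet0/0 from FE80::C002:3FF:FEE4:0
ICMPv6-ND: Neighbour FE80::C002:3FF:FEE4:0 on FastEthernet0/0 : LLA c202.03e4.0000
ICMPv6-ND: INCMP -> REACH: FE80::C002:3FF:FEE4:0
"""
# Constructed line (not from the page): the same neighbor later reported with another LLA.
LLA_CHANGE_LINE = "ICMPv6-ND: Neighbour FE80::C002:3FF:FEE4:0 on FastEthernet0/0 : LLA c202.03e4.ffff\n"

TRANSITION = re.compile(r"^ICMPv6-ND: (\w+) -> (\w+): (\S+)$")
LEARNED_LLA = re.compile(r"^ICMPv6-ND: Neighbour (\S+) on (\S+) : LLA (\S+)$")


def parse_nd_debug(text: str):
    """Replay debug lines. Returns (neighbor table, transitions, lla_changes)."""
    table = {}          # neighbor -> {"state", "lla", "interface"}
    transitions = []    # (neighbor, old_state, new_state) in the order seen
    lla_changes = []    # (neighbor, old_lla, new_lla) when a learned LLA differs
    for line in text.splitlines():
        line = line.strip()
        m = TRANSITION.match(line)
        if m:
            old, new, nbr = m.groups()
            table.setdefault(nbr, {"state": None, "lla": None, "interface": None})["state"] = new
            transitions.append((nbr, old, new))
            continue
        m = LEARNED_LLA.match(line)
        if m:
            nbr, intf, lla = m.groups()
            entry = table.setdefault(nbr, {"state": None, "lla": None, "interface": None})
            if entry["lla"] is not None and entry["lla"] != lla:
                lla_changes.append((nbr, entry["lla"], lla))
            entry["lla"], entry["interface"] = lla, intf
    return table, transitions, lla_changes


if __name__ == "__main__":
    table, transitions, changes = parse_nd_debug(R1_DEBUG + LLA_CHANGE_LINE)
    for nbr, old, new in transitions:
        print(f"{nbr}: {old} -> {new}")
    print(table)
    print("LLA changes:", changes)
```

Lines the parser does not recognise (Sending NS, Received NA) are skipped, so the same function can be fed a longer debug log unchanged.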

Wireshark Captures

Let’s take a look at these messages in Wireshark; this will show us the source and destination addresses. Here’s the neighbor solicitation from R1 to R2:
[Image: Wireshark capture of the IPv6 Neighbor Solicitation]
Above you can see the source and destination MAC addresses. The source address is the MAC address of R1 and the destination is a multicast MAC address. The source IPv6 address is the link-local address of R1 and the destination is the solicited node multicast address of R2:
  • FF02::1:FF /104 is the multicast group address.
  • e4:0000 are the last 6 hexadecimal characters of the link-local address of R2 (FE80::C002:3FF:FEE4:0). This is compressed to e4:0.
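Here is the solicited node computation described in the neighbor solicitation section and in the bullets above, worked in code. This is an added example, not from the original post: it derives the solicited node multicast address for a unicast IPv6 address, maps that group to its Ethernet multicast MAC (33:33 followed by the low 32 bits of the group, the standard IPv6-over-Ethernet mapping, which is why the capture shows a multicast destination MAC), and checks which host on the link is actually listening for a given NS. The two link-local addresses are the lab routers from this page.

```python
import ipaddress

# Solicited node group FF02::1:FF00:0/104; the low 24 bits come from the unicast address.
SOLICITED_NODE_GROUP = ipaddress.IPv6Network("ff02::1:ff00:0/104")


def solicited_node_address(unicast: str) -> ipaddress.IPv6Address:
    """FF02::1:FF plus the last 6 hexadecimal characters of the unicast address."""
    low24 = int(ipaddress.IPv6Address(unicast)) & 0xFFFFFF
    return ipaddress.IPv6Address(int(SOLICITED_NODE_GROUP.network_address) | low24)


def multicast_mac(group: ipaddress.IPv6Address) -> str:
    """Ethernet MAC for an IPv6 multicast group: 33:33 followed by the low 32 bits."""
    if not group.is_multicast:
        raise ValueError(f"{group} is not a multicast address")
    low32 = (int(group) & 0xFFFFFFFF).to_bytes(4, "big")
    return "33:33:" + ":".join(f"{b:02x}" for b in low32)


def hosts_listening(ns_destination: str, link_hosts: dict) -> list:
    """Names of hosts whose solicited node group equals the NS destination.

    link_hosts maps a host name to its unicast IPv6 address. With MLD snooping
    only these hosts receive the NS; without it the switch floods the frame to
    every port, which is the behaviour the text above warns about.
    """
    target = ipaddress.IPv6Address(ns_destination)
    return [name for name, addr in link_hosts.items()
            if solicited_node_address(addr) == target]


# Link-local addresses of the two lab routers shown on this page.
LAB_HOSTS = {
    "R1": "FE80::C001:2FF:FE40:0",
    "R2": "FE80::C002:3FF:FEE4:0",
}

if __name__ == "__main__":
    for name, addr in LAB_HOSTS.items():
        group = solicited_node_address(addr)
        print(f"{name}: {addr} -> {group} (MAC {multicast_mac(group)})")
    # The NS that R1 sends to resolve R2 is delivered only to R2.
    print(hosts_listening(str(solicited_node_address(LAB_HOSTS["R2"])), LAB_HOSTS))
```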
As you can see, the layer two destination address is a multicast address. When a switch receives this frame it will flood it out all of its interfaces. That’s a bad idea since it defeats the purpose of our solicited node multicast addresses. For this reason, we should enable MLD snooping on our switch.
Here’s the capture of R2 sending the neighbor advertisement:
[Image: Wireshark capture of the IPv6 Neighbor Advertisement]
You can see the source and destination MAC addresses of R2. The IPv6 addresses are the link-local addresses of R1 and R2. You can also see the ICMPv6 type value of 136.
If you want to take a look for yourself then you can find the wireshark capture here:
That’s all I have on IPv6 neighbor discovery. I hope this lesson has been useful to you. If you have any questions, feel free to leave a comment.
