
1. Introduction

Neighbor Discovery (ND) [RFC4861] specifies the mechanisms that IPv6 nodes (hosts and routers) on the same link use to communicate and learn about each other. Stateless Address Autoconfiguration (SLAAC) [RFC4862] builds on those ND mechanisms to let nodes configure their own IPv6 addresses. When analyzing the issues nodes may encounter with ND, it helps to view the ND messages they exchange throughout their life cycle, taking SLAAC into consideration.

For a host, the overall procedure is as follows:

  1. LLA DAD: The host forms a Link-Local Address (LLA) and performs Duplicate Address Detection (DAD) using multicast Neighbor Solicitations (NSs).

  2. Router discovery: The host sends multicast Router Solicitations (RSs) to discover a router on the link. The router responds with Router Advertisements (RAs), providing subnet prefixes and other information. The host installs a Neighbor Cache Entry (NCE) for that router upon receiving the RAs. In contrast, the router cannot install an NCE for the host at this moment of the exchange because the host's global IP address is still unknown. When the router later needs to forward a packet to the host's global address, it will perform address resolution and install an NCE for the host.

  3. GUA DAD: The host forms a Global Unicast Address (GUA) [RFC3587] or a Unique Local Address (ULA) [RFC4193] and uses multicast NSs for DAD. For simplicity of description, this document will not further distinguish GUA and ULA.

  4. Next-hop determination and address resolution: When the host needs to send a packet, it will first determine whether the next hop is a router or an on-link host (which is the destination). If the next hop is a router, the host already has the NCE for that router. If the next hop is an on-link host, it will use multicast NSs to perform address resolution for the destination host. As a result, the source host installs an NCE for the destination host.

  5. Neighbor Unreachability Detection (NUD): The host uses unicast NSs to determine whether another node for which it holds an NCE is still reachable.

  6. Link-layer address change announcement: If a host's link-layer address changes, it may use multicast Neighbor Advertisements (NAs) to announce its new link-layer address to other nodes.

For a router, the procedure is similar except that there is no router discovery. Instead, routers perform a Redirect procedure that hosts do not have. A router sends a Redirect to inform a node of a better next hop for the node's traffic.

ND uses multicast in many messages and trusts messages from all nodes; in addition, routers may install NCEs for hosts on demand when they need to forward packets to these hosts. These characteristics may lead to issues. Concretely, various ND issues and mitigation solutions have been published in more than 20 RFCs, including:
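The host life-cycle steps above, together with the observation that ND trusts every on-link node, can be made concrete with a small parser that maps raw ND packets onto those steps and applies the checks a first hop would want to apply. The code below is an added example written for this summary, not code from the document or from any of the RFCs it cites; the packets, MAC addresses and addresses in it are constructed test data, and the router allow-list (`trusted_router_macs`) is an assumed local policy in the spirit of RA-Guard [RFC6105], not a mechanism the document defines. Checksums and extension headers are not handled.

```python
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import Optional

ICMPV6 = 58
ND_TYPES = {133: "RS", 134: "RA", 135: "NS", 136: "NA", 137: "Redirect"}
OPT_SLLAO, OPT_TLLAO = 1, 2            # source / target link-layer address options
UNSPECIFIED = ipaddress.IPv6Address("::")
SOLICITED_NODE_PREFIX = ipaddress.IPv6Address("ff02::1:ff00:0").packed[:13]  # ff02::1:ff00:0/104

@dataclass
class NDMessage:
    src: ipaddress.IPv6Address
    dst: ipaddress.IPv6Address
    hop_limit: int
    code: int
    kind: str
    target: Optional[ipaddress.IPv6Address]
    flags: int                                    # first byte after the ICMPv6 header (NA: R/S/O bits)
    options: dict = field(default_factory=dict)   # option type -> option data with its 2-byte header stripped

def parse_nd(pkt: bytes) -> NDMessage:
    """Parse an IPv6 packet carrying an ND message (no extension headers, checksum not verified)."""
    if len(pkt) < 48 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len, next_hdr, hop_limit = struct.unpack("!HBB", pkt[4:8])
    if next_hdr != ICMPV6:
        raise ValueError("next header is not ICMPv6")
    src, dst = ipaddress.IPv6Address(pkt[8:24]), ipaddress.IPv6Address(pkt[24:40])
    body = pkt[40:40 + payload_len]
    kind = ND_TYPES.get(body[0])
    if kind is None:
        raise ValueError(f"ICMPv6 type {body[0]} is not an ND message")
    target, flags = None, 0
    if kind == "RS":
        opt_off = 8
    elif kind == "RA":
        opt_off = 16
    else:  # NS, NA and Redirect carry a 16-byte target after the 4-byte flags/reserved word
        target, flags = ipaddress.IPv6Address(body[8:24]), body[4]
        opt_off = 40 if kind == "Redirect" else 24
    options = {}
    while opt_off + 2 <= len(body):                # options are TLVs in units of 8 bytes
        opt_type, opt_len = body[opt_off], body[opt_off + 1]
        if opt_len == 0:
            raise ValueError("zero-length ND option; RFC 4861 requires the packet to be discarded")
        options[opt_type] = body[opt_off + 2:opt_off + 8 * opt_len]
        opt_off += 8 * opt_len
    return NDMessage(src, dst, hop_limit, body[1], kind, target, flags, options)

def classify(msg: NDMessage) -> str:
    """Map a message onto the host life-cycle steps of Section 1."""
    if msg.kind == "NS":
        if msg.src == UNSPECIFIED:
            return "DAD"                                                  # steps 1 and 3
        return "address resolution" if msg.dst.is_multicast else "NUD"   # steps 4 and 5
    if msg.kind in ("RS", "RA"):
        return f"router discovery ({msg.kind})"                          # step 2
    if msg.kind == "NA":
        return "solicited NA" if msg.flags & 0x40 else "unsolicited NA"  # step 6 when unsolicited
    return "redirect"                                                     # router-only procedure

def audit(msg: NDMessage, trusted_router_macs) -> list:
    """Checks a first hop can apply, since ND itself accepts messages from every on-link node."""
    problems = []
    if msg.hop_limit != 255:
        problems.append("hop limit != 255: not originated on this link")
    if msg.code != 0:
        problems.append("ICMPv6 code != 0")
    if msg.kind == "NS" and msg.src == UNSPECIFIED:   # DAD rules from RFC 4861 and RFC 4862
        if msg.dst.packed[:13] != SOLICITED_NODE_PREFIX or msg.dst.packed[13:] != msg.target.packed[13:]:
            problems.append("DAD NS not sent to the target's solicited-node multicast address")
        if OPT_SLLAO in msg.options:
            problems.append("DAD NS carries a source link-layer address option")
    if msg.target is not None and msg.target.is_multicast:
        problems.append("target address is multicast")
    if msg.kind == "RA":
        if not msg.src.is_link_local:
            problems.append("RA source is not link-local")
        if msg.options.get(OPT_SLLAO) not in trusted_router_macs:   # assumed local allow-list policy
            problems.append("RA from a MAC outside the router allow-list (RA-Guard style policy)")
    return problems

# --- Constructed sample traffic (not captured data) -----------------------------------------
HOST_MAC, ROUTER_MAC, OTHER_MAC = (bytes.fromhex(h) for h in ("021122334455", "02aabbccddee", "02deadbeef00"))

def _ipv6(src, dst, body, hop_limit=255):
    hdr = struct.pack("!IHBB", 0x60000000, len(body), ICMPV6, hop_limit)
    return hdr + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + body

def _lla(opt_type, mac):
    return struct.pack("!BB", opt_type, 1) + mac

def _ns(src, dst, target, opts=b""):
    return _ipv6(src, dst, struct.pack("!BBHI", 135, 0, 0, 0) + ipaddress.IPv6Address(target).packed + opts)

def _ra(src, mac, hop_limit=255):
    fixed = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)  # cur hop limit 64, router lifetime 1800 s
    return _ipv6(src, "ff02::1", fixed + _lla(OPT_SLLAO, mac), hop_limit)

def sample_packets() -> dict:
    na_body = struct.pack("!BBHB3x", 136, 0, 0, 0x20) + ipaddress.IPv6Address("2001:db8::2").packed  # O flag only
    return {
        "lla_dad": _ns("::", "ff02::1:ff00:1", "fe80::1"),
        "rs": _ipv6("fe80::1", "ff02::2", struct.pack("!BBHI", 133, 0, 0, 0) + _lla(OPT_SLLAO, HOST_MAC)),
        "ra": _ra("fe80::a", ROUTER_MAC),
        "gua_dad": _ns("::", "ff02::1:ff00:1", "2001:db8::1"),
        "addr_res": _ns("2001:db8::1", "ff02::1:ff00:2", "2001:db8::2", _lla(OPT_SLLAO, HOST_MAC)),
        "nud": _ns("2001:db8::1", "2001:db8::a", "2001:db8::a", _lla(OPT_SLLAO, HOST_MAC)),
        "mac_change": _ipv6("2001:db8::2", "ff02::1", na_body + _lla(OPT_TLLAO, HOST_MAC)),
        "bad_dad": _ns("::", "ff02::1:ff00:1", "fe80::1", _lla(OPT_SLLAO, HOST_MAC)),
        "untrusted_ra": _ra("fe80::b", OTHER_MAC, hop_limit=64),
    }

def audit_all(trusted_router_macs=frozenset({ROUTER_MAC})) -> dict:
    """Return {name: (life-cycle phase, problems)} for every sample packet."""
    return {name: (classify(m), audit(m, trusted_router_macs))
            for name, m in ((n, parse_nd(p)) for n, p in sample_packets().items())}

if __name__ == "__main__":
    for name, (phase, problems) in audit_all().items():
        print(f"{name:13s} {phase:24s} {problems or 'ok'}")
```

The classification keys on exactly the properties the steps above rely on: an NS with the unspecified source is DAD, a multicast NS from a real source is address resolution, a unicast NS is NUD, and an NA without the Solicited flag sent to all nodes is the link-layer change announcement. The audit shows the asymmetry the next paragraph is about: nothing in the protocol stops any node from sending an RA, so the only thing the receiver can check without SEND is link-locality, hop limit and a locally configured allow-list.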

  • "IPv6 Neighbor Discovery (ND) Trust Models and Threats" [RFC3756]
  • "SEcure Neighbor Discovery (SEND)" [RFC3971]
  • "Cryptographically Generated Addresses (CGA)" [RFC3972]
  • "Neighbor Discovery Proxies (ND Proxy)" [RFC4389]
  • "Optimistic Duplicate Address Detection (DAD) for IPv6" [RFC4429]
  • "IPv6 in 3rd Generation Partnership Project (3GPP) Evolved Packet System (EPS)" [RFC6459]
  • "IPv6 for Third Generation Partnership Project (3GPP) Cellular Hosts" [RFC7066]
  • "IPv6 in the context of TR-101" [TR177]
  • "Address Resolution Protocol (ARP) Mediation for IP Interworking of Layer 2 VPNs" [RFC6575]
  • "Operational Neighbor Discovery Problems" [RFC6583]
  • "Neighbor Discovery Optimization for IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs)" [RFC6775]
  • "Registration Extensions for IPv6 over Low-Power Wireless Personal Area Network (6LoWPAN) Neighbor Discovery" [RFC8505]
  • "Address-Protected Neighbor Discovery for Low-Power and Lossy Networks" [RFC8928]
  • "IPv6 Backbone Router" [RFC8929]
  • "Architecture and Framework for IPv6 over Non-Broadcast Access" [SND]
  • "Duplicate Address Detection Proxy" [RFC6957]
  • "Source Address Validation Improvement (SAVI) Framework" [RFC7039]
  • "IPv6 Router Advertisement Guard" [RFC6105]
  • "Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)" [RFC7113]
  • "Enhanced Duplicate Address Detection" [RFC7527]
  • "The Scalable Address Resolution Protocol (SARP) for Large Data Centers" [RFC7586]
  • "Reducing Energy Consumption of Router Advertisements" [RFC7772]
  • "Unique IPv6 Prefix per Host" [RFC8273]
  • "Transparent Interconnection of Lots of Links (TRILL): ARP and Neighbor Discovery (ND) Optimization" [RFC8302]
  • "Gratuitous Neighbor Discovery: Creating Neighbor Cache Entries on First-Hop Routers" [RFC9131]
  • "Operational Aspects of Proxy ARP/ND in Ethernet Virtual Private Networks" [RFC9161]
  • "Using DHCPv6 Prefix Delegation (DHCPv6-PD) to Allocate Unique IPv6 Prefixes per Client in Large Broadcast Networks" [RFC9663]

This document summarizes these RFCs into a one-stop reference (as of the time of writing) for easier access. This document also identifies three causes of the issues and defines three host isolation methods to address the causes and prevent potential ND issues.

1.1. Terminology

This document uses the terms defined in [RFC4861]. Additional terms are defined in this section.

MAC (Media Access Control): To avoid confusion with link-local addresses, link-layer addresses are referred to as "MAC addresses" in this document.

Host Isolation: Separating hosts into different subnets or links.

L3 Isolation: Allocating a Unique Prefix per Host (UPPH) [RFC8273] [RFC9663] so that every host is in a different subnet. Given that a unique prefix can be allocated per host on shared media, hosts in different subnets may be on the same link.

L2 Isolation: Taking measures to prevent a host from reaching other hosts directly in Layer 2 (L2) so that every host is in a different link. Due to the existence of Multi-Link Subnet [RFC4903], hosts in different links may be in the same subnet. Therefore, L2 Isolation does not imply L3 Isolation, and L3 Isolation does not imply L2 Isolation either.

L3+L2 Isolation: Applying L3 Isolation and L2 Isolation simultaneously so that every host is in a different subnet and on a different link.

Partial L2 Isolation: Using an L3 ND Proxy [RFC4389] device to represent the hosts behind it to other hosts in the same subnet. Within the subnet, ND multicast exchange is segmented into multiple smaller scopes, each represented by an ND Proxy device.
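The L3, L2 and L3+L2 Isolation definitions above are properties of a deployment that can be checked mechanically: L3 Isolation means no two hosts share a subnet, L2 Isolation means no two hosts share a link, and the two are independent. The following is an added example written for this summary, not code from the document; the deployments in it are constructed, and it assumes the operator can attach a link identifier (a VLAN, a switch port or an access circuit) to each host, which the document does not prescribe.

```python
import ipaddress
from itertools import combinations

def isolation_report(hosts: dict) -> dict:
    """hosts maps a host name to (IPv6 address with prefix length, link identifier).
    Returns which isolation mode from the terminology section the deployment achieves,
    plus the host pairs that still share a subnet or a link."""
    subnet = {n: ipaddress.IPv6Interface(addr).network for n, (addr, _) in hosts.items()}
    link = {n: lnk for n, (_, lnk) in hosts.items()}
    shared_subnet = [(a, b) for a, b in combinations(hosts, 2) if subnet[a] == subnet[b]]
    shared_link = [(a, b) for a, b in combinations(hosts, 2) if link[a] == link[b]]
    l3, l2 = not shared_subnet, not shared_link
    mode = {(True, True): "L3+L2 Isolation", (True, False): "L3 Isolation",
            (False, True): "L2 Isolation", (False, False): "no isolation"}[(l3, l2)]
    return {"mode": mode, "l3": l3, "l2": l2,
            "shared_subnet": shared_subnet, "shared_link": shared_link}

# Constructed deployments (assumed values, not taken from the document).
# Unique prefix per host on one shared VLAN: hosts are in different subnets but on the same link.
UPPH_SHARED_MEDIA = {"h1": ("2001:db8:1::1/64", "vlan10"),
                     "h2": ("2001:db8:2::1/64", "vlan10"),
                     "h3": ("2001:db8:3::1/64", "vlan10")}
# Multi-Link Subnet: one /64 spread over isolated ports, so hosts share a subnet but not a link.
MULTI_LINK_SUBNET = {"h1": ("2001:db8::1/64", "port1"),
                     "h2": ("2001:db8::2/64", "port2"),
                     "h3": ("2001:db8::3/64", "port3")}
# Unique prefix per host and one isolated port per host.
PREFIX_AND_PORT = {"h1": ("2001:db8:1::1/64", "port1"),
                   "h2": ("2001:db8:2::1/64", "port2")}
# Classic flat /64 on one VLAN: neither property holds.
FLAT_SUBNET = {"h1": ("2001:db8::1/64", "vlan10"),
               "h2": ("2001:db8::2/64", "vlan10")}

if __name__ == "__main__":
    for name, hosts in (("UPPH on shared media", UPPH_SHARED_MEDIA), ("multi-link subnet", MULTI_LINK_SUBNET),
                        ("prefix + port", PREFIX_AND_PORT), ("flat subnet", FLAT_SUBNET)):
        r = isolation_report(hosts)
        print(f"{name:22s} {r['mode']:17s} shared subnet={r['shared_subnet']} shared link={r['shared_link']}")
```

The two middle deployments are the point of the definition: the UPPH case reports L3 Isolation with every pair still sharing a link, and the Multi-Link Subnet case reports L2 Isolation with every pair still sharing a subnet, so neither property can be inferred from the other.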