Skip to main content

RFC 9898 - IPv6部署中的邻居发现注意事项

发布日期: 2025年11月
状态: 信息性 (Informational)
作者:

  • X. Xiao (Huawei Technologies)
  • E. Vasilenko (Huawei Technologies)
  • E. Metz (KPN N.V.)
  • G. Mishra (Verizon Inc.)
  • N. Buraglio (Energy Sciences Network)

摘要 (Abstract)

邻居发现 (Neighbor Discovery, ND) 协议是IPv6架构的关键组成部分。该协议在许多消息中使用组播,并假设链路上所有节点都是可信的安全模型。这种设计在某些场景下可能效率低下(例如,在无线网络中使用组播),或在节点不可信时(例如,公共接入网络)存在问题。这些安全和运营问题及相关缓解解决方案已记录在超过20个RFC中。有必要在单个文档中跟踪这些问题和解决方案。

为此,本文档总结了已发布的ND问题,然后描述了所有这些问题如何源于三个原因。通过解决这些原因可以简化问题的解决。本文档还分析了缓解解决方案,并证明将主机隔离到不同的子网和链路可以帮助解决这三个原因。本文档提供了选择合适隔离方法以防止潜在ND问题的指导。

目录 (Contents)

  • 1. Introduction (简介)
    • 1.1 Terminology (术语)
  • 2. Review of Inventoried ND Issues (ND问题清单回顾)
    • 2.1 Multicast May Cause Performance and Reliability Issues (组播可能导致性能和可靠性问题)
    • 2.2 Trusting-All-Nodes May Cause On-Link Security Issues (信任所有节点可能导致链路内安全问题)
    • 2.3 Router-NCE-on-Demand May Cause Forwarding Delay, NCE Exhaustion, and Address Accountability Issues (按需路由器NCE可能导致转发延迟、NCE耗尽和地址问责问题)
    • 2.4 Summary of ND Issues (ND问题总结)
  • 3. Review of ND Mitigation Solutions (ND缓解解决方案回顾)
    • 3.1 Mobile Broadband IPv6 (MBBv6) (移动宽带IPv6)
    • 3.2 Fixed Broadband IPv6 (FBBv6) (固定宽带IPv6)
    • 3.3 Unique Prefix per Host (UPPH) (每主机唯一前缀)
    • 3.4 Wireless ND (WiND) (无线ND)
    • 3.5 Scalable Address Resolution Protocol (SARP) (可扩展地址解析协议)
    • 3.6 ND Optimization for TRILL (TRILL的ND优化)
    • 3.7 Proxy ND in Ethernet Virtual Private Networks (ND EVPN) (以太网虚拟专用网中的代理ND)
    • 3.8 Reducing Router Advertisements per RFC 7772 (按照RFC 7772减少路由器通告)
    • 3.9 Gratuitous Neighbor Discovery (GRAND) (无偿邻居发现)
    • 3.10 Source Address Validation Improvement (SAVI) and Router Advertisement Guard (RA-Guard) (源地址验证改进和路由器通告防护)
    • 3.11 Dealing with NCE Exhaustion Attacks per RFC 6583 (按照RFC 6583处理NCE耗尽攻击)
    • 3.12 Registering Self-Generated IPv6 Addresses Using DHCPv6 per RFC 9686 (按照RFC 9686使用DHCPv6注册自生成IPv6地址)
    • 3.13 Enhanced DAD (增强DAD)
    • 3.14 ND Mediation for IP Interworking of Layer 2 VPNs (第2层VPN IP互通的ND中介)
    • 3.15 ND Solutions Defined Before the Latest Versions of ND (在最新版本ND之前定义的ND解决方案)
      • 3.15.1 Secure Neighbor Discovery (SEND) (安全邻居发现)
      • 3.15.2 Cryptographically Generated Addresses (CGA) (加密生成地址)
      • 3.15.3 ND Proxy (ND代理)
      • 3.15.4 Optimistic DAD (乐观DAD)
  • 4. Guidelines for Prevention of Potential ND Issues (防止潜在ND问题的指导方针)
    • 4.1 Learning Host Isolation from the Existing Solutions (从现有解决方案学习主机隔离)
    • 4.2 Applicability of Various Isolation Methods (各种隔离方法的适用性)
      • 4.2.1 Applicability of L3+L2 Isolation (L3+L2隔离的适用性)
      • 4.2.2 Applicability of L3 Isolation (L3隔离的适用性)
      • 4.2.3 Applicability of Partial L2 Isolation (部分L2隔离的适用性)
    • 4.3 Guidelines for Applying Isolation Methods (应用隔离方法的指导方针)
  • 5. Security Considerations (安全考虑)
  • 6. IANA Considerations (IANA考虑)
  • 7. References (参考文献)
    • 7.1 Normative References (规范性参考文献)
    • 7.2 Informative References (信息性参考文献)

附录 (Appendices)

相关资源

Last updated on