1 IPv6: Neighbor Discovery Billy Bian SW2 Great China R&D Center ZyXEL Communications, Inc.

Date post: 16-Dec-2015

1

IPv6: Neighbor Discovery

Billy Bian
SW2
Great China R&D Center
ZyXEL Communications, Inc.

2

Outline:

• Neighbor Discovery (ND) Overview

• Neighbor Discovery Message Format

• Neighbor Discovery Processes

• Conceptual Host Data Structures

• Host Sending Algorithm

• Appendix

• Q&A

3

Neighbor Discovery Overview

• Set of messages and processes that determine relationships between neighboring nodes
• Replaces ARP, ICMPv4 Router Discovery, and ICMPv4 Redirect
• ND is used by nodes:
  • For address resolution
  • To determine link-layer address changes
  • To determine neighbor reachability

4

• ND is used by hosts:
  • To discover neighboring routers
  • To autoconfigure addresses, address prefixes, and other configuration parameters
• ND is used by routers:
  • To advertise their presence, host configuration parameters, and on-link prefixes
  • To inform hosts of a better next-hop address to forward packets for a specific destination

5

Neighbor Discovery Message Format

• ICMPv6 message structure and ICMPv6 types 133-137
• All ND messages are sent with a hop limit of 255

[Figure: packet layout. IPv6 Header (Next Header = 58), followed by the Neighbor Discovery Message, which consists of the Neighbor Discovery Message Header and the Neighbor Discovery Message Options]

6

Neighbor Discovery Processes

• Address Resolution
  • Resolve a neighbor's IPv6 address to its link-layer (MAC) address.
  • It is equivalent to ARP in IPv4.
• Neighbor Unreachability Detection (NUD)
  • Determine that an address for use is not already in use by a neighbor node.
  • It is equivalent to Gratuitous ARP frames in IPv4.
• Duplicate Address Detection (DAD)
  • Determine that the IPv6 layer of a neighbor is no longer receiving packets
  • Might not be the final destination but the reachability of the first hop of the destination

7

Neighbor Discovery Processes

• Router Discovery
  • A host discovers the local router(s) on the attached link
  • Determine which local router is a default gateway
  • Switch to backup default router if the primary one is unavailable
    • Route Lifetime expiration
    • Neighbor Unreachability Detection (NUD)
  • Network Prefix(es) discovery
  • Parameters discovery (link MTU, Max Hop Limit, auto-config)
  • It is equivalent to ICMPv4 Router Discovery
• Redirect Function
  • Process of a router informing a host of a better first-hop IPv6 address to reach a destination
  • It is equivalent to ICMPv4 Redirect Message

8

Address Resolution

• An exchange of Neighbor Solicitation (NS) and Neighbor Advertisement (NA) messages to resolve the link-layer address of the next-hop address
• Multicast Neighbor Solicitation message
  • Destination of NS is the solicited-node multicast address derived from the target address
  • Source address of NS is the sender's unicast address
• Unicast Neighbor Advertisement message
  • Destination of NA is the requester's unicast address
  • Source address and target address are the same.
• Both hosts update their neighbor caches
• Unicast traffic can now be sent

9

Address Resolution

[Figure: Host A and Host B, with the following node addresses]
• MAC: 00-10-5A-AA-20-A2, IP: FE80::210:5AFF:FEAA:20A2
• MAC: 00-60-97-02-6E-A5, IP: FE80::260:97FF:FE02:6EA5

10

Multicast Neighbor Solicitation

Ethernet Header
• Destination MAC is 33-33-FF-02-6E-A5
IPv6 Header
• Source Address is FE80::210:5AFF:FEAA:20A2
• Destination Address is FF02::1:FF02:6EA5
• Hop limit is 255
Neighbor Solicitation Header
• Target Address is FE80::260:97FF:FE02:6EA5
Neighbor Discovery Option
• Source Link-Layer Address is 00-10-5A-AA-20-A2

[Figure: Host A and Host B; send multicast Neighbor Solicitation (NS)]
• MAC: 00-10-5A-AA-20-A2, IP: FE80::210:5AFF:FEAA:20A2
• MAC: 00-60-97-02-6E-A5, IP: FE80::260:97FF:FE02:6EA5

11

Multicast NS Destination Derivation

• The solicited-node multicast address is constructed from the prefix FF02::1:FF00:0/104 and the last 24 bits of a unicast IPv6 address
• Mapping IPv6 Multicast Addresses to Ethernet Addresses

[Figure: address mapping]
IPv6 Multicast Address FF…:
Multicast Ethernet Addresses 33-33-

12

Multicast NS Destination Address

• Target Address: IPv6 address (Unicast) FE80::260:97FF:FE02:6EA5
• IP layer Destination Address: Solicited-Node Address FF02::1:FF02:6EA5
• Link layer Destination Address: Multicast Ethernet Address 33-33-FF-02-6E-A5
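
Added example, not part of the original slides: the two derivations above in Python, plus a check that the Ethernet destination, IPv6 destination and Target Address of a captured multicast NS agree with each other. The function names are hypothetical; the 33-33 mapping uses the low 32 bits of the multicast address (RFC 2464).

```python
import ipaddress

# Solicited-node prefix from the slide: FF02::1:FF00:0/104
SOLICITED_NODE_BASE = int(ipaddress.IPv6Address("ff02::1:ff00:0"))

def solicited_node(unicast: str) -> ipaddress.IPv6Address:
    """Append the low 24 bits of a unicast address to FF02::1:FF00:0/104."""
    addr = ipaddress.IPv6Address(unicast)
    if addr.is_multicast or addr.is_unspecified:
        raise ValueError(f"{addr} is not a unicast address")
    return ipaddress.IPv6Address(SOLICITED_NODE_BASE | (int(addr) & 0xFFFFFF))

def multicast_mac(group: str) -> str:
    """Ethernet destination for an IPv6 multicast group: 33-33 plus its low 32 bits."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{addr} is not a multicast address")
    low32 = (int(addr) & 0xFFFFFFFF).to_bytes(4, "big")
    return "-".join(f"{b:02X}" for b in b"\x33\x33" + low32)

def check_multicast_ns(eth_dst: str, ip_dst: str, target: str) -> list:
    """Return the inconsistencies between the three destination fields of a
    captured multicast NS; an empty list means the frame is self-consistent."""
    problems = []
    expected_ip = solicited_node(target)
    expected_mac = multicast_mac(str(expected_ip))
    if ipaddress.IPv6Address(ip_dst) != expected_ip:
        problems.append(f"IPv6 destination should be {expected_ip}")
    if eth_dst.replace(":", "-").upper() != expected_mac:
        problems.append(f"Ethernet destination should be {expected_mac}")
    return problems

if __name__ == "__main__":
    # Addresses taken from the slide above.
    target = "FE80::260:97FF:FE02:6EA5"
    group = solicited_node(target)
    print(group, multicast_mac(str(group)))
    print(check_multicast_ns("33-33-FF-02-6E-A5", "FF02::1:FF02:6EA5", target))
```

Because only 24 bits of the target survive into the group address, several unicast addresses can map to the same solicited-node group, so a receiver still has to compare the Target Address field itself.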

13

Unicast Neighbor Advertisement

Ethernet Header
• Destination MAC is 00-10-5A-AA-20-A2
IPv6 Header
• Source Address is FE80::260:97FF:FE02:6EA5
• Destination Address is FE80::210:5AFF:FEAA:20A2
• Hop limit is 255
Neighbor Advertisement Header
• Target Address is FE80::260:97FF:FE02:6EA5
Neighbor Discovery Option
• Target Link-Layer Address is 00-60-97-02-6E-A5

[Figure: Host A and Host B; 2. Send unicast Neighbor Advertisement (NA)]
• MAC: 00-10-5A-AA-20-A2, IP: FE80::210:5AFF:FEAA:20A2
• MAC: 00-60-97-02-6E-A5, IP: FE80::260:97FF:FE02:6EA5

14

Structure of NS Message

• Type = 135
• Code = 0
• Checksum
• Reserved
• Target Address
• Options . . .

15

Structure of NA Message

• Type = 136
• Code = 0
• Checksum
• Router flag
• Solicited flag
• Override flag
• Reserved
• Target Address
• Options . . .

16

Source and Target Link-Layer Address Options

Source Link-Layer Address option
• Type = 1
• Length
• Link-Layer Address . . .

Target Link-Layer Address option
• Type = 2
• Length
• Link-Layer Address . . .

17

Source and Target Link-Layer Address options for Ethernet

• Type
• Length = 1
• Ethernet MAC Address

For all ND options, Length field is the number of 8-byte blocks in the entire option.

18

NS Sample Message

Ethernet II, Src: 00:08:74:f8:6f:ee, Dst: 33:33:ff:dd:b8:37
    Destination: 33:33:ff:dd:b8:37
    Source: 00:08:74:f8:6f:ee
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    Version: 6
    Traffic class: 0x00
    Flowlabel: 0x00000
    Payload length: 32
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source address: fe80::208:74ff:fef8:6fee
    Destination address: ff02::1:ffdd:b837

19

Internet Control Message Protocol v6
    Type: 135 (Neighbor solicitation)
    Code: 0
    Checksum: 0x158a (correct)
    Target: fe80::20c:29ff:fedd:b837
    ICMPv6 options
        Type: 1 (Source link-layer address)
        Length: 8 bytes (1)
        Link-layer address: 00:08:74:f8:6f:ee

20

NA Sample Message

Ethernet II, Src: 00:08:74:f8:6f:ee, Dst: 00:0c:29:dd:b8:37
    Destination: 00:0c:29:dd:b8:37
    Source: 00:08:74:f8:6f:ee
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    Version: 6
    Traffic class: 0x00
    Flowlabel: 0x00000
    Payload length: 32
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source address: fe80::208:74ff:fef8:6fee
    Destination address: fe80::20c:29ff:fedd:b837

21

Internet Control Message Protocol v6
    Type: 136 (Neighbor advertisement)
    Code: 0
    Checksum: 0x8633 (correct)
    Flags: 0x60000000
        0... .... .... .... .... .... .... .... = Not router
        .1.. .... .... .... .... .... .... .... = Solicited
        ..1. .... .... .... .... .... .... .... = Override
    Target: fe80::208:74ff:fef8:6fee
    ICMPv6 options
        Type: 2 (Target link-layer address)
        Length: 8 bytes (1)
        Link-layer address: 00:08:74:f8:6f:ee
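
Added example, not part of the original slides: a parser for the ICMPv6 part of an NS or NA that applies the hop-limit-255 rule and the 8-byte option length rule from the slides as receiver-side checks, in the way RFC 4861 asks a receiver to validate these messages. The two byte strings are constructed from the field values of the sample messages above; all names are hypothetical.

```python
import ipaddress
import struct

class NDError(ValueError):
    """The message fails a validity check and must be discarded."""

OPTION_NAMES = {1: "source_lladdr", 2: "target_lladdr"}

def parse_options(data: bytes) -> list:
    """Split the options area into (type, body) pairs. Length counts
    8-byte blocks of the entire option, Type and Length bytes included."""
    options, offset = [], 0
    while offset < len(data):
        if len(data) - offset < 2:
            raise NDError("truncated option header")
        opt_type, blocks = data[offset], data[offset + 1]
        if blocks == 0:  # a zero length would never advance the offset
            raise NDError("option length 0")
        end = offset + 8 * blocks
        if end > len(data):
            raise NDError("option runs past the end of the message")
        options.append((opt_type, data[offset + 2:end]))
        offset = end
    return options

def parse_ns_na(icmp: bytes, hop_limit: int) -> dict:
    """Parse the ICMPv6 part of an NS (135) or NA (136). The checksum is
    not verified here, since that needs the IPv6 pseudo-header."""
    if hop_limit != 255:  # a forwarded packet arrives with less than 255
        raise NDError("hop limit is not 255")
    if len(icmp) < 24:
        raise NDError("shorter than the 24-byte NS/NA header")
    msg_type, code, _checksum, word = struct.unpack("!BBHI", icmp[:8])
    if msg_type not in (135, 136):
        raise NDError(f"ICMPv6 type {msg_type} is not NS or NA")
    if code != 0:
        raise NDError("code is not 0")
    target = ipaddress.IPv6Address(icmp[8:24])
    if target.is_multicast:
        raise NDError("target address is multicast")
    msg = {"type": "NS" if msg_type == 135 else "NA", "target": str(target)}
    if msg_type == 136:  # Router, Solicited, Override: top three bits
        msg.update(router=bool(word >> 31 & 1), solicited=bool(word >> 30 & 1),
                   override=bool(word >> 29 & 1))
    for opt_type, body in parse_options(icmp[24:]):
        name = OPTION_NAMES.get(opt_type)
        if name and len(body) == 6:  # Ethernet: one block, 6-byte MAC
            msg[name] = ":".join(f"{b:02x}" for b in body)
    return msg

# Constructed from the field values in the NS and NA sample messages above.
NS_SAMPLE = bytes.fromhex("8700158a00000000"
                          "fe80000000000000020c29fffeddb837"
                          "0101000874f86fee")
NA_SAMPLE = bytes.fromhex("8800863360000000"
                          "fe80000000000000020874fffef86fee"
                          "0201000874f86fee")
```

Both samples are 32 bytes long, which matches the Payload length shown in the IPv6 header of each capture.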

22

Neighbor Unreachability Detection

• A neighboring node is reachable if:
  • There has been a recent confirmation that IPv6 packets sent were received and processed by the neighboring node
• Detects whether the first hop to the destination is reachable
• Reachability is determined by:
  • Receipt of a Neighbor Advertisement message in response to a unicast Neighbor Solicitation message
  • Upper layer protocol indicators
• There are five reachability states:
  • Incomplete, Stale, Delay, Probe, Reachable

23

Reachability confirmation

[Figure: message exchange between Host A and Host B]
1. Neighbor Solicitation
2. Neighbor Advertisement
3. Neighbor Solicitation
4. Neighbor Advertisement

24

Neighbor Unreachability States

[Figure: neighbor cache entry state diagram]
States: NO ENTRY EXISTS, INCOMPLETE, REACHABLE, STALE, DELAY, PROBE
Transition labels:
• Send multicast NS
• Receive Solicited NA
• Multicast NS retries exceeded
• Reachable Time exceeded or unsolicited NA received
• Send packet
• Delay time exceeded
• Reachability confirmed by upper layer protocol
• Reachability confirmed by sending unicast NS and receiving solicited NA
• Unicast NS retries exceeded
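
Added example, not part of the original slides: the state diagram as a transition table, with a helper that lists which events can move an entry to REACHABLE. The event names are hypothetical, and the pairing of each label with its source and destination state follows the neighbor cache state machine of RFC 4861, which is an assumption about the figure; events the diagram does not show are ignored in this sketch.

```python
from enum import Enum

class State(Enum):
    NO_ENTRY = "no entry exists"
    INCOMPLETE = "incomplete"
    REACHABLE = "reachable"
    STALE = "stale"
    DELAY = "delay"
    PROBE = "probe"

S = State
# (current state, event) -> next state, one row per arrow label in the diagram.
TRANSITIONS = {
    (S.NO_ENTRY, "send_multicast_ns"): S.INCOMPLETE,
    (S.INCOMPLETE, "solicited_na"): S.REACHABLE,
    (S.INCOMPLETE, "multicast_ns_retries_exceeded"): S.NO_ENTRY,
    (S.REACHABLE, "reachable_time_exceeded"): S.STALE,
    (S.REACHABLE, "unsolicited_na"): S.STALE,
    (S.STALE, "send_packet"): S.DELAY,
    (S.DELAY, "upper_layer_confirmation"): S.REACHABLE,
    (S.DELAY, "delay_time_exceeded"): S.PROBE,
    (S.PROBE, "solicited_na"): S.REACHABLE,  # answer to the unicast NS probe
    (S.PROBE, "unicast_ns_retries_exceeded"): S.NO_ENTRY,
}

class NeighborEntry:
    """One neighbor cache entry driven by the table above."""

    def __init__(self):
        self.state = S.NO_ENTRY
        self.ignored = []  # (state, event) pairs that had no arrow

    def on(self, event: str) -> State:
        nxt = TRANSITIONS.get((self.state, event))
        if nxt is None:
            self.ignored.append((self.state, event))
        else:
            self.state = nxt
        return self.state

def replay(events) -> list:
    """Feed events to a fresh entry and return the state name after each."""
    entry = NeighborEntry()
    return [entry.on(event).name for event in events]

def events_reaching(target: State) -> list:
    """Events that can move an entry into `target`, from any state."""
    return sorted({ev for (_, ev), dst in TRANSITIONS.items() if dst is target})

if __name__ == "__main__":
    print(replay(["send_multicast_ns", "solicited_na", "unsolicited_na",
                  "send_packet", "delay_time_exceeded", "solicited_na"]))
    print(events_reaching(State.REACHABLE))
```

The second call makes the property visible: only a solicited NA or an upper-layer confirmation leads to REACHABLE, while an unsolicited NA can only demote an entry to STALE.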

25

Duplicate Address Detection

• Use of a neighbor solicitation to detect a duplicate unicast address
  • Target Address field in the Neighbor Solicitation message is set to the IPv6 address for which duplication is being detected
  • The Source Address is set to the unspecified address (::)
• For a duplicate address, the defending node replies with a multicast NA
  • The Destination Address is set to the link-local scope all-nodes multicast address (FF02::1)

26

Duplicate Address Detection

• Replaces IPv4 ARP request and Gratuitous ARP
• What is Gratuitous ARP?
  • IPv4 sets both source and target with the same IP address of the sender in ARP request
  • If it receives an ARP reply, then the IP address is a duplicate
• Must be performed by all nodes (hosts & routers)
• Performed before assigning a unicast address to an interface
• Performed on interface initialization
• Not performed for anycast address
• Link must be multicast address

27

Duplicate Address Detection

• Accomplished by using NS (multicast) and NA messages
• Node sends NS with:
  • Source address is the unspecified address (::)
  • Destination address is the tentative solicited-node address
  • Target address field is set to the tentative IP address
  • The Source Link-layer Address option is not used
• If the address already exists, the particular node sends an NA reply with:
  • The destination address of NA is set to FF02::1
  • The solicited flag is 0 because NS is not using the desired IP address

28

Multicast NS for Duplicate Address Detection

Ethernet Header
• Dest MAC is 33-33-FF-52-F9-D8
IPv6 Header
• Source Address is ::
• Destination Address is FF02::1:FF52:F9D8
• Hop limit is 255
Neighbor Solicitation Header
• Target Address is FEC0::2:260:8FF:FE52:F9D8

[Figure: Host A and Host B; send multicast Neighbor Solicitation (NS)]
• Tentative IP: FEC0::2:260:8FF:FE52:F9D8
• MAC: 00-60-08-52-F9-D8, IP: FEC0::2:260:8FF:FE52:F9D8

29

Multicast NA for a Duplicate Address

Ethernet Header
• Destination MAC is 33-33-00-00-00-01
IPv6 Header
• Source Address is FEC0::2:260:8FF:FE52:F9D8
• Destination Address is FF02::1
• Hop limit is 255
Neighbor Advertisement Header
• Target Address is FEC0::2:260:8FF:FE52:F9D8
Neighbor Discovery Option
• Target Link-Layer Address is 00-60-08-52-F9-D8

[Figure: Host A and Host B; 2. Send multicast Neighbor Advertisement (NA)]
• Tentative IP: FEC0::2:260:8FF:FE52:F9D8
• MAC: 00-60-08-52-F9-D8, IP: FEC0::2:260:8FF:FE52:F9D8
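
Added example, not part of the original slides: the slides describe three uses of the NS message (address resolution, the unicast reachability probe, and the DAD probe), and this sketch tells them apart from the IPv6 source and destination and checks the DAD field rules listed above. Function names are hypothetical; the rules marked RFC 4861 come from that RFC rather than from the slides.

```python
import ipaddress

IP = ipaddress.IPv6Address
ALL_NODES = IP("ff02::1")

def solicited_node(addr) -> ipaddress.IPv6Address:
    """FF02::1:FF00:0/104 plus the low 24 bits of the address."""
    return IP(int(IP("ff02::1:ff00:0")) | (int(addr) & 0xFFFFFF))

def classify_ns(src: str, dst: str, target: str, has_slla: bool):
    """Return (purpose, problems) for a Neighbor Solicitation."""
    src, dst, target = IP(src), IP(dst), IP(target)
    problems = []
    if src.is_unspecified:
        purpose = "duplicate-address-detection"
        if dst != solicited_node(target):
            problems.append("destination is not the tentative solicited-node address")
        if has_slla:
            problems.append("Source Link-Layer Address option in a DAD probe")
    elif dst.is_multicast:
        purpose = "address-resolution"
        if dst != solicited_node(target):
            problems.append("destination is not the target's solicited-node address")
        if not has_slla:  # RFC 4861: required in multicast solicitations
            problems.append("multicast NS without Source Link-Layer Address option")
    else:
        purpose = "reachability-probe"
        if dst != target:  # RFC 4861: a unicast NS is addressed to its target
            problems.append("unicast NS destination differs from the target")
    return purpose, problems

def check_dad_reply(dst: str, target: str, solicited: bool, tentative: str) -> list:
    """Problems with an NA sent to defend `tentative` against a DAD probe."""
    problems = []
    if IP(target) != IP(tentative):
        problems.append("NA target is not the tentative address")
    if IP(dst) != ALL_NODES:
        problems.append("destination is not FF02::1")
    if solicited:
        problems.append("solicited flag is set")
    return problems

if __name__ == "__main__":
    # Field values from the two DAD slides above.
    tentative = "FEC0::2:260:8FF:FE52:F9D8"
    print(classify_ns("::", "FF02::1:FF52:F9D8", tentative, has_slla=False))
    print(check_dad_reply("FF02::1", tentative, solicited=False, tentative=tentative))
```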

30

Router Discovery

• Attempts to discover the set of routers on the local link
• Similar to IPv4 ICMP router discovery (RFC 1256)
• In IPv6 RA messages, the Router Lifetime field indicates the time that router can be considered a default router
• Accomplished by sending a multicast Router Solicitation (FF02::2) and the receipt of a multicast Router Advertisement (FF02::1) message
• If the router becomes unavailable, the condition is detected via neighbor unreachability instead of Router Lifetime in the RA messages
• A new default router is chosen from the default router list or the host sends an RS message to determine a new default router

31

Multicast RS Message

Ethernet Header
• Destination MAC is 33-33-00-00-00-02
IPv6 Header
• Source Address is ::
• Destination Address is FF02::2
• Hop limit is 255
Router Solicitation Header

[Figure: Host A and Router; send multicast Router Solicitation (RS)]
• MAC: 00-B0-D0-E9-41-43, IP: none
• MAC: 00-10-FF-D6-58-C0, IP: FE80::210:FFFF:FED6:58C0

32

Multicast RA Message

Ethernet Header
• Destination MAC is 33-33-00-00-00-01
IPv6 Header
• Source Address is FE80::210:FFFF:FED6:58C0
• Destination Address is FF02::1
• Hop limit is 255
Router Advertisement Header
• Current Hop Limit, Flags, Router Lifetime, Reachable and Retransmission Timers
Neighbor Discovery Options
• Source Link-Layer Address is 00-10-FF-D6-58-C0
• MTU is 1500
• Prefix Information is for FEC0:0:0:F282::/64

[Figure: Host A and Router; 2. Send multicast Router Advertisement (RA)]
• MAC: 00-10-FF-D6-58-C0, IP: FE80::210:FFFF:FED6:58C0
• MAC: 00-B0-D0-E9-41-43, IP: none

33

Structure of the RS Message

• Type = 133
• Code = 0
• Checksum
• Reserved
• Options . . .

34

Structure of the RA Message

• Type = 134
• Code = 0
• Checksum
• Current Hop Limit
• Managed Address Configuration flag
• Other Stateful Configuration flag
• Home Agent flag
• Default Router Preference
• Reserved
• Router Lifetime
• Reachable Time
• Retrans Timer
• Options . . .

35

Structure of the Prefix Information Option

• Type = 3
• Length = 4
• Prefix Length
• On-Link flag
• Autonomous flag
• Router Address flag
• Site prefix flag
• Reserved1
• Valid Lifetime
• Preferred Lifetime
• Reserved2
• Site Prefix Length
• Prefix

36

Structure of the MTU Option

• Type = 5
• Length = 1
• Reserved
• MTU

37

Structure of the Advertisement Interval Option

• Type = 7
• Length = 1
• Reserved
• Advertisement Interval

38

Structure of the Home Agent Information Option

• Type = 8
• Length = 1
• Reserved
• Home Agent Preference
• Home Agent Lifetime

39

Structure of the Route Information Option

• Type = 9
• Length
• Prefix Length
• Reserved 1
• Preference
• Reserved 2
• Route Lifetime
• Prefix

40

Sample RS message

Ethernet II, Src: 00:0c:29:7e:7e:86, Dst: 33:33:00:00:00:02
    Destination: 33:33:00:00:00:02
    Source: 00:0c:29:7e:7e:86
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    Version: 6
    Traffic class: 0x00
    Flowlabel: 0x00000
    Payload length: 16
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source address: fe80::20c:29ff:fe7e:7e86
    Destination address: ff02::2

41

Internet Control Message Protocol v6

Type: 133 (Router solicitation)

Code: 0

Checksum: 0x2b0d (correct)

ICMPv6 options

Type: 1 (Source link-layer address)

Length: 8 bytes (1)

Link-layer address: 00:0c:29:7e:7e:86

42

Sample RA Message

Ethernet II, Src: 00:13:49:00:00:01, Dst: 33:33:00:00:00:01
    Destination: 33:33:00:00:00:01
    Source: 00:13:49:00:00:01 (ZyxelCom_00:00:01)
    Type: IPv6 (0x86dd)
Internet Protocol Version 6
    Version: 6
    Traffic class: 0x00
    Flowlabel: 0x00000
    Payload length: 56
    Next header: ICMPv6 (0x3a)
    Hop limit: 255
    Source address: fe80::213:49ff:fe00:1
    Destination address: ff02::1

43

Internet Control Message Protocol v6
    Type: 134 (Router advertisement)
    Code: 0
    Checksum: 0x96a0 (correct)
    Cur hop limit: 64
    Flags: 0x00
        0... .... = Not managed
        .0.. .... = Not other
        ..0. .... = Not Home Agent
        ...0 0... = Router preference: Medium
    Router lifetime: 1800
    Reachable time: 0
    Retrans time: 0

44

    ICMPv6 options
        Type: 1 (Source link-layer address)
        Length: 8 bytes (1)
        Link-layer address: 00:13:49:00:00:01
    ICMPv6 options
        Type: 3 (Prefix information)
        Length: 32 bytes (4)
        Prefix length: 64
        Flags: 0xc0
            1... .... = Onlink
            .1.. .... = Auto
            ..0. .... = Not router address
            ...0 .... = Not site prefix
        Valid lifetime: 0x00278d00
        Preferred lifetime: 0x00093a80
        Prefix: fec0::

45

Redirect

• Sometimes hosts will pick the wrong next-hop
  • There are several routers
  • Send to a router although destination is connected to the same link
• The router that receives the packet
  • Will forward the packet to the correct next hop
  • Will send a Redirect message to the sender
• After receiving the Redirect message, the host will send the next message to the correct router

46

Unicast Packet to the Router

Ethernet Header
• Destination MAC is 00-AA-00-22-22-22
IPv6 Header
• Source Address is FEC0::1:2AA:FF:FE11:1111
• Destination Address is FEC0::2:2AA:FF:FE99:9999

[Figure: Host A, Router 2 and Router 3; send unicast packet]
• MAC: 00-AA-00-11-11-11, IP: FEC0::1:2AA:FF:FE11:1111, FE80::2AA:FF:FE11:1111
• MAC: 00-AA-00-22-22-22, IP: FEC0::1:2AA:FF:FE22:2222, FE80::2AA:FF:FE22:2222
• MAC: 00-AA-00-33-33-33, IP: FEC0::1:2AA:FF:FE33:3333, FE80::2AA:FF:FE33:3333

47

Redirect Message Sent by the Router

Ethernet Header
• Destination MAC is 00-AA-00-11-11-11
IPv6 Header
• Source Address is FE80::2AA:FF:FE22:2222
• Destination Address is FEC0::1:2AA:FF:FE11:1111
• Hop limit is 255
Redirect Header
• Target Address is FE80::2AA:FF:FE33:3333
• Destination Address is FEC0::2:2AA:FF:FE99:9999
Neighbor Discovery Options
• Target Link-Layer Address is 00-AA-00-33-33-33
• Redirected Header

[Figure: Host A, Router 2 and Router 3; 2. Send unicast Redirect]
• MAC: 00-AA-00-11-11-11, IP: FEC0::1:2AA:FF:FE11:1111, FE80::2AA:FF:FE11:1111
• MAC: 00-AA-00-22-22-22, IP: FEC0::1:2AA:FF:FE22:2222, FE80::2AA:FF:FE22:2222
• MAC: 00-AA-00-33-33-33, IP: FEC0::1:2AA:FF:FE33:3333, FE80::2AA:FF:FE33:3333

48

Unicast Packet Forwarded by the Router

Ethernet Header
• Destination MAC is 00-AA-00-33-33-33
IPv6 Header
• Source Address is FEC0::1:2AA:FF:FE11:1111
• Destination Address is FEC0::2:2AA:FF:FE99:9999

[Figure: Host A, Router 2 and Router 3; 3. Forward unicast packet]
• MAC: 00-AA-00-11-11-11, IP: FEC0::1:2AA:FF:FE11:1111, FE80::2AA:FF:FE11:1111
• MAC: 00-AA-00-22-22-22, IP: FEC0::1:2AA:FF:FE22:2222, FE80::2AA:FF:FE22:2222
• MAC: 00-AA-00-33-33-33, IP: FEC0::1:2AA:FF:FE33:3333, FE80::2AA:FF:FE33:3333

49

Conceptual Host Data Structures

• To facilitate interactions between neighboring nodes, RFC 2461 defines the following conceptual host data structures as an example of how to store information for ND processes:
• Neighbor cache
  • The neighbor cache stores the on-link IP address of each neighbor, its corresponding link-layer address, and an indication of the neighbor's reachability state.
• Destination cache
  • The destination cache stores information on next-hop IP addresses for destinations to which traffic has recently been sent.
• Prefix list
  • The prefix list contains on-link prefixes.
• Default router list
  • IP addresses corresponding to on-link routers that have sent Router Advertisement messages and are eligible to be default routers are included in the default router list.

50

Conceptual Host Data Structures

[Figure: the four conceptual structures]
• Destination Cache (columns: Destination, Next-Hop Address, PMTU)
• Neighbor Cache (columns: Next-Hop Address, Link Layer Address, State)
• Prefix List
• Default Router List

51

Host Sending Algorithm

1. Determine the next-hop address for the destination
  • Check the destination cache
  • If the destination address matches a prefix in the prefix list, next-hop address is destination address
  • If the destination address does not match a prefix in the prefix list, next-hop address is the default router address
2. Determine the link-layer address for the next-hop address
  • Check the neighbor cache
  • Use address resolution to obtain the link-layer address for the next-hop address
3. Send the packet using the link-layer address of the next-hop address

52

[Figure: host sending algorithm flowchart. Box and decision labels:]
• Check destination cache
• Entry found? (Y/N)
• Check prefix list
• Match? (Y/N)
• destination as next-hop
• default router as next-hop
• Obtain next-hop
• default router? (Y/N)
• Update destination cache
• Check neighbor cache for next hop
• Entry found? (Y/N)
• Address resolution for next-hop
• resolution successful? (Y/N)
• Update neighbor cache
• Indicate an error.
• Send packet using link-layer address of neighbor cache entry.
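
Added example, not part of the original slides: the conceptual host data structures and the three-step sending algorithm as a small Python class, replayed on the addresses of the Redirect slides so that the destination cache update is visible. Class and method names are hypothetical, the /64 prefix length and the error on an empty default router list are assumptions, and the Redirect acceptance checks follow RFC 4861.

```python
import ipaddress

IP = ipaddress.IPv6Address

class Host:
    """The four conceptual structures plus the sending algorithm."""

    def __init__(self, prefixes, default_routers):
        self.prefix_list = [ipaddress.IPv6Network(p) for p in prefixes]
        self.default_router_list = [IP(r) for r in default_routers]
        self.destination_cache = {}  # destination -> next-hop address
        self.neighbor_cache = {}     # next-hop address -> link-layer address

    def next_hop(self, dst):
        """Step 1: destination cache, then prefix list, then default router."""
        dst = IP(dst)
        if dst not in self.destination_cache:
            if any(dst in prefix for prefix in self.prefix_list):
                self.destination_cache[dst] = dst  # on-link destination
            elif self.default_router_list:
                self.destination_cache[dst] = self.default_router_list[0]
            else:  # assumption of this sketch: report an error
                raise LookupError("no default router")
        return self.destination_cache[dst]

    def send(self, dst, resolve):
        """Steps 2 and 3; `resolve` stands in for the NS/NA exchange."""
        hop = self.next_hop(dst)
        if hop not in self.neighbor_cache:
            lladdr = resolve(hop)  # link-layer address, or None on failure
            if lladdr is None:
                raise LookupError("address resolution failed")
            self.neighbor_cache[hop] = lladdr
        return str(hop), self.neighbor_cache[hop]

    def handle_redirect(self, src, hop_limit, target, dst, target_lladdr=None):
        """Apply a Redirect only if it passes RFC 4861's receiver checks."""
        src, target, dst = IP(src), IP(target), IP(dst)
        if hop_limit != 255:
            return "dropped: hop limit is not 255"
        if not src.is_link_local:
            return "dropped: source is not link-local"
        if dst.is_multicast or not (target.is_link_local or target == dst):
            return "dropped: bad destination or target"
        if self.destination_cache.get(dst) != src:
            return "dropped: sender is not the current first hop"
        self.destination_cache[dst] = target
        if target_lladdr:
            self.neighbor_cache[target] = target_lladdr
        return "accepted"

def redirect_scenario():
    """Replay the Redirect slides with their addresses."""
    first_hop, better_hop = "fe80::2aa:ff:fe22:2222", "fe80::2aa:ff:fe33:3333"
    link = {first_hop: "00-AA-00-22-22-22", better_hop: "00-AA-00-33-33-33"}
    host = Host(["fec0:0:0:1::/64"], [first_hop])
    resolve = lambda hop: link.get(str(hop))
    dst = "fec0::2:2aa:ff:fe99:9999"
    before = host.send(dst, resolve)
    other = host.handle_redirect(better_hop, 255, better_hop, dst)
    valid = host.handle_redirect(first_hop, 255, better_hop, dst, link[better_hop])
    return before, other, valid, host.send(dst, resolve)
```

`redirect_scenario()` returns the next hop before the Redirect, the verdict for a Redirect whose sender is not the current first hop, the verdict for the Redirect shown on the slide, and the next hop afterwards.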

53

Appendix

IPv4 Neighbor Functions and IPv6 Equivalents

IPv4 Neighbor Function   | IPv6 Neighbor Function
ARP Request message      | NS message
ARP Reply message        | NA message
ARP cache                | Neighbor cache
Gratuitous ARP           | Duplicate address detection
RS message (optional)    | RS (required)
RA message (optional)    | RA (required)
Redirect message         | Redirect message

54

Summary of ND Messages and Options

ND Message              | ND Option
Router Solicitation     | Source Link-Layer Address
Router Advertisement    | Source Link-Layer Address
                        | Prefix Information
                        | MTU
                        | Advertisement Interval
                        | Home Agent Information
                        | Route Information
Neighbor Solicitation   | Source Link-Layer Address
Neighbor Advertisement  | Target Link-Layer Address
Redirect                | Redirected Header
                        | Target Link-Layer Address

55

Q&A

