NE40E V800R010C10SPC500 Feature Description - IP Services 01

Neighbor Discovery

Neighbor discovery (ND) is a set of ICMPv6 messages and procedures through which nodes on a link learn about each other. IPv6 ND covers what the Address Resolution Protocol (ARP), ICMP Router Discovery, and ICMP Redirect do in IPv4, and adds functions such as neighbor unreachability detection and duplicate address detection.

After a node is configured with an IPv6 address, it must check that the address is not already in use on the link. A host must learn from routers which next hop to use for a destination; a router must advertise its presence, its address prefixes, and other configuration parameters so that hosts can configure themselves. To forward IPv6 packets, a node must resolve the link-layer addresses of its neighbors and track whether they remain reachable. ND performs these tasks with five ICMPv6 message types. The fifth, Redirect (type 137), lets a router point a host at a better first hop and is referred to in the Secure Neighbor Discovery section; the four used for router and neighbor discovery are:
  • Router Solicitation (RS): After startup, a host sends an RS message to a router, and waits for the router to respond with a Router Advertisement (RA) message.

  • Router Advertisement (RA): A router periodically advertises RA messages containing prefixes and flag bits.

  • Neighbor Solicitation (NS): An IPv6 node uses NS messages to obtain the link-layer address of its neighbor, check that the neighbor is reachable, and perform duplicate address detection.

  • Neighbor Advertisement (NA): A node answers an NS message with an NA message. It also sends unsolicited NA messages when its link-layer address changes, so that neighbors update their caches.

IPv6 ND provides the following functions: duplicate address detection, neighbor discovery, router discovery, and address autoconfiguration.

Duplicate Address Detection

Duplicate address detection checks whether an IPv6 address is available. The detailed process is as follows:

  1. When an IPv6 address is configured on an interface, the address is tentative and the node sends an NS message for it before using it. The NS is sent from the unspecified address (::) to the solicited-node multicast address derived from the tentative address, with the tentative address as the target.

  2. A neighbor that already uses the target address replies with an NA message carrying that address as the target. Because the soliciting node has no usable address yet, the NA is sent to the all-nodes multicast address (FF02::1).

  3. If the soliciting node receives such an NA (or an NS for the same target from another node that is also running DAD), it treats the address as a duplicate and does not assign it. If no reply arrives before the retransmit timer expires (1 second per probe and one probe by default), the address is considered unique and becomes usable.

Neighbor Discovery

Like ARP in IPv4, IPv6 ND resolves the link-layer addresses of neighbors and tracks whether they remain reachable, using NS and NA messages.

When a node needs the link-layer address of another node on the same link, it sends an NS message (ICMPv6 type 135). An NS is the counterpart of an IPv4 ARP request, but it is addressed to the target's solicited-node multicast address (FF02::1:FFxx:xxxx, formed from the low-order 24 bits of the target address) rather than to the link broadcast address. Only nodes that have joined that multicast group, that is, nodes whose addresses share those low-order 24 bits, receive and process the NS, so unrelated hosts are not interrupted as they would be by a broadcast. The target node answers with an NA message that carries its link-layer address in the Target Link-Layer Address option.

An NS message is also used for neighbor unreachability detection (NUD): when the link-layer address of a neighbor is already known, the node sends a unicast NS to confirm that the neighbor is still reachable. The NA message (ICMPv6 type 136) is the response to an NS. Once the source node receives the NA, it can forward packets to the destination node. When a node's link-layer address changes, it sends unsolicited NA messages on the local link so that its neighbors update their caches.
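The address-resolution and duplicate-address-detection exchanges described above, as an added Python example (this code is not part of the Huawei document and is not NE40E code): it derives the solicited-node multicast address and its Ethernet mapping, builds NS and NA messages with a valid ICMPv6 checksum, answers an NS on the receiver side, and simulates a DAD probe against a constructed set of neighbors. The neighbor addresses and MAC addresses are constructed test data; the code builds ICMPv6 payloads only and does not send anything on a real link.

```python
import ipaddress
import struct

ICMPV6_NS = 135          # Neighbor Solicitation
ICMPV6_NA = 136          # Neighbor Advertisement
ALL_NODES = "ff02::1"
UNSPECIFIED = "::"


def solicited_node_multicast(target):
    """FF02::1:FFxx:xxxx, where xx:xxxx are the low-order 24 bits of the target (RFC 4291 2.7.1)."""
    low24 = int(ipaddress.IPv6Address(target)) & 0xFFFFFF
    return str(ipaddress.IPv6Address(int(ipaddress.IPv6Address("ff02::1:ff00:0")) | low24))


def ipv6_multicast_mac(group):
    """Ethernet destination for an IPv6 multicast group: 33:33 plus the group's low 32 bits (RFC 2464)."""
    low32 = int(ipaddress.IPv6Address(group)) & 0xFFFFFFFF
    return "33:33:" + ":".join(f"{b:02x}" for b in low32.to_bytes(4, "big"))


def icmpv6_checksum(src, dst, icmp):
    """Ones-complement checksum over the IPv6 pseudo-header (next header 58) and the ICMPv6 message."""
    data = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
            + struct.pack("!I", len(icmp)) + b"\x00\x00\x00\x3a" + icmp)
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _finish(src, dst, body):
    """Write the checksum into bytes 2-3 of the ICMPv6 header."""
    return body[:2] + struct.pack("!H", icmpv6_checksum(src, dst, body)) + body[4:]


def build_ns(src, target, src_mac=None):
    """Return (destination, NS bytes). A DAD probe uses src '::' and must omit the source link-layer option."""
    dst = solicited_node_multicast(target)
    body = struct.pack("!BBHI", ICMPV6_NS, 0, 0, 0) + ipaddress.IPv6Address(target).packed
    if src_mac is not None and src != UNSPECIFIED:
        body += bytes([1, 1]) + bytes.fromhex(src_mac.replace(":", ""))   # option 1: Source Link-Layer Address
    return dst, _finish(src, dst, body)


def build_na(src, dst, target, target_mac, solicited, override=True, router=False):
    """NA with the R/S/O flags (RFC 4861 4.4) and a Target Link-Layer Address option (type 2)."""
    flags = (int(router) << 31) | (int(solicited) << 30) | (int(override) << 29)
    body = struct.pack("!BBHI", ICMPV6_NA, 0, 0, flags) + ipaddress.IPv6Address(target).packed
    body += bytes([2, 1]) + bytes.fromhex(target_mac.replace(":", ""))
    return _finish(src, dst, body)


def handle_ns(ns_src, ns_bytes, my_addrs, my_mac):
    """Receiver side: answer an NS whose target is one of our addresses; return (dst, NA bytes) or None."""
    if len(ns_bytes) < 24 or ns_bytes[0] != ICMPV6_NS:
        return None
    target = str(ipaddress.IPv6Address(ns_bytes[8:24]))
    if ipaddress.IPv6Address(target) not in {ipaddress.IPv6Address(a) for a in my_addrs}:
        return None
    if ns_src == UNSPECIFIED:
        # DAD probe: the solicitor has no usable address yet, so the defender answers all-nodes (RFC 4862 5.4.4)
        return ALL_NODES, build_na(target, ALL_NODES, target, my_mac, solicited=False)
    return ns_src, build_na(target, ns_src, target, my_mac, solicited=True)


def dad_probe(tentative, neighbors):
    """Simulate DAD for one tentative address.

    `neighbors` maps a neighbor's MAC to the addresses it already holds (constructed link state, not captured).
    Returns True when no neighbor claims the address, i.e. it may be assigned."""
    _, ns = build_ns(UNSPECIFIED, tentative)
    for mac, addrs in neighbors.items():
        if handle_ns(UNSPECIFIED, ns, addrs, mac) is not None:
            return False
    return True


if __name__ == "__main__":
    link = {"02:00:00:00:00:01": ["fe80::1"], "02:00:00:00:00:02": ["fe80::2"]}   # constructed neighbors
    print(dad_probe("fe80::1", link), dad_probe("fe80::3", link))                # False True
```

The same NS and NA builders serve all three uses of the message pair: address resolution (unicast source, Source Link-Layer Address option present, solicited NA sent back to the requester), NUD (the NS goes to the neighbor's unicast address instead of the multicast group), and DAD (unspecified source, no option, NA to all-nodes with the S flag clear).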

Router Discovery

Router discovery is used to locate a neighboring router and learn the address prefix and configuration parameters related to address autoconfiguration. IPv6 router discovery is implemented based on the following messages:

  • RS message

    A host that has no unicast address yet, for example one that has just started, sends an RS message (ICMPv6 type 133) to the all-routers multicast address (FF02::2), using the unspecified address as its source if it has not yet configured even a link-local address. The RS lets the host start address autoconfiguration immediately instead of waiting for the next RA message that routers send periodically.

  • RA message

    An interface on an IPv6 device sends RA messages periodically only if RA advertisement is enabled on it. A router that receives an RS message from a node on the local link also responds with an RA message. RA messages are sent to the all-nodes multicast address (FF02::1) or unicast to the IPv6 address of the node that sent the RS. An RA message is of ICMPv6 type 134 and carries the following information:

    • Whether hosts should obtain addresses through stateful configuration (DHCPv6), indicated by the Managed (M) flag

    • Whether other configuration information, such as DNS servers, is available through DHCPv6, indicated by the Other (O) flag; with both flags clear, hosts rely on stateless autoconfiguration from the advertised prefixes

    • One or more on-link prefixes (On-link nodes can perform address autoconfiguration using these address prefixes.)

    • Lifetime of the advertised on-link prefixes

    • Whether the router sending the RA message can be used as a default router (If so, the lifetime of the default router is also included, expressed in seconds.)

    • Other parameters for hosts, such as the Cur Hop Limit to use in outgoing packets, the Reachable Time and Retrans Timer values used by neighbor unreachability detection, and the link MTU (carried in an MTU option), which bounds the size of packets the host originates

    After an IPv6 host on the local link receives an RA message, it extracts the preceding information to obtain the updated default router list, prefix list, and other configurations.

Address Autoconfiguration

A router tells hosts how to configure addresses through flags carried in RA messages: the M and O flags in the RA header select stateful configuration (DHCPv6) for addresses or for other parameters, and the A (autonomous) flag of each Prefix Information option marks a prefix as usable for stateless autoconfiguration.

With stateless address autoconfiguration, a host appends its interface identifier to each advertised prefix whose A flag is set to form an IPv6 address, runs duplicate address detection on it, and installs the advertising router as a default router when the Router Lifetime in the RA is non-zero.
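A worked example of stateless address autoconfiguration, added here and not taken from the Huawei document or NE40E code: it parses Prefix Information options from a constructed RA option block, applies the RFC 4862 acceptance rules (A flag set, non-link-local prefix, consistent lifetimes, 64-bit prefix), and forms addresses with a modified EUI-64 interface identifier. The prefixes, lifetimes and MAC address are made up for the demonstration.

```python
import ipaddress
import struct

PIO_TYPE = 3            # Prefix Information option (RFC 4861 4.6.2)
PIO_FLAG_L = 0x80       # L: prefix is on-link
PIO_FLAG_A = 0x40       # A: prefix may be used for autonomous address configuration


def eui64_interface_id(mac):
    """Modified EUI-64 from a 48-bit MAC: insert ff:fe in the middle and flip the u/l bit (RFC 4291 App. A)."""
    octets = bytearray(bytes.fromhex(mac.replace(":", "").replace("-", "")))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02
    return bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])


def parse_ra_options(options):
    """Walk the RA option TLVs (8-octet units) and return the Prefix Information options as dicts."""
    prefixes, off = [], 0
    while off + 2 <= len(options):
        otype, olen = options[off], options[off + 1]
        if olen == 0:
            raise ValueError("zero-length ND option")           # RFC 4861 4.6: such a packet must be discarded
        blob = options[off:off + olen * 8]
        if len(blob) < olen * 8:
            raise ValueError("truncated ND option")
        if otype == PIO_TYPE and olen == 4:
            plen, flags, valid, preferred = struct.unpack("!BBII", blob[2:12])
            prefixes.append({
                "prefix": ipaddress.IPv6Network((bytes(blob[16:32]), plen), strict=False),
                "on_link": bool(flags & PIO_FLAG_L),
                "autonomous": bool(flags & PIO_FLAG_A),
                "valid": valid,
                "preferred": preferred,
            })
        off += olen * 8                                          # unknown options are skipped, not rejected
    return prefixes


def slaac_addresses(ra_options, mac):
    """Addresses a host would form from an RA under RFC 4862 5.5.3 (before DAD)."""
    formed = []
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    for pio in parse_ra_options(ra_options):
        net = pio["prefix"]
        if not pio["autonomous"]:
            continue                          # prefix is advertised for on-link determination only
        if net.is_link_local:
            continue                          # link-local prefixes are ignored for autoconfiguration
        if pio["preferred"] > pio["valid"]:
            continue                          # inconsistent lifetimes: ignore the option
        if net.prefixlen + 64 != 128:
            continue                          # prefix length must equal 128 minus the IID length
        formed.append(ipaddress.IPv6Address(int(net.network_address) | iid))
    return formed


def pio(prefix, flags, valid, preferred):
    """Encode one Prefix Information option (constructed test input, not a captured RA)."""
    net = ipaddress.IPv6Network(prefix)
    return (struct.pack("!BBBBII", PIO_TYPE, 4, net.prefixlen, flags, valid, preferred)
            + b"\x00" * 4 + net.network_address.packed)


# Constructed RA option block: one usable prefix, one on-link-only prefix, one with a non-64 length.
SAMPLE_RA_OPTIONS = (pio("2001:db8:1::/64", PIO_FLAG_L | PIO_FLAG_A, 2592000, 604800)
                     + pio("2001:db8:2::/64", PIO_FLAG_L, 2592000, 604800)
                     + pio("2001:db8:3::/48", PIO_FLAG_L | PIO_FLAG_A, 2592000, 604800))

if __name__ == "__main__":
    for a in slaac_addresses(SAMPLE_RA_OPTIONS, "00:1a:2b:3c:4d:5e"):
        print(a)                              # 2001:db8:1:0:21a:2bff:fe3c:4d5e
```

Two practitioner caveats follow from this code. First, an EUI-64 identifier embeds the MAC address in every global address the host forms, which allows tracking across networks; RFC 7217 and RFC 8064 recommend stable, semantically opaque identifiers instead. Second, the host accepts whatever prefixes the RA carries, which is exactly what the bogus-prefix and malicious-router attacks in the table below exploit.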

Secure Neighbor Discovery

IPsec is an integral part of IPv6, but it cannot by itself secure ND: a node has no address and no security association when it first runs ND, so the bootstrap messages cannot be protected with IPsec. ND therefore needs its own security mechanism.

In the IPv6 protocol suite, ND determines which neighbors and routers a node trusts on the local link, and an unauthenticated ND message can redirect or black-hole its traffic. As attacks on local links have become more common, securing ND has become a concern. Standard protocols (RFC 3756, IPv6 Neighbor Discovery Trust Models and Threats) catalogue the threats to ND; some of them are described in the following table.

Table 11-2 IPv6 ND attack modes

  • NS/NA spoofing

    An attacker sends an authorized node (host or router) an NS message with a bogus Source Link-Layer Address option, or an NA message with a bogus Target Link-Layer Address option. The victim updates its neighbor cache, and its packets for the spoofed IPv6 address are then delivered to the attacker's link-layer address.

  • Neighbor unreachability detection (NUD) failure

    An attacker keeps answering an authorized node's NUD probes (NS messages) with forged NA messages, so the node never notices that the neighbor has become unreachable. The impact depends on why the neighbor went away and on what the node would have done had it detected the failure, for example switching to another default router.

  • Duplicate Address Detection (DAD) attacks

    An attacker answers every DAD probe sent by a host joining the link, claiming that the tentative address is already in use. The host never obtains a usable address and is denied service.

  • Spoofed Redirect message

    An attacker sends a Redirect message to an authorized host using the link-local address of the first-hop router as the source. The host accepts the message because it appears to come from its first-hop router, and then sends traffic for the redirected destination to a next hop of the attacker's choosing.

  • Replay attacks

    An attacker captures valid ND messages and replays them later. Even when ND messages are cryptographically protected so that their contents cannot be forged, replay remains possible unless message freshness is also checked.

  • Bogus address prefix

    An attacker sends a bogus RA message marking a prefix as on-link. The host then treats destinations in that prefix as directly reachable: instead of sending packets for them to the router, it tries to resolve them with NS messages, which go unanswered, so the destinations become unreachable and the host is denied service.

  • Malicious last-hop router

    An attacker multicasts bogus RA messages, or unicasts them in reply to multicast RS messages, to a host looking for a last-hop router. If the host selects the attacker as its default router, the attacker is in the forwarding path as a man-in-the-middle and can intercept or modify all traffic between the host and its destinations.

To counter these threats, Secure Neighbor Discovery (SEND, RFC 3971) extends ND with new options. Cryptographically Generated Addresses (CGAs, RFC 3972), the CGA option, and the Rivest Shamir Adleman (RSA) Signature option together prove that the sender of an ND message owns the message's source address and that the message has not been altered. The Timestamp and Nonce options protect against replay.

  • CGA: an IPv6 address whose interface identifier is derived from a one-way hash (SHA-1) of the owner's public key together with auxiliary parameters (a 128-bit modifier, the 64-bit subnet prefix, and a collision count). The top three bits of the interface identifier encode a security parameter, Sec, that makes a brute-force search for a key matching a given address more expensive.
  • CGA option: carries the CGA Parameters needed to recompute the hash, including the sender's public key. The receiver recomputes the hash and checks that it matches the interface identifier of the message's source address; this authenticates the source address carried in the ND message.
  • RSA Signature option: carries a Key Hash (the leftmost 128 bits of the SHA-1 hash of the sender's public key, used to select the key from the CGA option) and a digital signature computed with the sender's private key over the ND message, its source and destination addresses, and a fixed type tag. The signature proves the integrity of the message and that it was sent by the holder of the private key bound to the CGA.
    NOTE:
    To impersonate an authorized node's address, an attacker would have to present a public key whose CGA hash matches that address; presenting any other key fails the CGA check. Copying the authorized node's public key does not help either, because the attacker cannot produce a valid RSA signature without the corresponding private key, so the signature check fails.
  • Timestamp option: a 64-bit unsigned value in fixed-point format, where the upper 48 bits are the number of seconds since January 1, 1970, 00:00 UTC and the lower 16 bits are 1/65536-second fractions. It protects unsolicited advertisements and Redirect messages: a receiver rejects a message whose timestamp is too far from its own clock and, for a peer it already knows, a message whose timestamp is not later than the last one accepted.
  • Nonce option: a random number chosen by the sender of a solicitation, which the advertisement sent in reply must echo. For example, a node sends an NS message carrying a Nonce option and accepts an NA message only if it carries the same nonce, so a captured NA cannot be replayed against a later solicitation.
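The CGA, Key Hash and Timestamp checks described above, as an added example that is not part of the Huawei document or NE40E code: a Python implementation of CGA generation and verification following RFC 3972, the Key Hash field of the RSA Signature option, and the 48.16 fixed-point Timestamp encoding and first-contact freshness check from RFC 3971. OWNER_PUBKEY_DER is a constructed byte string standing in for a DER-encoded public key; producing and checking the actual RSA signature needs a crypto library and is not shown here.

```python
import hashlib
import ipaddress
import os
import struct

# Constructed stand-in for a DER-encoded SubjectPublicKeyInfo; a real node carries its RSA key here.
OWNER_PUBKEY_DER = b"\x30\x82\x01\x22" + bytes(range(256)) + b"\x02\x03\x01\x00\x01"


def _hash1(modifier, prefix8, collision, pubkey_der):
    """Hash1: leftmost 64 bits of SHA-1 over the full CGA Parameters (RFC 3972 section 4)."""
    return hashlib.sha1(modifier + prefix8 + bytes([collision]) + pubkey_der).digest()[:8]


def _hash2(modifier, pubkey_der):
    """Hash2: leftmost 112 bits of SHA-1 with subnet prefix and collision count set to zero."""
    return hashlib.sha1(modifier + b"\x00" * 9 + pubkey_der).digest()[:14]


def _hash2_ok(modifier, pubkey_der, sec):
    """Hash2 must start with 16*Sec zero bits; Sec=0 imposes no condition."""
    return sec == 0 or int.from_bytes(_hash2(modifier, pubkey_der), "big") >> (112 - 16 * sec) == 0


def cga_generate(prefix, pubkey_der, sec=0, collision=0, modifier=None):
    """Return (address, params) with params = (modifier, subnet prefix, collision count, public key)."""
    if not 0 <= collision <= 2:
        raise ValueError("collision count must be 0..2 (RFC 3972 step 7)")
    prefix8 = ipaddress.IPv6Network(prefix).network_address.packed[:8]
    modifier = modifier if modifier is not None else os.urandom(16)
    while not _hash2_ok(modifier, pubkey_der, sec):       # brute-force search; cost grows as 2^(16*Sec)
        modifier = ((int.from_bytes(modifier, "big") + 1) & (2 ** 128 - 1)).to_bytes(16, "big")
    iid = bytearray(_hash1(modifier, prefix8, collision, pubkey_der))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)                    # Sec in the top 3 bits, u and g bits cleared
    return ipaddress.IPv6Address(prefix8 + bytes(iid)), (modifier, prefix8, collision, pubkey_der)


def cga_verify(address, params):
    """Receiver check: does the claimed public key really bind to this source address? (RFC 3972 section 5)"""
    modifier, prefix8, collision, pubkey_der = params
    packed = ipaddress.IPv6Address(address).packed
    if collision > 2 or packed[:8] != prefix8:
        return False
    sec = packed[8] >> 5
    h1 = bytearray(_hash1(modifier, prefix8, collision, pubkey_der))
    h1[0] &= 0x1C                                             # compare ignoring Sec and u/g bits
    if bytes(h1) != bytes([packed[8] & 0x1C]) + packed[9:]:
        return False
    return _hash2_ok(modifier, pubkey_der, sec)


def rsa_option_key_hash(pubkey_der):
    """Key Hash field of the RSA Signature option: leftmost 128 bits of SHA-1 over the public key (RFC 3971 5.2)."""
    return hashlib.sha1(pubkey_der).digest()[:16]


def encode_timestamp(seconds):
    """Timestamp option value: 48-bit whole seconds since 1970 and a 16-bit 1/65536 s fraction (RFC 3971 5.3.1)."""
    whole = int(seconds)
    return struct.pack("!Q", (whole << 16) | int((seconds - whole) * 65536))


def timestamp_fresh(ts_bytes, now, delta=300.0):
    """First-contact rule of RFC 3971 5.3.4.2: the Timestamp must lie within Delta (default 300 s) of receive time."""
    raw = struct.unpack("!Q", ts_bytes)[0]
    ts = (raw >> 16) + (raw & 0xFFFF) / 65536
    return abs(now - ts) < delta


if __name__ == "__main__":
    addr, params = cga_generate("2001:db8:1::/64", OWNER_PUBKEY_DER, sec=1)
    print(addr, cga_verify(addr, params))
    forged = (params[0], params[1], params[2], OWNER_PUBKEY_DER + b"\x01")   # attacker substitutes a key
    print(cga_verify(addr, forged))                                           # False
```

The verifier never trusts the Sec value on its own: it is read from the address, and the Hash2 condition is re-checked with that Sec, so an attacker cannot lower the work factor by advertising Sec=0 for an address generated with Sec=1. Note that the time-based check above is the first-contact rule only; for a peer already in the neighbor cache, RFC 3971 additionally requires the new timestamp to advance relative to the last accepted one.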

An interface with the IPv6 SEND function configured rejects insecure ND messages. An ND message is treated as insecure if any of the following conditions holds:

  • The message does not carry the CGA option or the RSA Signature option, which indicates that the sending interface is not configured with a CGA.
  • The public key carried in the message is longer than the maximum key length the interface supports.
  • The rate at which ND messages are received exceeds the system rate limit.
  • The difference between the message's Timestamp and the local receive time exceeds the tolerance configured on the interface.
NOTE:
In accordance with the standard (RFC 3971), the Key Hash field of the RSA Signature option is computed with the SHA-1 algorithm. SHA-1 is no longer considered a secure hash algorithm.
Updated: 2019-01-03

Document ID: EDOC1100055041
