Neighbor Discovery Considerations in IPv6 Deployments Huawei Technologies
xipengxiao@huawei.com
Huawei Technologies
vasilenko.eduard@huawei.com
KPN N.V.
eduard.metz@kpn.com
Verizon Inc.
gyan.s.mishra@verizon.com
Energy Sciences Network
buraglio@es.net
OPS v6ops ND NDP SLACC DHCPv6-PD host isolation The Neighbor Discovery (ND) protocol is a critical component of the IPv6 architecture. The protocol uses multicast in many messages. It also assumes a security model where all nodes on a link are trusted. Such a design might be inefficient in some scenarios (e.g., use of multicast in wireless networks) or when nodes are not trustworthy (e.g., public access networks). These security and operational issues and the associated mitigation solutions are documented in more than twenty RFCs. There is a need to track these issues and solutions in a single document. To that aim, this document summarizes the published ND issues and then describes how all these issues originate from three causes. Addressing the issues is made simpler by addressing the causes. This document also analyzes the mitigation solutions and demonstrates that isolating hosts into different subnets and links can help to address the three causes. Guidance is provided for selecting a suitable isolation method to prevent potential ND issues.
Status of This Memo This document is not an Internet Standards Track specification; it is published for informational purposes. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are candidates for any level of Internet Standard; see Section 2 of RFC 7841. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at .
Copyright Notice Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents () in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
Table of Contents
  • .  Introduction
    • .  Terminology
  • .  Review of Inventoried ND Issues
    • .  Multicast May Cause Performance and Reliability Issues
    • .  Trusting-All-Nodes May Cause On-Link Security Issues
    • .  Router-NCE-on-Demand May Cause Forwarding Delay, NCE Exhaustion, and Address Accountability Issues
    • .  Summary of ND Issues
  • .  Review of ND Mitigation Solutions
    • .  Mobile Broadband IPv6 (MBBv6)
    • .  Fixed Broadband IPv6 (FBBv6)
    • .  Unique Prefix per Host (UPPH)
    • .  Wireless ND (WiND)
    • .  Scalable Address Resolution Protocol (SARP)
    • .  ND Optimization for TRILL
    • .  Proxy ND in Ethernet Virtual Private Networks (ND EVPN)
    • .  Reducing Router Advertisements per RFC 7772
    • .  Gratuitous Neighbor Discovery (GRAND)
    • Source Address Validation Improvement (SAVI) and Router Advertisement Guard (RA-Guard)
    • Dealing with NCE Exhaustion Attacks per RFC 6583
    • Registering Self-Generated IPv6 Addresses Using DHCPv6 per RFC 9686
    • Enhanced DAD
    • ND Mediation for IP Interworking of Layer 2 VPNs
    • ND Solutions Defined Before the Latest Versions of ND
      • .  Secure Neighbor Discovery (SEND)
      • .  Cryptographically Generated Addresses (CGA)
      • .  ND Proxy
      • .  Optimistic DAD
  • .  Guidelines for Prevention of Potential ND Issues
    • .  Learning Host Isolation from the Existing Solutions
    • .  Applicability of Various Isolation Methods
      • .  Applicability of L3+L2 Isolation
      • .  Applicability of L3 Isolation
      • .  Applicability of Partial L2 Isolation
    • .  Guidelines for Applying Isolation Methods
  • .  Security Considerations
  • .  IANA Considerations
  • .  References
    • .  Normative References
    • .  Informative References
  • Acknowledgements
  • Authors' Addresses
Introduction Neighbor Discovery (ND) specifies the mechanisms that IPv6 nodes (hosts and routers) on the same link use to communicate and learn about each other. Stateless Address Autoconfiguration (SLAAC) builds on those ND mechanisms to let nodes configure their own IPv6 addresses. When analyzing the issues nodes may encounter with ND, it helps to view the ND messages they exchange throughout their life cycle, taking SLAAC into consideration. For a host, the overall procedure is as follows:
  1. LLA DAD: The host forms a Link-Local Address (LLA) and performs Duplicate Address Detection (DAD) using multicast Neighbor Solicitations (NSs).
  2. Router discovery: The host sends multicast Router Solicitations (RSs) to discover a router on the link. The router responds with Router Advertisements (RAs), providing subnet prefixes and other information. The host installs a Neighbor Cache Entry (NCE) for that router upon receiving the RAs. In contrast, the router cannot install an NCE for the host at this moment of the exchange because the host's global IP address is still unknown. When the router later needs to forward a packet to the host's global address, it will perform address resolution and install an NCE for the host.
  3. GUA DAD: The host forms a Global Unicast Address (GUA) or a Unique Local Address (ULA) and uses multicast NSs for DAD. For simplicity of description, this document will not further distinguish GUA and ULA.
  4. Next-hop determination and address resolution: When the host needs to send a packet, it will first determine whether the next hop is a router or an on-link host (which is the destination). If the next hop is a router, the host already has the NCE for that router. If the next hop is an on-link host, it will use multicast NSs to perform address resolution for the destination host. As a result, the source host installs an NCE for the destination host.
  5. Node Unreachability Detection (NUD): The host uses unicast NSs to determine whether another node with an NCE is still reachable.
  6. Link-layer address change announcement: If a host's link-layer address changes, it may use multicast Neighbor Advertisements (NAs) to announce its new link-layer address to other nodes.
For a router, the procedure is similar except that there is no router discovery. Instead, routers perform a Redirect procedure that hosts do not have. A router sends a Redirect to inform a node of a better next hop for the node's traffic. ND uses multicast in many messages and trusts messages from all nodes; in addition, routers may install NCEs for hosts on demand when they are to forward packets to these hosts. These may lead to issues. Concretely, various ND issues and mitigation solutions have been published in more than 20 RFCs, including:
  • "IPv6 Neighbor Discovery (ND) Trust Models and Threats"
  • "SEcure Neighbor Discovery (SEND)"
  • "Cryptographically Generated Addresses (CGA)"
  • "Neighbor Discovery Proxies (ND Proxy)"
  • "Optimistic Duplicate Address Detection (DAD) for IPv6"
  • "IPv6 in 3rd Generation Partnership Project (3GPP) Evolved Packet System (EPS)"
  • "IPv6 for Third Generation Partnership Project (3GPP) Cellular Hosts"
  • "IPv6 in the context of TR-101"
  • "Address Resolution Protocol (ARP) Mediation for IP Interworking of Layer 2 VPNs"
  • "Operational Neighbor Discovery Problems"
  • "Neighbor Discovery Optimization for IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs)"
  • "Registration Extensions for IPv6 over Low-Power Wireless Personal Area Network (6LoWPAN) Neighbor Discovery"
  • "Address-Protected Neighbor Discovery for Low-Power and Lossy Networks"
  • "IPv6 Backbone Router"
  • "Architecture and Framework for IPv6 over Non-Broadcast Access"
  • "Duplicate Address Detection Proxy"
  • "Source Address Validation Improvement (SAVI) Framework"
  • "IPv6 Router Advertisement Guard"
  • "Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard)"
  • "Enhanced Duplicate Address Detection"
  • "The Scalable Address Resolution Protocol (SARP) for Large Data Centers"
  • "Reducing Energy Consumption of Router Advertisements"
  • "Unique IPv6 Prefix per Host"
  • "Transparent Interconnection of Lots of Links (TRILL): ARP and Neighbor Discovery (ND) Optimization"
  • "Gratuitous Neighbor Discovery: Creating Neighbor Cache Entries on First-Hop Routers"
  • "Operational Aspects of Proxy ARP/ND in Ethernet Virtual Private Networks"
  • "Using DHCPv6 Prefix Delegation (DHCPv6-PD) to Allocate Unique IPv6 Prefixes per Client in Large Broadcast Networks"
This document summarizes these RFCs into a one-stop reference (as of the time of writing) for easier access. This document also identifies three causes of the issues and defines three host isolation methods to address the causes and prevent potential ND issues.
Terminology This document uses the terms defined in . Additional terms are defined in this section.
MAC:
Media Access Control. To avoid confusion with link-local addresses, link-layer addresses are referred to as "MAC addresses" in this document.
Host Isolation:
Separating hosts into different subnets or links.
L3 Isolation:
Allocating a Unique Prefix per Host (UPPH) so that every host is in a different subnet. Given that a unique prefix can be allocated per host on shared media, hosts in different subnets may be on the same link.
L2 Isolation:
Taking measures to prevent a host from reaching other hosts directly in Layer 2 (L2) so that every host is in a different link. Due to the existence of Multi-Link Subnet , hosts in different links may be in the same subnet. Therefore, L2 Isolation does not imply L3 Isolation, and L3 Isolation does not imply L2 Isolation either.
L3+L2 Isolation:
Applying L3 Isolation and L2 Isolation simultaneously so that every host is in a different subnet and on a different link.
Partial L2 Isolation:
Using an L3 ND Proxy device to represent the hosts behind it to other hosts in the same subnet. Within the subnet, ND multicast exchange is segmented into multiple smaller scopes, each represented by an ND Proxy device.
Review of Inventoried ND Issues
Multicast May Cause Performance and Reliability Issues In some cases, ND uses multicast for NSs, NAs, RSs, and RAs. While multicast can be highly efficient in certain scenarios (e.g., in wired networks), multicast can also be inefficient in other scenarios (e.g., in large L2 networks or wireless networks). Typically, multicast can create a large amount of protocol traffic in large L2 networks. This can consume network bandwidth, increase processing overhead, and degrade network performance . In wireless networks, multicast can be inefficient or even unreliable due to a higher probability of transmission interference, lower data rate, and lack of acknowledgements (). Multicast-related performance issues of the various ND messages are summarized below:
  • Issue 1: LLA DAD degrades performance In an L2 network of N addresses (which can be much larger than the number of hosts, as each host can have multiple addresses), there can be N such multicast messages. This may cause performance issues when N is large.
  • Issue 2: Router's periodic unsolicited RAs drain host's battery Multicast RAs are generally limited to one packet every MIN_DELAY_BETWEEN_RAS (3 seconds), and there are usually only one or two routers on the link, so it is unlikely to cause a performance issue. However, for battery-powered hosts, such messages may wake them up and drain their batteries .
  • Issue 3: GUA DAD degrades performance This is the same as in Issue 1.
  • Issue 4: Router's address resolution for hosts degrades performance This is the same as in Issue 1.
  • Issue 5: Host's address resolution for hosts degrades performance This is the same as in Issue 1.
  • Issue for further study: Multicast NAs for host's MAC address changes may degrade performance With randomized and changing MAC addresses , there may be many such multicast messages.
In wireless networks, multicast is more likely to cause packet loss. Because DAD treats no response as no duplicate address detected, packet loss may cause duplicate addresses to be undetected. Multicast reliability issues are summarized below:
  • Issue 6: LLA DAD not completely reliable in wireless networks
  • Issue 7: GUA DAD not completely reliable in wireless networks
Note: IPv6 address collisions are extremely unlikely. As a result, these two issues are largely theoretical rather than practical.
Trusting-All-Nodes May Cause On-Link Security Issues In scenarios such as public access networks, some nodes may not be trustworthy. An attacker on the link can cause the following on-link security issues :
  • Issue 8: Source IP address spoofing An attacker can use another node's IP address as the source address of its ND message to pretend to be that node. The attacker can then launch various Redirect or Denial-of-Service (DoS) attacks.
  • Issue 9: Denial of DAD An attacker can repeatedly reply to a victim's DAD messages, causing the victim's address configuration procedure to fail, resulting in a DoS to the victim.
  • Issue 10: Rogue RAs An attacker can send RAs to victim hosts to pretend to be a router. The attacker can then launch various Redirect or DoS attacks.
  • Issue 11: Spoofed redirects An attacker can send forged Redirects to victim hosts to redirect their traffic to the legitimate router itself.
  • Issue 12: Replay attacks An attacker can capture valid ND messages and replay them later.
Router-NCE-on-Demand May Cause Forwarding Delay, NCE Exhaustion, and Address Accountability Issues When a router needs to forward a packet to a node but does not yet have a Neighbor-Cache Entry (NCE) for that node, it first creates an NCE in the INCOMPLETE state. The router then multicasts an NS to the node's solicited-node multicast address. When the destination replies with an NA containing its MAC address, the router updates the NCE with that address and changes its state to REACHABLE, thereby completing the entry. This process is referred to as "Router‑NCE‑on‑Demand" in this document. Router-NCE-on-Demand can cause the following issues:
  • Issue 13: NCE exhaustion An attacker can send a high volume of packets targeting non-existent IP addresses, causing the router to create numerous NCEs in the INCOMPLETE state. The resulting resource exhaustion may cause the router to malfunction. This vulnerability, described as "NCE exhaustion" in this document, does not require the attacker to be on-link.
  • Issue 14: Router forwarding delay When a packet arrives at a router, the router buffers it while attempting to determine the host's MAC address. This buffering delays forwarding and, depending on the router's buffer size, may lead to packet loss. This delay is referred to as "Router‑NCE‑on‑Demand forwarding delay" in this document.
  • Issue 15: Lack of address accountability With SLAAC, hosts generate their IP addresses. The router does not become aware of a host's IP address until an NCE entry is created. With DHCPv6 , the router may not know the host's addresses unless it performs DHCPv6 snooping. In public access networks, where subscriber management often relies on IP address (or prefix) identification, this lack of address accountability poses a challenge . Without knowledge of the host's IP address, network administrators are unable to effectively manage subscribers, which is particularly problematic in public access networks. Moreover, once a router has created its NCEs, ND provides no mechanism to retrieve them for management or monitoring, as noted in .
Summary of ND Issues The ND issues, as discussed in Sections , , and , are summarized below. These issues stem from three primary causes: multicast, Trusting-all-nodes, and Router-NCE-on-Demand. Eliminating any of these causes would also mitigate the corresponding issues. These observations provide guidance for addressing and preventing ND- related issues.
  1. Multicast-related issues:
    • Performance issues:
      • Issue 1: LLA DAD degrades performance
      • Issue 2: Router's periodic unsolicited RAs drain host's battery
      • Issue 3: GUA DAD degrades performance
      • Issue 4: Router's address resolution for hosts degrades performance
      • Issue 5: Host's address resolution for hosts degrades performance
    • Reliability issues:
      • Issue 6: LLA DAD not completely reliable in wireless networks
      • Issue 7: GUA DAD not completely reliable in wireless networks
  2. Trusting-all-nodes related issues:
    • Issue 8: Source IP address spoofing
    • Issue 9: Denial of DAD
    • Issue 10: Rogue RAs
    • Issue 11: Spoofed redirects
    • Issue 12: Replay attacks
  3. Router-NCE-on-Demand related issues:
    • Issue 13: NCE exhaustion
    • Issue 14: Router forwarding delay
    • Issue 15: Lack of address accountability
These issues are potential vulnerabilities and may not manifest in all usage scenarios. When these issues may occur in a specific deployment, it is advisable to consider the mitigation solutions available. They are described in the following section.
Review of ND Mitigation Solutions summarizes ND mitigation solutions available for Issues 1-15 described in . Similar solutions are grouped, beginning with those that address the most issues. Unrelated solutions are ordered based on the issues (listed in ) they address. Each solution in the table will be explained in a sub-section later, where abbreviations in the table are described. In , a letter code indicates the RFC category of the mitigation solution (see BCP 9 for an explanation of these categories):
S:
Standards Track (Proposed Standard or Internet Standard)
E:
Experimental
I:
Informational
B:
Best Current Practice
N/A:
Not Applicable (not an RFC)
The abbreviations in correspond to as follows:
On-link sec.:
Trusting-all-nodes related issues
NCE exh.:
NCE exhaustion
Fwd. delay:
Router forwarding delay
No addr. acc.:
Lack of address accountability
Solutions for Identified Issues
ND solution RFC cat. Multicast performance Reliability On-link sec. NCE exh. Fwd. delay No addr. acc.
1 2 3 4 5 6 7 8-12 13 14 15
MBBv6 I All identified issues solved
FBBv6 N/A All identified issues solved
UPPH I X X X X X X X
WiND S All issues solved for Low-Power and Lossy Networks (LLNs)
SARP E X
ND TRILL S X
ND EVPN S X
RFC 7772 B X
GRAND S X X
SAVI/RA-G I X
RFC 6583 I X
RFC 9686 S X
Mobile Broadband IPv6 (MBBv6) The IPv6 solution defined in "IPv6 in 3rd Generation Partnership Project (3GPP) Evolved Packet System (EPS)" , "IPv6 for Third Generation Partnership Project (3GPP) Cellular Hosts" , and "Extending an IPv6 /64 Prefix from a Third Generation Partnership Project (3GPP) Mobile Interface to a LAN Link" is called Mobile Broadband IPv6 (MBBv6) in this document. They are Informational RFCs. The key points are:
  • Putting every host (e.g., the mobile User Equipment (UE)) in a Point-to-Point (P2P) link with the router (e.g., the mobile gateway) has the following outcomes:
    • All multicast is effectively turned into unicast.
    • The P2P links do not have a MAC address. Therefore, Router- NCE-on-Demand is not needed.
    • Trusting-all-nodes is only relevant to the router. By applying filtering at the router (e.g., dropping RAs from the hosts), even malicious hosts cannot cause harm.
  • Assigning a unique /64 prefix to each host. Together with the P2P link, this puts each host on a separate link and subnet.
  • Maintaining (prefix, interface) binding at the router for forwarding purposes.
Since all the three causes of ND issues are addressed, all the issues discussed in are addressed.
Fixed Broadband IPv6 (FBBv6) The IPv6 solution defined in "IPv6 in the context of TR-101" is called Fixed Broadband IPv6 (FBBv6) in this document. FBBv6 has two flavors:
  • P2P: Every host (e.g., the Residential Gateway (RG)) is in a P2P link with the router (e.g., the Broadband Network Gateway (BNG)). In this case, the solution is functionally similar to MBBv6. All ND issues discussed in are solved.
  • Point to Multipoint (P2MP): All hosts (e.g., the RGs) connected to an access device (e.g., the Optical Line Terminal (OLT)) are in a P2MP link with the router (e.g., the BNG). This is achieved by placing all hosts in a single VLAN on the router and configuring the OLT to block any frame from being forwarded between its access ports; traffic from each host can travel only up toward the router, not sideways to another host, thereby preventing direct host-to-host communication.
The following list summarizes the two key aspects of the FBBv6-P2MP architecture as described in and the associated benefits:
  • Implementing DAD proxy : In a P2MP architecture described above, the normal ND DAD procedure will break down because hosts cannot exchange NSs with one another. To address this, the router participates in the DAD process as a DAD Proxy to resolve address duplication. The benefits are:
    • Multicast traffic from all hosts to the router is effectively converted into unicast, as hosts can only communicate directly with the router.
    • The Trusting-all-nodes model is limited to the router. By applying simple filtering (e.g., dropping RAs from hosts), the router can mitigate security risks, even from malicious hosts.
  • Assigning a unique /64 prefix to each host: Assigning each host a unique /64 prefix results in several operational improvements:
    • The router can proactively install a forwarding entry for that prefix towards the host, eliminating the need for Router-NCE-on-Demand.
    • Since each host resides in a different subnet, traffic between hosts is routed through the router, eliminating the need for hosts to perform address resolution for one another.
    • Without address resolution, router multicast to hosts is limited to unsolicited RAs. As each host resides in its own subnet, these RAs are sent as unicast packets to individual hosts. This follows the approach specified in , where the host's MAC address replaces the multicast MAC address in the RA.
Since all three causes of ND issues are addressed, all ND issues () are also addressed.
Unique Prefix per Host (UPPH) Unique Prefix per Host (UPPH) solutions are described in and . Both are Informational RFCs. relies on SLAAC for unique prefix allocation while relies on DHCPv6 Prefix Delegation (DHCPv6-PD). That difference in allocation mechanism does not change the discussion on ND issues, because every IPv6 node is still required to run SLAAC, even when it receives its prefix via DHCPv6-PD. Therefore, discussing alone is sufficient. "improves host isolation and enhanced subscriber management on shared network segments" such as Wi-Fi or Ethernet. The key points are:
  • When a prefix is allocated to the host, the router can proactively install a forwarding entry for that prefix towards the host. There is no more Router-NCE-on-Demand.
  • Without address resolution, router multicast to hosts consists only of unsolicited RAs. They will be sent to hosts one by one in unicast because the prefix for every host is different.
  • Since different hosts are in different subnets, hosts will send traffic to other hosts via the router. There is no host-to-host address resolution.
Therefore, ND issues caused by Router-NCE-on-Demand and router multicast to hosts are prevented. indicates that a "network implementing a unique IPv6 prefix per host can simply ensure that devices cannot send packets to each other except through the first-hop router". However, when hosts are on a shared medium like Ethernet, ensuring "devices cannot send packets to each other except through the first-hop router" requires additional measures like Private VLAN . Without such additional measures, on a shared medium, hosts can still reach each other in L2 as they belong to the same Solicited-Node Multicast Group. Therefore, Trusting-all-nodes and host multicast to routers may cause issues. Of the host multicast issues (i.e., Issues 1, 3, 5, 6, and 7), UPPH prevents Issues 5 and 7, because there is no need for address resolution among hosts (Issue 5), and there is no possibility of GUA duplication (Issue 7). However, Issues 1, 3, and 6 may occur.
Wireless ND (WiND) The term "Wireless ND (WiND)" is used in this document to describe the fundamentally different ND solution for Low-Power and Lossy Networks (LLNs) that is defined in , , , and (Standards Track). WiND changes host and router behaviors to use multicast only for router discovery. The key points are:
  • Hosts use unicast to proactively register their addresses at the routers. Routers use unicast to communicate with hosts and become an abstract registrar and arbitrator for address ownership.
  • The router also proactively installs NCEs for the hosts. This avoids the need for address resolution for the hosts.
  • The router sets the Prefix Information Option (PIO) L-bit to 0. Each host communicates only with the router ().
  • Other functionalities that are relevant only to LLNs.
WiND addresses all ND issues () in LLNs. However, WiND support is not mandatory for general-purpose hosts. Therefore, it cannot be relied upon as a deployment option without imposing additional constraints on the participating nodes.
Scalable Address Resolution Protocol (SARP) The Scalable Address Resolution Protocol (SARP) was an Experimental solution. That experiment ended in 2017, two years after the RFC was published. Because the idea has been used in mitigation solutions for more specific scenarios (described in Sections and ), it is worth describing here. The usage scenario is Data Centers (DCs), where large L2 domains span across multiple sites. In each site, multiple hosts are connected to a switch. The hosts can be Virtual Machines (VMs), so the number can be large. The switches are interconnected by a pure or overlay L2 network. The switch will snoop and install a (IP, MAC address) proxy table for the local hosts. The switch will also reply to address resolution requests from other sites to its hosts with its own MAC address. In doing so, all hosts within a site will appear to have a single MAC address to other sites. As such, a switch only needs to build a MAC address table for the local hosts and the remote switches, not for all the hosts in the L2 domain. Consequently, the MAC address table size of the switches is significantly reduced. A switch will also add the (IP, MAC address) replies from remote switches to its proxy ND table so that it can reply to future address resolution requests from local hosts for such IPs directly. This greatly reduces the number of address resolution multicast in the network. Unlike MBBv6, FBBv6, and UPPH, which try to address all ND issues discussed in , SARP focuses on reducing address resolution multicast to improve the performance and scalability of large L2 domains in DCs.
ND Optimization for TRILL ARP and ND optimization for Transparent Interconnection of Lots of Links (TRILL) (Standards Track) is similar to SARP (). It can be considered an application of SARP in the TRILL environment. Like SARP, ND optimization for TRILL focuses on reducing multicast address resolution. That is, it addresses Issue 5 ().
Proxy ND in Ethernet Virtual Private Networks (ND EVPN) Proxy ARP/ND in EVPN is specified in (Standards Track). The usage scenario is DCs where large L2 domains span across multiple sites. In each site, multiple hosts are connected to a Provider Edge (PE) router. The PEs are interconnected by EVPN tunnels. The PE of each site snoops the local address resolution NAs to build (IP, MAC address) Proxy ND table entries. PEs then propagate such Proxy ND entries to other PEs via the Border Gateway Protocol (BGP). Each PE also snoops local hosts' address resolution NSs for remote hosts. If an entry exists in its Proxy ND table for the remote hosts, the PE will reply directly. Consequently, the number of multicast address resolution messages is significantly reduced. Like SARP, Proxy ARP/ND in EVPN also focuses on reducing address resolution multicast.
Reducing Router Advertisements per RFC 7772 Maintaining IPv6 connectivity requires that hosts be able to receive periodic multicast RAs . Hosts that process unicast packets while they are asleep must also process multicast RAs while they are asleep. An excessive number of RAs can significantly reduce the battery life of mobile hosts. (Best Current Practice) specifies a solution to reduce RAs:
  • The router should respond to RS with unicast RA (rather than the normal multicast RA) if the host's source IP address is specified and the host's MAC address is valid. This way, other hosts will not receive this RA.
  • The router should reduce the multicast RA frequency.
addresses Issue 2 ().
Gratuitous Neighbor Discovery (GRAND) GRAND (Standards Track) changes ND in the following ways:
  • A node sends unsolicited NAs upon assigning a new IPv6 address to its interface.
  • A router creates a new NCE for the node and sets its state to STALE.
When a packet for the host later arrives, the router can use the existing STALE NCE to forward it immediately (). It then verifies reachability by sending a unicast NS rather than a multicast one for address resolution. In this way, GRAND eliminates the router forwarding delay, but it does not solve other Router-NCE-on-Demand issues. For example, NCE exhaustion can still happen.
Source Address Validation Improvement (SAVI) and Router Advertisement Guard (RA-Guard) Source Address Validation Improvement (SAVI) (Informational) binds an address to a port on an L2 switch and rejects claims from other ports for that address. Therefore, a node cannot spoof the IP address of another node. Router Advertisement Guard (RA-Guard) (Informational) only allows RAs from a port that a router is connected to. Therefore, nodes on other ports cannot pretend to be a router. SAVI and RA-Guard address the on-link security issues.
Dealing with NCE Exhaustion Attacks per RFC 6583 (Informational) deals with the NCE exhaustion attack issue (). It recommends that:
  • Operators should:
    • Filter unused address space so that messages to such addresses can be dropped rather than triggering NCE creation.
    • Implement rate-limiting mechanisms for ND message processing to prevent CPU and memory resources from being overwhelmed.
  • Vendors should:
    • Prioritize NDP processing for existing NCEs over creating new NCEs.
acknowledges that "some of these options are 'kludges', and can be operationally difficult to manage". partially addresses the Router NCE exhaustion issue. In practice, router vendors cap the number of NCEs per interface to prevent cache exhaustion. If the link has more addresses than that cap, the router cannot keep an entry for every address, and packets destined for addresses without an NCE are simply dropped .
Registering Self-Generated IPv6 Addresses Using DHCPv6 per RFC 9686 In IPv4, network administrators can retrieve a host's IP address from the DHCP server and use it for subscriber management. In IPv6 and SLAAC, this is not possible (). (Standards Track) defines a method for informing a DHCPv6 server that a host has one or more self-generated or statically configured addresses. This enables network administrators to retrieve the IPv6 addresses for each host from the DHCPv6 server. provides a solution for Issue 15 ().
Enhanced DAD Enhanced DAD (Standards Track) addresses a DAD failure issue in a specific situation: a looped-back interface. DAD will fail in a looped-back interface because the sending host will receive the DAD message back and will interpret it as another host is trying to use the same address. The solution is to include a Nonce option in each DAD message so that the sending host can detect that the looped-back DAD message is sent by itself. Enhanced DAD does not solve any ND issue. It extends ND to work in a new scenario: a looped-back interface. It is reviewed here only for completeness.
ND Mediation for IP Interworking of Layer 2 VPNs ND mediation is specified in (Standards Track). When two Attachment Circuits (ACs) are interconnected by a Virtual Private Wired Service (VPWS), and the two ACs are of different media (e.g., one is Ethernet while the other is Frame Relay), the two PEs must interwork to provide mediation service so that a Customer Edge (CE) can resolve the MAC address of the remote end. specifies such a solution. ND mediation does not address any ND issue. It extends ND to work in a new scenario: two ACs of different media interconnected by a VPWS. It is reviewed here only for completeness.
ND Solutions Defined Before the Latest Versions of ND The latest versions of ND and SLAAC are specified in and . Several ND mitigation solutions were published before . They are reviewed in this section only for completeness.
Secure Neighbor Discovery (SEND) The purpose of SEND (Standards Track) is to ensure that hosts and routers are trustworthy. SEND defined three new ND options: Cryptographically Generated Addresses (CGA) (Standards Track), RSA public-key cryptosystem, and Timestamp/Nonce. In addition, SEND also defined an authorization delegation discovery process, an address ownership proof mechanism, and requirements for the use of these components in the ND protocol.
Cryptographically Generated Addresses (CGA) The purpose of CGA is to associate a cryptographic public key with an IPv6 address in the SEND protocol. The key point is to generate the Interface Identifier (IID) of an IPv6 address by computing a cryptographic hash of the public key. The resulting IPv6 address is called a CGA. The corresponding private key can then be used to sign messages sent from the address. CGA assumes that a legitimate host does not care about the bit combination of the IID that would be created by some hash procedure. The attacker needs an exact IID to impersonate the legitimate hosts, but then the attacker is challenged to do a reverse hash calculation, which is a strong mathematical challenge. CGA is part of SEND. There is no reported deployment.
ND Proxy ND Proxy (Experimental) aims to enable multiple links joined by an ND Proxy device to work as a single link.
  • When an ND Proxy receives an ND request from a host on a link, it will proxy the message out the "best" (defined in the next paragraph) outgoing interface. If there is no best interface, the ND Proxy will proxy the message to all other links. Here, proxy means acting as if the ND message originates from the ND Proxy itself. That is, the ND Proxy will change the ND message's source IP and source MAC address to the ND Proxy's outgoing interface's IP and MAC address, and create an NCE entry at the outgoing interface accordingly.
  • When ND Proxy receives an ND reply, it will act as if the ND message is destined for itself, and update the NCE entry state at the receiving interface. Based on such state information, the ND Proxy can determine the "best" outgoing interface for future ND requests. The ND Proxy then proxies the ND message back to the requesting host.
ND Proxy is widely used in SARP (), ND optimization for TRILL (), and Proxy ARP/ND in EVPN ().
Optimistic DAD Optimistic DAD (Standards Track) seeks to minimize address configuration delays in the successful case and to reduce disruption as far as possible in the failure case. That is, Optimistic DAD lets hosts immediately use the newly formed address to communicate before DAD completes, assuming that DAD will succeed anyway. If the address turns out to be duplicate, Optimistic DAD provides a set of mechanisms to minimize the impact. Optimistic DAD modified the original ND and original SLAAC (both of which are obsolete), but the solution was not incorporated into the latest specifications of ND and SLAAC . However, implementations of Optimistic DAD exist. Optimistic DAD does not solve any ND issue (). It is reviewed here only for completeness.
Guidelines for Prevention of Potential ND Issues By knowing the potential ND issues and associated mitigation solutions, network administrators of existing IPv6 deployments can assess whether these issues may occur in their networks and, if so, whether to deploy the mitigation solutions proactively. Deploying these solutions may take time and additional resources. Therefore, it is advisable to plan. Network administrators planning to start their IPv6 deployments can use the issue-solution information to help plan their deployments. Moreover, they can take proactive action to prevent potential ND issues.
Learning Host Isolation from the Existing Solutions While various ND solutions may initially appear unrelated, categorizing them into four distinct groups highlights an important observation: host isolation is an effective strategy for mitigating ND-related issues.
  • Group 1: L3 and L2 Isolation This group includes MBBv6 and FBBv6, which isolate hosts at both L3 and L2 by placing each host within its subnet and link. This prevents ND issues caused by multicast and Trusting-all-nodes, as each host operates within its isolated domain. Furthermore, since routers can route packets to a host based on its unique prefix, the need for Router-NCE-on-Demand is also eliminated. Therefore, L3 and L2 Isolation prevent all ND issues.
  • Group 2: L3 Isolation This group includes UPPH solutions like and , which isolate hosts into separate subnets while potentially leaving them on the same shared medium. This approach mitigates ND issues caused by router multicast to hosts and eliminates the need for Router-NCE-on-Demand, as detailed in .
  • Group 3: Partial L2 Isolation This group encompasses solutions such as WiND, SARP, ND optimization for TRILL, and Proxy ND in EVPN. These solutions use a proxy device to represent the hosts behind it, effectively isolating those hosts into distinct multicast domains. While hosts are still located within the same subnet, their separation into different multicast domains reduces the scope of ND issues related to multicast-based address resolution.
  • Group 4: Non-Isolating Solutions The final group includes remaining solutions that do not implement host isolation. These solutions do not prevent ND issues but instead focus on addressing specific ND problems.
The analysis demonstrates that the stronger the isolation of hosts, the more ND issues can be mitigated. This correlation is intuitive, as isolating hosts reduces the multicast scope, minimizes the number of nodes that must be trusted, and may eliminate the need for Router-NCE-on-Demand, the three primary causes of ND issues. This understanding can be used to prevent ND issues.
Applicability of Various Isolation Methods
Applicability of L3+L2 Isolation Benefits:
  • All ND issues () can be effectively mitigated.
Constraints:
  1. L2 Isolation: Actions must be taken to isolate hosts in L2. The required effort varies by the chosen method and deployment context. For example, the P2P method is heavyweight, while the Private VLAN method is more manageable.
  2. Unique prefix allocation: A large number of prefixes will be required, with one prefix assigned per host. This is generally not a limitation for IPv6. For instance, members of a Regional Internet Registry (RIR) can obtain a /29 prefix allocation , which provides 32 billion /64 prefixes -- sufficient for any foreseeable deployment scenarios. Practical implementations, such as MBBv6 assigning /64 prefixes to billions of mobile UEs , and FBBv6 assigning /56 prefixes to hundreds of millions of routed RGs , demonstrate the feasibility of this approach.
  3. Privacy issue from unique prefix identifiability: Assigning a unique prefix to each host may theoretically reduce privacy, as hosts can be directly identified by their assigned prefix. However, alternative host identification methods, such as cookies, are commonly used. Therefore, unique prefix identifiability may not make much difference. The actual impact on privacy is therefore likely to be limited.
  4. Router support for L3 Isolation: The router must support an L3 Isolation solution, e.g., or .
  5. A large number of router interfaces may be needed: If the P2P method is used, the router must instantiate a separate logical interface for every attached host. In this case, a large number of interfaces will be needed at the router.
  6. Router as a bottleneck: Since all communication between hosts is routed through the router, the router may become a performance bottleneck in high-traffic scenarios.
  7. Incompatibility with host-based multicast services: Services that rely on multicast communication among hosts, such as the Multicast Domain Name System , will be disrupted.
Applicability of L3 Isolation Benefits:
  • All ND issues () are mitigated, with the exception of:
    • LLA DAD multicast degrades performance,
    • LLA DAD not reliable in wireless networks, and
    • on-link security.
    These remaining issues depend on the characteristics of the shared medium:
    • If the shared medium is Ethernet, the issues related to LLA DAD multicast are negligible.
    • If nodes can be trusted, such as in private networks, on-link security concerns are not significant.
  • There is no need for L2 Isolation. Consequently, this method can be applied in a wide range of scenarios, making it possibly the most practical host isolation method.
Constraints (as discussed in ):
  1. Unique prefix allocation
  2. Router support for L3 Isolation
  3. Router as a bottleneck
  4. Privacy issue from unique prefix identifiability
Applicability of Partial L2 Isolation Benefit:
  • Reduced multicast traffic: This method reduces multicast traffic, particularly for address resolution, by dividing the subnet into multiple multicast domains.
Constraint:
  • Router support for Partial L2 Isolation: The router must implement a Partial L2 Isolation solution such as WiND, SARP, ND optimization for TRILL, and Proxy ND in EVPN to support this method.
Guidelines for Applying Isolation Methods Based on the applicability analysis provided in the preceding sections, network administrators can determine whether to implement an isolation method and, if so, which method is most appropriate for their specific deployment. A simple guideline is to consider the isolation methods in the order listed in the preceding sections, progressing from the strongest isolation to the weakest:
  • Stronger isolation methods can prevent more ND issues, but may also impose higher entry requirements.
  • Weaker isolation methods have fewer entry requirements but may leave some ND issues unmitigated.
The choice between L3+L2 Isolation and L3 Isolation often depends on the cost of implementing L2 Isolation:
  • If the cost is acceptable, L3+L2 Isolation is preferable because it eliminates every ND issue listed in .
  • Otherwise, L3 Isolation addresses most of those issues while keeping the implementation effort reasonable.
Selecting an isolation method that is either too strong or too weak does not result in serious consequences:
  • Choosing an overly strong isolation method may require the network administrator to meet higher entry requirements initially, such as measures for L2 Isolation, additional prefixes, or additional router capabilities.
  • Choosing a weaker isolation method may necessitate deploying supplemental ND mitigation techniques to address any unresolved ND issues.
In either case, the resulting solution can be functional and effective.
Security Considerations This document is a review of known ND issues and solutions, including security. It does not introduce any new solutions. Therefore, it does not introduce new security issues.
IANA Considerations This document has no IANA actions.
References Normative References Neighbor Discovery for IP version 6 (IPv6) This document specifies the Neighbor Discovery protocol for IP Version 6. IPv6 nodes on the same link use Neighbor Discovery to discover each other's presence, to determine each other's link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors. [STANDARDS-TRACK] IPv6 Stateless Address Autoconfiguration This document specifies the steps a host takes in deciding how to autoconfigure its interfaces in IP version 6. The autoconfiguration process includes generating a link-local address, generating global addresses via stateless address autoconfiguration, and the Duplicate Address Detection procedure to verify the uniqueness of the addresses on a link. [STANDARDS-TRACK] Informative References IPv6 Address Accountability Considerations Jisc Energy Sciences Network ESnet Hosts in IPv4 networks typically acquire addresses by use of DHCP, and retain that address and only that address while the DHCP lease remains valid. In IPv6 networks, hosts may use DHCPv6, but may instead autoconfigure their own global address(es), and potentially use many privacy addresses over time. This behaviour places an additional burden on network operators who require address accountability for their users and devices. There has been some discussion of this issue on various mail lists; this text attempts to capture the issues to encourage further discussion. Work in Progress Randomized and Changing Media Access Control (MAC) Addresses: Context, Network Impacts, and Use Cases To limit the privacy issues created by the association between a device, its traffic, its location, and its user in IEEE 802 networks, client vendors and client OS vendors have started implementing Media Access Control (MAC) address randomization. This technology is particularly important in Wi-Fi networks (defined in IEEE 802.11) due to the over-the-air medium and device mobility. When such randomization happens, some in-network states may break, which may affect network connectivity and user experience. At the same time, devices may continue using other stable identifiers, defeating the purpose of MAC address randomization. This document lists various network environments and a range of network services that may be affected by such randomization. This document then examines settings where the user experience may be affected by in-network state disruption. Last, this document examines some existing frameworks that maintain user privacy while preserving user quality of experience and network operation efficiency. The Internet Standards Process -- Revision 3 This memo documents the process used by the Internet community for the standardization of protocols and procedures. It defines the stages in the standardization process, the requirements for moving a document between stages and the types of documents used during this process. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Neighbor Discovery for IP Version 6 (IPv6) This document specifies the Neighbor Discovery protocol for IP Version 6. [STANDARDS-TRACK] IPv6 Stateless Address Autoconfiguration This document specifies the steps a host takes in deciding how to autoconfigure its interfaces in IP version 6. [STANDARDS-TRACK] IPv6 Global Unicast Address Format This document obsoletes RFC 2374, "An IPv6 Aggregatable Global Unicast Address Format". It defined an IPv6 address allocation structure that includes Top Level Aggregator (TLA) and Next Level Aggregator (NLA). This document makes RFC 2374 and the TLA/NLA structure historic. This memo provides information for the Internet community. IPv6 Neighbor Discovery (ND) Trust Models and Threats The existing IETF standards specify that IPv6 Neighbor Discovery (ND) and Address Autoconfiguration mechanisms may be protected with IPsec Authentication Header (AH). However, the current specifications limit the security solutions to manual keying due to practical problems faced with automatic key management. This document specifies three different trust models and discusses the threats pertinent to IPv6 Neighbor Discovery. The purpose of this discussion is to define the requirements for Securing IPv6 Neighbor Discovery. This memo provides information for the Internet community. SEcure Neighbor Discovery (SEND) IPv6 nodes use the Neighbor Discovery Protocol (NDP) to discover other nodes on the link, to determine their link-layer addresses to find routers, and to maintain reachability information about the paths to active neighbors. If not secured, NDP is vulnerable to various attacks. This document specifies security mechanisms for NDP. Unlike those in the original NDP specifications, these mechanisms do not use IPsec. [STANDARDS-TRACK] Cryptographically Generated Addresses (CGA) This document describes a method for binding a public signature key to an IPv6 address in the Secure Neighbor Discovery (SEND) protocol. Cryptographically Generated Addresses (CGA) are IPv6 addresses for which the interface identifier is generated by computing a cryptographic one-way hash function from a public key and auxiliary parameters. The binding between the public key and the address can be verified by re-computing the hash value and by comparing the hash with the interface identifier. Messages sent from an IPv6 address can be protected by attaching the public key and auxiliary parameters and by signing the message with the corresponding private key. The protection works without a certification authority or any security infrastructure. [STANDARDS-TRACK] Unique Local IPv6 Unicast Addresses This document defines an IPv6 unicast address format that is globally unique and is intended for local communications, usually inside of a site. These addresses are not expected to be routable on the global Internet. [STANDARDS-TRACK] Neighbor Discovery Proxies (ND Proxy) Bridging multiple links into a single entity has several operational advantages. A single subnet prefix is sufficient to support multiple physical links. There is no need to allocate subnet numbers to the different networks, simplifying management. Bridging some types of media requires network-layer support, however. This document describes these cases and specifies the IP-layer support that enables bridging under these circumstances. This memo defines an Experimental Protocol for the Internet community. Optimistic Duplicate Address Detection (DAD) for IPv6 Optimistic Duplicate Address Detection is an interoperable modification of the existing IPv6 Neighbor Discovery (RFC 2461) and Stateless Address Autoconfiguration (RFC 2462) processes. The intention is to minimize address configuration delays in the successful case, to reduce disruption as far as possible in the failure case, and to remain interoperable with unmodified hosts and routers. [STANDARDS-TRACK] Multi-Link Subnet Issues There have been several proposals around the notion that a subnet may span multiple links connected by routers. This memo documents the issues and potential problems that have been raised with such an approach. This memo provides information for the Internet community. Cisco Systems' Private VLANs: Scalable Security in a Multi-Client Environment This document describes a mechanism to achieve device isolation through the application of special Layer 2 forwarding constraints. Such a mechanism allows end devices to share the same IP subnet while being Layer 2 isolated, which in turn allows network designers to employ larger subnets and so reduce the address management overhead. Some of the numerous deployment scenarios of the aforementioned mechanism (which range from data center designs to Ethernet-to-the-home-basement networks) are mentioned in the following text to exemplify the mechanism's possible usages; however, this document is not intended to cover all such deployment scenarios nor delve into their details. This document is not an Internet Standards Track specification; it is published for informational purposes. Address Mapping of IPv6 Multicast Packets on Ethernet When transmitting an IPv6 packet with a multicast destination address, the IPv6 destination address is mapped to an Ethernet link-layer multicast address. This document clarifies that a mapping of an IPv6 packet with a multicast destination address may in some circumstances map to an Ethernet link-layer unicast address. [STANDARDS-TRACK] IPv6 Router Advertisement Guard Routed protocols are often susceptible to spoof attacks. The canonical solution for IPv6 is Secure Neighbor Discovery (SEND), a solution that is non-trivial to deploy. This document proposes a light-weight alternative and complement to SEND based on filtering in the layer-2 network fabric, using a variety of filtering criteria, including, for example, SEND status. This document is not an Internet Standards Track specification; it is published for informational purposes. IPv6 in 3rd Generation Partnership Project (3GPP) Evolved Packet System (EPS) The use of cellular broadband for accessing the Internet and other data services via smartphones, tablets, and notebook/netbook computers has increased rapidly as a result of high-speed packet data networks such as HSPA, HSPA+, and now Long-Term Evolution (LTE) being deployed. Operators that have deployed networks based on 3rd Generation Partnership Project (3GPP) network architectures are facing IPv4 address shortages at the Internet registries and are feeling pressure to migrate to IPv6. This document describes the support for IPv6 in 3GPP network architectures. This document is not an Internet Standards Track specification; it is published for informational purposes. Address Resolution Protocol (ARP) Mediation for IP Interworking of Layer 2 VPNs The Virtual Private Wire Service (VPWS), detailed in RFC 4664, provides point-to-point connections between pairs of Customer Edge (CE) devices. It does so by binding two Attachment Circuits (each connecting a CE device with a Provider Edge (PE) device) to a pseudowire (connecting the two PEs). In general, the Attachment Circuits must be of the same technology (e.g., both Ethernet or both ATM), and the pseudowire must carry the frames of that technology. However, if it is known that the frames' payload consists solely of IP datagrams, it is possible to provide a point-to-point connection in which the pseudowire connects Attachment Circuits of different technologies. This requires the PEs to perform a function known as "Address Resolution Protocol (ARP) Mediation". ARP Mediation refers to the process of resolving Layer 2 addresses when different resolution protocols are used on either Attachment Circuit. The methods described in this document are applicable even when the CEs run a routing protocol between them, as long as the routing protocol runs over IP. [STANDARDS-TRACK] Operational Neighbor Discovery Problems In IPv4, subnets are generally small, made just large enough to cover the actual number of machines on the subnet. In contrast, the default IPv6 subnet size is a /64, a number so large it covers trillions of addresses, the overwhelming number of which will be unassigned. Consequently, simplistic implementations of Neighbor Discovery (ND) can be vulnerable to deliberate or accidental denial of service (DoS), whereby they attempt to perform address resolution for large numbers of unassigned addresses. Such denial-of-service attacks can be launched intentionally (by an attacker) or result from legitimate operational tools or accident conditions. As a result of these vulnerabilities, new devices may not be able to "join" a network, it may be impossible to establish new IPv6 flows, and existing IPv6 transported flows may be interrupted. This document describes the potential for DoS in detail and suggests possible implementation improvements as well as operational mitigation techniques that can, in some cases, be used to protect against or at least alleviate the impact of such attacks. [STANDARDS-TRACK] Multicast DNS As networked devices become smaller, more portable, and more ubiquitous, the ability to operate with less configured infrastructure is increasingly important. In particular, the ability to look up DNS resource record data types (including, but not limited to, host names) in the absence of a conventional managed DNS server is useful. Multicast DNS (mDNS) provides the ability to perform DNS-like operations on the local link in the absence of any conventional Unicast DNS server. In addition, Multicast DNS designates a portion of the DNS namespace to be free for local use, without the need to pay any annual fee, and without the need to set up delegations or otherwise configure a conventional DNS server to answer for those names. The primary benefits of Multicast DNS names are that (i) they require little or no administration or configuration to set them up, (ii) they work when no infrastructure is present, and (iii) they work during infrastructure failures. Neighbor Discovery Optimization for IPv6 over Low-Power Wireless Personal Area Networks (6LoWPANs) The IETF work in IPv6 over Low-power Wireless Personal Area Network (6LoWPAN) defines 6LoWPANs such as IEEE 802.15.4. This and other similar link technologies have limited or no usage of multicast signaling due to energy conservation. In addition, the wireless network may not strictly follow the traditional concept of IP subnets and IP links. IPv6 Neighbor Discovery was not designed for non- transitive wireless links, as its reliance on the traditional IPv6 link concept and its heavy use of multicast make it inefficient and sometimes impractical in a low-power and lossy network. This document describes simple optimizations to IPv6 Neighbor Discovery, its addressing mechanisms, and duplicate address detection for Low- power Wireless Personal Area Networks and similar networks. The document thus updates RFC 4944 to specify the use of the optimizations defined here. [STANDARDS-TRACK] Duplicate Address Detection Proxy The document describes a proxy-based mechanism allowing the use of Duplicate Address Detection (DAD) by IPv6 nodes in a point-to-multipoint architecture with a "split-horizon" forwarding scheme, primarily deployed for Digital Subscriber Line (DSL) and Fiber access architectures. Based on the DAD signaling, the first-hop router stores in a Binding Table all known IPv6 addresses used on a point-to-multipoint domain (e.g., VLAN). When a node performs DAD for an address already used by another node, the first-hop router defends the address rather than the device using the address. Source Address Validation Improvement (SAVI) Framework Source Address Validation Improvement (SAVI) methods were developed to prevent nodes attached to the same IP link from spoofing each other's IP addresses, so as to complement ingress filtering with finer-grained, standardized IP source address validation. This document is a framework document that describes and motivates the design of the SAVI methods. Particular SAVI methods are described in other documents. IPv6 for Third Generation Partnership Project (3GPP) Cellular Hosts As the deployment of third and fourth generation cellular networks progresses, a large number of cellular hosts are being connected to the Internet. Standardization organizations have made the Internet Protocol version 6 (IPv6) mandatory in their specifications. However, the concept of IPv6 covers many aspects and numerous specifications. In addition, the characteristics of cellular links in terms of bandwidth, cost, and delay put special requirements on how IPv6 is used. This document considers IPv6 for cellular hosts that attach to the General Packet Radio Service (GPRS), Universal Mobile Telecommunications System (UMTS), or Evolved Packet System (EPS) networks (hereafter collectively referred to as Third Generation Partnership Project (3GPP) networks). This document also lists specific IPv6 functionalities that need to be implemented in addition to what is already prescribed in the IPv6 Node Requirements document (RFC 6434). It also discusses some issues related to the use of these components when operating in these networks. This document obsoletes RFC 3316. Terms Used in Routing for Low-Power and Lossy Networks This document provides a glossary of terminology used in routing requirements and solutions for networks referred to as Low-Power and Lossy Networks (LLNs). An LLN is typically composed of many embedded devices with limited power, memory, and processing resources interconnected by a variety of links. There is a wide scope of application areas for LLNs, including industrial monitoring, building automation (e.g., heating, ventilation, air conditioning, lighting, access control, fire), connected home, health care, environmental monitoring, urban sensor networks, energy management, assets tracking, and refrigeration. Implementation Advice for IPv6 Router Advertisement Guard (RA-Guard) The IPv6 Router Advertisement Guard (RA-Guard) mechanism is commonly employed to mitigate attack vectors based on forged ICMPv6 Router Advertisement messages. Many existing IPv6 deployments rely on RA-Guard as the first line of defense against the aforementioned attack vectors. However, some implementations of RA-Guard have been found to be prone to circumvention by employing IPv6 Extension Headers. This document describes the evasion techniques that affect the aforementioned implementations and formally updates RFC 6105, such that the aforementioned RA-Guard evasion vectors are eliminated. Extending an IPv6 /64 Prefix from a Third Generation Partnership Project (3GPP) Mobile Interface to a LAN Link This document describes requirements for extending an IPv6 /64 prefix from a User Equipment Third Generation Partnership Project (3GPP) radio interface to a LAN link and describes two implementation examples. Practices for Scaling ARP and Neighbor Discovery (ND) in Large Data Centers This memo documents some operational practices that allow ARP and Neighbor Discovery (ND) to scale in data center environments. Enhanced Duplicate Address Detection IPv6 Loopback Suppression and Duplicate Address Detection (DAD) are discussed in Appendix A of RFC 4862. That specification mentions a hardware-assisted mechanism to detect looped back DAD messages. If hardware cannot suppress looped back DAD messages, a software solution is required. Several service provider communities have expressed a need for automated detection of looped back Neighbor Discovery (ND) messages used by DAD. This document includes mitigation techniques and outlines the Enhanced DAD algorithm to automate the detection of looped back IPv6 ND messages used by DAD. For network loopback tests, the Enhanced DAD algorithm allows IPv6 to self-heal after a loopback is placed and removed. Further, for certain access networks, this document automates resolving a specific duplicate address conflict. This document updates RFCs 4429, 4861, and 4862. The Scalable Address Resolution Protocol (SARP) for Large Data Centers This document introduces the Scalable Address Resolution Protocol (SARP), an architecture that uses proxy gateways to scale large data center networks. SARP is based on fast proxies that significantly reduce switches' Filtering Database (FDB) table sizes and reduce impact of ARP and Neighbor Discovery (ND) on network elements in an environment where hosts within one subnet (or VLAN) can spread over various locations. SARP is targeted for massive data centers with a significant number of Virtual Machines (VMs) that can move across various physical locations. Reducing Energy Consumption of Router Advertisements Frequent Router Advertisement messages can severely impact host power consumption. This document recommends operational practices to avoid such impact. Unique IPv6 Prefix per Host This document outlines an approach utilizing existing IPv6 protocols to allow hosts to be assigned a unique IPv6 prefix (instead of a unique IPv6 address from a shared IPv6 prefix). Benefits of using a unique IPv6 prefix over a unique service-provider IPv6 address include improved host isolation and enhanced subscriber management on shared network segments. Transparent Interconnection of Lots of Links (TRILL): ARP and Neighbor Discovery (ND) Optimization This document describes mechanisms to optimize the Address Resolution Protocol (ARP) and Neighbor Discovery (ND) traffic in a Transparent Interconnection of Lots of Links (TRILL) campus. TRILL switches maintain a cache of IP / Media Access Control (MAC) address / Data Label bindings that are learned from ARP/ND requests and responses that pass through them. In many cases, this cache allows an edge Routing Bridge (RBridge) to avoid flooding an ARP/ND request by either responding to it directly or encapsulating it and unicasting it. Such optimization reduces packet flooding over a TRILL campus. Dynamic Host Configuration Protocol for IPv6 (DHCPv6) This document describes the Dynamic Host Configuration Protocol for IPv6 (DHCPv6): an extensible mechanism for configuring nodes with network configuration parameters, IP addresses, and prefixes. Parameters can be provided statelessly, or in combination with stateful assignment of one or more IPv6 addresses and/or IPv6 prefixes. DHCPv6 can operate either in place of or in addition to stateless address autoconfiguration (SLAAC). This document updates the text from RFC 3315 (the original DHCPv6 specification) and incorporates prefix delegation (RFC 3633), stateless DHCPv6 (RFC 3736), an option to specify an upper bound for how long a client should wait before refreshing information (RFC 4242), a mechanism for throttling DHCPv6 clients when DHCPv6 service is not available (RFC 7083), and relay agent handling of unknown messages (RFC 7283). In addition, this document clarifies the interactions between models of operation (RFC 7550). As such, this document obsoletes RFC 3315, RFC 3633, RFC 3736, RFC 4242, RFC 7083, RFC 7283, and RFC 7550. Registration Extensions for IPv6 over Low-Power Wireless Personal Area Network (6LoWPAN) Neighbor Discovery This specification updates RFC 6775 -- the Low-Power Wireless Personal Area Network (6LoWPAN) Neighbor Discovery specification -- to clarify the role of the protocol as a registration technique and simplify the registration operation in 6LoWPAN routers, as well as to provide enhancements to the registration capabilities and mobility detection for different network topologies, including the Routing Registrars performing routing for host routes and/or proxy Neighbor Discovery in a low-power network. Address-Protected Neighbor Discovery for Low-Power and Lossy Networks This document updates the IPv6 over Low-Power Wireless Personal Area Network (6LoWPAN) Neighbor Discovery (ND) protocol defined in RFCs 6775 and 8505. The new extension is called Address-Protected Neighbor Discovery (AP-ND), and it protects the owner of an address against address theft and impersonation attacks in a Low-Power and Lossy Network (LLN). Nodes supporting this extension compute a cryptographic identifier (Crypto-ID), and use it with one or more of their Registered Addresses. The Crypto-ID identifies the owner of the Registered Address and can be used to provide proof of ownership of the Registered Addresses. Once an address is registered with the Crypto-ID and a proof of ownership is provided, only the owner of that address can modify the registration information, thereby enforcing Source Address Validation. IPv6 Backbone Router This document updates RFCs 6775 and 8505 in order to enable proxy services for IPv6 Neighbor Discovery by Routing Registrars called "Backbone Routers". Backbone Routers are placed along the wireless edge of a backbone and federate multiple wireless links to form a single Multi-Link Subnet (MLSN). Operational Security Considerations for IPv6 Networks Knowledge and experience on how to operate IPv4 networks securely is available, whether the operator is an Internet Service Provider (ISP) or an enterprise internal network. However, IPv6 presents some new security challenges. RFC 4942 describes security issues in the protocol, but network managers also need a more practical, operations-minded document to enumerate advantages and/or disadvantages of certain choices. This document analyzes the operational security issues associated with several types of networks and proposes technical and procedural mitigation techniques. This document is only applicable to managed networks, such as enterprise networks, service provider networks, or managed residential networks. Multicast Considerations over IEEE 802 Wireless Media Well-known issues with multicast have prevented the deployment of multicast in 802.11 (Wi-Fi) and other local-area wireless environments. This document describes the known limitations of wireless (primarily 802.11) Layer 2 multicast. Also described are certain multicast enhancement features that have been specified by the IETF and by IEEE 802 for wireless media, as well as some operational choices that can be made to improve the performance of the network. Finally, some recommendations are provided about the usage and combination of these features and operational choices. Gratuitous Neighbor Discovery: Creating Neighbor Cache Entries on First-Hop Routers Neighbor Discovery (RFC 4861) is used by IPv6 nodes to determine the link-layer addresses of neighboring nodes as well as to discover and maintain reachability information. This document updates RFC 4861 to allow routers to proactively create a Neighbor Cache entry when a new IPv6 address is assigned to a node. It also updates RFC 4861 and recommends that nodes send unsolicited Neighbor Advertisements upon assigning a new IPv6 address. These changes will minimize the delay and packet loss when a node initiates connections to an off-link destination from a new IPv6 address. Operational Aspects of Proxy ARP/ND in Ethernet Virtual Private Networks This document describes the Ethernet Virtual Private Network (EVPN) Proxy ARP/ND function augmented by the capability of the ARP/ND Extended Community. From that perspective, this document updates the EVPN specification to provide more comprehensive documentation of the operation of the Proxy ARP/ND function. The EVPN Proxy ARP/ND function and the ARP/ND Extended Community help operators of Internet Exchange Points, Data Centers, and other networks deal with IPv4 and IPv6 address resolution issues associated with large Broadcast Domains by reducing and even suppressing the flooding produced by address resolution in the EVPN network. Using DHCPv6 Prefix Delegation (DHCPv6-PD) to Allocate Unique IPv6 Prefixes per Client in Large Broadcast Networks This document discusses an IPv6 deployment scenario when individual nodes connected to large broadcast networks (such as enterprise networks or public Wi-Fi networks) are allocated unique prefixes via DHCPv6 Prefix Delegation (DHCPv6-PD), as specified in RFC 8415. Registering Self-Generated IPv6 Addresses Using DHCPv6 This document defines a method to inform a DHCPv6 server that a device has one or more self-generated or statically configured addresses. IPv6 Address Allocation and Assignment Policy RIPE RIPE-738 Architecture and Framework for IPv6 over Non-Broadcast Access Sandelman Software Works This document presents an architecture and framework for IPv6 access networks that decouples the network-layer concepts of Links, Interface, and Subnets from the link-layer concepts of links, ports, and broadcast domains, and limits the reliance on link-layer broadcasts. This architecture is suitable for IPv6 over any network, including non-broadcast networks, which is typically the case for intangible media such as wireless and virtual networks such as overlays. A study of the issues with IPv6 ND over intangible media is presented, and a framework to solve those issues within the new architecture is proposed. Work in Progress IPv6 in the context of TR-101 Broadband Forum TR-177
Acknowledgements The authors would like to thank , , , , , , , , , , , , , , , , , , , , , , , , , and for their reviews and comments. The authors would also like to thank for being the document shepherd.
Authors' Addresses Huawei Technologies
xipengxiao@huawei.com
Huawei Technologies
vasilenko.eduard@huawei.com
KPN N.V.
eduard.metz@kpn.com
Verizon Inc.
gyan.s.mishra@verizon.com
Energy Sciences Network
buraglio@es.net