Junos® OS
IPv6 Neighbor Discovery User Guide
Published
2021-04-18
Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA
408-745-2000 www.juniper.net
Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners.
Juniper Networks assumes no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Copyright © 2021 Juniper Networks, Inc. All rights reserved.
The information in this document is current as of the date on the title page.
YEAR 2000 NOTICE
Juniper Networks hardware and software products are Year 2000 compliant. Junos OS has no known time-related limitations through the year 2038. However, the NTP application is known to have some difficulty in the year 2036.
END USER LICENSE AGREEMENT
The Juniper Networks product that is the subject of this technical documentation consists of (or is intended for use with) Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions of that EULA.
About This Guide | vii
1 Configuring IPv6 Neighbor Discovery
IPv6 Neighbor Discovery | 2
IPv6 Neighbor Discovery Overview | 2
Supported ICMP Router Discovery and IPv6 Neighbor Discovery Standards | 5
Example: Configuring IPv6 Interfaces and Enabling Neighbor Discovery | 6
Requirements | 6
Overview | 7
Configuration | 9
Verification | 13
Secure IPv6 Neighbor Discovery | 19
Understanding Secure IPv6 Neighbor Discovery | 19
Example: Configuring Secure IPv6 Neighbor Discovery | 20
Requirements | 20
Overview | 20
Configuration | 22
Verification | 24
NDP Proxy and DAD Proxy | 26
Configuring NDP Proxy | 26
Configuring DAD Proxy | 27
Neighbor Discovery Cache Protection | 27
Neighbor Discovery Cache Protection Overview | 28
Configuring Neighbor Discovery Cache Protection | 28
Example: Configuring Neighbor Discovery Cache Protection to Prevent Denial-of-Service Attacks | 30
Requirements | 31
Overview | 31
Configuration | 31
Verification | 33
2 Troubleshooting
Troubleshooting Network Issues | 38
Working with Problems on Your Network | 38
Isolating a Broken Network Connection | 39
Identifying the Symptoms of a Broken Network Connection | 41
Isolating the Causes of a Network Problem | 43
Taking Appropriate Action for Resolving the Network Problem | 44
Evaluating the Solution to Check Whether the Network Problem Is Resolved | 46
Checklist for Tracking Error Conditions | 48
Configure Routing Protocol Process Tracing | 50
Configure Routing Protocol Tracing for a Specific Routing Protocol | 54
Monitor Trace File Messages Written in Near-Real Time | 57
Stop Trace File Monitoring | 58
3 Configuration Statements
autonomous | 62
cryptographic-address | 63
current-hop-limit | 65
default-lifetime | 66
interface (Protocols IPv6 Neighbor Discovery) | 68
key-length | 70
key-pair | 72
link-mtu | 74
managed-configuration | 76
max-advertisement-interval (Protocols IPv6 Neighbor Discovery) | 78
min-advertisement-interval (Protocols IPv6 Neighbor Discovery) | 80
nd-retransmit-timer | 82
nd-system-cache-limit | 83
nd6-max-cache | 85
nd6-new-hold-limit | 87
neighbor-discovery | 89
on-link | 91
onlink-subnet-only | 93
other-stateful-configuration | 95
preference (IPv6 Router Advertisement) | 97
preferred-lifetime | 99
prefix (Protocols IPv6 Neighbor Discovery) | 100
reachable-time | 102
retransmit-timer | 104
router-advertisement | 106
secure | 107
security-level | 109
solicit-router-advertisement-unicast | 111
timestamp | 112
traceoptions (Protocols IPv6 Neighbor Discovery) | 114
traceoptions (Protocols Secure Neighbor Discovery) | 117
valid-lifetime | 120
4 Operational Commands
clear ipv6 neighbors | 123
clear ipv6 router-advertisement | 125
monitor interface | 127
monitor start | 145
monitor stop | 148
ping | 150
show ipv6 neighbors | 159
show ipv6 router-advertisement | 163
show log | 168
traceroute | 176
About This Guide
Use this guide to configure, monitor, and troubleshoot IPv6 neighbor discovery on your Juniper Networks devices.
RELATED DOCUMENTATION
Day One: Exploring IPv6
CHAPTER 1
Configuring IPv6 Neighbor Discovery
IPv6 Neighbor Discovery | 2
Secure IPv6 Neighbor Discovery | 19
NDP Proxy and DAD Proxy | 26
Neighbor Discovery Cache Protection | 27
IPv6 Neighbor Discovery
SUMMARY
Neighbor discovery is a protocol used for IPv6 traffic that allows different nodes on the same link to advertise their existence to their neighbors, and to learn about the existence of their neighbors.
IN THIS SECTION
IPv6 Neighbor Discovery Overview | 2
Supported ICMP Router Discovery and IPv6 Neighbor Discovery Standards | 5
Example: Configuring IPv6 Interfaces and Enabling Neighbor Discovery | 6
IPv6 Neighbor Discovery Overview
IN THIS SECTION
Improvements Over IPv4 Protocols | 3
Router Discovery | 4
Address Resolution | 4
Redirect | 4
SLAAC | 4
Neighbor discovery is a protocol that allows different nodes on the same link to advertise their existence to their neighbors, and to learn about the existence of their neighbors.
Routers and hosts (nodes) use Neighbor Discovery (ND) messages to determine the link-layer addresses of neighbors that reside on attached links and to overwrite invalid cache entries. Hosts also use ND to find neighboring routers that can forward packets on their behalf.
In addition, nodes use ND to actively track the ability to reach neighbors. When a router (or the path to a router) fails, nodes actively search for alternatives to reach the destination.
This section discusses the following topics:
Improvements Over IPv4 Protocols
IPv6 Neighbor Discovery corresponds to a number of the IPv4 protocols — ARP, ICMP Router Discovery, and ICMP Redirect. However, Neighbor Discovery provides many improvements over the IPv4 set of protocols. These improvements address the following:
• Router discovery—How a host locates routers residing on an attached link.
• Prefix discovery—How a host discovers address prefixes for destinations residing on an attached link. Nodes use prefixes to distinguish between destinations that reside on an attached link and those destinations that it can reach only through a router.
• Parameter discovery—How a node learns various parameters (link parameters or Internet parameters) that it places in outgoing packets.
• Address resolution—How a node uses only a destination IPv6 address to determine a link-layer address for destinations on an attached link.
• Next-hop determination—The algorithm that a node uses for mapping an IPv6 destination address into a neighbor IPv6 address (either the next router hop or the destination itself) to which it plans to send traffic for the destination.
• Neighbor unreachability detection—How a node determines that it can no longer reach a neighbor.
• Duplicate address detection—How a node determines whether an address is already in use by another node.
A router periodically multicasts a router advertisement from each of its multicast interfaces, announcing its availability. Hosts listen for these advertisements for address configuration and discovery of link-local addresses of the neighboring routers. When a host starts, it multicasts a router solicitation to ask for immediate advertisements.
The router discovery messages do not constitute a routing protocol. They enable hosts to discover the existence of neighboring routers, but are not used to determine which router is best to reach a particular destination.
Neighbor discovery uses the following Internet Control Message Protocol version 6 (ICMPv6) messages: router solicitation, router advertisement, neighbor solicitation, neighbor advertisement, and redirect.
Neighbor discovery for IPv6 replaces the following IPv4 protocols: router discovery (RDISC), Address Resolution Protocol (ARP), and ICMPv4 redirect.
Junos OS Release 9.3 and later supports Secure Neighbor Discovery (SEND). SEND enables you to secure Neighbor Discovery Protocol (NDP) messages. It is applicable in environments where physical security on a link is not assured and attacks on NDP messages are a concern. Junos OS secures NDP messages through cryptographically generated addresses (CGAs).
Router Discovery
Router advertisements can contain a list of prefixes. These prefixes are used for address autoconfiguration, to maintain a database of onlink (on the same data link) prefixes, and for duplicate address detection. If a node is onlink, the router forwards packets to that node. If the node is not onlink, the packets are sent to the next router for consideration. For IPv6, each prefix in the prefix list can contain a prefix length, a valid lifetime for the prefix, a preferred lifetime for the prefix, an onlink flag, and an autoconfiguration flag. This information enables address autoconfiguration and the setting of link parameters such as maximum transmission unit (MTU) size and hop limit.
Address Resolution
For IPv6, ICMPv6 neighbor discovery replaces Address Resolution Protocol (ARP) for resolving network addresses to link-level addresses. Neighbor discovery also handles changes in link-layer addresses, inbound load balancing, anycast addresses, and proxy advertisements.
Nodes requesting the link-layer address of a target node multicast a neighbor solicitation message with the target address. The target sends back a neighbor advertisement message containing its link-layer address.
Neighbor solicitation and advertisement messages are used for detecting duplicate unicast addresses on the same link. Autoconfiguration of an IP address depends on whether there is a duplicate address on that link. Duplicate address detection is a requirement for autoconfiguration.
Neighbor solicitation and advertisement messages are also used for neighbor unreachability detection. Neighbor unreachability detection involves detecting the presence of a target node on a given link.
Redirect
Redirect messages are sent to inform a host of a better next-hop router to a particular destination or an onlink neighbor. Very similar to the ICMPv4 Redirect feature, the ICMPv6 redirect message is used by routers to inform on-link hosts of a better next hop for a given destination. The intent is to allow the routers to help hosts make the most efficient local routing decisions possible.
SLAAC
In addition to all the other improvements it brings to the networking world, Neighbor Discovery also enables address autoconfiguration, namely Stateless Address Autoconfiguration (SLAAC). IPv6 maintains the capability for stateful address assignment through DHCPv6 (and static assignment), but SLAAC provides a lightweight address configuration method that might be desirable in many circumstances.
SLAAC provides plug-and-play IP connectivity in two phases: Phase 1, link-local address assignment; and then, in Phase 2, global address assignment.
• Phase 1—Steps for local connectivity
1. Link-Local Address Generation: Any time that a multicast-capable IPv6-enabled interface is turned up, the node generates a link-local address for that interface. This is done by appending an interface identifier to the link-local prefix (FE80::/10). The autogenerated link-local address cannot be deleted. However, a new link-local address can also be manually entered, which overwrites the autogenerated link-local address.
2. Duplicate Detection: Before assigning the new link-local address to its interface, the node verifies that the address is unique. This is accomplished by sending a Neighbor Solicitation message destined to the new address. If there is a reply, then the address is a duplicate and the process stops, requiring operator intervention.
3. Link-Local Address Assignment: If the address is unique, the node assigns it to the interface for which it was generated.
At this point, the node has IPv6 connectivity to all other nodes on the same link. Phase 2 can only be completed by hosts. The router's interface addresses must be configured by other means.
• Phase 2—Steps for global connectivity
1. Router Advertisement: The node sends a Router Solicitation to prompt all on-link routers to send it router advertisements. When the router is enabled to provide stateless autoconfiguration support, the router advertisement contains a subnet prefix for use by neighboring hosts.
2. Global Address Generation: Once it receives a subnet prefix from a router, the host generates a global address by appending the interface ID to the supplied prefix.
3. Duplicate Address Detection: The host again performs Duplicate Address Detection (DAD), this time for the new global address.
4. Global Address Assignment: Assuming that the address is not a duplicate, the host assigns it to the interface.
This process ensures full IPv6 global connectivity with no manual host configuration and very little router configuration.
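The address generation in Phase 1 step 1 and Phase 2 step 2 above, worked through in Python as an added example (this is not Junos or Juniper code): the interface identifier is the modified EUI-64 form of the interface's MAC address, the link-local address is that identifier under fe80::/64, and the global address is the same identifier under the /64 prefix carried in a router advertisement. The MAC address is a constructed sample; the prefix is the one the later configuration example advertises on fe-1/2/0.1.

```python
"""SLAAC address derivation: MAC -> modified EUI-64 -> link-local and global addresses."""
import ipaddress


def modified_eui64(mac: str) -> bytes:
    """Return the 8-byte modified EUI-64 interface identifier for a 48-bit MAC.

    RFC 4291 Appendix A: insert 0xFFFE between the OUI (first three octets)
    and the device part, then invert the universal/local bit (bit 0x02 of
    the first octet).
    """
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"expected a 48-bit MAC address, got {mac!r}")
    eui64 = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui64[0] ^ 0x02]) + eui64[1:]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Phase 2 step 2: append the interface identifier to an advertised prefix.

    RFC 4862 requires prefix length + identifier length to equal 128, so only
    a /64 prefix can be used with a 64-bit EUI-64 identifier.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError(f"SLAAC needs a /64 prefix, got /{net.prefixlen}")
    iid = int.from_bytes(modified_eui64(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def link_local_address(mac: str) -> ipaddress.IPv6Address:
    """Phase 1 step 1: the link-local prefix plus the interface identifier."""
    return slaac_address("fe80::/64", mac)


def same_interface_identifier(a: str, b: str) -> bool:
    """True when two IPv6 addresses share the same low 64 bits.

    An address configured with the eui-64 statement carries the same
    interface identifier as the interface's link-local address, which is
    what the 'Checking the Interfaces' verification step relies on.
    """
    mask = (1 << 64) - 1
    return int(ipaddress.IPv6Address(a)) & mask == int(ipaddress.IPv6Address(b)) & mask


# Constructed sample input: a MAC address and the /64 prefix advertised on fe-1/2/0.1.
SAMPLE_MAC = "00:05:85:8f:c8:bd"
SAMPLE_PREFIX = "2001:db8:0:1::/64"

if __name__ == "__main__":
    ll = link_local_address(SAMPLE_MAC)
    ga = slaac_address(SAMPLE_PREFIX, SAMPLE_MAC)
    print(f"link-local: {ll}")   # fe80::205:85ff:fe8f:c8bd
    print(f"global:     {ga}")   # 2001:db8:0:1:205:85ff:fe8f:c8bd
    print("same identifier:", same_interface_identifier(str(ll), str(ga)))
```

The ff:fe in the middle of the identifier and the flipped second hex digit of the first group (00 becomes 02) are the two visible signs that an address was derived from a MAC.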
Supported ICMP Router Discovery and IPv6 Neighbor Discovery Standards
Junos OS substantially supports the following RFCs, which define standards for the Internet Control Message Protocol (ICMP for IP version 4 [IPv4]) and neighbor discovery (for IP version 6 [IPv6]).
• RFC 1256, ICMP Router Discovery Messages
• RFC 4861, Neighbor Discovery for IP version 6 (IPv6)
• RFC 2462, IPv6 Stateless Address Autoconfiguration
• RFC 2463, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
• RFC 4443, Internet Control Message Protocol (ICMPv6) for the Internet Protocol Version 6 (IPv6) Specification
• RFC 4862, IPv6 Stateless Address Autoconfiguration
• RFC 8335, PROBE: A Utility for Probing Interfaces
Example: Configuring IPv6 Interfaces and Enabling Neighbor Discovery
IN THIS SECTION
Requirements | 6
Overview | 7
Configuration | 9
Verification | 13
This example shows how to configure the router or switch to send IPv6 neighbor discovery messages.
Requirements
In this example, no special configuration beyond device initialization is required.
Overview
IN THIS SECTION
Topology | 8
In this example, all of the interfaces in the sample topology are configured with IPv6 addresses. If you plan to extend IPv6 functionality into your LAN, datacenter, or customer networks, you might want to use Stateless Address Autoconfiguration (SLAAC), and that means configuring router advertisements.
SLAAC is an IPv6 protocol that provides some similar functionality to DHCP in IPv4. Using SLAAC, network hosts can autoconfigure a globally unique IPv6 address based on the prefix provided by a nearby router in a router advertisement. This removes the need to explicitly configure every interface in a given section of the network. Router advertisement messages are disabled by default, and you must enable them to take advantage of SLAAC.
To configure the router to send router advertisement messages, you must include at least the following statements in the configuration. All other router advertisement configuration statements are optional.
protocols {
    router-advertisement {
        interface interface-name {
            prefix prefix;
        }
    }
}
To configure neighbor discovery, include the following statements. You configure router advertisement on a per-interface basis.
protocols {
    router-advertisement {
        interface interface-name {
            current-hop-limit number;
            default-lifetime seconds;
            (link-mtu | no-link-mtu);
            (managed-configuration | no-managed-configuration);
            max-advertisement-interval seconds;
            min-advertisement-interval seconds;
            (other-stateful-configuration | no-other-stateful-configuration);
            prefix prefix {
                (autonomous | no-autonomous);
                (on-link | no-on-link);
                preferred-lifetime seconds;
                valid-lifetime seconds;
            }
            reachable-time milliseconds;
            retransmit-timer milliseconds;
            solicit-router-advertisement-unicast;
            virtual-router-only;
        }
        traceoptions {
            file filename <files number> <size maximum-file-size> <world-readable | no-world-readable>;
            flag flag;
        }
    }
}
Topology
Figure 1 on page 8 shows a simplified sample topology.
Figure 1: ICMP Router Discovery Topology
This example shows how to make sure that all of the IPv6 hosts attached to the subnets in the sample topology can autoconfigure a local EUI-64 address.
"CLI Quick Configuration" shows the configuration for all of the devices in Figure 1 on page 8. "Step-by-Step Procedure" describes the steps on Device R1.
Configuration
IN THIS SECTION
Procedure | 9
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Device R1
set interfaces fe-1/2/0 unit 1 description to-P2
set interfaces fe-1/2/0 unit 1 family inet6 address 2001:db8:0:1::/64 eui-64
set interfaces fe-1/2/1 unit 5 description to-P4
set interfaces fe-1/2/1 unit 5 family inet6 address 2001:db8:0:5::/64 eui-64
set interfaces fe-1/2/2 unit 9 description to-P3
set interfaces fe-1/2/2 unit 9 family inet6 address 2001:db8:0:9::/64 eui-64
set interfaces lo0 unit 1 family inet6 address 2001:db8::1/128
set protocols router-advertisement interface fe-1/2/0.1 prefix 2001:db8:0:1::/64
set protocols router-advertisement interface fe-1/2/1.5 prefix 2001:db8:0:5::/64
set protocols router-advertisement interface fe-1/2/2.9 prefix 2001:db8:0:9::/64
Device R2
set interfaces fe-1/2/0 unit 2 description to-P1
set interfaces fe-1/2/0 unit 2 family inet6 address 2001:db8:0:1::/64 eui-64
set interfaces fe-1/2/1 unit 14 description to-P3
set interfaces fe-1/2/1 unit 14 family inet6 address 2001:db8:0:14::/64 eui-64
set interfaces fe-1/2/2 unit 21 description to-P4
set interfaces fe-1/2/2 unit 21 family inet6 address 2001:db8:0:21::/64 eui-64
set interfaces lo0 unit 2 family inet6 address 2001:db8::2/128
set protocols router-advertisement interface fe-1/2/0.2 prefix 2001:db8:0:1::/64
set protocols router-advertisement interface fe-1/2/1.14 prefix 2001:db8:0:14::/64
set protocols router-advertisement interface fe-1/2/2.21 prefix 2001:db8:0:21::/64
Device R3
set interfaces fe-1/2/0 unit 10 description to-P1
set interfaces fe-1/2/0 unit 10 family inet6 address 2001:db8:0:9::/64 eui-64
set interfaces fe-1/2/1 unit 13 description to-P2
set interfaces fe-1/2/1 unit 13 family inet6 address 2001:db8:0:14::/64 eui-64
set interfaces fe-1/2/2 unit 17 description to-P4
set interfaces fe-1/2/2 unit 17 family inet6 address 2001:db8:0:17::/64 eui-64
set interfaces lo0 unit 3 family inet6 address 2001:db8::3/128
set protocols router-advertisement interface fe-1/2/0.10 prefix 2001:db8:0:9::/64
set protocols router-advertisement interface fe-1/2/1.13 prefix 2001:db8:0:14::/64
set protocols router-advertisement interface fe-1/2/2.17 prefix 2001:db8:0:17::/64
Device R4
set interfaces fe-1/2/0 unit 6 description to-P1
set interfaces fe-1/2/0 unit 6 family inet6 address 2001:db8:0:5::/64 eui-64
set interfaces fe-1/2/1 unit 18 description to-P3
set interfaces fe-1/2/1 unit 18 family inet6 address 2001:db8:0:17::/64 eui-64
set interfaces fe-1/2/2 unit 22 description to-P2
set interfaces fe-1/2/2 unit 22 family inet6 address 2001:db8:0:21::/64 eui-64
set interfaces lo0 unit 4 family inet6 address 2001:db8::4/128
set protocols router-advertisement interface fe-1/2/0.6 prefix 2001:db8:0:5::/64
set protocols router-advertisement interface fe-1/2/1.18 prefix 2001:db8:0:17::/64
set protocols router-advertisement interface fe-1/2/2.22 prefix 2001:db8:0:21::/64
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure IPv6 neighbor discovery:
1. Configure the network interfaces.
This example shows multiple loopback interface addresses to simulate attached networks.
[edit interfaces]
user@R1# set fe-1/2/0 unit 1 description to-P2
user@R1# set fe-1/2/0 unit 1 family inet6 address 2001:db8:0:1::/64 eui-64
user@R1# set fe-1/2/1 unit 5 description to-P4
user@R1# set fe-1/2/1 unit 5 family inet6 address 2001:db8:0:5::/64 eui-64
user@R1# set fe-1/2/2 unit 9 description to-P3
user@R1# set fe-1/2/2 unit 9 family inet6 address 2001:db8:0:9::/64 eui-64
user@R1# set lo0 unit 1 family inet6 address 2001:db8::1/128
2. Enable neighbor discovery.
[edit protocols router-advertisement]
user@R1# set interface fe-1/2/0.1 prefix 2001:db8:0:1::/64
user@R1# set interface fe-1/2/1.5 prefix 2001:db8:0:5::/64
user@R1# set interface fe-1/2/2.9 prefix 2001:db8:0:9::/64
Results
From configuration mode, confirm your configuration by entering the show interfaces and show protocols commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@R1# show interfaces
fe-1/2/0 {
    unit 1 {
        description to-P2;
        family inet6 {
            address 2001:db8:0:1::/64 {
                eui-64;
            }
        }
    }
}
fe-1/2/1 {
    unit 5 {
        description to-P4;
        family inet6 {
            address 2001:db8:0:5::/64 {
                eui-64;
            }
        }
    }
}
fe-1/2/2 {
    unit 9 {
        description to-P3;
        family inet6 {
            address 2001:db8:0:9::/64 {
                eui-64;
            }
        }
    }
}
lo0 {
    unit 1 {
        family inet6 {
            address 2001:db8::1/128;
        }
    }
}
user@R1# show protocols
router-advertisement {
    interface fe-1/2/0.1 {
        prefix 2001:db8:0:1::/64;
    }
    interface fe-1/2/1.5 {
        prefix 2001:db8:0:5::/64;
    }
    interface fe-1/2/2.9 {
        prefix 2001:db8:0:9::/64;
    }
}
If you are done configuring the device, enter commit from configuration mode.
Verification
IN THIS SECTION
Checking the Interfaces | 13
Pinging the Interfaces | 14
Checking the IPv6 Neighbor Cache | 15
Verifying IPv6 Router Advertisements | 16
Tracing Neighbor Discovery Events | 17
To confirm that the configuration is working properly, perform these tasks:
Checking the Interfaces
Purpose
Verify that the interfaces are up, and view the assigned EUI-64 addresses.
Action
From operational mode, enter the show interfaces terse command.
user@R1> show interfaces terse
Interface               Admin Link Proto    Local                            Remote
fe-1/2/0                up    up
fe-1/2/0.1              up    up   inet6    2001:db8:0:1:2a0:a514:0:14c/64
                                            fe80::2a0:a514:0:14c/64
fe-1/2/1.5              up    up   inet6    2001:db8:0:5:2a0:a514:0:54c/64
                                            fe80::2a0:a514:0:54c/64
fe-1/2/2.9              up    up   inet6    2001:db8:0:9:2a0:a514:0:94c/64
                                            fe80::2a0:a514:0:94c/64
lo0                     up    up
lo0.1                   up    up   inet6    2001:db8::1
                                            fe80::2a0:a50f:fc56:14c
Meaning
The output shows that all interfaces are configured with the IPv6 (inet6) address family. Each IPv6-enabled interface has two IPv6 addresses: one link-local address and one global address. The global addresses match those shown in Figure 1. Junos OS automatically creates a link-local address for any interface that is enabled for IPv6 operation. All link-local addresses begin with the fe80::/64 prefix. The host portion of the address is a full 64 bits long and matches the link-local interface identifier. When an interface address is configured using the eui-64 statement, its interface identifier matches the interface identifier of the link-local address. This is because link-local addresses are coded according to the EUI-64 specification.
Pinging the Interfaces
Purpose
Verify connectivity between the directly connected interfaces.
Action
1. Determine the remote router's IPv6 interface address.
On Device R2, run the show interfaces terse command for the interface that is directly connected to Device R1, and copy the global address into the capture buffer of your terminal emulator.
user@R2> show interfaces fe-1/2/0.2 terse
Interface               Admin Link Proto    Local                            Remote
fe-1/2/0.2              up    up   inet6    2001:db8:0:1:2a0:a514:0:24c/64
                                            fe80::2a0:a514:0:24c/64
2. On Device R1, run the ping command, using the global address that you copied.
user@R1> ping 2001:db8:0:1:2a0:a514:0:24c
PING6(56=40+8+8 bytes) 2001:db8:0:1:2a0:a514:0:14c --> 2001:db8:0:1:2a0:a514:0:24c
16 bytes from 2001:db8:0:1:2a0:a514:0:24c, icmp_seq=0 hlim=64 time=20.412 ms
16 bytes from 2001:db8:0:1:2a0:a514:0:24c, icmp_seq=1 hlim=64 time=18.897 ms
16 bytes from 2001:db8:0:1:2a0:a514:0:24c, icmp_seq=2 hlim=64 time=1.389 ms
Meaning
Junos OS uses the same ping command for both IPv4 and IPv6 testing. The lack of any interior gateway protocol (IGP) in the network limits the ping testing to directly connected neighbors. Repeat the ping test for other directly connected neighbors.
Checking the IPv6 Neighbor Cache
Purpose
Display information about the IPv6 neighbors. After completing the ping testing, you can find entries for interface addresses in the IPv6 neighbor cache.
Action
From operational mode, enter the show ipv6 neighbors command.
user@R1> show ipv6 neighbors
IPv6 Address                 Linklayer Address  State       Exp Rtr Secure Interface
2001:db8:0:1:2a0:a514:0:24c  00:05:85:8f:c8:bd  stale       546 yes no     fe-1/2/0.1
fe80::2a0:a514:0:24c         00:05:85:8f:c8:bd  stale       258 yes no     fe-1/2/0.1
fe80::2a0:a514:0:64c         00:05:85:8f:c8:bd  stale       111 yes no     fe-1/2/1.5
fe80::2a0:a514:0:a4c         00:05:85:8f:c8:bd  stale       327 yes no     fe-1/2/2.9
Meaning
In IPv6, the Address Resolution Protocol (ARP) has been replaced by the Neighbor Discovery Protocol (NDP). The IPv4 command show arp is replaced by the IPv6 command show ipv6 neighbors. The key pieces of information displayed by this command are the IP address, the MAC (link-layer) address, and the interface.
Verifying IPv6 Router Advertisements
Purpose
Confirm that devices can be added to the network using SLAAC by ensuring that router advertisements are working properly.
Action
From operational mode, enter the show ipv6 router-advertisement command.
user@R1> show ipv6 router-advertisement
Interface: fe-1/2/0.1
  Advertisements sent: 37, last sent 00:01:41 ago
  Solicits received: 0
  Advertisements received: 38
  Advertisement from fe80::2a0:a514:0:24c, heard 00:05:46 ago
    Managed: 0
    Other configuration: 0
    Reachable time: 0 ms
    Default lifetime: 1800 sec
    Retransmit timer: 0 ms
    Current hop limit: 64
    Prefix: 2001:db8:0:1::/64
      Valid lifetime: 2592000 sec
      Preferred lifetime: 604800 sec
      On link: 1
      Autonomous: 1
Interface: fe-1/2/1.5
  Advertisements sent: 36, last sent 00:05:49 ago
  Solicits received: 0
  Advertisements received: 37
  Advertisement from fe80::2a0:a514:0:64c, heard 00:00:54 ago
    Managed: 0
    Other configuration: 0
    Reachable time: 0 ms
    Default lifetime: 1800 sec
    Retransmit timer: 0 ms
    Current hop limit: 64
    Prefix: 2001:db8:0:5::/64
      Valid lifetime: 2592000 sec
      Preferred lifetime: 604800 sec
      On link: 1
      Autonomous: 1
Interface: fe-1/2/2.9
  Advertisements sent: 36, last sent 00:01:37 ago
  Solicits received: 0
  Advertisements received: 38
  Advertisement from fe80::2a0:a514:0:a4c, heard 00:01:00 ago
    Managed: 0
    Other configuration: 0
    Reachable time: 0 ms
    Default lifetime: 1800 sec
    Retransmit timer: 0 ms
    Current hop limit: 64
    Prefix: 2001:db8:0:9::/64
      Valid lifetime: 2592000 sec
      Preferred lifetime: 604800 sec
      On link: 1
      Autonomous: 1
Meaning
The output shows that router advertisements are being sent and received on Device R1's interfaces, indicating that both Device R1 and its directly connected neighbors are configured to generate router advertisements.
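The verification above reads the show ipv6 router-advertisement output by eye. As an added example (not Junos or Juniper code), the following Python parses that same output format and checks each heard advertisement against what the operator expects: the source must be a known neighbor router's link-local address, the advertised prefix must be the one configured for that interface, and the lifetimes must be consistent. The KNOWN_ROUTERS and CONFIGURED_PREFIX tables are assumed operator knowledge taken from this example; the fe-1/2/2.9 block in the sample is constructed to show what an advertisement from an unconfigured router looks like to the checks.

```python
"""Audit 'show ipv6 router-advertisement' output (added example, not Junos code)."""
import ipaddress
import re

# Constructed sample: the fe-1/2/0.1 block from Device R1's output above
# (abridged), plus a made-up fe-1/2/2.9 block (source fe80::1, prefix
# 2001:db8:bad::/64) standing in for an RA heard from an unconfigured router.
SAMPLE_OUTPUT = """\
Interface: fe-1/2/0.1
  Advertisements sent: 37, last sent 00:01:41 ago
  Solicits received: 0
  Advertisements received: 38
  Advertisement from fe80::2a0:a514:0:24c, heard 00:05:46 ago
    Default lifetime: 1800 sec
    Current hop limit: 64
    Prefix: 2001:db8:0:1::/64
      Valid lifetime: 2592000 sec
      Preferred lifetime: 604800 sec
      On link: 1
      Autonomous: 1
Interface: fe-1/2/2.9
  Advertisements received: 1
  Advertisement from fe80::1, heard 00:00:03 ago
    Default lifetime: 1800 sec
    Prefix: 2001:db8:bad::/64
      Valid lifetime: 600 sec
      Preferred lifetime: 1200 sec
      On link: 1
      Autonomous: 1
"""

# Assumed operator knowledge: link-local addresses of the neighbor routers
# seen in the output above, and the prefix configured under
# [edit protocols router-advertisement] for each of R1's interfaces.
KNOWN_ROUTERS = {"fe80::2a0:a514:0:24c", "fe80::2a0:a514:0:64c", "fe80::2a0:a514:0:a4c"}
CONFIGURED_PREFIX = {
    "fe-1/2/0.1": "2001:db8:0:1::/64",
    "fe-1/2/1.5": "2001:db8:0:5::/64",
    "fe-1/2/2.9": "2001:db8:0:9::/64",
}

PIO_FIELD = re.compile(r"(Valid lifetime|Preferred lifetime|On link|Autonomous): (\d+)")


def parse_ra_output(text: str) -> list:
    """Return one dict per interface: {name, adverts: [{source, default_lifetime, prefixes}]}."""
    ifaces, adv, pfx = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            ifaces.append({"name": line.split(":", 1)[1].strip(), "adverts": []})
            adv = pfx = None
        elif line.startswith("Advertisement from"):  # not "Advertisements sent/received"
            source = re.match(r"Advertisement from ([^,]+),", line).group(1)
            adv = {"source": source, "default_lifetime": 0, "prefixes": []}
            pfx = None
            ifaces[-1]["adverts"].append(adv)
        elif adv is not None and line.startswith("Default lifetime:"):
            adv["default_lifetime"] = int(line.split()[2])
        elif adv is not None and line.startswith("Prefix:"):
            pfx = {"prefix": line.split()[1]}
            adv["prefixes"].append(pfx)
        elif pfx is not None and (m := PIO_FIELD.match(line)):
            pfx[m.group(1).lower().replace(" ", "_")] = int(m.group(2))
    return ifaces


def check_interface(iface: dict) -> list:
    """Findings for one interface; empty means every heard RA matches what R1 was configured for."""
    name, findings = iface["name"], []
    for adv in iface["adverts"]:
        src = adv["source"]
        if not ipaddress.IPv6Address(src).is_link_local:
            findings.append(f"{name}: RA source {src} is not link-local")
        if src not in KNOWN_ROUTERS:
            findings.append(f"{name}: RA from unknown router {src}")
        if adv["default_lifetime"] == 0:
            findings.append(f"{name}: {src} does not offer itself as a default router")
        for p in adv["prefixes"]:
            if p["prefix"] != CONFIGURED_PREFIX.get(name):
                findings.append(f"{name}: unexpected prefix {p['prefix']} from {src}")
            # RFC 4862: a preferred lifetime longer than the valid lifetime is invalid.
            if p.get("preferred_lifetime", 0) > p.get("valid_lifetime", 0):
                findings.append(f"{name}: preferred lifetime exceeds valid lifetime for {p['prefix']}")
    return findings


def audit(text: str) -> list:
    """Run the checks over a whole 'show ipv6 router-advertisement' capture."""
    findings = []
    for iface in parse_ra_output(text):
        findings.extend(check_interface(iface))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_OUTPUT):
        print(finding)
```

On the sample, fe-1/2/0.1 produces no findings and the constructed fe-1/2/2.9 block produces three (unknown source, unexpected prefix, preferred lifetime longer than valid lifetime).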
Tracing Neighbor Discovery Events
Purpose
Perform |
n v |
n by tracing router v r s m n s |
cn
1. C n r trace |
r ns |
[edit protocols router-advertisement traceoptions] user@R1# set ipv6-nd-trace
user@R1# |
set r c |
ns |
all |
user@R1# |
commit |
|
|
18
2. Run the show log command.
user@R1> show log ipv6-nd-trace
Mar 29 14:07:16 trace_on: Tracing to "/var/log/P1/ipv6-nd-trace" started Mar 29 14:07:16.287229 background dispatch running job ipv6_ra_delete_interface_config_job for task Router-Advertisement
Mar 29 14:07:16.287452 task_job_delete: delete background job ipv6_ra_delete_interface_config_job for task Router-Advertisement Mar 29 14:07:16.287505 background dispatch completed job ipv6_ra_delete_interface_config_job for task Router-Advertisement
Mar 29 14:07:16.288288 ipv6_ra_iflchange(Router-Advertisement): ifl 0xb904378 ifl fe-1/2/2.9 104 change 0, intf 0xba140d8
Mar 29 14:07:16.288450 ipv6_ra_iflchange(Router-Advertisement): ifl 0xb904250 ifl fe-1/2/0.1 85 change 0, intf 0xba14000
Mar 29 14:07:16.288656 ipv6_ra_iflchange(Router-Advertisement): ifl 0xb9044a0 ifl fe-1/2/1.5 80 change 0, intf 0xba1406c
Mar 29 14:07:16.289293 ipv6_ra_ifachange(Router-Advertisement): ifa 0xba002bc fe80::2a0:a514:0:54c ifl fe-1/2/1.5 80 change 0, intf 0xba1406c
Mar 29 14:07:16.289358 -- nochange/add
Mar 29 14:07:16.289624 ipv6_ra_ifachange(Router-Advertisement): ifa 0xba00230 2001:db8:0:5:2a0:a514:0:54c ifl fe-1/2/1.5 80 change 0, intf 0xba1406c
Mar 29 14:07:16.289682 -- nochange/add
Mar 29 14:07:16.289950 ipv6_ra_ifachange(Router-Advertisement): ifa 0xba001a4 fe80::2a0:a514:0:14c ifl fe-1/2/0.1 85 change 0, intf 0xba14000
Mar 29 14:07:16.290009 -- nochange/add
Mar 29 14:07:16.290302 ipv6_ra_ifachange(Router-Advertisement): ifa 0xba00118 2001:db8:0:1:2a0:a514:0:14c ifl fe-1/2/0.1 85 change 0, intf 0xba14000
Mar 29 14:07:16.290365 -- nochange/add
Mar 29 14:07:16.290634 ipv6_ra_ifachange(Router-Advertisement): ifa 0xba003d4 fe80::2a0:a514:0:94c ifl fe-1/2/2.9 104 change 0, intf 0xba140d8
Mar 29 14:07:16.290694 -- nochange/add
Mar 29 14:07:16.290958 ipv6_ra_ifachange(Router-Advertisement): ifa 0xba00348 2001:db8:0:9:2a0:a514:0:94c ifl fe-1/2/2.9 104 change 0, intf 0xba140d8
Mar 29 14:07:16.291017 -- nochange/add
Mar 29 14:07:20.808516 task_job_create_foreground: create job ipv6 ra for task Router-Advertisement
Mar 29 14:07:20.808921 foreground dispatch running job ipv6 ra for task Router-Advertisement
Mar 29 14:07:20.809027 ipv6_ra_send_advertisement: sending advertisement for ifl 104 to ff02::1
Mar 29 14:07:20.809087 (4810916) sending advertisement for ifl 104
Mar 29 14:07:20.809170 ifa 0xba00348 2001:db8:0:9:2a0:a514:0:94c/64
Mar 29 14:07:20.809539 --> sent 56 bytes
Mar 29 14:07:20.809660 task_timer_reset: reset Router-Advertisement_ipv6ra
Mar 29 14:07:20.809725 task_timer_set_oneshot_latest: timer Router-Advertisement_ipv6ra interval set to 7:07
Mar 29 14:07:20.809772 foreground dispatch completed job ipv6 ra for task Router-Advertisement
RELATED DOCUMENTATION
Supported IPv4, TCP, and UDP Standards
Supported IPv6 Standards
Accessing Standards Documents on the Internet
Secure IPv6 Neighbor Discovery
SUMMARY
The Secure Neighbor Discovery (SEND) Protocol for IPv6 traffic prevents an attacker who has access to the broadcast segment from abusing NDP to trick hosts into sending the attacker traffic destined for someone else, the IPv6 counterpart of the technique known in IPv4 as ARP poisoning.
IN THIS SECTION
Understanding Secure IPv6 Neighbor Discovery | 19
Example: Configuring Secure IPv6 Neighbor Discovery | 20
Understanding Secure IPv6 Neighbor Discovery
One of the functions of the IPv6 Neighbor Discovery Protocol (NDP) is to resolve network layer (IP) addresses to link layer (for example, Ethernet) addresses, a function performed in IPv4 by the Address Resolution Protocol (ARP). The Secure Neighbor Discovery (SEND) Protocol, defined in RFC 3971, prevents an attacker who has access to the broadcast segment from abusing NDP to trick hosts into sending the attacker traffic destined for someone else. This is the IPv6 counterpart of ARP poisoning and is usually called neighbor cache poisoning.

To protect against neighbor cache poisoning and other attacks against NDP functions, SEND should be deployed where preventing access to the broadcast segment might not be possible.

SEND uses RSA key pairs to produce cryptographically generated addresses, as defined in RFC 3972, Cryptographically Generated Addresses (CGA). The interface identifier of a CGA is derived from a hash of the node's public key, and the node signs its NDP messages with the matching private key. A receiver can therefore check, without any prior trust relationship, that the claimed source of an NDP message is the owner of the claimed address; it cannot, by itself, tell a legitimate router from any other node that owns a valid CGA.
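How the address-to-key binding described above works in practice, as an added example that is not Junos OS code or code from this guide: a minimal RFC 3972 CGA generation and verification. The "public key" is a constructed byte string standing in for a DER-encoded RSA public key, the prefix 2001:db8:0:9::/64 is borrowed from the trace output earlier in this guide, and no CGA extension fields are used; the Sec parameter, modifier search and collision count follow the RFC.

```python
# Added example (not Junos OS code): RFC 3972 Cryptographically Generated
# Addresses, the mechanism SEND uses to bind an IPv6 address to a public key.
# Assumptions: the "public key" below is a constructed byte string standing
# in for a DER-encoded RSA SubjectPublicKeyInfo, and no CGA extension
# fields are used.
import hashlib
import ipaddress
import secrets
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class CgaParams:
    """CGA Parameters as carried in the SEND CGA option (RFC 3972, section 3)."""
    modifier: bytes        # 16 octets, found by the Sec search below
    prefix: bytes          # 8 octets: the /64 subnet prefix
    collision_count: int   # 0, 1 or 2, incremented after a DAD collision
    public_key: bytes      # DER-encoded public key of the address owner

    def encode(self) -> bytes:
        return (self.modifier + self.prefix
                + bytes([self.collision_count]) + self.public_key)


def _hash1(p: CgaParams) -> bytes:
    """Hash1: leftmost 64 bits of SHA-1 over the complete CGA Parameters."""
    return hashlib.sha1(p.encode()).digest()[:8]


def _hash2(p: CgaParams) -> bytes:
    """Hash2: leftmost 112 bits of SHA-1 over modifier || 9 zero octets || key."""
    return hashlib.sha1(p.modifier + bytes(9) + p.public_key).digest()[:14]


def _hash2_ok(h2: bytes, sec: int) -> bool:
    """The 16*Sec leftmost bits of Hash2 must be zero (always true for Sec=0)."""
    needed = 16 * sec
    return needed == 0 or (int.from_bytes(h2, "big") >> (112 - needed)) == 0


def _interface_id(p: CgaParams, sec: int) -> bytes:
    """Hash1 with Sec in the three leftmost bits and the u/g bits (6, 7) cleared."""
    iid = bytearray(_hash1(p))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)
    return bytes(iid)


def generate_cga(prefix: bytes, public_key: bytes, sec: int,
                 modifier: Optional[bytes] = None,
                 dad_collides: Callable[[ipaddress.IPv6Address], bool] = lambda a: False,
                 ) -> Tuple[ipaddress.IPv6Address, CgaParams]:
    """RFC 3972 section 4. A fixed modifier makes the result reproducible;
    a real node starts from a random one. dad_collides stands in for DAD."""
    if not (0 <= sec <= 7 and len(prefix) == 8):
        raise ValueError("sec must be 0..7 and the prefix 8 octets")
    mod = int.from_bytes(modifier or secrets.token_bytes(16), "big")
    # Steps 2-3: search for a modifier whose Hash2 has 16*Sec leading zero bits.
    # Each Sec level costs the owner about 2^16 more SHA-1 trials, and an
    # attacker searching for a key that maps to this address pays the same.
    while True:
        p = CgaParams(mod.to_bytes(16, "big"), prefix, 0, public_key)
        if _hash2_ok(_hash2(p), sec):
            break
        mod = (mod + 1) % (1 << 128)
    # Steps 4-8: derive the interface ID; on a DAD collision bump the count.
    for count in range(3):
        p = CgaParams(p.modifier, prefix, count, public_key)
        addr = ipaddress.IPv6Address(prefix + _interface_id(p, sec))
        if not dad_collides(addr):
            return addr, p
    raise RuntimeError("three DAD collisions: stop and report an error (step 8)")


def verify_cga(addr: ipaddress.IPv6Address, p: CgaParams) -> bool:
    """RFC 3972 section 5: a receiver recomputes the address from the
    parameters sent in the CGA option. It needs no trust anchor; the RSA
    Signature option then proves the sender holds the matching private key."""
    if p.collision_count > 2:
        return False
    packed = addr.packed
    if packed[:8] != p.prefix:
        return False
    sec = packed[8] >> 5                  # Sec is carried in the address itself
    if _interface_id(p, sec) != packed[8:]:
        return False
    return _hash2_ok(_hash2(p), sec)


# Constructed stand-in for a DER-encoded RSA public key (not a real key).
FAKE_PUBLIC_KEY = b"\x30\x0d" + bytes(range(64))
# Subnet prefix 2001:db8:0:9::/64, as used on fe-1/2/2.9 in the trace above.
PREFIX = ipaddress.IPv6Network("2001:db8:0:9::/64").network_address.packed[:8]


def demo(sec: int = 1) -> dict:
    """Generate a CGA, verify it, then show that the same address does not
    verify once an attacker substitutes a different public key."""
    addr, params = generate_cga(PREFIX, FAKE_PUBLIC_KEY, sec, modifier=bytes(16))
    forged = CgaParams(params.modifier, params.prefix, params.collision_count,
                       FAKE_PUBLIC_KEY[:-1] + b"\x00")
    return {"address": str(addr), "sec": addr.packed[8] >> 5,
            "valid": verify_cga(addr, params), "forged_valid": verify_cga(addr, forged)}


if __name__ == "__main__":
    print(demo())
```

The forged case is the point of the exercise: an attacker on the segment can send a Neighbor Advertisement for the victim's address, but cannot produce CGA parameters containing their own key that hash to it, so a receiver enforcing secure-messages-only drops the message. Sec 1 already costs about 2^16 SHA-1 operations per attempted match; Sec 0 gives only the 64-bit hash, which is why raising Sec is worthwhile on segments you cannot physically control.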
Example: Configuring Secure IPv6 Neighbor Discovery
IN THIS SECTION
Requirements | 20
Overview | 20
Configuration | 22
Verification | 24
This example shows how to configure IPv6 Secure Neighbor Discovery (SEND).
Requirements
This example has the following requirements:
• Junos OS Release 9.3 or later
• IPv6 deployed in your network
• If you have not already done so, you must generate or install an RSA key pair. To generate a new RSA key pair, enter the following command:
user@host> request security pki generate-key-pair type rsa certificate-id certificate-id-name size size
Overview
IN THIS SECTION
Topology | 21
To configure SEND, include the following statements:
protocols {
    neighbor-discovery {
        onlink-subnet-only;
        secure {
            security-level {
                (default | secure-messages-only);
            }
            cryptographic-address {
                key-length number;
                key-pair pathname;
            }
            timestamp {
                clock-drift number;
                known-peer-window seconds;
                new-peer-window seconds;
            }
            traceoptions {
                file filename <files number> <match regular-expression> <size size> <world-readable | no-world-readable>;
                flag flag;
                no-remote-trace;
            }
        }
    }
}
Specify default to send and receive both secured and unsecured Neighbor Discovery Protocol (NDP) packets. To configure SEND to accept secured NDP messages only and to drop unsecured ones, specify secure-messages-only.
Note that with the default security level an attacker can still send unsecured NDP messages that the device accepts, so default only protects nodes that are themselves configured to require secured messages. All nodes on the segment need to be configured with SEND if the secure-messages-only option is used, which is recommended unless only a small subset of devices require increased protection. Failure to configure SEND for all nodes might result in loss of connectivity.
Topology
Configuration
IN THIS SECTION
Procedure | 22
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
set protocols neighbor-discovery secure security-level secure-messages-only
set protocols neighbor-discovery secure cryptographic-address key-length 1024
set protocols neighbor-discovery secure cryptographic-address key-pair /var/etc/rsa_key
set protocols neighbor-discovery secure timestamp
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode in the CLI User Guide.
To configure secure IPv6 neighbor discovery:
1. Configure the security level.
[edit protocols neighbor-discovery secure]
user@host# set security-level secure-messages-only
2. (Optional) Specify the key length.
The default key length is 1024 bits. A 1024-bit RSA key is below current general guidance for RSA key sizes, so consider a longer key if your platform and every SEND peer on the segment support it; peers verify the key that is sent to them, so all of them must be able to handle the length you choose.
[edit protocols neighbor-discovery secure]
user@host# set cryptographic-address key-length 1024
3. ( |
n ) Specify the directory path of the public-private key |
generated for the cryptographic |
||
address. |
|
|
|
|
The default c |
n of the |
is the /var/etc/rsa_key directory. |
|
[edit protocols neighbor-discovery secure] user@host# set cryptographic-address key-pair /var/etc/rsa_key
4. ( |
n ) C n |
r a m s m to ensure that s c |
n and redirect messages are not being |
replayed. |
|
|
[edit protocols neighbor-discovery secure] user@host# set m s m
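What the timestamp statement enables, as an added example that is not Junos OS code or code from this guide: the RFC 3971 Timestamp option encoding and the receiver-side check that rejects replayed and pre-dated Neighbor Discovery messages, written against the three parameter names from the configuration statement summary above. Mapping clock-drift, known-peer-window and new-peer-window to the RFC 3971 values drift, fuzz and Delta, and the defaults of 1 percent, 1 second and 300 seconds, are assumptions about Junos OS, not something stated on this page. The exchange fed to the checker is constructed.

```python
# Added example (not Junos OS code): the RFC 3971 Timestamp option and the
# receiver-side check that rejects replayed or pre-dated ND messages.
# Assumption: clock-drift, known-peer-window and new-peer-window correspond
# to the RFC 3971 parameters drift, fuzz and Delta (defaults 1 %, 1 s, 300 s).
from typing import Dict, List, Tuple

TS_FRACTION = 1 << 16   # 48-bit seconds since 1970-01-01 UTC + 16-bit 1/65536 s


def encode_timestamp(seconds: float) -> bytes:
    """Encode a time as the 8-octet Timestamp option value."""
    whole = int(seconds)
    frac = int((seconds - whole) * TS_FRACTION)
    return whole.to_bytes(6, "big") + frac.to_bytes(2, "big")


def decode_timestamp(raw: bytes) -> float:
    if len(raw) != 8:
        raise ValueError("Timestamp option value is 8 octets")
    return int.from_bytes(raw[:6], "big") + int.from_bytes(raw[6:], "big") / TS_FRACTION


class TimestampChecker:
    """Per-peer state (TSlast, RDlast) and the RFC 3971 section 5.3.4.2 checks."""

    def __init__(self, clock_drift: float = 1.0, known_peer_window: float = 1.0,
                 new_peer_window: float = 300.0) -> None:
        self.drift = clock_drift / 100.0   # percent -> fraction (RFC "drift")
        self.fuzz = known_peer_window      # seconds (RFC "fuzz")
        self.delta = new_peer_window       # seconds (RFC "Delta")
        self.peers: Dict[str, Tuple[float, float]] = {}

    def check(self, peer: str, ts_option: bytes, rd_new: float) -> Tuple[bool, str]:
        """peer: sender link-local address; rd_new: our receive time in seconds."""
        ts_new = decode_timestamp(ts_option)
        if peer not in self.peers:
            # New peer: all that can be checked is rough agreement of the clocks.
            if abs(rd_new - ts_new) >= self.delta:
                return False, "new peer: timestamp outside new-peer-window"
            self.peers[peer] = (ts_new, rd_new)
            return True, "new peer: accepted"
        ts_last, rd_last = self.peers[peer]
        # Check 1: the timestamp must not go backwards, which is what a replay
        # of a message older than the last accepted one looks like.
        if ts_new + self.fuzz <= ts_last:
            return False, "known peer: timestamp older than last accepted"
        # Check 2: the sender's clock may not have advanced further than ours
        # (allowing for drift), which catches messages stamped in the future.
        if rd_new + self.fuzz <= rd_last + (ts_new - ts_last) * (1.0 - self.drift):
            return False, "known peer: timestamp too far ahead of receive time"
        self.peers[peer] = (ts_new, rd_new)
        return True, "known peer: accepted"


def demo() -> List[bool]:
    """Constructed exchange on one segment: the router seen in the trace
    (fe80::2a0:a514:0:94c) sends two RAs, an attacker replays the first and
    then forges a pre-dated one, and a new peer appears with a skewed clock."""
    chk = TimestampChecker()   # assumed Junos defaults: 1 %, 1 s, 300 s
    router = "fe80::2a0:a514:0:94c"
    return [
        chk.check(router, encode_timestamp(1000.0), 1000.2)[0],   # RA #1: accepted
        chk.check(router, encode_timestamp(1010.0), 1010.1)[0],   # RA #2: accepted
        chk.check(router, encode_timestamp(1000.0), 1020.0)[0],   # replay of RA #1
        chk.check(router, encode_timestamp(2030.0), 1030.0)[0],   # stamped 1000 s ahead
        chk.check("fe80::2", encode_timestamp(400.0), 1030.0)[0], # new peer, clock off
    ]


if __name__ == "__main__":
    print(demo())
```

Two practical consequences follow from the checks. A message that is simply delayed still passes, because only a timestamp that is older than the last accepted one or ahead of the receiver's clock is rejected; and a peer whose clock differs from the receiver's by more than new-peer-window is never accepted at all, so SEND deployments need the nodes' clocks kept in agreement.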
Results
From configuration mode, confirm your configuration by entering the show protocols command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host# show protocols
neighbor-discovery {
    secure {
        security-level {
            secure-messages-only;
        }
        cryptographic-address {
            key-length 1024;
            key-pair /var/etc/rsa_key;
        }
        timestamp;
    }
}