switch establishes binding only on perimeterical interfaces (see IPv6 First Hop Security Perimeter).
Binding information is saved in the Neighbor Binding table.
NBI-NDP Method
The NBI-NDP method used is based on the FCFS-SAVI method specified in RFC 6620, with the following differences:
• Unlike FCFS-SAVI, which supports binding only for link-local IPv6 addresses, NBI-NDP additionally supports binding global IPv6 addresses.
• NBI-NDP supports IPv6 address binding only for IPv6 addresses learnt from NDP messages. Source address validation for data messages is provided by IPv6 Source Address Guard.
• In NBI-NDP, proof of address ownership is based on the First-Come, First-Served principle. The first host that claims a given source address is the owner of that address until further notice. Since no host changes are acceptable, a way must be found to confirm address ownership without requiring a new protocol. For this reason, whenever an IPv6 address is first learned from an NDP message, the switch binds the address to the interface. Subsequent NDP messages containing this IPv6 address can be checked against the same binding anchor to confirm that the originator owns the source IP address.
The exception to this rule occurs when an IPv6 host roams in the L2 domain or changes its MAC address. In this case, the host is still the owner of the IP address, but the associated binding anchor might have changed. To cope with this case, the defined NBI-NDP behavior implies verifying whether or not the host is still reachable by sending DAD-NS messages to the previous binding interface. If the host is no longer reachable at the previously recorded binding anchor, NBI-NDP assumes that the new anchor is valid and changes the binding anchor. If the host is still reachable using the previously recorded binding anchor, the binding interface is not changed.
To reduce the size of the Neighbor Binding table, NBI-NDP establishes binding only on perimeterical interfaces (see IPv6 First Hop Security Perimeter) and distributes binding information through internal interfaces using NS and NA messages. Before creating an NBI-NDP local binding, the device sends a DAD-NS message querying for the address involved. If a host replies to that message with an NA message, the device that sent the DAD-NS message infers that a binding for that address exists in another device and does not create a local binding for it. If no NA message is received as a reply to the DAD-NS message, the local device infers that no binding for that address exists in other devices and creates the local binding for that address.
Cisco Sx350, SG350X, SG350XG, Sx550X & SG550XG Series Managed Switches, Firmware Release 2.2.5.x
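The binding decisions described above (first-come first-served binding on perimeterical interfaces, DAD-NS verification of the previous anchor when a host appears to roam, and the DAD-NS query to other devices before a local binding is created), as an added illustrative model that is not Cisco's code. It assumes the switch's NDP and NA exchanges can be replaced by two constructed lookups, `answers_dad_ns` and `bound_elsewhere`, and it uses invented interface names and addresses.

```python
"""Added example (not from the Cisco guide): a model of the NBI-NDP binding
decisions. The wire is replaced by two constructed lookups: which
(address, interface) pairs answer a DAD-NS with an NA, and which addresses
another device already has bound."""
from typing import Callable, Dict, List, Set, Tuple

class NbiNdp:
    def __init__(self, perimeter: Set[str],
                 answers_dad_ns: Callable[[str, str], bool],
                 bound_elsewhere: Callable[[str], bool]) -> None:
        self.perimeter = perimeter              # only perimeterical interfaces get bindings
        self.answers_dad_ns = answers_dad_ns    # DAD-NS sent to (addr, iface): NA received?
        self.bound_elsewhere = bound_elsewhere  # DAD-NS over internal links: NA received?
        self.table: Dict[str, str] = {}         # Neighbor Binding table: addr -> anchor iface

    def on_ndp(self, addr: str, iface: str) -> Tuple[bool, str]:
        """Handle an NDP message with source addr arriving on iface.
        Returns (address accepted?, reason)."""
        if iface not in self.perimeter:
            return True, "internal interface: no local binding"
        anchor = self.table.get(addr)
        if anchor == iface:
            return True, "matches existing binding"
        if anchor is None:
            # First-come, first-served, unless another device already holds a binding.
            if self.bound_elsewhere(addr):
                return True, "bound on another device; no local binding"
            self.table[addr] = iface
            return True, "new binding"
        # Anchor differs: the host may have roamed or changed MAC. Ask the old anchor.
        if self.answers_dad_ns(addr, anchor):
            return False, "still reachable at previous anchor; binding kept"
        self.table[addr] = iface
        return True, "previous anchor silent; binding moved"

def run_scenario() -> Tuple[List[Tuple[bool, str]], Dict[str, str]]:
    """Constructed scenario: ::1 stays on gi1, ::2 roams from gi1 to gi2."""
    still_there = {("2001:db8::1", "gi1")}           # constructed NA responders
    dev = NbiNdp({"gi1", "gi2"},
                 lambda a, i: (a, i) in still_there,
                 lambda a: a == "2001:db8::3")        # ::3 already bound on a peer switch
    events = [("2001:db8::1", "gi1"), ("2001:db8::2", "gi1"),
              ("2001:db8::1", "gi2"),   # ::1 claimed on gi2 while owner still answers on gi1
              ("2001:db8::2", "gi2"),   # ::2 roamed; old anchor no longer answers
              ("2001:db8::3", "gi1"),   # bound elsewhere, so no local binding
              ("2001:db8::4", "gi5")]   # gi5 is an internal interface
    return [dev.on_ndp(a, i) for a, i in events], dict(dev.table)
```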