Cisco 300 Series Administration Manual page 456

NBI-NDP method
The NBI-NDP method used is based on the FCFS-SAVI method specified in
RFC 6620, with the following differences:
• Unlike FCFS-SAVI, which supports binding only for link-local IPv6
addresses, NBI-NDP additionally supports binding global IPv6 addresses.
• NBI-NDP supports IPv6 address binding only for IPv6 addresses learnt from
NDP messages. Source address validation for data messages is provided by
IPv6 Source Address Guard.
In NBI-NDP, proof of address ownership is based on the First-Come,
First-Served principle. The first host that claims a given source address is the
owner of that address until further notice. Since no host changes are
acceptable, a way must be found to confirm address ownership without
requiring a new protocol. For this reason, whenever an IPv6 address is first
learned from an NDP message, the switch binds the address to the
interface. Subsequent NDP messages containing this IPv6 address can be
checked against the same binding anchor to confirm that the originator
owns the source IP address.
The exception to this rule occurs when an IPv6 host roams in the L2 domain
or changes its MAC address. In this case, the host is still the owner of the IP
address, but the associated binding anchor might have changed. To cope
with this case, the defined NBI-NDP behavior implies verification of whether
or not the host is still reachable by sending DAD-NS messages to the
previous binding interface. If the host is no longer reachable at the
previously-recorded binding anchor, NBI-NDP assumes that the new anchor
is valid and changes the binding anchor. If the host is still reachable using
the previously recorded binding anchor, the binding interface is not
changed.
To reduce the size of the Neighbor Binding table, NBI-NDP establishes binding
only on perimeter interfaces (see Neighbor Binding Integrity Perimeter) and
distributes binding information through internal interfaces using NS and NA
messages. Before creating an NBI-NDP local binding, the device sends a DAD-NS
message querying for the address involved. If a host replies to that message with
an NA message, the device that sent the DAD-NS message infers that a binding for
that address exists in another device and does not create a local binding for it. If no
NA message is received as a reply to the DAD-NS message, the local device
infers that no binding for that address exists in other devices and creates the local
binding for that address.
Cisco Small Business 200, 300 and 500 Series Managed Switch Administration Guide (Internal Version)
Security: IPv6 First Hop Security
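The following is an added model of the binding decisions described above (first-come first-served ownership, DAD-NS verification of the previous anchor when a host appears to roam, and perimeter-only binding with a DAD-NS query to other devices before a local binding is created). It is illustration code written for this page, not Cisco's implementation; the class and function names, the interface names (gi1, gi2, gi5) and the addresses are constructed, and the DAD-NS exchange is replaced by a lookup table that says whether an NA reply would come back.

```python
"""Model of NBI-NDP binding logic (constructed example, not Cisco code).

A binding anchors an IPv6 address (link-local or global) to the interface
and MAC it was first learned from.  The real switch sends DAD-NS messages
and waits for NA replies; here that exchange is a caller-supplied callback
so the decision logic can be exercised offline.
"""

from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set


@dataclass
class Binding:
    address: str
    interface: str
    mac: str


# dad_ns(address, interface) -> True if an NA reply comes back.
# interface=None means "query other devices over the internal interfaces".
DadNs = Callable[[str, Optional[str]], bool]


@dataclass
class NbiNdpDevice:
    perimeter_ifaces: Set[str]
    dad_ns: DadNs
    table: Dict[str, Binding] = field(default_factory=dict)

    def learn(self, address: str, interface: str, mac: str) -> str:
        """Process an NDP message claiming `address` from `mac` on `interface`.

        Returns a short decision label so callers (and tests) can see which
        rule fired.
        """
        # Bindings are established only on perimeter interfaces; NDP seen on
        # internal interfaces carries bindings owned by other devices.
        if interface not in self.perimeter_ifaces:
            return "ignored-internal"

        existing = self.table.get(address)
        if existing is None:
            # Before creating a local binding, ask whether another device
            # already holds a binding for this address (DAD-NS via internal
            # interfaces).  An NA reply means: bound elsewhere, do nothing.
            if self.dad_ns(address, None):
                return "bound-elsewhere"
            self.table[address] = Binding(address, interface, mac)
            return "new-binding"

        if existing.interface == interface and existing.mac == mac:
            # Same binding anchor: the originator still owns the address.
            return "confirmed"

        # Different anchor: either the host roamed / changed MAC, or a second
        # host is claiming an address it does not own.  Probe the previous
        # anchor; if the host still answers there, the first claim stands.
        if self.dad_ns(address, existing.interface):
            return "rejected-old-anchor-reachable"
        self.table[address] = Binding(address, interface, mac)
        return "anchor-moved"


def make_device(reachable: Dict[tuple, bool], perimeter_ifaces) -> NbiNdpDevice:
    """Build a device whose DAD-NS probes are answered from `reachable`,
    a mutable dict keyed by (address, interface-or-None)."""

    def dad_ns(address: str, interface: Optional[str]) -> bool:
        return reachable.get((address, interface), False)

    return NbiNdpDevice(set(perimeter_ifaces), dad_ns)


if __name__ == "__main__":
    reach: Dict[tuple, bool] = {}
    dev = make_device(reach, {"gi1", "gi2"})
    print(dev.learn("2001:db8::10", "gi1", "00:11:22:33:44:55"))  # new-binding
    reach[("2001:db8::10", "gi1")] = True   # host still answers on gi1
    print(dev.learn("2001:db8::10", "gi2", "aa:bb:cc:dd:ee:ff"))  # rejected
    reach[("2001:db8::10", "gi1")] = False  # host has moved away from gi1
    print(dev.learn("2001:db8::10", "gi2", "aa:bb:cc:dd:ee:ff"))  # anchor-moved
```

The `reachable` dict stands in for the network: setting `(address, "gi1")` to True models a host that still replies to a DAD-NS on its old interface, and `(address, None)` models another device answering over the internal interfaces.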