Cisco 500 Series Administration Manual page 521

23
519
Establishing Binding of Neighbors
An IPv6 First Hop Security switch can discover and record binding information by
using the following methods:
• NBI-NDP Method: Learning IPv6 addresses from the snooped Neighbor
Discovery Protocol messages
• NBI-DHCP method: By learning IPv6 addresses from the snooped DHCPv6
messages
• NBI-Manual Method: By manual configuration
An IPv6 address is bound to a link layer property of the host's network attachment.
This property, called a "binding anchor" consists of the interface identifier (ifIndex)
through which the host is connected to and the host's MAC address.
IPv6 First Hop Security switch establishes binding only on perimeterical interfaces
(see IPv6 First Hop Security
Binding information is saved in the Neighbor Binding table.
NBI-NDP Method
The NBI-NDP method used is based on the FCFS- SAVI method specified in
RFC6620, with the following differences:
• Unlike FCFS-SAVI, which supports only binding for link local IPv6
addresses, NBI-NDP additionally supports binding global IPv6 addresses
as well.
• NBI-NDP supports IPv6 address binding only for IPv6 addresses learnt from
NDP messages. Source address validation for data message is provided by
IPv6 Source Address Guard.
• In NBI-NDP, proof of address ownership is based on the First-Come, First-
Served principle. The first host that claims a given source address is the
owner of that address until further notice. Since no host changes are
acceptable, a way must be found to confirm address ownership without
requiring a new protocol. For this reason, whenever an IPv6 address is first
learned from an NDP message, the switch binds the address to the
interface. Subsequent NDP messages containing this IPV6 address can be
checked against the same binding anchor to confirm that the originator
owns the source IP address.
Security: IPv6 First Hop Security
Perimeter).
Cisco 500 Series Stackable Managed Switch Administration Guide
Neighbor Binding Integrity