Tech-invite   3GPPspecs   RFCs   Search in Tech-invite

in Index   Prev   Next

RFC 4861

Neighbor Discovery for IP version 6 (IPv6)

Pages: 97
Group: IPV6
Draft STD
Obsoletes:  2461
Updated by:  59426980704875277559802883198425
Part 5 of 5 – Pages 73 to 97
First   Prev   None

Top   ToC   RFC4861 - Page 73   prevText
8.  Redirect Function

   This section describes the functions related to the sending and
   processing of Redirect messages.

   Redirect messages are sent by routers to redirect a host to a better
   first-hop router for a specific destination or to inform hosts that a
   destination is in fact a neighbor (i.e., on-link).  The latter is
   accomplished by having the ICMP Target Address be equal to the ICMP
   Destination Address.

   A router MUST be able to determine the link-local address for each of
   its neighboring routers in order to ensure that the target address in
   a Redirect message identifies the neighbor router by its link-local
   address.  For static routing, this requirement implies that the next-
   hop router's address should be specified using the link-local address
   of the router.  For dynamic routing, this requirement implies that
   all IPv6 routing protocols must somehow exchange the link-local
   addresses of neighboring routers.
Top   ToC   RFC4861 - Page 74
8.1.  Validation of Redirect Messages

   A host MUST silently discard any received Redirect message that does
   not satisfy all of the following validity checks:

      - IP Source Address is a link-local address.  Routers must use
        their link-local address as the source for Router Advertisement
        and Redirect messages so that hosts can uniquely identify

      - The IP Hop Limit field has a value of 255, i.e., the packet
        could not possibly have been forwarded by a router.

      - ICMP Checksum is valid.

      - ICMP Code is 0.

      - ICMP length (derived from the IP length) is 40 or more octets.

      - The IP source address of the Redirect is the same as the current
        first-hop router for the specified ICMP Destination Address.

      - The ICMP Destination Address field in the redirect message does
        not contain a multicast address.

      - The ICMP Target Address is either a link-local address (when
        redirected to a router) or the same as the ICMP Destination
        Address (when redirected to the on-link destination).

      - All included options have a length that is greater than zero.

   The contents of the Reserved field, and of any unrecognized options,
   MUST be ignored.  Future, backward-compatible changes to the protocol
   may specify the contents of the Reserved field or add new options;
   backward-incompatible changes may use different Code values.

   The contents of any defined options that are not specified to be used
   with Redirect messages MUST be ignored and the packet processed as
   normal.  The only defined options that may appear are the Target
   Link-Layer Address option and the Redirected Header option.

   A host MUST NOT consider a redirect invalid just because the Target
   Address of the redirect is not covered under one of the link's
   prefixes.  Part of the semantics of the Redirect message is that the
   Target Address is on-link.

   A redirect that passes the validity checks is called a "valid
Top   ToC   RFC4861 - Page 75
8.2.  Router Specification

   A router SHOULD send a redirect message, subject to rate limiting,
   whenever it forwards a packet that is not explicitly addressed to
   itself (i.e., a packet that is not source routed through the router)
   in which:

      - the Source Address field of the packet identifies a neighbor,

      - the router determines (by means outside the scope of this
        specification) that a better first-hop node resides on the same
        link as the sending node for the Destination Address of the
        packet being forwarded, and

      - the Destination Address of the packet is not a multicast

   The transmitted redirect packet contains, consistent with the message
   format given in Section 4.5:

      - In the Target Address field: the address to which subsequent
        packets for the destination should be sent.  If the target is a
        router, that router's link-local address MUST be used.  If the
        target is a host, the target address field MUST be set to the
        same value as the Destination Address field.

      - In the Destination Address field: the destination address of the
        invoking IP packet.

      - In the options:

           o Target Link-Layer Address option: link-layer address of the
             target, if known.

           o Redirected Header: as much of the forwarded packet as can
             fit without the redirect packet exceeding the minimum MTU
             required to support IPv6 as specified in [IPv6].

   A router MUST limit the rate at which Redirect messages are sent, in
   order to limit the bandwidth and processing costs incurred by the
   Redirect messages when the source does not correctly respond to the
   Redirects, or the source chooses to ignore unauthenticated Redirect
   messages.  More details on the rate-limiting of ICMP error messages
   can be found in [ICMPv6].

   A router MUST NOT update its routing tables upon receipt of a
Top   ToC   RFC4861 - Page 76
8.3.  Host Specification

   A host receiving a valid redirect SHOULD update its Destination Cache
   accordingly so that subsequent traffic goes to the specified target.
   If no Destination Cache entry exists for the destination, an
   implementation SHOULD create such an entry.

   If the redirect contains a Target Link-Layer Address option, the host
   either creates or updates the Neighbor Cache entry for the target.
   In both cases, the cached link-layer address is copied from the
   Target Link-Layer Address option.  If a Neighbor Cache entry is
   created for the target, its reachability state MUST be set to STALE
   as specified in Section 7.3.3.  If a cache entry already existed and
   it is updated with a different link-layer address, its reachability
   state MUST also be set to STALE.  If the link-layer address is the
   same as that already in the cache, the cache entry's state remains

   If the Target and Destination Addresses are the same, the host MUST
   treat the Target as on-link.  If the Target Address is not the same
   as the Destination Address, the host MUST set IsRouter to TRUE for
   the target.  If the Target and Destination Addresses are the same,
   however, one cannot reliably determine whether the Target Address is
   a router.  Consequently, newly created Neighbor Cache entries should
   set the IsRouter flag to FALSE, while existing cache entries should
   leave the flag unchanged.  If the Target is a router, subsequent
   Neighbor Advertisement or Router Advertisement messages will update
   IsRouter accordingly.

   Redirect messages apply to all flows that are being sent to a given
   destination.  That is, upon receipt of a Redirect for a Destination
   Address, all Destination Cache entries to that address should be
   updated to use the specified next-hop, regardless of the contents of
   the Flow Label field that appears in the Redirected Header option.

   A host MUST NOT send Redirect messages.

9.  Extensibility - Option Processing

   Options provide a mechanism for encoding variable length fields,
   fields that may appear multiple times in the same packet, or
   information that may not appear in all packets.  Options can also be
   used to add additional functionality to future versions of ND.

   In order to ensure that future extensions properly coexist with
   current implementations, all nodes MUST silently ignore any options
   they do not recognize in received ND packets and continue processing
   the packet.  All options specified in this document MUST be
Top   ToC   RFC4861 - Page 77
   recognized.  A node MUST NOT ignore valid options just because the ND
   message contains unrecognized ones.

   The current set of options is defined in such a way that receivers
   can process multiple options in the same packet independently of each
   other.  In order to maintain these properties, future options SHOULD
   follow the simple rule:

      The option MUST NOT depend on the presence or absence of any other
      options.  The semantics of an option should depend only on the
      information in the fixed part of the ND packet and on the
      information contained in the option itself.

   Adhering to the above rule has the following benefits:

     1) Receivers can process options independently of one another.  For
        example, an implementation can choose to process the Prefix
        Information option contained in a Router Advertisement message
        in a user-space process while the link-layer address option in
        the same message is processed by routines in the kernel.

     2) Should the number of options cause a packet to exceed a link's
        MTU, multiple packets can carry subsets of the options without
        any change in semantics.

     3) Senders MAY send a subset of options in different packets.  For
        instance, if a prefix's Valid and Preferred Lifetime are high
        enough, it might not be necessary to include the Prefix
        Information option in every Router Advertisement.  In addition,
        different routers might send different sets of options.  Thus, a
        receiver MUST NOT associate any action with the absence of an
        option in a particular packet.  This protocol specifies that
        receivers should only act on the expiration of timers and on the
        information that is received in the packets.

   Options in Neighbor Discovery packets can appear in any order;
   receivers MUST be prepared to process them independently of their
   order.  There can also be multiple instances of the same option in a
   message (e.g., Prefix Information options).

   If the number of included options in a Router Advertisement causes
   the advertisement's size to exceed the link MTU, the router can send
   multiple separate advertisements, each containing a subset of the

   The amount of data to include in the Redirected Header option MUST be
   limited so that the entire redirect packet does not exceed the
   minimum MTU required to support IPv6 as specified in [IPv6].
Top   ToC   RFC4861 - Page 78
   All options are a multiple of 8 octets of length, ensuring
   appropriate alignment without any "pad" options.  The fields in the
   options (as well as the fields in ND packets) are defined to align on
   their natural boundaries (e.g., a 16-bit field is aligned on a 16-bit
   boundary) with the exception of the 128-bit IP addresses/prefixes,
   which are aligned on a 64-bit boundary.  The link-layer address field
   contains an uninterpreted octet string; it is aligned on an 8-bit

   The size of an ND packet including the IP header is limited to the
   link MTU.  When adding options to an ND packet, a node MUST NOT
   exceed the link MTU.

   Future versions of this protocol may define new option types.
   Receivers MUST silently ignore any options they do not recognize and
   continue processing the message.

10.  Protocol Constants

   Router constants:

            MAX_INITIAL_RTR_ADVERT_INTERVAL  16 seconds

            MAX_INITIAL_RTR_ADVERTISEMENTS    3 transmissions

            MAX_FINAL_RTR_ADVERTISEMENTS      3 transmissions

            MIN_DELAY_BETWEEN_RAS             3 seconds

            MAX_RA_DELAY_TIME                 .5 seconds

   Host constants:

            MAX_RTR_SOLICITATION_DELAY        1 second

            RTR_SOLICITATION_INTERVAL         4 seconds

            MAX_RTR_SOLICITATIONS             3 transmissions

   Node constants:

            MAX_MULTICAST_SOLICIT             3 transmissions

            MAX_UNICAST_SOLICIT               3 transmissions

            MAX_ANYCAST_DELAY_TIME            1 second

            MAX_NEIGHBOR_ADVERTISEMENT        3 transmissions
Top   ToC   RFC4861 - Page 79
            REACHABLE_TIME               30,000 milliseconds

            RETRANS_TIMER                 1,000 milliseconds

            DELAY_FIRST_PROBE_TIME            5 seconds

            MIN_RANDOM_FACTOR                 .5

            MAX_RANDOM_FACTOR                 1.5

   Additional protocol constants are defined with the message formats in
   Section 4.

   All protocol constants are subject to change in future revisions of
   the protocol.

   The constants in this specification may be overridden by specific
   documents that describe how IPv6 operates over different link layers.
   This rule allows Neighbor Discovery to operate over links with widely
   varying performance characteristics.

11.  Security Considerations

   Neighbor Discovery is subject to attacks that cause IP packets to
   flow to unexpected places.  Such attacks can be used to cause denial
   of service but also allow nodes to intercept and optionally modify
   packets destined for other nodes.  This section deals with the main
   threats related to Neighbor Discovery messages and possible security
   mechanisms that can mitigate these threats.

11.1.  Threat Analysis

   This section discusses the main threats associated with Neighbor
   Discovery.  A more detailed analysis can be found in [PSREQ].  The
   main vulnerabilities of the protocol fall under three categories:

   - Denial-of-Service (DoS) attacks.
   - Address spoofing attacks.
   - Router spoofing attacks.

   An example of denial of service attacks is that a node on the link
   that can send packets with an arbitrary IP source address can both
   advertise itself as a default router and also send "forged" Router
   Advertisement messages that immediately time out all other default
   routers as well as all on-link prefixes.  An intruder can achieve
   this by sending out multiple Router Advertisements, one for each
   legitimate router, with the source address set to the address of
   another router, the Router Lifetime field set to zero, and the
Top   ToC   RFC4861 - Page 80
   Preferred and Valid lifetimes set to zero for all the prefixes.  Such
   an attack would cause all packets, for both on-link and off-link
   destinations, to go to the rogue router.  That router can then
   selectively examine, modify, or drop all packets sent on the link.
   The Neighbor Unreachability Detection (NUD) will not detect such a
   black hole as long as the rogue router politely answers the NUD
   probes with a Neighbor Advertisement with the R-bit set.

   It is also possible for any host to launch a DoS attack on another
   host by preventing it from configuring an address using [ADDRCONF].
   The protocol does not allow hosts to verify whether the sender of a
   Neighbor Advertisement is the true owner of the IP address included
   in the message.

   Redirect attacks can also be achieved by any host in order to flood a
   victim or steal its traffic.  A host can send a Neighbor
   Advertisement (in response to a solicitation) that contains its IP
   address and a victim's link-layer address in order to flood the
   victim with unwanted traffic.  Alternatively, the host can send a
   Neighbor Advertisement that includes a victim's IP address and its
   own link-layer address to overwrite an existing entry in the sender's
   destination cache, thereby forcing the sender to forward all of the
   victim's traffic to itself.

   The trust model for redirects is the same as in IPv4.  A redirect is
   accepted only if received from the same router that is currently
   being used for that destination.  If a host has been redirected to
   another node (i.e., the destination is on-link), there is no way to
   prevent the target from issuing another redirect to some other
   destination.  However, this exposure is no worse than it was before
   being redirected; the target host, once subverted, could always act
   as a hidden router to forward traffic elsewhere.

   The protocol contains no mechanism to determine which neighbors are
   authorized to send a particular type of message (e.g., Router
   Advertisements); any neighbor, presumably even in the presence of
   authentication, can send Router Advertisement messages thereby being
   able to cause denial of service.  Furthermore, any neighbor can send
   proxy Neighbor Advertisements as well as unsolicited Neighbor
   Advertisements as a potential denial-of-service attack.

   Many link layers are also subject to different denial-of-service
   attacks such as continuously occupying the link in CSMA/CD (Carrier
   Sense Multiple Access with Collision Detection) networks (e.g., by
   sending packets closely back-to-back or asserting the collision
   signal on the link), or originating packets with somebody else's
   source MAC address to confuse, e.g., Ethernet switches.  On the other
   hand, many of the threats discussed in this section are less
Top   ToC   RFC4861 - Page 81
   effective, or non-existent, on point-to-point links, or cellular
   links where a host shares a link with only one neighbor, i.e., the
   default router.

11.2.  Securing Neighbor Discovery Messages

   The protocol reduces the exposure to the above threats in the absence
   of authentication by ignoring ND packets received from off-link
   senders.  The Hop Limit field of all received packets is verified to
   contain 255, the maximum legal value.  Because routers decrement the
   Hop Limit on all packets they forward, received packets containing a
   Hop Limit of 255 must have originated from a neighbor.

   Cryptographic security mechanisms for Neighbor Discovery are outside
   the scope of this document and are defined in [SEND].  Alternatively,
   IPsec can be used for IP layer authentication [IPv6-SA].  The use of
   the Internet Key Exchange (IKE) is not suited for creating dynamic
   security associations that can be used to secure address resolution
   or neighbor solicitation messages as documented in [ICMPIKE].

   In some cases, it may be acceptable to use statically configured
   security associations with either [IPv6-AUTH] or [IPv6-ESP] to secure
   Neighbor Discovery messages.  However, it is important to note that
   statically configured security associations are not scalable
   (especially when considering multicast links) and are therefore
   limited to small networks with known hosts.  In any case, if either
   [IPv6-AUTH] or [IPv6-ESP] is used, ND packets MUST be verified for
   the purpose of authentication.  Packets that fail authentication
   checks MUST be silently discarded.

12.  Renumbering Considerations

   The Neighbor Discovery protocol together with IPv6 Address
   Autoconfiguration [ADDRCONF] provides mechanisms to aid in
   renumbering -- new prefixes and addresses can be introduced and old
   ones can be deprecated and removed.

   The robustness of these mechanisms is based on all the nodes on the
   link receiving the Router Advertisement messages in a timely manner.
   However, a host might be turned off or be unreachable for an extended
   period of time (i.e., a machine is powered down for months after a
   project terminates).  It is possible to preserve robust renumbering
   in such cases, but it does place some constraints on how long
   prefixes must be advertised.

   Consider the following example in which a prefix is initially
   advertised with a lifetime of 2 months, but on August 1st it is
   determined that the prefix needs to be deprecated and removed due to
Top   ToC   RFC4861 - Page 82
   renumbering by September 1st.  This can be done by reducing the
   advertised lifetime to 1 week starting on August 1st, and as the
   cutoff gets closer, the lifetimes can be made shorter until by
   September 1st the prefix is advertised with a lifetime of 0.  The
   point is that, if one or more nodes were unplugged from the link
   prior to September 1st, they might still think that the prefix is
   valid since the last lifetime they received was 2 months.  Thus, if a
   node was unplugged on July 31st, it thinks the prefix is valid until
   September 30th.  If that node is plugged back in prior to September
   30th, it may continue to use the old prefix.  The only way to force a
   node to stop using a prefix that was previously advertised with a
   long lifetime is to have that node receive an advertisement for that
   prefix that changes the lifetime downward.  The solution in this
   example is simple: continue advertising the prefix with a lifetime of
   0 from September 1st until October 1st.

   In general, in order to be robust against nodes that might be
   unplugged from the link, it is important to track the furthest into
   the future that a particular prefix can be viewed as valid by any
   node on the link.  The prefix must then be advertised with a 0
   lifetime until that point in the future.  This "furthest into the
   future" time is simply the maximum, over all Router Advertisements,
   of the time the advertisement was sent, plus the prefix's lifetime
   contained in the advertisement.

   The above has an important implication on using infinite lifetimes.
   If a prefix is advertised with an infinite lifetime, and that prefix
   later needs to be renumbered, it is undesirable to continue
   advertising that prefix with a zero lifetime forever.  Thus, either
   infinite lifetimes should be avoided or there must be a limit on how
   long of a time a node can be unplugged from the link before it is
   plugged back in again.  However, it is unclear how the network
   administrator can enforce a limit on how long time hosts such as
   laptops can be unplugged from the link.

   Network administrators should give serious consideration to using
   relatively short lifetimes (i.e., no more than a few weeks).  While
   it might appear that using long lifetimes would help ensure
   robustness, in reality, a host will be unable to communicate in the
   absence of properly functioning routers.  Such routers will be
   sending Router Advertisements that contain appropriate (and current)
   prefixes.  A host connected to a network that has no functioning
   routers is likely to have more serious problems than just a lack of a
   valid prefix and address.
Top   ToC   RFC4861 - Page 83
   The above discussion does not distinguish between the preferred and
   valid lifetimes.  For all practical purposes, it is probably
   sufficient to track the valid lifetime since the preferred lifetime
   will not exceed the valid lifetime.

13.  IANA Considerations

   This document does not require any new ICMPv6 types or codes to be
   allocated.  However, existing ICMPv6 types have been updated to point
   to this document instead of RFC 2461.  The procedure for the
   assignment of ICMPv6 types/codes is described in Section 6 of

   This document continues to use the following ICMPv6 message types
   introduced in RFC 2461 and already assigned by IANA:

      Message name                            ICMPv6 Type

      Router Solicitation                      133
      Router Advertisement                     134
      Neighbor Solicitation                    135
      Neighbor Advertisement                   136
      Redirect                                 137

   This document continues to use the following Neighbor Discovery
   option types introduced in RFC 2461 and already assigned by IANA:

      Option Name                             Type

      Source Link-Layer Address                    1
      Target Link-Layer Address                    2
      Prefix Information                           3
      Redirected Header                            4
      MTU                                          5

   Neighbor Discovery option types are allocated using the following

   1. The IANA should allocate and permanently register new option types
   from IETF RFC publication.  This is for all RFC types including
   standards track, informational, and experimental status that
   originate from the IETF and have been approved by the IESG for

   2. IETF working groups with working group consensus and area director
   approval can request reclaimable Neighbor Discovery option type
   assignments from the IANA.  The IANA will tag the values as
   "reclaimable in future".
Top   ToC   RFC4861 - Page 84
   The "reclaimable in the future" tag will be removed when an RFC is
   published documenting the protocol as defined in 1).  This will make
   the assignment permanent and update the reference on the IANA Web

   At the point where the option type values are 85% assigned, the IETF
   will review the assignments tagged "reclaimable in the future" and
   inform the IANA which ones should be reclaimed and reassigned.

   3. Requests for new option type value assignments from outside the
   IETF are only made through the publication of an IETF document, per
   1) above.  Note also that documents published as "RFC Editor
   contributions" [RFC3667] are not considered to be IETF documents.

14.  References

14.1.  Normative References

   [ADDR-ARCH]  Hinden, R. and S. Deering, "IP Version 6 Addressing
                Architecture", RFC 4291, February 2006.

   [ICMPv6]     Conta, A., Deering, S., and M. Gupta, Ed., "Internet
                Control Message Protocol (ICMPv6) for the Internet
                Protocol Version 6 (IPv6) Specification", RFC 4443,
                March 2006.

   [IPv6]       Deering, S. and R. Hinden, "Internet Protocol, Version 6
                (IPv6) Specification", RFC 2460, December 1998.

   [KEYWORDS]   Bradner, S., "Key words for use in RFCs to Indicate
                Requirement Levels", BCP 14, RFC 2119, March 1997.

14.2.  Informative References

   [ADDRCONF]   Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
                Address Autoconfiguration", RFC 4862, September 2007.

   [ADDR-SEL]   Draves, R., "Default Address Selection for Internet
                Protocol version 6 (IPv6)", RFC 3484, February 2003.

   [ARP]        Plummer, D., "Ethernet Address Resolution Protocol: Or
                Converting Network Protocol Addresses to 48.bit Ethernet
                Address for Transmission on Ethernet Hardware", STD 37,
                RFC 826, November 1982.

   [ASSIGNED]   Reynolds, J., Ed., "Assigned Numbers: RFC 1700 is
                Replaced by an On-line Database", RFC 3232, January
Top   ToC   RFC4861 - Page 85
   [DHCPv6]     Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins,
                C., and M. Carney, "Dynamic Host Configuration Protocol
                for IPv6 (DHCPv6)", RFC 3315, July 2003.

   [HR-CL]      Braden, R., Ed., "Requirements for Internet Hosts -
                Communication Layers", STD 3, RFC 1122, October 1989.

   [ICMPIKE]    Arkko, J., "Effects of ICMPv6 on IKE", Work in Progress,
                March 2003.

   [ICMPv4]     Postel, J., "Internet Control Message Protocol", STD 5,
                RFC 792, September 1981.

   [IPv6-3GPP]  Wasserman, M., Ed., "Recommendations for IPv6 in Third
                Generation Partnership Project (3GPP) Standards", RFC
                3314, September 2002.

   [IPv6-CELL]  Arkko, J., Kuijpers, G., Soliman, H., Loughney, J., and
                J. Wiljakka, "Internet Protocol Version 6 (IPv6) for
                Some Second and Third Generation Cellular Hosts", RFC
                3316, April 2003.

   [IPv6-ETHER] Crawford, M., "Transmission of IPv6 Packets over
                Ethernet Networks", RFC 2464, December 1998.

   [IPv6-SA]    Kent, S. and K. Seo, "Security Architecture for the
                Internet Protocol", RFC 4301, December 2005.

   [IPv6-AUTH]  Kent, S., "IP Authentication Header", RFC 4302, December

   [IPv6-ESP]   Kent, S., "IP Encapsulating Security Payload (ESP)", RFC
                4303, December 2005.

   [IPv6-NBMA]  Armitage, G., Schulter, P., Jork, M., and G. Harter,
                "IPv6 over Non-Broadcast Multiple Access (NBMA)
                networks", RFC 2491, January 1999.

   [LD-SHRE]    Hinden, R. and D. Thaler, "IPv6 Host-to-Router Load
                Sharing", RFC 4311, November 2005.

   [MIPv6]      Johnson, D., Perkins, C., and J. Arkko, "Mobility
                Support in IPv6", RFC 3775, June 2004.

   [MLD]        Deering, S., Fenner, W., and B. Haberman, "Multicast
                Listener Discovery (MLD) for IPv6", RFC 2710, October
Top   ToC   RFC4861 - Page 86
   [MLDv2]      Vida, R., Ed., and L. Costa, Ed., "Multicast Listener
                Discovery Version 2 (MLDv2) for IPv6", RFC 3810, June

   [PSREQ]      Nikander, P., Ed., Kempf, J., and E. Nordmark, "IPv6
                Neighbor Discovery (ND) Trust Models and Threats", RFC
                3756, May 2004.

   [RAND]       Eastlake, D., 3rd, Schiller, J., and S. Crocker,
                "Randomness Requirements for Security", BCP 106, RFC
                4086, June 2005.

   [RDISC]      Deering, S., Ed., "ICMP Router Discovery Messages", RFC
                1256, September 1991.

   [RFC3667]    Bradner, S., "IETF Rights in Contributions", RFC 3667,
                February 2004.

   [RTSEL]      Draves, R. and D. Thaler, "Default Router Preferences
                and More-Specific Routes", RFC 4191, November 2005.

   [SH-MEDIA]   Braden, B., Postel, J., and Y. Rekhter, "Internet
                Architecture Extensions for Shared Media", RFC 1620, May

   [SEND]       Arkko, J., Ed., Kempf, J., Zill, B., and P. Nikander,
                "SEcure Neighbor Discovery (SEND)", RFC 3971, March

   [SYNC]       S. Floyd, V. Jacobson, "The Synchronization of Periodic
                Routing Messages", IEEE/ACM Transactions on Networking,
                April 1994.
Top   ToC   RFC4861 - Page 87
Appendix A: Multihomed Hosts

   There are a number of complicating issues that arise when Neighbor
   Discovery is used by hosts that have multiple interfaces.  This
   section does not attempt to define the proper operation of multihomed
   hosts with regard to Neighbor Discovery.  Rather, it identifies
   issues that require further study.  Implementors are encouraged to
   experiment with various approaches to making Neighbor Discovery work
   on multihomed hosts and to report their experiences.  Further work
   related to this problem can be found in [RTSEL].

   If a multihomed host receives Router Advertisements on all of its
   interfaces, it will (probably) have learned on-link prefixes for the
   addresses residing on each link.  When a packet must be sent through
   a router, however, selecting the "wrong" router can result in a
   suboptimal or non-functioning path.  There are number of issues to

     1) In order for a router to send a redirect, it must determine that
        the packet it is forwarding originates from a neighbor.  The
        standard test for this case is to compare the source address of
        the packet to the list of on-link prefixes associated with the
        interface on which the packet was received.  If the originating
        host is multihomed, however, the source address it uses may
        belong to an interface other than the interface from which it
        was sent.  In such cases, a router will not send redirects, and
        suboptimal routing is likely.  In order to be redirected, the
        sending host must always send packets out the interface
        corresponding to the outgoing packet's source address.  Note
        that this issue never arises with non-multihomed hosts; they
        only have one interface.  Additional discussion on this topic
        can be found in RFC 1122 under Section

     2) If the selected first-hop router does not have a route at all
        for the destination, it will be unable to deliver the packet.
        However, the destination may be reachable through a router on
        one of the other interfaces.  Neighbor Discovery does not
        address this scenario; it does not arise in the non-multihomed

     3) Even if the first-hop router does have a route for a
        destination, there may be a better route via another interface.
        No mechanism exists for the multihomed host to detect this

   If a multihomed host fails to receive Router Advertisements on one or
   more of its interfaces, it will not know (in the absence of
   configured information) which destinations are on-link on the
Top   ToC   RFC4861 - Page 88
   affected interface(s).  This leads to the following problem: If
   Router Advertisements are received on some, but not all, interfaces,
   a multihomed host could choose to only send packets out on the
   interfaces on which it has received Router Advertisements.  A key
   assumption made here, however, is that routers on those other
   interfaces will be able to route packets to the ultimate destination,
   even when those destinations reside on the subnet to which the sender
   connects, but has no on-link prefix information.  Should the
   assumption be FALSE, communication would fail.  Even if the
   assumption holds, packets will traverse a suboptimal path.

Appendix B: Future Extensions

   Possible extensions for future study are:

    o Using dynamic timers to be able to adapt to links with widely
      varying delay.  Measuring round-trip times, however, requires
      acknowledgments and sequence numbers in order to match received
      Neighbor Advertisements with the actual Neighbor Solicitation that
      triggered the advertisement.  Implementors wishing to experiment
      with such a facility could do so in a backwards-compatible way by
      defining a new option carrying the necessary information.  Nodes
      not understanding the option would simply ignore it.

    o Adding capabilities to facilitate the operation over links that
      currently require hosts to register with an address resolution
      server.  This could, for instance, enable routers to ask hosts to
      send them periodic unsolicited advertisements.  Once again, this
      can be added using a new option sent in the Router Advertisements.

    o Adding additional procedures for links where asymmetric and non-
      transitive reachability is part of normal operations.  Such
      procedures might allow hosts and routers to find usable paths on,
      e.g., radio links.
Top   ToC   RFC4861 - Page 89
Appendix C: State Machine for the Reachability State

   This appendix contains a summary of the rules specified in Sections
   7.2 and 7.3.  This document does not mandate that implementations
   adhere to this model as long as their external behavior is consistent
   with that described in this document.

   When performing address resolution and Neighbor Unreachability
   Detection the following state transitions apply using the conceptual

   State           Event                   Action             New state

   -               Packet to send.        Create entry.       INCOMPLETE
                                          Send multicast NS.
                                          Start retransmit timer

   INCOMPLETE      Retransmit timeout,    Retransmit NS       INCOMPLETE
                   less than N            Start retransmit
                   retransmissions.       timer

   INCOMPLETE      Retransmit timeout,    Discard entry          -
                   N or more              Send ICMP error

   INCOMPLETE      NA, Solicited=0,       Record link-layer      STALE
                   Override=any           address. Send queued

   INCOMPLETE      NA, Solicited=1,       Record link-layer    REACHABLE
                   Override=any           address. Send queued

   INCOMPLETE      NA, Solicited=any,     Update content of    unchanged
                   Override=any, No       IsRouter flag
                   Link-layer address

    -              NS, RS, Redirect             -                 -
                   No link-layer address

   !INCOMPLETE     NA, Solicited=1,        -                   REACHABLE
                   Same link-layer
                   address as cached.

   !INCOMPLETE     NA, Solicited=any,     Update content of    unchanged
                   Override=any, No       IsRouter flag.
                   link-layer address
Top   ToC   RFC4861 - Page 90
   REACHABLE       NA, Solicited=1,        -                     STALE
                   Different link-layer
                   address than cached.

   STALE, PROBE    NA, Solicited=1,        -                   unchanged
   Or DELAY        Override=0
                   Different link-layer
                   address than cached.

   !INCOMPLETE     NA, Solicited=1,       Record link-layer   REACHABLE
                   Override=1             address (if

   !INCOMPLETE     NA, Solicited=0,        -                  unchanged

   !INCOMPLETE     NA, Solicited=0,        -                  unchanged
                   Same link-layer
                   address as cached.

   !INCOMPLETE     NA, Solicited=0,        Record link-layer     STALE
                   Override=1              address.
                   Different link-layer
                   address than cached.

   !INCOMPLETE     upper-layer reachability  -                 REACHABLE

   REACHABLE       timeout, more than        -                   STALE
                   N seconds since
                   reachability confirm.

   STALE           Sending packet          Start delay timer     DELAY

   DELAY           Delay timeout           Send unicast NS probe PROBE
                                           Start retransmit timer

   PROBE           Retransmit timeout,     Retransmit NS         PROBE
                   less than N

   PROBE           Retransmit timeout,     Discard entry         -
                   N or more
Top   ToC   RFC4861 - Page 91
   The state transitions for receiving unsolicited information other
   than Neighbor Advertisement messages apply to either the source of
   the packet (for Neighbor Solicitation, Router Solicitation, and
   Router Advertisement messages) or the target address (for Redirect
   messages) as follows:

   State           Event                   Action              New state

   -               NS, RS, RA, Redirect    Create entry.         STALE

   INCOMPLETE      NS, RS, RA, Redirect    Record link-layer     STALE
                                           address. Send queued

   !INCOMPLETE     NS, RS, RA, Redirect    Update link-layer     STALE
                   Different link-layer    address
                   address than cached.

   INCOMPLETE      NS, RS No link-layer    -                   unchanged

   !INCOMPLETE     NS, RS, RA, Redirect    -                   unchanged
                   Same link-layer
                   address as cached.

Appendix D: Summary of IsRouter Rules

   This appendix presents a summary of the rules for maintaining the
   IsRouter flag as specified in this document.

   The background for these rules is that the ND messages contain,
   either implicitly or explicitly, information that indicates whether
   or not the sender (or Target Address) is a host or a router.  The
   following assumptions are used:

    - The sender of a Router Advertisement is implicitly assumed to be a

    - Neighbor Solicitation messages do not contain either an implicit
      or explicit indication about the sender.  Both hosts and routers
      send such messages.

    - Neighbor Advertisement messages contain an explicit "IsRouter
      flag", the R-bit.
Top   ToC   RFC4861 - Page 92
    - The target of the redirect, when the target differs from the
      destination address in the packet being redirected, is implicitly
      assumed to be a router.  This is a natural assumption since that
      node is expected to be able to forward the packets towards the

    - The target of the redirect, when the target is the same as the
      destination, does not carry any host vs. router information.  All
      that is known is that the destination (i.e., target) is on-link
      but it could be either a host or a router.

   The rules for setting the IsRouter flag are based on the information
   content above.  If an ND message contains explicit or implicit
   information, the receipt of the message will cause the IsRouter flag
   to be updated.  But when there is no host vs. router information in
   the ND message, the receipt of the message MUST NOT cause a change to
   the IsRouter state.  When the receipt of such a message causes a
   Neighbor Cache entry to be created, this document specifies that the
   IsRouter flag be set to FALSE.  There is greater potential for
   mischief when a node incorrectly thinks a host is a router, than the
   other way around.  In these cases, a subsequent Neighbor
   Advertisement or Router Advertisement message will set the correct
   IsRouter value.

Appendix E: Implementation Issues

E.1.  Reachability Confirmations

   Neighbor Unreachability Detection requires explicit confirmation that
   a forward-path is functioning properly.  To avoid the need for
   Neighbor Solicitation probe messages, upper-layer protocols should
   provide such an indication when the cost of doing so is small.
   Reliable connection-oriented protocols such as TCP are generally
   aware when the forward-path is working.  When TCP sends (or receives)
   data, for instance, it updates its window sequence numbers, sets and
   cancels retransmit timers, etc.  Specific scenarios that usually
   indicate a properly functioning forward-path include:

    - Receipt of an acknowledgment that covers a sequence number (e.g.,
      data) not previously acknowledged indicates that the forward path
      was working at the time the data was sent.

    - Completion of the initial three-way handshake is a special case of
      the previous rule; although no data is sent during the handshake,
      the SYN flags are counted as data from the sequence number
      perspective.  This applies to both the SYN+ACK for the active open
      and the ACK of that packet on the passively opening peer.
Top   ToC   RFC4861 - Page 93
    - Receipt of new data (i.e., data not previously received) indicates
      that the forward-path was working at the time an acknowledgment
      was sent that advanced the peer's send window that allowed the new
      data to be sent.

   To minimize the cost of communicating reachability information
   between the TCP and IP layers, an implementation may wish to rate-
   limit the reachability confirmations its sends IP.  One possibility
   is to process reachability only every few packets.  For example, one
   might update reachability information once per round-trip time, if an
   implementation only has one round-trip timer per connection.  For
   those implementations that cache Destination Cache entries within
   control blocks, it may be possible to update the Neighbor Cache entry
   directly (i.e., without an expensive lookup) once the TCP packet has
   been demultiplexed to its corresponding control block.  For other
   implementations, it may be possible to piggyback the reachability
   confirmation on the next packet submitted to IP assuming that the
   implementation guards against the piggybacked confirmation becoming
   stale when no packets are sent to IP for an extended period of time.

   TCP must also guard against thinking "stale" information indicates
   current reachability.  For example, new data received 30 minutes
   after a window has opened up does not constitute a confirmation that
   the path is currently working; it merely indicates that 30 minutes
   ago the window update reached the peer, i.e., the path was working at
   that point in time.  An implementation must also take into account
   TCP zero-window probes that are sent even if the path is broken and
   the window update did not reach the peer.

   For UDP-based applications (Remote Procedure Call (RPC), DNS), it is
   relatively simple to make the client send reachability confirmations
   when the response packet is received.  It is more difficult and in
   some cases impossible for the server to generate such confirmations
   since there is no flow control, i.e., the server cannot determine
   whether a received request indicates that a previous response reached
   the client.

   Note that an implementation cannot use negative upper-layer advice as
   a replacement for the Neighbor Unreachability Detection algorithm.
   Negative advice (e.g., from TCP when there are excessive
   retransmissions) could serve as a hint that the forward path from the
   sender of the data might not be working.  But it would fail to detect
   when the path from the receiver of the data is not functioning,
   causing none of the acknowledgment packets to reach the sender.
Top   ToC   RFC4861 - Page 94
Appendix F: Changes from RFC 2461

   o Removed references to IPsec AH and ESP for securing messages or as
     part of validating the received message.

   o Added Section 3.3.

   o Updated Section 11 to include more detailed discussion on threats,
     IPsec limitations, and use of SEND.

   o Removed the on-link assumption in Section 5.2 based on RFC 4942,
     "IPv6 Neighbor Discovery On-Link Assumption Considered Harmful".

   o Clarified the definition of the Router Lifetime field in Section

   o Updated the text in Sections 4.6.2 and 6.2.1 to indicate that the
     preferred lifetime must not be larger than valid lifetime.

   o Removed the reference to stateful configuration and added reference
     for DHCPv6 instead.

   o Added the IsRouter flag definition to Section 6.2.1 to allow for
     mixed host/router behavior.

   o Allowed mobile nodes to be exempt from adding random delays before
     sending an RS during a handover.

   o Updated the definition of the prefix length in the prefix option.

   o Updated the applicability to NBMA links in the introduction and
     added references to 3GPP RFCs.

   o Clarified that support for load balancing is limited to routers.

   o Clarified router behavior when receiving a Router Solicitation
     without Source Link-Layer Address Option (SLLAO).

   o Clarified that inconsistency checks for CurHopLimit are done for
     non-zero values only.

   o Rearranged Section 7.2.5 for clarity, and described the processing
     when receiving the NA in INCOMPLETE state.

   o Added clarifications in Section 7.2 on how a node should react upon
     receiving a message without SLLAO.

   o Added new IANA section.
Top   ToC   RFC4861 - Page 95
   o Miscellaneous editorials.


   The authors of RFC 2461 would like to acknowledge the contributions
   of the IPV6 working group and, in particular, (in alphabetical order)
   Ran Atkinson, Jim Bound, Scott Bradner, Alex Conta, Stephen Deering,
   Richard Draves, Francis Dupont, Robert Elz, Robert Gilligan, Robert
   Hinden, Tatuya Jinmei, Allison Mankin, Dan McDonald, Charles Perkins,
   Matt Thomas, and Susan Thomson.

   The editor of this document (Hesham Soliman) would like to thank the
   IPV6 working group for the numerous contributions to this revision --
   in particular (in alphabetical order), Greg Daley, Elwyn Davies,
   Ralph Droms, Brian Haberman, Bob Hinden, Tatuya Jinmei, Pekka Savola,
   Fred Templin, and Christian Vogt.
Top   ToC   RFC4861 - Page 96
Authors' Addresses

   Thomas Narten
   IBM Corporation
   P.O. Box 12195
   Research Triangle Park, NC 27709-2195

   Phone: +1 919 254 7798

   Erik Nordmark
   Sun Microsystems, Inc.
   17 Network Circle
   Menlo Park, CA 94025

   Phone: +1 650 786 2921
   Fax:   +1 650 786 5896

   William Allen Simpson
   Computer Systems Consulting Services
   1384 Fontaine
   Madison Heights, Michigan  48071


   Hesham Soliman
   Elevate Technologies

Top   ToC   RFC4861 - Page 97
Full Copyright Statement

   Copyright (C) The IETF Trust (2007).

   This document is subject to the rights, licenses and restrictions
   contained in BCP 78, and except as set forth therein, the authors
   retain all their rights.

   This document and the information contained herein are provided on an

Intellectual Property

   The IETF takes no position regarding the validity or scope of any
   Intellectual Property Rights or other rights that might be claimed to
   pertain to the implementation or use of the technology described in
   this document or the extent to which any license under such rights
   might or might not be available; nor does it represent that it has
   made any independent effort to identify any such rights.  Information
   on the procedures with respect to rights in RFC documents can be
   found in BCP 78 and BCP 79.

   Copies of IPR disclosures made to the IETF Secretariat and any
   assurances of licenses to be made available, or the result of an
   attempt made to obtain a general license or permission for the use of
   such proprietary rights by implementers or users of this
   specification can be obtained from the IETF on-line IPR repository at

   The IETF invites any interested party to bring to its attention any
   copyrights, patents or patent applications, or other proprietary
   rights that may cover technology that may be required to implement
   this standard.  Please address the information to the IETF at