Unicast Reverse Path Forwarding
In IPv6, unicast RPF helps protect a router from DoS attacks from spoofed IPv6 host addresses.
When you configure IPv6 unicast RPF by issuing the ipv6 verify unicast reverse-path command
on an interface, the router performs a recursive lookup in the IPv6 routing table to verify that the
packet came in on the correct interface. If this check passes, the packet in question is allowed
through; if not, the router drops it.
Cisco IOS Software gives you the option of defining a sort of trust boundary. This way, a router
can verify only specific source IPv6 addresses in the unicast RPF check. To do this, configure an
access list on the router and call it with the ipv6 verify unicast reverse-path command.
In Example 20-4, the router will perform the RPF check on all IPv6 packets that enter the router’s
Fast Ethernet 0/0 interface. The router will then drop packets that meet both of these conditions:
1. The RPF check fails.
2. The source address is within the 2007::/64 range.
If either of these conditions is not met, the packet will be routed. If both conditions are met, the
router drops the packet.
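The two-condition decision above can be modelled in a few lines. This is an added illustration, not Cisco code and not part of the original chapter; the routing table, the interface names fa0/1 and se0/0, and the verdict strings are assumptions made for the example, while the access list entries mirror Example 20-4.

```python
import ipaddress

# Constructed routing table (assumption): prefix -> interface that leads back to it.
ROUTES = {
    "2002:192:168:1::/64": "fa0/0",
    "2007::/64": "fa0/1",
    "::/0": "se0/0",
}
# The "urpf" access list from Example 20-4; first matching entry wins.
URPF_ACL = [("deny", "2007::/64"), ("permit", "::/0")]


def rpf_interface(src, routes):
    """Longest-prefix match on the source; returns the expected ingress interface."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def acl_action(src, acl):
    """First-match evaluation of (action, prefix) entries against the source."""
    addr = ipaddress.ip_address(src)
    for action, prefix in acl:
        if addr in ipaddress.ip_network(prefix):
            return action
    return "deny"  # model assumption: no matching entry is treated as deny


def urpf_verdict(src, ingress, routes=ROUTES, acl=URPF_ACL):
    """Verdict for a packet arriving on an interface that has the uRPF command applied."""
    if rpf_interface(src, routes) == ingress:
        return "forward"              # condition 1 not met: RPF check passed
    if acl_action(src, acl) == "deny":
        return "drop"                 # both conditions met
    return "forward-rpf-failed"       # condition 2 not met: ACL permits the source


if __name__ == "__main__":
    for src in ("2002:192:168:1::50", "2007::10", "2001:db8:99::1"):
        print(src, urpf_verdict(src, "fa0/0"))
```

The third verdict is the case to watch when reviewing such a configuration: a source outside 2007::/64 that fails the RPF check is still routed, so the access list defines exactly how much spoofing protection the interface provides.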
Example 20-4 Unicast Reverse-Path Forwarding Configuration
HiramMaxim(config)# ipv6 access-list urpf
HiramMaxim(config-ipv6-acl)# deny ipv6 2007::/64 any
HiramMaxim(config-ipv6-acl)# permit ipv6 any any
HiramMaxim(config-ipv6-acl)# interface fa0/0
HiramMaxim(config-if)# ipv6 verify unicast reverse-path urpf
HiramMaxim(config-if)# end
HiramMaxim# show ipv6 interface fa0/0
FastEthernet0/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::207:85FF:FE80:7208
  No Virtual link-local address(es):
  Global unicast address(es):
    2002:192:168:1::1, subnet is 2002:192:168:1::/64
    2002:192:168:2::1, subnet is 2002:192:168:2::/64 [ANY]
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::A
    FF02::D
    FF02::16
    FF02::1:FF00:1
    FF02::1:FF80:7208
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  Input features: RPF
  Unicast RPF access-list urpf
    Process Switching:
      0 verification drops
      0 suppressed verification drops
    CEF Switching:
      0 verification drops
      0 suppressed verification drops
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND advertised reachable time is 0 milliseconds
  ND advertised retransmit interval is 0 milliseconds
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
For more information about how RPF checks work, see Chapter 16, “Introduction to IP
Multicasting.”
DNS
DNS for IPv6 is quite similar to DNS for IPv4; it provides resolution of domain names to IPv6
addresses. One key difference is the name used for DNS records for IPv6 addresses. In IPv4, these
are known as A records; in IPv6, RFC 1886 cleverly terms them AAAA records, because IPv6
addresses are four times longer (in bits) than IPv4 addresses. RFC 1886 and RFC 2874 are both
IPv6 DNS extensions. RFC 2874 calls IPv6 address records A6 records. Today, RFC 1886 is most
commonly used; however, RFC 2874 expects to eventually obsolete RFC 1886.
IPv6 DNS extensions also provide the inverse lookup function of PTR records, which maps IPv6
addresses to host names.
CDP
Cisco Discovery Protocol provides extensive information about the configuration and
functionality of Cisco devices. Because of its extensibility, it should be no surprise to you that
CDP also provides information about Cisco IPv6 host configuration. To see IPv6 information
transmitted in CDP frames, you must use the detail keyword for the show cdp neighbor
command, as shown in Example 20-5.
DHCP
One alternative to static IPv6 addressing, namely stateless autoconfiguration, was covered earlier.
Another alternative also exists: stateful autoconfiguration. This is where DHCPv6 comes in.
DHCPv6 is defined in RFC 3315.
Two conditions can cause a host to use DHCPv6:
■ The host is explicitly configured to use DHCPv6 based on an implementation-specific setting.
■ An IPv6 router advertises in its RA messages that it wants hosts to use DHCPv6 for
addressing. Routers do this by setting the M flag (Managed Address Configuration) in RAs.
To use stateful autoconfiguration, a host sends a DHCP request to one of two well-known IPv6
multicast addresses on UDP port 547:
■ FF02::1:2, all DHCP relay agents and servers
■ FF05::1:3, all DHCP servers
The DHCP server then provides the necessary configuration information in reply to the host on
UDP port 546. This information can include the same types of information used in an IPv4
network, but additionally it can provide information for multiple subnets, depending on how the
DHCP server is configured.
To configure a Cisco router as a DHCPv6 server, you first configure a DHCP pool, just as in IPv4
DHCP. Then, you must specifically enable the DHCPv6 service using the ipv6 dhcp server poolname
interface command.
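To show where the M flag sits on the wire and how it steers a host toward DHCPv6, the following added example (not from the original chapter or from Cisco) parses the fixed header of an ICMPv6 Router Advertisement. The flag and preference bit positions follow the standard RA format (RFC 4861 and RFC 4191); the sample RA is constructed to match the ND values shown in Example 20-4, and all function names are hypothetical.

```python
import struct

RA_TYPE = 134                       # ICMPv6 Router Advertisement
M_FLAG, O_FLAG = 0x80, 0x40         # Managed / Other configuration bits
PREFERENCE = {0: "Medium", 1: "High", 2: "Reserved", 3: "Low"}
DHCPV6_RELAYS_AND_SERVERS = ("ff02::1:2", 547)   # where the host sends its request


def build_ra(managed, other=False, lifetime=1800, reachable_ms=0, retrans_ms=0):
    """Constructed sample RA header (hop limit 64, checksum left at 0, no options)."""
    flags = (M_FLAG if managed else 0) | (O_FLAG if other else 0)
    return struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, flags,
                       lifetime, reachable_ms, retrans_ms)


def parse_ra(icmp):
    """Decode the 16-byte fixed part of a Router Advertisement."""
    if len(icmp) < 16:
        raise ValueError("truncated Router Advertisement")
    typ, code, _ck, _hop, flags, life, reach, retrans = struct.unpack(
        "!BBHBBHII", icmp[:16])
    if typ != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    return {
        "managed": bool(flags & M_FLAG),
        "other": bool(flags & O_FLAG),
        "preference": PREFERENCE[(flags >> 3) & 0x3],
        "router_lifetime_s": life,
        "reachable_ms": reach,
        "retrans_ms": retrans,
    }


def host_addressing(ra):
    """What a host that honours this RA does for addressing."""
    if ra["managed"]:
        addr, port = DHCPV6_RELAYS_AND_SERVERS
        return f"stateful: DHCPv6 request to {addr} udp/{port}"
    return "stateless autoconfig"


def policy_violations(ra, expect_managed):
    """Flag an RA whose M flag disagrees with what the segment should advertise."""
    if ra["managed"] != expect_managed:
        return ["M flag is %s, expected %s" % (ra["managed"], expect_managed)]
    return []
```

Run against captured RAs, `policy_violations` gives a simple audit for routers advertising an addressing mode the segment is not supposed to use.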
Example 20-5 IPv6 Information Available from CDP Output
Rivers# show cdp neighbors detail
-------------------------
Device ID: Mantle
Entry address(es):
  IP address: 10.7.7.6
  IPv6 address: FE80::207:85FF:FE80:7208 (link-local)
  IPv6 address: 2001::207:85FF:FE80:7208 (global unicast)
Platform: Cisco 1760, Capabilities: Router Switch
Interface: Serial0/0, Port ID (outgoing port): Serial0/0
Holdtime : 159 sec
(output omitted for brevity)