NDP
Proxy
Neighbor Discovery Protocol (NDP) for IPv6 performs
functions similar to those provided by Address Resolution Protocol
(ARP) for IPv4.
RFC 4861 defines
Neighbor Discovery for IP version 6 (IPv6).
Hosts, routers, and firewalls use NDP to determine the link-layer
addresses of neighbors on connected links, to keep track of which
neighbors are reachable, and to update neighbors’ link-layer addresses
that have changed. Peers advertise their own MAC address and IPv6
address, and they also solicit addresses from peers.
NDP also supports the concept of
proxy, when a node
has a neighboring device that is able to forward packets on behalf
of the node. The device (firewall) performs the role of NDP Proxy.
Palo Alto Networks firewalls support NDP and NDP Proxy on their
interfaces. When you configure the firewall to act as an NDP Proxy
for addresses, it allows the firewall to send Neighbor Discovery
(ND) advertisements and respond to ND solicitations from peers that
are asking for MAC addresses of IPv6 prefixes assigned to devices behind
the firewall. You can also configure addresses for which the firewall
will not respond to proxy requests (negated addresses).
In fact, NDP is enabled by default, and you need to configure
NDP Proxy when you configure NPTv6, for the following reasons:
When an interface with NDP Proxy enabled receives an ND solicitation
requesting a MAC address for an IPv6 address, the following sequence
occurs:
The firewall searches the ND
cache to ensure the IPv6 address from the solicitation is not there.
If the address is there, the firewall ignores the ND solicitation.
If the source IPv6 address is 0, that means the packet is
a Duplicate Address Detection packet, and the firewall ignores the
ND solicitation.
The firewall does a Longest Prefix Match search of the NDP
Proxy addresses and finds the best match to the address in the solicitation.
If the Negate field for the match is checked (in the NDP Proxy list),
the firewall drops the ND solicitation.
Only if the Longest Prefix Match search matches, and that
matched address is not negated, will the NDP Proxy respond to the
ND solicitation. The firewall responds with an ND packet, providing
its own MAC address as the MAC address of the next hop toward the
queried destination.
In order to successfully support NDP, the firewall does not perform
NDP Proxy for the following: