
Configuring Strict IPv6 SEND

After the rate limit for processing received ND messages, the key length allowed on the interface, and the timestamp in the ND messages are set, the system considers the received ND messages that do not meet these requirements invalid.

Context

When working in strict security mode, an interface regards a received ND message as insecure and discards it in the following cases:

  • The rate at which received ND messages are processed exceeds the rate limit of the system.
  • The key length in the received ND message is out of the length range allowed on the interface.
  • The difference between the receive time and the send time of the ND message is out of the time range allowed on the interface.

On a link, device A is configured with strict IPv6 SEND whereas device B is not. In this case, device A regards the ND messages sent from device B as insecure and rejects them.

Procedure

  1. Access the system view.

    system-view

  2. (Optional) Set the rate limit for processing received ND messages.

    ipv6 nd security rate-limit ratelimit-value

  3. Access the interface view.

    interface interface-type interface-number

  4. (Optional) Set the key length allowed on the interface.

    ipv6 nd security key-length { minimum keylen-value | maximum keylen-value } *

  5. (Optional) Set timestamp parameters.

    ipv6 nd security timestamp { fuzz-factor fuzz-value | delta delta-value | drift drift-value } *

  6. Enable the strict security mode.

    ipv6 nd security strict
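
The following added example (not Huawei code, and not part of the original page) models the three discard conditions listed under Context so the effect of each parameter can be seen on sample traffic. It assumes the timestamp parameters have the meaning RFC 3971 gives Delta, Fuzz and Drift and that the rate limit is counted per second; the class name, field names, peers and all values are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class StrictSendPolicy:
    # Constructed values; field names mirror the command keywords on this page.
    rate_limit: int = 100   # ND messages processed per second
    key_min: int = 1024     # bits
    key_max: int = 2048     # bits
    delta: float = 300.0    # seconds, max |receive time - send time| for a new peer
    fuzz: float = 1.0       # seconds of tolerated timestamp jitter
    drift: float = 0.01     # tolerated clock drift as a fraction
    last: dict = field(default_factory=dict)  # peer -> (RDlast, TSlast)
    window: tuple = (None, 0)                 # (current second, messages seen)

    def check(self, peer, key_bits, ts, rd):
        """Return 'accept' or the name of the check that discards the message."""
        sec = int(rd)
        count = self.window[1] + 1 if self.window[0] == sec else 1
        self.window = (sec, count)
        if count > self.rate_limit:
            return "rate-limit"
        if not self.key_min <= key_bits <= self.key_max:
            return "key-length"
        if peer not in self.last:
            # New peer: send time must be within +/- delta of receive time.
            ok = -self.delta < rd - ts < self.delta
        else:
            # Known peer: timestamp must advance roughly as fast as the local clock.
            rd_last, ts_last = self.last[peer]
            ok = ts + self.fuzz > ts_last + (rd - rd_last) * (1 - self.drift) - self.fuzz
        if not ok:
            return "timestamp"
        if peer not in self.last or ts > self.last[peer][1]:
            self.last[peer] = (rd, ts)
        return "accept"

def demo():
    """Run constructed messages (peer, key bits, send time, receive time)."""
    policy = StrictSendPolicy(rate_limit=3)
    msgs = [
        ("fe80::1", 2048, 1000.0, 1000.2),  # valid first message
        ("fe80::2", 512, 1000.3, 1000.4),   # key shorter than minimum
        ("fe80::3", 2048, 100.0, 1000.5),   # send time 900 s in the past
        ("fe80::1", 2048, 1000.6, 1000.7),  # fourth message in the same second
        ("fe80::1", 2048, 1000.0, 1060.0),  # replay of the first message
        ("fe80::1", 2048, 1061.0, 1061.1),  # fresh message from known peer
    ]
    return [policy.check(*m) for m in msgs]
```

The fifth message shows why the timestamp check matters: a replayed copy of a previously accepted message fails because its send time has not advanced with the receiver's clock.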

Copyright © Huawei Technologies Co., Ltd.