The ipv6 nd security key-length command sets a key length that is allowed on an interface.
The undo ipv6 nd security key-length command restores the default key length.
By default, the minimum key length is 512 bits and the maximum key length is 2048 bits.
ipv6 nd security key-length { minimum keylen-value | maximum keylen-value } *
undo ipv6 nd security key-length
| Parameter | Description | Value |
|---|---|---|
| minimum keylen-value | Specifies the minimum key length allowed on the interface. | The value is an integer ranging from 384 to 2048, in bits. The default value is 512, which is recommended. |
| maximum keylen-value | Specifies the maximum key length allowed on the interface. | The value is an integer ranging from 384 to 2048, in bits. The default value is 2048, which is recommended. |
Ethernet interface view, Eth-Trunk interface view, Tunnel interface view, VLANIF interface view, BDIF interface view
Usage Scenario
After an interface with the strict security mode enabled receives an ND message, it verifies the RSA key in the ND message to determine whether the ND message is secure. To set the key length range that is allowed on an interface, run the ipv6 nd security key-length command. If the key length of the received ND message is outside the length range allowed on the interface, the interface regards the ND message as insecure and discards it.
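The acceptance check described above, modeled in Python as an added example (not the device's implementation and not code from this page). It assumes the RSA key is carried as a DER SubjectPublicKeyInfo, as in the CGA Parameters of RFC 3972, and that the configured range is inclusive; the function names and sample keys are constructed for illustration.

```python
# Added model of the key-length check (not device code); assumes a DER SubjectPublicKeyInfo.

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def rsa_modulus_bits(spki):
    """Bit length of the RSA modulus inside a SubjectPublicKeyInfo."""
    tag, start, _ = _tlv(spki, 0)           # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, _, alg_end = _tlv(spki, start)       # AlgorithmIdentifier, skipped
    tag, start, _ = _tlv(spki, alg_end)     # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or spki[start] != 0:
        raise ValueError("bad BIT STRING")
    _, start, _ = _tlv(spki, start + 1)     # RSAPublicKey SEQUENCE
    tag, start, end = _tlv(spki, start)     # first INTEGER is the modulus
    if tag != 0x02:
        raise ValueError("modulus missing")
    return int.from_bytes(spki[start:end], "big").bit_length()

def accept_nd_key(spki, minimum=512, maximum=2048):
    """True if the key falls inside the configured range (assumed inclusive)."""
    return minimum <= rsa_modulus_bits(spki) <= maximum

# --- constructed sample keys: correct DER shape and size, not usable RSA keys ---
def _der(tag, body):
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def _der_int(value):
    return _der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def sample_spki(bits):
    modulus = (1 << (bits - 1)) | 1         # constructed value with exactly `bits` bits
    alg = _der(0x30, bytes.fromhex("06092a864886f70d0101010500"))  # rsaEncryption, NULL
    rsa_key = _der(0x30, _der_int(modulus) + _der_int(65537))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_key))

if __name__ == "__main__":                  # range from the page's example: 1500..2000
    print({b: accept_nd_key(sample_spki(b), 1500, 2000) for b in (1024, 1536, 2048)})
```

The length that matters is the bit length of the RSA modulus, not the size of the encoded key structure, which is why the model parses down to the modulus before comparing.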
Prerequisites
Before running the ipv6 nd security key-length command, you must run the ipv6 enable command in the interface view to enable IPv6 on the interface.
Follow-up Procedure
Run the ipv6 nd security strict command to enable the strict security mode on the interface.
# Set the minimum and maximum key lengths allowed on an interface to 1500 bits and 2000 bits, respectively.
<sysname> system-view
[sysname] interface GigabitEthernet 0/0/1
[sysname-GigabitEthernet 0/0/1] ipv6 enable
[sysname-GigabitEthernet 0/0/1] ipv6 nd security key-length minimum 1500
[sysname-GigabitEthernet 0/0/1] ipv6 nd security key-length maximum 2000