
ipv6 nd security strict

Function

The ipv6 nd security strict command enables the strict security mode on an interface.

The undo ipv6 nd security strict command restores the default security mode.

By default, the strict security mode is not enabled on an interface.

Format

ipv6 nd security strict

undo ipv6 nd security strict

Parameters

None

Views

Ethernet interface view, Eth-Trunk interface view, Tunnel interface view, VLANIF interface view, BDIF interface view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

If an interface needs to reject insecure ND messages, you can run the ipv6 nd security strict command to configure the interface to work in strict security mode. By default, an interface receives all secure and insecure ND messages.

An interface regards a received ND message as insecure in any of the following cases:

  • The received ND message does not carry a CGA or RSA option. That is, the interface that sent the ND message does not have a CGA address.
  • The key length in the received ND message is out of the range allowed on the interface.
  • The rate of processing the received ND message exceeds the rate limit of the system.
  • The difference between the receive time and the send time of the ND message is out of the range allowed on the interface.
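The classification above, as an added example that is not part of the Huawei documentation: a Python sketch of the receive-side check a strict-mode interface applies to a Neighbor Solicitation. It assumes the CGA and RSA options named above are the RFC 3971 CGA (type 11) and RSA Signature (type 12) options and uses the RFC 3971 Timestamp option (type 13); it models the option-presence and send/receive time conditions on constructed messages, not the key-length or rate-limit conditions.

```python
import struct

# SEND option type codes (RFC 3971); assumption: the page's "CGA option" and
# "RSA option" are the RFC 3971 CGA and RSA Signature options.
OPT_CGA, OPT_RSA_SIG, OPT_TIMESTAMP = 11, 12, 13

def parse_nd_options(msg):
    """Walk the TLV options after the 24-byte fixed part of a Neighbor
    Solicitation. Length is in 8-octet units and includes type/length."""
    opts, i = {}, 24
    while i + 2 <= len(msg):
        typ, ln = msg[i], msg[i + 1]
        if ln == 0 or i + ln * 8 > len(msg):
            raise ValueError("malformed ND option")
        opts[typ] = msg[i + 2:i + ln * 8]
        i += ln * 8
    return opts

def timestamp_seconds(body):
    """Timestamp option body: 6 reserved bytes, then a 64-bit value whose
    upper 48 bits are seconds since 1970 and lower 16 bits are 1/65536 s."""
    (raw,) = struct.unpack("!Q", body[6:14])
    return (raw >> 16) + (raw & 0xFFFF) / 65536.0

def strict_mode_verdict(msg, now, max_skew=300.0):
    """Return None if the message passes strict mode, else why it is insecure.
    Covers the 'no CGA/RSA option' and 'send/receive time out of range'
    conditions; key-length and rate-limit checks are not modelled."""
    opts = parse_nd_options(msg)
    if OPT_CGA not in opts or OPT_RSA_SIG not in opts:
        return "missing CGA or RSA Signature option"
    if OPT_TIMESTAMP not in opts:
        return "missing Timestamp option"
    if abs(now - timestamp_seconds(opts[OPT_TIMESTAMP])) > max_skew:
        return "timestamp outside allowed window"
    return None

def build_ns(options):
    """Constructed test message: NS header, target ::1, then the given
    (type, body) options, each zero-padded to a multiple of 8 octets."""
    msg = bytearray(b"\x87\x00\x00\x00" + b"\x00" * 4 + b"\x00" * 15 + b"\x01")
    for typ, body in options:
        units = -(-(len(body) + 2) // 8)  # ceil((2 + len) / 8)
        msg += bytes([typ, units]) + body.ljust(units * 8 - 2, b"\x00")
    return bytes(msg)

def ts_body(seconds):
    """Constructed Timestamp option body for a whole-second send time."""
    return b"\x00" * 6 + struct.pack("!Q", int(seconds) << 16)
```

The CGA and RSA Signature bodies in a test can be placeholder zero bytes, since only their presence is evaluated here; a real receiver would also verify the CGA parameters and signature.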

Prerequisites

Before running the ipv6 nd security strict command, you must run the ipv6 enable command in the interface view to enable IPv6 on the interface.

Configuration Impact

After the strict security mode is enabled for an interface, the interface verifies the security options in received ND messages and discards insecure ND messages. The corresponding insecure neighbor entries are deleted.

Precautions

If an interface has been enabled to work in strict security mode, configure all addresses of the interface as CGA addresses. Otherwise, the interface may select a common IPv6 address as the source address, which causes a security check failure and a service interruption.

  • After the strict security mode is enabled for an interface, you must configure a CGA address and use the CGA address as the source address for sending messages from this interface so that ND messages can carry security options. As the source address is selected based on the IPv6 address selection policy, and CGA and non-CGA addresses are not differentiated during source address selection, you must configure all addresses (link-local addresses and global unicast addresses) of the interface as CGA addresses so that the selected source address is always a CGA address.
  • ND messages carrying security options will be strictly checked only when all interfaces on the same link have CGA addresses configured and strict security enabled. Otherwise, CGA may partially function or forwarding may fail.
  • After the strict security mode is enabled on an interface, the system will not perform Duplicate Address Detection (DAD) on insecure nodes. In this case, the insecure conflicting addresses that may exist on the network cannot be detected. Therefore, re-triggering of DAD is recommended after the strict security mode is disabled.

Example

# Enable the strict security mode on GE 0/0/0.

<sysname> system-view
[sysname] interface GigabitEthernet 0/0/0
[sysname-GigabitEthernet0/0/0] ipv6 enable
[sysname-GigabitEthernet0/0/0] ipv6 nd security strict
Copyright © Huawei Technologies Co., Ltd.