The ipv6 nd security timestamp command sets timestamp parameters for an ND message.
The undo ipv6 nd security timestamp command restores default timestamp parameters of an ND message.
By default, the maximum difference between the receive time and send time of an ND message is 300 seconds; the maximum difference between the system time of the sender and the system time of the receiver is 1%; the maximum alive time of an ND message is 1 second.
ipv6 nd security timestamp { delta delta-value | drift drift-value | fuzz-factor fuzz-value } *
undo ipv6 nd security timestamp { delta | drift | fuzz-factor }
| Parameter | Description | Value |
|---|---|---|
| delta delta-value | Specifies the maximum difference between the receive time and send time of an ND message. This bound is applied when no neighbor relationship exists yet. | The value is an integer ranging from 0 to 1000, in seconds. The default value is 300, which is recommended. |
| drift drift-value | Specifies the maximum difference between the system clock rate of the sender and that of the receiver. This bound is applied once a neighbor relationship has been established. | The value is an integer ranging from 0 to 100, in percent. The default value is 1, which is recommended. |
| fuzz-factor fuzz-value | Specifies the maximum alive time of an ND message. It is a tolerance added to the time window computed for an established neighbor: an ND message whose send time falls outside that window by less than fuzz-value is still accepted by the interface. | The value is an integer ranging from 0 to 1000, in seconds. The default value is 1, which is recommended. |
Views
Ethernet interface view, Eth-Trunk interface view, Tunnel interface view, VLANIF interface view, BDIF interface view
Usage Scenario
An attacker who captures an ND message destined for an interface can replay it later, so the message the interface receives is a delayed copy of a legitimate one. To defend against this, run the ipv6 nd security timestamp command to set timestamp parameters. The system then calculates an allowed time range from these parameters and compares the send time carried in each ND message with the local receive time. If the difference between the send time and receive time of an ND message falls outside the allowed time range, the ND message is regarded as invalid and discarded.
In the following formulas, TSnew is the send time carried in the received ND message (the sender's system time), RDnew is the time the message was received (the receiver's system time), and TSlast and RDlast are the corresponding values recorded from the last ND message accepted from that neighbor. All values are in seconds.
If no neighbor relationship is established between a local interface and a remote interface, the allowed time range is calculated based on the following formula:
-delta-value < (RDnew - TSnew) < +delta-value
If a neighbor relationship has been established between a local interface and a remote interface, the allowed time range is calculated based on the following formula, where drift-value is a percentage (the default of 1 means 1%, that is, a factor of 0.01):
TSnew + fuzz-value > TSlast + (RDnew - RDlast) x (1 - drift-value/100) - fuzz-value
For example, FW_A sends the first ND message to FW_B at 4:00 (the system time of FW_A). That is, TSnew is 4:00. FW_B receives the ND message at 5:00 (the system time of FW_B). That is, RDnew is 5:00. If the received ND message is considered secure, FW_B records TSlast as 4:00 and RDlast as 5:00.
Then, FW_A sends the second ND message to FW_B at 4:05 (the system time of FW_A). That is, TSnew is 4:05. FW_B receives the ND message at 5:05 (the system time of FW_B). That is, RDnew is 5:05. If the received ND message is considered secure, FW_B records TSlast as 4:05 and RDlast as 5:05.
Note that the one-hour offset between the two clocks in this example exceeds the default delta-value of 300 seconds, so with default settings the first message would actually be discarded by the first formula; the example only illustrates how TSlast and RDlast are recorded and then used by the second formula.
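The following Python model, added here as an illustration and not part of the original page or of the device software, implements the two checks above exactly as the formulas state them (these are the SEND timestamp checks of RFC 3971, on which this feature is based). It walks through the FW_A/FW_B example with times expressed as seconds since midnight, shows that the default delta of 300 s rejects the page's one-hour offset on first contact, uses a non-default delta of 4000 s (an assumption chosen only so the example can proceed) to accept the first message, then shows the established-neighbor check accepting the second message, rejecting an attacker's replay of the first message, and rejecting a sender whose clock drifts 2% when drift-value is 1. The peer name "FW_A" and the helper names are this example's own.

```python
"""Model of the ipv6 nd security timestamp checks described on this page.

Added example, not device code. Times are plain seconds; a real implementation
reads TSnew from the ND message's timestamp option and RDnew from the local clock.
"""
from dataclasses import dataclass
from typing import Dict

# Defaults stated on this page: delta 300 s, drift 1 %, fuzz-factor 1 s.
DEFAULT_DELTA = 300
DEFAULT_DRIFT = 1
DEFAULT_FUZZ = 1


@dataclass
class NeighborRecord:
    """TSlast / RDlast recorded from the last accepted message of a neighbor."""
    ts_last: float
    rd_last: float


def check_new_neighbor(ts_new: float, rd_new: float,
                       delta: float = DEFAULT_DELTA) -> bool:
    """No neighbor relationship yet: -delta < (RDnew - TSnew) < +delta."""
    return -delta < (rd_new - ts_new) < delta


def check_known_neighbor(ts_new: float, rd_new: float, rec: NeighborRecord,
                         drift: float = DEFAULT_DRIFT,
                         fuzz: float = DEFAULT_FUZZ) -> bool:
    """Established neighbor:
    TSnew + fuzz > TSlast + (RDnew - RDlast) x (1 - drift) - fuzz,
    with drift-value given as a percentage (1 -> 0.01)."""
    expected_ts = rec.ts_last + (rd_new - rec.rd_last) * (1 - drift / 100.0)
    return ts_new + fuzz > expected_ts - fuzz


class TimestampValidator:
    """Per-interface state: one record per neighbor that has passed a check."""

    def __init__(self, delta: float = DEFAULT_DELTA, drift: float = DEFAULT_DRIFT,
                 fuzz: float = DEFAULT_FUZZ) -> None:
        self.delta, self.drift, self.fuzz = delta, drift, fuzz
        self.neighbors: Dict[str, NeighborRecord] = {}

    def receive(self, peer: str, ts_new: float, rd_new: float) -> bool:
        """Return True if the message is accepted; update TSlast/RDlast on success."""
        rec = self.neighbors.get(peer)
        if rec is None:
            ok = check_new_neighbor(ts_new, rd_new, self.delta)
        else:
            ok = check_known_neighbor(ts_new, rd_new, rec, self.drift, self.fuzz)
        if ok:
            self.neighbors[peer] = NeighborRecord(ts_new, rd_new)
        return ok


def hms(h: int, m: int = 0, s: int = 0) -> int:
    """Clock time to seconds since midnight (constructed example values)."""
    return h * 3600 + m * 60 + s


def worked_example() -> Dict[str, bool]:
    """Replay the FW_A -> FW_B exchange from the page plus two attack/edge cases."""
    results: Dict[str, bool] = {}
    # With the default delta (300 s) the page's one-hour clock offset fails first contact.
    results["first_default_delta"] = check_new_neighbor(hms(4), hms(5))
    # Assumed, non-default delta of 4000 s so the page's example can proceed.
    fw_b = TimestampValidator(delta=4000)
    results["first"] = fw_b.receive("FW_A", hms(4), hms(5))           # TS 4:00, RD 5:00
    results["second"] = fw_b.receive("FW_A", hms(4, 5), hms(5, 5))    # TS 4:05, RD 5:05
    # Attacker replays the first message (TS 4:00) ten seconds after the second one.
    results["replay"] = fw_b.receive("FW_A", hms(4), hms(5, 5, 10))
    # FW_A's clock runs 2 % slow over the next 10000 s; drift-value 1 rejects it.
    results["drift_2pct"] = fw_b.receive("FW_A", hms(4, 5) + 9800, hms(5, 5) + 10000)
    return results


if __name__ == "__main__":
    for name, accepted in worked_example().items():
        print(f"{name}: {'accepted' if accepted else 'discarded'}")
```

The second message passes because 4:05:01 (TSnew + fuzz) exceeds 4:00 + 300 x 0.99 - 1 = 4:04:56; the replayed message carries TSnew 4:00 against an expected value near 4:05, so it is discarded even though it was once genuine. The drift case shows why drift-value should match the real clock quality of the peers: a 2% slow clock is rejected at 1% but accepted if drift-value is raised to 2.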
Prerequisites
Before running the ipv6 nd security timestamp command, you must run the ipv6 enable command in the interface view to enable IPv6 on the interface.
Follow-up Procedure
Run the ipv6 nd security strict command to enable the strict security mode on the interface.