Example for Configuring IPv6 Secure Neighbor Discovery (SEND)
Published: 2025-06-25 17:08
This example describes how to configure IPv6 Secure Neighbor Discovery (SEND, RFC 3971) with Cryptographically Generated Addresses (CGA, RFC 3972).
As shown in Figure 1, RouterA is configured with SEND. RouterB does not run SEND and plays the role of the attacker (an untrusted node on the link). When RouterB sends Neighbor Discovery messages to RouterA, RouterA treats them as invalid because they carry no SEND options and discards them.
Figure 1 Network diagram for configuring IPv6 SEND
The configuration roadmap is as follows:
Configure a CGA-type IPv6 address and an ordinary IPv6 address on RouterA.
Enable strict security mode on the interface of RouterA.
Configure IPv6 addresses on the interface of RouterB.
To complete the configuration, you need the following data:
Name (label) of the RSA key pair
Modifier and security level (Sec) of the CGA
CGA-type IPv6 addresses
IPv6 addresses of RouterB
1. Configure CGA-type IPv6 addresses on RouterA
system-view
[HUAWEIA] sysname RouterA
[RouterA] ipv6
[RouterA] rsa key-pair label huawei
NOTES: If the key modulus is greater than 512, It may take few minutes. Please wait
Key Successfully Created
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] ipv6 enable
[RouterA-GigabitEthernet1/0/0] ipv6 security rsakey-pair huawei
[RouterA-GigabitEthernet1/0/0] ipv6 security modifier sec-level 1
[RouterA-GigabitEthernet1/0/0] ipv6 address fe80::3 link-local cga
[RouterA-GigabitEthernet1/0/0] ipv6 address 2001:db8:1::2/64 cga
[RouterA-GigabitEthernet1/0/0] ipv6 address 2001:db8::1/64
2. Enable strict security mode on the interface of RouterA
[RouterA-GigabitEthernet1/0/0] ipv6 nd security strict
3. Configure IPv6 addresses on RouterB
system-view
[HUAWEIB] sysname RouterB
[RouterB] ipv6
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] ipv6 enable
[RouterB-GigabitEthernet1/0/0] ipv6 address auto link-local
[RouterB-GigabitEthernet1/0/0] ipv6 address 2001:db8:1::2/64
[RouterB-GigabitEthernet1/0/0] ipv6 address 2001:db8::2/64
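The two commands `ipv6 security modifier sec-level 1` and `ipv6 address 2001:db8:1::2/64 cga` correspond to the generation steps of RFC 3972: search for a modifier whose Hash2 has 16*Sec leading zero bits, then derive the 64-bit interface ID from Hash1 over the modifier, prefix, collision count and public key. The following is an added example in Python (not code from this page or from Huawei VRP) that implements that generation and the matching verification a SEND receiver performs. The public key bytes are a constructed stand-in for the DER-encoded RSA public key; the fixed modifier start value is an assumption made to keep the run reproducible where RFC 3972 uses a random start.

```python
"""RFC 3972 CGA generation and verification (added example, not Huawei code)."""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Constructed stand-in for the DER-encoded SubjectPublicKeyInfo of the router's
# RSA key (the "rsa key-pair label huawei" on the page); any bytes work here.
SAMPLE_PUBKEY = b"constructed sample public key bytes for the CGA example"

MAX_COLLISION_COUNT = 2  # RFC 3972 section 4: only collision counts 0, 1, 2 are valid


@dataclass(frozen=True)
class CGAParams:
    """CGA Parameters data structure (RFC 3972 section 3), carried in the SEND CGA option."""
    modifier: bytes        # 16 octets
    subnet_prefix: bytes   # 8 octets
    collision_count: int   # 0, 1 or 2
    public_key: bytes      # DER SubjectPublicKeyInfo in real use

    def encode(self) -> bytes:
        return self.modifier + self.subnet_prefix + bytes([self.collision_count]) + self.public_key


def hash1(params: CGAParams) -> bytes:
    """Hash1: leftmost 64 bits of SHA-1 over the full CGA Parameters."""
    return hashlib.sha1(params.encode()).digest()[:8]


def hash2(modifier: bytes, public_key: bytes) -> bytes:
    """Hash2: leftmost 112 bits of SHA-1 over the parameters with prefix and collision count zeroed."""
    return hashlib.sha1(modifier + bytes(9) + public_key).digest()[:14]


def hash2_ok(h2: bytes, sec: int) -> bool:
    """Hash-extension test: the leftmost 16*Sec bits of Hash2 must be zero."""
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0


def find_modifier(public_key: bytes, sec: int, start: int = 0, limit: int = 1 << 24) -> bytes:
    """Generation steps 1-3: walk modifier values until Hash2 passes for this Sec.

    RFC 3972 starts from a random 128-bit modifier; the fixed start (assumption)
    keeps this example reproducible. Expected cost is 2**(16*Sec) SHA-1 calls,
    the same work an attacker must spend per candidate key to forge the address.
    """
    for i in range(start, start + limit):
        modifier = i.to_bytes(16, "big")
        if hash2_ok(hash2(modifier, public_key), sec):
            return modifier
    raise RuntimeError("no modifier found within search limit")


def interface_id(h1: bytes, sec: int) -> bytes:
    """Step 6: Sec goes into bits 0-2 of Hash1, u/g bits (6-7) are cleared, bits 3-5 are kept."""
    return bytes([(sec << 5) | (h1[0] & 0x1C)]) + h1[1:]


def generate_cga(prefix: str, public_key: bytes, sec: int, modifier: bytes,
                 collision_count: int = 0) -> Tuple[ipaddress.IPv6Address, CGAParams]:
    """Steps 4-7: join the /64 prefix with the interface ID derived from Hash1.

    Only the prefix of "2001:db8:1::2/64" is used, which is why the router shows
    2001:db8:1::2092:84CE:827B:D5A4 rather than 2001:db8:1::2.
    """
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("a CGA needs a 64-bit subnet prefix")
    params = CGAParams(modifier, net.network_address.packed[:8], collision_count, public_key)
    return ipaddress.IPv6Address(params.subnet_prefix + interface_id(hash1(params), sec)), params


def verify_cga(address: str, params: CGAParams) -> bool:
    """RFC 3972 section 5: what a SEND receiver checks before trusting the CGA option."""
    packed = ipaddress.IPv6Address(address).packed
    if params.collision_count > MAX_COLLISION_COUNT:
        return False
    if params.subnet_prefix != packed[:8]:
        return False
    iid, h1 = packed[8:], hash1(params)
    # Compare the interface ID with Hash1, ignoring bits 0-2 (Sec) and 6-7 (u/g).
    if (iid[0] & 0x1C) != (h1[0] & 0x1C) or iid[1:] != h1[1:]:
        return False
    sec = iid[0] >> 5  # Sec is read from the address itself, not taken on trust from the sender
    return hash2_ok(hash2(params.modifier, params.public_key), sec)


if __name__ == "__main__":
    mod = find_modifier(SAMPLE_PUBKEY, sec=1)
    addr, params = generate_cga("2001:db8:1::2/64", SAMPLE_PUBKEY, 1, mod)
    print("CGA:", addr, "modifier:", mod.hex(), "verified:", verify_cga(str(addr), params))
```

Forging a Sec=1 address that a victim already uses requires a key and modifier that reproduce 59 bits of Hash1 and 16 zero bits of Hash2, about 2**75 SHA-1 evaluations; each Sec step adds 16 bits of work for the attacker while costing the legitimate node a one-time 2**16 search per step. Verification alone proves that the sender of the CGA option knows the parameters; binding a message to the key owner is done by the RSA Signature option that SEND adds on top, which is what the `ipv6 security rsakey-pair` command supplies.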
4. Verify the configuration
If the configuration succeeds, the configured IPv6 addresses are displayed, the interface state and the IPv6 protocol state are both Up, and the SEND configuration of the interface can be displayed.
# Display information about GE1/0/0 on RouterA.
[RouterA-GigabitEthernet1/0/0] display this ipv6 interface
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::3057:B5D6:6BD6:6CA8
Global unicast address(es):
2001:db8:1::2092:84CE:827B:D5A4, subnet is 2001:db8:1::/64
2001:db8::1, subnet is 2001:db8::/64
Joined group address(es):
FF02::1:FF7B:D5A4
FF02::2
FF02::1
FF02::1:FFD6:6CA8
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
ND stale time is 1200 seconds
# Display the SEND configuration of GE1/0/0 on RouterA. The key-length lines show the range of RSA key sizes the interface accepts in received SEND messages; a 512-bit RSA minimum is weak by current standards, so generate the local key pair at the upper end of that range.
[RouterA-GigabitEthernet1/0/0] display ipv6 security interface gigabitethernet 1/0/0
(L) : Link local address
SEND information for the interface : GigabitEthernet1/0/0
IPv6 address PrefixLength Collision Count
FE80::3057:B5D6:6BD6:6CA8 (L) 10 0
2001:db8:1::2092:84CE:827B:D5A4 64 0
SEND sec value : 1
SEND security modifier value : 585D:9EA0:328:2792:B763:1DE3:BBC4:D22D
SEND ND minimum key length value : 512
SEND ND maximum key length value : 2048
SEND ND Timestamp delta value : 300
SEND ND Timestamp fuzz value : 1
SEND ND Timestamp drift value : 1
# Display information about GE1/0/0 on RouterB.
[RouterB-GigabitEthernet1/0/0] display this ipv6 interface
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::2E0:E6FF:FE13:8100
Global unicast address(es):
2001:db8:1::2, subnet is 2001:db8:1::/64
2001:db8::2, subnet is 2001:db8::/64
Joined group address(es):
FF02::1:FF00:2
FF02::2
FF02::1
FF02::1:FF13:8100
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
ND stale time is 1200 seconds
# Ping the CGA link-local address of RouterA from RouterB. RouterB sends ordinary Neighbor Discovery messages with no SEND options; RouterA in strict mode discards them, so neighbor resolution fails and the ping times out.
[RouterB-GigabitEthernet1/0/0] ping ipv6 FE80::3057:B5D6:6BD6:6CA8 -i gigabitethernet 1/0/0
PING FE80::3057:B5D6:6BD6:6CA8 : 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- FE80::3057:B5D6:6BD6:6CA8 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
round-trip min/avg/max = 0/0/0 ms
# Ping the CGA global unicast address of RouterA from RouterB. The ping fails for the same reason.
[RouterB-GigabitEthernet1/0/0] ping ipv6 2001:db8:1::2092:84CE:827B:D5A4
PING 2001:db8:1::2092:84CE:827B:D5A4 : 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 2001:db8:1::2092:84CE:827B:D5A4 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss
round-trip min/avg/max = 0/0/0 ms
# Ping the ordinary (non-CGA) global unicast address of RouterA from RouterB. This ping also fails: strict mode applies to all Neighbor Discovery processing on the interface, not only to the CGA addresses.
[RouterB-GigabitEthernet1/0/0] ping ipv6 2001:db8::1
PING 2001:db8::1 : 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
# After strict security mode is disabled on RouterA, RouterB can ping the IPv6 addresses of RouterA. The following uses the CGA global unicast address of RouterA as an example; the address stays configured, only the requirement that neighbors secure their ND messages is removed.
[RouterA-GigabitEthernet1/0/0] undo ipv6 nd security strict
[RouterB-GigabitEthernet1/0/0] ping ipv6 2001:db8:1::2092:84CE:827B:D5A4
PING 2001:db8:1::2092:84CE:827B:D5A4 : 56 data bytes, press CTRL_C to break
Reply from 2001:db8:1::2092:84CE:827B:D5A4
bytes=56 Sequence=1 hop limit=64 time = 1 ms
bytes=56 Sequence=2 hop limit=64 time = 20 ms
bytes=56 Sequence=3 hop limit=64 time = 1 ms
bytes=56 Sequence=4 hop limit=64 time = 1 ms
bytes=56 Sequence=5 hop limit=64 time = 1 ms
--- 2001:db8:1::2092:84CE:827B:D5A4 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 1/4/20 ms
Configuration file of RouterA
#
sysname RouterA
#
#
rsa key-pair label huawei
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 security rsakey-pair huawei
ipv6 security modifier sec-level 1 585D:9EA0:328:2792:B763:1DE3:BBC4:D22D
ipv6 address fe80::3 link-local cga
ipv6 address 2001:db8:1::2/64 cga
ipv6 address 2001:db8::1/64
ipv6 nd security strict
#
return
Configuration file of RouterB
#
sysname RouterB
#
#
interface GigabitEthernet1/0/0
undo shutdown
ipv6 enable
ipv6 address 2001:db8:1::2/64
ipv6 address 2001:db8::2/64
ipv6 address auto link-local
#
return