
Configuration Guide - IP Service

CloudEngine 12800 and 12800E V200R005C00

This document describes the configurations of IP Service, including IP address, ARP, DHCP, DNS, IP performance optimization, IPv6, DHCPv6, and IPv6 DNS.
(Optional) Configuring IPSec Authentication and Encryption on a DHCPv6 Relay Agent

To defend against forged DHCPv6 messages, apply IPSec authentication and encryption to the packets exchanged between DHCPv6 relay agents and between a DHCPv6 relay agent and a DHCPv6 server.

Context

If an attacker impersonates a DHCPv6 server and sends bogus DHCPv6 messages to a client, the client may suffer a DoS attack or be assigned incorrect configuration (addresses, DNS servers, or other options). A client cannot authenticate a server directly, so the relay-to-relay and relay-to-server hops are protected instead: implement IPSec authentication and encryption on packets exchanged between DHCPv6 relay agents and between a DHCPv6 relay agent and a server, so that forged relay-forward or relay-reply messages are discarded.

Procedure

  1. Configure an IPSec proposal.
    1. Run system-view

      The system view is displayed.

    2. Run ipsec proposal proposal-name

      An IPSec proposal is created and the IPSec proposal view is displayed.

    3. Run transform { ah | esp }

      A security protocol is specified for the IPSec proposal.

      By default, the security protocol used by an IPSec proposal is Encapsulating Security Payload (ESP).

    4. Configure an authentication or encryption algorithm according to the security protocol.

      • If AH is used, you can configure only the AH-specific authentication algorithm, because AH provides integrity and origin authentication but no confidentiality.

        Run the ah authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 } command to specify the authentication algorithm for the AH protocol.

        By default, no authentication algorithm is used for AH.

      • If ESP is used, ESP can either authenticate packets only, or encrypt and authenticate them. Configure the ESP-specific authentication algorithm, encryption algorithm, or both.
        • Run the esp authentication-algorithm { md5 | sha1 | sha2-256 | sha2-384 | sha2-512 } command to specify the authentication algorithm for the ESP protocol.

          By default, no authentication algorithm is used for ESP.

        • Run the esp encryption-algorithm { 3des | aes { 128 | 192 | 256 } | des | null } command to specify the encryption algorithm for the ESP protocol.

          By default, no encryption algorithm is used for ESP. If encryption is not required, specify null; ESP then provides authentication only, equivalent in protection to AH.

    5. Run encapsulation-mode transport

      A packet encapsulation mode is specified for the security protocol.

      By default, the packet encapsulation mode is tunnel.

      NOTE:

      Currently, only the transport mode is supported on the device.

      In transport mode only the payload is protected, not the outer IP header, so the device that encrypts a packet and the device that decrypts it must be the originator and the final receiver of that packet (here, the relay agent and its peer relay agent or server).

      The MD5, SHA-1, DES, and 3DES algorithms are not recommended because they no longer meet security requirements. Use SHA2-256 or stronger for authentication and AES for encryption.

    6. Run quit

      Return to the system view.

    7. Run commit

      The configuration is committed.

  2. Configure an IPSec SA.
    1. Run ipsec sa sa-name

      An IPSec SA is created and the IPSec SA view is displayed.

      By default, no IPSec SA exists in the system.

    2. Run proposal proposal-name

      The IPSec proposal is bound to the IPSec SA.

      By default, an IPSec SA does not reference any IPSec proposal.

      NOTE:

      An IPSec SA can reference only one IPSec proposal. To bind a different IPSec proposal to the IPSec SA, delete the currently bound proposal first.

    3. Run sa spi { inbound | outbound } { ah | esp } spi-number

      An SPI is configured for the SA.

      NOTE:
      • An SPI uniquely identifies an SA in one direction. Each SA must be configured with an inbound SPI and an outbound SPI. The outbound SPI on the local end must be the same as the inbound SPI on the remote end, and vice versa.
      • The security protocol (AH or ESP) you select when configuring the SPI must be the same as that used in the IPSec proposal bound to the SA.

    4. Configure a key according to the security protocol used in the IPSec proposal bound to the SA.

      • If the AH protocol is used, you can configure an authentication key that is a hexadecimal number or a character string.
        • Run the sa authentication-hex { inbound | outbound } ah [ cipher ] hex-string command to configure a hexadecimal authentication key.

        • Run the sa string-key { inbound | outbound } ah [ cipher ] string-key command to configure a character string as the authentication key.

      • If the ESP protocol is used, run one of the following commands to configure the authentication key or the encryption key. You can also configure both an authentication key and an encryption key; in that case both keys must be hexadecimal.
        • Run the sa authentication-hex { inbound | outbound } esp [ cipher ] hex-string command to configure a hexadecimal authentication key.

        • Run the sa string-key { inbound | outbound } esp [ cipher ] string-key command to configure a character string as the authentication key.

        • Run the sa encryption-hex { inbound | outbound } esp [ cipher ] hex-string command to configure a hexadecimal encryption key.

      NOTE:
      • The security protocol (AH or ESP) you select when configuring the key must be the same as that used in the IPSec proposal bound to the SA.
      • The outbound key on the local end must be the same as the inbound key on the remote end, and vice versa.
      • The IPSec peers must use the authentication or encryption key in the same format. For example, if the key on one end is a character string but the key on the other end is a hexadecimal number, the SA cannot be established.
      • If you configure multiple keys in different formats for the same direction, the last configured key takes effect.

    5. Run quit

      Return to the system view.

    6. Run commit

      The configuration is committed.

  3. Run dhcpv6 ipsec sa sa-name [ peer peer-ipv6-address [ vpn-instance vpn-instance ] ]

    IPSec authentication and encryption are enabled on the DHCPv6 relay agent to protect packets exchanged between DHCPv6 relay agents and between the DHCPv6 relay agent and the server. If peer is specified, the SA applies only to traffic with that peer; otherwise it applies to all DHCPv6 relay peers.

    By default, IPSec is disabled on DHCPv6 relay agents.

  4. Run commit

    The configuration is committed.
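The consistency rules in the procedure above (mirrored SPIs and keys, one key format on both ends, AH/ESP matching the bound proposal, no MD5/SHA-1/DES/3DES) are easy to violate when the two relay agents are configured by hand. The following is an added example, not part of the Huawei document or the device software: it models the manually keyed SA for a pair of peers, checks those rules, and renders the command sequence from the procedure for each peer. The key lengths (AES key size; HMAC key equal to the digest length) and the accepted SPI range (256 to 4294967295, since IANA reserves 0 to 255) are assumptions and must be confirmed against the device; the SA name, proposal name, SPIs, and peer addresses are hypothetical.

```python
"""Added example (not from the Huawei document): model a manually keyed IPSec SA
for two DHCPv6 relay peers, check the procedure's consistency rules, and render
the CLI sequence for each side."""
from __future__ import annotations

import secrets
from dataclasses import dataclass

# Algorithms the procedure says are not recommended.
WEAK_ALGORITHMS = {"md5", "sha1", "des", "3des"}

# Key lengths in bytes. Assumption: HMAC key length equals digest length and
# AES key length follows the algorithm name; confirm against the device.
AUTH_KEY_BYTES = {"md5": 16, "sha1": 20, "sha2-256": 32, "sha2-384": 48, "sha2-512": 64}
ENC_KEY_BYTES = {"des": 8, "3des": 24, "aes 128": 16, "aes 192": 24, "aes 256": 32, "null": 0}
SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF  # assumption: IANA reserves 0-255


@dataclass
class Proposal:
    name: str
    transform: str          # "ah" or "esp"
    auth_alg: str           # key of AUTH_KEY_BYTES
    enc_alg: str = "null"   # key of ENC_KEY_BYTES; only used when transform == "esp"

    def encrypts(self) -> bool:
        return self.transform == "esp" and self.enc_alg != "null"


@dataclass
class PeerSA:
    """One end of a manually keyed SA. Hex keys only, which is what the
    procedure requires when both an authentication and an encryption key are set."""
    sa_name: str
    proposal: Proposal
    spi_in: int
    spi_out: int
    auth_key_in: str
    auth_key_out: str
    enc_key_in: str = ""
    enc_key_out: str = ""


def check_proposal(p: Proposal) -> list[str]:
    """Flag unknown, weak, or protocol-inconsistent algorithm choices."""
    problems: list[str] = []
    if p.transform not in ("ah", "esp"):
        problems.append(f"{p.name}: transform must be ah or esp")
    if p.auth_alg not in AUTH_KEY_BYTES:
        problems.append(f"{p.name}: unknown authentication algorithm {p.auth_alg}")
    elif p.auth_alg in WEAK_ALGORITHMS:
        problems.append(f"{p.name}: authentication algorithm {p.auth_alg} is not recommended")
    if p.transform == "ah" and p.enc_alg != "null":
        problems.append(f"{p.name}: AH cannot encrypt; encryption algorithm must be null")
    if p.transform == "esp":
        if p.enc_alg not in ENC_KEY_BYTES:
            problems.append(f"{p.name}: unknown encryption algorithm {p.enc_alg}")
        elif p.enc_alg in WEAK_ALGORITHMS:
            problems.append(f"{p.name}: encryption algorithm {p.enc_alg} is not recommended")
    return problems


def check_pair(a: PeerSA, b: PeerSA) -> list[str]:
    """Apply the rules from the procedure to both ends of the SA."""
    problems = check_proposal(a.proposal) + check_proposal(b.proposal)
    if a.proposal.transform != b.proposal.transform:
        problems.append("peers bind proposals with different security protocols")
    for peer in (a, b):
        for spi in (peer.spi_in, peer.spi_out):
            if not SPI_MIN <= spi <= SPI_MAX:
                problems.append(f"{peer.sa_name}: SPI {spi} outside {SPI_MIN}-{SPI_MAX}")
        want = 2 * AUTH_KEY_BYTES.get(peer.proposal.auth_alg, 0)
        for key in (peer.auth_key_in, peer.auth_key_out):
            if len(key) != want or any(c not in "0123456789abcdefABCDEF" for c in key):
                problems.append(f"{peer.sa_name}: authentication key must be {want} hex digits")
    # Outbound on one end must equal inbound on the other, in both directions.
    if a.spi_out != b.spi_in or b.spi_out != a.spi_in:
        problems.append("SPI mismatch: local outbound SPI must equal remote inbound SPI")
    if a.auth_key_out != b.auth_key_in or b.auth_key_out != a.auth_key_in:
        problems.append("authentication key mismatch between peers")
    if a.proposal.encrypts():
        if a.enc_key_out != b.enc_key_in or b.enc_key_out != a.enc_key_in:
            problems.append("encryption key mismatch between peers")
    return problems


def make_pair(sa_name: str, proposal: Proposal, spi_ab: int, spi_ba: int,
              rand=secrets.token_hex) -> tuple[PeerSA, PeerSA]:
    """Generate mirrored keys for peers A and B. rand(n) returns 2n hex digits."""
    auth_ab, auth_ba = rand(AUTH_KEY_BYTES[proposal.auth_alg]), rand(AUTH_KEY_BYTES[proposal.auth_alg])
    enc_ab = enc_ba = ""
    if proposal.encrypts():
        enc_ab, enc_ba = rand(ENC_KEY_BYTES[proposal.enc_alg]), rand(ENC_KEY_BYTES[proposal.enc_alg])
    a = PeerSA(sa_name, proposal, spi_ba, spi_ab, auth_ba, auth_ab, enc_ba, enc_ab)
    b = PeerSA(sa_name, proposal, spi_ab, spi_ba, auth_ab, auth_ba, enc_ab, enc_ba)
    return a, b


def render_cli(peer: PeerSA, peer_addr: str) -> str:
    """Render the command sequence of the procedure for one relay agent."""
    p, t = peer.proposal, peer.proposal.transform
    lines = ["system-view", f"ipsec proposal {p.name}", f"transform {t}"]
    if t == "ah":
        lines.append(f"ah authentication-algorithm {p.auth_alg}")
    else:
        lines += [f"esp authentication-algorithm {p.auth_alg}", f"esp encryption-algorithm {p.enc_alg}"]
    lines += ["encapsulation-mode transport", "quit", "commit",
              f"ipsec sa {peer.sa_name}", f"proposal {p.name}",
              f"sa spi inbound {t} {peer.spi_in}", f"sa spi outbound {t} {peer.spi_out}",
              f"sa authentication-hex inbound {t} {peer.auth_key_in}",
              f"sa authentication-hex outbound {t} {peer.auth_key_out}"]
    if p.encrypts():
        lines += [f"sa encryption-hex inbound esp {peer.enc_key_in}",
                  f"sa encryption-hex outbound esp {peer.enc_key_out}"]
    lines += ["quit", "commit", f"dhcpv6 ipsec sa {peer.sa_name} peer {peer_addr}", "commit"]
    return "\n".join(lines)


if __name__ == "__main__":
    prop = Proposal("dhcpv6-prop", "esp", "sha2-256", "aes 256")
    relay_a, relay_b = make_pair("dhcpv6-sa", prop, spi_ab=0x10001, spi_ba=0x10002)
    assert check_pair(relay_a, relay_b) == []
    print(render_cli(relay_a, "2001:db8::2"))   # hypothetical peer address
```

Run the script to print the sequence for relay A; the sequence for relay B is render_cli(relay_b, ...) with A's address. The keys are generated once and mirrored, which is what makes the in-band checks meaningful: if you instead type keys on each device by hand, run check_pair on what was actually configured before committing.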

Updated: 2019-04-18

Document ID: EDOC1100039535