NE40E V800R010C10SPC500 Feature Description - Security 01

AER Functions

The NE40E supports most AER functions. They are described below from the data plane and control plane perspectives.

Data Plane Functions

An AER supports the following functions on the data plane:

  • Port classification
    AER interfaces are classified so that packets can be sorted and tags added to a specific type of packet. A receiving AER can verify the tags in the packets it receives before forwarding them. Each connected interface on an AER belongs to exactly one of the following categories:
    • Ingress interface: connected to an interface of a non-SMA router (usually an intra-IGP-area router) in the local AS.
    • Egress interface: connected to an interface in another AS.
    • Trust interface: connected to an SMA router interface in the local AS.
    Figure 15-2 illustrates the ingress, egress, and trust interfaces.
    Figure 15-2 Ingress, egress, and trust interfaces
  • Source address check

    An AER must verify the source IPv6 address carried in each packet. Only packets with a valid source address go on to packet classification; packets with an invalid source address are discarded.

    The AER verifies source IPv6 addresses based on the following rules:
    • Packets that arrive at the ingress interface of an AER can carry the source IPv6 address prefix of the local AS only.
    • Packets that arrive at the egress interface of an AER must not carry the source IPv6 address prefix of the local AS.
    • Packets that arrive at the trust interface of an AER are not checked.
    The source IPv6 address prefix of the local AS must be specified by an administrator. Alternatively, it can be obtained using a control plane protocol and delivered by an ACS in the local AS to AERs.
  • Packet classification
    The AER classifies packets that carry valid source IPv6 address prefixes into three categories: packets to which a tag is to be added, packets whose tags are to be verified, and other packets.
    1. After packets arrive at the ingress interface of an AER, the AER must add a tag to each packet that carries the local AS's source IPv6 address prefix and a destination IPv6 address prefix of another member AS. Other packets are forwarded by the AER without tag addition.
    2. After packets arrive at the egress interface of an AER, the AER must verify each packet that carries the source IPv6 address prefix of another member AS and a destination IPv6 address prefix of the local AS. Other packets are forwarded by the AER without tag verification.
    3. After packets arrive at the trust interface of an AER, the AER directly forwards them.
    The mappings between source IPv6 addresses and ASs can be obtained from the control plane. The ACS in each AS sends the mapping to AERs that are in the same AS as the ACS.
  • Tag update

    An AER obtains a new tag from an ACS without running a state transition algorithm.

  • Adding a tag to a packet
    An SMA tag is a new option type. It is called an SMA option and is added to the IPv6 destination option header defined in relevant standards. An SMA option can be added to a packet in one of the following situations:
    • If a packet does not contain a destination option header, an AER adds a destination option header to the packet in compliance with relevant standards and adds an SMA option to the destination option header.
    • If a packet contains a destination option header but the destination option header does not contain an SMA option, an AER adds an SMA option to the destination option header.
    • If a packet contains a destination option header and the destination option header contains an SMA option, an AER adds an SMA option before the existing SMA option.
  • Tag verification
    • An AER discards a packet if the packet does not contain a destination option header, or if the destination option header does not contain an SMA option.
    • An AER discards a packet if the packet carries an SMA option with an incorrect parameter or an incorrect tag.
    • An AER removes the tag from a packet before forwarding the packet if the packet carries an SMA option with correct parameters and a correct tag.
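The source address check and packet classification rules above can be read as a single decision function per interface category. The following Python model is an added example and is not NE40E code or Huawei's implementation; the AS numbers and prefix table are constructed sample values standing in for the mapping an ACS would deliver to its AERs.

```python
import ipaddress
from enum import Enum


class Iface(Enum):
    INGRESS = "ingress"   # faces a non-SMA router inside the local AS
    EGRESS = "egress"     # faces another AS
    TRUST = "trust"       # faces another SMA router in the local AS


class Action(Enum):
    DROP = "drop"                # failed the source address check
    FORWARD = "forward"          # forward unchanged
    ADD_TAG = "add_tag"          # ingress: local source, member-AS destination
    VERIFY_TAG = "verify_tag"    # egress: member-AS source, local destination


class AerDataPlane:
    def __init__(self, local_as, prefix_to_as):
        self.local_as = local_as
        # prefix -> AS mapping as delivered by the ACS (constructed sample in the test);
        # sorted so that the longest matching prefix is found first
        self.table = sorted(
            ((ipaddress.IPv6Network(p), asn) for p, asn in prefix_to_as.items()),
            key=lambda e: e[0].prefixlen, reverse=True)

    def as_of(self, addr):
        """Member AS that owns addr, or None if addr is outside every alliance prefix."""
        ip = ipaddress.IPv6Address(addr)
        return next((asn for net, asn in self.table if ip in net), None)

    def source_check(self, iface, src):
        """Rules from the 'Source address check' bullet."""
        src_as = self.as_of(src)
        if iface is Iface.TRUST:
            return True                      # trust interface: not checked
        if iface is Iface.INGRESS:
            return src_as == self.local_as   # only the local AS prefix may enter here
        return src_as != self.local_as       # egress: local prefix must not arrive from outside

    def classify(self, iface, src, dst):
        """Rules from the 'Packet classification' bullet, applied after the source check."""
        if not self.source_check(iface, src):
            return Action.DROP
        if iface is Iface.TRUST:
            return Action.FORWARD
        src_as, dst_as = self.as_of(src), self.as_of(dst)
        if iface is Iface.INGRESS:
            # a local source is already guaranteed by source_check
            if dst_as is not None and dst_as != self.local_as:
                return Action.ADD_TAG
            return Action.FORWARD
        # egress: a non-local source is already guaranteed by source_check; only
        # traffic from another member AS to the local AS carries a tag to verify
        if src_as is not None and dst_as == self.local_as:
            return Action.VERIFY_TAG
        return Action.FORWARD
```

Note that a packet whose source lies outside every alliance prefix is dropped on the ingress interface (it is not the local prefix) but forwarded without verification on the egress interface, because only member ASs add tags.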
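The three insertion cases under "Adding a tag to a packet" and the three outcomes under "Tag verification" operate on the IPv6 Destination Options header (RFC 8200: Next Header, Hdr Ext Len in 8-octet units, then TLV options padded with Pad1/PadN). The Python below is an added example, not NE40E code; it works on the extension-header chain that follows the fixed IPv6 header. The SMA option type value is not given on this page, so an RFC 4727 experimental option type is used as a placeholder, the tag is treated as an opaque byte string compared against the value expected from the ACS, and removing a Destination Options header that becomes empty after the tag is stripped is this example's choice, not something the page specifies.

```python
import hmac

DEST_OPTS = 60          # IPv6 Destination Options header (RFC 8200)
PAD1, PADN = 0, 1       # standard padding option types
SMA_OPTION_TYPE = 0x1e  # PLACEHOLDER: RFC 4727 experimental type; real SMA value not on the page


def parse_dest_opts(buf):
    """Parse one Destination Options header at buf[0:]; return (next_header, options, consumed)."""
    next_hdr, ext_len = buf[0], buf[1]
    total = (ext_len + 1) * 8
    if len(buf) < total:
        raise ValueError("truncated Destination Options header")
    opts, i = [], 2
    while i < total:
        t = buf[i]
        if t == PAD1:
            i += 1
            continue
        ln = buf[i + 1]
        if t != PADN:
            opts.append((t, bytes(buf[i + 2:i + 2 + ln])))
        i += 2 + ln
    return next_hdr, opts, total


def build_dest_opts(next_hdr, opts):
    """Serialise options into a Destination Options header padded to a multiple of 8 octets."""
    body = b"".join(bytes([t, len(d)]) + d for t, d in opts)
    pad = (-(2 + len(body))) % 8
    if pad == 1:
        body += bytes([PAD1])
    elif pad > 1:
        body += bytes([PADN, pad - 2]) + b"\x00" * (pad - 2)
    ext_len = (2 + len(body)) // 8 - 1
    return bytes([next_hdr, ext_len]) + body


def add_sma_tag(next_hdr, payload, tag):
    """Ingress-side tagging. Returns (new_next_hdr, new_payload) for the three cases on the page."""
    if next_hdr != DEST_OPTS:
        # case 1: no Destination Options header; create one carrying the SMA option
        return DEST_OPTS, build_dest_opts(next_hdr, [(SMA_OPTION_TYPE, tag)]) + payload
    inner_nh, opts, used = parse_dest_opts(payload)
    idx = next((i for i, (t, _) in enumerate(opts) if t == SMA_OPTION_TYPE), len(opts))
    # case 2 (no SMA option yet): append; case 3 (SMA option present): insert before it
    opts.insert(idx, (SMA_OPTION_TYPE, tag))
    return DEST_OPTS, build_dest_opts(inner_nh, opts) + payload[used:]


def verify_sma_tag(next_hdr, payload, expected_tag):
    """Egress-side check. Returns (forward, next_hdr, payload); on success the tag is removed."""
    if next_hdr != DEST_OPTS:
        return False, next_hdr, payload          # no Destination Options header: drop
    inner_nh, opts, used = parse_dest_opts(payload)
    idx = next((i for i, (t, _) in enumerate(opts) if t == SMA_OPTION_TYPE), None)
    if idx is None:
        return False, next_hdr, payload          # no SMA option: drop
    if not hmac.compare_digest(opts[idx][1], expected_tag):
        return False, next_hdr, payload          # wrong tag: drop (constant-time compare)
    del opts[idx]
    if opts:
        return True, DEST_OPTS, build_dest_opts(inner_nh, opts) + payload[used:]
    return True, inner_nh, payload[used:]        # header now empty: drop it (example's choice)
```

Because case 3 inserts the new option in front of an existing one, a packet that crosses several member ASs carries its tags outermost-first, and each egress AER verifies and strips only the tag at the front, leaving the inner one for the next AS.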

Control Plane Functions

The control plane implements the following communication functions:
  • Communication between the REG and ACSs in a trust alliance. The REG sends trust alliance member list information to the ACSs, and the REG and ACSs query information from and respond to one another.
  • Communication between ACSs. ACSs query IP address prefix information from and respond to one another. They also send diagnostic requests and respond to one another's requests.
  • Communication between an ACS and AERs in each AS. The ACS deploys the trust alliance member list, IPv6 address prefixes, and state machine information on AERs. The ACS and AERs exchange queries and diagnostic requests and responses. The AERs send their operating status information to the ACS, and the ACS sends tag policies to the AERs.

The preceding communication processes run over TCP, and the involved devices use the Secure Sockets Layer (SSL) protocol to verify each other's identities and encrypt packets. In addition, they run the Network Time Protocol (NTP) so that ACSs can synchronize time with the REG in the trust alliance, and the AERs can synchronize time with the ACS in each AS.

  • Communication between an ACS and AERs

    An ACS sends the trust alliance member list, source IPv6 address prefixes, and state machine information to the AERs in the same member AS as the ACS. The detailed information exchanged between the ACS and AERs is as follows:
    1. Registration information:
      1. The ACS sends registration information to the AERs.
      2. The AERs send requests to the ACS to query registration information.
      3. The ACS responds to the registration information queries by the AERs.
    2. IPv6 address prefix information:
      1. The ACS sends IPv6 address prefix information to the AERs.
      2. The AERs send requests to the ACS to query IPv6 address prefix information.
      3. The ACS responds to the IPv6 address prefix information queries by the AERs.
    3. State machine information:
      1. The ACS sends state machine information to the AERs.
      2. The AERs send requests to the ACS to query state machine information.
      3. The ACS responds to the state machine information queries by the AERs.
    4. Keepalive status detection and response:
      1. The ACS sends ALIVE_INFO-Request packets to the AERs.
      2. Each AER responds to the ACS with an ACK packet.

    The ACS periodically sends updated information to the AERs. The information includes registration information, IPv6 address prefixes, bidirectional state machine information, and tag policy information about all member ASs, including the local AS.

    The SMA protocol running on the ACS sends an ALIVE_INFO-Request packet to each AER to check the Keepalive status. Upon receipt of the packet, an AER responds with an ACK packet. If the ACS does not receive a response from a specific AER within 60 seconds, the ACS considers the AER to be faulty and notifies the local AS administrator of the fault. In addition, the ACS sends the AER an ALIVE_INFO-Request packet to query its Keepalive status. After receiving a correct response sent by the AER, the ACS considers that the AER has recovered.

Updated: 2019-01-03

Document ID: EDOC1100055047