No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


NE40E V800R010C10SPC500 Feature Description - Security 01

This is NE40E V800R010C10SPC500 Feature Description - Security
Rate and give feedback :
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
SMA Fundamentals

SMA Fundamentals

This section describes the state machine-based anti-spoofing (SMA) function for IPv6, which is a source IPv6 address verification solution.

Basic Concepts

Table 15-1 lists the basic concepts involved in the implementation of the SMA function.

Table 15-1 Basic SMA concepts


Acronym and Abbreviation


Autonomous system


An AS.

Trust alliance


A collection of SMA-enabled ASs.

Member AS


An AS that is included in a trust alliance.

Non-member AS


An AS that is not included in a trust alliance.

Registration center


A server that registers trust alliance member information and manages a trust alliance member list.

AS control server


The only server in a local AS that can communicate with an REG and other ASs in the same trust alliance. It also configures AERs in the local AS. Each member in a trust alliance has only one ACS.

AS edge router


A router at the edge of an AS. An AS can contain one or more AERs.



A string added to an IP packet. It is used to verify the source IP address prefix.

State machine


Used to generate and update a list of tags.

Source AS


An AS from which packets originate.

Destination AS


An AS to which packets are sent.


In Figure 15-1, all SMA-capable ASs form a trust alliance. Each AS is a member of the trust alliance. The trust alliance has one REG, and each member AS has one ACS.

The REG manages the alliance member list and controls the addition and removal of trust alliance members.

ACSs communicate with each other to negotiate state machine information that is used to generate and update tags. Each ACS deploys state machine information on AERs in a local AS. An egress AER in a source AS adds a tag to packets. Upon receipt of the packets, the ingress AER in a destination AS checks the tags in the packets to verify IPv6 address prefixes.

Figure 15-1 Trust alliance diagram

Tags enable member ASs to verify IPv6 source address prefixes of one another and establish trust relationships, which prevents a host in an AS to spoof the identity of a host in another AS. In addition, an AS can limit the rate at which packets are transmitted over an untrusted connection after detecting attacks, minimizing losses.

Functions of Primary SMA Entities

SMA functions can be classified as data plane functions or control plane functions.
  • On the data plane, an AER in a source AS adds a tag to a packet. Upon receipt of the packet, the AER in a destination AS verifies the tag.
  • On the control plane, REGs, ACSs, and AERs submit and distribute member AS registration information, negotiate state machines, update and synchronize all information, and configure AERs.
The major functions of REGs, ACSs, and AERs are as follows:
  • REG
    1. Communicates with the ACS of each member AS along a secure channel in a trust alliance to implement the following three functions:
    2. Receives member registration change requests and maintains a member AS list.
    3. Processes member registration changes and notifies all member ASs of the changes.
    4. Provides base time reference for member ASs. The member ASs synchronize time with the REG.
  • ACS
    1. Communicates with the REG along a secure channel in a trust alliance to implement the following three functions:
    2. Submits to the REG a request to change local AS registration information.
    3. Receives and processes AS change information sent by the REG.
    4. Synchronizes time signals in a local AS with the REG.
    5. Communicates with ACSs in other member ASs along secure channels to implement the following four functions:
    6. Sends the local AS's IPv6 address prefix to other ACSs.
    7. Receives member ASs' IPv6 address prefixes from other ACSs.
    8. Sends local-to-remote AS state machine information to other ACSs.
    9. Receives remote-to-local AS state machine information sent by other ACSs.
    10. Defines policies for tag addition, verification, and deployment.
    11. Communicates with AERs in a local AS along a secure channel to implement the following four functions:
    12. Deploys state machine information on the AERs.
    13. Sends trust alliance base time signals to the AERs so that the AERs can synchronize time with the ACS.
    14. Receives AER operating status information.
    15. Deploys tag policies on the AERs.
  • AER
    1. Communicates with the ACS in a local AS along a secure channel to implement the following four functions:
    2. Receives and applies the state machine information sent by the ACS.
    3. Receives trust alliance base time signals sent by the ACS and corrects the local time.
    4. Sends its own operating status information to the ACS.
    5. Receives and applies the tag policies sent by the ACS.
    6. Adds a tag of the local AS to packets that originate from the local AS and are destined for another member AS.
    7. Verifies tags in packets that originate from other member ASs and are destined for the local AS, forwards valid packets, and discards invalid ones.
Updated: 2019-01-03

Document ID: EDOC1100055047

Views: 12624

Downloads: 29

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next