NE20E-S2 V800R010C10SPC500 Configuration Guide - IP Services 01

Configuring IPv6 SEND

The SEcure Neighbor Discovery (SEND) protocol is a security extension of the Neighbor Discovery Protocol (NDP) in IPv6.

Usage Scenario

In the IPv6 protocol suite, ND is essential for establishing and maintaining reachability to neighbors on the local link. As attacks on networks intensify, securing ND has become a concern. RFC 3756 (IPv6 Neighbor Discovery Trust Models and Threats) catalogues the threats to ND; some of them are described in Table 12-1.

Table 12-1 IPv6 ND attacks (attack method, followed by its description)

NS/NA spoofing

An attacker sends an authorized node (host or router) an NS message with a bogus source link-layer address option, or an NA message with a bogus target link-layer address option. The authorized node updates its neighbor cache accordingly, and from then on sends packets for that neighbor to the attacker-chosen link-layer address.

Neighbor unreachability detection (NUD) failure

An attacker repeatedly sends forged NA messages in response to an authorized node's NUD NS messages, so that the authorized node never detects that the neighbor has become unreachable. The consequences of this attack depend on why the neighbor became unreachable and on how the authorized node would behave if it knew that the neighbor was unreachable.

Duplicate Address Detection (DAD) attacks

An attacker responds to every DAD attempt made by a host joining the network, claiming that the tentative address is already in use. The host never obtains a usable address.

Spoofed Redirect message

An attacker uses the link-local address of the first-hop router as the source of a Redirect message sent to an authorized host. The host accepts the message because it mistakenly believes the message came from the first-hop router.

Replay attacks

An attacker captures valid messages and replays them later. Even if ND messages are cryptographically protected so that their contents cannot be forged, they remain vulnerable to replay unless freshness is also checked.

Bogus address prefix

An attacker sends a bogus RA message announcing that certain prefixes are on-link. A host will not forward packets for an on-link prefix to the router; instead it sends NS messages to resolve the destination directly, and those NS messages go unanswered. As a result, the host is denied service for destinations under that prefix.

Malicious last-hop router

An attacker multicasts bogus RA messages, or unicasts bogus RA messages in response to the multicast RS messages of a host trying to discover a last-hop router. If the host selects the attacker as its default router, the attacker becomes a man-in-the-middle and can intercept all traffic exchanged between the host and its destinations.

To counter these threats, Secure Neighbor Discovery (SEND), defined in RFC 3971, specifies security mechanisms that extend ND. SEND uses Cryptographically Generated Addresses (CGAs, defined in RFC 3972) together with a CGA option and an RSA Signature option to prove that the sender of an ND message owns the message's source address. SEND also defines Timestamp and Nonce options to prevent replay attacks.

  • CGA: an IPv6 address whose interface identifier is derived from a one-way hash of the sender's public key and associated parameters (a modifier, the subnet prefix, and a collision count). The address is therefore bound to the key without any PKI.
  • CGA option: carries the information a receiver needs to recompute and verify the sender's CGA, including the sender's public key. It is used to authenticate the source IP address carried in an ND message.
  • RSA Signature option: carries a hash of the sender's public key (so the receiver can match it to the key in the CGA option) and a digital signature computed with the sender's private key over the ND message. It is used to verify the integrity of the ND message and the identity of its sender.
    NOTE:
    For an attacker to use an address that belongs to an authorized node, the attacker would have to present that node's public key in the CGA option, because the address is derived from a hash of that key; otherwise the receiver detects the attempt when it checks the CGA option. Even if the attacker copies the authorized node's public key, the attacker cannot produce a valid RSA Signature option without the corresponding private key, so the receiver detects the attempt when it checks the signature.
  • Timestamp option: a 64-bit unsigned integer; its upper 48 bits count the seconds since 00:00:00 UTC on January 1, 1970, and its lower 16 bits hold a fractional second. It protects messages that answer no request, namely unsolicited advertisements and Redirect messages, for which no nonce exists. The receiver records the timestamp of the last message accepted from each peer and accepts a new message only if its timestamp has advanced, within the configured delta, fuzz, and drift tolerances.
  • Nonce option: carries a random number chosen by the sender of a solicitation. It binds a response to the request it answers, so a captured advertisement cannot be replayed as the answer to a later solicitation. For example, a sender puts a Nonce option in an NS message and only accepts an NA message that echoes the same nonce.

Pre-configuration Tasks

Before configuring IPv6 SEND, complete the following tasks:

  • Configuring IPv6 ND

Configuration Procedures

Figure 12-3 Flowchart for configuring IPv6 SEND

Configuring a CGA IPv6 Address

To enable IPv6 SEND to protect ND messages with CGA and RSA Signature options, configure a CGA IPv6 address on each interface that sends ND messages.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run rsa key-pair label label-name modulus modulus-bits

    An RSA key pair is created.

  3. Run interface interface-type interface-number

    The view of the interface where a CGA IPv6 address needs to be configured is displayed.

  4. Run ipv6 security rsakey-pair key-label

    The RSA key pair is bound to the interface to generate a CGA address.

  5. Run ipv6 security modifier sec-level sec-value [ modifier-value ]

    The security level (sec value) and modifier value of the CGA address are configured.

    The modifier value can be manually configured only when the security level of the CGA address is 0. At higher security levels the modifier must satisfy a hash condition that grows harder with each level (RFC 3972), so the device computes it.

  6. Run ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } cga

    Or, ipv6 address ipv6-address link-local cga

    A CGA IPv6 address is configured.

  7. Run commit

    The configuration is committed.
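The following Python program shows what the CGA address and the CGA option described above actually contain, by implementing CGA generation and verification as specified in RFC 3972. It is an added example and not code from the NE20E-S2 documentation or from the device. It assumes nothing about the device's implementation: the "public key" is a constructed opaque byte string standing in for the DER-encoded RSA public key that the rsakey-pair binding supplies, and the subnet prefix is the documentation prefix 2001:db8::/64. The modifier search in generate_cga() is the reason a modifier can only be set by hand at sec level 0.

```python
"""CGA generation and verification as specified in RFC 3972 (added example,
not code from the NE20E-S2 documentation). The public key is an opaque byte
string here, standing in for the DER-encoded RSA public key carried in the CGA
option; the hashing is the same whatever the key encoding."""
import hashlib
import ipaddress
import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CGAParams:
    """The CGA Parameters structure that the sender puts in its CGA option."""
    modifier: bytes        # 16 octets, chosen by the search in generate_cga()
    prefix: bytes          # 8 octets, the 64-bit subnet prefix of the address
    collision_count: int   # 0, 1 or 2; incremented after each DAD collision
    public_key: bytes      # DER-encoded public key (constructed bytes here)

    def encode(self) -> bytes:
        return self.modifier + self.prefix + bytes([self.collision_count]) + self.public_key


def hash1(params: CGAParams) -> bytes:
    """Leftmost 64 bits of SHA-1 over the complete CGA Parameters."""
    return hashlib.sha1(params.encode()).digest()[:8]


def hash2_is_valid(modifier: bytes, public_key: bytes, sec: int) -> bool:
    """Hash2 = SHA-1(modifier || 9 zero octets || public key), leftmost 112 bits.
    The CGA is valid at level sec only if its leftmost 16*sec bits are zero, so
    each sec level multiplies the brute-force cost of finding a colliding key by 2^16."""
    h2 = hashlib.sha1(modifier + b"\x00" * 9 + public_key).digest()[:14]
    return int.from_bytes(h2, "big") >> (112 - 16 * sec) == 0


def interface_id(params: CGAParams, sec: int) -> bytes:
    """Hash1 with its three leftmost bits replaced by sec and the u/g bits cleared."""
    iid = bytearray(hash1(params))
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return bytes(iid)


def generate_cga(prefix: bytes, public_key: bytes, sec: int,
                 modifier: Optional[bytes] = None, collision_count: int = 0):
    """Return (address, CGAParams). For sec > 0 the modifier is found by
    incrementing it until Hash2 passes, which is why a modifier can only be
    configured by hand at sec level 0: at higher levels it has to be computed.
    Pass a fixed starting modifier to make the result reproducible."""
    m = int.from_bytes(modifier if modifier is not None else os.urandom(16), "big")
    while not hash2_is_valid(m.to_bytes(16, "big"), public_key, sec):
        m = (m + 1) % (1 << 128)
    params = CGAParams(m.to_bytes(16, "big"), prefix, collision_count, public_key)
    return ipaddress.IPv6Address(prefix + interface_id(params, sec)), params


def verify_cga(address, params: CGAParams) -> bool:
    """Receiver-side verification (RFC 3972 section 5): the address must be bound
    to the public key in the CGA option. A forged source address, a key swapped
    in by an attacker, or a mismatched subnet prefix fails here."""
    packed = ipaddress.IPv6Address(address).packed
    if params.collision_count > 2 or packed[:8] != params.prefix:
        return False
    sec = packed[8] >> 5
    h1 = hash1(params)
    # Bits 0-2 (sec) and 6-7 (u/g) of the first octet are ignored in the comparison.
    if (h1[0] & 0x1C) != (packed[8] & 0x1C) or h1[1:] != packed[9:]:
        return False
    return hash2_is_valid(params.modifier, params.public_key, sec)


# Constructed inputs: the 2001:db8::/64 documentation prefix and two stand-in keys.
PREFIX = ipaddress.IPv6Address("2001:db8::").packed[:8]
PUBLIC_KEY = bytes(range(256)) + b"constructed-owner-key"
ATTACKER_KEY = bytes(reversed(range(256))) + b"constructed-attacker-key"

if __name__ == "__main__":
    addr, params = generate_cga(PREFIX, PUBLIC_KEY, sec=1, modifier=bytes(16))
    print("CGA:", addr, "sec:", addr.packed[8] >> 5, "modifier:", params.modifier.hex())
    print("owner's key verifies:", verify_cga(addr, params))
    forged = CGAParams(params.modifier, params.prefix, params.collision_count, ATTACKER_KEY)
    print("attacker's key with the same address verifies:", verify_cga(addr, forged))
```

The last two lines of the main block are the point of the CGA option: an attacker who copies the owner's address but presents its own public key fails verify_cga(), and an attacker who copies the owner's public key as well still cannot sign, which the RSA Signature option then catches. Note that CGA verification on its own proves only that the sender knows a key whose hash matches the address; it does not say who that key belongs to, which is why SEND relies on it together with the signature and the timestamp and nonce checks.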

Enabling IPv6 SEND

Optionally, you can limit the number of RSA signatures the system computes or verifies per second, restrict the RSA key lengths accepted on an interface, and tune the timestamp tolerances. Once strict mode is enabled on the interface, received ND messages that do not meet these requirements are considered invalid.

Procedure

  1. Run system-view

    The system view is displayed.

  2. (Optional) Run ipv6 nd security rate-limit ratelimit-value

    A limit on the number of RSA signatures the system computes or verifies per second is set. Signature verification is CPU-intensive, so the limit bounds the load an attacker can impose by flooding the device with signed ND messages.

  3. Run interface interface-type interface-number

    The interface view is displayed.

  4. (Optional) Run ipv6 nd security key-length { minimum keylen-value | maximum keylen-value } *

    The range of RSA key lengths accepted on the interface is set. The minimum keeps a peer from using a key that is cheap to factor; the maximum bounds the cost of verifying each signature.

  5. (Optional) Run ipv6 nd security timestamp { fuzz-factor fuzz-value | delta delta-value | drift drift-value } *

    The timestamp parameters are set: delta is the clock difference tolerated for a peer not seen before, fuzz-factor is the slack added when a known peer's new timestamp is compared with its previous one, and drift is the relative clock drift tolerated between the two nodes. Loosening any of them widens the window in which a captured message can be replayed.

  6. Run ipv6 nd security strict

    The strict (fully secured) security mode is enabled on the interface. In this mode, received ND messages that fail the SEND checks are considered invalid.

  7. Run commit

    The configuration is committed.
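To show how the delta, fuzz-factor and drift values configured in step 5 are applied to a received message, the following Python program implements the receiver-side Timestamp check of RFC 3971 section 5.3.4.2 and runs a constructed sequence of RA messages, including a replayed one, through it. It is an added example and not NE20E-S2 code; the peer cache is an in-memory dictionary, the message exchange is constructed, and drift is taken as a percentage (an assumption made to mirror the small integer shown in the display output; RFC 3971 writes it as a fraction, 0.01 by default).

```python
"""Receiver-side SEND Timestamp check (RFC 3971 section 5.3.4.2), parameterised
by the delta, fuzz and drift values that ipv6 nd security timestamp configures.
Added example, not NE20E-S2 code; the peer cache is an in-memory dict and the
drift is taken as a percentage (an assumption; RFC 3971 writes it as a fraction)."""
from typing import Dict, List, Tuple


def encode_timestamp(seconds: float) -> int:
    """Timestamp option value: 48 bits of seconds since 1970-01-01 00:00 UTC in
    the high part, a 16-bit 1/65536-second fraction in the low part."""
    whole = int(seconds)
    return (whole << 16) | int((seconds - whole) * 65536)


def decode_timestamp(value: int) -> float:
    return (value >> 16) + (value & 0xFFFF) / 65536


class TimestampFilter:
    """Accepts or rejects ND messages by their Timestamp option, per source address."""

    def __init__(self, delta: float = 300.0, fuzz: float = 1.0, drift_percent: float = 1.0):
        self.delta = delta                  # clock disagreement tolerated for a new peer (s)
        self.fuzz = fuzz                    # slack added to the new timestamp (s)
        self.drift = drift_percent / 100    # tolerated relative clock drift
        # peer -> (RDlast, TSlast): local receive time and timestamp of the last accepted message
        self.peers: Dict[str, Tuple[float, float]] = {}

    def accept(self, peer: str, ts_value: int, now: float) -> bool:
        ts_new = decode_timestamp(ts_value)
        cached = self.peers.get(peer)
        if cached is None:
            # Unknown peer: all we can check is that the two clocks roughly agree.
            ok = -self.delta < now - ts_new < self.delta
        else:
            rd_last, ts_last = cached
            # Known peer: the timestamp must have advanced at least as much as our
            # own clock did (allowing for drift). A replayed message carries the
            # timestamp frozen at capture time, so it falls behind and is rejected.
            ok = ts_new + self.fuzz > ts_last + (now - rd_last) * (1 - self.drift)
        if ok:
            self.peers[peer] = (now, ts_new)
        return ok


def simulate(messages: List[Tuple[str, float, float]], **tunables) -> List[bool]:
    """Feed (peer, timestamp in seconds, local receive time) triples through one filter."""
    f = TimestampFilter(**tunables)
    return [f.accept(peer, encode_timestamp(ts), rd) for peer, ts, rd in messages]


# Constructed traffic: a router's RA, an attacker replaying that exact RA 200 s
# later, a fresh RA from the router, and a newcomer whose clock is far off.
SAMPLE = [
    ("fe80::1", 1000.0, 1000.5),   # first RA from the router: new peer
    ("fe80::1", 1000.0, 1200.0),   # captured RA replayed: timestamp did not advance
    ("fe80::1", 1200.0, 1200.2),   # genuine new RA
    ("fe80::2", 5000.0, 1300.0),   # new peer whose clock is 3700 s ahead: outside delta
]

if __name__ == "__main__":
    for (peer, ts, rd), ok in zip(SAMPLE, simulate(SAMPLE)):
        print(f"{peer} ts={ts:.1f} received={rd:.1f} -> {'accept' if ok else 'reject'}")
```

With the defaults the replayed RA is rejected and the other three messages are handled as expected. Rerunning simulate(SAMPLE, drift_percent=100) or simulate(SAMPLE, fuzz=300) accepts the replay, which is the practical caveat for step 5: these values trade clock tolerance against replay protection, so they should be kept as tight as the clocks on the link allow. Note also that the first message from a peer not yet in the cache is accepted whenever it falls within delta, so a captured message can still be replayed to a receiver that has never heard from that peer, or has forgotten it; the nonce exchange, not the timestamp, is what protects solicited messages.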

Verifying the Configuration of IPv6 SEND

After configuring IPv6 SEND, verify the configuration.

Procedure

  • Run the display ipv6 security interface interface-type interface-number command to check the IPv6 SEND configurations.

Example

The following output shows the IPv6 SEND configuration of GigabitEthernet0/1/0, including the CGA addresses, the sec value, the modifier, the bound RSA key pair, the accepted key length range, the timestamp parameters, and whether strict (fully secured) mode is enabled.

<HUAWEI> display ipv6 security interface gigabitethernet 0/1/0
 (L) : Link local address
 SEND information for the interface : GigabitEthernet0/1/0
----------------------------------------------------------------------------
 IPv6 address                                   PrefixLength Collision Count
----------------------------------------------------------------------------
 FE80::18A8:19F0:C5A4:7A52 (L)                  10           0
 1::18F5:E2FA:63CF:31DE                         64           0
----------------------------------------------------------------------------
 SEND sec value : 0
 SEND security modifier value : 1::1
 SEND RSA key label bound : huawei
 SEND ND minimum key length value : 1280
 SEND ND maximum key length value : 2000
 SEND ND Timestamp delta value : 100
 SEND ND Timestamp fuzz value : 2
 SEND ND Timestamp drift value : 2
 SEND ND fully secured mode : enabled
Updated: 2019-01-02

Document ID: EDOC1100055376