ME60 V800R010C10SPC500 Configuration Guide - Security Hardening 01

IPv6 SEND

IPv6 Secure Neighbor Discovery (SEND) addresses the security problems that threaten the IPv6 Neighbor Discovery Protocol (NDP).

In the IPv6 protocol suite, ND is essential for determining the reachability of neighbors on the local link. As networks grow, ND faces an increasing number of attacks. To defend ND against these attacks, SEND is defined in the relevant standards as an extension of ND. SEND defines Cryptographically Generated Addresses (CGAs), the CGA option, and the Rivest Shamir Adleman (RSA) Signature option, which together ensure that the sender of an ND message is the owner of the message's source address. SEND also defines the Timestamp and Nonce options to prevent replay attacks.

  • CGA: contains an IPv6 interface identifier that is generated based on a one-way hash of the public key and associated parameters.

  • CGA option: contains information used to verify the sender's CGA, including the public key of the sender. The CGA option is used to check whether the sender of an ND message is the owner of the message's source address.

  • RSA signature option: contains a hash of the sender's public key and a digital signature computed over the ND message with the sender's private key. The RSA signature option is used to check the integrity of ND messages and the authenticity of the sender.

    NOTE:

    To use an address that belongs to an authorized node, the attacker must use the public key of the authorized node for encryption. Otherwise, the receiver can detect the attack after checking the CGA option. Even if the attacker obtains the public key of the authorized node, the receiver can still detect the attack after checking the digital signature, which is generated based on the sender's private key.

  • Timestamp: a 64-bit unsigned integer field containing a timestamp. The value indicates the number of seconds since January 1, 1970, 00:00 UTC. This option prevents unsolicited advertisement packets and Redirect packets from being replayed. The receiver checks that the timestamp of a newly received packet is newer than the last one it accepted from that sender.

  • Nonce: contains a random number chosen by the sender of a solicitation message. The Nonce option prevents replay attacks during a packet exchange. For example, during an NS/NA exchange, if the NS packet carries the Nonce option, the NA packet sent in response must carry the same Nonce option, allowing the NS sender to confirm that the NA answers its own solicitation.
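
The CGA mechanism described above, as an added example that is not part of this guide or of Huawei's implementation: it follows the RFC 3972 construction (a SHA-1 hash over modifier, subnet prefix, collision count and public key forms the interface identifier) and shows the receiver-side check that rejects an address claimed with a different public key. The prefix and the public-key bytes are constructed placeholders.

```python
import hashlib
import os

# Constructed sample inputs (not from the page): a /64 prefix and a stand-in for the
# DER-encoded public key that a real node would carry in its CGA option.
SAMPLE_PREFIX = bytes.fromhex("20010db8000000a0")   # 2001:db8:0:a0::/64
SAMPLE_PUBKEY = b"\x30\x22" + b"\xab" * 32           # constructed placeholder, not a real key

def _hash1(modifier, prefix, coll, pubkey):
    # RFC 3972: SHA-1 over Modifier | Subnet Prefix | Collision Count | Public Key
    return hashlib.sha1(modifier + prefix + bytes([coll]) + pubkey).digest()

def _hash2_ok(modifier, pubkey, sec):
    # Hash2 = SHA-1 over Modifier | 9 zero bytes | Public Key; leftmost 16*sec bits must be zero
    h = hashlib.sha1(modifier + bytes(9) + pubkey).digest()
    return sec == 0 or int.from_bytes(h[:2 * sec], "big") == 0

def cga_generate(prefix, pubkey, sec=0, coll=0, modifier=None):
    """Return (16-byte address, CGA parameters); a higher sec raises the brute-force cost."""
    modifier = modifier if modifier is not None else os.urandom(16)
    while not _hash2_ok(modifier, pubkey, sec):          # search modifiers until Hash2 passes
        modifier = ((int.from_bytes(modifier, "big") + 1) & ((1 << 128) - 1)).to_bytes(16, "big")
    iid = bytearray(_hash1(modifier, prefix, coll, pubkey)[:8])
    iid[0] = (iid[0] & 0x1C) | (sec << 5)                # leftmost 3 bits = sec, u/g bits cleared
    params = {"modifier": modifier, "prefix": prefix, "coll": coll, "pubkey": pubkey}
    return prefix + bytes(iid), params

def cga_verify(address, params):
    """Receiver-side check: does the address really belong to the key in the CGA option?"""
    if params["coll"] > 2 or params["prefix"] != address[:8]:
        return False
    iid = address[8:]
    sec = iid[0] >> 5
    h1 = _hash1(params["modifier"], params["prefix"], params["coll"], params["pubkey"])
    # Compare Hash1 with the interface identifier, ignoring the sec bits and the u/g bits
    if (h1[0] & 0x1C) != (iid[0] & 0x1C) or h1[1:8] != iid[1:]:
        return False
    return _hash2_ok(params["modifier"], params["pubkey"], sec)

def demo():
    addr, params = cga_generate(SAMPLE_PREFIX, SAMPLE_PUBKEY, sec=1)
    # A node that does not hold the original key cannot claim this address:
    forged = dict(params, pubkey=b"\x30\x22" + b"\xcd" * 32)
    return cga_verify(addr, params), cga_verify(addr, forged)

if __name__ == "__main__":
    print(demo())   # (True, False)
```

With sec=1 the modifier search needs about 65536 SHA-1 evaluations; the RSA Signature option (not shown) then binds each ND message to the same key.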

IPv6 SEND is supported by the following interfaces:
  • Ethernet interfaces and sub-interfaces
  • GE interfaces and sub-interfaces
  • Eth-Trunk interfaces and sub-interfaces
  • VE interfaces and sub-interfaces
  • VLANIF interfaces
  • VBDIF interfaces
Updated: 2019-01-04

Document ID: EDOC1100059445
