dhcpv6 ipsec

Function

The dhcpv6 ipsec command enables IPsec on a DHCPv6 relay agent.

The undo dhcpv6 ipsec command disables IPsec on a DHCPv6 relay agent.

By default, IPsec is disabled on DHCPv6 relay agents.

Format

dhcpv6 ipsec sa sa-name [ peer peer-ipv6-address [ vpn-instance vpn-instance ] ]

undo dhcpv6 ipsec sa sa-name [ peer peer-ipv6-address [ vpn-instance vpn-instance ] ]

undo dhcpv6 ipsec

Parameters

Parameter	Description	Value
peer peer-ipv6-address	Specifies an IPv6 address.	The value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.
vpn-instance vpn-instance	Specifies a VPN instance name.	The value is a string of 1 to 31 case-sensitive characters. It cannot contain spaces. The VPN instance name cannot be _public_. If the character string is quoted by double quotation marks, the character string can contain spaces.
sa sa-name	Specifies an IPsec SA name.	The value is a string of 1 to 15 case-sensitive characters, and cannot contain spaces. The characters can be letters or numbers, and can contain hyphens (-). If the character string is quoted by double quotation marks, the character string can contain spaces.

Parameter

Description

Value

peer peer-ipv6-address

Specifies an IPv6 address.

The value is a 32-digit hexadecimal number, in the format of X:X:X:X:X:X:X:X.

vpn-instance vpn-instance

Specifies a VPN instance name.

The value is a string of 1 to 31 case-sensitive characters. It cannot contain spaces. The VPN instance name cannot be _public_. If the character string is quoted by double quotation marks, the character string can contain spaces.

sa sa-name

Specifies an IPsec SA name.

The value is a string of 1 to 15 case-sensitive characters, and cannot contain spaces. The characters can be letters or numbers, and can contain hyphens (-). If the character string is quoted by double quotation marks, the character string can contain spaces.

Views

System view

Default Level

2: Configuration level

Task Name and Operations

Task Name	Operations
dhcp	write

Usage Guidelines

Usage Scenario

To defend against DoS attacks, run the dhcpv6 ipsec command so that IPsec can be implemented on packets exchanged between DHCPv6 relay agents and between a DHCPv6 relay agent and a server. If packets from a DHCPv6 client must travel through multiple relay agents before they arrive at a server, IPsec must run between each pair of devices that the packets pass through. For example, if client A sends packets to server D through relay agents B and C in sequence, IPsec must run between relay agents B and C and also between relay agent C and server D.

Prerequisites

An IPsec SA has been configured.

Precautions

The DHCPv6 relay agent can use different SAs to authenticate packets exchanged with different peer IPv6 addresses.
If no peer IPv6 address is specified, all DHCPv6 messages sent and received on the DHCPv6 relay agent are authenticated by the same SA.
The dhcpv6 ipsec command with a peer IPv6 address specified takes precedence over the dhcpv6 ipsec command without a peer IPv6 address specified.

Example

# Enable IPsec on a DHCPv6 relay agent.

<HUAWEI> system-view
[~HUAWEI] ipsec sa sa1
[*HUAWEI-ipsec-sa-sa1] quit
[*HUAWEI] dhcpv6 ipsec sa sa1 peer 2001:db8::1