ipv6 nd security strict

Function

The ipv6 nd security strict command enables the strict security mode on an interface.

The undo ipv6 nd security strict command restores the default security mode.

By default, the strict security mode is not enabled on an interface.

Format

ipv6 nd security strict

undo ipv6 nd security strict

Parameters

None

Views

100GE sub-interface view, 100GE interface view, 10GE sub-interface view, 10GE interface view, 200GE sub-interface view, 25GE sub-interface view, 25GE interface view, 400GE sub-interface view, 400GE interface view, 40GE sub-interface view, 40GE interface view, 50GE sub-interface view, 50GE interface view, Eth-Trunk sub-interface view, Eth-Trunk interface view, FlexE interface view, GE optical interface view, GE sub-interface view, GE interface view, GE electrical interface view, Global VE sub-interface view, PW-VE sub-interface view, PW-VE interface view, VBDIF interface view, VE sub-interface view, VLANIF interface view, Management interface view

Default Level

2: Configuration level

Task Name and Operations

Task Name    Operations
nd           write

Usage Guidelines

Usage Scenario

If an interface must reject insecure ND messages, run the ipv6 nd security strict command to configure the interface to work in strict security mode. By default, an interface accepts both secure and insecure ND messages.

An interface regards a received ND message as insecure in any of the following cases:

  • The received ND message does not carry a CGA option or an RSA Signature option. That is, the interface that sent the ND message does not have a CGA address.
  • The length of the public key carried in the received ND message is out of the range allowed on the interface.
  • The rate at which ND messages are received exceeds the rate limit of the system.
  • The difference between the receive time and the send time (timestamp) of the ND message is out of the range allowed on the interface.

    NOTE:

    On a link, if device A is configured with strict IPv6 SEND mode and device B is not, device A regards all ND messages sent by device B as insecure and rejects them.
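The four criteria above are the whole classification the page describes, so the following Python script is an added reference implementation of them, not Huawei VRP code. It parses the options of an ICMPv6 Neighbor Solicitation, checks for the CGA and RSA Signature options, reads the RSA modulus size out of the public key in the CGA Parameters, applies a one-second rate window and a timestamp window, and returns the reasons a message is insecure. It does not verify the RSA signature or the CGA hash itself. The key-length range, timestamp delta and rate limit are assumptions (the page does not give the device's values), and the test messages, including the synthetic RSA modulus and placeholder signature, are constructed here for illustration.

```python
"""Classify IPv6 ND messages under the four strict-mode criteria listed above.
Added example, not Huawei VRP code; the three thresholds are assumptions."""
import struct
from collections import deque

OPT_CGA, OPT_RSA_SIG, OPT_TIMESTAMP = 11, 12, 13   # SEND option types, RFC 3971
ASSUMED_KEY_BITS = (1024, 2048)     # assumption: allowed RSA key-length range
ASSUMED_TS_DELTA = 300.0            # assumption: accepted |receive - send| in seconds
ASSUMED_RATE_LIMIT = 5              # assumption: ND messages accepted per second

def der_read(buf, off):
    """Read one DER TLV at buf[off:]; return (tag, value, offset after it)."""
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                   # long form: 0x8N, then N length bytes
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def rsa_modulus_bits(spki):
    """RSA modulus size from the DER SubjectPublicKeyInfo inside the CGA Parameters."""
    _, seq, _ = der_read(spki, 0)
    _, _, off = der_read(seq, 0)                    # skip AlgorithmIdentifier
    _, bits, _ = der_read(seq, off)                 # BIT STRING; byte 0 = unused-bit count
    _, rsa_key, _ = der_read(bits, 1)               # RSAPublicKey SEQUENCE
    _, n, _ = der_read(rsa_key, 0)                  # INTEGER modulus
    return int.from_bytes(n, "big").bit_length()

def nd_options(msg):
    """Yield (type, body) for each option after the 24-byte NS header; lengths are 8-octet units."""
    off = 24
    while off + 2 <= len(msg):
        typ, ln = msg[off], msg[off + 1] * 8
        if ln == 0 or off + ln > len(msg):
            raise ValueError("malformed ND option")
        yield typ, msg[off + 2:off + ln]
        off += ln

class StrictNdFilter:
    def __init__(self, key_bits=ASSUMED_KEY_BITS, ts_delta=ASSUMED_TS_DELTA, rate=ASSUMED_RATE_LIMIT):
        self.key_bits, self.ts_delta, self.rate, self.recent = key_bits, ts_delta, rate, deque()

    def classify(self, msg, recv_time):
        """Return [] if msg is secure, else the list of reasons it is insecure."""
        reasons = []
        self.recent.append(recv_time)               # criterion 3: system-wide rate, 1 s window
        while recv_time - self.recent[0] >= 1.0:
            self.recent.popleft()
        if len(self.recent) > self.rate:
            reasons.append("rate limit exceeded")
        opts = dict(nd_options(msg))
        if OPT_CGA not in opts or OPT_RSA_SIG not in opts:   # criterion 1
            reasons.append("no CGA/RSA Signature option")
        else:                                                # criterion 2
            body = opts[OPT_CGA]                    # pad length, reserved, CGA Parameters, padding
            params = body[2:len(body) - body[0]]    # modifier(16) prefix(8) collision count(1) key
            bits = rsa_modulus_bits(params[25:])
            if not self.key_bits[0] <= bits <= self.key_bits[1]:
                reasons.append(f"key length {bits} bits out of range")
        if OPT_TIMESTAMP in opts:                            # criterion 4
            sent = struct.unpack("!Q", opts[OPT_TIMESTAMP][6:14])[0] / 65536.0   # 48.16 fixed point
            if abs(recv_time - sent) > self.ts_delta:
                reasons.append("timestamp outside accepted window")
        return reasons

# --- constructed test messages: synthetic modulus, placeholder signature ---
def der(tag, payload):
    ln = len(payload)
    if ln < 0x80:
        return bytes([tag, ln]) + payload
    lb = ln.to_bytes((ln.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def der_int(v):                     # minimal positive INTEGER encoding
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def build_spki(n_bits):
    n = (1 << (n_bits - 1)) | 1     # synthetic modulus of the requested size, not a real key
    alg = der(0x30, bytes.fromhex("06092a864886f70d010101") + b"\x05\x00")   # rsaEncryption, NULL
    return der(0x30, alg + der(0x03, b"\x00" + der(0x30, der_int(n) + der_int(65537))))

def nd_option(typ, body):           # generic option: pad to an 8-octet multiple
    pad = (-(len(body) + 2)) % 8
    return bytes([typ, (len(body) + 2 + pad) // 8]) + body + b"\x00" * pad

def cga_option(spki):
    params = b"\x11" * 16 + b"\x20\x01\x0d\xb8" + b"\x00" * 5 + spki   # modifier, 2001:db8::/64, count 0
    pad = (-(len(params) + 4)) % 8
    return bytes([OPT_CGA, (len(params) + 4 + pad) // 8, pad, 0]) + params + b"\x00" * pad

def make_msg(key_bits, send_time, secured=True):
    ts = nd_option(OPT_TIMESTAMP, b"\x00" * 6 + struct.pack("!Q", int(send_time * 65536)))
    sig = nd_option(OPT_RSA_SIG, b"\x00\x00" + b"\xaa" * 16 + b"\xbb" * (key_bits // 8))
    opts = [cga_option(build_spki(key_bits)), sig, ts] if secured else [ts]
    header = struct.pack("!BBHI", 135, 0, 0, 0) + b"\xfe\x80" + b"\x00" * 13 + b"\x01"   # NS, target fe80::1
    return header + b"".join(opts)

def demo():
    """One secure message, then one message for each insecure case in the list above."""
    f, t = StrictNdFilter(), 1_700_000_000.0
    out = {
        "secure": f.classify(make_msg(2048, t), t),
        "no_send_options": f.classify(make_msg(2048, t + 1, secured=False), t + 1),
        "short_key": f.classify(make_msg(512, t + 2), t + 2),
        "stale_timestamp": f.classify(make_msg(2048, t), t + 400),
    }
    burst = t + 1000
    out["rate_limited"] = [f.classify(make_msg(2048, burst), burst + i / 100) for i in range(6)][-1]
    return out

if __name__ == "__main__":
    for case, reasons in demo().items():
        print(f"{case:16} -> {'secure' if not reasons else '; '.join(reasons)}")
```

Running the script prints one line per constructed case; only the first message passes, and the sixth message of the burst fails on the rate criterion alone because its key and timestamp are fine. A message carrying only a Timestamp option, which is what a non-SEND neighbour like device B in the note sends, fails on the first criterion, which is exactly why mixing strict and non-strict devices on one link breaks neighbour discovery.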

Prerequisites

IPv6 has been enabled on the involved interface using the ipv6 enable command.

Configuration Impact

After the strict security mode is enabled on an interface, insecure ND messages are discarded, so the system does not perform Duplicate Address Detection (DAD) against insecure nodes. Conflicting addresses held by such nodes therefore cannot be detected while the mode is enabled. After the strict security mode is disabled, re-trigger DAD so that any such conflicts are detected.

Precautions

If an interface works in strict security mode, configure all addresses of the interface as CGA addresses. Otherwise, the interface may select a common (non-CGA) IPv6 address as the source address of its ND messages; the peer's security check then fails and services are interrupted.

Example

# Enable the strict security mode on GE 0/1/1.
<HUAWEI> system-view
[~HUAWEI] interface GigabitEthernet 0/1/1
[~HUAWEI-GigabitEthernet0/1/1] ipv6 enable
[*HUAWEI-GigabitEthernet0/1/1] ipv6 nd security strict
Copyright © Huawei Technologies Co., Ltd.