Applying IPsec

After configuring IPsec, you can configure protocols to use it for protocol packet authentication.

Context

To defend against network attacks, configure IPsec so that it is applied to the protocol packets exchanged between routers. Table 1 describes IPsec applications.

Table 1 IPsec applications

| Protocol | Usage scenario | Reference |
| --- | --- | --- |
| DHCPv6 Relay | If an attacker pretends to be a DHCPv6 server and sends bogus DHCPv6 messages to a client, the client may suffer from DoS attacks or be incorrectly configured. To defend against DoS attacks, implement IPsec on packets exchanged between DHCPv6 relay agents or between a DHCPv6 relay agent and a DHCPv6 server. | Configuring IPsec on a DHCPv6 Relay Agent |
| RIPng | If IPsec authentication is configured on a RIPng network, sent and received RIPng packets are authenticated, and packets that fail authentication are discarded. This improves the security of the RIPng network. | Configuring IPsec Authentication for RIPng |
| OSPFv3 | OSPFv3 IPsec uses a set of IPsec mechanisms to authenticate sent and received OSPFv3 packets, protecting devices against invalid OSPFv3 packets. | Configuring OSPFv3 IPsec |
| IGMP | On a multicast network, forged IGMP messages may be used to attack devices, leaving them unable to forward multicast traffic. To protect a device against attacks launched using forged IGMP messages, use this feature to authenticate sent and received IGMP messages based on a specified SA. | Configuring IGMP IPsec |
| MLD | On a multicast network, forged MLD messages may be used to attack devices, leaving them unable to forward multicast traffic. To protect a device against attacks launched using forged MLD messages, use this feature to authenticate sent and received MLD messages based on a specified SA. | Configuring MLD IPsec |
| IPv4 PIM | On a multicast network, forged IPv4 PIM messages may be used to attack devices, leaving them unable to forward multicast traffic. To protect a device against attacks launched using forged IPv4 PIM messages, use this feature to authenticate sent and received IPv4 PIM messages based on a specified SA. | Configuring IPv4 PIM IPsec |
| IPv6 PIM | On a multicast network, forged IPv6 PIM messages may be used to attack devices, leaving them unable to forward multicast traffic. To protect a device against attacks launched using forged IPv6 PIM messages, use this feature to authenticate sent and received IPv6 PIM messages based on a specified SA. | Configuring IPv6 PIM IPsec |

Copyright © Huawei Technologies Co., Ltd.