Overview of DHCPv6 Snooping

Definition

DHCPv6 snooping is a DHCPv6 security feature that intercepts DHCPv6 packets exchanged between a DHCPv6 server and DHCPv6 clients, and uses them to establish and maintain a DHCPv6 snooping binding table that records information about the clients. The binding table contains user information such as the MAC address, IPv6 address, lease, VLAN ID, and interface information. Based on this table, the device analyzes and processes packets and filters out attack packets, providing security services for DHCPv6.

Purpose

DHCPv6, which is widely used on networks, provides a convenient and efficient host configuration mechanism. However, certain threats exist during DHCPv6 packet forwarding. For example:

IPv6/MAC spoofing attack: An attacker may forge the IPv6 address and MAC address of an authorized user to communicate with the server. As a result, the involved DHCPv6 client fails to obtain services.

DHCPv6 snooping can prevent this type of attack using the attack defense policy described in Table 1 to ensure DHCPv6 security.

Table 1 DHCPv6 snooping attack defense policy

| Attack Defense Type | Function | Object Protected |
|---|---|---|
| IPv6/MAC spoofing attack defense | Configure IPv6 packet check. If no DHCPv6 snooping binding entry is found based on the source IPv6 address, prefix, VLAN ID, and VPN information in an IPv6 packet, the IPv6 packet is simply discarded. If a DHCPv6 snooping binding entry is found based on the source IPv6 address, prefix, VLAN ID, and VPN information in the IPv6 packet but the source MAC address and interface information in this entry do not match those in the IPv6 packet, this packet is also discarded. | This policy effectively protects the communication network against attacks launched through forged packets. |
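
The two-stage IPv6 packet check from Table 1, modeled in Python as an added example (it is not Huawei's implementation or configuration). The class and function names, the port names, the sample entries, and the rule that an entry past its lease counts as absent are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Binding:                       # one snooping binding entry (hypothetical model)
    network: ipaddress.IPv6Network   # /128 for an address, shorter for a prefix
    vlan: int
    vpn: str
    mac: str
    interface: str
    lease_expiry: float              # epoch seconds

@dataclass(frozen=True)
class Packet:                        # fields the check reads from an IPv6 packet
    src_ip: str
    src_mac: str
    vlan: int
    vpn: str
    interface: str

def check_packet(table, pkt, now):
    """Return (verdict, reason) for one IPv6 packet."""
    src = ipaddress.IPv6Address(pkt.src_ip)
    # Stage 1: look up entries by source address/prefix, VLAN ID and VPN.
    # Assumption: an entry whose lease has run out is treated as absent.
    found = [b for b in table
             if src in b.network and b.vlan == pkt.vlan
             and b.vpn == pkt.vpn and b.lease_expiry > now]
    if not found:
        return ("discard", "no binding entry")
    # Stage 2: source MAC and ingress interface must match the entry.
    for b in found:
        if b.mac.lower() == pkt.src_mac.lower() and b.interface == pkt.interface:
            return ("forward", "binding matched")
    return ("discard", "MAC/interface mismatch")

# Constructed sample table: one leased address and one delegated prefix.
SAMPLE_TABLE = [
    Binding(ipaddress.IPv6Network("2001:db8:10::5/128"), 10, "default",
            "00:11:22:33:44:55", "port1", 2000.0),
    Binding(ipaddress.IPv6Network("2001:db8:20::/56"), 20, "default",
            "00:aa:bb:cc:dd:ee", "port2", 2000.0),
]

if __name__ == "__main__":
    spoofed = Packet("2001:db8:10::5", "de:ad:be:ef:00:01", 10, "default", "port1")
    print(check_packet(SAMPLE_TABLE, spoofed, now=1000.0))
```

The reason string separates the two discard cases, which is useful when counting drops to tell unknown sources apart from forged MAC or port information.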

Benefits

DHCPv6 snooping offers the following benefits:

  • Defends against IPv6 attacks on the network to enhance device reliability and ensure the normal running of the communication network.
  • Provides more secure networks and more stable network services for users.
Copyright © Huawei Technologies Co., Ltd.