Applications of DHCPv6 Snooping

DHCPv6 can dynamically allocate IPv6 addresses to DHCPv6 clients. However, this process has security risks, such as spoofing attacks. DHCPv6 snooping can be deployed to ensure that clients can obtain IPv6 addresses from a legitimate server. Figure 1 shows DHCPv6 snooping deployed on a Layer 3 network. When DHCPv6 snooping is deployed on a Layer 3 network, the DHCPv6 relay function must be enabled.

Figure 1 Network diagram of DHCPv6 snooping on a Layer 3 network

As shown in Figure 1, DHCPv6 snooping can only work on a Layer 3 device. The following operations can be performed on the DHCPv6 relay agent to prevent various types of DHCPv6 attacks:

• Configure a static binding table to ensure that users configured with static IPv6 addresses can properly access the network.
• Configure IPv6 packet check to defend against IPv6/MAC spoofing attacks.
• Configure association between ND probe and DHCPv6 snooping to release the IPv6 addresses occupied by offline users.