Configuring an ipv6 link-local address – H3C Technologies H3C SecPath F1000-E User Manual
Page 713
688
Step Command
Remarks
2.
Enter interface view.
interface interface-type
interface-number
N/A
3.
Configure an IPv6 address to
be generated through
stateless address
autoconfiguration.
ipv6 address auto
By default, no IPv6 global unicast
address is configured on an interface.
With stateless address autoconfiguration enabled on an interface, the device automatically generates an
IPv6 global unicast address by using the address prefix information in the received RA message and the
interface ID. On an IEEE 802 interface (such as an Ethernet interface), the interface ID is generated
based on the MAC address of the interface, and is globally unique. As a result, the interface ID portion
of the IPv6 global address remains unchanged and thus exposes the sender. An attacker can further
exploit communication details such as the communication peer and time.
To fix the vulnerability, configure the temporary address function that enables the system to generate and
use temporary IPv6 addresses with different interface ID portions on an interface. With this function
configured on an IEEE 802 interface, the system can generate the following addresses:
•
Public IPv6 address—Comprises an address prefix provided by the RA message, and a fixed
interface ID generated based on the MAC address of the interface.
•
Temporary IPv6 address—Comprises an address prefix provided by the RA message, and a
random interface ID generated through MD5.
Before sending a packet, the system preferably uses the temporary IPv6 address of the sending interface
as the source address of the packet to be sent. When this temporary IPv6 address expires, the system
removes it and generates a new one. This enables the system to send packets with different source
addresses through the same interface. If the temporary IPv6 address cannot be used because of a DAD
conflict, the public IPv6 address is used.
The preferred lifetime and valid lifetime for temporary IPv6 addresses are specified as follows:
•
The preferred lifetime of a temporary IPv6 address takes the value of the smaller of the following
values: the preferred lifetime of the address prefix in the RA message or the preferred lifetime
configured for temporary IPv6 addresses minus DESYNC_FACTOR (which is a random number
ranging 0 to 600, in seconds).
•
The valid lifetime of a temporary IPv6 address takes the value of the smaller of the following values:
the valid lifetime of the address prefix or the valid lifetime configured for temporary IPv6 addresses.
CAUTION:
•
You must also enable stateless address autoconfiguration on an interface if you need temporary IPv6
addresses to be generated on that interface. Temporary IPv6 addresses do not override public IPv6
addresses. Therefore, an interface may have multiple IPv6 addresses with the same address prefix but
different interface ID portions.
•
If the public IPv6 address fails to be generated on an interface because of a prefix conflict or other
reasons, no temporary IPv6 address will be generated on the interface.
Configuring an IPv6 link-local address
IPv6 link-local addresses can be configured in either of the following ways: