PLANET XGS3-24040 User Manual, page 240

Chapter 32 DHCPv6 Snooping Configuration
32.1 Introduction to DHCPv6 Snooping
DHCPv6 Snooping monitors the packet exchange between DHCPv6 clients and the DHCPv6 server in order to build a binding table of users, and then enforces various security policies based on that binding table.
DHCPv6 Snooping provides the following functions:
32.1.1 Defense against Fake DHCPv6 Server
With DHCPv6 Snooping, the port that connects to the DHCPv6 server can be configured as a trusted port; all other ports are untrusted by default. This prevents users from setting up their own unauthorized DHCPv6 servers on the network. DHCPv6 Snooping does not forward DHCPv6 response packets received on untrusted ports, and it applies a security policy based on the source MAC address of such response packets. For example, that MAC address can be set as a blackhole MAC for a period of time, or the port can be shut down directly for a period of time.
32.1.2 Defense against Fake IPv6 Address
DHCPv6 Snooping can install access control list entries on a port based on the port's bindings. By default the port denies all IPv6 traffic; it only forwards IPv6 packets whose source IPv6 address and source MAC address are bound to that port. In this way it effectively prevents a malicious user from forging an IPv6 address, or privately assigning one, in order to access the network.
32.1.3 Defense against DHCPv6 Address Exhaustion Attacks
DHCPv6 Snooping can limit the number of bindings on a port. Once a port's binding count exceeds the threshold, subsequent DHCPv6 request packets on that port are dropped instead of forwarded. In this way it effectively prevents DHCPv6 address exhaustion attacks.
32.1.4 Defense against ND Cheat
An IPv6 address obtained through DHCPv6 is more trustworthy in an IPv6 network, so DHCPv6 Snooping can convert its binding entries into static ND entries, effectively preventing ND cheat (ND spoofing) attacks against the gateway device. The ND binding function of DHCPv6 Snooping must be enabled on the layer 3 gateway device.
32.1.5 Handling Port Move Requirements
By capturing DHCPv6 packets on its ports, DHCPv6 Snooping determines which port a DHCPv6 user is connected to. After a DHCPv6 Snooping binding has been created, if DHCPv6 Snooping receives CONFIRM/REQUEST packets from that DHCPv6 client, and the corresponding response packets, on a different port, it uses DAD NS/NA to check whether the binding on the original port is still in use. If it is still in use (that is, a DAD NA response is received), no new binding is created on the new port; otherwise (no DAD NA response is received within the configured time), a binding is created on the new port and the binding on the original port is deleted.
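The following Python model is an added example, not PLANET firmware code and not the switch's CLI; it ties together the behaviour described in 32.1.1, 32.1.2, 32.1.3 and 32.1.5 as a single snooping state machine so the interaction of the policies can be traced. Port names (gi1, gi2, gi5, gi24), MAC and IPv6 values are constructed; the DAD NS/NA probe is simulated by a lookup table of hosts that still answer; and, for simplicity, the client is identified by its MAC address rather than its DHCPv6 DUID.

```python
"""Model of DHCPv6 Snooping policies (added example, not PLANET code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple

# DHCPv6 message type codes (RFC 8415).
SOLICIT, ADVERTISE, REQUEST, CONFIRM, REPLY = 1, 2, 3, 4, 7
SERVER_MSGS = {ADVERTISE, REPLY}


@dataclass
class Packet:
    port: str
    src_mac: str
    src_ip: str
    dhcp_type: Optional[int] = None  # None means ordinary IPv6 data traffic
    client_mac: str = ""             # REPLY only: client the lease is for (assumption: MAC as id)
    assigned_ip: str = ""            # REPLY only: address being assigned


@dataclass
class Snooper:
    trusted_ports: Set[str]
    max_bindings_per_port: int
    dad_probe: Callable[[str, str], bool]  # (port, ip) -> True if a DAD NA comes back
    bindings: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # mac -> (ip, port)
    blackholed_macs: Set[str] = field(default_factory=set)
    pending_port: Dict[str, str] = field(default_factory=dict)  # client mac -> port it asked from

    def port_binding_count(self, port: str) -> int:
        return sum(1 for _ip, p in self.bindings.values() if p == port)

    def handle(self, pkt: Packet) -> str:
        if pkt.src_mac in self.blackholed_macs:       # 32.1.1: punished rogue server
            return "drop: blackhole MAC"
        if pkt.dhcp_type is None:
            return self._handle_data(pkt)
        if pkt.dhcp_type in SERVER_MSGS:
            return self._handle_server(pkt)
        return self._handle_client(pkt)

    def _handle_data(self, pkt: Packet) -> str:
        # 32.1.2: forward only IPv6 whose (ip, mac) pair is bound to this port.
        if self.bindings.get(pkt.src_mac) == (pkt.src_ip, pkt.port):
            return "forward"
        return "drop: no binding"

    def _handle_server(self, pkt: Packet) -> str:
        # 32.1.1: server messages are only accepted from trusted ports.
        if pkt.port not in self.trusted_ports:
            self.blackholed_macs.add(pkt.src_mac)
            return "drop: rogue server, MAC blackholed"
        if pkt.dhcp_type == REPLY and pkt.assigned_ip:
            port = self.pending_port.get(pkt.client_mac)
            if port is None:
                return "forward: no pending request"
            self.bindings[pkt.client_mac] = (pkt.assigned_ip, port)  # binding learned
        return "forward"

    def _handle_client(self, pkt: Packet) -> str:
        existing = self.bindings.get(pkt.src_mac)
        already_here = existing is not None and existing[1] == pkt.port
        # 32.1.3: drop further requests once the port has reached its binding limit.
        if not already_here and self.port_binding_count(pkt.port) >= self.max_bindings_per_port:
            return "drop: binding limit reached"
        # 32.1.5: REQUEST/CONFIRM from another port -> DAD-check the original port first.
        if existing is not None and not already_here and pkt.dhcp_type in (REQUEST, CONFIRM):
            ip, old_port = existing
            if self.dad_probe(old_port, ip):
                return "drop: original port still answers DAD"
            self.bindings[pkt.src_mac] = (ip, pkt.port)  # move binding, old one is gone
        self.pending_port[pkt.src_mac] = pkt.port
        return "forward"


def demo():
    """Constructed scenario exercising each policy; returns (action log, snooper)."""
    alive = {("gi1", "2001:db8::10")}  # constructed: (port, ip) pairs that answer DAD NA
    sn = Snooper(trusted_ports={"gi24"}, max_bindings_per_port=1,
                 dad_probe=lambda port, ip: (port, ip) in alive)
    log = []
    # Legitimate client on gi1; server on trusted gi24 replies -> binding created.
    log.append(sn.handle(Packet("gi1", "aa:1", "fe80::1", SOLICIT)))
    log.append(sn.handle(Packet("gi24", "ss:1", "fe80::24", REPLY,
                                client_mac="aa:1", assigned_ip="2001:db8::10")))
    # Data traffic: bound address passes, forged address is dropped.
    log.append(sn.handle(Packet("gi1", "aa:1", "2001:db8::10")))
    log.append(sn.handle(Packet("gi1", "aa:1", "2001:db8::99")))
    # Rogue server on untrusted gi2: reply dropped, MAC blackholed from then on.
    log.append(sn.handle(Packet("gi2", "bb:2", "fe80::2", ADVERTISE)))
    log.append(sn.handle(Packet("gi2", "bb:2", "fe80::2")))
    # Exhaustion: a second client on gi1 exceeds the per-port limit of 1.
    log.append(sn.handle(Packet("gi1", "cc:3", "fe80::3", SOLICIT)))
    # Port move: aa:1 appears on gi5 while gi1 still answers DAD, then after it goes silent.
    log.append(sn.handle(Packet("gi5", "aa:1", "fe80::1", REQUEST)))
    alive.clear()
    log.append(sn.handle(Packet("gi5", "aa:1", "fe80::1", REQUEST)))
    log.append(sn.handle(Packet("gi5", "aa:1", "2001:db8::10")))
    log.append(sn.handle(Packet("gi1", "aa:1", "2001:db8::10")))
    return log, sn


if __name__ == "__main__":
    for step, action in enumerate(demo()[0], 1):
        print(step, action)
```

The order of checks in `_handle_client` matters: the binding limit is evaluated before the port-move logic, so a client cannot migrate onto a port that is already full, and the original binding is only deleted after the DAD probe on the old port has gone unanswered.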