Chapter 9
| General Security Measures
DHCPv6 Snooping
– 345 –
Identifier, and address (4 message exchanges to get IPv6 address), and
forward to trusted port.
â–
Solicit: Add new entry in binding cache, recording client’s DUID, IA type,
IA ID (2 message exchanges to get IPv6 address with rapid commit
option, otherwise 4 message exchanges), and forward to trusted port.
â–
Decline: If no matching entry is found in binding cache, drop this
packet.
â–
Renew, Rebind, Release, Confirm: If no matching entry is found in
binding cache, drop this packet.
â–
If the DHCPv6 packet is not a recognizable type, it is dropped.
If a DHCPv6 packet from a client passes the filtering criteria above, it will
only be forwarded to trusted ports in the same VLAN.
DHCP Server Packet
â–
If a DHCP server packet is received on an untrusted port, drop this
packet and add a log entry in the system.
â–
If a DHCPv6 Reply packet is received from a server on a trusted port, it
will be processed in the following manner:
A. Check if IPv6 address in IA option is found in binding table:
â–
If yes, continue to C.
â–
If not, continue to B.
B. Check if IPv6 address in IA option is found in binding cache:
â–
If yes, continue to C.
â–
If not, check failed, and forward packet to trusted port.
C. Check status code in IA option:
â–
If successful, and entry is in binding table, update lease time
and forward to original destination.
â–
If successful, and entry is in binding cache, move entry from
binding cache to binding table, update lease time and forward
to original destination.
â–
Otherwise, remove binding entry. and check failed.
â–
If a DHCPv6 Relay packet is received, check the relay message option in
Relay-Forward or Relay-Reply packet, and process client and server
packets as described above.
â—† If DHCPv6 snooping is globally disabled, all dynamic bindings are removed
from the binding table.
To Next Page
Loading...
Need help?
General