Chapter 9
| General Security Measures
DHCPv6 Snooping
– 345 –
Identifier, and address (4 message exchanges to get IPv6 address), and
forward to trusted port.
■
Solicit: Add a new entry in the binding cache, recording the client's DUID, IA type
and IA ID (2 message exchanges to get an IPv6 address with the rapid commit
option, otherwise 4 message exchanges), and forward to trusted port.
■
Decline: If no matching entry is found in the binding cache, drop this
packet.
■
Renew, Rebind, Release, Confirm: If no matching entry is found in the
binding cache, drop this packet.
■
If the DHCPv6 packet is not a recognizable type, it is dropped.
If a DHCPv6 packet from a client passes the filtering criteria above, it is
forwarded only to trusted ports in the same VLAN.
DHCPv6 Server Packet
■
If a DHCPv6 server packet is received on an untrusted port, drop the
packet and record a log entry in the system.
■
If a DHCPv6 Reply packet is received from a server on a trusted port, it
will be processed in the following manner:
A. Check if IPv6 address in IA option is found in binding table:
■
If yes, continue to C.
■
If not, continue to B.
B. Check if IPv6 address in IA option is found in binding cache:
■
If yes, continue to C.
■
If not, the check has failed; forward the packet to trusted ports only.
C. Check status code in IA option:
■
If successful, and the entry is in the binding table, update the lease time
and forward to the original destination.
■
If successful, and the entry is in the binding cache, move the entry from
the binding cache to the binding table, update the lease time and forward
to the original destination.
■
Otherwise, the check has failed; remove the binding entry.
■
If a DHCPv6 Relay-Forward or Relay-Reply packet is received, extract the
encapsulated message from its Relay Message option and process it as a
client or server packet as described above.
◆ If DHCPv6 snooping is globally disabled, all dynamic bindings are removed
from the binding table.
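The client-packet rules, the server Reply checks A to C, the relay unwrapping and the global-disable behaviour above describe one state machine over two stores, the binding cache (pending) and the binding table (committed). The following Python model is an added example written for this page; it is not the switch vendor's code. It assumes messages are plain dicts with this example's own field names (msg_type, duid, ia_type, iaid, addr, status, lease, relay_msg) rather than wire-format DHCPv6, matches entries on the recorded client identifiers (DUID, IA type, IA ID), treats "check failed" for a server Reply as forwarding to trusted ports only (as step B states), lets Advertise through on a trusted port without binding checks, and, because step C moves a committed lease into the binding table, checks Renew/Rebind/Release/Confirm/Decline against both stores rather than the cache alone. Ports are integers and forwarding decisions are returned as strings so the logic can be tested offline; the exchange in run_exchange is constructed, not captured traffic.

```python
"""DHCPv6 snooping decision model (added example, not the vendor's implementation)."""
from dataclasses import dataclass, field
from typing import Optional

# DHCPv6 message type codes (RFC 8415, section 7.3)
SOLICIT, ADVERTISE, REQUEST, CONFIRM, RENEW, REBIND = 1, 2, 3, 4, 5, 6
REPLY, RELEASE, DECLINE, RELAY_FORW, RELAY_REPL = 7, 8, 9, 12, 13
STATUS_SUCCESS = 0

NEW_LEASE = {SOLICIT, REQUEST}                                # create/refresh a cache entry
EXISTING_LEASE = {DECLINE, CONFIRM, RENEW, REBIND, RELEASE}   # require a known binding
SERVER_TYPES = {ADVERTISE, REPLY}

# Forwarding decisions handed back to the caller
DROP, TO_TRUSTED, TO_DEST = "drop", "forward-trusted-ports", "forward-to-destination"

# Constructed sample client identity used by run_exchange (not a real DUID)
CLIENT_DUID = b"\x00\x01\x00\x01\x2a\x3b\x4c\x5d\x00\x11\x22\x33\x44\x55"


@dataclass
class Binding:
    duid: bytes
    ia_type: str            # "IA_NA" or "IA_TA"
    iaid: int
    addr: Optional[str] = None
    lease: int = 0


@dataclass
class DHCPv6Snooper:
    trusted_ports: set = field(default_factory=set)
    enabled: bool = True
    cache: dict = field(default_factory=dict)   # pending bindings (no successful Reply yet)
    table: dict = field(default_factory=dict)   # committed bindings
    log: list = field(default_factory=list)

    @staticmethod
    def _key(msg):
        # Assumption: entries are matched on the client identifiers the page says are recorded
        return (msg["duid"], msg["ia_type"], msg["iaid"])

    def set_enabled(self, on: bool) -> None:
        """Globally disabling snooping removes all dynamic bindings."""
        self.enabled = on
        if not on:
            self.table.clear()
            self.cache.clear()   # assumption: pending entries are flushed as well

    def process(self, msg: dict, in_port: int) -> str:
        if not self.enabled:
            return TO_DEST
        t = msg["msg_type"]
        if t in (RELAY_FORW, RELAY_REPL):
            # Inspect the message encapsulated in the Relay Message option
            return self.process(msg["relay_msg"], in_port)
        if t in NEW_LEASE or t in EXISTING_LEASE:
            return self._client(msg, t)
        if t in SERVER_TYPES:
            return self._server(msg, t, in_port)
        return DROP   # unrecognised message type

    def _client(self, msg: dict, t: int) -> str:
        key = self._key(msg)
        if t in NEW_LEASE:
            b = self.cache.get(key) or Binding(*key)
            if msg.get("addr"):          # Request carries the address offered in Advertise
                b.addr = msg["addr"]
            self.cache[key] = b
            return TO_TRUSTED
        # Decline/Confirm/Renew/Rebind/Release: only clients the switch already knows
        return TO_TRUSTED if key in self.cache or key in self.table else DROP

    def _server(self, msg: dict, t: int, in_port: int) -> str:
        if in_port not in self.trusted_ports:
            self.log.append(f"DHCPv6 server packet type {t} dropped on untrusted port {in_port}")
            return DROP
        if t != REPLY:
            return TO_DEST   # assumption: Advertise is not checked against the bindings
        key = self._key(msg)
        # Steps A/B: look in the binding table first, then in the binding cache
        store = self.table if key in self.table else (self.cache if key in self.cache else None)
        if store is None:
            return TO_TRUSTED   # check failed: no binding, trusted ports only
        # Step C: status code decides whether the binding is committed or torn down
        if msg.get("status", STATUS_SUCCESS) != STATUS_SUCCESS:
            del store[key]
            return TO_TRUSTED   # check failed
        b = store.pop(key)
        b.addr, b.lease = msg.get("addr", b.addr), msg["lease"]
        self.table[key] = b      # cache entry promoted, or table entry refreshed
        return TO_DEST


def run_exchange():
    """Constructed 4-message exchange plus abuse cases; returns (snooper, decisions)."""
    sn = DHCPv6Snooper(trusted_ports={24})
    client = {"duid": CLIENT_DUID, "ia_type": "IA_NA", "iaid": 1}
    addr = "2001:db8::10"
    steps = [
        ({"msg_type": SOLICIT, **client}, 3),
        ({"msg_type": ADVERTISE, **client, "addr": addr}, 24),
        ({"msg_type": REQUEST, **client, "addr": addr}, 3),
        ({"msg_type": REPLY, **client, "addr": addr, "status": 0, "lease": 3600}, 24),
        ({"msg_type": RENEW, **client, "addr": addr}, 3),
        ({"msg_type": REPLY, **client, "addr": addr, "status": 0, "lease": 7200}, 24),
        # Rogue server answering from an untrusted port: dropped and logged
        ({"msg_type": REPLY, **client, "addr": "2001:db8::bad", "status": 0, "lease": 1}, 7),
        # Renew from a client the switch has never seen: dropped
        ({"msg_type": RENEW, "duid": b"\x00\x03\x00\x01\xde\xad\xbe\xef", "ia_type": "IA_NA", "iaid": 9}, 3),
        # Relay-Forward carrying a Solicit is inspected like the inner client message
        ({"msg_type": RELAY_FORW, "relay_msg": {"msg_type": SOLICIT, **client, "iaid": 2}}, 3),
    ]
    return sn, [sn.process(m, p) for m, p in steps]
```

Running run_exchange shows the two outcomes a practitioner cares about: a Reply arriving on an untrusted port is the only event that produces a log entry, and a Renew from an unknown DUID is silently dropped while the legitimate client's lease in the binding table is refreshed to the latest lease time.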