automatically form IPv6 addresses from network prefixes contained in Router
Advertisements (RAs). RAs are received directly by the nShield Connect Operating
System and automatically forms IPv6 addresses by combining the network prefixes
contained in the RA with the MAC address of the receiving Ethernet interface. As they
are created by the Operating System, SLAAC IPv6 addresses are not subject to the same
validation rules as addresses entered via the nShield Connect front panel. If SLAAC is to
be used to configure nShield Connect IPv6 addresses in preference to statically entered
addresses then network planners must take care to ensure that prefixes advertised to the
nShield Connect are of a suitable type, see Acceptable IPv6 Address by Use Case.
9.2.1.1.3. IPv6 Compliance
A new sub-menu (1-1-1-9 - Set IPv6 compliance) has been added to the nShield Connect
front panel menu to permit the User to select an IPv6 compliance mode for an nShield
Connect. Compliance with USGv6 or IPv6 ready can be selected.
Both these modes change the settings for the nShield Connect firewall so that it will
pass-through packets which are discarded in the normal Default* mode. This behaviour is
required for compliance testing but is not recommended for normal use since allowing
packets with invalid fields or parameters through the firewall increases the attack
surface. When either USGv6 or IPv6 ready are selected, a confirmation message is
displayed to reduce the likelihood that they are enabled by accident.
It is recommended that the IPv6 compliance mode is set to Default for all normal
operations.
9.2.1.1.4. Acceptable IPv6 Address by Use Case
The types of IPv6 which are acceptable as a static address are given in the table below
For examples of valid IPv6 addresses, see Valid IPv6 Addresses.
Use Case Acceptable Address Type
Static IPv6 Address
Entry
•
Global Unicast
•
Local Unicast
IPv6 Default
Gateway
•
Global Unicast
•
Local Unicast
•
Link-local
nShield® Connect Installation Guide 29 of 73
To Next Page
Loading...
Need help?
General