234
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enter interface view.
interface
interface-type
interface-number
N/A
3. Enable stateless address
autoconfiguration on an
interface, so that the
interface can automatically
generate a global unicast
address.
ipv6 address auto
By default, the stateless address
autoconfiguration feature is disabled
on an interface.
Using the
undo ipv6 address auto
command on an interface deletes all
IPv6 global unicast addresses and
link-local addresses that are
automatically generated on the
interface.
After this configuration is completed, the interface automatically generates an IPv6 global unicast
address by using the address prefix in the received RA message and the interface ID. On an IEEE
802 interface (such as an Ethernet interface or a VLAN interface), the interface ID is generated
based on the interface's MAC address and is globally unique. An attacker can exploit this rule to
identify the sending device easily.
To fix the vulnerability, you can configure the temporary address feature. With this feature, an IEEE
802 interface generates the following addresses:
• Public IPv6 address—Includes the address prefix in the RA message and a fixed interface ID
generated based on the MAC address of the interface.
• Temporary IPv6 address—Includes the address prefix in the RA message and a random
interface ID generated through MD5.
You can also configure the interface to preferentially use the temporary IPv6 address as the source
address of sent packets. When the valid lifetime of the temporary IPv6 address expires, the interface
deletes the address and generates a new one. This feature enables the system to send packets with
different source addresses through the same interface. If the temporary IPv6 address cannot be
used because of a DAD conflict, the public IPv6 address is used.
The preferred lifetime and valid lifetime for a temporary IPv6 address are determined as follows:
• The preferred lifetime of a temporary IPv6 address takes the smaller of the following values:
{ The preferred lifetime of the address prefix in the RA message.
{ The preferred lifetime configured for temporary IPv6 addresses minus DESYNC_FACTOR
(a random number in the range of 0 to 600 seconds).
• The valid lifetime of a temporary IPv6 address takes the smaller of the following values:
{ The valid lifetime of the address prefix.
{ The valid lifetime configured for temporary IPv6 addresses.
To configure the temporary address feature:
Step Command Remarks
1. Enter system view.
system-view
N/A
2. Enable the temporary IPv6
address feature.
ipv6 temporary-address
[ valid-lifetime preferred-lifetime ]
By default, the temporary IPv6
address feature is disabled.
3. Enable the system to
preferentially use the
temporary IPv6 address as
the source address of the
packet.
ipv6 prefer temporary-address
By default, the system does
not preferentially use the
temporary IPv6 address as the
source address of the packet.
To Next Page
Loading...
Need help?
General
