Configuration Guide 649
Configuring IPv6 IMPB IPv6 IMPB
1
IPv6 IMPB
1.1 Overview
IPv6 IMPB (IP-MAC-Port Binding) is used to bind the IPv6 address, MAC address, VLAN
ID and the connected port number of the specified host. Basing on the binding table, the
switch can prevent ND attacks with the ND Detection feature and filter the packets that
don’t match the binding entries with the IPv6 Source Guard feature.
1.2 Supported Features
IPv6-MAC Binding
This feature is used to add binding entries. The binding entries can be manually configured,
or learned by ND Snooping or DHCPv6 snooping. The features ND Detection and IPv6
Source Guard are based on the IPv6-MAC Binding entries.
ND Detection
Because of the absence of security mechanism, IPv6 ND (Neighbor Discovery) protocol is
easy to be exploited by attackers. ND detection feature uses the entries in the IPv6-MAC
binding table to filter the forged ND packets and prevent the ND attacks.
The application topology of ND Detection is as the following figure shows. The port that is
connected to the gateway should be configured as trusted port, and other ports should be
configured as untrusted ports. The forwarding principles of ND packets are as follows:
All ND packets received on the trusted port will be forwarded without checked.
RS (Router Solicitation) and NS (Neighbor Solicitation) packets with their source IPv6
addresses unspecified, such as the RS packet for IPv6 address request and the NS
packet for duplicate address detection, will not be checked on both kinds of ports.
RA (Router Advertisement) and RR (Router Redirect) packets received on the untrusted
port will be discarded directly, and other ND packets will be checked: The switch will
use the IPv6-MAC binding table to compare the IPv6 address, MAC address, VLAN ID
and receiving port between the entry and the ND packet. If a match is found, the ND
packet is considered legal and will be forwarded; if no match is found, the ND packet is
considered illegal and will be discarded.
To Next Page
Loading...
