Lab: Configuring IPv6 Secure Neighbor Discovery (SEND)


This example describes how to configure IPv6 Secure Neighbor Discovery (SEND).

Networking Requirements

As shown in Figure 1, RouterA is configured with IPv6 SEND and RouterB is assumed to be an attacker. When RouterB sends packets to RouterA, RouterA treats them as invalid and discards them.

Figure 1 Network diagram for configuring IPv6 SEND

Precautions

Configuration Roadmap

The configuration roadmap is as follows:

  1. On RouterA, configure a CGA (Cryptographically Generated Address) type IPv6 address and an ordinary IPv6 address.
  2. On RouterA, enable the strict security mode on the interface.
  3. On RouterB, configure IPv6 addresses on the interface.

Data Preparation

To complete the configuration, you need the following data:

  1. Label (name) of the RSA key pair
  2. Modifier and security level (sec-level) of the CGA address
  3. CGA type IPv6 address
  4. IPv6 address of RouterB

Procedure
  1. Configure a CGA type IPv6 address on RouterA

<HUAWEIA> system-view
[HUAWEIA] sysname RouterA
[RouterA] ipv6
[RouterA] rsa key-pair label huawei
 NOTES: If the key modulus is greater than 512, It may take few minutes. Please wait
 Key Successfully Created
[RouterA] interface gigabitethernet 1/0/0
[RouterA-GigabitEthernet1/0/0] undo shutdown
[RouterA-GigabitEthernet1/0/0] ipv6 enable
[RouterA-GigabitEthernet1/0/0] ipv6 security rsakey-pair huawei
[RouterA-GigabitEthernet1/0/0] ipv6 security modifier sec-level 1
[RouterA-GigabitEthernet1/0/0] ipv6 address fe80::3 link-local cga
[RouterA-GigabitEthernet1/0/0] ipv6 address 2001:db8:1::2/64 cga
[RouterA-GigabitEthernet1/0/0] ipv6 address 2001:db8::1/64

  2. Enable the strict security mode on the RouterA interface

[RouterA-GigabitEthernet1/0/0] ipv6 nd security strict

  3. Configure IPv6 addresses on RouterB

<HUAWEIB> system-view
[HUAWEIB] sysname RouterB
[RouterB] ipv6
[RouterB] interface gigabitethernet 1/0/0
[RouterB-GigabitEthernet1/0/0] undo shutdown
[RouterB-GigabitEthernet1/0/0] ipv6 enable
[RouterB-GigabitEthernet1/0/0] ipv6 address auto link-local
[RouterB-GigabitEthernet1/0/0] ipv6 address 2001:db8:1::2/64
[RouterB-GigabitEthernet1/0/0] ipv6 address 2001:db8::2/64
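To make clear what the strict security mode on RouterA is actually checking when it later drops RouterB's packets, the following is an added Python example written for this page. It is not Huawei's code and not the router's implementation; it implements the CGA generation and verification rules of RFC 3972 for any security level 0 to 7 (the page uses sec-level 1). The "public key" is a constructed placeholder byte string standing in for the DER-encoded public key of the RSA key pair (the page's key pair label is huawei), and the modifier search is seeded with a fixed value only so that the result is reproducible. The function names (generate_cga, verify_cga, lab_demo) and the CgaParameters structure are this example's own.

```python
"""RFC 3972 CGA generation and verification (added example, not Huawei's code).

A CGA binds an IPv6 address to a public key: the interface identifier is a
hash of the sender's public key, subnet prefix, modifier and collision count,
with the Sec level encoded in its three leftmost bits.  SEND verifies this
binding on every ND message it secures.  RouterB's addresses in this lab are
not CGAs, so they fail this check on RouterA's strict-mode interface.
"""
import hashlib
import ipaddress
import os
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the DER-encoded SubjectPublicKeyInfo of the RSA
# key pair ("rsa key-pair label huawei" on RouterA).  It is NOT a real key;
# any byte string works for the hash arithmetic shown here.
EXAMPLE_PUBLIC_KEY = b"CONSTRUCTED-STAND-IN-FOR-DER-PUBLIC-KEY-" + bytes(range(64))


@dataclass(frozen=True)
class CgaParameters:
    """CGA Parameters data structure (RFC 3972, section 3), without extension fields."""
    modifier: bytes        # 16 octets
    prefix: bytes          # 8 octets: the /64 subnet prefix
    collision_count: int   # 0, 1 or 2 (incremented after a DAD collision)
    public_key: bytes      # DER-encoded public key


def _hash2(modifier: bytes, public_key: bytes) -> bytes:
    """Hash2: leftmost 112 bits of SHA-1(modifier || 9 zero octets || public key)."""
    return hashlib.sha1(modifier + bytes(9) + public_key).digest()[:14]


def _hash1(p: CgaParameters) -> bytes:
    """Hash1: leftmost 64 bits of SHA-1(modifier || prefix || collision count || public key)."""
    data = p.modifier + p.prefix + bytes([p.collision_count]) + p.public_key
    return hashlib.sha1(data).digest()[:8]


def _hash2_satisfies_sec(modifier: bytes, public_key: bytes, sec: int) -> bool:
    """The leftmost 16*Sec bits of Hash2 must be zero (Sec 0 needs no search)."""
    n = 2 * sec
    return _hash2(modifier, public_key)[:n] == bytes(n)


def generate_cga(prefix: str, public_key: bytes, sec: int,
                 collision_count: int = 0, modifier: Optional[bytes] = None):
    """Return (address, parameters) for a CGA in `prefix` at security level `sec`.

    `modifier` is the 16-octet starting point of the search (random by default;
    fixed in this example for reproducibility).  Each Sec level costs about
    2**(16*Sec) SHA-1 evaluations, which is the work factor an attacker would
    have to repeat to forge a CGA under a key of their own.
    """
    if not 0 <= sec <= 7:
        raise ValueError("Sec must be 0..7")
    if collision_count not in (0, 1, 2):
        raise ValueError("collision count must be 0, 1 or 2")
    prefix_bytes = ipaddress.IPv6Network(prefix, strict=False).network_address.packed[:8]
    mod = int.from_bytes(os.urandom(16) if modifier is None else modifier, "big")
    # Search for a modifier whose Hash2 has 16*Sec leading zero bits.
    while not _hash2_satisfies_sec(mod.to_bytes(16, "big"), public_key, sec):
        mod = (mod + 1) % (1 << 128)
    params = CgaParameters(mod.to_bytes(16, "big"), prefix_bytes, collision_count, public_key)
    iid = bytearray(_hash1(params))
    # The three leftmost bits carry Sec; bits 6 and 7 (the u and g bits) are cleared.
    iid[0] = (sec << 5) | (iid[0] & 0x1C)
    return ipaddress.IPv6Address(prefix_bytes + bytes(iid)), params


def verify_cga(address: str, p: CgaParameters) -> bool:
    """RFC 3972 section 5: does `address` belong to the key in `p`?"""
    packed = ipaddress.IPv6Address(address).packed
    if p.collision_count not in (0, 1, 2):
        return False
    if packed[:8] != p.prefix:                      # prefix in the parameters must match
        return False
    iid, h1 = packed[8:], _hash1(p)
    # Compare Hash1 with the IID, ignoring bits 0-2 (Sec) and 6-7 (u/g).
    if (iid[0] & 0x1C) != (h1[0] & 0x1C) or iid[1:] != h1[1:]:
        return False
    sec = iid[0] >> 5
    return _hash2_satisfies_sec(p.modifier, p.public_key, sec)


def lab_demo() -> dict:
    """Mirror the lab: RouterA's CGA verifies, RouterB's plain address does not."""
    router_a, params = generate_cga("2001:db8:1::/64", EXAMPLE_PUBLIC_KEY,
                                    sec=1, modifier=bytes(16))
    # Someone claiming RouterA's address with a different key cannot pass the check.
    other_key = CgaParameters(params.modifier, params.prefix,
                              params.collision_count, b"constructed-other-key")
    return {
        "router_a_cga": str(router_a),
        "router_a_verifies": verify_cga(str(router_a), params),
        "router_b_plain_address_verifies": verify_cga("2001:db8:1::2", params),
        "same_address_other_key_verifies": verify_cga(str(router_a), other_key),
    }


if __name__ == "__main__":
    for k, v in lab_demo().items():
        print(f"{k}: {v}")
```

Running the block prints one generated CGA in 2001:db8:1::/64 whose top interface-identifier bits encode Sec = 1, and shows that the same address under a different key, or RouterB's manually assigned 2001:db8:1::2, fails verification. The CGA check is only the address-ownership half of SEND: the router also validates the RSA Signature option over the ND message and the Timestamp/Nonce options whose parameters (delta, fuzz, drift) appear in the display ipv6 security interface output later in this example.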

  4. Verify the configuration

If the configuration succeeds, you can see the configured IPv6 addresses, the interface status Up, the IPv6 protocol status Up, and the IPv6 SEND configuration on the interface. Note that the interface identifier of a CGA is generated from the hash of the public key, modifier and prefix, so the CGAs shown on RouterA (2001:db8:1::2092:84CE:827B:D5A4 and FE80::3057:B5D6:6BD6:6CA8 below) differ from the host portion typed on the command line.

# Display information about GE1/0/0 on RouterA.

[RouterA-GigabitEthernet1/0/0] display this ipv6 interface
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::3057:B5D6:6BD6:6CA8
  Global unicast address(es):
    2001:db8:1::2092:84CE:827B:D5A4, subnet is 2001:db8:1::/64
    2001:db8::1, subnet is 2001:db8::/64
  Joined group address(es):
    FF02::1:FF7B:D5A4
    FF02::2
    FF02::1
    FF02::1:FFD6:6CA8
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  ND stale time is 1200 seconds

# Display the IPv6 SEND configuration of GE1/0/0 on RouterA.

[RouterA-GigabitEthernet1/0/0] display ipv6 security interface gigabitethernet 1/0/0
 (L) : Link local address
 SEND information for the interface : GigabitEthernet1/0/0
----------------------------------------------------------------------------
 IPv6 address                                   PrefixLength Collision Count
----------------------------------------------------------------------------
 FE80::3057:B5D6:6BD6:6CA8 (L)                  10           0
 2001:db8:1::2092:84CE:827B:D5A4                64           0
----------------------------------------------------------------------------
 SEND sec value : 1
 SEND security modifier value : 585D:9EA0:328:2792:B763:1DE3:BBC4:D22D
 SEND RSA key label bound : huawei
 SEND ND minimum key length value : 512
 SEND ND maximum key length value : 2048
 SEND ND Timestamp delta value : 300
 SEND ND Timestamp fuzz value : 1
 SEND ND Timestamp drift value : 1
 SEND ND fully secured mode : enabled

# Display information about GE1/0/0 on RouterB.

[RouterB-GigabitEthernet1/0/0] display this ipv6 interface
GigabitEthernet1/0/0 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::2E0:E6FF:FE13:8100
  Global unicast address(es):
    2001:db8:1::2, subnet is 2001:db8:1::/64
    2001:db8::2, subnet is 2001:db8::/64
  Joined group address(es):
    FF02::1:FF00:2
    FF02::2
    FF02::1
    FF02::1:FF13:8100
  MTU is 1500 bytes
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds
  ND retransmit interval is 1000 milliseconds
  ND stale time is 1200 seconds

# Ping RouterA's CGA type link-local address from RouterB. Because IPv6 SEND is configured on RouterA, the ping fails: RouterB's addresses are not CGAs and its Neighbor Solicitations carry no CGA or RSA Signature option, so the strict-mode interface on RouterA discards them and address resolution never completes.

[RouterB-GigabitEthernet1/0/0] ping ipv6 FE80::3057:B5D6:6BD6:6CA8 -i gigabitethernet 1/0/0
  PING FE80::3057:B5D6:6BD6:6CA8 : 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- FE80::3057:B5D6:6BD6:6CA8 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
    round-trip min/avg/max = 0/0/0 ms

# Ping RouterA's CGA type global unicast address from RouterB. Because IPv6 SEND is configured on RouterA, the ping fails.

[RouterB-GigabitEthernet1/0/0] ping ipv6 2001:db8:1::2092:84CE:827B:D5A4
  PING 2001:db8:1::2092:84CE:827B:D5A4 : 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 2001:db8:1::2092:84CE:827B:D5A4 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
    round-trip min/avg/max = 0/0/0 ms

# Ping RouterA's ordinary (non-CGA) global unicast address from RouterB. Because the strict security mode applies to the whole interface on RouterA, this ping also fails.

[RouterB-GigabitEthernet1/0/0] ping ipv6 2001:db8::1
  PING 2001:db8::1 : 56  data bytes, press CTRL_C to break
    Request time out
    Request time out
    Request time out
    Request time out
    Request time out
  --- 2001:db8::1 ping statistics ---
    5 packet(s) transmitted
    0 packet(s) received
    100.00% packet loss
    round-trip min/avg/max = 0/0/0 ms

# After the IPv6 SEND strict security mode is disabled on RouterA, pings from RouterB to RouterA's IPv6 addresses succeed. The following uses RouterA's CGA type global unicast address as an example.

[RouterA-GigabitEthernet1/0/0] undo ipv6 nd security strict
[RouterB-GigabitEthernet1/0/0] ping ipv6 2001:db8:1::2092:84CE:827B:D5A4
  PING 2001:db8:1::2092:84CE:827B:D5A4 : 56  data bytes, press CTRL_C to break
    Reply from 2001:db8:1::2092:84CE:827B:D5A4
    bytes=56 Sequence=1 hop limit=64  time = 1 ms
    Reply from 2001:db8:1::2092:84CE:827B:D5A4
    bytes=56 Sequence=2 hop limit=64  time = 20 ms
    Reply from 2001:db8:1::2092:84CE:827B:D5A4
    bytes=56 Sequence=3 hop limit=64  time = 1 ms
    Reply from 2001:db8:1::2092:84CE:827B:D5A4
    bytes=56 Sequence=4 hop limit=64  time = 1 ms
    Reply from 2001:db8:1::2092:84CE:827B:D5A4
    bytes=56 Sequence=5 hop limit=64  time = 1 ms
  --- 2001:db8:1::2092:84CE:827B:D5A4 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 1/4/20 ms

Configuration Files

Configuration file of RouterA

#
 sysname RouterA
#
ipv6
#
rsa key-pair label huawei
#
interface GigabitEthernet1/0/0
 undo shutdown
 ipv6 enable
 ipv6 security rsakey-pair huawei
 ipv6 security modifier sec-level 1 585D:9EA0:328:2792:B763:1DE3:BBC4:D22D
 ipv6 address 2001:db8:1::/64 cga
 ipv6 address 2001:db8::1/64
 ipv6 address FE80::3057:B5D6:6BD6:6CA8 link-local cga
 ipv6 nd security strict
#
return

Configuration file of RouterB

#
 sysname RouterB
#
ipv6
#
interface GigabitEthernet1/0/0
 undo shutdown
 ipv6 enable
 ipv6 address 2001:db8:1::2/64
 ipv6 address 2001:db8::2/64
 ipv6 address auto link-local
#
return
