Chapter 33 DHCPv6 Snooping Configuration
33.1 Introduction to DHCPv6 Snooping
DHCPv6 Snooping monitors the packet exchange between DHCPv6 clients and the DHCPv6
server, builds a binding table of users from that exchange, and enforces various
security policies based on the binding table. DHCPv6 Snooping provides the following
functions:
33.1.1 Defense against Fake DHCPv6 Server
DHCPv6 Snooping lets the port that connects to the DHCPv6 server be configured as a
trusted port; all other ports are untrusted by default. This prevents users from setting
up their own DHCPv6 servers on the network. DHCPv6 Snooping does not forward DHCPv6
response packets received on untrusted ports, and it applies a security policy based on
the source MAC address of such response packets: for example, that MAC address is set as
a blackhole MAC for a period of time, or the port is shut down for a period of time.
33.1.2 Defense against Fake IPv6 Address
DHCPv6 Snooping can install access control entries on a port based on the bindings of
that port. By default the port denies all IPv6 traffic and forwards only IPv6 packets
whose source IPv6 address and source MAC address are bound to this port.
In this way, it effectively prevents a malicious user from accessing the network with a
forged or privately configured IPv6 address.
33.1.3 Defense against the attack of DHCPv6 address exhaustion
DHCPv6 Snooping can limit the number of bindings on a port. Once the number of
bindings on a port exceeds the threshold, subsequent DHCPv6 request packets on that port
are not forwarded but dropped. In this way, it can effectively prevent the attack of DHCPv6
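As an added example that is not part of this manual, the following Python model implements the three checks described in 33.1.1 to 33.1.3 over constructed packets: server messages on untrusted ports are dropped and their source MAC blackholed, bindings are learned from replies on the trusted port, IPv6 data is filtered by binding, and a per-port binding limit drops further requests. The `Snooper` class, port names and MAC addresses are assumptions; the DHCPv6 message type codes are the RFC 8415 values.

```python
from dataclasses import dataclass, field

# DHCPv6 message type codes (RFC 8415)
SOLICIT, ADVERTISE, REQUEST, REPLY = 1, 2, 3, 7
SERVER_MSGS = {ADVERTISE, REPLY}   # only legitimate when they come from the server


@dataclass
class Snooper:
    """Constructed model of a DHCPv6 Snooping switch (not vendor code)."""
    trusted: set                                    # ports facing the real DHCPv6 server
    max_bindings: int = 2                           # per-port binding limit (33.1.3)
    bindings: dict = field(default_factory=dict)    # port -> set of (ipv6, mac)
    pending: dict = field(default_factory=dict)     # client mac -> port awaiting a REPLY
    blackhole: set = field(default_factory=set)     # MACs that sent server messages on untrusted ports

    def dhcp(self, port, msg_type, src_mac, client_mac=None, ipv6=None):
        """Return 'forward' or 'drop' for a DHCPv6 packet seen on `port`."""
        if msg_type in SERVER_MSGS:
            if port not in self.trusted:            # 33.1.1: fake server on an untrusted port
                self.blackhole.add(src_mac)
                return "drop"
            if msg_type == REPLY and client_mac in self.pending:
                cport = self.pending.pop(client_mac)  # learn the binding on the client's port
                self.bindings.setdefault(cport, set()).add((ipv6, client_mac))
            return "forward"
        # client message (SOLICIT / REQUEST) arriving on an untrusted port
        if src_mac in self.blackhole:
            return "drop"
        if len(self.bindings.get(port, ())) >= self.max_bindings:  # 33.1.3: exhaustion
            return "drop"
        if msg_type == REQUEST:
            self.pending[src_mac] = port
        return "forward"

    def data(self, port, src_ipv6, src_mac):
        """33.1.2: an untrusted port forwards only IPv6 traffic that matches its bindings."""
        if port in self.trusted:
            return "forward"
        return "forward" if (src_ipv6, src_mac) in self.bindings.get(port, set()) else "drop"


def demo():
    """Constructed packet sequence; returns the per-packet decisions."""
    s = Snooper(trusted={"ge1"}, max_bindings=1)
    return [
        s.dhcp("ge2", REQUEST, "aa:aa"),                                            # forward
        s.dhcp("ge1", REPLY, "00:01", client_mac="aa:aa", ipv6="2001:db8::10"),     # forward, binding learned
        s.data("ge2", "2001:db8::10", "aa:aa"),                                     # forward, bound address
        s.data("ge2", "2001:db8::99", "aa:aa"),                                     # drop, forged address
        s.dhcp("ge3", ADVERTISE, "bb:bb"),                                          # drop, fake server
        s.dhcp("ge2", REQUEST, "aa:aa"),                                            # drop, binding limit reached
    ]
```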