Chapter 25 | General Security Measures
DHCPv6 Snooping
■ Solicit: Add new entry in binding cache, recording client's DUID, IA type, IA ID (2 message exchanges to get IPv6 address with rapid commit option, otherwise 4 message exchanges), and forward to trusted port.
■ Decline: If no matching entry is found in binding cache, drop this packet.
■ Renew, Rebind, Release, Confirm: If no matching entry is found in binding cache, drop this packet.
■ If the DHCPv6 packet is not a recognizable type, it is dropped.
If a DHCPv6 packet from a client passes the filtering criteria above,
it will only be forwarded to trusted ports in the same VLAN.
DHCP Server Packet
■ If a DHCP server packet is received on an untrusted port, drop this packet and add a log entry in the system.
■ If a DHCPv6 Reply packet is received from a server on a trusted port, it will be processed in the following manner:
  A. Check if IPv6 address in IA option is found in binding table:
     ■ If yes, continue to C.
     ■ If not, continue to B.
  B. Check if IPv6 address in IA option is found in binding cache:
     ■ If yes, continue to C.
     ■ If not, check failed, and forward packet to trusted port.
  C. Check status code in IA option:
     ■ If successful, and entry is in binding table, update lease time and forward to original destination.
     ■ If successful, and entry is in binding cache, move entry from binding cache to binding table, update lease time and forward to original destination.
     ■ Otherwise, remove binding entry, and check failed.
■ If a DHCPv6 Relay packet is received, check the relay message option in Relay-Forward or Relay-Reply packet, and process client and server packets as described above.
◆ If DHCPv6 snooping is globally disabled, all dynamic bindings are removed from the binding table.
◆ Additional considerations when the switch itself is a DHCPv6 client – The port(s) through which the switch submits a client request to the DHCPv6 server must be configured as trusted (using the ipv6 dhcp snooping trust command). Note that the switch will not add a dynamic entry for itself to the binding table when it receives an ACK message from a DHCPv6 server. Also, when the switch sends out DHCPv6 client packets for itself, no filtering takes place. However, when the switch receives any messages from a DHCPv6 server, any packets received from untrusted ports are dropped.
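The client and server filtering rules above, as an added Python model that is not part of this manual or of the switch firmware: a binding cache keyed by client DUID, IA type and IA ID, a binding table keyed by the assigned address, and the trusted/untrusted port decision for each message. The Reply is matched against the cache by DUID and IA ID (an assumption, since a cache entry has no address yet), and "check failed" is modelled as forwarding the trusted-port packet without updating any binding; port names and message values are constructed.

```python
CLIENT_MSGS = {"SOLICIT", "DECLINE", "RENEW", "REBIND", "RELEASE", "CONFIRM"}


class DhcpV6Snoop:
    """Binding cache: clients that solicited but hold no address yet.
    Binding table: confirmed address leases (assumed model, not firmware)."""

    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.cache = {}   # (duid, ia_type, ia_id) -> ingress port
        self.table = {}   # ipv6 address -> dict(duid, ia_type, ia_id, port, lease)
        self.log = []

    def client_packet(self, port, msg, duid, ia_type, ia_id):
        """Client message on an untrusted port: 'FORWARD_TRUSTED' or 'DROP'."""
        key = (duid, ia_type, ia_id)
        if msg == "SOLICIT":                     # always creates a cache entry
            self.cache[key] = port
            return "FORWARD_TRUSTED"
        if msg not in CLIENT_MSGS:               # unrecognizable DHCPv6 type
            return "DROP"
        known = key in self.cache or any(
            (b["duid"], b["ia_type"], b["ia_id"]) == key for b in self.table.values())
        return "FORWARD_TRUSTED" if known else "DROP"

    def server_packet(self, port, msg, duid, ia_type, ia_id, addr, ok, lease):
        """Server message: 'DROP' (and log) on an untrusted port, else 'FORWARD'."""
        if port not in self.trusted:
            self.log.append(f"DHCPv6 server packet dropped on untrusted port {port}")
            return "DROP"
        if msg != "REPLY":
            return "FORWARD"
        key = (duid, ia_type, ia_id)
        in_table, in_cache = addr in self.table, key in self.cache   # steps A and B
        if not in_table and not in_cache:
            return "FORWARD"                     # check failed; packet still forwarded
        if ok:                                   # step C, success status code
            if in_table:
                self.table[addr]["lease"] = lease
            else:                                # move cache entry into binding table
                self.table[addr] = {"duid": duid, "ia_type": ia_type, "ia_id": ia_id,
                                    "port": self.cache.pop(key), "lease": lease}
        else:                                    # error status: remove the binding
            self.table.pop(addr, None)
            self.cache.pop(key, None)
        return "FORWARD"

    def disable(self):
        """Global disable removes all dynamic bindings."""
        self.table.clear()
        self.cache.clear()
```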