DHCPv6, Securing IPv6 address configuration, DHCPv6 snooping – Brocade FastIron Ethernet Switch Security Configuration Guide User Manual
DHCPv6
Supported DHCPv6 packet inspection and tracking features
Lists Dynamic Host Configuration Protocol (DHCP) IPv6 packet inspection and tracking features
supported on FastIron devices.
The following table lists individual Brocade switches and the Dynamic Host Configuration Protocol
(DHCP) IPv6 packet inspection and tracking features they support. These features are supported in the
Layer 2 and Layer 3 software images, except where explicitly noted.
| Feature | ICX 6430 | ICX 6450 | FCX | ICX 6610 | ICX 6650 | FSX 800 / FSX 1600 | ICX 7750 |
|---|---|---|---|---|---|---|---|
| DHCPv6 snooping | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.01 | 08.0.10 |
Securing IPv6 address configuration
In an IPv6 domain, a node can obtain an IPv6 address using the following two mechanisms:
• IPv6 address auto-configuration using router advertisements
• DHCPv6 protocol
In a typical man-in-the-middle (MiM) attack, the attacker can snoop or spoof the traffic, or act as a
rogue DHCPv6 server. DHCPv6 snooping prevents such attacks and helps to secure the IPv6 address
configuration in the network.
DHCPv6 snooping
DHCPv6 snooping enables the Brocade device to filter untrusted DHCPv6 packets in a subnet on an
IPv6 network. DHCPv6 snooping can ward off MiM attacks, such as a malicious user posing as a
DHCPv6 server sending false DHCPv6 server reply packets with the intention of misdirecting other
users. DHCPv6 snooping can also stop unauthorized DHCPv6 servers and prevent errors due to user
misconfiguration of DHCPv6 servers.
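The filtering decision described above, modelled as an added Python example (not Brocade code and not the FastIron implementation): server-originated DHCPv6 messages are forwarded only when they arrive on a trusted port, and the Server Identifier DUID of a dropped message is reported so the unauthorized server can be located. The port names, the trusted-port set and the sample packets are constructed assumptions; the message-type and option codes are those of RFC 8415.

```python
import struct

# DHCPv6 message types that only a server or relay agent originates (RFC 8415).
SERVER_MSG_TYPES = {2: "ADVERTISE", 7: "REPLY", 10: "RECONFIGURE", 13: "RELAY-REPL"}
OPTION_SERVERID = 2  # carries the server's DUID


def parse_options(data):
    """Walk DHCPv6 TLV options (2-byte code, 2-byte length); stop on truncation."""
    options, offset = {}, 0
    while offset + 4 <= len(data):
        code, length = struct.unpack_from("!HH", data, offset)
        value = data[offset + 4 : offset + 4 + length]
        if len(value) < length:  # declared length runs past the end of the packet
            break
        options.setdefault(code, value)
        offset += 4 + length
    return options


def snoop(port, payload, trusted_ports):
    """Return (action, message_name_or_reason, server_duid_hex) for one UDP payload."""
    if len(payload) < 4:  # 1-byte msg-type + 3-byte transaction-id
        return ("drop", "truncated header", None)
    msg_type = payload[0]
    if port in trusted_ports or msg_type not in SERVER_MSG_TYPES:
        return ("forward", None, None)
    # Server message on an untrusted port: drop it and report who sent it.
    # RELAY-REPL has a 34-byte header (type, hop-count, link and peer address).
    header_len = 34 if msg_type == 13 else 4
    duid = parse_options(payload[header_len:]).get(OPTION_SERVERID)
    return ("drop", SERVER_MSG_TYPES[msg_type], duid.hex() if duid else None)


# Constructed sample data (not captured traffic).
TRUSTED = {"1/1/1"}  # hypothetical uplink towards the legitimate DHCPv6 server
SAMPLE_DUID = bytes.fromhex("00030001020000000001")  # DUID-LL, made-up MAC
SAMPLE_REPLY = (bytes([7]) + b"\x12\x34\x56"
                + struct.pack("!HH", OPTION_SERVERID, len(SAMPLE_DUID)) + SAMPLE_DUID)
SAMPLE_SOLICIT = bytes([1]) + b"\x12\x34\x56"

if __name__ == "__main__":
    for port, pkt in [("1/1/1", SAMPLE_REPLY), ("1/1/5", SAMPLE_REPLY),
                      ("1/1/5", SAMPLE_SOLICIT)]:
        print(port, snoop(port, pkt, TRUSTED))
```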
FastIron Ethernet Switch Security Configuration Guide
53-1003088-03