Configuring an IPv6 link-local address – H3C Technologies H3C SecPath F1000-E User Manual
| Step | Command | Remarks |
|------|---------|---------|
| 2. Enter interface view. | interface interface-type interface-number | N/A |
| 3. Configure an IPv6 address to be generated through stateless address autoconfiguration. | ipv6 address auto | By default, no IPv6 global unicast address is configured on an interface. |
With stateless address autoconfiguration enabled on an interface, the device automatically generates an
IPv6 global unicast address by using the address prefix information in the received RA message and the
interface ID. On an IEEE 802 interface (such as an Ethernet interface), the interface ID is generated
based on the MAC address of the interface, and is globally unique. As a result, the interface ID portion
of the IPv6 global unicast address remains unchanged, which makes the sender identifiable. An attacker
can further exploit communication details such as the communication peer and time.
To fix the vulnerability, configure the temporary address function that enables the system to generate and
use temporary IPv6 addresses with different interface ID portions on an interface. With this function
configured on an IEEE 802 interface, the system can generate the following addresses:
• Public IPv6 address—Comprises an address prefix provided by the RA message, and a fixed
  interface ID generated based on the MAC address of the interface.
• Temporary IPv6 address—Comprises an address prefix provided by the RA message, and a
  random interface ID generated through MD5.
Before sending a packet, the system prefers the temporary IPv6 address of the sending interface
as the source address of the packet. When this temporary IPv6 address expires, the system
removes it and generates a new one. This enables the system to send packets with different source
addresses through the same interface. If the temporary IPv6 address cannot be used because of a
duplicate address detection (DAD) conflict, the public IPv6 address is used.
The preferred lifetime and valid lifetime for temporary IPv6 addresses are specified as follows:
• The preferred lifetime of a temporary IPv6 address is the smaller of the following values:
  the preferred lifetime of the address prefix in the RA message, or the preferred lifetime
  configured for temporary IPv6 addresses minus DESYNC_FACTOR (a random number ranging
  from 0 to 600, in seconds).
• The valid lifetime of a temporary IPv6 address is the smaller of the following values:
  the valid lifetime of the address prefix, or the valid lifetime configured for temporary
  IPv6 addresses.
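The following Python sketch is an added example and is not part of the H3C manual. It assumes the fixed interface ID uses the modified EUI-64 format of RFC 4291 (the manual only says it is based on the MAC address), and the MAC address, prefixes and lifetimes are constructed sample values. It shows that the public address carries the same recoverable interface ID under every prefix, and applies the two lifetime rules above.

```python
import ipaddress

IID_MASK = (1 << 64) - 1  # low 64 bits of an IPv6 address = interface ID


def public_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Build the fixed SLAAC address: RA prefix + modified EUI-64 of the MAC (assumed format)."""
    net = ipaddress.IPv6Network(prefix)
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if net.prefixlen != 64 or len(b) != 6:
        raise ValueError("expected a /64 prefix and a 48-bit MAC")
    # Flip the universal/local bit and insert ff:fe between the two MAC halves.
    eui64 = bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:]
    return net[int.from_bytes(eui64, "big")]


def interface_id(addr: str) -> int:
    """Return the 64-bit interface ID portion of an address."""
    return int(ipaddress.IPv6Address(addr)) & IID_MASK


def mac_from_address(addr: str):
    """Recover the MAC from a MAC-derived address; None if the ID has no ff:fe marker.
    A random ID can contain ff:fe by chance, so treat a hit as an indicator only."""
    iid = interface_id(addr).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)


def temporary_lifetimes(ra_pref, ra_valid, cfg_pref, cfg_valid, desync_factor):
    """Apply the two 'smaller of' rules; all values are in seconds."""
    if not 0 <= desync_factor <= 600:
        raise ValueError("DESYNC_FACTOR must be within 0..600 seconds")
    return min(ra_pref, cfg_pref - desync_factor), min(ra_valid, cfg_valid)


if __name__ == "__main__":
    mac = "00:1b:44:11:3a:b7"  # constructed MAC
    for prefix in ("2001:db8:1::/64", "2001:db8:2::/64"):  # constructed prefixes
        addr = public_address(prefix, mac)
        print(addr, "-> MAC", mac_from_address(str(addr)))
    # Constructed address with a random-looking interface ID: no MAC recoverable.
    print(mac_from_address("2001:db8:1:0:5c3a:9e01:77d2:4b10"))
    print(temporary_lifetimes(604800, 2592000, 86400, 604800, 300))
```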
CAUTION:
• You must also enable stateless address autoconfiguration on an interface if you need temporary IPv6
  addresses to be generated on that interface. Temporary IPv6 addresses do not override public IPv6
  addresses. Therefore, an interface may have multiple IPv6 addresses with the same address prefix but
  different interface ID portions.
• If the public IPv6 address fails to be generated on an interface because of a prefix conflict or other
  reasons, no temporary IPv6 address will be generated on the interface.
Configuring an IPv6 link-local address
IPv6 link-local addresses can be configured in either of the following ways: