R21xx-HP FlexFabric 11900 Layer 3 IP Services Configuration Guide

Step 3. Configure an IPv6 global unicast address for the interface.
Command: ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
Remarks: By default, no IPv6 global unicast address is configured on an interface.

Stateless address autoconfiguration
To configure an interface to generate an IPv6 address through stateless address autoconfiguration:

Step 1. Enter system view.
Command: system-view
Remarks: N/A

Step 2. Enter interface view.
Command: interface interface-type interface-number
Remarks: N/A

Step 3. Enable stateless address autoconfiguration.
Command: ipv6 address auto
Remarks: By default, no IPv6 global unicast address is configured on an interface. Using the undo ipv6 address auto command on an interface removes all IPv6 global unicast addresses automatically generated on the interface.

After this configuration, the interface automatically generates an IPv6 global unicast address by using
the address prefix information in the received RA message and the interface ID. On an IEEE 802
interface (such as an Ethernet interface or a VLAN interface), the interface ID is generated based on the
MAC address of the interface and is globally unique. An attacker can exploit this rule to easily identify
the sending device.
To fix the vulnerability, you can configure the temporary address function. With this function, an IEEE 802
interface generates the following addresses:
• Public IPv6 address—Comprises the address prefix provided by the RA message, and a fixed interface ID generated based on the MAC address of the interface.
• Temporary IPv6 address—Comprises the address prefix provided by the RA message, and a random interface ID generated through MD5.
The interface preferably uses the temporary IPv6 address as the source address of sent packets. When
the valid lifetime of the temporary IPv6 address expires, the interface removes it and generates a new
one. This enables the system to send packets with different source addresses through the same interface.
If the temporary IPv6 address cannot be used because of a DAD conflict, the public IPv6 address is used.
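
The following is an added example, not part of the HP guide. It shows why a MAC-based interface ID identifies the sending device: it builds the public address, then recovers the MAC from observed addresses so an administrator can audit which hosts still expose it. It assumes the interface ID follows the modified EUI-64 format of RFC 4291; the MAC, prefixes and addresses are constructed samples.

```python
import ipaddress
from collections import defaultdict

def eui64_interface_id(mac: str) -> int:
    """Modified EUI-64 interface ID (RFC 4291, Appendix A) for a 48-bit MAC."""
    b = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(b) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Invert the universal/local bit, then insert ff:fe between the two halves.
    return int.from_bytes(bytes([b[0] ^ 0x02]) + b[1:3] + b"\xff\xfe" + b[3:], "big")

def public_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """Public address: /64 prefix from the RA plus the fixed MAC-based interface ID."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("expected a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | eui64_interface_id(mac))

def mac_from_address(addr: str):
    """Return the MAC embedded in addr, or None if the interface ID is not EUI-64.
    A random interface ID matches the ff:fe marker by chance about once in 65536."""
    iid = (int(ipaddress.IPv6Address(addr)) & (2**64 - 1)).to_bytes(8, "big")
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{x:02x}" for x in mac)

def audit(addresses):
    """Map each recovered MAC to the addresses exposing it, across all prefixes."""
    exposed = defaultdict(list)
    for addr in addresses:
        mac = mac_from_address(addr)
        if mac is not None:
            exposed[mac].append(addr)
    return dict(exposed)

# Constructed sample: one host seen behind two prefixes, plus one temporary address.
SAMPLE_MAC = "00:11:22:33:44:55"
SAMPLE = [
    str(public_address("2001:db8:1::/64", SAMPLE_MAC)),
    str(public_address("2001:db8:2::/64", SAMPLE_MAC)),
    "2001:db8:1:0:5c3a:91e7:b2d:7f10",   # random interface ID (temporary address)
]

if __name__ == "__main__":
    for mac, addrs in audit(SAMPLE).items():
        print(f"{mac} is exposed by: {', '.join(addrs)}")
```

The two public addresses map back to the same MAC even though their prefixes differ, while the address with a random interface ID yields nothing to correlate.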
The preferred lifetime and valid lifetime for a temporary IPv6 address are determined as follows:
• The preferred lifetime of a temporary IPv6 address takes the smaller of the following values:
  ◦ The preferred lifetime of the address prefix in the RA message.
  ◦ The preferred lifetime configured for temporary IPv6 addresses minus DESYNC_FACTOR (a random number ranging from 0 to 600 seconds).
• The valid lifetime of a temporary IPv6 address takes the smaller of the following values: