Enabling DHCPv6-REQUEST check
Perform this task to use the DHCPv6-REQUEST check feature to protect the DHCPv6 server against DHCPv6 client spoofing attacks. Attackers can forge DHCPv6-RENEW messages to renew leases for legitimate DHCPv6 clients that no longer need the IP addresses. The forged messages disable the victim DHCPv6 server from releasing the IP addresses. Attackers can also forge DHCPv6-DECLINE or DHCPv6-RELEASE messages to terminate leases for legitimate DHCPv6 clients that still need the IP addresses.
The DHCPv6-REQUEST check feature enables the DHCPv6 snooping device to check every received DHCPv6-RENEW, DHCPv6-DECLINE, or DHCPv6-RELEASE message against DHCPv6 snooping entries.
If any criterion in an entry is matched, the device compares the entry with the message information.
If they are consistent, the device considers the message valid and forwards it to the DHCPv6 server.
If they are different, the device considers the message forged and discards it.
If no matching entry is found, the device forwards the message to the DHCPv6 server.
To enable DHCPv6-REQUEST check:
Step | Command | Remarks |
|---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Enable DHCPv6-REQUEST check. | ipv6 dhcp snooping check request-message | By default, DHCPv6-REQUEST check is disabled. |