Enabling DHCPv6-REQUEST check

About DHCPv6-REQUEST check

Perform this task to use the DHCPv6-REQUEST check feature to protect the DHCPv6 server against DHCPv6 client spoofing attacks. Attackers can forge DHCPv6-RENEW messages to renew leases for legitimate DHCPv6 clients that no longer need the IP addresses. The forged messages disable the victim DHCPv6 server from releasing the IP addresses. Attackers can also forge DHCPv6-DECLINE or DHCPv6-RELEASE messages to terminate leases for legitimate DHCPv6 clients that still need the IP addresses.

The DHCPv6-REQUEST check feature enables the DHCPv6 snooping device to check every received DHCPv6-RENEW, DHCPv6-DECLINE, or DHCPv6-RELEASE message against DHCPv6 snooping entries.

Procedure

  1. Enter system view.

    system-view

  2. Enter interface view.

    interface interface-type interface-number

  3. Enable DHCPv6-REQUEST check.

    ipv6 dhcp snooping check request-message

    By default, DHCPv6-REQUEST check is disabled.