IPv6 Features

IPv6 supports the following features:
  • Hierarchical address structure
    The IPv6 hierarchical address structure facilitates route search, reduces the IPv6 routing table size using route aggregation, and improves the forwarding efficiency of CX devices.
  • Automatic address configuration
    IPv6 supports stateful and stateless address autoconfiguration to simplify the host configuration process.
    • In stateful address autoconfiguration, the host obtains the address and configuration from a server.
    • In stateless address autoconfiguration, the host automatically configures an IPv6 address that contains the prefix advertised by the local CX device and interface ID of the host. If no CX device exists on the link, the host can only configure the link-local address automatically to interwork with local nodes.
  • Selection of source and destination addresses
    When network administrators need to specify or plan the source and destination addresses of packets, they can define a group of address selection rules and build an address selection policy table from them. Like a routing table, this table is queried using the longest matching rule; the precedence and label values it returns then drive the choice of source and destination addresses.
    Select a source address using the following rules in descending order of priority:
    1. Prefer a source address that is the same as the destination address.
    2. Prefer an address in an appropriate address range.
    3. Avoid selecting a deprecated address.
    4. Prefer a home address.
    5. Prefer an address of the outbound interface.
    6. Prefer an address whose label value is the same as that of the destination address.
    7. Use the longest matching rule.
    NOTE:
    The candidate address can be a unicast address configured on the specified outbound interface. If no source address on the outbound interface has the same label value and the same address range as the destination address, such a source address can be selected from another interface.
    Select a destination address using the following rules in descending order of priority.
    1. Avoid selecting an unavailable destination address.
    2. Prefer an address in an appropriate address range.
    3. Avoid selecting a deprecated address.
    4. Prefer a home address.
    5. Prefer an address whose label value is the same as that of the source address.
    6. Prefer an address with a higher precedence value.
    7. Prefer native transport to the 6over4 or 6to4 tunnel.
    8. Prefer an address in a smaller address range.
    9. Use the longest matching rule.
    10. Leave the order of address priorities unchanged.
  • QoS
    In an IPv6 header, the new Flow Label field specifies how to identify and process traffic. The Flow Label field identifies a flow and allows a CX device to recognize the packets in that flow and give them special processing.
    QoS is guaranteed even for the packets encrypted with IPsec because the IPv6 header can identify different types of flows.
  • Built-in security
    An IPv6 packet contains a standard extension header related to IPsec, and therefore IPv6 can provide end-to-end security. This provides network security specifications and improves interoperability between different IPv6 applications.
  • Fixed basic header
    A fixed basic header helps improve forwarding efficiency.
  • Flexible extension header
    An IPv4 header only supports the 40-byte Options field, whereas the size of the IPv6 extension header is limited only by the IPv6 packet size.
    In IPv6, multiple extension headers are introduced to replace the Options field of the IPv4 header. This improves packet processing efficiency, enhances IPv6 flexibility, and provides better scalability for the IP protocol. Figure 1 shows an IPv6 extension header.
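The following Python script is added here as a worked example of the source address selection rules listed above under "Selection of source and destination addresses"; it is not taken from the CX device documentation. It uses the RFC 3484 default policy table (prefix, precedence, label) as a stand-in for an administrator-defined table, skips rule 4 (home address) because no Mobile IPv6 state is modelled, and runs the pairwise comparison over a constructed candidate set on two interfaces.

```python
"""Source address selection following the rule list above (RFC 3484 order).
Added example; not from the original document. Rule 4 (home address) is not
modelled because no Mobile IPv6 state is kept here."""
from dataclasses import dataclass
from functools import reduce
import ipaddress

# Default policy table (RFC 3484 section 2.1): prefix -> (precedence, label).
# A device's own table would be the one built from the administrator's rules.
POLICY_TABLE = [
    (ipaddress.IPv6Network("::1/128"), 50, 0),
    (ipaddress.IPv6Network("::/0"), 40, 1),
    (ipaddress.IPv6Network("2002::/16"), 30, 2),
    (ipaddress.IPv6Network("::/96"), 20, 3),
    (ipaddress.IPv6Network("::ffff:0:0/96"), 10, 4),
]


def policy_lookup(addr):
    """Longest-matching-prefix lookup in the policy table: (precedence, label)."""
    _, prec, label = max((e for e in POLICY_TABLE if addr in e[0]),
                         key=lambda e: e[0].prefixlen)
    return prec, label


def label_of(text):
    return policy_lookup(ipaddress.IPv6Address(text))[1]


def scope(addr):
    """Unicast scope values as RFC 3484 compares them."""
    if addr.is_loopback or addr.is_link_local:
        return 0x2  # link-local scope (the loopback address counts as link-local)
    if addr.is_site_local:
        return 0x5  # site-local scope
    return 0xE      # global scope


def common_prefix_len(a, b):
    """Number of leading bits shared by two addresses (the 'longest match')."""
    return 128 - (int(a) ^ int(b)).bit_length()


@dataclass(frozen=True)
class Candidate:
    address: ipaddress.IPv6Address
    interface: str            # interface the address is configured on
    deprecated: bool = False  # preferred lifetime has expired


def prefer(sa, sb, dst, out_if):
    """Return whichever of sa/sb the rules rank higher as source for dst."""
    # Rule 1: prefer the address that equals the destination.
    if sa.address == dst:
        return sa
    if sb.address == dst:
        return sb
    # Rule 2: prefer an appropriate scope (smallest scope that still reaches dst).
    a, b, d = scope(sa.address), scope(sb.address), scope(dst)
    if a < b:
        return sb if a < d else sa
    if b < a:
        return sa if b < d else sb
    # Rule 3: avoid deprecated addresses.
    if sa.deprecated != sb.deprecated:
        return sb if sa.deprecated else sa
    # Rule 4 (home address): not modelled here.
    # Rule 5: prefer an address on the outbound interface.
    if (sa.interface == out_if) != (sb.interface == out_if):
        return sa if sa.interface == out_if else sb
    # Rule 6: prefer the address whose label equals the destination's label.
    dl = policy_lookup(dst)[1]
    la, lb = policy_lookup(sa.address)[1], policy_lookup(sb.address)[1]
    if (la == dl) != (lb == dl):
        return sa if la == dl else sb
    # Rule 7: longest matching prefix with the destination.
    ca, cb = common_prefix_len(sa.address, dst), common_prefix_len(sb.address, dst)
    if ca != cb:
        return sa if ca > cb else sb
    return sa  # tie: keep the earlier candidate (order left unchanged)


def select_source(candidates, dst, out_if):
    """Run the pairwise comparison over all candidates; returns the winning Candidate."""
    dst = ipaddress.IPv6Address(dst)
    return reduce(lambda best, c: prefer(best, c, dst, out_if), candidates)


# Constructed candidate set for a host with two interfaces (not from the document).
CANDIDATES = [
    Candidate(ipaddress.IPv6Address("fe80::1"), "eth0"),
    Candidate(ipaddress.IPv6Address("2001:db8:1::10"), "eth0"),
    Candidate(ipaddress.IPv6Address("2001:db8:2::10"), "eth1"),
    Candidate(ipaddress.IPv6Address("2001:db8:1::20"), "eth0", deprecated=True),
    Candidate(ipaddress.IPv6Address("2002:c000:204::5"), "eth0"),
]

if __name__ == "__main__":
    for dst in ("2001:db8:1::1", "fe80::abcd", "2002:c000:204::1"):
        print(dst, "->", select_source(CANDIDATES, dst, "eth0").address)
```

For a global destination the link-local candidate loses on rule 2, the deprecated address on rule 3 and the eth1 address on rule 5; for a link-local destination rule 2 keeps fe80::1; for a 6to4 destination rule 6 picks the candidate carrying the same label (2).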
Figure 1 IPv6 extension header

When multiple extension headers are used in the same packet, the headers must be listed in the following order:
  • IPv6 basic header
  • Hop-by-hop extension header
  • Destination options extension header
  • Routing extension header
  • Fragment extension header
  • Authentication extension header
  • Encapsulation security extension header
  • Destination options extension header (options to be processed at the destination)
  • Upper layer extension header
Not all extension headers must be examined and processed by CX devices. When a CX device forwards packets, it determines whether or not to process the extension headers based on the Next Header value in the IPv6 basic header.
The destination options extension header can appear twice in a packet: once before the routing extension header and once after the encapsulation security extension header, immediately before the upper layer header. All other extension headers appear only once.
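The following Python script is an added example (not from the CX device documentation) of what "determines whether or not to process the extension headers based on the Next Header value" looks like in code: it walks the chain from the basic header, stops where a forwarding device would stop (ESP, No Next Header or an upper-layer protocol), and checks the observed sequence against the recommended order above. The two packets are constructed inline; the IANA Next Header numbers are the real ones.

```python
"""Walk an IPv6 extension header chain by Next Header values and check it against
the recommended order above. Added example; the packets are constructed here."""
import ipaddress
import struct

# IANA protocol numbers used in the Next Header field.
HOPOPT, TCP, UDP, ROUTING, FRAGMENT, ESP, AH, ICMPV6, NONXT, DSTOPTS = 0, 6, 17, 43, 44, 50, 51, 58, 59, 60

# Position in the recommended order. Destination Options is handled separately
# because it may appear twice (before Routing, and again before the upper layer).
RANK = {HOPOPT: 1, ROUTING: 3, FRAGMENT: 4, AH: 5, ESP: 6}


def walk_chain(packet):
    """Follow Next Header from the basic header. Returns (extension header protocol
    numbers in order, final Next Header value). The walk stops at ESP, No Next
    Header, or an upper-layer protocol, as a forwarding device would."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    payload_len = struct.unpack_from("!H", packet, 4)[0]
    end = 40 + payload_len
    if end > len(packet):
        raise ValueError("payload length exceeds captured bytes")
    nh, off, chain = packet[6], 40, []
    while nh in (HOPOPT, DSTOPTS, ROUTING, FRAGMENT, AH):
        if off + 8 > end:
            raise ValueError("truncated extension header")
        if nh == FRAGMENT:
            hdr_len = 8                          # fixed size, no length field
        elif nh == AH:
            hdr_len = (packet[off + 1] + 2) * 4  # Payload Len: 32-bit words minus 2
        else:
            hdr_len = (packet[off + 1] + 1) * 8  # Hdr Ext Len: 8-octet units, first 8 excluded
        if off + hdr_len > end:
            raise ValueError("extension header runs past payload")
        chain.append(nh)
        nh, off = packet[off], off + hdr_len
    return chain, nh


def check_order(chain, final):
    """Return violations of the recommended header order (empty list = fine).
    A third Destination Options header or any other repeated header is flagged."""
    problems, last = [], 0
    for proto in chain + ([ESP] if final == ESP else []):
        rank = (2 if last < 2 else 7) if proto == DSTOPTS else RANK[proto]
        if rank <= last:
            problems.append(f"Next Header {proto} (rank {rank}) follows a header of rank {last}")
        last = max(last, rank)
    return problems


def analyze(packet):
    chain, final = walk_chain(packet)
    return chain, final, check_order(chain, final)


# --- constructed packets (not from the document) ---
def ipv6_header(src, dst, next_header, payload):
    return (struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed + payload)


def options_header(next_header):
    # 8-byte Hop-by-Hop or Destination Options header: Hdr Ext Len 0, one PadN option.
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def fragment_header(next_header, offset=0, more=False, ident=0x1234):
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), ident)


UDP_SEGMENT = struct.pack("!HHHH", 40000, 53, 8 + 5, 0) + b"hello"
SRC, DST = "2001:db8::1", "2001:db8::2"

# Hop-by-Hop, then Fragment, then UDP: the recommended order.
GOOD = ipv6_header(SRC, DST, HOPOPT, options_header(FRAGMENT) + fragment_header(UDP) + UDP_SEGMENT)
# Fragment before Hop-by-Hop: Hop-by-Hop must directly follow the basic header.
BAD = ipv6_header(SRC, DST, FRAGMENT, fragment_header(HOPOPT) + options_header(UDP) + UDP_SEGMENT)

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, analyze(pkt))
```

The length checks matter as much as the order check: a chain whose declared header lengths run past the payload is exactly the kind of malformed packet a device should drop rather than parse.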

IPv6 Addresses

IPv6 Address Format

A 128-bit IPv6 address has two formats:
  • X:X:X:X:X:X:X:X
    • IPv6 addresses in this format are written as eight groups of four hexadecimal digits (0 to 9, A to F), each group separated by a colon (:). Every "X" represents a group of hexadecimal digits. For example, 2031:0000:130F:0000:0000:09C0:876A:130B is a valid IPv6 address.
      For convenience, any zeros at the beginning of a group can be omitted; therefore, the given example becomes 2031:0:130F:0:0:9C0:876A:130B.
    • Any number of consecutive groups of 0s can be replaced with two colons (::). Therefore, the given example can be written as 2031:0:130F::9C0:876A:130B.
      This double-colon substitution can only be used once in an address; multiple occurrences would be ambiguous.
  • X:X:X:X:X:X:d.d.d.d
    IPv4-mapped IPv6 address: The format of an IPv4-mapped IPv6 address is 0:0:0:0:0:FFFF:IPv4-address. IPv4-mapped IPv6 addresses are used to represent IPv4 node addresses as IPv6 addresses.
    "X:X:X:X:X:X" represents the high-order six groups of digits, each "X" standing for 16 bits represented by hexadecimal digits. "d.d.d.d" represents the low-order four groups of digits, each "d" standing for 8 bits represented by decimal digits. "d.d.d.d" is a standard IPv4 address.

IPv6 Address Structure

An IPv6 address is composed of two parts:
  • Network prefix: the n-bit network portion, equivalent to the network ID of an IPv4 address.
  • Interface identifier: the (128-n)-bit host portion, equivalent to the host ID of an IPv4 address.
Figure 1 illustrates the structure of the address 2001:A304:6101:1::E0:F726:4E58/64.
Figure 1 Structure of the address 2001:A304:6101:1::E0:F726:4E58/64

IPv6 Address Types

IPv6 addresses have three types.
  • Unicast address: identifies a single network interface and is similar to an IPv4 unicast address. A packet sent to a unicast address is transmitted to the unique interface identified by this address.
  • Anycast address: assigned to a group of interfaces, which usually belong to different nodes. A packet sent to an anycast address is transmitted to only one of the member interfaces, typically the nearest according to the routing protocol's choice of distance.
    Application scenario: When a mobile host communicates with the mobile agent on the home subnet, it uses the anycast address of the subnet CX device.
    Address specifications: Anycast addresses do not have an independent address space. They can use the format of any unicast address, so a syntax is required to differentiate an anycast address from a unicast address.
  • Multicast address: assigned to a set of interfaces that belong to different nodes and is similar to an IPv4 multicast address. A packet that is sent to a multicast address is delivered to all the interfaces identified by that address.
    IPv6 addresses do not include broadcast addresses. In IPv6, multicast addresses can provide the functions of broadcast addresses.
Unicast addresses can be classified into four types, as shown in Table 1.
Table 1 IPv6 unicast address types
  Address Type                    Binary Prefix        IPv6 Prefix Identifier
  Link-local unicast address      1111111010           FE80::/10
  Unique local unicast address    1111110              FC00::/7
  Loopback address                00...1 (128 bits)    ::1/128
  Unspecified address             00...0 (128 bits)    ::/128
  Global unicast address          Others               -
Each unicast address type is described as follows:
  • Link-local unicast address: used in the neighbor discovery protocol and in the communication between nodes on the local link during stateless address autoconfiguration. A packet with a link-local unicast address as the source or destination address is only forwarded on the local link. The link-local unicast address can be automatically configured on any interface using the link-local prefix FE80::/10 (1111 1110 10) and an interface identifier in IEEE EUI-64 format (an EUI-64 can be derived from an EUI-48).
  • Unique local unicast address: globally unique and intended for local communication. Unique local unicast addresses are not expected to be routable on the global Internet; they are routable inside a site and possibly between a limited set of sites. These addresses are not auto-configured. A unique local unicast address consists of a 7-bit prefix, a 41-bit global ID (including the 1-bit L flag), a 16-bit subnet ID, and a 64-bit interface ID.
  • Loopback address: is 0:0:0:0:0:0:0:1 or ::1 and not assigned to any interface. Similar to the IPv4 loopback address 127.0.0.1, the IPv6 loopback address indicates that a node sends IPv6 packets to itself.
  • Unspecified address (::): can neither be assigned to any node nor function as the destination address. The unspecified address can be used in the Source Address field of the IPv6 packet sent by an initializing host before it has learned its own address. During Duplicate Address Detection (DAD), the Source Address field of a Neighbor Solicitation (NS) packet is an unspecified address.
  • Global unicast address: equivalent to an IPv4 public network address. Global unicast addresses are used on links that can be aggregated, and are provided to the Internet Service Provider (ISP). The structure of this type of address enables route-prefix aggregation to solve the problem of a limited number of global routing entries. A global unicast address consists of a 48-bit route prefix managed by operators, a 16-bit subnet ID managed by local nodes, and a 64-bit interface ID. Unless otherwise specified, global unicast addresses include site-local unicast addresses.
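The following Python script is an added example, not part of the CX device documentation, that implements the address text forms, the prefix/interface ID split and the Table 1 classification by hand (rather than through the ipaddress module) so that the "::" rule and the d.d.d.d tail are visible in the code. Output is lowercase as RFC 5952 recommends, whereas this document writes hexadecimal digits in uppercase; the sample addresses are the document's own plus a few constructed ones.

```python
"""Parser and classifier for the textual IPv6 address forms described above.
Added example; not from the document."""
import re

_GROUP = re.compile(r"[0-9A-Fa-f]{1,4}")


def _group(text):
    if not _GROUP.fullmatch(text):
        raise ValueError(f"bad group {text!r}")
    return int(text, 16)


def expand(text):
    """X:X:X:X:X:X:X:X or X:X:X:X:X:X:d.d.d.d  ->  list of eight 16-bit groups."""
    if text.count("::") > 1:
        raise ValueError("'::' may appear only once")
    head, sep, tail = text.rpartition(":")
    if "." in tail:  # dotted IPv4 tail becomes the two low-order groups
        octets = tail.split(".")
        if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
            raise ValueError(f"bad IPv4 tail {tail!r}")
        o = [int(x) for x in octets]
        text = f"{head}{sep}{o[0] << 8 | o[1]:x}:{o[2] << 8 | o[3]:x}"
    if "::" in text:
        left, right = text.split("::")
        lhs = [_group(g) for g in left.split(":")] if left else []
        rhs = [_group(g) for g in right.split(":")] if right else []
        if len(lhs) + len(rhs) > 7:
            raise ValueError("'::' must stand for at least one zero group")
        return lhs + [0] * (8 - len(lhs) - len(rhs)) + rhs
    groups = [_group(g) for g in text.split(":")]
    if len(groups) != 8:
        raise ValueError("expected eight groups")
    return groups


def is_valid(text):
    try:
        expand(text)
        return True
    except ValueError:
        return False


def compress(groups):
    """Canonical text form: no leading zeros, the longest run of two or more
    zero groups replaced by '::' (once), lowercase hexadecimal."""
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != 0:
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == 0:
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    words = [f"{g:x}" for g in groups]
    if best_len < 2:
        return ":".join(words)
    return ":".join(words[:best_start]) + "::" + ":".join(words[best_start + best_len:])


def to_int(groups):
    value = 0
    for g in groups:
        value = (value << 16) | g
    return value


def split_prefix(groups, n):
    """Network prefix (high n bits) and interface identifier (low 128-n bits)."""
    value = to_int(groups)
    return value >> (128 - n), value & ((1 << (128 - n)) - 1)


def classify(groups):
    """Type per Table 1, plus multicast and the IPv4-mapped form described above."""
    value = to_int(groups)
    if value == 0:
        return "unspecified"
    if value == 1:
        return "loopback"
    if groups[0] >> 8 == 0xFF:
        return "multicast"
    if groups[0] >> 6 == 0b1111111010:   # FE80::/10
        return "link-local unicast"
    if groups[0] >> 9 == 0b1111110:      # FC00::/7
        return "unique local unicast"
    if groups[:5] == [0] * 5 and groups[5] == 0xFFFF:  # ::FFFF:0:0/96
        return "ipv4-mapped"
    return "global unicast"              # "Others" in Table 1


if __name__ == "__main__":
    for text in ("2031:0000:130F:0000:0000:09C0:876A:130B", "::ffff:192.0.2.1", "FE80::1", "FD00::1"):
        g = expand(text)
        print(f"{text} -> {compress(g)} ({classify(g)})")
    prefix, iid = split_prefix(expand("2001:A304:6101:1::E0:F726:4E58"), 64)
    print(f"prefix {prefix:016x} / interface ID {iid:016x}")
```

A parser of this kind is what an ACL or log pipeline needs before comparing addresses: the same address can be written many ways, and comparing the compressed canonical form rather than the raw string avoids both false matches and misses.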

Interface ID in the IEEE EUI-64 Format

The 64-bit interface ID in an IPv6 address identifies a unique interface on a link. This identifier is derived from the link-layer address (such as a MAC address) of the interface. The 64-bit IPv6 interface ID is translated from a 48-bit MAC address by inserting the hexadecimal value FFFE (1111 1111 1111 1110) into the middle of the MAC address and then setting the U/L bit (the seventh bit from the left) to 1. Figure 2 shows the translation from a MAC address to an EUI-64 address.
Figure 2 Translation from a MAC address to an EUI-64 address

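The following Python script is an added example of the MAC-to-EUI-64 translation described above and is not from the CX device documentation. It also implements the reverse mapping, which is what an analyst uses to tie an EUI-64-derived link-local address seen in logs back to a NIC. The U/L bit is inverted as RFC 4291 Appendix A specifies; for a universally administered MAC that bit is 0, so the inversion sets it to 1 exactly as the text describes. The MAC address used is constructed.

```python
"""MAC -> modified EUI-64 interface ID and back. Added example; not from the document."""
import ipaddress


def mac_to_eui64(mac):
    """48-bit MAC -> 8-byte modified EUI-64 interface ID: insert FFFE after the
    OUI and invert the U/L bit (seventh bit from the left of the first octet)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02
    return bytes(iid)


def eui64_hex(mac):
    return mac_to_eui64(mac).hex()


def link_local_from_mac(mac):
    """FE80::/64 prefix + EUI-64 interface ID, as stateless autoconfiguration forms it."""
    return ipaddress.IPv6Address(b"\xfe\x80" + b"\x00" * 6 + mac_to_eui64(mac))


def eui64_to_mac(address):
    """Recover the MAC from an EUI-64-derived address, or None when the interface
    ID does not carry the FFFE marker (a privacy or manually chosen ID)."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytearray(iid[:3] + iid[5:])
    octets[0] ^= 0x02  # undo the U/L bit inversion
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    mac = "00:1e:10:ab:cd:ef"  # constructed sample MAC
    print(mac, "->", eui64_hex(mac), "->", link_local_from_mac(mac))
    print(eui64_to_mac("fe80::21e:10ff:feab:cdef"))
```

Because the interface ID embeds the hardware address, an EUI-64-derived address is stable across networks and lets the host be tracked; that is why hosts commonly use privacy or stable-but-opaque interface IDs instead, and why eui64_to_mac returns None for those.
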
Configuring a Basic ACL to Manage Device Access Rights

Networking Requirements

On the network shown in Figure 1, the PE is a device in the HR department, and two VPN instances, VPN-A and VPN-B, are created on the PE. CE1 is a device in Department A and belongs to VPN-A, which uses 111:1 as the VPN-target. CE2 is a device in Department B and belongs to VPN-B, which uses 222:2 as the VPN-target. The user in VPN-A (CE1) must be allowed to log in to the PE by Telnet, and the user in VPN-B (CE2) must be prevented from logging in to the PE. To achieve this, configure a basic ACL on the PE so that devices in Department A are allowed to access the devices in the HR department, devices in Department B are not, and devices in Department A and Department B cannot access each other.
Figure 1 Configuring a basic ACL to manage device access rights

Configuration Roadmap

The configuration roadmap is as follows:
  1. Configure VPN instances on different devices.
  2. Define ACL rules to configure rights for different VPN users to access the PE.
  3. Apply the ACL to allow different VPN users to have different rights to access the PE.

Data Preparation

To complete the configuration, you need the following data:
  • ACL number
  • VPN instance names

Procedure

  1. Configure VPN instances on the PE.
    # Configure VPN-A.
    <HUAWEI> system-view
    [~HUAWEI] sysname PE
    [*HUAWEI] commit
    [~PE] ip vpn-instance vpna
    [*PE-vpn-instance-vpna] route-distinguisher 100:1
    [*PE-vpn-instance-vpna] vpn-target 111:1 both
    [*PE-vpn-instance-vpna] commit
    [~PE-vpn-instance-vpna] quit
    [~PE] interface gigabitethernet 0/1/0
    [~PE-GigabitEthernet0/1/0] ip binding vpn-instance vpna
    [*PE-GigabitEthernet0/1/0] ip address 10.1.1.1 24
    [*PE-GigabitEthernet0/1/0] commit
    [~PE-GigabitEthernet0/1/0] quit
    # Configure VPN-B.
    [~PE] ip vpn-instance vpnb
    [*PE-vpn-instance-vpnb] route-distinguisher 100:2
    [*PE-vpn-instance-vpnb] vpn-target 222:2 both
    [*PE-vpn-instance-vpnb] commit
    [~PE-vpn-instance-vpnb] quit
    [~PE] interface gigabitethernet 0/2/0
    [~PE-GigabitEthernet0/2/0] ip binding vpn-instance vpnb
    [*PE-GigabitEthernet0/2/0] ip address 10.2.1.1 24
    [*PE-GigabitEthernet0/2/0] commit
    [~PE-GigabitEthernet0/2/0] quit
  2. Create a basic ACL and configure ACL rules on the PE to allow the user (CE1) in VPN-A to log in to PE by Telnet and prevent the user (CE2) in VPN-B from logging in to the PE.
    [~PE] acl number 2001
    [*PE-acl4-basic-2001] rule permit vpn-instance vpna
    [*PE-acl4-basic-2001] rule deny vpn-instance vpnb
    [*PE-acl4-basic-2001] commit
    [~PE-acl4-basic-2001] quit
  3. Apply the ACL in Telnet services on the PE.
    [~PE] user-interface vty 0 4
    [~PE-ui-vty0-4] authentication-mode password
    [*PE-ui-vty0-4] set authentication password
    Please configure the login password (8-16)
    Enter Password:
    Confirm Password:
    [*PE-ui-vty0-4] acl 2001 inbound
    [*PE-ui-vty0-4] commit
  4. Configure IP addresses for CE1 and CE2 as shown in Figure 1. For configuration details, see Configuration Files in this section.
  5. Verify the configuration.
    # Log in to the PE from CE1 by Telnet. The command output shows that CE1 can log in to the PE by Telnet.
    <CE1> telnet vpn-instance vpna 10.1.1.1
    Trying 10.1.1.1 ...                                                             
    Press CTRL+K to abort                                                           
    Connected to 10.1.1.1 ...                                                       
    Info: The max number of VTY users is 10, and the number                         
          of current VTY users on line is 1.  
    <PE>
    # Log in to the PE from CE2 by Telnet. The command output shows that CE2 cannot log in to the PE by Telnet.
    <CE2> telnet vpn-instance vpna 10.1.1.1
    Trying 10.1.1.1 ...
    Press CTRL+K to abort
    Error: Failed to connect to the remote host.Press CTRL+K to abort
    # Log in to CE2 from CE1 by Telnet. The command output shows that CE1 cannot log in to CE2 by Telnet.
    <CE1> telnet vpn-instance vpnb 10.2.1.2
    Trying 10.2.1.2 ...
    Press CTRL+K to abort
    Error: Failed to connect to the remote host.Press CTRL+K to abort

Configuration Files

  • PE configuration file
    #
     sysname PE
    #
    ip vpn-instance vpna
     route-distinguisher 100:1
     vpn-target 111:1 export-extcommunity
     vpn-target 111:1 import-extcommunity
    ip vpn-instance vpnb
     route-distinguisher 100:2
     vpn-target 222:2 export-extcommunity
     vpn-target 222:2 import-extcommunity
    #
    acl number 2001
     rule 5 permit vpn-instance vpna
     rule 10 deny vpn-instance vpnb
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ip binding vpn-instance vpna
     ip address 10.1.1.1 255.255.255.0
    #
    interface GigabitEthernet0/2/0
     undo shutdown
     ip binding vpn-instance vpnb
     ip address 10.2.1.1 255.255.255.0
    #    
    user-interface con 0
    user-interface vty 0 4
     acl 2001 inbound
     authentication-mode password
     user privilege level 15
     set authentication password cipher \Ly$!c2@a#x#R32H{7y/U4=1$A*:Z$\@<>
    user-interface vty 16 20
    #
    return
  • CE1 configuration file
    #
     sysname CE1
    #
    aaa
     authentication-scheme default
     #
     authorization-scheme default
     #
     accounting-scheme default
     #
     domain default
     #
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ip address 10.1.1.2 255.255.255.0
    #
    user-interface con 0
    user-interface vty 0 4
    user-interface vty 16 20
    #
    return
  • CE2 configuration file
    #
     sysname CE2
    #
    aaa
     authentication-scheme default
     #
     authorization-scheme default
     #
     accounting-scheme default
     #
     domain default
     #
    #
    interface GigabitEthernet0/1/0
     undo shutdown
     ip address 10.2.1.2 255.255.255.0
    #
    user-interface con 0
    user-interface vty 0 4
    user-interface vty 16 20
    #
    return

Configuring an Advanced ACL to Defend Against Attacks

Networking Requirements

As shown in Figure 1, Device A, Device B, and Device C are access devices, whereas Device D, Device E, and Device F are core devices. The access devices connect to the core devices through 10 Gbit/s interfaces. Voice and 3G services run on the network. To control user access and ensure network and device security, security policies need to be configured on the access routers to prevent ICMP packet attacks. To achieve this purpose, configure an advanced ACL on Device A.
If the attacker (PC) attacks the network, Device A can use the configured advanced ACL to prevent the ICMP packet attacks.
Figure 1 Configuring an advanced ACL to defend against attacks

Configuration Roadmap

The configuration roadmap is as follows:
  1. Set passwords for users that log in to a device using the NMS and CLI to improve login security.
  2. Record all information about unsuccessful logins in a log file and output log information to the console interface for network administrators to check the login information.
  3. Configure an advanced ACL on Device A and apply the advanced ACL to QoS services to defend against ICMP packet attacks.

Data Preparation

To complete the configuration, you need the following data:
  • IP address of each interface
  • Password for users that log in to a device using the NMS and CLI
  • Number of the advanced ACL

Procedure

  1. Assign an IP address to each interface. For configuration details, see Configuration Files in this section.
  2. Set a password for users that log in to a device using the NMS and CLI.
    <HUAWEI> system-view
    [~HUAWEI] sysname DeviceA
    [*HUAWEI] commit
    [~DeviceA] user-interface console 0
    [*DeviceA-ui-con0] shell
    [*DeviceA-ui-con0] authentication-mode password
    [*DeviceA-ui-con0] set authentication password cipher Huawei-123
    [*DeviceA-ui-con0] idle-timeout 30 0
    [*DeviceA-ui-con0] commit
    [~DeviceA-ui-con0] quit
    [~DeviceA] user-interface maximum-vty 15
    [*DeviceA] user-interface vty 5 14
    [*DeviceA-ui-vty5-14] shell
    [*DeviceA-ui-vty5-14] authentication-mode password
    [*DeviceA-ui-vty5-14] set authentication password cipher Huawei-123
    [*DeviceA-ui-vty5-14] idle-timeout 30 0
    [*DeviceA-ui-vty5-14] commit
    [~DeviceA-ui-vty5-14] quit
    
    The configurations of the other access devices are similar to that of Device A.
  3. Record all information about unsuccessful logins in a log file and output log information to the console interface.
    [~DeviceA] info-center enable
    [*DeviceA] info-center source default channel 9 log level warning
    [*DeviceA] info-center logfile channel channel9
    [*DeviceA] commit
    [~DeviceA] quit
    <DeviceA> terminal logging
  4. Configure an advanced ACL on Device A and apply the advanced ACL to QoS services to defend against ICMP packet attacks.
    <DeviceA> system-view
    [~DeviceA] acl number 3001
    [*DeviceA-acl4-advance-3001] description anti-virus
    [*DeviceA-acl4-advance-3001] rule 5 deny icmp
    [*DeviceA-acl4-advance-3001] commit
    [~DeviceA-acl4-advance-3001] quit
    [~DeviceA] traffic classifier anti-virus
    [*DeviceA-classifier-anti-virus] if-match acl 3001
    [*DeviceA-classifier-anti-virus] commit
    [~DeviceA-classifier-anti-virus] quit
    [~DeviceA] traffic behavior anti-virus
    [*DeviceA-behavior-anti-virus] commit
    [~DeviceA-behavior-anti-virus] quit
    [~DeviceA] traffic policy anti-virus
    [*DeviceA-trafficpolicy-anti-virus] classifier anti-virus behavior anti-virus
    [*DeviceA-trafficpolicy-anti-virus] commit
    [~DeviceA-trafficpolicy-anti-virus] quit
    [~DeviceA] interface gigabitethernet 0/2/0
    [*DeviceA-GigabitEthernet0/2/0] traffic-policy anti-virus inbound
    [*DeviceA-GigabitEthernet0/2/0] commit
    [~DeviceA-GigabitEthernet0/2/0] traffic-policy anti-virus outbound
    [*DeviceA-GigabitEthernet0/2/0] commit
  5. Verify the configuration.
    # Ping Device A from the PC. The command output shows that the ping operation fails.
    c:\>ping 172.16.1.1
    
    Pinging 172.16.1.1 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    
    Ping statistics for 172.16.1.1:
        Packets: Sent = 4, Received = 0, Lost = 4 <100% loss>,
    # Delete the advanced ACL on Device A. Then the command output shows that ping operation is successful.
    c:\>ping 172.16.1.1
    
    Pinging 172.16.1.1 with 32 bytes of data:
    Reply from 172.16.1.1: bytes=32 time<1ms TTL=128
    Reply from 172.16.1.1: bytes=32 time<1ms TTL=128
    Reply from 172.16.1.1: bytes=32 time<1ms TTL=128
    Reply from 172.16.1.1: bytes=32 time<1ms TTL=128
    
    Ping statistics for 172.16.1.1:
        Packets: Sent = 4, Received = 4, Lost = 0 <0% loss>,
    Approximate round trip times in milli-seconds:
        Minimum = 0ms, Maximum = 0 ms, Average = 0ms
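The following Python script is an added example, not from the CX device documentation, that serves both the basic ACL procedure (ACL 2001, Telnet access by VPN instance) and the advanced ACL procedure above (ACL 3001, ICMP deny): it parses rule lines in the syntax the configuration files use, evaluates them in ascending rule number with first-match semantics, and reports which rule fired. It reproduces the three verification results of each section. What a device does when no rule matches depends on where the ACL is applied, so that case is returned as None rather than guessed; the packets, the wildcard-mask variant (ACL_DEMO) and the treatment of a bare "0" wildcard as an exact host are constructed for the example.

```python
"""First-match evaluation of ACL rules written in the syntax used above.
Added example, not from the document."""
import ipaddress


def _parse_addr_spec(tokens, i):
    """'any' or 'A.B.C.D WILDCARD' (inverse mask; a bare '0' is taken as exact host)."""
    if tokens[i] == "any":
        return None, i + 1
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = 0 if tokens[i + 1] == "0" else int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def parse_rule(line):
    """'rule N permit|deny [protocol] [source ...] [destination ...] [vpn-instance NAME]'"""
    tok = line.split()
    if len(tok) < 3 or tok[0] != "rule" or tok[2] not in ("permit", "deny"):
        raise ValueError(f"unsupported rule: {line!r}")
    rule = {"number": int(tok[1]), "action": tok[2], "protocol": None,
            "source": None, "destination": None, "vpn_instance": None}
    i = 3
    if i < len(tok) and tok[i] not in ("source", "destination", "vpn-instance"):
        rule["protocol"] = tok[i]
        i += 1
    while i < len(tok):
        if tok[i] in ("source", "destination"):
            spec, nxt = _parse_addr_spec(tok, i + 1)
            rule[tok[i]] = spec
            i = nxt
        elif tok[i] == "vpn-instance":
            rule["vpn_instance"] = tok[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported keyword {tok[i]!r} in {line!r}")
    return rule


def _addr_match(spec, addr):
    if spec is None:
        return True
    net, wild = spec
    mask = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are 'don't care'
    return (int(addr) & mask) == (net & mask)


def rule_matches(rule, pkt):
    if rule["protocol"] not in (None, "ip") and rule["protocol"] != pkt["protocol"]:
        return False
    if rule["vpn_instance"] is not None and rule["vpn_instance"] != pkt.get("vpn_instance"):
        return False
    return (_addr_match(rule["source"], pkt["source"])
            and _addr_match(rule["destination"], pkt["destination"]))


def evaluate(acl_lines, pkt):
    """Rules are tried in ascending rule number; the first hit decides.
    Returns (action, rule number), or None when no rule matches."""
    for rule in sorted((parse_rule(line) for line in acl_lines), key=lambda r: r["number"]):
        if rule_matches(rule, pkt):
            return rule["action"], rule["number"]
    return None


def packet(src, dst, protocol, vpn_instance=None):
    return {"source": ipaddress.IPv4Address(src), "destination": ipaddress.IPv4Address(dst),
            "protocol": protocol, "vpn_instance": vpn_instance}


# Rule lines as they appear in the configuration files above.
ACL_2001 = ["rule 5 permit vpn-instance vpna", "rule 10 deny vpn-instance vpnb"]
ACL_3001 = ["rule 5 deny icmp"]
# Constructed variant (not from the document): source wildcard plus a catch-all,
# listed out of order to show that evaluation follows the rule number.
ACL_DEMO = ["rule 10 permit ip", "rule 5 deny icmp source 10.2.1.0 0.0.0.255"]

if __name__ == "__main__":
    print(evaluate(ACL_2001, packet("10.1.1.2", "10.1.1.1", "tcp", "vpna")))  # CE1 via VPN-A
    print(evaluate(ACL_2001, packet("10.2.1.2", "10.1.1.1", "tcp", "vpnb")))  # CE2 via VPN-B
    print(evaluate(ACL_3001, packet("192.0.2.99", "172.16.1.1", "icmp")))     # PC ping
    print(evaluate(ACL_DEMO, packet("10.2.1.77", "172.16.1.1", "icmp")))
```

Note that "rule 5 deny icmp" with no source or destination qualifier matches every ICMP packet on the interface, including the error and path MTU discovery messages that normal traffic relies on; scoping the deny to the expected source range, as ACL_DEMO does, keeps the protection while limiting that side effect.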

Configuration Files


  • Device A configuration file
    #
     sysname DeviceA
    #
     info-center source default channel 9 log level warning
    #
    acl number 3001
     description anti-virus
     rule 5 deny icmp
    #
    traffic classifier anti-virus
     if-match acl 3001
    #
    traffic behavior anti-virus
    #
    traffic policy anti-virus
     classifier anti-virus behavior anti-virus
    #
    interface GigabitEthernet0/2/0
     undo shutdown
     traffic-policy anti-virus inbound
     traffic-policy anti-virus outbound
    #
    user-interface maximum-vty 15
    user-interface con 0
     authentication-mode password
     set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
     idle-timeout 30 0
    user-interface vty 0 4
    user-interface vty 5 14
     set authentication password cipher N`C55QK<`=/Q=^Q`MAF4<1!!
     idle-timeout 30 0
    user-interface vty 16 20
    #
    return