+7(495) 797-3311 www.qtech.ru
Москва, Новозаводская ул., 18, стр. 1
218
Chapter 31 DHCPv6 option37, 38
31.1 Introduction to DHCPv6
option37, 38
DHCPv6 (Dynamic Host Configuration Protocol for IPv6) is designed for IPv6 address scheme
and is used for assigning IPv6 prefixes, IPv6 addresses and other configuration parameters to
hosts.
When DHCPv6 client wants to request address and configure parameter of DHCPv6 server
from different link, it needs to communicate with server through DHCPv6 relay agent. DHCPv6
message received by relay agent node is reencapsulated to be relay-forward packets and they
are forwarded to the server which sends the relay-reply packets to DHCPv6 relay agent node
in different link, after that, relay agent node restores DHCPv6 message to DHCPv6 client to
finish communication between client and server.
There are some problems when using DHCPv6 relay agent, for example: How to assign IP
address in the fixed range to the specifiec users? How to avoid illegal DHCPv6 client to forge
IP address exhaust attack triggered by MAC address fields of DHCPv6 packets? How to avoid
illegal DHCPv6 client to trigger deny service attack through using MAC address of other legal
clients? Therefore, IETF set rfc4649 and rfc4580, i.e. DHCPv6 option 37 and option 38 to
solve these problems.
DHCPv6 option 37 and option 38 is similar to DHCP option 82. When DHCPv6 client sends
request packets to DHCPv6 server though DHCPv6 relay agent, if DHCPv6 relay agent
supports option 37 and option 38, they will be added to request packets. For the respond
packets of server, option 37 and option 38 are meaningless and are peeled from the respond
packets. Therefore, the application of option 37 and option 38 is transparent for client.
DHCPv6 server can authenticate identity of DHCPv6 client and DHCPv6 relay device by
option 37 and option 38, assign and manage client address neatly through configuring the
assign policy, prevent DHCPv6 attack availably according to the inclusive client information,
such as forging MAC address fields of DHCPv6 packets to trigger IP address exhaust attack.
Since server can identify multiple request packets from the same access port, it can assign the
address number through policy limit to avoid address exhaust. However, rfc4649 and rfc4580
do not set how to use opton 37 and option 38 for DHCPv6 server, users can use it neatly
according to their own demand.
Содержание QSW-2800 series
Страница 189: ...7 495 797 3311 www qtech ru 18 1 175...
Страница 414: ...7 495 797 3311 www qtech ru 18 1 400...