Configuring an IPv6 global unicast address
Configure an IPv6 global unicast address by using the following options:
EUI-64 IPv6 addressing—The IPv6 address prefix of an interface is manually configured, and the interface identifier is generated automatically by the interface.
Manual configuration—The IPv6 global unicast address is configured manually.
Stateless address autoconfiguration—The IPv6 global unicast address is generated automatically based on the address prefix information contained in the RA message.
Follow these guidelines when you configure an IPv6 global unicast address:
You can configure multiple IPv6 global unicast addresses with different prefixes on an interface.
A manually configured global unicast address takes precedence over an automatically generated one. If a global unicast address has been automatically generated on an interface when you manually configure another one with the same address prefix, the latter overwrites the previous. The overwritten automatic global unicast address will not be restored even if the manual one is removed. Instead, a new global unicast address will be automatically generated based on the address prefix information in the RA message that the interface receives at the next time.
EUI-64 IPv6 addressing
To configure an interface to generate an EUI-64 IPv6 address:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure the interface to generate an EUI-64 IPv6 address. | ipv6 address ipv6-address/prefix-length eui-64 | By default, no IPv6 global unicast address is configured on an interface. |
Manual configuration
To specify an IPv6 address manually for an interface:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure an IPv6 address manually. | ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } | By default, no IPv6 global unicast address is configured on an interface. |
Stateless address autoconfiguration
To configure an interface to generate an IPv6 address by using stateless address autoconfiguration:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enter interface view. | interface interface-type interface-number | N/A |
3. Configure an IPv6 address to be generated through stateless address autoconfiguration. | ipv6 address auto | By default, no IPv6 global unicast address is configured on an interface. |
NOTE: Using the undo ipv6 address auto command on an interface removes all IPv6 global unicast addresses automatically generated on the interface. | ||
With stateless address autoconfiguration enabled on an interface, the device automatically generates an IPv6 global unicast address by using the address prefix information in the received RA message and the interface ID. On an IEEE 802 interface (such as a VLAN interface), the interface ID is generated based on the MAC address of the interface, and is globally unique. As a result, the interface ID portion of the IPv6 global address remains unchanged and exposes the sender. An attacker can further exploit communication details such as the communication peer and time.
To fix the vulnerability, configure the temporary address function that enables the system to generate and use temporary IPv6 addresses with different interface ID portions on an interface. With this function configured on an IEEE 802 interface, the system can generate two addresses, public IPv6 address and temporary IPv6 address.
Public IPv6 address—Comprises an address prefix provided by the RA message, and a fixed interface ID generated based on the MAC address of the interface.
Temporary IPv6 address—Comprises an address prefix provided by the RA message, and a random interface ID generated through MD5.
Before sending a packet, the system preferably uses the temporary IPv6 address of the sending interface as the source address of the packet to be sent. When this temporary IPv6 address expires, the system removes it and generates a new one. This enables the system to send packets with different source addresses through the same interface. If the temporary IPv6 address cannot be used because of a DAD conflict, the public IPv6 address is used.
The preferred lifetime and valid lifetime for temporary IPv6 addresses are specified as follows:
The preferred lifetime of a temporary IPv6 address takes the value of the smaller of the following values:
The preferred lifetime of the address prefix in the RA message.
The preferred lifetime configured for temporary IPv6 addresses minus DESYNC_FACTOR (which is a random number ranging 0 to 600, in seconds).
The valid lifetime of a temporary IPv6 address takes the value of the smaller of the following values:
The valid lifetime of the address prefix.
The valid lifetime configured for temporary IPv6 addresses.
To configure the temporary address function:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Configure the system to generate and preferably use the temporary IPv6 address of the sending interface as the source address of the packet to be sent. | ipv6 prefer temporary-address [ valid-lifetime preferred-lifetime ] | By default, the system does not generate or use a temporary IPv6 address. |
You must also enable stateless address autoconfiguration on an interface if you need temporary IPv6 addresses to be generated on that interface. Temporary IPv6 addresses do not override public IPv6 addresses. Therefore, an interface may have multiple IPv6 addresses with the same address prefix but different interface ID portions.
If the public IPv6 address fails to be generated on an interface because of a prefix conflict or other reasons, no temporary IPv6 address will be generated on the interface.