乾颐堂军哥 (Qianyitang Jun Ge): some techniques for last-hop security in IPv6 wireless networks
1. RA Throttling
Router Advertisement Throttling
Router Advertisement (RA) throttling allows the controller to enforce rate limiting of RAs headed towards the wireless network. By enabling RA throttling, routers that are configured to send RAs frequently (every 3 seconds) can be trimmed back to a minimum frequency that will still maintain IPv6 client connectivity. This allows airtime to be optimized by reducing the number of multicast packets that must be sent. In all cases, if a client sends a Router Solicitation (RS), then an RA will be allowed through the controller and unicast to the requesting client. This is to ensure that new clients or roaming clients are not negatively impacted by RA throttling.
Note: When RA throttling occurs, only the first IPv6-capable router is allowed through. For networks that have multiple IPv6 prefixes being served by different routers, RA throttling must be disabled.
Throttling RA (Router Advertisements)
RA throttling lets the wireless controller enforce rate limiting of RA messages sent toward the wireless network. By enabling RA throttling, the rate at which routers send RAs (once every 3 seconds) can be reduced to a minimum while still maintaining IPv6 client connectivity. Airtime is optimized by reducing the number of multicast packets that have to be sent. In all cases, if a client sends an RS message, an RA is allowed through and delivered by unicast to the requesting client. This ensures that new clients or roaming clients are not affected by RA throttling.
2. IPv6 Source Guard
The IPv6 source guard feature prevents a wireless client from spoofing the IPv6 address of another client. This feature is analogous to IPv4 source guard. IPv6 source guard is enabled by default.
IPv6 Source Guard prevents one wireless client from impersonating another IPv6 client; the feature is similar to IPv4 Source Guard.
3. IPv6 Access Control Lists
In order to restrict access to certain upstream wired resources or block certain applications, IPv6 Access Control Lists can be used to identify traffic and permit or deny it. IPv6 Access Lists support the same options as IPv4 Access Lists, including source, destination, source port, and destination port (port ranges are also supported). The wireless controller supports up to 64 unique IPv6 ACLs, each with 64 unique rules. The wireless controller continues to support an additional 64 unique IPv4 ACLs with 64 unique rules each, for a total of 128 ACLs for a dual-stack client.
IPv6 Access Control Lists
To restrict access to specific upstream wired resources or to block specific applications, IPv6 ACLs can be used to identify traffic and then permit or deny it. Like IPv4 ACLs, they can match on options such as source and destination addresses and source and destination ports. The wireless controller supports up to 64 ACLs, each containing up to 64 rules.
4. DHCPv6 Server Guard
The DHCPv6 Server guard feature prevents wireless clients from handing out IPv6 addresses to other wireless clients or wired clients upstream. To prevent DHCPv6 addresses from being handed out, all DHCPv6 advertise packets from wireless clients are dropped. This feature operates on the controller, requires no configuration and is enabled automatically.
The DHCPv6 Server Guard feature prevents wireless clients from handing out IPv6 addresses to other wireless clients or to upstream wired clients. To prevent DHCPv6 addresses from being handed out, all DHCPv6 Advertise packets coming from wireless clients are dropped.
5. Router Advertisement Guard
The RA Guard feature increases the security of the IPv6 network by dropping router advertisements coming from wireless clients. Without this feature, misconfigured or malicious IPv6 clients could announce themselves as a router for the network, often with a high priority, which could take precedence over legitimate IPv6 routers.
By default, RA guard is enabled at the AP (but can be disabled) and is always enabled on the controller. Dropping RAs at the AP is preferred as it is a more scalable solution and provides enhanced per-client RA drop counters. In all cases, the IPv6 RA is dropped at some point, protecting other wireless clients and upstream wired network from malicious or misconfigured IPv6 clients.
RA Guard: this feature improves the security of the IPv6 network by dropping RA messages that come from wireless clients. Without it, a misconfigured or malicious IPv6 client could announce itself as a router for the network, with a high priority, so that it displaces the correct, legitimate IPv6 routers.
6. AAA Override for IPv6 ACLs
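The three guard features above (sections 2, 4 and 5) all reduce to a per-packet decision made at the AP or controller about traffic arriving from a wireless client. The following is an added example, not code from the original post or from any controller, that models those three decisions over a constructed set of packet records and keeps per-client drop counters of the kind the RA Guard section mentions. The binding table, the Packet record and the rule that the unspecified address :: is permitted for Duplicate Address Detection are assumptions of this example.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ICMPV6_ROUTER_ADVERTISEMENT = 134  # RFC 4861 ICMPv6 type for a Router Advertisement
DHCPV6_ADVERTISE = 2               # RFC 8415 DHCPv6 "Advertise" message (sent only by servers)

@dataclass
class Packet:
    src_mac: str                           # wireless client's MAC address
    src_ip: str                            # IPv6 source address as text
    icmpv6_type: Optional[int] = None      # set when the packet is ICMPv6
    dhcpv6_msg_type: Optional[int] = None  # set when the packet is DHCPv6

def canon(addr: str) -> str:
    """Canonical text form so 2001:0db8::1 and 2001:db8::1 compare equal."""
    return str(ipaddress.IPv6Address(addr))

def first_hop_verdict(pkt: Packet, bindings: Dict[str, Set[str]]) -> Tuple[str, str]:
    """Return ("drop", feature) or ("permit", "ok") for a packet from a wireless client.
    bindings maps a client MAC to its learned IPv6 addresses (hypothetical binding table)."""
    if pkt.icmpv6_type == ICMPV6_ROUTER_ADVERTISEMENT:  # RA Guard: a client never acts as a router
        return ("drop", "ra-guard")
    if pkt.dhcpv6_msg_type == DHCPV6_ADVERTISE:         # DHCPv6 Server Guard: a client never hands out leases
        return ("drop", "dhcpv6-server-guard")
    # IPv6 Source Guard: the source address must be one learned for this client. Assumption:
    # the unspecified address :: is permitted, since Duplicate Address Detection sends from ::.
    src = canon(pkt.src_ip)
    if src != "::" and src not in {canon(a) for a in bindings.get(pkt.src_mac, set())}:
        return ("drop", "ipv6-source-guard")
    return ("permit", "ok")

def drop_counters(packets: List[Packet], bindings: Dict[str, Set[str]]) -> Dict[Tuple[str, str], int]:
    """Per-client, per-feature drop counts, like the per-client RA drop counters the AP keeps."""
    counts: Counter = Counter()
    for pkt in packets:
        verdict, reason = first_hop_verdict(pkt, bindings)
        if verdict == "drop":
            counts[(pkt.src_mac, reason)] += 1
    return dict(counts)

# Constructed sample: client 1 behaves; client 2 sends an RA, a DHCPv6 Advertise, and a spoofed source.
BINDINGS = {"aa:bb:cc:00:00:01": {"fe80::1", "2001:db8:1::10"},
            "aa:bb:cc:00:00:02": {"fe80::2", "2001:db8:1::20"}}
SAMPLE = [
    Packet("aa:bb:cc:00:00:01", "2001:0db8:1::10"),            # normal traffic, non-canonical spelling
    Packet("aa:bb:cc:00:00:01", "::", icmpv6_type=135),         # DAD Neighbor Solicitation from ::
    Packet("aa:bb:cc:00:00:02", "fe80::2", icmpv6_type=134),    # Router Advertisement from a client
    Packet("aa:bb:cc:00:00:02", "fe80::2", dhcpv6_msg_type=2),  # DHCPv6 Advertise from a client
    Packet("aa:bb:cc:00:00:02", "2001:db8:1::10"),              # source address bound to client 1
]
```

Calling drop_counters(SAMPLE, BINDINGS) attributes one drop per feature to client 2 and none to client 1, which is the split a per-client counter should show when one station misbehaves.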
In order to support centralized access control through a centralized AAA server such as Cisco's Identity Services Engine (ISE) or ACS, the IPv6 ACL can be provisioned on a per-client basis using AAA Override attributes. To use this feature, the IPv6 ACL must be configured on the controller and the WLAN must be configured with the AAA Override feature enabled. The actual named AAA attribute for an IPv6 ACL is Airespace-IPv6-ACL-Name, similar to the Airespace-ACL-Name attribute used for provisioning an IPv4-based ACL. The AAA attribute contents must be equal to the name of the IPv6 ACL as configured in the controller.
AAA Override for IPv6 Access Control Lists
To implement centralized access control, a centralized AAA server such as Cisco ISE or ACS is typically used; by means of AAA Override attributes, the IPv6 ACL is applied on a per-client basis.