Configuring the IPv6 Secure Neighbor Discovery protocol (SEND) on Cisco routers

Posted by 满天星 on 2010-12-29 23:10:53
Configuring the IPv6 Secure Neighbor Discovery protocol SEND (SEcure Neighbor Discovery) on Cisco routers
     Below we use Cisco routers to demonstrate how to configure the SEND protocol for IPv6 neighbor discovery. The lab uses three routers. router1.ipv6bbs.cn and router2.ipv6bbs.cn run SEND and use CGA to generate cryptographically generated global unicast and link-local addresses. The interface on router1.ipv6bbs.cn is put into full-secure mode, so it only communicates with CGA-secured neighbors, whereas router2.ipv6bbs.cn does not enable that mode and can communicate both with CGA-secured neighbors and with ordinary addresses. router3.ipv6bbs.cn uses an ordinary IPv6 address.
The network topology is shown below:

Important note:
IPv6 SEND verifies the time difference between devices, and this value can be configured manually. In a real deployment, if that option is left unconfigured, the clocks of all devices must first be synchronized; otherwise, even when every neighbor uses a CGA address, they still cannot establish a working neighbor relationship or communicate. This lab does not configure that option, and the initial clocks of the three devices were already synchronized.

Lab topology and IPv6 address assignment

    Refer to the figure below for each device's interface IPv6 addresses and interface numbers:
     



Configuration approach and procedure:

  • Enable IPv6 on every device: ipv6 unicast-routing
  • Enable IPv6 CEF on every device: ipv6 cef
  • Generate an RSA key pair on every device: crypto key generate rsa label ipv6bbs
  • Apply the RSA key pair in the CGA modifier on every device: ipv6 cga modifier rsakeypair ipv6bbs sec-level 1
         Note: after entering this command you must wait a while; the device has not hung or stopped responding. The higher the sec-level chosen, the longer the command takes to run; at sec-level 2 the wait is considerably longer.
  • Under the relevant interface, enable the CGA modifier and its RSA key pair: ipv6 cga rsakeypair ipv6bbs
  • Under the relevant interface, generate the CGA link-local address: ipv6 address fe80:: link-local cga
  • Under the relevant interface, generate the CGA global unicast address: ipv6 address 1000::/64 cga
  • Under the relevant interface, enable SEND full-secure mode: ipv6 nd secured full-secure
        Note: this command can also be entered in global configuration mode, in which case every interface on the device works in full-secure mode.
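The two CGA commands above hide a fair amount of computation: `ipv6 cga modifier ... sec-level N` searches for a modifier value, and `ipv6 address ... cga` derives the interface identifier from a hash over that modifier, the prefix and the RSA public key. The following Python block is an added example, not code from the original post or from Cisco's implementation; it implements the generation and verification procedure of RFC 3972 so the reader can see why the wait time grows with sec-level and what a SEND receiver checks. `CONSTRUCTED_PUBKEY` is a constructed stand-in for the DER-encoded public key of the `ipv6bbs` key pair, and the modifier search starts from a fixed value rather than a random one so that the run is deterministic.

```python
"""RFC 3972 Cryptographically Generated Addresses: generation and verification.
Added example illustrating what the router's CGA commands compute."""
import hashlib
import ipaddress
from dataclasses import dataclass

# Constructed stand-in for the DER-encoded RSA public key (SubjectPublicKeyInfo)
# that a router would take from the "ipv6bbs" key pair.  Any byte string works
# for the hash arithmetic; a real deployment uses the actual key.
CONSTRUCTED_PUBKEY = b"\x30\x22" + b"constructed-rsa-public-key-ipv6bbs".ljust(32, b"\x00")


@dataclass(frozen=True)
class CgaParameters:
    """The CGA Parameters structure carried in SEND's CGA option (RFC 3972 section 3)."""
    modifier: bytes        # 16 octets
    subnet_prefix: bytes   # 8 octets
    collision_count: int   # 0, 1 or 2
    public_key: bytes      # DER-encoded public key

    def encode(self) -> bytes:
        return (self.modifier + self.subnet_prefix
                + bytes([self.collision_count]) + self.public_key)


def hash2(modifier: bytes, public_key: bytes) -> bytes:
    """Hash2: leftmost 112 bits of SHA-1(modifier || 9 zero octets || public key)."""
    return hashlib.sha1(modifier + b"\x00" * 9 + public_key).digest()[:14]


def hash1(params: CgaParameters) -> bytes:
    """Hash1: leftmost 64 bits of SHA-1 over the encoded CGA Parameters."""
    return hashlib.sha1(params.encode()).digest()[:8]


def find_modifier(public_key: bytes, sec: int, start: int = 0):
    """The expensive step behind `ipv6 cga modifier ... sec-level N`: search for a
    modifier whose Hash2 has 16*sec leading zero bits.  Each sec level multiplies
    the expected number of SHA-1 evaluations by 2**16, which is why sec-level 2
    takes so much longer than sec-level 1 on a router.  Returns (modifier, iterations).
    `start` is fixed for a deterministic demo; real implementations start at random."""
    modifier = start
    iterations = 0
    while True:
        iterations += 1
        m = modifier.to_bytes(16, "big")
        if hash2(m, public_key)[:2 * sec] == b"\x00" * (2 * sec):
            return m, iterations
        modifier = (modifier + 1) % (1 << 128)


def generate_cga(prefix: str, public_key: bytes, sec: int, modifier: bytes,
                 collision_count: int = 0):
    """Steps 4-7 of RFC 3972 section 4: interface identifier from Hash1,
    u/g bits cleared, sec written into the three leftmost bits."""
    subnet_prefix = ipaddress.IPv6Address(prefix).packed[:8]
    params = CgaParameters(modifier, subnet_prefix, collision_count, public_key)
    iid = bytearray(hash1(params))
    iid[0] = (iid[0] & 0x1C) | (sec << 5)   # bits 0-2 = sec, bits 6-7 (u/g) = 0
    return ipaddress.IPv6Address(subnet_prefix + bytes(iid)), params


def verify_cga(address, params: CgaParameters) -> bool:
    """RFC 3972 section 5: the check a SEND receiver runs on a CGA option."""
    addr = ipaddress.IPv6Address(address).packed
    if params.collision_count > 2:
        return False
    if params.subnet_prefix != addr[:8]:
        return False
    iid, h1 = addr[8:], hash1(params)
    # Differences in bits 0-2 (sec) and 6-7 (u/g) of the first octet are ignored.
    if (iid[0] & 0x1C) != (h1[0] & 0x1C) or iid[1:] != h1[1:]:
        return False
    sec = iid[0] >> 5
    return hash2(params.modifier, params.public_key)[:2 * sec] == b"\x00" * (2 * sec)


def demo(sec: int = 1):
    """Generate a sec-level `sec` CGA under the lab prefix 1000::/64."""
    modifier, tries = find_modifier(CONSTRUCTED_PUBKEY, sec)
    address, params = generate_cga("1000::", CONSTRUCTED_PUBKEY, sec, modifier)
    return address, params, tries


if __name__ == "__main__":
    address, params, tries = demo()
    print(f"modifier found after {tries} SHA-1 evaluations")
    print(f"CGA {address} verifies: {verify_cga(address, params)}")
```

A quick sanity check against the output later in the post: every CGA the routers generated (1000::38D9:..., FE80::2871:..., 1000::38D1:..., FE80::38B2:...) has a first interface-identifier octet of 0x38 or 0x28, whose three leftmost bits are 001, i.e. sec-level 1, and whose u/g bits are zero, exactly as the generation step above requires.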



Configuration steps on router1.ipv6bbs.cn:

router1.ipv6bbs.cn con0 is now available

Press RETURN to get started.

router1.ipv6bbs.cn>enable
router1.ipv6bbs.cn#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
router1.ipv6bbs.cn(config)#ipv6 unicast-routing
router1.ipv6bbs.cn(config)#ipv6 cef
router1.ipv6bbs.cn(config)#ipv6 router ospf 100
router1.ipv6bbs.cn(config-rtr)#
*Dec 29 22:20:33.751: %OSPFv3-4-NORTRID: OSPFv3 process 100 could not pick a router-id,
please configure manually
router1.ipv6bbs.cn(config-rtr)#router-id 1.1.1.1
router1.ipv6bbs.cn(config-rtr)#exit
router1.ipv6bbs.cn(config)#crypto key generate  rsa label ipv6bbs
The name for the keys will be: ipv6bbs
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

router1.ipv6bbs.cn(config)#
*Dec 29 22:21:11.939: %SSH-5-ENABLED: SSH 1.99 has been enabled
router1.ipv6bbs.cn(config)#ipv6 cga modifier rsakeypair ipv6bbs sec-level 1
router1.ipv6bbs.cn(config)#interface fastEthernet 1/0
router1.ipv6bbs.cn(config-if)#ipv6 enable
router1.ipv6bbs.cn(config-if)#ipv6 cga rsakeypair ipv6bbs
router1.ipv6bbs.cn(config-if)#ipv6 address fe80:: link-local  cga
router1.ipv6bbs.cn(config-if)#ipv6 address 1000::/64 cga
router1.ipv6bbs.cn(config-if)#ipv6 nd secured  full-secure
router1.ipv6bbs.cn(config-if)#ipv6 ospf 100 area 0
router1.ipv6bbs.cn(config-if)#no shutdown
router1.ipv6bbs.cn(config-if)#
*Dec 29 22:22:51.379: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Dec 29 22:22:52.379: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
router1.ipv6bbs.cn(config-if)#^Z
router1.ipv6bbs.cn#
router1.ipv6bbs.cn#show running-config  interface  fastEthernet  1/0
Building configuration...

Current configuration : 233 bytes
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
ipv6 cga rsakeypair ipv6bbs
ipv6 address FE80:: link-local cga
ipv6 address 1000::/64 cga
ipv6 enable
ipv6 nd secured full-secure
ipv6 ospf 100 area 0
!
end

router1.ipv6bbs.cn#show interface fastEthernet  1/0
FastEthernet1/0 is up, line protocol is up
  Hardware is i82543 (Livengood), address is ca00.1694.001c (bia ca00.1694.001c)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:09:26, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     82 packets input, 23892 bytes
     Received 82 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     62 packets output, 16951 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     14 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
router1.ipv6bbs.cn#
router1.ipv6bbs.cn#show ipv6 interface fastethernet 1/0
FastEthernet1/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::2871:40B8:5B64:F0EA
  No Virtual link-local address(es):
  Global unicast address(es):
    1000::38D9:8CA7:3FAC:AB7F, subnet is 1000::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::5
    FF02::1:FF64:F0EA
    FF02::1:FFAC:AB7F
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
router1.ipv6bbs.cn#



Configuration steps on router2.ipv6bbs.cn:

router2.ipv6bbs.cn con0 is now available

Press RETURN to get started.

router2.ipv6bbs.cn>enable
router2.ipv6bbs.cn#configure  terminal
Enter configuration commands, one per line.  End with CNTL/Z.
router2.ipv6bbs.cn(config)#ipv6 unicast-routing
router2.ipv6bbs.cn(config)#ipv6 cef
router2.ipv6bbs.cn(config)#ipv6 router ospf 100
router2.ipv6bbs.cn(config-rtr)#
*Dec 29 22:28:53.711: %OSPFv3-4-NORTRID: OSPFv3 process 100 could not pick a router-id,
please configure manually
router2.ipv6bbs.cn(config-rtr)#router-id  2.2.2.2
router2.ipv6bbs.cn(config-rtr)#exit
router2.ipv6bbs.cn(config)#crypto  key generate  rsa  label  ipv6bbs
The name for the keys will be: ipv6bbs
Choose the size of the key modulus in the range of 360 to 2048 for your
  General Purpose Keys. Choosing a key modulus greater than 512 may take
  a few minutes.

How many bits in the modulus [512]: 1024
% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]

router2.ipv6bbs.cn(config)#
*Dec 29 22:29:34.607: %SSH-5-ENABLED: SSH 1.99 has been enabled
router2.ipv6bbs.cn(config)#ipv6 cga modifier rsakeypair ipv6bbs sec-level 1
router2.ipv6bbs.cn(config)#interface fastEthernet  1/0
router2.ipv6bbs.cn(config-if)#ipv6 enable
router2.ipv6bbs.cn(config-if)#ipv6 cga rsakeypair ipv6bbs
router2.ipv6bbs.cn(config-if)#ipv6 addres fe80:: link-local  cga
router2.ipv6bbs.cn(config-if)#ipv6 address 1000::/64 cga
router2.ipv6bbs.cn(config-if)#ipv6 ospf 100 area 0
router2.ipv6bbs.cn(config-if)#no shutdown
router2.ipv6bbs.cn(config-if)#
*Dec 29 22:30:55.051: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
router2.ipv6bbs.cn(config-if)#
*Dec 29 22:30:56.051: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
*Dec 29 22:30:58.399: %OSPFv3-5-ADJCHG: Process 100, Nbr 1.1.1.1 on FastEthernet1/0 from LOADING to FULL, Loading Done
router2.ipv6bbs.cn(config-if)#
router2.ipv6bbs.cn(config-if)#^Z
router2.ipv6bbs.cn#show running-config  interface  fastEthernet  1/0
Building configuration...

Current configuration : 204 bytes
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
ipv6 cga rsakeypair ipv6bbs
ipv6 address FE80:: link-local cga
ipv6 address 1000::/64 cga
ipv6 enable
ipv6 ospf 100 area 0
!
end

router2.ipv6bbs.cn#show interfaces  fastEthernet  1/0
FastEthernet1/0 is up, line protocol is up
  Hardware is i82543 (Livengood), address is ca01.1694.001c (bia ca01.1694.001c)
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, 100BaseTX/FX
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:00:01, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     96 packets input, 26028 bytes
     Received 91 broadcasts, 0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog
     0 input packets with dribble condition detected
     75 packets output, 18510 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     14 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier
     0 output buffer failures, 0 output buffers swapped out
router2.ipv6bbs.cn#show ipv6 interface fastEthernet  1/0
FastEthernet1/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::38B2:B65B:7E9D:E1F9
  No Virtual link-local address(es):
  Global unicast address(es):
    1000::38D1:B80B:7AD:D958, subnet is 1000::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::5
    FF02::6
    FF02::1:FF9D:E1F9
    FF02::1:FFAD:D958
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
router2.ipv6bbs.cn#



Configuration steps on router3.ipv6bbs.cn:

router3.ipv6bbs.cn con0 is now available

Press RETURN to get started.

router3.ipv6bbs.cn>enable
router3.ipv6bbs.cn#configure  terminal
Enter configuration commands, one per line.  End with CNTL/Z.
router3.ipv6bbs.cn(config)#ipv6  unicast-routing
router3.ipv6bbs.cn(config)#ipv6 cef
router3.ipv6bbs.cn(config)#ipv6 router ospf 100
router3.ipv6bbs.cn(config-rtr)#
*Dec 29 22:32:09.799: %OSPFv3-4-NORTRID: OSPFv3 process 100 could not pick a router-id,
please configure manually
router3.ipv6bbs.cn(config-rtr)#router-id  3.3.3.3
router3.ipv6bbs.cn(config-rtr)#exit
router3.ipv6bbs.cn(config)#interface  fastEthernet  1/0
router3.ipv6bbs.cn(config-if)#ipv6 enable
router3.ipv6bbs.cn(config-if)#ipv6 address 1000::3/64
router3.ipv6bbs.cn(config-if)#ipv6 ospf 100 area 0
router3.ipv6bbs.cn(config-if)#no shutdown
router3.ipv6bbs.cn(config-if)#
*Dec 29 22:32:51.647: %LINK-3-UPDOWN: Interface FastEthernet1/0, changed state to up
*Dec 29 22:32:52.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet1/0, changed state to up
*Dec 29 22:32:56.339: %OSPFv3-5-ADJCHG: Process 100, Nbr 2.2.2.2 on FastEthernet1/0 from LOADING to FULL, Loading Done
router3.ipv6bbs.cn(config-if)#^Z
router3.ipv6bbs.cn#
router3.ipv6bbs.cn#show running-config  interface  fastEthernet  1/0
Building configuration...

Current configuration : 136 bytes
!
interface FastEthernet1/0
no ip address
duplex auto
speed auto
ipv6 address 1000::3/64
ipv6 enable
ipv6 ospf 100 area 0
!
end

router3.ipv6bbs.cn#show ipv6 interface fastEthernet  1/0
FastEthernet1/0 is up, line protocol is up
  IPv6 is enabled, link-local address is FE80::C802:12FF:FE4C:1C
  No Virtual link-local address(es):
  Global unicast address(es):
    1000::3, subnet is 1000::/64
  Joined group address(es):
    FF02::1
    FF02::2
    FF02::5
    FF02::1:FF00:3
    FF02::1:FF4C:1C
  MTU is 1500 bytes
  ICMP error messages limited to one every 100 milliseconds
  ICMP redirects are enabled
  ICMP unreachables are sent
  ND DAD is enabled, number of DAD attempts: 1
  ND reachable time is 30000 milliseconds (using 30000)
  ND advertised reachable time is 0 (unspecified)
  ND advertised retransmit interval is 0 (unspecified)
  ND router advertisements are sent every 200 seconds
  ND router advertisements live for 1800 seconds
  ND advertised default router preference is Medium
  Hosts use stateless autoconfig for addresses.
router3.ipv6bbs.cn#


Checking each device's OSPFv3 neighbor state and pinging the other devices' interface IPv6 addresses

All devices have now been configured according to the topology. On router1.ipv6bbs.cn we can view the OSPFv3 neighbors and ping the peer devices' interface IPv6 addresses.
Because both router1.ipv6bbs and router2.ipv6bbs use CGA addresses, they ping each other normally; OSPFv3 also uses the CGA link-local addresses, and the adjacency forms normally.
router1.ipv6bbs has full-secure mode enabled, so it cannot communicate with router3.ipv6bbs's ordinary address and cannot form an OSPFv3 adjacency with it, which guarantees that this device's neighbors are secure and trusted.

router1.ipv6bbs.cn#
router1.ipv6bbs.cn#show  ipv6 ospf  neighbor

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
2.2.2.2           1   FULL/BDR        00:00:39    4               FastEthernet1/0
3.3.3.3           1   EXCHANGE/DROTHER00:00:39    4               FastEthernet1/0
router1.ipv6bbs.cn# ping ipv6 1000::38D1:B80B:7AD:D958

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1000::38D1:B80B:7AD:D958, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 144/335/964 ms
router1.ipv6bbs.cn#ping ipv6 1000::3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1000::3, timeout is 2 seconds:
....
*Dec 29 22:35:02.823: %OSPFv3-5-ADJCHG: Process 100, Nbr 3.3.3.3 on FastEthernet1/0 from EXCHANGE to DOWN, Neighbor Down: Too many retransmits.
Success rate is 0 percent (0/5)
router1.ipv6bbs.cn#
router1.ipv6bbs.cn#

router2.ipv6bbs.cn does not have full-secure mode enabled, so it can communicate both with CGA addresses and with ordinary addresses; this is a compatibility or transition mode.
View the OSPFv3 neighbor state on router2 and ping the interface addresses of the other two devices:

router2.ipv6bbs.cn#show ipv6 ospf neighbor

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
1.1.1.1           1   FULL/DR         00:00:35    4               FastEthernet1/0
3.3.3.3           1   FULL/DROTHER    00:00:36    4               FastEthernet1/0

router2.ipv6bbs.cn#ping ipv6 1000::38D9:8CA7:3FAC:AB7F

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1000::38D9:8CA7:3FAC:AB7F, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0/94/156 ms
router2.ipv6bbs.cn#ping ipv6 1000::3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1000::3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/167/516 ms
router2.ipv6bbs.cn#


router3 uses an ordinary IPv6 address with no CGA, so it cannot form an adjacency with router1.ipv6bbs.cn or ping it, but it can ping router2.ipv6bbs.cn normally and form an OSPFv3 adjacency with it.
At the same time, the OSPFv3 neighbor for router1 on this device goes to the DOWN state after repeated retransmits.
View the OSPFv3 neighbor state on router3:

router3.ipv6bbs.cn#show ipv6 ospf neighbor

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
1.1.1.1           1   EXSTART/DR      00:00:32    4               FastEthernet1/0
2.2.2.2           1   FULL/BDR        00:00:33    4               FastEthernet1/0
router3.ipv6bbs.cn#
*Dec 29 22:35:05.807: %OSPFv3-5-ADJCHG: Process 100, Nbr 1.1.1.1 on FastEthernet1/0 from EXSTART to DOWN, Neighbor Down: Too many retransmits
router3.ipv6bbs.cn#
router3.ipv6bbs.cn#ping ipv6 1000::38D9:8CA7:3FAC:AB7F

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1000::38D9:8CA7:3FAC:AB7F, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
router3.ipv6bbs.cn# ping ipv6 1000::38D1:B80B:7AD:D958

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 1000::38D1:B80B:7AD:D958, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 108/197/312 ms
router3.ipv6bbs.cn#
*Dec 29 22:38:18.571: %OSPFv3-5-ADJCHG: Process 100, Nbr 1.1.1.1 on FastEthernet1/0 from EXSTART to DOWN, Neighbor Down: Too many retransmits
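The three outcomes above (router1 accepting only router2, router2 accepting everyone, router3 losing its router1 adjacency after retransmits) and the clock-synchronization note at the top of the post are both consequences of the receiver-side policy SEND applies to each Neighbor Discovery message. The following Python block is an added example, not code from the original post or from Cisco IOS: it models that policy with the timestamp rule of RFC 3971 section 5.3.4.2 (default delta 300 s for a previously unknown peer, default fuzz 1 s for a known one) and the two acceptance modes seen in the lab. Router names, the `NdMessage` fields and the `secured` flag (meaning the CGA and RSA Signature options were present and verified) are constructed for the demonstration.

```python
"""Receiver-side SEND policy: timestamp check plus full-secure versus mixed mode.
Added example modelled on RFC 3971; not Cisco's implementation."""
from dataclasses import dataclass, field
from typing import Dict, Optional

DEFAULT_DELTA = 300.0   # RFC 3971 TIMESTAMP_DELTA: allowed skew for a new peer (seconds)
DEFAULT_FUZZ = 1.0      # RFC 3971 TIMESTAMP_FUZZ: slack for a known peer (seconds)


@dataclass
class NdMessage:
    """A received NS/NA reduced to the fields this policy needs (constructed)."""
    src: str
    secured: bool                       # CGA + RSA Signature options present and verified
    timestamp: Optional[float] = None   # SEND Timestamp option, seconds since epoch


@dataclass
class PeerState:
    ts_last: float   # timestamp carried in the last accepted message from this peer
    rd_last: float   # local receive time of that message


@dataclass
class NeighborCache:
    full_secure: bool = False
    delta: float = DEFAULT_DELTA
    fuzz: float = DEFAULT_FUZZ
    peers: Dict[str, PeerState] = field(default_factory=dict)
    entries: Dict[str, str] = field(default_factory=dict)   # src -> "secured"/"unsecured"

    def timestamp_ok(self, msg: NdMessage, now: float) -> bool:
        """RFC 3971 5.3.4.2: new peers must be within delta of our clock; known
        peers must not move backwards in time by more than the fuzz."""
        ts, state = msg.timestamp, self.peers.get(msg.src)
        if state is None:
            return abs(now - ts) < self.delta
        return (ts + self.fuzz > state.ts_last
                and now + self.fuzz > state.rd_last + (ts - state.ts_last))

    def receive(self, msg: NdMessage, now: float) -> str:
        """Decide whether an ND message may update the neighbor cache."""
        if not msg.secured:
            if self.full_secure:
                # What router1 does with router3's plain NS/NA: drop it, so no
                # neighbor entry forms and OSPFv3 retransmits until it gives up.
                return "dropped: unsecured message in full-secure mode"
            if self.entries.get(msg.src) == "secured":
                # Mixed mode (router2): unsecured traffic is allowed, but it must
                # not replace an entry that was learned from secured messages.
                return "dropped: would downgrade a secured cache entry"
            self.entries[msg.src] = "unsecured"
            return "accepted (unsecured)"
        if msg.timestamp is None or not self.timestamp_ok(msg, now):
            # This is the failure the post's note warns about: valid CGA, but the
            # sender's clock is too far from ours, so the message is still rejected.
            return "dropped: timestamp outside the allowed window (clocks not synchronised?)"
        self.peers[msg.src] = PeerState(msg.timestamp, now)
        self.entries[msg.src] = "secured"
        return "accepted (secured)"


def lab_scenario(now: float = 1_000_000.0) -> Dict[str, str]:
    """Replay the three outcomes from the post with the model above."""
    router1 = NeighborCache(full_secure=True)
    router2 = NeighborCache(full_secure=False)
    return {
        "router1<-router2": router1.receive(NdMessage("router2", True, now - 2), now),
        "router1<-router3": router1.receive(NdMessage("router3", False), now),
        "router2<-router1": router2.receive(NdMessage("router1", True, now - 1), now),
        "router2<-router3": router2.receive(NdMessage("router3", False), now),
        # Same CGA-secured router2, but with a clock 10 minutes off: still rejected.
        "router1<-router2 (skewed)": NeighborCache(full_secure=True).receive(
            NdMessage("router2", True, now - 600), now),
    }


if __name__ == "__main__":
    for pair, verdict in lab_scenario().items():
        print(f"{pair:28} {verdict}")
```

The skewed case in `lab_scenario` is the one to keep in mind when deploying SEND for real: the CGA verification passes, yet the message is dropped, and from the router's perspective the neighbor simply never comes up, just as the post's note describes.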
