Engineering 4 Project 4 IPv6 Security Configuration Materials.ppt

The above example shows a site where global and site-local IPv6 addresses are assigned to hosts on the network. Site-local addresses should not be sent out to the Internet. The network administrator decides to place an outgoing filter on the border router to prevent site-local addresses from leaking out to the Internet. The access list named "blocksite" has 2 entries:

    ipv6 access-list blocksite deny fec0:0:0:2::/64 any
    ipv6 access-list blocksite permit any any

The first command denies the site-local prefix fec0:0:0:2::/64. If the first 64 bits of a packet's source address match this prefix, the packet is prevented from going out of interface ethernet 0. The second command allows any other source address to go out to the Internet. If the "permit any" command is not applied, the implicit "deny all" at the end of any access list will prevent any packets from going out.

There are some commands to help with access-list troubleshooting:

Use show ipv6 access-list (name) to see which commands have been applied and in which order.

Use show run to verify that the correct named filter has been applied to the correct interface and in the right direction. Also verify that the access-list commands were entered properly.

Use debug ipv6 packet and debug ipv6 nd to confirm that the router is sending and receiving the correct packets in and out of the desired interfaces.

Use debug ipv6 icmp to check whether echo request/reply packets are being sent or received.

IPv6 Security Configuration
Engineering 4, Project 4
Lectures 31-32

Contents of this lecture
IPv6 security
IPv6 ACL
IPv6 DHCP
IPv6 DNS

4.1 IPv6 Security

Because IPv4 was designed without much consideration for network security, the rapid growth of the Internet and the ever wider and deeper use of applications have exposed this design shortcoming and caused more and more network security problems. Security mechanisms were later adopted at the application level, such as encryption and the Secure Socket Layer (SSL), but these still cannot guarantee network security at the IP layer.

The IPsec protocol is a workable network security mechanism that addresses security at the IP layer. It is optional for IPv4 but mandatory for IPv6, and it is the core of IPv6 network security.

IPsec is made up of a series of protocols that together provide a complete security solution for IP networks. The combination of these protocols gives application entities several kinds of protection and also forms the IPsec architecture.

Encapsulating Security Payload (ESP): ESP defines the message formats and processing rules for ESP encryption and authentication processing.

Authentication Header (AH): AH defines the message formats and processing rules for AH authentication processing.

Encryption algorithms: describe how the various encryption algorithms are used in ESP.

Authentication algorithms: describe how the various authentication algorithms are applied in AH and ESP.

1. Transmission security

4.1 IPv6 安
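The "blocksite" filter from the notes above, modelled in Python as an added example (not code from the original slides): it applies first-match evaluation with the implicit deny to constructed source addresses, and goes beyond the slide by comparing two variants. The reordered list and the fec0::/10 variant are assumptions added for comparison; only the source prefix is modelled because both entries use destination "any".

```python
import ipaddress

ANY = "::/0"  # models the keyword "any"


def evaluate(acl, src):
    """Return the action of the first entry whose prefix contains src."""
    addr = ipaddress.IPv6Address(src)
    for action, prefix in acl:
        if addr in ipaddress.IPv6Network(prefix):
            return action
    return "deny"  # implicit "deny all" at the end of every access list


# The two blocksite entries exactly as given in the notes.
BLOCKSITE = [("deny", "fec0:0:0:2::/64"), ("permit", ANY)]
# Same list with the "permit any any" entry left out.
NO_PERMIT = [("deny", "fec0:0:0:2::/64")]
# Assumption: entries entered in the wrong order (what "show ipv6
# access-list" would reveal during troubleshooting).
REORDERED = [("permit", ANY), ("deny", "fec0:0:0:2::/64")]
# Assumption: variant that denies the whole site-local range fec0::/10
# instead of a single /64.
ALL_SITE_LOCAL = [("deny", "fec0::/10"), ("permit", ANY)]

# Constructed sample source addresses.
SAMPLES = {
    "site-local subnet 2": "fec0:0:0:2::10",
    "site-local subnet 3": "fec0:0:0:3::10",
    "global": "2001:db8:0:2::10",
}


def verdicts(acl):
    """Evaluate every sample source against one access list."""
    return {label: evaluate(acl, src) for label, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, acl in [("blocksite", BLOCKSITE), ("no permit", NO_PERMIT),
                      ("reordered", REORDERED),
                      ("all site-local", ALL_SITE_LOCAL)]:
        print(f"{name:15}", verdicts(acl))
```

As written on the slide, blocksite stops only the one /64: a source in another site-local subnet still matches "permit any any" and leaves the site.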
