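Qianyitang's Jun Ge: Some Techniques for Last-Hop Security in IPv6 Wireless Networks

Published: 2020-07-14 05:32:20 | Source: Internet | Views: 1180 | Author: EnderJoe | Category: Security Technology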

1.RA Throttling
Router Advertisement Throttling
Router Advertisement (RA) throttling allows the controller to enforce rate limiting of RAs headed towards the wireless network. By enabling RA throttling, routers that are configured to send RAs frequently (every 3 seconds) can be trimmed back to a minimum frequency that will still maintain IPv6 client connectivity. This allows airtime to be optimized by reducing the number of multicast packets that must be sent. In all cases, if a client sends a Router Solicitation (RS), then an RA will be allowed through the controller and unicast to the requesting client. This is to ensure that new clients or roaming clients are not negatively impacted by RA throttling.

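Note: When RA throttling occurs, only the first IPv6-capable router is allowed through. For networks that have multiple IPv6 prefixes being served by different routers, RA throttling must be disabled.
Throttling RAs (Router Advertisements)
RA throttling lets the wireless controller enforce rate limiting on RA packets headed toward the wireless network. With RA throttling enabled, a router's RA transmission frequency (once every 3 seconds) can be reduced to a minimum while IPv6 client connectivity is maintained. Reducing the number of multicast packets sent optimizes airtime. In all scenarios, if a client sends an RS packet, an RA is allowed through and sent by unicast to the requesting client. This ensures that new or roaming clients are not affected by RA throttling.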

2.IPv6 Source Guard
The IPv6 source guard feature prevents a wireless client from spoofing the IPv6 address of another client. This feature is analogous to IPv4 source guard. IPv6 source guard is enabled by default.
The IPv6 source guard feature prevents one wireless client from impersonating another IPv6 client; it is similar to IPv4 source guard.

3.IPv6 Access Control Lists
In order to restrict access to certain upstream wired resources or block certain applications, IPv6 Access Control Lists can be used to identify traffic and permit or deny it. IPv6 Access Lists support the same options as IPv4 Access Lists, including source, destination, source port, and destination port (port ranges are also supported). The wireless controller supports up to 64 unique IPv6 ACLs with 64 unique rules in each. The wireless controller continues to support an additional 64 unique IPv4 ACLs with 64 unique rules in each, for a total of 128 ACLs for a dual-stack client.
IPv6 Access Control Lists
To restrict access to specific upstream wired network resources or block specific applications, IPv6 ACLs can be used to identify traffic and then permit or deny it. They are similar to IPv4 ACLs and can include options such as source and destination addresses and source and destination ports. The wireless controller supports up to 64 ACLs, each containing up to 64 rules.

4.DHCPv6 Server Guard
The DHCPv6 Server guard feature prevents wireless clients from handing out IPv6 addresses to other wireless clients or wired clients upstream. To prevent DHCPv6 addresses from being handed out, all DHCPv6 advertise packets from wireless clients are dropped. This feature operates on the controller, requires no configuration and is enabled automatically.
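The DHCPv6 Server Guard feature prevents wireless clients from handing out IPv6 addresses to other wireless clients or to wired clients upstream. To prevent DHCPv6 addresses from being handed out, all DHCPv6 Advertise packets from wireless clients are dropped.
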
5.Router Advertisement Guard
The RA Guard feature increases the security of the IPv6 network by dropping router advertisements coming from wireless clients. Without this feature, misconfigured or malicious IPv6 clients could announce themselves as a router for the network, often with a high priority, which could take precedence over legitimate IPv6 routers.
By default, RA guard is enabled at the AP (but can be disabled) and is always enabled on the controller. Dropping RAs at the AP is preferred as it is a more scalable solution and provides enhanced per-client RA drop counters. In all cases, the IPv6 RA is dropped at some point, protecting other wireless clients and upstream wired network from malicious or misconfigured IPv6 clients.
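RA Guard: this feature strengthens the security of the IPv6 network by dropping RA packets that come from wireless clients. Without it, misconfigured or malicious IPv6 clients could advertise themselves as routers with a high priority, which would let them take the place of the correct, legitimate IPv6 routers.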
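
The drop decisions described in sections 4 and 5 (DHCPv6 Server Guard and RA Guard), written out as an added Python sketch; it is not Cisco's implementation and not code from the original post. The function names, verdict labels, the match on UDP destination port 546, and the extension-header walk (which goes beyond what the text states) are assumptions, and every packet is a constructed sample.

```python
import ipaddress
import struct

EXT_HDRS = {0, 43, 44, 60}   # hop-by-hop, routing, fragment, destination options

def upper_layer(pkt: bytes):
    """Walk the IPv6 header chain; return (protocol, payload) of the upper layer."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off = pkt[6], 40
    while nxt in EXT_HDRS:
        if off + 8 > len(pkt):
            raise ValueError("truncated header chain")
        if nxt == 44:                                   # fragment header, fixed 8 bytes
            if struct.unpack_from("!H", pkt, off + 2)[0] >> 3:
                return None, b""                        # non-first fragment: nothing to inspect
            hdr_len = 8
        else:
            hdr_len = (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + hdr_len
    return nxt, pkt[off:]

def verdict(pkt: bytes) -> str:
    """Decision for a packet received from a wireless client (labels are made up here)."""
    try:
        proto, data = upper_layer(pkt)
    except ValueError:
        return "drop-malformed"
    if proto == 58 and data[:1] == b"\x86":             # ICMPv6 type 134 = Router Advertisement
        return "drop-ra-guard"
    if proto == 17 and len(data) >= 9:                  # UDP header is 8 bytes
        dport = struct.unpack_from("!H", data, 2)[0]
        if dport == 546 and data[8] == 2:               # DHCPv6 Advertise sent to a client port
            return "drop-dhcpv6-server-guard"
    return "forward"

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Constructed sample packet, fe80::bad -> ff02::1; checksums are left at zero."""
    src, dst = (ipaddress.IPv6Address(a).packed for a in ("fe80::bad", "ff02::1"))
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 255) + src + dst + payload

RA = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0)      # constructed RA body
RS = struct.pack("!BBHI", 133, 0, 0, 0)                           # constructed Router Solicitation
DEST_OPTS = bytes([58, 0, 1, 4, 0, 0, 0, 0])                      # dest-options header, PadN only
ADVERTISE = struct.pack("!HHHH", 547, 546, 12, 0) + b"\x02\xaa\xbb\xcc"   # UDP + DHCPv6 type 2

if __name__ == "__main__":
    for pkt in (ipv6(58, RA), ipv6(60, DEST_OPTS + RA), ipv6(17, ADVERTISE), ipv6(58, RS)):
        print(verdict(pkt))
```

A Router Solicitation or a DHCPv6 Solicit from the same client is forwarded, which matches the text: only the server-side and router-side messages are dropped when they originate on the wireless side.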

6.AAA Override for IPv6 ACLs
In order to support centralized access control through a centralized AAA server such as Cisco’s Identity Services Engine (ISE) or ACS, the IPv6 ACL can be provisioned on a per-client basis using AAA Override attributes. To use this feature, the IPv6 ACL must be configured on the controller and the WLAN must be configured with the AAA Override feature enabled. The actual named AAA attribute for an IPv6 ACL is Airespace-IPv6-ACL-Name, similar to the Airespace-ACL-Name attribute used for provisioning an IPv4-based ACL. The AAA attribute contents must be equal to the name of the IPv6 ACL as configured in the controller.
AAA Override for IPv6 Access Control Lists
To implement centralized access control, a centralized AAA server such as Cisco's ISE or ACS is typically used; with AAA Override attributes, the IPv6 ACL is applied to each client.