-
Cisco IOS IPv6 Configuration Guide, Release 12.4T
-
Start Here: Cisco IOS Software Release Specifics for IPv6 Features
-
Implementing IPv6 Addressing and Basic Connectivity
-
Implementing ADSL and Deploying Dial Access for IPv6
-
Implementing Multiprotocol BGP for IPv6
-
Implementing DHCP for IPv6
-
Implementing Dynamic Multipoint VPN for IPv6
-
Implementing EIGRP for IPv6
-
Configuring First Hop Redundancy Protocols in IPv6
-
Implementing IPv6 Secure Neighbor Discovery
-
Implementing IPsec in IPv6 Security
-
Implementing IS-IS for IPv6
-
Implementing IPv6 for Network Management
-
Implementing Mobile IPv6
-
Implementing IPv6 Multicast
-
Implementing NAT-PT for IPv6
-
Implementing NetFlow for IPv6
-
Netflow v9 for IPv6
-
Implementing NTPv4 in IPv6
-
Implementing OSPF for IPv6
-
Implementing IPv6 over MPLS
-
Implementing IPv6 VPN over MPLS
-
Implementing Policy-Based Routing for IPv6
-
Implementing QoS for IPv6
-
Implementing RIP for IPv6
-
Implementing Traffic Filters and Firewalls for IPv6 Security
-
Implementing Static Routes for IPv6
-
Implementing Tunneling for IPv6
-
Implementing VoIP for IPv6
-
Table Of Contents
Implementing IPv6 Secure Neighbor Discovery
Prerequisites for Implementing SeND for IPv6
Information About Implementing SeND for IPv6
IPv6 Neighbor Discovery Trust Models and Threats
Cryptographically Generated Address
Authorization Delegation Discovery
Host-to-Host Deployment Without a Trust Anchor
Router Advertisement and Certificate Path Flows
How to Implement SeND for IPv6
Configuring Certificate Servers to Enable SeND
Configuring a Host to Enable SeND
Configuring a Router to Enable SeND
Creating the RSA Key Pair and CGA Modifier for the Key Pair
Configuring Certificate Enrollment for a PKI
Configuring a Cryptographically Generated Address
Configuring General CGA Parameters
Configuring CGA Address Generation on an Interface
Configuring the SeND Trustpoint
Configuring SeND Trust Anchors on the Interface
Configuring Secured and Nonsecured Neighbor Discovery Message Coexistence Mode
Configuring SeND Parameters Globally
Configuring the SeND Time Stamp
Configuration Examples for Implementing SeND for IPv6
Configuring Certificate Servers: Example
Configuring a Host to Enable SeND: Example
Configuring a Router to Enable SeND: Example
Configuring a SeND Trustpoint in Router Mode: Example
Configuring SeND Trust Anchors in the Host Mode: Example
Configuring CGA Address Generation on an Interface: Example
Feature Information for Implementing SeND for IPv6
Implementing IPv6 Secure Neighbor Discovery
First Published: February 27, 2009Last Updated: February 27, 2009This document provides information about configuring the Secure Neighbor Discovery (SeND) protocol for IPv6.
The SeND feature is designed to counter the threats of the Neighbor Discovery Protocol (NDP). SeND defines a set of neighbor discovery options and two neighbor discovery messages. SeND also defines a new autoconfiguration mechanism to establish address ownership.
Finding Feature Information
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Implementing SeND for IPv6" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS, image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Contents
•
Prerequisites for Implementing SeND for IPv6
•
•
•
•
Prerequisites for Implementing SeND for IPv6
SeND feature is available on crypto images because it involves using cryptographic libraries.
Information About Implementing SeND for IPv6
To configure the SeND protocol for IPv6, you should understand the following concepts:
•
IPv6 Neighbor Discovery Trust Models and Threats
There are three IPv6 neighbor discovery trust models, which are described as follows:
•
•
•
Nodes on the same link use NDP to discover each other's presence and link-layer addresses, to find routers, and to maintain reachability information about the paths to active neighbors. NDP is used by both hosts and routers. The original NDP specifications used IPsec to protect NDP messages. However, not many detailed instructions for using IPsec are available. The number of manually configured security associations needed for protecting NDP can be very large, which makes that approach impractical for most purposes. These threats need to be considered and eliminated.
SeND Protocol
The SeND protocol counters NDP threats. It defines a set of new ND options, and two new ND messages (Certification Path Solicitation (CPS) and Certification Path Answer (CPA)). It also defines a new autoconfiguration mechanism to be used in conjunction with the new ND options to establish address ownership.
SeND defines the mechanisms defined in the following sections for securing the NDP:
•
•
Cryptographically Generated Address
Cryptographically generated addresses (CGAs) are IPv6 addresses generated from the cryptographic hash of a public key and auxiliary parameters. This provides a method for securely associating a cryptographic public key with an IPv6 address in the SeND protocol.
The node generating a CGA address must first obtain a Rivest, Shamir, and Adelman (RSA) key pair (SeND uses an RSA public/private key pair). The node then computes the interface identifier part (which is the rightmost 64 bits) and appends the result to the prefix to form the CGA address.
CGA address generation is a one-time event. A valid CGA cannot be spoofed and the CGA parameters received associated to it is reused because the message must be signed with the private key that matches the public key used for CGA generation, which only the address owner will have.
A user cannot replay the complete SeND message (including the CGA address, CGA parameters, and CGA signature) because the signature has only a limited lifetime.
Authorization Delegation Discovery
Authorization delegation discovery is used to certify the authority of routers by using a trust anchor. A trust anchor is a third party that the host trusts and to which the router has a certification path. At a basic level, the router is certified by the trust anchor. In a more complex environment, the router is certified by a user that is certified by the trust anchor. In addition to certifying the router identity (or the right for a node to act as a router), the certification path contains information about prefixes that a router is allowed to advertise in router advertisements. Authorization delegation discovery enables a node to adopt a router as its default router.
SeND Deployment Models
This section describes the following SeND deployment models:
•
•
Host-to-Host Deployment Without a Trust Anchor
Deployment for SeND between hosts is straightforward. The hosts can generate a pair of RSA keys locally, autoconfigure their CGA addresses, and use them to validate their sender authority, rather than using a trust anchor to establish sender authority. Figure 1 illustrates this model.
Figure 1 Host-to-Host Deployment Model
Neighbor Solicitation Flow
In a neighbor solicitation scenario, hosts and routers in host mode exchange neighbor solicitations and neighbor advertisements. These neighbor solicitations and neighbor advertisements are secured with CGA addresses and CGA options, and have nonce, time stamp, and RSA neighbor discovery options. Figure 2 illustrates this scenario.
Figure 2 Neighbor Solicitation Flow
Host-Router Deployment Model
In many cases, hosts will not have access to the infrastructure that will enable them to obtain and announce their certificates. In these situations, hosts will secure their relationship using CGA, and secure their relationship with routers using a trusted anchor. When using router advertisements (RAs), SeND mandates that routers are authenticated through a trust anchor. Figure 3 illustrates this scenario.
Figure 3 Host-Router Deployment Model
Router Advertisement and Certificate Path Flows
Figure 4 shows the certificate exchange performed using certification path solicitation CPS/CPA SeND messages. In the illustration, Router R is certified (using an X.509 certificate) by its own CA (certificates CR). The CA itself (CA2) is certified by its own CA (certificates C2), and so on, up to a CA (CA0) that the hosts trusts. The certificate CR contains IP extensions per RFC 3779, which describes which prefix ranges the router R is allowed to announce (in RAs). This prefix range, certified by CA2, is a subset of CA2's own range, certified by CA1, and so on. Part of the validation process when a certification chain is received consists of validating the certification chain and the consistency of nested prefix ranges.
Figure 4 Router Advertisement and Certificate Path Flows
Single CA Model
The deployment model shown in Figure 3 can be simplified in an environment where both hosts and routers trust a single CA such as the Cisco certification server (CS). Figure 5 illustrates this model.
Figure 5 Single CA Deployment Model
How to Implement SeND for IPv6
The following sections describe how to configure the certificate server, the host and the router:
•
•
•
To configure SeND on a Cisco device, you must understand the following concepts:
•
Certificate Servers
Certificate servers are used to grant certificates after validating or certifying key pairs. A tool for granting certificates is mandatory in any SeND deployment. Many tools are available to grant certificates, for example, Open Secure Sockets Layer (OpenSSL) on Linux. However, very few certificate servers support granting certificates containing IP extensions. Cisco IOS certificate servers support every kind of certificate including the certificates containing the IP extensions. For more information on Cisco IOS certificates, refer to the Configuring and Managing a Cisco IOS Certificate Server module in the Cisco IOS Security Configuration Guide.
Host
SeND is available in host mode. The set of available functions on a host will be a subset of SeND functionality. CGA will be fully available and the prefix authorization delegation will be supported on the host side (sending CPS and receiving CPA).
To implement SeND, configure the host with the following parameters:
–
–
–
–
–
Router
SeND is available in router mode. You can use the ipv6 unicast-routing command to configure a node to a router. To implement SeND, configure routers with the same elements as that of the host. The routers will need to retrieve certificates of their own from a certificate server. The RSA key and subject name of the trustpoint are used to retrieve certificates from a certificate server. Once the certificate has been obtained and uploaded, the router generates a certificate request to the certificate server and installs the certificate.
Following is a summary of operations to be performed before SeND is configured on the host or router:
•
•
•
While booting, hosts and routers must either retrieve or generate their CGAs. Typically, routers will autoconfigure their CGAs once and save them (along with the key pair used in the CGA operation) into their permanent storage. At a minimum, link-local addresses on a SeND interface should be CGAs. Additionally, global addresses can be CGAs.
Configuring Certificate Servers to Enable SeND
Hosts and routers must be configured with RSA key pairs and corresponding certificate chains before the SeND parameters are configured. Perform the following task to configure the certificate server to grant certificates. Once the certificate server is configured, other parameters for the certificate server can be configured.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
DETAILED STEPSConfiguring a Host to Enable SeND
SeND is available in host mode. Before you can configure SeND parameters in host mode, first configure the host using the following commands. Once the host has been configured, SeND parameters can be configured on it.
Summary Steps
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
DETAILED STEPSConfiguring a Router to Enable SeND
SeND is available in the router mode. Before you can configure SeND parameters in router mode, first configure the router using the following commands. Once the router has been configured, the SeND parameters can be configured on it.
Summary Steps
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
DETAILED STEPSHow to Implement SeND
The tasks in the following sections explain how to implement SeND:
•
•
•
•
Creating the RSA Key Pair and CGA Modifier for the Key Pair
To create the RSA key pair and the CGA modifier for the key pair, perform the following task.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPSConfiguring Certificate Enrollment for a PKI
Certificate enrollment, which is the process of obtaining a certificate from a CA, occurs between the end host that requests the certificate and the CA. Each peer that participates in the PKI must enroll with a CA.
In IPv6, you can autoenroll or manually enroll the device certificate. The following task describes how to configure certificate enrollment for a PKI.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
DETAILED STEPSConfiguring a Cryptographically Generated Address
To configure a CGA, perform the following tasks:
•
•
Configuring General CGA Parameters
To configure general CGA parameters such as security level and key size, perform the following task.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPSConfiguring CGA Address Generation on an Interface
To configure CGA address generation on an interface, perform the following task.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPSConfiguring SeND Parameters
To configure SeND, perform the following tasks:
•
•
•
•
•
Configuring the SeND Trustpoint
In the router mode, the key pair used to generate the CGA addresses on an interface must be certified by the CA and the certificate sent on demand over the SeND protocol. One RSA key pair and associated certificate is enough for SeND to operate; however, users may use several keys, identified by different labels. SeND and CGA refer to a key directly by label or indirectly by trustpoint.
Multiple steps are required to bind SeND to a trustpoint. First a key pair is generated. Then the device refers to it in a trustpoint. Then the SeND interface configuration points to the trustpoint. There are two reasons for the multiple steps:
•
•
A CA certificate must be uploaded for the referred trustpoint. The referred trustpoint is in reality a trusted anchor.
Several trustpoints can be configured, pointing to the same RSA keys, on a given interface. This function is useful if different hosts have different trusted anchors (that is, CAs that they trust). The router can the provide each host with the certificate signed by the CA they trust.
To configure the SeND trustpoint, perform the following task.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
DETAILED STEPSConfiguring SeND Trust Anchors on the Interface
This task can be performed only in host mode. The host must be configured with one or more trust anchors. As soon as SeND is bound to a trustpoint on an interface (see "Configuring the SeND Trustpoint" section), this trustpoint is also a trust anchor.
A trust anchor configuration consists of the following items:
•
•
•
•
Because PKI has already been configured, the trust anchor configuration is accomplished by binding SeND to one or several PKI trustpoints. PKI is used to upload the corresponding certificates, which contain the required parameters (such as name and key).
This is an optional task. It allows you to select trust anchors listed in the CPS when requesting for a certificate. If you opt not to configure trust anchors, all the PKI trustpoints configured on the host will be considered.
To configure a trusted anchor on the interface perform the following task:
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPSConfiguring Secured and Nonsecured Neighbor Discovery Message Coexistence Mode
During the transition to SeND secured interfaces, network operators may want to run a particular interface with a mixture of nodes accepting secured and unsecured neighbor discovery messages. To configure the coexistence mode for secure and nonsecure neighbor discovery messages on the same interface, perform the following task.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPSConfiguring SeND Parameters Globally
To configure SeND parameters globally, perform the following optional task.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPSConfiguring the SeND Time Stamp
To configure SeND time stamp on an interface, perform the following optional task.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPSConfiguration Examples for Implementing SeND for IPv6
This section provides the following configuration examples:
•
•
•
•
•
•
Configuring Certificate Servers: Example
The following example shows how to configure certificate servers:
crypto pki server CAissuer-name C=FR, ST=fr, L=example, O=cisco, OU=nsstg, CN=CA0 lifetime ca-certificate 700 !crypto pki trustpoint CAip-extension prefix 2001::/16revocation-check crlrsakeypair CAno shutdown
Note
To display the certificate servers with IP extensions, use the show crypto pki certificates verbose command:
Router# show crypto pki certificates verboseCA CertificateStatus: AvailableVersion: 3Certificate Serial Number (hex): 01Certificate Usage: SignatureIssuer:c=FRst=frl=exampleo=ciscoou=nsstgcn=CA0Subject:c=FRst=frl=exampleo=ciscoou=nsstgcn=CA0Validity Date:start date: 09:50:52 GMT Feb 5 2009end date: 09:50:52 GMT Jan 6 2011Subject Key Info:Public Key Algorithm: rsaEncryptionRSA Public Key: (1024 bit)Signature Algorithm: MD5 with RSA EncryptionFingerprint MD5: 87DB764F 29367A65 D05CEE3D C12E0AC3Fingerprint SHA1: 04A06602 86AA72E9 43F2DB33 4A7D40A2 E2ED3325X509v3 extensions:X509v3 Key Usage: 86000000Digital SignatureKey Cert SignCRL SignatureX509v3 Subject Key ID: 75B477C6 B2CA7BBE C7866657 57C84A32 90CEFB5AX509v3 Basic Constraints:CA: TRUEX509v3 Authority Key ID: 75B477C6 B2CA7BBE C7866657 57C84A32 90CEFB5AAuthority Info Access:X509v3 IP Extension:IPv6:2001::/16Associated Trustpoints: CAConfiguring a Host to Enable SeND: Example
The following example shows how to configure a host to enable SeND:
enableconfigure terminalcrypto key generate rsa label SEND modulus 1024The name for the keys will be: SEND% The key modulus size is 1024 bits% Generating 1024 bit RSA keys, keys will be non-exportable...[OK]ipv6 cga modifier rsakeypair SEND sec-level 1crypto pki trustpoint SENDenrollment url http://209.165.200.254revocation-check noneexitcrypto pki authenticate SENDCertificate has the following attributes:Fingerprint MD5: FC99580D 0A280EB4 2EB9E72B 941E9BDAFingerprint SHA1: 22B10EF0 9A519177 145EA4F6 73667837 3A154C53% Do you accept this certificate? [yes/no]: yesTrustpoint CA certificate accepted.ipv6 nd secured sec-level minimum 1interface fastethernet 0/0ipv6 cga rsakeypair SENDipv6 address FE80::260:3EFF:FE11:6770 link-local cgaipv6 nd secured trustanchor SENDipv6 nd secured timestamp delta 300exitipv6 nd secured full-secureTo verify the configuration use the show running-config command:
host# show running-configBuilding configuration...[snip]crypto pki trustpoint SENDenrollment url http://209.165.200.225revocation-check none!interface Ethernet1/0ip address 209.165.202.129 255.255.255.0duplex halfipv6 cga rsakeypair SENDipv6 address 2001:100::/64 cgaConfiguring a Router to Enable SeND: Example
The following example shows how to configure the router to enable SeND:
enableconfigure terminalcrypto key generate rsa label SEND modulus 1024ipv6 cga modifier rsakeypair SEND sec-level 1crypto pki trustpoint SENDsubject-name C=FR, ST=PACA, L=Example, O=Cisco, OU=NSSTG, CN=routerrsakeypair SENDrevocation-check noneexitcrypto pki authenticate SENDCertificate has the following attributes:Fingerprint MD5: FC99580D 0A280EB4 2EB9E72B 941E9BDAFingerprint SHA1: 22B10EF0 9A519177 145EA4F6 73667837 3A154C53% Do you accept this certificate? [yes/no]: yesTrustpoint CA certificate accepted.crypto pki enroll SEND% Start certificate enrollment ..% Create a challenge password. You will need to verbally provide thispassword to the CA Administrator in order to revoke your certificate.For security reasons your password will not be saved in the configuration.Please make a note of it.Password:Re-enter password:% The subject name in the certificate will include: C=FR, ST=fr, L=example, O=cisco, OU=nsstg, CN=route r % The subject name in the certificate will include: Router % Include the router serial number in the subject name? [yes/no]: no % Include an IP address in the subject name? [no]:Request certificate from CA? [yes/no]: yes % Certificate request sent to CertificateAuthority % The 'show crypto pki certificate SEND verbose' commandwill show the fingerprint.*Feb 5 09:40:37.171: CRYPTO_PKI: Certificate Request Fingerprint MD5:A6892F9F 23561949 4CE96BB8 CBC85 E64*Feb 5 09:40:37.175: CRYPTO_PKI: Certificate Request Fingerprint SHA1:30832A66 E6EB37DF E578911D 383F 96A0 B30152E7*Feb 5 09:40:39.843: %PKI-6-CERTRET: Certificate received from Certificate Authorityinterface fastethernet 0/0ipv6 nd secured sec-level minimum 1ipv6 cga rsakeypair SENDipv6 address fe80::link-local cgaipv6 nd secured trustanchor SENDipv6 nd secured timestamp delta 300exitipv6 nd secured full-secureTo verify that the certificates are generated, use the show crypto pki certificates command:
Router# show crypto pki certificatesCertificateStatus: AvailableCertificate Serial Number: 0x15Certificate Usage: General PurposeIssuer:cn=CASubject:Name: Routerhostname=Routerc=FRst=frl=exampleo=ciscoou=nsstgcn=routerValidity Date:start date: 09:40:38 UTC Feb 5 2009end date: 09:40:38 UTC Feb 5 2010Associated Trustpoints: SENDCA CertificateStatus: AvailableCertificate Serial Number: 0x1Certificate Usage: SignatureIssuer:cn=CASubject:cn=CAValidity Date:start date: 10:54:53 UTC Jun 20 2008end date: 10:54:53 UTC Jun 20 2011Associated Trustpoints: SENDTo verify the configuration, use the show running-config command:
Router# show running-configBuilding configuration...[snip]crypto pki trustpoint SENDenrollment url http://209.165.201.1subject-name C=FR, ST=fr, L=example, O=cisco, OU=nsstg, CN=router revocation-check none rsakeypair SEND !interface Ethernet1/0ip address 209.165.200.225 255.255.255.0duplex halfipv6 cga rsakeypair SENDipv6 address FE80:: link-local cgaipv6 address 2001:100::/64 cgaConfiguring a SeND Trustpoint in Router Mode: Example
The following example shows how to configure a SeND trustpoint in router mode:
enableconfigure terminalcrypto key generate rsa label SENDChoose the size of the key modulus in the range of 360 to 2048 for yourGeneral Purpose Keys. Choosing a key modulus greater than 512 may takea few minutes.How many bits in the modulus [512]: 778% Generating 778 bit RSA keys, keys will be non-exportable...[OK]ipv6 cga modifier rsakeypair SEND sec-level 1crypto pki trustpoint trstpt1subject-name C=FR, ST=fr, L=example, O=cisco, OU=nsstg, CN=sa14-72brsakeypair SENDenrollment terminalip-extension unicast prefix 2001:100:1://48exitcrypto pki authenticate trstpt1crypto pki enroll trstpt1crypto pki import trstpt1 certificateinterface Ethernet 0/0ipv6 nd secured trustpoint trstpt1Configuring SeND Trust Anchors in the Host Mode: Example
The following example shows how to configure SeND trust anchors on an interface in the host mode:
enableconfigure terminal! Configure the location of the CS we trust !crypto pki trustpoint B1enrollment terminalcrypto pki authenticate anchor1exit! Only Query a certificate signed by the CS at B2 on this interface !interface Ethernet0/0ip address 204.209.1.54 255.255.255.0ipv6 cga rsakeypair SENDipv6 address 2001:100::/64 cgaipv6 nd secured trustanchor anchor1Configuring CGA Address Generation on an Interface: Example
The following example shows how to configure CGA address generation on an interface:
enableconfigure terminalinterface fastEthernet 0/0ipv6 cga rsakeypair SENDipv6 address 2001:100::/64 cgaexitAdditional References
The following sections provide references related to the Implementing SeND for IPv6 feature.
Related Documents
Configuring certificate enrollment for a PKI
"Configuring Certificate Enrollment for a PKI" module in the Cisco IOS Security Configuration Guide
Standards
No new or modified standards are supported, and support for existing standards has not been modified.
—
MIBs
RFCs
Technical Assistance
Feature Information for Implementing SeND for IPv6
Table 1 lists the features in this module and provides links to specific configuration information. Only features that were introduced or modified in Cisco IOS Release 12.2(15)T or a later release appear in the table.
For information on a feature in this technology that is not documented here, see the Start Here: Cisco IOS Software Release Specifies for IPv6 Features document.
Not all commands may be available in your Cisco IOS software release. For release information about a specific command, see the command reference documentation.
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS and Catalyst OS software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note
Table 1 Feature Information for Implementing IPv6 Secure Neighbor Discovery
Secure Neighbor Discovery for Cisco IOS Software
12.4(24)T
The Secure Neighbor Discovery (SeND) protocol is designed to counter the threats of the Neighbor Discovery Protocol. SeND defines a set of neighbor discovery options and two neighbor discovery messages. SeND also defines a new autoconfiguration mechanism to establish address ownership.
The following sections provide information about this feature:
•
The following commands were introduced:
ipv6 cga modifier rsakeypair, ipv6 cga modifier rsakeypair (interface), ipv6 nd secured certificate-db, ipv6 nd secured full-secure, ipv6 nd secured full-secure (interface), ipv6 nd secured key-length, ipv6 nd secured sec-level, ipv6 nd secured timestamp, ipv6 nd secured timestamp-db, ipv6 nd secured trustanchor, ipv6 nd secured trustpoint, show ipv6 cga address-db, show ipv6 cga modifier-db, show ipv6 nd secured certificates, show ipv6 nd secured counters interface, show ipv6 nd secured nonce-db, show ipv6 nd secured timestamp-db.
The following commands were modified:
auto-enroll, crypto key generate rsa, crypto pki authenticate, crypto pki enroll, crypto pki import, enrollment terminal (ca-trustpoint), enrollment url (ca-trustpoint), fingerprint, ip-extension, ip http server, ipv6 address, ipv6 address link-local, password (ca-trustpoint), revocation-check, rsakeypair, serial-number (ca-trustpoint), subject-name.
Glossary
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0910R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2009 Cisco Systems, Inc. All rights reserved.
