Note: all SRv6 configuration parameters are defined per-namespace.
Several per-interface sysctls are available to control SRv6 behavior.
0: Drop ingress SR-enabled packets from this interface.
1: Accept ingress SR-enabled packets and apply basic SRH processing.
-1: Ignore HMAC field.
0: Accept SR packets without HMAC, validate SR packets with HMAC.
1: Drop SR packets without HMAC, validate SR packets with HMAC.
The iproute2 tool is used to add SRH onto packets, as such:
The parameters are defined as follows.
prefix: IPv6 prefix of the route.
encap to encapsulate matching packets into an outer IPv6 header containing the SRH, and
inline to insert the SRH right after the IPv6 header of the original packet.
segments: comma-separated list of segments. Example:
keyid: HMAC key ID, further explained below.
device: any non-loopback device.
When a packet is encapsulated within an outer IPv6 header, a source address must be selected for this outer header. By default, an interface address is selected. To change this default value, use the following command.
If addr is set to ::, then the default behavior is assumed.
The optional HMAC TLV ensures the authenticity and integrity of its SRH. It contains the HMAC computation of the header, realised using an HMAC key ID. This key ID is mapped to a secret passphrase, used as input to the HMAC function. The mapping of HMAC key IDs is configured with the following command.
You will then be prompted to enter the passphrase. Leave blank to remove the mapping. The algorithm field selects the hashing algorithm to use. Available options are sha256. For security robustness, we recommend the latter.
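The following Python model is an added example, not code from the original page or from the kernel. It shows how the three HMAC policy values listed above (-1, 0, 1) combine with the key ID to passphrase mapping when deciding whether to accept an SR packet. The function names, key table, addresses and passphrase are constructed for illustration. The HMAC input layout (source address, Last Entry, Flags, key ID, segment list) and the 32-octet HMAC field are assumed to follow RFC 8754.

```python
import hmac
import ipaddress
import struct

# Constructed key table: HMAC key ID -> (algorithm, passphrase).
KEYS = {1042: ("sha256", b"constructed-passphrase")}
HMAC_FIELD_LEN = 32  # assumed size of the HMAC field in the TLV (RFC 8754)

# Constructed sample packet fields (documentation prefix 2001:db8::/32).
SRC = "2001:db8::1"
SEGS = ["2001:db8::c", "2001:db8::b", "2001:db8::a"]


def srh_hmac(src, last_entry, flags, keyid, segments, keys=KEYS):
    """Compute the HMAC field for an SRH, or None if the key ID is unmapped."""
    if keyid not in keys:
        return None
    algo, secret = keys[keyid]
    # Assumed input layout: source address, Last Entry, Flags, key ID, segments.
    text = ipaddress.IPv6Address(src).packed
    text += struct.pack("!BBI", last_entry, flags, keyid)
    text += b"".join(ipaddress.IPv6Address(s).packed for s in segments)
    digest = hmac.new(secret, text, algo).digest()
    # Shorter digests are zero-padded to the fixed field length.
    return digest.ljust(HMAC_FIELD_LEN, b"\x00")[:HMAC_FIELD_LEN]


def verdict(policy, src, last_entry, flags, segments, tlv=None, keys=KEYS):
    """Return 'accept' or 'drop'. tlv is None or a (keyid, hmac_bytes) pair."""
    if policy == -1:          # -1: ignore the HMAC field entirely
        return "accept"
    if tlv is None:           # no HMAC TLV: 0 accepts, 1 drops
        return "accept" if policy == 0 else "drop"
    keyid, received = tlv     # 0 and 1 both validate an HMAC that is present
    expected = srh_hmac(src, last_entry, flags, keyid, segments, keys)
    # Assumption of this model: an unmapped key ID fails validation.
    if expected is None or not hmac.compare_digest(expected, received):
        return "drop"
    return "accept"


if __name__ == "__main__":
    good = srh_hmac(SRC, 2, 0, 1042, SEGS)
    tampered = SEGS[:2] + ["2001:db8::f"]
    for policy in (-1, 0, 1):
        print(policy,
              verdict(policy, SRC, 2, 0, SEGS),
              verdict(policy, SRC, 2, 0, SEGS, (1042, good)),
              verdict(policy, SRC, 2, 0, tampered, (1042, good)))
```

Only policy 1 rejects a packet whose HMAC TLV has been stripped, and policy -1 accepts a packet whose segment list was altered after signing.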