All IP routing protocols support some type of neighbour authentication. OSPFv3, however, does not include any authentication of its own. It relies on the security mechanisms implemented in the IPv6 protocol. This makes the implementation of OSPFv3 itself simpler and less prone to bugs.

There are 2 methods of configuring authentication in OSPFv3:

  • Authentication per interface
  • Authentication per OSPFv3 area

Authentication per interface

Configuring IPSec authentication requires 2 parameters:

  • SPI (Security Policy Index)
  • AH (Authentication Header)

The SPI is a locally significant integer between 256 and 4,294,967,295. The AH key on IOS can use one of 2 different algorithms:

  • MD5 key (32 chars)
  • SHA-1 key (40 chars)

Below is the IOS inline help shown while configuring IPv6 AH authentication:

R1(config-if)#ipv6 ospf authentication ipsec spi 256 md5 ?
  0           The key is not encrypted (plain text)
  7           The key is encrypted
  Hex-string  MD5 key (32 chars)

R1(config-if)#ipv6 ospf authentication ipsec spi 256 sha1 ?
  0           The key is not encrypted (plain text)
  7           The key is encrypted
  Hex-string  SHA-1 key (40 chars)

Here is an example of how to generate a key on a Linux/UNIX host:

user@host % echo cisco | sha1sum 
20a43b29a07a27dcf58a5709bf210ccbf972917d  -
user@host % echo cisco | md5sum
cc79bc443b2c09b3208d49eb19168ca5  -

Once both parameters have been defined, a working configuration for an interface could look like this:

interface FastEthernet0/0
 ipv6 address FE80::0 link-local
 ipv6 enable
 ipv6 ospf authentication ipsec spi 256 sha1 20a43b29a07a27dcf58a5709bf210ccbf972917d
 ipv6 ospf 1 area 0
end
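
The key above is the hash of a guessable word; a key read from the system random source fits the same field. The script below is an added example, not part of the original post: it generates a random hex key of the length IOS expects, checks the SPI range and key length given above, and prints the interface command. The function names are hypothetical, and /dev/urandom and od are assumed to be available.

```shell
#!/bin/sh
# Added example: random AH keys for "ipv6 ospf authentication ipsec".
# Function names are hypothetical; assumes /dev/urandom and od exist.

key_len() {   # hex digits IOS expects per algorithm (from the inline help)
    case "$1" in
        md5)  echo 32 ;;
        sha1) echo 40 ;;
        *)    return 1 ;;
    esac
}

gen_key() {   # random hex key of the right length from the kernel CSPRNG
    len=$(key_len "$1") || { echo "unknown algorithm: $1" >&2; return 1; }
    od -An -v -tx1 -N "$((len / 2))" /dev/urandom | tr -d ' \t\n'
}

valid_spi() { # decimal integer in 256..4294967295
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 10 ] && [ "$1" -ge 256 ] && [ "$1" -le 4294967295 ]
}

valid_key() { # exactly key_len hex digits, nothing else
    len=$(key_len "$1") || return 1
    [ "${#2}" -eq "$len" ] || return 1
    case "$2" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
}

auth_line() { # usage: auth_line SPI ALG [KEY]; KEY is generated if omitted
    spi=$1 alg=$2 key=${3:-$(gen_key "$2")}
    valid_spi "$spi" || { echo "SPI out of range: $spi" >&2; return 1; }
    valid_key "$alg" "$key" || { echo "bad $alg key" >&2; return 1; }
    echo " ipv6 ospf authentication ipsec spi $spi $alg $key"
}

# Constructed sample run: SPI 256 as on this page, fresh SHA-1 length key.
auth_line 256 sha1
```

Every neighbour on the link needs the same algorithm and key, so generate the line once and paste it on each router.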

Authentication per OSPF area

The configuration on a per-area basis works the same as in the example above. Authentication then applies, with the same key, to all interfaces participating in the OSPF area.

router ospfv3 1
 area 0 authentication ipsec spi 256 sha1 20a43b29a07a27dcf58a5709bf210ccbf972917d

Verification

Use the following commands to verify a successful IPSec authentication:

R1#show crypto map

R1#sh crypto ipsec sa

R1#show crypto ipsec policy

R1#show ipv6 ospf interface

Troubleshooting

While configuring in a virtual lab environment, I noticed that if you add the IPSec authentication to a router process on an already converged OSPF network, nothing happens. The neighbourship is stable. Apparently you need to reset the OSPF process to re-initiate the neighbourship. It is comparable to making changes to BGP sessions: as long as you do not tear the BGP/TCP session down, the neighbours continue to use the working configuration.