IP Routing: OSPF Configuration Guide, Cisco IOS Release 15M&T
OSPFv3 IPSec ESP Encryption and Authentication
Downloads: This chapterpdf (PDF - 1.32MB) The complete bookPDF (PDF - 5.37MB) | The complete bookePub (ePub - 1.17MB) | The complete bookePub (ePub - 1.08MB) | Feedback

OSPFv3 IPSec ESP Encryption and Authentication

OSPFv3 IPSec ESP Encryption and Authentication

When Open Shortest Path First version 3 (OSPFv3) runs on IPv6, OSPFv3 requires the IPv6 encapsulating security payload (ESP) header or IPv6 authentication header to ensure integrity, authentication, and confidentiality of routing exchanges. IPv6 ESP extension headers can be used to provide authentication and confidentiality to OSPFv3.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

Prerequisites for OSPFv3 IPSec ESP Encryption and Authentication

Configure the IP Security (IPsec) secure socket application program interface (API) on OSPFv3 in order to enable authentication and encryption.

Information About OSPFv3 IPSec ESP Encryption and Authentication

OSPFv3 Authentication Support with IPsec

In order to ensure that OSPFv3 packets are not altered and re-sent to the device, causing the device to behave in a way not desired by its system administrators, OSPFv3 packets must be authenticated. OSPFv3 uses the IPsec secure socket API to add authentication to OSPFv3 packets. This API supports IPv6.

OSPFv3 requires the use of IPsec to enable authentication. Crypto images are required to use authentication, because only crypto images include the IPsec API needed for use with OSPFv3.

In OSPFv3, authentication fields have been removed from OSPFv3 packet headers. When OSPFv3 runs on IPv6, OSPFv3 requires the IPv6 authentication header (AH) or IPv6 ESP header to ensure integrity, authentication, and confidentiality of routing exchanges. IPv6 AH and ESP extension headers can be used to provide authentication and confidentiality to OSPFv3.

To use the IPsec AH, you must enable the ipv6 ospf authentication command. To use the IPsec ESP header, you must enable the ipv6 ospf encryption command. The ESP header may be applied alone or in combination with the AH, and when ESP is used, both encryption and authentication are provided. Security services can be provided between a pair of communicating hosts, between a pair of communicating security gateways, or between a security gateway and a host.

To configure IPsec, you configure a security policy, which is a combination of the security policy index (SPI) and the key (the key is used to create and validate the hash value). IPsec for OSPFv3 can be configured on an interface or on an OSPFv3 area. For higher security, you should configure a different policy on each interface configured with IPsec. If you configure IPsec for an OSPFv3 area, the policy is applied to all of the interfaces in that area, except for the interfaces that have IPsec configured directly. Once IPsec is configured for OSPFv3, IPsec is invisible to you.

The secure socket API is used by applications to secure traffic. The API needs to allow the application to open, listen, and close secure sockets. The binding between the application and the secure socket layer also allows the secure socket layer to inform the application of changes to the socket, such as connection open and close events. The secure socket API is able to identify the socket; that is, it can identify the local and remote addresses, masks, ports, and protocol that carry the traffic requiring security.

Each interface has a secure socket state, which can be one of the following:

  • NULL: Do not create a secure socket for the interface if authentication is configured for the area.

  • DOWN: IPsec has been configured for the interface (or the area that contains the interface), but OSPFv3 either has not requested IPsec to create a secure socket for this interface, or there is an error condition.

  • GOING UP: OSPFv3 has requested a secure socket from IPsec and is waiting for a CRYPTO_SS_SOCKET_UP message from IPsec.

  • UP: OSPFv3 has received a CRYPTO_SS_SOCKET_UP message from IPsec.

  • CLOSING: The secure socket for the interface has been closed. A new socket may be opened for the interface, in which case the current secure socket makes the transition to the DOWN state. Otherwise, the interface will become UNCONFIGURED.

  • UNCONFIGURED: Authentication is not configured on the interface.

OSPFv3 will not send or accept packets while in the DOWN state.

OSPFv3 Virtual Links

For each virtual link, a master security information datablock is created for the virtual link. Because a secure socket must be opened on each interface, there will be a corresponding security information datablock for each interface in the transit area. The secure socket state is kept in the interface’s security information datablock. The state field in the master security information datablock shows the status of all of the secure sockets opened for the virtual link. If all of the secure sockets are UP, then the security state for the virtual link will be set to UP.

Packets sent on a virtual link with IPsec must use predetermined source and destination addresses. The first local area address found in the device’s intra-area-prefix LSA for the area is used as the source address. This source address is saved in the area data structure and used when secure sockets are opened and packets sent over the virtual link. The virtual link will not transition to the point-to-point state until a source address is selected. Also, when the source or destination address changes, the previous secure sockets must be closed and new secure sockets opened.


Note


Virtual links are not supported for the IPv4 AF.


How to Configure OSPFv3 IPSec ESP Encryption and Authentication

Defining Encryption on an Interface

Before You Begin

Before you configure IPsec on an interface, you must configure OSPFv3 on that interface.

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    interface type number

    4.    Do one of the following:

    • ospfv3 encryption {ipsec spi spi esp encryption-algorithm key-encryption-type key authentication-algorithm key-encryption-type key | null}
    • ipv6 ospf encryption {ipsec spi spi esp {encryption-algorithm [[key-encryption-type] key] | null} authentication-algorithm [key-encryption-type] key | null}


DETAILED STEPS
     Command or ActionPurpose
    Step 1 enable


    Example:
    Device> enable
    
     

    Enables privileged EXEC mode.

    • Enter your password if prompted.

     
    Step 2 configure terminal


    Example:
    Device# configure terminal
    
     

    Enters global configuration mode.

     
    Step 3 interface type number


    Example:
    Device(config)# interface ethernet 0/0
    
     

    Specifies an interface type and number, and places the device in interface configuration mode.

     
    Step 4Do one of the following:
    • ospfv3 encryption {ipsec spi spi esp encryption-algorithm key-encryption-type key authentication-algorithm key-encryption-type key | null}
    • ipv6 ospf encryption {ipsec spi spi esp {encryption-algorithm [[key-encryption-type] key] | null} authentication-algorithm [key-encryption-type] key | null}


    Example:
    Device(config-if)# ospfv3 encryption ipsec spi 1001 esp null md5 0 27576134094768132473302031209727
    


    Example:
    Device(config-if) ipv6 ospf encryption ipsec spi 1001 esp null sha1 123456789A123456789B123456789C123456789D
    
     

    Specifies the encryption type for an interface.

     

    Defining Encryption in an OSPFv3 Area

    SUMMARY STEPS

      1.    enable

      2.    configure terminal

      3.    ipv6 router ospf process-id

      4.    area area-id encryption ipsec spi spi esp { encryption-algorithm [ | key-encryption-type] key | null} authentication-algorithm [ | key-encryption-type] key


    DETAILED STEPS
       Command or ActionPurpose
      Step 1 enable


      Example:
      Device> enable 
      
       

      Enables privileged EXEC mode.

      • Enter your password if prompted.

       
      Step 2 configure terminal


      Example:
      Device# configure terminal 
      
       

      Enters global configuration mode.

       
      Step 3 ipv6 router ospf process-id


      Example:
      Device(config)# ipv6 router ospf 1 
      
       

      Enables OSPFv3 router configuration mode.

       
      Step 4 area area-id encryption ipsec spi spi esp { encryption-algorithm [ | key-encryption-type] key | null} authentication-algorithm [ | key-encryption-type] key


      Example:
      Device(config-rtr)# area 1 encryption ipsec spi 500 esp null md5 1aaa2bbb3ccc4ddd5eee6fff7aaa8bbb
      
       

      Enables encryption in an OSPFv3 area.

       

      Defining Authentication and Encryption for a Virtual Link in an OSPFv3 Area

      SUMMARY STEPS

        1.    enable

        2.    configure terminal

        3.    ipv6 router ospf process-id

        4.    area area-id virtual-link router-id authentication ipsec spi spi authentication-algorithm [ key-encryption-type] key

        5.    area area-id virtual-link router-id encryption ipsec spi spi esp {encryption-algorithm [key-encryption-type] key | null} authentication-algorithm [key-encryption-type] key


      DETAILED STEPS
         Command or ActionPurpose
        Step 1 enable


        Example:
        Device> enable 
        
         

        Enables privileged EXEC mode.

        • Enter your password if prompted.

         
        Step 2 configure terminal


        Example:
        Device# configure terminal 
        
         

        Enters global configuration mode.

         
        Step 3 ipv6 router ospf process-id


        Example:
        Device(config)# ipv6 router ospf 1 
        
         

        Enables OSPFv3 router configuration mode.

         
        Step 4 area area-id virtual-link router-id authentication ipsec spi spi authentication-algorithm [ key-encryption-type] key


        Example:
        Device(config-rtr)# area 1 virtual-link 10.0.0.1 authentication ipsec spi 940 md5 1234567890ABCDEF1234567890ABCDEF 
        
         

        Enables authentication for virtual links in an OSPFv3 area.

         
        Step 5 area area-id virtual-link router-id encryption ipsec spi spi esp {encryption-algorithm [key-encryption-type] key | null} authentication-algorithm [key-encryption-type] key


        Example:
        Device(config-rtr)# area 1 virtual-link 10.1.0.1 hello-interval 2 dead-interval 10 encryption ipsec spi 3944 esp null sha1 123456789A123456789B123456789C123456789D
        
         

        Enables encryption for virtual links in an OSPFv3 area.

         

        Configuration Examples for OSPFv3 IPSec ESP Encryption and Authentication

        Example: Defining Encryption in an OSPFv3 Area

        Device# show ipv6 ospf interface
        
        Ethernet0/0 is up, line protocol is up
          Link Local Address 2001:0DB1:A8BB:CCFF:FE00:6E00, Interface ID 2
          Area 0, Process ID 1, Instance ID 0, Router ID 10.10.10.1
          Network Type BROADCAST, Cost:10
          MD5 Authentication (Area) SPI 1000, secure socket state UP (errors:0)
          Transmit Delay is 1 sec, State BDR, Priority 1
          Designated Router (ID) 10.11.11.1, local address 2001:0DB1:A8BB:CCFF:FE00:6F00
          Backup Designated router (ID) 10.10.10.1, local address
        FE80::A8BB:CCFF:FE00:6E00
          Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
            Hello due in 00:00:03
          Index 1/1/1, flood queue length 0
          Next 0x0(0)/0x0(0)/0x0(0)
          Last flood scan length is 1, maximum is 1
          Last flood scan time is 0 msec, maximum is 0 msec
          Neighbor Count is 1, Adjacent neighbor count is 1
            Adjacent with neighbor 10.11.11.1  (Designated Router)
          Suppress hello for 0 neighbor(s)

        Additional References

        Related Documents

        Related Topic

        Document Title

        IPv6 addressing and connectivity

        IPv6 Configuration Guide

        Cisco IOS commands

        Cisco IOS Master Command List, All Releases

        IPv6 commands

        Cisco IOS IPv6 Command Reference

        Cisco IOS IPv6 features

        Cisco IOS IPv6 Feature Mapping

        Configuring BGP Nonstop Forwarding Awareness Using BGP Graceful Restart

        “Configuring Advanced BGP Features” in the IP Routing: BGP Configuration Guide

        Standards and RFCs

        Standard/RFC

        Title

        RFCs for IPv6

        IPv6 RFCs

        MIBs

        MIB

        MIBs Link

        To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

        http:/​/​www.cisco.com/​go/​mibs

        Technical Assistance

        Description

        Link

        The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

        http:/​/​www.cisco.com/​cisco/​web/​support/​index.html

        Feature Information for OSPFv3 IPSec ESP Encryption and Authentication

        The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

        Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/​go/​cfn. An account on Cisco.com is not required.

        Table 1 Feature Information for OSPFv3 IPSec ESP Encryption and Authentication

        Feature Name

        Releases

        Feature Information

        OSPFv3 IPSec ESP Encryption and Authentication

        12.4(9)T

        15.1(1)SY

        IPv6 ESP extension headers can be used to provide authentication and confidentiality to OSPFv3.

        The following commands were introduced or modified: area encryption, area virtual-link, area virtual-link authentication, ipv6 ospf area, ipv6 ospf encryption, show ipv6 ospf interface, show ospfv3 interface.