IP Routing: OSPF Configuration Guide, Cisco IOS XE Release 3S (Cisco ASR 1000)
OSPFv3 Authentication Trailer

The OSPFv3 Authentication Trailer feature, as specified in RFC 6506, provides a mechanism to authenticate Open Shortest Path First version 3 (OSPFv3) protocol packets as an alternative to the existing OSPFv3 IPsec authentication.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Information About OSPFv3 Authentication Trailer

Overview of OSPFv3 Authentication Trailer

Prior to the Authentication Trailer feature, OSPFv3 IPsec as defined in RFC 4552 was the only mechanism for authenticating protocol packets. The OSPFv3 Authentication Trailer feature defines an alternative mechanism to authenticate OSPFv3 protocol packets that additionally provides packet replay protection via a sequence number and has no platform dependencies.

To perform non-IPsec cryptographic authentication, OSPFv3 devices append a special data block, the Authentication Trailer, to the end of each OSPFv3 packet. The length of the Authentication Trailer is not included in the length of the OSPFv3 packet but is included in the IPv6 payload length. The Link-Local Signaling (LLS) block is signaled by the L-bit setting in the "OSPFv3 Options" field in OSPFv3 hello and database description packets. If present, the LLS data block is included along with the OSPFv3 packet in the cryptographic authentication computation.

A new Authentication Trailer (AT)-bit is introduced into the OSPFv3 Options field. OSPFv3 devices must set the AT-bit in OSPFv3 Hello and Database Description packets to indicate that all the packets on this link will include an Authentication Trailer. For OSPFv3 Hello and Database Description packets, the AT-bit indicates that the AT is present. For other OSPFv3 packet types, the AT-bit setting learned from the OSPFv3 Hello/Database Description packets is preserved in the OSPFv3 neighbor data structure. OSPFv3 packet types that do not include an OSPFv3 Options field use the setting from the neighbor data structure to determine whether or not the AT is expected. The AT-bit must be set in all OSPFv3 Hello and Database Description packets that contain an Authentication Trailer.

To configure the Authentication Trailer, OSPFv3 uses the existing Cisco IOS key chain command. For outgoing OSPFv3 packets, the following rules are used to select the key from the key chain:

  • Select the key that is the last to expire.
  • If two keys have the same stop time, select the one with the highest key ID.

The SA ID maps to the authentication algorithm and the secret key that are used to generate and verify the message digest. If authentication is configured but the last valid key has expired, the packets are sent using that expired key and a syslog message is generated. If no valid key is available, the packet is sent without the authentication trailer. When packets are received, the Key ID is used to look up the data for that key. If the Key ID is not found in the key chain, or if the SA is not valid, the packet is dropped. Otherwise the packet is verified using the algorithm and the key configured for that Key ID. Key chains support rollover using key lifetimes: a new key can be added to a key chain with its send start time set in the future, which allows the new key to be configured on all devices before it is actually used.

Hello packets have a higher priority than other OSPFv3 packets and can therefore be reordered on the outgoing interface. This can cause sequence number verification to fail on neighboring devices. To prevent such sequence mismatches, each OSPFv3 device verifies the sequence number separately for each packet type.
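The key-selection and receive-side rules described above, modelled as an added Python illustration (not Cisco code and not how IOS XE implements them internally): the key chain, its lifetimes, the packet types, and the strict/normal mode flag are constructed sample values, and the lifetime is a single start/stop window rather than separate send and accept lifetimes.

```python
from dataclasses import dataclass


@dataclass
class Key:
    """One key-chain entry; times are epoch seconds (constructed sample)."""
    key_id: int
    algorithm: str   # label only, e.g. "HMAC-SHA-256"
    secret: bytes
    start: int       # lifetime start
    stop: int        # lifetime end (exclusive)


def _usable(key, now):
    return key.start <= now < key.stop


def select_send_key(chain, now, strict=False):
    """Outgoing packets: the valid key that is last to expire wins; equal
    stop times are broken by the highest key ID. If every key has expired,
    normal mode keeps using the most recently expired key (the caller
    should raise a syslog); strict mode sends no trailer at all.
    Returns (key or None, expired_flag)."""
    def rank(key):
        return (key.stop, key.key_id)
    valid = [k for k in chain if _usable(k, now)]
    if valid:
        return max(valid, key=rank), False
    expired = [k for k in chain if k.stop <= now]
    if expired and not strict:
        return max(expired, key=rank), True
    return None, False  # no usable key: packet goes out without a trailer


def verify_received(chain, key_id, pkt_type, seq, seen, now, strict=False):
    """Receive side: a Key ID not in the chain drops the packet; in strict
    mode an expired key drops it too. Sequence numbers are tracked per
    packet type because hellos can be reordered ahead of other types."""
    key = next((k for k in chain if k.key_id == key_id), None)
    if key is None:
        return "drop: unknown key id"
    if strict and not _usable(key, now):
        return "drop: key expired"
    if seq <= seen.get(pkt_type, -1):
        return "drop: sequence replay"
    seen[pkt_type] = seq
    return f"accept (key {key.key_id}, {key.algorithm})"


# Constructed sample chain: keys 1 and 2 share a stop time, key 3 is
# staged with a start time in the future to illustrate rollover.
CHAIN = [Key(1, "HMAC-SHA-256", b"k1", 0, 2000),
         Key(2, "HMAC-SHA-256", b"k2", 0, 2000),
         Key(3, "HMAC-SHA-256", b"k3", 1500, 5000)]
```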

See RFC 6506 for more details on the authentication procedure.

How to Configure OSPFv3 Authentication Trailer

Configuring OSPFv3 Authentication Trailer

SUMMARY STEPS

    1.    enable

    2.    configure terminal

    3.    interface type number

    4.    ospfv3 [pid] {ipv4 | ipv6} authentication key-chain chain-name

    5.    router ospfv3 ID

    6.    address-family ipv6 unicast vrf ID

    7.    area ID virtual-link nbr ID authentication key-chain chain name

    8.    area ID sham-link {source | destination} authentication key-chain chain name

    9.    authentication mode {strict | deployment | normal}

    10.    exit

    11.    show ospfv3 interface

    12.    show ospfv3 neighbor [detail]

    13.    debug ospfv3 vrf authentication


DETAILED STEPS

    Step 1  enable

    Example:
    Device> enable

    Enables privileged EXEC mode.
    • Enter your password if prompted.

    Step 2  configure terminal

    Example:
    Device# configure terminal

    Enters global configuration mode.

    Step 3  interface type number

    Example:
    Device(config)# interface Ethernet 2/0

    Specifies the interface type and number.

    Step 4  ospfv3 [pid] {ipv4 | ipv6} authentication key-chain chain-name

    Example:
    Device(config-if)# ospfv3 1 ipv4 authentication key-chain ospf-1

    Specifies the authentication type for an OSPFv3 instance.

    Step 5  router ospfv3 ID

    Example:
    Device(config-if)# router ospfv3 1

    Enters OSPFv3 router configuration mode.

    Step 6  address-family ipv6 unicast vrf ID

    Example:
    Device(config-router)# address-family ipv6 unicast vrf vrf1

    Configures the IPv6 address family in the OSPFv3 process and enters IPv6 address family configuration mode.

    Step 7  area ID virtual-link nbr ID authentication key-chain chain-name

    Example:
    Device(config-router-af)# area 1 virtual-link 1.1.1.1 authentication key-chain ospf-chain-1

    Configures the authentication for virtual links.

    Step 8  area ID sham-link {source | destination} authentication key-chain chain-name

    Example:
    Device(config-router-af)# area 1 sham-link 1.1.1.1 authentication key-chain ospf-chain-1

    Configures the authentication for sham links.

    Step 9  authentication mode {strict | deployment | normal}

    Example:
    Device(config-router-af)# authentication mode deployment

    Specifies the type of authentication used for the OSPFv3 instance.
    • When the strict keyword is used, expired keys cannot be used for sending or receiving packets.
    • The deployment keyword provides adjacency between configured and unconfigured authentication devices.

    Step 10  exit

    Example:
    Device(config-router-af)# exit

    Exits IPv6 address family configuration mode and returns to privileged EXEC mode.

    Step 11  show ospfv3 interface

    Example:
    Device# show ospfv3

    (Optional) Displays OSPFv3-related interface information.

    Step 12  show ospfv3 neighbor [detail]

    Example:
    Device# show ospfv3 neighbor detail

    (Optional) Displays OSPFv3 neighbor information on a per-interface basis.

    Step 13  debug ospfv3 vrf authentication

    Example:
    Device# debug ospfv3 vrf authentication

    (Optional) Displays debugging information for OSPFv3 authentication.


Configuration Examples for OSPFv3 Authentication Trailer

Example: Configuring OSPFv3 Authentication Trailer

    interface Ethernet 0/0
     ospfv3 1 ipv4 authentication key-chain ospf-1
    !
    router ospfv3 1
     address-family ipv6 unicast vrf vrf1
      area 1 virtual-link 1.1.1.1 authentication key-chain ospf-chain-1
      area 1 sham-link 1.1.1.1 authentication key-chain ospf-chain-1
      authentication mode deployment
     !
    !

The following examples show the output of the show ospfv3 commands.

    Device# show ospfv3

    OSPFv3 1 address-family ipv6
     Router ID 1.1.1.1
    …
     RFC1583 compatibility enabled
     Authentication configured with strict key lifetime
     Active Key-chains:
      Key chain mama: Send key 1, Algorithm HMAC-SHA-256, Number of interfaces 1
        Area BACKBONE(0)

    Device# show ospfv3 neighbor detail

    OSPFv3 1 address-family ipv6 (router-id 2.2.2.2)

     Neighbor 1.1.1.1
        In the area 0 via interface Ethernet0/0
        Neighbor: interface-id 2, link-local address FE80::A8BB:CCFF:FE01:2D00
        Neighbor priority is 1, State is FULL, 6 state changes
        DR is 2.2.2.2 BDR is 1.1.1.1
        Options is 0x000413 in Hello (V6-Bit, E-Bit, R-Bit, AT-Bit)
        Options is 0x000413 in DBD (V6-Bit, E-Bit, R-Bit, AT-Bit)
        Dead timer due in 00:00:33
        Neighbor is up for 00:05:07
        Last packet authentication succeed
        Index 1/1/1, retransmission queue length 0, number of retransmission 0
        First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
        Last retransmission scan length is 0, maximum is 0
        Last retransmission scan time is 0 msec, maximum is 0 msec

    Device# show ospfv3 interface

    Ethernet0/0 is up, line protocol is up
    …
      Cryptographic authentication enabled
        Sending SA: Key 25, Algorithm HMAC-SHA-256 - key chain ospf-keys
        Last retransmission scan time is 0 msec, maximum is 0 msec


Additional References for OSPFv3 Authentication Trailer

Related Documents

    Related Topic: Cisco IOS commands
    Document Title: Cisco IOS Master Command List, All Releases

    Related Topic: Configuring OSPF features
    Document Title: IP Routing: OSPF Configuration Guide

Standards and RFCs

    Related Topic: RFCs for Supporting Authentication Trailer for OSPFv3
    Document Title: RFC 6506

Technical Assistance

    Description: The Cisco Support website provides extensive online resources, including documentation and tools for troubleshooting and resolving technical issues with Cisco products and technologies. To receive security and technical information about your products, you can subscribe to various services, such as the Product Alert Tool (accessed from Field Notices), the Cisco Technical Services Newsletter, and Really Simple Syndication (RSS) Feeds. Access to most tools on the Cisco Support website requires a Cisco.com user ID and password.
    Link: http://www.cisco.com/support

Feature Information for OSPFv3 Authentication Trailer

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1 Feature Information for OSPFv3 Authentication Trailer

    Feature Name: OSPFv3 Authentication Trailer
    Releases: Cisco IOS XE Release 3.11S
    Feature Information: The OSPFv3 Authentication Trailer feature defines an alternative mechanism to authenticate OSPFv3 protocol packets so that OSPFv3 does not depend only upon IPsec for authentication. The following commands were introduced or modified: ospfv3 authentication key-chain, authentication mode, debug ospfv3 vrf authentication.