If you're coming from an OSPFv2 world, you're used to typing in a simple {IP OSPF AUTHENTICATION-KEY} command. When you jump to IPv6 OSPFv3, you might look for the equivalent command and be surprised to find it's not there.
How does OSPFv3 secure its neighbour relationships and routing updates? The answer is a fundamental shift in design: OSPFv3 relies on IPsec authentication. OSPFv3 doesn't include any authentication capabilities of its own. The OSPFv3 authentication field has been removed from OSPFv3 packet headers. OSPFv3 requires the IPv6 authentication header (AH) or IPv6 ESP header to ensure the integrity, authentication, and confidentiality of routing exchanges.
What are the benefits?
This approach has several benefits:
- No more cleartext passwords
- Stronger crypto (SHA-256, AES)
- Leverages existing infrastructure
- Standardization
How does it work?
OSPFv3 supports two methods to implement IPsec.
1. Manual- this is the most straightforward and commonly used method, you manually configure a security policy index (SPI) and a pre-shared key on both routers.
The building blocks:
- SPI- a number that uniquely identifies the security policy to both routers. It must match on both sides.
- Authentication algorithm- the hashing algorithm to use ( SHA1, SHA256).
- Encryption key- the actual pre-shared password. It must match on both sides.
2. IPsec profile ( the scalable method)
- For larger networks, manually configuring keys on every interface becomes a management headache. This is where the IPsec profile comes in.
- An IPsec profile defines the security policy (algorithms, keys, etc) and is then applied to an OSPFv3 process. This applies the policy to all OSPFv3 interfaces, making it much more scalable.
- This method is complex to set up, but it is the recommended way for large-scale deployments.
Let's see the configuration- So, we are going to configure OSPv3 authentication interface, and the area authentication.
Topology:-
Goal: ensure the integrity, authentication, and confidentiality of routing exchanges.
- Configure the topology as per the diagram
- Configure the IPv6 addresses as per the topology
- Configure OSPFv3, and both routers are in area 0
- Configure OSPFv3 authentication on the interfaces
- erase the previous configuration
- Reconfigure OSPFv3 authentication for the entire OSPFv3 area 0
- Verify with show commands and messages.
R1(config)#interface fastethernet 0/0
R1(config-if)#ipv6 address 2001:1212:12:12::1/64
R1(config-if)#no shutdown
R1(config-if)#exit
R1(config)#interface fastethernet 2/0
R1(config-if)#ipv6 address fc00:1111:1111:1111::1/64
R1(config-if)#no shutdown
R1(config-if)#exit
R2(config)#interface fastethernet 0/0
R2(config-if)#ipv6 address 2001:1212:12:12::2/64
R2(config-if)#no shutdown
R2(config-if)#exit
R2(config)#interface fastethernet 2/0
R2(config-if)#ipv6 address fc00:2222:2222:2222::1/64
R2(config-if)#no shutdown
R2(config-if)#exit
R1(config)#ipv6 unicast-routing
R1(config)#ipv6 router ospf 100
R1(config-rtr)#router-id 10.10.10.10
R1(config-rtr)#exit
R1(config)#interface fastethernet 0/0
R1(config-if)#ipv6 ospf 100 area 0
R1(config-if)#exit
R1(config)#interface fastethernet 2/0
R1(config-if)#ipv6 ospf 100 area 0
R1(config-if)#exit
R2(config)#ipv6 unicast-routing
R2(config)#ipv6 router ospf 100
R2(config-rtr)#router-id 20.20.20.20
R2(config-rtr)#exit
R2(config)#interface fastethernet 0/0
R2(config-if)#ipv6 ospf 100 area 0
R2(config-if)#exit
R2(config)#interface fastethernet 2/0
R2(config-if)#ipv6 ospf 100 area 0
R2(config-if)#exit
%OSPFv3-5-ADJCHG: Process 100, Nbr 20.20.20.20 on FastEthernet0/0 from LOADING to FULL, Loading Done
%OSPFv3-5-ADJCHG: Process 100, Nbr 10.10.10.10 on FastEthe rnet0/0 from LOADING to FULL, Loading Done
R1(config)#interface fastethernet 0/0
R1(config-if)#IPv6 ospf authenticationb ipsec spi 499 md5 abcdef1234567890abcded1234567890
R1(config-if)#end
%IPSECV6-4-RECVD_PKT_NOT_IPSECV6: Rec'd packet not an IPSEC packet. (ip) dest_addr= FF02::5, src_addr= FE80::C802:63FF:FE30:0, prot= 89
%OSPFv3-5-ADJCHG: Process 100, Nbr 20.20.20.20 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
%IPSECV6-4-RECVD_PKT_NOT_IPSECV6: Rec'd packet not an IPSECv6 packet.
(ip) dest_addr= FF02::5, src_addr= FE80::C802:63FF:FE30:0, prot= 89
R2(config)#interface fastethernet 0/0
R2(config-if)#IPv6 ospf authenticationb ipsec spi 499 md5 abcdef1234567890abcded1234567890
R2(config-if)#end
%OSPFv3-5-ADJCHG: Process 100, Nbr 10.10.10.10 on FastEthernet0/0 from LOADING to FULL, Loading Done
%OSPFv3-5-ADJCHG: Process 100, Nbr 20.20.20.20 on FastEthernet0/0 from LOADING to FULL, Loading Done
R1#show ipv6 ospf neighbor
Neighbor ID Pri State Dead Time Interface ID Interface
20.20.20.20 1 FULL/DR 00:00:33 4 FastEthernet0/ 0
R1#show ipv6 route ospf
IPv6 Routing Table - 7 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
O FC00:2222:2222:2222::/64 [110/2]
via FE80::C802:63FF:FE30:0, FastEthernet0/0
R2#show ipv6 ospf neighbor
Neighbor ID Pri State Dead Time Interface ID Interface
10.10.10.10 1 FULL/BDR 00:00:34 4 FastEthernet0/ 0
R2#show ipv6 route ospf
IPv6 Routing Table - 7 entries
Codes: C - Connected, L - Local, S - Static, R - RIP, B - BGP
U - Per-user Static route
I1 - ISIS L1, I2 - ISIS L2, IA - ISIS interarea, IS - ISIS summary
O - OSPF intra, OI - OSPF inter, OE1 - OSPF ext 1, OE2 - OSPF ext 2
ON1 - OSPF NSSA ext 1, ON2 - OSPF NSSA ext 2
O FC00:1111:1111:1111::/64 [110/2]
via FE80::C801:3AFF:FE14:0, FastEthernet0/0
