In this document I aim to show you how to implement and verify authentication and encryption of OSPFv3
adjacencies so you can better secure your control-plane protocol. I will be using the newer ospfv3 syntax
to do this, but please be advised that the same approach works with the older IPv6-only ipv6 ospf syntax.
Please also note that OSPFv2 authentication follows a different syntax and that IPsec encryption of the
control plane is currently supported only in OSPFv3 as of writing.
Prerequisites
Generated on 2015-05-24-07:00
1
[Figure: OSPF packet header. Image not preserved. Source: http://flylib.com/books/2/297/1/html/2/images/12fig19.jpg]
The reason for this is that OSPFv3 uses the IPsec authentication and encryption integration built into IPv6 to
protect the protocol. This means that packets are authenticated and encrypted at layer 3 (IP) rather than at
the application layer within OSPF itself. This does, however, bring some disadvantages. IPv6 currently doesn't
support ISAKMP for dynamically generating and exchanging the symmetric keying material used to encrypt the
data, but rather just supports native IPsec with manual keys. As a result, you will need to specify the keying
material manually on both neighbours, and any key change will also need to be done by hand on every
neighbour rather than being completed automatically via ISAKMP.
In order to demonstrate the configuration of OSPFv3 authentication and encryption I will be using the following
topology that has already been pre-configured to operate without any authentication or encryption applied.
To prove that this is operational I will perform a ping from R1's loopback to R2. As with any routing protocol
authentication configuration, it is important to verify that normal neighbourship and reachability are established
before adding authentication or encryption. This makes troubleshooting easier later, because anything that
breaks from this point on can be attributed to the authentication or encryption configuration.
The command works by specifying whether you wish to perform encryption (which includes authentication)
or authentication only. If you choose encryption, you then set up the IPsec parameters manually: the SPI
(Security Parameter Index) number, the encryption algorithm and its key length, and then a hexadecimal
encryption key and a hexadecimal authentication key. Using context-sensitive help is crucial here, as it shows
you how many hex characters each key requires. Once the command is accepted you should see that
cryptography is enabled. After this has been completed, copy and paste the same command onto the other
router. The adjacency should then be restored, or, if you completed this before the dead timer expired, the
dead timer should simply be reset.
Verification
As with any IPsec implementation, the security association can fail to establish, so some verification is
necessary to validate what you have done. The first verification step is to check whether your neighbour has
come back up after being dropped. This can be done with your normal show ipv6 ospf neighbor or show ospfv3
neighbor command.
If the neighbour isn't shown then your IPsec most likely didn't negotiate properly. The next step would then be
to verify whether your SA has been established and that packets are being encapsulated and decapsulated.
show crypto ipsec sa will reveal this information. Note that this command can produce quite a bit of output
depending on how many SAs exist, so filter it based on the interface you wish to see.
Below is the output you wish to see where packets are being encrypted and encapsulated.
Should this output not show anything then your SA hasn't been established, in which case the configuration is
most likely the cause. debug crypto ipsec may reveal where the process fails, although it is almost always
down to a mismatched key. This is normally indicated by an error message along the lines of "malformed
packet".
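The two failure points above (a key of the wrong length, which the context-sensitive help guards against, and a key that differs between the two routers, which shows up as a "malformed packet" debug) can both be caught before the command is pasted. The following is an added example, not part of the original document or any Cisco tool: a small Python checker for the interface-level ospfv3 / ipv6 ospf encryption ipsec command. The hex-length table and SPI range are assumptions drawn from the IOS syntax, the authentication-only form is not covered, and the sample commands and keys are constructed placeholders.

```python
import re

# Hex digits the IOS parser expects per key (2 per key byte); assumption from the IOS syntax.
ENC_KEY_HEX = {"aes-cbc 128": 32, "aes-cbc 192": 48, "aes-cbc 256": 64,
               "3des": 48, "des": 16, "null": 0}
AUTH_KEY_HEX = {"md5": 32, "sha1": 40}
WEAK = {"des", "3des", "md5", "null"}          # accepted by IOS, but flagged here

# Covers both the older "ipv6 ospf ..." and the newer "ospfv3 ..." syntax.
CMD = re.compile(
    r"^(?:ipv6 ospf|ospfv3) encryption ipsec spi (?P<spi>\d+) esp "
    r"(?P<enc>aes-cbc (?:128|192|256)|3des|des|null)(?: (?P<ekey>[0-9a-fA-F]+))? "
    r"(?P<auth>md5|sha1) (?P<akey>[0-9a-fA-F]+)$")

def parse(line):
    """Return the command's fields as a dict (values lower-cased), or None."""
    m = CMD.match(line.strip())
    if m is None:
        return None
    return {k: (v or "").lower() for k, v in m.groupdict().items()}

def check_command(line):
    """List the problems in one command (an empty list means it looks usable)."""
    f = parse(line)
    if f is None:
        return ["not a recognised ospfv3 / ipv6 ospf encryption ipsec command"]
    problems = []
    if not 256 <= int(f["spi"]) <= 4294967295:
        problems.append(f"SPI {f['spi']} outside the valid range 256-4294967295")
    for alg, key, table in ((f["enc"], f["ekey"], ENC_KEY_HEX),
                            (f["auth"], f["akey"], AUTH_KEY_HEX)):
        if len(key) != table[alg]:
            problems.append(f"{alg} needs {table[alg]} hex digits, got {len(key)}")
        if alg.split()[0] in WEAK:
            problems.append(f"{alg} is weak; prefer aes-cbc 256 with sha1")
    return problems

def compare_peers(cmd_a, cmd_b):
    """Fields that differ between the two ends; any difference means no SA forms."""
    a, b = parse(cmd_a), parse(cmd_b)
    if a is None or b is None:
        return ["unparsable"]
    return [k for k in ("spi", "enc", "ekey", "auth", "akey") if a[k] != b[k]]

# Constructed sample for the R1/R2 pair (placeholder keys, not real material);
# R2_BAD differs from R1 only in the last hex digit of its SHA1 key.
R1 = ("ospfv3 encryption ipsec spi 256 esp aes-cbc 128 "
      "0123456789abcdef0123456789abcdef sha1 0123456789abcdef0123456789abcdef01234567")
R2_BAD = R1[:-1] + "8"
```

Running check_command on each router's line and compare_peers on the pair before pasting turns the "malformed packet" debug session into a one-line diff.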
Summary
In this document we looked at how OSPFv3 implements authentication, and even encryption, of its packets
to allow you to further secure your control plane by hiding the details of the packets exchanged. We also
explored the high-level packet details of OSPF and saw that the original authentication fields have been
completely removed, with authentication and encryption now handled in IPv6. Finally, we verified the
configurations that we implemented and looked at some key output that could be useful in troubleshooting
situations where our adjacencies don't come back up after applying the configuration.
If you wish to see more information about this then please review Cisco's configuration guide:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-mt/iro-15-mt-book/ip6-route-ospfv3esp.html
Hope This Helps,
Josh