
OSPFv3 - Authentication & IPSec Encryption

In this document I aim to show you how to implement and verify authentication and encryption of OSPFv3
adjacencies so you can improve the security of your control-plane protocol. I will be using the newer
command syntax to do this; however, please be advised that the same approach works with the regular
IPv6-only OSPF syntax. Please also note that OSPFv2 authentication follows a different syntax, and that IPsec
encryption of the control plane is, as of writing, only supported in OSPFv3.

Prerequisites

Understanding of OSPF operations
Understanding of OSPFv2 Authentication
Basic understanding of IPsec requirements
Knowledge of OSPFv3 Multi-AF mode is advised though not necessary

Authentication and Encryption - What's the Difference?

An important point to make, and one that often causes confusion, is the difference between authentication
and encryption. They are considerably different tasks, but they are often used together, which leads to the
difficulty in defining what each one does. Authentication is the process of saying who you are and proving
it. If I say my name is Josh and provide you with government-issued photo ID, then you can see that I am
telling the truth. Authentication on the network is no different. In almost all routing protocols we want to form
adjacencies and exchange routes only with devices we trust, and authentication fulfils this part. The downside
is that the information exchanged during authentication is still visible to anyone snooping the traffic. They
could easily capture it and try to impersonate others, much as someone can perform identity theft. Encryption
is the technology that then allows us to scramble the data as we send it, so that only those who know how to
make sense of that data (devices holding the decryption key) can read it. Unfortunately most protocols don't
support encryption, as they don't need it. OSPFv3, however, does, and that is what we will be exploring in this
document.

OSPFv3 Authentication & Encryption

Interestingly enough, OSPFv3 has no built-in authentication or encryption mechanism. In fact, if you compare
an OSPFv3 hello packet with an OSPFv2 hello packet, you will see that the authentication fields have been
removed. For example, see the following:

2015 Cisco and/or its affiliates. All Rights Reserved.


This document is Cisco Public Information.

Generated on 2015-05-24-07:00
1

[Figure: comparison of the OSPFv2 and OSPFv3 packet headers. Source: http://flylib.com/books/2/297/1/html/2/images/12fig19.jpg]
The reason for this is that OSPFv3 utilises the encryption and authentication integration built into IPv6 to
protect the protocol. This means that the packets are encrypted and authenticated at layer 3 (IP), as opposed
to at the application layer within OSPF itself. This does, however, come with some disadvantages. IPv6
currently doesn't support ISAKMP for the dynamic generation and exchange of the symmetric keying material
used to encrypt the data, but rather supports only native IPsec. As a result, you will need to specify the keying
material manually on each neighbour, and key changes will also need to be done manually, as opposed to
being completed automatically via ISAKMP.

In order to demonstrate the configuration of OSPFv3 authentication and encryption, I will be using the following
topology, which has already been pre-configured to operate without any authentication or encryption applied.


To prove that this is operational, I will perform a ping from R1's loopback to R2. As with any routing-protocol
authentication configuration, it is important to verify that the normal adjacency and reachability are established
before adding authentication or encryption. This makes troubleshooting easier later, because anything that
goes wrong afterwards can then be attributed to the authentication or encryption configuration.

Authentication & Encryption Under the Interface

The simplest option is to enable authentication and encryption at the interface level. This gives you the
flexibility of specifying a different cryptographic key for each interface. Note: since you are performing
encryption, be mindful of the performance impact of maintaining multiple keys.



The command works by specifying whether you wish to perform encryption (which includes authentication)
or just authentication. Upon specifying encryption, you then set up the IPsec parameters manually: the SPI
(Security Parameter Index), the encryption algorithm and its key length. You then need to specify a
hexadecimal encryption key and a hexadecimal authentication key. Context-sensitive help is crucial here, as it
shows you how many hex characters each key requires. After the command is accepted, you should see that
cryptography is enabled. Once this has been completed, copy and paste the same command to the other
router. The adjacency should then be restored, or, if you completed this before the dead timer expired, the
dead timer should simply be reset.
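As an added example (not configuration from the original document), the interface-level commands described above, written out for both routers so the copy-and-paste step is visible. The interface names, OSPFv3 process ID, area number, SPI values and the hex keys are all assumptions constructed for this lab; the keys in particular are constructed sample values, so generate your own random keys for a real deployment. The authentication-only variant and the older `ipv6 ospf` syntax are shown as comments.

```ios
! R1 -- constructed example; interface, process ID, area, SPI and keys are assumptions.
! AES-CBC 128 requires a 32-hex-character key; SHA1 requires a 40-hex-character key.
! Keys below are constructed sample values for this lab only.
interface GigabitEthernet0/0
 ospfv3 1 ipv6 area 0
 ospfv3 encryption ipsec spi 256 esp aes-cbc 128 a1b2c3d4e5f60718293a4b5c6d7e8f90 sha1 0f1e2d3c4b5a69788796a5b4c3d2e1f00a1b2c3d
!
! Authentication-only alternative (integrity and origin, no confidentiality):
! ospfv3 authentication ipsec spi 257 sha1 0f1e2d3c4b5a69788796a5b4c3d2e1f00a1b2c3d
!
! Equivalent older IPv6-only syntax for the encryption line:
! ipv6 ospf encryption ipsec spi 256 esp aes-cbc 128 a1b2c3d4e5f60718293a4b5c6d7e8f90 sha1 0f1e2d3c4b5a69788796a5b4c3d2e1f00a1b2c3d

! R2 -- the SA is identified by its SPI, so SPI, algorithms and both keys must match R1 exactly.
interface GigabitEthernet0/0
 ospfv3 1 ipv6 area 0
 ospfv3 encryption ipsec spi 256 esp aes-cbc 128 a1b2c3d4e5f60718293a4b5c6d7e8f90 sha1 0f1e2d3c4b5a69788796a5b4c3d2e1f00a1b2c3d
```

Apply the R1 lines first, then paste the R2 lines within the dead interval if you want to avoid the adjacency dropping; afterwards confirm the neighbour with show ospfv3 neighbor (or show ipv6 ospf neighbor) and the SA with show crypto ipsec sa, as described in the Verification section.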

Authentication & Encryption for the Area

Similarly, you can enforce encryption and authentication for the entire area by issuing a command under the
router process itself. The syntax is almost identical; however, instead of the command beginning with the OSPF
process keyword under the interface, you simply specify the area in which you wish to enforce encryption and
authentication.
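As an added example (not configuration from the original document), the area-level form of the same command. The process ID, area number, SPI and keys are assumptions; the keys are constructed sample values for this lab only. The authentication-only variant and the older `ipv6 router ospf` syntax are shown as comments.

```ios
! R1 -- constructed example; process ID, area, SPI and keys are assumptions.
! The same lines must be applied on every router in area 0 with an identical SPI and keys.
router ospfv3 1
 area 0 encryption ipsec spi 300 esp aes-cbc 128 a1b2c3d4e5f60718293a4b5c6d7e8f90 sha1 0f1e2d3c4b5a69788796a5b4c3d2e1f00a1b2c3d
!
! Authentication-only alternative for the whole area:
! area 0 authentication ipsec spi 301 sha1 0f1e2d3c4b5a69788796a5b4c3d2e1f00a1b2c3d
!
! Equivalent older IPv6-only syntax:
! ipv6 router ospf 1
!  area 0 encryption ipsec spi 300 esp aes-cbc 128 a1b2c3d4e5f60718293a4b5c6d7e8f90 sha1 0f1e2d3c4b5a69788796a5b4c3d2e1f00a1b2c3d
```

Because every interface in the area now shares one key set, a key rotation touches every router in the area at once; plan the change so that all neighbours are updated within the dead interval, or accept that adjacencies will drop until the last router is updated.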

Verification

As with any IPsec implementation, the negotiated parameters can fail, and therefore some verification is
necessary to validate what you have done. The first check is to see whether your neighbour has come back
up after being dropped. This can be done with your usual show ipv6 ospf neighbor or show ospfv3
neighbor command.


If the neighbour isn't shown, then your IPsec most likely didn't negotiate properly. The next step is then to
verify whether your SA has been established and that packets are being encapsulated and decapsulated.
show crypto ipsec sa will reveal this information. Note that this command can produce quite a bit of output
depending on how many SAs exist, so filter it by the interface you wish to see.

Below is the output you wish to see where packets are being encrypted and encapsulated.


Should this output show nothing, then your SA hasn't been established, in which case a configuration error
is most likely the cause. debug crypto ipsec may reveal where the process fails; however, the cause should
always come down to a mismatched key. This is normally indicated by an error message along the lines of
"malformed packet".

Summary


In this document we looked at how OSPFv3 implements authentication and even encryption of its packets,
allowing you to further secure your control plane by hiding the details of the packets exchanged. We also
explored the high-level packet details of OSPF and saw that the original authentication sections have been
completely removed and that authentication and encryption are now performed in IPv6. Finally, we verified the
configurations that we implemented and looked at some key output that can be useful in troubleshooting
situations where our adjacencies don't come back up after applying the configuration.

If you wish to see more information about this, please review Cisco's configuration guide:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_ospf/configuration/15-mt/iro-15-mt-book/ip6-route-ospfv3esp.html
Hope This Helps,
Josh
