Dell S4148U-ON OS10 Enterprise Edition User Guide Release 10.4.0E R2 - Page 378

OSPFv3 IPsec authentication and encryption Unlike OSPFv2, OSPFv3 does not have authentication fields in its protocol header to provide security. To provide authentication and confidentiality, OSPFv3 uses IP Security (IPsec) - a collection of security protocols for authenticating and encrypting data packets. OS10 OSPFv3 supports IPsec using the IPv6 authentication header (AH) or IPv6 encapsulating security payload (ESP). • AH authentication verifies that data is not altered during transmission and ensures that users are communicating with the intended individual or organization. The authentication header is inserted after the IP header with a value of 51. MD5 and SHA1 authentication types are supported; encrypted and unencrypted keys are supported. • ESP encryption encapsulates data, enabling the protection of data that follows in the datagram. The ESP extension header is inserted after the IP header and before the next layer protocol header. 3DES, DES, AES-CBC, and NULL encryption algorithms are supported; encrypted and unencrypted keys are supported. Apply IPsec authentication or encryption on a physical, port-channel, or VLAN interface or in an OSPFv3 area. Each configuration consists of a security policy index (SPI) and the key used to validate OSPFv3 packets. After you configure an IPsec protocol for OSPFv3, IPsec operation is invisible to the user. You can only enable one security protocol (authentication or encryption) at a time on an interface or for an area. Enable IPsec AH with the ipv6 ospf authentication command; enable IPsec ESP with the ipv6 ospf encryption command. • A security policy configured for an area is inherited by default on all interfaces in the area. • A security policy configured on an interface overrides any area-level configured security for the area to which the interface is assigned. • The configured authentication or encryption policy is applied to all OSPFv3 packets transmitted on the interface or in the area. The IPsec security associations are the same on inbound and outbound traffic on an OSPFv3 interface. • There is no maximum AH or ESP header length because the headers have fields with variable lengths. Configure IPsec authentication on interfaces Prerequisite: Before you enable IPsec authentication on an OSPFv3 interface, first enable IPv6 unicast routing globally, configure an IPv6 address and enable OSPFv3 on the interface, and assign it to an area. The SPI value must be unique to one IPsec security policy (authentication or encryption) on the router. You cannot configure the same SPI value on another interface even if it uses the same authentication or encryption algorithm. You cannot use an IPsec authentication type (MD5 or SHA-1) and the null setting at same time on an interface. These settings are mutually exclusive. • Enable IPsec authentication for OSPFv3 packets in Interface mode. ipv6 ospf authentication {null | ipsec spi number {MD5 | SHA1} key} • null - Prevent an authentication policy configured for the area to be inherited on the interface. This parameter is only used if you configure IPsec area authentication. • ipsec spi number - Enter a unique security policy index (SPI) value (256 to 4294967295). • md5 - Enable message digest 5 (MD5) authentication. • sha1 - Enable secure hash algorithm 1 (SHA-1) authentication. • key - Enter the text string used in the authentication type. All neighboring OSPFv3 routers must share the key to exchange information. Only a non-encrypted key is supported. For MD5 authentication, the non-encrypted key must be 32 plain hex digits. For SHA-1 authentication, the non-encrypted key must be 40 hex digits. An encrypted key is not supported. To delete an IPsec authentication policy, use the no ipv6 ospf authentication ipsec spi number or no ipv6 ospf authentication null command. Configure IPsec authentication on interface OS10(conf-if-eth1/1/1)# ipv6 ospf authentication ipsec spi 400 md5 12345678123456781234567812345678 378 Layer 3