In this lesson, we’ll configure and verify OSPFv3 Authentication and Encryption.
OSPFv3 doesn’t have any “built in” mechanisms for Authentication or Encryption. It uses IPv6’s Internet Protocol Security (IPSec).
OSPFv3 Authentication and Encryption can be configured on links:
- Per area
- Per interface
- A combination of per area and per interface
IPSec offers two encapsulation types:
- Authentication Header (AH) - Provides authentication, but not encryption.
- Encapsulating Security Payload (ESP) - Provides authentication and encryption.
Enabling authentication and encryption is preferred as it protects from having a malicious actor use a network analyzer to "sniff" packets from the network and be able to see our sensitive information.
However, adding encryption can be significantly demanding on network resources. When selecting an encryption type and strength, it's important to balance security goals with the amount of network resources the encryption will consume.
In OSPFv3, IPSec key creation and key changes must to be done manually and the configuration command can be quite long and detailed. Use care and stay organized.
In this lesson, we'll do labs for authentication only and authentication with encryption in different OSPFv3 areas. We'll enable them by area, per interface and a combination of per area and per interface. This will give you a strong foundation for implementing authorization and/or encryption on various topologies.
Configuration and Verification
We’ll be using the same topology and basic configuration from the lab in the Basic OSPFv3 Configuration and Verification lesson:
OSPFv3 authentication and/or encryption will be deployed as follows:
- Area 0: Authentication only. Combination of per area and per interface.
- Area 1: Authentication and encryption. Per interface only.
- Area 2: Authentication and encryption. Combination of per area and per interface.
Before issuing any configuration commands, let’s ensure that we have proper connectivity between R1’s loopback and R4’s loopback. This way if we do have an issue, we can be confident it's due to our new configurations and is not due to a pre-existing issue.
R-1#ping 2001:4::4 source 2001:1::1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:4::4, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 3/4/9 ms
Now that we know we have verified this connectivity, let’s begin by configuring OSPFv3 authentication in the Backbone Area.
Authentication Only: Per Area and Per Interface
There may be circumstances where enabling encryption may be too demanding on network resources. In these cases, we may want to enable authentication only.
In Area 0, let's begin on R-2 and configure authentication only by enabling per area.
First, enter OSPFv3 router configuration mode:
R-2(config)#conf t R-2(config)#router ospfv3 6 R-2(config-router)#
Notice that issuing the router ospfv3 6 command brought us to router configuration mode.
The authentication command is long so let's walk through it:
- The command begins with specifying the area ID, authentication and IPSec:
R-2(config-router)#area 0 authentication ipsec
- Next we need to specify the Security Policy Index (SPI). The SPI is simply a number that acts as a key for the interfaces on either side of the link for authentication. It's encapsulated with Authentication Header (AH) protocol. The key number can be any number between the range shown below:
R-2(config-router)#area 0 authentication ipsec spi ? <256-4294967295> SPI R-2(config-router)#area 0 authentication ipsec spi 2323
I chose 2323 as the SPI because the key is to be used between R-2 and R-3. Each link must have a unique SPI.
Let's see what our next option is for this command:
R-2(config-router)#area 0 authentication ipsec spi 2323 ? md5 Use MD5 authentication sha1 Use SHA-1 authentication
Here we can choose a hashing algorithm for the key. md5 is weak. SHA-1 is more secure and I'm sure my network resources can handle it:
R-2(config-router)#area 0 authentication ipsec spi 2323 sha1 ? 0 The key is not encrypted (plain text) 7 The key is encrypted Hex-string SHA-1 key (40 chars)
Notice that we have the option of whether we want to encrypt the key. This option would encrypt the key within the running-configuration. This protects us from an "Over the Shoulder Attack" - we wouldn't want someone to easily be able to see and remember the key.
We could also just enter the Hex-string key. If we did this, the default of 0 would be used to indicate that we don't want to encrypt for the running-configuration.
Notice that the Hex-string must be exactly 40 characters. If we added the 7 for encryption the required characters for the hex-string would increase:
R-2(config-router)#area 0 authentication ipsec spi 2323 sha1 7 ? Hex-string Encrypted SHA-1 key (82 chars)
Now the hex-string must be 82 characters!
Pro Tip: Choosing the hashing algorithm (md5 or SHA-1) and whether to encrypt the key for the running configuration (by choosing a 0 or 7) effect the required key length. Be sure to use the ? to check the required key length just before entering the key. If you forget, the command won't be accepted and the router will provide an message.
For this lab, I'm not going to encrypt for the running-configuration:
R-2(config-router)#$ 2323 sha1 0 0123456789abcdef0123456789abcdef01234567 *Jun 16 02:07:52.595: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON *Jun 16 02:08:27.787: %OSPFv3-5-ADJCHG: Process 6, IPv6, Nbr 126.96.36.199 on GigabitEthernet0/1 from FULL to DOWN, Neighbor Down: Dead timer expired
Notice the command is too long for us too see it in the CLI. What I entered was this:
area 0 authentication ipsec spi 2323 sha1 0 0123456789abcdef0123456789abcdef01234567
The output shows us ISAKMP has been turned on.
We can also see that the adjacency with R-3 has changed from FULL to DOWN. This makes sense because authentication hasn't been configured on the other side of the link. The adjacency will be brought back up when we configure the other side of the link on R-3.
The link on R-3 that connects to R-2 must also be authentication only. While R-2 was configured per area, we can configure this side of the link per interface:
R-3(config)#int g0/0 R-3(config-if)#$spi 2323 sha1 0 0123456789abcdef0123456789abcdef01234567 *Jun 16 04:25:21.912: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON *Jun 16 04:25:27.851: %OSPFv3-5-ADJCHG: Process 6, Nbr 188.8.131.52 on GigabitEthernet0/0 from LOA DING to FULL, Loading Done
Since we can't see the entire command on the CLI I have it here:
ipv6 ospf authentication ipsec spi 2323 sha1 0 0123456789abcdef0123456789abcdef01234567
After entering the configuration, the adjacency is back to FULL.
For further verification:
R-3(config-router)#do sh ospfv3 neighbor OSPFv3 6 address-family ipv6 (router-id 184.108.40.206) Neighbor ID Pri State Dead Time Interface ID Interface 220.127.116.11 1 FULL/BDR 00:00:36 3 GigabitEthernet0/0 18.104.22.168 1 FULL/DR 00:00:38 2 GigabitEthernet0/1
R-1#ping 2001:4::4 source 2001:1::1 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 2001:4::4, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
We’ve successfully configured and verified OSPFv3 authentication in Area 0 by using a combination of per area and per interface configurations.
Authentication and Encryption
The command for authentication and encryption is similar to authentication only.
Area 1: Authentication and Encryption Enabled Per Interface
In area 1, we’ll enable authentication and encryption on the link between R-1 and R-2 per interface.