IPsec Authentication

IPsec is a framework for securing private communication over IP networks and is based on standards developed by the Internet Engineering Task Force (IETF). IPsec provides security services at the network layer of the Open Systems Interconnection (OSI) model: a system selects the security protocols it requires, determines the algorithms to use for those services, and puts in place the cryptographic keys needed to provide them. IPsec can protect one or more paths between a pair of hosts, between a pair of security gateways (such as routers or switches), or between a security gateway and a host.

ExtremeXOS supports IPv6 Encapsulating Security Payload (ESP) in transport mode to authenticate OSPFv3 packets. ESP is used with NULL encryption, so OSPFv3 protocol packets are authenticated but never encrypted. A transport mode Security Association (SA) is normally used between two hosts, or between routers/gateways that are acting as hosts; OSPFv3 routers take the role of hosts here because protocol packets are generated and consumed locally. In transport mode the ESP integrity check covers only the ESP header, the OSPFv3 packet and the ESP trailer: the IPv6 header, extension headers and options are not authenticated, so their contents are not protected against modification.

OSPFv3 exchanges both multicast and unicast packets. When OSPFv3 runs over a broadcast interface, the required authentication is "one to many": a Hello multicast by one router must be verifiable by every other router on the link. IKE is built on the Diffie-Hellman key agreement protocol and works only between two communicating parties, so it cannot establish the one-to-many SAs needed here. RFC 4552 therefore mandates manual keying with the current IPsec implementation: SAs are statically installed on the routers, and these static SAs authenticate the packets. Using different security associations for inbound and outbound traffic does not scale and is practically infeasible for one-to-many protection, so RFC 4552 requires implementations to use manually configured keys with the same SA parameters (for example, Security Parameter Index (SPI), keys, and so forth) for both the inbound and the outbound SA. In practice this means every router attached to a link is configured with the same SPI, algorithm and key.
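To make concrete what transport-mode ESP does and does not cover, and why one SA serves every router on a link, here is an added Python example; it is not ExtremeXOS code and not from the original page. It builds an ESP transport-mode encapsulation of a constructed OSPFv3 Hello with NULL encryption and an HMAC-SHA1-96 ICV, as RFC 4303/RFC 2404 describe and RFC 4552 requires, then shows three routers sharing one SA for both directions, detection of payload tampering, rejection by a router with a mistyped key, and that the outer IPv6 header lies outside the integrity check. The router IDs, addresses, key and SPI are constructed sample values; anti-replay checking and SA lookup by destination address are left out.

```python
import hashlib
import hmac
import struct

OSPF_PROTO = 89   # IPv6 Next Header value for OSPF (RFC 5340)
ESP_PROTO = 50    # IPv6 Next Header value for ESP (RFC 4303)
ICV_LEN = 12      # HMAC-SHA1-96 (RFC 2404): SHA-1 tag truncated to 96 bits

# Constructed sample key and SA table (not from any real device). One SA, SPI 256,
# installed identically on every router on the link and used for both directions.
SHARED_KEY = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
LINK_SA = {256: {"key": SHARED_KEY}}


def ospfv3_hello(router_id: bytes) -> bytes:
    """Minimal constructed OSPFv3 Hello (RFC 5340 A.3.1/A.3.2); checksum left at 0."""
    body = (struct.pack("!I", 1)          # interface ID
            + b"\x01"                     # router priority
            + b"\x00\x00\x13"             # options: R, E, V6 bits
            + struct.pack("!HH", 10, 40)  # HelloInterval, RouterDeadInterval
            + b"\x00" * 8)                # DR, BDR not yet elected
    header = (struct.pack("!BBH", 3, 1, 16 + len(body))  # version 3, type 1 (Hello), length
              + router_id + b"\x00" * 4                   # router ID, area 0
              + struct.pack("!HBB", 0, 0, 0))             # checksum, instance ID, reserved
    return header + body


def esp_encapsulate(spi: int, seq: int, ospf_pkt: bytes, key: bytes) -> bytes:
    """ESP transport mode, NULL encryption (RFC 2410), HMAC-SHA1-96 ICV (RFC 4303 section 3.3)."""
    pad_len = (-(len(ospf_pkt) + 2)) % 4              # right-align Pad Length/Next Header
    padding = bytes(range(1, pad_len + 1))            # RFC 4303 default pad bytes 1, 2, ...
    trailer = padding + struct.pack("!BB", pad_len, OSPF_PROTO)
    authenticated = struct.pack("!II", spi, seq) + ospf_pkt + trailer
    icv = hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


def esp_verify(esp_pkt: bytes, sa_table: dict) -> bytes:
    """Look up the inbound SA by SPI, check the ICV and return the OSPFv3 packet.
    Raises ValueError where a real receiver would silently drop the packet."""
    if len(esp_pkt) < 8 + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    spi = struct.unpack("!I", esp_pkt[:4])[0]
    sa = sa_table.get(spi)
    if sa is None:
        raise ValueError(f"no inbound SA for SPI {spi}")
    authenticated, icv = esp_pkt[:-ICV_LEN], esp_pkt[-ICV_LEN:]
    expected = hmac.new(sa["key"], authenticated, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: wrong key or modified packet")
    pad_len, next_hdr = struct.unpack("!BB", authenticated[-2:])
    if next_hdr != OSPF_PROTO:
        raise ValueError(f"unexpected next header {next_hdr}")
    return authenticated[8:len(authenticated) - 2 - pad_len]


def ipv6_packet(src: bytes, dst: bytes, esp_pkt: bytes) -> bytes:
    """Outer IPv6 header (40 bytes) carrying ESP; this header is NOT covered by the ICV."""
    return struct.pack("!IHBB16s16s", 0x60000000, len(esp_pkt), ESP_PROTO, 1, src, dst) + esp_pkt


def accepted(esp_pkt: bytes, sa_table: dict, expect: bytes) -> bool:
    try:
        return esp_verify(esp_pkt, sa_table) == expect
    except ValueError:
        return False


def demo_one_to_many() -> dict:
    """R1 multicasts a Hello; R2 and R3 verify it with the same SA they also use to reply."""
    r1_src = bytes.fromhex("fe80" + "00" * 13 + "01")        # constructed link-local address
    all_ospf = bytes.fromhex("ff02" + "00" * 13 + "05")      # ff02::5, AllSPFRouters
    hello = ospfv3_hello(bytes([1, 1, 1, 1]))
    wire = esp_encapsulate(256, 1, hello, SHARED_KEY)
    r2_hello = ospfv3_hello(bytes([2, 2, 2, 2]))
    results = {
        "r2_accepts": accepted(wire, LINK_SA, hello),
        "r3_accepts": accepted(wire, LINK_SA, hello),
        # R2 replies with the very same SA: inbound and outbound parameters are identical.
        "r1_accepts_reply": accepted(esp_encapsulate(256, 1, r2_hello, SHARED_KEY), LINK_SA, r2_hello),
        # A router whose key was mistyped cannot verify anything on the link.
        "wrong_key_rejected": not accepted(wire, {256: {"key": b"\x00" * 20}}, hello),
    }
    # Flipping a byte of the OSPFv3 router ID (inside ESP's scope) breaks the ICV ...
    tampered = bytearray(wire)
    tampered[8 + 4] ^= 0xFF
    results["payload_tamper_detected"] = not accepted(bytes(tampered), LINK_SA, hello)
    # ... but rewriting the outer IPv6 source address does not: transport-mode ESP
    # excludes the IPv6 header, extension headers and options from authentication.
    pkt = ipv6_packet(r1_src, all_ospf, wire)
    spoofed = ipv6_packet(bytes.fromhex("fe80" + "00" * 13 + "99"), all_ospf, pkt[40:])
    results["ipv6_header_unprotected"] = accepted(spoofed[40:], LINK_SA, hello)
    return results
```

The last result is the practical caveat behind "excluding the IPv6 header": ESP proves the OSPFv3 payload came from a holder of the shared key, not that the source address on the outer packet is genuine, so link-level controls on which addresses may reach the router still matter.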

Configuring OSPFv3 IPsec Authentication

To configure IPsec with a manual key to provide authentication for OSPFv3 interfaces, run the following command. The SPI, algorithm and key must be identical on every router attached to the interface, because each router uses the same SA for inbound and outbound traffic:

configure ospfv3 [{vlan} vlan-name | {tunnel} tunnel-name] authentication [none | ipsec spi spi esp-auth-algorithm algorithm key [key-string | encrypted encrypted-key-string]]

To configure IPsec with a manual key to provide authentication on OSPFv3 virtual-links, run the following command:

configure ospfv3 virtual-link {routerid} router-identifier {area} area-identifier authentication [none | ipsec spi spi esp-auth-algorithm algorithm key [key-string | encrypted encrypted-key-string]]
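As an added example that is not ExtremeXOS code and not part of this page, the following Python script renders the interface command above for each router on a link and lints the manual SAs before they are pushed, since a mismatched SPI or key on one router simply stops it from forming adjacencies with no cryptographic error visible in the protocol. Assumptions: the esp-auth-algorithm keyword sha1 and a 40-hex-digit key-string are illustrative and must be checked against the command reference for your ExtremeXOS release; the router/interface table is constructed sample data in a format chosen for this example.

```python
import re
from collections import defaultdict

SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF   # RFC 4303: SPIs 1-255 are reserved by IANA, 0 is for local use
KEY_HEX_LEN = {"sha1": 40}           # RFC 2404: HMAC-SHA1-96 uses a fixed 160-bit key (40 hex digits)
# The "sha1" keyword and the plain hex key-string format are assumptions for illustration;
# confirm both against the command reference for your ExtremeXOS release.


def validate_sa(sa: dict) -> list:
    """Problems with a single manual SA {spi, algorithm, key}; an empty list means well formed."""
    problems = []
    if not SPI_MIN <= sa["spi"] <= SPI_MAX:
        problems.append(f"SPI {sa['spi']} outside {SPI_MIN}-{SPI_MAX}")
    want = KEY_HEX_LEN.get(sa["algorithm"])
    if want is None:
        problems.append(f"unsupported algorithm {sa['algorithm']!r}")
    elif not re.fullmatch("[0-9a-fA-F]{%d}" % want, sa["key"]):
        problems.append(f"{sa['algorithm']} key must be {want} hex digits")
    return problems


def exos_command(kind: str, name: str, sa: dict) -> str:
    """Render the 'configure ospfv3 ... authentication ipsec ...' command for one interface."""
    return (f"configure ospfv3 {kind} {name} authentication ipsec spi {sa['spi']} "
            f"esp-auth-algorithm {sa['algorithm']} key {sa['key']}")


def lint(routers: dict) -> list:
    """routers: {router: {(kind, link): sa}}. Flags malformed SAs and links whose routers do not
    all share one (spi, algorithm, key), since RFC 4552 requires the same SA in both directions."""
    findings = []
    by_link = defaultdict(dict)
    for router, ifaces in routers.items():
        for (kind, link), sa in ifaces.items():
            for problem in validate_sa(sa):
                findings.append(f"{router} {kind} {link}: {problem}")
            by_link[(kind, link)][router] = (sa["spi"], sa["algorithm"], sa["key"])
    for (kind, link), members in by_link.items():
        if len(set(members.values())) > 1:
            findings.append(f"{kind} {link}: SA mismatch across {sorted(members)}; "
                            "all routers on a link must use identical SPI/algorithm/key")
    return findings


def commands(routers: dict) -> dict:
    """Per-router command lists, produced only when the lint is clean."""
    if lint(routers):
        raise ValueError("fix lint findings before generating configuration")
    return {r: [exos_command(k, n, sa) for (k, n), sa in ifaces.items()] for r, ifaces in routers.items()}


# Constructed sample inventory: R3 has a one-digit typo in the backbone key and R1's dmz SA
# uses a reserved SPI with a key that is far too short.
GOOD = {"spi": 256, "algorithm": "sha1", "key": "0123456789abcdef0123456789abcdef01234567"}
TYPO = {"spi": 256, "algorithm": "sha1", "key": "0123456789abcdef0123456789abcdef01234568"}
SHORT = {"spi": 100, "algorithm": "sha1", "key": "deadbeef"}
SAMPLE_ROUTERS = {
    "R1": {("vlan", "backbone"): GOOD, ("vlan", "dmz"): SHORT},
    "R2": {("vlan", "backbone"): GOOD},
    "R3": {("vlan", "backbone"): TYPO},
}
CLEAN_ROUTERS = {"R1": {("vlan", "backbone"): GOOD}, "R2": {("vlan", "backbone"): GOOD}}

if __name__ == "__main__":
    for finding in lint(SAMPLE_ROUTERS):
        print("FINDING:", finding)
    for router, cmds in commands(CLEAN_ROUTERS).items():
        print(router, "->", *cmds, sep="\n  ")
```

Running it prints three findings for the sample inventory (two for R1's dmz SA, one for the backbone key mismatch) and then the identical backbone command for R1 and R2; the key is emitted in the clear here, so on a real deployment generate it from a secrets store and prefer the encrypted key-string form when the configuration is saved or shared.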