OSPFv3 Authentication and Encryption

This topic is to discuss the following lesson:

Rene, do you have an IPSEC lesson?

Hi John,

I just published it; it’s a long story:

https://networklessons.com/security/ipsec-internet-protocol-security/

Let me know what you think of it.

Rene

Is the “0” or “7” option relating to whether or not the running-config file saves the key as encrypted or clear text?

Hello Chris

Options 0 and 7 refer to whether or not the key that is sent between the routers during the authentication process is encrypted. In order to encrypt the key in the configuration file, use the system password-encryption command. This command encrypts authentication key passwords among others.

I hope this has been helpful!

Laz

Hi,
does this mean IPsec is the only way to authenticate in OSPFv3?
I tried with the following and it worked:

R2#interface Ethernet0/0
no ip address
ipv6 address 2001::2/64
ospfv3 1 authentication key-chain CISCO
ospfv3 1 ipv6 area 0

R2#show ospfv3 ipv6
OSPFv3 1 address-family ipv6
Router ID 2.2.2.2
Active Key-chains:
  Key chain CISCO: Send key 1, Algorithm HMAC-SHA-1, Number of interfaces 1
    Area BACKBONE(0)

thanks

Edit: This post gives the idea that OSPFv3 does not support any authentication besides IPsec, but after checking, it does support the usual MD5 and HMAC that I mentioned above.
Samer.

Hi,
what about this command? R1(config-if)#ospfv3 encryption ipsec

Hi Samer,

This is interesting, I haven’t seen this before. It seems they added non-IPSec support later in OSPFv3:

https://tools.ietf.org/html/rfc7166

I’ll update the lesson to include this, it’s a valid method to configure authentication.

Rene

Hi Laz,

Does this mean we should be able to capture the key in clear text during the ESP exchange, if option 0 is used?

Thanks,
LP

Hi Rene,

The last screenshot seems to be another AH example, not an ESP packet.

BR,
LP

Hello Luis

Whether it’s configured as cleartext or encrypted affects only the way in which it has been saved within the configuration file. If it is cleartext, and you issue the show running-configuration command, you will be able to read the password. If it is encrypted, then the password in the configuration file itself is replaced with its encrypted form. During the ESP exchange, the key is always exchanged in a secure manner.

I hope this has been helpful!

Laz


Thanks LP, just replaced that screenshot.

Rene

Hi,

Is there an updated lesson containing the other non-IPsec authentication methods? I see in the posts above it was in the works…

Br,
Vlad

Hello Vlad,

I just tried this. Here are the configs:

hostname R1
!
ip cef
ipv6 unicast-routing
ipv6 cef
!
key chain OSPF_AUTHENTICATION
 key 1
  key-string MY_PASSWORD
  cryptographic-algorithm hmac-sha-1
!
interface GigabitEthernet0/1
 ipv6 enable
 ospfv3 1 authentication key-chain OSPF_AUTHENTICATION
 ospfv3 1 ipv6 area 0
!
router ospfv3 1
 !
 address-family ipv6 unicast
  router-id 1.1.1.1
 exit-address-family
!
end

hostname R2
!
ip cef
ipv6 unicast-routing
ipv6 cef
!
key chain OSPF_AUTHENTICATION
 key 1
  key-string MY_PASSWORD
  cryptographic-algorithm hmac-sha-1
!
interface GigabitEthernet0/1
 ipv6 enable
 ospfv3 1 authentication key-chain OSPF_AUTHENTICATION
 ospfv3 1 ipv6 area 0
!
router ospfv3 1
 !
 address-family ipv6 unicast
  router-id 2.2.2.2
 exit-address-family
!
end

When you configure the key-chain, only the hmac-sha options work. You can select MD5 but it won’t work.

The neighbor adjacency works fine:

R1#show ipv6 ospf interface 
GigabitEthernet0/1 is up, line protocol is up 
  Link Local Address FE80::F816:3EFF:FE6D:82A3, Interface ID 3
  Area 0, Process ID 1, Instance ID 0, Router ID 1.1.1.1
  Network Type BROADCAST, Cost: 1
  Cryptographic authentication enabled
    Sending SA: Key 1, Algorithm HMAC-SHA-1 - key chain OSPF_AUTHENTICATION

And instead of IPSec, OSPF now uses its own authentication header. You can see it in this capture:

https://www.cloudshark.org/captures/23eea41f6700

Rene
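Rene's capture above shows the RFC 7166 Authentication Trailer (AT) that replaces IPsec when `ospfv3 authentication key-chain` is used. As an added illustration (not code from this thread, networklessons.com, or Cisco), here is a minimal Python signer and verifier for that trailer over a constructed Hello packet; it assumes no LLS block between packet and trailer, the ASCII key-string as the HMAC key, and the hash input as I read RFC 7166 section 4.5 (IPv6 source address prepended, Authentication Data filled with Apad).

```python
import hmac, hashlib, struct, ipaddress

APAD = bytes.fromhex("878FE1F3") * 5     # RFC 7166 Apad: constant repeated L/4 times, L = 20 for SHA-1
AT_HDR = struct.Struct("!HHHHQ")         # Auth Type, Auth Data Len, Reserved, SA ID, 64-bit sequence number
AT_TYPE_HMAC = 1                         # "HMAC Cryptographic Authentication"

def at_trailer(sa_id, seq, digest):
    # Auth Data Len counts the 16-octet fixed part plus the digest
    return AT_HDR.pack(AT_TYPE_HMAC, AT_HDR.size + len(digest), 0, sa_id, seq) + digest

def hmac_input(src, pkt, sa_id, seq):
    # Assumption: the HMAC input is the IPv6 source address followed by the packet and the
    # trailer with Authentication Data set to Apad (my reading of RFC 7166 section 4.5)
    return ipaddress.IPv6Address(src).packed + pkt + at_trailer(sa_id, seq, APAD)

def sign(key, src, pkt, sa_id, seq):
    mac = hmac.new(key, hmac_input(src, pkt, sa_id, seq), hashlib.sha1).digest()
    return pkt + at_trailer(sa_id, seq, mac)

def verify(key, src, wire, last_seq):
    """Return (ok, reason, seq); last_seq is the highest sequence number accepted from this neighbor."""
    if len(wire) < 16 or wire[0] != 3:
        return False, "not an OSPFv3 packet", None
    pkt_len = struct.unpack("!H", wire[2:4])[0]   # OSPFv3 header length excludes the AT
    pkt, at = wire[:pkt_len], wire[pkt_len:]     # assumes no LLS block sits between them
    if len(at) < AT_HDR.size:
        return False, "no authentication trailer", None
    a_type, a_len, _, sa_id, seq = AT_HDR.unpack_from(at)
    if a_type != AT_TYPE_HMAC or a_len != AT_HDR.size + 20 or len(at) != a_len:
        return False, "bad trailer type or length", seq
    if seq <= last_seq:                           # replay protection via the 64-bit sequence number
        return False, "replayed sequence number", seq
    expected = hmac.new(key, hmac_input(src, pkt, sa_id, seq), hashlib.sha1).digest()
    if not hmac.compare_digest(expected, at[AT_HDR.size:]):
        return False, "HMAC mismatch", seq
    return True, "ok", seq

def sample_hello():
    # Constructed OSPFv3 Hello from router-id 1.1.1.1: 16-byte header + 20-byte body,
    # AT-bit (0x000400) set in Options; checksum left at zero in this sample
    options = (0x000400 | 0x13).to_bytes(3, "big")
    body = struct.pack("!IB3sHHII", 5, 1, options, 10, 40, 0, 0)
    hdr = struct.pack("!BBHIIHBB", 3, 1, 16 + len(body), 0x01010101, 0, 0, 0, 0)
    return hdr + body

if __name__ == "__main__":
    wire = sign(b"MY_PASSWORD", "fe80::1", sample_hello(), 1, 42)
    print(verify(b"MY_PASSWORD", "fe80::1", wire, 41))   # (True, 'ok', 42)
    print(verify(b"MY_PASSWORD", "fe80::2", wire, 41))   # spoofed source address -> HMAC mismatch
```

Because the sequence number and source address are covered by the HMAC, a replayed or re-sourced Hello fails verification even though the key never crosses the wire; this is why the key cannot be captured from the exchange itself, as Laz notes above.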

Hi,
I did a packet capture after configuring ESP and it appears the packets are being received on either end out of order, the same behavior I could see in the capture Rene posted. However, the communication is happening without issues as I have full adjacency. Just curious, is this the expected behavior?

Hello Philip

Can you specify which packets you see appearing out of order? Can you indicate which ones they are from Rene’s cloudshark capture?

Thanks!

Laz