OSPFv3 Authentication and Encryption

Hello,
Thanks lagapidis, just another question.
OSPFv3 doesn’t use a PKI or PSK for authentication.
How is the authentication ensured?
Thanks

Hello Houssem

OSPFv3 doesn’t inherently support authentication itself. OSPFv2 had authentication built in, with the related packet headers etc., but OSPFv3 relies on IPv6’s built-in authentication methods.

As stated in this Cisco documentation on the topic:

When OSPFv3 runs on IPv6, OSPFv3 requires the IPv6 authentication header (AH) or IPv6 ESP header to ensure integrity, authentication, and confidentiality of routing exchanges. IPv6 AH and ESP extension headers can be used to provide authentication and confidentiality to OSPFv3.

The security policy itself is a combination of the SPI and the key (which is the key used to create and validate the hash value). This, in essence, within the framework of IPsec, is PSK.

I hope this has been helpful!

Laz
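
The SPI-plus-key relationship described in the reply above, shown as an added example that is not part of the original posts or of Cisco's documentation. It assumes HMAC-SHA1-96 as the algorithm and a simplified integrity check value computed over the SPI, sequence number and payload only (a real AH ICV also covers IP header fields); the SPI value, keys and payload are constructed.

```python
import hashlib
import hmac
import struct

ICV_LEN = 12  # HMAC-SHA1-96: HMAC-SHA1 output truncated to 96 bits

def icv(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """Simplified ICV: HMAC-SHA1-96 over SPI, sequence number and payload."""
    msg = struct.pack("!II", spi, seq) + payload
    return hmac.new(key, msg, hashlib.sha1).digest()[:ICV_LEN]

def protect(sad: dict, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender: look up the key by SPI, prepend SPI, sequence number and ICV."""
    header = struct.pack("!II", spi, seq)
    return header + icv(sad[spi], spi, seq, payload) + payload

def verify(sad: dict, packet: bytes):
    """Receiver: return the payload if the ICV validates, otherwise None."""
    if len(packet) < 8 + ICV_LEN:
        return None
    spi, seq = struct.unpack("!II", packet[:8])
    key = sad.get(spi)
    if key is None:
        return None  # no security association configured for this SPI
    received = packet[8:8 + ICV_LEN]
    payload = packet[8 + ICV_LEN:]
    expected = icv(key, spi, seq, payload)
    # Constant-time comparison avoids leaking how many ICV bytes matched.
    return payload if hmac.compare_digest(received, expected) else None

# Constructed sample values: each router holds a manually configured
# table mapping SPI -> pre-shared key.
KEY = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
R1_SAD = {256: KEY}
R2_SAD = {256: KEY}          # same SPI and key as R1
R3_SAD = {256: bytes(20)}    # same SPI, different key
HELLO = b"constructed OSPFv3 hello"

def demo() -> dict:
    pkt = protect(R1_SAD, 256, 1, HELLO)
    tampered = pkt[:-1] + bytes([pkt[-1] ^ 1])  # flip one payload bit
    return {
        "matching_key": verify(R2_SAD, pkt),
        "wrong_key": verify(R3_SAD, pkt),
        "unknown_spi": verify({257: KEY}, pkt),
        "tampered": verify(R2_SAD, tampered),
    }

if __name__ == "__main__":
    print(demo())
```

Only the receiver that holds the same key under the same SPI accepts the packet; a different key, an unknown SPI or a modified payload all fail validation.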

Hi team,
Let’s say one of the routers got compromised. Is there a way to hide the ESP Auth and Cipher keys?

Regards,
Vanilson Pedro

Hello Vanilson

There is no direct way to hide the ESP Auth and cipher keys in the configuration. It would be great if there were a command like the service password-encryption command which encrypts all of the plain text passwords in the config file, but there isn’t something similar for IPsec keys.

The solution to this is to ensure that the router doesn’t get compromised, and there are sufficient methods to ensure this.

I hope this has been helpful!

Laz