I went a bit fast when I posted this write-up: http://mellowd.co.uk/ccie/?p=1369
I think it's better to have a longer discussion about how OSPFv3 authentication SHOULD be set up to begin with, then show how it doesn't work without a security license.
Let's begin with regular IPv4. I've got two 1841s running and this is the config. This config is IDENTICAL whether you're using a base license or a security license, as the authentication is handled by OSPF's internal authentication.
Router1
interface FastEthernet0/0
 ip address 10.0.0.1 255.0.0.0
 duplex auto
 speed auto
!
router ospf 1
 router-id 10.0.0.1
 log-adjacency-changes
 network 10.0.0.1 0.0.0.0 area 0
Router2
interface FastEthernet0/0
 ip address 10.0.0.2 255.0.0.0
 duplex auto
 speed auto
!
router ospf 1
 router-id 10.0.0.2
 log-adjacency-changes
 network 10.0.0.2 0.0.0.0 area 0
They see each other?
1841test2#sh ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.1          1   FULL/BDR        00:00:38    10.0.0.1        FastEthernet0/0
Let’s authenticate. Again, you can do this on a base license.
interface FastEthernet0/0
 ip address 10.0.0.2 255.0.0.0
 ip ospf message-digest-key 1 md5 ipv4test
!
router ospf 1
 router-id 10.0.0.2
 area 0 authentication message-digest
 network 10.0.0.2 0.0.0.0 area 0
1841test2# sh ip ospf 1
! - removed
Area has message digest authentication
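As an added example (my code, not from the post), this is what "OSPF's internal authentication" actually computes for the key configured above: RFC 2328 Appendix D cryptographic authentication, an MD5 digest over the OSPF packet followed by the key zero-padded to 16 bytes, appended after the packet and verified by the receiver with the key id carried in the header. Router IDs, the /8 mask, key id 1 and the key ipv4test come from the configs above; the hello/dead timers and DR/BDR values are constructed placeholders.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

AU_CRYPT = 2  # AuType 2 = cryptographic authentication (RFC 2328 Appendix D.3)

def ospf_md5_digest(packet: bytes, key: bytes) -> bytes:
    """RFC 2328 D.4.3: MD5 over the OSPF packet followed by the key, zero-padded to 16 bytes."""
    if not 0 < len(key) <= 16:
        raise ValueError("OSPFv2 message-digest keys are 1 to 16 bytes")
    return hashlib.md5(packet + key.ljust(16, b"\x00")).digest()

def build_hello(router_id: str, area_id: str, key_id: int, seq: int, key: bytes) -> bytes:
    """Hello for 10.0.0.0/8 as in the post, followed by the 16-byte digest (not counted in length)."""
    body = struct.pack("!4sHBBI4s4s",
                       IPv4Address("255.0.0.0").packed,   # network mask
                       10, 0x02, 1, 40,                   # hello, options (E bit), priority, dead
                       IPv4Address(router_id).packed,     # DR: ourselves in this constructed packet
                       IPv4Address("0.0.0.0").packed)     # BDR
    length = 24 + len(body)
    # Authentication field for AuType 2: reserved(2) key id(1) auth data len(1) crypto sequence(4);
    # the standard checksum stays 0 because the digest covers the packet instead.
    header = struct.pack("!BBH4s4sHHHBBI", 2, 1, length,
                         IPv4Address(router_id).packed, IPv4Address(area_id).packed,
                         0, AU_CRYPT, 0, key_id, 16, seq)
    packet = header + body
    return packet + ospf_md5_digest(packet, key)

def verify_hello(frame: bytes, keys: dict) -> bool:
    """Receiver side: the digest sits after 'length' bytes; recompute it with the key id from the header."""
    if len(frame) < 24:
        return False
    ver, _type, length, _rid, _aid, _csum, autype, _res, key_id, auth_len, _seq = \
        struct.unpack("!BBH4s4sHHHBBI", frame[:24])
    if ver != 2 or autype != AU_CRYPT or auth_len != 16 or len(frame) != length + 16:
        return False
    key = keys.get(key_id)
    if key is None:  # unknown key id: drop the packet, as the router would
        return False
    return hmac.compare_digest(ospf_md5_digest(frame[:length], key), frame[length:])

if __name__ == "__main__":
    hello = build_hello("10.0.0.2", "0.0.0.0", 1, 1, b"ipv4test")  # message-digest-key 1 md5 ipv4test
    print(len(hello), verify_hello(hello, {1: b"ipv4test"}), verify_hello(hello, {1: b"other"}))
```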
Let's now move to IPv6 and OSPFv3. This is a regular setup without authentication:
ipv6 unicast-routing
ipv6 cef
!
interface FastEthernet0/1
 no ip address
 ipv6 address 2001:DB8::/64 eui-64
 ipv6 ospf 1 area 0
!
ipv6 router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
Router2
ipv6 unicast-routing
ipv6 cef
!
interface FastEthernet0/1
 no ip address
 ipv6 address 2001:DB8::/64 eui-64
 ipv6 ospf 1 area 0
!
ipv6 router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
1841test1#sh ipv6 ospf neighbor
Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
2.2.2.2           1   FULL/BDR        00:00:39    4               FastEthernet0/1
Let's now add authentication. In order to do so we use the interface-specific "ipv6 ospf authentication ipsec" command.
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:DB8::/64 eui-64
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 512 sha1 5C4070ED005A378F1529065802B4B5BF44032A0F
We immediately see the following error as the other side has no authentication set up:
#:%IPSECV6-4-RECVD_PKT_NOT_IPSECV6: Rec'd packet not an IPSEC packet.
(ip) dest_addr= FF02::5, src_addr= FE80::6616:8DFF:FECB:C32B, prot= 89
Let’s fix it quick:
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:DB8::/64 eui-64
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 512 sha1 5C4070ED005A378F1529065802B4B5BF44032A0F
Comes straight up again:
#:%OSPFv3-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/1 from LOADING to FULL, Loading Done
This is all great, until you realise that you can NOT set ipsec authentication without an expensive security license!
This is a router with a security license:
1841test1(config-if)#ipv6 ospf ?
<1-65535> Process ID
authentication Enable authentication
cost Interface cost
database-filter Filter OSPF LSA during synchronization and flooding
dead-interval Interval after which a neighbor is declared dead
demand-circuit OSPF demand circuit
flood-reduction OSPF Flood Reduction
hello-interval Time between HELLO packets
mtu-ignore Ignores the MTU in DBD packets
neighbor OSPF neighbor
network Network type
priority Router priority
retransmit-interval Time between retransmitting lost link state advertisements
transmit-delay Link state transmit delay
This is a 1941 with a base license:
1941test(config-if)#ipv6 ospf ?
<1-65535> Process ID
cost Route cost of this interface
database-filter Filter OSPF LSA during synchronization and flooding
dead-interval Interval after which a neighbor is declared dead
demand-circuit OSPF demand circuit
flood-reduction OSPF Flood Reduction
hello-interval Time between HELLO packets
mtu-ignore Ignores the MTU in DBD packets
network Network type
priority Router priority
retransmit-interval Time between retransmitting lost link state advertisements
I've been practising my Catalyst 3560 QoS a lot recently. Not only is it a major topic on the CCIE exam, I also happen to use 3560s daily in my workplace.
QoS on the 3560 is a completely different beast from QoS on a regular IOS router. This is probably why it's 'difficult', as it's customised towards a single platform.
There are a couple of things I’m not happy about. One is that my policy-maps don’t show exactly what’s going on. I’ll give you an example.
This is my topology:

Note that as I'm on my laptop, which doesn't have Visio, I've used Gliffy's online drawing app to create this image.
The goal here is that I want to mark traffic coming from Laptop2 (fa0/1) as CS1 and Laptop3 (fa0/8) as CS4. This is the simple configuration I put together:
access-list 100 permit ip any any
class-map match-all INT1ANY
 match access-group 100
class-map match-all INT8ANY
 match access-group 100
!
!
policy-map MARK1
 class INT1ANY
  set dscp cs1
policy-map MARK8
 class INT8ANY
  set dscp cs4
!
!
interface FastEthernet0/1
 load-interval 30
 service-policy input MARK1
!
interface FastEthernet0/8
 load-interval 30
 service-policy input MARK8
Right, let’s generate some traffic. I’m going to use iperf to send loads of traffic from laptop2.
I now want to see what’s happening on fa0/1. It should be matching everything and remarking them to CS1, but I see nothing!
3560Test#sh policy-map int fa0/1
FastEthernet0/1
Service-policy input: MARK1
Class-map: INT1ANY (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: access-group 100
Class-map: class-default (match-any)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
0 packets, 0 bytes
30 second rate 0 bps
Zilch, nada, nothing!
What about fa0/8?
3560Test#sh policy-map int fa0/8
FastEthernet0/8
Service-policy input: MARK8
Class-map: INT8ANY (match-all)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: access-group 100
Class-map: class-default (match-any)
0 packets, 0 bytes
30 second offered rate 0 bps, drop rate 0 bps
Match: any
0 packets, 0 bytes
30 second rate 0 bps
Again, the service policy says we are not matching or doing anything. But is this really true? Let's fire up Wireshark on Laptop1 and look at the markings as the packets come in.
This is the output for traffic coming from Laptop2 (check the highlighted section):

This is the output for traffic coming from Laptop3:

The Wireshark capture proves that the 3560 IS classifying and marking traffic, but the show policy-map interface commands above are showing nothing.
Anyone have any ideas?
While going through the CCIE 4th edition cert guide, I've come across something that is potentially a very big problem. Currently, if you want to authenticate OSPF and EIGRP neighbours you can do so via plain-text or MD5 passwords. With IPv6 you need to use OSPFv3 and EIGRP for IPv6. Here's where it gets bad. OSPFv3 does NOT give you the option to use authentication in the OSPFv3 configuration section. Rather, it relies on IPv6's inherent authentication properties.
However!
In order to use IPv6's authentication properties, you NEED a crypto license on your device. This means you can no longer authenticate OSPF for IPv6 with a base license IOS. EIGRP, on the other hand, still allows you to authenticate with MD5 and plain-text. Let's put this to the test.
I’ve got a vanilla Cisco 1941 here with the base license.
1941test(config-if)#ipv6 ospf ?
<1-65535> Process ID
cost Route cost of this interface
database-filter Filter OSPF LSA during synchronization and flooding
dead-interval Interval after which a neighbor is declared dead
demand-circuit OSPF demand circuit
flood-reduction OSPF Flood Reduction
hello-interval Time between HELLO packets
mtu-ignore Ignores the MTU in DBD packets
network Network type
priority Router priority
retransmit-interval Time between retransmitting lost link state advertisements
transmit-delay Link state transmit delay
What I’m looking for is the ipv6 ospf authentication ipsec command. As I have no security license, it’s not there.
1941test(config-router)#ipv6 router ospf 1
1941test(config-rtr)#area 0 ?
  default-cost  Set the summary default-cost of a NSSA/stub area
  nssa          Specify a NSSA area
  range         Summarize routes matching address/mask (border routers only)
  stub          Specify a stub area
No area 0 authentication option!
Interestingly enough, EIGRP for IPv6 still uses EIGRP’s internal authentication algorithm.
interface GigabitEthernet0/1
 ip address 10.0.4.254 255.255.255.252
 ipv6 address 2001:D08::C671:FEFF:FE65:55A1/64
 ipv6 eigrp 1
 ipv6 authentication mode eigrp 1 md5
 ipv6 authentication key-chain eigrp 1 chain
!
key chain chain
 key 1
  key-string 7 010703174F
The problem with authentication being left to IPv6 itself is shown in this very example. As far as I can see, unless you're buying an expensive security license for each and every OSPF router, you can forget about authenticating your OSPF adjacencies!
I hope I’m mistaken. If anyone has a way of getting it to work, I’d like to know.
Updated post here: http://mellowd.co.uk/ccie/?p=1421
We’re busy implementing IPv6 on our BGP edges and eventually in our core at the moment. It’s pretty easy in the IPv4 world to work out what addresses are what, but there are loads more in IPv6.
I’ve decided to list the current assigned and reserved IPv4 and IPv6 address spaces here. Note that this list is still a work in progress, especially on the IPv6 side of things.
Let’s start with IPv4. Most of you should know most of the reserved ranges, but there may be a few you didn’t know about.
IPv4
Reserved:
0.0.0.0/8 – RFC1700
127.0.0.0/8 – Loopback
Internal private ranges (RFC1918)
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16
Documentation (RFC5737)
192.0.2.0/24
198.51.100.0/24
203.0.113.0/24
Multicast (RFC5771, RFC6034 & RFC2365)
224.0.0.0/8 – 239.0.0.0/8
‘Future use’ – will never be used
240.0.0.0/8 – 255.0.0.0/8
255.255.255.255 is reserved for limited broadcast (RFC919 and RFC922)
IPv6
Now let's check IPv6. The current Global Unique (aka public IP) range is 2000::/3. That means any address from 2000:0000:0000:0000:0000:0000:0000:0000 to 3FFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF is a global unique unicast address. However, RFC3849 deems it fit to assign 2001:0DB8::/32 as non-routable, to be used for documentation. Why they couldn't use a range outside 2000::/3 is beyond me.
The following are all reserved by the IETF (RFC4291, RFC4048 and RFC3879):
0100::/8
0200::/7
0400::/6
0800::/5
1000::/4
4000::/3
6000::/3
8000::/3
A000::/3
C000::/3
E000::/4
F000::/5
F800::/6
FE00::/9
FEC0::/10
Unique Local Unicast addresses (RFC4193)
FC00::/7
Link Local Unicast addresses (RFC4291)
FE80::/10
Multicast addresses (RFC4291)
FF00::/8
Loopback address
::1
Default route
::/0
6to4 tunnels
2002::/16
Teredo (RFC4380)
2001::/32
Unspecified
::
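Added example (my code, not part of the post): the list above turned into a longest-prefix classifier with Python's ipaddress module. covering_ranges also shows the overlap complained about above, where 2001:DB8::/32 sits inside the 2000::/3 global range. The two /8-to-/8 spans for multicast and future use are written as their /4 aggregates, and the labels are my own shorthand for the post's entries.

```python
from ipaddress import ip_address, ip_network

# Ranges as listed in the post. The most specific match wins, so 2001:DB8::/32
# (documentation) beats the 2000::/3 global unicast range it sits inside.
SPECIAL = {
    "0.0.0.0/8": "reserved (RFC1700)", "127.0.0.0/8": "loopback",
    "10.0.0.0/8": "private (RFC1918)", "172.16.0.0/12": "private (RFC1918)",
    "192.168.0.0/16": "private (RFC1918)",
    "192.0.2.0/24": "documentation (RFC5737)", "198.51.100.0/24": "documentation (RFC5737)",
    "203.0.113.0/24": "documentation (RFC5737)",
    "224.0.0.0/4": "multicast",            # 224.0.0.0/8 - 239.0.0.0/8 aggregated
    "240.0.0.0/4": "future use",           # 240.0.0.0/8 - 255.0.0.0/8 aggregated
    "255.255.255.255/32": "limited broadcast",
    "2000::/3": "global unicast", "2001:DB8::/32": "documentation (RFC3849)",
    "2002::/16": "6to4", "2001::/32": "Teredo (RFC4380)",
    "FC00::/7": "unique local", "FE80::/10": "link local", "FF00::/8": "multicast",
    "::1/128": "loopback", "::/128": "unspecified",
}
IETF_RESERVED_V6 = ["0100::/8", "0200::/7", "0400::/6", "0800::/5", "1000::/4", "4000::/3",
                    "6000::/3", "8000::/3", "A000::/3", "C000::/3", "E000::/4", "F000::/5",
                    "F800::/6", "FE00::/9", "FEC0::/10"]
TABLE = [(ip_network(p), label) for p, label in SPECIAL.items()]
TABLE += [(ip_network(p), "IETF reserved") for p in IETF_RESERVED_V6]

def covering_ranges(addr: str) -> list:
    """Every listed range containing addr, least specific first."""
    a = ip_address(addr)
    hits = [(n.prefixlen, str(n), label) for n, label in TABLE if n.version == a.version and a in n]
    return [(prefix, label) for _, prefix, label in sorted(hits)]

def classify(addr: str) -> str:
    """Label from the most specific covering range; unlisted space is public (v4) or unassigned (v6)."""
    hits = covering_ranges(addr)
    if hits:
        return hits[-1][1]
    return "public" if ip_address(addr).version == 4 else "unassigned"

if __name__ == "__main__":
    for a in ("2001:DB8::1", "2001::1", "4000::1", "255.255.255.255", "8.8.8.8"):
        print(a, "->", classify(a), covering_ranges(a))
```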
I'm sure I may have missed some out, so please let me know if I have.
I had no idea that dynagen could actually do this, but it’s pretty damn awesome. Dynagen/Dynamips can output any interface’s traffic directly to a .cap file ready to be read in tcpdump or Wireshark.
How do we do this?
Let's take a simple topology. R2 and R4 are running OSPF with each other, directly connected via their Fa0/1 interfaces. I want to capture packets going in and out of R2's interface.
Dynamips/Dynagen has started:
=> list
Name       Type    State    Server          Console
R2         7200    running  localhost:7200  2002
R4         7200    running  localhost:7200  2004
You start capturing like so:
=> capture R2 fa0/1 /tmp/R2.cap
Stop the capture:
=> no capture R2 fa0/1
We now have a file named R2.cap in the /tmp folder. We can open it either in tcpdump or Wireshark:
darreno@Zenoss:/tmp$ sudo tcpdump -r R2.cap
reading from file R2.cap, link-type EN10MB (Ethernet)
16:37:26.959354 IP 7.3.24.2 > OSPF-ALL.MCAST.NET: OSPFv2, Hello, length 56
16:37:28.930017 CDPv2, ttl: 180s, Device-ID 'R2', length 318
16:37:32.827991
16:37:36.959745 IP 7.3.24.2 > OSPF-ALL.MCAST.NET: OSPFv2, Hello, length 56
16:37:42.855127
16:37:46.930856 IP 7.3.24.2 > OSPF-ALL.MCAST.NET: OSPFv2, Hello, length 56
16:37:52.846687
16:37:56.940269 IP 7.3.24.2 > OSPF-ALL.MCAST.NET: OSPFv2, Hello, length 56
16:38:02.826550
16:38:06.943788 IP 7.3.24.2 > OSPF-ALL.MCAST.NET: OSPFv2, Hello, length 56
16:38:12.836321
16:38:16.947188 IP 7.3.24.2 > OSPF-ALL.MCAST.NET: OSPFv2, Hello, length 56
16:38:22.835339
16:38:26.932277 IP 7.3.24.2 > OSPF-ALL.MCAST.NET: OSPFv2, Hello, length 56
16:38:28.940528 CDPv2, ttl: 180s, Device-ID 'R2', length 318

Very handy indeed!
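Added example (my code, not part of the post): a small reader for the Ethernet pcap that capture writes, reporting for each OSPF packet whether it is authenticated. For OSPFv2 that is the AuType field in the OSPF header; for OSPFv3 it is whether an AH header wraps the packet, which is what the ipsec authentication from the earlier posts looks like on the wire. The embedded capture is constructed, not a real dynagen file, and its AH ICV is zeroed because only the presence of authentication is checked, not its validity.

```python
import ipaddress
import struct

AUTYPE = {0: "null", 1: "simple password", 2: "cryptographic"}

def ospf_auth_report(pcap: bytes) -> list:
    """(src, summary) per OSPF packet in a link-type EN10MB pcap such as dynagen writes.
    OSPFv2 carries AuType in its header; OSPFv3 is authenticated only when AH (51) wraps it."""
    magic, _maj, _min, _tz, _sig, _snap, link = struct.unpack("<IHHiIII", pcap[:24])
    if magic != 0xA1B2C3D4 or link != 1:
        raise ValueError("expected a little-endian pcap with link-type EN10MB")
    out, off = [], 24
    while off + 16 <= len(pcap):
        incl = struct.unpack("<IIII", pcap[off:off + 16])[2]   # captured length of this record
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        ethertype, l3 = frame[12:14], frame[14:]
        if ethertype == b"\x08\x00" and l3[9] == 89:            # IPv4, protocol 89 = OSPF
            ihl = (l3[0] & 0x0F) * 4
            autype = struct.unpack("!H", l3[ihl + 14:ihl + 16])[0]   # AuType at OSPF offset 14
            src = str(ipaddress.IPv4Address(l3[12:16]))
            out.append((src, "OSPFv2 AuType " + AUTYPE.get(autype, str(autype))))
        elif ethertype == b"\x86\xdd" and l3[6] in (51, 89):   # IPv6 with next header AH or OSPF
            src = str(ipaddress.IPv6Address(l3[8:24]))
            if l3[6] == 89:
                out.append((src, "OSPFv3 without AH (unauthenticated)"))
            elif l3[40] == 89:                                  # AH next header = OSPF
                out.append((src, "OSPFv3 in AH, SPI %d" % struct.unpack("!I", l3[44:48])[0]))
    return out

# Constructed sample capture: two OSPFv2 Hellos (AuType 0 and 2) and two OSPFv3 Hellos (plain, AH).
def _v2(autype):
    ospf = struct.pack("!BBH4s4sHH8s", 2, 1, 24, b"\x0a\x00\x00\x01", bytes(4), 0, autype, bytes(8))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ospf), 0, 0, 1, 89, 0,
                     b"\x0a\x00\x00\x01", b"\xe0\x00\x00\x05")  # checksum left 0: not validated here
    return b"\x01\x00\x5e\x00\x00\x05" + bytes(6) + b"\x08\x00" + ip + ospf

def _v3(with_ah):
    ospf = struct.pack("!BBH4s4sHBB", 3, 1, 16, b"\x02\x02\x02\x02", bytes(4), 0, 0, 0)
    ah = struct.pack("!BBHII", 89, 4, 0, 512, 1) + bytes(12) if with_ah else b""  # SPI 512, zero ICV
    src = ipaddress.IPv6Address("fe80::6616:8dff:fecb:c32b").packed   # link-local from the log above
    ip6 = struct.pack("!IHBB16s16s", 0x60000000, len(ah + ospf), 51 if with_ah else 89, 1,
                      src, ipaddress.IPv6Address("ff02::5").packed)
    return b"\x33\x33\x00\x00\x00\x05" + bytes(6) + b"\x86\xdd" + ip6 + ah + ospf

def _rec(frame):
    return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame

SAMPLE_PCAP = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    _rec(f) for f in (_v2(0), _v2(2), _v3(False), _v3(True)))
```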