Do we now need a security IOS license simply to provide OSPF authentication for IPv6? – UPDATED

I went a bit fast when I posted this write-up: http://mellowd.co.uk/ccie/?p=1369

I think it’s better to have a longer discussion about how authentication OSPFv3 SHOULD be set up to begin with, then show how it doesn’t work without a security license.

Let’s begin with regular IPv4. I’ve got two 1841s running, and this is the config. This config is IDENTICAL whether you’re using a base license or a security license, as the authentication is handled by OSPF’s own built-in authentication.
Router1

interface FastEthernet0/0
 ip address 10.0.0.1 255.0.0.0
 duplex auto
 speed auto
!
router ospf 1
 router-id 10.0.0.1
 log-adjacency-changes
 network 10.0.0.1 0.0.0.0 area 0

Router2

interface FastEthernet0/0
 ip address 10.0.0.2 255.0.0.0
 duplex auto
 speed auto
!
router ospf 1
 router-id 10.0.0.2
 log-adjacency-changes
 network 10.0.0.2 0.0.0.0 area 0

They see each other?

1841test2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.1          1   FULL/BDR        00:00:38    10.0.0.1        FastEthernet0/0

Let’s authenticate. Again, you can do this on a base license.

interface FastEthernet0/0
 ip address 10.0.0.2 255.0.0.0
 ip ospf message-digest-key 1 md5 ipv4test
!
router ospf 1
 router-id 10.0.0.2
 area 0 authentication message-digest
 network 10.0.0.2 0.0.0.0 area 0

1841test2# sh ip ospf 1
 ! - removed
       Area has message digest authentication

Let’s now move to IPv6 and OSPFv3. This is a regular set up without authentication:

ipv6 unicast-routing
ipv6 cef
!
interface FastEthernet0/1
 no ip address
 ipv6 address 2001:DB8::/64 eui-64
 ipv6 ospf 1 area 0
!
ipv6 router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes

router2

ipv6 unicast-routing
ipv6 cef
!
interface FastEthernet0/1
 no ip address
 ipv6 address 2001:DB8::/64 eui-64
 ipv6 ospf 1 area 0
!
ipv6 router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes

1841test1#sh ipv6 ospf neighbor

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
2.2.2.2           1   FULL/BDR        00:00:39    4               FastEthernet0/1

Let’s now add authentication. OSPFv3 has no authentication of its own; it relies on IPsec AH, so we use the interface-specific “ipv6 ospf authentication ipsec” command with an SPI, an algorithm and a hex key:

interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:DB8::/64 eui-64
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 512 sha1 5C4070ED005A378F1529065802B4B5BF44032A0F

We immediately see the following error as the other side has no authentication set up:

#:%IPSECV6-4-RECVD_PKT_NOT_IPSECV6: Rec'd packet not an IPSEC packet.
        (ip) dest_addr= FF02::5, src_addr= FE80::6616:8DFF:FECB:C32B, prot= 89

Let’s fix it quick:

interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:DB8::/64 eui-64
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 512 sha1 5C4070ED005A378F1529065802B4B5BF44032A0F

Comes straight up again:

#:%OSPFv3-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/1 from LOADING to FULL, Loading Done
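As an added example (not from the post), a small Python audit that parses IOS interface stanzas like the ones above, flags OSPFv3 interfaces without `ipv6 ospf authentication ipsec`, sanity-checks the SPI range and key length, and confirms both ends of a link agree, which is exactly the one-sided mismatch behind the %IPSECV6-4 message above. The sample configs inside are constructed.

```python
import re
from typing import Dict, List

# Constructed sample configs modelled on the post's two 1841s (not the post's own text).
ROUTER_A = """\
interface FastEthernet0/1
 ipv6 address 2001:DB8::/64 eui-64
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 512 sha1 5C4070ED005A378F1529065802B4B5BF44032A0F
!
"""
# Router B is the same stanza minus the authentication line: the post's initial mismatch.
ROUTER_B = "\n".join(l for l in ROUTER_A.splitlines() if "authentication" not in l) + "\n"

KEY_HEX_LEN = {"md5": 32, "sha1": 40}  # 16-byte MD5 / 20-byte SHA-1 key, entered as hex
AREA_RE = re.compile(r"^ ipv6 ospf (\d+) area (\S+)$")
AUTH_RE = re.compile(r"^ ipv6 ospf authentication ipsec spi (\d+) (md5|sha1) ([0-9A-Fa-f]+)$")

def parse_ospfv3_interfaces(config: str) -> Dict[str, dict]:
    """Map each interface running OSPFv3 to its area and, if present, SPI/algorithm/key."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line.startswith("!"):
            current = None                      # end of the interface stanza
        elif current and (m := AREA_RE.match(line)):
            result[current] = {"process": m.group(1), "area": m.group(2)}
        elif current and (m := AUTH_RE.match(line)):
            result.setdefault(current, {}).update(spi=int(m.group(1)), alg=m.group(2), key=m.group(3))
    return result

def audit(config: str) -> List[str]:
    """Findings for OSPFv3 interfaces with missing or malformed IPsec authentication."""
    findings = []
    for ifname, info in parse_ospfv3_interfaces(config).items():
        if "spi" not in info:
            findings.append(f"{ifname}: OSPFv3 area {info['area']} without 'ipv6 ospf authentication ipsec'")
        elif not 256 <= info["spi"] <= 4294967295:  # the SPI range IOS accepts for this command
            findings.append(f"{ifname}: SPI {info['spi']} outside 256-4294967295")
        elif len(info["key"]) != KEY_HEX_LEN[info["alg"]]:
            findings.append(f"{ifname}: {info['alg']} key must be {KEY_HEX_LEN[info['alg']]} hex digits")
    return findings

def peers_match(cfg_a: str, cfg_b: str, ifname: str) -> bool:
    """True only when both ends use the same SPI, algorithm and key; otherwise AH fails and no adjacency forms."""
    a = parse_ospfv3_interfaces(cfg_a).get(ifname, {})
    b = parse_ospfv3_interfaces(cfg_b).get(ifname, {})
    return all(k in a and a[k] == b.get(k) for k in ("spi", "alg", "key"))
```

Run `audit()` over each router's running-config and `peers_match()` over both ends of every link before blaming the license.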

This is all great, until you realise that you can NOT set IPsec authentication without an expensive security license! The command simply does not exist on a base image.
This is a router with a security license:

1841test1(config-if)#ipv6 ospf ?
  <1-65535>            Process ID
  authentication       Enable authentication
  cost                 Interface cost
  database-filter      Filter OSPF LSA during synchronization and flooding
  dead-interval        Interval after which a neighbor is declared dead
  demand-circuit       OSPF demand circuit
  flood-reduction      OSPF Flood Reduction
  hello-interval       Time between HELLO packets
  mtu-ignore           Ignores the MTU in DBD packets
  neighbor             OSPF neighbor
  network              Network type
  priority             Router priority
  retransmit-interval  Time between retransmitting lost link state
                       advertisements
  transmit-delay       Link state transmit delay

This is a 1941 with a base license:

1941test(config-if)#ipv6 ospf ?
  <1-65535>            Process ID
  cost                 Route cost of this interface
  database-filter      Filter OSPF LSA during synchronization and flooding
  dead-interval        Interval after which a neighbor is declared dead
  demand-circuit       OSPF demand circuit
  flood-reduction      OSPF Flood Reduction
  hello-interval       Time between HELLO packets
  mtu-ignore           Ignores the MTU in DBD packets
  network              Network type
  priority             Router priority
  retransmit-interval  Time between retransmitting lost link state
                       advertisements

6 thoughts on “Do we now need a security IOS license simply to provide OSPF authentication for IPv6? – UPDATED”

  1. Hi Manav.

    That looks good, but it looks like another IPv6 tech gone wrong. First there was going to be no DHCP for IPv6, now we have it tacked on. Then we could not authenticate our OSPFv3 links without IPSec, now it’s being tacked on.

    tsk tsk
