I went a bit fast when I posted this write-up: http://mellowd.co.uk/ccie/?p=1369
I think it’s better to have a longer discussion about how OSPFv3 authentication SHOULD be set up to begin with, then show how it doesn’t work without a security license.
Let’s begin with regular IPv4. I’ve got two 1841s running and this is the config. This config is IDENTICAL whether you’re using a base license or a security license, as the authentication is handled by OSPF’s own built-in authentication.
Router1
interface FastEthernet0/0
 ip address 10.0.0.1 255.0.0.0
 duplex auto
 speed auto
!
router ospf 1
 router-id 10.0.0.1
 log-adjacency-changes
 network 10.0.0.1 0.0.0.0 area 0
Router2
interface FastEthernet0/0
 ip address 10.0.0.2 255.0.0.0
 duplex auto
 speed auto
!
router ospf 1
 router-id 10.0.0.2
 log-adjacency-changes
 network 10.0.0.2 0.0.0.0 area 0
They see each other?
1841test2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.1          1   FULL/BDR        00:00:38    10.0.0.1        FastEthernet0/0
Let’s authenticate. Again, you can do this on a base license.
interface FastEthernet0/0
 ip address 10.0.0.2 255.0.0.0
 ip ospf message-digest-key 1 md5 ipv4test
!
router ospf 1
 router-id 10.0.0.2
 area 0 authentication message-digest
 network 10.0.0.2 0.0.0.0 area 0
1841test2#sh ip ospf 1
! - output removed
        Area has message digest authentication
Let’s now move to IPv6 and OSPFv3. This is a regular set-up without authentication:
ipv6 unicast-routing
ipv6 cef
!
interface FastEthernet0/1
 no ip address
 ipv6 address 2001:DB8::/64 eui-64
 ipv6 ospf 1 area 0
!
ipv6 router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes
router2
ipv6 unicast-routing
ipv6 cef
!
interface FastEthernet0/1
 no ip address
 ipv6 address 2001:DB8::/64 eui-64
 ipv6 ospf 1 area 0
!
ipv6 router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes
1841test1#sh ipv6 ospf neighbor

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
2.2.2.2           1   FULL/BDR        00:00:39    4               FastEthernet0/1
Let’s now add authentication. To do so we use the interface-specific “ipv6 ospf authentication ipsec” command, which takes an SPI, a hash algorithm and a hex key:
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:DB8::/64 eui-64
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 512 sha1 5C4070ED005A378F1529065802B4B5BF44032A0F
We immediately see the following error, as the other side has no authentication set up and its unprotected hellos are dropped:
#:%IPSECV6-4-RECVD_PKT_NOT_IPSECV6: Rec'd packet not an IPSEC packet.
(ip) dest_addr= FF02::5, src_addr= FE80::6616:8DFF:FECB:C32B, prot= 89
Let’s fix it quickly by putting the same SPI and key on the other side:
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:DB8::/64 eui-64
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 512 sha1 5C4070ED005A378F1529065802B4B5BF44032A0F
The adjacency comes straight back up:
#:%OSPFv3-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/1 from LOADING to FULL, Loading Done
This is all great, until you realise that you can NOT set IPsec authentication without an expensive security license! Compare the “ipv6 ospf ?” help output on the two platforms. This is a router with a security license:
1841test1(config-if)#ipv6 ospf ?
  <1-65535>            Process ID
  authentication       Enable authentication
  cost                 Interface cost
  database-filter      Filter OSPF LSA during synchronization and flooding
  dead-interval        Interval after which a neighbor is declared dead
  demand-circuit       OSPF demand circuit
  flood-reduction      OSPF Flood Reduction
  hello-interval       Time between HELLO packets
  mtu-ignore           Ignores the MTU in DBD packets
  neighbor             OSPF neighbor
  network              Network type
  priority             Router priority
  retransmit-interval  Time between retransmitting lost link state advertisements
  transmit-delay       Link state transmit delay
This is a 1941 with a base license; the “authentication” keyword is simply not there:
1941test(config-if)#ipv6 ospf ?
  <1-65535>            Process ID
  cost                 Route cost of this interface
  database-filter      Filter OSPF LSA during synchronization and flooding
  dead-interval        Interval after which a neighbor is declared dead
  demand-circuit       OSPF demand circuit
  flood-reduction      OSPF Flood Reduction
  hello-interval       Time between HELLO packets
  mtu-ignore           Ignores the MTU in DBD packets
  network              Network type
  priority             Router priority
  retransmit-interval  Time between retransmitting lost link state advertisements
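As an added example (not from the post or from Cisco), the following audit script checks a saved IOS running-config for OSPFv3 interfaces that lack the “ipv6 ospf authentication ipsec” line seen above, sanity-checks the SPI and key length where it is present, and tells from an “ipv6 ospf ?” capture whether the image and licence even offer the keyword. The sample config is constructed; the SPI range (256-4294967295) and key lengths (32 hex digits for md5, 40 for sha1) are assumed from the IOS command syntax.

```python
import re

# Constructed sample running-config (not the post's routers): one OSPFv3
# interface authenticated as in the post, one left unauthenticated, one with
# an SPI below the assumed IOS minimum of 256.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 512 sha1 5C4070ED005A378F1529065802B4B5BF44032A0F
!
interface FastEthernet1/0
 ipv6 ospf 1 area 0
!
interface FastEthernet1/1
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 100 md5 0123456789ABCDEF0123456789ABCDEF
!
"""
KEY_HEX_LEN = {"md5": 32, "sha1": 40}      # assumed IOS key lengths in hex digits
SPI_MIN, SPI_MAX = 256, 4294967295         # assumed IOS SPI range
AUTH_RE = re.compile(r"ipv6 ospf authentication ipsec spi (\d+) (md5|sha1)(?: [07])? ([0-9A-Fa-f]+)$")

def check_ipsec_params(spi, algo, key):
    """Verdict for one 'ipv6 ospf authentication ipsec' line."""
    if not SPI_MIN <= spi <= SPI_MAX:
        return f"spi {spi} outside {SPI_MIN}-{SPI_MAX}"
    if len(key) != KEY_HEX_LEN[algo]:
        return f"{algo} key needs {KEY_HEX_LEN[algo]} hex digits, got {len(key)}"
    return "ok"

def audit_ospfv3_auth(config):
    """Map every interface bound to an OSPFv3 process to 'ok', 'unauthenticated'
    or the reason its ipsec parameters cannot be valid."""
    verdicts, ospf_ifaces, cur = {}, set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
        elif line == "!":
            cur = None                      # end of the interface stanza
        elif cur and re.match(r"ipv6 ospf \d+ area \S+$", line):
            ospf_ifaces.add(cur)
        elif cur and (m := AUTH_RE.match(line)):
            verdicts[cur] = check_ipsec_params(int(m.group(1)), m.group(2), m.group(3))
    return {i: verdicts.get(i, "unauthenticated") for i in ospf_ifaces}

def license_offers_ospfv3_auth(help_output):
    """True when an 'ipv6 ospf ?' capture lists the 'authentication' keyword at all."""
    return any(l.split()[:1] == ["authentication"] for l in help_output.splitlines())
```

Run the audit over the output of “show running-config” from each router before rolling OSPFv3 out, and feed the “ipv6 ospf ?” capture to the second function to spot base-licence boxes that will silently stay unauthenticated.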
All the more reason to go for your CCIE now before they make some kind of update that uses only version 15 or higher of IOS.
Indeed. They better not update it before the end of the year!
[...] Updated post here: http://mellowd.co.uk/ccie/?p=1421 [...]
[...] Do we now need a security IOS license simply to provide OSPF authentication for IPv6? – UPDATED | … – Good catch by Darren. You need an Advanced Security IOS license to configure OSPFv6 authentication. Gee, thanks Cisco! [...]
Which is precisely why we have this work underway in IETF – http://tools.ietf.org/html/draft-ietf-ospf-auth-trailer-ospfv3-03
Hi Manav.
That looks good, but it looks like another IPv6 tech gone wrong. First there was going to be no DHCP for IPv6, now we have it tacked on. Then we could not authenticate our OSPFv3 links without IPsec, now it’s being tacked on.
tsk tsk