Do we now need a security IOS license simply to provide OSPF authentication for IPv6?

While going through the CCIE 4th edition cert guide, I’ve come across something that is potentially a very big problem. Currently, if you want to authenticate OSPF and EIGRP neighbours you can do so with a plain-text or MD5 password for OSPFv2 and an MD5 key chain for EIGRP. With IPv6 you need to use OSPFv3 and EIGRP for IPv6. Here’s where it gets bad. OSPFv3 does NOT give you an authentication option anywhere in the OSPFv3 configuration: RFC 5340 removed the AuType and Authentication fields from the OSPF packet header, and OSPFv3 instead relies on IPv6’s own IPsec (AH/ESP, as described in RFC 4552) to authenticate its packets.

However!

To use IPsec on these routers you NEED a crypto (security) license, because the commands that bind an IPsec security association to OSPFv3 only exist in images with that feature set. This means you can no longer authenticate OSPF for IPv6 with a base license IOS. EIGRP for IPv6, on the other hand, still carries its own MD5 authentication inside the EIGRP packets and needs no IPsec at all. Let’s put this to the test.

I’ve got a vanilla Cisco 1941 here with the base license.

1941test(config-if)#ipv6 ospf ?
  <1-65535>            Process ID
  cost                 Route cost of this interface
  database-filter      Filter OSPF LSA during synchronization and flooding
  dead-interval        Interval after which a neighbor is declared dead
  demand-circuit       OSPF demand circuit
  flood-reduction      OSPF Flood Reduction
  hello-interval       Time between HELLO packets
  mtu-ignore           Ignores the MTU in DBD packets
  network              Network type
  priority             Router priority
  retransmit-interval  Time between retransmitting lost link state
                       advertisements
  transmit-delay       Link state transmit delay

What I’m looking for is the ipv6 ospf authentication ipsec command. As I have no security license, it’s not there.

1941test(config-router)#ipv6 router ospf 1
1941test(config-rtr)#area 0 ?
  default-cost  Set the summary default-cost of a NSSA/stub area
  nssa          Specify a NSSA area
  range         Summarize routes matching address/mask (border routers only)
  stub          Specify a stub area

No area 0 authentication option!
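For reference, this is the configuration the author is looking for, shown here as an added example that is not from the original post. On an IOS image that includes the security (crypto) feature set, OSPFv3 authentication is configured by binding a manually keyed IPsec AH security association either to the interface or to the whole area. The SPI (500) and the 32-hex-digit MD5 key are placeholder values chosen for this example; both ends of every adjacency must be configured with the same SPI and key, and the key length is fixed (32 hex digits for md5, 40 for sha1).

```text
! Per-interface: every OSPFv3 packet sent or received on Gi0/1 must carry AH
interface GigabitEthernet0/1
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 500 md5 1234567890ABCDEF1234567890ABCDEF
!
! Or for every OSPFv3 interface in area 0 at once.
! If both are configured, the interface-level setting takes precedence.
ipv6 router ospf 1
 area 0 authentication ipsec spi 500 md5 1234567890ABCDEF1234567890ABCDEF
```

To confirm it took effect, look at the interface with show ipv6 ospf interface GigabitEthernet0/1, which reports the SPI in use and whether the secure socket is up, and at show crypto ipsec sa, which lists the manual SA. If confidentiality is wanted as well, the equivalent ipv6 ospf encryption ipsec spi ... esp ... form wraps the packets in ESP instead of AH. None of these keywords appear on a base license image, which is exactly what the ? output above shows.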

Interestingly enough, EIGRP for IPv6 still uses EIGRP’s own MD5 authentication inside the EIGRP packets rather than IPsec, so it configures and works on the base license. One caveat: the key-string 7 line in the key chain below is Cisco’s type 7 obfuscation, which is trivially reversible, so anyone who can read the configuration has the MD5 key.

interface GigabitEthernet0/1
 ip address 10.0.4.254 255.255.255.252
 ipv6 address 2001:D08::C671:FEFF:FE65:55A1/64
 ipv6 eigrp 1
 ipv6 authentication mode eigrp 1 md5
 ipv6 authentication key-chain eigrp 1 chain
!
key chain chain
 key 1
  key-string 7 010703174F

The problem with authentication being left to IPv6 itself is shown in this very example. As far as I can see, unless you’re buying an expensive security license for each and every OSPF router, you can forget about authenticating your OSPFv3 adjacencies!

I hope I’m mistaken. If anyone has a way of getting it to work, I’d like to know.

Updated post here: http://mellowd.co.uk/ccie/?p=1421

© 2009-2019 Darren O'Connor All Rights Reserved -- Copyright notice by Blog Copyright