Do we now need a security IOS license simply to provide OSPF authentication for IPv6? – UPDATED

I went a bit fast when I posted this write-up: http://mellowd.co.uk/ccie/?p=1369

I think it’s better to have a longer discussion about how OSPFv3 authentication SHOULD be set up to begin with, then show how it doesn’t work without a security license.

Let’s begin with regular IPv4. I’ve got two 1841s running and this is the config. This config is IDENTICAL whether you’re using a base license or a security license, as the authentication is handled by OSPF’s own built-in authentication.
Router1

interface FastEthernet0/0
 ip address 10.0.0.1 255.0.0.0
 duplex auto
 speed auto
!
router ospf 1
 router-id 10.0.0.1
 log-adjacency-changes
 network 10.0.0.1 0.0.0.0 area 0

Router2

interface FastEthernet0/0
 ip address 10.0.0.2 255.0.0.0
 duplex auto
 speed auto
!
router ospf 1
 router-id 10.0.0.2
 log-adjacency-changes
 network 10.0.0.2 0.0.0.0 area 0

They see each other?

1841test2#sh ip ospf neighbor

Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.1          1   FULL/BDR        00:00:38    10.0.0.1        FastEthernet0/0

Let’s authenticate. Again, you can do this on a base license.

interface FastEthernet0/0
 ip address 10.0.0.2 255.0.0.0
 ip ospf message-digest-key 1 md5 ipv4test
!
router ospf 1
 router-id 10.0.0.2
 area 0 authentication message-digest
 network 10.0.0.2 0.0.0.0 area 0

1841test2# sh ip ospf 1
 ! - removed
       Area has message digest authentication

Let’s now move to IPv6 and OSPFv3. This is a regular setup without authentication:

ipv6 unicast-routing
ipv6 cef
!
interface FastEthernet0/1
 no ip address
 ipv6 address 2001:DB8::/64 eui-64
 ipv6 ospf 1 area 0
!
ipv6 router ospf 1
 router-id 2.2.2.2
 log-adjacency-changes

Router2

ipv6 unicast-routing
ipv6 cef
!
interface FastEthernet0/1
 no ip address
 ipv6 address 2001:DB8::/64 eui-64
 ipv6 ospf 1 area 0
!
ipv6 router ospf 1
 router-id 1.1.1.1
 log-adjacency-changes

1841test1#sh ipv6 ospf neighbor

Neighbor ID     Pri   State           Dead Time   Interface ID    Interface
2.2.2.2           1   FULL/BDR        00:00:39    4               FastEthernet0/1

Let’s now add authentication. OSPFv3 has no authentication of its own and relies on IPsec instead, so we use the interface-specific “ipv6 ospf authentication ipsec” command, giving it an SPI, a hash algorithm and a hex key:

interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:DB8::/64 eui-64
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 512 sha1 5C4070ED005A378F1529065802B4B5BF44032A0F

We immediately see the following error, as the other side has no authentication set up yet:

#:%IPSECV6-4-RECVD_PKT_NOT_IPSECV6: Rec'd packet not an IPSEC packet.
        (ip) dest_addr= FF02::5, src_addr= FE80::6616:8DFF:FECB:C32B, prot= 89

Let’s fix it quick:

interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 ipv6 address 2001:DB8::/64 eui-64
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 512 sha1 5C4070ED005A378F1529065802B4B5BF44032A0F

Comes straight up again:

#:%OSPFv3-5-ADJCHG: Process 1, Nbr 2.2.2.2 on FastEthernet0/1 from LOADING to FULL, Loading Done

This is all great, until you realise that you can NOT set ipsec authentication without an expensive security license!
This is a router with a security license:

1841test1(config-if)#ipv6 ospf ?
  <1-65535>            Process ID
  authentication       Enable authentication
  cost                 Interface cost
  database-filter      Filter OSPF LSA during synchronization and flooding
  dead-interval        Interval after which a neighbor is declared dead
  demand-circuit       OSPF demand circuit
  flood-reduction      OSPF Flood Reduction
  hello-interval       Time between HELLO packets
  mtu-ignore           Ignores the MTU in DBD packets
  neighbor             OSPF neighbor
  network              Network type
  priority             Router priority
  retransmit-interval  Time between retransmitting lost link state
                       advertisements
  transmit-delay       Link state transmit delay

This is a 1941 with a base license:

1941test(config-if)#ipv6 ospf ?
  <1-65535>            Process ID
  cost                 Route cost of this interface
  database-filter      Filter OSPF LSA during synchronization and flooding
  dead-interval        Interval after which a neighbor is declared dead
  demand-circuit       OSPF demand circuit
  flood-reduction      OSPF Flood Reduction
  hello-interval       Time between HELLO packets
  mtu-ignore           Ignores the MTU in DBD packets
  network              Network type
  priority             Router priority
  retransmit-interval  Time between retransmitting lost link state
                       advertisements

© 2009-2018 Darren O'Connor All Rights Reserved