While going through the CCIE 4th edition cert guide, I’ve come across something that is potentially a very big problem. Currently, if you want to authenticate OSPF and EIGRP neighbours you can do so via plain-text or MD5 passwords. With IPv6 you need to use OSPFv3 and EIGRP for IPv6. Here’s where it gets bad. OSPFv3 does NOT give you the option to configure authentication in the OSPFv3 configuration section. Rather, it relies on IPv6’s inherent authentication properties (IPsec).
In order to use IPv6’s authentication properties, you NEED a crypto license on your device. This means you can no longer authenticate OSPF for IPv6 with a base-license IOS. EIGRP for IPv6, on the other hand, still allows you to authenticate with MD5 and plain-text. Let’s put this to the test.
I’ve got a vanilla Cisco 1941 here with the base license.
    1941test(config-if)#ipv6 ospf ?
      <1-65535>            Process ID
      cost                 Route cost of this interface
      database-filter      Filter OSPF LSA during synchronization and flooding
      dead-interval        Interval after which a neighbor is declared dead
      demand-circuit       OSPF demand circuit
      flood-reduction      OSPF Flood Reduction
      hello-interval       Time between HELLO packets
      mtu-ignore           Ignores the MTU in DBD packets
      network              Network type
      priority             Router priority
      retransmit-interval  Time between retransmitting lost link state advertisements
      transmit-delay       Link state transmit delay
What I’m looking for is the ipv6 ospf authentication ipsec command. As I have no security license, it’s not there.
    1941test(config-router)#ipv6 router ospf 1
    1941test(config-rtr)#area 0 ?
      default-cost  Set the summary default-cost of a NSSA/stub area
      nssa          Specify a NSSA area
      range         Summarize routes matching address/mask (border routers only)
      stub          Specify a stub area
No area 0 authentication option!
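For comparison, this is the shape the OSPFv3 IPsec authentication configuration takes on an IOS image that does carry the security license, added here as an illustration rather than output from the 1941 above. The interface name, SPI value and the 32-hex-character MD5 key are placeholders I have made up; the show commands are the ones to run afterwards to confirm the adjacency still forms.

```text
! OSPFv3 authentication on a security-licensed IOS (illustrative, not from the 1941 test box)
! The "ipsec" keyword is exactly what is missing from the base-license "ipv6 ospf ?" output above.
interface GigabitEthernet0/1
 ipv6 address 2001:DB8:0:1::1/64
 ipv6 ospf 1 area 0
 ! Per-interface AH authentication: SPI must match on both neighbours,
 ! MD5 key is 32 hex characters (placeholder value here)
 ipv6 ospf authentication ipsec spi 256 md5 0123456789ABCDEF0123456789ABCDEF
!
! Alternatively, apply the same policy to every interface in the area:
ipv6 router ospf 1
 area 0 authentication ipsec spi 256 md5 0123456789ABCDEF0123456789ABCDEF
!
! Verification after both sides are configured:
! show ipv6 ospf interface GigabitEthernet0/1   (reports the SPI and secure-socket state)
! show ipv6 ospf neighbor                       (adjacency should reach FULL)
```

If only one side of a link is configured with the SPI/key, the neighbour drops to DOWN rather than negotiating a weaker option, so stage the change on both routers within the dead interval.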
Interestingly enough, EIGRP for IPv6 still uses EIGRP’s own internal authentication mechanism, so it works on the base license:
    interface GigabitEthernet0/1
     ip address 10.0.4.254 255.255.255.252
     ipv6 address 2001:D08::C671:FEFF:FE65:55A1/64
     ipv6 eigrp 1
     ipv6 authentication mode eigrp 1 md5
     ipv6 authentication key-chain eigrp 1 chain
    !
    key chain chain
     key 1
      key-string 7 010703174F
The problem with authentication being left to IPv6 itself is shown in this very example. As far as I can see, unless you’re buying an expensive security license for each and every OSPF router, you can forget about authenticating your OSPFv3 adjacencies!
I hope I’m mistaken. If anyone has a way of getting it to work, I’d like to know.
Updated post here: http://mellowd.co.uk/ccie/?p=1421