Tuesday, November 20, 2012

Exploring IPv6 OSPF routing on the Cisco ASA

We will look at IPv6 dynamic routing with OSPFv3 on the Cisco ASA.

As of version 9:

asaken# sh version | i Soft
Cisco Adaptive Security Appliance Software Version 9.0(1)

I'm going to strike out some comments I made earlier, since I had to go to the ASDM to figure out that these features are present, just configured slightly differently than on a Cisco ISR, for example. What I noticed is that the ASDM provides simple OSPFv3 configuration items per interface or globally.

I've taken some screenshots of this process.

Well, Cisco has done it again: they introduce features but do not fully enable everything we should expect. Take for example IPv6 OSPF routing on our Cisco ASA.

We've found out that IPv6 dynamic routing is supported, but OSPF does not provide the following:

1: the ability to adjust the IPv6 OSPF cost per interface or globally

2: OSPFv3 authentication

The first could hamper us if we had multiple interfaces and needed to adjust the OSPF cost to prefer one path over the next. The latter is bad from a security and risk standpoint.

(The two points above are the comments struck out in the original post: as noted earlier, both features turned out to be present on the ASA, just under different commands than on an ISR. The per-interface IPv6 cost is set with the ipv6 ospf cost interface command, and authentication is done with IPsec AH or ESP on the interface; see the ipv6 ospf encryption ipsec example in the comments below.)

Okay, so how do we enable OSPFv3? Well, it's quite easy and similar to Cisco IOS routers.

First we enable the OSPFv3 process globally:

ipv6 router ospf 10
 default-information originate always metric 1000
 passive-interface default
 no passive-interface inside

Note: OSPFv3 still needs a 32-bit router ID. We need an operational Layer 3 IPv4 interface for the ASA to derive one from, or we need to set one explicitly with router-id under the process.

Next, and just like on a Cisco IOS router, you attach the OSPFv3 process to the interface:

interface Vlan1
 nameif inside
 security-level 100
 ip address
 ipv6 address 2002:100::1/64
 ipv6 nd reachable-time 3000
 ipv6 nd ns-interval 1200
 ipv6 nd dad attempts 2
 ospf cost 100
 ipv6 ospf 10 area 0

Okay, so that was simple. Notice how I played with default-information originate always: the always keyword injects a default IPv6 route (::/0) to the OSPFv3 neighbors regardless of whether the ASA had a default route to begin with. Be careful with that on a firewall, since the neighbors will send the ASA all IPv6 traffic they have no better route for, even if the ASA has nowhere to forward it. Also note that ospf cost 100 on the interface is the OSPFv2 (IPv4) cost; the IPv6 process has its own per-interface ipv6 ospf cost command.

The same types of show commands apply for IPv6 as for IPv4:

show ipv6 ospf interface
show ipv6 ospf neighbor
show ipv6 ospf database

So I hope this post is useful for basic IPv6 OSPF routing on Cisco ASA 9.x code.

Ken Felix
Freelance Network/Security Engineer
kfelix " a@t" hyperfeed dot com


  1. I want to make a correction: I re-reviewed the release
    notes and found OSPFv3 is supported in the ASA.

    Here's an example of what I crafted:

    ipv6 ospf encryption ipsec spi 256 esp null md5 aabbccddeeffaabbccddeeffaabbccdd

  2. And just like with the Cisco ISR, you can execute the show crypto ipsec sa command for details:

    asaken# show crypto ipsec sa
    interface: inside
    Crypto map tag: OSPFv3-10-256, seq num: 0, local addr: ::

    local ident (addr/mask/prot/port): (::/0/89/0)
    remote ident (addr/mask/prot/port): (::/0/89/0)
    current_peer: ::

    #pkts encaps: 119, #pkts encrypt: 0, #pkts digest: 119
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 119, #pkts comp failed: 0, #pkts decomp failed: 0
    #post-frag successes: 0, #post-frag failures: 0, #fragments created: 0
    #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
    #TFC rcvd: 0, #TFC sent: 0
    #Valid ICMP Errors rcvd: 0, #Invalid ICMP Errors rcvd: 0
    #send errors: 0, #recv errors: 0

    local crypto endpt.: ::/0, remote crypto endpt.: ::/0
    path mtu 1500, ipsec overhead 66(48), media mtu 1500
    PMTU time remaining (sec): 0, DF policy: copy-df
    ICMP error validation: disabled, TFC packets: disabled
    current outbound spi: 00000100
    current inbound spi : 00000100

    inbound esp sas:
    spi: 0x00000100 (256)
    transform: esp-null esp-md5-hmac no compression
    in use settings ={L2L, Transport, Manual key (OSPFv3), }
    slot: 0, conn_id: 268025856, crypto-map: OSPFv3-10-256
    sa timing: remaining key lifetime (sec): 0
    IV size: 0 bytes
    replay detection support: N
    outbound esp sas:
    spi: 0x00000100 (256)
    transform: esp-null esp-md5-hmac no compression
    in use settings ={L2L, Transport, Manual key (OSPFv3), }
    slot: 0, conn_id: 268025856, crypto-map: OSPFv3-10-256
    sa timing: remaining key lifetime (sec): 0
    IV size: 0 bytes
    replay detection support: N

    This concludes my OSPFv3 support within an ASA firewall. Key things to remember:

    IPv4 and IPv6 are still 2 unique processes; OSPFv3 is only used for IPv6

    OSPFv3 is enabled per interface

    You need at least one IPv4-addressed interface

    OSPFv3 supports both AH and ESP within the interface configuration.

    I'm going to see how and if ESP is an option within our Cisco ISRs for the OSPFv3-enabled interfaces. I've never seen or recalled this, but I have been wrong numerous times in the past :)
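
As an added example (my own code, not from the original post, from Cisco, or from the ASA), here is a Python model of what the esp null md5 protection shown in the comments above puts on the wire: an OSPFv3 Hello carried in ESP transport mode with NULL encryption and a 96-bit HMAC-MD5 ICV, using SPI 256 and the 16-byte key from the ipv6 ospf encryption line, which matches the esp-null esp-md5-hmac transform in the show crypto ipsec sa output. The link-local source, AllSPFRouters destination, router ID, neighbor IDs and sequence numbers are constructed values. The last_seq anti-replay floor in esp_decap is an illustration of the check a manually keyed SA does not perform (the ASA output reports replay detection support: N); it is not something the ASA does.

```python
"""Model of OSPFv3 over ESP transport mode with NULL encryption and HMAC-MD5-96,
the protection selected by `ipv6 ospf encryption ipsec spi 256 esp null md5 <key>`.
Added example: the key and SPI are the ones from the post, everything else is constructed."""
import hashlib
import hmac
import struct
from ipaddress import IPv6Address

OSPF_PROTO = 89   # IPv6 next-header value for OSPF
ICV_LEN = 12      # HMAC-MD5-96: the 16-byte MAC is truncated to 96 bits (RFC 2403)

# SPI and manual key exactly as configured on the ASA in the post
SPI = 256
KEY = bytes.fromhex("aabbccddeeffaabbccddeeffaabbccdd")

# Constructed addresses: OSPFv3 Hellos go from the link-local address to AllSPFRouters
SRC = IPv6Address("fe80::1").packed
DST = IPv6Address("ff02::5").packed


def ipv6_checksum(src, dst, payload, next_header=OSPF_PROTO):
    """Internet checksum over the IPv6 pseudo-header and the upper-layer payload."""
    pseudo = src + dst + struct.pack("!I", len(payload)) + b"\x00\x00\x00" + bytes([next_header])
    data = pseudo + payload
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ospfv3_hello(src, dst, router_id, area_id=0, interface_id=1,
                 hello=10, dead=40, neighbors=()):
    """OSPFv3 Hello (RFC 5340 A.3.2), instance ID 0, options V6|E|R, with a valid checksum."""
    body = struct.pack("!IB3sHHII", interface_id, 1, b"\x00\x00\x13", hello, dead, 0, 0)
    body += b"".join(struct.pack("!I", n) for n in neighbors)
    header = struct.pack("!BBHIIHBB", 3, 1, 16 + len(body), router_id, area_id, 0, 0, 0)
    pkt = header + body
    return pkt[:12] + struct.pack("!H", ipv6_checksum(src, dst, pkt)) + pkt[14:]


def esp_encap(ospf_pkt, seq, key=KEY, spi=SPI):
    """ESP (RFC 4303) with the NULL cipher (RFC 2410): SPI, seq, payload, padding, pad length,
    next header, then a 96-bit HMAC-MD5 ICV computed over everything before it."""
    pad_len = (-(len(ospf_pkt) + 2)) % 4            # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))          # RFC 4303 default padding 1, 2, 3 ...
    authed = struct.pack("!II", spi, seq) + ospf_pkt + padding + bytes([pad_len, OSPF_PROTO])
    icv = hmac.new(key, authed, hashlib.md5).digest()[:ICV_LEN]
    return authed + icv


def esp_decap(esp_pkt, key=KEY, spi=SPI, last_seq=None):
    """Check the ICV first, then strip ESP; returns (seq, ospf_pkt) or raises ValueError.
    last_seq is an illustrative anti-replay floor; the ASA's manually keyed SA reports
    'replay detection support: N', so it does not perform this check."""
    if len(esp_pkt) < 8 + 2 + ICV_LEN:
        raise ValueError("runt ESP packet")
    authed, icv = esp_pkt[:-ICV_LEN], esp_pkt[-ICV_LEN:]
    expected = hmac.new(key, authed, hashlib.md5).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):       # constant-time compare
        raise ValueError("ICV mismatch: wrong key or tampered packet")
    pkt_spi, seq = struct.unpack("!II", authed[:8])
    if pkt_spi != spi:
        raise ValueError(f"unexpected SPI {pkt_spi}")
    if last_seq is not None and seq <= last_seq:
        raise ValueError(f"replayed sequence number {seq}")
    pad_len, next_header = authed[-2], authed[-1]
    if next_header != OSPF_PROTO:
        raise ValueError(f"next header {next_header} is not OSPF")
    return seq, authed[8:len(authed) - 2 - pad_len]


def rejected(esp_pkt, **kwargs):
    """True if esp_decap drops the packet."""
    try:
        esp_decap(esp_pkt, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    hello = ospfv3_hello(SRC, DST, router_id=0x0A000001)   # constructed router ID 10.0.0.1
    wire = esp_encap(hello, seq=1)
    print("OSPFv3 hello %d bytes, on the wire as ESP %d bytes" % (len(hello), len(wire)))
    print("round trip ok:", esp_decap(wire) == (1, hello))
    flipped = bytearray(wire)
    flipped[20] ^= 0x01                                     # one bit in the OSPF header
    print("tampered dropped:", rejected(bytes(flipped)))
    print("wrong key dropped:", rejected(wire, key=bytes(16)))
    print("replay dropped:", rejected(wire, last_seq=1))
```

The ICV is checked before anything looks at the OSPF payload, which is the point of the feature: a host on the segment cannot inject Hellos or LSAs into the area without the key, and a single flipped bit or a different key gets the packet dropped. In the ASA counters, #pkts digest is the encap side (outbound packets that were authenticated) and #pkts verify is the decap side (inbound packets whose ICV checked out); if verify stays at zero while digest climbs, the peer is not sending packets this SA can authenticate, and the adjacency cannot come up until it is keyed the same way. Two caveats follow from the output itself: the key is manual and never rotates (remaining key lifetime 0), and there is no anti-replay, so a captured authenticated packet can be replayed later unless the receiver tracks sequence numbers as esp_decap does with last_seq.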

