Overall it's quite simple to configure. First we need to enable IPv6 on the interface(s) on which we expect OSPFv3 authentication (in my lab this was already done earlier, so I'm skipping setting up OSPFv3 routing).
Next, we need to pick an SPI (Security Parameter Index), select the hash method (md5 or sha1) and finally supply the hex key string. The latter is comparable to the key-strings we use in Cisco IOS key chains. All three items must match on every router and interface that is to be OSPFv3-authentication enabled.
interface FastEthernet0/1
description VRF custA to 3560#1 port gi 0/1
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
ipv6 address 2002:100::2/64
ipv6 enable
ipv6 ospf cost 1000
ipv6 ospf 10 area 0
ipv6 ospf authentication ipsec spi 256 md5 AABBCCDDEEFFAABBCCDDEEFFAABBCCDD
Once we enable AH on our interfaces, we can monitor it via packet captures, and since this is IPsec, we can also use the show crypto ipsec commands.
Here's a dump of the AH header via tshark and tcpdump. Notice the SPI and AH ICV fields?
Authentication Header
Next Header: OSPF IGP (0x59)
Length: 24
AH SPI: 0x00000100
AH Sequence: 43
AH ICV: 01394B4859CB743CF6252970
Open Shortest Path First
OSPF Header
OSPF Version: 3
Message Type: Hello Packet (1)
Packet Length: 40
Source OSPF Router: 2.2.2.2 (2.2.2.2)
Area ID: 0.0.0.0 (Backbone)
Packet Checksum: 0x1140 [correct]
Instance ID: 0
Reserved: 0
OSPF Hello Packet
Interface ID: 4
Router Priority: 1
Options: 0x000013 (R, E, V6)
.... .... .... .... ..0. .... = DC: DC is NOT set
.... .... .... .... ...1 .... = R: R is SET
.... .... .... .... .... 0... = N: N is NOT set
.... .... .... .... .... .0.. = MC: MC is NOT set
.... .... .... .... .... ..1. = E: E is SET
.... .... .... .... .... ...1 = V6: V6 is SET
Hello Interval: 10 seconds
Router Dead Interval: 40 seconds
Designated Router: 2.2.2.2
Backup Designated Router: 172.16.1.254
Active Neighbor: 172.16.1.254
Source: fe80::214:6aff:fec4:28ad (fe80::214:6aff:fec4:28ad)
Destination: ff02::5 (ff02::5)
Authentication Header
Next Header: OSPF IGP (0x59)
Length: 24
AH SPI: 0x00000100
AH Sequence: 44
AH ICV: 80FA486B184EC2721FEDA05E
Open Shortest Path First
OSPF Header
OSPF Version: 3
Message Type: Hello Packet (1)
Packet Length: 40
Source OSPF Router: 172.16.1.254 (172.16.1.254)
Area ID: 0.0.0.0 (Backbone)
Packet Checksum: 0x04d9 [correct]
Instance ID: 0
Reserved: 0
OSPF Hello Packet
Interface ID: 4
Router Priority: 1
Options: 0x000013 (R, E, V6)
.... .... .... .... ..0. .... = DC: DC is NOT set
.... .... .... .... ...1 .... = R: R is SET
.... .... .... .... .... 0... = N: N is NOT set
.... .... .... .... .... .0.. = MC: MC is NOT set
.... .... .... .... .... ..1. = E: E is SET
.... .... .... .... .... ...1 = V6: V6 is SET
Hello Interval: 10 seconds
Router Dead Interval: 40 seconds
Designated Router: 2.2.2.2
Backup Designated Router: 172.16.1.254
Active Neighbor: 2.2.2.2
tcpdump
18:10:20.552021 IP6 (flowlabel 0x0000e, hlim 1, next-header OSPF (89) payload length: 36) fe80::21f:caff:fef3:2111 > ff02::5: OSPFv3, Hello, length 36
Router-ID 192.168.110.254, Backbone Area
Options [V6, External, Router]
Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.14, Priority 1
Designated Router 192.168.110.254
Neighbor List:
18:10:22.084776 IP6 (class 0xe0, hlim 1, next-header AH (51) payload length: 64) fe80::219:55ff:fe78:318d > ff02::5: AH(spi=0x00000100,sumlen=16,seq=0x20): OSPFv3, Hello, length 40
Router-ID 2.2.2.2, Backbone Area
Options [V6, External, Router]
Hello Timer 10s, Dead Timer 40s, Interface-ID 0.0.0.4, Priority 1
Designated Router 2.2.2.2, Backup Designated Router 172.16.1.254
Neighbor List:
172.16.1.254
As you can see from the two dumps, the details of the neighbors, timers, area, etc. are all in the clear. AH provides no confidentiality and does not reduce the exposure of the OSPF data at all. It only ensures integrity of the packet and authenticates the OSPFv3 speakers (RFC 4552 also allows ESP if the OSPFv3 payload itself must be hidden).
Next, let's explore the show crypto ipsec sa command.
ccie01#show crypto ipsec sa ipv6 int fas 0/1
interface: FastEthernet0/1
Crypto map tag: (none), local addr FE80::214:6AFF:FEC4:28AD
IPsecv6 policy name: OSPFv3-10-256
IPsecv6-created ACL name: FastEthernet0/1-ipsecv6-ACL
protected vrf: (none)
local ident (addr/mask/prot/port): (FE80::/10/89/0)
remote ident (addr/mask/prot/port): (::/0/89/0)
current_peer :: port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 97, #pkts encrypt: 0, #pkts digest: 97
#pkts decaps: 90, #pkts decrypt: 0, #pkts verify: 90
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: FE80::214:6AFF:FEC4:28AD, remote crypto endpt.: ::
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0x100(256)
inbound esp sas:
inbound ah sas:
spi: 0x100(256)
transform: ah-md5-hmac ,
in use settings ={Transport, }
conn id: 2001, flow_id: SW:1, crypto map: (none)
no sa timing
replay detection support: N
Status: ACTIVE
inbound pcp sas:
outbound esp sas:
outbound ah sas:
spi: 0x100(256)
transform: ah-md5-hmac ,
in use settings ={Transport, }
conn id: 2002, flow_id: SW:2, crypto map: (none)
no sa timing
replay detection support: N
Status: ACTIVE
outbound pcp sas:
Looks familiar, just like the regular show crypto ipsec sa output we use for VPNs :)
Things to watch out for:
- the SPI must match on every router on the link
- the hash type (md5 or sha1) must match
- the hex key string must match (32 hex digits for MD5, 40 for SHA-1)
- as in OSPFv2, the hello and dead timers must still match or no adjacency forms
- note "replay detection support: N" in the show crypto ipsec sa output above: with manual keying the AH sequence number is carried but not enforced, so this authenticates the speakers but does not stop a replayed packet
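To tie the configuration above (SPI 256, md5, the 32-hex-digit key) to what shows up in the captures, here is an added example that is not part of the original post. It builds the authenticated 2.2.2.2 Hello as a constructed packet using the addresses, Router IDs and timers from the dumps above, computes the AH ICV the way RFC 4302 and RFC 2403 (HMAC-MD5-96) describe, verifies it with the right and the wrong key and SPI, and then parses everything AH leaves readable. The ICV it produces is the example's own, not the value in the capture, and the checks for mutable versus covered fields go a little beyond the post by showing exactly which header bytes the ICV protects.

```python
import hashlib
import hmac
import ipaddress
import struct

# Values from the lab configuration above: SPI 256, HMAC-MD5 and the key from the
# "ipv6 ospf authentication ipsec spi 256 md5 ..." interface command.
SPI = 256
KEY = bytes.fromhex("AABBCCDDEEFFAABBCCDDEEFFAABBCCDD")  # 128-bit HMAC-MD5 key
AH_ICV_LEN = 12            # HMAC-MD5-96: digest truncated to 96 bits (RFC 2403)
NH_AH, NH_OSPF = 51, 89    # IPv6 Next Header values for AH and OSPF


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used for the OSPFv3 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_hello(src: str, dst: str) -> bytes:
    """Constructed OSPFv3 Hello mirroring the 2.2.2.2 packet in the tcpdump above."""
    def rid(s: str) -> bytes:
        return ipaddress.IPv4Address(s).packed
    body = struct.pack("!IB3sHH4s4s4s",
                       4,                    # Interface ID
                       1,                    # Router Priority
                       b"\x00\x00\x13",      # Options: R, E, V6
                       10, 40,               # Hello / Dead intervals
                       rid("2.2.2.2"),       # Designated Router
                       rid("172.16.1.254"),  # Backup DR
                       rid("172.16.1.254"))  # Active neighbor
    hdr = struct.pack("!BBH4s4sHBB", 3, 1, 16 + len(body), rid("2.2.2.2"),
                      b"\x00" * 4, 0, 0, 0)  # area 0, checksum 0 (filled below), instance 0
    pkt = hdr + body
    # OSPFv3 checksum covers the IPv6 pseudo-header (RFC 5340).
    pseudo = (ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
              + struct.pack("!I3xB", len(pkt), NH_OSPF))
    return pkt[:12] + struct.pack("!H", inet_checksum(pseudo + pkt)) + pkt[14:]


def ah_icv(ipv6_hdr: bytes, ah_fixed: bytes, payload: bytes, key: bytes) -> bytes:
    """AH ICV per RFC 4302: HMAC over the IPv6 header with mutable fields zeroed
    (Traffic Class, Flow Label, Hop Limit), the AH header with its ICV zeroed,
    and the upper-layer payload. The key itself never appears on the wire."""
    h = bytearray(ipv6_hdr)
    h[0] &= 0xF0             # keep Version, zero upper Traffic Class nibble
    h[1] = h[2] = h[3] = 0   # lower Traffic Class nibble + Flow Label
    h[7] = 0                 # Hop Limit
    msg = bytes(h) + ah_fixed + b"\x00" * AH_ICV_LEN + payload
    return hmac.new(key, msg, hashlib.md5).digest()[:AH_ICV_LEN]


def build_packet(key: bytes, spi: int = SPI, seq: int = 0x20, hop_limit: int = 1) -> bytes:
    """IPv6 + AH + OSPFv3 Hello, as the 2.2.2.2 router would send it to ff02::5."""
    src, dst = "fe80::219:55ff:fe78:318d", "ff02::5"
    hello = build_hello(src, dst)
    # AH: Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Sequence
    ah_fixed = struct.pack("!BBHII", NH_OSPF, (12 + AH_ICV_LEN) // 4 - 2, 0, spi, seq)
    ipv6 = struct.pack("!IHBB16s16s", (6 << 28) | (0xE0 << 20),
                       len(ah_fixed) + AH_ICV_LEN + len(hello), NH_AH, hop_limit,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)
    return ipv6 + ah_fixed + ah_icv(ipv6, ah_fixed, hello, key) + hello


def parse(pkt: bytes) -> dict:
    """Everything AH leaves readable: SPI, sequence, ICV and the whole Hello."""
    nh, plen, _, spi, seq = struct.unpack("!BBHII", pkt[40:52])
    ah_len = (plen + 2) * 4
    ospf = pkt[40 + ah_len:]
    return {
        "spi": spi, "seq": seq,
        "icv": pkt[52:40 + ah_len].hex().upper(),
        "router_id": str(ipaddress.IPv4Address(ospf[4:8])),
        "hello_interval": struct.unpack("!H", ospf[24:26])[0],
        "dead_interval": struct.unpack("!H", ospf[26:28])[0],
        "neighbors": [str(ipaddress.IPv4Address(ospf[i:i + 4])) for i in range(36, len(ospf), 4)],
    }


def verify(pkt: bytes, key: bytes) -> bool:
    """What the receiving router does: look up the SA by SPI, recompute the ICV
    with its own key, compare. A wrong key, wrong hash or unknown SPI all fail."""
    ipv6, ah = pkt[:40], pkt[40:52]
    nh, plen, _, spi, _ = struct.unpack("!BBHII", ah)
    if ipv6[6] != NH_AH or nh != NH_OSPF or spi != SPI:
        return False
    ah_len = (plen + 2) * 4
    expected = ah_icv(ipv6, ah, pkt[40 + ah_len:], key)
    return hmac.compare_digest(expected, pkt[52:40 + ah_len])


if __name__ == "__main__":
    p = build_packet(KEY)
    print(parse(p))                                   # neighbors, timers: all in the clear
    print(verify(p, KEY), verify(p, bytes(16)))       # True, False
```

Changing the hop limit of the built packet still verifies (AH treats it as mutable), while changing a single byte of the Hello interval or using a different SPI does not; that is the whole of what this authentication buys you, and why the Hello fields remain readable in the tshark output above.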
Note: you need an IOS image that supports crypto (a K9 feature set). The above was done on two Cisco 1841 ISRs running the following image:
ccie01#sh version | i oft
Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(25f), RELEASE SOFTWARE (fc2)
ccie01#
But here's an IPv6-aware Cisco 6500 whose image (IPSERVICESK9) does include crypto features:
LA1R01CR#show ver | i oftwa
Cisco Internetwork Operating System Software
IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(18)SXF11, RELEASE SOFTWARE (fc1)
BOOTLDR: s72033_rp Software (s72033_rp-IPSERVICESK9_WAN-M), Version 12.2(18)SXF11, RELEASE SOFTWARE (fc1)
SuperLAT software (copyright 1990 by Meridian Technology Corp).
X.25 software, Version 3.0.0.
Bridging software.
TN3270 Emulation software.
yet it does not offer OSPFv3 authentication under the interface:
LA1R01CR(config-if)#ipv6 ospf ?
<1-65535> Process ID
cost Interface cost
database-filter Filter OSPF LSA during synchronization and flooding
dead-interval Interval after which a neighbor is declared dead
demand-circuit OSPF demand circuit
flood-reduction OSPF Flood Reduction
hello-interval Time between HELLO packets
mtu-ignore Ignores the MTU in DBD packets
neighbor OSPF neighbor
network Network type
priority Router priority
retransmit-interval Time between retransmitting lost link state advertisements
transmit-delay Link state transmit delay
Nor does it support authentication globally under the OSPFv3 process:
LA1R01CR(config-rtr)#?
area OSPF area parameters
auto-cost Calculate OSPF interface cost according to bandwidth
default Set a command to its defaults
default-information Distribution of default information
default-metric Set metric of redistributed routes
discard-route Enable or disable discard-route installation
distance Administrative distance
distribute-list Filter networks in routing updates
exit Exit from IPv6 routing protocol configuration mode
ignore Do not complain about specific event
log-adjacency-changes Log changes in adjacency state
maximum-paths Forward packets over multiple paths
no Negate a command or set its defaults
passive-interface Suppress routing updates on an interface
process-min-time Percentage of quantum to be used before releasing CPU
redistribute Redistribute IPv6 prefixes from another routing protocol
router-id router-id for this OSPF process
summary-prefix Configure IPv6 summary prefix
timers Adjust routing timers
So keep that in mind when designing your OSPFv3 topologies, and check every platform's IOS image before you enable IPv6 on your speakers. I've been burned numerous times when deploying OSPFv3 + authentication into Cisco core backbones.
Ken Felix
Your Freelance Network Security Engineer
kfelix " a t " hyperfeed.com