C613-50100-01 REV C Command Reference for x930 Series 1098
AlliedWare Plus™ Operating System - Version 5.4.6-1.x
OSPFV3 FOR IPV6 COMMANDS
IPV
6 OSPF ENCRYPTION SPI ESP
Security is achieved using the IPv6 ESP extension header. The IPv6 ESP extension
header is used to provide confidentiality, integrity, authentication, and
confidentiality. Authentication fields are removed from OSPF for IPv6 packet
headers, so applying IPv6 ESP extension headers are required for integrity,
authentication, and confidentiality.
Use the null keyword to override existing area encryption. Apply the null keyword
if area encryption is already configured to then configure encryption on an
interface instead.
Use the sha1 keyword to choose SHA-1 authentication instead of entering the
md5 keyword to use MD5 authentication. The SHA-1 algorithm is more secure
than the MD5 algorithm. SHA-1 uses a 40 hexadecimal character key instead of a
32 hexadecimal character key as used for MD5 authentication.
See the OSPFv3 Feature Overview and Configuration Guide for more information
and examples.
NOTE: You can configure an encryption security policy (SPI) on a VLAN interface with
this command, or an OSPFv3 area with the area encryption ipsec spi esp command.
When you configure encryption for an area, the security policy is applied to all VLAN
interfaces in the area. Allied Telesis recommends a different encryption security policy
is applied for each interface for higher security.
If you apply the ipv6 ospf encryption null command this affects encryption
configured on both the VLAN interface and the OSPFv3 area.
This is due to OSPFv3 hello messages ingressing VLAN interfaces, which are part of area
encryption, not being encrypted. So neighbors time out.
Example To enable ESP encryption, but not apply an AES-CBC key or a 3DES key, for interface
VLAN 2 and MD5 authentication with a 32 hexadecimal character key, use the
commands:
awplus# configure terminal
awplus(config)# interface vlan2
awplus(config-if)# ipv6 ospf encryption ipsec spi 1000 esp null
md5 1234567890ABCDEF1234567890ABCDEF
To enable ESP encryption, but not apply an AES-CBC key or a 3DES key, for interface
VLAN 2 and SHA-1 authentication with a 40 hexadecimal character key, use the
commands:
awplus# configure terminal
awplus(config)# interface vlan2
awplus(config-if)# ipv6 ospf encryption ipsec spi 1000 esp null
sha1 1234567890ABCDEF1234567890ABCDEF12345678
To Next Page
Loading...
Need help?
General
