C613-50631-01 Rev A Command Reference for IE340 Series 1218
AlliedWare Plus™ Operating System - Version 5.5.3-0.x
OSPFV3 FOR IPV6 COMMANDS
AREA
ENCRYPTION IPSEC SPI ESP
Usage notes When you issue this command, authentication and encryption are both enabled.
Use this command on an OSPFv3 area, use the area virtual-link encryption ipsec spi
command on an OSPFv3 area virtual link. Configure the same SPI (Security
Parameters Index) value on all interfaces that connect to the same link. SPI values
are used by link interfaces. Use a different SPI value for a different link interface
when using OSPFv3 with link interfaces.
Security is achieved using the IPv6 ESP extension header. The IPv6 ESP extension
header is used to provide confidentiality, integrity, authentication, and
confidentiality. Authentication fields are removed from OSPF for IPv6 packet
headers, so applying IPv6 ESP extension headers are required for integrity,
authentication, and confidentiality.
Use the sha1 keyword to choose SHA-1 authentication instead of entering the
md5 keyword to use MD5 authentication. The SHA-1 algorithm is more secure
than the MD5 algorithm. SHA-1 uses a 40 hexadecimal character key instead of a
32 hexadecimal character key as used for MD5 authentication.
See the OSPFv3 Feature Overview and Configuration Guide for more information
and examples.
NOTE: You can configure an encryption security policy (SPI) on an OSPFv3 area with
this command, or on an interface with the ipv6 ospf encryption spi esp command.
When you configure encryption for an area, the security policy is applied to all
interfaces in the area. However, we recommend a different encryption security policy is
applied to each interface for higher security.
If you apply the ipv6 ospf encryption null command, this affects encryption
configured on both the interface and the OSPFv3 area.
This is due to OSPFv3 hello messages ingressing interfaces, which are part of area
encryption, not being encrypted. So neighbors time out.
Example To enable ESP encryption, but not apply an AES-CBC key or an 3DES key, and MD5
authentication with a 32 hexadecimal character key for OPSPF area 1, use the
commands:
awplus# configure terminal
awplus(config)# router ipv6 ospf
awplus(config-router)# area 1 encryption ipsec spi 1000 esp null
md5 1234567890ABCDEF1234567890ABCDEF
To enable ESP encryption, but not apply an AES-CBC key or an 3DES key, and SHA-1
authentication with a 40 hexadecimal character key for OPSPF area 1, use the
commands:
awplus# configure terminal
awplus(config)# router ipv6 ospf
awplus(config-router)# area 1 encryption ipsec spi 1000 esp null
sha1 1234567890ABCDEF1234567890ABCDEF12345678
To Next Page
Loading...
Need help?
General
