Conguring IPsec for OSPFv3
This section describes how to congure IPsec for an interface, area, and virtual link. It also describes how to change the key rollover timer
if necessary and how to disable IPsec on a particular interface for special purposes.
By default, OSPFv3 IPsec authentication is disabled. The following IPsec parameters are congurable:
• ESP security protocol
• Authentication
• HMAC-SHA1-96 authentication algorithm
• Security parameter index (SPI)
• A 40-character key using hexadecimal characters
• An option for not encrypting the keyword when it appears in show command output
• Key rollover timer
• Specifying the key add remove timer
NOTE: In the current release, certain keyword parameters must be entered even though only one keyword choice is possible for that
parameter. For example, the only authentication algorithm in the current release is HMAC-SHA1-96, but you must nevertheless
enter the keyword for this algorithm. Also, ESP currently is the only authentication protocol, but you must still enter the esp
keyword. This section describes all keywords.
IPsec for OSPFv3 considerations
The IPsec component generates security associations and security policies based on certain user-specified parameters. The parameters
are described with the syntax of each command in this section. User-specified parameters and their relation to system-generated values
are as follows:
• Security association: based on your entries for security parameter index (SPI), destination address, and security protocol (currently
ESP), the system creates a security association for each interface or virtual link.
• Security policy database: based on your entries for SPI, source address, destination addresses, and security protocol, the
system creates a security policy database for each interface or virtual link.
• You can configure the same SPI and key on multiple interfaces and areas, but they still have unique IPsec configurations
because the SA and policies are added to each separate security policy database (SPD) that is associated with a particular
interface. If you configure an SA with the same SPI in multiple places, the rest of the parameters associated with the SA—such
as key, cryptographic algorithm, and security protocol—must match. If the system detects a mismatch, it displays an
error message.
• IPsec authentication for OSPFv3 requires the use of multiple SPDs, one for each interface. A virtual link has a separate, global
SPD. The authentication configuration on a virtual link must be different from the authentication configuration for an area or
interface, as required by RFC 4552. The interface number is used to generate a non-zero security policy database identifier
(SPDID), but for the global SPD for a virtual link, the system-generated SPDID is always zero. As a hypothetical example, the
SPD for interface eth 1/1/1 might have the system-generated SPDID of 1, and so on.
• If you change an existing key, you must also specify a different SPI value. For example, in an interface context where you intend
to change a key, you must type a different SPI value—which occurs before the key parameter on the command line—before you
type the new key.
• The old key is active for twice the currently configured key-rollover-interval in the inbound direction. In the outbound direction,
the old key remains active for a duration equal to the key-rollover-interval. If the key-rollover-interval is set to 0, the new key
immediately takes effect in both directions.
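The following Python model is added here as an illustration of the rules above; it is not code from the FastIron documentation or software, and the class and function names are the example's own. It checks SA parameter consistency when an SPI is reused, enforces the new-SPI-on-rekey rule, and reports which SPIs are accepted inbound and used outbound during a rollover, using the timing stated above.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Sa:
    spi: int
    key: str                         # 40 hexadecimal characters (HMAC-SHA1-96 key)
    algorithm: str = "hmac-sha1-96"  # the only algorithm the page lists
    protocol: str = "esp"            # the only security protocol the page lists

def validate_sa(sa: Sa) -> None:
    if sa.protocol != "esp" or sa.algorithm != "hmac-sha1-96":
        raise ValueError("only esp / hmac-sha1-96 are supported")
    if len(sa.key) != 40 or any(c not in "0123456789abcdefABCDEF" for c in sa.key):
        raise ValueError("key must be 40 hexadecimal characters")

def check_spi_consistency(sas: List[Sa]) -> Dict[int, Sa]:
    # Reusing an SPI across interfaces/areas is allowed only if key, algorithm
    # and protocol all match; a mismatch is rejected (the device prints an error).
    seen: Dict[int, Sa] = {}
    for sa in sas:
        validate_sa(sa)
        if sa.spi in seen and seen[sa.spi] != sa:
            raise ValueError(f"SPI {sa.spi} configured with mismatched parameters")
        seen[sa.spi] = sa
    return seen

class InterfaceSpd:
    # One SPD per interface (spdid = interface number) or the global virtual-link SPD (spdid 0).
    def __init__(self, spdid: int, sa: Sa, now: float = 0.0):
        validate_sa(sa)
        self.spdid, self.current, self.old = spdid, sa, None
        self.old_in_until = self.old_out_until = now
    def rekey(self, new_sa: Sa, now: float, rollover_interval: float) -> None:
        validate_sa(new_sa)
        if new_sa.spi == self.current.spi:
            raise ValueError("changing the key requires a different SPI")
        # Old key accepted inbound for 2x the interval, used outbound for 1x; 0 = immediate.
        self.old, self.current = self.current, new_sa
        self.old_in_until = now + 2 * rollover_interval
        self.old_out_until = now + rollover_interval
    def accepted_inbound(self, t: float) -> List[int]:
        spis = [self.current.spi]
        if self.old is not None and t < self.old_in_until:
            spis.append(self.old.spi)
        return spis
    def outbound_spi(self, t: float) -> int:
        if self.old is not None and t < self.old_out_until:
            return self.old.spi
        return self.current.spi
```

With a 300-second interval, a rekey at t=100 keeps the old SPI accepted inbound until t=700 and in use outbound until t=400, which is the window an operator should expect neighbors to still be authenticated by the old key.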
Conguring OSPFv3
FastIron Ethernet Switch Layer 3 Routing
53-1003627-04 313