IPsec for OSPFv3
This section describes the implementation of Internet Protocol Security (IPsec) for securing OSPFv3
traffic.
IPsec is available for OSPFv3 traffic only and only for packets that are "for-us." A for-us packet is
addressed to one of the IPv6 addresses on the device or to an IPv6 multicast address. Packets that
are just forwarded by the line card do not receive IPsec scrutiny.
Brocade devices support the following components of IPsec for IPv6-addressed packets:
• Authentication through Encapsulating Security Payload (ESP) in transport mode
• HMAC-SHA1-96 as the authentication algorithm
• Manual configuration of keys
• Configurable rollover timer
IPsec can be enabled on the following logical entities:
• Interface
• Area
• Virtual link
With respect to traffic classes, this implementation of IPsec uses a single security association (SA)
between the source and destination to carry all traffic classes, so it does not differentiate between
the classes of traffic that the DSCP bits define.
IPsec on a virtual link is a global configuration. Interface and area IPsec configurations are more
granular.
Among the entities that can have IPsec protection, the interfaces and areas can overlap. The interface
IPsec configuration takes precedence over the area IPsec configuration when an area and an
interface within that area use IPsec. Therefore, if you configure IPsec for an interface and an area
configuration also exists that includes this interface, the interface’s IPsec configuration is used by that
interface. However, if you disable IPsec on an interface, IPsec is disabled on the interface even if the
interface has its own, specific authentication.
See "Disabling IPsec on an interface" on page 346 for more information.
For IPsec, the system generates two types of databases. The security association database (SAD)
contains a security association for each interface or one global database for a virtual link. Even if
IPsec is configured for an area, each interface that uses the area’s IPsec still has its own security
association in the SAD. Each SA in the SAD is a generated entry that is based on your specifications
of an authentication protocol (ESP in the current release), destination address, and a security policy
index (SPI). The SPI number is user-specified according to the network plan; the SPI values you
choose must be planned consistently across the whole network.
The system-generated security policy databases (SPDs) contain the security policies against which
the system checks the for-us packets. For each for-us packet that has an ESP header, the applicable
security policy in the security policy database (SPD) is checked to see if this packet complies with the
policy. The IPsec task drops the non-compliant packets. Compliant packets continue on to the
OSPFv3 task.
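As an added illustration (not code from the Brocade guide), the following Python models the precedence rules above (explicit interface disable, then interface configuration, then area configuration) and checks a planned deployment for the network-wide SPI consistency the text calls for; the interface names, SPIs and keys are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class IpsecPolicy:
    """One manually keyed ESP/HMAC-SHA1-96 security association, as described above."""
    spi: int        # user-chosen SPI; must follow one network-wide plan
    key_hex: str    # manually configured authentication key (constructed sample values below)

@dataclass
class Interface:
    name: str
    area: str
    ipsec: Optional[IpsecPolicy] = None   # interface-level IPsec configuration, if any
    ipsec_disabled: bool = False          # explicit per-interface disable

def effective_policy(iface: Interface, area_policies: Dict[str, IpsecPolicy]) -> Optional[IpsecPolicy]:
    """Resolve which SA an interface ends up with, in the order the text gives:
    an explicit disable on the interface wins, then the interface's own configuration,
    then the configuration of the area containing it, otherwise no IPsec."""
    if iface.ipsec_disabled:
        return None
    if iface.ipsec is not None:
        return iface.ipsec
    return area_policies.get(iface.area)

def check_link_plan(links: List[Tuple[str, str]], ifaces: Dict[str, Interface],
                    area_policies: Dict[str, IpsecPolicy]) -> List[str]:
    """Both ends of an OSPFv3 adjacency must resolve to the same SPI and key; otherwise the
    peer's ESP packets fail the SPD check on the receiving device and never reach OSPFv3."""
    problems = []
    for a, b in links:
        pa = effective_policy(ifaces[a], area_policies)
        pb = effective_policy(ifaces[b], area_policies)
        if pa != pb:
            problems.append(f"{a} <-> {b}: {pa} vs {pb}")
    return problems

# Constructed sample plan (hypothetical names, SPIs and keys; not from the guide).
AREA_POLICIES = {"0.0.0.1": IpsecPolicy(spi=1001, key_hex="a1" * 20)}
IFACES = {
    "r1:eth1/1": Interface("r1:eth1/1", "0.0.0.1"),                              # inherits the area SA
    "r2:eth1/1": Interface("r2:eth1/1", "0.0.0.1"),                              # inherits the area SA
    "r2:eth1/2": Interface("r2:eth1/2", "0.0.0.1", IpsecPolicy(2002, "b2" * 20)),  # interface override
    "r3:eth1/1": Interface("r3:eth1/1", "0.0.0.1"),                              # still on area SA: mismatch
    "r3:eth1/2": Interface("r3:eth1/2", "0.0.0.1", ipsec_disabled=True),         # explicitly disabled
    "r4:eth1/1": Interface("r4:eth1/1", "0.0.0.1"),
}
LINKS = [("r1:eth1/1", "r2:eth1/1"), ("r2:eth1/2", "r3:eth1/1"), ("r3:eth1/2", "r4:eth1/1")]

if __name__ == "__main__":
    for line in check_link_plan(LINKS, IFACES, AREA_POLICIES):
        print("SA mismatch:", line)
```

Running the sample reports the two links whose ends do not share an SA: the interface override on r2:eth1/2 and the explicit disable on r3:eth1/2.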
Configuring IPsec for OSPFv3
This section describes how to configure IPsec for an interface, area, and virtual link. It also describes
how to change the key rollover timer if necessary and how to disable IPsec on a particular interface for
special purposes.
By default, OSPFv3 IPsec authentication is disabled. The following IPsec parameters are configurable:
IPsec for OSPFv3
340
FastIron Ethernet Switch Layer 3 Routing Configuration Guide
53-1003087-04