General considerations, Interface and area IPsec considerations – Brocade Multi-Service IronWare Routing Configuration Guide (Supporting R05.6.00) User Manual


Multi-Service IronWare Routing Configuration Guide

659

53-1003033-02

Configuring OSPFv3

NOTE

In the current release, certain keyword parameters must be entered even though only one keyword
choice is possible for that parameter. For example, the only authentication algorithm in the current
release is HMAC-SHA1-96, but you must nevertheless enter the keyword for this algorithm. Also, ESP
currently is the only authentication protocol, but you must still enter the esp keyword. This section
describes all keywords.

General considerations

The IPsec component generates security associations and security policies based on certain user-specified parameters. The parameters are described with the syntax of each command in this section and also pointed out in the “IPsec examples” section on page 693, which contains the show command examples. User-specified parameters and their relation to system-generated values are as follows:

Security association: based on your entries for security policy index (SPI), destination address, and security protocol (currently ESP), the system creates a security association for each interface or virtual link.

Security policy database: based on your entries for SPI, source address, destination addresses, and security protocol, the system creates a security policy database for each interface or virtual link.

You can configure the same SPI and key on multiple interfaces and areas, but they still have unique IPsec configurations because the SA and policies are added to each separate security policy database (SPD) that is associated with a particular interface. If you configure an SA with the same SPI in multiple places, the rest of the parameters associated with the SA — such as key, cryptographic algorithm, security protocol, and so on — must match. If the system detects a mismatch, it displays an error message.

IPsec authentication for OSPFv3 requires the use of multiple SPDs, one for each interface. A virtual link has a separate, global SPD. The authentication configuration on a virtual link must be different from the authentication configuration for an area or interface, as required by RFC 4552. The interface number is used to generate a non-zero security policy database identifier (SPDID), but for the global SPD for a virtual link, the system-generated SPDID is always zero. As a hypothetical example, the SPD for interface eth 1/1 might have the system-generated SPDID of 1, and so on.

If you change an existing key, you must also specify a different SPI value. For example, in an interface context where you intend to change a key, you must type a different SPI value — which occurs before the key parameter on the command line — before you type the new key. The example in “Configuring IPsec for OSPFv3” illustrates this requirement.

The old key is active for twice the currently configured key-rollover-interval for the inbound direction. In the outbound direction, the old key remains active for a duration equal to the key-rollover-interval. If the key-rollover-interval is set to 0, the new key immediately takes effect for both directions. For a description of the key-rollover-interval, refer to the “Changing the key rollover timer” section on page 664.
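As an added illustration that is not part of the Brocade guide, the following Python model encodes the rules above: one SPD per interface with a non-zero SPDID and a global SPDID 0 for the virtual link, the requirement that an SPI reused anywhere carries matching parameters, the rule that a key change needs a new SPI, and the inbound (2x) versus outbound (1x) key-rollover windows. The derivation of the SPDID from the port number, the class and method names, and the sample keys are assumptions for the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class SA:
    spi: int
    key: str
    algorithm: str = "hmac-sha1-96"   # only algorithm offered in this release
    protocol: str = "esp"             # only protocol offered in this release

class OspfV3IpsecModel:
    """Per-interface SPDs derived from user-entered SAs, enforcing the
    same-SPI, key-change and key-rollover rules described in the text."""

    def __init__(self, key_rollover_interval):
        self.interval = key_rollover_interval
        self.spd = {}        # spdid -> {"sa": SA, "old": SA or None, "changed_at": int}
        self.sa_by_spi = {}  # every SA configured anywhere, keyed by SPI

    @staticmethod
    def spdid(ifname):
        # Assumption: an interface's non-zero SPDID is its port number
        # (eth 1/1 -> 1); the virtual link's global SPD is always SPDID 0.
        return 0 if ifname == "virtual-link" else int(ifname.rsplit("/", 1)[-1])

    def configure(self, ifname, sa, now=0):
        sid = self.spdid(ifname)
        entry = self.spd.get(sid)
        if entry and entry["sa"].spi == sa.spi and entry["sa"].key != sa.key:
            raise ValueError("changing the key requires a different SPI")
        known = self.sa_by_spi.get(sa.spi)
        if known is not None and known != sa:
            raise ValueError(f"SPI {sa.spi} is already configured with other parameters")
        # RFC 4552: the virtual link must not reuse an interface/area configuration
        for other_sid, other in self.spd.items():
            if (other_sid == 0) != (sid == 0) and other["sa"].spi == sa.spi:
                raise ValueError("virtual link must not share an SPI with an interface")
        self.sa_by_spi[sa.spi] = sa
        self.spd[sid] = {"sa": sa, "old": entry["sa"] if entry else None, "changed_at": now}
        return sid

    def active_keys(self, ifname, direction, now):
        """Keys accepted (inbound) or still in use (outbound) at time `now`:
        the old key lingers 2x the rollover interval inbound, 1x outbound."""
        entry = self.spd[self.spdid(ifname)]
        keys = {entry["sa"].key}
        window = self.interval * (2 if direction == "inbound" else 1)
        if entry["old"] is not None and now - entry["changed_at"] < window:
            keys.add(entry["old"].key)
        return keys
```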

Interface and area IPsec considerations

This section describes the precedence of interface and area IPsec configurations.

If you configure an interface IPsec by using the ipv6 ospf authentication command in the context of
a specific interface, that interface’s IPsec configuration overrides the area configuration of IPsec.
