Specifying the key rollover timer, Configuring IPsec on an interface – Brocade Virtual ADX Switch and Router Guide (Supporting ADX v03.1.00) User Manual

Brocade Virtual ADX Switch and Router Guide, 53-1003246-01, page 172 (viewer page 186)

Chapter 7: Enabling OSPFv3

IPsec authentication for OSPFv3 requires the use of multiple SPDs, one for each interface. A
virtual link has a separate, global SPD. The authentication configuration on a virtual link must
be different from the authentication configuration for an area or interface, as required by
RFC 4552. The interface number is used to generate a non-zero security policy database
identifier (SPDID), but for the global SPD for a virtual link, the system-generated SPDID is
always zero. As a hypothetical example, the SPD for interface ethernet 1/1 might have the
system-generated SPDID of 1, and so on.

If you change an existing key, you must also specify a different SPI value. For example, in an
interface context where you intend to change a key, you must type a different SPI value (it
occurs before the key parameter on the command line) before you type the new key. The
example in "Configuring IPsec for OSPFv3" illustrates this requirement.

The old key is active for twice the currently configured key-rollover-interval in the inbound
direction. In the outbound direction, the old key remains active for a duration equal to the
key-rollover-interval. If the key-rollover-interval is set to 0, the new key immediately takes effect
in both directions. For a description of the key-rollover-interval, refer to the "Changing the key
rollover timer" section.

Specifying the key rollover timer

Configuration changes for authentication take effect in a controlled manner through the key
rollover procedure specified in RFC 4552, Section 10.1. The key rollover timer controls the
timing of the configuration changeover. The key rollover timer can be configured in the IPv6 router
OSPF context, as the following example illustrates.

Virtual ADX(config-ospf6-router)#key-rollover-interval 200

Syntax: key-rollover-interval time

The range for the key-rollover-interval is 0 through 14400 seconds. The default is 300 seconds.
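The following added example (not Brocade code) models the two rules this section and the preceding one describe: a changed key must come with a new SPI, and after a change the old key stays accepted inbound for twice the key-rollover-interval but is used outbound for only one interval (immediately replaced when the interval is 0). The interval range and default come from the page; the 32-bit SPI bound and the 160-bit HMAC-SHA1 key length are assumptions taken from RFC 4552 and RFC 4303, and all function names are this example's own.

```python
from dataclasses import dataclass

MAX_ROLLOVER_INTERVAL = 14400    # seconds (page: range 0 through 14400)
DEFAULT_ROLLOVER_INTERVAL = 300  # seconds (page: default)
SHA1_KEY_HEX_CHARS = 40          # 160-bit HMAC-SHA1 key as 40 hex digits (assumed)
HEX_DIGITS = set("0123456789abcdefABCDEF")


@dataclass(frozen=True)
class OspfIpsecAuth:
    """One 'ipv6 ospf authentication ipsec spi <spi> esp sha1 <key>' setting."""
    spi: int
    key_hex: str


def validation_errors(auth):
    """Return the list of problems with a single SPI/key pair (empty if OK)."""
    errors = []
    if not 1 <= auth.spi <= 0xFFFFFFFF:          # SPI is a 32-bit field (assumed)
        errors.append("spi out of 32-bit range")
    k = auth.key_hex
    if len(k) != SHA1_KEY_HEX_CHARS or any(c not in HEX_DIGITS for c in k):
        errors.append("sha1 key must be %d hex digits" % SHA1_KEY_HEX_CHARS)
    return errors


def key_change_is_valid(old, new):
    """Page rule: changing the key requires typing a different SPI as well."""
    if new.key_hex != old.key_hex and new.spi == old.spi:
        return False
    return not validation_errors(new)


def keys_at(t, old, new, change_time, interval=DEFAULT_ROLLOVER_INTERVAL):
    """Keys in use at time t (seconds) after a key change made at change_time.

    Returns (set of SPIs accepted inbound, SPI used outbound). The old key is
    accepted inbound for 2*interval and used outbound for 1*interval; with
    interval 0 the new key takes effect immediately in both directions.
    """
    if not 0 <= interval <= MAX_ROLLOVER_INTERVAL:
        raise ValueError("key-rollover-interval must be 0..%d" % MAX_ROLLOVER_INTERVAL)
    if t < change_time:
        return {old.spi}, old.spi
    inbound = {new.spi}
    if t < change_time + 2 * interval:
        inbound.add(old.spi)
    outbound = old.spi if t < change_time + interval else new.spi
    return inbound, outbound
```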

Configuring IPsec on an interface

For IPsec to work, the IPsec configuration must be the same on all the routers to which an interface
connects.

For multicast, IPsec does not need or use a specific destination address—the destination address
is “do not care,” and this status is reflected by the lone pair of colons (::) for destination address in
the show command output.

To configure IPsec on an interface, proceed as in the following example.

NOTE

The IPsec configuration for an interface applies to the inbound and outbound directions. Also, the
same authentication parameters must be used by all routers on the network to which the interface
is connected, as described in section 7 of RFC 4552.

Virtual ADX(config-if-e10000-1)#ipv6 ospf authentication ipsec spi 429496795 esp sha1 abcdef12345678900987654321fedcba12345678

Syntax: [no] ipv6 ospf authentication ipsec spi spinum esp sha1 [no-encrypt] key

The no form of this command deletes IPsec from the interface.

The ipv6 command is available in the configuration interface context for a specific interface.

The ospf keyword identifies OSPFv3 as the protocol to receive IPsec security.
