IPsec for OSPF V3 configuration – Brocade Communications Systems Layer 3 Routing Configuration ICX 6650 User Manual

248    Brocade ICX 6650 Layer 3 Routing Configuration Guide    53-1002603-01

OSPF V3 configuration

Instructions for configuring IPsec on these entities appear in “IPsec for OSPF V3 configuration” on page 248.

IPsec on a virtual link is a global configuration. Interface and area IPsec configurations are more
granular.

Among the entities that can have IPsec protection, the interfaces and areas can overlap. The
interface IPsec configuration takes precedence over the area IPsec configuration when an area
and an interface within that area both use IPsec. Therefore, if you configure IPsec for an interface and
an area configuration also exists that includes this interface, the interface’s own IPsec configuration is
the one that interface uses. However, if you disable IPsec on an interface, IPsec stays disabled on that
interface even if the interface has its own, specific authentication configured. Refer to
“Disabling IPsec on an interface” on page 253.

For IPsec, the system generates two types of databases. The security association database (SAD)
contains a security association (SA) for each interface, or one global entry for a virtual link. Even if
IPsec is configured for an area, each interface that uses the area’s IPsec still has its own security
association in the SAD. Each SA in the SAD is a generated entry that is based on your
specifications of an authentication protocol (ESP in the current release), a destination address, and
a security parameter index (SPI). The SPI number is user-specified according to the network plan;
SPI values must be chosen with the whole network in mind.

The system-generated security policy databases (SPDs) contain the security policies against which
the system checks packets addressed to this device (for-us packets). For each for-us packet that has an ESP header, the
applicable security policy in the security policy database (SPD) is checked to determine whether the packet
complies with the policy. The IPsec task drops non-compliant packets. Compliant packets
continue on to the OSPFv3 module.

IPsec for OSPF V3 configuration

This section describes how to configure IPsec for an interface, area, and virtual link. It also
describes how to change the key rollover timer if necessary and how to disable IPsec on a
particular interface for special purposes.

By default, OSPFv3 IPsec authentication is disabled. The following IPsec parameters are
configurable:

• ESP security protocol
• Authentication
• HMAC-SHA1-96 authentication algorithm
• Security parameter index (SPI)
• A 40-character key using hexadecimal characters
• An option for not encrypting the keyword when it appears in show command output
• Key rollover timer

NOTE

In the current release, certain keyword parameters must be entered even though only one keyword
choice is possible for that parameter. For example, the only authentication algorithm in the current
release is HMAC-SHA1-96, but you must nevertheless enter the keyword for this algorithm. Also, ESP
currently is the only authentication protocol, but you must still enter the esp keyword. This section
describes all keywords.
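The following Python model is an added example, not code from the manual or from Brocade; it illustrates the precedence rules and the SAD/SPD processing described above (interface configuration overrides area configuration, a disabled interface gets no SA, one SA per interface keyed by destination address and SPI, for-us ESP packets dropped unless their SA exists and their ICV verifies) together with the parameter constraints in the list above (HMAC-SHA1-96, a 40-hexadecimal-character key). All names, addresses, SPIs and keys are constructed for illustration, and keying the SA by the interface's own address is a simplification of the real ESP/OSPFv3 packet handling.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed model of the behaviour the page describes: interface IPsec
# settings take precedence over area settings, an interface with IPsec disabled
# gets no SA, the SAD holds one SA per interface keyed by destination address
# and SPI, and a for-us ESP packet is dropped unless its SA exists and its
# HMAC-SHA1-96 ICV verifies. All names and sample values are hypothetical.

HEX_KEY_LEN = 40  # 40 hex characters = 20-byte HMAC-SHA1 key, as the page states


def valid_key_hex(key_hex: str) -> bool:
    """True when the key is exactly 40 hexadecimal characters."""
    if len(key_hex) != HEX_KEY_LEN:
        return False
    try:
        bytes.fromhex(key_hex)
    except ValueError:
        return False
    return True


@dataclass
class IpsecConfig:
    spi: int              # security parameter index, planned network-wide
    key_hex: str          # authentication key as 40 hex characters
    enabled: bool = True  # False models "disable IPsec on the interface"

    def key(self) -> bytes:
        if not valid_key_hex(self.key_hex):
            raise ValueError("key must be 40 hexadecimal characters")
        return bytes.fromhex(self.key_hex)


def effective_config(interface_cfg, area_cfg):
    """Interface config wins over area config; a disabled interface gets none,
    even when it carries its own key."""
    if interface_cfg is not None:
        return interface_cfg if interface_cfg.enabled else None
    return area_cfg


def hmac_sha1_96(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 truncated to its leftmost 96 bits (12 bytes)."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def build_sad(interfaces, areas):
    """One SA per interface, keyed by (destination address, SPI). Interfaces that
    inherit the area's IPsec still get their own entry, as the page describes."""
    sad = {}
    for name, (addr, if_cfg, area_id) in interfaces.items():
        cfg = effective_config(if_cfg, areas.get(area_id))
        if cfg is not None:
            sad[(addr, cfg.spi)] = (name, cfg.key())
    return sad


def check_for_us_packet(sad, dst, spi, payload, icv):
    """SPD-style check on an inbound ESP packet addressed to this router.
    Returns the receiving interface name when the packet is accepted, or None
    when it is dropped before reaching the OSPFv3 module."""
    entry = sad.get((dst, spi))
    if entry is None:
        return None          # no SA for this destination/SPI pair
    name, key = entry
    if not hmac.compare_digest(hmac_sha1_96(key, payload), icv):
        return None          # integrity check failed
    return name


# Constructed sample configuration (hypothetical addresses, keys and SPIs).
KEY_A = "0123456789abcdef0123456789abcdef01234567"
KEY_B = "fedcba9876543210fedcba9876543210fedcba98"
AREAS = {"0.0.0.1": IpsecConfig(spi=300, key_hex=KEY_A)}
INTERFACES = {
    # name: (destination address used for the SA, interface-level config, area)
    "eth1": ("fe80::1", None, "0.0.0.1"),                                 # inherits area SA
    "eth2": ("fe80::2", IpsecConfig(spi=512, key_hex=KEY_B), "0.0.0.1"),  # overrides area
    "eth3": ("fe80::3", IpsecConfig(spi=600, key_hex=KEY_B, enabled=False), "0.0.0.1"),
}

if __name__ == "__main__":
    sad = build_sad(INTERFACES, AREAS)
    hello = b"constructed OSPFv3 hello payload"
    icv = hmac_sha1_96(bytes.fromhex(KEY_A), hello)
    print(sorted(sad))                                           # eth1 and eth2 only
    print(check_for_us_packet(sad, "fe80::1", 300, hello, icv))  # eth1
    print(check_for_us_packet(sad, "fe80::3", 600, hello, icv))  # None, IPsec disabled
```

Running the script shows that eth3, although it has its own key, gets no SA because IPsec was disabled on the interface, and that a packet whose SPI has no SA or whose ICV fails never reaches the OSPFv3 module.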
