Brocade Communications Systems Layer 3 Routing Configuration ICX 6650 User Manual

Page 267


Brocade ICX 6650 Layer 3 Routing Configuration Guide, page 249 (53-1002603-01)

OSPF V3 configuration

General considerations when configuring IPsec for OSPF V3

The IPsec component generates security associations and security policies based on certain user-specified parameters. The parameters are described with the syntax of each command in this section and are also pointed out in the section with the show command examples, “IPsec examples” on page 274. User-specified parameters and their relation to system-generated values are as follows:

Security association: based on your entries for security policy index (SPI), destination address, and security protocol (currently ESP), the system creates a security association for each interface or virtual link.

Security policy database: based on your entries for SPI, source address, destination addresses, and security protocol, the system creates a security policy database for each interface or virtual link.

You can configure the same SPI and key on multiple interfaces and areas, but they still have unique IPsec configurations because the SA and policies are added to each separate security policy database (SPD) that is associated with a particular interface. If you configure an SA with the same SPI in multiple places, the other parameters associated with the SA (key, crypto algorithm, security protocol, and so on) must match. If the system detects a mismatch, it displays an error message.

IPsec authentication for OSPFv3 requires the use of multiple SPDs, one for each interface. A virtual link has a separate, global SPD. The authentication configuration on a virtual link must be different from the authentication configuration for an area or interface, as required by RFC 4552. The interface number is used to generate a non-zero security policy database identifier (SPDID), but for the global SPD for a virtual link, the system-generated SPDID is always zero. As a hypothetical example, the SPD for interface eth 1/1/1 might have the system-generated SPDID of 1, and so on.

If you change an existing key, you must also specify a different SPI value. For example, in an interface context where you intend to change a key, you must type a different SPI value (which comes before the key parameter on the command line) before you type the new key. The example in “IPsec for OSPF V3 configuration” illustrates this requirement.

The old key remains active for twice the currently configured key-rollover-interval in the inbound direction. In the outbound direction, the old key remains active for a duration equal to the key-rollover-interval. If the key-rollover-interval is set to 0, the new key takes effect immediately in both directions. For a description of the key-rollover-interval, refer to the “Changing the key rollover timer” section on page 254.
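The following is an added illustration of the two rules above (same-SPI parameters must match across SPDs, and old/new key validity during rollover); it is a small Python model written for this page, not Brocade code. It assumes the outbound direction sends with a single key at a time, and the algorithm names are placeholders.

```python
# Added model of the OSPFv3 IPsec rules described above; not Brocade code.
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    key: str
    algo: str           # hypothetical algorithm label, e.g. "sha1"
    proto: str = "esp"  # ESP is the only security protocol the guide lists


class IPsecModel:
    """One SPD per interface (non-zero SPDID) plus the global virtual-link SPD (SPDID 0)."""

    def __init__(self):
        self.spds = {0: {}}   # SPDID -> {SPI: SecurityAssociation}
        self.sa_by_spi = {}   # every SPI configured anywhere, for the match check

    def add_sa(self, spdid, sa):
        # The same SPI may appear in several SPDs only if every other parameter
        # matches; this is also why changing a key requires a new SPI.
        seen = self.sa_by_spi.get(sa.spi)
        if seen is not None and seen != sa:
            raise ValueError(f"SPI {sa.spi}: key/algorithm/protocol must match existing SA")
        self.sa_by_spi[sa.spi] = sa
        self.spds.setdefault(spdid, {})[sa.spi] = sa

    def accepts(self, spdid, sa):
        """True if the SA is accepted, False if the system would report a mismatch."""
        try:
            self.add_sa(spdid, sa)
            return True
        except ValueError:
            return False


def keys_in_use(old, new, elapsed, rollover_interval):
    """Keys honoured `elapsed` seconds after a key change.

    Inbound: old key accepted for twice the interval, alongside the new key.
    Outbound: old key used for one interval, then the new key (assumed single key).
    Interval 0 switches both directions to the new key at once.
    """
    inbound = {new} if elapsed >= 2 * rollover_interval else {old, new}
    outbound = new if elapsed >= rollover_interval else old
    return inbound, outbound


if __name__ == "__main__":
    m = IPsecModel()
    print(m.accepts(1, SecurityAssociation(1001, "k1", "sha1")))  # same SPI on eth 1/1/1
    print(m.accepts(0, SecurityAssociation(1001, "k1", "sha1")))  # and on the virtual link
    print(m.accepts(1, SecurityAssociation(1001, "k2", "sha1")))  # new key, same SPI: rejected
    print(keys_in_use("k1", "k2", elapsed=30, rollover_interval=30))
```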
