Tuesday, September 9, 2014

IPv6 OSPFv3 authentication and encryption



Authentication

The following example shows IPv6 OSPFv3 authentication between R2 and R3.
 
R2:
interface FastEthernet1/0
 no ip address
 speed auto
 duplex auto
 ipv6 address 2000:23::2/64
 ipv6 ospf authentication ipsec spi 256 sha1 0123456789012345678901234567890123456789
 ipv6 ospf 1 area 0

R3:
interface FastEthernet1/0
 no ip address
 speed auto
 duplex auto
 ipv6 address 2000:23::3/64
 ipv6 ospf authentication ipsec spi 256 sha1 0123456789012345678901234567890123456789
 ipv6 ospf 1 area 0

Note that the SPI (Security Parameters Index) should be identical on both routers.


The authentication is part of the IPv6 header, and as you can see it does not encrypt the packet; it only authenticates the exchange between R2 and R3. So a MITM can still see the content of the OSPF packets that R2 and R3 are exchanging.

Encryption

R2:
interface FastEthernet1/0
 no ip address
 speed auto
 duplex auto
 ipv6 address 2000:23::2/64
 ipv6 ospf encryption ipsec spi 256 esp aes-cbc 256 0123456789012345678901234567890123456789012345678901234567890123 sha1 0123456789012345678901234567890123456789
 ipv6 ospf 1 area 0

R3:
interface FastEthernet1/0
 no ip address
 speed auto
 duplex auto
 ipv6 address 2000:23::3/64
 ipv6 ospf encryption ipsec spi 256 esp aes-cbc 256 0123456789012345678901234567890123456789012345678901234567890123 sha1 0123456789012345678901234567890123456789
 ipv6 ospf 1 area 0

Now the OSPF packets are totally encrypted and we can't see anything, so no MITM here!
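To check the two points above from the configuration itself (matching parameters on both routers, and authentication-only versus encryption), here is an added example that is not part of the original post. It is a Python audit that parses the `ipv6 ospf authentication ipsec` and `ipv6 ospf encryption ipsec` lines of both routers and reports findings for one link. The function names, the `sample` helper and the constructed configs are assumptions; the parser handles only the command forms shown in the post.

```python
def parse_ospfv3_ipsec(config):
    """Map interface name -> OSPFv3 IPsec settings found in IOS-style config text."""
    result, iface = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"] and len(words) > 1:
            iface = words[1]
        elif iface and words[:2] == ["ipv6", "ospf"] and len(words) > 2:
            # Any "ipv6 ospf ..." line means OSPFv3 runs here; default to no IPsec.
            entry = result.setdefault(iface, {"mode": "none", "spi": None, "params": ()})
            if (words[2] in ("authentication", "encryption")
                    and words[3:5] == ["ipsec", "spi"] and len(words) > 5):
                entry.update(mode=words[2], spi=int(words[5]), params=tuple(words[6:]))
    return result

def is_patterned(key, max_period=16):
    """True if a hex key is just a short block repeated, e.g. 0123456789 x 4."""
    limit = min(max_period, len(key) // 2)
    return any(key == (key[:p] * len(key))[:len(key)] for p in range(1, limit + 1))

def audit_link(cfg_a, cfg_b, iface):
    """Return a list of findings for one link, given both routers' configs."""
    a, b = (parse_ospfv3_ipsec(c).get(iface) for c in (cfg_a, cfg_b))
    if a is None or b is None:
        return ["OSPFv3 is not enabled on both ends of the link"]
    findings = []
    if a != b:
        findings.append("mismatch: mode, SPI, algorithms and keys must be identical on both routers")
    for name, side in (("A", a), ("B", b)):
        if side["mode"] == "none":
            findings.append(f"{name}: no IPsec, OSPFv3 packets are neither authenticated nor encrypted")
        elif side["mode"] == "authentication" or "null" in side["params"][:2]:
            findings.append(f"{name}: authenticated but not encrypted, OSPF contents readable on the wire")
        if any(len(w) >= 32 and is_patterned(w) for w in side["params"]):
            findings.append(f"{name}: key is a short repeating pattern, replace with random hex")
    return findings

def sample(addr, ipsec):
    """Constructed sample config, modeled on the post's R2/R3 interface stanzas."""
    return (f"interface FastEthernet1/0\n ipv6 address {addr}/64\n"
            f" ipv6 ospf {ipsec}\n ipv6 ospf 1 area 0\n")

POST_KEY = "0123456789" * 4  # the placeholder SHA-1 key used in the post
R2 = sample("2000:23::2", f"authentication ipsec spi 256 sha1 {POST_KEY}")
R3 = sample("2000:23::3", f"authentication ipsec spi 256 sha1 {POST_KEY}")
R3_BAD = sample("2000:23::3", f"authentication ipsec spi 257 sha1 {POST_KEY}")  # constructed SPI mismatch

if __name__ == "__main__":
    print("\n".join(audit_link(R2, R3_BAD, "FastEthernet1/0")))
```

Run against the post's authentication example, it reports both ends as authenticated but not encrypted and flags the placeholder key; an encryption config with random keys returns no findings.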




