[c-nsp] Securing OSPFv3 on 6500/7600 Routers?

Pete Lumbis alumbis at gmail.com
Thu Jan 6 10:23:35 EST 2011


Gert,

From what I can find, support for OSPFv3 Auth on the Sup720 (SX/SR) is
roughly set for Q2 CY12. The information that mentioned that was from
November so I'd follow up with your account team/SE to see if this has
changed at all or to have them build a case to try and move this date
up, if at all possible.

Pete

On Thu, Jan 6, 2011 at 4:30 AM, Gert Doering <gert at greenie.muc.de> wrote:
> Hi,
>
> On Thu, Jan 06, 2011 at 06:45:48AM +0100, Mikael Abrahamsson wrote:
>> I think it's a mistake of people implementing IPv6 protocols to design
>> them so that they have to rely on IPSEC for their
>> authentication/encryption, at least initially when IPSEC support seems to
>> be quite incomplete for platforms.
>
> That's a somewhat philosophical question - IPv6 mandates(!) IPSEC support,
> so protocol designers are doing the right thing in relying on established
> crypto infrastructure that's supposed to be already there and well-tested,
> instead of every one inventing their own scheme again and again.
>
> Now, in real life, things tend to not work out that way - OSPFv3 is there,
> IPSEC for IPv6 isn't.  So who's to blame, the protocol designers, or the
> vendors that choose to implement only bits and pieces of the protocol
> suite?
>
> But anyway, I seem to remember that OSPF+IPSEC is there on IOS... FN
> agrees with me:
>
> http://tools.cisco.com/ITDIT/CFN/Dispatch?act=featdesc&task=display&featureId=2261
> "IPv6 Security: IPv6 IPSec to Authenticate OSPFv3"
>
> http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-ospf.html#wp1069880
> "To use the IPsec AH, you must enable the ipv6 ospf authentication command..."
>
> Now the interesting question is whether this is available in any reasonable
> subset of IOS versions...  the URL above claims it was added to 12.4(9)T,
> and doesn't say a word about 12.2SX/12.2SR trains.  FN says it was added
> to 12.3(4)T, but nothing about 12.2SX/R or IOS XR/IOS XE either.
>
> So, for the original poster, this won't help.  (Please go to your BU and
> complain that IOS feature distribution sucks big time...)
>
> gert
> --
> USENET is *not* the non-clickable part of WWW!
>                                                           //www.muc.de/~gert/
> Gert Doering - Munich, Germany                             gert at greenie.muc.de
> fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de