[nsp] OSPF & Encryption
Charles H. Gucker
cgucker at cv.net
Tue Nov 18 14:07:59 EST 2003
On Tue, Nov 18, 2003 at 07:12:58AM -0700, Chris Moore - GMD wrote:
> Hi all,
> I've walked into an interesting situation. I am working on a small network
> with private point-to-point T1s between sites. We have customers (we're in
> the financial industry) that insist that we encrypt our private T1s. We also
> want to run OSPF.
I was wondering if there was any reason why you would need to encrypt
your actual OSPF data. You can use digests and the like to encrypt the
handshake, but after that, if the data is encrypted, who cares about the
routing announcements? ;-) I would believe your customers would be
more concerned with their transmissions, ensuring they are encrypted,
secure and complete than the internal workings of your OSPF process.
> I was going to encrypt the links using IPSec but this breaks OSPF. Cisco's
> solution seems to be to use GRE tunnels - something I don't have experience
> with. Is there a simpler way? Are there alternatives to IPSec for encrypting
> point-to-point links?
Well, you could still do IPSec, or better yet, put the tunnels on the
outer edge of your network either within your routers, or on an external box.
This would allow you to keep layer 4 functions in layer 4, and layer 3 and
below where they belong.
Just the idea of trying to troubleshoot any dynamic routing protocols
within a tunnel is scary.