[nsp] OSPF & Encryption

Chris Moore - GMD chris.moore at gmd.com
Wed Nov 19 08:39:14 EST 2003


Thanks for all the replies, everyone.

I am particularly intrigued with the following idea:

>-----Original Message-----
>From: Charles H. Gucker [mailto:cgucker at cv.net]
>Sent: Tuesday, November 18, 2003 12:08 PM
>To: Chris Moore - GMD
>Cc: 'cisco-nsp at puck.nether.net'
>Subject: Re: [nsp] OSPF & Encryption
>
>
>	I was wondering if there was any reason why you would need to
>encrypt your actual OSPF data.  You can use digests and the like to encrypt the
>handshake, but after that, if the data is encrypted, who cares about the
>routing announcements? ;-)   I would believe your customers would be 
>more concerned with their transmissions, ensuring they are encrypted,
>secure and complete than the internal workings of your OSPF process.
>
>
>thanks,
>charles

I absolutely do not need to encrypt my routing data, just my routed data. I
wasn't thinking about the fact that you can use a deny statement in the
crypto map access-list to NOT encrypt certain traffic (I'm encrypting
EVERYTHING on these links at this point).

Would a config along the lines of the following do the trick?

!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key StrongKey1 address 172.17.4.1
!
!
crypto ipsec transform-set ts1 ah-md5-hmac esp-des
!
crypto map MAP1 1 ipsec-isakmp
 set peer 172.17.4.1
 set security-association lifetime seconds 190
 set transform-set ts1
 match address 101
!
!
!
interface FastEthernet0
 ip address 10.12.32.253 255.255.240.0
 speed auto
 full-duplex
 no cdp enable
!
!
interface Serial0
 ip address 172.17.4.2 255.255.255.252
 ip ospf network point-to-point
 no fair-queue
 ! the crypto map has to be bound to the link or nothing is encrypted
 crypto map MAP1
!
!
router ospf 1
 log-adjacency-changes
 network 10.12.32.0 0.0.15.255 area 0.0.0.0
 network 172.17.4.0 0.0.0.3 area 0.0.0.0
!
!
!
access-list 101 remark ## Crypto List ##
access-list 101 deny ospf any any
access-list 101 permit ip any any
!
!
!


Thanks,

Chris
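To check what the crypto access-list above actually does to each kind of packet, here is an added Python model of how IOS evaluates an extended ACL used as a crypto ACL (it is example code, not anything from the list or from Cisco). It parses `access-list 101 ...` lines with `any`, `host` and wildcard-mask addresses, walks them top-down with the implicit deny at the end, and reports whether a packet would be handed to IPsec ("encrypt") or sent in the clear. Ports are ignored; packets are just (protocol number, source, destination), and the sample packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Protocol keywords IOS accepts in extended ACLs; "ip" matches any protocol.
PROTO_NUMBERS = {"ip": None, "icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "ospf": 89}

# Constructed copy of the crypto ACL from the config above (comments stripped).
SAMPLE_ACL = """
access-list 101 remark ## Crypto List ##
access-list 101 deny ospf any any
access-list 101 permit ip any any
"""


@dataclass
class AclEntry:
    action: str                    # "permit" -> encrypt, "deny" -> bypass IPsec
    proto: Optional[int]           # None means "ip" (any protocol)
    src: Tuple[int, int]           # (address, wildcard) as integers
    dst: Tuple[int, int]


def _parse_addr(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Parse 'any' | 'host A.B.C.D' | 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tok))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def parse_acl(text: str, number: int) -> List[AclEntry]:
    """Collect the entries of one numbered extended ACL, in configured order."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "access-list" or tokens[1] != str(number):
            continue
        if tokens[2] == "remark":
            continue
        action, proto_name = tokens[2], tokens[3]
        if action not in ("permit", "deny") or proto_name not in PROTO_NUMBERS:
            raise ValueError(f"unsupported ACL line: {line}")
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append(AclEntry(action, PROTO_NUMBERS[proto_name], src, dst))
    return entries


def _match_addr(addr: str, spec: Tuple[int, int]) -> bool:
    net, wild = spec
    mask = ~wild & 0xFFFFFFFF          # wildcard bits set = "don't care"
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)


def crypto_disposition(entries: List[AclEntry], proto: int, src: str, dst: str) -> str:
    """First matching entry wins. In a crypto ACL, deny means 'send unencrypted',
    and the implicit deny at the end means the same thing, not 'drop'."""
    for e in entries:
        if e.proto is not None and e.proto != proto:
            continue
        if not (_match_addr(src, e.src) and _match_addr(dst, e.dst)):
            continue
        return "encrypt" if e.action == "permit" else "clear"
    return "clear"


def classify_samples(acl_text: str = SAMPLE_ACL) -> dict:
    """Run a few constructed packets through the crypto ACL."""
    acl = parse_acl(acl_text, 101)
    samples = {
        # OSPF hello from Serial0 to the AllSPFRouters multicast group
        "ospf_hello": (89, "172.17.4.2", "224.0.0.5"),
        # customer TCP traffic crossing the link
        "customer_tcp": (6, "10.12.32.10", "10.20.0.5"),
        # ICMP from the LAN side, also customer data
        "lan_ping": (1, "10.12.40.7", "192.0.2.9"),
    }
    return {name: crypto_disposition(acl, *pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, result in classify_samples().items():
        print(f"{name:13s} -> {result}")
```

Ordering is what makes this work: with `deny ospf any any` placed first, OSPF packets drop out of the crypto map before the `permit ip any any` line is reached, so the neighbour relationship keeps running in the clear while everything else on the link is encrypted. Swapping the two lines would put OSPF back inside the tunnel. The peer at 172.17.4.1 needs the mirror-image ACL so both ends agree on what is and is not protected.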

