[nsp] OSPF & Encryption
Chris Moore - GMD
chris.moore at gmd.com
Wed Nov 19 08:39:14 EST 2003
Thanks for all the replies, everyone.
I am particularly intrigued with the following idea:
>From: Charles H. Gucker [mailto:cgucker at cv.net]
>Sent: Tuesday, November 18, 2003 12:08 PM
>To: Chris Moore - GMD
>Cc: 'cisco-nsp at puck.nether.net'
>Subject: Re: [nsp] OSPF & Encryption
> I was wondering if there was any reason why you would need to
>your actual OSPF data. You can use digests and the like to encrypt the
>handshake, but after that, if the data is encrypted, who cares about the
>routing announcements? ;-) I would believe your customers would be
>more concerned with their transmissions, ensuring they are encrypted,
>secure and complete than the internal workings of your OSPF process.
I absolutely do not need to encrypt my routing data, just my routed data. I
wasn't thinking about the fact that you can use a deny statement in the
crypto map access-list to NOT encrypt certain traffic (I'm encrypting
EVERYTHING on these links at this point).
Would a config along the lines of the following do the trick?
crypto isakmp policy 1
crypto isakmp key StrongKey1 address 172.17.4.1
!
crypto ipsec transform-set ts1 ah-md5-hmac esp-des
!
crypto map MAP1 1 ipsec-isakmp
 set peer 172.17.4.1
 set security-association lifetime seconds 190
 set transform-set ts1
 match address 101
!
! interface names were not in the post; <LAN-interface> and <WAN-interface>
! are placeholders for the real ones
interface <LAN-interface>
 ip address 10.12.32.253 255.255.240.0
 no cdp enable
!
interface <WAN-interface>
 ip address 172.17.4.2 255.255.255.252
 ip ospf network point-to-point
 crypto map MAP1
!
router ospf 1
 network 10.12.32.0 0.0.15.255 area 0.0.0.0
 network 172.17.4.0 0.0.0.3 area 0.0.0.0
!
access-list 101 remark ## Crypto List ##
access-list 101 deny ospf any any
access-list 101 permit ip any any
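As an added illustration (not from Chris's post or the quoted reply) of why the order of the two lines in access-list 101 matters, here is a small first-match evaluator for the crypto ACL, fed with constructed sample packets; in a crypto ACL "permit" means "protect with IPsec" and "deny" means "send in the clear":

```python
# Added example (not from the original post): evaluate a crypto ACL the way a
# crypto map does. "permit" = protect with IPsec, "deny" = send in the clear,
# rules are matched first-match top to bottom, implicit deny at the end.
IP_PROTO = {"ospf": 89, "tcp": 6, "udp": 17, "icmp": 1, "ip": None}

# ACL 101 exactly as posted (the remark line is ignored).
ACL_101 = """\
access-list 101 remark ## Crypto List ##
access-list 101 deny ospf any any
access-list 101 permit ip any any
"""

# Same two rules with the order swapped: the deny is never reached, so OSPF
# hellos would be encrypted as well, which is what the post wants to avoid.
ACL_PERMIT_FIRST = """\
access-list 101 permit ip any any
access-list 101 deny ospf any any
"""

def parse_acl(text):
    """Return [(action, protocol_number_or_None), ...] for 'any any' rules."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2] == "remark":
            continue
        action, proto = parts[2], parts[3]
        if action not in ("permit", "deny") or proto not in IP_PROTO:
            raise ValueError("unsupported ACL line: " + line)
        rules.append((action, IP_PROTO[proto]))
    return rules

def crypto_verdict(rules, proto_number):
    """'encrypt' if the first matching rule is a permit, else 'clear'."""
    for action, proto in rules:
        if proto is None or proto == proto_number:   # 'ip' matches everything
            return "encrypt" if action == "permit" else "clear"
    return "clear"   # implicit deny: unmatched traffic is not protected

def classify(acl_text, packets):
    rules = parse_acl(acl_text)
    return {name: crypto_verdict(rules, proto) for name, proto in packets}

# Constructed sample traffic crossing the 172.17.4.0/30 link.
SAMPLE_PACKETS = [("ospf hello", 89), ("customer tcp", 6), ("icmp ping", 1)]

if __name__ == "__main__":
    for name, verdict in classify(ACL_101, SAMPLE_PACKETS).items():
        print(f"{name:13} -> {verdict}")
```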