[c-nsp] Securing OSPFv3 on 6500/7600 Routers?
Mikael Abrahamsson
swmike at swm.pp.se
Thu Jan 6 01:28:49 EST 2011
On Thu, 6 Jan 2011, Dobbins, Roland wrote:
> Um, I thought multiple vendors supported MD5 for OSPFv3, do they not?
Nope, because it's not in the protocol at all:

http://tools.ietf.org/html/draft-ietf-ospf-ospfv3-auth-08

1. Introduction
OSPF (Open Shortest Path First) Version 2 [N1] defines the fields
AuType and Authentication in its protocol header to provide security.
In OSPF for IPv6 (OSPFv3) [N2], both of the authentication fields
were removed from OSPF headers. OSPFv3 relies on the IPv6
Authentication Header (AH) and IPv6 Encapsulating Security Payload
(ESP) to provide integrity, authentication and/or confidentiality.

http://packetlife.net/blog/2008/sep/3/ospfv3-authentication/

OSPFv3 authentication
Most IPv4 routing protocols support some form of neighbor authentication,
provided by either a plaintext password or MD5 HMAC. However, OSPFv3 (OSPF
for IPv6) doesn't include any authentication capabilities of its own;
instead, it relies entirely on IPsec to secure communications between
neighbors. This is beneficial in simplifying the OSPFv3 protocol and
standardizing its authentication mechanism.
--
Mikael Abrahamsson email: swmike at swm.pp.se
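
The header difference quoted above, as an added example that is not part of the original post: a Python sketch that parses the OSPFv2 and OSPFv3 fixed headers and reports whether a captured IPv6 packet carries OSPFv3 bare or behind AH/ESP. All packets, addresses, the SPI and the zeroed ICV are constructed sample data; the function names are hypothetical, and IPv6 extension headers other than AH are assumed absent.

```python
import struct

PROTO_ESP, PROTO_AH, PROTO_OSPF = 50, 51, 89  # IANA protocol numbers

def parse_ospf_header(data: bytes) -> dict:
    """Parse the fixed OSPF header; only OSPFv2 carries authentication fields."""
    version, ptype, length, router_id, area_id, checksum = struct.unpack_from("!BBHIIH", data)
    hdr = {"version": version, "type": ptype, "length": length,
           "router_id": router_id, "area_id": area_id, "checksum": checksum}
    if version == 2:    # 24-byte header ends with AuType (2) + Authentication (8)
        hdr["autype"], hdr["authentication"] = struct.unpack_from("!H8s", data, 14)
    elif version == 3:  # 16-byte header ends with Instance ID (1) + zero (1)
        hdr["instance_id"], _ = struct.unpack_from("!BB", data, 14)
    else:
        raise ValueError(f"unsupported OSPF version {version}")
    return hdr

def ospfv3_protection(pkt: bytes) -> str:
    """Classify one IPv6 packet: 'ah', 'esp', 'none' (bare OSPFv3) or 'not-ospf'."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, payload = pkt[6], pkt[40:]
    if next_header == PROTO_ESP:
        return "esp"  # inner protocol sits in the ESP trailer, not visible here
    if next_header == PROTO_AH:
        if len(payload) < 2:
            raise ValueError("truncated AH header")
        inner, ah_len = payload[0], (payload[1] + 2) * 4  # length in 32-bit words minus 2
        if inner == PROTO_OSPF and parse_ospf_header(payload[ah_len:])["version"] == 3:
            return "ah"   # AH present; the ICV itself is not verified here
        return "not-ospf"
    if next_header == PROTO_OSPF and parse_ospf_header(payload)["version"] == 3:
        return "none"
    return "not-ospf"

def ipv6(next_header: int, payload: bytes) -> bytes:
    """Build a constructed IPv6 packet from fe80::1 to ff02::5 (AllSPFRouters)."""
    src = bytes.fromhex("fe80" + "00" * 13 + "01")
    dst = bytes.fromhex("ff02" + "00" * 13 + "05")
    return struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_header, 1, src, dst) + payload

# Constructed sample data: hello headers only, SPI 256, all-zero 12-byte ICV.
OSPFV2_HDR = struct.pack("!BBHIIHH8s", 2, 1, 24, 0x01010101, 0, 0, 2, b"\0" * 8)
OSPFV3_HDR = struct.pack("!BBHIIHBB", 3, 1, 16, 0x01010101, 0, 0, 0, 0)
AH_HDR = struct.pack("!BBHII12s", PROTO_OSPF, 4, 0, 256, 1, b"\0" * 12)
BARE = ipv6(PROTO_OSPF, OSPFV3_HDR)
WITH_AH = ipv6(PROTO_AH, AH_HDR + OSPFV3_HDR)
WITH_ESP = ipv6(PROTO_ESP, struct.pack("!II", 256, 1) + b"\0" * 20)

if __name__ == "__main__":
    for name, pkt in (("bare", BARE), ("ah", WITH_AH), ("esp", WITH_ESP)):
        print(name, ospfv3_protection(pkt))
```
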