[c-nsp] Securing OSPFv3 on 6500/7600 Routers?

Gert Doering gert at greenie.muc.de
Thu Jan 6 04:30:56 EST 2011


Hi,

On Thu, Jan 06, 2011 at 06:45:48AM +0100, Mikael Abrahamsson wrote:
> I think it's a mistake of people implementing IPv6 protocols to design 
> them so that they have to rely on IPSEC for their 
> authentication/encryption, at least initially when IPSEC support seems to 
> be quite incomplete for platforms.

That's a somewhat philosophical question - IPv6 mandates(!) IPSEC support,
so protocol designers are doing the right thing in relying on established
crypto infrastructure that's supposed to be already there and well-tested,
instead of everyone inventing their own scheme again and again.

Now, in real life, things tend to not work out that way - OSPFv3 is there,
IPSEC for IPv6 isn't.  So who's to blame, the protocol designers, or the
vendors that choose to implement only bits and pieces of the protocol
suite?

But anyway, I seem to remember that OSPF+IPSEC is there on IOS... FN
agrees with me:

http://tools.cisco.com/ITDIT/CFN/Dispatch?act=featdesc&task=display&featureId=2261
"IPv6 Security: IPv6 IPSec to Authenticate OSPFv3"

http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-ospf.html#wp1069880
"To use the IPsec AH, you must enable the ipv6 ospf authentication command..."

Now the interesting question is whether this is available in any reasonable
subset of IOS versions...  the URL above claims it was added to 12.4(9)T,
and doesn't say a word about 12.2SX/12.2SR trains.  FN says it was added
to 12.3(4)T, but nothing about 12.2SX/R or IOS XR/IOS XE either.

So, for the original poster, this won't help.  (Please go to your BU and
complain that IOS feature distribution sucks big time...)

gert
-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
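Added example, not part of Gert's message or of Cisco's documentation: the OSPFv3 interface configuration the quoted doc snippet refers to, shown once without authentication and once with IPsec AH authentication enabled via the ipv6 ospf authentication command, plus the area-wide form. Interface name, addresses, process and area numbers, SPI and key are placeholders; the IOS train must actually carry the feature, which is the whole point of the thread.

```text
! --- Weak: OSPFv3 adjacency with no authentication at all ---
! Any host on the segment can inject hellos/LSAs into area 0.
interface GigabitEthernet1/1
 ipv6 address 2001:db8:0:1::1/64          ! placeholder prefix
 ipv6 ospf 1 area 0

! --- Hardened: same interface, OSPFv3 packets authenticated with IPsec AH ---
! SPI and key must be identical on every router attached to this link.
! SHA1 keys are 40 hex digits, MD5 keys 32; the value below is a placeholder.
interface GigabitEthernet1/1
 ipv6 address 2001:db8:0:1::1/64
 ipv6 ospf 1 area 0
 ipv6 ospf authentication ipsec spi 500 sha1 0123456789abcdef0123456789abcdef01234567

! --- Alternative: apply one SPI/key to every interface in the area ---
! (an interface-level command still overrides this for that interface)
ipv6 router ospf 1
 router-id 192.0.2.1                       ! placeholder router-id
 area 0 authentication ipsec spi 500 sha1 0123456789abcdef0123456789abcdef01234567

! --- Checks after the change ---
! show ipv6 ospf interface GigabitEthernet1/1   -> authentication/SPI state per interface
! show ipv6 ospf neighbor                        -> adjacency must return to FULL
! show crypto ipsec sa                           -> AH SAs for the OSPFv3 SPI present
```

Roll the SPI/key out on all routers of a link before expecting adjacencies to come back, since mismatched or missing AH settings on one neighbour drop the adjacency rather than degrading to unauthenticated.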