[c-nsp] Possible to talk ospfv3 with auth or encryption to Brocade?
Nathanael Law
Nathanael.Law at aimco.alberta.ca
Thu Apr 18 12:06:15 EDT 2013
Hi David,
Brocade's documentation is somewhat lacking in this area, and in some places very poorly worded.
E.g., in table 214 of http://www.brocade.com/downloads/documents/html_product_manuals/NI_05400a_CFG/wwhelp/wwhimpl/common/html/wwhelp.htm#context=NI_ConfigGuide_Netfiles&file=OSPF_Version_3.60.5.html, Brocade states, "authentication algorithm (currently ESP only), encryption algorithm (currently SHA1 only)". However, SHA1 is not an encryption algorithm; it's a hash algorithm used for authentication.
It would be nice if Brocade actually stated this properly, at least somewhere in the document:
- IPsec protocols: ESP (i.e., no AH support)
- ESP encryption algorithms: null (i.e., no AES, 3DES, DES support)
- ESP authentication algorithms: SHA1 (i.e., no MD5 support)
Cisco (at least in IOS 15.0(2)SE1) supports the following:
- IPsec protocols: AH, ESP
- AH authentication algorithms: MD5, SHA1
- ESP encryption algorithms: null, DES, 3DES, AES (128, 192, 256-bit)
- ESP authentication algorithms: MD5, SHA1
Thus, the only overlap is: ESP-null-SHA1. It's been a while since I've had my hands on a Brocade device, but the following should work, or at least point you toward a working solution.
On the Brocade:
interface ethernet1/1/1
 ipv6 ospf authentication ipsec spi NNNN esp sha1 0123456789abcdef0123456789abcdef01234567
On the Cisco:
interface gi1/0/1
 ipv6 ospf encryption ipsec spi NNNN esp null sha1 0123456789abcdef0123456789abcdef01234567
In IOS, "ipv6 ospf authentication" uses AH and "ipv6 ospf encryption" uses ESP.
Best regards,
Nathanael Law
> -----Original Message-----
> From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of
> David Hubbard
> Sent: Thursday, April 18, 2013 00:42
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] Possible to talk ospfv3 with auth or encryption to
> Brocade?
>
> I'm wondering if anyone has a working ospfv3 setup
> between a Cisco and Brocade device? As best I can
> tell, Brocade's only possible setup is either no
> auth and no encryption, or, sha1 auth, sha1 encryption,
> esp packets.
>
> On the Cisco side, the only option that gives you
> esp packets is "ipv6 ospf encrypt" but then
> unfortunately while it does support sha1 for the
> authentication, the only encryption algorithms offered
> are 3des, aes-cbc, des and null, so there's not a
> compatible combination.
>
> Thanks,
>
> David
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
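An added illustration (not from the original post or from either vendor's software) of what the ESP-null-SHA1 overlap does on the wire: the payload travels unencrypted, and a 96-bit truncated HMAC-SHA1 (HMAC-SHA1-96) over the ESP header and payload authenticates it. The SPI value 1000, the sample payload and the function names are assumptions; the key is the placeholder key from the configuration in the reply above.

```python
import hashlib
import hmac
import struct

# Constructed sample values (assumptions): the SPI stands in for the post's
# NNNN; the key is the 40-hex-digit (160-bit) placeholder key from the post.
SPI = 1000
KEY = bytes.fromhex("0123456789abcdef0123456789abcdef01234567")
OSPF_NEXT_HEADER = 89   # IP protocol number for OSPF
ICV_LEN = 12            # HMAC-SHA1-96 keeps the first 96 bits of the digest

def esp_null_sha1_seal(spi, seq, payload, key, next_header=OSPF_NEXT_HEADER):
    """Build an ESP packet with NULL encryption and an HMAC-SHA1-96 ICV."""
    # Pad so payload + padding + pad-length + next-header is 4-byte aligned.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))  # default pad bytes 1, 2, 3
    body = (struct.pack("!II", spi, seq) + payload + padding
            + bytes([pad_len, next_header]))
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv

def esp_null_sha1_open(packet, spi, key):
    """Verify the ICV; return (seq, next_header, payload) or raise ValueError."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("packet too short")
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    got_spi, seq = struct.unpack("!II", body[:8])
    if got_spi != spi:
        raise ValueError("SPI mismatch")
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):  # constant-time comparison
        raise ValueError("ICV mismatch")
    pad_len, next_header = body[-2], body[-1]
    if pad_len > len(body) - 10:
        raise ValueError("bad pad length")
    return seq, next_header, body[8:len(body) - 2 - pad_len]

# Constructed stand-in for an OSPFv3 packet (not a real capture).
SAMPLE_PAYLOAD = b"constructed OSPFv3 hello"

if __name__ == "__main__":
    pkt = esp_null_sha1_seal(SPI, 1, SAMPLE_PAYLOAD, KEY)
    print("payload readable on the wire:", SAMPLE_PAYLOAD in pkt)
    print(esp_null_sha1_open(pkt, SPI, KEY))
```

A mismatch in the key or SPI between the two routers makes every packet fail this check, so the symptom of a typo in either configuration line is an adjacency that never forms.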