[c-nsp] Possible to talk ospfv3 with auth or encryption to Brocade?

David Hubbard dhubbard at dino.hostasaurus.com
Thu Apr 18 12:31:23 EDT 2013 

Thanks Nathanael, I've kind of worked myself towards the same
conclusion over the past few hours.  I've found a working config
as follows:

Brocade side:

ipv6 ospf authentication ipsec spi #### esp sha1 KEY

Cisco side:

 ipv6 ospf authentication null
 ipv6 ospf encryption ipsec spi #### esp null sha1 KEY

This is kind of weird since I would think the two statements
on the Cisco side would conflict, but I have ospfv3 area
authentication enabled so perhaps the 'auth null' command
disables the area auth from being applied to the interface
while the encryption command does indeed set the interface
to do esp with sha1 auth and null encryption.

If I do a show ipv6 ospf int on each side, the Brocade side
thinks its doing authentication (real numbers replaced):

  Authentication Use: Enabled
   KeyRolloverTime(sec): Configured: 300 Current: 0
   KeyRolloverState: NotActive
   Outbound: SPI:500, ESP, SHA1
      Key:1234567890123456789012345678901234567890
   Inbound: SPI:500, ESP, SHA1
      Key:1234567890123456789012345678901234567890

But the Cisco side is confusing:

  NULL encryption SHA-1 auth SPI 500, secure socket UP (errors: 0)
  authentication NULL

Am I doing sha1 auth and the output is misleading, or am I
just doing ESP with no auth and the Brocade is incorrectly
accepting that even though its config should make it drop
a no-auth packet?

Thanks,

David

> -----Original Message-----
> From: Nathanael Law [mailto:Nathanael.Law at aimco.alberta.ca] 
> Sent: Thursday, April 18, 2013 12:06 PM
> To: David Hubbard
> Cc: cisco-nsp at puck.nether.net
> Subject: RE: Possible to talk ospfv3 with auth or encryption 
> to Brocade?
> 
> Hi David,
> 
> Brocade's documentation is somewhat lacking in this area, and 
> in some places very poorly worded.
> 
> E.g., in table 214 of 
> http://www.brocade.com/downloads/documents/html_product_manual
> s/NI_05400a_CFG/wwhelp/wwhimpl/common/html/wwhelp.htm#context=
> NI_ConfigGuide_Netfiles&file=OSPF_Version_3.60.5.html, 
> Brocade states, "authentication algorithm (currently ESP 
> only), encryption algorithm (currently SHA1 only)".  However, 
> SHA1 is not an encryption algorithm; it's a hash algorithm 
> used for authentication.
> 
> It would be nice if Brocade actually stated this properly, at 
> least somewhere in the document:
>  - IPsec protocols:               ESP       (i.e., no AH support)
>  - ESP encryption algorithms:     null      (i.e., no AES, 
> 3DES, DES support)
>  - ESP authentication algorithms: SHA1      (i.e., no MD5 support)
> 
> Cisco (at least in IOS 15.0(2)SE1) supports the following:
>  - IPsec protocols:               AH, ESP
>  - AH authentication algorithms:  MD5, SHA1
>  - ESP encryption algorithms:     null, DES, 3DES, AES (128, 
> 192, 256-bit)
>  - ESP authentication algorithms: MD5, SHA1
> 
> Thus, the only overlap is: ESP-null-SHA1.  It's been a while 
> since I've had my hands on a Brocade device, but the 
> following should work, or at least point you toward a working 
> solution.
> 
> On the Brocade:
> interface ethernet1/1/1
>   ipv6 ospf authentication ipsec spi NNNN esp sha1 
> 0123456789abcdef0123456789abcdef01234567
> 
> On the Cisco:
> interface gi1/0/1
>   ipv6 ospf encryption ipsec spi NNNN esp null sha1 
> 0123456789abcdef0123456789abcdef01234567
> 
> In IOS, "ipv6 ospf authentication" uses AH and "ipv6 ospf 
> encryption" uses ESP.
> 
> Best regards,
> 
> Nathanael Law
> 
> > -----Original Message-----
> > From: cisco-nsp [mailto:cisco-nsp-bounces at puck.nether.net] 
> On Behalf Of
> > David Hubbard
> > Sent: Thursday, April 18, 2013 00:42
> > To: cisco-nsp at puck.nether.net
> > Subject: [c-nsp] Possible to talk ospfv3 with auth or encryption to
> > Brocade?
> > 
> > I'm wondering if anyone has a working ospfv3 setup
> > between a Cisco and Brocade device?  As best I can
> > tell, Brocade's only possible setup is either no
> > auth and no encryption, or, sha1 auth, sha1 encryption,
> > esp packets.
> > 
> > On the Cisco side, the only option that gives you
> > esp packets is "ipv6 ospf encrypt" but then
> > unfortunately while it does support sha1 for the
> > authentication, the only encryption algorithms offered
> > are 3des, aes-cbc, des and null, so there's not a
> > compatible combination.
> > 
> > Thanks,
> > 
> > David
> > 
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> 
>

More information about the cisco-nsp mailing list