Reference Guide
Default route
You can generate an external default route and distribute the default information to the OSPFv3 routing domain.
• To generate the default route, use the default-information originate [always] command in ROUTER-OSPFv3 mode.
Congure default route
OS10(config)# router ospfv3 100
OS10(config-router-ospf-100)# default-information originate always
View default route conguration
OS10(config-router-ospf-100)# show configuration
!
router ospfv3 100
default-information originate always
OSPFv3 IPsec authentication and encryption
Unlike OSPFv2, OSPFv3 does not have authentication elds in its protocol header to provide security. To provide authentication and
condentiality, OSPFv3 uses IP Security (IPsec) — a collection of security protocols for authenticating and encrypting data packets. OS10
OSPFv3 supports IPsec using the IPv6 authentication header (AH) or IPv6 encapsulating security payload (ESP).
• AH authentication veries that data is not altered during transmission and ensures that users are communicating with the intended
individual or organization. The authentication header is inserted after the IP header with a value of 51. MD5 and SHA1 authentication
types are supported; encrypted and unencrypted keys are supported.
• ESP encryption encapsulates data, enabling the protection of data that follows in the datagram. The ESP extension header is inserted
after the IP header and before the next layer protocol header. 3DES, DES, AES-CBC, and NULL encryption algorithms are supported;
encrypted and unencrypted keys are supported.
Apply IPsec authentication or encryption on a physical, port-channel, or VLAN interface or in an OSPFv3 area. Each conguration consists
of a security policy index (SPI) and the key used to validate OSPFv3 packets. After you congure an IPsec protocol for OSPFv3, IPsec
operation is invisible to the user.
You can only enable one security protocol (authentication or encryption) at a time on an interface or for an area. Enable IPsec AH with the
ipv6 ospf authentication command; enable IPsec ESP with the ipv6 ospf encryption command.
• A security policy congured for an area is inherited by default on all interfaces in the area.
• A security policy congured on an interface overrides any area-level congured security for the area to which the interface is assigned.
• The congured authentication or encryption policy is applied to all OSPFv3 packets transmitted on the interface or in the area. The
IPsec security associations are the same on inbound and outbound trac on an OSPFv3 interface.
• There is no maximum AH or ESP header length because the headers have elds with variable lengths.
Congure IPsec authentication on interfaces
Prerequisite: Before you enable IPsec authentication on an OSPFv3 interface, rst enable IPv6 unicast routing globally, then enable
OSPFv3 on the interface, and assign it to an area.
The SPI value must be unique to one IPsec security policy (authentication or encryption) on the router. You cannot congure the same SPI
value on another interface even if it uses the same authentication or encryption algorithm.
You cannot use an IPsec authentication type (MD5 or SHA-1) and the null setting at same time on an interface. These settings are
mutually exclusive.
• Enable IPsec authentication for OSPFv3 packets in Interface mode.
ipv6 ospf authentication {null | ipsec spi number {MD5 | SHA1} key}
Layer 3
441