API Guide
Configure default route
OS10(config)# router ospfv3 100
OS10(config-router-ospf-100)# default-information originate always
View default route configuration
OS10(config-router-ospf-100)# show configuration
!
router ospfv3 100
default-information originate always
OSPFv3 IPsec authentication and encryption
Unlike OSPFv2, OSPFv3 does not have authentication fields in its protocol header to provide security. To provide authentication
and confidentiality, OSPFv3 uses IP Security (IPsec) — a collection of security protocols for authenticating and encrypting data
packets. OS10 OSPFv3 supports IPsec using the IPv6 authentication header (AH) or IPv6 encapsulating security payload (ESP).
● AH authentication verifies that data is not altered during transmission and ensures that users are communicating with the
intended individual or organization. The authentication header is inserted after the IP header with a value of 51. MD5 and
SHA1 authentication types are supported; encrypted and unencrypted keys are supported.
● ESP encryption encapsulates data, enabling data protection that follows in the datagram. The ESP extension header is
inserted after the IP header and before the next layer protocol header. 3DES, DES, AES-CBC, and NULL encryption
algorithms are supported; encrypted and unencrypted keys are supported.
Apply IPsec authentication or encryption on a physical, port-channel, or VLAN interface or in an OSPFv3 area. Each
configuration consists of a security policy index (SPI) and the OSPFv3 packets validation key. After you configure an IPsec
protocol for OSPFv3, IPsec operation is invisible to the user.
You can only enable one authentication or encryption security protocol at a time on an interface or for an area. Enable IPsec AH
using the ipv6 ospf authentication command; enable IPsec ESP with the ipv6 ospf encryption command.
● A security policy configured for an area is inherited on all interfaces in the area by default.
● A security policy configured on an interface overrides any area-level configured security for the area where the interface is
assigned.
● The configured authentication or encryption policy applies to all OSPFv3 packets transmitted on the interface or in the area.
The IPsec security associations are the same on inbound and outbound traffic on an OSPFv3 interface.
● There is no maximum AH or ESP header length because the headers have fields with variable lengths.
Configure IPsec authentication on interfaces
Prerequisite: Before you enable IPsec authentication on an OSPFv3 interface, first enable IPv6 unicast routing globally, then
enable OSPFv3 on the interface, and assign it to an area.
The SPI value must be unique to one IPsec authentication or encryption security policy on the router. You cannot configure the
same SPI value on another interface even if it uses the same authentication or encryption algorithm.
You cannot use an IPsec MD5 or SHA-1 authentication type and the null setting at same time on an interface. These settings
are mutually exclusive.
● Enable IPsec authentication for OSPFv3 packets in Interface mode.
ipv6 ospf authentication {null | ipsec spi number {MD5 | SHA1} key}
○ null — Prevent an authentication policy configured for the area to be inherited on the interface. Only use this
parameter if you configure IPsec area authentication.
○ ipsec spi number — Enter a unique security policy index (SPI) value, from 256 to 4294967295.
○ md5 — Enable message digest 5 (MD5) authentication.
○ sha1 — Enable secure hash algorithm 1 (SHA-1) authentication.
○ key — Enter the text string used in the authentication type. All neighboring OSPFv3 routers must share the key to
exchange information. Only a non-encrypted key is supported. For MD5 authentication, the non-encrypted key must be
32 plain hex digits. For SHA-1 authentication, the non-encrypted key must be 40 hex digits. An encrypted key is not
supported.
728
Layer 3