Configuring OSPFv3 Authentication Trailer

Information About the OSPFv3 Authentication Trailer

The OSPFv3 authentication trailer feature (as defined in RFC 7166) provides an alternative mechanism to authenticate Open Shortest Path First version 3 (OSPFv3) protocol packets. Prior to the OSPFv3 authentication trailer, OSPFv3 IPsec (as defined in RFC 4552) was the only mechanism for authenticating protocol packets. The OSPFv3 authentication trailer feature also provides packet replay protection through sequence numbers and does not have platform dependencies.

To perform non-IPsec cryptographic authentication, devices attach a special data block, the authentication trailer, to the end of the OSPFv3 packet. The length of the authentication trailer is not included in the length of the OSPFv3 packet but is included in the IPv6 payload length. The Link-Local Signaling (LLS) block is established by the L-bit setting in the OSPFv3 Options field in OSPFv3 hello packets and database description packets. If present, the LLS data block is included in the cryptographic authentication computation along with the OSPFv3 packet.

A new authentication trailer bit (AT-bit) is introduced into the OSPFv3 Options field. OSPFv3 devices must set the AT-bit in OSPFv3 hello packets and database description packets to indicate that all packets on this link include an authentication trailer. For hello and database description packets, the AT-bit itself indicates that the authentication trailer is present. For other OSPFv3 packet types, the AT-bit setting learned from the hello and database description packets is preserved in the OSPFv3 neighbor data structure, and packet types that do not include the OSPFv3 Options field use that stored setting to determine whether the authentication trailer is expected. The AT-bit must be set in all OSPFv3 hello packets and database description packets that contain an authentication trailer.

To configure the authentication trailer, OSPFv3 utilizes the existing Cisco IOS key chain command. For outgoing OSPFv3 packets, the following rules are used to select the key from the key chain:

  • Select the key that is the last to expire.

  • If two keys have the same stop time, select the one with the highest key ID.

The security association ID maps to the authentication algorithm and the secret key that are used to generate and verify the message digest. If authentication is configured but the last valid key has expired, the packets are still sent using that key, and a syslog message is generated. If no valid key is available, the packet is sent without the authentication trailer. When packets are received, the key ID is used to look up the data for that key. If the key ID is not found in the key chain, or if the security association is not valid, the packet is dropped. Otherwise, the packet is verified using the algorithm and the key that are configured for that key ID. Key chains support rollover using key lifetimes: a new key can be added to a key chain with its send start time set in the future, which allows the new key to be configured on all devices before it is actually used.

Hello packets have a higher priority than other OSPFv3 packets and can therefore be reordered on the outgoing interface. This reordering can create problems with sequence number verification on neighboring devices. To prevent sequence mismatches, OSPFv3 verifies the sequence number separately for each packet type. See RFC 7166 for more details on the authentication procedure.
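
The key-selection rules, the receive-side checks and the per-packet-type sequence number verification described above, as an added Python model that is not part of the Cisco documentation and is not the device's implementation. The trailer layout (key ID, 64-bit sequence number, HMAC-SHA-256 digest), the separate send and accept lifetimes, and the Key, KeyChain, Sender and Receiver classes with the run_demo scenario are all assumptions of this example, not the RFC 7166 wire format.

```python
import hmac
import logging
import struct
from dataclasses import dataclass, field

log = logging.getLogger("ospfv3-at")

HELLO, DBD = 1, 2            # OSPFv3 packet types used in the demo
MAC_LEN = 32                 # HMAC-SHA-256 digest length
TRAILER_FMT = "!HQ"          # constructed trailer layout: key ID, 64-bit sequence number
TRAILER_LEN = struct.calcsize(TRAILER_FMT) + MAC_LEN


@dataclass
class Key:               # one key-chain entry; lifetimes are epoch seconds, send and accept kept separate
    key_id: int
    secret: bytes
    send_start: int
    send_stop: int
    accept_start: int
    accept_stop: int
    algorithm: str = "sha256"


@dataclass
class KeyChain:
    name: str
    keys: list

    def select_send_key(self, now):
        candidates = [k for k in self.keys if k.send_start <= now]   # send lifetime must have started
        if not candidates:
            return None                                             # no key: send without a trailer
        # Rule 1: the key that is last to expire; rule 2: the highest key ID on equal stop times.
        best = max(candidates, key=lambda k: (k.send_stop, k.key_id))
        if best.send_stop < now:   # an expired last key is still used, and the event is logged
            log.warning("key chain %s: key %d has expired but is still used", self.name, best.key_id)
        return best

    def lookup(self, key_id):
        return next((k for k in self.keys if k.key_id == key_id), None)


@dataclass
class Sender:
    chain: KeyChain
    seq: int = 0         # one strictly increasing counter shared by all packet types

    def build(self, ptype, body, now):
        packet = bytes([ptype]) + body
        key = self.chain.select_send_key(now)
        if key is None:
            return packet
        self.seq += 1
        packet += struct.pack(TRAILER_FMT, key.key_id, self.seq)
        return packet + hmac.new(key.secret, packet, key.algorithm).digest()


@dataclass
class Receiver:
    chain: KeyChain
    last_seq: dict = field(default_factory=dict)   # packet type -> highest accepted sequence number

    def verify(self, packet, now):
        """Return 'accept' or 'drop:<reason>'; the AT-bit is assumed set, so a trailer is expected."""
        if len(packet) < 1 + TRAILER_LEN:
            return "drop:no-trailer"
        ptype, signed, mac = packet[0], packet[:-MAC_LEN], packet[-MAC_LEN:]
        key_id, seq = struct.unpack(TRAILER_FMT, signed[-struct.calcsize(TRAILER_FMT):])
        key = self.chain.lookup(key_id)
        if key is None:
            return "drop:unknown-key-id"
        if not key.accept_start <= now <= key.accept_stop:
            return "drop:sa-not-valid"
        if not hmac.compare_digest(mac, hmac.new(key.secret, signed, key.algorithm).digest()):
            return "drop:bad-digest"
        if seq <= self.last_seq.get(ptype, 0):   # checked per packet type: reordering across types is fine
            return "drop:replay"
        self.last_seq[ptype] = seq
        return "accept"


def run_demo():
    """Constructed scenario: two keys with identical stop times plus one future rollover key."""
    chain = KeyChain("ospf-1", [
        Key(1, b"first-secret", 0, 1000, 0, 1100),
        Key(2, b"second-secret", 0, 1000, 0, 1100),        # same stop time as key 1, higher ID
        Key(3, b"future-secret", 2000, 3000, 1900, 3100),  # send start in the future (rollover)
    ])
    tx, rx, now = Sender(chain), Receiver(chain), 500
    hello1, dbd, hello2 = (tx.build(t, b"x", now) for t in (HELLO, DBD, HELLO))
    return {
        "send_key": chain.select_send_key(now).key_id,           # 2: highest ID among equal stop times
        "hello2_first": rx.verify(hello2, now),                  # Hello reordered ahead of the DBD
        "dbd_after": rx.verify(dbd, now),                        # still accepted: separate counter per type
        "hello1_replay": rx.verify(hello1, now),                 # older Hello sequence number
        "tampered": rx.verify(dbd[:-MAC_LEN] + bytes(MAC_LEN), now),
        "stale_sa": Receiver(chain).verify(hello1, 1200),        # key 2 outside its accept lifetime
        "unsigned": rx.verify(Sender(KeyChain("empty", [])).build(HELLO, b"x", now), now),
        "expired_key_used": chain.select_send_key(1500).key_id,  # 2 again, with a warning logged
        "rollover_key": chain.select_send_key(2500).key_id,      # 3 once its send lifetime has started
    }
```

The receiver keeps one highest-seen sequence number per packet type, which is why the Hello that overtook the DBD and the DBD itself are both accepted while the older Hello is rejected as a replay; a single shared counter on the receive side would have dropped the DBD.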

During the initial rollover of the authentication trailer feature on the network, adjacency can be maintained between devices that are already configured with authentication and devices that are not yet configured by using the deployment mode. When the deployment mode is configured using the authentication mode deployment command, packets are processed differently. For outgoing packets, the OSPF checksum is calculated even if the authentication trailer is configured. For incoming packets, packets without an authentication trailer or with a wrong authentication hash are dropped. In the deployment mode, the show ospfv3 neighbor detail command shows the authentication status of the last packet received from each neighbor. Use this information to verify that the authentication trailer feature is working before the mode is set to normal with the authentication mode normal command.

How to Configure the OSPFv3 Authentication Trailer

To configure the OSPFv3 authentication trailer, perform this procedure:

Before you begin

An authentication key is required for configuring OSPFv3 authentication trailer. For more information on configuring an authentication key, see How to Configure Authentication Keys in Protocol-Independent Features.

Procedure

  Command or Action Purpose

Step 1

enable

Example:

Device> enable

Enables privileged EXEC mode.

Enter your password, if prompted.

Step 2

configure terminal

Example:

Device# configure terminal

Enters global configuration mode.

Step 3

interface type number

Example:

Device(config)# interface GigabitEthernet 2/0/1

Specifies the interface type and number.

Step 4

ospfv3 [pid] [ipv4 | ipv6] authentication {key-chain chain-name | null}

Example:

Device(config-if)# ospfv3 1 ipv6 authentication key-chain ospf-1

Specifies the authentication type for an OSPFv3 instance.

Step 5

router ospfv3 [process-id]

Example:

Device(config-if)# router ospfv3 1

Enters OSPFv3 router configuration mode.

Step 6

address-family ipv6 unicast

Example:

Device(config-router)# address-family ipv6 unicast

Configures the IPv6 address family in the OSPFv3 process and enters IPv6 address family configuration mode.

Step 7

area area-id authentication {key-chain chain-name | null}

Example:

Device(config-router-af)# area 1 authentication key-chain ospf-chain-1

Configures the authentication trailer on all interfaces in the OSPFv3 area.

Step 8

area area-id virtual-link router-id authentication key-chain chain-name

Example:

Device(config-router-af)# area 1 virtual-link 1.1.1.1 authentication key-chain ospf-chain-1

Configures the authentication for virtual links.

Step 9

area area-id sham-link source-address destination-address authentication key-chain chain-name

Example:

Device(config-router-af)# area 1 sham-link 1.1.1.1 1.1.1.0 authentication key-chain ospf-chain-1

Configures the authentication for sham-links.

Step 10

authentication mode {deployment | normal}

Example:

Device(config-router-af)# authentication mode deployment

(Optional) Specifies the type of authentication used for the OSPFv3 instance.

The deployment keyword maintains adjacency between devices that are configured with authentication and devices that are not yet configured.

Step 11

end

Example:

Device(config-router-af)# end

Exits IPv6 address family configuration mode and returns to privileged EXEC mode.

Step 12

show ospfv3 interface

Example:

Device# show ospfv3 interface

(Optional) Displays OSPFv3-related interface information.

Step 13

show ospfv3 neighbor [detail]

Example:

Device# show ospfv3 neighbor detail

(Optional) Displays OSPFv3 neighbor information on a per-interface basis.

Step 14

debug ospfv3

Example:

Device# debug ospfv3

(Optional) Displays debugging information for OSPFv3.

Configuration Examples for the OSPFv3 Authentication Trailer

The following sections provide examples on how to configure the OSPFv3 authentication trailer and how to verify the OSPFv3 authentication trailer configuration.

Example: Configuring the OSPFv3 Authentication Trailer

The following example shows how to configure the authentication trailer on interface GigabitEthernet 1/0/1, using the key chain ospf-1 defined in the same session:

Device> enable
Device# configure terminal
Device(config)# key chain ospf-1
Device(config-keychain)# key 1
Device(config-keychain-key)# key-string ospf
Device(config-keychain-key)# cryptographic-algorithm hmac-sha-256
Device(config-keychain-key)# exit
Device(config-keychain)# exit
Device(config)# interface GigabitEthernet 1/0/1
Device(config-if)# ospfv3 1 ipv6 authentication key-chain ospf-1
Device(config-if)# router ospfv3 1
Device(config-router)# address-family ipv6 unicast
Device(config-router-af)# area 1 authentication key-chain ospf-1
Device(config-router-af)# area 1 virtual-link 1.1.1.1 authentication key-chain ospf-1
Device(config-router-af)# area 1 sham-link 1.1.1.1 1.1.1.0 authentication key-chain ospf-1
Device(config-router-af)# authentication mode deployment
Device(config-router-af)# end
!

Example: Verifying OSPFv3 Authentication Trailer

The following example shows the output of the show ospfv3 command.

Device# show ospfv3
 OSPFv3 1 address-family ipv6
 Router ID 1.1.1.1
…
RFC1583 compatibility enabled
 Authentication configured with deployment key lifetime
 Active Key-chains:
  Key chain ospf-1: Send key 1, Algorithm HMAC-SHA-256, Number of interfaces 1
    Area BACKBONE(0)

The following example shows the output of the show ospfv3 neighbor detail command.

Device# show ospfv3 neighbor detail
OSPFv3 1 address-family ipv6 (router-id 2.2.2.2)
 Neighbor 1.1.1.1
    In the area 0 via interface GigabitEthernet0/0
    Neighbor: interface-id 2, link-local address FE80::A8BB:CCFF:FE01:2D00
    Neighbor priority is 1, State is FULL, 6 state changes
    DR is 2.2.2.2 BDR is 1.1.1.1
    Options is 0x000413 in Hello (V6-Bit, E-Bit, R-Bit, AT-Bit)
    Options is 0x000413 in DBD (V6-Bit, E-Bit, R-Bit, AT-Bit)
    Dead timer due in 00:00:33
    Neighbor is up for 00:05:07
    Last packet authentication succeed
    Index 1/1/1, retransmission queue length 0, number of retransmission 0
    First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
    Last retransmission scan length is 0, maximum is 0
    Last retransmission scan time is 0 msec, maximum is 0 msec

The following example shows the output of the show ospfv3 interface command.

Device# show ospfv3 interface
GigabitEthernet1/0/1 is up, line protocol is up
  Cryptographic authentication enabled
    Sending SA: Key 25, Algorithm HMAC-SHA-256 – key chain ospf-1
    Last retransmission scan time is 0 msec, maximum is 0 msec
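
A pre-cutover check built on the show command output above, as an added Python example that is not part of the Cisco documentation: it parses show ospfv3 neighbor detail and show ospfv3 interface text, decodes the AT-bit (0x000400 in the OSPFv3 Options field, which the 0x000413 value above includes) from the hex Options value, and lists the neighbors that would not survive switching from deployment to normal mode. The sample text is constructed in the format of the page's output; the second neighbor 3.3.3.3, its "failed" status line, and the function names are assumptions of this example.

```python
import re

AT_BIT = 0x000400   # AT-bit position in the OSPFv3 Options field (0x000413 above includes it)

NEIGHBOR_RE = re.compile(r"^\s*Neighbor (\d+\.\d+\.\d+\.\d+)\s*$")
STATE_RE = re.compile(r"State is (\w+)")
OPTIONS_RE = re.compile(r"Options is (0x[0-9A-Fa-f]+) in (Hello|DBD)")
AUTH_RE = re.compile(r"Last packet authentication (\w+)")
IFACE_RE = re.compile(r"^(\S+) is (\w+), line protocol is (\w+)")
SA_RE = re.compile(r"Sending SA: Key (\d+), Algorithm (\S+) [-\u2013] key chain (\S+)")

# Constructed sample in the format of the outputs above; neighbor 3.3.3.3 and its
# "failed" status line are assumptions, not real device output.
NEIGHBOR_DETAIL = """\
OSPFv3 1 address-family ipv6 (router-id 2.2.2.2)
 Neighbor 1.1.1.1
    In the area 0 via interface GigabitEthernet0/0
    Neighbor: interface-id 2, link-local address FE80::A8BB:CCFF:FE01:2D00
    Neighbor priority is 1, State is FULL, 6 state changes
    Options is 0x000413 in Hello (V6-Bit, E-Bit, R-Bit, AT-Bit)
    Options is 0x000413 in DBD (V6-Bit, E-Bit, R-Bit, AT-Bit)
    Last packet authentication succeed
 Neighbor 3.3.3.3
    In the area 0 via interface GigabitEthernet0/1
    Neighbor: interface-id 3, link-local address FE80::A8BB:CCFF:FE03:2D00
    Neighbor priority is 1, State is FULL, 4 state changes
    Options is 0x000013 in Hello (V6-Bit, E-Bit, R-Bit)
    Options is 0x000013 in DBD (V6-Bit, E-Bit, R-Bit)
    Last packet authentication failed
"""

INTERFACE_OUTPUT = """\
GigabitEthernet1/0/1 is up, line protocol is up
  Cryptographic authentication enabled
    Sending SA: Key 25, Algorithm HMAC-SHA-256 - key chain ospf-1
"""


def parse_neighbor_detail(text):
    """Return one dict per neighbor: state, AT-bit presence in Hello/DBD, last authentication status."""
    neighbors, cur = [], None
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:   # "Neighbor: interface-id ..." and "Neighbor priority ..." do not match this pattern
            cur = {"router_id": m.group(1), "state": None,
                   "at_bit_hello": False, "at_bit_dbd": False, "last_auth": None}
            neighbors.append(cur)
            continue
        if cur is None:
            continue
        m = STATE_RE.search(line)
        if m:
            cur["state"] = m.group(1)
        m = OPTIONS_RE.search(line)
        if m:   # decode the bit from the hex value rather than trusting the textual flag list
            cur["at_bit_" + m.group(2).lower()] = bool(int(m.group(1), 16) & AT_BIT)
        m = AUTH_RE.search(line)
        if m:
            cur["last_auth"] = m.group(1)
    return neighbors


def parse_interface(text):
    """Return per-interface cryptographic authentication state and the sending SA (key, algorithm, chain)."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = {"line_protocol": m.group(3), "crypto_auth": False,
                   "send_key": None, "algorithm": None, "key_chain": None}
            ifaces[m.group(1)] = cur
            continue
        if cur is None:
            continue
        if "Cryptographic authentication enabled" in line:
            cur["crypto_auth"] = True
        m = SA_RE.search(line)
        if m:
            cur["send_key"], cur["algorithm"], cur["key_chain"] = int(m.group(1)), m.group(2), m.group(3)
    return ifaces


def not_ready_for_normal_mode(neighbors):
    """Neighbors that would lose adjacency once 'authentication mode normal' is applied:
    not FULL, AT-bit missing in Hello or DBD, or last packet authentication not 'succeed'."""
    return [n["router_id"] for n in neighbors
            if not (n["state"] == "FULL" and n["at_bit_hello"]
                    and n["at_bit_dbd"] and n["last_auth"] == "succeed")]


if __name__ == "__main__":
    for rid in not_ready_for_normal_mode(parse_neighbor_detail(NEIGHBOR_DETAIL)):
        print("neighbor", rid, "is not ready for authentication mode normal")
    for name, info in parse_interface(INTERFACE_OUTPUT).items():
        print(name, "sending SA key", info["send_key"], "from key chain", info["key_chain"])
```

Running this against output collected from every device on the link (the page's outputs are from a single router) gives a list of neighbors to fix before leaving deployment mode; an empty list from all devices is the condition under which the switch to normal mode will not break adjacencies.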

Additional References for OSPFv3 Authentication Trailer

Related Documents

  • Configuring OSPF features: IP Routing: OSPF Configuration Guide

Standards and RFCs

  • RFC 7166: Supporting Authentication Trailer for OSPFv3

  • RFC 6506: Supporting Authentication Trailer for OSPFv3

  • RFC 4552: Authentication/Confidentiality for OSPFv3

Feature Information for the OSPFv3 Authentication Trailer

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Table 1. Feature Information for the OSPFv3 Authentication Trailer

  • Feature Name: OSPFv3 Authentication Trailer

  • Releases: Cisco IOS XE Fuji 16.8.1a

  • Feature Information: The OSPFv3 Authentication Trailer feature provides a mechanism to authenticate OSPFv3 protocol packets as an alternative to the existing OSPFv3 IPsec authentication.